Addressing Cybersecurity Challenges in Times of Crisis: Extending the Sociotechnical Systems Perspective
Abstract
1. Introduction
- What sociotechnical cybersecurity challenges have emerged in the Higher Education and Research Sector (HERS) during major crises between 2019 and 2023, such as the COVID-19 pandemic or other global disruptions?
2. Literature Review
2.1. Cybersecurity and the Major Crisis
2.2. STS Theory and Cybersecurity
3. Methodology
3.1. Research Design
3.2. Participants and Recruitment
3.3. Data Collection
3.4. Data Coding
4. Findings and Results
4.1. Reflection on the Proposed STS Cybersecurity Challenges Model
4.2. Comparative Analysis of Existing and Proposed STS Framework
5. Discussion
5.1. Cybersecurity Challenges in Social Subsystem
5.1.1. People-Related Cybersecurity Challenges
- Lack of Security Awareness
- Mishandling Information
- Coronavirus Vaccine Scam
- Hi Colleague Scam
5.1.2. Structure-Related Cybersecurity Challenges
- Lack of Communication
- Opposing Cultural Shift
- Lack of Budget and Resources
- Slippy Spider Attack
5.2. Cybersecurity Challenges in Technical Subsystem
5.2.1. Technology-Related Cybersecurity Challenges
- Denial of Service (DoS)
- Eavesdropping Attack
- Malicious Attack
- Man-in-the-Middle Attack
- Network Attacks
- Phishing emails
- Password breaches
5.2.2. Work- and Task-Related Cybersecurity Challenges
- Credential Theft
- Data Breaches
- Lack of cyber skills
- Lack of Appropriate IT Policies and Procedures
5.3. Cybersecurity Challenges in Environmental Subsystem
5.3.1. Internal-Environment-Related Cybersecurity Challenges
- Insufficient Monitoring and Detection Capabilities
- Inadequate Planning and Preparation
- Legacy Systems
5.3.2. External-Environment-Related Cybersecurity Challenges
- Use of Insecure Outside Office Spaces
5.4. Cybersecurity Challenges in Political Subsystem
5.4.1. Legal and Regulatory-Related Cybersecurity Challenges
- Targeted Ransomware Attacks
- Zoom Bombing
5.4.2. Policy-Related Cybersecurity Challenges
- Temporary Shutdown of IT systems
5.5. Cybersecurity Challenges in Economic Subsystem
5.5.1. National Cybersecurity Challenges
- Lack of Appropriate Cybersecurity Educational Ecosystem
- Need for Suitable National Economic Cyber-Resources
5.5.2. Global Cybersecurity Challenges
- Inadequate International Authoritative Cybersecurity Bodies
6. Theoretical and Practical Contribution
- 1
- This study has made theoretical progress toward addressing the cybersecurity challenges that emerged amidst the major crisis. By focusing exclusively on the HERS, this study has addressed real cybersecurity incidents and their underlying situations amidst the recent major crisis in Australia.
- 2
- Although several researchers have pointed to rethinking and redesigning the current organizational practices to mitigate the immense increase in cybersecurity challenges amidst the recent major crisis [84,134,135,136], few studies have addressed the cybersecurity challenges during the recent major crisis [8,9,18,45]. However, most of the studies are conceptual literature review papers and do not focus on a particular sector Ramadan et al. (2021) [18] and Himdi et al. (2021) [45]. There is limited literature on empirically identifying real cybersecurity challenges that emerged in the HERS, particularly amidst the major crisis. The current study filled this research gap and has exclusively identified the cybersecurity challenges faced by the HERS amidst a major crisis.
- 3
- The prior literature has not considered extensively investigating the HERS, though it has experienced one of the highest percentages of cyberattacks [7]. Previous studies have pointed out several cybersecurity challenges; however, most of the studies are conceptual in nature and lack investigation and classification of cybersecurity challenges considering one particular sector [19,43,44]. Therefore, this study took the opportunity to identify cybersecurity challenges exclusively and explore strategic resilience changes to minimize these challenges in the HERS in Australia amidst a recent major crisis.
- 4
- Building on the STS theory, this study contributes to the understanding and classifying of identified cybersecurity challenges. This study extends and proposes an STS cybersecurity model that posits an interrelationship between five organizational subsystems instead of the previously used three subsystems in the literature. More specifically, the STS cybersecurity model explains the emerging cybersecurity challenges by various factors, indicating the social, technical, political, economic, and environmental subsystems. The proposed model contributes to the STS literature by addressing key cybersecurity challenges HERS has faced amidst the major crisis due to shortcomings in the factors associated with the five subsystems.
- 1
- For the cybersecurity department, this study has provided a method for classifying cybersecurity challenges concerning factors involving five different subsystems in an organization.
- 2
- For cybersecurity consultants and strategic managers, this study has provided better knowledge of how cybersecurity challenges can be classified and explained following various organizational subsystems. Both the cybersecurity department and strategic managers should not only understand the cybersecurity challenges but must also have knowledge of the particular subsystem elements where they are falling behind and due to which they are becoming the victim of that particular cybersecurity challenge. The STS cybersecurity framework acts as a tool for guiding the classification of cybersecurity challenges during any major organizational changes.
7. Recommendations
7.1. Recommendations for HERS
- 1
- The HERS can conduct regular cybersecurity training sessions for staff, faculty, and students, focusing on identifying phishing scams, securing remote working practices, and properly handling sensitive information.
- 2
- The sector can focus on developing mandatory orientation programs for new employees and students that include cybersecurity best practices.
- 3
- The sector can implement clear policies for secure remote work, including mandatory use of VPNs, MFAs, and encrypted communication tools.
- 4
- The HERS system can work on regularly updating IT infrastructure and provide secure devices to employees working remotely.
- 5
- To be better prepared for a crisis, the sector can develop robust incident response plans with clear protocols for handling cyberincidents, including data breaches and ransomware attacks.
- 6
- The sector can set up dedicated cybersecurity teams to monitor and respond to real-time threats in crises.
- 7
- The sector can focus on allocating specific budgets for upgrading legacy systems, implementing new security technologies, and hiring skilled cybersecurity professionals.
- 8
- The strategic managers can foster collaboration with cybersecurity research institutions to test and implement innovative solutions.
- 9
- The sector can participate in cybersecurity networks to stay updated on emerging threats and mitigation strategies, specifically in a crisis context.
- 10
- The sector can introduce specialized courses and certifications in cybersecurity to build a skilled workforce.
7.2. Recommendations for Government
- 1
- States can provide grants to institutions for implementing large-scale cybersecurity awareness campaigns.
- 2
- Governments can partner with cybersecurity organizations to develop standardized training modules tailored to educational institutions.
- 3
- Governments can help create national guidelines for cybersecurity practices in remote work environments, emphasizing higher education sectors.
- 4
- States can establish regional cybersecurity support hubs to assist institutions during major incidents.
- 5
- Governments can offer tax incentives for institutions that invest in advanced cybersecurity measures.
- 6
- Governments can facilitate the creation of national or regional cybersecurity alliances for educational institutions to collaborate on risk management.
8. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- Shaluf, I.M.; Ahmadun, F.l.R.; Mat Said, A. A review of disaster and crisis. Disaster Prev. Manag. Int. J. 2003, 12, 24–32. [Google Scholar] [CrossRef]
- WHO. Coronavirus. Available online: https://www.who.int/health-topics/coronavirus#tab=tab_1 (accessed on 12 March 2023).
- Oxford University Press. Oxford Online Dictionary. Available online: http://www.oxforddictionaries.com/definition/english/Cybersecurity (accessed on 4 April 2023).
- Warren, M. Critical Infrastructure in the COVID-19 Age. Available online: https://www.rmit.edu.au/news/acumen/critical-infrastructure (accessed on 12 January 2024).
- Murphy, D. Middle East Facing ‘Cyber Pandemic’ as COVID Exposes Security Vulnerabilities. Available online: https://www.cnbc.com/2020/12/06/middle-east-facing-cyber-pandemic-amid-covid-19-uae-official-says.html (accessed on 19 January 2024).
- Lohrmann, D. 2020: The Year the COVID-19 Crisis Brought a Cyber Pandemic. Available online: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/2020-the-year-the-covid-19-crisis-brought-a-cyber-pandemic.html (accessed on 7 May 2024).
- ACSC. ACSC Annual Cyber Threat Report July 2019 to June 2020. 2020. Available online: https://www.cyber.gov.au/sites/default/files/2023-03/ACSC-Annual-Cyber-Threat-Report-2019-20.pdf (accessed on 9 April 2022).
- Eian, I.C.; Yong, L.K.; Li, M.Y.X.; Qi, Y.H.; Fatima, Z. Cyber Attacks in the Era of COVID-19 and Possible Solution Domains. 2020. Available online: https://www.preprints.org/manuscript/202009.0630/v1 (accessed on 4 January 2024).
- Pranggono, B.; Arabo, A. COVID-19 pandemic cybersecurity issues. Internet Technol. Lett. 2021, 4, e247. [Google Scholar] [CrossRef]
- He, Y.; Aliyu, A.; Evans, M.; Luo, C. Health care cybersecurity challenges and solutions under the climate of COVID-19: Scoping review. J. Med. Internet Res. 2021, 23, e21747. [Google Scholar] [CrossRef] [PubMed]
- Saleous, H.; Ismail, M.; AlDaajeh, S.H.; Madathil, N.; Alrabaee, S.; Choo, K.-K.R.; Al-Qirim, N. COVID-19 pandemic and the cyberthreat landscape: Research challenges and opportunities. Digit. Commun. Netw. 2023, 9, 211–222. [Google Scholar] [CrossRef] [PubMed]
- UNESCO. Higher Education Sector (for R&D Data). Available online: https://uis.unesco.org/en/glossary-term/higher-education-sector-rd-data (accessed on 17 March 2024).
- Raju, R.; Abd Rahman, N.H.; Ahmad, A. Cyber Security Awareness in Using Digital Platforms among Students in a Higher Learning Institution. Asian J. Univ. Educ. 2022, 18, 756–766. [Google Scholar]
- Lourenço, J.; Morais, J.C.; Sá, S.; Neves, N.; Figueiredo, F.; Santos, M.C. Cybersecurity Concerns Under COVID-19: Representations on Increasing Digital Literacy in Higher Education. In Perspectives and Trends in Education and Technology: Selected Papers from ICITED 2022; Springer: Berlin/Heidelberg, Germany, 2023; pp. 739–748. [Google Scholar]
- Malatji, M.; Von Solms, S.; Marnewick, A. Socio-technical systems cybersecurity framework. Inf. Comput. Secur. 2019, 27, 233–272. [Google Scholar] [CrossRef]
- Zoto, E.; Kianpour, M.; Kowalski, S.J.; Lopez-Rojas, E.A. A socio-technical systems approach to design and support systems thinking in cybersecurity and risk management education. Complex Syst. Inform. Model. Q. 2019, 18, 65–75. [Google Scholar] [CrossRef]
- Craigen, D.; Diakun-Thibault, N.; Purse, R. Defining cybersecurity. Technol. Innov. Manag. Rev. 2014, 4. [Google Scholar] [CrossRef]
- Ramadan, R.A.; Aboshosha, B.W.; Alshudukhi, J.S.; Alzahrani, A.J.; El-Sayed, A.; Dessouky, M.M. Cybersecurity and Countermeasures at the Time of Pandemic. J. Adv. Transp. 2021, 2021, 6627264. [Google Scholar] [CrossRef]
- Khan, N.A.; Brohi, S.N.; Zaman, N. Ten Deadly Cyber Security Threats Amid COVID-19 Pandemic. 2020. Available online: https://www.techrxiv.org/users/662470/articles/675719-ten-deadly-cyber-security-threats-amid-covid-19-pandemic (accessed on 11 February 2021).
- Williams, C.M.; Chaturvedi, R.; Chakravarthy, K. Cybersecurity risks in a pandemic. J. Med. Internet Res. 2020, 22, e23692. [Google Scholar] [CrossRef]
- Lallie, H.S.; Shepherd, L.A.; Nurse, J.R.; Erola, A.; Epiphaniou, G.; Maple, C.; Bellekens, X. Cyber security in the age of COVID-19: A timeline and analysis of cyber-crime and cyber-attacks during the pandemic. Comput. Secur. 2021, 105, 102248. [Google Scholar] [CrossRef] [PubMed]
- Emery, F. Sociotechnical foundations for a new social order? Hum. Relat. 1982, 35, 1095–1122. [Google Scholar] [CrossRef]
- Mumford, E. The story of socio-technical design: Reflections on its successes, failures and potential. Inf. Syst. J. 2006, 16, 317–342. [Google Scholar] [CrossRef]
- Bostrom, R.P.; Heinen, J.S. MIS problems and failures: A socio-technical perspective. Part I: The causes. MIS Q. 1977, 1, 17–32. [Google Scholar] [CrossRef]
- Troyer, L. Expanding sociotechnical systems theory through the trans-disciplinary lens of complexity theory. Transdiscipl. Perspect. Complex Syst. 2017, 177–192. [Google Scholar] [CrossRef]
- Walker, G.H.; Stanton, N.A.; Jenkins, D.; Salmon, P.; Young, M.; Aujla, A. Sociotechnical theory and NEC system design. In Proceedings of the International Conference on Engineering Psychology and Cognitive Ergonomics, Beijing, China, 22–27 July 2007; pp. 619–628. [Google Scholar]
- Davis, M.C.; Challenger, R.; Jayewardene, D.N.; Clegg, C.W. Advancing socio-technical systems thinking: A call for bravery. Appl. Ergon. 2014, 45, 171–180. [Google Scholar] [CrossRef]
- Challenger, R.; Clegg, C.; Robinson, M.; Leigh, M. Understanding Crowd Behaviors: Volume 1, Practical Guidance and Lessons Identified; TSO (The Stationery Office): London, UK, 2010. [Google Scholar]
- Clegg, C.; Shepherd, C. The biggest computer programme in the world… ever!’: Time for a change in mindset? J. Inf. Technol. 2007, 22, 212–221. [Google Scholar] [CrossRef]
- Baxter, G.; Sommerville, I. Socio-technical systems: From design methods to systems engineering. Interact. Comput. 2011, 23, 4–17. [Google Scholar] [CrossRef]
- Klein, L. Working Across the Gap: The Practice of Social Science in Organizations; Routledge: London, UK, 2018. [Google Scholar]
- Clegg, C.W. Sociotechnical principles for system design. Appl. Ergon. 2000, 31, 463–477. [Google Scholar] [CrossRef]
- Eason, K. Local sociotechnical system development in the NHS National Programme for Information Technology. J. Inf. Technol. 2007, 22, 257–264. [Google Scholar] [CrossRef]
- McEvoy, T.R.; Kowalski, S.J. Deriving cyber security risks from human and organizational factors—A socio-technical approach. Complex Syst. Inform. Model. Q. 2019, 18, 47–64. [Google Scholar] [CrossRef]
- Carley, K.M. Social cybersecurity: An emerging science. Comput. Math. Organ. Theory 2020, 26, 365–381. [Google Scholar] [CrossRef] [PubMed]
- Malatji, M.; Marnewick, A.; von Solms, S. Validation of a socio-technical management process for optimising cybersecurity practices. Comput. Secur. 2020, 95, 101846. [Google Scholar] [CrossRef]
- van Haastrecht, M.; Yigit Ozkan, B.; Brinkhuis, M.; Spruit, M. Respite for SMEs: A systematic review of socio-technical cybersecurity metrics. Appl. Sci. 2021, 11, 6909. [Google Scholar] [CrossRef]
- Ulven, J.B.; Wangen, G. A systematic review of cybersecurity risks in higher education. Future Internet 2021, 13, 39. [Google Scholar] [CrossRef]
- Christine, D.I.; Thinyane, M. Socio-technical cyber resilience: A systematic review of cyber resilience management frameworks. In Digital Transformation for Sustainability: ICT-Supported Environmental Socio-Economic Development; Springer: Berlin/Heidelberg, Germany, 2022; pp. 573–597. [Google Scholar]
- Lallie, H.S.; Thompson, A.; Titis, E.; Stephens, P. Understanding Cyber Threats Against the Universities, Colleges, and Schools. arXiv 2023, arXiv:2307.07755. [Google Scholar]
- Redd, B.; Tang, Y.; Ziv, H.; Patil, S. Layering Sociotechnical Cybersecurity Concepts Within Project-Based Learning. In Proceedings of the 2024 ACM Conference on International Computing Education Research, Melbourne, VIC, Australia, 13–15 August 2024; Volume 1, pp. 406–418. [Google Scholar]
- Okereafor, K.; Marcelo, A. Addressing Cybersecurity Challenges of Health Data In The COVID-19 Pandemic. SSRN Electr. J. 2020, 8, 1–12. [Google Scholar]
- Ahmad, T. Corona Virus (COVID-19) Pandemic and Work from Home: Challenges of Cybercrimes and Cybersecurity. 2020. Available online: https://www.researchgate.net/publication/340443250_Corona_Virus_COVID-19_Pandemic_and_Work_from_Home_Challenges_of_Cybercrimes_and_Cybersecurity (accessed on 8 August 2022).
- Aljohani, H. Cyber security threats during the pandemic. J. Contemp. Sci. Res. 2021, 5. Available online: https://www.jcsronline.com/wp-content/uploads/2021/05/Volume5Issue1Paper1.pdf (accessed on 12 September 2023).
- Himdi, T.; Ishaque, M.; Ahmed, J. Cybersecurity challenges during pandemic in smart cities. In Proceedings of the 2021 8th International Conference on Computing for Sustainable Global Development (INDIACom), New Delhi, India, 17–19 March 2021; pp. 445–449. [Google Scholar]
- Shah, I.A. Cybersecurity Issues and Challenges for E-Government During COVID-19: A Review. Cybersecur. Meas. E-Gov. Framew. 2022, 187–222. [Google Scholar] [CrossRef]
- Anderson, J.; Poole, M. Assignment and Thesis Writing; Juta and Company Ltd.: Cape Town, South Africa, 2009. [Google Scholar]
- de Bruijn, H.; Janssen, M. Building cybersecurity awareness: The need for evidence-based framing strategies. Gov. Inf. Q. 2017, 34, 1–7. [Google Scholar] [CrossRef]
- Emory, C.W.; Cooper, D.R. Business Research Method; Homewood: Irwin, IL, USA, 1991. [Google Scholar]
- Patton, M.Q. Qualitative Research and Evaluation Methods. Thousand Oaks; Cal. Sage Publications: Thousand Oaks, CA, USA, 2002; Volume 4. [Google Scholar]
- Yin, R.K. Case Study Research: Design and Methods; Sage: Thousand Oaks, CA, USA, 2009; Volume 5. [Google Scholar]
- Aitzhan, N.Z.; Svetinovic, D. Security and privacy in decentralized energy trading through multi-signatures, blockchain and anonymous messaging streams. IEEE Trans. Dependable Secur. Comput. 2016, 15, 840–852. [Google Scholar] [CrossRef]
- Charmaz, K. Constructing Grounded Theory: A Practical Guide Through Qualitative Analysis; Sage: Thousand Oaks, CA, USA, 2006. [Google Scholar]
- Guest, G.; MacQueen, K.M.; Namey, E.E. Validity and reliability (credibility and dependability) in qualitative research and data analysis. Appl. Themat. Anal. 2012, 79, 106. [Google Scholar]
- Challenger, R.; Clegg, C.W. Crowd disasters: A socio-technical systems perspective. Contemp. Soc. Sci. 2011, 6, 343–360. [Google Scholar] [CrossRef]
- Gao, T.-P.; Su, H.; Yu, T. The Connotation and Logical Construction of Government Digital Transformation—Based on the Analysis of Sociotechnical System Theory. E3S Web Conf. 2021, 251, 03069. [Google Scholar] [CrossRef]
- Leavitt, H.J. Applied organizational change in industry: Structural, technological and humanistic approaches. In Handbook of Organizations (RLE: Organizations); Routledge: London, UK, 2013; pp. 1144–1170. [Google Scholar]
- Challenger, R.; Clegg, C.W. Crowd disasters: A socio-technical systems perspective. In Crowds in the 21st Century; Routledge: London, UK, 2015; pp. 80–97. [Google Scholar]
- Pollini, A.; Callari, T.C.; Tedeschi, A.; Ruscio, D.; Save, L.; Chiarugi, F.; Guerri, D. Leveraging human factors in cybersecurity: An integrated methodological approach. Cogn. Technol. Work 2022, 24, 371–390. [Google Scholar] [CrossRef]
- Griffiths, S.; Del Rio, D.F.; Sovacool, B. Policy mixes to achieve sustainable mobility after the COVID-19 crisis. Renew. Sustain. Energy Rev. 2021, 143, 110919. [Google Scholar] [CrossRef]
- Ryan, T.; Ryan, N.; Hynes, B. The integration of human and non-human actors to advance healthcare delivery: Unpacking the role of actor-network theory, a systematic literature review. BMC Health Serv. Res. 2024, 24, 1342. [Google Scholar] [CrossRef] [PubMed]
- Smith, M.; Miller, S. Technology, institutions and regulation: Towards a normative theory. AI Soc. 2023, 1–11. [Google Scholar] [CrossRef]
- Oetzel, J.; Miklian, J. Multinational enterprises, risk management, and the business and economics of peace. Multinatl. Bus. Rev. 2017, 25, 270–286. [Google Scholar] [CrossRef]
- Appelbaum, S.H. Socio-technical systems theory: An intervention strategy for organizational development. Manag. Decis. 1997, 35, 452–463. [Google Scholar] [CrossRef]
- Shaw, R.S.; Chen, C.C.; Harris, A.L.; Huang, H.-J. The impact of information richness on information security awareness training effectiveness. Comput. Educ. 2009, 52, 92–100. [Google Scholar] [CrossRef]
- Zwilling, M.; Klien, G.; Lesjak, D.; Wiechetek, Ł.; Cetin, F.; Basim, H.N. Cyber security awareness, knowledge and behavior: A comparative study. J. Comput. Inf. Syst. 2022, 62, 82–97. [Google Scholar] [CrossRef]
- OAIC. Part 1: Data Breaches and the Australian Privacy Act. Available online: https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/preventing-preparing-for-and-responding-to-data-breaches/data-breach-preparation-and-response/part-1-data-breaches-and-the-australian-privacy-act (accessed on 9 March 2024).
- Evans, M.; He, Y.; Maglaras, L.; Janicke, H. HEART-IS: A novel technique for evaluating human error-related information security incidents. Comput. Secur. 2019, 80, 74–89. [Google Scholar] [CrossRef]
- Wong, W.P.; Tan, H.C.; Tan, K.H.; Tseng, M.-L. Human factors in information leakage: Mitigation strategies for information sharing integrity. Ind. Manag. Data Syst. 2019, 119, 1242–1267. [Google Scholar] [CrossRef]
- Chaufan, C. Is COVID-19 “vaccine uptake” in postsecondary education a “problem”? A critical policy inquiry. Health 2023, 28, 831–857. [Google Scholar] [CrossRef]
- Marić, J.; Gama-Araujo, I. Implications of the COVID-19 pandemic in education and vaccine hesitancy among students: A cross-sectional analysis from France. Int. J. Logist. Res. Appl. 2024, 27, 557–576. [Google Scholar] [CrossRef]
- Chiguvi, D.; Bakani, K. Exploring the effects of remote work on employee productivity in Botswana amidst the COVID-19 Pandemic. Int. J. Res. Bus. Soc. Sci. 2023, 12, 101–117. [Google Scholar] [CrossRef]
- McElroy, N. Australians Have Lost at Least $7.2 Million to the ‘Hi Mum’ Scam. How Does It Work and Why Is It so Lucrative for Cybercriminals? Available online: https://www.abc.net.au/news/2022-12-12/inside-the-hi-mum-text-scam-how-it-works-whos-behind-it/101726762 (accessed on 12 May 2024).
- Teaster, P.B.; Roberto, K.A.; Savla, J.; Du, C.; Du, Z.; Atkinson, E.; Shealy, E.C.; Beach, S.; Charness, N.; Lichtenberg, P.A. Financial fraud of older adults during the early months of the COVID-19 pandemic. Gerontologist 2023, 63, 984–992. [Google Scholar] [CrossRef]
- Ravenelle, A.J.; Janko, E.; Kowalski, K.C. Good jobs, scam jobs: Detecting, normalizing, and internalizing online job scams during the COVID-19 pandemic. New Media Soc. 2022, 24, 1591–1610. [Google Scholar] [CrossRef]
- Corradini, I. Building a Cybersecurity Culture in Organizations: How to Bridge the Gap Between People and Digital Technology; Springer Nature: Berlin/Heidelberg, Germany, 2020; Volume 284. [Google Scholar]
- Furnell, S.; Shah, J.N. Home working and cyber security–an outbreak of unpreparedness? Comput. Fraud Secur. 2020, 2020, 6–12. [Google Scholar] [CrossRef]
- Triplett, W.J. Addressing human factors in cybersecurity leadership. J. Cybersecur. Priv. 2022, 2, 573–586. [Google Scholar] [CrossRef]
- Nasir, A.; Arshah, R.A.; Ab Hamid, M.R.; Fahmy, S. An analysis on the dimensions of information security culture concept: A review. J. Inf. Secur. Appl. 2019, 44, 12–22. [Google Scholar] [CrossRef]
- Nasir, A.; Abdullah Arshah, R.; Ab Hamid, M.R. A dimension-based information security culture model and its relationship with employees’ security behavior: A case study in Malaysian higher educational institutions. Inf. Secur. J. Glob. Perspect. 2019, 28, 55–80. [Google Scholar] [CrossRef]
- O’Reilly III, C.A.; Chatman, J.; Caldwell, D.F. People and organizational culture: A profile comparison approach to assessing person-organization fit. Acad. Manag. J. 1991, 34, 487–516. [Google Scholar] [CrossRef]
- Barney, J.B. Organizational culture: Can it be a source of sustained competitive advantage? Acad. Manag. Rev. 1986, 11, 656–665. [Google Scholar] [CrossRef]
- Van‘t Wout, C. Develop and maintain a cybersecurity organisational culture. In Proceedings of the ICCWS 2019 14th International Conference on Cyber Warfare and Security, ICCWS, Stellenbosch, South Africa, 28 February–1 March 2019. [Google Scholar]
- Georgiadou, A.; Mouzakitis, S.; Askounis, D. Working from home during COVID-19 crisis: A cyber security culture assessment survey. Secur. J. 2022, 35, 486–505. [Google Scholar] [CrossRef]
- Ravi, P.; Ismail, A.; Kumar, N. The pandemic shift to remote learning under resource constraints. Proc. ACM Hum.-Comput. Interact. 2021, 5, 1–28. [Google Scholar] [CrossRef]
- Rawal, D.M. Mapping of school teachers’ digital competency in the context of digital infrastructure: A systematic review and empirical study of India. J. Prof. Cap. Community 2024, 9, 173–195. [Google Scholar] [CrossRef]
- CROWDSTRIKE. Slippy Spider. Available online: https://www.crowdstrike.com/adversaries/slippy-spider/ (accessed on 7 May 2023).
- Todeva, E.; Knoke, D. Strategic alliances and models of collaboration. Manag. Decis. 2005, 43, 123–148. [Google Scholar] [CrossRef]
- Kaur, M. Opportunities and Challenges faced by Education Sector as a Consequence of COVID-19 Pandemic—A Review. ANVESHAK-Int. J. Manag. 2022, 11, 31–41. [Google Scholar] [CrossRef]
- Kang, B. How the COVID-19 pandemic is reshaping the education service. Future Serv. Post-COVID-19 Pandemic 2021, 1, 15–36. [Google Scholar]
- Smith, D.J.; Simpson, K.G. The Safety Critical Systems Handbook: A Straightforward Guide to Functional Safety: IEC 61508 (2010 Edition), IEC 61511 (2015 Edition) and Related Guidance; Butterworth-Heinemann: Oxford, UK, 2020. [Google Scholar]
- Bahashwan, A.A.; Anbar, M.; Manickam, S.; Al-Amiedy, T.A.; Aladaileh, M.A.; Hasbullah, I.H. A systematic literature review on machine learning and deep learning approaches for detecting DDoS attacks in software-defined networking. Sensors 2023, 23, 4441. [Google Scholar] [CrossRef] [PubMed]
- Gaurav, A.; Gupta, B.B.; Panigrahi, P.K. A novel approach for DDoS attacks detection in COVID-19 scenario for small entrepreneurs. Technol. Forecast. Soc. Chang. 2022, 177, 121554. [Google Scholar] [CrossRef]
- York, D. Seven Deadliest Unified Communications Attacks; Syngress: Oxford, UK, 2010. [Google Scholar]
- Mandal, S.; Khan, D.A. A Study of security threats in cloud: Passive impact of COVID-19 pandemic. In Proceedings of the 2020 International Conference on Smart Electronics and Communication (ICOSEC), Trichy, India, 10–12 September 2020; pp. 837–842. [Google Scholar]
- Hussein, M.R.; Shams, A.B.; Apu, E.H.; Mamun, K.A.A.; Rahman, M.S. Digital surveillance systems for tracing COVID-19: Privacy and security challenges with recommendations. arXiv 2020, arXiv:2007.13182. [Google Scholar]
- Proofpoint. What Is Malware? Available online: https://www.proofpoint.com/au/threat-reference/malware (accessed on 6 July 2024).
- Yadav, R. Cyber security threats during COVID-19 pandemic. Int. Trans. J. Eng. Manag. Appl. Sci. Technol. 2021, 12, 12A3Q. [Google Scholar]
- Alrabaee, S.; Manna, R. Boosting students and teachers cybersecurity awareness during COVID-19 pandemic. In Proceedings of the 2021 IEEE Global Engineering Education Conference (EDUCON), Vienna, Austria, 21–23 April 2021; pp. 726–731. [Google Scholar]
- Mallik, A. Man-in-the-middle-attack: Understanding in simple words. Cyberspace J. Pendidik. Teknol. Inf. 2019, 2, 109–134. [Google Scholar] [CrossRef]
- Sebastian, G. A descriptive study on cybersecurity challenges of working from home during COVID-19 pandemic and a proposed 8 step WFH cyber-attack mitigation plan. Commun. IBIMA 2021, 2, 2–7. [Google Scholar]
- DeCusatis, C.; Bavaro, J.; Cannistraci, T.; Griffin, B.; Jenkins, J.; Ronan, M. Red-blue team exercises for cybersecurity training during a pandemic. In Proceedings of the 2021 IEEE 11th Annual Computing and Communication Workshop and Conference (CCWC), Virtual, 27–30 January 2021; pp. 1055–1060. [Google Scholar]
- Zhou, Z.; Gaurav, A.; Gupta, B.; Hamdi, H.; Nedjah, N. A statistical approach to secure health care services from DDoS attacks during COVID-19 pandemic. Neural Comput. Appl. 2021, 36, 1–14. [Google Scholar] [CrossRef]
- Shersad, F.; Salam, S. Managing risks of E-learning during COVID-19. Int. J. Innov. Res. Educ. Sci. 2020, 7, 2349–5219. [Google Scholar]
- Khweiled, R.; Jazzar, M.; Eleyan, D. Cybercrimes during COVID-19 pandemic. Int. J. Inf. Eng. Electron. Bus. 2021, 13, 1. [Google Scholar] [CrossRef]
- Odiase, I. What Is a Password Breach? Available online: https://www.keepersecurity.com/blog/2023/09/08/what-is-a-password-breach/#:~:text=A%20password%20breach%20is%20when,password%20habits%20are%20the%20culprit (accessed on 7 June 2024).
- Ahmed, J.; Tushar, Q. COVID-19 pandemic: A new era of cyber security threat and holistic approach to overcome. In Proceedings of the 2020 IEEE Asia-Pacific Conference on Computer Science and Data Engineering (CSDE), Gold Coast, Australia, 16–18 December 2020; pp. 1–5. [Google Scholar]
- Bernstein, C. What Is Credential Theft? Available online: https://www.techtarget.com/searchsecurity/definition/credential-theft#:~:text=Credential%20theft%20is%20a%20type,in%20a%20credential%2Dbased%20attack (accessed on 9 September 2023).
- Alexei, L.A.; Alexei, A. Cyber security threat analysis in higher education institutions as a result of distance learning. Int. J. Sci. Technol. Res. 2021, 10, 128–133. [Google Scholar]
- Muthuppalaniappan, M.; Stevenson, K. Healthcare cyber-attacks and the COVID-19 pandemic: An urgent threat to global health. Int. J. Qual. Health Care 2021, 33, mzaa117. [Google Scholar] [CrossRef]
- Faraj, S.; Renno, W.; Bhardwaj, A. Unto the breach: What the COVID-19 pandemic exposes about digitalization. Inf. Organ. 2021, 31, 100337. [Google Scholar] [CrossRef]
- Anand, P. Report: 80% of Data Breaches Caused by Lack of Cyber Security Skills. Available online: https://www.itpro.com/security/data-breaches/367528/report-80-of-data-breaches-caused-by-lack-of-cyber-security-skills (accessed on 9 May 2024).
- Ramim, M.; Levy, Y. Securing e-learning systems: A case of insider cyber attacks and novice IT management in a small university. J. Cases Inf. Technol. (JCIT) 2006, 8, 24–34. [Google Scholar] [CrossRef]
- Jones, R.N. An environmental risk assessment/management framework for climate change impact assessments. Nat. Hazards 2001, 23, 197–230. [Google Scholar] [CrossRef]
- Radware. Insufficient Logging and Monitoring. Available online: https://www.radware.com/cyberpedia/application-security/insufficient-logging-and-monitoring/#:~:text=Insufficient%20logging%20and%20monitoring%20refers,to%20the%20incident%20or%20breach. (accessed on 12 June 2024).
- Chigada, J.; Madzinga, R. Cyberattacks and threats during COVID-19: A systematic literature review. S. Afr. J. Inf. Manag. 2021, 23, 1–11. [Google Scholar] [CrossRef]
- Fezzey, T.; Batchelor, J.H.; Burch, G.F.; Reid, R. Cybersecurity continuity risks: Lessons learned from the COVID-19 pandemic. J. Cybersecur. Educ. Res. Pract. 2023, 2022, 4. [Google Scholar] [CrossRef]
- Talend. What Is a Legacy System? Available online: https://www.talend.com/resources/what-is-legacy-system/#:~:text=A%20legacy%20system%20is%20outdated,all%20it%20will%20ever%20do (accessed on 14 July 2023).
- Weil, T.; Murugesan, S. IT risk and resilience—Cybersecurity response to COVID-19. IT Prof. 2020, 22, 4–10. [Google Scholar] [CrossRef]
- Javaid, M.; Khan, I.H. Internet of Things (IoT) enabled healthcare helps to take the challenges of COVID-19 Pandemic. J. Oral Biol. Craniofacial Res. 2021, 11, 209–214. [Google Scholar] [CrossRef]
- Senarciens, P.D. Governance and the crisis in the international mechanisms of regulation. Int. Soc. Sci. J. 1998, 50, 91. [Google Scholar] [CrossRef]
- Al-Hawawreh, M.; Den Hartog, F.; Sitnikova, E. Targeted ransomware: A new cyber threat to edge system of brownfield industrial Internet of Things. IEEE Internet Things J. 2019, 6, 7137–7151. [Google Scholar] [CrossRef]
- Lai, B. The Threat of Ransomware. Available online: https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/pubs/BriefingBook47p/ThreatRansomware#:~:text=Consistent%20with%20these%20global%20trends,on%20the%20previous%20financial%20year. (accessed on 7 May 2023).
- ISO/IEC 27001:2022; Information Security, Cybersecurity and Privacy Protection—Information Security Management Systems—Requirements. ISO: Geneva, Switzerland, 2022.
- Butt, U.; Dauda, Y.; Shaheer, B. Ransomware attack on the educational sector. In AI, Blockchain and Self-Sovereign Identity in Higher Education; Springer: Berlin/Heidelberg, Germany, 2023; pp. 279–313. [Google Scholar]
- Cythera. Cybersecurity. Available online: https://cythera.com.au/resources/security-legislation-in-australia#:~:text=The%20NIST%20CSF%20is%20a,Detect%2C%20Respond%2C%20and%20Recover (accessed on 18 July 2024).
- CyberCX. Ten Things You Should Know About ISO/IEC 27001. Available online: https://cybercx.com.au/resource/ten-things-you-should-know-about-iso-iec-27001/ (accessed on 18 July 2024).
- Çubukçu, C.; Aktürk, C. The rise of distance education during COVID-19 Pandemic and the related data threats: A study about Zoom. Iğdır Üniv. Sos. Bilim. Derg. 2020, 127–144. [Google Scholar]
- Grandinetti, J. “From the classroom to the cloud”: Zoom and the platformization of higher education. First Monday 2022, 27. [Google Scholar] [CrossRef]
- Minister for Education Dan Tehan. Development of University Foreign Interference Taskforce. 2019. Available online: https://www.education.gov.au/guidelines-counter-foreign-interference-australian-university-sector/resources/development-university-foreign-interference-taskforce-media-release (accessed on 7 July 2024).
- AustCyber. SCP—Chapter 3—The Challenge: Australia Needs to Fill the Workforce Gap, Remove Startup Barriers and Strengthen Research and Development. Available online: https://www.austcyber.com/resources/sector-competitiveness-plan-2019/chapter3 (accessed on 6 May 2024).
- Government, A. 2023–2030 Australian Cyber Security Strategy. 2023. Available online: https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy/2023-2030-australian-cyber-security-strategy (accessed on 7 June 2024).
- Tokat, Y. Cyber Threats to Hospitals and Critical Infrastructure in Times of COVID-19 Pandemic. 2021. Available online: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4539458 (accessed on 9 August 2024).
- Dwivedi, Y.K.; Hughes, D.L.; Coombs, C.; Constantiou, I.; Duan, Y.; Edwards, J.S.; Gupta, B.; Lal, B.; Misra, S.; Prashant, P. Impact of COVID-19 pandemic on information management research and practice: Transforming education, work and life. Int. J. Inf. Manag. 2020, 55, 102211. [Google Scholar] [CrossRef]
- Carroll, N.; Conboy, K. Normalising the “new normal”: Changing tech-driven work practices under pandemic time pressure. Int. J. Inf. Manag. 2020, 55, 102186. [Google Scholar] [CrossRef]
- Coram, V.; Louth, J.; Tually, S.; Goodwin-Smith, I. Community service sector resilience and responsiveness during the COVID-19 pandemic: The Australian experience. Aust. J. Soc. Issues 2021, 56, 559–578. [Google Scholar] [CrossRef]


| References | Description | Cybersecurity Challenges | 
|---|---|---|
| [19] | The study highlights ten cybersecurity threats during COVID-19, which various organizations have reported from several sectors. | Distributed Denial of Server (DDoS), Malicious attacks, Ransomware, Spam emails, Mobile and Browsing Apps | 
| [20] | The conceptual paper highlights cybersecurity challenges in the health sector during the COVID-19 crisis and strategies to deal with these challenges. | Ransomware, Data breaches, Insecure devices | 
| [9] | The paper categorizes cybersecurity attacks during the pandemic into three categories. The paper reports these issues concerning the countries in which the attack happened. | Ransomware, DDoS, Phishing | 
| [21] | The study analyses various cybersecurity challenges concerning the UK-based case study and investigates the execution of these cybersecurity issues. The study citations are more than 500. | Phishing, Pharming, Extortion, Malware, Financial fraud, Hacking | 
| [18] | The conceptual study classifies cybersecurity attacks into four groups and gave a subjective overview of strategies to avoid these challenges. | Injection, Information Leakage, DoS, and Flow control issues | 
| [13] | The research study empirically explores the use of digital learning platforms to investigate cybersecurity awareness among students in the Malaysian education system. | Virus, Phishing, DNS Spoofing, Misuse of social network, Password strength, Spam emails, Malware, DoS, Session Hijacking, SQL injection, Man-in-the-middle attack | 
| [11] | This study reports the latest literature on the cybersecurity challenges in the ongoing COVID-19 crisis and highlights a few counterstrategies to minimize these issues. | Ransomware, Data breaches, Scams, Fake emails, Malware, Phishing, Session Invasion, DoS | 
| [14] | The qualitative study encourages the importance of different levels of digital literacy regarding cybersecurity in Portuguese Higher Education (HE) students in COVID-19. | - | 
| References | Description | Gaps Identified | 
|---|---|---|
| [35] | The study aims to integrate computational social science and cybersecurity perspectives. The study has highlighted how social structures and human behaviors can influence cybersecurity issues. | The study is based on secondary data. The article is conceptual in nature. Also, the article lacks focus on a specific industry or unit of analysis. | 
| [36] | The study presents a framework for analyzing organizational cybersecurity practices using STS theory, emphasizing the need for balanced consideration of social, technical, and environmental dimensions. | Although the paper gives references to the case studies or practical examples to illustrate the framework, it does not involve original empirical data collection. | 
| [37] | The authors review cybersecurity metrics from an STS perspective. The paper highlights the importance of adaptable and aggregated metrics that consider human and technical elements. | The paper is a conceptual review paper and lacks empirical evidence. Also, the paper focuses on small and medium enterprises for performing the systematic review. | 
| [38] | This review identifies and analyses cybersecurity risks specific to higher education institutions, considering both technical vulnerabilities and human factors that contribute to security challenges | The study is conducted in the higher education sector and considers technical and human factors. However, the study is a systematic review paper and lacks empirical evidence. | 
| [39] | The study explores how organizations can achieve cyber resilience by addressing vulnerability at the intersections of STS theory | The study is a systematic review paper and has only reported cyber resilience based on social, technical, and environmental dimensions of STS theory. The study lacks empirical evidence and does not specify the unit of analysis. | 
| [40] | The study provides an assessment of current cybersecurity threats to educational institutions. The study also mentioned the importance of considering STS factors in developing effective security measures. | The study provides a theoretical exploration of cybersecurity challenges specific to the educational sector. The study lacks the collection of empirical primary data from HERS. | 
| [41] | The paper discusses the integration of sociotechnical cybersecurity concepts into project-based learning environments in higher education, aiming to enhance students’ understanding of the complex interplay between social and technical aspects of cybersecurity | The study focus was to develop learning modules to introduce higher education students to foundational sociotechnical concepts related to security and privacy instead of exploring the cybersecurity challenges in the HERS. | 
| Case Code | Pseudo Code | Role | HEIs Code | Code | Role | 
|---|---|---|---|---|---|
| C1 | R001 | Chief Security Officer (CSO) | C3 | R017 | Senior IT Officer | 
| C1 | R002 | Information Security Manager (ISM) | C3 | R018 | Senior Security Officer | 
| C1 | R003 | Senior IT Manager | C3 | R019 | Head of Change Management | 
| C1 | R004 | Cybersecurity Analyst | C4 | R020 | Information Security Assistant | 
| C1 | R005 | Security Testing Manager | C4 | R021 | Development Manager | 
| C1 | R006 | Strategic Manager | C4 | R022 | ISO | 
| C2 | R007 | Cybersecurity Lead | C4 | R023 | Senior Manager | 
| C2 | R008 | Data security analyst | C4 | R024 | Senior Changes Management Personnel | 
| C2 | R009 | CSO | C5 | R025 | ISO | 
| C2 | R010 | Information Security Officer (ISO) | C5 | R026 | Senior business analyst | 
| C2 | R011 | CSO | C5 | R027 | Security Engineer | 
| C3 | R012 | ISM | C5 | R028 | Security Consultant | 
| C3 | R013 | Senior IT Manager | C5 | R029 | Technology Audit Manager | 
| C3 | R014 | Security Engineer | C5 | R030 | ISO | 
| C3 | R015 | ISO | C5 | R031 | Senior Changes Management Personnel | 
| C3 | R016 | Senior Executive Officer | 
| Participants Quotes | Open Coding | Thematic Coding | Core Themes | 
|---|---|---|---|
| while working from home, the communication between our main server and other lower-level control systems was disrupted by a DoS attack. Due to this, all our employees systems was denying access to the server network. | DoS attack | Technology-related cybersecurity challenges | Technical Subsystem | 
| the attacker oversees to urge our IT back e-mail passwords and was controlling the emails being sent by our support people | Eavesdropping attack | ||
| a massive malicious attack happened and chatbot app control was in the hands of the hacker. Although it was just for [a] few minutes but still that few mins I remembered were difficult to us | Malicious attack | ||
| At first, all we had set up was essentially a link to a video meeting, which, in reality, wasn’t at all secure. Anyone might access it by clicking the link. As a result, they appeared occasionally. instances in which hackers might dismiss a teacher from class or cause disturbances during the virtual eLearning meetings. That was a significant difficulty at first. | MITM attack | ||
| There were several issues offering online learning to international students, [which] opened us more towards the network attacks. | Network attack | ||
| One of the primary complaints coming to us was the targeting [of] phishing emails. They are using incorrect email addresses which looks similar to the official ones like peterjohnson@fds.com.au this is the official one and the phishing email send by hackers are using like peterjohnson@fdss.com so they just alter a bit. Employees just thought its an official email and reply to them. | Phishing emails | ||
| there was a technical problem with password hacking. Before, we used relatively easy passwords, such “abc1” | Password breaches | ||
| Hackers steal paid membership learning materials by stealing academic staff personal account information. | Credential thefts | Work and Task Related cybersecurity challenges | |
| thousands of staff members personal data was leaked due to our supplier’s mistake. The suppliers system was hacked. | Data breaches | ||
| employees didn’t have cyber skills. I think our system wasn’t designed for it. Basic process should have involved the upskilling of cyberskills to avoid massive attacks. Specially during this hybrid mode of work we realized it. | Lack of cyber skills | ||
| Cyberattacks like session hijacking, zoom crashers were increasing and after thorough thinking, we came up with the results that our IT policies are very weak. | Lack of appropriate IT policies and procedures | ||
| I would like to highlight that non-technical staff struggled a lot because they didn’t have any knowledge of these security issues. Staff was unaware how to install firewalls, VPNS, use secure networks, etc. because before this COVID-19, everything was being done by the IT and Cyber support department | Lack of security awareness | People-related cybersecurity challenges | Social Subsystem | 
| if I think of cyber social risks, the first thing comes in mind during remote working is the information mishandling incidents by employees. The official information was being leaked due to unintentional employee mistakes. We couldn’t blame them as they were themselves not aware of this major cyber issue. We all know how important data sensitivity issue is | Mishandling information | ||
| a hostile attack occurred while people were working from home, and that hacker into our official portals, seized control of it, and put messages telling people not to obtain the COVID-19 vaccine because, as many people have heard, the government is giving out outdated shots | Coronavirus vaccine scam | ||
| You know the major human-related error causing cybersecurity incident I would like to highlight is the colleague scam. You can say Hi Mum Scam which our employees got victim of. Back in 2022, it was reported on various platforms that our employees sent money to fake colleagues who were hackers | Hi colleague scam | ||
| Like when we were sitting in the office, we simply turned our head towards a colleague and asked did you get an email from this department? And if the other person says no, they quickly guess, it’s spam, so they just ignore it, but when the employee was working from home, they don’t have a chance to ask the person sitting next to their workstation and the majority of our employees became victims of phishing emails, clicking false links. So, I would say a significant security challenge was communication between entities | Lack of communication | Structure-related cybersecurity challenges | |
| Old practices were playing a prominent role in increased cybersecurity challenges during RW in such crisis situations. Therefore, a cultural shift was required, and this was a big challenge | Cultural change | ||
| The major issue was work changes and cyber challenges due to it. Essential tools like firewalls, anti-virus software, and intrusion detection systems require both initial investment and ongoing maintenance costs which we weren’t focusing on before the remote work change. We weren’t expecting such huge cybersecurity attacks during this new work environment change | Lack of budget and resources | ||
| The hacker didn’t use any high tech to get access, rather, it was reported that they used a simple social engineering technique to get access to our cloud system which we all were all thinking was highly secured. Anyway, it wasn’t, they got access and after reaching out to all employees credentials and PII, the group leaked it to social media platforms. I heard they even sell it at dark web. I would say this attack which they call now slippy spider, is one of the most powerful attacks during hybrid mode of working | Slippy spider attack | ||
| I believe most of the cybersecurity issues arose because our internal systems were not prepared for such massive pandemic conditions | Insufficient monitoring and detection capabilities | Internal environment-related cybersecurity challenges | Environmental Subsystem | 
| our risk plans were too old. We didn’t update them especially since we didn’t focus on updating them according to the new cybersecurity issues. This was itself a big cybersecurity issue as this lack of appropriate risk plans led us to be victims of increasing cybersecurity issues. | Inadequate planning and preparation | ||
| before this pandemic, we never spend that much on technology especially cyber technology. That was the major reason that our traditional systems were not secure enough and we became victims of such massive attacks. | Legacy systems | ||
| If I tell you the truth, we weren’t prepared for hybrid work and most of these increases in attacks were due to insecure networks that employees were using at various public places | Use of insecure outside office spaces | External environment-related cybersecurity challenges | |
| we got victims of targeted ransomware attacks where we got emails from fake WHO and other governmental bodies and clicked the fake malware links. The malicious links interrupted the official systems, and attackers were asking the organization to pay the ransom in exchange for getting back system access otherwise, all information could be leaked to third parties. Attackers were well aware of our valuable data, and they knew we would pay to regain access at any cost | Targeted ransomware attacks | Legal and regulatory-related cybersecurity challenges | Political Subsystem | 
| I remember when we started using Zoom, and yes privacy was breached. Zoom wasn’t secure at all. | Zoom bombing | ||
| most of the attacks could be controlled if we had appropriate Victorian cybersecurity policies relevant to remote working | Temporary shutdown of IT systems | Policy-related cybersecurity challenges | |
| Due to the shortage of cyber professionals across the state, there was a massive increase in network, phishing and scam attacks during hybrid mode of work. You know, Australia has a massive shortage of qualified cyber professionals and this shortage cannot be fulfilled until the government takes significant steps. | Lack of appropriate cybersecurity educational ecosystem | National Cybersecurity Challenges | Economic Subsystem | 
| most of the phishing and scam attacks were due to a lack of finances and managing the finances wasn’t considered ever. The Australian government has no such financial cybersecurity programs that can help institutions to gain cybersecurity training and skills. | Need for suitable national economic cyber resources | ||
| one of the key challenges is the lack of international authorities’ interest in developing one standard that can be implemented worldwide. | Inadequate international authoritative cybersecurity bodies | Global Cybersecurity Challenges | 
| Reference | Aim | Industry | Methodology | Participants | Gaps Identified | 
|---|---|---|---|---|---|
| [59] | The paper presents a human approach where the individual, organizational, and technological factors are investigated and reveal how they impact cybersecurity risks | Healthcare | Qualitative | Management, operative, and IT experts | The paper focuses more on the human factor as compared with other STS dimensions. Also, the study’s results are from different industries. | 
| [37] | The paper systematically reviewed sociotechnical cybersecurity metrics and investigated the issue in small and medium enterprises. | Small and medium enterprise | Systematic literature review | Secondary data | The paper lacks empirical evidence and is a conceptual literature review. Also, the type of industry and unit of analysis is different from the current study. | 
| [60] | The paper reviews and examines the sociocultural dynamics of transportation in the COVID-19 crisis and how it impacts carbon efficiency in transportation. | Transportation | Systematic literature review | Secondary data | The study uses sociotechnical factors from a different perspective rather than considering cybersecurity challenges in a major crisis. | 
| [36] | The study validates management process that identifies and organizational sociotechnical security gaps in existing enterprise systems security frameworks. | Not specified | Qualitative | Practitioners | The study’s focus is on identifying security gaps in current cybersecurity frameworks instead of using STS theory to outline cybersecurity challenges. Also, the study has not specified the type of industry practitioners. | 
| [16] | STS approach is used to build a simulation-based teaching tool in the ICT ecosystem, towards cybersecurity. | Higher education | quantitative | students | The study does not address cybersecurity challenges due to human errors. Also, the unit of analysis is students, and the study is not focused on cybersecurity issues in major crisis. | 
| [34] | The study investigates and maps behavioral patterns to sociotechnical risk factors and shows how specific behaviors have the potential to push an organization’s working practices across its security boundaries. | Not specified | Qualitative | Not specified | The study’s focus is on exploring behavioral patterns using STS theory and other risk factors. Also, the study lacks a specifying explanation about the type of participants and industry. | 
| STS Framework by Challenger and Challenger (2010) and Clegg (2007) | Proposed STS Cybersecurity Framework in Current Research | |
|---|---|---|
| 1 | The framework proposed involves the elements from the social and technical subsystem. | The study extends and includes elements from five organizational subsystems: social, technical, political, economic, and environment. | 
| 2 | The framework focuses on disaster and fire events. | The study has classified cybersecurity challenges that emerged amidst major crises considering HERS exclusively. | 
| 3 | The framework is based on three crowd-related disasters: the Hillsborough football stadium disaster (1989), the King’s Cross underground fire (1987), and the Bradford City stadium fire (1985). | The proposed framework classifies security issues considering the recent major crisis that is COVID-19 pandemic. | 
| 4 | The study itself recommends using the STS framework in other areas, including security, and resilience. | The proposed framework has empirically explored and classified cybersecurity challenges using the STS dimensions. | 
| 5 | The framework is general for achieving joint optimization in organizations by interrelating only social and technical elements. | The framework explores emerging cybersecurity challenges by studying social, technical, political, economic, and environmental interrelations. | 
| Existing Theories/Frameworks | Proposed STS Framework | 
|---|---|
| Actor–network theory (ANT) highlights the relationships between human and non-human factors. The focus is on the interaction of entities within a system. Ryan et al. [61] emphasize that ANT recognizes collective efforts to change social conditions as complex systems of action shaped by sociotechnical networks. | While it is valuable for understanding the interactions within a system, ANT lacks a structured approach to evaluate systemic interdependencies across broader dimensions like political or economic contexts. Also, the five subsystems in the STS framework extend beyond the relational focus of ANT, enabling deeper insights into how external factors (e.g., regulatory policies, market dynamics, and environmental constraints) impact cybersecurity. | 
| Institutional Theory focuses on how norms, rules, and institutional structures shape organizational behavior, offering valuable insights into governance and compliance. However, it often overlooks technical nuances and environmental factors critical to cybersecurity. Research study states that Institutional Theory tends to focus on formal structures and may not adequately account for the dynamic interplay between technological advancements and environmental contexts in cybersecurity [62]. These perspectives suggest that while Institutional Theory provides a framework for understanding organizational behavior, it may not fully capture the multifaceted challenges present in cybersecurity. | The proposed STS framework incorporates institutional elements within its political and social subsystems while addressing technical cybersecurity vulnerabilities and solutions. Unlike Institutional Theory, the proposed STS framework emphasizes the dynamic interactions between five subsystems, which is critical for understanding adaptive cybersecurity challenges in rapidly changing technological environments. | 
| Risk management frameworks are instrumental in identifying, assessing, and mitigating risks, primarily concentrating on technical and procedural elements. However, they often overlook the broader sociopolitical and economic contexts that influence risk. Oetzel and Miklian [63] argue that current risk management approaches often fail due to their limitations in addressing the dynamic and interconnected nature of today’s business environment. They assert that “doing so requires new ways of conceptualizing the problem and a willingness to redefine what we mean by risk management”, highlighting the necessity for frameworks that encompass sociopolitical and economic dimensions. | The proposed STS framework integrates risk considerations within its technical subsystem but goes further to explore how risks emerge from and influence social behaviors, political decisions, and economic pressures. Moreover, the framework’s inclusion of environmental factors allows for the evaluation of external shocks (e.g., crises, natural disasters, climate change) that conventional risk frameworks often neglect. | 
| Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. | 
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Mahmood, S.; Chadhar, M.; Firmin, S. Addressing Cybersecurity Challenges in Times of Crisis: Extending the Sociotechnical Systems Perspective. Appl. Sci. 2024, 14, 11610. https://doi.org/10.3390/app142411610
Mahmood S, Chadhar M, Firmin S. Addressing Cybersecurity Challenges in Times of Crisis: Extending the Sociotechnical Systems Perspective. Applied Sciences. 2024; 14(24):11610. https://doi.org/10.3390/app142411610
Chicago/Turabian StyleMahmood, Samreen, Mehmood Chadhar, and Selena Firmin. 2024. "Addressing Cybersecurity Challenges in Times of Crisis: Extending the Sociotechnical Systems Perspective" Applied Sciences 14, no. 24: 11610. https://doi.org/10.3390/app142411610
APA StyleMahmood, S., Chadhar, M., & Firmin, S. (2024). Addressing Cybersecurity Challenges in Times of Crisis: Extending the Sociotechnical Systems Perspective. Applied Sciences, 14(24), 11610. https://doi.org/10.3390/app142411610
 
        
 
                                                

 
       
       