Addressing Human Factors in Cybersecurity Leadership
Abstract
1. Introduction
2. Cybersecurity as a Citizen’s Challenge
3. Corporate Communications
4. The Role of Cybersecurity Leaders in Promoting Cybersecurity
5. Materials and Methods
6. Results
Citation | Repository | Purpose | Participants | Method | Findings | Enforcement | Suggestions |
---|---|---|---|---|---|---|---|
Aldawood and Skinner [33] | WoS | To raise awareness and educate employees on cybersecurity social engineering | Six cybersecurity specialists; 15 articles | Qualitative | Defines social engineering as manipulating a user of technology by deceiving them. Identifies humans as the weakest link in organizational security. | Education in cyberattacks helped reduce incidences. | Qualitative research is needed for employee understanding of cybersecurity. |
Nobles [34] | IDEAS/RePEc | To explore human factors influencing cybersecurity in organizations | Nine participants | Qualitative | Cyber-related attacks are propagated by human factors. Nevertheless, managers were reluctant to equip themselves with the knowledge, skills, and expertise to effectively mitigate cyberattacks. | Found lack of cybersecurity training or other enforcements. | Employees, as well as college and university students, should be trained in human factors associated with cybersecurity. |
Dawson and Thomson [15] | WoS | To review the literature on the future of cybersecurity in the workforce | | Systematic literature review | The analysis revealed six themes, including team players, sense of civic duty, social skill, and technical skills, which would be critical in addressing cybersecurity issues. | n/a | Research should examine the cognitive underpinnings of intentional and unintentional cybersecurity risks. |
Wong et al. [35] | WoS | To explore the human factors behind information leakage and the mitigation of insider threats | Five managers from five companies | Qualitative multi-case studies | Information leakage occurred because of intentional and unintentional human behavior. | Mitigation of leakage includes clear ethical codes enforced by an ethical organizational climate and employee training. | Future research should consider quantitative analysis and extension of the geographical reach of studies. |
Jeong et al. [9] | IEEE Xplore | To provide an understanding of human factors in cybersecurity | 27 articles | Systematic literature review | Personality, demographic, and cultural contexts influence employee behavior to unintentionally facilitate malicious attacks. | n/a | Cybersecurity research should incorporate findings from other fields regarding the impact of human factors on technology. |
Ani et al. [16] | Emerald | To evaluate the human factor in industrial cybersecurity efforts | 37 cybersecurity specialists | Quantitative | Lack of knowledge and skills on cybersecurity, negligence, and misinformation on cybercrimes may unintentionally spur increased cases of cyberthreats. | Unintentional effects were mitigated by making cybersecurity training intentional and mandatory. | Future studies can develop automated evaluation tools with cognitive and behavioral components for understanding human factors. |
Williams et al. [36] | Springer | To explore human error in information security, specifically multitasking and interruptions | 15 participants | Qualitative | Distraction of employees by unplanned interruptions and multitasking unintentionally facilitates cyberattacks. | n/a | Continued empirical research in cyberpsychology to guide human–machine solutions for cybersecurity issues. |
Maalem Lahcen et al. [37] | WoS | To explore the role of social and behavioral aspects of cybersecurity | | Systematic literature review | Human factors facilitating cyberattacks include lack of communication, distractions, lack of teamwork, lack of knowledge and skills, and complacency. These factors facilitated unintentional errors and increased organizations’ vulnerability to attacks. | Education as a preventive measure. | An interdisciplinary conceptual framework is needed to investigate behavioral cybersecurity, human factors, modeling, and simulation. |
Kadena and Gupi [38] | Google Scholar | To explore human factors in cybersecurity with the associated risks and factors | | Literature review | Inadequate use of technology by employees, the management’s lack of motivation, and inadequate staffing expose organizations to cyberattacks. | n/a | Private and public cybersecurity companies should be considered in cybersecurity studies. |
Abulencia [39] | Science Direct | To understand insider attacks from the perspective of human factors and mitigation | | Conceptual | Unintentional human factors such as miscommunication, forgetting company policies and procedures, and limited skills and information on cyberattacks may contribute to increased incidents. | n/a | A holistic approach to cybersecurity should be applied instead of analyzing one risk at a time. |
Nifakos et al. [40] | WoS | To investigate how human factors impact cyber security in healthcare organizations | 70 articles | Systematic literature review | Many cyberattacks exploited human weakness, including ignorance of cyber threats to healthcare employees and management. | n/a | There is a need to evaluate the effectiveness of training employees on human factors. |
Rahman et al. [41] | ACM Digital Library | To investigate the role of human factors in cybersecurity | 27 studies | Systematic and scoping literature review | Employees’ and leaders’ social influence, attitude, feelings of usefulness, and perceptions of security impacted their use of technology and the likelihood of being cyberattacked. Related skills and a positive attitude on the use of technology protect against cyberattacks. | Training in cybersecurity skills can reduce cyberattacks. | A qualitative grounded theory research method focusing on the influence of culture could improve research on human factors in cybersecurity. |
Randall and Allen [42] | WoS | To explore how cybersecurity professionals share information in the electrical sector | 13 participants from 10 organizations | Qualitative exploratory case study | Sharing of information exists at interpersonal and intergroup levels. | The impacts of human factors could be addressed via law enforcement agencies and the development of critical infrastructure. | There is a need to examine infrastructural factors that enhance human factors in promoting cyberthreats. |
Georgiadou et al. [43] | WoS | To investigate how a cybersecurity culture framework can help detect insider threats | 28 IT employees and 449 non-IT employees | Qualitative multi-case study research design | The cybersecurity culture framework helps to prevent human behaviors that would facilitate unintentional attacks on organizational information systems. | Appropriate cultural norms help enforce cybersecurity. | The study could be extended to diverse work responsibilities, more dimensions of the cybersecurity culture framework, and wider geographical coverage. |
Hadlington [44] | IGI Global | To explore the human factor in cybersecurity | | Literature review | Cybersecurity research has focused on the role of disgruntled and greedy employees facilitating malicious attacks, but there is inadequate research on unintentional factors, such as poor planning, ignorance, and lack of attention. | Behavioral nudges were identified as an enforcement mechanism of cybersecurity. | Theory on behavioral nudges could contribute to this field. |
Ramlo and Nicholas [45] | WoS | To assess the individual perception of cybersecurity and the diverse views regarding cybersecurity | Six semi-structured interviews | Qualitative | Four perspectives that relate to individual perceptions of cybersecurity were identified, namely, best practices, poor cybersecurity behaviors such as worried but not vigilant persons, naïve cybersecurity practitioners, and cybersecurity as a big problem. | The implementation of best practices could improve cybersecurity. | More research on cybersecurity best practices is needed with regard to human factors. |
Zwilling et al. [32] | WoS | To examine cybersecurity in terms of awareness, knowledge, and behavior | 459 participants from Israel, Poland, and Turkey | Quantitative regression analysis | Internet users were well aware of cyberthreats but employed limited protective measures. Cyber connectedness is closely associated with cybersecurity awareness. | A lack of cybersecurity training was identified. | Future research could explore training programs to increase cyber knowledge, awareness, and connectedness. |
Year | Authors | Journal/Conference | Title | Citations in WoS | Citations in Google Scholar |
---|---|---|---|---|---|
2018 | Dawson and Thomson | Journal | The future cybersecurity workforce: going beyond technical skills for successful cyber performance | 29 | 115 |
2022 | Zwilling et al. | Journal | Cyber security awareness, knowledge and behavior: a comparative study | 24 | 67 |
2018 | Aldawood and Skinner | Conference | Educating and raising awareness on cyber security social engineering: a literature review | 19 | 70 |
2021 | Hadlington | Journal | The “human factor” in cybersecurity: exploring the accidental insider | n/a | 56 |
2019 | Ani et al. | Journal | Human factor security: evaluating the cybersecurity capacity of the industrial workforce | n/a | 44 |
2018 | Nobles | Journal | Botching human factors in cybersecurity in business organizations | n/a | 29 |
2019 | Wong et al. | Journal | Human factors in information leakage: mitigation strategies for information sharing integrity | 9 | 21 |
2021 | Georgiadou et al. | Journal | Detecting insider threat via a cybersecurity culture framework | 4 | 5 |
2020 | Maalem Lahcen et al. | Journal | Review and insight on the behavioral aspects of cybersecurity | 2 | 15 |
2019 | Jeong et al. | Conference | Toward an improved understanding of human factors in cybersecurity | n/a | 12 |
7. Discussion
8. Conclusions
- A cumulative analysis of specific human factors in cybersecurity leadership, including complacent or unintentional behaviors;
- An analysis of the underlying mechanisms, highlighting the ignorance of leaders and employees;
- A cumulative analysis of enforcement initiatives focused on training and including alternative behavioral, cultural, and infrastructural measures;
- A research agenda identifying the recurrent suggestions for future research regarding human factors in cybersecurity, highlighting the usefulness of behavioral and cognitive theories.
Funding
Data Availability Statement
Acknowledgments
Conflicts of Interest
References
- Parenty, T.J.; Domet, J.J. A Leader’s Guide to Cybersecurity: Why Boards Need to Lead—And How to do; Harvard Business Review Press: Boston, MA, USA, 2019. [Google Scholar]
- Pollini, A.; Callari, T.C.; Tedeschi, A.; Ruscio, D.; Save, L.; Chiarugi, F.; Guerri, D. Leveraging human factors in cybersecurity: An integrated methodological approach. Cogn. Technol. Work 2021, 24, 371–390. [Google Scholar] [CrossRef] [PubMed]
- Schultz, E. The human factor in security. Comput. Sec. 2005, 24, 425–426. [Google Scholar] [CrossRef]
- Burkhead, R.L. A Phenomenological Study of Information Security Incidents Experienced by Information Security Professionals Providing Corporate Information Security Incident Management. Doctoral Dissertation, Capella University, Minneapolis, MN, USA, 2014. Available online: https://www.proquest.com/openview/99b9a26ae6ba188163d5aab0e10b7ddb/1?pq-origsite=gscholar&cbl=18750 (accessed on 6 July 2022).
- Van-Zadelhoff, M. The biggest cybersecurity threats are inside your company. Harv. Bus. Rev. 2016, 19. [Google Scholar]
- Corradini, I. Building a Cybersecurity Culture in Organizations: How to Bridge the Gap between People and Digital Technology; Springer Nature: Berlin/Heidelberg, Germany, 2020. [Google Scholar]
- Metalidou, E.; Marinagi, C.; Trivellas, P.; Eberhagen, N.; Skourlas, C.; Giannakopoulos, G. The human factor of information security: Unintentional damage perspective. Procedia Soc. Behav. Sci. 2014, 147, 424–428. [Google Scholar] [CrossRef] [Green Version]
- Soltanmohammadi, S.; Asadi, S.; Ithnin, N. Main human factors affecting information system security. Interdiscip. J. Contemp. Res. Bus. 2013, 5, 329–354. [Google Scholar]
- Jeong, J.; Mihelcic, J.; Oliver, G.; Rudolph, C. Towards an Improved Understanding of Human Factors in Cybersecurity. In Proceedings of the IEEE 5th International Conference on Collaboration and Internet Computing, Los Angeles, CA, USA, 12–14 December 2019; pp. 338–345. [Google Scholar]
- Khan, N.; Houghton, J.R.; Sharples, S. Understanding factors that influence unintentional insider threat: A framework to counteract unintentional risks. Cogn. Technol. Work 2021, 1–29. [Google Scholar] [CrossRef] [PubMed]
- Glaspie, H.W.; Karwowski, W. Human Factors in Information Security Culture: A Literature Review. In International Conference on Applied Human Factors and Ergonomics; Springer: Berlin/Heidelberg, Germany, 2017; pp. 269–280. [Google Scholar]
- Nasir, A.; Arshah, R.A.; Ab Hamid, M.R.; Fahmy, S. An analysis on the dimensions of information security culture concept: A review. J. Inf. Sec. Appl. 2019, 44, 12–22. [Google Scholar] [CrossRef]
- Nasir, A.; Arshah, R.A.; Ab Hamid, M.R. A dimension-based information security culture model and its relationship with employees’ security behavior: A case study in Malaysian higher educational institutions. Inf. Sec. J. Glob. Perspect. 2019, 28, 55–80. [Google Scholar] [CrossRef]
- Uchendu, B.; Nurse, J.R.; Bada, M.; Furnell, S. Developing a cyber security culture: Current practices and future needs. Comput. Sec. 2021, 9, 109. [Google Scholar] [CrossRef]
- Dawson, J.; Thomson, R. The future cybersecurity workforce: Going beyond technical skills for successful cyber performance. Front. Psychol. 2018, 9, 744. [Google Scholar] [CrossRef] [Green Version]
- Ani, U.D.; He, H.; Tiwari, A. Human factor security: Evaluating the cybersecurity capacity of the industrial workforce. J. Sys. Info. Technol. 2019, 21, 2–35. [Google Scholar] [CrossRef]
- Anwar, M.; He, W.; Ash, I.; Yuan, X.; Li, L.; Xiu, L. Gender difference and employees’ cybersecurity behavior. Comput. Hum. Behav. 2017, 69, 437–443. [Google Scholar] [CrossRef] [Green Version]
- Li, L.; He, W.; Xu, L.; Ash, I.; Anwar, M.; Yuan, X. Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior. Int. J. Inform. Manag. 2019, 45, 13–24. [Google Scholar] [CrossRef]
- Marble, J.; Lawless, W.; Mittu, R.; Coyne, J.; Abramson, M.; Sibley, C. The Human Factor in Cybersecurity: Robust & Intelligent Defense. In Advances in Information Security; Jajodia, S., Shakarian, P., Subrahmanian, V., Swarup, V., Wang, C., Eds.; Cyber Warfare; Springer: Berlin/Heidelberg, Germany, 2015; Volume 56. [Google Scholar]
- Klimoski, R. Critical success factors for cyber security leaders: Not just technical competence. People Strategy 2016, 39, 14–18. [Google Scholar]
- Richards, K. Has the CISO role changed under the spotlight? Inf. Secur. Mag. 2014, 56. [Google Scholar]
- Knowles, W.; Prince, D.; Hutchison, D.; Disso, J.F.P.; Jones, K. A survey of cyber security management in industrial control systems. Int. J. Crit. Infr. Prot. 2015, 9, 52–80. [Google Scholar] [CrossRef]
- Möller, D.P.F. Cybersecurity Leadership. In Cybersecurity in Digital Transformation; Springer Briefs on Cyber Security Systems and Networks; Springer: Berlin/Heidelberg, Germany, 2020. [Google Scholar]
- Spidaleri, E.; Kern, S. Pell Center for International Relations and Public Policy. Available online: www.salve.edu/pellcenter (accessed on 6 July 2022).
- Cleveland, S.; Cleveland, M. Towards cybersecurity leadership framework. Proc. MWAIS 2018, 49. Available online: https://www.semanticscholar.org/paper/Toward-Cybersecurity-Leadership-Framework-Cleveland-Cleveland/ce3cbe0986768fd04361214cdb8a094dd7d4323c (accessed on 6 July 2022).
- Hult, F.; Sivanesan, G. What good cyber resilience looks like. J. Bus. Contin. Emerg. Plan. 2014, 7, 112–125. [Google Scholar]
- Burrell, D.N.; Aridi, A.S.; Nobles, C. The critical need for formal leadership development programs for cybersecurity and information technology professionals. Int. J. Cyber Warf. Secur. 2018, pp. 82–91. Available online: https://www.proquest.com/openview/12cbf1c24ddb996f0f01a81fd12f4a4d/1?pq-origsite=gscholar&cbl=396500 (accessed on 6 July 2022).
- Rotherberger, K.E. A Quantitative Study of Perceptions about Leadership Competencies of IT Project Managers. Ph.D. Thesis, Capella University, Minneapolis, MN, USA, 2016. [Google Scholar]
- Hasib, M. Impact of Security Culture on Security Compliance in Healthcare in the USA. Tomorrow’s Strategy Today; CreateSpace: Scotts Valley, CA, USA, 2013. [Google Scholar]
- Munn, Z.; Peters, M.D.; Stern, C.; Tufanaru, C.; McArthur, A.; Aromataris, E. Systematic Review or scoping review? Guidance for authors when choosing between a systematic or scoping review approach. BMC Med. Res. Methodol. 2018, 18, 143. [Google Scholar] [CrossRef]
- Pati, D.; Lorusso, L.N. How to write a systematic review of the literature. Health Environ. Res. Des. J. 2018, 11, 15–30. [Google Scholar] [CrossRef]
- Zwilling, M.; Klien, G.; Lesjak, D.; Wiechetek, Ł.; Cetin, F.; Basim, H.N. Cyber security awareness, knowledge and behavior: A comparative study. J. Comput. Inf. Syst. 2022, 62, 82–97. [Google Scholar] [CrossRef]
- Aldawood, H.; Skinner, G. Educating and raising awareness on Cyber Security Social Engineering: A literature review. In Proceedings of the I.E.E.E. International Conference on Teaching, Assessment, and Learning for Engineering (TALE), Wollongong, Australia, 4–7 December 2018. [Google Scholar]
- Nobles, C. Botching human factors in cybersecurity in business organizations. J. Bus. Public Admin. 2018, 9, 71–88. [Google Scholar] [CrossRef] [Green Version]
- Wong, W.P.; Tan, H.C.; Tan, K.H.; Tseng, M.-L. Human factors in information leakage: Mitigation strategies for information sharing integrity. Ind. Manag. Data Syst. 2019, 119, 1242–1267. [Google Scholar] [CrossRef]
- Williams, C.; Hodgetts, H.M.; Morey, C.; Macken, B.; Jones, D.M.; Zhang, Q.; Morgan, P.L. Human error in information security: Exploring the role of interruptions and multitasking in Action slips. Commun. Comput. Inf. Sci. 2020, 622–629. [Google Scholar]
- Maalem Lahcen, R.A.; Caulkins, B.; Mohapatra, R.; Kumar, M. Review and insight on the behavioral aspects of cybersecurity. Cybersecurity 2020, 3. [Google Scholar] [CrossRef]
- Kadena, E.; Gupi, M. Human factors in cybersecurity. Sec. Sci. J. 2021, 2, 51–64. [Google Scholar] [CrossRef]
- Abulencia, J. Insider attacks: Human-factors attacks and mitigation. Comput. Fraud Sec. 2021, 5, 14–17. [Google Scholar] [CrossRef]
- Nifakos, S.; Chandramouli, K.; Nikolaou, C.K.; Papachristou, P.; Koch, S.; Panaousis, E.; Bonacina, S. Influence of human factors on cyber security within healthcare organisations: A systematic review. Sensors 2021, 21, 5119. [Google Scholar] [CrossRef]
- Rahman, T.; Rohan, R.; Pal, D.; Kanthamanon, P. Human factors in cybersecurity: A scoping review. In Proceedings of the 12th International Conference on Advances in Information Technology, Bangkok, Thailand, 29 June–1 July 2021. [Google Scholar] [CrossRef]
- Randall, R.G.; Allen, S. Cybersecurity professionals information sharing sources and networks in the U.S. Electrical Power Industry. Int. J. Crit. Infrastruct. Prot. 2021, 34, 100454. [Google Scholar] [CrossRef]
- Georgiadou, A.; Mouzakitis, S.; Askounis, D. Detecting insider threat via a cyber-security culture framework. J. Comput. Inf. Syst. 2021, 1–11. [Google Scholar] [CrossRef]
- Hadlington, L. The “human factor” in Cybersecurity. In Psychological and Behavioral Examinations in Cyber Security; IGI Global: Hershey, PA, USA, 2021; pp. 1960–1977. [Google Scholar] [CrossRef] [Green Version]
- Ramlo, S.; Nicholas, J.B. The human factor: Assessing individuals’ perceptions related to cybersecurity. Inf. Comput. Sec. 2021, 29, 350–364. [Google Scholar] [CrossRef]
Discussion Topics | Notes |
---|---|
Humans impede cybersecurity | Humans are the weakest link of cybersecurity. Unintentional activities include setting weak passwords and forgetting to log out of computer systems. |
Complacency | Organizational leaders are complacent or unintentional in instituting policies and measures that would protect organizations from cyberattacks. |
Ignorance | Leaders and employees are ignorant of the red flags and links marked as suspicious. |
Enforcement | Organizations have become reluctant in training employees on cybersecurity, increasing the organizations’ vulnerability, as illustrated by forgetting to log out of computer systems and setting up weak passwords that are easy to crack and infiltrate. |
Interdisciplinarity | Future research in cybersecurity would benefit from analyzing human factors using behavioral and cognitive theories. |
© 2022 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Triplett, W.J. Addressing Human Factors in Cybersecurity Leadership. J. Cybersecur. Priv. 2022, 2, 573-586. https://doi.org/10.3390/jcp2030029