15 research outputs found

    Cybersecurity and the unbearability of uncertainty

    Cyber criminals increasingly target Small and Medium Sized Businesses (SMEs) since they are perceived to have the weakest defences. Some will not survive a cyber attack, and others will have their ability to continue trading seriously impaired. There is compelling evidence that, at present, SMEs do not seem to be implementing all the advisable security measures which could help them to resist such attacks. Many in the security industry believe that this is because SMEs do not take the threat seriously. This paper reports on a study to find out whether this is the case, or not. The primary finding is that most SMEs do care about the threat but that very few implement even a small subset of the available security precautions. One contributory factor seemed to be the uncertainty caused by the wealth of conflicting and confusing online advice offered by industry and official bodies. This seemed to be hindering rather than helping SMEs so that they did not know what actions to take to improve their resilience. The conclusion is a recommendation for actions to be taken to better inform SMEs and help them to secure their systems more effectively.

    Re-thinking Decision-Making in Cybersecurity: Leveraging Cognitive Heuristics in Situations of Uncertainty

    The prevailing consensus in cybersecurity is that individuals’ insecure behavior due to inadequate decision-making is a primary source of cyber incidents. The conclusion of this assumption is to enforce desired behavior via extensive security policies and suppress individuals’ intuitions or rules of thumb (cognitive heuristics) when dealing with critical situations. This position paper aims to change the way we look at these cognitive heuristics in cybersecurity. We argue that heuristics can be particularly useful in uncertain environments such as cybersecurity. Based on successful examples from other domains, we propose that heuristic decision-making should also be used to combat cyber threats. Lastly, we give an outlook on where such heuristics could be beneficial in cybersecurity (e.g., phishing detection or incident response) and how they can be found or created.

    Is the responsibilization of the cyber security risk reasonable and judicious?

    Cyber criminals appear to be plying their trade without much hindrance. Home computer users are particularly vulnerable to attack by an increasingly sophisticated and globally dispersed hacker group. The smartphone era has exacerbated the situation, offering hackers even more attack surfaces to exploit. It might not be entirely coincidental that cyber crime has mushroomed in parallel with governments pursuing a neoliberalist agenda. This agenda has a strong drive towards individualizing risk, i.e. advising citizens how to take care of themselves, and then leaving them to face the consequences if they choose not to follow the advice. In effect, citizens are “responsibilized.” Whereas responsibilization is effective for some risks, the responsibilization of cyber security is, we believe, contributing to the global success of cyber attacks. There is, consequently, a case to be made for governments taking a more active role than the mere provision of advice, which is the case in many countries. We conclude with a concrete proposal for a risk regulation regime that would more effectively mitigate and ameliorate cyber risk.

    Would US citizens accept cybersecurity deresponsibilization? Perhaps not

    Responsibilizing governments provide advice about how to manage a variety of risks. If citizens do not heed the advice and things go wrong, they are expected to accept the adverse consequences without complaint. However, in some cases, citizens are unable or unwilling to embrace these government-assigned responsibilities and to act on the advice, for a variety of valid reasons. It may be appropriate for governments to provide more direct support: in essence, deresponsibilizing citizens who struggle to embrace the responsibility. In this paper, we explore whether US citizens would be willing to accept more help from their government in the cyber realm. Using two studies, we find that perceptions related to the government's competence and benevolence are necessary prerequisites for a willingness to be deresponsibilized, and also that many respondents did not have confidence that either of these was sufficient. This deficiency might well render governments’ well-intended deresponsibilization endeavours futile. We conclude by proposing deresponsibilization strategies that acknowledge and accommodate this.

    A cyber situational awareness model to predict the implementation of cyber security controls and precautions by SMEs

    Purpose: There is widespread concern about the fact that small- and medium-sized enterprises (SMEs) seem to be particularly vulnerable to cyberattacks. This is perhaps because smaller businesses lack sufficient situational awareness to make informed decisions in this space, or because they lack the resources to implement security controls and precautions.
    Design/methodology/approach: In this paper, Endsley’s theory of situation awareness was extended to propose a model of SMEs’ cyber situational awareness, and the extent to which this awareness triggers the implementation of cyber security measures. Empirical data were collected through an online survey of 361 UK-based SMEs; subsequently, the authors used partial least squares modeling to validate the model.
    Findings: The results show that heightened situational awareness, as well as resource availability, significantly affects SMEs’ implementation of cyber precautions and controls.
    Research limitations/implications: While resource limitations are undoubtedly a problem for SMEs, their lack of cyber situational awareness seems to be the area requiring most attention.
    Practical implications: The findings of this study are reported and recommendations are made that can help to improve situational awareness, which will have the effect of encouraging the implementation of cyber security measures.
    Originality/value: This is the first study to apply situational awareness theory to understand why SMEs do not implement cyber security best practice measures.

    Cyber security responsibilization: an evaluation of the intervention approaches adopted by the Five Eyes countries and China

    Governments can intervene to a greater or lesser extent in managing the risks their citizens face. They can adopt a maximal intervention approach (e.g. COVID-19) or a hands-off approach, effectively “responsibilizing” their citizens (e.g. unemployment). To manage the cyber risk, governments publish cyber-related policies. The question that we wanted to answer was: “What intervention stances do governments adopt in supporting individual citizens managing their personal cyber risk?” We pinpointed the cyber-related responsibilities that several governments espoused, applying a “responsibilization” analysis. We identified those that applied to citizens, and thereby revealed their cyber-related intervention stances. Our analysis revealed that most governments adopt a minimal cyber-related intervention stance in supporting their individual citizens. Given the increasing number of successful cyber attacks on individuals, it seems time for the consequences of this stance to be acknowledged and reconsidered. We argue that governments should support individual citizens more effectively in dealing with cyber threats.

    Cybersecurity insights gleaned from world religions

    Organisations craft and disseminate security policies, encoding the actions they want employees to take to preserve and protect organisational information resources. They engage in regular cybersecurity awareness and training drives to ensure that employees know what to do, and how to do it. Despite these efforts, employees make mistakes or do not comply with policy dictates, triggering cybersecurity incidents. The reality is that whereas cyber professionals propose, human nature disposes.
    In addressing this kind of conundrum, researchers suggest that it could be beneficial to learn from the established practices of other domains that also grapple with erratic human behaviours. This seems reasonable, given that cybersecurity is a relatively young field, and not yet particularly successful in accommodating human nature and fallibility, whereas other fields have years of experience coping with these kinds of problems. Here, we consider learning from religions, which have been around for millennia. The one aspect that all understand is human nature, and the tendency of humans to make mistakes and behave ill-advisedly, sometimes despite knowing better. Religions have developed a number of practices to accommodate human frailties, and to care for their adherents. This might well be a fruitful domain for cybersecurity professionals to learn from, in terms of harnessing effective mechanisms to encourage secure behaviours.
    To this end, we explored the literature on religions, and interviewed a number of religious leaders to produce a ‘vision for cybersecurity’. The vision was evaluated by cybersecurity professionals, its target audience. We provide our vision here, in the hope that it will launch a debate into a more equitable new era of ‘best practice’ in the cybersecurity domain.

    The Development of a Red Teaming Service-Learning Course

    Despite advancements in pedagogy and technology, students often yearn for more applied opportunities in information security education. Further, small businesses are likely to have inadequate information security postures due to limited budgets and expertise. To address both issues, an advanced course in ethical hacking was developed which allows students to perform security assessments for local businesses through red team engagements. This paper will allow academics to implement similar courses, improving security education for students and increasing opportunities for local businesses to receive affordable security assessments.

    Outsourcing and its Influence on Cybersecurity in SMEs: An Exploratory Study in Norwegian Context

    Outsourcing IT services to a third party is a trend that is becoming more common, and the majority of those who do not yet outsource are considering it. By outsourcing these services, companies do not have to take care of IT themselves and can expect that the provider ensures safety in the solutions. Exactly how cybersecurity is influenced by this in Norwegian small and medium-sized companies is the question this qualitative study addresses. A purposive sampling method was used to recruit participants who had first-hand experience with outsourcing and the potential to provide us with the insight we sought. Semi-structured interviews were conducted with personnel responsible for managing IT in companies with fewer than 250 employees. Data from the interviews were transcribed and analyzed using the qualitative data analysis software NVivo 12 Pro. The study found several different ways in which outsourcing influences cybersecurity. The most prominent security benefits identified were quality improvement and increased capacity. Loss of data control, communication issues, dependency and supply chain attacks were the main security challenges found in the study. To address these difficulties, mitigation measures such as control competency, contracts with SLAs, and a focus on business continuity were identified. The findings of this study can be used by organizations that are considering an outsourcing strategy to be better prepared and make correct choices at an early stage. In addition, it gives companies that already outsource valuable insight into which measures others have applied to mitigate known challenges.
    Keywords: Outsourcing, Small and medium-sized enterprises, Managed service provider, Challenges, Benefits, Mitigation technique