2,898 research outputs found

    Moving from a "human-as-problem" to a "human-as-solution" cybersecurity mindset

    Cybersecurity has gained prominence, with a number of widely publicised security incidents, hacking attacks and data breaches reaching the news over the last few years. The escalation in the number of cyber incidents shows no sign of abating, and it seems appropriate to take a look at the way cybersecurity is conceptualised and to consider whether there is a need for a mindset change. To consider this question, we applied a "problematization" approach to assess current conceptualisations of the cybersecurity problem by government, industry and hackers. Our analysis revealed that individual human actors, in a variety of roles, are generally considered to be "a problem". We also discovered that deployed solutions primarily focus on preventing adverse events by building resistance, i.e. implementing new security layers and policies that control humans and constrain their problematic behaviours. In essence, this treats all humans in the system as if they might well be malicious actors, and the solutions are designed to prevent their ill-advised behaviours. Given the continuing incidence of data breaches and successful hacks, it seems wise to rethink the status quo approach, which we refer to as "Cybersecurity, Currently". In particular, we suggest that there is a need to reconsider the core assumptions and characterisations of the well-intentioned human's role in the cybersecurity socio-technical system. Treating everyone as a problem does not seem to work, given the current cybersecurity landscape. Benefiting from research in other fields, we propose a new mindset, i.e. "Cybersecurity, Differently". This approach rests on recognition of the fact that the problem is actually the high complexity, interconnectedness and emergent qualities of socio-technical systems. The "differently" mindset acknowledges the well-intentioned human's ability to be an important contributor to organisational cybersecurity, as well as their potential to be "part of the solution" rather than "the problem". In essence, this new approach initially treats all humans in the system as if they are well-intentioned. The focus is on enhancing factors that contribute to positive outcomes and resilience. We conclude by proposing a set of key principles and, with the help of a prototypical fictional organisation, consider how this mindset could enhance and improve cybersecurity across the socio-technical system.

    Spartan Daily, November 8, 2018

    Volume 151, Issue 35
    https://scholarworks.sjsu.edu/spartan_daily_2018/1077/thumbnail.jp

    Learning from safety science: A way forward for studying cybersecurity incidents in organizations

    In the aftermath of cybersecurity incidents within organizations, explanations of their causes often revolve around isolated technical or human events such as an Advanced Persistent Threat or a “bad click by an employee.” These explanations serve to identify the responsible parties and inform efforts to improve security measures. However, safety science researchers have long been aware that explaining incidents in socio-technical systems and determining the role of humans and technology in incidents is not an objective procedure but rather an act of social constructivism: what you look for is what you find, and what you find is what you fix. For example, the search for a technical “root cause” of an incident will likely result in a technical fix, while from a sociological perspective, cultural issues might be blamed for the same incident and subsequently lead to improvement of the security culture. Starting from the insights of safety science, this paper aims to extract lessons on which general explanations for cybersecurity incidents can be identified and which methods can be used to study the causes of cybersecurity incidents in organizations. We provide a framework that allows researchers and practitioners to proactively select models and methods for the investigation of cybersecurity incidents.

    Designing the Extended Zero Trust Maturity Model: A Holistic Approach to Assessing and Improving an Organization’s Maturity Within the Technology, Processes and People Domains of Information Security

    Zero Trust is an approach to security where implicit trust is removed, forcing applications, workloads, servers and users to verify themselves every time a request is made. Furthermore, Zero Trust means assuming anything can be compromised, designing networks, identities and systems with this in mind, and following the principle of least privilege. This approach to information security has been put forward as the solution to the weaknesses of traditional perimeter-based information security models, and adoption is starting to increase. However, in past research the principles of Zero Trust have only been applied within the technical domain, to aspects such as networks, data and identities. This indicates a knowledge gap, as the principles of Zero Trust could also be applied to organizational domains such as people and processes to further strengthen information security, resulting in a holistic approach. To fill this gap, we employed design science research to develop a holistic maturity model for Zero Trust based on these principles: the EZTMM. We performed two systematic literature reviews, on Zero Trust and on maturity model theory respectively, and collaborated closely with experts and practitioners at the operational, tactical and strategic levels of six different organizations. The resulting maturity model was anchored in prior Zero Trust and maturity model literature, as well as in practitioner and expert experience and knowledge. The EZTMM was evaluated by our respondent organizations through two rounds of interviews before being used by one respondent organization to perform a maturity assessment of its own organization as part of our case study evaluation. Each interview round resulted in ample feedback and learning, while the case study allowed us to evaluate and improve the model in a real-world setting. Our contribution is twofold: a fully functional, holistic Zero Trust maturity model with an accompanying maturity assessment spreadsheet (the artifact), and our reflections and suggestions regarding further development of the EZTMM and research on the holistic application of Zero Trust principles for improved information security.

    Citizens in the Digital Age: ICTs safety & security

    The idea is to extend the studies and try to create a common umbrella not only for cybersecurity but for any kind of technology solution that ranges across security, safety and even disaster prevention, recovery and management. If we consider safety, we have natural and human disasters but also infrastructure, transportation, safety at the workplace, our everyday life and health. If we speak about security, apart from cybersecurity, we have human security, the security of goods, assets and items (including food, drugs, etc.), but also the security of ideas. Some actions in this field: on the occasion of the 10th World Summit on the Information Society (WSIS) in May 2015 in Geneva, a group was created to support the idea of enlarging the scope of action line C5 (Building confidence and security in the use of ICTs). This group will have the possibility to discuss this at the Preparatory Meeting of the WSIS in October at the United Nations Secretariat, New York. The hope is that this will lead to a new programme for the follow-up of the WSIS. To conclude with an example, Grillo is a compact device, a cube, created by a group of young Mexicans in order to provide citizens with an early warning system in case of an earthquake. The moderator then followed up with a question concerning the four aspects of cybersecurity mentioned (safety, security, disaster prevention, recovery and management), taking us away from a more technical aspect to a more human one in terms of the era we live in and how we deal with disasters in these areas. Why those four areas? To be more explanatory, Mr Ronchi referred to an example from the technical university where he teaches: there are a lot of skills related to security and safety in different departments. However, in each department people used to work as stand-alone researchers, and no one tried to mix the knowledge and the different skills in order to improve the potential of the group. It took 10 years to bring all of them together and to create a cluster of people consisting of chemical engineers, structural engineers, mechanical engineers, people from information science, etc., and to create a small unit of about 50 people who share the same concept of security. During the very first meeting almost every participant declared that they had learned something from a colleague coming from another sector and that transferring this to their own sector was useful. Starting from this small nucleus, a kind of international group, a joint research group, has been created, aggregating additional forces in order to improve this holistic vision of risk assessment in general. This is very close to what was mentioned in the presentation: the idea of putting together things that are usually kept separate.

    Local Government Cybersecurity: How Michigan Counties Cope with Cyber Threats

    In the age of global interconnectedness, we can all be equally affected by cyberattacks. Given the evolving nature of threat landscapes, comprehensive and preemptive practices are needed now more than ever to keep local government and citizen data secure. According to Recorded Future, in 2019 local U.S. government infrastructure was targeted by ransomware attacks 100 times. Cyber threats to local government systems have been increasing exponentially over the last several years, and the frequency of attacks will only continue to grow. Although cyberattacks on local government entities are rising every year, the challenges county IT departments face in combating the thousands of yearly attacks remain largely unexamined. This research study aims to understand how Michigan counties are currently protecting their IT systems, define the challenges they face in improving their cybersecurity posture, and address the potential improvements regarding current cybersecurity practices. This thesis addresses these goals through semi-structured interviews and a post-interview questionnaire with local government IT leaders across the State of Michigan. The results of this research study show that local Michigan governments face challenges in enhancing their county's culture of cybersecurity, in operating with limited funding and support, and in properly utilizing state resources, because they lack the staffing needed to operationalize them. A surprising finding was how essential communication and relationship building are to cybersecurity, and how these relationships shape the culture of cybersecurity in an organization. By identifying these challenges, policymakers can introduce evidence-based policies that address the essential needs of local Michigan counties and provide actionable and implementable solutions. Additionally, it will enable researchers and cybersecurity professionals to develop recommendations and mitigating solutions to improve local Michigan government cybersecurity.
    Master of Science in Information, School of Information
    http://deepblue.lib.umich.edu/bitstream/2027.42/168552/1/20210511_Duque,Marilu_Final_MTOP_Thesis.pd

    Why Do Employees Report Cyber Threats? Comparing Utilitarian and Hedonic Motivations to Use Incident Reporting Tools

    Organizational cybersecurity is threatened by increasingly sophisticated cyberattacks. Early detection of such threats is paramount to ensure organizations’ welfare. Particularly for advanced cyberattacks, such as spear phishing, human perception can complement or even outperform technical detection procedures. However, employees rarely use reporting tools. Whereas prior cybersecurity literature has limited its scope to utilitarian motives, we specifically take hedonic motives, in the form of warm glow, into account to provide a more nuanced understanding of cyber incident reporting behavior. Drawing on a vignette experiment, we test how the design features of report reasoning and risk indication affect users’ acceptance of reporting tools. The results of our mediation analysis contribute to the information systems literature by uncovering the dominant and under-investigated role of hedonic motives in employees’ cyber incident reporting activities. From a practice perspective, our findings provide critical insights for the design of cyber incident reporting tools.

    Introduction to the special issue on the 50th anniversary of IJHCS

    This special issue celebrates the 50th anniversary of the International Journal of Human-Computer Studies (IJHCS), which published its first volume in January 1969. The special issue comprises 15 contributions from a number of experts in Human-Computer Interaction (HCI) and other areas relevant to IJHCS. These contributions are best characterized as ‘landscape papers’, providing insightful analyses of the evolution (i.e., the past, the present and the future) of research areas relevant to IJHCS. The areas covered in this special issue include: the history and scope of the journal; foundational concerns in HCI; critical discussions of the issues surrounding digital living in a variety of areas, from healthcare and cybersecurity to digital games and art; the making of interactive products and services, as seen through the viewpoints defined by research in the psychology of programming, end-user development and participatory design; and, finally, the issues associated with adapting to various novel emerging technologies, including automated systems, online personalisation, human augmentation, mixed reality, and sonic interfaces. In this short essay, we introduce the special issue, reflecting on the nature and evolution of the journal, before providing short outlines of each of the contributions to this special issue.
