
    Moving from a "human-as-problem" to a "human-as-solution" cybersecurity mindset

    Cybersecurity has gained prominence, with a number of widely publicised security incidents, hacking attacks and data breaches reaching the news over the last few years. The escalation in the numbers of cyber incidents shows no sign of abating, and it seems appropriate to take a look at the way cybersecurity is conceptualised and to consider whether there is a need for a mindset change. To consider this question, we applied a "problematization" approach to assess current conceptualisations of the cybersecurity problem by government, industry and hackers. Our analysis revealed that individual human actors, in a variety of roles, are generally considered to be "a problem". We also discovered that deployed solutions primarily focus on preventing adverse events by building resistance: i.e. implementing new security layers and policies that control humans and constrain their problematic behaviours. In essence, this treats all humans in the system as if they might well be malicious actors, and the solutions are designed to prevent their ill-advised behaviours. Given the continuing incidences of data breaches and successful hacks, it seems wise to rethink the status quo approach, which we refer to as "Cybersecurity, Currently". In particular, we suggest that there is a need to reconsider the core assumptions and characterisations of the well-intentioned human's role in the cybersecurity socio-technical system. Treating everyone as a problem does not seem to work, given the current cyber security landscape. Benefiting from research in other fields, we propose a new mindset, i.e. "Cybersecurity, Differently". This approach rests on recognition of the fact that the problem is actually the high complexity, interconnectedness and emergent qualities of socio-technical systems. The "differently" mindset acknowledges the well-intentioned human's ability to be an important contributor to organisational cybersecurity, as well as their potential to be "part of the solution" rather than "the problem". In essence, this new approach initially treats all humans in the system as if they are well-intentioned. The focus is on enhancing factors that contribute to positive outcomes and resilience. We conclude by proposing a set of key principles and, with the help of a prototypical fictional organisation, consider how this mindset could enhance and improve cybersecurity across the socio-technical system.

    Guidelines for ethical nudging in password authentication

    Nudging has been adopted by many disciplines in the last decade in order to achieve behavioural change. Information security is no exception. A number of attempts have been made to nudge end-users towards stronger passwords. Here we report on our deployment of an enriched nudge displayed to participants on the system enrolment page, when a password has to be chosen. The enriched nudge was successful in that participants chose significantly longer and stronger passwords. One thing that struck us as we designed and tested this nudge was that we were unable to find any nudge-specific ethical guidelines to inform our experimentation in this context. This led us to reflect on the ethical implications of nudge testing, specifically in the password authentication context. We mined the nudge literature and derived a number of core principles of ethical nudging. We tailored these to the password authentication context, and then show how they can be applied by assessing the ethics of our own nudge. We conclude with a set of preliminary guidelines derived from our study to inform other researchers planning to deploy nudge-related techniques in this context.

    Exploring knowledge exchange: a useful framework for practice and policy

    Knowledge translation is underpinned by a dynamic and social knowledge exchange process, but there are few descriptions of how this unfolds in practice settings. This has hampered attempts to produce realistic and useful models to help policymakers and researchers understand how knowledge exchange works. This paper reports the results of research which investigated the nature of knowledge exchange. We aimed to understand whether dynamic and fluid definitions of knowledge exchange are valid and to produce a realistic, descriptive framework of knowledge exchange. Our research was informed by a realist approach. We embedded a knowledge broker within three service delivery teams across a large mental health organisation, each of whom was grappling with specific challenges. The knowledge broker participated in the team's problem-solving process and collected observational fieldnotes. We also interviewed the team members. Observational and interview data were analysed quantitatively and qualitatively in order to determine and describe the nature of the knowledge exchange process in more detail. This enabled us to refine our conceptual framework of knowledge exchange. We found that knowledge exchange can be understood as a dynamic and fluid process which incorporates distinct forms of knowledge from multiple sources. Quantitative analysis illustrated that five broadly-defined components of knowledge exchange (problem, context, knowledge, activities, use) can all be in play at any one time and do not occur in a set order. Qualitative analysis revealed a number of distinct themes which better described the nature of knowledge exchange. By shedding light on the nature of knowledge exchange, our findings problematise some of the linear, technicist approaches to knowledge translation. The revised model of knowledge exchange which we propose here could therefore help to reorient thinking about knowledge exchange and act as a starting point for further exploration and evaluation of the knowledge exchange process.

    Design thinking and innovation: synthesising concepts of knowledge co-creation in spaces of professional development

    This paper explores how design thinking connects to concepts of knowledge creation and innovation. A case study of a knowledge sharing network in the social services sector is used to illustrate how design thinking supports Ba, the spaces for knowledge creation. Further exploration of the four enabling conditions for Ba resulted in delineation of two distinct types: relational and structural. Relational enablers support three groups of enabling conditions: interaction, shared values and communication. It is proposed that design thinking aligns well with relational enabling conditions for Ba to create the ideal spaces for knowledge creation. The group of structural enablers can assist or obstruct change and relate to the culture and management approaches of an organization, which may or may not be assisted by design thinking. However, to ensure that design thinking is not undermined, and innovation is achieved, the presence of an appropriate structural enabler is critical for success.

    Addressing Organisational, Individual and Technological Aspects and Challenges in Information Security Management: Applying a Framework for a Case Study

    This study investigates information security management challenges in a large organisation. The aim of this study is to apply the Technological-Organisational-Individual (TOI) Framework in this organisation to determine to what extent current security management practices are informed by findings of relevant literature and standards on information security incorporated in the framework. The TOI framework is used to map factors influencing security behaviour to current practices applied by the organisation and to analyse them. Conclusions suggest that some factors that play a critical role in information security management are not adequately covered. This study also aims to provide recommendations to security managers on how to address these factors to implement security management practices that can improve ISP compliance, and inform literature on any additional security management practices. Further, this study includes insights into how organisations may exploit key strengths in applying information security management to achieve good security behaviour among their employees and take an adaptive approach to changing conditions, such as teleworking.