University Assignment Report CT7098
Prepared by
1. Introduction
3. Methodology
9. Conclusion
10. References
1. Introduction
The human component of Cybersecurity consists of the acts or omissions by people that lead
to a breach of information security. In most cases these arise from a lack of awareness,
carelessness, or inappropriate controls.
The possibility of human mistakes always exists in any circumstance and for any purpose.
According to IBM's estimates, the average cost of the data breach caused by human error is
enormous. The vast majority of SME businesses cannot meet such a substantial expense.
In any event, finding a solution to human error is a challenging task. A "faulty" person cannot
simply be removed the way a faulty piece of hardware or software can. There is always a
reason why people act carelessly. The most important thing is to understand the reasons
behind the blunders made and to think of approaches that keep the organisation away from
similar situations.
It may be more work than many small business owners believe they can handle
independently. Whatever the case may be, the benefits are well worth the effort. Small
businesses can be more secure, provided they know how to secure their information.
Following are some basic human errors that cause cybersecurity issues in organisations.
- Users use simple and guessable passwords like 1234 and password.
- 45% of users reuse their passwords on other services as well.
- Users keep their passwords the same for an extended period.
- Users share their passwords with their colleagues or friends.
If passwords fall into the hands of an attacker, they can easily be misused, causing
cybersecurity breaches that would be a massive loss for individuals and organisations.
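The password errors listed above (guessable values, reuse, long-lived passwords) are the ones a password policy can catch at the moment a password is set. The following Python check is an added example written for this report, not code from the original assignment; the common-password blocklist, the minimum length, and the salted PBKDF2 storage format for the password history are constructed assumptions.

```python
"""Password policy check for the human errors listed above.
Added example for this report; blocklist, length limit and history
storage format are constructed stand-ins, not an organisation's real policy."""
import hashlib
import hmac
import os

# Constructed stand-in for a breached/common-password list (real lists are far larger).
COMMON_PASSWORDS = {"1234", "password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12
HISTORY_DEPTH = 5  # a new password may not match any of the last N


def _digest(password: str, salt: bytes) -> bytes:
    # Hypothetical storage format: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def remember(password: str) -> tuple[bytes, bytes]:
    """Produce the (salt, digest) record kept in a user's password history."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)


def check_password(candidate: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the policy violations for `candidate`; an empty list means acceptable.
    `history` holds (salt, digest) pairs of the user's previous passwords."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password blocklist")
    # Reuse check: re-derive with each stored salt and compare in constant time.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            problems.append("matches a recent previous password")
            break
    return problems


if __name__ == "__main__":
    history = [remember("correct-horse-battery-1")]
    print(check_password("password", []))
    print(check_password("correct-horse-battery-1", history))
    print(check_password("correct-horse-battery-2", history))
```

Reuse of the same password on other services, the second error in the list, cannot be detected from inside one organisation's systems; it is addressed by multi-factor authentication and by monitoring breached-credential feeds rather than by a local check like this one.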
3. Methodology
A. The Decision-Making Process Regarding Human Information Security:
The term "human information security decision-making" refers to the process by which
employees who work with an organisation's information systems and data make decisions
that affect the organisation's overall information security. The decision-making process is
affected by several elements, among them the individual's knowledge, attitudes, and
behaviours.
The decisions made regarding information security by humans are significant to the overall
security posture of a business. Human mistakes, insider threats, and social engineering
attacks are ways even the most advanced technical security systems might be ineffective. As
a result, companies should acknowledge the significance of addressing the human
component of Cybersecurity.
A practicable security solution must manage the human aspects of Cybersecurity
effectively. It should combine technical controls, rules, and procedures that function as an
integrated whole to deal with the numerous dangers and weaknesses associated with human
information security decision-making.
Attacks based on social engineering are meant to coerce individuals into exposing
confidential information or taking actions that threaten the security of an organisation's
information systems by using various forms of psychological coercion. Phishing attacks are a
popular type of social engineering assault that primarily include sending bogus emails to
persons working for an organisation to collect sensitive information. These emails are sent
to trick the recipients into divulging their data.
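The bogus emails described above usually carry a few recognisable signs: a display name that imitates an internal address, a Reply-To pointing somewhere else, and a link whose visible text differs from where it actually goes. The Python below is an added example written for this report, not code from the original assignment; the sample message, the trusted domain and the heuristics are constructed assumptions, and a real mail gateway would add authentication checks (SPF, DKIM, DMARC) on top of them.

```python
"""Heuristic checks for the phishing indicators described above.
Added example for this report; the message and the trusted domain are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: spoofed display name, foreign Reply-To, and a link
# whose visible text differs from its real destination.
SAMPLE_MESSAGE = """\
From: "IT Helpdesk <helpdesk@example.com>" <alerts@mail-example.co>
Reply-To: collect@example-verify.net
Subject: Your password expires today
Content-Type: text/html; charset=utf-8

<p>Reset it now: <a href="http://login.example-verify.net/reset">https://portal.example.com/reset</a></p>
"""

TRUSTED_DOMAINS = {"example.com"}  # assumed internal domain(s)
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def phishing_indicators(raw_message: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    """Return human-readable indicators found in the message (empty list = none found)."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)
    if sender_domain not in trusted:
        findings.append(f"sender domain {sender_domain!r} is not trusted")
    # A display name that embeds an address from a different domain than the real sender.
    for embedded in ADDR_RE.findall(display_name):
        if _domain(embedded) != sender_domain:
            findings.append(f"display name shows {_domain(embedded)!r}, sender is {sender_domain!r}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append(f"Reply-To domain {_domain(reply_to)!r} differs from sender domain")
    # Links whose visible text is a URL on a different host than the real href.
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    for href, text in LINK_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        text_host = (urlparse(text.strip()).hostname or "").lower() if "://" in text else ""
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host!r} but points to {href_host!r}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_MESSAGE):
        print("-", finding)
```

Each finding maps to one thing a trained employee is taught to look at, which is why this kind of check is a useful companion to awareness training: the gateway can quarantine or label the message, and the label tells the recipient what to verify.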
The term "insider threat" refers to the dangers that might be posed to a company by its
employees or other members of the organisation who have access to organisational data.
These individuals may inflict damage to the organisation's information or reputation, either
purposefully or accidentally.
C. Human Error:
At every point in the hierarchy of an organisation, there is the potential for a human error to
occur, which could lead to a breach of data security, the inadvertent disclosure of
confidential information, or system downtime.
The human factors involved in Cybersecurity pose major dangers to enterprises.
The repercussions of these risks might include monetary losses, damage to reputation, and
difficulties complying with legal and regulatory requirements.
The interaction between the social and technical parts of an organisation’s security systems
is referred to as the socio-technical aspects of Cybersecurity. This encompasses the people,
processes, and technology that collaborate to guarantee the confidentiality of the
organisation's data.
Security awareness and training programs are vital to any security program that is intended
to be effective. They help educate employees on the dangers associated with human
information security decisions and give them the knowledge and skills necessary to make
informed decisions about Cybersecurity.
We will analyse a security solution that is both practical and efficient and that manages the
socio-technical and human aspects of Cybersecurity.
A. Support Engagements:
2- Requirements Assessment:
It is essential to undertake a requirements assessment to determine the unique
cybersecurity dangers the firm and its employees are up against.
3- Content Development:
The program’s content should be tailored to the organisation's and its employees'
needs.
4- Delivery:
The program should be communicated to participants through various platforms,
including online modules, in-class instruction, and printed posters.
5- Evaluation:
The program's usefulness ought to be evaluated consistently, utilising testing and
comments from staff members.
The Effects on Employees of Participating in Security Awareness and Training Programs:
Security awareness and training programs have the potential to have a significant impact on
the understanding and behaviour of employees concerning Cybersecurity. Studies have
shown that employees who undergo regular security training are more likely to report
security incidents, and they are also less likely to fall for phishing scams.
RBAC plays a crucial role in managing the human component of Cybersecurity since it
helps avoid attacks from within an organisation and lowers the chance of data breaches.
RBAC guarantees that employees have access to only the resources they require to
execute their duties, reducing the likelihood of data breaches, whether accidental or
intentional. It is accomplished by granting rights to roles rather than to individual users.
The incident response plan is a collection of protocols an organisation has in place for a breach
in its Cybersecurity. The plan should comprise methods for locating, containing, and mitigating
the issue, as well as procedures for informing stakeholders and communicating with the general public.
When handling the human component of Cybersecurity, having an incident response plan is
vital because it ensures that staff know what to do if there is a breach in Cybersecurity.
Because they have a plan, employees can respond rapidly and effectively, allowing them to
contain the incident and lessen its impact.
Components of an Effective Incident Response Plan:
1- Rapid Support:
The organisation should prepare for potential incidents by identifying risks and
developing a plan to respond to them.
The organisation should have procedures in place for detecting and analysing
incidents.
The organisation should have procedures for containing, eradicating, and recovering
from incidents.
4- Post-Incident Activity:
A company’s security posture may significantly improve with a culture that values and
prioritises Cybersecurity. Businesses can lessen the likelihood of security breaches brought
on by carelessness or deceit on the part of employees if they create an environment in the
workplace that prioritises safety. A security awareness culture helps employees realise the
value of the information they handle and are driven to safeguard it. This can be
accomplished by ensuring staff are aware of the importance of information security.
In addition, a robust cybersecurity culture can help foster compliance with regulatory
standards and industry best practices, which can be a significant competitive advantage. It
can help businesses demonstrate their commitment to security and develop trust with
customers, partners, and other stakeholders by establishing credibility in those
relationships. A healthy culture surrounding Cybersecurity can also help businesses recruit
and keep personnel dedicated to the field and interested in expanding their knowledge and
abilities in this area.
The feasible and efficient security solution comprises four essential elements: security
awareness and training programs, role-based access control, an incident response strategy,
and a cybersecurity culture. Each component possesses particular advantages, which are
outlined in the following paragraphs:
Programs of security awareness and training are essential to foster a culture of security
awareness inside a business. By educating employees about the hazards posed by cyber
threats and providing them with the knowledge and skills they need to protect themselves
and the organisation, these programs help to reduce the risk of security events caused by
human mistakes or malicious actions. They also help to ensure that employees understand
the value of the information they handle and are motivated to preserve it.
Because it guarantees that employees only have access to the information and
resources necessary to perform their jobs, role-based access control is an essential
component of any security program. Adopting role-based access control can help
lessen the risk of data breaches by insider threats or other criminal actors by limiting
users' access to critical information.
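The RBAC description in the methodology section and the summary of its advantages above both come down to two rules: rights are attached to roles, not people, and anything not granted is denied. The Python policy below is an added example written for this report, not code from the original assignment; the roles, permissions, users and the conflicting-role pair are constructed. It goes one step beyond the text by also checking separation of duty, the case where one person holds two roles that together defeat the purpose of limiting access.

```python
"""Role-based access control with deny-by-default checks.
Added example for this report; roles, permissions and users are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class RbacPolicy:
    # role name -> set of permissions written as "resource:action"
    role_permissions: dict[str, set[str]]
    # user name -> set of role names (users are never granted permissions directly)
    user_roles: dict[str, set[str]] = field(default_factory=dict)

    def assign_role(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise ValueError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def permissions_of(self, user: str) -> set[str]:
        perms: set[str] = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions[role]
        return perms

    def is_allowed(self, user: str, permission: str) -> bool:
        # Deny by default: unknown users and ungranted permissions are refused.
        return permission in self.permissions_of(user)

    def separation_of_duty_violations(
        self, conflicting: list[tuple[str, str]]
    ) -> list[tuple[str, str, str]]:
        """Users holding both roles of any pair that must not be combined."""
        found = []
        for user, roles in self.user_roles.items():
            for a, b in conflicting:
                if a in roles and b in roles:
                    found.append((user, a, b))
        return found


# Constructed sample policy.
CONSTRUCTED_ROLES = {
    "helpdesk": {"tickets:read", "tickets:write"},
    "finance": {"invoices:read", "invoices:approve"},
    "auditor": {"tickets:read", "invoices:read"},
}
CONFLICTING_ROLES = [("finance", "auditor")]  # approver must not audit own approvals


def build_sample_policy() -> RbacPolicy:
    policy = RbacPolicy(CONSTRUCTED_ROLES)
    policy.assign_role("alice", "helpdesk")
    policy.assign_role("bob", "finance")
    policy.assign_role("bob", "auditor")  # deliberately violates separation of duty
    return policy


if __name__ == "__main__":
    p = build_sample_policy()
    print("alice tickets:write ->", p.is_allowed("alice", "tickets:write"))
    print("alice invoices:approve ->", p.is_allowed("alice", "invoices:approve"))
    print("SoD violations ->", p.separation_of_duty_violations(CONFLICTING_ROLES))
```

Because permissions live only on roles, an access review is a review of the role table and the user-to-role table, which is what makes RBAC auditable in a way that per-user grants are not.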
3- Cybersecurity Culture:
The practical and efficient security approach discussed in this paper possesses several
qualities; nevertheless, it has several drawbacks that should be considered.
Based on the evaluation of the workable and effective security solution, the following
recommendations can be made to improve it and to help protect an organisation against
cybersecurity attacks.
Security awareness and training programs should be ongoing rather than a one-time
event. Organisations should conduct regular training sessions to educate employees
on the latest threats and best practices for Cybersecurity. It can be done through in-
person training sessions, online courses, or other means.
Incident response plans should be reviewed and updated regularly to ensure they are
practical and can be implemented quickly during a security incident. The plans should also
include clear roles and responsibilities for employees involved in incident response and
should be tested regularly through simulation exercises.
While human efforts are critical to maintaining Cybersecurity, technology can also
play an essential role in preventing cyber-attacks. Organisations should invest in
advanced security technologies such as intrusion detection and prevention systems,
security information and event management (SIEM) systems, and security
automation and orchestration platforms to complement human efforts and
strengthen their overall security posture.
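The intrusion detection and SIEM systems recommended above complement people by noticing patterns no individual would see, such as a burst of failed logins followed by a success. The detection rule below is an added example written for this report, not code from the original assignment or any SIEM product; the authentication log lines, the threshold of five failures in five minutes, and the RFC 5737 documentation addresses are constructed.

```python
"""Detection of password-guessing bursts in authentication logs.
Added example for this report; the log lines are constructed (RFC 5737 addresses)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[101]: Failed password for alice from 203.0.113.7 port 51000 ssh2
2024-03-01T09:00:05 sshd[102]: Failed password for alice from 203.0.113.7 port 51001 ssh2
2024-03-01T09:00:09 sshd[103]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
2024-03-01T09:00:14 sshd[104]: Failed password for alice from 203.0.113.7 port 51003 ssh2
2024-03-01T09:00:20 sshd[105]: Failed password for alice from 203.0.113.7 port 51004 ssh2
2024-03-01T09:00:31 sshd[106]: Failed password for bob from 198.51.100.4 port 40210 ssh2
2024-03-01T09:00:44 sshd[107]: Accepted password for carol from 192.0.2.9 port 33000 ssh2
2024-03-01T09:01:02 sshd[108]: Accepted password for alice from 203.0.113.7 port 51005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def detect_password_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alert strings: one when a source reaches `threshold` failures inside
    `window`, and one for any later successful login from that same source."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()                # sources already alerted on
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        if m["result"] == "Failed":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # slide the window forward
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(f"{m['ts']} burst: {len(q)} failed logins from {src} within {window}")
        elif src in flagged:
            # A success after a burst is the event the responder most wants to see first.
            alerts.append(f"{m['ts']} success-after-burst: {m['user']} logged in from {src}")
    return alerts


if __name__ == "__main__":
    for alert in detect_password_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert type is the one that should page someone: a burst alone may be noise, but a successful login from the same source right after it is the point at which the incident response plan's containment step applies.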
Organisations should proactively grant employees access only to the files they need to do
their work effectively. Where an additional need arises, access can be granted temporarily so
that employees can get their jobs done.
Ensuring that employees are backing up the data on their devices is essential, so that a copy
exists in case of an incident. Data stored in the public cloud should also be backed up
regularly to a hard drive to ensure business operations run smoothly. Data backups ensure
business continuity even if a cybersecurity attack takes the resources offline.
9. Conclusion:
A. Summary of Key Points:
In this article, a possible and practical security solution that addresses the socio-technical
and human elements of Cybersecurity in an organisational environment was subjected to in-
depth analysis and critical evaluation. The following are the essential points:
The findings of this research have significant implications for practice.
Organisations must acknowledge the fundamental significance of the human component in
Cybersecurity, and these organisations must invest in systems that efficiently handle this
facet of Cybersecurity. They must take a comprehensive strategy considering
Cybersecurity's technological and human components. They are also required to tailor
solutions to the company’s particular requirements and the environment in which it
operates. For this to be successful, all relevant parties, including upper management,
workers, and outside partners, must participate and agree.
In the future, research should concentrate on developing and assessing specific solutions for
managing the socio-technical human side of Cybersecurity in various diverse organisational
contexts. This study should take into consideration the continually changing nature of cyber
threats as well as the requirement for solutions that are flexible and adaptable. In addition,
it needs to emphasise leadership's role in fostering a culture of security and the efficacy of
various training and awareness initiatives. Finally, future research should investigate the
relationship between the human factor and other aspects of Cybersecurity, such as
technology and policy, and how these aspects can be effectively integrated to manage
cybersecurity risk in organisations.