University Assignment Report CT7098


University Assignment Report

Human Factors on Cyber Security

Prepared by

The Code for this Assignment Is: CT7098


Course Name: Master of Science in Cyber-Security
Application Identification Number:
The Year of Admission Will Be:
TABLE OF CONTENTS

1. Introduction 03

2. The Importance of Human Factors in Cyber-Security 03

3. Methodology 04

4. Aspects of Human Behavior That Affect Cyber-Security 05

5. Aspects of Cyber-Security That Take into Account Society and Technology 06

6. The Solution to Security that is Both Doable and Effective 06

7. Program for Effective Awareness and Training that Focuses On 07

8. Evaluation of Workable and Effective Security Solutions 10

9. Conclusion 13

10. References 14
1. Introduction

The human components of Cybersecurity are the acts or occurrences by people that lead to a
breach in information security. In most cases these factors manifest as a lack of
mindfulness, carelessness, or inappropriate control of access.

The possibility of human mistakes always exists in any circumstance and for any purpose.
According to IBM's estimates, the average cost of the data breach caused by human error is
enormous. The vast majority of SME businesses cannot meet such a substantial expense.

In any event, finding a solution to human error is a challenging task. You cannot simply
replace a "faulty" employee the way you would replace a faulty piece of hardware or
software. There is always an explanation for why individuals act foolishly. The most
important thing is to understand the reasons behind the mistakes that were made and to
think of approaches that keep the organisation away from similar situations.

It may be more work than many small business owners believe they can handle
independently. Whatever the case may be, the benefits are well worth the effort. Small
businesses can be more secure, but only if they know how to secure their information.

2. The Importance of Human Factors in Cyber Security


Cybersecurity is one of the most alarming issues in today's era. Organisations need a robust
cybersecurity program to ensure the protection of confidential data. However, according to
Cybrint, 95% of cybersecurity breaches are caused by human error.

Following are some basic human errors that cause cybersecurity issues in organisations.

1- Phishing – A Social Engineering Attack:

Phishing is a tactic used to persuade humans to disclose confidential information, mainly
passwords, social security numbers, credit card numbers, or other private data.
Attackers usually combine social engineering with deception. The channels they use
include email, text messages, phone calls, URL redirects and even social media platforms.
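The deceptive link is the common thread in the phishing channels just listed: the visible text names a trusted site while the real target points elsewhere. The following is an added example, not part of the original report, of the kind of check a mail gateway or awareness tool can run over an incoming HTML message. The sample message, the trusted-domain set and the reason codes are constructed for the example, and the registrable-domain helper is a deliberate simplification that ignores multi-label public suffixes such as co.uk.

```python
"""Flag deceptive links in an HTML email (added example; constructed sample data)."""
import re
from html.parser import HTMLParser
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or hostname (constructed pattern).
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_part(host: str) -> str:
    """Last two labels of a hostname, e.g. login.example.com -> example.com.

    Simplification: a real deployment would consult the public suffix list.
    """
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html: str, trusted_domains: Set[str]) -> List[Tuple[str, List[str]]]:
    """Return (href, reasons) for every link that fails one or more checks."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        reasons = []
        if parsed.scheme != "https":
            reasons.append("not_https")
        match = URL_LIKE.match(text)
        # If the visible text names a site, it must agree with where the href really goes.
        if match and registrable_part(match.group(1)) != registrable_part(host):
            reasons.append("text_host_mismatch")
        if registrable_part(host) not in trusted_domains:
            reasons.append("untrusted_domain")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message: one deceptive link and one legitimate internal link.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. Please verify your account.</p>
<a href="http://login-example.evil.test/verify">https://login.example.com/verify</a>
<a href="https://intranet.example.com/policies">HR policy update</a>
"""

TRUSTED = {"example.com"}  # constructed: the organisation's own domain

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, TRUSTED):
        print(href, "->", ", ".join(reasons))
```

On the sample message the first link is reported with all three reasons and the second is silent. The text-versus-target comparison is the one that catches the classic spoofed login page; the scheme and trust-list checks are cheap additions that reduce noise when the same tool is run over an inbox.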
2- Scan and Exploit – Human Failure:

Scanning is a newer route to cybersecurity breaches. QR codes are sent to users and
presented as highly important. Once the user scans the code, the attacker can easily
access the user's confidential data.

Vulnerable cybersecurity infrastructure and IT components such as web servers,
databases, and cloud apps can easily be misconfigured. Hackers take advantage of
these security holes, gaining easy access to confidential data and causing a
cybersecurity breach.

3- Credential Theft – Unauthorised Access:

Credential theft leads to unauthorised access to secure data and IT systems. Hackers
use various ways to steal credentials:

- Shoulder Surfing: stealing someone's credentials by watching them type their password.
- Phishing: tricking someone into entering their credentials on a spoofed login page.
- Social Engineering: deceiving someone into giving away their credentials by
  pretending to be someone else. It can also be done via social media, calls, emails or
  other communication channels such as the help desk or text messages.

4- Poor Password Hygiene:


61% of breaches are due to stolen passwords. Passwords can be easily compromised
due to the following reasons:

- Users use simple and guessable passwords like 1234 and password.
- 45% of users reuse their passwords on other services as well.
- Users keep their passwords the same for an extended period.
- Users share their passwords with their colleagues or friends.

If passwords get into the hands of a culprit, they can be easily misused, causing
cybersecurity breaches that would be a massive loss for individuals and
organisations.
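The four password weaknesses above (guessable values, reuse across services, long-lived passwords, and sharing) are the ones an onboarding or password-change check can test for, sharing excepted. The following is an added example, not part of the original report; the common-password list, the policy constants and the stored hashes are constructed sample data. Reuse is detected by re-deriving the candidate with each other service's salt, so no plaintext password has to be kept anywhere.

```python
"""Password hygiene checks (added example; constructed sample data)."""
import hashlib
import hmac
from datetime import date, timedelta
from typing import List, Optional, Tuple

COMMON_PASSWORDS = {"1234", "123456", "password", "qwerty", "letmein"}  # constructed sample
MIN_LENGTH = 12          # assumed policy value
MAX_AGE_DAYS = 365       # assumed policy value
PBKDF2_ROUNDS = 100_000  # assumed work factor


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256 digest as hex; this is what gets stored, not the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS).hex()


def check_password(password: str,
                   other_services: List[Tuple[str, bytes, str]],
                   last_changed: date,
                   today: Optional[date] = None) -> List[str]:
    """Return the hygiene problems found, in a fixed order; an empty list means none.

    other_services holds (service name, salt, stored digest) for the same user's other
    accounts, so reuse can be detected without any plaintext password being kept.
    """
    today = today or date.today()
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append("too_short")
    if password.lower() in COMMON_PASSWORDS:
        issues.append("common")
    for service, salt, digest in other_services:
        # Re-derive with that service's salt; compare_digest avoids a timing side channel.
        if hmac.compare_digest(hash_password(password, salt), digest):
            issues.append(f"reused:{service}")
    if today - last_changed > timedelta(days=MAX_AGE_DAYS):
        issues.append("stale")
    return issues


if __name__ == "__main__":
    salt = bytes(16)  # constructed fixed salt; use os.urandom(16) per account in practice
    stored = [("email", salt, hash_password("Summer2020!!", salt))]
    print(check_password("password", [], date(2023, 1, 1), today=date(2023, 6, 1)))
    print(check_password("Summer2020!!", stored, date(2020, 1, 1), today=date(2023, 1, 1)))
```

One caveat on the age check: NIST SP 800-63B advises against forcing periodic password changes and recommends changing a password when there is evidence of compromise, so the "stale" finding reflects the report's concern and should only be enforced where an organisation's policy still requires rotation.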

3. Methodology
A. The Decision-Making Process Regarding Human Information Security:

The term "human information security decision-making" refers to the process through
which the employees who work with an organisation's information systems and data make
decisions that affect the organisation's overall information security. The
decision-making process is affected by several elements, among them the individual's
knowledge, attitudes, and behaviours.

B. The Importance of Human Decision-Making with Regards to Information Security:

The decisions made regarding information security by humans are significant to the overall
security posture of a business. Human mistakes, insider threats, and social engineering
attacks are ways even the most advanced technical security systems might be ineffective. As
a result, companies should acknowledge the Significance of addressing the human
component of Cybersecurity.

C. A Concise Overview of a Security Solution That Is Both Workable and Effective:

A workable and effective security solution is one that manages the human aspects of
Cybersecurity efficiently. This solution should incorporate different technical controls,
rules, and procedures that, when combined, function as an integrated whole to deal with
the numerous dangers and openings associated with human information security decision-
making.

4. Aspects of Human Behavior That Affect Cybersecurity


A. Schemes Based on Social Engineering and Phishing:

Attacks based on social engineering are meant to coerce individuals into exposing
confidential information or taking actions that threaten the security of an organisation's
information systems by using various forms of psychological coercion. Phishing attacks are a
popular type of social engineering assault that primarily include sending bogus emails to
persons working for an organisation to collect sensitive information. These emails are sent
to trick the recipients into divulging their data.

B. Threats from Inside:

The term "insider threat" refers to the dangers that might be posed to a company by its
employees or other members of the organisation who have access to organisational data.
These individuals may inflict damage to the organisation's information or reputation, either
purposefully or accidentally.
C. Human Error:

At every point in the hierarchy of an organisation, there is the potential for a human error to
occur, which could lead to a breach of data security, the inadvertent disclosure of
confidential information, or system downtime.

D. Influence that Human Considerations Have on Cybersecurity:

The human factors that are involved in Cybersecurity provide major dangers to enterprises.
The repercussions of these risks might include monetary losses, damage to reputation, and
difficulties complying with legal and regulatory requirements.

5. Aspects of Cybersecurity That Take Into Account Society and Technology
A. A Definitive Exposition of What We Mean by "Socio-Technical Aspects":

The interaction between the social and technical parts of an organisation’s security systems
is referred to as the socio-technical aspects of Cybersecurity. This encompasses the people,
processes, and technology that collaborate to guarantee the confidentiality of the
organisation's data.

B. Considerable Weight Given to Socio-Technical Factors:


When it comes to the entire security strategy of a business, the socio-technical aspects of
Cybersecurity are necessary to effectively limit the risks associated with human
information security decision-making; an appropriately developed security solution
should consider both the technical and social factors.

C. Considerations Regarding the Influence of Socio-Technical Factors on Cybersecurity:

The efficacy of a security solution is directly proportional to the degree of attention paid
to the socio-technical components of Cybersecurity. When protecting an organisation's
information systems and data, a solution may be ineffectual if it does not sufficiently
handle the social and technological aspects involved.
6. The Solution to Security that is Both Doable and Effective
A. Programs for Raising Awareness of Security Issues and Training:

Programs for security awareness and training are vital to any security program intended to
be effective. These programs educate employees on the dangers associated with human
information security decision-making and give them the knowledge and skills necessary to
make informed decisions about Cybersecurity.

We will analyse a solution that is both practical and efficient and that manages the
socio-technical and human aspects of Cybersecurity.

7. Program for Effective Awareness and Training that Focuses On
The following are some of the components that should be included in a good awareness
and training program:

A. Support Engagements:

1- Support at the Executive Level:


The program must receive authorisation from senior management to be successful.

2- Requirements Assessment:
It is essential to undertake a requirements assessment to determine the unique
cybersecurity dangers the firm and its employees are up against.

3- Content Development:
The program’s content should be tailored to the organisation's and its employees'
needs.

4- Delivery:
The program should be communicated to participants through various platforms,
including online modules, in-class instruction, and printed posters.

5- Evaluation:
The program's usefulness ought to be evaluated consistently, utilising testing and
comments from staff members.
The Effects on Employees of Participating in Security Awareness and Training
Programs:

Security awareness and training programs have the potential to have a significant impact on
the understanding and behaviour of employees concerning Cybersecurity. Studies have
shown that employees who undergo regular security training are more likely to report
security incidents, and they are also less likely to fall for phishing scams.

B. Control of Access Based on Roles:

A strategy that restricts access to resources in an organisation based on individual users'
responsibilities is known as role-based access control or RBAC. RBAC makes it simpler for an
organisation to control who has access to which resources by assigning permissions not to
individual users but to the various roles that make up the organisation.

1- The Role-Based Access Control Concept Defined, Along with Its Importance:

RBAC plays a crucial role in managing the human component of Cybersecurity since it
helps avoid attacks from within an organisation and lowers the chance of data breaches.
RBAC guarantees that employees have access only to the resources they require to
execute their duties, reducing the likelihood of data breaches occurring accidentally or
intentionally. This is accomplished by granting rights to roles rather than to individuals.

2- Impact on Safety Caused by Utilization of Role-Based Access Control:

Research has demonstrated that RBAC can considerably strengthen an organisation’s
security posture. RBAC helps to limit the risk of insider threats and prevents
unauthorised access to sensitive data.
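The two properties the RBAC discussion relies on, permissions attached to roles rather than people and access denied unless a role grants it, are easiest to see in a small working model. The following is an added example, not part of the original report; the roles, permission names, users and usage records are constructed sample data. The `audit_excess` method also serves the later recommendation to audit access rights and privileges (section 8, item 6): it lists permissions a user holds but has not been seen using, which are the candidates for removal under least privilege.

```python
"""Role-based access control with a least-privilege audit (added example; sample data)."""
from typing import Dict, Set


class RBAC:
    """Permissions attach to roles; users receive roles, never raw permissions."""

    def __init__(self) -> None:
        self.role_permissions: Dict[str, Set[str]] = {}
        self.user_roles: Dict[str, Set[str]] = {}

    def grant(self, role: str, *permissions: str) -> None:
        self.role_permissions.setdefault(role, set()).update(permissions)

    def assign(self, user: str, *roles: str) -> None:
        for role in roles:
            if role not in self.role_permissions:
                raise KeyError(f"unknown role: {role}")  # no implicit role creation
        self.user_roles.setdefault(user, set()).update(roles)

    def revoke(self, user: str, role: str) -> None:
        """Removing a role drops every permission it carried in one step (e.g. on a job change)."""
        self.user_roles.get(user, set()).discard(role)

    def permissions_of(self, user: str) -> Set[str]:
        """Effective permissions: the union of the user's roles (empty for unknown users)."""
        return set().union(*(self.role_permissions[r] for r in self.user_roles.get(user, set())))

    def is_allowed(self, user: str, permission: str) -> bool:
        """Deny by default: unknown users and ungranted permissions both return False."""
        return permission in self.permissions_of(user)

    def audit_excess(self, used: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
        """Permissions each user holds but was never observed using (candidates for removal).

        `used` maps user -> permissions exercised in the observation window (e.g. from
        access logs); users absent from it are treated as having used nothing.
        """
        excess = {}
        for user in self.user_roles:
            unused = self.permissions_of(user) - used.get(user, set())
            if unused:
                excess[user] = unused
        return excess


def build_sample() -> RBAC:
    """Constructed sample organisation: three roles, three users."""
    rbac = RBAC()
    rbac.grant("helpdesk", "read:tickets", "update:tickets")
    rbac.grant("payroll", "read:payroll", "approve:payroll")
    rbac.grant("it_admin", "read:tickets", "update:tickets", "reset:passwords")
    rbac.assign("alice", "helpdesk")
    rbac.assign("bob", "payroll")
    rbac.assign("carol", "it_admin", "payroll")  # carol kept payroll after moving to IT
    return rbac


if __name__ == "__main__":
    rbac = build_sample()
    print("alice may read payroll:", rbac.is_allowed("alice", "read:payroll"))
    # Constructed usage records: bob never approved payroll; carol never touched payroll.
    observed = {
        "alice": {"read:tickets", "update:tickets"},
        "bob": {"read:payroll"},
        "carol": {"reset:passwords", "read:tickets", "update:tickets"},
    }
    print("unused permissions:", rbac.audit_excess(observed))
    rbac.revoke("carol", "payroll")  # one revocation removes both payroll permissions
    print("carol may approve payroll:", rbac.is_allowed("carol", "approve:payroll"))
```

The audit deliberately reports unused permissions rather than removing them, since a permission used once a year (year-end approvals, for instance) looks unused in a short window; the output is input for a human review of entitlements.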

C. Incident Response Plan:

The incident response plan is a collection of protocols an organisation has in place if it has a breach
in its Cybersecurity. The program should comprise methods for locating, containing, and mitigating
the issue and procedures for informing stakeholders and communicating with the general public.

The Definition of an Incident Response Plan, as well as its Significance:

When handling the human component of Cybersecurity, having an incident response plan is
vital because it ensures that staff know what to do if there is a breach in Cybersecurity.
Because they have a plan, employees can respond rapidly and effectively, allowing them to
contain the incident and lessen its impact.
Components of an Effective Incident Response Plan:

An effective incident response plan should include the following components:

1- Rapid Support:

The organisation should prepare for potential incidents by identifying risks and
developing a plan to respond to them.

2- Detection and Analysis:

The organisation should have procedures in place for detecting and analysing
incidents.

3- Containment, Eradication, and Recovery:

The organisation should have procedures for containing, eradicating, and recovering
from incidents.

4- Post-Incident Activity:

The organisation should conduct a post-incident review to identify lessons learned
and improve its incident response plan.

Definition and Importance of Cybersecurity Culture:

Regarding information security, an organisation’s cybersecurity culture can be defined as its
workforce's values, beliefs, and behaviours. It promotes a security-conscious working
environment and encourages employees to adhere to security best practices, making it an
essential component of an efficient cybersecurity program. Establishing a cybersecurity
culture inside an organisation means cultivating a security-aware culture in which workers
recognise the significance of Cybersecurity and play an active part in protecting the firm's
information assets.

To protect themselves from cyber-attacks, enterprises must have a robust cybersecurity
culture. Employees are then more likely to recognise security incidents, which helps to
minimise the risk of security events caused by human mistakes or malicious acts. A
security awareness culture helps employees realise the value of the information they handle
and motivates them to safeguard it. It can be accomplished by ensuring staff know the
importance of information security.
Impact of Cybersecurity Culture on the Organization:

A company’s security posture may significantly improve with a culture that values and
prioritises Cybersecurity. Businesses can lessen the likelihood of security breaches brought
on by carelessness or deceit on the part of employees if they create an environment in the
workplace that prioritises safety. A security awareness culture helps employees realise the
value of the information they handle and are driven to safeguard it. This can be
accomplished by ensuring staff are aware of the importance of information security.

In addition, a robust cybersecurity culture can help foster compliance with regulatory
standards and industry best practices, which can be a significant competitive advantage. It
can help businesses demonstrate their commitment to security and develop trust with
customers, partners, and other stakeholders by establishing credibility in those
relationships. A healthy culture surrounding Cybersecurity can also help businesses recruit
and keep personnel dedicated to the field and interested in expanding their knowledge and
abilities in this area.

8. Evaluation of Workable and Effective Security Solution


A. Strengths of the Security Solution:

The feasible and efficient security solution comprises four essential elements: security
awareness and training programs, role-based access control, an incident response strategy,
and a cybersecurity culture. Each component possesses particular advantages, which are
outlined in the following paragraphs:

Security Awareness and Training Programs: programs of security awareness and training are
essential to foster a culture of security awareness inside a business. These programs can
help to reduce the risk of security events caused by human mistakes or malicious actions by
educating employees about the hazards posed by cyber threats and providing them with the
knowledge and skills they need to protect themselves and the organisation. They also help
to ensure that employees understand the value of the information they manage and are
motivated to preserve it.

1- Role-Based Access Control:

Because it guarantees that employees only have access to the information and
resources necessary to perform their jobs, role-based access control is an essential
component of any security program. Adopting role-based access control can help
lessen the risk of data breaches by insider threats or other criminal actors by limiting
users' access to critical information.

2- Incident Response Plan:

A company must have an incident response strategy to respond promptly and efficiently to
security problems. Incident response plans can help to reduce the risk of data loss or theft
by minimising the effect of security incidents. Their key elements include defining roles
and responsibilities, outlining procedures for identifying and responding to security
incidents, and establishing communication protocols.

3- Cybersecurity Culture:

A company’s security posture may be significantly improved if it has a culture that
values and prioritises Cybersecurity. Businesses can lessen the likelihood of security
breaches brought on by carelessness or deceit on the part of employees if they
create an environment in the workplace that prioritises safety. A security awareness
culture helps guarantee that employees realise the Significance of the information
they handle and are motivated to safeguard it. In addition, a culture of security
awareness helps to ensure that the data is protected.

B. Limitations of the Security Solution:

The practical and efficient security approach discussed in this paper possesses several
qualities; nevertheless, it has several drawbacks that should be considered.

The implementation of an all-encompassing security program may be quite expensive,
particularly for smaller and medium-sized businesses that have fewer resources available to
them. Even though it's possible that, in the long run, the advantages of a robust security
program will outweigh the costs, organisations may still need to prioritise which.

C. Recommendations for Improvement:

Based on the evaluation of the workable and effective security solution, the following
recommendations can be made for improvement; they help protect an organisation from
falling victim to a cybersecurity attack.

1- Continuous Training and Awareness:

Security awareness and training programs should be ongoing rather than a one-time
event. Organisations should conduct regular training sessions to educate employees
on the latest threats and best practices for Cybersecurity. It can be done through in-
person training sessions, online courses, or other means.

2- Regular Security Assessments:

Organisations should conduct regular security assessments to identify system and
network vulnerabilities. This can help to identify potential threats and vulnerabilities
and address them before attackers can exploit them.

3- Strengthened Incident Response Plans:

Incident response plans should be reviewed and updated regularly to ensure they are
practical and can be implemented quickly during a security incident. The plans should also
include clear roles and responsibilities for employees involved in incident response and
should be tested regularly through simulation exercises.

4- Encourage a Culture of Security:

Organisations should promote a culture of security by making it a priority and
emphasising the importance of Cybersecurity to all employees. This can be done by
involving all employees in security-related decisions, providing rewards and
recognition for good security practices, and creating a sense of ownership and
responsibility for security among all employees.

5- Use Technology to Complement Human Efforts:

While human efforts are critical to maintaining Cybersecurity, technology can also
play an essential role in preventing cyber-attacks. Organisations should invest in
advanced security technologies such as intrusion detection and prevention systems,
security information and event management (SIEM) systems, and security
automation and orchestration platforms to complement human efforts and
strengthen their overall security posture.

6- Audit on Access Rights and Privileges:

It is risky to give an organisation's employees access to all files. Security policy
implementation is required to restrict access to confidential files. This helps to
prevent data theft from inside the organisation.

Nevertheless, organisations must proactively give employees access to the files they
need to do their work effectively. Where there is a justified need, employees can be
granted temporary access to files so they can get their jobs done.

7- Regular Data Backups:

Ensuring that employees are backing up their data on their devices is essential. In
case of an incident, they would have a backup. Data stored in the public cloud should
also be backed up in a hard drive regularly to ensure business operations run
smoothly. Data backups ensure business continuity even if any cybersecurity attack
takes the resources offline.

9. Conclusion:
A. Summary of Key Points:

In this article, a possible and practical security solution that addresses the socio-technical
and human elements of Cybersecurity in an organisational environment was subjected to in-
depth analysis and critical evaluation. The following are the essential points:

1- The human factor is a critical aspect of Cybersecurity that is often overlooked or
underemphasised in organisations.
2- The workable and effective security solution for managing the socio-technical human
aspect of Cybersecurity involves a holistic approach that addresses Cybersecurity's
technical and human factors.
3- This solution involves implementing policies and procedures, providing training and
awareness programs, establishing a culture of security, and implementing
technological solutions that support and reinforce the human aspect of
Cybersecurity.
4- The solution should be tailored to the specific needs and context of the organisation
and should involve the participation and buy-in of all stakeholders.

B. Implications for Practice:

The findings of this research have significant implications for practice. Organisations
must acknowledge the fundamental significance of the human component in Cybersecurity,
and they must invest in systems that efficiently handle this facet of Cybersecurity. They
must take a comprehensive strategy that considers Cybersecurity's technological and human
components. They also need to tailor solutions to the company’s particular requirements
and the environment in which it operates. For this to be successful, all relevant parties,
including upper management, workers, and outside partners, must participate and agree.

C. Future Research Directions:

In the future, research should concentrate on developing and assessing specific solutions for
managing the socio-technical human side of Cybersecurity in diverse organisational
contexts. This work should take into consideration the continually changing nature of cyber
threats as well as the requirement for solutions that are flexible and adaptable. In addition,
it needs to emphasise leadership's role in fostering a culture of security and the efficacy of
various training and awareness initiatives. Finally, future research should investigate the
relationship between the human factor and other aspects of Cybersecurity, such as
technology and policy, and how these aspects can be effectively integrated to manage
cybersecurity risk in organisations.

In conclusion, managing the socio-technical human side of Cybersecurity is a crucial
problem and a significant obstacle for companies. It necessitates taking a comprehensive
approach to Cybersecurity, one that considers both the technological and human
components of the problem and one that tailors solutions to the particular requirements
and circumstances of the business. The world is becoming increasingly digital; companies
that invest in efficient solutions that can effectively manage the human element of
Cybersecurity will be better prepared to safeguard their assets, reputations, and the trust
of their customers.

