Deriving Cyber Security Risks from Human and Organizational Factors – A Socio-technical Approach
Cyber security risks are socio-technical in nature. They result not just from technical vulnerabilities but also, more fundamentally, from the degradation of working practices over time – which move an organization across the boundary of secure practice to a place where attacks will not only succeed...
Saved in:
| Main Authors: | , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Riga Technical University
2019-04-01
|
| Series: | Complex Systems Informatics and Modeling Quarterly |
| Subjects: | |
| Online Access: | https://csimq-journals.rtu.lv/article/view/2834 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1849220732870983680 |
|---|---|
| author | Thomas Richard McEvoy Stewart James Kowalski |
| author_facet | Thomas Richard McEvoy Stewart James Kowalski |
| author_sort | Thomas Richard McEvoy |
| collection | DOAJ |
| description | Cyber security risks are socio-technical in nature. They result not just from technical vulnerabilities but also, more fundamentally, from the degradation of working practices over time – which move an organization across the boundary of secure practice to a place where attacks will not only succeed, but also have a significantly greater impact on the organization. Yet current risk analysis and management methodologies are not designed to detect these kinds of systemic risks. We present an approach, devised in the field, to deriving these risks – using a qualitative research methodology, akin to grounded theory, but based on preset coding descriptors. This allows organizational and individual behavior identified during interviews, observations or document research to be thematically analyzed, collated and mapped to potential risks, linked to poor working practices. The resulting risk factors can be linked together forming “risk narratives”, showing how the degradation of working practices in one part of the organization can contribute to undermining its ability to respond to cyber security threats in another part of the organization. |
| format | Article |
| id | doaj-art-a90a6e97b79543dfbde22c5ca248a734 |
| institution | Kabale University |
| issn | 2255-9922 |
| language | English |
| publishDate | 2019-04-01 |
| publisher | Riga Technical University |
| record_format | Article |
| series | Complex Systems Informatics and Modeling Quarterly |
| spelling | doaj-art-a90a6e97b79543dfbde22c5ca248a7342024-12-05T09:56:30ZengRiga Technical UniversityComplex Systems Informatics and Modeling Quarterly2255-99222019-04-01018476410.7250/csimq.2019-18.031611Deriving Cyber Security Risks from Human and Organizational Factors – A Socio-technical ApproachThomas Richard McEvoy0Stewart James Kowalski1The Norwegian Cyber Range, Department of Information Security and Communication Technology, NTNU i Gjøvik, postboks 191, NO-2802 GjøvikThe Norwegian Cyber Range, Department of Information Security and Communication Technology, NTNU i Gjøvik, postboks 191, NO-2802 GjøvikCyber security risks are socio-technical in nature. They result not just from technical vulnerabilities but also, more fundamentally, from the degradation of working practices over time – which move an organization across the boundary of secure practice to a place where attacks will not only succeed, but also have a significantly greater impact on the organization. Yet current risk analysis and management methodologies are not designed to detect these kinds of systemic risks. We present an approach, devised in the field, to deriving these risks – using a qualitative research methodology, akin to grounded theory, but based on preset coding descriptors. This allows organizational and individual behavior identified during interviews, observations or document research to be thematically analyzed, collated and mapped to potential risks, linked to poor working practices. The resulting risk factors can be linked together forming “risk narratives”, showing how the degradation of working practices in one part of the organization can contribute to undermining its ability to respond to cyber security threats in another part of the organization.https://csimq-journals.rtu.lv/article/view/2834Human FactorsSocio-technicalSecurity CultureSecure Behavior |
| spellingShingle | Thomas Richard McEvoy Stewart James Kowalski Deriving Cyber Security Risks from Human and Organizational Factors – A Socio-technical Approach Complex Systems Informatics and Modeling Quarterly Human Factors Socio-technical Security Culture Secure Behavior |
| title | Deriving Cyber Security Risks from Human and Organizational Factors – A Socio-technical Approach |
| title_full | Deriving Cyber Security Risks from Human and Organizational Factors – A Socio-technical Approach |
| title_fullStr | Deriving Cyber Security Risks from Human and Organizational Factors – A Socio-technical Approach |
| title_full_unstemmed | Deriving Cyber Security Risks from Human and Organizational Factors – A Socio-technical Approach |
| title_short | Deriving Cyber Security Risks from Human and Organizational Factors – A Socio-technical Approach |
| title_sort | deriving cyber security risks from human and organizational factors a socio technical approach |
| topic | Human Factors Socio-technical Security Culture Secure Behavior |
| url | https://csimq-journals.rtu.lv/article/view/2834 |
| work_keys_str_mv | AT thomasrichardmcevoy derivingcybersecurityrisksfromhumanandorganizationalfactorsasociotechnicalapproach AT stewartjameskowalski derivingcybersecurityrisksfromhumanandorganizationalfactorsasociotechnicalapproach |