Research Article
Year 2023, Volume: 10 Issue: 2, 51 - 57, 30.06.2023
https://doi.org/10.17261/Pressacademia.2023.1735


CRITICAL SUCCESS FACTORS FOR CYBERSECURITY JUST TECHNICAL? EXPLORING THE ROLE OF HUMAN FACTORS IN CYBERSECURITY MANAGEMENT


Abstract

Purpose- With the rapid advancement of information and communication technologies, businesses are facing growing security risks. The prevalence, intensity, and complexity of cyberattacks worsen these vulnerabilities, leading to a rising focus on cybersecurity. Enterprises exposed to such cyberattacks might not only face considerable financial losses but also experience data breaches, operational interruptions, harm to their reputation, regulatory penalties, legal expenses, reduced competitive standing, and increased insurance premiums. This concept study discusses the importance of human factors in cybersecurity management. While organizations spend billions on information technology systems and software to detect and prevent cyber threats, individuals play a critical role in managing these risks.
Methodology- Through a review of the literature and statistical data, the study examines the factors contributing to cybersecurity breaches and the allocation of resources to address them, and proposes potential solutions.
Findings- Most research on cybersecurity in the workplace focuses on employees as the most important source of vulnerability. The literature review indicates that employees' carelessness and lack of awareness pose the greatest risk to cybersecurity. However, businesses often fail to pay sufficient attention to human behavior in their efforts to keep organizational data secure and to plan security strategies. Effective cybersecurity management requires not only technical controls but also the management of human factors. Meanwhile, security expenditures in enterprises are often disproportionately allocated to technology investments, with 97% being spent on technology, despite the fact that over 85% of breaches are attributable to human factors.
Conclusion- The literature review indicates that cybersecurity management is not only a matter of technical controls; the management of human factors is also of critical importance. The management of individuals is an essential cybersecurity responsibility. It is important to adopt a holistic approach to cybersecurity management that includes both technical and human perspectives. Cybersecurity awareness significantly helps businesses manage cybersecurity effectively, and it can be achieved by developing appropriate training programs and fostering a cybersecurity culture.

References

There are 41 citations in total.

Details

Primary Language English
Subjects Business Administration
Journal Section Articles
Authors

Cenk Aksoy 0000-0002-7481-0837

Publication Date June 30, 2023
Published in Issue Year 2023 Volume: 10 Issue: 2

Cite

APA Aksoy, C. (2023). CRITICAL SUCCESS FACTORS FOR CYBERSECURITY JUST TECHNICAL? EXPLORING THE ROLE OF HUMAN FACTORS IN CYBERSECURITY MANAGEMENT. Research Journal of Business and Management, 10(2), 51-57. https://doi.org/10.17261/Pressacademia.2023.1735
