Abstract
Humans are, and have long been, the weakest link in the cybersecurity chain (e.g., [1,2,3]). Not all systems are adequately protected, and even for those that are, individuals can still fall prey to cyber-attack attempts (e.g., phishing, malware, ransomware) that occasionally break through, and/or engage in other cyber-risky behaviors (e.g., not adequately securing devices) that put even the most secure systems at risk. Such susceptibility can be due to one or more factors, including individual differences, environmental factors, maladaptive behaviors, and influence techniques. This is particularly concerning at an organizational level, where the costs of a successful cyber-attack can be colossal (e.g., financial, safety, reputational). Cyber criminals intent on infiltrating organization accounts/networks to inflict damage, steal data, and/or make financial gains will continue to try to exploit these human vulnerabilities unless we are able to act fast and do something about them. Is there any hope for human resistance? We argue that technological solutions alone, rooted in software and hardware, will not win this battle. The ‘human’ element of any digital system is as important to its enduring security posture. More research is needed to better understand human cybersecurity vulnerabilities within organizations. This will inform the development of methods (including those rooted in HCI) to decrease cyber-risky and increase cyber-safe decisions and behaviors: to fight back, showing how humans, with the right support, can be the best line of cybersecurity defense.
In this paper, we assert that in order to achieve the greatest positive impact from such research efforts, more human-centric cybersecurity research needs to be conducted with expert teams embedded within industrial organizations driving the research forward. This cannot be an issue addressed through laboratory-based research alone. Industrial organizations need to move towards more holistic – human- and systems-centric – cybersecurity research and solutions that will create safer and more secure employees and organizations, working in harmony to better defend against cyber-attack attempts. One such example is the Airbus Accelerator in Human-Centric Cyber Security (H2CS), which is discussed as a case study within the current paper.
References
Sasse, M.A., Brostoff, S., Weirich, D.: Transforming the ‘weakest link’: a human computer interaction approach to usable and effective security. BT Technol. J. 19(3), 122–131 (2001). https://doi.org/10.1023/A:1011902718709
D’Arcy, J., Hovav, A., Galletta, D.: User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Inf. Syst. Res. 20(1), 79–98 (2009)
Stanton, J.M., Stam, K.R., Mastrangelo, P., Jolton, J.: Analysis of end user security behaviors. Comput. Secur. 24(2), 124–133 (2005)
Verizon: 2018 data breach investigation report, pp. 1–8 (2018)
IBM: Cost of data breach report 2018 (2018)
Microsoft: Security Intelligence Report (SIR) 2018 (2018)
Perera, D.: Sony hackers used fake emails. Politico, 21 April 2015 (2015). https://www.politico.com/story/2015/04/sony-hackers-fake-emails-117200
Schuman, E.: LinkedIn’s disturbing breach notice. Computerworld (2016). https://www.computerworld.com/article/3077478/security/linkedin-s-disturbing-breach-notice.html
Forbes: Marriott breach: Starwood hacker gains access to 500 million customer records (2018). https://www.forbes.com/sites/forrester/2018/11/30/marriot-breach-starwoods-hacker-tier-rewards-millions-of-customer-records/#3f90b0245703
Yurieff, K.: Equifax data breach: what you need to know (2017). http://money.cnn.com/2017/09/08/technology/equifax-hack-qa/index.html
Weise, E.: It’s new and it’s bad: Yahoo discloses 1B account breach (2016). https://www.usatoday.com/story/tech/news/2016/12/14/yahoo-discloses-likely-new-1-billion-account-breach/95443510
Bada, M., Sasse, A.M., Nurse, J.R.: Cyber security awareness campaigns: Why do they fail to change behaviour? arXiv preprint arXiv:1901.02672 (2019)
Pfleeger, S.L., Caputo, D.: Leveraging behavioral science to mitigate cyber security risk. Comput. Secur. 31(4), 597–611 (2012)
Egelman, S., Peer, E.: Scaling the security wall: developing a security behavior intentions scale (sebis). In: Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, pp. 2873–2882. ACM (2015)
McGill, T., Thompson, N.: Old risks, new challenges: exploring differences in security between home computer and mobile device use. Behav. Inf. Technol. 36(11), 1111–1124 (2017)
Scholl, M.C., Fuhrmann, F., Scholl, L.R.: Scientific knowledge of the human side of information security as a basis for sustainable trainings in organizational practices. In: Proceedings of the 51st Hawaii International Conference on System Sciences, pp. 2235–2244 (2018)
Levine, T.R.: Truth default theory: a theory of human deception and deception detection. J. Lang. Soc. Psychol. 33, 378–392 (2014)
Vishwanath, A., Harrison, B., Ng, Y.J.: Suspicion, cognition, and automaticity model of phishing susceptibility. Commun. Res. 45, 1146–1166 (2016)
Williams, E.J., Beardmore, A., Joinson, A.: Individual differences in susceptibility to online influence: a theoretical review. Comput. Hum. Behav. 72, 412–421 (2017)
Williams, E.J., Morgan, P.L., Joinson, A.J.: Press accept to update now: individual differences in susceptibility to malevolent interruptions. Decis. Support Syst. 96, 119–129 (2017)
Chowdhury, N.H., Adam, N.T.P., Skinner, G.: The impact of time pressure on cybersecurity behaviour: a systematic review. Behav. Inf. Technol. 38(12), 1290–1308 (2019)
Bishop, L., Morgan, P.L., Asquith, P.M., Raywood-Burke, G., Wedgbury, A., Jones, K.: Examining human individual differences in cyber security and possible implications for human-machine interface design. In: Moallem, A. (ed.) HCI International 2020: 2nd International Conference on HCI for Cybersecurity, Privacy and Trust. LNCS, vol. 12210, pp. 1–17 (2020, in press)
Ajzen, I.: The theory of planned behaviour: reactions and reflections. Psychol. Health 26(9), 1103–1127 (2011)
Kelly, J.R., McGrath, J.E.: Effects of time limits and task types on task performance and interaction of four-person groups. J. Pers. Soc. Psychol. 49(2), 395–407 (1985)
Henderson, R.K., Snyder, H.R., Gupta, T., Banich, M.T.: When does stress help or harm? The effects of stress controllability and subjective stress response on Stroop performance. Front. Psychol. 3, article 179, 1–15 (2012)
Paas, F., Renkl, A., Sweller, J.: Cognitive load theory and instructional design: recent developments. Educ. Psychol. 38(1), 1–4 (2010)
Monk, C., Trafton, J.G., Boehm-Davis, D.A.: The effect of interruption duration and demand on resuming suspended goals. J. Exp. Psychol. Appl. 14, 299–313 (2008)
Morgan, P.L., Patrick, J., Waldron, S., King, S., Patrick, T.: Improving memory after interruption: exploiting soft constraints and manipulating information access cost. J. Exp. Psychol. Appl. 15, 291–306 (2009)
Asquith, P.M., Morgan, P.L.: Representing a human-centric cyberspace. In: 6th International Conference on Human Factors in Cybersecurity, 2020, 11th International Conference on Applied Human Factors and Ergonomics, San Diego, US, pp. 1–7 (2020)
Rathburn, D.: Gathering security metrics and reaping the rewards. SANS Institute, Information Security Reading Room (2009). https://www.sans.org/reading-room/whitepapers/leadership/gathering-security-metrics-reaping-rewards-33234
Herrmann, D.S.: Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI. Auerbach Publications, Boca Raton (2007)
Fleming, M.H., Goldstein, E.: Metrics for measuring the efficacy of critical-infrastructure-centric cybersecurity information sharing efforts. In: Homeland Security Studies and Analysis Institute Report RP: 11-01.02.02-01, pp. 1–57 (2012)
O’Driscoll, M.P., Randall, D.M.: Perceived organisational support, satisfaction with rewards, and employee job involvement and organisational commitment. Appl. Psychol. Int. Rev. 48(2), 197–209 (1999)
Reeves, A., Parsons, K., Calic, D.: Securing mobile devices: evaluating the relationship between risk perception, organisational commitment and information security awareness. In: Proceedings of the 11th International Symposium on Human Aspects of Information Security and Assurance (HAISA), pp. 145–155 (2017)
Herath, T., Rao, H.R.: Protection motivation and deterrence: a framework for security policy compliance in organisations. Eur. J. Inf. Syst. 18, 106–125 (2009)
Morgan, P.L., Patrick, J.: Paying the price works: increasing goal access cost improves problem solving and mitigates the effect of interruption. Q. J. Exp. Psychol. 66(1), 160–178 (2013)
Gray, W.D., Sims, C.R., Fu, W.-T., Schoelles, M.J.: The soft constraints hypothesis: a rational analysis approach to resource allocation for interactive behavior. Psychol. Rev. 113(3), 461–482 (2006)
Morgan, P.L., Patrick, J.: Designing interfaces that encourage a more effortful cognitive strategy. In: Proceedings of the 54th Annual Meeting of the Human Factors and Ergonomics Society, Cognitive Engineering and Decision Making Section, San Francisco, California, USA, pp. 408–412 (2010)
Morgan, P.L., Patrick, J., Patrick, T.: Increasing information access costs to protect against interruption effects during problem solving. In: Proceedings of the 32nd Annual Meeting of the Cognitive Science Society, Portland, Oregon, USA, pp. 949–955 (2010)
Patrick, J., et al.: The influence of training and experience on memory strategy. Memory Cogn. 43(5), 775–787 (2015)
Zimmermann, V., Renaud, K.: Moving from a ‘human-as-problem’ to a ‘human-as-solution’ cybersecurity mindset. Int. J. Hum.-Comput. Stud. 131, 169–187 (2019)
Acknowledgements
The research and the Airbus Accelerator in Human-Centric Cyber Security (H2CS) are further supported by Endeavr Wales and Cardiff University. The programme funds the first author (Dr Phillip Morgan) as Technical Lead, the second author (Dr Phoebe Asquith) as a Cardiff University Research Associate, and the fourth author (George Raywood-Burke) as a PhD student, and provides support in kind for the third author (Laura Bishop), who is funded via a PhD studentship from the School of Psychology at Cardiff University.
© 2020 Springer Nature Switzerland AG
Cite this paper
Morgan, P.L., Asquith, P.M., Bishop, L.M., Raywood-Burke, G., Wedgbury, A., Jones, K. (2020). A New Hope: Human-Centric Cybersecurity Research Embedded Within Organizations. In: Moallem, A. (ed.) HCI for Cybersecurity, Privacy and Trust. HCII 2020. Lecture Notes in Computer Science, vol. 12210. Springer, Cham. https://doi.org/10.1007/978-3-030-50309-3_14
DOI: https://doi.org/10.1007/978-3-030-50309-3_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-50308-6
Online ISBN: 978-3-030-50309-3