Security Managers Are Not The Enemy Either

Reinfelder, Lena; Landwirth, Robert; Benenson, Zinaida

doi:10.1145/3290605.3300663

Cited by 20 publications

(15 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our work contributes to and extends existing, albeit limited, scholarship which has explored cyber security within organisations, e.g. [42,50,62,88,69,99,108], and an even smaller number focusing on CISOs, e.g., [13,91]. We do so by studying the role and identity of the CISO as critical to the organisational cyber-security function and by bringing it into conversation with wider security scholarship related to ontological security and sociological notions of identity work, through a theoretically grounded interpretative analysis.…”

Section: Introductionmentioning

confidence: 77%

“…Their study showed that cyber security is inherently collaborative both within and across organisational settings -while also being grounded in a community of experts. Effective cyber security depends on multiple actors, not just those who are cyber-security practitioners [91]. However, a number of studies highlight that CISOs appear be somewhat disconnected from the rest of their organisations, being seen as blockers [13], governors [91,66], translators [58], or even adversaries [12].…”

Section: Cisosmentioning

confidence: 99%

“…Effective cyber security depends on multiple actors, not just those who are cyber-security practitioners [91]. However, a number of studies highlight that CISOs appear be somewhat disconnected from the rest of their organisations, being seen as blockers [13], governors [91,66], translators [58], or even adversaries [12]. They also highlight a lack of clarity regarding what a CISO is expected to do [58,66], and how CISOs experience conflicted identities [13].…”

Section: Cisosmentioning

confidence: 99%

See 2 more Smart Citations

'Cyber security is a dark art': The CISO as soothsayer

Silva¹,

Jensen²

2022

Preprint

View full text Add to dashboard Cite

Commercial organisations continue to face a growing and evolving threat of data breaches and system compromises, making their cyber-security function critically important. Many organisations employ a Chief Information Security Officer (CISO) to lead such a function. We conducted in-depth, semi-structured interviews with 15 CISOs and six senior organisational leaders, between October 2019 and July 2020, as part of a wider exploration into the purpose of CISOs and cyber-security functions. In this paper, we employ broader security scholarship related to ontological security and sociological notions of identity work to provide an interpretative analysis of the CISO role in organisations. Research findings reveal that cyber security is an expert system that positions the CISO as an interpreter of something that is mystical, unknown and fearful to the uninitiated. They show how the fearful nature of cyber security contributes to it being considered an ontological threat by the organisation, while responding to that threat contributes to the organisation's overall identity. We further show how cyber security is analogous to a belief system and how one of the roles of the CISO is akin to that of a modernday soothsayer for senior management; that this role is precarious and, at the same time, superior, leading to alienation within the organisation. Our study also highlights that the CISO identity of protector-from-threat, linked to the precarious position, motivates self-serving actions that we term 'cyber sophistry'. We conclude by outlining a series of implications for both organisations and CISOs.

show abstract

Section: Introductionmentioning

confidence: 77%

Section: Cisosmentioning

confidence: 99%

Section: Cisosmentioning

confidence: 99%

See 1 more Smart Citation

'Cyber security is a dark art': The CISO as soothsayer

Silva¹,

Jensen²

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Security managers cannot be assumed to have in-depth knowledge of the human aspects of security, but may nonetheless value it in security policy decision-making [45]. They then require methods and tools to do so [51].…”

Section: Future Directionsmentioning

confidence: 99%

You’ve Left Me No Choices: Security Economics to Inform Behaviour Intervention Support in Organizations

Demjaha

Parkin

Pym

2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Security policy-makers (influencers) in an organization set security policies that embody intended behaviours for employees (as decision-makers) to follow. Decision-makers then face choices, where this is not simply a binary decision of whether to comply or not, but also how to approach compliance and secure working alongside other workplace pressures, and limited resources for identifying optimal securityrelated choices. Conflict arises due to information asymmetries present in the relationship, where influencers and decision-makers both consider costs, gains, and losses in ways which are not necessarily aligned. With the need to promote 'good enough' decisions about security-related behaviours under such constraints, we hypothesize that actions to resolve this misalignment can benefit from constructs from both neoclassical economics and behavioural economics. Here we demonstrate how current approaches to security behaviour provisioning in organizations mirror rational-agent economics, even where behavioural economics is embodied in the promotion of individual security behaviours. We develop and present a framework to accommodate bounded security decision-making, within an ongoing programme of behaviours which must be provisioned for and supported. We also point to applications of the framework in negotiating sustainable security behaviours, such as policy concordance and just security cultures.

show abstract

“…Engagement with cyber security experts [121] has, for instance, identified expectations for top user behaviours (highlighting also that even the experts cannot necessarily agree on how users should be supported and protected). Interviews with organisational security managers [122] has identified that they can appreciate the link between security controls and impacts upon user tasks and priorities; in other cases, it has also identified that security managers themselves need tools to be able to consider the impacts that their risk management strategies have upon users [123].…”

Section: Related Workmentioning

confidence: 99%

Identifying Unintended Harms of Cybersecurity Countermeasures

Chua

Parkin

Edwards

et al. 2019

2019 APWG Symposium on Electronic Crime Research (eCrime)

View full text Add to dashboard Cite

Well-meaning cybersecurity risk owners will deploy countermeasures (technologies or procedures) to manage risks to their services or systems. In some cases, those countermeasures will produce unintended consequences, which must then be addressed. Unintended consequences can potentially induce harm, adversely affecting user behaviour, user inclusion, or the infrastructure itself (including other services or countermeasures). Here we propose a framework for preemptively identifying unintended harms of risk countermeasures in cybersecurity. The framework identifies a series of unintended harms which go beyond technology alone, to consider the cyberphysical and sociotechnical space: displacement, insecure norms, additional costs, misuse, misclassification, amplification, and disruption. We demonstrate our framework through application to the complex, multi-stakeholder challenges associated with the prevention of cyberbullying as an applied example. Our framework aims to illuminate harmful consequences, not to paralyze decisionmaking, but so that potential unintended harms can be more thoroughly considered in risk management strategies. The framework can support identification and preemptive planning to identify vulnerable populations and preemptively insulate them from harm. There are opportunities to use the framework in coordinating risk management strategy across stakeholders in complex cyberphysical environments.

show abstract

Security Managers Are Not The Enemy Either

Cited by 20 publications

References 26 publications

'Cyber security is a dark art': The CISO as soothsayer

'Cyber security is a dark art': The CISO as soothsayer

You’ve Left Me No Choices: Security Economics to Inform Behaviour Intervention Support in Organizations

Identifying Unintended Harms of Cybersecurity Countermeasures

Contact Info

Product

Resources

About