Security for everyone

Behavioral Aspects of Cybersecurity

SecurityForEveryone

26/Jul/22

Narratives of cyber attacks have become routine, with attackers demonstrating new levels of intent through sophisticated attacks on networks. Unfortunately, cybercriminals have developed profitable business models and are taking advantage of online anonymity. For the defenders of networks, it is a serious situation that needs improvement. Therefore, a paradigm shift is essential for the effectiveness of existing techniques and practices. The cybersecurity problem area encompasses human behavior-based concerns as well as technology-based challenges. Technology-focused professionals cannot fully ensure cybersecurity effectiveness, although technology is a vital part of cybersecurity. People also play a critical role: the 2014 IBM Global Technology Services cybersecurity report attributed more than 70% of successful system or data breaches to human error (Carlton & Levy, 2015; Parsons et al., 2017). It is vital to focus on social and behavioral issues to improve the current situation.

Behavioral Cybersecurity

Cybersecurity behaviors emerge from the interaction between an environment and the individuals in it. Various factors such as culture, policies, participation in the Safety Education, Training and Awareness program, organizational structure, managerial involvement, and leadership have been examined as environmental influences. In addition, the support received from the organization is accepted as an important environmental factor that can increase the positive performance of employees. According to the situational constraint theory proposed by Peters & O'Connor, situational constraints are important factors that prevent individuals from using their abilities and reduce their performance. Many studies use the concept of situational support, which is the opposite of situational constraint, to positively predict individuals' organizational behavior and performance. In the field of information security as well, it is believed that individuals who are provided with sufficient situational support will increase their self-efficacy, which in turn leads to the formation of information security behaviors.

Computer scientists, security researchers, psychologists, and social scientists have tried to explain users' cybersecurity-related behavior. There is not enough information about the user's behavior towards information technology that protects systems and data from problems such as malware, spyware, and outages. Researchers have stated that the only way to be proactive in cyberspace is to consider behavioral or psychosocial data. There is a mutual cause and effect between a person's behavior and both the social world and personal characteristics. Therefore, crime or deviant behavior is a learned behavior just like any other behavior.

Human Factor

In the context of information security, human factors have gained increasing attention, especially where the use of security technologies has failed to protect companies from cyber attacks. The use of such technologies is negated if employees do not comply with cybersecurity protocols or engage in activities that put them and the company at risk. The growth in research investigating the role that human factors play in information security was born from this perspective. Studies have found that employees consistently underestimate the possibility of falling victim to a cybersecurity breach.

Lack of communication is a problem for any organization. A survey by Ponemon Institute LLC (2014) found that 51% reported a lack of knowledge of security solutions and were unsure whether their solution could tell the cause of an attack. A lack of communication can certainly negatively impact awareness. Human factor integration can contribute to environmental aspects such as work shifts, communication in emergencies, escalation of concerns and risks to contractors, identification of tools, and communication of changes in procedures and plans. The main goal is to avoid missing important information, creating misunderstandings, or increasing costs by dealing with useless information.

Indifference can lead to false trust, both at the enterprise level and at the user level. A user may feel confident that the current behavior does not cause a violation, but this does not mean that an intentionally incorrect behavior will not cause a future violation. Lack of knowledge can lead to unintentional mistakes, such as not closing accounts and writing hard-to-memorize passwords on paper. Distraction has already been cited as a mistake and an offensive tactic. A lack of teamwork can lead to a breach because hackers have an understanding of how IT teams work and can take advantage of dysfunctions. Fatigue has already been cited as a problem factor. The environment in which the user works can cause pressure and stress while not providing actionable policies or training to address vulnerabilities. Lack of assertiveness may be linked to communication and self-efficacy. A lack of assertiveness can lead to not communicating potential concerns directly to teammates, not suggesting possible solutions, or not seeking feedback. Lack of awareness can result from not being alert.

Reduce Human-Led Cybersecurity Risk

The behavioral aspects of cybersecurity are becoming a vital area for research. The unpredictable nature of human behavior and actions makes humans an important element and facilitator of cybersecurity. The purpose of discussing the theories examined is to highlight the importance of social factors, behavior, environment, prejudices, perceptions, deterrence, intent, attitude, norms, alternatives, sanctions, decision making, etc., in understanding cybercrime. While these theories have some limitations, they can be used collectively to strengthen a behavioral model. The behavior and intentions of both the user and the offender must be understood and modeled. Improving this area will help improve preparedness and prevent accidents. No system is 100% secure, and it is not possible to maximize security without considering the human element.

There is a level of trust to be built in cyberspace to be able to work with it, but constant validation is required. Employees should be aware of the risks and distinguish desired behavior from undesirable behavior. However, some workers may not comply due to the application of neutralization techniques. Cyber awareness training should be personalized, as employees may have different credentials or levels of access and responsibility. They also have their own biases about security. Awareness programs should not be one-size-fits-all. There is a level of trust in employees, but technology and cyber awareness must be taught and compliance must be verified. More education is not always the solution.

An interdisciplinary conceptual framework is proposed to bring together behavioral cybersecurity, human factors, modeling, and simulation. Businesses should be involved in research to ensure that models work as intended. It may not be correct to use an existing model for convenience without customizing it. George E. P. Box's statement, "All models are wrong, but some are useful," should motivate researchers and organizations to ask more questions about the usefulness of a model, which in turn should encourage a review of policies and approaches to security. Therefore, it should be typical for every organization to coordinate the behavioral and technical aspects of cybersecurity.

Sources:

  1. Hong, Y. and Furnell, S. (2021). Understanding cybersecurity behavioral habits: Insights from situational support

  2. Lahcen, R., Caulkins, B., Mohapatra, R. and Kumar, M. (2020). Review and insight on the behavioral aspects of cybersecurity

  3. Gillam, A. and Foster, W. (2020). Factors affecting risky cybersecurity behaviors by U.S. workers: An exploratory study

  4. Li, L., He, W., Xu, L., Ash, I., Anwar, M. and Yuan, X. (2019). Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior

  5. Hadlington, Lee. (2017). Human factors in cybersecurity; examining the link between Internet addiction, impulsivity, attitudes towards cybersecurity, and risky cybersecurity behaviors
