HOLISTICA Vol 9, Issue 3, 2018, pp. 71-88 DOI: 10.2478/hjbpa-2018-0024
Botching Human Factors in Cybersecurity in Business Organizations
Calvin NOBLES,
Cybersecurity Policy Fellow, New America Think Tank, Washington, DC, USA
University of Maryland University College, Adelphi, MD, USA
Human factors remain unexplored and underappreciated in information security. The mounting
cyber-attacks, data breaches, and ransomware attacks are a result of human-enabled errors; in
fact, 95% of all cyber incidents are human-enabled. Research indicates that existing information
security plans do not account for human factors in risk management or auditing. Corporate
executives, managers, and cybersecurity professionals rely extensively on technology to avert
cybersecurity incidents. Managers fallaciously believe that technology is the key to improving
security defenses even though research indicates that new technologies create unintended
consequences; nonetheless, technology-induced errors are human-enabled. Managers’ current
perspective on the human factors problem in information security is too narrow in scope, and
the problem is more than a training problem. The management of complex cybersecurity operations accompanied by
mounting human factor challenges exceeds the expertise of most information security
professionals; yet, managers are reluctant to seek the expertise of human factors specialists,
cognitive scientists, and behavioral analysts to implement effective strategies and objectives to
reduce human-enabled error in information security.
Keywords: Information Security, Cybersecurity, Human Factors, Technological Determinism,
Human-centered Cybersecurity, Human-enabled Errors, Technology.
JEL Classification: M1, L32.
1. Introduction
Business organizations continue to invest extensively in technologies to
prevent sophisticated cyber threats on prized possessions to maintain business
as usual. Even with the latest technological capabilities, malicious cyber actors
can gain access to businesses’ most critical networks, systems, and data. A 2015
report indicates that Wells Fargo, Bank of America, Citibank, and J. P. Morgan
Chase invested 1.5 billion dollars in mitigating emerging and persistent cyber
threats (Morgan, 2016). Humans are notably the weakest link in security and risk
management (Alavi, Islam, & Mouratidis, 2016; Proctor & Chen, 2015) because
organizations struggle to understand and mitigate behavioral-based risk in
information security. Human factors are the study of human interaction with
information systems, networks, and practices in an information security
environment (Nobles, 2015). Organizations leverage information systems to gain
the competitive and strategic advantage to pursue business objectives;
consequently, as the complexity of information systems and technologies
increases, humans become more susceptible to mistakes (Alavi, Islam, &
Mouratidis, 2016). The cybersecurity threat landscape is continually evolving,
and businesses are quickly adapting, primarily by leveraging technologies to
counter cyber threats (Neely, 2017). The investment ratio of technologies to
people is vastly disproportionate and problematic, as most organizations
treat human factors issues as a training issue. Metalidou et al. (2014) lament
that businesses pursue technological solutions to resolve behavioral-based risk
rather than addressing the issue from a human factors perspective, which
highlights the disregard for understanding human decision-making and end-
users’ interaction with information systems.
One study indicates that humans (86%) are the most prominent security
weakness followed by technology (63%) (Metalidou, 2014). It is common
knowledge that human-enabled errors account for more than 80% of all cyber-
attacks, data breaches, and ransomware attacks (Soltanmohammadi, Asadi, &
Ithnin, 2013). The U.S. and U.K. national-level cybersecurity policies listed
human-related errors in cybersecurity as a significant degradation to national
security (Dykstra, 2016). Nonetheless, most organizations have failed to
implement programs to address human factors in cybersecurity (Alavi, Islam, &
Mouratidis, 2016). Technology alone will not eliminate human error in
cybersecurity. On a daily basis, organizations encounter a barrage of
cybersecurity threats, indicating the compelling need to reduce human
errors and stop enabling the efforts of malicious cyber actors (Wirth, 2017). The
purpose of this paper is to highlight the complexity of managing human factors in
information security.
2. Cybersecurity Threat Landscape
According to a Symantec Report, in 2016, 401 million pieces of malware
traversed the internet in which 89% were new variants of malicious software
(Wirth, 2017). The Symantec report revealed that newly installed internet of
things devices are scanned by hackers within two minutes after installation,
highlighting the swift notification of network changes (Wirth, 2017) and
continuous network scanning searching for vulnerabilities. Malicious actors use
spear phishing and malware as threat vectors to capitalize on human error to
gain access to networks and critical data. The cybersecurity threat landscape is
continually evolving as malicious cyber actors pursue new vectors to target and
capitalize on newly discovered or known vulnerabilities (Wirth, 2017). The top
industries targeted by cybercriminals are (1) healthcare, (2) manufacturing, (3)
financial services, (4) government, and (5) transportation (Morgan, 2015). These
industries are targeted for sensitive information primarily in the healthcare and
financial services sectors. Researchers are forecasting the global cost of
cybercrime in 2019 to reach over 2 trillion dollars (Morgan, 2016).
Cybercriminals persistently take advantage of hyperconnected systems,
technology-induced vulnerabilities, human-enabled errors, and underprepared
organizations. The most prominent cyber threats in the past 12 months are (a)
phishing, (b) spyware, (c) ransomware, and (d) Trojans (Keely, 2017). Malware-
less threats are emerging as the weapon of choice for malicious cyber actors
seeking to compromise credentials (Keely, 2017). The top three threat vectors
are (a) email links and attachments, (b) web-based download, and (c) application
vulnerability (Keely, 2017). Of the three threat vectors, the most complicated is
application vulnerability because organizations have countless applications with
unaccounted for vulnerabilities (Keely, 2017). In 2017, 75% of data breaches
were executed by external malicious actors while internal actors conducted 25%
of the breaches, and organized criminal entities conducted 51% of breaches and
state-sponsored activity accounted for 18% of breaches (Verizon, 2017).
Malicious cyber actors use the following tactics (Verizon, 2017):
- 81% of breaches resulted from weak or stolen passwords
- 62% of breaches stemmed from hacking
- 51% of breaches involved malware
- 43% of breaches were social engineering attacks
Research indicates that web attacks decreased in 2016; however, 229,000
web attacks occur daily in which 76% of scanned websites contained
vulnerabilities, and 9% had critical security weaknesses (Wirth, 2017).
Cybercriminals use rootkit exploits as the primary attack vector to conduct
malicious cyber operations accounting for 60% of the attacks in 2016; however,
researchers noticed a sharp decrease in rootkits as cybercriminals migrated to
different techniques such as social engineering, malware, physical theft, and
ransom attacks (Wirth, 2017).
Research revealed that 80-90% of security breaches are due to human-
enabled errors in the U.S. and U.K. (Maglaras, He, Janicke, & Evans, 2016), and
these two countries account for over 90% of reported data breaches (Wirth,
2017). The evolving changes and threats in the cyber landscape are progressing,
requiring organizations to develop holistic and dynamic
information security strategies to eradicate and mitigate threats and
vulnerabilities (Alavi, Islam, & Mouratidis, 2016). Even with the influx of
technological capabilities coupled with operational, administrative, and technical
countermeasures, there is a continuing failure to address human factors
concerns in information security, which enables the proliferation of data
breaches, ransom attacks, and social engineering attacks at unprecedented
3. Human Factors
Schultz (2005) has stated the significance of the shortage of experts and
information security research on human factors and human error. Schultz (2005)
has outlined the importance of understanding how the work environment and
work culture influence the development or non-development of knowledgeable
employees that engage in productive and proper security-oriented behaviors.
According to Schultz (2005), human behavior has often been an overlooked focus
in information security research and organizational business strategy. As a result,
the growth of security breaches driven by human factors will continue to create
disparaging organizational results, causing bankrupt reputations, enormous
customer dissatisfaction, business losses, and significant governmental sanctions
(Buckhead, 2014; Van-Zadelhoff, 2016).
Kraemer and Carayon (2007) classified a human factor error as “Any action
leading to an undesired result” (p. 77). Often, employees are tricked by an
outsider into engaging in problematic behavior and may not mean to cause an
adverse event for the organization (Van-Zadelhoff, 2016). An employee’s actions
and decision making when engaging in work duties are intended to help advance
the goals of the organization, rather than purposely engaging in actions or
behaviors that would harm the organization. The result is often human error or
mistakes in human decision making that create information security problems
(Van-Zadelhoff, 2016).
Van-Zadelhoff (2016) stressed that human errors or human factors are one of
the highest areas of organizational vulnerability. Solutions for information
protection should consider human error and flawed decision making as one of
the most significant aspects of information security (Schultz, 2005). An
organization’s business strategy should encompass creating an effective
information security-oriented organization (Van-Zadelhoff, 2016). This means
creating policies that perpetuate a culture where employees are reluctant to
circumvent information security controls to complete tasks (Albrechtsen, 2007).
This security-enlightened culture is one where employees will purposefully
increase their knowledge of and concern for the importance of information
security in a manner where they will understand that this is an aspect of
everyone’s job, not just those with information technology job titles and duties
(Buckhead, 2014). Many of the studies that pertain to end-user behavior imply
that humans make uninformed information security decisions (Van-Zadelhoff,
2016). For example, users base decisions on personal values because of a lack of
training and threat perception, or the organization’s poor security culture (Van-
Zadelhoff, 2016).
An increasing concern for information security is human factors because
human error is the leading contributor to (a) data breaches, (b) ransomware
attacks, and (c) cyber-attacks (Kraemer & Carayon, 2007; Wirth, 2017). Even with
the deployment of automated countermeasures, malicious actors gain access to
targeted systems by exploiting human error through (a) spear phishing, (b) social
engineering, (c) malware, (d) noncompliance, (e) poor policies, and (f)
technology-induced vulnerabilities. The number of human-enabled errors
in cyber operations proves that technology alone will not eradicate human-
induced mistakes. Researchers and practitioners postulate that the impact of
malicious cyber activity targeting humans remains underexplored in existing
research (Mancuso, Strang, Funke, & Finomore, 2014). Mancuso et al. (2014)
acknowledge that the existing research gap in human performance and behavior
in cybersecurity requires urgent attention from human factors practitioners and
psychology-based experts.
Moreover, researchers emphasize that understanding human behavior in
cybersecurity is a complex problem (National Security Agency, 2015). An
egregious oversight in cybersecurity is the absence of cognitive scientists and
human factor experts to conduct assessments on human performance and
behavior in an active environment (National Security Agency, 2015). The
observation of human performance and behavior by cognitive and human factor
experts can provide practical insight on automation and information overload,
technological deterministic thinking, procedural alignment, operational tempo,
and the impact of technology on the workforce (Nobles, 2015). With the
ascendancy of technology in cybersecurity, cognitive scientists and human factor
experts are pivotal in conducting performance and human factors assessments
to expose (a) systemic weaknesses, (b) vulnerabilities, (c) critical phases of
cybersecurity operations, and (d) cognitive overload (Hadlington, 2017; Pfleeger
& Caputo, 2012). Human factors initiatives can be solidified through
organizational culture by implementing practices and processes to increase
awareness of human performance and decision-making (Hadlington, 2017).
Researchers indicate that 50% of the cyber-attacks in 2014 were due to
human error, illustrating a 31% increase from 2013 (Evans, Maglaras, Ho, &
Janicke, 2015). The increasing complexity of cybersecurity environments is
resulting in security fatigue, alert anxiety (Masters, 2017; Stanton, Theofanos,
Prettyman, & Furman, 2016), and operational fatigue. These phenomena arise
from the increasing number of incidents and vulnerabilities that easily
overwhelm cybersecurity operators (Wirth, 2017). The number of system
vulnerabilities remains challenging; Masters (2017) noted that each system
could have as many as ten vulnerabilities. A collapse in alertness is indicative of
cognitive and information overload leading to a degradation in human
Businesses rely on information systems and technology to yield profits; yet,
most companies struggle with integrating human factors into the organizational
culture (Hadlington, 2017). Human factors are also a concern for protecting
crown jewels, critical information, intellectual property, and networks.
Researchers give prominence to the unbalanced focus of organizations
leveraging automated technologies with little to no thought on the impacts on
information security (Vieane, 2016). It is imperative for organizations to develop
strategic human factors objectives in the organization’s information strategy. The
U.S. and U.K. both address human-related errors in cybersecurity in national-
level policies (Dykstra, 2016). Nonetheless, most organizations have failed to
implement programs to address human factors (National Science and Technology
Council (NSTC), 2016). A noticeable change in information security is the effort to
reduce human-enabled errors by including psychologists, cognitive scientists,
behavioral analysts, and human factors experts to analyze and evaluate the
behavior of end-users in cyber operations (Pfleeger & Caputo, 2012). Pfleeger
and Caputo (2012) acknowledge the importance of accounting for human
behavior when designing computer systems and technologies and the criticality
of behavioral science in ameliorating cybersecurity effectiveness.
Researchers and human factors experts vehemently emphasize that
technology alone will not ameliorate information security (Pfleeger & Caputo,
2012; Safa et al., 2015). Therefore, organizations need to leverage behavioral
specialists to examine cybersecurity operations from cognitive and bias
viewpoints as well as other behavioral factors to develop an amalgamated
approach that capitalizes on technology, processes, and procedures to
maximize security (Pfleeger & Caputo, 2012; Safa et al., 2015). The community
discussion between cybersecurity professionals and behavioral scientists as
recommended by Pfleeger and Caputo (2012) is a progressive effort to start
developing a common understanding between the two disciplines. The inclusion
of human factors experts, cognitive scientists, and behavioral analysts in the
cybersecurity domain could benefit cybersecurity in the same way that it has
improved aviation and nuclear power.
4. Theoretical Alignment
4.1 Theory of Planned Behavior
Ajzen (1991) framed the seminal theory of planned behavior (TPB), which is
one of the most frequently used theoretical frameworks for explaining many of
the human factors that influence behavioral actions. The TPB focuses on
theoretical constructs reflecting an individual’s motivational and cognitive
factors as significant prognosticators of behavioral action or inaction (Ajzen,
1991). The theory of planned behavior assumes the most proximal determinant
of the response is an intention to perform a behavior, which, in turn, is strongly
affected by attitude and subjective norm toward behavior and perceived
behavioral control over the performance of behavior (Ajzen, 1991). The TPB has
significant application to this study and exploration of the nature of employee
behaviors, human factors, and organizational business strategy around
cybersecurity and information security.
Considering cybersecurity in the context of TPB, employees’ attitudes
towards a behavior are significantly influenced by individual beliefs about the results
of performing the conduct (behavioral beliefs). If employees believe that
the expected consequence of performing a behavior is positive, those employees
will have an encouraging attitude about engaging in that behavior (Ajzen, 1991).
That means if proper and effective information security behavior is taught, highly
acknowledged, and heavily rewarded, then employees will feel more positive
about promoting and engaging in the appropriate behaviors (Ajzen, 1991). On
the contrary, if employees have limited knowledge, no vested interest, and are
frustrated in a way that strongly creates a convincing belief that performing a
behavior is negative, the employees will have an adverse attitude towards that
behavior (Ajzen, 1991).
4.2 Change Management
Dhillon’s (2001) study on organizations makes a compelling case that
human factors and organizational culture can be changed and positively
influenced. Dhillon’s study outlined the importance of employee engagement as a
useful tool for change management. Dhillon (2001) outlined the importance of
creating collaborative organizational cultures that focus on ways to leverage the
intellectual capital of everyone, which aligns with the socio-technical system
model in that the work system and work culture. Dhillon’s (2001) research
outlines the importance of the entire work system, including the organizational
culture and human factors as it relates to the active engagement of cybersecurity
Change management is the process of organizing, directing, and executing
change within an organization by establishing objectives and metrics to complete
the transformation (Benvenuti, 2011). Change at an organizational level is a
difficult undertaking because personnel often resist change due to the
apprehension of the future or the unknown (Benvenuti, 2011). Change is a
strategic objective for organizations to withstand continuous evolution;
however, resistance to change is a significant phenomenon (Georgalis,
Samaratunge, Kimberley, & Lu, 2015) that can be disruptive and
counterproductive. For human factors to be recognized as a credible science,
cybersecurity leaders must undergo a cultural and philosophical change
(Hadlington, 2017). A part of the fundamental change involves accepting
psychology as a vital element of cybersecurity (Hadlington, 2017). Cybersecurity
and information security consist of many technical specialties creating barriers
for psychologists, behavioral analysts, cognitive scientists, and human factors
specialists (Pfleeger & Caputo, 2012).
Leveraging change management is necessary to remove obstacles and
allow cybersecurity professionals to appreciate the value that behavioral
specialists and analysts can contribute to reducing human-enabled errors in
cyber and information security (Pfleeger & Caputo, 2012). Evaluating the
utilization of behavioral analysts and specialists in the aviation, safety, and
nuclear power fields can change the perspective of how psychology is regarded
in cybersecurity (Lee, Park, & Jang, 2011). Without the expertise of psychology-
based professionals, human-enabled errors will continue to wreak havoc on
organizations (Pfleeger & Caputo, 2012). It is imperative to change the
philosophical viewpoint on human error by welcoming and integrating
psychology professionals into cyber because the one constant in cyber is that humans
remain the weakest link (Hadlington, 2012). The information security culture can
affect the behavior of end-users within the organization and should be
developed to motivate users’ actions to meet information security requirements
(Albrechtsen & Hovden, 2010; Buckhead, 2014). Alfawaz et al. (2010) conducted
a study on information security culture and created a compliance framework,
which requires a tremendous amount of employee engagement.
Information security culture is reliant on senior management, priorities,
actions, and attitudes (Albrechtsen & Hovden, 2010; Buckhead, 2014). A study by
Buckhead (2014) outlined the importance of creating an organizational culture
where employees feel a sense of personal ownership regarding the mitigation of
information security risk.
4.3 Technological determinism
Technological determinism is a theory grounded on the constant creation and
integration of new technologies to simplify processes and ameliorate the quality
of human life and work procedures with no concern for societal, cultural, or
organizational implications (Nobles, 2015). Clegg and Bailey (2007) state that
technological determinism is centered on technology impacting humans by
revolutionizing societal, organizational, and economic progression. Technological
deterministic thinking can have a significant influence on an organization’s
behavior and acceptance of emerging technologies (NSTC, 2016). Some
scholars argue that technology is incapable of influencing humans; instead, it
transforms society (Clegg & Bailey, 2007). The aviation domain leverages
advanced technologies to reduce the cognitive demand of pilots through the use
of automated avionics and auto-pilot capabilities designed for easy manipulation
by pilots. Advanced technologies influenced the aviation community by
contributing to the reduction of aviation incidents and accidents (Nobles, 2015).
The cybersecurity domain profoundly demonstrates technological
deterministic behavior by continuously integrating emerging technologies as a
measure to mitigate advanced persistent threats (Nobles, 2015; NSTC, 2016). A
common practice by organizations is investing extensively in cybersecurity
technologies to counterpoise the shortage of trained information security
professionals and to defend against constant cybersecurity threats (Cobb, 2016;
NSTC, 2016). Businesses’ overreliance on cybersecurity technology has resulted in
organizational and cultural fallacies, shifting the defense of critical
networks, systems, and data onto technology, which minimizes the role of information
security professionals (Alavi, Islam, & Mouratidis, 2016; NSTC, 2016).
Human-enabled errors in cybersecurity have not decreased with the
integration of new technology (Alavi, Islam, & Mouratidis, 2016; NSTC, 2016).
There is a shortage of research on human-enabled errors and technology
integration in cybersecurity. The underappreciation of human factors in
cybersecurity illustrates a gap between theoretical research and organizational
practices regarding information security (NSTC, 2016). Cybersecurity operations
are growing increasingly sophisticated, analogous to aviation and nuclear power
operations. Both the aviation and nuclear power industries capitalize on the
scientific underpinnings of human factors by holistically assessing the effect of
technology, operations, procedures and tasks, decision-making, and the
environment on information security professionals (Lee, Park, & Jang, 2011).
Human factors assessment can be used by organizations to determine the
problematic areas for technical and non-technical employees (Aoyama, Naruoka,
Koshijima, & Watanabe, 2015; Hadlington, 2017). Technological deterministic
thinking impedes businesses from valuing human factors and increases
dependency on technology (Nobles, 2015) to support cybersecurity objectives
(Hadlington, 2017).
4.4 Human-centered Cybersecurity
At this time there is a scarcity of scientific research on the human-centered
cybersecurity framework, which emerged from human-centered design
theory. However, a cybersecurity company is focusing on behavioral-related risk
in information security through a new paradigm known as human-centered
cybersecurity (Bureau, 2018; ForcePoint, 2018). The human-centered
cybersecurity framework places humans at the center of cybersecurity and
information security practices, design aspects, and technology integration in an
effort to reduce behavioral-centric risks by accounting for psychological effects
(Bureau, 2018; ForcePoint, 2018). Scholars, researchers, and practitioners are
engaging in discourse and designing research projects to further explore human-
centered cybersecurity as a theory (Bureau, 2018). Researchers and practitioners
are working to elevate human-centered cybersecurity as a standard approach to
information security and cybersecurity (Bureau, 2018).
According to ForcePoint (2018), human-centered cybersecurity provides
the basis for gaining an in-depth understanding of human behavior and the
reasons humans make specific decisions when interacting with computer
systems. Placing humans at the center is a distinctive approach because
organizations prefer to put increased emphasis on technology, which has led to
an underappreciation of behavioral and cognitive sciences in information
security and cybersecurity (ForcePoint, 2018). The proliferation of human-
centered cybersecurity requires the inclusion of human factors experts,
behavioral analysts, and cognitive specialists into the information security and
cyber domain (ForcePoint, 2018). The human-centered cybersecurity approach
shifts the centric viewpoint from technology to humans, which will transform
existing organizational practices (ForcePoint, 2018).
5. Human Derailments in Information Security
Numerous factors have derailed information security (Hadlington, 2017),
consequently increasing risks and threats to organizations (Bureau, 2018).
Human factors initiatives and efforts are deprioritized against competing
requirements, given that organizational leaders do not understand or value
human factors as a science (Hadlington, 2017). The underappreciation of human
factors impedes researchers and practitioners from defining the scope of human
behavior when interacting with an information system (Hadlington, 2017).
Another significant factor that propagates human errors in cybersecurity is the
shortage of information security professionals (Cobb, 2016). By 2019, researchers
are forecasting a deficit of more than 1 million
cybersecurity jobs (Cobb, 2016), which will prevent organizations from achieving
optimum levels of preparedness to counter malicious activities. Nefarious cyber
activities continue to increase each year; therefore, information security
professionals face increased operational tempo, stress, fatigue, and burnout due
to personnel shortages (Wirth, 2017). The increasing complexity of information
security requirements coupled with the continuous integration of technology,
regulatory demands, emerging and persistent threats, and the disproportionate
reliance on technology negatively affects information security practices and
degrades organizations’ ability to reach an optimal level because the science
involving human factors is an afterthought (Pfleeger & Caputo, 2012).
The derailment of human factors in cybersecurity is propagated by threat
actors targeting end-users’ weaknesses in the human-machine teaming (Sawyer
& Hancock, 2017). For example, as humans leverage computing capabilities and
systems, analogous to any partnering situation, one partner will have stronger
performance tendencies than the other (Sawyer & Hancock, 2017). In the case of
the human-machine teaming, Sawyer and Hancock (2017) postulate that
prevalence paradox effects diminish human performance as a result of
overreliance, mistrust, complacency, and misuse. These prevalence paradoxes
increase vulnerabilities in cybersecurity, primarily due to human factors.
6. The Urgency for an Organizational Platform
Executive leaders must mandate platforms, in the form of committees,
programs, councils, or working groups, to address human-enabled error in
information security practices and cybersecurity operations. Leveraging
platforms to work with human factors specialists, cognitive scientists, and
psychologists is vital to understanding operational complexity, organizational
weaknesses, critical phases of security, and reckless attitudes by humans. In the
aviation domain, researchers identified hazardous attitudes that contributed to
aviation incidents and accidents. Information security and cybersecurity
professionals should employ best practices from other industries to mitigate
behavioral-based errors that result in cyber-attacks, ransomware attacks or data
breaches. Researchers advocate for information security and cybersecurity
professionals to leverage the findings of existing human factors studies to
cultivate operational practices to minimize human-enabled errors (Vieane,
The evolution of the information security domain outpaces researchers’ ability
to develop a comprehensive understanding of human interaction with
information systems. A 2015 report by IBM highlights that human factors
account for 95% of cybersecurity incidents as a result of inconsiderate work
practices, ignorance, poor software patching, use of malicious software codes,
unsecured network connections, and inadequate communication surrounding
sensitive information (Gyunka & Christiana, 2017). Researchers and practitioners
deem the study of human behavior in information security a critical area
because humans are labeled as the most vulnerable link in cybersecurity (Gyunka
& Christiana, 2017). Even though organizations are leveraging technology in
cybersecurity at an unprecedented rate, failure to address human factors
nullifies the ability to capitalize on the technological advances (Gyunka &
Christiana, 2017). Gyunka and Christiana (2017) argue that threat actors target
the vulnerabilities of human factors because it is less complicated than exploiting
technologies. The dynamic nature of the cyber threat landscape is onerous
because organizations are unable to produce engineering solutions to counter
threat actors’ ability to generate emerging threats and technologies (Klimoski,
Paul and Dykstra (2016) assert that the intersection of cybersecurity with the social and behavioral sciences remains undervalued and underexplored, which is reflected in the number of human-related errors in cybersecurity. Another complicating issue is the difficulty of assessing and measuring fatigue, frustration, and cognitive exertion in cybersecurity, all of which might result in technical mistakes and increased risk (Paul & Dykstra, 2017). The dearth of scientific research on leveraging applicable platforms to address human factors in cybersecurity further perpetuates the dependency on technology. Private and public entities need to work collaboratively to develop platforms and assessment capabilities to identify human factor shortfalls in information security and cybersecurity operations (NSTC, 2015).
Coffey (2017) argues that existing cybersecurity training and awareness is restrictive in scope because training programs fail to modify end-users' behavior. To influence end-user behavior, organizations must foster an environment that shifts the organizational climate toward active learning and thereby continually improves the culture (Coffey, 2017).
The Department of Defense (DoD) Cybersecurity Culture Compliance Initiative (DC3I) exists as an institutional platform to promote a culture that advances human factors by focusing on inadequate authorities, architectures, and capabilities (Department of Defense, 2015). The DC3I is a significant concept that applies to private organizations as well. Unfortunately, the organizational changes targeted by DC3I have been inconsequential due to a lack of appreciation for organizational change (Department of Defense, 2015). The DoD, like many private organizations, aims to reduce human error in cybersecurity by over-investing in technology (Department of Defense, 2015). Without a doubt, this practice is pernicious because organizations are disproportionately investing in technology while disregarding the underlying behavioral and cognitive issues.
7. Recommendations and Conclusion
Safety science research can help explain why information system users do not comply with information security controls (Young & Leveson, 2013). A study by Lawton (1998) focused on rule violations and the motivations given by violators. The study determined that, in most cases, the violations occurred unintentionally because workers were committed to completing the task (Lawton, 1998). Time pressure, workload, and using a "quicker way of working" were among the human factor issues that influence employees' engagement in risky actions (Young & Leveson, 2013; Burkhead, 2014; Lawton, 1998).
Without a doubt, human factors is a scientific field that is underutilized and undervalued in information security and cybersecurity (NSTC, 2016). Human involvement in information security is too consequential for organizational leaders to continue to ignore the value of psychology-based specialists in analyzing human behavior in information security (National Security Agency, 2015). The lack of research on human behavior in cyber and information security further exacerbates the misunderstanding of human decision-making while operating an information system. The cybersecurity threat landscape expands every day as malicious actors develop sophisticated techniques to conduct nefarious activities.
Technologically deterministic thinking drives constant investment in technologies; yet human error remains a primary contributor to data breaches, cyber-attacks, and ransomware attacks (Hadlington, 2017). Many security professionals are unfamiliar with the science of human factors and equate human error with a training and awareness issue, which is a misconception (National Security Agency, 2015). Therefore, the following recommendations are necessary to optimize human performance in information security (Clark, 2015; Georgalis et al., 2015; Lee, Park, & Jang, 2011; Paustenbach, 2015):
a) Seek the expertise of human factors specialists and behavioral analysts
b) Mandate an executive-led committee to address human factors in
information security
c) Conduct a risk assessment solely based on human factors
d) Integrate human factors objectives into information security plans
e) Make humans centric to the foundation of information security and
cybersecurity practices
f) Leverage human factors lessons learned from the aviation, nuclear
power, and safety industries
g) Design training and awareness programs to include gamification
h) Train personnel on human factors
i) Develop metrics to capture the changes after implementing human
factors objectives
j) Sponsor human factors research projects with universities and colleges
k) Integrate human factors course material into information security certification programs
l) Advocate for colleges and universities to develop and teach human
factors courses
This analysis indicates that human factors in information security continue to be plagued by widespread and systemic issues (Georgalis et al., 2015; NSTC, 2015). Organizations' mismanagement of human factors increases risk and susceptibility to malicious cyber activities (Georgalis et al., 2015). The above recommendations give organizations a basis for exploring human behavior more deeply in order to reduce behavior-related risk. The litany of problems surrounding human factors in information security requires extensive change management to eradicate preventable human errors (Georgalis et al., 2015). Information security professionals must develop a profound comprehension and appreciation of human factors, as leaders in other industries have, to stop perpetuating information security shortfalls by treating human-enabled errors as a training and technology problem when, in fact, they stem from the mismanagement of human factors. Aggressive and strategic action to explore behavior-based risks, accompanied by comprehensive scientific assessment, can yield data that highlights the significant infractions that result in human error.
[1] Eurocontrol/FAA Action Plan 15 White Paper. (2015, December). A human performance standard of excellence.
[2] Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and
Human Decision Processes, 50, 179-211.
[3] Alavi, R., Islam, S., & Mouratidis, H. (2016). An information security risk-driven
investment model for analysing human factors. Information & Computer
Security, 24(2), 205-227.
[4] Albrechtsen, E. & Hovden, J. (2010). Improving information security awareness and
behavior through dialogue, participation and collective reflection. An intervention
study. Computers & Security, 29, 432-445.
[5] Alfawaz, S., Nelson, K. & Mohannak, K. (2010). Information security culture: A
behavior compliance conceptual framework. Eighth Australasian Information
Security Conference, Brisbane, Australia.
[6] Aoyama, T., Naruoka, H., Koshijima, I., & Watanabe, K. (2015). How management goes wrong? The human factor lessons learned from a cyber incident handling exercise. Procedia Manufacturing, 3, 1082-1087.
[7] Benvenuti, S. (2011). Making a case for Change Management Theory to support IS/IT curriculum innovation. Issues in Informing Science and Information Technology, 8, 93-109.
[8] Blair, T. (2017). Investigating the cybersecurity skills gap (Order No. 10623377).
Available from ProQuest Dissertations & Theses Global. (1989786177). Retrieved
[9] Bureau, S. (2018). Human-centered cybersecurity: A new approach to securing
networks. Research at RIT. Rochester Institute of Technology Research Report ,
Fall/Winter 2017-2018.
[10]Burkhead, R. L. (2014). A phenomenological study of information security incidents
experienced by information security professionals providing corporate information
security incident management (Order No. 3682325). Available from ProQuest
Dissertations & Theses Global. (1657429053). Retrieved from https://search-
[11]Clark, A. (2013). Whatever next? Predictive brains, situated agents, and the future
of cognitive science. Behavioral and brain sciences, 36(3), 181-204.
[12]Clegg, S., & Bailey, J. R. (Eds.). (2007). International Encyclopedia of Organization
Studies. Sage Publications.
[13]Cobb, S. (2016). Mind this Gap: Criminal hacking and the global cybersecurity skills
shortage, a critical analysis.
[14]Coffey, J. W. (2017). Ameliorating sources of human error in cybersecurity:
technological and human-centered approaches. In The 8th International Multi-
Conference on Complexity, Informatics, and Cybernetics, Pensacola (pp. 85-88).
[15]Department of Defense (DoD) Cybersecurity Cultural Compliance Initiative (DC3I).
(2015, September).
[16]Dhillon, G. (2001). Violation of safeguards by trusted personnel and understanding
related information security concerns. Computers & Security, 20(2), 165-172.
[17]Dykstra, J. (2017). Cyber Issues Related to Social and Behavioral Sciences for
National Security.
[18]Evans, M., Maglaras, L. A., He, Y., & Janicke, H. (2016). Human behavior as an
aspect of cybersecurity assurance. Security and Communication Networks, 9(17),
[19]ForcePoint Security Labs. (2018). 2018 Security Predictions. Retrieved February 23,
2018 from
[20]Georgalis, J., Samaratunge, R., Kimberley, N., & Lu, Y. (2015). Change process
characteristics and resistance to organisational change: The role of employee
perceptions of justice. Australian Journal of Management, 40(1), 89-113.
[21] Gyunka, B. A., & Christiana, A. O. (2017). Analysis of human factors in cyber security: A case study of the Anonymous attack on HBGary. Computing & Information Systems, 21(2), 10-18. Retrieved from
[22]Hadlington, L. (2017). Human factors in cybersecurity; examining the link between
Internet addiction, impulsivity, attitudes towards cybersecurity, and risky
cybersecurity behaviours. Heliyon, 3(7), e00346.
[23]Klimoski, R. (2016). Critical success factors for cybersecurity leaders: Not just
technical competence. People and Strategy, 39(1), 14.
[24]Kraemer, S. & Carayon, P. (2007). Human errors and violations in computer and
information security: the viewpoint of network administrators and security
specialists. Applied Ergonomics, 38(2007), 143-154.
[25]Kraemer, S., Carayon, P. & Clem, J. (2009). Human and organizational factors in
computer and information security: Pathways to vulnerabilities. Computers &
Security, 28, 509-520.
[26]Lawton, R. (1998). Not working to rule: Understanding procedural violations at
work. Safety Science, 28(2), 77-95.
[27]Lee, Y. H., Park, J., & Jang, T. I. (2011). The human factors approaches to reduce
human errors in nuclear power plants. In Nuclear Power-Control, Reliability and
Human Factors. InTech.
[28]Maglaras, L., He, Y., Janicke, H., & Evans, M. (2016). Human Behaviour as an aspect
of Cyber Security Assurance.
[29]Mancuso, V. F., Strang, A. J., Funke, G. J., & Finomore, V. S. (2014, September).
Human factors of cyber attacks: a framework for human-centered research.
In Proceedings of the Human Factors and Ergonomics Society Annual Meeting(Vol.
58, No. 1, pp. 437-441). Sage CA: Los Angeles, CA: SAGE Publications.
[30]Marble, J. L., Lawless, W. F., Mittu, R., Coyne, J., Abramson, M., & Sibley, C. (2015).
The human factor in cybersecurity: Robust & intelligent defense. In Cyber
Warfare (pp. 173-206). Springer International Publishing.
[31]Masters, G. (2017 June 09). Crying wolf: Combatting cybersecurity alert fatigue. SC
Media. Retrieved from
[32]McClain, J., Silva, A., Emmanuel, G., Anderson, B., Nauer, K., Abbott, R., & Forsythe,
C. (2015). Human performance factors in cyber security forensic analysis. Procedia
Manufacturing, 3, 5301-5307.
[33] Metalidou, E., Marinagi, C., Trivellas, P., Eberhagen, N., Skourlas, C., & Giannakopoulos, G. (2014). The human factor of information security: Unintentional damage perspective. Procedia-Social and Behavioral Sciences, 147, 424-428.
[34] Morgan, S. (2016, May 13). Top 5 industries at risk of cyber-attacks. Retrieved on February 17, 2018, from
[35] National Security Agency (2015). Science of Security (SoS) Initiative Annual Report 2015. Retrieved from
[36] National Science and Technology Council. (2016, February). Networking and Information Technology Research and Development Program. Ensuring Prosperity and National Security. Retrieved on March 3, 2018,
[37] Neely, L. (2017). 2017 Threat Landscape Survey: Users on the front line. SANS Institute. Retrieved on February 17, 2018, from
[38] Nobles, C. (2015). Exploring pilots' experiences of integrating technologically advanced aircraft within general aviation: A case study (Order No. 3682948). Available from ProQuest Central; ProQuest Dissertations & Theses Global. (1658234326). Retrieved from
[39] Paustenbach, D. J. (Ed.). (2015). Human and Ecological Risk Assessment: Theory and Practice (Wiley Classics Library). John Wiley & Sons.
[40] Pfleeger, S. L., & Caputo, D. D. (2012). Leveraging behavioral science to mitigate cyber security risk. Computers & Security, 31(4), 597-611.
[41] Ponemon Institute. (2017, June). 2017 Cost of Data Breach Study.
[42] Proctor, R. W., & Chen, J. (2015). The role of human factors/ergonomics in the science of security: decision making and action selection in cyberspace. Human Factors, 57(5), 721-727.
[43] Safa, N. S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N. A., & Herawan, T. (2015). Information security conscious care behaviour formation in organizations. Computers & Security, 53, 65-78.
[44] Sawyer, B. D., & Hancock, P. A. (2018). Hacking the Human: The Prevalence Paradox in Cybersecurity. Human Factors, 60(5), 597-609.
[45] Schultz, E. (2005). The human factor in security. Computers & Security, 24, 425-426.
[46] Soltanmohammadi, S., Asadi, S., & Ithnin, N. (2013). Main human factors affecting information system security. Interdisciplinary Journal of Contemporary Research in Business, 5(7), 329-354.
[47] Stanton, B., Theofanos, M. F., Prettyman, S. S., & Furman, S. (2016). Security Fatigue. IT Professional, 18(5), 26-32.
[48] Van Zadelhoff, M. (2016, September). The Biggest Cybersecurity Threats Are Inside Your Company. Harvard Business Review.
[49] Verizon 2017 Data Breach Investigations Report, 10th Edition. (2017). Retrieved on February 18, 2018, from
[50] Vieane, A., Funke, G., Gutzwiller, R., Mancuso, V., Sawyer, B., & Wickens, C. (2016, September). Addressing Human Factors Gaps in Cyber Defense. In Proceedings of the Human Factors and Ergonomics Society Annual Meeting (Vol. 60, No. 1, pp. 770-773). Sage CA: Los Angeles, CA: SAGE Publications.
[51] Young, W. & Leveson, N. (2013). Systems thinking for safety and security. Proceedings of the 29th Annual Computer Security Applications Conference. New Orleans, Louisiana, USA.
... In this new way of working, having one technical expertise alone isn't enough for a professional to be truly effective in organizations requiring increasing multidisciplined skillsets in their subject matter knowledge. On top of technical expertise, the cyber security professional in this new type of environment needs to understand human behavior as well as organizational processes to meet the ever-changing challenges [5, p.121] since human factors often remain the weakest link in securing data and information [14]. The new reality says [5] that information has become more valuable than ever before and is now a major target of threat actors capable of using advanced technology. ...
Full-text available
A qualitative case study focused on understanding what steps are needed to prepare the cybersecurity workforces of 2026-2028 to work with and against emerging technologies such as Artificial Intelligence and Machine Learning. Conducted through a workshop held in two parts at a cybersecurity education conference, findings came both from a semi-structured interview with a panel of experts as well as small workgroups of professionals answering seven scenario-based questions. Data was thematically analyzed, with major findings emerging about the need to refocus cybersecurity STEM at the middle school level with problem-based learning, the disconnects between workforce operations and cybersecurity operators, the distrust of Non-Traditional Training Programs, and the need to build digital security generalists' curriculum and training. Recommendations are also made for possible next steps. Abstract-A qualitative case study focused on understanding what steps are needed to prepare the cybersecurity workforces of 2026-2028 to work with and against emerging technologies such as Artificial Intelligence and Machine Learning. Conducted through a workshop held in two parts at a cybersecurity education conference, findings came both from a semi-structured interview with a panel of experts as well as small workgroups of professionals answering seven scenario-based questions. Data was thematically analyzed, with major findings emerging about the need to refocus cybersecurity STEM at the middle school level with problem-based learning, the disconnects between workforce operations and cybersecurity operators, the distrust of Non-Traditional Training Programs, and the need to build digital security generalists' curriculum and training. Recommendations are also made for possible next steps.
... C ONTINUOUS security threats pose a significant challenge for organizations, as new vulnerabilities and attacks are constantly emerging [1]- [3]. These vulnerabilities are introduced during the development process [4], [5] and these issues are often recurring [6], meaning that their detection is far simpler than a zero-day attack. Public efforts exist to keep track of vulnerabilities like the CVE program 1 and efforts to prevent security risks are seen within the CWE 2 program which presents hardware and software weakenesses that can have security ramifications. ...
Full-text available
As software applications continue to become more complex and attractive to cyber-attackers, enhancing resilience against cyber threats becomes essential. Aiming to provide more robust solutions, different approaches were proposed for vulnerability detection in different stages of the application life-cycle. This article explores three main approaches to application security: Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA). The analysis conducted in this work is focused on open-source solutions while considering commercial solutions to show contrast in the approaches taken and to better illustrate the different options available. It proposes a baseline comparison model to help evaluate and select the best solutions, using comparison criteria that are based on community standards. This work also identifies future opportunities for application security, highlighting some of the key challenges that still need to be addressed in order to fully protect against emerging threats, and proposes a workflow that combines the identified tools to be used for vulnerability assessments.
... Discouraged workers are those who have given up searching for employment due to a lack of opportunities or other factors, leading to a decline in their mental and physical health (Bockerman & Ilmakunnas, 2019). Human factors refer to the study of how humans interact with systems, products, and environments, with a focus on optimizing performance, safety, and well-being (Nobles, C., 2018). They encompass various factors such as cognitive and perceptual abilities, communication, teamwork, and user-centered design (Smith & Salvendy, 2019). ...
Full-text available
By 2025, up to 85 million jobs globally could be displaced due to automation and new technologies. The traditional approach of relying solely on human resources to address unemployment is no longer effective. A concern is the narrow-minded focus aligning internal organizational objectives with human resource practices. As technology rapidly advances, industries must adapt to new tools and approaches, including automation, artificial intelligence, and cybersecurity. Human factors must be understood and incorporated. These changes are creating new job opportunities while also replacing some jobs. This text highlights the urgent need to provide support, education, and retraining programs for the discouraged workforce, who are at a higher risk of displacement due to lack of skills and education. Failure to address this issue could have a detrimental effect on the economy and burden social welfare programs. This text emphasizes the importance of research at the intersection of discouraged workers, technology, and change.
... Security and technology executives indicated that cloud misconfigurations are human errors that hinder security compliance (Coker, 2020). Nobles (2018Nobles ( , 2019Nobles ( , 2022a, and 2022b) emphasized the importance of leveraging human factors in cybersecurity to better understand the human element in digitized environments, impeded by a lack of appreciation and under-exploration from the academic community. Given the persistent issues with human errors, poor cybersecurity behavior, and organizations' inability to understand the human element in cyberspace, the academic community could be the nexus to increase the appreciation for human factors by integrating such classes into cybersecurity. ...
Conference Paper
Full-text available
With human errors and behavior being significant contributors to data breaches and cyber-attacks, it is critical to integrate human factors principles into cybersecurity education. The lack of emphasis on human factors in cybersecurity curricula has resulted in a significant gap in understanding and addressing the role of human behavior in cybersecurity. This paper highlights the need for colleges and universities to offer courses in human factors principles in cybersecurity to educate the future workforce. The article discusses the importance of understanding human factors in designing secure systems and the benefits of integrating human factors into cybersecurity research and practice. The paper addresses the challenges institutions face in developing and teaching human factors courses in cybersecurity, including the need for more faculty members with relevant expertise and credentials. This research argues that teaching human factors in cybersecurity is essential to prevent data breaches and cyber-attacks caused by human errors and behavior.
... However, managing complex cybersecurity operations with increasing human factor challenges exceeds the expertise of most information security professionals. Nevertheless, managers seem hesitant to seek the assistance of human resources specialists and behavioral scientists to implement effective strategies and objectives to reduce human error in information security (Nobles, 2018). The management of individuals is also an essential cybersecurity responsibility. ...
Conference Paper
Full-text available
Purpose- With the rapid advancement of information and communication technologies, businesses are facing growing security risks. The prevalence, intensity, and complexity of cyber attacks worsen these vulnerabilities, leading to a rising focus on cybersecurity. Enterprises exposed to such cyberattacks might not only face considerable financial losses but also experience data breaches, operational interruptions, harm to their reputation, regulatory penalties, legal expenses, reduced competitive standing, and increased insurance premiums. In this concept study discusses the importance of human factors in cybersecurity management. While organizations spend billions on information technology systems and software to detect and prevent cyber threats, individuals play a critical role in managing these risks. Methodology- Through a review of literature and statistical data, study examines the factors contributing to cybersecurity breaches, the allocation of resources to address them, and proposes potential solutions. Findings- In the workplace, most research on cybersecurity focuses on employees as the most important source of vulnerability. In the literature review, it is understood that an employee’s carelessness and lack of awareness pose the greatest risk to cybersecurity. However, businesses often fail to show sufficient attention to human behavior in their efforts to keep organizational data secure and to plan security strategies. It is important to note that effective cybersecurity management requires not only technical controls but also the management of human factors. Meanwhile, security expenditures in enterprises are often disproportionately allocated to technology investments, with 97% being spent on technology investments, despite the fact that over 85% of breaches are attributable to human factors. 
Conclusion- In the literature review, it is understood that cybersecurity management is not only related to technical controls, but also the management of human factors is of critical importance. The management of individuals is also an essential cybersecurity responsibility. It is important to adopt a holistic approach to cybersecurity management includes both technical and human perspectives. Cybersecurity awareness has significant benefits for businesses to effectively manage cybersecurity which can be achieved by developing appropriate training programs and foster a cybersecurity culture. Keywords: Cybersecurity, cybersecurity management, cybersecurity awareness, technology investments, human factor JEL Codes: M12, M15, L86
... The employee should know cyber-attack tactics [39], during a cyber-attack, the attacker gains unauthorized ace ss to a computer system, network, or device for stealing, modifying, or destroying data. The attacker may use a variety of tactics, including malware, social engineering, or exploiting vulnerabilities in software or systems. ...
Technology as the single solution to risk is outdated and enables cybersecurity incidents. The no-involvement integrated focus on business and IT elements continues. Cyberattacks cost hundreds of billions of dollars. Consistent hacks and ransomware attacks help with the comprehension that cybersecurity risks should be managed in part under strategic management and organizational external business aspects, but apply risk tables and strategy evaluation processes. Organizations must focus more on managing risk. Project managers must be empowered with appropriate knowledge and skills, and receive consistent education as opposed to ineffective once-a-year education. Solutions must be crafted that include evolving cyberattacks. Offered is an agenda for project risk management to include cybersecurity. Described are positives that actions can provide to cybersecurity and basic project management. Intertwined are tools to use to assure effectiveness. The mission for this text is to catalyze research at the interface of cybersecurity, business, and technology.
Two central problems in change management are the lack of attention to human factors (e.g., fatigue, human error, communication breakdowns, staffing issues, workload and stress, ergonomics, organizational factors, compliance and procedures, teamwork and collaboration, and inadequate training) and cybersecurity issues. Data shows that 62.7% of adverse effects affected patients, and healthcare professionals contributed 71.7% of the effects, with communication and protocol issues being related to the damage caused. A literature review and content analysis show the overall findings of prioritizing human factors engineering and cybersecurity concerns in their change management processes to mitigate risks and ensure patient safety. Overall, this research contributes to the fields of cybersecurity leadership and healthcare by raising awareness of the critical issues that must be addressed in change management and highlighting the need for healthcare organizations to prioritize human factors engineering and cybersecurity in their change management processes.
Internet is completely integrated and absorbed in our life. Facilitating transfer of files across the world or wiring money from the couch, we could not imagine a world without it anymore. With these benefits, as with any new technology, there is also the introduction of risks and threats, for internet primarily in the form of cybercrime and online fraud. To reduce victimisation of this cybercrime, interventions are used to teach people to not perform risky behaviour. To overcome criticisms of current training materials, such as being tedious and boring, we created an Immersive Virtual Reality experience. By using a 4-step design process (i.e. ideation, specification, realisation, and evaluation), we designed a playful VR environment with simplistic non player characters to train the user to perform basic cybersecurity tasks in the right way. In the simulation, the participants are exposed to the challenge of creating a new password and a potential ransomware attack using USB storage device. The program allows for monitoring the user’s cybersecurity knowledge and behaviour and provides feedback. An evaluation of the VR environment among 16 respondents using a pretest-posttest evaluation with the Human Aspect Information Security Questionnaire (HAIS-Q) showed a statistically significant increase in scores after exposure to the VR environment. The system showed an above average SUS score. These initial findings indicate that a VR environment can be an alternative to consider for future development of cybersecurity interventions. Future research could expand our social VR environment with additional cybersecurity challenges, real-time actors, and running simulations among a broader audience to also investigate the retention of knowledge and skills.
This cybersecurity case study provides a comprehensive remediation plan for an organization that recently experienced a data breach and lacks a risk management strategy. Starting with a current state analysis, the plan includes strategies to support the new organizational behaviors, understanding and aligning company culture, supporting changes with ethical decision-making and strong leadership, and ensuring changes are maintained and reinforced. Foundation theories and models are used to support the plan: human factors, theory of constraints, the plan-do-check-act cycle, Schein's model of organizational culture, the Deal and Kennedy culture model, Lewin's change management model, nudge theory, the duty-based approach to ethical decision-making, and transformational leadership. The resulting plan ensures that the organization is able to prevent most cyberattacks and has a ready response plan for dealing with any future breaches.
Full-text available
Objective: This work assesses the efficacy of the "prevalence effect" as a form of cyberattack in human-automation teaming, using an email task. Background: Under the prevalence effect, rare signals are more difficult to detect, even when taking into account their proportionally low occurrence. This decline represents diminished human capability to both detect and respond. As signal probability (SP) approaches zero, accuracy exhibits logarithmic decay. Cybersecurity, a context in which the environment is entirely artificial, provides an opportunity to manufacture conditions enhancing or degrading human performance, such as prevalence effects. Email cybersecurity prevalence effects have not previously been demonstrated, nor intentionally manipulated. Method: The Email Testbed (ET) provides a simulation of a clerical email work involving messages containing sensitive personal information. Using the ET, participants were presented with 300 email interactions and received cyberattacks at rates of either 1%, 5%, or 20%. Results: Results demonstrated the existence and power of prevalence effects in email cybersecurity. Attacks delivered at a rate of 1% were significantly more likely to succeed, and the overall pattern of accuracy across declining SP exhibited logarithmic decay. Application: These findings suggest a "prevalence paradox" within human-machine teams. As automation reduces attack SP, the human operator becomes increasingly likely to fail in detecting and reporting attacks that remain. In the cyber realm, the potential to artificially inflict this state on adversaries, hacking the human operator rather than algorithmic defense, is considered. Specific and general information security design countermeasures are offered.
ABSTRACT Purpose: This paper critically analyses the human factors or behaviours that constitute major threats to cyber security. Focus is placed on the usual roles played by both the attackers and the defenders (the targets of the attacker) in the pervasiveness of cyber threats and the potential impacts of such actions on critical security infrastructures. Design/Methodology/Approach: To enable an effective and practical analysis, the Anonymous attack against HBGary Federal (a security firm in the United States of America) was taken as a case study to reveal the hugely damaging impacts of human errors and attitudes on the security of organizations and individuals. Findings: The findings revealed that the powerful security firm was compromised and taken over through simple SQL injection techniques and a very crafty social engineering attack, which succeeded because of sheer personnel negligence and unwitting utterances. The damage caused by the attack was enormous and included the exposure of very sensitive and personal data, complete shutdown of the website, loss of backup data and personnel character deformations. The research also found that damaging human factors result from ignorance of, or illiteracy in, basic security practices, carelessness and sometimes sabotage by disgruntled employees from within, and that these vulnerabilities have become prime targets for exploitation by attackers through social engineering attacks. Social engineering was also found to be the leading attack technique adopted by attackers within cyberspace in recent years. Practical Implications: The paper concludes by advocating assiduous training and cyber security awareness programmes for workforces and the implementation and maintenance of a basic security culture and policies as a panacea for social engineering cyber attacks against individuals and organizations. Originality: Much work has been done, and much is still ongoing, in the field of social engineering attacks and human factors, but this study is the first to adopt the approach of a practical case study to critically analyze the effects of human factors on cyber security. Keywords: Anonymous; HBGary Federal; Uniform Resource Locator (URL); Content Management System (CMS); SQL Injection; Cross-site Scripting (XSS); Social Engineering; Cyber Security; Information Security
The present study explored the relationship between risky cybersecurity behaviours, attitudes towards cybersecurity in a business environment, Internet addiction, and impulsivity. 538 participants in part-time or full-time employment in the UK completed an online questionnaire, with responses from 515 being used in the data analysis. The survey included an attitude towards cybercrime and cybersecurity in business scale, a measure of impulsivity, a measure of Internet addiction and a 'risky' cybersecurity behaviours scale. The results demonstrated that Internet addiction was a significant predictor of risky cybersecurity behaviours. A positive attitude towards cybersecurity in business was negatively related to risky cybersecurity behaviours. Finally, the measure of impulsivity revealed that attentional and motor impulsivity were both significant positive predictors of risky cybersecurity behaviours, with non-planning being a significant negative predictor. The results present a further step in understanding the individual differences that may govern good cybersecurity practices, highlighting the need to focus directly on more effective training and awareness mechanisms.
Cyber security is a high-ranking national priority that is only likely to grow as we become more dependent on cyber systems. From a research perspective, currently available work often focuses solely on technological aspects of cyber, acknowledging the human in passing, if at all. In recent years, the Human Factors community has begun to address human-centered issues in cyber operations, but in comparison to technological communities, we have only begun to scratch the surface. Even with publications on cyber human factors gaining momentum, there still exists a major gap in the field between understanding of the domain and currently available research meant to address relevant issues. The purpose for this panel is to continue to expand the role of human factors in cyber research by introducing the community to current work being done, and to facilitate collaborations to drive future research. We have assembled a panel of scientists across multiple specializations in the human factors community to have an open discussion regarding how to leverage previous human factors research and current work in cyber operations to continue to push the bounds of the field.
There continue to be numerous publicised breaches pertaining to cyber security despite security practices having been applied within industry for many years. This article is intended to be the first in a series of articles on research into cyber security assurance processes. It is compiled from current research related to cyber security assurance and the impact of the human element on it. The objective of this work is to identify elements of cyber security that would benefit from further research and development based on the literature review findings. The results outlined in this article present a need for the cyber security field to look into established industry areas in order to benefit from effective practices such as human reliability assessment, along with improved methods of validation such as statistical quality control, in order to obtain true assurance. The article proposes the development of a framework based upon defined and repeatable quantification, specifically relating to the range of human-aspect tasks that are intended to provide, or at least not to negatively affect, cyber security posture.
Purpose: The purpose of this paper is to introduce a risk-driven investment process model for analysing human factors that allows information security managers to capture possible risk-investment relationships and to reason about them. The overall success of an information security system depends on analysis of the risks and threats so that appropriate protection mechanisms can be put in place. However, a lack of appropriate analysis of risks may result in the failure of information security systems. The existing literature does not provide adequate guidelines for a systematic process or an appropriate modelling language to support such analysis. This work aims to fill this gap by introducing the process and reasoning about the risks while taking human factors into account. Design/methodology/approach: To develop a risk-driven investment model along with the activities that support the process. These objectives were achieved through the collection of quantitative and qualitative data utilising requirements engineering and Secure Tropos methods. Findings: The proposed process and model lead to a clearly defined relationship between risks, incidents and investment, and allow organisations to calculate them based on their own figures. Research limitations/implications: One of the major limitations of this model is that it only supports incident-based investment, which creates some difficulty in presenting it to the executive board. Secondly, because of the nature of human factors, quantification does not exactly reflect the monetary value of the factors. Practical implications: Applying the information security risk-driven investment model in a real case study shows that it can help organisations apply and use it for other incidents and, more importantly, for incidents in which critical human factors are a grave concern to organisations. The importance of providing a financial justification when seeking investment in information security is clearly highlighted and provided for. Social implications: The work has a large social impact in that it could technically support cost justifications and the decision-making process. This would affect society as a whole by helping individuals keep their data safe. Originality/value: The novel contribution of this work is to analyse specific critical human factors, which are subjective in nature, in the objective and dynamic domain of risk, security and investment.
Security fatigue has been used to describe experiences with online security. This study identifies the affective manifestations resulting from decision fatigue and the role it plays in users' security decisions. A semistructured interview protocol was used to collect data (N = 40). Interview questions addressed online activities; computer security perceptions; and the knowledge and use of security icons, tools, and terminology. Qualitative data techniques were used to code and analyze the data identifying security fatigue and contributing factors, symptoms, and outcomes of fatigue. Although fatigue was not directly part of the interview protocol, more than half of the participants alluded to fatigue in their interviews. Participants expressed a sense of resignation, loss of control, fatalism, risk minimization, and decision avoidance, all characteristics of security fatigue. The authors found that the security fatigue users experience contributes to their cost-benefit analyses in how to incorporate security practices and reinforces their ideas of lack of benefit for following security advice.