
The Dilemma of IT Security Officers

Awareness and phishing simulations do not bring much security to companies. It would be more important to integrate security officers properly.


IT security officers in companies face a difficult task: they demand additional efforts from the staff and must provide management with evidence that they are successful. However, they are minimally integrated into the company's structures and rely on purchased tools that contribute little to the secure behavior of employees. This was the result of a series of workshops conducted over eight months with 30 Swiss Chief Information Security Officers (CISOs) by a team from the Cluster of Excellence Cyber Security in the Age of Large-Scale Adversaries (CASA). They presented their findings at the 32nd Usenix conference in the USA in August 2023.

It all depends on the employees

To be protected against cyberattacks, companies must not only keep their technology up to date, but also ensure that their employees behave securely. This human-centred approach to IT security requires influencing staff behaviour - a complex task. The research team from Ruhr-University Bochum examined how well this works in practice in a five-part workshop series with 30 Swiss Chief Information Security Officers, or CISOs.

"The discussions have shown that CISOs primarily understand people-centric security as something that can be purchased on the market, namely, awareness and phishing simulations," reports Jonas Hielscher from the research team. In such simulations, a security company sends emails containing phishing links to the company's staff; it is then possible to quantify how many employees clicked on the links. "This is the biggest advantage of the simulations for CISOs, who have to provide their management with figures," says researcher Uta Menges. According to the current state of IT security research, however, such actions contribute little to secure behaviour.

Lack of influence

The researchers found that CISOs are not sufficiently integrated into company structures and lack direct influence and the ability to implement necessary measures among the workforce. "They tend to shift responsibility either to the management by demanding more support or onto the employees, whom they see as security risks," says the research team. This overlooks the fact that employees are already occupied with their primary tasks, and IT security tasks detract from these activities. "This creates friction that must be taken into account," says Prof. Dr. Angela Sasse, Chair of Human Centered Security at Ruhr-University Bochum. "To align the results of research on human-centric security with company practices, more collaboration is needed between top management and CISOs to identify and address obstacles," adds Prof. Dr. Annette Kluge, Chair of Work, Organizational, and Economic Psychology. The researchers suggest involving CISOs, for example, in multi-stakeholder risk committees. Furthermore, more research on the perspective of board members and top management on security is necessary, for example, by bringing CISOs and board members together in a similar workshop setting.


Original publication

Jonas Hielscher, Uta Menges, Simon Parkin, Annette Kluge, M. Angela Sasse: "Employees Who Don’t Accept the Time Security Takes Are Not Aware Enough": The CISO View of Human-Centred Security. 32nd USENIX Security Symposium, 2023, Anaheim, USA. Pre-print available for download.

Press contact

Jonas Hielscher
Human Centered Security
Faculty of Electrical Engineering and Information Technology
Ruhr-Universität Bochum
Tel.: +49 234 32 25715
E-Mail: jonas.hielscher(at)ruhr-uni-bochum.de

Uta Menges
Faculty of Psychology
Chair of Work, Organizational, and Economic Psychology
Ruhr-Universität Bochum
Tel.: +49 234 32 24608
E-Mail: uta.menges(at)ruhr-uni-bochum.de
