IT security officers in companies face a tough challenge: they demand additional effort from the staff and must demonstrate to management, through numbers, that they are successful. However, they are minimally integrated into the company's structures and rely on purchased tools that contribute little to the secure behavior of employees. This was the result of a workshop series conducted over eight months with 30 Swiss Chief Information Security Officers (CISOs) by a team from the Cluster of Excellence CASA "Cyber Security in the Age of Large-Scale Adversaries". They presented their findings at the 32nd USENIX Security Symposium in the USA in August 2023.
It's About the Employees
To be protected against cyberattacks, companies need to not only keep their technology up to date but also ensure that employees behave securely. This human-centered approach to IT security requires influencing the behavior of staff - a complex task. The research team at Ruhr University Bochum examined how well this works in practice in a five-part workshop series with 30 Swiss Chief Information Security Officers, or CISOs.
"The discussions have shown that CISOs primarily understand human-centered security as something that can be purchased on the market, namely awareness and phishing simulations," reports Jonas Hielscher from the research team. In such simulations, a security firm sends emails containing phishing links to a company's staff; afterwards, the number of employees who clicked on the links can be quantified. "That is also the biggest advantage that simulations have for CISOs who need to provide numbers to their management," says researcher Uta Menges. According to the current state of IT security research, such actions contribute very little to secure behavior.
Lack of Influence
The researchers found that CISOs are insufficiently integrated into company structures and lack the direct influence and control needed to enforce necessary measures among the workforce. "They tend to shift responsibility to management on the one hand by demanding more support, or offload it onto the employees whom they see as security risks," says the research team. This overlooks the fact that employees are already occupied with their primary job, and IT security tasks detract from these activities. "This creates friction that needs to be taken into account," says Prof. Dr. Angela Sasse, Chair of Human-Centered Security at Ruhr University Bochum. "To align the results of human-centered security research with practices in companies, there needs to be more collaboration between company leadership and CISOs to identify and address obstacles," adds Prof. Dr. Annette Kluge, Chair of Work, Organizational, and Economic Psychology. The researchers suggest, for example, involving CISOs in multi-stakeholder risk committees. Additionally, more research is needed on how board members and top management view security, for instance by bringing CISOs and board members together in a similar workshop setting.
Jonas Hielscher, Uta Menges, Simon Parkin, Annette Kluge, M. Angela Sasse: "Employees Who Don't Accept the Time Security Takes Are Not Aware Enough": The CISO View of Human-Centred Security, 32nd USENIX Security Symposium, 2023, Anaheim, USA.