Employee Wellbeing Key in Responsible Cybersecurity Strategy

Lancaster

New research led by Lancaster University into 'responsible' cybersecurity suggests that the wellbeing of those in cybersecurity roles should be a key consideration in firms' security strategies, given the level of burnout reported among those in high-pressure roles.

The new study, published in Information Systems Frontiers and funded by the Security Lancaster Institute, is based on 20 in-depth interviews with senior cybersecurity professionals from a range of organisations and sectors. Researchers use their findings to outline a new model for organisations to follow that illustrates the multiple layers of cybersecurity required in a modern firm.

Using responses and insights from participants with between 5 and 30 years' experience in the cybersecurity sector, the research team, led by Professor Niki Panteli from Lancaster University Management School (LUMS) and supported by Dr Boineelo Nthubu, also from LUMS, and Dr Konstantinos Mersinas from Royal Holloway, University of London, identify five different 'layers' of responsible cybersecurity needed for an organisation to act responsibly and be adequately protected.

These layers span the:

1) Techno-centric: to ensure an organisation's systems are secure by design and that security considerations are embedded in every aspect of an IT system's development, from architecture to deployment.

2) Human-centric: to ensure not only employees' individual security and responsible use of IT systems, but also that firms act responsibly towards the wellbeing of those in cybersecurity roles. Measures need to be taken to support those in cybersecurity roles mentally and physically, so that they sustain their effectiveness in a high-pressure environment and avoid risky behaviours caused by burnout and fatigue, and to increase the diversity and inclusivity of the cybersecurity sector by addressing the lack of women in these roles.

3) Intra-organisational-centric: to develop a strong culture and a shift in mindset that embraces the fact that cybersecurity is a shared responsibility amongst all stakeholders, not just an IT problem. This will need to be supported by agile policies, clear accountability pathways, and training and awareness programmes.

4) Inter-organisational-centric: to emphasise an organisation's responsibility for, and impact on, the cybersecurity of other firms, including those in its supply chain.

5) Societal-centric: to consider the wider social and societal impacts of cyberthreats.

Niki Panteli is a Professor of Digital Business at Lancaster University Management School. She said: "Our study highlights interesting findings for the cybersecurity sector to consider but perhaps the most concerning is the level of burnout that was reported amongst our interviewees and the risks this presents to not only individuals' health, but that of organisations and wider society.

"Our data suggests that if firms want to act responsibly with their cybersecurity, there is a pressing need to foster a culture that prioritises employee wellbeing and a work-life balance, so that cybersecurity professionals can perform at their best without compromising their health."

Researchers also stress the need for firms to recognise the wider responsibility they hold for security beyond their own systems, since weaknesses there can affect the supply chain and the general public.

"Cyber-attacks don't just impact the individual firms they target, they can generate ripple effects that are felt across supply chains and can touch all corners of society," Prof Panteli continues. "And in this era of expanding digitalisation, when we are seeing a growing dependence on cloud computing and the boom in hybrid work, maintaining robust cybersecurity is a necessity.

"The boundaries of responsible security are changing, and we need firms to recognise and act on this urgently. As participants of this study suggest, this needs to be directed from the top down, with senior leaders taking a leading role in implementing responsible cybersecurity, but also generating a culture where cybersecurity is seen as the collective responsibility of everyone."

Researchers say their new framework can serve as a tool for organisations to create a positive security culture.

/Public Release. This material from the originating organization/author(s) might be of a point-in-time nature, and edited for clarity, style and length. Mirage.News does not take institutional positions or sides, and all views, positions, and conclusions expressed herein are solely those of the author(s).