Behavioural Issues in Cybersecurity

Jose Vila

DevStat and University of Valencia

Pam Briggs, Dawn Branley-Bell

Northumbria University

Yolanda Gomez


Lynne Coventry

Northumbria University

This chapter opens with the challenges that organisations face in dealing with cybersecurity, then looks at the critical role of individuals’ cybersecurity behaviour within an organisation in ensuring the cybersecurity of the organisation as a whole. We then turn to models of human behaviour and decision-making drawn from psychology and behavioural economics, examining their key insights for cybersecurity and cyber insurance. From psychology we consider the Theory of Planned Behaviour, Protection Motivation Theory, and others deriving from them, while from behavioural economics we consider Dual-Thinking Theory and Prospect Theory. We also look at Behavioural Economics Experiments, which help us investigate the effects of behavioural interventions, presenting an example involving cyber insurance. We conclude with a discussion of the benefits of combining psychological and behavioural economics approaches.

The cybersecurity challenge for organisations

Cybersecurity represents a large and growing business threat. The UK Government’s Cyber Security Breaches Survey 2019 found that 32% of businesses experienced at least one breach or attack in the past year (Finnerty et al., 2019). The estimated costs of such breaches vary widely, in part because while many breaches result in direct financial losses, it is difficult to account for secondary costs such as reputational damage. In addition, the majority of estimates are calculated by security and consultancy firms; therefore, biases may arise from their vested interests (Eling and Schnell, 2016).

The threats that organisations face are constantly evolving. For example, ransomware attacks have risen steadily in recent years, as noted in the European Union Agency for Cybersecurity’s Threat Landscape Report 2018 (ENISA, 2019). The past several years have also seen the growth of botnets that are more destructive than ever before, as they leverage the computing power of devices that are part of the burgeoning Internet of Things. Meanwhile, what we call “the human factor” remains unchanged: regardless of the latest security products adopted by an organisation, employee error will always be a source of vulnerability, making it impossible to achieve 100% protection (Pal et al., 2017).

A role for cyber insurance in tackling the cybersecurity challenge?

This creates a market for cyber insurance. Cyber insurance policies are beginning to diversify but have tended to provide three basic types of coverage: (i) liability coverage in the event of a data breach, (ii) a means to remedy the breach, and (iii) support to repair reputational damage (Bandyopadhyay et al., 2009; Romanosky et al., 2019). An ideal scenario is that organisations would invest in both self-protection (e.g. firewalls and up-to-date antivirus software) and cyber insurance (Pal et al., 2017).

If widely adopted and well-functioning, cyber insurance has the potential to encourage market-based risk management for cybersecurity, with a mechanism for spreading risk among multiple stakeholders. It also has the ability to act as an incentive for organisations to invest in cybersecurity, which would reduce risk both for the investing organisation and for its wider network. Uptake could also lead to the aggregation of data on best practices and to better tools for assessing security, something that is currently lacking in relation to cyber insurance. It has been noted elsewhere that cyber insurance has the capacity to strengthen IT security for society as a whole (Baer and Parkinson, 2007; Kuru and Bayraktar, 2017).

However, despite the proposed benefits and the increasing risk of cyber attacks, uptake has not reached expectations. Low (2017) found that fewer than 10% of UK companies take out cyber insurance, and two years later the Cyber Security Breaches Survey 2019 found that only 11% of businesses reported having cyber insurance (Finnerty et al., 2019). This number is considerably lower than would be expected, given the size of the cybersecurity threat.

Overview of key challenges in cybersecurity

It seems well established that many businesses fail to understand the cybersecurity threat they face. Only 33% of businesses have cybersecurity policies in place and only 31% conducted a cyber risk assessment within the last 12 months (Finnerty et al., 2019). There is also relatively low awareness of cybersecurity issues among employees, where inaccurate perceptions of risk can cause individuals and businesses to assume that cyberattacks will not happen to them (e.g. “my data is not interesting enough”) (Eling and Schnell, 2016).

The problem may be particularly acute for SMEs. These may not possess the expertise or understanding to appreciate the risk to their business, such as the risk that results from not having secured their data (Henson and Garfield, 2016). Advisen (2015) found that SMEs tend to consider that there is a low probability that they will experience a cyber attack and are thus less likely to engage with cyber insurance. These assumptions are dangerous as, contrary to popular belief, the majority of cyberattacks actually target SMEs (Meland et al., 2015).

Organisations are not investing sufficient time in understanding their vulnerabilities (Klahr et al., 2017) nor allocating adequate funding for cybersecurity (Fielder et al., 2016). There are some signs that this may be beginning to improve. Cybersecurity is increasingly an issue for the board: Nexus (2016) found that most organisations (82%) reported that their board of directors was “concerned” or “very concerned” about cybersecurity and information security. The Cyber Security Breaches Survey 2019 also reported that 78% of businesses stated that cybersecurity was a “high” priority for their senior management, with 40% saying it was a “very high” priority (Finnerty et al., 2019), an increase compared to previous years. However, much still remains to be done.

Businesses, particularly SMEs, are often heavily restricted by the budget they have available for cybersecurity. Because of this, they are forced to make trade-offs regarding how they defend their systems (Fielder et al., 2016). The organisation also has to take into account both the direct costs of implementing a particular safeguard and the indirect costs that the safeguard may impose on the business (e.g. a reduction in productivity, a negative impact on morale, a decline in system performance, or re-training costs) (Fielder et al., 2016).

A further, pressing issue is that most organisations still see cybersecurity as being the IT department’s problem (Advisen, 2015; Eling and Schnell, 2016). This is unfortunate as it positions cybersecurity solely as a technical issue rather than as a business concern (Nexus, 2016), and it certainly overlooks the behavioural issues and biases that pervade cybersecurity decision-making.

