when more is less
- “more is better” mentality for defending it systems - (multiple anti virus malware software conflict each other)
- often insufficient consideration of how different components in the overall system interact in complex ways
- new security controls may impact operation and functionality of existing defenses and mitigate their effect (use simplier passwords to remember them)
- Large organizations use an average of 47 different cybersecurity tools, and source them from an average of 10 different vendors this can create interoperability problems and can affect the products efficiency
violation of information security policies
- many security breaches are a consequence of accidental employee policy violation (lack of awareness)
- policy design can impair behavior if policies are incompatible with or reduce efficiency of existing work practices and people prioritize work over security (group violates policy to work more efficiently)
- policies need to be practical and employee oriented tools
sanctions and neutralization
- sanctions alone may be ineffective due to neutralization (formal (fine), informal (disapproval), shame) no effect in intention to violate
- Neutralization: finding reasons for justifying deviant behaviors (justifying why: believe they didn’t do harm)
fatigue and habituation
neuroscientific perspective on security warning
- repetition of security warnings results in repetition suppression and ‘warning fatigue’ -> habituation (warnings ignoring)
- hence effectiveness of traditional security warnings is questionable
- polymorphic design (warning changes appearance attention rises)
- (changing security warnings) to reduce habituation
are users more than just the weakest link
- users may be an important resource to information security by providing needed business knowledge that contributes to more effective security measures
- user participation in risk management also engages more protective actions
- buy-in: users begin to view the subject as personally important and relevant
- improved awareness: participation in risk management can lead to greater awareness
- business-alignment: security controls have greater alignment with business objectives/needs instead of being based on uninformed assumptions
SMEs and IT security Investments
- Small and Medium sized companies make up over 90% of all companies globally
- > as the backbone of a country’s economy, sees are structurally different from large enterprises (they are not just ‘little big companies’
- > increasing investments in security: “In 2019, 23% of it budget within smbs was allocated to security, compared to 26% in 200”
decreasing it investments:
- All over budget cuts
- companies feel secure enough Unrealistic optimism (50 % say better than average with respect to skills)
security between sees and large companies
problematic assumptions in information security research:
- > large enterprises can usually afford the ideas discussed in this course (dedicated security unit, CISO)
- > however these assumptions do not represent the reality of most smes
AIM: identify relevant sme constraints in an organizational it sec context and examine how these constraint influence it security investment decisions in smes
Qualitative Study
interviews were recorded and transcribed
topics:
company profile: please provide you company and role
it security status quo: How would you rate it sec. awareness in your company
processes (How do you decide upon it sec investments)
stakeholder perspective: (which kind of external support do you consider regarding it security investments and implementation?
need for action: What need for action do you see in the are of it sec. especially for sees
results: limited ressources
- limited budget: it security investments were seen as a strong cut
- limited time: dealing with it security was seen as an additional task that can only be performed by neglecting other important organizational duties
- limited knowhow: SMES do not employ and specialized it personnel with enough knowhow regarding it security
Results: Low formalization level
-budget planing (lack thereof): no structured budget planning process in general or for it spending in particular
-multiple roles or responsibilities:
understaffing as a common feature in smes, so managing directors are additionally responsible for it and it security
-undocumented processes: non existent, undefinded or undocumented processes
geographical insularity
- sourcing personnel; SMEs with more rural locations experienced difficulties to attract it personnel
- sourcing service providers: few expert in rural areas are often fully booked and cannot assist SME regarding IT security decisions
strategic outlook
- Desicion makers in smes rather focused on short term success and neglected long term risks for their organizational it security
- Desicion makers might rely on their gut feeling due to the lack of information, knowhow, and time for decisions
conslusion
non generaliazable assumptions and findings in the information security literature
- findings question assumptions commonly made by studies that implicitly consider smes as little big firms
- overlooked sme constraints in information security research such as limited resources low formalization, insularity, and others
practical implications
- resource constraint such as limited bought as an excuse to delay it security measures?
- documentation and formalization of processes ease the processes of decision making and lead to business sustaining investments in the long run
