Hanna Paananen and Naomi Woods: Human Perspectives in Cybersecurity
Keynote talk by Hanna Paananen and Naomi Woods at Plone Conference 2025 in Jyväskylä, Finland. How Mental State and Social Interactions Can Affect Cybersecurity Posture.
Naomi Woods
I am Doctor Naomi Woods, Research Coordinator at this university, and my colleague is Doctor Hanna Paananen, University Teacher here. Both of us work on cybersecurity.
Our research group examines human interaction in the digital world within a cybersecurity context. See our research group page.
My background is in psychology. I apply that to the cybersecurity context: can mental health affect information security behavior?
ISP (Information Security Policy): details how employees should behave in order to prevent, identify, and respond to security incidents. This is hard to comply with for an "average" employee. Research tries to understand this and find approaches to improve. There is research about the effect of persuasive security messaging, or awareness of sanctions.
Mental health is an issue for many. Most common: depressive disorders and anxiety disorders. Both types can lead to cognitive slowness and avoidance behavior. Many people have symptoms but are still able to work professionally. You can be more vulnerable: an easier victim of social engineering, online harassment, phishing, etc.
We did a study on the effect of deterrence factors: perceived risks of sanctions and shame by an employer or peers. With anxiety there is more intention to comply with ISPs. With depression they are more likely to violate their ISPs.
Neutralization techniques (NT) are used to help individuals rationalize their less desirable or deviant behaviors. It allows them to justify it to themselves. For example, rationalization: "My boss expects me to make really long passwords, so I will just use the same password everywhere." We did a study with four groups, with combinations from low anxiety and low depression to medium-higher anxiety and medium-higher depression. The group with medium-higher anxiety and low depression had the highest use of NT to justify intentions to violate ISPs. So an increase in depression has a damping effect on the use of NT: they care less.
This means there is no one-size-fits-all approach. With different mental health issues, you need to interact and motivate employees differently. Be inclusive, and do not set users up to fail at security.
Audience question: Would this mean it is better to reserve a part of the cybersecurity budget of your organisation to keep your employees happy?
Interesting question. You need a holistic approach: security is not just technical solutions, you also need to look at what employees can handle in terms of security on top of their already demanding jobs.
Hanna Paananen
Collaboration introduces cybersecurity risk. There are threats against value chains. There have been lots of examples in the last year with malicious code, intrusion attempts, fraud and deception, and sabotage. A Russian-backed hack in software to access water treatment systems caused a water tank to overflow in one city in the US. But there are also just errors and omissions, like with the CrowdStrike problem earlier this year.
Inter-organisational cybersecurity is a necessity, with regulation and best practice as drivers. The EU cyber strategy tackles value chain threats. Organisations try to control the compliance of their partners with contracts, audits, standards certifications, technical measures, and training. But high-level compliance requirements can be more of a checklist than working instructions. This may lead to low visibility on actual risk control.
Management practices are needed across organizational boundaries. A company approached us. They focused on their core processes, and outsourced the rest. But they had no control there, so it posed risk.
Building a common understanding with people from other communities can be done in different ways. In one-on-one meetings we may get to know one another and learn. Immersion: visits, an in-house consultant. But while the consultant learns about the organisation, the organisation does not learn much about the consulting firm. Delegations: agreements, conferences. That is good, but does not really support the daily challenges.
Build a community between organisations. This is a way to build collaborative cybersecurity management practices to match the requirements. It helps you know who to talk to when a jointly used asset is under attack, either to warn them or to get help.
We had three value networks in our project: with energy, water, and transport, all very different in how value was created. What practices should be built?
- Specify goals, reduce barriers.
- Get a mandate for practices: get a boss to allow you to spend time on inter-organisational cybersecurity. Let it be not for one person, but tied to a job, so also for your successor. Connect contracts to practice.
- Competence building. Learning from others. Small companies have different means than a big company.
- Materia for practices. Materia can be a contract, a ritual. "We have meetings, and this is what we do in them." It helps translate meanings. It makes conflict explicit.
So answer this question for yourself: What is my role in building cybersecurity with people from other communities?