Timothy Shea, D.B.A., is an Associate Professor of Management Information Systems in the Charlton College of Business at the University of Massachusetts Dartmouth. He received his D.B.A. in Management Information Systems from Boston University. Dr. Shea’s research has recently focused on the delivery and management of web-based learning and teaching technologies, end-user training, and cyber-security. He teaches undergraduate and graduate classes and is the Assessment Coordinator for the Charlton College of Business and the Assistant Director of the Business & Innovation Research Center. [email protected]assd.edu
Dr. D. Steven White is a Professor of Marketing & International Business in the Charlton College of Business, University of Massachusetts Dartmouth. Dr. White teaches Undergraduate and Graduate courses in Social Media Marketing, Marketing Management, and International Business. His research interests include global marketing, services marketing, and digital commerce. Prior to entering academia, he was Vice President of an advertising agency specializing in sports and special event marketing. [email protected] / http://dstevenwhite.com/about/ / http://www.linkedin.com/in/dstevenwhite
Marcus McInnis, as the Director of Operations for Lockheed Martin’s Cybersecurity Innovation Center, provided the full range of system security solutions for complex enterprise and system environments. As an advocate for increased security awareness he promoted the concepts of brand assurance while developing internal cybersecurity practices and policies across a $40 billion corporation. [email protected]
Key Take Away
The issue of cyber security is “front & center” in the minds of directors and executives. I understand that the Business Innovation Research Center at UMass Dartmouth conducted a survey recently. What are the main findings?
Yes, through the Business Innovation Research Center (BIRC) in the Charlton College of Business at UMass Dartmouth, Steve and I designed and implemented a survey to determine the human/behavioral side of cyber security (threat readiness). We partnered with the research firm AYTM to collect the data.
The most compelling results of the survey are the differences between perceived company policies regarding overall awareness – as demonstrated through a variety of company communications, training, etc. – and the knowledge needed to implement the required day-to-day cyber-behaviors of company employees. The software and technology (bits and bytes) is not the issue – the risk is at the employee level.
It’s analogous to having the best home security system on the market and sleeping with your first-floor windows open. All of the technology in the world won’t protect you if you’re not diligent in how you use it to reduce risk.
How does your research differ from previous investigations of cyber security? Were there any surprises in your findings?
Most of the research that exists regarding cyber-security focuses on the bits and bytes side of the equation. It’s been known for some time that the users are the weakest link. Although generally aware of the need to practice ‘safe computing’ most grow complacent or don’t fully appreciate the risk that their behavior poses to their employer. One of the biggest surprises is that companies do not appear to be providing their employees with engaging and relevant training – at least from the employee perspective.
In other words, we looked at the issue from two perspectives: knowing and doing. Almost 3 out of 4 companies are getting the word out – awareness, or “knowing”. Employees are aware of the problem and aware that the company is supporting the effort – at least at a high level.
It’s on the ‘doing’ side that the results get interesting. Almost 1 out of 2 respondents stated that they do not feel prepared to handle common activities related to cyber-security.
This ‘doing’ gap points to the need for better training methods. The current approach isn’t delivering the results required for adequate levels of cyber security.
How can directors and executives get the word out regarding the human behavioral element in cyber security?
Directors and executives are coming to the realization that the importance of cyber security is ever increasing. In my opinion, though investment in the bits and bytes is warranted, the Achilles Heel is the human behavioral element. Most of the respondents indicated that their companies have a cyber policy and that they’ve read and signed that policy. But is that enough?
Directors and executives may want to focus more on cyber security training – training that is delivered in a way to ensure comprehension, adoption and that leads to safe cyber practices. In essence, training should be dynamic and scheduled throughout the year. Get an external assessment of your cyber security training programs from a company who has demonstrable expertise in this segment. Ask what types of training and reinforcement programs they offer. Find a partner who adds value to your cyber security efforts.
In terms of cyber security implementation, what’s not happening now that should be happening?
Individual employees acknowledge that cyber security risks exist, but do little to practice ‘safe computing’ because, in my opinion, they view it as a hassle or something not needed. Until all of the employees of an organization realize that the entire company’s cyber security is only as strong as its weakest link, few will prioritize cyber security as good business practice.
The human behavioral element in cyber security should be an essential component of cyber security training. Training needs to be engaging and reinforce best practices. But for this to work, each employee has to buy-in to the team mentality and strive to not be the weakest link. Once companies begin to take cyber security more seriously, those who are responsible for security breaches need to be reprimanded, retrained and/or certified or, if needed, redeployed. Major breaches are grounds for termination and may lead to recovery lawsuits. Companies need insurance coverage for cyber security breaches. Their policy, ultimately, is going to be based on some risk assessment. Directors and Executives have an opportunity to reduce their risk by focusing on the human behavioral element of cyber security. The survey we developed can be one component of that risk assessment.
Used as a diagnostic tool, the survey can help a company quickly assess where the vulnerabilities are – the first step in closing those gaps. By customizing the demographic variables collected, the data can be sliced and diced to help company’s identify pockets of high risk which can be converted to focused, cost-effective training efforts.