Get 20M+ Full-Text Papers For Less Than $1.50/day. Start a 14-Day Trial for You or Your Team.

Learn More →

Human factor security: evaluating the cybersecurity capacity of the industrial workforce

Human factor security: evaluating the cybersecurity capacity of the industrial workforce As cyber-attacks continue to grow, organisations adopting the internet-of-things (IoT) have continued to react to security concerns that threaten their businesses within the current highly competitive environment. Many recorded industrial cyber-attacks have successfully beaten technical security solutions by exploiting human-factor vulnerabilities related to security knowledge and skills and manipulating human elements into inadvertently conveying access to critical industrial assets. Knowledge and skill capabilities contribute to human analytical proficiencies for enhanced cybersecurity readiness. Thus, a human-factored security endeavour is required to investigate the capabilities of the human constituents (workforce) to appropriately recognise and respond to cyber intrusion events within the industrial control system (ICS) environment.Design/methodology/approachA quantitative approach (statistical analysis) is adopted to provide an approach to quantify the potential cybersecurity capability aptitudes of industrial human actors, identify the least security-capable workforce in the operational domain with the greatest susceptibility likelihood to cyber-attacks (i.e. weakest link) and guide the enhancement of security assurance. To support these objectives, a Human-factored Cyber Security Capability Evaluation approach is presented using conceptual analysis techniques.FindingsUsing a test scenario, the approach demonstrates the capacity to proffer an efficient evaluation of workforce security knowledge and skills capabilities and the identification of weakest link in the workforce.Practical implicationsThe approach can enable organisations to gain better workforce security perspectives like security-consciousness, alertness and response aptitudes, thus guiding organisations into adopting strategic means of appropriating security remediation outlines, scopes and resources without undue wastes or redundancies.Originality/valueThis paper demonstrates originality by providing a framework and computational approach for characterising and quantify human-factor security capabilities based on security knowledge and security skills. It also supports the identification of potential security weakest links amongst an evaluated industrial workforce (human agents), some key security susceptibility areas and relevant control interventions. The model and validation results demonstrate the application of action research. This paper demonstrates originality by illustrating how action research can be applied within socio-technical dimensions to solve recurrent and dynamic problems related to industrial environment cyber security improvement. It provides value by demonstrating how theoretical security knowledge (awareness) and practical security skills can help resolve cyber security response and control uncertainties within industrial organisations. http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png Journal of Systems and Information Technology Emerald Publishing

Human factor security: evaluating the cybersecurity capacity of the industrial workforce

Download PDF
34 pages

Loading next page...
 
/lp/emerald-publishing/human-factor-security-evaluating-the-cybersecurity-capacity-of-the-0m0VX4L9h3
Publisher
Emerald Publishing
Copyright
© Emerald Publishing Limited
ISSN
1328-7265
DOI
10.1108/jsit-02-2018-0028
Publisher site
See Article on Publisher Site

Abstract

As cyber-attacks continue to grow, organisations adopting the internet-of-things (IoT) have continued to react to security concerns that threaten their businesses within the current highly competitive environment. Many recorded industrial cyber-attacks have successfully beaten technical security solutions by exploiting human-factor vulnerabilities related to security knowledge and skills and manipulating human elements into inadvertently conveying access to critical industrial assets. Knowledge and skill capabilities contribute to human analytical proficiencies for enhanced cybersecurity readiness. Thus, a human-factored security endeavour is required to investigate the capabilities of the human constituents (workforce) to appropriately recognise and respond to cyber intrusion events within the industrial control system (ICS) environment.Design/methodology/approachA quantitative approach (statistical analysis) is adopted to provide an approach to quantify the potential cybersecurity capability aptitudes of industrial human actors, identify the least security-capable workforce in the operational domain with the greatest susceptibility likelihood to cyber-attacks (i.e. weakest link) and guide the enhancement of security assurance. To support these objectives, a Human-factored Cyber Security Capability Evaluation approach is presented using conceptual analysis techniques.FindingsUsing a test scenario, the approach demonstrates the capacity to proffer an efficient evaluation of workforce security knowledge and skills capabilities and the identification of weakest link in the workforce.Practical implicationsThe approach can enable organisations to gain better workforce security perspectives like security-consciousness, alertness and response aptitudes, thus guiding organisations into adopting strategic means of appropriating security remediation outlines, scopes and resources without undue wastes or redundancies.Originality/valueThis paper demonstrates originality by providing a framework and computational approach for characterising and quantify human-factor security capabilities based on security knowledge and security skills. It also supports the identification of potential security weakest links amongst an evaluated industrial workforce (human agents), some key security susceptibility areas and relevant control interventions. The model and validation results demonstrate the application of action research. This paper demonstrates originality by illustrating how action research can be applied within socio-technical dimensions to solve recurrent and dynamic problems related to industrial environment cyber security improvement. It provides value by demonstrating how theoretical security knowledge (awareness) and practical security skills can help resolve cyber security response and control uncertainties within industrial organisations.

Journal

Journal of Systems and Information TechnologyEmerald Publishing

Published: Mar 11, 2019

Keywords: Cybersecurity evaluation; Human-factor security; Industrial control environment security; Workforce security evaluation

References

  • Security threats of internet-reachable industrial control system (ICS)
    Abe, S.; Fujimoto, M.; Horata, S.; Uchida, Y.; Mitsunaga, T.
  • Cybersecurity skills training: an attacker-centric gamified approach
    Adams, M.; Makramalla, M.
  • The need for effective information security awareness
    Aloul, F.A.
  • Human capability evaluation approach for cyber security in critical industrial infrastructure
    Ani, U.P.D.; He, H.M.; Tiwari, A.; Nicholson, D
  • Mental models of security risks
    Asgharpour, F.; Liu, D.; Camp, L.J.; Dhamija, R
  • Lack of cyber security awareness putting UK organisations at risk
    Ashford, W.
  • A new evaluation criteria for effective security awareness in computer risk management based on AHP
    Badie, N.; Lashkari, A.H.
  • Productive security: a scalable methodology for analysing employee security behaviours
    Beautement, A.; Becker, I.; Parkin, S.; Krol, K.; Sasse, M.A.
  • The compliance budget: managing security behaviour in organisations
    Beautement, A.; Sasse, M.; Wonham, M.
  • Effects of cyber security knowledge on attack detection
    Ben-Asher, N.; Gonzalez, C.
  • Towards understanding IT security professionals and their tools
    Botta, D.; Werlinger, R.; Gagné, A.; Beznosov, K.; Iverson, L.; Fels, S.; Fisher, B.
  • Cyber attacks against critical infrastructure are no longer just theories
    Brassso, B.
  • Information security policy compliance: an emperical study of rationality-based beliefs and information security awareness
    Bulgurcu, B.; Cavusoglu, H.; Benbasat, I.
  • Research challenges for the security of control systems
    Cárdenas, A.A.; Saurabh, A.; Sastry, S.; Provos, N. (ed.)
  • Experience-based cyber situation recognition using relaxable logic patterns
    Chen, P.-C.; Liu, P.; Yen, J.; Mullen, T.
  • Two approaches to the study of experts’ characteristics
    Chi, M.T.H.; Ericsson, K.A.; Charness, N.; Feltovich, P.J.; Hoffman, R.R. (Eds)
  • Survey reveals spear phishing as a top security concern to enterprises
  • Achieving cyber defense situational awareness: a cognitive task analysis of information assurance analysts
    D’Amico, A.; Whitley, K.; Tesone, D.; O’Brien, B.; Roth, E.
  • Preventing cyberattacks and data breaches via employee awareness training and phishing simulations
    Debo, C.
  • Cybersecurity capability maturity model (C2M2)
  • Analysis of cyber security for industrial control systems
    Drias, Z.; Serhrouchni, A.; Vogel, O.
  • Human behaviour as an aspect of cyber security assurance
    Evans, M.; Maglaras, L.; He, Y.; Janicke, H.
  • Overview of cyber-security of industrial control system
    Fan, X.; Fan, K.; Wang, Y.; Zhou, R.
  • Cognition and technology
    Gonzalez, C.; Ben-Asher, N.; Oltramari, A.; Lebiere, C.; Kott, A.; Wang, C.; Erbacher, R.F. (eds)
  • I know my network: collaboration and expertise in intrusion detection
    Goodall, J.R.; Lutters, W.G.; Komlodi, A.
  • Developing expertise for network intrusion detection
    Goodall, J.R.; Lutters, W.G.; Komlodi, A.
  • SANS 2016 state of ICS security survey
    Harp, D.; Gregory-Brown, B.
  • Security skills assessment and training: the ‘make or break’ critical security control
    Hershberger, P.
  • The role of human error in successful security attacks
    Howarth, F.
  • Amateyrs attack technology. Professional hackers target people
  • Issues of cyber security in SCADA-systems-On the importance of awareness
    Johansson, E.; Sommestad, T.; Ekstedt, M.
  • Kaspersky-Labs: Empowering industrial cyber security
  • A human factors vulnerability evaluation method for computer and information security
    Kraemer, S.; Carayon, P.
  • A survey of cyber security management in industrial control systems
    Knowles, W.; Prince, D.; Hutchison, D.; Disso, J.F.P.; Jones, K.
  • Breaches on the rise in control systems: a SANS survey
    Luallen, M.
  • ICS vulnerabilities
    Macaulay, T.; Singer, B.L.
  • M-Trends 2017: A view from the front line
  • Measures of Central tendency: the mean
    Manikandan, S.
  • Cloud computing
    Mirashe, S.P.; Kalyankar, N.V.; Antonopoulos, N.; Gillam, L.
  • The art of deception: Controlling the human element in security
    Mitnick, K.D.; Simon, W.L.
  • Cybersecurity in the chemical industry
    Murphy, G.B.; Leclair, J
  • Train employees – your best defense - for security awareness
    Navarro, L.
  • SCADA security in the light of Cyber-Warfare
    Nicholson, A.; Webber, S.; Dyer, S.; Patel, T.; Janicke, H.
  • Evaluating the human factor in information security
    Nikolakopoulos, T.
  • Security and privacy controls for federal information systems and organizations
  • Security for industrial control systems: framework overview – a good practice guide
  • The number of ICS attacks continues to increase worldwide
    Paganini, P.
  • Finding the weakest link in the interdependent security chain using the analytic hierarchy process
    Pan, C.; Zhong, W.; Mei, S.
  • Human factors and information security: individual, culture and security environment, science and technology
    Parsons, K.; Ferguson, L.
  • Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q)
    Parsons, K.; McCormac, A.; Butavicius, M.; Pattinson, M.; Jerram, C.
  • A taxonomy of cyber awareness questions for the user-centered design of cyber situation Awareness
    Paul, C.L.; Whitley, K.; Marinos, L.; Askoxylakis, I
  • Cyber security risk assessment for SCADA and DCS networks
    Ralston, P.A.S.; Graham, J.H.; Hieb, J.L.
  • People, process, technology – the three elements for a successful organizational transformation
    Ramakrishnan, S.; Testani, M.
  • Humans ‘often the weakest link’ when it comes to cyber security
    Robert, H.
  • Security Awareness - Implementing an effective strategy
    Russell, C.
  • Employees’ adherence to information security policies: an exploratory field study
    Siponen, M.; Adam Mahmood, M.; Pahnila, S.
  • Guide to industrial control systems (ICS) Security – NIST.SP.800-82r2
    Stouffer, K.; Hahn, A.
  • 2014: the year in cyberattacks
    Tobias, S.
  • 10 Steps to cyber security, cyber security strategy
  • Cybersecurity ‘s weakest link is humans’, the conversation
    Vishwanath, A.
  • Assessment of cybersecurity knowledge and behavior: an anti-phishing scenario
    Wang, P.A.
  • Security lapses and the omission of information security measures: a threat control model and empirical test
    Workman, M.; Bommer, W.H.; Straub, D.