Making sense of the unknown: How managers make cyber security decisions-Reference-Cited by-同舟云学术

Making sense of the unknown: How managers make cyber security decisions

Published:2022-08 Issue: Volume: Page:
ISSN:1049-331X
Container-title:ACM Transactions on Software Engineering and Methodology
language:en
Short-container-title:ACM Trans. Softw. Eng. Methodol.

Author:

Shreeve Ben¹,Gralha Catarina²,Rashid Awais¹,Araujo João²,Goulão Miguel²

Affiliation:

1. University of Bristol, United Kingdom

2. NOVA LINCS, Universidade NOVA de Lisboa, Portugal

Abstract

Managers rarely have deep knowledge of cyber security, and yet are expected to make decisions with cyber security implications for software-based systems. We investigate the decision-making conversations of 7 teams of senior managers from the same organisation, as they complete the Decisions&Disruptions (D-D) cyber security exercise. We use Grounded Theory to situate our analysis of their decision-making and help us explore how these complex socio-cognitive interactions occur. We have developed a goal-model (using iStar 2.0) of the teams’ dialogue which illustrates what cyber security goals teams identify and how they operationalise their decisions to reach these goals. We complement this with our model of cyber security reasoning which describes how these teams make their decisions, showing how each team members’ experience, intuition and understanding affects the team’s overall shared reasoning and decision-making. Our findings show how managers with little cyber security expertise are able to use logic and traditional risk management thinking to make cyber security decisions. Despite their lack of cyber security specific training they demonstrate reasoning which closely resembles the decision-making approaches espoused in cyber security specific standards (e.g., NIST/ISO). Our work demonstrates how organisations and practitioners can enrich goal modelling to capture not only what security goals an organisation has (and how they can operationalise them) but also how and why these goals have been identified. Ultimately, non-cyber security experts can develop their cyber security model based on their current context (and update it when new requirements appear or new incidents happen), whilst capturing their reasoning at every stage.

Publisher

Association for Computing Machinery (ACM)

Subject

Software

Link

https://dl.acm.org/doi/pdf/10.1145/3548682

Reference43 articles.

1. 2021. CCDCOE Locked Shields Exercise. https://ccdcoe.org/exercises/locked-shields/ 2021. CCDCOE Locked Shields Exercise. https://ccdcoe.org/exercises/locked-shields/

2. Steven Alter . 2013. Work system theory: overview of core concepts, extensions, and challenges for the future. Journal of the Association for Information Systems ( 2013 ), 72. Steven Alter. 2013. Work system theory: overview of core concepts, extensions, and challenges for the future. Journal of the Association for Information Systems (2013), 72.

3. A Serious Game for Eliciting Social Engineering Security Requirements

4. Kevin Bock , George Hughey , and Dave Levin . 2018 . King of the Hill: A Novel Cybersecurity Competition for Teaching Penetration Testing. In 2018 USENIX Workshop on Advances in Security Education (ASE 18) . USENIX Association, 9. Kevin Bock, George Hughey, and Dave Levin. 2018. King of the Hill: A Novel Cybersecurity Competition for Teaching Penetration Testing. In 2018 USENIX Workshop on Advances in Security Education (ASE 18). USENIX Association, 9.

5. Gary Bornstein , Tamar Kugler , and Anthony Ziegelmeyer . 2004. Individual and group decisions in the centipede game: Are groups more “rational ” players?Journal of Experimental Social Psychology 40, 5 ( 2004 ), 599–605. Gary Bornstein, Tamar Kugler, and Anthony Ziegelmeyer. 2004. Individual and group decisions in the centipede game: Are groups more “rational” players?Journal of Experimental Social Psychology 40, 5 (2004), 599–605.

Cited by 7 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. How Do Practitioners Reason About Security Requirements? An Interview Study;2024 IEEE 32nd International Requirements Engineering Conference (RE);2024-06-24

2. Enhancing cybersecurity capability investments: Evidence from an experiment;Technology in Society;2024-03

3. Enhancing Incident Management by an Improved Understanding of Data Exfiltration: Definition, Evaluation, Review;Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering;2024

4. Can We Trust the Default Vulnerabilities Severity?;2023 IEEE 23rd International Working Conference on Source Code Analysis and Manipulation (SCAM);2023-10-02

5. Counterattacking Cyber Threats: A Framework for the Future of Cybersecurity;Sustainability;2023-09-06