Volume 8 (2024-25)

Each volume of Cyber Security: A Peer-Reviewed Journal consists of four 100-page issues published both in print and online. 

Volume 8 Number 2

  • Editorial
    Simon Beckett, Publisher
  • Case Study
    From compliance to impact: Tracing the transformation of an organisational security awareness programme
    Julie Haney, Human-Centered Cybersecurity Program Lead, National Institute of Standards and Technology and Wayne Lutters, Professor and Associate Dean for Strategic Initiatives, College of Information Studies, University of Maryland

    There is a growing recognition of the need for a transformation from organisational security awareness programmes focused on compliance, measured by training completion rates, to those resulting in behaviour change. Few researchers or practitioners, however, have begun to unpack the organisational practices of the security awareness teams tasked with executing programme transformation. The authors of this paper conducted a year-long case study of a security awareness programme in a US government agency, collecting data via observations, interviews and documents. Their findings reveal the challenges and practices involved in the progression of a security awareness programme from being compliance-focused to emphasising impact on workforce attitudes and behaviours. The authors capture transformational organisational security awareness practices in action from multiple workforce perspectives. The study insights can serve as a resource for other security awareness programmes and workforce development initiatives aimed at better defining the security awareness work role.
    Keywords: cyber security; awareness; training; compliance; measures; case study

  • Practice Papers
    Three approaches to foster organisational cohesion and reduce friction for cyber and security teams
    Elizabeth Wanic, Director of Cyber Partnerships and Government Engagement, Morgan Stanley and Bradley Smith, Head of Cyber Fraud Fusion, Barclays

    High-quality and engaged cyber and security teams are essential to the successful operation and continued growth of any modern organisation. Deficiencies in funding, lack of executive leadership and support, and internal friction, however, can often present challenges to efficient and effective cyber and security programmes, limiting the responsiveness and capabilities of an organisation’s defenders. Therefore, building internal support and permission to execute is critical to enabling these teams to operate as the high-performing functions they need to be. To help cyber and security teams achieve their goals, this paper presents suggestions and best practices to foster high-level support, dialogue and engagement throughout the organisation. The authors draw on their work building connections across functions in a large global institution, as well as their previous experience within other financial services organisations, to provide concrete actions teams can take to refocus on the fundamentals and deliver immense benefits.
    Keywords: fraud; cyber security; fusion; cross-team collaboration; information sharing; communication

  • How to mitigate ransomware risk through data and risk quantification
    Erik Sørup Andersen, Partner and Chief Executive Officer, Risk Measure

    Ransomware attacks have, over the past years, been the most frequent cyberattack type and a growing community of adversaries continues to innovate methods for extorting organisations into paying ransom. Yet this risk is still, to many organisations, not well understood. Some refer to the averages reported in the media of the size of ransom and cost of ransomware attacks. But these numbers can be very far from the actual risk of a particular organisation. The nature of the risk, comprising many attack techniques and paths through an organisation’s IT assets affecting a range of systems, data and the processes they support, makes it complex to describe and analyse. By using a risk analysis technique, where the risk scenario is decomposed to account for the contributions to the risk from different attack techniques, the vulnerabilities they exploit and the different forms of impact the attack inflicts on an organisation, it is possible to describe the risk in a more nuanced way unique to an organisation. Having created a model of the risk scenario that accounts for the factors relevant to the target organisation, it is possible to study mitigation options more consistently and simulate effects of implementing potential controls. Collecting data used to estimate the individual contributions to the total risk reduces the uncertainty of the risk measure and enables calculation of mitigation effects. This paper introduces the concept of quantitative risk assessment by highlighting results from quantitative studies of ransomware risk and providing examples of how data can be collected. Common pitfalls when using high-level data are demonstrated by showing examples of insights gained from collecting data about controls effectiveness. Being more effective in mitigating ransomware risk will both benefit the organisation directly and, by making ransomware attacks less profitable, society.
    Keywords: cyber risk quantification; ransomware risk; controls effectiveness; mitigation strategies

  • Crumbling bridges: The failed economics of software maintenance
    JC Herz, Senior Vice President of Cyber Supply Chain, Exiger

    This paper defines a microeconomic framework for understanding systemic failure in cyber security as market failure. In a marketplace with limited supply chain transparency on software quality in general and software maintenance in particular, rational actors — both software vendors and software buyers — will maximise economic returns by minimising software maintenance and security. As technical debt accrues, so does vulnerability and operational risk, as systems become more difficult to update. In this regard, the depreciation of resilience in software infrastructure is similar to the breakdown of physical infrastructure that is chronically undermaintained, but with the added element of adversarial profit. These problems cannot be solved at the computer science level that created them. They can only be solved as a business problem, as transparency requirements (eg software bill of materials [SBOMs]) and automation slash the cost of diligence, enable preferential selection of higher-quality software and continuous enforcement of terms and conditions for active maintenance.
    Keywords: software supply chain; SCRM; C-SCRM; vulnerability management; end of life; compliance; procurement

  • Why crisis leadership competencies matter in the effective management of a cyber crisis
    Caroline Sapriel, Managing Partner, CS&A International

    This paper examines whether specific leadership competencies are relevant in a cyber crisis and what it takes to manage one effectively. Our increasing dependence on technology exposes us to risks and makes us more vulnerable to digital crises. Cyberattacks are more common and can affect even well-prepared companies. Leadership during a crisis can influence an organisation’s success or failure, no matter how primed and savvy its people are. The author compares crisis management to crisis leadership and emphasises the shift in crisis management responsibility from an operational response to prevention and the ability to steer through uncertainty. This change requires crisis-specific leadership skills and a broader recognition of organisational risk. The author highlights research by Wooten and James,1 which notes leadership competencies applicable to different phases of a crisis. Not all leaders can demonstrate all these attributes in every crisis and are often ill prepared when a crisis hits; however, leaders can learn, develop and practise the competencies needed to survive and triumph over a crisis. Tools that can help develop these skills include stakeholder mapping and a protocol that evaluates and trains leaders in hard (knowledge-based) and soft (behaviour-based) skills. The author refers to the Salviotti et al.2 (2023) study, which analysed the Norsk Hydro ransomware case, noting that leadership competencies identified in traditional crisis management also apply in a cyber crisis. Given the certainty of a cyber threat, the author recommends a stronger emphasis on developing crisis leadership competencies. Training should complement other activities and programmes to prepare employees to handle crises adeptly.
    Keywords: cyber security; cyberattack; crisis leadership

  • Guidelines for non-profit organisation governance in cyber resilience
    Margaret Mavins Johnson, Doctor of Business Administration Graduate, University of Phoenix

    Previous research on corporate governance and cyber security risk management has focused primarily on large for-profit organisations. Although this paper includes a focus on cyber resilience strategies non-profit organisation leaders use, a significant aspect of the research exploration is applicable to the growing need for both for-profit and non-profit businesses to develop cyber resilience guidelines to sustain their organisations’ abilities to detect, withstand and recover from cyberattacks and threats. Despite the growing awareness of the importance of cyber resilience, the problem addressed was that a considerable number of organisation senior executives continue to demonstrate an unpreparedness to address information security cybercrime issues and cyber resilience decisions. As a consequence, a single set of standard cyber security risk management procedures related to non-profit organisation cyber resilience decisions did not exist to justify how non-profit organisation leaders addressed existing network security procedures, implemented strategies or achieved cyber resilience success. This is and has been arguably the most significant threat non-profit organisation leaders have experienced. The goal of this paper is to provide an understanding of non-profit organisation leaders’ — board chairman, board of directors, executive directors and other executives — cyber security risk management procedures and strategies for cyber resilience board governance in an urban metropolitan area in the southeastern US. Emerging cyber resilience network security trends and technologies are identified, including the ways non-profit organisation leaders responded to the COVID-19 pandemic health crisis.
    Keywords: non-profit organisation board governance; cyber security risk management procedures; cyber resilience decisions; data threats

  • Research Paper
    Your decision: Senior professionals’ decision making during a simulated ransomware attack
    Fabian Muhly, Partner and Philipp Leo, Partner, Leo & Muhly Cyber Advisory

    The current authors surveyed 315 senior professionals of Swiss organisations for their decision making in a simulated ransomware attack. They were put into the shoes of a chief executive officer (CEO) of a fictitious organisation that is the victim of a ransomware attack. The study described in this paper used an interactive ransomware simulation presentation. In three stages, study participants voted for their preferred course of action using the mentimeter.com platform. The results of this study help to better understand senior professionals’ preferred choices in ransomware decision dilemmas. They show that most decision makers would report an attack to authorities and would not pay a ransom. In reality, however, this preferable path of action might not always be observable, ex post. The current authors call for decision makers to be more sensitive about ransomware decision dilemmas to strengthen business continuity operations. This can help to increase crisis management efficiency and effectiveness while minimising losses.
    Keywords: ransomware; decision making; interactive simulation; senior professionals; business environment

Volume 8 Number 1

  • Editorial
    Simon Beckett, Publisher
  • Practice Papers
    Common pitfalls when mitigating cyber risk: Addressing socio-behavioural factors
    Öykü Işik, Professor of Digital Strategy and Cybersecurity, IMD, Yanya Viskovich, Senior Manager, Security Consulting, Accenture and Si Pavitt, Head of Cyber Behaviours and Culture, Recyber

    Although humans constitute a pivotal dimension of the cyber security attack surface, prevailing approaches are often ineffective at addressing human risk. From the vantage point of three key socio-behavioural perspectives, a critical analysis of contemporary cyberattacks and cyber security practices offers insights and a range of opportunities to manage the human factor in cyber security. First, the role of metaphors in shaping cyber security discourse, particularly militaristic analogies, is analysed, supported by research advocating for careful metaphor selection to enhance comprehension, foster shared responsibility and reduce counterproductive assumptions. Secondly, the paper explores the significance of psychological safety within organisational cultures. It discusses the concept of a ‘just culture’ and the impact of cultivating an environment that encourages risk reporting. The discussion expands to highlight the interconnectedness of security culture with broader organisational values, emphasising the critical role of leadership in shaping resilient cyber security postures. Finally, an examination of blame-centric practices and associated consequences provides an insight into less visible forms of victim blaming, such as phishing tests and traditional training-centric strategies. It offers a psychological perspective on the distinction between blame and accountability and highlights the need for a shift away from a compliance-based focus towards a positivist approach. In presenting insights from these three key perspectives, this paper offers opportunities to innovatively manage socio-behavioural risk in cyber security, critiquing prevailing approaches that fail to do so. By linking metaphors, psychological safety and blame-centric practices, it contributes to a comprehensive understanding of the human dimension in cyber security and provides a foundation for advancing effective risk management strategies.
    Keywords: Generative AI; GPT chatbot; data ownership; ethics; risk assessment; governance

  • Understanding and prioritising cyberattack paths amid growing organisational complexity
    Elliott Went, Senior Security Systems Engineer, SentinelOne

    This paper explores the role of attack path modelling (APM) in modern cyber security, addressing the challenges posed by the rapidly evolving digital landscape. It provides a comprehensive overview of APM frameworks and their application in identifying and prioritising potential attack paths. The challenges associated with manual APM efforts, the need for standardisation and the potential for innovation in automated APM tools are examined throughout. Drawing from real-world examples, the paper demonstrates the practical implications of APM in dissecting attack components and mitigating risks. It emphasises the dual approach of human-led APM initiatives and the integration of APM functionality in technical solutions, advocating for improved hygiene with manual and periodic APM assessments that can be optimised with advanced SecOps APM tooling. The paper serves as a general resource for all cyber security practitioners, providing insights into the historical context, frameworks and practical challenges of APM. The paper describes the significance of human-led APM initiatives, using open frameworks to enhance cyber security posture. Furthermore, the paper explores the evolving landscape of APM tools, anticipating their integration with big data platforms and artificial intelligence (AI) for comprehensive security analyses. This paper presents insights into the current state of cyber security, the practical applications of APM frameworks, and the potential future developments in APM technology.
    Keywords: cyber security culture; human factor; behavioural risks; victim blaming; cyber security metaphors; cyber resilience

  • Improving cyber risk governance through storytelling
    Levi Gundert, Chief Security Officer, Recorded Future

    This paper addresses the critical challenge of cyber risk governance faced by executives, security committees and boards of directors in the rapidly changing digital landscape. Cyber security complexity, characterised by data deluges and the translational gap between technical jargon and business risk, significantly hinders effective cyber risk messaging and governance. Drawing on five years of research and interviews with chief information security officers (CISOs), the paper highlights the struggle in establishing trust and confidence in governance bodies due to these complexities. It introduces three constructs that aim to simplify cyber security messaging to enhance cyber risk governance: the intelligence to risk (I2R) pyramid, five risk impacts, and resilience and proximity graph. Each construct, illustrated with practical examples, is designed to provide clarity and foster understanding between cyber security professionals and governance bodies, ensuring a cohesive approach to cyber risk management. Readers can expect to gain valuable insights into overcoming the limitations of traditional risk communication tools such as risk registers. By adopting the presented storytelling approach, the paper promises strategies for building trust through transparency and accountability, bridging the communication gap between technical and executive levels, and facilitating informed decision making for improved governance outcomes in the face of cyber security threats.
    Keywords: cyber security; risk; governance; intelligence; resilience; transparency

  • Obstacles and countermeasures for protecting Internet of Things devices from emerging security risks
    Chahak Mittal, Cybersecurity Manager, Universal Logistics

    The rapid proliferation of Internet of Things (IoT) devices has ushered in a paradigm shift, revolutionising the way we interact with and perceive our environment. This phenomenon has given rise to a hyper-connected ecosystem, seamlessly integrating smart devices into the fabric of homes, cities and industries. While this interconnectedness holds tremendous promise for enhancing efficiency and convenience, it concurrently exposes a complex web of security challenges. This paper delves into the intricate interplay between the expansive scope of IoT deployment and the challenges it poses to security practitioners, policymakers and technology developers alike. By critically assessing current security gaps and potential weaknesses in IoT infrastructures, the research identifies key areas of vulnerability, ranging from insecure communication protocols and inadequate device authentication to insufficient data encryption. In response to these identified challenges, the paper proposes a set of innovative and pragmatic countermeasures aimed at mitigating emerging threats to IoT security. Emphasising the importance of a holistic security framework, the suggested countermeasures span technological enhancements, policy interventions and user education initiatives. The goal is to establish a resilient security posture that not only addresses current vulnerabilities but also adapts to the evolving threat landscape, thereby fostering a more secure and trustworthy IoT ecosystem. Through this research, we aim to contribute valuable insights to the ongoing discourse on IoT security, fostering a deeper understanding of the intricate dynamics at play and providing actionable recommendations for stakeholders invested in fortifying the security foundations of our increasingly interconnected world.
    Keywords: IoT security; emerging threats; obstacles; countermeasures; secure-by-design; updates; zero-trust security; network segmentation; user education; threat intelligence

  • Strong reasons make strong actions: What Shakespeare’s ‘King John’ can teach us about the Internet of Things
    Hanane Taidi, Director General, TIC Council

    The rapid proliferation of Internet of Things (IoT) devices in modern societies brings forth unprecedented opportunities for convenience and connectivity but also poses significant cyber security challenges. This paper examines the risks associated with these devices and the regulatory frameworks governing them in key regions including the US, the EU, China and India. Through a comprehensive analysis, it becomes evident that while efforts are being made to address IoT cyber security concerns, discrepancies in approaches and regulations hinder global harmonisation and create obstacles for industry compliance. Drawing from insights into existing cyber security frameworks and industry practices, the paper proposes actionable recommendations to enhance consumer IoT cyber security. These recommendations include defining baseline security requirements, promoting expertise within IoT workforces, advocating for the independent involvement of conformity assessment bodies (CABs), leveraging the quality infrastructure ecosystem, and launching an international awareness campaign. By implementing these measures, stakeholders can foster a safer and more secure IoT environment, mitigating the risks posed by cyber threats and ensuring the trust and resilience of connected devices. As society continues to navigate the complexities of IoT adoption, it is imperative to recognise the urgency of addressing cyber security challenges. By heeding the lessons from Shakespeare’s ‘King John’ — ‘Strong reasons make strong actions’ — and taking decisive steps to fortify IoT cyber security, we can safeguard individuals, businesses and critical infrastructure from the evolving threat landscape.
    Keywords: Internet of Things; IoT; cyber security; connected devices; regulatory frameworks; conformity assessment bodies; quality infrastructure ecosystem; cyber security standards

  • Identifying and classifying cyberattacks on airports
    Lázaro Florido-Benítez, Lecturer, University of Málaga

    This paper describes research to identify and classify cyberattacks in the aviation industry in order to present the true reality of airports as critical infrastructure and the threats that airport operators face. We conducted a critical review of the types of cyberattacks, supported by up-to-date studies, to analyse cyberattacks in the aviation industry from 2000 to 2023, given the increase in attacks occurring in this period. Data was collected from verifiable sources such as the Center for Strategic and International Studies (CSIS), Federal Aviation Administration, EUROCONTROL, European Union Aviation Safety Agency (EASA), European Union Agency for Cybersecurity (ENISA) and KonBriefing. The findings of this study revealed that recent years have seen an increase in the number of distributed denial-of-service (DDoS) and ransomware cyberattacks at airports by foreign countries motivated by political and economic reasons, diplomatic espionage or even as part of a cyber war. This is particularly worrying, because the most influential international organisations and countries are recognising the existence of a cyber war in political, espionage, terrorism, safety, financial and commercial terms. The new contribution of this research lies in the fact that many uncertainties surround the cyberattacks that airport operators and commercial airlines face on a daily basis. Cyberattacks in the aviation industry are more common than most people realise, and the issue is that sometimes this information is silenced by governments, airport and airline operators to avoid unnecessary social alarm.
    Keywords: airports; cyberattacks; cyber security; critical infrastructures; airlines

  • Research Paper
    AI detection of malicious push notifications in augmented reality in the workplace
    Sarah Katz, Cybersecurity Technical Writer, Microsoft

    Distraction caused by the visual processing of multiple objects during augmented reality (AR) immersion could make users more susceptible to malicious push notifications, thus potentially exposing organisations to unwitting insider threats. This case study consulted four experts in the field of AR application development to design a proposed artificial intelligence (AI)-equipped feature that could detect possibly malicious artefacts entering the user’s line of sight during partial immersion in an augmented reality application at the workplace. Participants included a business partner at an AR company, a security engineering manager, an AI engineer focused on machine learning (ML) and a data analytics specialist. The case study determined that a security application natively implemented on the device could use heuristic analysis of screen-captured user activity to assess potentially malicious push notifications in real time.
    Keywords: cyber security; cyberpsychology; augmented reality; application development; artificial intelligence