Introducing the cybersurvival task: assessing and addressing staff beliefs about effective cyber protection

James Nicholson; Lynne Coventry; Pam Briggs

doi:10.5555/3291228.3291262

Introducing the cybersurvival task: assessing and addressing staff beliefs about effective cyber protection

James Nicholson, Lynne Coventry, Pam Briggs

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

16 Citations (Scopus)

Abstract

Despite increased awareness of cybersecurity incidents and consequences, organisations still struggle to convince employees to comply with information security policies and engage in effective cyber prevention. Here we introduce and evaluate The Cybersurvival Task, a ranking task that highlights cybersecurity misconceptions amongst employees and that serves as a reflective exercise for security experts. We describe an initial deployment and refinement of the task in one organisation and a second deployment and evaluation in another. We show how the Cybersurvival Task could be used to detect 'shadow security' cultures within an organisation and illustrate how a group discussion about the importance of different cyber behaviours led to the weakening of staff's cybersecurity positions (i.e. more disagreement with experts). We also discuss its use as a tool to inform organisational policy-making and the design of campaigns and training events, ensuring that they are better tailored to specific staff groups and designed to target problematic behaviours.

Original language	English
Title of host publication	Proceedings of the Fourteenth Symposium on Usable Privacy and Security, SOUPS 2018
Editors	Mary Ellen Zurko, Heather Richter Lipford, Sonia Chiasson, Rob Reeder
Place of Publication	United States
Publisher	USENIX Association
Pages	443-457
Number of pages	15
ISBN (Electronic)	9781939133106, 9781931971454
DOIs	https://doi.org/10.5555/3291228.3291262
Publication status	Published - 12 Aug 2018
Externally published	Yes
Event	14th Symposium on Usable Privacy and Security - Baltimore Marriott Waterfront, Baltimore, United States Duration: 12 Aug 2018 → 14 Aug 2018 Conference number: 14th https://www.usenix.org/conference/soups2018

Other

Other	14th Symposium on Usable Privacy and Security
Abbreviated title	SOUPS 2018
Country/Territory	United States
City	Baltimore
Period	12/08/18 → 14/08/18
Internet address	https://www.usenix.org/conference/soups2018

Keywords

Cyber security
Group discussions
Information security policies
Initial deployments
Organisational
Policy making
Security experts

Access to Document

10.5555/3291228.3291262

https://www.usenix.org/system/files/conference/soups2018/soups2018-nicholson.pdf

Cite this

Nicholson, J., Coventry, L., & Briggs, P. (2018). Introducing the cybersurvival task: assessing and addressing staff beliefs about effective cyber protection. In M. E. Zurko, H. Richter Lipford, S. Chiasson, & R. Reeder (Eds.), Proceedings of the Fourteenth Symposium on Usable Privacy and Security, SOUPS 2018 (pp. 443-457). USENIX Association. https://doi.org/10.5555/3291228.3291262

Nicholson, James ; Coventry, Lynne ; Briggs, Pam. / Introducing the cybersurvival task : assessing and addressing staff beliefs about effective cyber protection. Proceedings of the Fourteenth Symposium on Usable Privacy and Security, SOUPS 2018. editor / Mary Ellen Zurko ; Heather Richter Lipford ; Sonia Chiasson ; Rob Reeder. United States : USENIX Association, 2018. pp. 443-457

@inproceedings{e3668115d48f467ea2b3f7b9a5b974ec,

title = "Introducing the cybersurvival task: assessing and addressing staff beliefs about effective cyber protection",

abstract = "Despite increased awareness of cybersecurity incidents and consequences, organisations still struggle to convince employees to comply with information security policies and engage in effective cyber prevention. Here we introduce and evaluate The Cybersurvival Task, a ranking task that highlights cybersecurity misconceptions amongst employees and that serves as a reflective exercise for security experts. We describe an initial deployment and refinement of the task in one organisation and a second deployment and evaluation in another. We show how the Cybersurvival Task could be used to detect 'shadow security' cultures within an organisation and illustrate how a group discussion about the importance of different cyber behaviours led to the weakening of staff's cybersecurity positions (i.e. more disagreement with experts). We also discuss its use as a tool to inform organisational policy-making and the design of campaigns and training events, ensuring that they are better tailored to specific staff groups and designed to target problematic behaviours.",

author = "James Nicholson and Lynne Coventry and Pam Briggs",

note = "Publisher Copyright: {\textcopyright} 2018 by The USENIX Association All Rights Reserved.; 14th Symposium on Usable Privacy and Security, SOUPS 2018 ; Conference date: 12-08-2018 Through 14-08-2018",

year = "2018",

month = aug,

day = "12",

doi = "10.5555/3291228.3291262",

language = "English",

pages = "443--457",

editor = "Zurko, \{Mary Ellen\} and \{Richter Lipford\}, Heather and Sonia Chiasson and Rob Reeder",

booktitle = "Proceedings of the Fourteenth Symposium on Usable Privacy and Security, SOUPS 2018",

publisher = "USENIX Association",

address = "United States",

url = "https://www.usenix.org/conference/soups2018",

}

Nicholson, J, Coventry, L & Briggs, P 2018, Introducing the cybersurvival task: assessing and addressing staff beliefs about effective cyber protection. in ME Zurko, H Richter Lipford, S Chiasson & R Reeder (eds), Proceedings of the Fourteenth Symposium on Usable Privacy and Security, SOUPS 2018. USENIX Association, United States, pp. 443-457, 14th Symposium on Usable Privacy and Security, Baltimore, Maryland, United States, 12/08/18. https://doi.org/10.5555/3291228.3291262

Introducing the cybersurvival task: assessing and addressing staff beliefs about effective cyber protection. / Nicholson, James; Coventry, Lynne; Briggs, Pam.
Proceedings of the Fourteenth Symposium on Usable Privacy and Security, SOUPS 2018. ed. / Mary Ellen Zurko; Heather Richter Lipford; Sonia Chiasson; Rob Reeder. United States: USENIX Association, 2018. p. 443-457.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Introducing the cybersurvival task

T2 - 14th Symposium on Usable Privacy and Security

AU - Nicholson, James

AU - Coventry, Lynne

AU - Briggs, Pam

N1 - Conference code: 14th

PY - 2018/8/12

Y1 - 2018/8/12

N2 - Despite increased awareness of cybersecurity incidents and consequences, organisations still struggle to convince employees to comply with information security policies and engage in effective cyber prevention. Here we introduce and evaluate The Cybersurvival Task, a ranking task that highlights cybersecurity misconceptions amongst employees and that serves as a reflective exercise for security experts. We describe an initial deployment and refinement of the task in one organisation and a second deployment and evaluation in another. We show how the Cybersurvival Task could be used to detect 'shadow security' cultures within an organisation and illustrate how a group discussion about the importance of different cyber behaviours led to the weakening of staff's cybersecurity positions (i.e. more disagreement with experts). We also discuss its use as a tool to inform organisational policy-making and the design of campaigns and training events, ensuring that they are better tailored to specific staff groups and designed to target problematic behaviours.

AB - Despite increased awareness of cybersecurity incidents and consequences, organisations still struggle to convince employees to comply with information security policies and engage in effective cyber prevention. Here we introduce and evaluate The Cybersurvival Task, a ranking task that highlights cybersecurity misconceptions amongst employees and that serves as a reflective exercise for security experts. We describe an initial deployment and refinement of the task in one organisation and a second deployment and evaluation in another. We show how the Cybersurvival Task could be used to detect 'shadow security' cultures within an organisation and illustrate how a group discussion about the importance of different cyber behaviours led to the weakening of staff's cybersecurity positions (i.e. more disagreement with experts). We also discuss its use as a tool to inform organisational policy-making and the design of campaigns and training events, ensuring that they are better tailored to specific staff groups and designed to target problematic behaviours.

UR - https://www.usenix.org/conference/soups2018/presentation/nicholson

U2 - 10.5555/3291228.3291262

DO - 10.5555/3291228.3291262

M3 - Conference contribution

AN - SCOPUS:85067287106

SP - 443

EP - 457

BT - Proceedings of the Fourteenth Symposium on Usable Privacy and Security, SOUPS 2018

A2 - Zurko, Mary Ellen

A2 - Richter Lipford, Heather

A2 - Chiasson, Sonia

A2 - Reeder, Rob

PB - USENIX Association

CY - United States

Y2 - 12 August 2018 through 14 August 2018

ER -

Nicholson J, Coventry L, Briggs P. Introducing the cybersurvival task: assessing and addressing staff beliefs about effective cyber protection. In Zurko ME, Richter Lipford H, Chiasson S, Reeder R, editors, Proceedings of the Fourteenth Symposium on Usable Privacy and Security, SOUPS 2018. United States: USENIX Association. 2018. p. 443-457 Epub 2018 Aug 12. doi: 10.5555/3291228.3291262

Introducing the cybersurvival task: assessing and addressing staff beliefs about effective cyber protection

Abstract

Other

Keywords

Access to Document

Other files and links

Fingerprint

Cite this