Cyber threats Summary of ALL literature

  • 17 May 2022
  • 104 pages
  • 2021/2022
  • Summary
mauritshorst
Employee Rule Breakers, Excuse Makers and Security Champions: Mapping the risk perceptions and
emotions that drive security behaviors (Beris et al. 2015)

· Shadow security - employees create workarounds when ‘official’ security is too burdensome,
yet are still security-conscious and take other measures to protect against the risks they understand

· Security hygiene - process of identifying and re-designing high-friction security

· Security hygiene - necessary, but not sufficient condition for compliance - staff may still be
tempted to cut corners where they perceive risks as negligible, or think the organization does not
‘deserve’ their contribution to security

· Security managers typically only consider lack of knowledge as a driver of security behavior –
but not appreciating severity of a risk

- First step - systematically identify and categorize meaningful heterogeneous characteristics
within an employee population

- Measures of behavioral types in the social sciences focus on aspects of personality

- Emotional responses consciously or unconsciously shape employees’ general attitude
towards security, and their risk perception

- Risk perception is also based on an individual’s skill at assessing risk, backed by the relevant
information or knowledge they may have



Security behavior results from

1) an individual’s affective responses to security

2) their competence in assessing risk

- Organizations with a healthy security culture are likely to have high levels of risk
understanding, combined with positive emotion towards security

· The affect heuristic is also applied to both conscious and subconscious modes of thinking -
Kahneman suggests that we are likely to default to automatic and intuitive processing in risk
assessments particularly under pressure, referred to as System 1, rather than a more analytical
approach, referred to as System 2



Johari Window - psychological framework used to facilitate a better understanding of an individual’s
relationship with themselves and others

- 2 x 2 grid - expresses four states of awareness, combining what is known and not known by the
self and what is known or not known by others

- Widely used in conceptualizing risk in other domains such as space exploration

- Massie and Morris’ risk model builds on Johari Window to explore how known and unknown
information influences decision-making under conditions of risk


Behavioral Security Grid (BSG) – revised version of the Johari Window - four states of awareness
incorporated into the Johari Window which are referred to as: Open, Blind, Hidden and Unknown

Open area - refers to what is known by both the self and others

Blind area - refers to what others know about the person but they are not aware of themselves

Hidden area - refers to what the person knows about themselves but others are not aware of

Unknown area - refers to what is not known by self and others



- Quadrants of the Johari Window, Open, Blind, Hidden and Unknown offer a basic heuristic to
express the employee’s style or mode of security behavior

- Aims to better understand the relationship between individuals and organizational security
policy - useful framework to represent differences in security behavior

- Discard the Johari Window axes relating to the self and others, since they do not fit the
model



· Affective Security (AS) – emotional dimension, assigned to y-axis

· AS - deals with individual’s emotional response to security, as represented by the
organization’s security policy

· Risk Understanding (RU) – dimension of competence, assigned to x-axis

· RU - denotes the individual’s ability to accurately perceive the existence and severity of the
risks associated with the actions they take themselves, as well as those they observe in the
surrounding environment

· Application of these axes, along with the re-orientation of the window, results in BSG

· Second stage - use revised Johari Window to categorize members of two different
organizations in order to identify differences between their populations



Affective Security

• Strong Positive (AS++) - these individuals regard security as their personal business and
responsibility

- They feel organization has effectively designed and implemented its security strategy

- May act as leaders and have the capacity to positively influence those around them

- Clear indication that the individual personally takes action to comply with, or support, the
security policy of the organization, such as adopting practices aligned with the policy, or challenging
non-compliant practices they observe in their environment

• Weak Positive (AS+) - positive inclination toward security and statements reflecting a reasonably,
but not strongly, positive stance

- Express a view that organizational policy is useful, but do not necessarily see it as their
personal responsibility

- Appreciate the need for security in a general sense but less likely to take personal initiative
to ensure security



• Weak Negative (AS-) - Think security processes are useful to the organization in the abstract, but
when it comes to applying personal effort to the task they frequently make excuses

- Security tasks take up too much time, or effort, because organizational policy is not as
effective as it could be



• Strong Negative (AS--) - Highly frustrated by current security policy and seek to implement ad hoc
workarounds that minimize their involvement with it

- Taking direct action on their own behalf, and may also set unwanted precedents for others
(particularly those falling in the weak negative category)

- Intentionally circumventing the policy, or expressed a desire to circumvent, even if it was not
actually feasible to do so



Risk Understanding

• Strong Positive (RU++) – display a comprehensive understanding of risk factors, including the
ability to understand the causal relationship between their actions, risk, and any associated
outcomes

- Understood not only that a risk exists, but what causes the risk and the impacts associated
with it


• Weak Positive (RU+) - existence of risks is recognized but individuals are less clear about what
causes them, or do not demonstrate an understanding of the relationship between their actions and
the risk (or its mitigation)

- Risks are correctly identified, either explicitly or implicitly, but no further discussion is
offered as to their causes or impacts



• Weak Negative (RU-) - omissions in their ability to recognize risk

- Knowledge is accurate but incomplete, leading them to make errors in judgment, or be
uncertain as to how to proceed in a given situation

• Strong Negative (RU--) - actively hold misconceptions about risk, they do not just fail to mention
that they exist but make statements that are incorrect

- Believe they are right while making significant mistakes

- Discussion of risk and emotive responses to security were more prevalent during the
semi-structured interviews



Blind

1) Strong Positive AS & Strong Negative RU: “Gung Ho”

· Individuals of this type pose a significant, if unintentional, threat to the organization

· See security as something they should be personally involved in, but are burdened by
inaccurate risk perception

· Leads them to propagate undesirable culture traits, as they will seek to take a leadership role,
but will not have a clear view of what constitutes effective action

· Keen to follow the existing policy, but lack of understanding regarding the risks it addresses
may lead them to perceive some or all of it as arbitrary, increasing their likelihood of non-compliance



2) Strong Positive AS & Weak Negative RU: “Uncertain”

· Strongly motivated by security, however are unaware of the risks they may encounter,
leading them to be unsure as to why certain policies may be in place, or unclear as to the
consequences of any potential workarounds

· May wish to play a role in creating a positive security culture but lack the knowledge to
consistently choose between good and bad, leaving them uncertain of where to place their effort



3) Weak Positive AS & Strong Negative RU: “Naïve”

· Hold a generally positive outlook toward security, but are more likely to contravene security
policy when it negatively impacts their primary task

· Combined with active misconceptions regarding what constitutes risky behavior



4) Weak Positive AS & Weak Negative RU: “Passive”

· Feel that security is necessary for the organization, although not something they themselves
should have to put time into

· Aware of the policy but not clear why it exists, leaving them following rules by rote
