The SOTER project attempts to research the problem of cybersecurity within the critical financial sector through a holistic research plan. There are two parallel strands of research. The first is technology-led, focused on the development of a biometric onboarding platform for the financial services sector. The second strand of this research is social sciences led, and the focus of this blog post – the human factors side of cybersecurity.
In August 2020, SOTER submitted the first iteration of a study entitled “Mapping of human behaviour related threats and mitigation measures”, which provides the theoretical framework for the empirical research looking into the human factor-based aspects of cybersecurity.
The study hopes to understand what threats are actually seen within banks, what their likelihood is of materialising, and to identify a specific and tangible course of action to mitigate against them. Mitigation efforts include efforts to increase specific employee competences, more specific training and awareness campaigns within the organisation, or by cultivating greater employee buy into the ideologies and goals of the company and the industry. These are especially important to consider from the perspective of cybersecurity, whether through workshops, gamification, or by creating a more welcoming, empowered, fulfilling and ethically aware environment for the employee.
The research complemented prior studies by agencies such as ENISA and NATO, who have previously focused on aspects related to the human factors side of cybersecurity. ENISA reported on aspects such as Cybersecurity Culture, Cybersecurity Behaviour, and Cybersecurity Skills Development in the EU and have provided excellent contextual support to the human factor-based cybersecurity resilience problem. These works are also complemented with additional reports from internationally respected organisations, such as the report provided by NATO, on cybersecurity Human Factor Systems Integration.
Within the first phase, SOTER has developed the overarching lens of the study, which will frame the second phase of the research that begins in 2021, after the initial study design aspects conclude. There are two main outcomes so far – the first is the development of the dimensional lens, which allows specific cybersecurity threats to be understood through established and respected bodies of knowledge. Any human factor-based threat may be framed through psychological, sociological, organisation, or individual dimensions. However, it is important to remember that dimensions may not be mutually exclusive, as certain traits may be impacted by others. For instance, attributes such as (but not limited to) competences, awareness, threat perception, cognition and decision making may not just be framed by understanding the individual – they may be impacted by aspects related to the environment, the organisation, or interactions between individuals in the workplace. The same may be said of personality-based attributes or those related to demographics, motivations, attitudes to conformity, rule-following, risk posture, privacy preferences, etc.
The second primary output from the first iteration of the research task is the identification and outlining of the focus of the study moving forward. This process situates the research and allows the consortium to design the study accordingly. One of the most important aspects of the second phase of the research is the qualitative enquiry, which involves engaging with employees of banks and FinTechs directly as they work, to understand the cybersecurity aspects that emerge. However, the research focus also impacts on the related research tasks such as the training and awareness modules, and the sector-specific competence catalogue that is being developed as one of the core SOTER outputs.
SOTER has identified three core areas of concern:
- Human error (including employee negligence and malpractice);
- Malicious insider (attacks made against an organisation from a malevolent internal actor);
- Legal and ethical threats (GDPR and reputational based cybersecurity risks).
The areas of concern are viewed as the core components of the study, especially in relation to forming a better understanding of critical aspects of the financial services sector. The core areas also focus the study into manageable elements that can be researched in conjunction with end-users and their employees. It is important to note that the first phase was to discuss how cybersecurity is imagined theoretically, while the second phase seeks to provide the empirical evidence of how cybersecurity actually is.
The first phase of the SOTER human factors study also moved the research towards a ‘mapping of human factor cybersecurity threats’, by beginning work on a threat taxonomy. This work complements the theoretical understanding developed in phase one, with the more concrete and tangible threat taxonomy developed by MITRE, entitled the Common Attack Pattern Enumeration and Classification (CAPEC™).
The second phase of the study will then attempt to provide evidence and analysis of the types of threats that appear within the financial services sector, with insight drawn from a qualitative enquiry that borrows on ethnographic methodologies within financial organisations and their employees.
Author: Robin Renwick, Trilateral Research