Cybersecurity has been a topic of great interest in recent years, in the news, in legal policy, and in research, while also gaining prominence in both our personal and professional lives. The financial sector is a critical industry in terms of cybersecurity because of the economic and reputational repercussions of a successful attack.
The NIS Directive, an EU-wide cybersecurity legislation, has named banking and financial market infrastructures as two of the seven most critical sectors in terms of cybersecurity protection. It is therefore important to understand the cybersecurity threats that need to be managed. One area of exploration is threats in the finance sector involving the human factor. The SOTER project examines this by combining technology-led research and development with social-sciences-led research, with a specific focus on the human factors related to cybersecurity in the financial sector.
To better understand the human-factor-based aspects of cybersecurity, SOTER has conducted a research task entitled “Mapping of human behaviour related threats and mitigation measures”. The first iteration of this task provided a theoretical background and framework of the human factors related to cybersecurity. This work was then used to outline the focus of the second iteration of the task, a research study guided by the following three hypotheses:
- Management, the cybersecurity department, and general employees have conflicting priorities regarding cybersecurity.
- Certain pressures exist that act as disablers of effective cybersecurity in the organisation.
- Viewing employees as threat vectors impacts trust levels within the organisation.
The qualitative study involved 1-to-1 online interviews with employees from a financial services organisation. The interviews were carried out with a range of employees from different departments and job roles, including management, general staff, and cybersecurity staff. Employees were asked a series of questions about cybersecurity in their job and were presented with hypothetical scenarios so that they could give their opinion on how they would respond to specific cybersecurity issues.
Five main themes were discussed:
- Friction between cybersecurity and other business processes.
- Resource allocation and relation to effective cybersecurity.
- Collaborative cybersecurity and professional responsibility.
- The role of training and awareness in effective cybersecurity.
- Employee and organisational trust.
The findings support two of the three study hypotheses. Although employees agreed on the importance of cybersecurity and of cybersecurity training and awareness, they expressed different views of cybersecurity depending on their role and the department they worked in. Moreover, urgency, lack of time, and the friction between cybersecurity and meeting business demands were mentioned by participants as disablers of effective cybersecurity in the workplace.
Employees did not discuss staff being viewed as threat vectors; however, they did discuss the importance of trust. First, they considered the trust between employers and employees, since employees form one of the most important elements of effective cybersecurity. Employees also addressed the role trust plays in the relationship between organisations and their clients, which is especially critical from a cybersecurity perspective in the finance sector.
The results validate and expand our current knowledge of human-factor-based cybersecurity in the finance sector. The qualitative nature of the interviews allowed us to draw on different employees’ views and experiences of implementing cybersecurity procedures in the workplace, and so to gain a holistic understanding of the human factors that lead to effective cybersecurity. Obtaining employees’ perspectives enabled us to observe how cybersecurity translates into the real world and how it compares with policies and literature in this domain.
The research from this study has allowed the SOTER team to test how social research practices help us better understand a finance sector organisation’s current cybersecurity culture, while helping to identify current vulnerabilities and threats to support a more human-orientated organisational risk assessment. The findings from this study will be used to inform further SOTER work, including the development of specific mitigation methods such as the SOTER human-orientated risk assessment framework, dedicated finance sector training and awareness campaigns, and the design and delivery of management-level cybersecurity masterclasses.
Author: Eliza Jordan, Trilateral Research