This is part two of a blog reviewing key takeaways from SABS4CYBER 2019, the annual conference highlighting the contributions social and behavioural sciences can make to cyber security. You can read part one here.

Multitasking a cause for concern?

Dr. Helen Jones took to the SABS4CYBER stage just before lunch, discussing her research into the effects of multitasking on cyber crime vulnerability. As part of her research, Dr. Jones asked participants to complete an e-tray study while initially counting backwards, then, later, pressing a key on a second computer. The experiments indicated that multitasking can influence our vulnerability to cyber threats, offering attendees another potential insight to explore.

What makes security teams more effective?

In our second keynote of the day, Pavisade’s Pete Cooper drew attendees back in by pronouncing a skilled violinist inferior to an entire orchestra. His point: security teams are better when they have access to varied skill sets. Far too often, rigid recruitment strategies see security teams made up of techies only. In fact, Cooper reminded attendees, security is as people-based as it is technological. The sooner we accept that, the better off we’ll be.

Organisational reputation

Coventry University’s Duncan Greaves followed Cooper, discussing his model of the relationship between organisational reputation and perceived level of data security. According to Greaves, organisational reputation is built on trust, which in turn is mediated by communication quality. Greaves plans to research whether his findings can be generalised cross-culturally.

Highlight of the day!

In a conference highlight, Kirsty Macmillan of Heriot-Watt University then introduced her research on the online risks autistic children face. Through a mixed-methods study, Dr. Macmillan found that autistic children expose themselves to an above-average level of cyber risk. Perhaps surprisingly, rather than mitigating those risks, parents of autistic children are in fact less likely to impose controls or internet blocks on their children’s internet usage than they otherwise might be, Macmillan found. Further research may explain the apparent paradox.

What goes on in the boardroom?

CybSafe’s own Isabella Manghi was next on the bill, presenting her research into cyber risk management in the boardroom. In her talk, Isabella characterised the boardroom as a “black box” of sorts, in that we know what goes into the boardroom and we know what comes out, but we don’t know how boardroom decisions are reached. Why is it, for example, that boards tend to be disengaged from cyber security? And why is it that boards typically underinvest in security provisions? Isabella’s research suggests boardrooms are melting pots of cognitive biases, ultimately breeding suboptimal outcomes.

Who is responsible for security?

While Manghi’s research sought to explain board member behaviours, the Open University’s Dr. Tamara Lopez sought to understand the behaviours of another group: developers. Through a combination of observational studies and interviews, Dr. Lopez found developers occasionally choose to circumvent known security policies because security simply isn’t their number one priority. Further probing revealed developers were unsure of the appropriate levels of security they should exercise, and largely relied on the actions of peers as a rough guide. Dr. Lopez’s research underlined the importance of people-centric security and why developing a culture of security should remain high on CISO agendas.

What does this mean for us?

With the conference drawing to a close, Professor Debi Ashenden, CybSafe’s Dr. John Blythe, Pete Cooper and Dr. David Ellis led a panel discussion on moving between academia and the so-called “real world”. The conversation jumped from the reasons for and against doing so to the practicalities of transitioning, but rarely strayed far from a unifying theme:

The scholastic profession is constantly evolving. Today, it’s possible to be an academic without necessarily occupying the university system. 

With the security industry calling for more interdisciplinary collaboration, it was a take-home thought, and something that at CybSafe we’re committed to doing more of. With that, SABS4CYBER ended for another year. We look forward to seeing you again in 2020.