Cyber Resilient Behavior: Integrating Human Behavioral Models and Resilience Engineering Capabilities into Cyber Security

  • Conference paper
Advances in Human Factors in Cybersecurity (AHFE 2019)

Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 960)

Abstract

Cybercrime is on the rise. With the ongoing digitization of our society, it is expected that, sooner or later, all organizations have to deal with cyberattacks; hence organizations need to be more cyber resilient. This paper presents a novel framework of cyber resilience, integrating models from resilience engineering and human behavior. Based on a pilot study with nearly 60 small and medium-sized enterprises (SMEs) in the Netherlands, this paper shows that the proposed framework holds the promise for better development of human aspects of cyber resilience within organizations. The framework provides organizations with diagnostic capability into how to better prepare for emerging cyber threats, while assuring the viability of human aspects of cyber security critical to their business continuity. Moreover, knowing the sources of behavior that predict cyber resiliency may help in the development of successful behavioral intervention programs.

Funding and Acknowledgments

This work was partially supported by the municipality of The Hague. The authors would like to thank Dr. Susanne van ‘t Hoff - de Goede, Michelle Ancher, Iris de Bruin and students from HBO ICT at THUAS for their assistance with this research effort. Further we would like to thank Dr. Jan Maarten Schraagen and Dr. Heather Young for their thoughtful and detailed comments that greatly improved the quality and readability of the manuscript. We are also grateful to the SMEs who agreed to participate in the surveys.

Author information

Corresponding author

Correspondence to Rick van der Kleij.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

van der Kleij, R., Leukfeldt, R. (2020). Cyber Resilient Behavior: Integrating Human Behavioral Models and Resilience Engineering Capabilities into Cyber Security. In: Ahram, T., Karwowski, W. (eds) Advances in Human Factors in Cybersecurity. AHFE 2019. Advances in Intelligent Systems and Computing, vol 960. Springer, Cham. https://doi.org/10.1007/978-3-030-20488-4_2

  • DOI: https://doi.org/10.1007/978-3-030-20488-4_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-20487-7

  • Online ISBN: 978-3-030-20488-4

  • eBook Packages: Engineering, Engineering (R0)
