
2025 | OriginalPaper | Book chapter

Improving the Human Firewall: Exploring the Factors that Influence Cyber-Security Incident Reporting

Written by: Kristiina Ahola, Daniel Sturman, Nadia Scott, Malcolm Pattinson, Andrew Reeves, Marcus Butavicius, Agata McCormac

Published in: Human Aspects of Information Security and Assurance

Publisher: Springer Nature Switzerland


Abstract

Purpose: Cyber-security incidents present a growing risk to organisations due to their increasing sophistication and prevalence. It is crucial for employees, often considered the ‘human firewall’ against cyber-attacks, to report these incidents promptly. Doing so can minimise damage and enable cyber-security teams to quickly detect and mitigate active attacks. Hence, the aim of this study was to investigate the relationship between a subset of factors and the reporting of cyber-security incidents.

Methodology: 549 working Australian adults completed the Cyber Security Incident Reporting Inventory (CSIRI; pronounced “Siri”) and a series of demographic questions via an online survey.

Findings: Participants were significantly more likely to report incidents if their organisation had a cyber-security policy, regardless of whether it was formal or informal, or if they perceived cyber-security as being primary or relevant to their job. In addition, employees identifying with diverse gender identities exhibited significantly more negative attitudes and less perceived behavioural control in reporting cyber-security incidents, compared to the male, female, and non-binary groups.

Implications: The results of this study indicate that organisations should consider introducing or modifying their existing cyber-security policies and training programs to meet the needs of their diverse employees. Organisations that leverage such insights can reinforce their ‘human firewall’ and better defend themselves against cyber-attacks.

Metadata

Title: Improving the Human Firewall: Exploring the Factors that Influence Cyber-Security Incident Reporting

Written by: Kristiina Ahola, Daniel Sturman, Nadia Scott, Malcolm Pattinson, Andrew Reeves, Marcus Butavicius, Agata McCormac

Copyright year: 2025

DOI: https://doi.org/10.1007/978-3-031-72563-0_9