Bias, Breach and Breakdown: Framework for cybersecurity Control Failures
Keywords: cybersecurity, control failure, cognitive bias, data breach, policy non-compliance, insider threat, protection motivation theory, neutralisation theory, human factors, information security policy, BBB framework, organisational breakdown

Abstract
The growing cost of cybersecurity control failure to organisations worldwide can be traced to existing frameworks that capture only limited aspects of its causes. This paper draws on evidence from 25 academic and practice-based publications up to 2018 to propose the Bias, Breach, and Breakdown (BBB) framework, a trinity of cognitive, technical, and organisational causes of security control failure. The paper cites the Ponemon Institute (2018), which reported a global average breach cost of USD 3.86 million (6.4% annual growth), and the Verizon (2018) Data Breach Investigations Report, which documented 2,216 confirmed breaches in 65 countries, to show that the three major types of control failure are human cognitive biases, non-compliance with policy, and systemic organisational breakdown. The framework is grounded in dual-process cognitive theory (Kahneman, 2011), Protection Motivation Theory (Herath & Rao, 2009), neutralisation theory (Siponen & Vance, 2010), and escalation of commitment (Kolkowska et al., 2017). An industry-specific examination of healthcare finds the highest per-record breach cost of any sector, USD 408 (Ponemon Institute, 2018), and pervasive access control failure in 54% of organisations (Jalali & Kaiser, 2018). The framework shows that the 81% of hacking-related breaches that used stolen credentials (Verizon, 2018) arise from a combination of cognitive and technical control vulnerabilities. Proposed solutions include debiasing training, human-centred control design, multi-factor authentication, and organisational culture interventions, together forming a holistic response to control failure across all three pillars.
References
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523–548. https://doi.org/10.2307/25750690
Burns, A. J., Posey, C., Roberts, T. L., & Lowry, P. B. (2017). Examining the relationship of organizational insiders' psychological capital with information security threat and coping appraisals. Computers in Human Behavior, 68, 190–209. https://doi.org/10.1016/j.chb.2016.11.018
Cheng, L., Liu, F., & Yao, D. (2017). Enterprise data breach: Causes, challenges, prevention, and future directions. Wiley Interdisciplinary Reviews: Data Mining and Knowledge Discovery, 7(5), e1211. https://doi.org/10.1002/widm.1211
D'Arcy, J., & Lowry, P. B. (2017). Cognitive-affective drivers of employees' daily compliance with information security policies: A multilevel, longitudinal study. Information Systems Journal, 29(1), 43–69. https://doi.org/10.1111/isj.12173
De Matas, S. S., & Keegan, B. P. (2018). An exploration of research information security data affecting organizational compliance. Data in Brief, 22, 116–125. https://doi.org/10.1016/j.dib.2018.11.002
Herath, T., & Rao, H. R. (2009). Protection motivation and deterrence: A framework for security policy compliance in organisations. European Journal of Information Systems, 18(2), 106–125. https://doi.org/10.1057/ejis.2009.6
Jalali, M. S., & Kaiser, J. P. (2018). Cybersecurity in hospitals: A systematic, organizational perspective. Journal of Medical Internet Research, 20(5), e10059. https://doi.org/10.2196/10059
Kahneman, D. (2011). Thinking, fast and slow. Farrar, Straus and Giroux.
Kim, S. H., Yang, K. H., & Park, S. (2014). An integrative behavioral model of information security policy compliance. The Scientific World Journal, 2014, 463870. https://doi.org/10.1155/2014/463870
Kolkowska, E., Karlsson, F., & Hedström, K. (2017). Escalation of commitment as an antecedent to non-compliance with information security policy. Information and Computer Security, 26(2), 39–57. https://doi.org/10.1108/ICS-09-2017-0066
Loch, K. D., Carr, H. H., & Warkentin, M. E. (1992). Threats to information systems: Today's reality, yesterday's understanding. MIS Quarterly, 16(2), 173–186. https://doi.org/10.2307/249574
Menard, P., Bott, G. J., & Crossler, R. E. (2017). User motivations in protecting information security: Protection motivation theory versus self-determination theory. Journal of Management Information Systems, 34(4), 1203–1230. https://doi.org/10.1080/07421222.2017.1394083
Nobles, C. (2018). Botching human factors in cybersecurity in business organizations. HOLISTICA – Journal of Business and Public Administration, 9(3), 71–88. https://doi.org/10.2478/hjbpa-2018-0024
Nurse, J. R. C., Creese, S., Goldsmith, M., & Lamberts, K. (2011). Guidelines for usable cybersecurity: Past and present. 2011 Third International Workshop on Cyberspace Safety and Security (CSS), 21–26. https://doi.org/10.1109/CSS.2011.6058566
Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70–82. https://doi.org/10.1016/j.cose.2015.10.006
Sasse, M. A., Brostoff, S., & Weirich, D. (2001). Transforming the 'weakest link': A human/computer interaction approach to usable and effective security. BT Technology Journal, 19(3), 122–131. https://doi.org/10.1023/A:1011902718709
Siponen, M., & Vance, A. (2010). Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quarterly, 34(3), 487–502. https://doi.org/10.2307/25750688
Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees' adherence to information security policies: An exploratory field study. Information & Management, 51(2), 217–224. https://doi.org/10.1016/j.im.2013.08.006
Sommestad, T., Karlzén, H., & Hallberg, J. (2017). The theory of planned behavior and information security policy compliance. Journal of Computer Information Systems, 59(4), 344–353. https://doi.org/10.1080/08874417.2017.1368421
Vance, A., Siponen, M., & Pahnila, S. (2012). Motivating IS security compliance: Insights from habit and protection motivation theory. Information & Management, 49(3–4), 190–198. https://doi.org/10.1016/j.im.2012.04.002
Verizon. (2018). 2018 Data breach investigations report. Verizon Enterprise Solutions. https://www.verizon.com/business/resources/reports/dbir/2018/
Warkentin, M., & Willison, R. (2009). Behavioral and policy issues in information systems security: The insider threat. European Journal of Information Systems, 18(2), 101–105. https://doi.org/10.1057/ejis.2009.12
West, R. (2008). The psychology of security. Communications of the ACM, 51(4), 34–40. https://doi.org/10.1145/1330311.1330320
License

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.