Book Review: Psychosocial Dynamics of Cyber Security
What led me to this book: I was searching for a psychological understanding of why organization leadership does not act on cybersecurity threats until:
- Hit by ransomware and desperate.
- Hit with regulatory data compromise fines.
- Operations stopped due to a cyber-attack.
- Resulting in their being top of the news.
In other words, until disaster strikes them directly. Despite their peers being hit with disastrous results, complacency prevents serious action until one of the three catastrophic events occurs and they are in the news. One would think that a near miss might spur senior leadership to re-evaluate their security effectiveness.
I found this book, edited by four leading professionals and thirty-two experienced practical contributors in various disciplines of behavioral psychology and cybersecurity, to assist in my quest for answers to why a lack of action occurs in so many organizations experiencing real or near data loss.
Although the work does not address the issue of why actions are not undertaken by leadership in direct response to security situational awareness or a near miss, it does bring functional Industrial and Organizational (I/O) Psychology best practices to light in a practical manner addressing the concepts of security performance improvements.
Numerous frameworks are discussed, with diagrams, figures, and tables providing practical insight and ideas to contrast with the busy world of oft-dysfunctional reality. Evolving threats and technology drive new priorities and technical requirements at rapid rates, outstripping effective management.
A whitepaper I published 25 years ago, People Practices, and Paradigms, on managing large networks, reminds me that the same technology team management issues continue today for security team management.
The similar diagram below is from the PwC Cyber Security Risk Management Model.
It goes to show that technology management continues to be challenging. I added a Security Team to the Wheel of Collaboration diagram soon after publication. We built collaborative teams from technology departments to address the complexities of large computer networks. Today, we must manage across these same departments to attain a coordinated security defense, with respect to individual departments, to achieve full organizational effectiveness.
The book discusses cybersecurity performance, processes, people placement, SOC teams, and training of both users and security analysts. Of note is the discussion of the evolution of the CISO role. Sad was the lessening of detailed technical experience as a primary criterion in favor of more budget ROI management and congenial factors.
I would like to see an ROI analysis of why data compromise is at an all-time high, while the number of people and the spending on security tools from the biggest vendors bust budgets without making a dent in the problem, as evidenced in every morning newspaper and evening newscast.
I continue searching for psychological reasons security leadership seems to do less when faced with evidence of greater compromise. I and many others would appreciate a cogent analysis of why we are failing so miserably to prevent data compromise.
My personal thought is that with the higher levels of management, i.e., CIO, CISO, CEO, with political contributions of both Trump and Biden, handling the issue, it seems to get worse the greater the distance from the technologist.
Insider threat psychology and counterproductive work behavior are mentioned, as are external threat actors sparking creative responses to hacking within the security community.
You will find many practical criteria for selecting security roles such as critical thinking, troubleshooting, resilience, and persistence characteristics when applying human capital. Continuous learning and adapting are central qualities as the security environment pushes change.
Much content is devoted to creating more meaningful work for additional personnel experiencing quite high turnover rates. Many security solutions focus on “boiling the ocean”, are tedious and time-consuming, and fail to provide satisfying work.
Key takeaway: Cyber leadership competencies and traits are discussed at length as organizations create and build cyber into their firms.
Technology investment discussions are balanced with the understanding that security competency and capability are more cultivated than taught.
The whole of the book works to build a credible organization to address cybersecurity. As with most academic discussions, this book provides excellent notes and references to other works to inspire self-discovery and research.
A great addition to this excellent groundbreaking work would be the psychological reasons we keep failing to keep data secure. As this is intrinsically focused on larger organizations, it would be excellent if they were to write a chapter on how smaller organizations might apply the methods.
I wrote a detailed 46-page SolarWinds Breach Report that offers a more technical assessment in a link below (academics and non-profits, email me for a free copy):