Understanding the root cause of cybersecurity incidents through DuPont’s Dirty Dozen framework
List of Authors
  • Allen Peter Diman, Titik Khawa Abdul Rahman

Keywords
  • Cybersecurity, Cybersecurity Incidents, Dirty Dozen, Human Errors, Human Factors

Abstract
  • Cybersecurity incidents, such as data breaches, pose a significant threat to organisations. Shockingly, 95% of these incidents occur due to human errors. Despite organisations making substantial efforts to reduce the likelihood of such occurrences through technological and non-technological means, the frequency of these incidents has been increasing. Previously, organisations relied on technology as the primary barrier to minimise cybersecurity incidents and achieve their objectives. Although research indicates that humans are the weakest link in an organisation's efforts to combat cybersecurity incidents, organisations still consider technology the key to improving security defences. Therefore, the researchers suggest that improving human interventions should precede technological means in overcoming the problem. They propose that existing information security plans should consider human factors in cybersecurity risk management. Prioritising an understanding of human factors in managing information security can help organisations identify the relationships between the various dimensions of human error and cybersecurity incidents. To achieve this, the paper addresses the human factor problem in cybersecurity incidents by explaining how DuPont's Dirty Dozen framework, commonly used in aviation, can help explain why cybersecurity incidents and accidents occur. The framework lists twelve human behaviours that can be used to understand the relationships between the various dimensions of human error and cybersecurity incidents. By understanding these relationships, organisations can improve their cybersecurity strategies by anticipating, mitigating, and resolving issues more effectively and efficiently.
