Why IT Security Needs Therapy

Menges, Uta; Hielscher, Jonas; Buckmann, Annalina; Kluge, Annette; Sasse, M. Angela; Verret, Imogen

doi:10.1007/978-3-030-95484-0_20

Cited by 4 publications

(4 citation statements)

References 35 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Fostering a healthy relationship between privacy experts and developers. Different parties with different backgrounds perceive each other in a blocking manner has also been found in security research (e.g., [9,13,35,91]), such as end users seeing security experts and the measures they deploy within their company as a hindrance, resulting in a dysfunctional relationship between the two groups [51]. This may limit the interaction of the groups, hindering the establishment of a Personal Common Ground.…”

Section: Recommendations For Academiamentioning

confidence: 96%

“Those things are written by lawyers, and programmers are reading that.” Mapping the Communication Gap Between Software Developers and Privacy Experts

Horstmann,

Domiks,

Gutfleisch

et al. 2024

PoPETs

View full text Add to dashboard Cite

To ensure data-privacy compliance, it is common for companies to consult privacy experts for the identification and communication of privacy requirements to software developers. However, developers often fail to fulfill those requirements resulting in companies regularly being fined for violations due to non-compliance with privacy data regulations. To investigate why software developers struggle with the implementation of privacy requirements and explore their communication modality, we conducted a qualitative semi-structured interview study with 30 participants involving 10 software developers, 10 privacy experts, and 10 team coordinators with an average experience of nine years in the privacy communication and implementation process within a company context. We found a communication gap between software developers and privacy experts, suggesting a lack of proper procedural steps during the software development process to guarantee that the privacy requirements have been adequately addressed. We also uncovered that since privacy requirements were mostly communicated in a uni-directional manner, they were often perceived as a hindrance during software development, thus fostering an adversarial relationship between privacy experts and developers. Therefore, in order to fulfill the experts' requirements, software developers requested concrete steps to take during the software development process, as observed in the security field. However, privacy experts often lacked the technical knowledge to provide such instructions. This work contributes an explanatory theory on the communication gap between software developers and privacy experts. We discuss common obstacles in the communication of privacy experts and software developers and provide guidance on how to address them.

show abstract

Section: Recommendations For Academiamentioning

confidence: 96%

“Those things are written by lawyers, and programmers are reading that.” Mapping the Communication Gap Between Software Developers and Privacy Experts

Horstmann,

Domiks,

Gutfleisch

et al. 2024

PoPETs

View full text Add to dashboard Cite

show abstract

“…These information security breaches are caused by insiders and outsiders (Ncubukezi, 2022). Insider information threats are often caused by employee ignorance, poor decision making, lack of skills, poorly enforced security strategies, understaffing, poor security guidelines, and a technological knowledge gap (Kluge, Sasse & Verret, 2022;Singh & Singh, 2022).…”

Section: Impact Of Information Threatsmentioning

confidence: 99%

Impact of information security threats on small businesses during the Covid-19 pandemic

Ncubukezi

2022

eccws

View full text Add to dashboard Cite

Information is a significant asset of any organization. The increased information demand by all parties has gained attention and raised security concerns – especially in this digital era where everyone depends heavily on the Internet. The Internet and online platforms expose valuable information to various information threats. These pervasive threats compromise information privacy, safety, and security. Legitimate people and criminals compete to access information. Criminals use innovative ways to gradually increase information security threats, especially in the small business sector with only a minimal budget for proactive security measures. Due to the scarcity of academic research on information security threats for small businesses, this study presents the impact of security threats on businesses during the global Covid-19 pandemic. A qualitative survey within the interpretive approach was used to gather data from 20 small businesses in Western Cape, South Africa, to fill this gap. The study used judgmental sampling to select research participants who are business owners. Data were analyzed using thematic analysis. The results indicated the knowledge gap relating to information threats, even though most businesses are familiar with the costly and negative impact of threats on business operations, resulting in business discontinuity. However, some small business sectors showed minimal awareness a6nd understanding of information security threats, their impact, and proactive mitigation strategies. The study concluded with recommendations to protect against information security threats.

show abstract

“…The Verizon 2022 Data Breach Investigations Report emphasizes that 82 percent of the breaches that occurred were made possible by the decisions and/or active unconscious behavior of humans, involving phishing, the theft of credentials, misuse, and error [4]. However, Menges et al [5] point out that using negative language and blaming employees are indicators of dysfunctional relationships. Information security awareness (ISA) among employees is important but should not be seen as a panacea [5].…”

Section: Introductionmentioning

confidence: 99%

“…However, Menges et al [5] point out that using negative language and blaming employees are indicators of dysfunctional relationships. Information security awareness (ISA) among employees is important but should not be seen as a panacea [5]. It cannot resolve organizational and technical deficiencies, implement security protocols that go beyond staff capabilities, or manage conflicts with the productivity goals that companies expect of their employees.…”

Section: Introductionmentioning

confidence: 99%

Target Groups in German SMEs for Information Security Training: The Use and Limits of Job Profiles in Designing Training Units

Tippelskirch¹,

Scholl²

2022

JITST

View full text Add to dashboard Cite

As digitization becomes increasingly ubiquitous, the importance of information security for every institution is growing more evident year by year. According to recent studies, the cyberattacks of the past year have shown that any company can be targeted by hackers. Without proper information security, a company's survival is at risk. German companies have recognized the dangers of a wide range of cyberattacks and taken technical precautions. There has, however, been no significant increase in organizational measures for information security-including awareness raising and training for managers and employees. The question remains, however, how should awareness-raising measures be tailored to target groups? Profile groups tailored to the everyday working life and usage behavior of employees facilitate authentic learning based on a constructivist concept. Information security training is needed for every job profile in German SMEs. To verify this, an online survey was conducted and analyzed descriptively. Questions include the use of technical infrastructure and external interactions, the work environment, security measures, and the frequency and need for information security training. Correlations between job profiles, scatter plots with usage characteristics, and a comparison of usage behavior largely confirm the urgent need for awareness and the expected job profiles. SMEs are becoming more digital, more mobile, and more in need of training. The result is a "profile arc" that can be found in every company and used to guide authentic learning approaches. Constraints in the SME environment, such as short time frames with limited resources, and the impact of the pandemic need to be discussed.

show abstract

Why IT Security Needs Therapy

Cited by 4 publications

References 35 publications

“Those things are written by lawyers, and programmers are reading that.” Mapping the Communication Gap Between Software Developers and Privacy Experts

“Those things are written by lawyers, and programmers are reading that.” Mapping the Communication Gap Between Software Developers and Privacy Experts

Impact of information security threats on small businesses during the Covid-19 pandemic

Target Groups in German SMEs for Information Security Training: The Use and Limits of Job Profiles in Designing Training Units

Contact Info

Product

Resources

About