Employee well-being as a strategy for responsible cybersecurity

New research led by Lancaster University into “responsible” cybersecurity suggests the well-being of those in cybersecurity roles should be a key consideration for firms’ security strategies due to the level of burn out among those in high-pressure roles.

The new study, published in Information Systems Frontiers, is based on 20 in-depth interviews with senior cybersecurity professionals from a range of organizations and sectors. Researchers use their findings to outline a new model for organizations to follow that illustrates the multiple layers of cybersecurity required in a modern firm.

Using responses and insights from the participants who had between five and 30 years’ experience in the cybersecurity sector, the research team, led by Professor Niki Panteli from Lancaster University Management School (LUMS), and supported by Dr. Boineelo Nthubu, also from LUMS; and Dr. Konstantinos Mersinas from Royal Holloway, University of London, identified five different “layers” of responsible cybersecurity needed for an organization to act responsibly and be adequately protected.

These layers include:

1. Techno-centric: to ensure an organization’s systems are secure by design and security considerations are embedded in every aspect of an IT system’s development, from architecture to deployment.
2. Human-centric: to ensure not only employees’ individual security and responsible use of IT systems but for firms to act responsibly towards the well-being of those in cybersecurity roles. Measures need to be taken to support those in cyber security roles mentally and physically to sustain their effectiveness in a high-pressure environment and avoid risky behaviors due to burnout and fatigue, and to increase the diversity and inclusivity of the cybersecurity sector by addressing the lack of women in these roles.
3. Intra-organizational-centric: to develop a strong culture and shift in mindset that embraces the fact that cybersecurity is a shared responsibility among all stakeholders– not just an IT problem. This will need to be supported by agile policies, clear accountability pathways and training and awareness programs.
4. Inter-organizational centric: to emphasize an organization’s responsibility and impact on the cybersecurity of other firms including that of its supply chain.
5. Societal-centric perspectives: to consider the wider social and societal impacts of cyberthreats.

Niki Panteli is a Professor of Digital Business at Lancaster University Management School. She said, “Our study highlights interesting findings for the cybersecurity sector to consider, but perhaps the most concerning is the level of burnout that was reported among our interviewees and the risks this presents to not only individuals’ health, but that of organizations and wider society.

“Our data suggests that if firms want to act responsibly with their cybersecurity, there is a pressing need to foster a culture that prioritizes employee well-being and a work-life balance, so that cybersecurity professionals can perform at their best without compromising their health.”

Researchers also stress the need for firms to recognize the wider responsibility they have for the security that lies beyond their own systems, that can impact on the supply chain and the general public.

“Cyber-attacks don’t just impact the individual firms they target, they can generate ripple effects that are felt across supply chains and can touch all corners of society,” Prof Panteli continues. “And in this era of expanding digitalization, when we are seeing a growing dependence on cloud computing and the boom in hybrid work, maintaining robust cybersecurity is a necessity.

“The boundaries of responsible security are changing, and we need firms to recognize and act on this urgently. As participants of this study suggest, this needs to be directed from the top down, with senior leaders taking a leading role in implementing responsible cybersecurity—but generating a culture where cybersecurity is seen as the collective responsibility of everyone.”

Researchers say their new framework can serve as a tool for organizations to create a positive security culture.