An empirical study into how cyber security professionals deal with uncertainty in information security risk assessments

An empirical study into how cyber security professionals deal with uncertainty in information security risk assessments: Understanding perceptual aspects and judgment operations

Hagenaars, Kay (TU Delft Technology, Policy and Management)

Pieters, W. (mentor)
Franssen, M.P.M. (graduation committee)
van Eeten, M.J.G. (mentor)
Meeuwisse, Kirsten (graduation committee)

Delft University of Technology

Management of Technology (MoT)

2019

The information security (IS) risk assessment process is an essential part to organisation's their protection of digital assets. However, the fast changing IS environment causes for limited knowledge of eventualities, dependencies and values of systems and phenomena. Consequently, the IS risk assessment process is depending on the judgment of cybersecurity professionals to complement the incomplete knowledge. The outset of this research is to understand how cybersecurity professionals provide judgment when they experience uncertainty about the IS environment. First, the perception of uncertainty with cybersecurity professionals is analysed, guided by the theory on perceived environmental uncertainty. Second, the judgment operations of the cybersecurity professionals are analysed, guided by the theory on judgment heuristics. These two concepts are synthesised against the backdrop of the ISO27005 information security risk asessment methodology, that serves as different components of the information security environment. The results show that cybersecurity professionals perceive uncertainty about the IS environment in which it is difficult to: grasp the different interrelations in the organisation’s landscape of information and information systems, assign accurate values to the occurrence of changes/events in the IS environment and to determine the impact from changes/events to the organisation. This uncertainty is caused by the complexity and dynamism dimensions within the organisation’s IS environment. Indicated factors attributed to these dimensions are shadow IT, the innovation processes within an organisation and the organisational structuring. The judgment operations of the cybersecurity professionals are partly explained with the help from judgment heuristics. The data shows that the selective accessibility model is predominantly used to provide judgment about the IS environment during risk assessments. Thereby heavily relying on the information provided to them from different sources, consequently staying close to the initial values. The availability and representative heuristic are also identified but are referenced in fewer instances. This would suggest that the cybersecurity professional assess the information more on a case–by–case basis, rather than providing judgment based on similarity or the ease with which a scenario is retrieved from memory. Aside from the identified heuristics, the cybersecurity professional is observed not to be included in the final judgment. In such cases the uncertainty is then accepted because it is not part of their responsibility. Additionally, the security policy and philosophy paradigm shift from prevention to detection and response allow the cybersecurity professional to accept that not all IS incidents can be prevented. But that detection and response of IS incidents allow the impact to the organisation to be minimised. Finally the cybersecurity professional also judges the security awareness of the people involved when providing judgment operations during an IS risk assessment.

information security risk assessment
uncertainty
information security environment
perceived environmental uncertainty
judgment heuristics
ISO 27005

http://resolver.tudelft.nl/uuid:dd449566-a3ba-4695-95ae-037914e366d4

Student theses

master thesis

© 2019 Kay Hagenaars