eprintid: 10084102
rev_number: 22
eprint_status: archive
userid: 608
dir: disk0/10/08/41/02
datestamp: 2019-10-24 13:19:33
lastmod: 2021-10-25 00:02:44
status_changed: 2019-10-24 13:19:33
type: article
metadata_visibility: show
creators_name: Ani, UD
creators_name: He, H
creators_name: Tiwari, A
title: Human factor security: evaluating the cybersecurity capacity of the industrial workforce
ispublished: pub
divisions: UCL
divisions: B04
divisions: C05
divisions: J39
keywords: Cybersecurity evaluation, Human-factor security, Industrial control environment security, Workforce security evaluation
note: This version is the author accepted manuscript. For information on re-use, please refer to the publisher’s terms and conditions.
abstract: Purpose: As cyber-attacks continue to grow, organisations adopting the internet-of-things (IoT) have continued to react to security concerns that threaten their businesses within the current highly competitive environment. Many recorded industrial cyber-attacks have successfully beaten technical security solutions by exploiting human-factor vulnerabilities related to security knowledge and skills and manipulating human elements into inadvertently conveying access to critical industrial assets. Knowledge and skill capabilities contribute to human analytical proficiencies for enhanced cybersecurity readiness. Thus, a human-factored security endeavour is required to investigate the capabilities of the human constituents (workforce) to appropriately recognise and respond to cyber intrusion events within the industrial control system (ICS) environment. /

Design/methodology/approach: A quantitative approach (statistical analysis) is adopted to provide an approach to quantify the potential cybersecurity capability aptitudes of industrial human actors, identify the least security-capable workforce in the operational domain with the greatest susceptibility likelihood to cyber-attacks (i.e. weakest link) and guide the enhancement of security assurance. To support these objectives, a Human-factored Cyber Security Capability Evaluation approach is presented using conceptual analysis techniques. /

Findings: Using a test scenario, the approach demonstrates the capacity to proffer an efficient evaluation of workforce security knowledge and skills capabilities and the identification of weakest link in the workforce. /

Practical implications: The approach can enable organisations to gain better workforce security perspectives like security-consciousness, alertness and response aptitudes, thus guiding organisations into adopting strategic means of appropriating security remediation outlines, scopes and resources without undue wastes or redundancies. /

Originality/value: This paper demonstrates originality by providing a framework and computational approach for characterising and quantify human-factor security capabilities based on security knowledge and security skills. It also supports the identification of potential security weakest links amongst an evaluated industrial workforce (human agents), some key security susceptibility areas and relevant control interventions. The model and validation results demonstrate the application of action research. This paper demonstrates originality by illustrating how action research can be applied within socio-technical dimensions to solve recurrent and dynamic problems related to industrial environment cyber security improvement. It provides value by demonstrating how theoretical security knowledge (awareness) and practical security skills can help resolve cyber security response and control uncertainties within industrial organisations.
date: 2019-03-11
date_type: published
publisher: Emerald
official_url: https://doi.org/10.1108/jsit-02-2018-0028
oa_status: green
full_text_type: other
language: eng
primo: open
primo_central: open_green
verified: verified_manual
elements_id: 1708614
doi: 10.1108/jsit-02-2018-0028
lyricists_name: Ani, Daniel
lyricists_id: UANIX02
actors_name: Allington-Smith, Dominic
actors_id: DAALL44
actors_role: owner
full_text_status: public
publication: Journal of Systems and Information Technology
volume: 21
number: 1
pagerange: 2-35
citation:        Ani, UD;    He, H;    Tiwari, A;      (2019)    Human factor security: evaluating the cybersecurity capacity of the industrial workforce.                   Journal of Systems and Information Technology , 21  (1)   pp. 2-35.    10.1108/jsit-02-2018-0028 <https://doi.org/10.1108/jsit-02-2018-0028>.       Green open access   
 
document_url: https://discovery.ucl.ac.uk/id/eprint/10084102/7/Ani_A_Human-factored_Paper_Accepted_version_extracted.pdf