DOI: 10.1145/3628454.3629472
research-article

Enhancing Cybersecurity Resilience: A Comprehensive Analysis of Human Factors and Security Practices Aligned with the NIST Cybersecurity Framework

Published: 06 December 2023

Abstract

Although effective technical countermeasures play a pivotal role in safeguarding organizations’ digital assets, the persistent challenge of human factors in cybersecurity should not be underestimated. This study aims to identify the human factors employed within the cybersecurity research community and the relevant human-centric security practices. These human factors and security practices are subsequently mapped to the functions, categories, and sub-categories of the NIST Cybersecurity Framework (NIST-CSF). The methodology for this research comprises a literature review and qualitative mapping techniques. The study identifies 20 distinct human factors and 12 security practices. Additionally, the mapping reveals that 3 of the NIST-CSF functions, 8 categories, and 19 sub-categories are directly related to human aspects of cybersecurity. By aligning human factors and security practices with established NIST-CSF guidelines, organizations can strengthen their overall security posture. Moreover, the alignment helps identify gaps in cybersecurity related to human factors, so that organizations can address vulnerabilities and mitigate risks associated with human error, reducing the likelihood of security incidents and data breaches. Ultimately, this study provides valuable insights, presents conclusions, and suggests directions for future work.



Published In

IAIT '23: Proceedings of the 13th International Conference on Advances in Information Technology
December 2023
303 pages
ISBN: 9798400708497
DOI: 10.1145/3628454
Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. Information Security Awareness
2. NIST-CSF
3. Security Practices

Qualifiers

• Research-article
• Research
• Refereed limited

Conference

IAIT 2023

Acceptance Rates

Overall Acceptance Rate 20 of 47 submissions, 43%
