
How a CISO Uses Social Science Research

Improved Security by Understanding the Users

By LIOP · Published 2 years ago · 3 min read

The field of Cyber Security is ever evolving. As hardware and software become more advanced, so does the level of threat. The Chief Information Security Officer (CISO) has become an essential role in most organizations (Monzelo et al, 2019). It is the responsibility of the CISO to develop an information security plan, implement that plan and continually adjust policies and procedures as required (Monzelo et al, 2019). The CISO role requires an understanding of the requirements of the organization it is protecting (Monzelo et al, 2019). There is also a need to understand the behavior and habits of users in order to identify a possible security risk before it occurs (Monzelo et al, 2019). By using social science research, a CISO can effectively identify suspicious behavior and predict a security risk before it happens.

Identifying the type of personality of someone who may wish to compromise security is the first step a CISO can take. Although there is no guarantee a potential threat or hacker will fall into a specific category, studies have found that many exhibit similar personality traits (Nasr et al, 2016). One example is that a person with low self-esteem is more likely to look for vulnerabilities and exploit them (Nasr et al, 2016). Within an organization, users who exhibit this and other personality traits may warrant additional monitoring to ensure they are following policies and not performing anything that may be a breach of security. This allows the CISO to be proactive in identifying who may be a possible internal threat and reduces the risk and impact of a security breach occurring.

Knowing some of the personality traits of a user who wishes to compromise security can also assist in understanding why. Understanding why someone may want to breach system security allows for the creation of policies and procedures that protect against these intrusions (Moustafa, 2021). It also allows for the creation of specific consequences for any actions that directly go against a policy or fall outside a procedure. The more specific and clear a rule is, the better it can be enforced.

Social science research can also be used to understand how users act and to identify exactly what type of behavior is suspicious. Understanding common tendencies and interactions of users allows for the use of automated security that can efficiently identify, flag and block suspicious behavior as required (Moustafa, 2021). This is possibly one of the most important aspects of understanding human behavior a CISO can use, because some actions may be normal in a limited capacity but malicious if performed repetitively (Moustafa, 2021). Through that understanding it is possible to put policies and security measures in place that limit the repetition of certain activities and ask for human verification (Moustafa, 2021). An example of this is used by Google when it detects traffic from several IP addresses coming from the same device when using a VPN. Google will display a message stating that there is suspicious traffic and requires a reCAPTCHA verification to continue. This helps ensure a person is the one performing a search and keeps application traffic limited to API use.

Cyber Security is an ever-evolving field and requires knowledge of how those using a system may try to exploit vulnerabilities. A CISO is responsible for developing and implementing an information security plan while continually adjusting policies and procedures. This means the role of a CISO requires an understanding of the security requirements as well as the behavior and habits of users. Doing so allows a CISO to identify possible security risks before they occur.

References

Monzelo, Pedro & Nunes, Sergio. (2019). The Role of the Chief Information Security Officer (CISO) in Organizations.

Moustafa, A. A. (2021). The Role of User Behaviour in Improving Cyber Security Management. Frontiers.

Nasr, E., Kfoury, E., Kfoury, M., & Karam, L. (2016). An Analytical Approach to Psychological Behavior of Hackers' Motives. Ce.Sc.Edu.

Cover Image

Nilov, M. (2021, February 26). Man in blue crew neck shirt wearing black framed eyeglasses · Free Stock photo. Pexels.
