An empirical study into how cyber security professionals deal with uncertainty in information security risk assessments

Understanding perceptual aspects and judgment operations

Abstract

The information security (IS) risk assessment process is an essential part of how organisations protect their digital assets. However, the fast-changing IS environment leaves organisations with limited knowledge of eventualities, dependencies and the values of systems and phenomena. Consequently, the IS risk assessment process depends on the judgment of cybersecurity professionals to complement this incomplete knowledge. The aim of this research is to understand how cybersecurity professionals form judgments when they experience uncertainty about the IS environment. First, how cybersecurity professionals perceive uncertainty is analysed, guided by the theory of perceived environmental uncertainty. Second, the judgment operations of cybersecurity professionals are analysed, guided by the theory of judgment heuristics. These two concepts are synthesised against the backdrop of the ISO27005 information security risk assessment methodology, whose steps serve as the different components of the information security environment. The results show that cybersecurity professionals perceive uncertainty about the IS environment when it is difficult to grasp the interrelations in the organisation's landscape of information and information systems, to assign accurate values to the likelihood of changes/events occurring in the IS environment, and to determine the impact of such changes/events on the organisation. This uncertainty is caused by the complexity and dynamism dimensions of the organisation's IS environment. Factors attributed to these dimensions are shadow IT, the innovation processes within an organisation and the organisational structure. The judgment operations of cybersecurity professionals are partly explained with the help of judgment heuristics. The data show that the selective accessibility model is predominantly used to provide judgment about the IS environment during risk assessments: professionals rely heavily on the information provided to them from different sources and consequently stay close to the initial values. The availability and representativeness heuristics are also identified, but are referenced in fewer instances. This suggests that cybersecurity professionals assess information more on a case-by-case basis than by judging on similarity or on the ease with which a scenario is retrieved from memory. Aside from the identified heuristics, the cybersecurity professional is in some cases observed not to be included in the final judgment; the uncertainty is then accepted because it is not part of their responsibility. Additionally, the shift in security policy and philosophy from prevention to detection and response allows the cybersecurity professional to accept that not all IS incidents can be prevented, and that detection of and response to IS incidents allow the impact on the organisation to be minimised. Finally, the cybersecurity professional also judges the security awareness of the people involved when forming judgments during an IS risk assessment.