Validation of a socio-technical management process for optimising cybersecurity practices

This study developed a socio-technical management process to optimise both technical and non-technical security measures to provide optimal, rather than adequate, enterprise security safeguards. The rationale was that over the last decade, studies have consistently shown that the human being remains the weakest link in the entire enterprise security chain. As a result, the majority of cyberattacks have resulted from human behaviour or error. Despite this, evidence suggests that many enterprises are still taking overly technocentric approaches to cybersecurity risk and this has increased the chances of missing the bigger picture. Thus, a mechanism to optimise both technical and non-technical security measures by identifying and closing socio-technical security gaps in existing enterprise security frameworks was required. The mechanism was derived from the literature and validated by industry practitioners where it was found that practitioners could categorise security controls into social (human included), technical and environmental dimensions. Through this, it was found that there were mainly non-technical (social and environmental dimensions) security gaps at practitioners' organisations. To further demonstrate how this security challenge can be identified and addressed, a desktop application of the management process was carried out on the COBIT 5 for Information Security framework. The results reveal the non-technical security gaps on COBIT 5 and the management process demonstrates how these could be closed and optimised. The importance of this study is to highlight that taking overly technocentric approaches to enterprise security risk does not yield significantly positive results in protecting assets. A new approach is required and the socio-technical management process is this paper's contribution to address that security challenge. (C) 2020 Elsevier Ltd. All rights reserved.