'Cyber security is a dark art': The CISO as soothsayer
- URL: http://arxiv.org/abs/2202.12755v1
- Date: Fri, 25 Feb 2022 15:21:29 GMT
- Title: 'Cyber security is a dark art': The CISO as soothsayer
- Authors: Joseph Da Silva and Rikke Bjerg Jensen
- Abstract summary: Commercial organisations continue to face a growing and evolving threat of data breaches and system compromises.
Many organisations employ a Chief Information Security Officer (CISO) to lead such a function.
We conducted in-depth, semi-structured interviews with 15 CISOs and six senior organisational leaders.
- Score: 12.246860992135783
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Commercial organisations continue to face a growing and evolving threat of
data breaches and system compromises, making their cyber-security function
critically important. Many organisations employ a Chief Information Security
Officer (CISO) to lead such a function. We conducted in-depth, semi-structured
interviews with 15 CISOs and six senior organisational leaders, between October
2019 and July 2020, as part of a wider exploration into the purpose of CISOs
and cyber-security functions. In this paper, we employ broader security
scholarship related to ontological security and sociological notions of
identity work to provide an interpretative analysis of the CISO role in
organisations. Research findings reveal that cyber security is an expert system
that positions the CISO as an interpreter of something that is mystical,
unknown and fearful to the uninitiated. They show how the fearful nature of
cyber security contributes to it being considered an ontological threat by the
organisation, while responding to that threat contributes to the organisation's
overall identity. We further show how cyber security is analogous to a belief
system and how one of the roles of the CISO is akin to that of a modern-day
soothsayer for senior management; that this role is precarious and, at the same
time, superior, leading to alienation within the organisation. Our study also
highlights that the CISO identity of protector-from-threat, linked to the
precarious position, motivates self-serving actions that we term `cyber
sophistry'. We conclude by outlining a series of implications for both
organisations and CISOs.
Related papers
- SoK: Unifying Cybersecurity and Cybersafety of Multimodal Foundation Models with an Information Theory Approach [58.93030774141753]
Multimodal foundation models (MFMs) represent a significant advancement in artificial intelligence.
This paper conceptualizes cybersafety and cybersecurity in the context of multimodal learning.
We present a comprehensive Systematization of Knowledge (SoK) to unify these concepts in MFMs, identifying key threats.
arXiv Detail & Related papers (2024-11-17T23:06:20Z) - Security in IS and social engineering -- an overview and state of the art [0.6345523830122166]
The digitization of all processes and the opening to IoT devices has fostered the emergence of a new formof crime, i.e. cybercrime.
The maliciousness of such attacks lies in the fact that they turn users into facilitators of cyber-attacks, to the point of being perceived as the weak link'' of cybersecurity.
Knowing how to anticipate, identifying weak signals and outliers, detect early and react quickly to computer crime are therefore priority issues requiring a prevention and cooperation approach.
arXiv Detail & Related papers (2024-06-17T13:25:27Z) - AI Risk Management Should Incorporate Both Safety and Security [185.68738503122114]
We argue that stakeholders in AI risk management should be aware of the nuances, synergies, and interplay between safety and security.
We introduce a unified reference framework to clarify the differences and interplay between AI safety and AI security.
arXiv Detail & Related papers (2024-05-29T21:00:47Z) - The MESA Security Model 2.0: A Dynamic Framework for Mitigating Stealth Data Exfiltration [0.0]
Stealth Data Exfiltration is a significant cyber threat characterized by covert infiltration, extended undetectability, and unauthorized dissemination of confidential data.
Our findings reveal that conventional defense-in-depth strategies often fall short in combating these sophisticated threats.
As we navigate this complex landscape, it is crucial to anticipate potential threats and continually update our defenses.
arXiv Detail & Related papers (2024-05-17T16:14:45Z) - We need to aim at the top: Factors associated with cybersecurity awareness of cyber and information security decision-makers [0.0]
We study cybersecurity awareness of cyber and information security decision-makers.
Our findings indicate that awareness of well-known threats and solutions seems to be quite low for individuals in decision-making roles.
arXiv Detail & Related papers (2024-04-06T20:32:19Z) - PsySafe: A Comprehensive Framework for Psychological-based Attack, Defense, and Evaluation of Multi-agent System Safety [70.84902425123406]
Multi-agent systems, when enhanced with Large Language Models (LLMs), exhibit profound capabilities in collective intelligence.
However, the potential misuse of this intelligence for malicious purposes presents significant risks.
We propose a framework (PsySafe) grounded in agent psychology, focusing on identifying how dark personality traits in agents can lead to risky behaviors.
Our experiments reveal several intriguing phenomena, such as the collective dangerous behaviors among agents, agents' self-reflection when engaging in dangerous behavior, and the correlation between agents' psychological assessments and dangerous behaviors.
arXiv Detail & Related papers (2024-01-22T12:11:55Z) - Cyber Sentinel: Exploring Conversational Agents in Streamlining Security Tasks with GPT-4 [0.08192907805418582]
This paper introduces Cyber Sentinel, an innovative task-oriented cybersecurity dialogue system.
It embodies the fusion of artificial intelligence, cybersecurity domain expertise, and real-time data analysis to combat the multifaceted challenges posed by cyber adversaries.
Our work is a novel approach to task-oriented dialogue systems, leveraging the power of chaining GPT-4 models combined with prompt engineering.
arXiv Detail & Related papers (2023-09-28T13:18:33Z) - The Opportunity to Regulate Cybersecurity in the EU (and the World):
Recommendations for the Cybersecurity Resilience Act [1.2691047660244335]
Safety is becoming cybersecurity under most circumstances.
This should be reflected in the Cybersecurity Resilience Act when it is proposed and agreed upon in the European Union.
It is based on what the cybersecurity research community for long have asked for, and on what constitutes clear hard legal rules instead of soft.
arXiv Detail & Related papers (2022-05-26T07:20:44Z) - A System for Automated Open-Source Threat Intelligence Gathering and
Management [53.65687495231605]
SecurityKG is a system for automated OSCTI gathering and management.
It uses a combination of AI and NLP techniques to extract high-fidelity knowledge about threat behaviors.
arXiv Detail & Related papers (2021-01-19T18:31:35Z) - A System for Efficiently Hunting for Cyber Threats in Computer Systems
Using Threat Intelligence [78.23170229258162]
We build ThreatRaptor, a system that facilitates cyber threat hunting in computer systems using OSCTI.
ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, and (3) a query synthesis mechanism that automatically synthesizes a TBQL query from the extracted threat behaviors.
arXiv Detail & Related papers (2021-01-17T19:44:09Z) - Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance.
We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems.
We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
arXiv Detail & Related papers (2020-10-19T13:09:31Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.