Posts By Stephen Phillips

publications
Tell Me What that Means to You: Small-Story Narratives in Technology Adoption

Abstract: Technology adoption is often predicted based on little information such as the perceived ease-of-use and the perceived usefulness of the technology. Related constructs such as attitude to use, behavioural intention to use and external variables cannot be easily operationalised and so are often ignored. However, technology characteristics themselves fail to represent other factors such as potential adopter attitudes and how they react to the opportunities offered by the technology to meet their needs. In a series of three studies, qualitative methods were used to identify, validate and then exploit narrative themes. Based on the short narratives of potential adopters discussing their experiences with a set of cybersecurity tools, we are developing a small-story narrative framework to capture how they respond to the technology contextualised directly within their professional environment. Akin to concepts from adoption frameworks in healthcare intervention studies, we conclude that an adopter’s personal response to a technology, and how they make sense of it in their environment, becomes evident in the narratives they create.

publications
I Just Want to Help: SMEs Engaging with Cybersecurity Technology

Abstract: The cybersecurity landscape is particularly challenging for SMEs. On the one hand, they must comply with regulation or face legal sanction. But on the other, they may not have the resources or expertise to ensure regulatory compliance, especially since this is not their core business. At the same time, it is also well-attested in the literature that individuals (human actors in the ecosystem) are often targeted for cyber attacks. So, SMEs must consider not only their employees but also their clients as potential risks regarding cybersecurity. Finally, it is also known that SMEs working together as part of a single supply chain are reluctant to share cybersecurity status and information. Given all of these challenges, assuming SMEs recognise their responsibility for security, they may be overwhelmed in trying to meet all the associated requirements. There are tools to help support them, of course, assuming they are motivated to engage with such tooling. This paper looks at the following aspects of this overall situation. In a set of four studies, we assess private citizens’ understanding of cybersecurity and who they believe to be responsible. On that basis, we then consider their attitude to sharing data with service providers. Moving to SMEs, we provide a general overview of their response to the cybersecurity landscape. Finally, we ask four SMEs across different sectors how they respond to cybersecurity tooling. As well as providing an increased understanding of private citizen and SME attitudes to cybersecurity, we conclude that SMEs need not be overwhelmed by their responsibilities. On the contrary, they can take the opportunity to innovate based on their experience with cybersecurity tools.

publications
Information Security and Risk Management: Trustworthiness and Human Interaction

Abstract: As digital information has come to underpin the majority of modern systems in almost all domains (e.g. business, finance, government, education, health, third sector), increasingly sophisticated cybersecurity attacks have become an unavoidable reality of modern life. In the face of this, regulation and best practice are increasingly moving from simplistic security control tick-lists towards risk management frameworks (such as those recommended in the EU’s GDPR and NIS directive and described in standards such as ISO 27005). Consequently, it is highly relevant for students, practitioners, and researchers alike to understand risk management, systems modelling, attack paths, and human interactions and risks in order to understand the central value and importance of cybersecurity risk management in supporting trustworthiness in information systems. As part of the H2020 CyberKit4SME project, this interactive, hands-on tutorial will explore state-of-the-art approaches to trustworthy cybersecurity risk management that are able to effectively and sufficiently account for the risks that humans introduce into any information system [1]. After establishing the basic concepts around cybersecurity, trustworthiness, system modelling, risk management and socio-technical theory, we will explore the importance and role of visualised attack paths in presenting risks in an easily understood form, thereby ensuring that intelligent risk management tools do not become ‘black boxes’ to their users. Alongside this, we will investigate how attack paths support human decision-making by pinpointing the most effective risk mitigation strategies. In addition, the tutorial will explore human interaction flows and how they can combine with attack paths to enable comprehensive cybersecurity risk assessments and help guide holistic mitigations.
In the final part of the tutorial, there will be an opportunity to get practical experience of modelling an information system and identifying and mitigating the cybersecurity risks to it using two tools: the System Security Modeller [2, 3] (University of Southampton) and the Human and Organisational Risk Modelling framework (SINTEF) which is derived from the Customer Journey Modelling Language [4, 5] (CJML).

publications
It’s Not My Problem: How Healthcare Models relate to SME Cybersecurity Awareness

Abstract: Small and medium enterprises (SMEs) make up a significant part of European economies. They are often described as poorly placed to deal with cyber risks, though, because of resource constraints or commercial interests. Providing appropriate tooling would facilitate a greater appreciation of the risks and provide mitigation strategies. In a series of workshops demonstrating visualisation tools for cybersecurity, constructs from healthcare models such as awareness, self-efficacy, and a willingness to engage were investigated to throw light on the likelihood that the technologies would be adopted. Although most constructs were validated, it turns out that self-efficacy could more appropriately be interpreted as a desire to understand a broader company narrative rather than as empowering any individual to identify and manage cyber risk. As part of an ongoing examination of technology acceptance, this work provides further evidence that technology must be contextualised to make sense for the individual as part of the SME rather than as an individual employee.

publications
Cybersecurity for SMEs: Introducing the Human Element into Socio-technical Cybersecurity Risk Assessment

Abstract: Small and medium-sized enterprises (SMEs) rarely conduct a thorough cyber-risk assessment and they may face various internal issues when attempting to set up cyber-risk strategies. In this work, we apply a user journey approach to model human behaviour and visually map SMEs’ practices and threats, along with a visualisation of the socio-technical actor network, targeted specifically at the risks highlighted in the user journey. By using a combination of cybersecurity-related visualisations, our goals are: i) to raise awareness about cybersecurity, and ii) to improve communication among IT personnel, security experts, and non-technical personnel. To achieve these goals, we combine two modelling languages: Customer Journey Modelling Language (CJML) is a visual language for modelling and visualisation of work processes in terms of user journeys. System Security Modeller (SSM) is an asset-based risk-analysis tool for socio-technical systems. By demonstrating the languages’ supplementary nature through a threat scenario and considering related theories, we believe that there is a sound basis to warrant further validation of CJML and SSM together to raise awareness and handle cyber threats in SMEs.