The Work of Cybersecurity Advocates

Author/Creator

Author/Creator ORCID

Date

2020-01-20

Department

Information Systems

Program

Human Centered Computing

Citation of Original Publication

Rights

Distribution Rights granted to UMBC by the author.
This item may be protected under Title 17 of the U.S. Copyright Law. It is made available by UMBC for non-commercial research and education. For permission to publish or reproduce, please see http://aok.lib.umbc.edu/specoll/repro.php or contact Special Collections at speccoll(at)umbc.edu

Abstract

Cyber attacks are on the rise, with potentially devastating effects at the personal, business, and national levels. Despite real and evolving cyber threats, people often fail to implement and effectively use basic, well-known cybersecurity technologies and practices. Further contributing to the cybersecurity problem is the shortage of security personnel to address these challenges. A critical role and force-multiplier in security adoption is the cybersecurity advocate: a security professional who has the skills to effectively promote security and facilitate positive security behavior change. Cybersecurity advocates attempt to remedy implementation failures by promoting and facilitating the adoption of security best practices and technologies as an integral component of their jobs. Currently, there is no clear career track and few resources for educating professionals on how to be good cybersecurity advocates. Furthermore, it is unclear as to what advocacy techniques may be most effective. In addition to the bias towards technical skills, these gaps are likely due to the fact that we have little understanding of the work practices and competencies that lead to successful security advocacy. The purpose of my research is to gain a better understanding of these work practices. A first stage in my investigation involved interviews of professional security advocates. Since this interview data was one-sided from the perspective of advocates themselves, I validated the findings with a second stage exploring the effectiveness of advocates' approaches via a case study of a security awareness team at a U.S. government agency. This research uncovers definitional boundaries of cybersecurity advocates, including skills, characteristics, motivations, challenges, and tactics. Findings reveal that advocates employ technical and non-technical skills and a variety of techniques to overcome negative perceptions of security and other barriers to security adoption. A better understanding of the work of advocates can inform more effective security advocacy techniques and resources to aid in professional development of advocates. A promulgation of this understanding to practitioners and educators may result in an increase in cybersecurity advocates armed with the necessary tools to be successful. This growth of the advocate workforce might then lead to increased adoption of cybersecurity best practices.