Practitioners' Views on Cybersecurity Control Adoption and Effectiveness

Abstract

Cybersecurity practitioners working in organisations implement risk controls aiming to improve the security of their systems. Determining prioritisation of the deployment of controls and understanding their likely impact on overall cybersecurity posture is challenging, yet without this understanding there is a risk of implementing inefficient or even harmful security practices. There is a critical need to comprehend the value of controls in reducing cyber-risk exposure in various organisational contexts, and the factors affecting their usage. Such information is important for research into cybersecurity risk and defences, for supporting cybersecurity decisions within organisations, and for external parties guiding cybersecurity practice such as standards bodies and cyber-insurance companies. Cybersecurity practitioners possess a wealth of field knowledge in this area, yet there has been little academic work collecting and synthesising their views. In an attempt to highlights trends and a range of wider organisational factors that impact on a control's effectiveness and deployment, we conduct a set of interviews exploring practitioners' perceptions. We compare alignment with the recommendations of security standards and requirements of cyber-insurance policies to validate findings. Although still exploratory, we believe this methodology would help in identifying points of improvement in cybersecurity investment, describing specific potential benefits.