Applying Sociotechnical Systems Safety to Cybersecurity

Abstract

Human-centered cybersecurity focuses on the goals of people and leverages human decision-making and performance to improve security outcomes. Because threats and errors are inevitable, a system of cybersecurity that depends on perfect human behavior to avoid catastrophe will be brittle. The continued need for human performance is evidenced by demand for cybersecurity professionals. While a great deal of effort is applied to solving cybersecurity problems, we still lack understanding of the cognitive aspects of the work. With better understanding of the knowledge, skills, and attitudes that predict success in cybersecurity careers, training and career development pipelines could be further developed. The central argument in this chapter is that cybersecurity could be better addressed with incorporation of the tools, research methods, and theory of sociotechnical systems currently helping other domains, like healthcare systems. I argue for a sociotechnical systems approach to strengthening cybersecurity in organizations, both for immediate use and as a framework for research. The chapter offers examples of tools from other sociotechnical systems and provides examples for their application to cybersecurity. A research agenda is described so that more practitioners and scientists can enter the field and collaborate to address this large and important problem.