Cybersecurity Misconceptions, Investment, and Understanding


Added on  2023/01/18

This report delves into the prevalent misconceptions surrounding cybersecurity within companies and proposes effective investment strategies to enhance understanding and improve security postures. It examines the historical context of cybersecurity, emphasizing the continuous evolution of cyber threats and the need for proactive measures. The report highlights how companies often underestimate the importance of cybersecurity, leading to reactive rather than proactive investments, and the negative impacts on employee satisfaction. It explores various factors contributing to these misconceptions, including a lack of appreciation for cybersecurity professionals and the challenges in mitigating sophisticated cyberattacks. The report also discusses the Gordon-Loeb Model, which provides a framework for determining optimal cybersecurity investments based on asset valuation and vulnerability assessment. Furthermore, it reviews the importance of information security awareness (ISA) and how it improves user behavior and overall organizational security. The report also references various research papers and models, including the Protection Motivation Theory (PMT) and the Health Belief Model (HBM), to provide a comprehensive understanding of cybersecurity challenges and potential solutions.
Running head: WHY IS IT SO COMPANIES HAVE A MISCONCEPTION ABOUT
CYBERSECURITY AND HOW BEST CAN THEY INVEST IN CYBERSECURITY TO
BETTER UNDERSTAND THE concept? 1
Why is it so companies have a misconception about cybersecurity and how best can they invest
in cybersecurity to better understand the concept?
Name: Sithembiso Mpofu
Schiller International University
LITERATURE REVIEW
Cyber security has been an important area of the cyber world since the early 2000s. Cyber
security involves various techniques for protecting computer systems, the internet and
information systems from unauthorized attack or access. In the current information age,
organizations, including their information assets, architecture and computer
infrastructure, as well as individuals, need to be protected from criminal attack. Cyber
criminals are always a step ahead of the security measures that are taken against cyber
threats. Companies usually invest only in retroactive action against cyber security
threats and are known to invest very rarely in protecting their systems. Cyber security is
a topic that companies misconceive.
Various studies related to cyber security (Collar, 2015) argue that the people who are
responsible for cyber security are not given much credit, because there is some
misconception about cyber security. This misconception can have a negative impact on
organizations, affecting the job satisfaction of the people who are responsible for
securing the cyber networks. The author also mentions the different factors that result in
the decline of roles related to cyber security, as the people in these roles are not
appreciated by their coworkers even after making efforts to protect the company's data and
well-being from cyber threats. Their roles are not given credit in the company.
Cyber security protection is not always successful. For instance, the type of malware
responsible for an attack is not always known, and thus companies are not always aware of
the mitigation techniques needed to defend their systems against cyber-attacks. The cyber
attackers in this case are not visible, which makes it difficult for security officials to
conceive successful defensive techniques, and hence they are not given credit as cyber
experts (Collar, 2015). Most members of the company who rely on the protective techniques
of cyber security, including biometric systems, firewalls, encryption, forensics and many
more, have minimal knowledge of the varied types of controls and solving techniques that
are skillfully put in place. Hence there is a kind of misconception about the protective
mechanisms, and hence there is no appreciation for the protective efforts (Collar, 2015).
Other research reflects that the majority of companies lack a conception of cyber security
within their business (Suter, 2008). According to the author, companies often hold certain
myths, including denial of reality, as a result of lacking knowledge about the threats and
consequences that occur in the real world, and fail to protect their systems with the help
of existing strict security policies.
Most organisations have the misconception that nobody wants to attack them, and hence
believe that the existing systems within the company are well protected and capable of
determining attacks. These companies have no guarantee regarding the intrinsic security
that these systems offer.
According to some company officials, the cyber security incidents that are likely to take
place will not affect the operation of the company. There is also a misconception that if
some cyber incidents occur in the database system, there will be no adverse effect on the
details of the customers. But this is not actually the case. If this kind of threat occurs
within the organization's database, the majority of customers will withdraw their trust
from the business, which will result in the loss of the company's goodwill and reputation.
Several companies are under the misconception that mere firewall protection can prevent
cybercriminals from breaking through. Because of this kind of incorrect conception about
technologies, various companies believe that their existing protocols are safe and secure
enough. But they remain unaware that these systems can also be used for reverse
engineering purposes. Another view that companies have about cyber security awareness is
that merely introducing new technologies into the business process can reduce the threat
to cyber security. In fact, these companies fail to employ properly skilled cyber security
experts to operate the technologies that are used (Suter, 2008).
Researchers have also looked at security investments as a way to curb the lack of
conception of cyber security. According to them, there are several security as well as
non-security measures related to technology that bear on understanding the value of cyber
security investment in organizations. As identified by one of the researchers, security
investments bring some kind of return to organizations. A holistic approach (Luo, 2014) in
this context relates to technical as well as organizational elements, such as security
governance, regulatory policies and compliance, in order to provide a much deeper
understanding of security investments. Secondly, a hybrid approach (Luo, 2014), as
proposed by some authors, includes the utilization of strengths in order to overcome the
setbacks of accounting and market measures in assessing the performance of the
organization.
The way in which insights regarding organizations can be appropriately derived is described
in the Gordon-Loeb Model (Lawrence A. Gordon, 2016). The model rests on a small number of
key components. It consists of three basic components that drive the model to the optimal
amount to invest in cyber security. The first component identifies and values the
information assets of the company. The value of an asset represents the loss incurred if
the data set experiences a cyber security breach.
Segmentation of information assets is an important aspect of cyber security, and companies
are likely to have more than one set of information that needs to be protected (Lawrence A.
Gordon, 2016). Once the information assets of the organization are established and valued,
the second component of the model estimates the vulnerability of the information assets to
a cyber security breach. The company estimates, for each of the identified information
assets, the probability of it experiencing a major cyber security breach. The third
component of the model is the investment in cyber security made to reduce the
vulnerability of the information assets to a breach. This component estimates the
productivity of the investment, which is likely to vary between information assets
depending on the particular concerns of each (Lawrence A. Gordon, 2016).
In fact, the result of the Gordon-Loeb Model is that organizations should normally invest
an amount equal to or less than approximately 37% of the probable loss that could result
from a cyber security breach of a set of information. This is directly associated with the
fact that the hypothetical benefits of increased cyber security funding grow at a
decreasing rate. Moreover, it can be presumed that cyber security funding is associated
with activities of declining productivity of the funds. On the other hand, under this model
the optimal level of cyber security funding does not necessarily increase with the level
of vulnerability. For instance, a firm might need to spend more money protecting assets
that have a medium level of vulnerability than assets that have a high level of
vulnerability. Again, the output of incremental funds is associated with this general
finding in the field of cyber security (Lawrence A. Gordon, 2016).
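The 37% ceiling and the medium-versus-high vulnerability point above can be reproduced numerically. The following is an added example, not part of the original paper: it assumes the two breach-probability function classes from Gordon and Loeb's formulation of the model (which this page does not reproduce), and the loss figure and the productivity parameters `alpha` and `beta` are constructed values.

```python
import math

def breach_prob(z, v, cls, alpha, beta):
    """Breach probability after investing z on an asset with vulnerability v."""
    if cls == "I":
        return v / (alpha * z + 1) ** beta   # class I (assumed form)
    return v ** (alpha * z + 1)              # class II (assumed form)

def enbis(z, v, loss, cls, alpha=1e-5, beta=1.0):
    """Expected net benefit: reduction in expected loss minus the spend z."""
    return (v - breach_prob(z, v, cls, alpha, beta)) * loss - z

def optimal_investment(v, loss, cls, alpha=1e-5, beta=1.0):
    """Spend z* >= 0 that maximises enbis, from the first-order condition.
    Valid for 0 < v < 1; alpha and beta are constructed productivity values."""
    if cls == "I":
        z = ((v * alpha * beta * loss) ** (1 / (beta + 1)) - 1) / alpha
    else:
        k = -alpha * loss * math.log(v)      # positive because log(v) < 0
        z = (math.log(1 / k) / math.log(v) - 1) / alpha
    return max(z, 0.0)                       # never invest a negative amount

def table(loss=1_000_000, vulns=(0.2, 0.5, 0.8, 0.95)):
    """Rows of (vulnerability, 1/e ceiling, class I optimum, class II optimum)."""
    rows = []
    for v in vulns:
        ceiling = v * loss / math.e          # about 37% of the expected loss v*L
        rows.append((v, round(ceiling),
                     round(optimal_investment(v, loss, "I")),
                     round(optimal_investment(v, loss, "II"))))
    return rows

if __name__ == "__main__":
    print("vuln   ceiling   class I  class II")
    for v, ceiling, z1, z2 in table():
        print(f"{v:<6} {ceiling:>7} {z1:>9} {z2:>9}")
```

With these constructed parameters, class II recommends no spend at a vulnerability of 0.95 but a positive spend at 0.5, and every optimum stays below the expected loss divided by e, which is the roughly 37% figure.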
Siponen (2000) defined ISA and addressed a logical foundation and an IS security awareness
framework, and many researchers have proposed general computer security concepts for an
organization's Information Security Awareness (ISA). These approaches are used to improve
users' security behavior and to provide an analysis of security behavior in the relevant
organizations. Many researchers have recommended models for better understanding the
security behavior of employees, based on Protection Motivation Theory (PMT) as well as the
Health Belief Model (HBM). Bulgurcu (2010) discussed the effects that adversely affect
users' security behavior and proposed numerous factors that tend to improve security
behavior. These factors include the body of knowledge, the behavioral body, the users'
common sense and decision-making skills, the users' personal values and standards of
conduct, and the compliance efforts that are required.
In recent times, researchers have recommended models to explain employees' computer
security behavior, together with mechanisms that are based on fear. Workman (2008)
employed PMT to test a threat control model in order to better understand the security
behavior of an individual in the organization. The results are mostly viewed in terms of
the PMT variables: perceived vulnerability, severity, self-efficacy, the effect of the
response and the cost of the response. These have objective as well as subjective impacts
on employees' security behavior. Ng (2009) uses an HBM adapted from the healthcare
literature to study employees' computer security behavior. The results show that the
perceived, self-efficacy as well as perceived benefits are the necessary determinants of
security behavior related to e-mails.
In this study scholars recognize the revenues in which administrations would be visible
too and chances by financing on security, as well as the necessity of keeping abreast of
current trends in security in the tech business, generating job satisfaction among
personnel and building security compliance for everybody in the administrations, not only
particular persons.
In emerging the investigation over examining the fallacy and asset literature we except
why corporations have fallacy about cyber-security and in what way finest could they finance in
cyber-security to be improved understanding the subject. The earlier studies on safety except
why administrations should finance in cyber-security.
References
Anderson, M. T. (2011). Economics and Internet Security: a Survey of Recent Analytical,
Empirical and Behavioral Research. Oxford Handbook of the Digital Economy.
Bulgurcu, B. C. (2010). Information security policy compliance: an empirical study of
rationality-based beliefs and information security awareness. MIS Quarterly, 34, 523-548.
Collar, P. D. (2015, April). Where is the Cybersecurity Hero. Practical Recommendations for
Making Cybersecurity Heroism More Visible in Organisations, 13. (I. J. Security, Ed.)
Danbury USA: Western Connecticut State University.
Lawrence A. Gordon, M. P. (2016, March 23). (U. o. Robert H. Smith School of Business, Ed.)
Investing in Cybersecurity: Insights from the Gordon-Loeb Model(7), 49-59.
Luo, B. B. (2014, April 20). Investigating security investment impact on the firm
performance. (A. S. Management, Ed.) 22, 194-208.
Ng, B. K. (2009). Studying users' computer security behavior: a health belief perspective.
Decision Support Systems, 46.
Siponen, T. (2000). A conceptual foundation for organizational information security
awareness. Information Management & Computer Security, 8(1), 31-41.
Suter, E. B. (2008). International Handbook 2008/2009. Zurich, Switzerland: Center for
Security Studies ETH Zurich.
Woon, I. T. (2005). A protection motivation theory approach to home wireless security.
Proceedings of the 26th International Conference on Information Systems, Las Vegas
(pp. 11-14).
Workman, M. B. (2008). Security lapses and the omission of information security measures: a
threat control model and empirical test. Computers in Human Behavior, 24.