CyberInsight: Boards and Business Leaders and Cybersecurity Engagement

CyberInsight: Directors and Cybersecurity Engagement

By Dr Sally Ernst and Lani Refiti

AISA 2014 National Conference Paper | info@csns.co

Foreword

Having come from a commercial background with director responsibilities and entrepreneurial insight in an international context, where over a significant period some of the very best in the cyber security industry have taken the time and effort to engage and skill me in the space, I have become passionate about helping others like me on the issue.

To do this, I had been researching how directors can consume cyber security for quite a while, though with the goal of growing a business around helping them … and in the process actually help them.

AISA was calling for papers for their 2014 National Conference and Lani, knowing what I had been trying to achieve, came to me with the idea of looking at the evidenced issue of board directors and engagement in cyber security. Given Lani’s background is firmly grounded in the cyber security industry, alongside his recognised credentials and experience, the collaboration has turned out to be a powerful reflection of how barriers to directors’ engagement with cyber security can be overcome.

AISA accepted our paper for presentation at its 2014 national conference, and so over the following 6 months we embarked on this research.

Significance in these findings also lies in the fact that each of us independently researched our own director networks and ‘snowball’ introductions, without known overlaps, and yet produced common themes and findings in the analysis process; agreed explanations for the differences only served to add richness and robustness to the model.

Lani and I have differing but important, complementary and relevant, researcher ‘lenses’. This provides a very rich perspective on the issue of director-level cyber security engagement, as you will see from the findings in the enclosed report.

I hope you, too, enjoy the read and derive value from the findings for your business or profession – whether as a director or as an actual or aspiring ‘cyber security peer’.

We strongly believe this research provides a robust platform for understanding of the issue of directors and cyber security engagement, and offers practical and executable options for alleviating the barriers to that engagement toward a much-less insecure business ecosystem.

Dr Sally Ernst

CyberInsight: Directors and cyber security engagement

By Dr Sally Ernst and Lani Refiti

Executive Summary

Cyber security is a business problem and needs to be a part of any good governance. There is, however, some industry research as well as anecdotal evidence that suggests Board Directors and Senior Executives may not be engaging with cyber security.

Through the in-depth analysis of interviews with over 100 directors of primarily Australian organisations that range in market segment and size (<AUD$1m to >$500m, with a potential impact of billions), alongside associated literature, and reflection on relevant experiences, it has been found in this research that:

“There is a desire for directors to engage in cyber security but there are barriers to that engagement” (Figure 1)

The contextual reason for this is that the internet and the businesses that leverage it, including those of the attackers, involve radical innovation – i.e. businesses are changing the way they consume information, as are the attackers.

Radical innovation requires a top-level change of mindset, which directs strategy that in turn guides new, or leveraged adaptations of existing, support structures to control the desired outcome – in this case a much-less insecure business ecosystem (Ernst, 2007).

In the case of cyber security, there is a mindset challenge that requires both directors of organisations and cyber security professionals to be involved in that top-level change of world view (Intrabond Capital & Ernst, 2014). Directors look to maximise shareholder value, have likely gained the most significant portion of their education and exposure before the internet and cyber security were commercialised at scale, and do not think like attackers (unless they’re in the business of crime, which our data sets are not). ‘Cyber security peers’, on the other hand, those skilled in thinking like attackers in order to protect secrets, may not have strategic business exposure, experience or education. This makes it difficult for either party to obtain strategic peer-to-peer advice from the other.

The outcomes of these barriers are a lot of unknowns; mistrust; concerns about who to turn to for advice; and, reactions somewhere on the spectrum of cognitive dissonance.

The issues are influenced by the developing nature of support structures in the cyber security industry, in terms of things like 1) navigable standards of professionalism; 2) board frameworks, including time/cost/risk justifications; and 3) the education, experience and exposure of directors, and of those who could be their ‘cyber security peers’, to each other’s domains at a strategic level.

Our recommendations for improving director engagement, therefore, centre on accelerating the already developing support structures and include:

  • Strategic business education and exposure for cyber security professionals, and strategic cyber security education for directors
  • Board-level frameworks and ‘checklists’
  • Accelerating navigable industry standards and certifications
  • Assessing cyber security maturity levels within a radical innovation framework

As an initial and broad piece of work, these findings importantly provide a much-needed platform to reference and build on for:

  • further guided research, by any researcher, on board directors and cyber security engagement
  • contributions to practice to improve the security of the business ecosystem
  • community commentary

Dr Sally Ernst and Lani Refiti

Key Themes

There is a desire for directors to engage in cyber security, however there are barriers to that engagement. 

“…too much to take in and not enough time..”

“All I get is statistics and jargon, which is almost meaningless for me”

“All I saw was cyber security as a cost centre, not an opportunity for ($xm) savings”

“Do (cyber security professionals) know what a board director does?”

DataSetB

“I didn’t think of losing my (unprotected..) mobile (holding sensitive and important information …) as a cyber incident.

…… worried that I have a virus and my backups don’t go far enough back to recover from.

….could you keep me updated.”

“….I would pay for that”

DataSetA

“(Don’t know) Detail – Hacking countries…..mutual destruction, like nuclear war … about how many people does ASD have working on it… how secure is Australia and how much can we trust our alliances.. a civil war problem… don’t know how I would survive”

DataSetA

“…. Don’t know who to trust – no professionalization or standards”

DataSetA

“It’s all about trust and transparency – that’s what you need”

DataSetA

Directors appear to:

  • be worried;
  • have many unknowns;
  • have difficulty “sizing” the problem;
  • not know who to turn to or who to trust;
  • lack a ‘strategic peer’ in cyber security to help them; and,
  • in the main, strongly indicate they would like to engage in the issue of cyber security.

Context

Commercial internet use is proliferating, as are cyber attacks. Directors own the risks and consequences of cyber attacks and compliance requirements. In DataSetA, we can see all directors hold more than one directorship and belong to formal and informal networks. Further research has been recommended into the “multiplier effect” of a single director’s engagement in cyber security on the security of an ecosystem.

Radical Innovation

Like the proliferation of the internet for commercial use, cyber security changes the way things are consumed – specifically information. Cyber security is therefore a radical innovation. For radical innovation to be successful, ie. become a profitable reality, it needs:

  • strategic change, ie. a change in world view at the top;
  • top-down engagement; and,
  • a support infrastructure to control and effect change for the organization and for an ecosystem (Ernst, 2007).

The radical innovation process also describes what the cyber security industry terms ‘maturity level’. Placed side by side, this could be characterised as a cyber security maturity continuum on which an organization lies, running from:

  • changing the world view at the top, to
  • decoupling cyber security to build a support structure for that change, to
  • leveraged adaptation of existing systems into something new, or creating new systems that have a marginal cost benefit across the group, to
  • integrating those systems and processes back into Business as Usual (Ernst, 2014).

Further research has therefore been recommended into the radical innovation process for cyber security in organisations.

A mind-set challenge to peer-to-peer strategic advice

“The internet is a powerful, ubiquitous tool used for massive good and massive evil”

DataSetA

“Board Director time is strategic, not tactical/operational – cyber security is tactical/ operational”

DataSetB Key Theme

“Cyber security is a technology problem”

DataSetA and DataSetB Common Theme

“Not on the same page”

DataSetB Common Theme

It is further indicated that there is a mindset challenge to directors’ strategic engagement with cyber security and, equally, to the cyber security industry’s strategic engagement with directors. That is, directors think about maximising shareholder value, while cyber security professionals think like attackers and about how to protect secrets (Ernst, 2014; Intrabond & Ernst, 2014). This research strongly indicates that this challenge may hinder strategic cyber security advice in a peer-to-peer setting, and suggests it may be overcome by cyber security professionals in this role receiving strategic business education and exposure.

Unknowns, mistrust and cognitive dissonance are apparent

“… (Know) Very little. Apart from the word, the name…. Threat….. Enormity of exposure of the entire world as a result of reliance on computers”

DataSetA 

“…Ummmmmmm…”

Multiple Directors, DataSetA

“…Y2K…”

Multiple Directors, DataSetA and DataSetB

“Psychology of avoidance – in the nuclear war category”

DataSetA

“Cognitive Dissonance is a state of perceived inconsistency between a person’s expressed attitudes and actual behavior”

Wood, Wallace, Zeffane, Schermerhorn, Hunt, Osborn (1998, p.146)

It was clear that there are many unknowns for directors when it comes to cyber security. This underlines the need to overcome the mindset challenge and create ‘cyber security peers’. The lack of trust, perhaps due to unknowns, may contribute to what appears to be varying degrees of cognitive dissonance (Table 1). An area for future research may be to adapt methods used in organizational behavior to overcome cognitive dissonance for the purpose of cyber security engagement. 

“Problem may not be a big as it’s made out to be”

Theme DataSetB

“Could I be a target than randomly attacked?”

DataSetA

“So many phishing emails – how do I ensure they’re genuine?”

DataSetA 

“Need some sort of trust signal and transparent pricing”

DataSetA

Unknowns included:

  • Directors, in the main, being able to articulate what data they have and which of it is important to them but, without prompting, not necessarily where it is and therefore how it is protected; and,
  • The consequences of:
    • unauthorised access to that data; and,
    • breaches they may have already had.

In DataSetA most directors knew of at least one cyber incident in their organisations, ranging from incidents involving websites, contacts and phone systems; viruses on devices; ransomware; and advanced persistent attacks occurring up to 15 years prior; to data published on the web in error; and mobiles holding sensitive and important information left unprotected on planes without the ability to remotely wipe them. This is not a particularly new finding in a time when we ‘assume breach’.

The more interesting finding is what appears to be confusion about consequences. For example, confusion as to whether a loss was caused by the Global Financial Crisis (GFC) or a cyber incident, even when the dots could be connected to the cyber incident.

Perhaps the most interesting finding beyond the explanatory model itself was evidence of cognitive dissonance among directors, particularly in the analysis of DataSetA (Table 1).

Variously displayed throughout the data were conflicting statements, deflection of risk, statements of concern that the interviewee may not be the right director to talk to, talking about directors as a third party to the interviewee, shifting cyber security responsibility to cloud providers or government, and attempting to shift the interview to a talk about how to capitalise on cyber security as a business plan and start-up.

This could have indicated avoidance of, and a lack of desire to engage with, cyber security. However, we can see by looking holistically at the data (including Table 1) that directors are worried, realise they own the consequences of a cyber incident and would like to understand more.

Start of interview: “there is no good reason to pay attention to cyber security”
Later in or end of interview: “It’s time to do something about cyber security”

Start of interview: “I think the growth of cloud has created a level playing field but made less clear about where responsibility sits … but on other hand ..”
Later in or end of interview: “…. data lost or open to attack then the responsibility of business to protect and take appropriate care”

Start of interview: “It’s not on the director or management radar”
Later in or end of interview: “Won’t care until high profile cases happen – and they will … Just don’t want to be the director on the board when it happens”

Start of interview: “There’s a sweet spot just below (Big Banks)”
Later in or end of interview: “(Needs to be) improvement of awareness of these issues”

Start of interview: “the issue is about knowing where to go for advice”
Later in or end of interview: “…these start ups take in 250-500k investment ……”

Start of interview: “<<cloud application>> has customer data, IP … apart from a catastrophic event, not a high priority …not a high degree of exposure”
Later in or end of interview: “consequences would be corporate hacking, gaining product, client, financial information and end up with competitive duplication beating them to the doorstep of a new prospect. More competition – and it’s already competitive. Also disruption – which we’ve already experienced.”

Table 1: Examples of cognitive dissonance in DataSetA (each pair contrasts a statement made at the start of an interview with one made later in, or at the end of, the same interview)

Further research, therefore, has been recommended into

  • overcoming cognitive dissonance;
  • “strategic peer” education of cyber security professionals with the capacity for board directorships and heads of function roles; and,
  • creating definitions of opportunity and profit – criteria for success – resulting in board frameworks that are appropriate and effective in practice.

There is a “multiplier effect” 

“We know we are a vulnerability to clients and they know it too….. they don’t do security audits, not even a supplier security validation by any of the .. [major corporate chains in the industry]”

DataSetA 

“Multiplier effect: the additional shifts in aggregate demand that result when expansionary fiscal policy increases income and thereby increases consumer spending.”

(Mankiw, 2001: p.457)

As discussed earlier, in DataSetA all directors held more than one directorship. All directors also belonged to formal and informal director ‘peer’ networks where they regularly communicate and learn. Many also invested in other businesses, or took investment into their own. Further, from the above illustrative comment, we can see that assurance requirements within a business ecosystem, such as by partners and suppliers, may also bolster cyber security engagement.

Therefore, influencing one director likely has a multiplier effect on the consumption of cyber security by directors that is an order of magnitude greater than the impact on that one director or organization alone (BGF & Barclays, 2014; Ernst, 2009; 2010). This reinforces the recommendation made earlier in the report for further research on director impact and the ‘multiplier effect’ in the context of cyber security engagement.

Support structures are still developing

“…the issue is about knowing where to go for advice”

DataSetA

“Our trusted Advisor is in the business”

Key Theme DataSetB

“Business talks technology, Board Directors talk business …it’s a technology issue … CEO/CIO talk technology”

Blended Key Themes DataSetB

Standards, regulation, certification, professionalism 

“…who to trust”

DataSetA

“.. Don’t know who to trust – no professionalization or standards”

DataSetA

“ …can’t evaluate who to trust so it will be on reputation, to take significant risk off their agenda …. are they competent, write a book on it, certification process – there is an opportunity in that”

DataSetA

“…don’t know how much it will cost or who’s an expert… nothing there like a chartered security professional. I don’t have any way of gauging someone’s skill in it.“

DataSetA

As mentioned in prior themes, there was evidence of director-level mistrust of the cyber security industry and difficulty knowing who to turn to for advice. There was also evidence that directors may turn to advisors who may not have the cyber security expertise to give that advice.

Further research is recommended into professionalism indicators, such as certifications, standards and regulations for the industry, that are transparent enough for users of cyber security professionals (e.g. directors) to assess their appropriateness for advice and help. Some of the supporting infrastructure for this is already available, CISSP and CREST for example (Hernandez, 2013); further research is therefore suggested into making it navigable.

“You wouldn’t know who to turn to”

DataSetA

“I think there’s an issue about who you would turn to for that advice”

DataSetA

Board framework (‘checklist’)

There was significant evidence throughout both data sets that directors are having difficulty understanding the risk, time and cost associated with cyber security.

“What you need is a checklist”

Multiple Directors, DataSetA

“Need information in a format that is digestible by Boards … perhaps a new framework”

DataSetB Key Theme

“…don’t know what the risks are, whether the processes are in place and following the issue.”

Director, DataSetA 

“.. should I be spending money and if I do spend it will I reduce the risk or will I just be experimenting on my computer”

Director, DataSetA

“It’s just a virus” …..

DataSetA

“Who do you go to? Who? Cloud system admins? Bundled up in IT, then the issue about who owns it? The business? Cloud Service Providers?”

DataSetA

“Information about cyber security needs to be distilled”

DataSetA

“Directors not sure of what data is critical to their business running… ummm…. I don’t know… 20-50% .. I’m not sure”

DataSetA

“Partly it’s cost”

DataSetA

“A mixture of time and cost is the barrier”

DataSetA

“Concerns with time, cost and risk……”

Common theme DataSetA and DataSetB

“Commercial imperatives and regulation”

Common theme DataSetA and DataSetB

“Compliance is still weighed up with cost as well … That is the potential cost of not complying may be perceived as less than the cost of complying”

DataSetA

“Oh .. the risk you face is breaching privacy laws, loss of data, but you kinda weigh it up with … the cost associated with the risk. I don’t think you can afford to have a perfect environment.”

DataSetA

“The actual level of risk. The quantified level of risk. That’s probably the first thing I don’t know…….. and the main thing.”

DataSetA

A common theme throughout both the datasets was the need for a board framework or ‘checklist’ to engage effectively and appropriately with cyber security.

Mutual education of directors and cyber security peers 

“I want to know what I’m doing myself before I go and engage someone professionally.. I want to know what I’m buying and how it fits”

DataSetA

“Education/awareness building for Board Directors is important”

Common Theme DataSetA and DataSetB

“Keep me updated”

DataSetA

“I think it’s about how the internet works and exists. Need some context of that and context for direction”

DataSetA

“I know it could cause significant damage to my business”

DataSetA

“… second internet built that’s more secure”

DataSetA

“I know the mechanics but I don’t really know the mechanics of how they hack in and take over my network or part of my network”

DataSetA

“I want to know what I’m buying and how it fits”

DataSetA 

“lack of understanding of consequences of vulns and threats”

DataSetA

“Have paranoia and anxiety about data, rather than a considered thing”

DataSetA

“I found that really useful to make me think about it”

DataSetA

“I guess we’re finding here I don’t know all the risks”

DataSetA

“Barriers are sookiness, ickiness, cost, journey of self discovery – never really thought about it. The vulnerabilities of the business … now I have”

DataSetA

We can see throughout all the interviews in DataSetA that, by the end of the interview process, directors wanted to know more and to be kept updated with information about cyber security. This also suggests ‘questioning’ as a way to engage directors and help them think about their context. It also lends some support to the argument that a ‘cyber security peer’ is needed to engage directors in cyber security.

Barriers to directors’ engagement with cyber security can be alleviated

The good news is that this research demonstrates not only a desire for directors to engage, but also identifies the barriers to their engagement as surmountable.

The keys to overcoming barriers to director-level cyber security engagement appear to be:

  • Mutual education, particularly in an effort to create cyber security peers
  • Board-level frameworks (and, for smaller and entrepreneurial companies, ‘checklists’)
  • Acceleration of industry standards, certifications and navigation

About the research

Method

Because no strong basis existed in the literature for why directors may not be engaging in cyber security, no strong basis existed for hypotheses to be tested. The method for analysis chosen, then, was Grounded Theory.

Grounded Theory is a well-accepted exploratory method for robustly generating new knowledge and providing groundwork for other researchers, as well as ourselves, to hypothesise, test and build on this knowledge in future research (Glaser and Strauss, 1967; Parker and Roffey, 1997).

While a time-consuming approach, it has been used for this research to generate new knowledge through understanding emerging themes that may explain directors’ engagement in cyber security and provide practical suggestions for encouraging engagement.

The researchers followed the Strauss and Corbin (1998) Model of Grounded Theory, which allows for some sensitization to the literature and predefined questions to use in the research, as is the case with our semi-structured interview approach.

It also allows the researchers to develop, test and verify themes and relationships as we analysed the data to the point of saturation within the sample.

Both researchers are also, variously, directors and board members of organisations and involved in cyber security, making us Complete Member Researchers (Denzin, 1978, p.183; Glaser and Strauss, 1967; Parker, 2003). This is also allowed, and considered an advantage, under the Strauss and Corbin (1998) Model.

The method as outlined in this and the following sections is adapted and contextualised from Ernst (2007).

The terms used for the explanatory model have been mapped to more useful terms in this research report and can be provided on request. 

Research Process

Sample

  • Two independent data sets, mutually exclusive and confidential to each researcher, were created from a convenience sample.
  • Primarily Australian; some directors or their organisations may be based in Australia or the UK, with Asia Pacific, UK, US and potentially other interests.
  • DataSetA: Dr Sally Ernst
    • Directors of companies with turnover ranging from <$1m to >$500m
    • All directors hold more than one directorship
    • Many directors invest or take investment
  • DataSetB: Lani Refiti
    • Company turnover range <$1m to >$50m
  • DataSetA and DataSetB
    • Directors of at least one company
    • Broad market segment representation

Complete Member Researchers

  • Dr Sally Ernst holds directorships, has sat on boards, has a deep business and entrepreneurship background, and is engaged with cyber security
  • Lani Refiti sits on the board of AISA and advisory board of the Australian Cyber Security Network and has a deep security background
  • Bias is acknowledged, but also allowed within the Strauss and Corbin (1998) model of Grounded Theory when followed rigorously.
  • The complete member researcher approach provides insight otherwise unobtainable if not immersed in the subject (Patton 2002)
  • Rich reflection is provided by the complementary dual perspective of the researchers appropriate for the purposes of this research.

Collection

Each researcher performed semi-structured interviews broadly in parallel for the ‘6 questions’ (below) on their own convenience sample of directors by phone, Skype, WebEx, telepresence, and/or face-to-face.

The ‘6 questions’ used in the semi-structured interview process were:

  • What do you know about cyber security?
  • What do you not know about cyber security?
  • What risks do you own when it comes to cyber security?
  • Who do you turn to for cyber security advice?
  • What are the barriers to you taking that advice?
  • How would you overcome those barriers to taking cyber security advice?

Up to 5 additional semi-structured interview questions may also have been asked in DataSetA:

  • What data do you have?
  • What of it is critical to your business operating?
  • Where is it?
  • How is it protected?

Grounded Theory Analysis Process

Figures available in the full report upon request

After the selective coding process was completed as described in Figure 4, quotes were selected from the data to illustrate the key themes in board directors’ “own terms” (Patton 2002) to add colour and richness to the narrative, the story, surrounding directors and engagement with cyber security.

Limitations

  • Use of a broad-brush, convenience sample. However, the indications are still strong, and are structured under the Grounded Theory explanatory model such that future research can test or build upon the findings by organizational size and market segment.
  • A single director represented multiple companies and investments; however, they were only asked to think of one organization when answering the questions. Further research has been recommended on the ‘multiplier effect’.
  • However, each researcher’s perspective, and the two together, also provide richness.
  • Turnover ranges are unverified due to private company involvement; however, the top ranges have been verified and are understated.

Verification

Strauss and Corbin (1998) methodological criteria, with the research coverage against each:

1. Are concepts generated?
Research coverage: The explanatory model has been inductively derived using the Grounded Theory methodology.

2. Are the concepts systematically related?
Research coverage: As shown in diagram 2, the theory fits within the Strauss and Corbin conceptualisation model of a central theme, which is embedded in contextual, causal and action/interaction strategies to derive outcomes and consequences, with terms mapped to be more meaningful in practice.

3. Are there many conceptual linkages, and are the categories well developed? Do categories have conceptual density (richness of the description of a concept)?
Research coverage: Considerable conceptual linkages between complex, well-developed categories are explored with thick and rich descriptions of phenomena that support the central theme. The conceptual map of the explanatory model derived in this research clearly explains variables that produce certain outcomes and support consequences and recommendations. The structure of the explanatory model provides a platform for continued rigour in future research by manipulating these variables to create scenarios that may be explained in their own context and compared and contrasted to the explanatory model posited in this research.

4. Is variation within the phenomena built into the theory (how differences are explored, described, and incorporated into the theory)?
Research coverage: Strong detail of the variations within the phenomena has been provided, with differences explored, described and compared and contrasted, not only amongst the findings but also against some existing literature. Reflections of researchers with differing lenses are representative of the context of the phenomena, meaningfully supporting the central theme that there is a desire for directors to engage in cyber security but there are barriers to that engagement.

5. Are the conditions under which variation can be found built into the study and explained?
Research coverage: The context and causes sections of the framework clearly provide the conditions under which variation can be found built into the study, and these are clearly and comprehensively explained. Successful execution of the needs outlined in the consequences section of the model may also feed into the contextual and causal factors of future research.

6. Has process been taken into account?
Research coverage: The research design and adherence to the fundamentals of the Grounded Theory methodology in line with Strauss and Corbin (1998) show due diligence in process and probity in approach.

7. Do the theoretical findings seem significant, and to what extent?
Research coverage: The findings are significant in that this is the first study of its kind and it draws from both sides of the phenomenon. Further, the dual lens of the researchers provides a rich and holistic perspective. The explanatory model derived has important practical applications toward a more secure ecosystem.

8. Does the theory stand the test of time and become part of the discussions and ideas exchanged among relevant social and professional groups? (pp.270-272)
Research coverage: This remains to be seen.

Table 2: Verification process, adapted from Ernst (2007): assessment of empirical findings

Strauss and Corbin (1998) methodological criteria Research coverage
1.     How was the original sample selected? Two, mutually exclusive and confidential to each researcher, convenience sample were collected and used.
2.     What major categories emerged? From a total of 78 themes identified through the open coding process, 16 major themes were identified through the axial coding process. The major emergent categories were Proliferation of commercial internet use – and cyber attacks; Compliance; Broad market segment and organizational size representation; Formal and informal peer-peer networks; Radical innovation; Mindset challenge to strategic peer-to-peer networks; A desire for directors to engage in cyber security but barriers to that engagement; “Multiplier effect”; Developing support structure; Unknowns; Mistrust; Cognitive dissonance; Mutual strategic education for ‘cyber-security peers’; Board level frameworks and ‘checklists’; Acceleration of navigable industry standards and certifications; Assessment of cyber security maturity levels in a radical innovation context.

 

Through the selective coding process, these categories were grouped into causal and contextual conditions; outcomes; influencers on those outcomes; and, consequences. Conceptualising the explanatory model in this way supported the central theme that directors had a desire to engage in cyber security but there were barriers to that engagement. After a number of trials with differing themes at the centre, the central theme as provided was found to be the most appropriate explanation the phenomenon under study and was well supported by the explanatory model.

3.     What were some of the indicators, such as events, incidents and actions that pointed to some of these major categories? As recurring themes throughout the interview data, the outcome influencers were identified as 1) the developing support structure for cyber security engagement between directors and the cyber security industry; and, 2) the ‘multiplier effect’ of directors’ formal and informal networks and the number of directorships they hold. These categories were identified through the frequency of mentions in the data and their fit in influencing the outcomes of the barriers to engagement of unknowns, mistrust and cognitive dissonance. These themes were also common to and recurring throughout both interview data sets whether expressly stated in interviews or on reflection of each interview as a whole.


The consequence of a set of needs leverages the explanatory model’s focus on barriers that relate to radical innovation to provide clear and practical steps toward enabling director engagement in cyber security.


For situational themes, such as context and consequences, hypotheses were drawn through the analysis of the situation at the beginning, and the shift in that situation at the end, of the time span under study. For causal themes the question “what is the root cause of this?” was asked of major events throughout the selective coding period and verified through similar questioning of component parts of the subsequently conceptualised major categories under outcomes and outcome influencers.

4.     On the basis of what categories did theoretical sampling proceed and guide data collection; and, was it representative of the categories? Data collection and analysis occurred simultaneously, informing the decision-making process for the next subject or data source to be analysed. Each individual set of interview data was redeemable throughout the analysis process. The process was “zig-zag” in nature and iterative in its approach. For example, in analysing a single interview, a number of themes would emerge. In analysing further interviews, these themes were either built upon or negated. In tandem, triangulation with data from a particular point in time from reflection on events and experiences provided for further insight, confirmation or negation. Researcher to researcher discussions also added to this process.
5.     What were some of the hypotheses pertaining to conceptual relationships among categories and on what grounds were they formulated and tested? Indicators, observations, illustrative comments, events, and stories were identified and labeled throughout the analysis and similar incidences of these placed under the same sub-category. These sub-categories were then analysed and similarly grouped into higher level categories, under the same name of one of the sub-categories, or a new name, which appeared to explain the data. The researchers compared and contrasted these in a number of discussions throughout the data collection and coding process. Once this process had been refined to the greatest extent, the Strauss and Corbin (1990) theoretical framework was used to take these major categories and gain some sense on how they may best explain the phenomenon and support the central theme. Once the framework was set up with the categories explaining the central phenomenon, scenarios were run by pulling out and adding categories and analysing how this would affect the structure of the theory until it appeared the theory made sense and best explained directors and cyber security engagement. This exercise also demonstrated the validity of the theory in terms of the practicality of, and ability to, create meaningful scenarios by changing variables within the theoretical framework for the purpose of further research.


Further, the final narrative was presented and defended with independent third parties.

6.     Were there hypotheses that did not hold up against what was actually seen? How were these discrepancies accounted for? How did they affect the hypotheses? There were no predetermined hypotheses at the outset of the research. Throughout the analysis process, however, as hypotheses were drawn there were discrepancies, from time to time, that either refined or negated hypothesised categories. Where a discrepancy negated a category, an attempt was made to explain or understand it in terms of its particular context. For example, one researcher found a small finance firm that appeared more engaged with cyber security than another and hypothesised that this was due to sector, whereas the other researcher found a larger firm in that same sector that was engaged but also experiencing many barriers to engagement, indicating that sector may not be a differentiator. This issue has instead been left as an area for future research.
7.     How and why was the core category selected (sudden, gradual, difficult, easy) and on what grounds? The core category was not evident early in the data analysis process. Throughout the data collection and coding process it was evident that there were barriers to engagement; however, it was only during the open coding process that it emerged that there was a level of cognitive dissonance, and that this masked concern and a desire to engage with cyber security by the end of interviews. During the selective coding process it emerged that the finally selected central theme was the only fit for the explanatory model: it allowed the barriers to engagement to be explained and a practical way forward to alleviate them to be derived.

Table 3: Assessment of the research process, adapted from Ernst (2007)

Recommendations for further research:

The beauty of Grounded Theory is that the contextual and causal conditions can be manipulated, or simply may change over time, to research similar or related topics and build on the hypotheses and indications for practice. Further, the consequences found as a set of needs may eventually become contextual or causal variables under this model for future research if successfully delivered on in practice at a later time.

Further research has also been recommended or suggested into:

  • the “multiplier effect” of a single director’s engagement in cyber security on the security of an ecosystem;
  • the radical innovation process for cyber security in organisations and a framework for maturity levels;
  • overcoming cognitive dissonance;
  • “strategic peer” education of cyber security professionals with the capacity for board directorships and heads of function roles, and to assist in creating definitions of opportunity and profit (a criterion for success), resulting in board frameworks that are appropriate and effective in practice.

References

  • Business Growth Fund and Barclays (2014) “BGF and Barclays Entrepreneurs Index”, UK. URL: https://wealth.barclays.com/content/dam/bwpublic/global/documents/wealth_management/entrepreneurs-index-4-updated.pdf (last accessed 14/10/2014)
  • Denzin, N. K. (1978) The Research Act: A Theoretical Introduction to Sociological Methods. McGraw-Hill, New York
  • Ernst, S.A. (2007) The Role of the Corporate Entrepreneur in the Radical Innovation Process. Macquarie Graduate School of Management, Sydney
  • Ernst, S.A. (2009) “EO Investec Entrepreneur Indicator”, UK
  • Ernst, S.A. (2010) “EO Global Entrepreneur Indicator”, in partnership with Standard Chartered, US
  • Glaser, B. & Strauss, A. (1967) The Discovery of Grounded Theory. Aldine Publishing Company, Chicago
  • Hernandez (2013) Official (ISC)2 Guide to the CISSP CBK. Taylor and Francis Group, Florida
  • Intrabond Capital LLC & Ernst, S.A. (2014) “Wonder Twin Model”, in Intrabond Capital Webinar: Cyber Security for CFOs. US
  • Mankiw, G. (2001) Principles of Macroeconomics, Second Edition, p.457. Harcourt, Florida
  • Parker, L.D. (2003) “MGSM991 Qualitative Research Methods in Management”. Macquarie Graduate School of Management, Sydney
  • Parker, L.D. & Roffey, B.H. (1997) “Back to the drawing board: revisiting grounded theory and the everyday accountants’ and managers’ reality”. Accounting, Auditing and Accountability Journal, Vol 10 (No 2): 212-247
  • Wood, Wallace, Zeffane, Schermerhorn, Hunt, Osborn (1998) Organisational Behavior: An Asia-Pacific Perspective, p.146. John Wiley & Sons, Australia

About the researchers

Dr Sally Ernst

Dr Sally Ernst, co-founder UK and Australian Cyber Security Networks (www.CSNs.co), has over 15 years leadership experience in Australian and British companies in an international context. She has held Board positions, contributed to government-led forums, and invested in startups. Sally’s Doctorate specialises in tech intrapreneurship in a radical innovation context and she continues to be involved in industry research. Sally regularly speaks on cyber security from a business perspective.

Lani Refiti

With over 17 years’ experience, Lani Refiti is an innovative Business and Technology thought leader specialising in Risk and Cyber security, Business Technology Consulting, and building and leading highly successful technology teams. Lani is an AISA Board Member, QLD Branch Chair, and Spokesperson for AISA’s Advocacy Group. Lani speaks nationally at conferences and is a regular commentator on cyber security matters affecting industry and the wider public community.

About the UK and Australian Cyber Security Networks

The Australian Cyber Security Network and The UK Cyber Security Network serve to raise cyber security awareness in a language business people understand, and help them negotiate the journey involved in preventing and responding to cyber security incidents.

Given cyber security is a team sport, our Advisory Board Members span trusted and highly regarded security tech influencers as well as influencers in business, investment, finance and media variously in the UK, Australia and US.
P: +61 499 311 114 | E: info@csns.co | www.csns.co
