Abstract

Cybersecurity decisions are made across a range of social, technical, economic, regulatory and political domains. There is a gap between what companies and institutions plan to do while developing their internal IS-related policies and what should be done according to a multi-stakeholder system perspective in this area. Our task as researchers is to bridge this gap by offering potential solutions. The aim of our work is to promote the usage of the socio-technical systems (STS) approach to support the emerging role of systems thinking in cybersecurity education, using simulation as a supporting tool for learning. Meanwhile, new trends in cybersecurity curricula suggest an important shift toward new thinking approaches such as adversarial and systems thinking. We explored individuals’ adversarial and systems thinking skills in an open agent-based simulated environment and subsequently assessed the impact based on a participant survey. We discuss these results and point to directions for further investigation. The second contribution of the article is the provision of a tool for developing target users’ skills in making quantitative risk decisions and giving them a deeper understanding of the importance and use of key indices in the cyber risk management process.

Highlights

  • Hardly a day passes without news of new cybersecurity incidents affecting different stakeholders in society such as individuals, organizations, and national and international entities

  • The aim of our work is to promote the usage of the socio-technical systems approach to support the emerging role of systems thinking in cybersecurity education, using simulation as a supporting tool for learning

  • This course is an elective course in a 2-year Master's program in Information Security at the Norwegian University of Science and Technology (NTNU)


Summary

Introduction

Hardly a day passes without news of new cybersecurity incidents affecting different stakeholders in society such as individuals, organizations, and national and international entities. With all these vulnerable systems and threat actors out there, organizations today are in a constant race to defend adequately against potential cyber-attackers through technical or social means. Lack of adversarial thinking – a process that considers the potential actions of the opposing force working against the desired result – in defenders leads to misplaced ideas of cybersecurity resilience and preparedness. The social component has its cultural and structural sub-components, while the technical side has its own. That means a change in the machines used in the system will affect the methods used in the system and its structure and culture.
