A methodological framework for fostering cybersecurity mindsets and behaviour

The continuously growing attack surfaces and artificial intelligence-enabled attacks have increased the overwhelming nature of the cybersecurity challenge. The result is that to some organizations, no amount of preparedness can guarantee immunity from cyber-attacks. Cybersecurity preparedness is an ongoing process and incentivizing the right behaviour is an essential characteristic of a human-centered whole-of-enterprise approach to cybersecurity. While there are many techniques developed to improve and understand cybersecurity decision making, there is a lack of design methodologies to allow cybersecurity design teams to systematically tackles creation of conditions that stimulate and sustain desired level of cybersecurity mindsets in an organization. To bridge this gap, we propose the Human Centered Methodological Cybersecurity (HCMC) framework to address this gap. This human-centered approach is based on the fundamental premise that the unpredictable nature of human behaviour and actions make humans an important element and enabler of the level of cybersecurity.  Fostering sustainable cybersecurity mindset is a design problem. This study uses framework formulated from the Design Science Research (DSR) approach. The evaluation of the framework was done using different groups of cybersecurity experts, professionals, and general users. HCMC enables cybersecurity teams to surface and explore complex cybersecurity behaviour fostering issues specific to their organization and stimulate thinking from the perspective of different groups of stakeholders systematically, which might potentially be overlooked otherwise.