When a person thinks about cybersecurity as a profession and social science, they likely imagine those to be two very distinctly different fields. They’re actually very interdisciplinary though. According to the career website, Indeed, an IT Security Specialist’s job is to safeguard networks and systems against unauthorized access or threats through implementing security measures to keep information secure and confidential. In other words, making sure anyone without the right to access the information, cannot access it. (Indeed, 2024).
IT Security must acknowledge and examine human behavior and how people interact with systems, which place their roots in social science. In fact, the concept of social science and behavior within the field of cybersecurity has grown in popularity to the point where it has created a whole new branch which is referred to as a scientific discipline called social cybersecurity. According to the National Academies, the field was created with two primary objectives: to characterize and forecast cyber changes in human behavior and to build a social cyber infrastructure that will allow the characteristics of a society to adapt and grow to its environmental conditions whether they be actual or imminent social-cyber threats. (National Academies Press, 2019).
As with any interdisciplinary field, the IT security specialists, cybersecurity specialists, and social cybersecurity each feel their roles are specific and may or may not be related, but the role of social cybersecurity takes an advanced role in that it goes beyond integrating the knowledge and methods of diverse disciplines and has created new theories, methods, and knowledge that create specific opportunities used by personnel who are threatening the security of information in some way (National Academies Press, 2019).
Social science, in and of itself, is the study of individuals and communities and how they interact behaviorally. These interactions may occur within the natural environment or within a built or technical environment (Academy of Social Sciences, 2021). It is within the technical environment where social science interacts with information, likely on a network, and in that environment is where the IT security professional must have knowledge beyond the information system itself and understand the behaviors of actors who threaten those systems.
More than twenty years ago, two university researchers, Aytes and Connolly (2003) created a model for investigating human behavior as it relates to computer security. At the core of the model is the user’s perception of risk. In other words, if a person does not feel the information is at risk of being hacked, phishing, malware, or a virus introduced, etc. then they likely will not take the proper action to secure the information or guard it from such risks. The proposed model included not only knowledge of threats, such as how they can occur, but also an awareness of countermeasures and recover procedures to avoid total loss.
Since the IT security professional’s role is to keep the information secure and manage the accessing of the systems to acquire information, they can apply Aytes and Connolly proposed model by not just understanding potential consequences of a breach to the information, or threat to it, but also by understanding risky behaviors of actors who commit the acts of threatening the systems (Aytes and Connolly 2003). A person’s attitude, or perception, toward the risk, will determine the level of measures taken to deter the risks.
There must be a certain process that is followed while safeguarding information. The cybersecurity field should never allow anybody to let their own attitude, beliefs, or personal judgment be a reason they don’t follow the certain prosses to safeguard information. Organization should hire at least one expert in the cybersecurity field to create an outlined prosses to be followed in order to maintain keeping their data and information protected.
In examining the Bureau of Labor and Statistics, there is no specific listing for IT security officers or specialists. There is a listing for Information Security Analysts which illustrates a comprehensive industry profile, further indicating that the industry is very broad, further solidifying the interdisciplinary nature of the field. Notably, Virginia is listed as the top state with the highest number of jobs in the field, yet it was not among the five highest paid income states for this field. This creates an interesting angle in relationship to risk and human behavior because if the IT security professional is not getting paid competitively, they may have a lowered risk perception of threats to the systems they are responsible for guarding and may be more vulnerable to attacks on the system itself. Information security and human behavior doesn’t just involve behaviors of the actors posing a threat but goes beyond to involve the behavior of the person responsible for safeguarding the information.
References
Aytes, K. and Conolly, T. (2003). A Research Model for Investigating Human Behavior Related
to Computer Security. Association for Information Systems: America’s Conference for
Information Systems (AMCIS) 2003 Proceedings. 260.
http://aisel.aisnet.org/amcis2003/260
Academy of Social Sciences. (2021). What is Social Science? Academy of Social Sciences.
Retrieved from https://acss.org.uk/what-is-social-science/
Bureau of Labor and Statistics. (2022). Occupational and Wage Statistics: 15-1212 Information
Security Analysts. Bureau of Labor and Statistics. Retrieved from
https://www.bls.gov/oes/current/oes151212.htm
Indeed. (2024). What does an IT Security Specialist Do? Indeed. Retrieved from
https://www.indeed.com/career-advice/finding-a-job/what-it-security-specialist-do
National Academies Press. (2019). A decadal survey of the social and behavioral sciences: A
research agenda for advancing intelligence analysis. Chapter 6: Integrating Social and
Behavioral Sciences (SBS) Research to Enhance Security in Cyberspace. National
Academies Press. Retrieved from
Leave a Reply