Understanding organizations’ approaches to managing cybersecurity challenges related to high levels of teleworking

a multi-actor perspective

Master thesis (2022)

Authors

T. van Veen Technology, Policy and Management

Contributors

S.E. Parkin Organisation & Governance - TPM (mentor)
M.J.G. van Eeten Organisation & Governance - TPM (coach)
Faculty
Technology, Policy and Management, Technology, Policy and Management
Copyright: © 2022 Tim van Veen
More Info
expand_more

Published Date

24-08-2022

Language

English

Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Faculty

Technology, Policy and Management

Abstract

This study investigates organizations’ approaches to managing cybersecurity challenges that are associated with high levels of teleworking. Over the last two and a half years the pandemic forced organizations to implement teleworking models that resulted in a large share of the workforce working from home. The increasing use of teleworking resulted in organizations being worried about their ability to handle cyberthreats, while at the same time they sidestepped on their cybersecurity to implement a proper teleworking model. There is a large body of literature showing what the security risks and practices are related to these high levels of teleworking, while it is not clear what the related security challenges are and how organizations are approaching these. So, there is a gap in the literature regarding the understanding of the current cybersecurity challenges and approaches that are associated with these high levels of teleworking. Semi-structured interviews were conducted with both cybersecurity consultants and individuals that fulfill a role in an organization that makes them responsible for the cybersecurity management of the organization. Thematic analysis was used that led to the identification of four main security challenges and four approaches used to manage these challenges. The following four challenges were identified: ‘Security vs. privacy’ which shows how it is challenging for organizations to secure the private environments of their organizations without invading their privacy. Secondly, the ‘Control & awareness which addresses the balance between control and awareness. More restrictions can lead to less security if there is a lack of awareness and knowledge among employees. Thirdly, the ’Lack of resources’ challenge, not all organizations have the monetary resources to achieve the desired level of security. Finally, the ’Priorities’ challenge shows how according to the consultants, cybersecurity is still seen as a burden and is being neglected by organizations, regardless of the increase in cybersecurity attention and the increased risks related to high levels of teleworking.
The identified approaches start with ‘Technology & Processes’ as this is most often the first choice for organizations. Using device management systems with corporate devices or BYOD devices with an enclave to ensure security without invading privacy. Education of the workforce is deemed one of the most successful approaches, since the security of the organizations is now more dependent on the workforce, raising awareness through education is of great importance. An approach that at first glance seems more counter-intuitive is the establishment of a security culture that takes years to achieve. Cybersecurity is involved into the daily tasks of the complete workforce. Without forcing and too many controls, but nudging employees by discussion and giving them responsibilities. The last approach shows that despite the priority challenge that is only mentioned by consultants, organizations want to become more mature, and organizations are currently giving cybersecurity a higher priority.

Files

Thesis_4469895.pdf
(pdf | 0.384 Mb)