CCE Theses and Dissertations

Date of Award

2021

Document Type

Dissertation

Degree Name

Doctor of Philosophy (PhD)

Department

College of Computing and Engineering

Advisor

Yair Levy

Committee Member

Martha M. Snyder

Committee Member

Carla Curado

Keywords

cybersecurity, data breach, fuzzy set qualitative comparative analysis, human error, human factors, performance influencing factors

Abstract

Information Systems (IS) are critical for employee productivity and organizational success. Data breaches are on the rise—with thousands of data breaches accounting for billions of records breached and annual global cybersecurity costs projected to reach $10.5 trillion by 2025. A data breach is the unauthorized disclosure of sensitive information—and can be achieved intentionally or unintentionally. Significant causes of data breaches are hacking and human error; in some estimates, human error accounted for about a quarter of all data breaches in 2018. Furthermore, the significance of human error in data breaches is largely underrepresented, as hackers often capitalize on organizational users’ human errors, resulting in the compromise of systems or information. The research problem that this study addressed is that organizational data breaches caused by human error are costly and have the most significant impact on Personally Identifiable Information (PII) breaches. Human error types can be classified into three categories—Skill-Based Error (SBE), Rule-Based Mistakes (RBM), and Knowledge-Based Mistakes (KBM)—tied to the associated levels of human performance. The various circumstantial and contextual factors that influence human performance to cause or contribute to human error are called Performance Influencing Factors (PIF). These PIFs have been examined in the safety literature and most notably in Human Reliability Analysis (HRA) applications. The list of PIFs is context specific and had yet to be comprehensively established in the cybersecurity literature—a significant research gap.

The main goal of this research study was to employ configurational analysis—specifically, Fuzzy-Set Qualitative Comparative Analysis (fsQCA)—to empirically assess the conjunctural causal relationship of internal (individual) and external (organizational and contextual) Cybersecurity Performance Influencing Factors (CS-PIFs) leading to Cybersecurity Human Error (CS-HE) (SBE, RBM, and KBM) that resulted in the largest data breaches across multiple organization types from 2007 to 2019 in the United States (US). Feedback was solicited from 31 Cybersecurity Subject Matter Experts (SME), and they identified 1st order CS-PIFs and validated the following 2nd order CS-PIFs: organizational cybersecurity; cybersecurity policies and procedures; cybersecurity education, training, and awareness; ergonomics; cybersecurity knowledge, skills, and abilities; and employee cybersecurity fitness for duty. Utilizing data collected from 102 data breach cases, this research found that multiple combinations, or causal recipes, of CS-PIFs led to certain CS-HEs that resulted in data breaches. Specifically, seven of the 36 fsQCA models had solution consistencies that exceeded the minimum threshold of 0.80, thereby providing an argument for the contextual nature of CS-PIFs, CS-HE, and data breaches. Two additional findings were also discovered—five sufficient configurations were present in two models, and the absence of strong cybersecurity knowledge, skills, and abilities is a necessary condition for all cybersecurity human error outcomes in the observed cases.
