In everyday office life, there are many pitfalls that endanger IT security. But how to think of everything and not interfere with the actual work?
© Michael Schwettmann

Dissertation How to reconcile IT security and productivity

Uta Menges and Jonas Hielscher want to lift the label of being a nuisance from IT security measures and incorporate them more effectively into everyday life.

IT security – many people roll their eyes at the mere sound of the word. Everybody realises, of course, that it is a matter of great importance. The spectacular attacks on IT systems of organisations in recent years are frightening; entire universities and city administrations were sometimes offline for weeks. And the successful attacks are only the tip of the iceberg, because attempted attacks are a daily occurrence. But what are companies and organisations doing to ensure that their IT is secure? Ultimately, each and every individual has to contribute to this security. Why doesn’t it actually work all that well and how could it be made to work?

This is the question explored by Uta Menges and Jonas Hielscher. The two form a tandem in the Graduate School SecHuman – Security for People in Cyberspace. Even though they’re working together on their PhD thesis, their professional backgrounds couldn’t be more different. While Jonas Hielscher studied computer science in Magdeburg, Uta Menges studied business psychology. She completed her Master’s degree in the field of marriage, family and life coaching and has also worked in this area. How do they all go together?

SecHuman Graduate School

Since 2016, PhD students at Ruhr University Bochum have been researching security in cyberspace at the “SecHuman” Graduate School, which is funded by the NRW Ministry of Culture and Science. At the school, PhD students work not only with researchers from other disciplines, but also with actors from the industry. The SecHuman Graduate School, short for “Brave New World: Security for People in Cyberspace”, is located at the Horst Görtz Institute for IT Security in Bochum and is also integrated into the Cluster of Excellence CASA – Cybersecurity in the Age of Large-Scale Adversaries.

Not happy with how it works in practice

“They go surprisingly well together,” she says. “I can transfer what I’ve learned to the field of IT security.” This is because the focus in both fields is on humans. “No matter how good the technological measures for the security of an IT system are, they won’t work without the cooperation of the users,” adds Jonas Hielscher. But research results have been scarce on how to get organisations to support their employees in the transition to secure behaviour and not simply dump the burden on the end users. And Menges and Hielscher are not very happy with the way it’s handled in practice either.

“Many companies commission providers, for example, to send fake phishing emails to their employees in order to sensitise the team to potential attacks,” elaborates Jonas Hielscher. “But such one-off and one-dimensional measures don’t effect much.” In case of doubt, someone who has fallen for it has the feeling of being in the hot seat. That doesn’t help anyone.

No one can do that on a normal working day.


Uta Menges

The two researchers ask completely different questions: How feasible is IT security for employees? Do employees know exactly what they have to do? Can measures really be implemented or is there no time for it in the daily work routine? Do the IT security measures compete with other tasks that need to be done? “For example: read every email very carefully and check it for indications of a phishing attack,” illustrates Uta Menges. “No one can do that in a normal working day.”

Jonas Hielscher (left) and Uta Menges want to know how IT security can be integrated into everyday working life so that it is not a hindrance.
© CASA, Caroline Schreer

In addition to such questions, which are grouped under the umbrella term “productive security”, the two PhD researchers also focus on communication about IT security. How do people talk about it? The implementers are often engineers. They talk about technology without taking their colleagues who are not technologically savvy on board. This communicative hurdle leads to misunderstandings and doesn’t do anything to foster a cooperation based on mutual trust. But this is precisely what the researchers consider indispensable. “If someone has opened a phishing email and fallen into the trap, they mustn’t be afraid to report the incident,” says Uta Menges. “And it must be clear to whom.” She calls for a healthy error culture: no one should be pilloried because they’ve made a mistake. Clear instructions are essential. All too often, however, employees are left alone with vague rules. Communication also includes the response of the help desk. If it’s impersonal, IT security remains abstract.

There’s no measure of how secure or insecure the behaviour of employees is.


Jonas Hielscher

Both researchers have also identified communication barriers between IT security professionals and the managers of institutions. “Professionals want to talk about products. Management is much more interested in the risk that needs to be contained. But there’s no measure of how secure or insecure the behaviour of employees is,” Jonas Hielscher explains. He and Uta Menges are venturing into largely unexplored territory. “You’d have to interview people, observe their behaviour, get their feedback, evaluate incidents. But none of that has been done yet, partly because it’s so complicated,” he says.

Based on her expertise as a psychologist, Uta Menges points out: if IT security is to succeed in organisations, self-efficacy is the most important aspect. In other words: IT security must be manageable. And it must be effective. “This may sound self-evident, but the decades-old narrative that everything’s getting worse and nothing can be done anyway is stuck in many people’s heads,” says Uta Menges. “Those who have internalised it have a hard time taking action because they don’t believe in it.”

Cooperation with partners from the industry

Uta Menges and Jonas Hielscher are tackling the issue with a number of partners from the industry. Together with a large enterprise in North Rhine-Westphalia, they are coaching more than a dozen trainees to become ambassadors for IT security. They’ve met the Chief Information Security Officer and got his mobile phone number. The goal is to create a network across the company’s many subsidiaries with over 20,000 employees. This is how IT security is to be given a face. Since November 2021, the two researchers have been communicating with a group of 28 Swiss Chief Information Officers from various companies. Among other things, they help design workshops and stay up to date on everyday problems in the companies.

“This PhD thesis is only just evolving as we work on it,” says Jonas Hielscher. Still, both are fascinated by their field of research. “It’s pioneering work and can’t be planned – after all, it’s humans who are the focus,” says Uta Menges. Plenty of research questions are still open. The research field of human-centred security is still young, the concept only emerged around 2000. “But there’s an ever increasing number of professorships, it’s a growing field,” as Jonas Hielscher is pleased to say. “And our results will certainly not fall on deaf ears.”

Damage caused by IT attacks

No one can put an exact figure on how much economic damage is caused by IT attacks, as there is no obligation to report such incidents in Germany. The figure published by the industry association Bitcom, which amounts to around six per cent of the gross domestic product, is therefore only an estimate, and Jonas Hielscher believes it is too high.

Ransomware attacks, in which IT systems are encrypted by external parties in order to extort a ransom, frequently hit medium-sized companies, whose protection is often inadequate.

Download high-resolution images
The selected images are downloaded as a ZIP file. The captions and image credits are available in the HTML file after unzipping.
Conditions of use
The images are free to use for members of the press, provided the relevant copyright notice is included. The images may be used solely for press coverage of Ruhr-Universität Bochum that relates solely to the contents of the article that includes the link for the image download. By downloading the images, you receive a simple right of use for one-time reporting. Saving the images for other purposes or further processing of the images that goes beyond adapting them to the respective layout requires an extended right of use. Should you therefore wish to use the photos in any other way, please contact redaktion@ruhr-uni-bochum.de

Document download

Published

Friday
02 June 2023
9:13 am

By

Meike Drießen (md)

Translated by

Donata Zuber

Share