Select a type of cybersecurity career and write a two-page paper describing how professionals in that career require and depend on social science research and social science principles in those careers. Pay specific attention to the key concepts learned in class and demonstrate how those concepts are applied in the career you selected. The focus should be on demonstrating how the material from class relates to cybersecurity professionals’ daily routines. Specific attention should be given to how the career relates to marginalized groups and society in general. Students should use at least three reliable sources to write the paper.
Governance, Risk, and Compliance Career and Social Science
Cybersecurity is a highly interdisciplinary field, and many of its roles draw on other
disciplines. Governance, risk, and compliance (GRC) is a role in cybersecurity that works to
align IT activities with business objectives (1,2). Governance is the use of policies, rules, and
frameworks to guide business practices. Risk management is the process of identifying,
assessing, and treating risks. Compliance is adherence to applicable laws, regulations, and
standards. GRC professionals can draw on social science research, principles, and concepts to
better align IT with business needs. The field of GRC also affects marginalized groups, who face
particular challenges, and society in general.
The two types of social science research that I think would benefit GRC professionals the
most are experimental research and archival research. Experimental research can test the
efficacy of different types of cybersecurity awareness training. Experiments can also help
determine what types of rules to put in place to protect the business. As for archival research,
looking at past cybersecurity breaches at similar companies can give an idea of which risks need
the most attention. Archival research can also aid GRC professionals in the initial creation of
the policies and rules that will guide business activities.
Parsimony and determinism are two social science principles that can aid GRC tasks.
Parsimony means that explanations should be as simple as possible. Keeping policies and rules
that affect everyone working in a company easy to understand makes it more likely that people
will be able to follow them. Determinism means that previous events influence, cause, or
determine behavior. Understanding that people behave differently depending on past experiences
suggests simulating bad experiences, such as falling for a phishing email, so that employees
learn from them in a safe setting rather than in a real attack.
There are five concepts from social science that can be applied in the daily tasks of GRC
professionals. The first is human factors, which is the use of knowledge about human
capabilities and limitations when designing systems. By designing policy and training in a
human-centered way, GRC professionals can reduce mistakes by people (3). The next concept is
knowledge and risk. By giving employees the knowledge they need to stay safe online, the risk
of them behaving unsafely goes down. Another is cost/benefit analysis. Because money is limited
and managing risks costs money, it is necessary to make compromises based on cost/benefit
analysis. Mitigating some risks yields a greater benefit than mitigating others, depending on
their severity. Then there are the social forces of education, which are social influences that
shape people's experiences. Cybersecurity awareness training should influence how employees act
on the internet so that they stay safe. Allowing employees to relate to each other and discuss
what they learned in training about staying safe online can greatly reduce human errors. Lastly
there is social engineering, which refers to strategies used to manipulate someone into giving
up information or access. The dangers of social engineering are significant, and GRC
professionals can use training and testing, such as simulated phishing, to reduce those risks.
Marginalized groups face some challenges that relate directly to the work of GRC
professionals. Older individuals may have a harder time understanding and adhering to policies
set forth by GRC personnel. It is up to GRC professionals to make their policies accessible.
Another group that may face difficulty is employees who have less cybersecurity knowledge. In
order to protect the business and the individuals working there, GRC professionals have to make
sure that education and training are available to all employees. During risk assessments some
assets have to be prioritized over others. Accounting, for example, might think that its system
is the most important for business operations. In situations like those, GRC professionals have
to ensure that all groups' perspectives are considered fairly.
The field of GRC is greatly shaped by society. Compliance is only possible if there are
laws or standards set forth in society to follow. Different industries have to follow different
laws and regulations. Frameworks published by organizations such as NIST are tools open to
anyone for making better security decisions. There are GRC frameworks that can be used to
manage risks and write better policies (1,2). Professionals working in GRC can also look to
other companies to see what works and what does not work for them.
References
[1] “What Is GRC?” IBM, https://www.ibm.com/topics/grc.
[2] “What Is GRC (Governance, Risk, and Compliance)?” Amazon Web Services,
https://aws.amazon.com/what-is/grc/.
[3] Nobles, Calvin. “Botching Human Factors in Cybersecurity in Business Organizations.”
HOLISTICA – Journal of Business and Public Administration, vol. 9, no. 3, Dec. 2018, pp.
71–88, https://doi.org/10.2478/hjbpa-2018-0024.