When people think of cybersecurity, they often picture a penetration tester, someone who is constantly at their computer trying to hack their way into a network. In reality, cybersecurity has a broad range of fields that one could specialize in: cyber analysts, information assurance analysts, forensic analysts, threat analysts, and so on. But the one job that stood out to me when researching this topic was the role of an information systems security manager. Throughout this paper, I will go over the roles of an information systems security manager and how they apply to the social sciences.
The first role I would like to discuss is the development of organizational cyber awareness training (Cybersecurity and Infrastructure Security Agency, 2024). During this course, we have talked about the human pipeline and how, if manipulated, it could leave a network vulnerable to attack. An effective way of mitigating this risk is instituting cyber awareness training. Though it may seem dry, people tend to remember the premise of the training. This is important because social engineering can be used in many different ways to break the human pipeline. One principle commonly used to conduct a phishing campaign is social compliance. This principle simply holds that society is trained not to question those with authority (Stajano, 2011). For instance, a malicious hacker could send an email to an employee, posing as a system administrator, with a link to update their password. The link would take them to a page asking for their old password and their new password. Since the link directs them to a location that is not affiliated with the company, their password would not actually be updated; instead, the employee has handed over their password in plain text for the attacker to use. I would say that sociology aligns with implementing cyber awareness. Yes, you have to look at criminology and how a criminal would convince a person to divulge information, but you also need to look at the social constructs that play a role in these attacks.
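The scenario above turns on one detail that awareness training tries to teach: the "update your password" link points somewhere that is not the company's own domain. As an added illustration (this is example code written for this page, not part of the paper or of any CISA material), the script below pulls the links out of a constructed sample email and classifies each one by whether its host really belongs to the organization. The organization domain `example-corp.com`, the sample message, and the function names are all assumptions made for the example; the point it makes is that a host such as `example-corp.com.account-verify.net` contains the company name yet is not the company's domain, which is exactly the trick a naive substring check, or a hurried employee, gets wrong.

```python
"""Added example (not from the paper): classify links in an e-mail by whether
they point at the organisation's own domain. The organisation domain and the
sample e-mail below are constructed for illustration."""
import re
from urllib.parse import urlparse

ORG_DOMAIN = "example-corp.com"  # constructed: the organisation's real domain

# Constructed sample of the kind of "update your password" message described above.
SAMPLE_EMAIL = """\
From: IT Helpdesk <helpdesk@example-corp.com>
Subject: Action required: your password expires today

Please confirm your old and new password at
https://example-corp.com.account-verify.net/reset
or the legacy portal https://portal.example-corp.com/reset
Questions? See http://example-corp.com/it
"""

# Matches http(s) URLs up to the next whitespace or angle bracket.
URL_RE = re.compile(r"https?://[^\s<>]+")


def is_org_host(host, org_domain=ORG_DOMAIN):
    """True only if host IS the org domain or a subdomain of it.

    'example-corp.com.account-verify.net' must not match: the org name is
    in the middle of the host, so the registrable domain is someone else's.
    """
    host = host.lower().rstrip(".")
    return host == org_domain or host.endswith("." + org_domain)


def classify_links(text, org_domain=ORG_DOMAIN):
    """Return [(url, verdict)] with verdict 'on-domain', 'lookalike'
    (off-domain host that embeds the org name) or 'off-domain'."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if is_org_host(host, org_domain):
            verdict = "on-domain"
        elif org_domain in host:
            verdict = "lookalike"
        else:
            verdict = "off-domain"
        results.append((url, verdict))
    return results


def suspicious_links(text, org_domain=ORG_DOMAIN):
    """Every link a reader should not trust with a password."""
    return [url for url, verdict in classify_links(text, org_domain)
            if verdict != "on-domain"]


if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}")
```

Run as a script it prints one line per link; the first link is reported as a lookalike while the two genuine `example-corp.com` links pass. The suffix test in `is_org_host` is the part worth reusing in training material: "does the host end in `.example-corp.com`" is a question employees can be taught to ask, whereas "does the link mention the company" is the question the attacker wants them to ask.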
The next role I would like to discuss is the implementation of corporate security policies and procedures (Cybersecurity and Infrastructure Security Agency, 2024). This could cover a number of things, but the overall objective is to mitigate risk when it comes to your everyday users. It could range from a policy that blacklists all social media on the company network to one that limits access to certain parts of the network. This helps mitigate the risk of social media phishing and insider threats. It is said that 50% of all phishing attacks contain links to malware (DataProt, 2024), which could be very dangerous for an organization if policies are not in place. But these policies cannot simply be copied and pasted from one organization to another, because workplace requirements differ. Therefore, you also need procedures. The accounting department may have no need to access Facebook, but the marketing department may have a Facebook page dedicated to advertising. In this case, you could allow an exception for a single workstation that the marketing department can use to promote the company via Facebook. This ties in well with behavioral science.
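To make the policy-versus-procedure distinction concrete, here is a small web-access policy evaluator written as an added example for this page (it is not code from the paper or from any vendor product). The policy is the blanket rule, "social media is blocked"; the procedure is the recorded, justified exception for one marketing workstation. Every domain, workstation name and rule below is a constructed assumption, and the matching is done by domain suffix so that `m.facebook.com` is covered by the rule while a host that merely contains the word `facebook` is not.

```python
"""Added example (not from the paper): a minimal web-access policy with a
documented per-workstation exception. All domains, workstation names and
rules are constructed for illustration."""

# Constructed policy: site categories blocked by default for every workstation.
BLOCKED_CATEGORIES = {
    "social-media": ["facebook.com", "instagram.com", "twitter.com"],
}

# Constructed procedure: (workstation, category) pairs with a justification.
# This is the part that legitimately differs between organisations.
EXCEPTIONS = {
    ("MKT-WS-07", "social-media"): "Marketing: manages the company Facebook page",
}


def domain_matches(host, domain):
    """Suffix match: host is the domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def category_of(host):
    """Return the blocked category a host falls into, or None if unlisted."""
    for category, domains in BLOCKED_CATEGORIES.items():
        if any(domain_matches(host, d) for d in domains):
            return category
    return None


def evaluate(workstation, host):
    """Return (decision, reason).

    Unlisted hosts are allowed; hosts in a blocked category are blocked
    unless the workstation has a recorded exception for that category.
    """
    category = category_of(host)
    if category is None:
        return ("allow", "not in a blocked category")
    justification = EXCEPTIONS.get((workstation, category))
    if justification:
        return ("allow", f"exception for {category}: {justification}")
    return ("block", f"{category} is blocked by policy")


if __name__ == "__main__":
    requests = [
        ("ACC-WS-02", "www.facebook.com"),          # accounting: blocked
        ("MKT-WS-07", "www.facebook.com"),          # marketing exception: allowed
        ("ACC-WS-02", "intranet.example-corp.com"), # not a listed category
    ]
    for workstation, host in requests:
        decision, reason = evaluate(workstation, host)
        print(f"{workstation} -> {host}: {decision} ({reason})")
```

The reason string is returned alongside the decision on purpose: when an exception is granted, the justification travels with every allow decision, which is what an auditor or an incident responder will want to see later when asking why a particular workstation could reach a site everyone else could not.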
The final role I would like to review is the response to and post-analysis of security incidents (Cybersecurity and Infrastructure Security Agency, 2024). I believe this role ties well into criminology, particularly the post-analysis portion. You have responded to the event and you have the events in your possession; the technical portion of the job is done. But the analysis of those events is where social science and cybersecurity intersect. Hackers are unique, and their methods typically vary with their skill level; the type of attack typically depends on the goal they wish to achieve. With all of this in mind, the security manager would need to investigate further to ensure this is not an advanced persistent threat: where the attacker was able to gain access, what vulnerabilities were exploited, and whether backdoors or malware were deployed during the attack. This is where thinking like a criminal comes into play. Seeing these aspects of an attack and determining the cause as well as the motive is what makes someone an information systems security manager. It also helps when it comes to hardening your network after an attack, as well as preparing for the next one.
In conclusion, cybersecurity is both a computer science and a social science. Without a fundamental understanding of networking and of technology as a whole, you will not be successful, but that is not the entirety of the job. You must also be able to get into the mindset of a cybercriminal and see the network as a target. This can involve many social sciences, such as sociology, criminology, and psychology.
References:
Cybersecurity and Infrastructure Security Agency. (2024, April 3). Cybersecurity for Students. Retrieved from National Initiative for Cybersecurity Careers and Studies: https://niccs.cisa.gov/sites/default/files/documents/Information%20Systems%20Security%20Manager%20CISA.pdf?trackDocs=Information%20Systems%20Security%20Manager%20CISA.pdf
DataProt. (2024). Hacking Statistics to Give You Nightmares. Retrieved from DataProt: https://dataprot.net/statistics/hacking-statistics/
Stajano, F. (2011, March). Understanding Scam Victims: Seven Principles for Systems Security. Communications of the ACM, 54(3), 70-75. Retrieved from EBSCOhost: https://web-p-ebscohost-com.proxy.lib.odu.edu/ehost/detail/detail?vid=0&sid=0a3a4c06-371e-40a9-946f-02c083c111c3%40redis&bdata=JnNjb3BlPXNpdGU%3d#AN=59423980&db=iih