How to Mitigate Nbr 1 Cause of Cyber Attacks - Employees Socially Engineered




INFORMATION TECHNOLOGY MODELS

AND ORGANIZATIONAL PSYCHOLOGY THEORIES

USED TO MITIGATE THE NUMBER ONE REASON FOR CYBERSECURITY ATTACKS AND BREACHES

A Master’s Thesis

Submitted to the Faculty of

American Public University

by

Dianne Petersen

In Partial Fulfillment of the

Requirements for the Cybersecurity Degree

Of

Master of Science

American Public University


COPYRIGHT

The author hereby grants the American Public University System the right to display these contents for educational purposes.


The author assumes total responsibility for meeting the requirements set by United States Copyright Law for the inclusion of any materials that are not the author’s creation or in the public domain.


© Copyright 2020 by Dianne L. Petersen

All rights reserved.

ABSTRACT OF THE THESIS

INFORMATION TECHNOLOGY MODELS AND ORGANIZATIONAL PSYCHOLOGY THEORIES USED TO MITIGATE THE NUMBER ONE REASON FOR CYBERSECURITY ATTACKS AND BREACHES

by

Dianne Petersen

American Public University, June 2020

Charles Town, West Virginia

Dr. Elliot Lynn, Capstone Professor


It is said that eight of ten cybersecurity attacks or breaches come from within an organization, and this continues to be the issue today (EC-Council, 2019, Harris, 2013). As organizations consist of employees, it is the employees’ lack of cybersecurity awareness, training and more that is the root cause of cybersecurity issues. This paper uses a qualitative approach by reviewing current literature on these topics. First is a review of three international studies to verify that further research is needed on employee awareness and training to resolve cybersecurity problems. The specific literature review covers four information technology models along with the author’s experience implementing three of them; these are the capability maturity model, the balanced scorecard, the information technology infrastructure library and the cybersecurity capability maturity model. This is followed by a look at other cybersecurity maturity models. Next is a literature review on three organizational psychology theories used to motivate employees: the need achievement theory, the MODE theory, and the social cognitive theory. Lastly, a discussion is presented that includes a recommended hybrid cybersecurity implementation model with employee awareness, training and motivation at its core.


Keywords: Balanced Scorecard (BSC), Capability Maturity Model (CMM), Cybersecurity Capability Maturity Model (C2M2), Information Technology Infrastructure Library (ITIL), Need Achievement Theory, MODE Theory, Social Cognitive Theory, employee motivation, organizational psychology


COPYRIGHT ii

ABSTRACT OF THE THESIS iii

Table of Figures vi

Introduction 1

Problem Statement 2

Purpose 3

Methodology 3

Hypotheses and Research Questions 3

Significance of the Study 4

Definitions of Unclear Terms 5

Theoretical Framework 7

Subjects and Settings 8

Sampling Plan 8

Statistical Analysis 8

Identified and operationalized variables 9

Limitations 9

Assumptions 10

Literature review 10

Foundational Literature 11

International University Research – Employees and Cybersecurity 11

Study in Australia 12

Study in the United States 14

Study in Finland 16

Informational Technology Models 18

Capability Maturity Model (CMM) 18

Balanced Scorecard (BSC) 20

Information Technology Infrastructure Library (ITIL) 22

Cybersecurity Capability Maturity Model (C2M2) 26

Other Cybersecurity Maturity Models 29

Organizational Psychology Theories 31

Need Achievement Theory 32

MODE Model or Theory 34

Social Cognitive Theory 35

Results and Discussion 37

Overview 37

Hypothesis One through Three, IT Models with no Organizational Psychology 37

Hypothesis One Capability Maturity Model with no Organizational Psychology 38

Hypothesis Two Cybersecurity Capability Maturity Model with no Organizational Psychology 38

Hypothesis Three Information Technology Infrastructure Library with no Organizational Psychology 40

Hypothesis Four Balanced Scorecard with Organizational Psychology 40

Hypothesis Five A Cybersecurity + Organizational Psychology Recommendation 41

Conclusion 42

References 43

Appendices 50

Appendix 1 Cyber Security + Organizational Psychology Business Plan - Draft 50

Appendix 2: Sample of IRB Approval Letter 57

Appendix 3: Sample of the Capstone Approval Document 58


Table of Figures


Figure 1. Lerums’s State of Indiana Cybersecurity Scorecard Survey (Lerums, 2018, p. 49) 15

Figure 2. Capability Maturity Model’s Five Levels of Maturity (Duffy, 2016, Rouse & Jayaram, 2016) 19

Figure 3. Information Technology Infrastructure Library’s Nine Core Principles (White & Greiner, 2019) 23

Figure 4. Information Technology Infrastructure Library’s Five Service Areas (Rubio & Arcilla, 2020, p. 1) 23

Figure 5. Information Technology Infrastructure Library’s Top Five Process Areas (Rubio & Arcilla, 2020, p. 2) 23

Figure 6. Flowchart for Hypothesized Relationships: ITIL Anecdotes, Implementation and Consequences (Iden & Eikebrokk, 2014, p. 9) 24

Figure 7. C2M2’s Four Levels of Maturity (U.S. Department Of Energy Office And Electricity Delivery And Energy Reliability, 2015, p. 25) 26

Figure 8. C2M2’s Ten Domains (U.S. Department Of Energy Office And Electricity Delivery And Energy Reliability, 2015, p. 20) 28

Figure 9. Barclay’s C2M2 Model for Developing Nations Cybersecurity Awareness 29

Information Technology Models And Organizational Psychology Theories Used To Mitigate The Number One Reason For Cybersecurity Attacks And Breaches

Introduction

This research study proposes to address the most significant root cause of why cybersecurity attacks and breaches occur in organizations. Many times organizations spend tens of thousands to millions of dollars to implement Information Technology (IT) models; nonetheless, these organizations continue to suffer cybersecurity attacks and breaches. For IT models to be effective, both management and employees of the organization need a commitment to put the IT models into practice. Is it possible that IT models should include models from organizational psychology to assure that employees will take cybersecurity to heart and put it into action?

This paper looks at three well-intentioned and vetted IT models: 1. Capability Maturity Model (CMM), 2. Cybersecurity Capability Maturity Model (C2M2), and 3. Information Technology Infrastructure Library (ITIL). Also addressed are three organizational psychology theories, Need Achievement Theory, Motivation and Opportunity as Determinants (MODE) Model/Theory, and Social Cognitive Theory, and an organizational psychology change tool, the Balanced Scorecard (BSC) (Barclay, 2014, Brehm, Kasin & Fein, 2005, Covington, 2000, Holman, Devane, Cady & Associates, 2007, NIST 800-37 Rev 2, 2018, Rea-Guaman, Feliu, Rubio & Arcilla, 2020, U.S. Department Of Energy Office and Electricity Delivery and Energy Reliability, 2015, Verizon, 2019, White & Greiner, 2019, Yeh, Adams, Marshall, Dasgupta, Zhunushov, Richards, and Hay, 2017). Spoiler alert: the number one reason for cybersecurity attacks and breaches is employees.

Problem Statement

The number one reason for cybersecurity attacks and breaches is the employee. One can conclude that the most widely used cybersecurity models fail to resolve this number one reason. As the number one reason for cybersecurity attacks and breaches is employees, IT security models may need to address organizational psychology theories to make a significant reduction in cybersecurity attacks and breaches.

Many think it is hackers attacking networks by writing brilliant computer code that causes cyber-attacks, but this is not true (Pauli, 2013, Sirius Business Radio, 2020). First of all, writing such code takes considerable skill and effort along with knowledge of network systems, such as firewalls, server names and operating systems. Actually, hackers are most successful with social engineering techniques, the old-fashioned phishing kind of social engineering, where an employee receives an email with a link or attachment and clicks on it (Harris, 2013). But now, social attacks also include phone calls with voices matching someone in the company, or emails that appear to come from inside an organization, many times requesting that money be moved into a bank account (Splunk, 2020, Sirius Business Radio, 2020). Attacks in which hackers contact and engage employees in organizations are called social engineering cybersecurity attacks. Many organizations believe that putting an IT model in place to address cybersecurity is all that is needed, but these organizations fail to focus on employee behavior, especially around social engineering attacks.

Purpose

The purpose of this research is to demonstrate how prior IT security research done world-wide proves a need for ‘further research’ on IT security awareness conveyed via organizational management to employees (Aldawood and Skinner, 2019, Lerums, 2018, Haukilehto, 2019). This ‘further research’ suggests a review of the most popular IT models, including why the models are not enough to make employees and management act for IT cybersecurity success. The ‘further research’ should also include research on organizational psychology theories to verify whether the IT models include the psychology or how to implement the psychology.


Methodology

Hypotheses and Research Questions

Below are hypotheses (H) to frame the research on the possibility that popular IT models fail to fix the number one reason why cybersecurity attacks and breaches occur, possibly due to the lack of organizational psychology theories.

H1: The Capability Maturity Model (CMM) is an IT model that does not address organizational psychology theories (Need Achievement Theory, MODE Theory, and Social Cognitive Theory) to assure that employees are motivated and trained with regard to cybersecurity for positive results.

H2: The Cybersecurity Capability Maturity Model (C2M2) is an IT model that does not address organizational psychology theories (Need Achievement Theory, MODE Theory, and Social Cognitive Theory) to assure that employees are motivated and trained with regard to cybersecurity for positive results.

H3: The Information Technology Infrastructure Library (ITIL) is an IT model that does not address organizational psychology theories (Need Achievement Theory, MODE Theory, and Social Cognitive Theory) to assure that employees are motivated and trained with regard to cybersecurity for positive results.

H4: The Balanced Scorecard (BSC) does address organizational psychology theories (Need Achievement Theory, MODE Theory, and Social Cognitive Theory) to assure that employees are motivated and trained with regard to cybersecurity for positive results.

H5: Make a recommendation for a cybersecurity model that assures employees are motivated and trained to deliver positive results and reduce cybersecurity issues. This model will be a customization of the capability maturity model, the cybersecurity capability maturity model, the information technology infrastructure library, the balanced scorecard, the Need Achievement Theory, the MODE Model and Theory, and the Social Cognitive Theory.


Significance of the Study

This study is significant because it looks for the root cause of the number one reason cybersecurity attacks or breaches occur in organizations, which is employees’ mistakes, lack of training or ill intentions (EC-Council, 2018, Harris, 2013, Pauli, 2013, Sirius Business Radio, 2020, Splunk, 2020). Many organizations spend significant monetary resources, typically via consulting firms, to implement a popular IT model to address cybersecurity issues; however, these organizations still have cyber-attacks or breaches, primarily due to their staff.

Further, the review of several international research studies found that organizations lacked either cybersecurity policies, training or audits, which is an organizational management issue. This study deals with organizational psychology to better assure that management leads in a manner such that employees know their cybersecurity accountability. Also, the author of this research study plans to use this information to start a cybersecurity consulting business to make a difference for organizations plagued with cybersecurity attacks and breaches.

Definitions of Unclear Terms

Capability Maturity Model (CMM) is an organization-wide tool used to make an organization mature when it comes to software development. It was developed by the Software Engineering Institute, which is an organization sponsored by the Department of Defense (DoD). CMM has five levels: 1. Initial level (disorganized chaos of processes); 2. Repeatable level (basic processes documented for repetition); 3. Defined level (standards developed); 4. Managed level (monitors the processes via data collection); 5. Optimizing level (continuous process improvements via communication) (Rouse & Jayaram, 2016).

Cybersecurity Capability Maturity Model (C2M2) is based on the capability maturity model. It is specialized for cybersecurity readiness with six elements. The six elements are society, operational, education, technical, business, and legal & regulations (Barclay, 2014). The six elements are then considered in detail for other areas of the business.

Information Technology Infrastructure Library (ITIL) is a framework of best practices for delivering IT; it consists of approximately thirty volumes. It originated in 1980 from the British Central Computer and Telecommunications Agency (CCTA). It has had numerous revisions over the decades, and soon ITIL 4 will be available. As the author of this paper worked in an ITIL shop, it did not seem simple; with over thirty volumes and regular revisions of the information technology infrastructure library, this is understandable.

The Need Achievement Theory addresses three aspects of a person’s need for achievement: first, the level of motivation for achievement needs; next, motivation for power needs; and last, motivation for group affiliation needs. The need achievement theory originated with Henry Alexander Murray and was further studied by David McClelland, who created tests to validate individual needs, primarily for use in organizational settings (Runyan, 2020, VandenBos, 2007).

The Motivation and Opportunity as Determinants (MODE) theory describes how a person’s attitude influences their behavior, especially when it comes to deliberate behavior. Its creator was Russell Fazio, who based it on Determinant Theory (Latham, 2007, VandenBos, 2007). It is an important theory, as employees will need a proper attitude toward cybersecurity training and practice.

Albert Bandura and Walter Mischel authored Social Cognitive Theory; it is based on Goal Achievement Theory (Brehm, Kasin & Fein, 2005, Covington, 2000, Latham, 2007). As the name implies, it concerns how awareness of one’s social interactions affects behavior, including the goals set and executed. It is via social engineering that hackers get most of their success.

Theoretical Framework

This study addresses the number one root cause of cybersecurity breaches and attacks, which is the employees of organizations. The theory for this study is that current IT models don’t include organizational psychology human motivation theories. Currently, no research is found on organizational psychology theories to motivate staff for IT models. However, there is peer-reviewed research to support the premise of this paper’s theory, which is the lack of cybersecurity awareness and training. Usually it is not that the employee is acting in bad faith, but rather that organizational management has failed. As cybersecurity is part of IT, IT models are examined to see how much consideration is given to assuring that employee training and motivation are also addressed.

Hypotheses H1, H2 and H3 share the same research design to address the theory of this paper. The theory of this paper is that three popular IT models, 1) the capability maturity model, 2) the cybersecurity capability maturity model, and 3) the information technology infrastructure library, do not address individual-level concerns for cybersecurity using psychology. There is literature on the three IT models; accordingly, this paper will do a literature review to support the hypotheses that the selected IT models have no foundation in organizational psychology, while an organization needs to reach each individual in the organization to make cybersecurity successful.

There are three psychology theories used in organizational psychology to motivate a person, especially a worker in an organization. Significant foundational literature and some current peer-reviewed articles are available on the three organizational psychology theories: 1) the need achievement theory, 2) the MODE theory and 3) the social cognitive theory. The literature reviews will ascertain that employees are responsible for up to ninety-five percent of costly cybersecurity problems, and that IT models don’t include organizational psychology, supporting hypotheses one through three.

For hypothesis H4, the balanced scorecard, an organizational tool, is viable, especially as it is the tool recommended for use with the IT model capability maturity model. The balanced scorecard is used world-wide at several organizations for several purposes. There is much peer-reviewed literature, along with articles, that serves as empirical evidence of using the balanced scorecard. The fifth hypothesis is for a customized model using the most appropriate sections of the three IT models, the three organizational psychology theories for employee motivation and the balanced scorecard, to indicate how to battle the most prominent cause of cybersecurity attacks and breaches.

Subjects and Settings

Sampling Plan

This paper does not include surveys, so there is no sampling plan. A sampling plan does not apply to literature-review research papers. 

Statistical Analysis

A statistical analysis does not apply to a literature-review research paper. There is no quantitative data collected for statistical analysis. Nonetheless, there are independent variables identified to provide direction on identifying the root cause of cybersecurity related issues.

Identified and operationalized variables

An independent variable is the assumed cause and the dependent variable is the assumed effect. For this study the suggested independent variables include three IT models and three organizational psychology variables:

  • the capability maturity model
  • the cybersecurity capability maturity model
  • the information technology infrastructure library
  • the Need Achievement Theory
  • the MODE Model/Theory
  • the Social Cognitive Theory.

There are two dependent variables. The first dependent variable is the number one cause of cybersecurity problems within an organization. The second dependent variable is a customized recommendation that includes the independent variables and the balanced scorecard.

Limitations

This research is limited in that it analyzes seven models or theories when several other IT models and organizational psychology theories exist. It is also a literature review only of the seven models and theories, not tested on subjects. Further, it depends on completed peer-reviewed research from professionals. Another limit is the lack of access to the Mental Measurements database used to look up the psychology theories behind various tests and tools. The last limiting factor is the funds needed to pay for full details of the IT models and the balanced scorecard from vendors and consultants, which can easily be thousands of dollars each.

Assumptions

This study presumes that it is correct that the number one problem plaguing cybersecurity in organizations is human error, per reports from prior peer-reviewed research studies. It also presumes the capability maturity model, the cybersecurity capability maturity model, and the information technology infrastructure library are widely used and highly rated IT models, as they are based on or vetted by professional organizations. Further, it is assumed that the three psychology motivation theories are used as the basis in organizational psychology for how to motivate employees; these are the need achievement theory, the MODE model and theory, and the social cognitive theory. It is also presupposed that popular IT models do not take into account the responsibility of each individual in an organization, nor an understanding of how to motivate individuals using proven motivational psychology.

Literature review


The literature review starts with foundational information from primary, secondary and tertiary sources used throughout the paper. The next section of the literature review covers international research articles that substantiate that employees lack cybersecurity awareness and training, and concludes that more research is needed to address these cybersecurity deficits. The third section reviews IT models and bears out that they do not include organizational psychology for understanding employee motivation for cybersecurity success. The last section presents information on recommended psychology theories used in organizational psychology that are relevant to the employee motivation needed to positively impact a reduction in cybersecurity issues.

Foundational Literature

To get some of the best material on organizational psychology and cybersecurity, the textbooks required for coursework are used. For an overall understanding of worker motivation, Gary P. Latham authored “Work Motivation – History, Theory, Research and Practice” in 2007. Next, “The Change Handbook” published by Peggy Holman, Tom Devane and Steven Cady provides a collection of, along with guidelines for, organizational change management tools used worldwide. Another course text is “Human Resources Annual Editions” edited by Fred Maidment in 2012, which comprises thirteen volumes and is used as a best practices handbook in human resources. A text on social psychology, “Social Psychology”, published in 2005 and written by Sharon S. Brehm, Saul Kassin and Steven Fein, is referenced. The American Psychological Association (APA) published the “APA Dictionary of Psychology” in 2007 with Gary R. VandenBos as Editor in Chief. Finally, the author of this paper was on projects for the capability maturity model, the balanced scorecard and the information technology infrastructure library, and her insights are used.


International University Research – Employees and Cybersecurity

This paper addresses the ongoing number one reason why cybersecurity issues continue in organizations, which is human error. Many professionals and researchers world-wide continue to study this phenomenon; nonetheless, human capital remains the root cause of cybersecurity problems. It actually is an organizational management issue, and the question arises: is it possible that organizational psychology must be used to assist in the resolution? We will look at three recent international studies conducted in Australia, the United States, and Finland for their verification that there is a lack of employee cybersecurity awareness and training and that more work or research needs to be done on these topics.

Study in Australia

Researchers Hussain Aldawood and Geoffrey Skinner (2019) from the University of Newcastle, Australia, published their peer-reviewed article in Internet Future. Their work addressed the lack of employee training and knowledge when it comes to social engineering attacks. Per Pauli (2013), social engineering is one of the most effective means of getting access to cyber information in organizations, as it is easier to compel end-users to give information than it is to penetrate system security. System security such as firewalls, anti-virus software, intrusion detection and prevention systems and much more is difficult and time consuming to understand well enough to execute cyberattacks.

Further, Aldawood and Skinner (2019) were particularly concerned about the statistics of four major world information technology firms that suffered from many social engineering attacks. The four firms were Yahoo, Weebly, Dropbox and Myspace. These social engineering attacks succeeded in gaining access to millions if not billions of passwords. These four firms are not as widely used as others, such as Facebook, Amazon and Google, but were still widely used in the past twelve years. Here are the findings on the four firms’ password cybersecurity breaches:

  • Yahoo had 3 billion passwords compromised, with attacks that started in 2013 and passwords still being revealed as of October 2017 (Hackett, 2017 as cited by Aldawood and Skinner, 2019).
  • Weebly had 43 million password attacks in 2016 (Ragan as cited by Aldawood and Skinner, 2019).
  • Dropbox had 68 million password attacks from 2012 to 2016 (Hein as cited by Aldawood and Skinner, 2019).
  • Myspace had 360 million password attacks from 2008 to 2016 (Weir as cited by Aldawood and Skinner, 2019).

The number of password attacks on just four internet companies is astounding; just imagine what the statistics could be for Facebook, Amazon and Google. The password breaches mentioned above do not even provide information on the subsequent data breaches once the hackers got the passwords. One reason passwords could be so easy to obtain is that there are tools for hackers to get passwords via social engineering (Pauli, 2013).

The study of Aldawood and Skinner (2019) did not address the technical tools used by social engineering hackers or other technical details. Their research established via ninety-eight references that social engineering, along with a lack of cybersecurity policies and employee training, was the cause of cybersecurity breaches in organizations. They recommend that further research be done to address these deficits; hence new ideas and research are warranted. If the solution is to come from an organizational viewpoint, then it makes sense to review widely used IT and governance models and organizational psychology theories. Their research did not address IT models or organizational psychology theories. Let’s now review two other recent studies in two other countries, the United States and Finland.

Study in the United States 

The next study was done across the Pacific Ocean from Australia, at Purdue University, Indiana, United States, by James Lerums in 2018. It was for Purdue’s Center for Education and Research in Information Assurance and Security. Lerums (2018) performed a research study to see if cybersecurity scorecards could be used by public and private organizations of all sizes to find actionable cybersecurity information. The cybersecurity scorecards were sent to sixty-six organizations. The actual Scorecard Questionnaire is in Figure 1, Lerums’s State of Indiana Cybersecurity Scorecard Survey. As one can see, it asks for high-level information, but definitely addresses several questions that can gauge the organization’s awareness of cybersecurity.

Figure 1. Lerums’s State of Indiana Cybersecurity Scorecard Survey (Lerums, 2018, p. 49)

From reading the cybersecurity scorecard, it is obvious the study was done via dichotomous questioning, meaning it is more or less a yes or no answer (Kumar, 2014). This would make studying the results of the survey manageable for reporting.

What is important for this paper is that cybersecurity issues are related to the human factor and organizational awareness; hence the need for future research.

Not surprisingly, Lerums’s (2018) study revealed the lowest scores were for:

  • cybersecurity awareness
  • cybersecurity training
  • cybersecurity emergency

These low scores are subjects for further research, and prove organizations need to do better for their employees to be cybersecurity savvy and lower cybersecurity risks. Lerums (2018) specifically mentioned that research is needed on cybersecurity training. Training in an organization falls under the umbrella of Human Resources. Human Resources and training are validated using organizational change models and organizational psychology, which are addressed further in this paper. Lerums’s research did not examine IT models or organizational psychology theories. Our next cybersecurity study is from across the Atlantic Ocean from the United States, in the Scandinavian country of Finland.

Study in Finland

This recent study done in Finland by Tero Haukilehto in 2019 has the theme of cybersecurity awareness. Similar to the research done at Purdue by Lerums, this organizational study was done via surveys, but also included seminars. The work was to find the current level of cybersecurity awareness, as a baseline. From the baseline, recommendations were made on how to improve cybersecurity awareness. First, the research provided information to demonstrate the seriousness of the lack of cybersecurity awareness within organizations.

The Finland study reported on work from IBM’s Security Services; IBM found that ninety-five percent of the time a data breach was due to an employee. In most situations it was an employee who was deceived by a phishing email, a form of socially engineered attack. This study also used previous research done by Enjoy Safer Technology, ESET (2017), who found that one-third of organizations don’t do cybersecurity training (Haukilehto, 2019). Even when an employee did have cybersecurity training, sixteen percent of these employees didn’t even know they had had cybersecurity training. It is the organization’s management that did not provide cybersecurity training. It is key to address the root cause of continuous cybersecurity issues, which is to train the employees on these subjects.

Next, we look at Haukilehto’s (2019) research with participants, via one-hour cybersecurity lectures and subsequent surveys after the lectures. As predicted, the research found that the organization’s weakness was a lack of cybersecurity awareness, as reported by employees on the surveys. This study in Finland further confirms a need for an organizational psychologist along with IT professional governance models to improve employees’ cybersecurity awareness. The cybersecurity awareness should result in goals to execute on for cybersecurity success. Next, a review of IT professional governance models is done to see whether they include motivational organizational psychology theories.

Informational Technology Models

The information technology models and governance frameworks are truly what their names imply: a model and a framework, a skeleton to guide success in an organization for information technology requirements. These frameworks and models are customizable, as used world-wide in likely millions of organizations. The author of this paper was on three project teams to implement the capability maturity model, the information technology infrastructure library, and the balanced scorecard, but not the cybersecurity capability maturity model.

Capability Maturity Model (CMM)

The capability maturity model was developed by Carnegie Mellon University as a tool to improve software development. It originated from the work of Watts Humphrey, who worked on software development improvements at Carnegie Mellon University (Duffy, 2016, Rouse, 2016). The capability maturity model is commonly practiced in other business areas outside of software development and for all types of organizations, including university research practices, the medical field, agriculture science, environmental services, and more (Yeh, Adams, Marshall, Dasgupta, Zhunushov, Richards, and Hay, 2017).

Yeh et al. (2017) describe the capability maturity model as a self-assessment tool that shows what level an organization has reached for its processes. They do not mention any use of organizational psychology theories. Without access to the Mental Measurements database or to the official capability maturity model documentation, it was not possible to verify whether the capability maturity model was validated against psychology theories. The maturity level, from one to five, indicates how mature the organization's processes are and where productivity can be improved. Productivity in an organization depends on written policies and procedures; the procedures become processes that are practiced, repeated, and updated. Whatever the organization's current maturity level, that level is the benchmark for identifying the steps to the next level. The five levels are shown in Figure 2, Capability Maturity Model's Five Levels of Maturity (Duffy, 2016; Rouse & Jayaram, 2016).


Figure 2. Capability Maturity Model’s Five Levels of Maturity (Duffy, 2016, Rouse & Jayaram, 2016.).


It takes management to drive an organization to the next maturity level, and no level can be skipped. It is not possible, for example, to go from level two, where processes are documented and repeatable, directly to level four, where all processes are managed and proven through data collection. Level five, the optimized level, is where employees are empowered. This matters for the problem of employees as the source of cybersecurity issues: if employees are empowered in their cybersecurity practices, improvement is inevitable. The author of this paper was a team member on a project to implement the capability maturity model for the entire information technology department of the seventh largest county in the United States; it seemed to be a short-term project, with no final documentation or plans for moving forward. Duffy (2016) advises using the balanced scorecard to reach levels four and five of the capability maturity model. The author of this paper was also a key information technology team member in implementing the balanced scorecard at the same county. Therefore, the balanced scorecard is considered next.

Balanced Scorecard (BSC)

            The balanced scorecard was originated by Robert Kaplan, a Harvard Business School accounting professor, together with David Norton, an international consultant (Schwartz, 2005). The balanced scorecard was developed in the early 1990s, and the first fifteen years after its release provide foundational material for this study. The balanced scorecard is an organizational change management tool, and that kind of tool is what is needed to solve problems with employees, which is relevant here because employees are the number one cause of cybersecurity issues. Employees need to change their behavior to reduce cybersecurity breaches in organizations. The balanced scorecard works from high-level strategies down to the tactical detail of who performs which tasks, and it is action oriented for every person in the organization (Martinson, Davison, & Tse, 1999, as cited by Chen-Yuan, Yi-Feng, Cheng-Wu, Lien-Tung, & Tsung-Hao, 2010).

The balanced scorecard starts with a vision and a mission statement for the entire organization and then for each department. Goals are then set to ensure that the vision and mission are fulfilled, and from the goals a roadmap is built to meet the goals, vision, and mission. The absence of vision and mission statements can break an organization, while having them greatly increases its chance of success (Bass & Bass, 2008). Vision and mission statements can also affect employees, especially when they match the employees' own values, and the work culture should embody them (Naous & Zahwi, 2018). To that end, vision and mission statements drive the organizational processes employees perform, which is a requirement for reaching maturity levels four and five in the capability maturity model (Juneja, 2015). In turn, this can be key to resolving the number one cybersecurity problem of organizations, the unmotivated and untrained employee.

As mentioned above, the author of this paper, Petersen, played a key role in implementing the balanced scorecard at one of the largest counties in the United States, Hennepin County. In tracking the main required balanced scorecard documents, which management asked the author of this paper to do, it was found that only twenty percent of the participants had vision and mission statements (Petersen, 2008). The Hennepin County Justice Department, which has been high profile during the Minneapolis riots of 2020, had none of the key documents; the Emergency Preparedness department had a vision statement but no mission statement and an incomplete strategy map; and Community Corrections had no vision or mission statement. The Sheriff's Office had no documents at all; possibly it did not participate, but it should have. The balanced scorecards were no longer used by approximately 2010.

One may wonder whether, if management had understood how valuable the balanced scorecard can be, the horrific murder of George Floyd, which the entire world watched in horror, might not have happened. It led to the Minneapolis riots, in which over five hundred businesses were destroyed, not to mention protests throughout the globe. This is of course off the subject of cybersecurity, but it demonstrates how important it is for management to define vision, mission, and goals down to each employee. Next is another tool on which the author of this paper, Petersen, was a significant team member: the implementation of the information technology infrastructure library.


Information Technology Infrastructure Library (ITIL)

As the balanced scorecard implementation faded away, the Hennepin County Information Technology Department took an interest in the information technology infrastructure library. The information technology infrastructure library is over thirty years old. It originated in Britain with the government's Central Computer and Telecommunications Agency (CCTA) and has gone through several iterations over the decades. Per White (2019, p. 1), "information technology infrastructure library is used world-wide by IT Management". It has nine core principles, shown in Figure 3, Information Technology Infrastructure Library's Nine Core Principles (White & Greiner, 2019). Core values matter for an organizational change management tool, and because information technology is complex, core values are a must. The information technology infrastructure library is service oriented, so service is a core value. Rubio and Arcilla (2020) list its five specific service areas, shown in Figure 4, Information Technology Infrastructure Library's Five Service Areas (Rubio & Arcilla, 2020, p. 1).


Figure 3. Information Technology Infrastructure Library’s Nine Core Principles (White & Greiner, 2019)



Figure 4. Information Technology Infrastructure Library’s Five Service Areas (Rubio & Arcilla, 2020, p 1)

 


Figure 5. Information Technology Infrastructure Library’s Top Five Process Areas (Rubio & Arcilla, 2020 p2)

The next question is where these services occur; it is in the five processes shown in Figure 5, Information Technology Infrastructure Library's Top Five Process Areas (Rubio & Arcilla, 2020, p. 2). A universal problem in organizations is which process area to start the implementation in; organizations sometimes attempt to implement in more than one process area at once, for example Problem Management and Event Management. A study done in Norway by Iden and Eikebrokk (2014) provides a good illustration, showing that the 'Implementation' step has no detail (see Figure 6, Flowchart for Hypothesized Relationships among Information Technology Infrastructure Library Antecedents, Implementation, and Consequences, Iden & Eikebrokk, 2014, p. 9). Their flowchart also shows much more complexity under ITIL Antecedents and ITIL Consequences: ITIL Antecedents has four areas to address and ITIL Consequences has seven.


Figure 6. Flowchart for Hypothesized Relationships among ITIL Antecedents, Implementation and Consequences (Iden & Eikebrokk, 2014, p. 9).


In a recent study using a process ordering algorithm, How to Optimize the Implementation of ITIL through a Process Ordering Algorithm, Rubio and Arcilla (2020) concluded that the initial implementation of the information technology infrastructure library should begin with the Incident Management process. This is good for cybersecurity: if the implementation is done correctly, any social engineering attack performed on an employee can be reported, addressed, and documented swiftly. Nonetheless, management is responsible for ensuring that processes are in place and that employees are trained to identify and report a cybersecurity incident, especially a social engineering attack.

The author of this paper was on an initial implementation of the information technology infrastructure library model, and it did start with Incident Management for Level Two Support for one customer portfolio, called General Government. It took over two years to gather all the documentation, including an application inventory, system architectures, a list of databases, a list of all vendors, documented security access, and more. This team was to populate the Remedy software for Incident Management. The staff provided to the author of this paper to implement Level Two Support for General Government were former mainframe programmers who had no interest in becoming support for non-mainframe applications. But because the information technology infrastructure library is a mature framework, we had goals and specific documents to support the goals. Having reviewed the capability maturity model, the balanced scorecard, and the information technology infrastructure library, the next section addresses an information technology model specific to cybersecurity, the cybersecurity capability maturity model.

Cybersecurity Capability Maturity Model (C2M2)

            The cybersecurity capability maturity model is one of the many customizations of the capability maturity model. As the intent of this paper is to address cybersecurity, it is important to look at an established capability maturity model for cybersecurity. The cybersecurity capability maturity model was developed by the United States Department of Energy with input from private industry and other government agencies, specifically the National Institute of Standards and Technology (NIST) and its Cybersecurity Framework (U.S. Department of Energy, Office of Electricity Delivery and Energy Reliability, 2015). The focus of the cybersecurity capability maturity model is on critical infrastructure.

 Aside from the difference in originator, the cybersecurity capability maturity model differs from the capability maturity model in its number of maturity levels. The cybersecurity capability maturity model uses four levels of maturity, Level 0 to Level 3, whereas the capability maturity model uses five (see Figure 7, C2M2's Four Levels of Maturity).


 

Figure 7. C2M2's Four Levels of Maturity (U.S. Department of Energy, Office of Electricity Delivery and Energy Reliability, 2015, p. 25).

Another difference from the capability maturity model is that the cybersecurity capability maturity model uses ten domains, each gauged for its own maturity level (see Figure 8, C2M2's Ten Domains). Each domain is benchmarked from level zero to level three. It should also be pointed out that the cybersecurity capability maturity model does not include employee empowerment at its highest level, as the capability maturity model does at level five. Since it is employees who cause cybersecurity issues, it is surprising that the cybersecurity capability maturity model does not address 'employees' in this way.
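The cumulative scoring rule described above, that each domain is benchmarked from level 0 to level 3 and that no level can be skipped, is shown below as an added Python example. It is not code from this thesis or from the Department of Energy's C2M2 toolkit; the domain names, practice identifiers and implemented/not-implemented flags are constructed for illustration, and reporting the organization's overall level as its least mature domain is an assumption made for the example.

```python
"""Cumulative maturity scoring for a C2M2-style self-assessment.

Added example for this thesis; it is not code from the thesis or from the
DOE C2M2 toolkit. It assumes the rule the text states: each domain is
benchmarked from level 0 to level 3, and no level can be skipped, so a
domain reaches a level only when every practice at that level and at every
lower level is implemented. Domain names, practice identifiers and the
implemented/not-implemented flags are constructed for illustration.
"""
from dataclasses import dataclass

LEVELS = (1, 2, 3)  # level 0 is the default when level 1 is not fully met


@dataclass(frozen=True)
class Practice:
    name: str          # constructed identifier, e.g. "RM-2b"
    level: int         # the maturity level the practice belongs to (1..3)
    implemented: bool  # self-assessment result


def domain_level(practices):
    """Highest level such that all practices at that level and below are implemented.

    Stops at the first level that is incomplete, so implemented practices at a
    higher level do not count: a level cannot be skipped.
    """
    achieved = 0
    for lvl in LEVELS:
        at_level = [p for p in practices if p.level == lvl]
        if not at_level or not all(p.implemented for p in at_level):
            break
        achieved = lvl
    return achieved


def gaps_to_next_level(practices):
    """Names of the unimplemented practices blocking the next level for a domain."""
    target = domain_level(practices) + 1
    if target > max(LEVELS):
        return []
    return [p.name for p in practices if p.level <= target and not p.implemented]


def assess(domains):
    """Map each domain name to its achieved level."""
    return {name: domain_level(ps) for name, ps in domains.items()}


def overall_level(domains):
    """Assumed reporting convention for this example: the organization is only as
    mature as its least mature domain."""
    return min(assess(domains).values())


# Constructed self-assessment; three of the ten domains are shown.
SAMPLE_ASSESSMENT = {
    "Risk Management": [
        Practice("RM-1a", 1, True), Practice("RM-1b", 1, True),
        Practice("RM-2a", 2, True), Practice("RM-2b", 2, True),
        Practice("RM-3a", 3, True), Practice("RM-3b", 3, False),
    ],
    # Level 3 practices are done but a level 2 practice is not: the domain stays at level 1.
    "Incident Response": [
        Practice("IR-1a", 1, True),
        Practice("IR-2a", 2, True), Practice("IR-2b", 2, False),
        Practice("IR-3a", 3, True), Practice("IR-3b", 3, True),
    ],
    "Workforce Management": [
        Practice("WM-1a", 1, True), Practice("WM-1b", 1, False),
        Practice("WM-2a", 2, True),
    ],
}

if __name__ == "__main__":
    for name, practices in SAMPLE_ASSESSMENT.items():
        print(f"{name}: level {domain_level(practices)}, "
              f"blocking next level: {gaps_to_next_level(practices) or 'none'}")
    print(f"overall: level {overall_level(SAMPLE_ASSESSMENT)}")
```

The break at the first incomplete level is what enforces the no-skipping rule: the Incident Response domain in the sample has every level 3 practice implemented, yet it is scored at level 1 because one level 2 practice is missing, and that missing practice is exactly what gaps_to_next_level reports.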

The cybersecurity capability maturity model does have the domains needed for cybersecurity management. Where it needs improvement is in its focus on the employee and on empowerment; one suggestion is an eleventh domain for 'cybersecurity-trained employees for empowerment'. Like the capability maturity model, the cybersecurity capability maturity model can be customized. Next is an example of a customized cybersecurity capability maturity model.




Figure 8. C2M2's Ten Domains (U.S. Department of Energy, Office of Electricity Delivery and Energy Reliability, 2015, p. 20).


In Jamaica, Barclay (2014) developed a cybersecurity capability maturity model to help developing countries become more mature. It has six elements: 1) society, 2) operational, 3) education, 4) technical, 5) business, and 6) legal and regulatory. The six 'elements' can be seen as the counterpart of the ten 'domains' of the original cybersecurity capability maturity model. Barclay also customized the number of maturity levels, using six levels, zero to five, versus the original four. Further, each of the six levels has eight 'indicators', and the eight indicators apply to each of the six elements or domains (see Figure 9, Barclay's C2M2 Model for Developing Nations Cybersecurity Awareness). Just as with the original cybersecurity capability maturity model, it does not address the employee or organizational psychology theories. But, as this paper's theme includes employee behavior, several other customized cybersecurity maturity models are briefly reviewed next.


Figure 9. Barclay’s C2M2 Model for Developing Nations Cybersecurity Awareness


Other Cybersecurity Maturity Models 

Rea-Guamán, Feliu, Calvo-Manzano, and Sanchez-Garcia (2017) studied various cybersecurity maturity models, focusing on those mentioned most often in the literature. These frequently mentioned cybersecurity maturity models are paraphrased below:

  • The National Initiative for Cybersecurity Education (NICE) grew out of the Comprehensive National Cybersecurity Initiative (CNCI). Its highest maturity level is three, and it is aimed at training cybersecurity staff, not all employees.
  • The Community Cyber Security Maturity Model (CCSMM) was developed by the Center for Infrastructure Assurance and Security (CIAS) at the University of Texas at San Antonio. Its highest maturity level is five, at which members of the organization teach others cybersecurity practices and procedures.
  • The Systems Security Engineering Capability Maturity Model (SSE-CMM) comes from the National Security Agency (NSA). It has five levels of maturity across twenty-two process areas and does a good job of addressing internal and external security, but it has no process for cybersecurity training and awareness for employees. Its highest level of maturity includes quantitative performance measurement against the organization's business goals.

Again, none of these cybersecurity maturity models specifically addresses employee motivation, even though, as noted in the Finland study, ninety-five percent of data breaches were due to an employee (Haukilehto, 2019). Since many if not most cybersecurity professionals read Krebs on Security, it is interesting that when Krebs reviewed cybersecurity maturity models he did not include the cybersecurity capability maturity model, the National Initiative for Cybersecurity Education, the Community Cyber Security Maturity Model, or the Systems Security Engineering Capability Maturity Model.

Krebs looked at InfoSec's Cybersecurity Maturity Model and one from Blue Lava Consulting. InfoSec's maturity model covered regulatory requirements such as the Payment Card Industry (PCI) standard, the Health Insurance Portability and Accountability Act (HIPAA), European Union (EU) regulation, and more, on a scale from reactive to proactive; it was very high level and did not seem usable. Krebs preferred the model from Blue Lava Consulting, which has three levels of maturity in a Responsible, Accountable, Consulted, and Informed (RACI) chart for the domains of Cybersecurity Training and Cybersecurity Awareness. Again, neither of the models Krebs reviewed addresses the root organizational issue in cybersecurity, which is employee behavior.

Of the literature reviewed so far in this paper, including three international studies, four information technology and governance models, and five additional cybersecurity maturity models, none addressed the psychology of the employee or of the organization. Per the theme of this paper, it is the employee who is the number one cause of cybersecurity attacks and data breaches. Employees need to be motivated to understand how important their role is and to perform it. It therefore makes sense to look next at organizational psychology theories related to employee motivation.

             

Organizational Psychology Theories

            All organizations want to be successful, and organizations are made up of people who have knowledge, skills, and abilities. The field of organizational psychology arose from this need to achieve organizational success through employees; it applies psychology theories to understand how to motivate employees to use their knowledge, skills, and abilities. As this paper addresses the number one reason cybersecurity attacks and breaches occur, the employee, it is important to know how to motivate an employee to do their best in cybersecurity practices. Three foundational organizational psychology theories are explored here: the need achievement theory, the MODE theory, and the social cognitive theory.

Need Achievement Theory

The need achievement theory is, at its core, an individual's need to achieve a goal or goals, but the goal must be attainable (VandenBos, 2007). For actual cybersecurity practice, it is management that should define the goals for the organization's cybersecurity policies, procedures, processes, and practices for each employee, and the goals must reach down to each employee in the organization. The need achievement theory also holds that the individual must believe, or needs to know, that they can achieve the goal. One way to make an employee confident they can meet goals that greatly reduce organizational cybersecurity issues is cybersecurity awareness training. But does a single annual cybersecurity training suffice? It does not. Maidment (2012), writing in the peer-reviewed Human Resources Annual Edition, reports that an employee must be told how to do something thirteen times to be successful in doing it. Management should therefore set a goal for every manager that employees are reminded, trained, and retrained thirteen times on all of their cybersecurity-related duties.

As stated earlier, the balanced scorecard is an organizational tool for defining goals and how to achieve them, and the capability maturity model gauges an organization's maturity for processes that are practiced until the employee is empowered to meet the process goal. If the need achievement theory addresses an employee's need to achieve, a manager may ask why not simply use an achievement theory. Covington (2000) studied the foundations of goal theories to understand what student learning depends on, using an accumulation of various goal and motivation theories to examine school achievement. He found that the best theory for understanding why someone would choose a goal is the need achievement theory. Of note, Covington concluded that a psychologist should work with management on visions, missions, and roles; a psychologist working with management would be an organizational psychologist. Hence the need for organizational psychology even in the cybersecurity arena.

Vision, mission, and goals dominate the balanced scorecard, and the balanced scorecard is the best tool for reaching levels four and five of the capability maturity model. Need achievement is integral to employees succeeding in reducing an organization's cybersecurity issues. Continuing with studies in the education field, the next section looks at how the need achievement theory was observed in a university study from Sweden, a country that excels in education and wealth.

This part of the literature review covers a study done in Sweden in 2012 by Erik Lindberg of Umeå University, Umeå, Sweden. Lindberg's purpose was to understand how high school principals in Sweden use their time in order to achieve long-term goals. He conducted a quantitative study by mailing questionnaires to all the principals of Sweden's upper secondary schools. Lindberg reports that the starting point of any successful organization is to set goals. In the Theoretical Background section of his paper, he describes the use of goal setting theory and emphasizes that it is rooted in the need achievement theory. Surprisingly, Lindberg did not mention vision or mission statements. He said the schools in Sweden use a customized private sector tool, management by objectives (MBO), under the name school-based management (SBM); but are the objectives tied to a vision or mission? One may wonder whether they are, as that would help in assigning goals that increase the need to achieve at the individual level. Because researchers such as Covington and Lindberg concur that goal theory is rooted in the need achievement theory, the need achievement theory is the one used in this paper.

The need achievement theory was developed by Henry Alexander Murray, a Harvard professor, and expanded on by David McClelland. Murray died in 1988 and McClelland ten years later, in 1998, so their foundational work necessarily predates the year 2000, and as shown above it is still highly valued (Runyan, 2020). Another theory important to employee success addresses the employee's attitude and how social factors influence an employee. The next two psychology theories used in organizations are the MODE theory and the social cognitive theory.


MODE Model or Theory

The MODE model, or theory, is a way to understand a person's attitude toward an activity. One's motivation and the opportunity to act on it determine how attitude guides behavior; hence MODE is an acronym for Motivation and Opportunity as DEterminants (Fazio & Olson, 2013; VandenBos, 2007). Russell Fazio proposed it in 1990, so foundational literature needs to be consulted. It is classically referred to as the MODE model, or as a dual process theory, because it describes two processes linking attitude and behavior.

Fazio and Olson (2013) reviewed other theories related to Fazio's MODE model to support the view that one's actions can be automatic, like second nature, or controlled, that is, deliberate. These automatic and controlled thoughts, feelings, and behaviors shape one's attitude. A way to change automatic or controlled thoughts, feelings, and behaviors is to supply a motivation, and the motivation must be accompanied by an opportunity to act. This is useful in understanding what it may take for an employee to form a new habit or automatic response for practicing cybersecurity processes. Literature relating the MODE model to vision, goals, or mission was lacking. However, the MODE model is related to social cognition, which is addressed next.


Social Cognitive Theory

As social engineering attacks are the number one means of deceiving employees into unwittingly enabling cybersecurity breaches, it follows that cyber criminals use a form of social psychology. Organizations have the opportunity to use social psychology too, specifically social cognitive theory. VandenBos (2007) points out simply that social cognitive theory combines cognitive theory and social theory, explaining how the sociocultural environment affects one's behavior.

Latham (2007) established that social cognitive theory is dominant in the fields of human resources, industrial and organizational psychology, and organizational behavior. Organizations can ingrain cybersecurity practices in the work culture, and co-workers can provide social support. Social cognitive theory is effective because it includes one's self-assessment, feedback from others, and goals. Again, we see how important goals are.

It is up to management to set goals, and those goals should include robust cybersecurity practices. It is not uncommon for upper management to fail to follow the organization's cybersecurity policies, procedures, and practices themselves, something the author of this paper has observed over and over again. So the next step in supporting a cybersecurity social culture is to make managers and all employees more accountable through a whistleblower policy.

There are several studies of whistleblower policies, because most organizations do not promote such a policy even when they have one. A study in Norway by Sørensen and Magnussen (2020) takes a distinctive view: offering a reward to those who blow the whistle. The reward is a motivation and signals socially that wrongdoing is not acceptable. Their study gauged whether a reward policy would motivate employees. The employees said they would be motivated by a monetary reward for whistleblowing, and many said the reward should take the form of a salary raise. This is encouraging because it implies the employee wants to stay with the organization if they get a raise, while knowing that blowing the whistle is socially acceptable. There was also concern, however, that some employees might blow the whistle falsely just to obtain the reward. A whistleblower policy could be a good way to improve cybersecurity practices and policies, since employees often see other employees, even high-level managers, fail to abide by them.

Social cognitive theory needs to be incorporated into change management tools and IT models to motivate employees and make cybersecurity practices the 'most socially acceptable' behavior. One tried and true method of ingraining social cognition is used in group formation: forming, storming, norming, and performing (Brehm, Kassin, & Fein, 2005). Forming, storming, norming, and performing should also be considered in any effort to reduce the number one cybersecurity problem, the lack of employee training and responsibility.

Results and Discussion


Overview

                This study dealt with the number one root cause of cybersecurity breaches and attacks, using the theory that current IT models do not include human motivation theories from organizational psychology. Five hypotheses addressed the theory. Hypotheses one through three examined three well-known IT models, the capability maturity model, the cybersecurity capability maturity model, and the information technology infrastructure library, to see whether they include three well-known organizational psychology theories: the need achievement theory, the MODE model or theory, and the social cognitive theory. The fourth hypothesis was that the balanced scorecard (BSC) does address those organizational psychology theories. The fifth hypothesis was that a new IT cybersecurity model could be recommended that includes organizational goals and psychology and encompasses everyone in the organization.

Hypothesis One through Three, IT Models with no Organizational Psychology

                The literature review of the three selected IT models, the capability maturity model, the cybersecurity capability maturity model, and the information technology infrastructure library, found no evidence that the three organizational psychology theories are present in them. The review covered who devised each IT model, how it is structured, whether the employee is considered, and whether any organizational or motivational psychology is used.

Hypothesis One Capability Maturity Model with no Organizational Psychology

The capability maturity model focuses on processes. This is important and useful for cybersecurity, as processes are needed especially for cybersecurity practices. Because most cybersecurity attacks and breaches are due to social engineering, there should be specific processes for how an employee can identify a social engineering attack and report it swiftly. Importantly, management should have goals and training for cybersecurity processes that specifically address employees' roles, their defined training, and their understanding of the processes. This IT model is highly customizable and is recommended for use with the balanced scorecard to reach the highest levels of maturity, four and five. Per the information found and reviewed on the capability maturity model, the hypothesis that it does not include specific organizational psychology theories was supported.

Hypothesis Two Cybersecurity Capability Maturity Model with no Organizational Psychology

The cybersecurity capability maturity model is a customization of the capability maturity model, designed for critical infrastructure. It differs from the capability maturity model in having four levels of maturity rather than five, and in using ten cybersecurity domains to gauge maturity, with less emphasis on processes than the capability maturity model. The tenth domain is Workforce Management. The cybersecurity capability maturity model is customizable, one example being the customization for developing nations. It could likewise be customized to include organizational psychology theories, as an eleventh domain such as 'Empowered Workforce for Cybersecurity'.

Other cybersecurity maturity models were also lightly reviewed. One, the National Initiative for Cybersecurity Education (NICE), specifically addresses training cybersecurity staff. The Community Cyber Security Maturity Model (CCSMM) states that at its highest level staff train each other on cybersecurity; of the models reviewed, this one was most focused on empowering employees' cybersecurity practices. The Systems Security Engineering Capability Maturity Model (SSE-CMM) has five levels of maturity and twenty-two process areas for internal and external cybersecurity practices, but not at the employee level. Additionally, the Krebs on Security blog was searched for cybersecurity models, and Krebs recommended two: 1) InfoSec's Cybersecurity Maturity Model and 2) Blue Lava Consulting's model. Of the two, Blue Lava Consulting's addresses cybersecurity awareness and training; neither references organizational or motivational psychology.

Because cybersecurity attacks and breaches usually come through the exploitation of employees, it is important that organizations have incident management through which employees can easily inform IT and management of cybersecurity problems or questions. Per the information found and reviewed on the cybersecurity capability maturity model and similar cybersecurity models, the hypothesis that they do not include specific organizational psychology theories was supported. The next IT model discussed is the information technology infrastructure library.

Hypothesis Three Information Technology Infrastructure Library with no Organizational Psychology

The information technology infrastructure library could be considered a legacy IT model, as it is over forty years old. It does not include specific organizational psychology theories, but it does include core principles, which are important to organizational success. Some of the nine core principles are: work holistically, be transparent, and collaborate, terms that are also found in the organizational psychology field. The first process an organization should implement from the library is incident management. It is vital that high-quality incident management be documented and practiced for cybersecurity social engineering attacks. But, as the information technology infrastructure library was created for IT management, it is important that the entire organization embrace and be motivated to practice cybersecurity processes, which comes from management. Also, per the information found and reviewed on the Information Technology Infrastructure Library, there was no evidence of organizational psychology theories being used; hence the hypothesis was confirmed. The balanced scorecard is a change management tool used to impact the entire organization and each and every employee; does it perhaps include organizational psychology theories?

Hypothesis Four Balanced Scorecard with Organizational Psychology

After a literature review of the balanced scorecard, the hypothesis that it addresses organizational psychology theories, specifically the need achievement theory, the MODE theory, and the social cognitive theory, was not proven. As the balanced scorecard is used in organizational and industrial psychology practices, it could be based on the aforementioned organizational psychology theories. Due to the lack of access to the Mental Measurements database, which tracks psychology theories for organizational psychology practice, verification of the three psychology theories could not be done. Another limitation was that one cannot access the actual balanced scorecard details without paying a certified balanced scorecard business.

The author of this paper was on an implementation team for the balanced scorecard and has completed coursework in organizational and industrial psychology, and so has a basis for expecting this tool to succeed, especially when it comes to employees successfully practicing their duties. This is because the balanced scorecard starts with a must for success, a vision and mission statement, followed by strategies and goals that reach each person in an organization. Now we will look at hypothesis five to see if the balanced scorecard is recommended as a proposed solution to make a significant impact on reducing the number one cybersecurity problem, the untrained and unmotivated employee.

Hypothesis Five A Cybersecurity + Organizational Psychology Recommendation

Based on the need for further research on why cybersecurity issues continue to be the number one problem for organizations because of the employee, and on the lack of proof that IT models address this, a new IT model for cybersecurity is warranted. The model will use aspects of current IT models and organizational psychology theories to motivate employees. The organizational psychology theories are those reviewed in this paper: the need achievement theory, the MODE model/theory, and the social cognitive theory. This Cybersecurity + Organizational Psychology model will promote the IT models and change management tools the author of this paper has used in practice. These are the capability maturity model, the information technology infrastructure library and the balanced scorecard.

Along with recommending and planning the Cybersecurity + Organizational Psychology model, a blog that will also serve as a website, https://www.cybersecorgpsych.com/, was developed. In addition, a business plan has been drafted and is in Appendix 1 Cyber Security + Organizational Psychology Business Plan - Draft. The outline for the Cybersecurity + Organizational Psychology model that emphasizes ‘employee empowerment for cybersecurity’ is as follows:

  • Vision Statement
  • Mission Statement
  • Short Term Goals
  • Long Term Goals
  • Processes
  • Project Plan
  • Project Work Breakdown Structure
  • Worker Motivation Plan
  • Training Plans
  • Marketing Plan
  • More . . .

Conclusion


There is much work to be done to resolve the number one reason for cybersecurity attacks and breaches. But, as we know via prior research and on-going reports from various sources, it is due to the employees that the number one problem still exists. One of these social engineering attacks occurred this month, July 2020, at Twitter; if even Twitter can have its employees socially engineered, it can happen to any organization (Columbus, 2020). A new approach to address employee motivation in regards to cybersecurity is the next sound path for the author of this paper to pursue, as well as a subject for future IT and Organizational Psychology research. Ultimately, this can save organizations millions of dollars per year. Per Brook (2019), “In the U.S. a data breach costs a company on average $8.19 million, an increase from $7.91 million in 2018, and more than twice the global average”. Would it not be most meaningful work to play a part in resolving the number one reason for cybersecurity attacks and breaches, one that has even recently impacted Twitter, yes Twitter?




References


Aldawood, H. & Skinner, G. (2019). Reviewing Cyber Security Social Engineering Training and Awareness Programs—Pitfalls and Ongoing Issues. School of Electrical Engineering and Computing, University of Newcastle, Newcastle 2308, Australia. Retrieved on April 24, 2020 from https://www.mdpi.com/1999-5903/11/3/73/pdf

Barclay, C. (2014). Sustainable Security Advantage In A Changing Environment: The Cybersecurity Capability Maturity Model (CM2). University of Technology Jamaica. Retrieved May 1, 2020 from: https://www.researchgate.net/profile/Corlane_Barclay/publication/262917234_Sustainable_Security_Advantage_in_a_Changing_Environment_The_Cybersecurity_Capability_Maturity_Model/links/00b7d5394626356894000000/Sustainable-Security-Advantage-in-a-Changing-Environment-The-Cybersecurity-Capability-Maturity-Model.pdf.

Bass, B. M., & Bass, R. (2008). The Bass handbook of leadership: Theory, research, and managerial applications (4th ed.). NY: Free Press.

Brehm, S.S., Kasin, S., & Fein, S. (2005). Social Psychology. Boston, MA: Houghton Mifflin Company.

Brook, C. (2019). What's the Cost of a Data Breach in 2019? Retrieved June 28, 2020 from: https://digitalguardian.com/blog/whats-cost-data-breach-2019#:~:text=In%20the%20U.S.%20a%20data,%2C%20%24242%2C%20is%20steeper%20too.

Chen-Yuan C., Yi-Feng Y., Cheng-Wu C., Lien-Tung C., & Tsung-Hao C. (2010). Linking The Balanced Scorecard (BSC) To Business Management Performance: A Preliminary Concept Of Fit Theory For Navigation Science And Management. International Journal of the Physical Sciences, Vol. 5(8), p 1296-1305. Retrieved May 22, 2020 from: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.1014.405&rep=rep1&type=pdf.

Columbus, L. (2020). Dissecting the Twitter Hack with a Cybersecurity Evangelist. Retrieved July 19, 2020 from: https://www.forbes.com/sites/louiscolumbus/2020/07/18/dissecting-the-twitter-hack-with-a-cybersecurity-evangelist/#31c51f4047df

Covington, M.V. (2000). Goal theory, motivation, and school achievement: an integrative review. Annu. Rev. Psychology, 51,171-200.

Duffy, G. (2016). Achieve higher levels of excellence through the capability maturity model. Retrieved May 21, 2020 from: http://faculty.mercer.edu/burtner_j/documents/leveling-upQPJune2016CMMI.pdf.

EC-Council (2018). Ethical Hacking and Countermeasures v10, Courseware Volume 10. Albuquerque, NM: EC-Council.

Fazio, R.H. & Olson, M.A. (2013). The MODE model: Attitude‐Behavior Processes as a Function of Motivation and Opportunity. Retrieved May 29, 2020 from: https://www.asc.ohio-state.edu/psychology/fazio/documents/FazioOlson_DualProcessVolume__Feb062013.pdf

Harris, S. (2013). All in one CISSP exam guide. 6th Ed. NY, NY: McGraw Hill.

Haukilehto, T. (2019). Improving Cyber Security awareness - Health, social services and regional government reform in South Ostrobothnia. (Published Master’s Programme in Information Technology Cyber Security Thesis). School of Technology, Communication and Transport. JAMK University of Applied Sciences, Finland. Retrieved from: https://pdfs.semanticscholar.org/f335/feb5e079d29cc0460ff91e4cf719079f1b48.pdf.

Holman, P., Devane, T., Cady S., & Associates (2007).  The Change Handbook.   San Francisco:  Berrett-Koehler Publishers, Inc.

Iden, J., & Eikebrokk, T. R. (2014). Using the ITIL process reference model for realizing IT governance: An empirical investigation. Information Systems Management, 31(1), 37-58. Retrieved May 26, 2020 from: https://uia.brage.unit.no/uia-xmlui/bitstream/handle/11250/2391297/Iden_Using.pdf?sequence=3

Juneja, P. (2015). Importance of Vision and Mission Statements. Retrieved May 22, 2020 from: https://www.managementstudyguide.com/importance-of-vision-and-mission-statements.htm.

Krebs, B. (2020). What’s Your Security Maturity Level? [Blog post]. Retrieved May 15, 2020 from: https://krebsonsecurity.com/2015/04/whats-your-security-maturity-level/.

Kumar, R. (2014). Research Methodology: a step-by-step guide for beginners (4th ed.). Thousand Oaks, CA: Sage Publications.

Latham, G.P., (2007). Work Motivation, History, Theory, Research and Practice. Thousand Oaks, CA: Sage Publication

Lerums, J. L. (2018). Measuring The State Of Indiana’s Cybersecurity. (Unpublished Dissertation in Partial Fulfillment of the Requirements for the Doctoral degree). Purdue University, West Lafayette, Indiana. Retrieved April 24, 2020 from: https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2019-2.pdf

Lindberg, E. (2014). Principals with and without performance measures means no change? Journal of Organizational Change Management, 27(3), 520-531. doi:http://dx.doi.org.ezproxy1.apus.edu/10.1108/JOCM-07-2013-0113. Retrieved May 23, 2020 from: https://search-proquest-com.ezproxy1.apus.edu/docview/2154261630?accountid=8289&rfr_id=info%3Axri%2Fsid%3Aprimo.

Maidment, F. (Ed.). (2012). Annual editions: Human resources (21st ed.). Dubuque, IA: McGraw Hill. ISBN: 9780073528717.

National Institute of Standards and Technology (NIST) 800-37 Rev 2 (2018). Risk Management Framework for Information Systems and Organizations. U.S. Department of Commerce.

Naous, A. J. & Zahwi, L. (2018). From balanced scorecard to the science of strategy execution: 25 years of research creating shared value and positive impact. International Journal of Academic Research and Development, Vol 3(5), p142-144. Retrieved May 22, 2020 from: https://s3.amazonaws.com/academia.edu.documents/57880826/3-5-50-465.pdf?response-content-disposition=inline%3B%20filename%3DFrom_balanced_scorecard_to_the_s.

Pauli, J. (2013). The Basics of Web Hacking. Retrieved April 24, 2020 from: https://www.sciencedirect.com/topics/computer-science/social-engineering-attack

Rea-Guamán, A. M., Feliu, T. S., Calvo-Manzano, J. A.  & Sanchez-Garcia, I. (2017). Comparative Study of Cybersecurity Capability Maturity Models. 100-113. 10.1007/978-3-319-67383-7_8. Retrieved May 19, 2020 from: https://www.researchgate.net/publication/319640924_Comparative_Study_of_Cybersecurity_Capability_Maturity_Models/citation/download.

Rouse, M., & Jayaram, M.N. (2016). Capability Maturity Model (CMM).  Retrieved May 10, 2020 from: https://searchsoftwarequality.techtarget.com/definition/Capability-Maturity-Model.

Rubio, J. L. & Arcilla, M. (2020). How to Optimize the Implementation of ITIL through a Process Ordering Algorithm. Applied Sciences, 10(1), 34. Retrieved April 26, 2020 from: https://www.mdpi.com/2076-3417/10/1/34/htm#cite.

Runyan, W. M. (2020). Murray, Henry Alexander. Retrieved from: https://www.encyclopedia.com/people/medicine/psychology-and-psychiatry-biographies/henry-alexander-murray.

Schwartz, J. (2005). Project Management: Balanced Scorecard [Electronic version]. Military Medicine, Vol 170(10), 855-858.

Sirius Business Radio (April 28 2020). New Email Hacks – Send Email with Correct Corporate Email but it is Fake, Causes Millions of Dollars Daily to Businesses.

Sørensen, J., & Magnussen, L. (2020). Whistleblowing in Norwegian Municipalities: Can Offers of Reward Influence Employees’ Willingness and Motivation to Report Wrongdoings? Sustainability, 12(8). Retrieved May 23, 2010 from: https://doi.org/10.3390/su12083479. https://www.mdpi.com/2071-1050/12/8/3479

Splunk Security (2020). Splunk IT Security Predictions 2020 [Blog post]. Retrieved April 16, 2020 from: https://www.splunk.com/pdfs/ebooks/security-predictions-2020.pdf.

U.S. Department of Energy, Office of Electricity Delivery and Energy Reliability (2015). Energy Sector Cybersecurity Framework Implementation Guidance. Retrieved from: https://www.energy.gov/sites/prod/files/2015/01/f19/Energy%20Sector%20Cybersecurity%20Framework%20Implementation%20Guidance_FINAL_01-05-15.pdf.

VandenBos, G.R. (2007). APA Dictionary of Psychology. American Psychological Association: Washington, D.C.

Verizon (2019). 2019 Data Breach Investigations Report. Retrieved April 30, 2020 from: https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf.

White, S. K. & Greiner, L. (2019). What is ITIL? Retrieved May 10, 2020 from: https://www.cio.com/article/2439501/infrastructure-it-infrastructure-library-itil-definition-and-solutions.html.

Yeh, K. B., Adams, M. L., Marshall, E.S., Dasgupta, D., Zhunushov, A., Richards, A. L., & Hay, J. (2017). Applying a Capability Maturity Model (CMM) to evaluate global health security-related research programmes in under-resourced areas. Global Security: Health, Science and Policy, 2:1, 1-9. DOI: 10.1080/23779497.2017.1279022. Retrieved from: https://www.tandfonline.com/doi/pdf/10.1080/23779497.2017.1279022?needAccess=true.






Appendices


Appendix 1 Cyber Security + Organizational Psychology Business Plan - Draft


Cyber Security + Organizational Psychology

= Best Offense and Defense for Cyber Security

Draft Business Plan

 

Dianne Petersen, PMP, I/O PhD (abd), Cybersecurity Master’s Candidate

 

 

Email:   cyberorgpsych@gmail.com

Website/Blog: https://www.cybersecorgpsych.com/






Executive Summary


This company, CyberSecurity + OrgPsych = Best Offense and Defense for Cyber Security, looks exclusively at the number one reason for cybersecurity attacks on organizations, which is social engineering. It happens at all organizations and is the simplest to fix, which is to ‘Empower Employees For Cybersecurity’. Here is a perfect recent example: a social engineering attack was a success even at Twitter in July 2020 (Forbes, by Louis Columbus, July 18, 2020):

“Using SIM swapping (call to cell phone provider convincing they are owner of account), in which threat actors (hackers) trick, coerce or bribe employees of their victims to gain access to privileged account credentials and administrative tools, hackers were able first to change the email address of each targeted account. Next, two-factor authentication was turned off so when an alert was sent of the account change it went to the hacker's email address. With the targeted accounts under their control, hackers began promoting their cryptocurrency scam.”


CyberSecurity + OrgPsych uses IT and management tools along with motivational organizational psychology theory to have management ensure that employees are empowered to follow cybersecurity practices, especially against social engineering.

 


Business Description & Vision


Vision: To make a significant impact on reducing the number one cause of cybersecurity attacks and breaches, which costs billions of dollars every year, using peer-reviewed information from Information Technology Models and Organizational Psychology.


Mission: Provide resources on motivational organizational psychology theories to ALL who use this blog, so that they understand how to significantly reduce cybersecurity attacks and breaches.


  • Goal 1: Convey the importance of the employee’s role in cybersecurity, since most cybersecurity attacks and breaches result from employees being socially engineered

  • Goal 2: Motivate management and employees to act on their role in safeguarding against costly cybersecurity incidents, using motivational organizational psychology theories and tools

  • Goal 3: Provide consulting for an audit of current cybersecurity policies, procedures and practices; then follow up with an on-going plan for improvement to assure that cybersecurity is practiced and cybersecurity incidents are reduced

  • History of Business: The principal, Dianne Petersen, knows from work experience and studies in Cybersecurity that the number one cause of cybersecurity attacks and data breaches is something as simple as social engineering. While she was also studying to be a Certified Ethical Hacker, it was emphasized that the number one reason is a compromised employee, which is why she questioned continuing to learn languages, networks and operating systems to prevent cyber-crime when there was obvious low-hanging fruit. She also has a PhD (abd) in Industrial and Organizational Psychology, so she is aware of the importance of on-going employee training.

  • Key Company Principal: Dianne Petersen, a certified project manager, a candidate for a Cybersecurity Master’s degree, PhD (abd) in Industrial and Organizational Psychology, with 80 credits in computer programming & networking, a four-year Accounting degree, and 25 years in the IT field as a computer and database programmer, business analyst and project manager.

 


Definition of the Market

 

Business Industry Outlook and Critical Needs: Cybersecurity attacks and data breaches cost companies billions of dollars every year. There is a need to solve this as soon as possible. How? As recently as July 2020, Twitter was hacked via a social engineering attack on an employee. This has been found true for many cybersecurity incidents. By focusing on the employee having cybersecurity awareness, training and auditing, especially in regards to social engineering, this problem could be solved more quickly than by trying to see who is hacking a system, since the employee who receives an email, fake voicemail or link needs to know how to deal with it.


Target Market: This is any organization that would like a sound ‘novel’ approach to reduce their cybersecurity attacks by focusing on employee empowerment for their cybersecurity duties.


Market Share: Potentially this is any organization with a concern about how to most cost effectively reduce cybersecurity attacks and breaches.


 


Description of Products and Services

 

Products and Services: Documentation on social-engineered cybersecurity attacks showing where they have occurred and their cost to an organization; this can be found on the website/blog. Documentation for organizations is an audit to review their current cybersecurity policies and procedures, along with a cybersecurity scorecard survey for all employees to complete. A Vision and Mission will be created specifically for Cybersecurity Employee Empowerment goals. The goals will include motivational organizational psychology theories. There needs to be an on-going relationship with the client to assure that the cybersecurity practices are practiced. Note: Project management documents will also be included (stakeholder list, project plan, work breakdown structure, risk assessment, RACI chart, monthly status reports and others as needed).

 


Marketing and Sales Strategy


Marketing and Sales: The market is any organization that wants to resolve the number one reason why cybersecurity attacks and breaches occur, which is social engineering methods used on employees. Sales of services to address this issue will occur via website or blog inquiries, as well as cold calls by phone, initially to local businesses. Charges will start with an audit of current cybersecurity practices, including a cybersecurity scorecard for employees to complete. Then charges will cover all needed documentation and training to get the organization to the point of ‘employee empowerment for cybersecurity’.







Appendix 2: Sample of IRB Approval Letter




Appendix 3: Sample of the Capstone Approval Document



The Capstone thesis/project for the master’s degree submitted by the student listed (above) under this title:


Information Technology Models And Organizational Psychology Theories Used To Mitigate The Number One Reason For Cybersecurity Attacks And Breaches

 

has been read by the undersigned. It is hereby recommended for acceptance by the faculty with credit to the amount of 3 semester hours.