Skip to main content
Kent Academic Repository

Practitioners' Views on Cybersecurity Control Adoption and Effectiveness

Axon, Louise, Erola, Arnau, Janse van Rensburg, Alastair, Nurse, Jason R. C., Goldsmith, Michael, Creese, Sadie (2021) Practitioners' Views on Cybersecurity Control Adoption and Effectiveness. In: ARES 2021: The 16th International Conference on Availability, Reliability and Security. . ACM ISBN 978-1-4503-9051-4. (doi:10.1145/3465481.3470038) (KAR id:88746)

PDF Publisher pdf
Language: English

Download this file
[thumbnail of 3465481.3470038.pdf]
Request a format suitable for use with assistive technology e.g. a screenreader
PDF Author's Accepted Manuscript
Language: English

Restricted to Repository staff only
Contact us about this Publication
[thumbnail of ares2021-85.pdf]
Official URL:


Cybersecurity practitioners working in organisations implement risk controls aiming to improve the security of their systems. Determining prioritisation of the deployment of controls and understanding their likely impact on overall cybersecurity posture is challenging, yet without this understanding there is a risk of implementing inefficient or even harmful security practices. There is a critical need to comprehend the value of controls in reducing cyberrisk exposure in various organisational contexts, and the factors affecting their usage. Such information is important for research into cybersecurity risk and defences, for supporting cybersecurity decisions within organisations, and for external parties guiding cybersecurity practice such as standards bodies and cyber-insurance companies. Cybersecurity practitioners possess a wealth of field knowledge in this area, yet there has been little academic work collecting and synthesising their views. In an attempt to highlights trends and a range of wider organisational factors that impact on a control's effectiveness and deployment, we conduct a set of interviews exploring practitioners' perceptions. We compare alignment with the recommendations of security standards and requirements of cyberinsurance policies to validate findings. Although still exploratory, we believe this methodology would help in identifying points of improvement in cybersecurity investment, describing specific potential benefits.

Item Type: Conference or workshop item (Proceeding)
DOI/Identification number: 10.1145/3465481.3470038
Uncontrolled keywords: Cybersecurity Risk, Control Effectiveness
Subjects: H Social Sciences > HF Commerce
Q Science > QA Mathematics (inc Computing science)
T Technology
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
Depositing User: Jason Nurse
Date Deposited: 18 Jun 2021 09:11 UTC
Last Modified: 08 Jan 2024 11:54 UTC
Resource URI: (The current URI for this page, for reference purposes)

University of Kent Author Information

  • Depositors only (login required):

Total unique views for this document in KAR since July 2020. For more details click on the image.