Skip to main content

Practitioners' Views on Cybersecurity Control Adoption and Effectiveness

Axon, Louise, Erola, Arnau, Janse van Rensburg, Alastair, Nurse, Jason R. C., Goldsmith, Michael, Creese, Sadie (2021) Practitioners' Views on Cybersecurity Control Adoption and Effectiveness. In: ARES 2021: The 16th International Conference on Availability, Reliability and Security. . ACM ISBN 978-1-4503-9051-4. (doi:10.1145/3465481.3470038) (KAR id:88746)

PDF Publisher pdf
Language: English

Download (716kB) Preview
[thumbnail of 3465481.3470038.pdf]
This file may not be suitable for users of assistive technology.
Request an accessible format
PDF Author's Accepted Manuscript
Language: English

Restricted to Repository staff only
Contact us about this Publication
[thumbnail of ares2021-85.pdf]
Official URL


Cybersecurity practitioners working in organisations implement risk controls aiming to improve the security of their systems. Determining prioritisation of the deployment of controls and understanding their likely impact on overall cybersecurity posture is challenging, yet without this understanding there is a risk of implementing inefficient or even harmful security practices. There is a critical need to comprehend the value of controls in reducing cyberrisk exposure in various organisational contexts, and the factors affecting their usage. Such information is important for research into cybersecurity risk and defences, for supporting cybersecurity decisions within organisations, and for external parties guiding cybersecurity practice such as standards bodies and cyber-insurance companies. Cybersecurity practitioners possess a wealth of field knowledge in this area, yet there has been little academic work collecting and synthesising their views. In an attempt to highlights trends and a range of wider organisational factors that impact on a control's effectiveness and deployment, we conduct a set of interviews exploring practitioners' perceptions. We compare alignment with the recommendations of security standards and requirements of cyberinsurance policies to validate findings. Although still exploratory, we believe this methodology would help in identifying points of improvement in cybersecurity investment, describing specific potential benefits.

Item Type: Conference or workshop item (Proceeding)
DOI/Identification number: 10.1145/3465481.3470038
Uncontrolled keywords: Cybersecurity Risk, Control Effectiveness
Subjects: H Social Sciences > HF Commerce
Q Science > QA Mathematics (inc Computing science)
T Technology
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
Depositing User: Jason Nurse
Date Deposited: 18 Jun 2021 09:11 UTC
Last Modified: 11 Feb 2022 16:01 UTC
Resource URI: (The current URI for this page, for reference purposes)
Nurse, Jason R. C.:
  • Depositors only (login required):


Downloads per month over past year