Litcius/Paper detail

The security mindset: characteristics, development, and consequences

Koen Schoenmakers, Daniel Greene, Sarah E. Stutterheim, Herbert Lin, Megan J. Palmer

2023Journal of Cybersecurity24 citationsDOIOpen Access PDF

Abstract

Abstract The world is facing a cybersecurity skills gap as cybercrime and cyberwarfare grow in importance. One often-discussed quality that is potentially relevant to cybersecurity recruitment and education is the so-called “security mindset”: a way of thinking characteristic of some security professionals that they believe to be especially advantageous in their work. Although some employers express a desire to hire people with a security mindset, and initiatives to cultivate the security mindset are being implemented, it has no common definition and little is known about its characteristics, its development, and its consequences. We interviewed 21 cybersecurity professionals who strongly identified as having a security mindset based on a minimal description drawn from existing literature. Thematic analysis of the interview data suggests that the security mindset can be conceptualized as consisting of three interconnected aspects—“monitoring” for potential security anomalies, “investigating” anomalies more deeply to identify security flaws, and “evaluating” the relevance of those flaws in a larger context. These three aspects develop in different ways and have different personal and professional consequences. Participants mostly spoke positively of the security mindset, but they also mentioned several disadvantages not mentioned by existing security-mindset literature, such as mental health pressures, workplace tensions, and negative effects on personal relationships. We discuss the implications of these findings for future study of the security mindset and suggest practical implications for cybersecurity management, education, and recruitment.

Topics & Concepts

MindsetThematic analysisContext (archaeology)Public relationsComputer securityEngineering ethicsCritical security studiesInformation securityBusinessPolitical scienceComputer scienceEngineeringSecurity serviceSociologyQualitative researchNetwork security policySocial scienceArtificial intelligencePaleontologyBiologyInformation and Cyber SecurityBullying, Victimization, and AggressionCybercrime and Law Enforcement Studies