Abstract
Despite the emergence of artificial intelligence-powered enterprise systems security solutions, at least 90% of malicious cyberattacks were found to result from human behaviour or error. This finding, together with various other studies over the past 11 years, confirms that the human being remains the weakest link in the entire enterprise systems security chain. Evidence also suggests that many enterprises still take overly techno-centric approaches to cybersecurity risk, which increases the chance of missing the bigger picture. The study therefore sought to understand how a bigger enterprise systems security picture could be realised. In particular, its aim was to identify and address socio-technical security gaps in existing enterprise systems security frameworks, which encompass information security, cybersecurity, information technology security and physical security. The importance of the study lies in highlighting that overly techno-centric approaches to enterprise systems security risk have not yielded significantly positive results for organisations; a big-picture approach is required to attain a holistic enterprise systems security optimisation state. A socio-technical approach to enterprise systems security was adopted to develop this ‘big picture’ solution, by applying socio-technical systems theory to the enterprise systems security domain. The cornerstone and foundation of the socio-technical systems approach is joint optimisation, a technique concerned with harnessing the best of both the technical and the social (including human) aspects of an enterprise’s structure and processes. This culminated in the development of an integrated management process to identify and address socio-technical security gaps in existing enterprise systems security programs.
A mixed-methods research approach was adopted, in which a focus group, in-depth personal interviews and online surveys were used to validate the integrated management process. This resulted in the finalisation of the integrated management process and its desktop application to the COBIT® 5 for Information Security framework. The resulting management process for security joint optimisation would benefit the community of information security, cybersecurity and information technology security practitioners in holistically optimising enterprise systems security practices. It would especially benefit those who practise enterprise systems security at the strategic (policy-driven) and tactical (guideline-driven) levels, enabling security joint optimisation at the operational level.
D.Ing. (Engineering Management)