Hack the Human : A qualitative research study exploring the human factor and social engineering awareness in cybersecurity and risk management among Swedish organizations.

University essay from Jönköping University/IHH, Företagsekonomi

Abstract:

Background: With the rapid advancements in technology, cybersecurity has become a topic of great importance. However, the weakest link in cybersecurity programs is mainly human error. Proper cyber-behavior training and up-to-date information are crucial for employees to defend against cybercrime, as criminals continue to exploit human vulnerabilities. Cybersecurity has become a critical aspect of today's digital world, necessitating comprehensive policies and practices that align with an organization's overall risk management strategy. Social engineering, a tactic employed by cybercriminals, exploits human weaknesses and biases, making prevention and detection more challenging. There is limited understanding of how human behavior affects leaders' engagement with social engineering practices, as well as a lack of consensus on implementing policies related to social engineering.

Purpose: Considering the limited understanding of human behavior in cybersecurity, the purpose of this thesis is to investigate and analyze how different Swedish organizations perceive, enact, and are influenced by awareness of social engineering in cybersecurity and risk management.

Method: This qualitative thesis has followed a case study research design and a positivist research philosophy; the approach has been inductive, and data has been collected through semi-structured interviews.

Conclusion: Cybersecurity is an ongoing arms race with no foreseeable end in sight, as strategies and methods of attack are constantly evolving. From the data gathered, we discovered a lack of awareness of how the threats can be approached and managed, as well as a range of strategies that different organizations had employed to tighten the margin of error. The findings suggest a need for increased awareness and education to improve cybersecurity in Swedish organizations. We became aware that organizations exhibit a greater level of naivety than previously assumed, accompanied by the presence of optimism bias. Considering these findings, we strongly advise raising awareness through comprehensive employee education and adopting the Principle of Least Privilege (POLP) to enhance security measures and the necessary awareness. To adopt a more holistic perspective, we have derived a modified version of the risk appetite framework that can effectively facilitate the implementation of these recommendations.