Open access peer-reviewed chapter

Mindfulness: The First Line of Defense in Cyberspace

Written By

Samir Jarjoui

Submitted: 17 September 2023 Reviewed: 19 September 2023 Published: 11 October 2023

DOI: 10.5772/intechopen.1003086

From the Edited Volume

Online Identity - An Essential Guide

Rohit Raja and Amit Kumar Dewangan

Abstract

The role of end-users in cybersecurity continues to be understated. Despite the proliferation of cyber-attacks, security awareness programs remain largely “check-in-the-box” compliance exercises that do not yield sustainable results. This chapter advances the notion that mindfulness is the foundation and the key to establishing a robust online presence and is the precursor to cybersecurity resilience. More specifically, this chapter summarizes traditional cybersecurity risk management practices and highlights why they continue to fail given the evolving nature of cyber threats. Finally, this chapter outlines a novel blueprint to cultivate mindfulness and calls for the empowerment of individuals to take ownership of their destiny in cyberspace.

Keywords

  • cybersecurity
  • mindfulness
  • risk management
  • tipping point
  • human firewall

1. Introduction

Why do we continue to struggle with cybersecurity challenges? On one hand, there is a common misconception that cyber risks can be addressed solely using technical tools and solutions [1, 2]. On the other hand, many people are quick to assume that the responsibility for cybersecurity lies with “other” stakeholders, such as information technology (IT) teams and vendors, who are better equipped to deal with cybersecurity risks. A review of prior literature indicates inconsistent and siloed cybersecurity risk management approaches that are segregated in focus with various priorities that shifted over time [3, 4, 5]. While the role of IT functions has risen to a strategic business partner in many organizations [6], cybersecurity risk management continues to lag with an IT-centric legacy [4]. The alarming increase of cyberattacks around the world and the unrelenting pace of cyber incidents [7] continue to be a stern reminder of the inadequacies of current practices for mitigating cyber risks.

While prior scholars have recognized the importance of incorporating awareness training and education as part of a multi-layered cybersecurity approach [8, 9, 10], such efforts remain largely superficial and based on unsustainable cookie-cutter methodologies [9, 11]. After all, cyber controls can be rendered ineffective by the click of a button, and it is the end-users who are ultimately responsible for following security guidelines and practicing cyber hygiene [1, 11]. Therefore, it is important to ask: What would it take to transcend cybersecurity challenges?

This chapter argues that cultivating mindfulness can play a critical role in cyberspace by empowering individuals to make conscious decisions in intertwined digital environments. Unlike generic mainstream awareness programs that usually have limited long-term efficacy [9, 12], mindfulness is a much deeper phenomenon that can be nurtured by each individual to form an interconnected and dynamic “human firewall”. Not only does mindfulness shift the responsibility of cybersecurity from “others” to each individual, but it also provides a sustainable and personal mechanism for navigating cyberspace. When properly practiced, mindfulness can bring one’s conscious attention and focus to the internal and external experiences occurring in the present moment to respond in a reflective manner [13].

This research is among the first to assimilate the fields of mindfulness and cybersecurity to go beyond traditional cybersecurity practices and empower individuals to play a fundamental role as part of a holistic socio-technical approach (see Figure 1). This chapter outlines the importance of incorporating mindfulness practice as a means to effectively and sustainably mitigate cybersecurity risks using a bottom-up approach starting at the individual level. This chapter contributes to the literature in two important ways. First, it highlights the gaps between current cybersecurity risk management approaches and traditional awareness programs that have been largely rendered ineffective. Second, this research provides a blueprint for empowering individuals to reach a tipping point for securing our digital environments driven through mindful attention and actions.

Figure 1. Research focus.

In the next section, a review of prior literature is provided to highlight challenges and limitations in existing cybersecurity approaches and introduce the concept of mindfulness. Next, the research outlines the motivation for a new approach to manage cyber risks and discusses the role of mindfulness in cybersecurity. Finally, the chapter introduces a novel blueprint to cultivate mindfulness and concludes with future research considerations.

2. Review of existing literature

A widely known cliché in cybersecurity is that “humans are the weakest link” due to the fact that the majority of cyber incidents can be attributed in some way to human errors [8, 14]. For example, one study suggested that the majority of breaches can be attributed to email-based attacks [15], which in turn demonstrates the critical role end-users play in enforcing or overriding security controls. This section outlines the gaps in existing cybersecurity approaches and highlights the limitations of traditional cybersecurity awareness programs which continue to be susceptible to attacks that take advantage of individuals’ mindlessness. In addition, the concept of mindfulness is introduced as an alternative methodology that can be incorporated in cybersecurity risk management as the first line of defense.

2.1 Cybersecurity and the need for action

Cybersecurity is the process of protecting assets in cyberspace by preventing, detecting, and responding to attacks [16]. Despite the availability of advanced cyber-defense tools and solutions, cyber-attacks continue to rise and technological countermeasures alone are inadequate to manage cybersecurity risks [1]. The consistent increase in cybersecurity breaches can be attributed to three primary reasons (see Figure 2). First, the existing narrowly focused cybersecurity methodologies fail to holistically incorporate socio-technical considerations [4, 5], and thus have limited results in addressing the root cause of many cybersecurity incidents. Second, while many cybersecurity investments continue to increase exponentially at the organizational and governmental levels, cyber behavior lags behind despite best practices and threat intelligence warnings [1]. The actions of one individual can have profound implications, as demonstrated repeatedly in the example of Phishing attacks which exploit individuals’ impulses and lack of mindfulness [9]. Third, with the proliferation of the Internet of Things (IoT) and digital communications devices, cyber-attacks are no longer limited to traditional events such as the spread of a virus but include complex and sophisticated techniques, known as Advanced Persistent Threats [17].

Figure 2. Primary cybersecurity challenges.

Recent highly publicized breaches are a stern reminder of the costs associated with unmitigated cybersecurity risks and the need to develop robust risk management strategies that take into consideration the fundamental role of individuals in securing digital grids. For example, in May 2021, DarkSide exploitation was used to stage a ransomware attack against Colonial Pipeline, a critical infrastructure energy supplier on the East Coast of the United States [18]. The attack forced Colonial Pipeline to pay a ransom of approximately 75 bitcoin, estimated to be worth upwards of US $5 million, to restore the 5500-mile-long pipeline [19].

2.2 Existing cybersecurity risk management approaches

A review of prior literature points to three main schools of thought for traditionally managing cybersecurity risks: IT-centric, information security (IS)-centric, and enterprise resource management (ERM)-centric, as outlined in Figure 3 [4, 5, 20]. The IT-centric approach places IT departments and technical solutions as the primary mechanism for cybersecurity controls [21, 22]. As a result, this methodology frames risks using a technical-based lens and fails to include other social considerations to holistically identify and address cybersecurity deficiencies. On the other hand, the IS-centric approach focuses on the informational aspect of cyberspace and is primarily grounded in the confidentiality, integrity, and availability (CIA) of information principles [23]. While IS-centric provides additional considerations related to people, facilities, and processes, it remains limited due to its focus on information [5, 22, 24]. Finally, the emerging field of ERM-centric attempts to approach risk management from an enterprise level and integrate cybersecurity as part of the overall risk profile of the entity [20, 25]. However, this approach lacks specific guidance on “how” to consider environment-specific contexts for cybersecurity risks and does not synthesize the fundamental role of end-users as a primary objective in the risk management process [4]. The evaluation of existing cybersecurity practices highlights the need for an alternative methodology; one which incorporates individuals more prominently in the quest for securing our digital environments to achieve sustainable results.

Figure 3. Traditional cybersecurity risk management approaches.

2.3 Traditional cybersecurity awareness programs

Despite the technology-heavy and action-oriented approaches to cybersecurity, the role of awareness in cultivating cyber resilience and reducing cybersecurity risks has been recognized and incorporated by scholars [1, 8, 9, 26]. However, despite the proliferation of cybersecurity awareness tools and techniques, such as training modules, campaigns, and games, questions remain unanswered as to why cybercrime is at an all-time high and shows no signs of abating [11]. Cybersecurity awareness efforts are intended to alter end-user behavior and reinforce good practices through a focus of attention on security matters [27].

However, such existing mainstream awareness programs remain limited and unsustainable in the face of the evolving threat landscape. Further, the existing literature does not offer an understanding of the elementary characteristics of such efforts [28]. A review of prior literature highlights the nature of such efforts which are largely comprised of “one-size-fits-all” and “cookie-cutter” education programs that are compliance-based and do not produce long-term results [9, 11]. More specifically, the state of cybersecurity awareness training as it exists today falls under three primary themes as outlined in Figure 4: behavioral and compliance-based programs, Artificial-Intelligence (AI)-driven efforts, and general education [1, 9, 15, 29]. Below is a discussion on the limitations of each.

Figure 4. Mainstream cybersecurity awareness training programs.

2.3.1 Behavioral and compliance-based programs

Many organizations faced with complex cyber-attacks, such as Phishing, often implement compliance-based cybersecurity behavioral training which is completed by employees on an annual basis [9, 12]. While such efforts along with other complementary automated controls have been successful in mitigating cybersecurity attacks, they are largely rule-based and are limited in preventing new iterations of attacks. As a result, rule-based awareness initiatives tend to be less effective over time and may result in a false sense of mastery, habitual use of predetermined prompts, and lack of mindful responses stemming from divided cognitive attention [9]. Prior scholars have noted the gaps in existing rule-based awareness programs and called for a deeper mindfulness approach that allows individuals to dynamically allocate attention in a consistent manner [9, 11].

2.3.2 AI-driven efforts

With the advancements in the AI field, a plethora of technologies such as Machine Learning (ML) and Large Language Models (LLMs) have been increasingly used by researchers and practitioners to improve cybersecurity awareness [10, 15, 29, 30]. Such efforts often consist of utilizing an AI-based conversational chatbot as a tool to improve awareness and assist employees in detecting threats. The reliance on AI across many industries is not surprising given its recent popularity; however, its use in awareness efforts is concerning given that it can potentially further remove individuals from the decision-making process and shift the responsibility yet again to technical solutions. Work in Ref. [31] highlighted potential drawbacks of relying on AI in cybersecurity due to risks such as “hallucinations”, where AI technologies provide conflicting, false, and inaccurate information for decision-making.

2.3.3 General education

General cybersecurity education efforts are often created by governmental and non-profit organizations and may consist of learning modules, games, comics, and other mechanisms designed to improve end-user awareness of cybersecurity fundamentals and threats. However, such tools often tend to focus on “traditional” topics, such as passwords, while omitting emerging technologies and evolving threats. Further, many of these available tools have not been fully evaluated and rely on a general-purpose post-test that does not incorporate the interdisciplinary aspects that are important for fending off complex attacks [1].

Despite the existence of frameworks such as the National Initiative for Cybersecurity Education (NICE), which was developed by the National Institute of Standards and Technology (NIST) as a model for cybersecurity education, mainstream awareness programs remain largely rule-based and superficial initiatives. Further, such efforts do not assist individuals with cultivating a deeper and more robust state of mindfulness to dynamically allocate attention, increase context awareness, and respond in a reflective manner [9, 11, 13]. In the next section, the concept of mindfulness is introduced as an alternative methodology to engage individuals at a deeper level to make sound and conscious decisions in cyberspace. The role of mindfulness in cybersecurity is further discussed in this chapter.

2.4 Mindfulness

Humans have been gifted with a magnificent cognitive ability that is aware of the passage of time, and thus, we spend most of our time thinking about the future or the past, ruminating about “what ifs” and contemplating a wide range of scenarios that may never come to pass [32]. While this cognitive leap allows us to better plan and reflect on our lives, overusing it comes at a price: we are no longer anchored in the present moment or fully aware of the stream of emotions, feelings, and environments that are unfolding in the now [32, 33]. The proliferation of technology and social media makes it even more difficult to recognize and process data that is constantly competing for our attention. As a result, many humans tend to go through life in a “zombie” state, making impulsive decisions based on biases and other influences without being fully aware of their decisions and triggers. For example, one study showed that our minds wander at least 47% of the time and a wandering mind is an unhappy and ungrounded mind [32, 34].

Mindfulness is derived from the word sati meaning “to remember” in the Pali language, signifying the quality of presence of mind [35]. It is about “waking up” and harnessing the power of now. Mindfulness is the ability to intentionally attend in an open, non-judgmental, and discerning manner to the present moment [13, 35, 36]. It is a state of deliberate action and receptive attention to present events and experiences [35]. While the concept of mindfulness is mostly associated with Buddhist schools of thought, its phenomenological nature can be found in many traditions, as well as Western philosophical and psychological approaches [35, 36]. Perhaps the concept of mindfulness can be better illustrated by contrasting it with mindlessness, the state of being on “autopilot”, lacking presence and critical thinking abilities. Examples of mindlessness include: rushing through activities without attentiveness, making impulsive decisions, spilling or breaking things due to carelessness, lack of attention or ability to remember an individual’s name shortly after we have heard it, and being preoccupied in future events or past memories [33, 35].

Further, it is important to distinguish the concept of mindfulness from awareness; the former deals with intentionally directing one’s attention in an open and receptive manner through a deep knowing that manifests as freedom from reflexive conditioning, while the latter has to do with merely the ability to observe and be conscious of several possible stimulus states, such as one’s experience, including bodily sensations, thoughts and emotions, and external happenings [37, 38]. Both concepts are highly intertwined and are a quality of consciousness; however, mindfulness embodies a deeper and intentional ability to respond to and be present in the now (see Figure 5).

Figure 5. Mental states iceberg model.

Prior literature has highlighted the numerous benefits of mindfulness in a number of areas, including a limited number of studies in the field of cybersecurity [9, 11, 13, 35]. For example, in the field of clinical psychology, it has been widely used to help patients manage anxiety, habitual reactivity, pain, and maladaptive behavior [13, 35, 36]. Further, in the field of education, Ref. [39] demonstrated that daily mindfulness practices positively affected teachers’ classroom management skills and improved distress tolerance and physical symptoms. Furthermore, in cybersecurity, limited empirical research showed that mindfulness can provide a more sustainable and effective mechanism to address cyber threats than traditional awareness programs, by boosting the cognitive ability to dynamically allocate attention and frame situational context [9, 11]. Implementing a mindfulness-based state of mind can play a role in improving well-being, immune system function, self-regulation, cognitive flexibility, clarity, and concentration [13, 35, 36].

3. Motivation for a new approach

Albert Einstein referred to insanity as repetitively doing the same thing and expecting different results [40]. Existing efforts to guard against cyber threats have reached a certain level of insanity given the uniformity of cybersecurity implementation: exponential increase in technical investments, heavy reliance on technology, delegation of responsibility, and the removal of end-users from the decision-making process. Yet, cybercrime shows no signs of recession and cyber incidents continue to evolve every year and take advantage of individuals’ mindlessness. Further, despite the incorporation of awareness training programs, the majority of recorded cyberattacks and high-profile breaches can be attributed to human errors [8]. If “humans are the weakest link” and can override complex security controls with a single click, as has been consistently documented [8, 11, 14], is it not time to consider a different approach?

This research is a call to action; an opportunity to change how we approach problems and related solutions. We can continue to pretend that cybersecurity issues can be resolved through technical solutions and undermine the fundamental role of end-users, or we can collectively and individually acknowledge and cultivate the role of mindfulness in living a healthier life. This chapter proposes that a shift in how we approach cybersecurity efforts is needed to address the root cause of many breaches: end-users’ mindlessness. Such a change entails a deliberate, disciplined, and coordinated effort by organizations, governments, and individuals to develop the quality of mindfulness as a force for living a more authentic, present, and discerning life. In cyberspace, end-user mindfulness and the associated benefits of increased concentration, clarity, self-regulation, and improved cognitive abilities can hold the key to significantly improving cybersecurity resilience at the individual and collective levels.

While this proposal may sound vague, difficult to achieve, and unrealistic, consider similar dilemmas such as environmental pollution, where each individual plays a critical role that is fundamental to making any meaningful progress in the health of our shared planet. Further, things that are worthwhile are often difficult and challenging; after all, a shift in human mental states in cyberspace is not an easy task, but nonetheless, it is an essential one. If one is not sure where to start, individuals can begin with themselves as the building blocks of mindful communities, where each person can play a role in reaching a tipping point for developing mindful cyber citizens.

It is important to note that while cultivating mindfulness would have a significant positive impact on how individuals navigate cyberspace [9, 11], its benefits encompass all other aspects of human life given the proven advantages in other fields such as clinical psychology. Further, while governments and organizations can invest resources to recognize, facilitate, and promote mindfulness, the process is personal and has to be nurtured by each individual to develop such a mental state. The following section discusses the role of mindfulness in cybersecurity and offers recommendations for governments, organizations, and individuals.

4. The role of mindfulness in cybersecurity

Mindfulness can play a critical role in cyberspace through the cultivation of qualities that can help individuals stay ahead of cybercriminals. It can help equip end-users with the ability to fend off attacks that are designed to exploit human emotions, take advantage of mindlessness, and manipulate the human psyche. Well-documented mindfulness benefits such as concentration, self-regulation, clarity, presence, dynamic allocation of attention, and improved cognitive skills [9, 11, 13, 35, 41] can assist end-users in minimizing cyber threats. In the digital age where communication devices and social media outlets constantly compete for end-users’ attention, mindfulness can make a difference in cybersecurity outcomes which often come down to split-second decisions in the midst of constant data streams.

Further, malicious perpetrators are well aware of the human factor in cyberspace and continue to employ manipulative techniques to trick end-users into overriding security controls and divulging sensitive information. Despite existing cybersecurity awareness efforts, the ability of threat actors to exploit the emotional triggers of individuals continues to be underestimated [11]. Consider, for example, the nature of Phishing attacks which are social engineering exploits that aim to take advantage of individuals’ lack of attention and manipulate users into revealing personal information or clicking on malicious links [42, 43]. These attacks are primarily based on emotional exploits designed to trick users into reflexively executing certain actions, and often succeed the most when individuals are distracted, multitasking, and fail to properly evaluate the situational context.

Scant existing research demonstrated that cultivating a mindfulness approach is more advantageous than traditional rule-based awareness programs in detecting difficult cues in cyberspace and preventing attacks such as Phishing [9, 11]. More specifically, mindfulness has been credited with enabling individuals to dynamically allocate attention during message evaluation to determine proper actions, improve situational context through active questioning, and self-regulate actions in cyberspace [9]. For example, mindfulness practices that prompt end-users to pause and consider the situational context and related environment [9, 44], can eliminate mindless processing of information and assist individuals in evaluating critical details, such as message reasonableness and relevancy, to prevent Phishing attacks [9]. However, reaping the benefits of mindfulness requires a shift in how cybersecurity challenges are approached. This chapter promotes the notion that cultivating mindfulness can play a critical role in cybersecurity through the adoption of a bottom-up approach that begins with each individual. A deliberate effort and investment are required to transcend cyber challenges in a sustainable manner and to empower each person to take responsibility for cybersecurity and become a human firewall.

It is important to note that this research does not negate the important role of technical and strategic considerations in combating cyber threats; instead, it suggests that end-users’ mindfulness is the cornerstone of cybersecurity as part of a holistic multidimensional approach. Since eliminating all cybersecurity risks is an unrealistic task, it is beneficial to think of cybersecurity controls in terms of “layers” that comprise defense-in-depth methodologies to mitigate risk. As outlined in Figure 6, developing and promoting mindfulness is the first line of defense or “layer” as part of several layers that entail other processes, technology, and strategic considerations. While this chapter frames mindfulness as an irreplaceable and essential quality in cyberspace, it can be further complemented by other means such as artificial intelligence (AI) technologies. The following section outlines a blueprint for cultivating, facilitating, and promoting mindfulness by governments, organizations, and individuals.

Figure 6. Mindfulness blueprint.

5. Mindfulness blueprint

While there are several means in which mindfulness can be developed, practiced, and facilitated, the following blueprint offers practical recommendations that can help foster this quality of being as the first line of defense in cybersecurity (see Figure 6). The blueprint consists of framing strategies for governments, cybersecurity mindfulness programs (CMP) that can be implemented by organizations, and the practice of meditation for individuals. The blueprint is geared toward developing mindful cyber communities starting with each individual using a bottom-up approach, and deviates from traditional cybersecurity methodologies which emphasize technical solutions and compliance programs.

Below is a discussion on each of the blueprint’s components.

5.1 Framing strategies

Despite numerous cybersecurity frameworks, such as the ones issued by NIST, and governmental initiatives across the globe [43], many individuals continue to underestimate cyber risks and behave in a manner that does not reflect the cybersecurity sense of urgency at the national level [7]. The inconsistency of communication by policy makers and governments is a large contributor to this issue. Many of the national initiatives and related messaging are driven by different agendas, do not frame cybersecurity as an individual responsibility, and fail to provide actionable guidance on how to foster cybersecurity awareness in a sustainable manner. For example, in March 2023, the United States issued a National Cybersecurity Strategy that consisted of five pillars: Defend critical infrastructure, Disrupt and dismantle threat actors, Shape market forces to drive security and resilience, Invest in a resilient future, and Forge international partnerships [45]. These pillars do not meaningfully address the responsibility of cybersecurity by end-users and do not provide guidance on the nature and extent of individuals’ engagement in the process. As a result, many people tend to selectively participate in such efforts [7], dismiss their role in minimizing cyber risks, and continue their “business as usual” behavior in cyberspace. Therefore, there is a necessity to rethink message framing at the national level to communicate the multidimensional cybersecurity challenge in a clear, understandable, and consistent manner. Such message framing would highlight the critical role that end-users play in defending cyberspace and outline strategies for promoting mindfulness as a means to improve people’s ability to recognize, prevent, and respond to cyber-attacks.

5.2 Cybersecurity mindfulness programs (CMP)

This research coins the term CMP as an alternative methodology to traditional cybersecurity awareness programs that tend to follow “check-in-the-box” exercises. Such a transformation would entail a deeper sense of awareness that nurtures individuals’ ability to navigate cyberspace in a more effective and self-sufficient manner. CMP are more holistic than generic awareness training and would require organizations to provide opportunities that encourage and facilitate the cultivation of mindfulness. Instead of a rule-based approach, CMP curriculum would emphasize mindfulness techniques in cybersecurity that prompt end-users to pause and consider the situational context and related environment. Further, CMP efforts would also facilitate the cultivation of mindfulness in individuals to optimize mental qualities such as concentration, resilience, self-regulation, and clarity. Organizations can play a critical role in this process through deliberately fostering a culture that encourages employees to incorporate mindfulness practices at work. As such, mindfulness can be integrated in many of the wellness programs that companies often sponsor to optimize the health and cognitive benefits of employees. For example, organizations may engage a mindfulness coach, organize mindfulness retreats and conferences, and develop mindfulness champions to facilitate and support mindfulness among employees.

5.3 Meditation

The role of meditation practice by individuals cannot be overstated. As discussed, while governments and organizations may facilitate the process, mindfulness is a quality that needs to be deliberately and consistently cultivated by each person. Scholars and practitioners have outlined techniques through which mindfulness can be cultivated. Examples include using the breath as an anchor to bring one’s attention to the present moment throughout the course of the day, observing or “watching” thoughts and feelings as they arise in the mind without having to over-analyze or react to them, and self-regulating attention to break automatic habitual patterns of reactivity [13, 38]. There are many books on the subject, such as The Power of Now by Eckhart Tolle and You Are Here: Discovering the Magic of the Present Moment by Thich Nhat Hanh, that promote mindful practices. Further, it is important to note that cultivating mindfulness does not need to be a lengthy and cumbersome effort; individuals can benefit from taking short breaks throughout the day to disconnect from their external environment and rebalance. There are many services and mobile applications on the market that facilitate short mindfulness practices. Regardless of the method employed, beginning the practice of mindfulness can provide practitioners with a sense of adventure as they discover and navigate their journey to become mindful citizens in cyberspace and beyond.

Ultimately, mindfulness is about healing; healing from our tendency to overthink, act impulsively, seek others’ attention and approval, and forgo self-regulation in our daily lives. Mindfulness provides individuals with a “big picture” mentality to stop, think, and evaluate situations and actions in cyberspace to stay ahead of cybercriminals. While this may seem difficult, each individual must take the first step on this journey; there is no other way. The goal is to reach a mindfulness tipping point, which occurs when the actions of enough individuals become significant enough to thrust a system beyond a certain threshold into a new state, to create mindful communities across the globe. For example, the small country of Bhutan, nestled in the Himalayas, took on a similar challenge; it became the first country to reach carbon neutrality while other resourceful countries consistently failed to meet emissions targets [46]. Such an effort became possible through community-based collaboration, commitment, and individuals’ engagement and accountability. The same can be achieved in cyberspace, where we can perceive our interconnected digital grid as a shared resource and take ownership to keep it safe and secure.


6. Conclusion

Cybersecurity awareness training continues to be largely an afterthought. Despite the pervasiveness of such efforts, they remain largely superficial and unsustainable considering the dynamic and evolving nature of cyber-attacks. The research outlines challenges of traditional cybersecurity practices and offers a blueprint for organizations and individuals to nurture mindfulness as a quality to improve cybersecurity resilience. Future researchers are encouraged to build on this research and examine the relationship between mindfulness and cybersecurity through empirical evaluation. This chapter introduces a novel approach as an alternative way to navigate cybersecurity challenges through the cultivation of mindfulness as the first line of defense in cyberspace.

References

  1. Zhang-Kennedy L, Chiasson S. A systematic review of multimedia tools for cybersecurity awareness and education. ACM Computing Surveys. 2021;54:1-39. DOI: 10.1145/3427920
  2. Khan O, Sepulveda D. Supply chain cyber-resilience: Creating an agenda for future research. Technology Innovation Management Review. 2015;5:6-12. DOI: 10.22215/timreview/885
  3. Servaes H, Tamayo A, Tufano P. The theory and practice of corporate risk management. Journal of Applied Corporate Finance. 2009;21:60-78. DOI: 10.1111/j.1745-6622.2009.00250.x
  4. Jarjoui S, Murimi R. A framework for Enterprise cybersecurity risk management. In: Daimi K, Peoples C, editors. Advances in Cybersecurity Management. Cham: Springer; 2021. DOI: 10.1007/978-3-030-71381-2_8
  5. Althonayan A, Andronache A. Resiliency under strategic foresight: The effects of cybersecurity management and enterprise risk management alignment. In: International Conference on Cyber Situational Awareness, Data Analytics and Assessment. Oxford, UK: Cyber SA; 2019. pp. 1-9. DOI: 10.1109/CyberSA.2019.8899445
  6. Tallon P. Inside the adaptive enterprise: An information technology capabilities perspective on business process agility. Information Technology and Management. 2009;9:21-36. DOI: 10.1007/s10799-007-0024-8
  7. Bruijn H, Janssen M. Building cybersecurity awareness: The need for evidence-based framing strategies. Government Information Quarterly. 2017;34:1-7. DOI: 10.1016/j.giq.2017.02.007
  8. Khader M, Karam M, Fares H. Cybersecurity awareness framework for academia. Information. 2021;12:1-20. DOI: 10.3390/info12100417
  9. Jensen M, Dinger M, Wright R, Thatcher J. Training to mitigate phishing attacks using mindfulness techniques. Journal of Management Information Systems. 2017;34:597-626. DOI: 10.1080/07421222.2017.1334499
  10. Dash B, Ansari M. An effective cybersecurity awareness training model: First defense of an organizational security strategy. International Research Journal of Engineering and Technology (IRJET). 2022;9:1-6
  11. Roghanizad M, Choi E, Mashatan A, Turetken O. Mindfulness and cybersecurity behavior: A comparative analysis of rational and intuitive cybersecurity decisions. In: Proceedings of AMCIS. 2021;13:1-10. Available from: https://aisel.aisnet.org/amcis2021/info_security/info_security/13
  12. Sannicolas-Rocca T, Schooley B, Spears J. Designing effective knowledge transfer practices to improve IS security awareness and compliance. In: 47th Hawaii International Conference on System Sciences. Waikoloa, HI, USA: IEEE; 2014. pp. 3432-3441. DOI: 10.1109/HICSS.2014.427
  13. Bishop S, Lau M, Shapiro S, Carlson L, Anderson D, Carmody J, et al. Mindfulness: A proposed operational definition. Clinical Psychology: Science and Practice. 2004;11:230-241. DOI: 10.1093/clipsy.bph077
  14. Sasse M, Brostoff S, Weirich D. Transforming the ‘weakest link’—A human/computer interaction approach to usable and effective security. BT Technical Journal. 2001;19:122-131. DOI: 10.1023/A:1011902718709
  15. El Hajal G, Daou R, Ducq Y. Human firewall: Cyber awareness using whatApp AI chatbot. In: IEEE 3rd International Multidisciplinary Conference on Engineering Technology (IMCET). Beirut, Lebanon: IEEE; 2021. pp. 66-70. DOI: 10.1109/IMCET53404.2021.9665642
  16. Barrett M. Framework for Improving Critical Infrastructure Cybersecurity. Gaithersburg, Maryland, USA: National Institute of Standards and Technology; 2018. Available from: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
  17. Alshamrani A, Myneni S, Chowdhary A, Huang D. A survey on advanced persistent threats: Techniques, solutions, challenges, and research opportunities. IEEE Communications Surveys & Tutorials. 2019;21:1851-1877. DOI: 10.1109/COMST.2019.2891891
  18. Newman L. Colonial Pipeline Paid a $5M Ransom and Kept a Vicious Cycle Turning [Internet]. 2021. Available from: https://www.wired.com/story/darkside-ransomware-colonial-pipeline-response [Accessed: September 01, 2023]
  19. Geller E, Matishak M. A Federal Government Left ‘Completely Blind’ on Cyberattacks Looks to Force Reporting [Internet]. 2021. Available from: https://www.politico.com/news/2021/05/15/congress-colonial-pipeline-disclosure-488406 [Accessed: September 01, 2023]
  20. Stine K, Quinn S, Witte G, Gardner R. Integrating Cybersecurity and Enterprise Risk Management (ERM). Gaithersburg, Maryland, USA: National Institute of Standards and Technology; 2020. DOI: 10.6028/NIST.IR.8286
  21. Humphreys E. Information security management standards: Compliance, governance and risk management. Information Security Technical Report. 2008;13:247-255. DOI: 10.1016/j.istr.2008.10.010
  22. Ramirez R, Choucri N. Improving interdisciplinary communication with standardised cyber security terminology: A literature review. IEEE Access. 2016;4:2216-2243. DOI: 10.1109/ACCESS.2016.2544381
  23. Agarwal A, Agarwal A. The security risks associated with cloud computing. International Journal of Computer Applications. Engineering Sciences. 2011;1:257-259. Available from: https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=6bcb9009cb4548802c377951677870cbb0416756
  24. Yaokumah W, Brown S. An empirical examination of the relationship between information security/business strategic alignment and information security governance domain areas. Journal of Business Systems, Governance and Ethics. 2015;9:50-65. DOI: 10.15209/jbsge.v9i2.718
  25. Suroso J, Harisno NJ. Implementation of COSO ERM as security control framework in cloud service provider. Journal of Advanced Management Science. 2017;5:322-326. DOI: 10.18178/joams.5.4.322-326
  26. Al Shamsi A. Effectiveness of cyber security awareness program for young children: A case study in UAE. International Journal of Information Technology and Language Studies (IJITLS). 2019;3:8-29. DOI: 10.13140/RG.2.2.28488.14083
  27. Wilson M, Hash J. Building an Information Technology Security Awareness and Training Program. Gaithersburg, Maryland, USA: National Institute of Standards and Technology; 2003. DOI: 10.6028/NIST.SP.800-50
  28. Karjalainen M, Siponen M. Toward a new meta-theory for designing information systems (IS) security training approaches. Journal of the Association for Information Systems. 2011;12:518-555. DOI: 10.17705/1jais.00274
  29. Fung Y, Lee L. A chatbot for promoting cybersecurity awareness. In: Agrawal D, Nedjah N, Gupta B, Perez G, editors. Cyber Security, Privacy and Networking. Singapore: Springer; 2022. pp. 379-387. DOI: 10.1007/978-981-16-8664-1_33
  30. Gupta B, Jain A. Phishing attack detection using a search engine and heuristics-based technique. Journal of Information Technology Research (JITR). 2020;13:94-109. DOI: 10.4018/JITR.2020040106
  31. Gupta M, Akiri C, Aryal K, Parker E, Praharaj L. From ChatGPT to ThreatGPT: Impact of generative AI in cybersecurity and privacy. IEEE Access. 2023;11:80218-80245. DOI: 10.1109/ACCESS.2023.3300381
  32. Killingsworth M, Gilbert D. A wandering mind is an unhappy mind. Science. 2010;330:932. DOI: 10.1126/science.1192439
  33. Germer C. What is mindfulness? Insight Journal. 2004;22:24-29. Available from: https://www.drtheresalavoie.com/storage/app/media/insight-germermindfulness.pdf
  34. Creswell J. Mindfulness interventions. Annual Review of Psychology. 2017;68:491-516. DOI: 10.1146/annurev-psych-042716-051139
  35. Brown K, Ryan R, Creswell JD. Mindfulness: Theoretical foundations and evidence for its salutary effects. Psychological Inquiry. 2007;18:211-237. DOI: 10.1080/10478400701598298
  36. Shapiro S. The integration of mindfulness and psychology. Journal of Clinical Psychology. 2009;65:555-560. DOI: 10.1002/jclp.20602
  37. Merikle P. Toward a definition of awareness. Bulletin of the Psychonomic Society. 1984;22:449-450. DOI: 10.3758/BF03333874
  38. Brown K, Ryan R. The benefits of being present: Mindfulness and its role in psychological well-being. Journal of Personality and Social Psychology. 2003;84:822-848. DOI: 10.1037/0022-3514.84.4.822
  39. Harris A, Jennings P, Katz D, Abenavoli R, Greenberg M. Promoting stress management and well-being in educators: Outcomes of the CALM intervention. Mindfulness. 2016;7:143-154. DOI: 10.1007/s12671-015-0451-2
  40. Wilczek F. Einstein's Parable of Quantum Insanity [Internet]. 2015. Available from: https://www.scientificamerican.com/article/einstein-s-parable-of-quantum-insanity [Accessed: September 03, 2023]
  41. El-Sabaawi M, Shapiro S, Carlson L. The art and science of mindfulness: Integrating mindfulness into psychology and the helping professions. American Psychological Association. 2010;1:64-66. DOI: 10.1007/s12671-010-0002-9
  42. Alabdan R. Phishing attacks survey: Types, vectors, and technical approaches. Future Internet. 2020;12:1-39. DOI: 10.3390/fi12100168
  43. Jarjoui S, Murimi R, Murimi R. Hold my beer: A case study of how ransomware affected an Australian beverage company. In: International Conference on Cyber Situational Awareness, Data Analytics and Assessment. Dublin, Ireland: Cyber SA; 2021. pp. 1-6. DOI: 10.1109/CyberSA52016.2021.9478239
  44. Langer E. The Power of Mindful Learning. Reading, MA: Addison-Wesley; 1997
  45. National cybersecurity strategy [Internet]. 2023. Available from: https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf [Accessed: September 03, 2023]
  46. Shelby T. “Carbon Negative” — The First of its Kind [Internet]. 2022. Available from: https://hir.harvard.edu/carbon-negativity-in-bhutan-an-inverse-free-rider-problem [Accessed: September 03, 2023]
