Reference no: EM133555400
Human Factors in Cybersecurity
Part A: Executive Proposal
Part B: Video PowerPoint Presentation Recording
Part C: Self and Peer Evaluation
Learning outcome 1: Assess the economic impact of and financial implications of investing in human factors in cyber security and propose cost-effective risk management strategies.
Learning outcome 2: Develop a comprehensive cyber security culture, education and engagement strategy within an organisational context, whilst employing professional skills in evaluative judgement, team building, negotiation, and high-level communication across diverse environments.
SCENARIO
‘Sherwood’ Local City Council in Victoria, Australia
Overview
‘Sherwood’ City Council, in the north-eastern suburbs of a major metropolitan area, is responsible for serving a large and diverse community, providing a broad range of services to meet the varied needs of its residents.
The Cybersecurity team at Sherwood City Council recently assessed its current cybersecurity culture and awareness state by conducting surveys and reviewing incident data reports. The findings, supported by real-world incident data, provide a clear snapshot of the organisation's current stance. The data underscores areas for improvement, and the reported incidents offer examples of the challenges faced. Together, they set a baseline for Sherwood City Council's future enhancement efforts.
Based on the recent survey findings, data, and incident reports, the CEO and executive leadership team recognise the urgent need to strengthen the organisation's "human firewall" through enhanced cybersecurity culture and awareness. The CEO has instructed the Cybersecurity team to formulate a 12-month proposal to uplift cybersecurity culture, awareness, and engagement in the organisation, to be tabled as a four-page executive proposal and video presentation pitch at the next executive board meeting. This proposal aims to drive significant improvements in Sherwood City Council's cybersecurity culture and awareness posture and overall resilience.
Sherwood City Council staff numbers and roles
With an approximate strength of 350 employees and external stakeholders, Local City Council member roles can be categorised as:
• Executive Leadership (18 members): This includes roles like the CEO, CFO, CIO, Directors of various departments.
• Middle Management (53 members): Department heads, team leaders, and managers for different functional areas.
• Human Resources (18 members)
• IT & Cybersecurity Team (11 members)
• Marketing & Public Relations Team (18 members)
• Finance and administration (18 members)
• Urban planners (18 members)
• Front Line staff (140 members): administration, customer service, sanitation, green waste, maintenance, public works, and community facilities
• External Stakeholders (approximately 60 members)
Divisions:
The Sherwood City Council is organised into several divisions, including:
1. Urban planning and infrastructure - responsible for the design, planning, and maintenance of the city's infrastructure.
2. Community services - handling parks, recreational facilities, libraries, and community events.
3. Finance - overseeing the council's budget, finance, HR, and admin functions.
4. Environment and sustainability - managing the city's green initiatives, waste management, and sustainability projects.
5. IT and digital transformation - ensuring smooth technological operations, digital transformations, and cybersecurity.
6. Public works - overseeing maintenance works, road repairs, and other public facility improvements.
Snapshot of current Cybersecurity culture and awareness findings
Here is a snapshot of the recent Cybersecurity culture and awareness findings, including incidents and situations that may underline a need for improvement in cybersecurity culture and awareness.
1. Attitudes
• Employees who believe security is a priority: 120 (49% of surveyed)
• Employee satisfaction score regarding security protocols and training: 2.8/5
• During a department meeting, when the topic of security was raised, several members openly stated that they saw cybersecurity measures as a hindrance to their daily tasks and not a priority.
• A survey revealed that many employees feel that security protocols are overly complex and not user-friendly.
2. Behaviours
• Reported security incidents caused by human error in a month: 30
• Employees who updated passwords in the last 90 days: 100 (28.57%)
• A senior executive clicked on a phishing link, thinking it was a genuine email from the IT department, leading to a data breach.
• Multiple employees have been using the same passwords for over a year, with some even using the same password across multiple critical applications.
3. Cognition
• Employees who successfully completed security awareness training out of those required: 150/245 (61.22%)
• Average score of employees on security knowledge quizzes: 62/100
• Despite mandatory training, a group of employees (especially frontline staff) failed the post-training security quiz, displaying a lack of understanding about basic security concepts.
• During a simulated phishing test, a significant number of employees failed to recognise the fraudulent email and clicked on the link.
4. Communication
• Security-related communications distributed to employees per month: 2
• Sum of employee scores on the effectiveness of security communications: 610/1225 (49.80%) (considering a maximum score of 5 for each of 245 employees)
• The IT department sent out a critical alert regarding a new malware threat, but it was buried in the middle of a lengthy newsletter, leading many to overlook it.
• Employees have expressed that the security advisories they receive are filled with jargon and hard to understand.
5. Compliance
• Employees who have read and acknowledged the security policy: 200 (57.14%)
• Number of non-compliance incidents reported in a month: 20
• An internal audit discovered that a majority of employees have not read or acknowledged the updated security policy.
• Several employees were found sharing confidential data via unencrypted personal emails, a direct violation of the company's security policy.
6. Norms
• Remote workers using secured networks: 40/100 (40%) (assuming 100 remote employees)
• Feedback score on peer-to-peer security interactions: 2.5/5
• Three remote workers accessed company resources using public Wi-Fi without a VPN, leading to a potential vulnerability.
• During a team meeting on a video call, an employee was overheard saying they bypass the company's VPN because "it makes the internet slow."
7. Responsibilities
• Employees who have read and acknowledged the security policy: 200
• Number of non-compliance incidents reported in a month: 20
• An employee noticed their computer behaving oddly but decided not to report it, thinking it wasn't a big deal. It turned out to be a malware infection that spread to other systems.
• During a feedback session, employees mentioned they weren't sure about what kind of incidents should be reported, indicating a lack of understanding of their security responsibilities.
These incidents reflect a lack of cybersecurity culture and awareness and emphasise the importance of ongoing training, clear communication, and strong leadership in these areas.
Executive Proposal
Cybersecurity Culture, Awareness, and Engagement Uplift Program Plan
1. PURPOSE
State the purpose of the document. Highlight the scope of the proposed program plan and key topics/areas the document covers (50-word approx.)
2. BACKGROUND AND KEY CHALLENGES
Brief on relevant historical events or trends leading to the current situation and key challenges. (50-word approx.)
3. OBJECTIVES
Clearly state the primary objectives/goals of the proposed program plan (50-word approx.)
4. CONSTRAINTS AND STAFF TIME COMMITMENT
Identify any program constraints and limitations, and estimate the amount of staff time commitment required, in hours, across the stakeholders (50-word approx.)
5. EXPECTED OUTCOMES
Describe what the expected outcomes are after completing the plan (100-word approx.)
- Short-term: describe immediate results or changes anticipated upon implementation. Consider metrics.
- Long-term: discuss the broader, future implications and results expected. Consider metrics.
- Benefits/Intangible benefits: Highlight potential intangible benefits, e.g. improved staff morale or enhanced reputation.
6. CALL TO ACTION
Reiterate the importance of the proposed program plan and end with a call to action or next steps (50-word approx.)
7. REFERENCES
Include any references using APA7 style (not included in word count)
PEER EVALUATION TASK
INSTRUCTIONS:
1. Complete a peer-evaluation for ONE of your peer's DRAFT Video PowerPoint Presentation slides with two strengths and two suggested improvements. Template provided below.
Suggested word count: ~200 words
Strengths: Identify TWO areas where your peer excelled in their DRAFT Video Presentation PPT slides:
Areas for Improvement: Identify TWO areas where your peer could enhance their DRAFT Video Presentation PPT slides based on your evaluation:
INITIAL and FINAL SELF EVALUATION TASK
INSTRUCTIONS:
1. Complete an INITIAL self-evaluation using the marking rubric for your DRAFT Executive Proposal & Video Presentation PPT slides with two suggested improvements. Template provided below.
Suggested word count: ~200 words
Tips: Once you have a draft of your executive proposal and video presentation, self-evaluate using the marking rubric. All students learn at different paces and in different styles. Give yourself adequate time to reflect and improve your work (this ‘time’ varies between individuals; it could be anywhere from a few days to at least a week). Take your time. Be honest with yourself. The aim is to learn and improve. It takes time to self-evaluate and think about the improvements you can make.
2. Complete your FINAL self-evaluation using the marking rubric for your FINAL Executive Proposal & Video Presentation and comment on how you have incorporated the improvements in your FINAL Executive Proposal & Video Presentation. Template provided below.
Suggested word count: ~100 words
Due: Monday 13 Nov 11:59PM AEDT
Tips: Please review the peer evaluation you have received. Reflect on how you have applied the feedback from your peers in your final work. After incorporating these improvements into your FINAL Executive Proposal and Video Presentation, assess your own performance using the marking rubric. Be honest and thoughtful; the goal is to learn and grow, not to artificially boost your score. Approach this as a meaningful self-reflection process, akin to having a constructive conversation with yourself about your learning journey and outcomes.
3. Complete the FINAL self-reflection task - What, So What and Now What. Template is provided.
Tips: This task should be completed as the final activity at the end of your self-evaluations of your FINAL Executive Proposal & Video Presentation and before your final assessment 3 submission.
Suggested word count: ~100 words
Why does practicing self and peer evaluation matter to your learning and cybersecurity?
The practice of self-evaluation helps to enhance your critical thinking skills so you can critically assess the quality of your own work, building your capacity to make judgements about what constitutes good work at industry standards. Peer evaluation, in turn, helps to build your evaluative judgement, strengthen your constructive feedback skills, and foster trust, mutual respect and a collaborative working environment. Self-evaluation also helps you take ownership of your learning experiences and align your perception with reality. Reflective practice is essential in professional fields such as cybersecurity, where ongoing improvement and a habit of continual reflection are necessary, and where we must adapt to evolving standards and technologies.