Jens Christian Opdenbusch (Ruhr University Bochum), Jonas Hielscher (Ruhr University Bochum), M. Angela Sasse (Ruhr University Bochum, University College London)

Boards are increasingly required to oversee the cybersecurity risks of their organizations. To make informed decisions, board members have to rely on the information given to them, which could come from their Chief Information Security Officers (CISOs), the reports of executives, audits, and regulations.
However, little is known about how boards decide after receiving such information and how their relationship with other stakeholders shapes those decisions. Here, we present the results of an in-depth interview study with n=18 C-level managers, board members, CISOs, and C-level consultants of some of the largest UK-based companies.
Our findings suggest that a power imbalance exists: board members will often not ask the right questions to executives and CISOs since they fear being exposed as IT novices. This ultimately makes boards highly dependent on those providing them with cybersecurity information, leading to losing their oversight function. Furthermore, cybersecurity risk is abstracted to budget decisions with no further involvement in cybersecurity strategies through boards.
We discuss possible ways to strengthen boards' oversight functions, such as releasing industry benchmarks through public cyber agencies or implementing support structures within the company - such as standing (cybersecurity) risk and audit committees.

View More Papers

Fuzzing Space Communication Protocols

Stephan Havermans (IMDEA Software Institute), Lars Baumgaertner, Jussi Roberts, Marcus Wallum (European Space Agency), Juan Caballero (IMDEA Software Institute)

Read More

Rondo: Scalable and Reconfiguration-Friendly Randomness Beacon

Xuanji Meng (Tsinghua University), Xiao Sui (Shandong University), Zhaoxin Yang (Tsinghua University), Kang Rong (Blockchain Platform Division,Ant Group), Wenbo Xu (Blockchain Platform Division,Ant Group), Shenglong Chen (Blockchain Platform Division,Ant Group), Ying Yan (Blockchain Platform Division,Ant Group), Sisi Duan (Tsinghua University)

Read More

RContainer: A Secure Container Architecture through Extending ARM CCA...

Qihang Zhou (Institute of Information Engineering, Chinese Academy of Sciences), Wenzhuo Cao (Institute of Information Engineering, Chinese Academy of Sciences; School of Cyberspace Security, University of Chinese Academy of Sciences), Xiaoqi Jia (Institute of Information Engineering, Chinese Academy of Sciences), Peng Liu (The Pennsylvania State University, USA), Shengzhi Zhang (Department of Computer Science, Metropolitan College,…

Read More

BitShield: Defending Against Bit-Flip Attacks on DNN Executables

Yanzuo Chen (The Hong Kong University of Science and Technology), Yuanyuan Yuan (The Hong Kong University of Science and Technology), Zhibo Liu (The Hong Kong University of Science and Technology), Sihang Hu (Huawei Technologies), Tianxiang Li (Huawei Technologies), Shuai Wang (The Hong Kong University of Science and Technology)

Read More