Trustworthy and effective communication of cybersecurity risks: A review

Jason R. C. Nurse, S. Creese, M. Goldsmith, K. Lamberts
2011 1st Workshop on Socio-Technical Aspects in Security and Trust (STAST). Publication date: 2011-11-18. DOI: 10.1109/STAST.2011.6059257 (https://doi.org/10.1109/STAST.2011.6059257)
Citation count: 60

Abstract

Slowly but surely, academia and industry are fully accepting the importance of the human element as it pertains to achieving security and trust. Undoubtedly, one of the main motivations for this is the increase in attacks (e.g., social engineering and phishing) which exploit humans and exemplify why many authors regard them as the weakest link in the security chain. As research in the socio-technical security and trust fields gains momentum, it is crucial to intermittently pause and reflect on their progress while also considering related domains to determine whether there are any established principles which may be transferred. Comparison of the states-of-the-arts may assist in planning work going forward and identifying useful future directions for the less mature socio-technical field. This paper seeks to fulfil several of these goals, particularly as they relate to the emerging cybersecurity-risk communication domain. The literature reviews which we conduct here are beneficial and indeed noteworthy as they pull together a number of the key aspects which may affect the trustworthiness and effectiveness of communications on cybersecurity risks. In particular, we draw on information-trustworthiness research and the established field of risk communication. An appreciation of these aspects and precepts is imperative if systems are to be designed that play to individuals' strengths and assist them in maintaining security and protecting their applications and information.