Keywords

Introduction and Background

It would be difficult to miss the multitude of cybercrime reports that have appeared in general news over the past few years. In May 2021, the US oil delivery network run by Colonia Pipeline (Turton & Mehotra, 2021), suffered a cyberattack that caused operations to cease for several days. In June 2021, meat supplier JBS was effectively shut down for five days following a cyberattack which disabled its processing operations (Claughton & Beilharz, 2021). In July 2021, Microsoftā€™s Exchange Server software was found to be compromised and NSW Department of Education was forced to take internal systems offline (NSW Government, 2021). Modern day cyberattacks now have the ability to cause substantial damage to industry with their destruction and damage of data, process and physical hardware. Overall, cybercrime appears to be increasing in both the variety of victims and the number of attacks.

Distributed Denial of Service (DDoS) attacks as an attack method have also seen a drastic rise in prominence over the last few years (Bhattacharyya & Kalita, 2016; Cook, 2021; Nicholson, 2021), highlighted by the recent large and impactful attacks such as Google in 2017 (Nicholson, 2021), Git Hub in 2018 (Chadd, 2018; Newman, 2018) and AWS in 2020 (Crane, 2020).

These attacks were notable due to their large volume but DDoS does not just rely on flooding internet pipes with high bandwidth attacks to succeed. Sophisticated DDoS attack methods can also target internal server resources, aimed at depleting functional capabilities by using methods such as amplification and malformed requests (Alyas et al., 2017; Ismail et al., 2021). The goal is the same but, whilst volumetric attacks can be easily discovered by a sudden tidal wave of data flooding in, sophisticated attacks may use a slow trickle of requests to services that take some time to complete. This way, sophisticated attacks can cause system bottlenecks and slowly strangle the service until it eventually fails (Alyas et al., 2017).

Along with their scale, the three DDoS attacks noted above were also notable due to the target being well-known organisations, however, data from sources such as Akamai suggests that target sectors are now much more evenly spread (Akamai, 2020) when compared to attacks between 2016 and 2018 (Akamai, 2016), where vandalism and gaming were the primary target (Arbor, 2018). All industry sectors may now present an equally valid target for attacker at any scale.

DDoS attacks operate differently to other forms of cyberattack as the attacker does not need to find a back door or system vulnerability to gain access to its target. DDoS leverages the insecurity of other online devices. It assumes control and directs these compromised machines to target the legitimate entry points of target services that the attacker seeks to incapacitate. This reliance of compromisable connected devices such as CCTV cameras, advertising boards and a plethora of other Internet of Things (IoT) devices could be seen as a limiting (for the attacker), but the COVID-19 inspired, rapid move to home working in combination with the rise of smart cities has inadvertently inflated the quantity of potential resources available for use by DDoS (Cvitic et al., 2021).

As employees hurried to work from home, organisational IT equipment moved from inside the quality assured and monitored organisational security boundary, to networks shared with low grade and cheap IoT devices. And worse, these networks were often connected through home grade routers which incorporate rudimentary cyber security, many of which were configured by inexperienced home owners.

The move to smart cities involves the use of an ever-increasing supply of internet connected real-time data devices (Hammi et al., 2018). Through increased understanding of infrastructure patterns, residents could be provided with improved living experiences. However, as society becomes more reliant on this new technology, it may itself become an attractive target, and these devices may also form the resources needed for future larger-scale DDoS attacks.

Given that the majority of organisations in Australia rely on internet connectivity to conduct their business, they inadvertently expose themselves to a DDoS type cyberattack. It is therefore important to understand how organisations and their employees consider the threat and its associated consequences.

This paper aims to examine discovered gaps in knowledge of DDoS and brings together new learning to create a fuller picture of DDoS threats, motivations and the potential of future collaboration. The first research question asks ā€œHow high do Australian organisations rate DDoS as a threat, when compared to other cyber security events?ā€ In particular, this research seeks to discover how employees and organisations perceive the threat, their ownership of the issues and consequences, and how they believe a future state should look. With this knowledge uncovered, a second research question asks ā€œWhere should effort be focused to ensure Australian organisations are more prepared for a DDoS event?ā€, and if the ā€˜whereā€™ is understood, the logical progression would be ā€˜by who?ā€™ The overarching aim for this study is to demystify organisationsā€™ perceptions of the risk and threat of DDoS within the cyber security context and to uncover ways to improve the use of existing and future technologies.

The remainder of this paper is structured as follows. Firstly, a brief review of the literature is presented to set a clear understanding of the current knowledge in this area. Then, following an explanation of the methodology used, including a discussion on the reasons certain choices were made, the results of the research analysis are presented. Finally, the results are discussed and a conclusion approached so that a path is identified for future studies.

Literature Review

Practitioner Review

Cyber incidents appear to be placing an increased threat on society. Whilst DDoS has its beginnings at Illinios Universityā€™s Computer-Based Education Research Laboratory (CERL) in 1974 (Dennis, 2010; Radware, 2017), cyberattacks including DDoS have increased in all forms such as scale, frequency and cost. In 2016 DYN, an Internet Domain registrar who helps the name resolution for many large, well-known, global firms including Twitter, Reddit, GitHub, Amazon.com, Netflix and Spotify (Krebs, 2016), suffered what was at the time, the largest DDoS attack, now known to be caused by the Mirai botnet. The attack at 1.2Tbps (Novinson, 2018) involved tens of millions of IP addresses (York, 2016) and was made possible by low security, poorly configured IoT (Internet of Things) devices such as security cameras (Cloudflare, 2019; Woolf, 2016; York, 2016).

In contrast to previous botnets constructed from infected PCā€™s, Miria malware seeks to infect IoT devices such as security cameras, digital video recorders and baby monitors which have low security due to users installing with the default passwords in place (Cloudflare, 2019). Once installed, the malware deletes itself from the disk, but remains active in memory until the unit is restarted. The Mirai botnet source code was made available through ā€˜Hackforumsā€™ (an Internet-based hacking community) in September 2016 (Manuel, 2018) shortly before the attack on DYN.

Then, in 2018, larger attacks occurred. In February, GitHub was attacked with a 1.3Tbs DDoS and, two months later, Netscout reported a 1.7Tbs attack against an unnamed target.

It was not a one-sided conflict though as, early in 2019, several successful prosecutions occurred:

  1. 1.

    The US Department of JusticeĀ seizedĀ 15Ā Internet domains, which they claim had been used to perform DDoS attacks on government systems, universities, gaming platforms, financial organisations and ISPs across the world (Kupreev et al., DDoS attacks in Q1 2019, 2019a).

  2. 2.

    A US courtĀ jailed a 34-year-old Massachusetts hacker (Martin Gottesfield) (Cimpanu, 2019; Wolff, 2019) for 10 years, for launching the DDoS attacks on two medical facilities including the Boston Childrenā€™s Hospital as he protested the psychiatric detention of Justina Pelletier (Wolff, 2019).

  3. 3.

    British police arrested 32-year-old Daniel Kaye who built a Miria botnet from hacked Dahua security cameras and other devices that he rented from other hackers (Daws, 2019). Kaye had been hired to ruin the reputation of Lonestar by a senior official at competitor Cellcom (a Liberian telco) (Daws, 2019).

  4. 4.

    250Ā cybercriminals were arrested in Britain and the Netherlands by Europol (the European Unionā€™s law enforcement agency),Ā following the 2018 shutdown of Webstresser.org (Krebs, 2019).

Despite these convictions, the scale, frequency and notoriety of these types of events have continued to increase such as:

  • April 2019ā€”Ecuadorian facilities became the target and very large number of cyberattacks including DDoS (Dan, 2019). Ecuador sought assistance from Israel (Kupreev et al., 2019b).

  • 2019 Septemberā€”Wikipedia was attacked with a DDoS volume of over 1Tbps over the three-day duration (Kupreev et al., 2019c).

  • 2020 Februaryā€”AWS reported an attack on its Connectionless Lightweight Directory Access Protocol (CLDAP) at a volume of 2.3Tbps.

In mid to late 2021, three DDoS attacks brought further increases in scale. The first, Cloudflare, which is a content delivery service, announced details of an attack on their infrastructure at a rate of 17.2 million bogus requests per second (rps) (Yoachimik, 2021). To put this in perspective, Cloudflareā€™s average legitimate load is in the order of 25 million rps, so this attack occupied near 70% of its average capacity. Shortly after, a Russian tech company, Yandex reported an attack which started at 5.7 million rps in early August but peaked at 22 million rps one month later (Marrow & Stolyarov, 2021). Cyber security author Brian Krebs was also a target, announcing an attack in September 2021 which was delivered by the same botnet responsible for the attacks on Cloudflare and Yandex. This new botnet, called Meris, was first seen in June 2021 and was facilitated by approximately 250,000 compromised MikroTik routers (Krebs, 2021).

The incredible scale of these attacks is worrying, but more so is the fact that they have started to break away from the virtual world. For example, in 2005, Iranā€™s nuclear development was impacted as an attack (Stuxnet) targeted supervisory control and data acquisition (SCADA) systems leading to destruction of physical centrifuge devices (Fruhlinger, 2017). In September 2007, the Israeli Airforce acquired control of Syriaā€™s air defence systems just prior to their military bombers targeting and destroying a Syrian nuclear installation (Holmes, 2018). Then, in March 2019, a DDoS focused on an electricity regulation computer system causing difficulties for various districts of Los Angeles and Salt Lake City. As a consequence, California and Wyoming also experienced power supply problems (Fazzini & DiChristopher, 2019).

More recently, in September 2020, a group mistakenly targeted the Dusseldorf University hospital and the disruption led to the death of a person who needed immediate and acute medical care (Tidy, 2020).

Trends are moving from small extortion-driven groups towards politically-motivated occurrences and, in addition, larger groups that use increased complexity and sophistication are becoming more prominent (Mansfield-Devine, 2015; Nazario, 2008). For example, secondary outcomes such as the insertion of malware or the theft of financial/personal data during an attack, highlight that DDoS is starting to be used as a cover for other nefarious activities (Pitlik, 2019; Wueest, 2014). In its study period, research company Neustar reported that 36% of responders had found malware installed during the event and 43% of finance sector responders also found malware further supporting that, DDoS attacks could be used as a diversion, masking the true purpose of theft (Sooraj, 2012). However, whilst geopolitical-motivated activism (hacktivism) has used this theft distraction method, they also use DDoS to show support or opposition over an issue.

Overall, the practitioner literature indicates that the DDoS phenomenon is growing, not just in scale, but also in its reach as it expands outside of the digital realm and begins to seriously impact the daily lives of ordinary people. However, this view, whilst supported by many independent sources (Chigada & Madzinga, 2021; De Donno et al., 2018; Snehi & Bhandari, 2021), is largely conveyed by technology vendors and authors who sit outside of the organisations directly impacted by these reported attacks. As such, the literature is unable to provide any supporting evidence to answer the first research question ā€œHow high do Australian organisations rate DDoS as a threat, when compared to other cyber security events?ā€.

In addition, the second research question ā€œWhere should effort be focused to ensure Australian organisations are more prepared for a DDoS event?ā€ becomes equally difficult to answer using practitioner literature as most information is written by technology experts and focuses on technology mitigation options as opposed to a holistic view that also considers people and process.

Academic Review

Overall, several motivators for DDoS use have been noted (Anstee et al., 2017; Bienkowski, 2016) including Vandalism, State/activism, Extortion and Distraction, and although gaming related motivations appear high, criminal motivations are on the rise (Arbor, 2018; Bienkowski, 2016; Mansfield-Devine, 2015, 2016).

Criminals are learning to exploit the vulnerabilities that exist through the human interpretation of technology applications. The human factor often facilitates a weak link in cyber security (Wiederhold, 2014). As technology becomes ā€˜smarterā€™, it is moved from simple automation of repetitive tasks to assisting where decision-making is required and this advancement of technology has led to infrastructure and systems often being operated by individuals with little computer expertise (Ghafir et al., 2018). These individuals perceive their own level of threat, but as their experience of cyber threats varies greatly, threat perceptions amongst operators can be wide ranging and therefore, the actions they take in response may be equally diverse. In addition, individuals that consider the protection of their online identity a low priority may carry over this perception to the workplace, exposing organisations to cyber threats (Huang et al., 2010). The way individuals react to the discovery of an attack can be influenced by their own internal needs (McClelland, 2010) and these influences can stem from the community and culture in which they developed (Nisbett et al., 2001). As such, despite the agnostic nature of technology, its application by individuals and groups may differ and this may affect how cyber defence operations are conducted. Similar technology could be in place, but ultimate vulnerability may be highly variable.

However, organisational durability is demonstrated by robustness. That is to say, even those who have sustained significant attacks often continue to operate and address their vulnerabilities. They learn from experience and protect against human error with process, and against ā€˜shadow ITā€™ with policy. Learning from experience can kick start reactive innovation which helps to advance and develop organisational improvements but, with a lack of public transparency and knowledge sharing, this appears to occur in isolation.

The continued development of attack vectors shows attacking groups have also advanced, sharing vulnerability information and methods with other groups (Biros et al., 2008). Each side shows similarities in scale as there are small firms protecting their business and countries protecting their sovereignty, just as there are individuals aiming to infiltrate systems and countries aiming to gain advantage over their adversaries, but cyber security events are not weight-matched fights.

Despite this, generally, the balance of power has always sat with the defensive team. Organisations recover and continue to operate, even when affected by business-crippling attacks. However, COVID-19, may have adjusted that power balance (Lallie et al., 2021; Pranggono & Arabo, 2020). Rather than move slowly and iterate new cyber security developments, organisations had to respond rapidly to a dispersed workforce (Ostiguy, 2021; Pranggono & Arabo, 2020). COVID-19 brought organisational staffā€™s equipment out from under the protective wing of IT systems administrators and placed the burden of remote connectivity on to home grade un-tested infrastructure (Lewis, 2020), which often resembled the very same untrained-configured shadow IT that policies and processes aimed to eradicate. In this rapid environmental change, organisations that were comfortable with a minority of remote workers suddenly found themselves with the task of migrating hundreds or thousands of employees to home-based offices with little time to prepare and less time to test their solutions (Lewis, 2020). This increase in remote staff and the associated increase of IoT devices creates an environment where the attack vectors and entry points for cyberattacks have expanded exponentially (Khan et al., 2020; Pranggono & Arabo, 2020).

Whilst academic sources tend to agree that the threat of cyberattacks is increasing, the majority of the information used to express this view has been collated from literature provided by practitioner sources. It is therefore difficult to state the level of threat as perceived by Australian organisations, as there is little data to support any accretion. Thus, a gap in knowledge was identified, and whilst an answer to the first research question is proposed, it remains non-validated.

Similarly, for our second research question regarding the focus of effort, academic sources show collaboration, knowledge sharing, and training of a diverse workforce is likely to improve capabilities, but direct information from organisations is lacking. Therefore, a second gap in knowledge has been uncovered and the research in this area has merit.

Methodology

This study investigates from three perspectives: existing literature; published organisational information; and personal perspectives of those who work in industries.

As information was scarce, causal research, which is used to investigate causal relationships between dependant variables, would not suit the studyā€™s needs (Oppewal, 2010). So exploratory research, which is often used to develop research objectives, combined with an element of descriptive research, which is useful when objects require descriptive investigation, was chosen as the preferable initial approach. However, the majority of the study was qualitative in nature, supported by descriptive analysis that quantified the gathered data when required to help develop meaningful interpretations.

Examination of exiting literature used sources from both academic and practitioner sources to form a more complete and balanced view. Literature from professional and technical sources helped inform what was currently known about DDoS and the scale of threat, as perceived by industry and the methods of mitigation. Academic literature was examined so that previous research knowledge could be understood and compared to current and historical industry knowledge. In both cases, literature was gathered from books (physical libraries and book shops) and electronic sources such as: digital searches made through UNEā€™s online library and their affiliates; Google Scholar; and ResearchGate, which led to information sources including websites, interviews (video and transcribed), white papers and commercial cyber security reports.

These wide range of sources were combined to develop a baseline of knowledge from which to build new understanding of the perceptions of individuals in Australian Organisations related to the DDoS cyber threat. The information gathered led to the discovery of several gaps in existing knowledge and this helped develop the research questions set the basis for deeper research.

As the literature review neared completion, 30 employees from small and medium Australian organisations were interviewed to gain their perspectives on the DDoS subject. In addition, websites from 47 Australian organisations were analysed with a mix of interviewed organisational staff and those that were approached but declined to participate. These participants and websites were sourced from a wide range of industry sectors including education, mining, construction and information media & technology. This method was used so that the results would have a mix of those organisations with employees who were willing to share insights and those who were not, with the potential that this may expose, differences between the two groups.

Data gathered during the website analysis was recorded in Microsoft Excel. This facilitated high level observations and simplified calculations during readability examination. The low quantity of academic and practitioner information fuelled the need for more targeted research into organisational perspectives of DDoS. The research began with broad observations of cyber security subject matter before drilling down to more specific DDoS-related information. However, due to the lack of DDoS-specific and Cyber Security information in general, primary data collection via interviews became a necessity.

Interviews were conducted via a mix of videoconference and face-to-face meetings, with audio recorded for later transcription. Once transcribed, transcriptions were imported into NVivo12. The move from face-to-face meetings to videoconference occurred as a result of COVID-19 restrictions that limited personal contact.

Excel and NVivo12 were then used to explore the data and produce analysis aligned with macro and micro themes. Macro themes were listed initially before being examined more deeply to uncover micro themes derived from the collected website information and the perceptions and opinions of the interviewed individuals. These new insights were considered along with the analysis of existing literature to bring new understanding of DDoS and the perceptions of Australian organisations.

Results and Discussion

The exploratory research began with the analysis of 48 industry websites, made up of organisations whose employees had been interviewed (19) and organisations that had not (29).

For the initial observation of whether the organisations shared security information on their website, the results showed that 48% of the websites analysed, publically shared some security information. Further examination showed that whilst the near half shared security information, most of those who did not also declined to be interviewed. This could be indicative of a fear of sharing sensitive information, a competition-driven reluctance to collaborate or priority-based decisions.

Participant response statistics may partially support a reluctance to share. Of the 110 participants approached, whilst only 2% formally declined, 61% did not respond and a further 10% who initially agreed ceased contact when interview arrangements were attempted (Fig.Ā 1).

Fig. 1
A pie chart represents participant response statistics. The components are no reply 61%, complete 27%, ghosted 10%, and no 2%.

Response statistics

Full size image

However, as shown in Fig.Ā 2, whilst a greater number of male invitees were approached, proportionally more female respondents agreed to participate. This supports the Hofstead et al. (2010) view that feminine cultures show traits of nurturing, collaboration and protection.

Fig. 2
A double doughnut chart of gender-invitee versus participants. The inner ring represents the male and female of the invitee gender. The outer ring represents the male and female of the respondent gender. Male participants are higher than the female.

Invitee versus respondent (Gender)

Full size image

The information that was shared covered a variety of categories. In some cases, organisations limited their information to policies and procedures that more applied to employees than customers. This occurred even when the organisations business permitted use of its technology and systems. In other cases, especially with vendor organisations, technology and product related information was made available. However, in many cases, and in contrast to ā€˜privacy statementsā€™ and ā€˜terms and conditionsā€™ information, cyber security information was not easily located. Often, the information required a site search or the reader to follow a convoluted path to locate this type of information. Under Australian consumer law, all Australian websites are required to display terms and conditions for organisations that collect any customer or visitor information, privacy statements become a mandatory inclusion (OAIC, 2021). This is not the case for cyber security information as there are no current legal requirements to include this type of information. Any information shared is done so voluntarily and any organisation which does so is likely driven by organisational objectives.

Further website examination sought to uncover information related to strategic cyber security partnerships. This was included as notification of a partnership may indicate a preferred method of protection and an informal endorsement of a providerā€™s capability. In the websites analysed, listed, partnerships were rare and only one website linked to the Australian Governmentā€™s ā€˜Scamwatchā€™ program. Where as, others included links to vendors, who are often treated as partners and essentially did not operate in the security sector. Information about security partnerships were practically non-existent. Overall, very few mentioned any of their partners and, where they did, security partnerships were not included.

With little information publically presented, customers and consumers may be left to their own assumptions and understanding to invoke safe practices whilst using online resources. This initiates two considerations:

  • Is the technology being used cyber secure by design?

  • Is the technology being used configured for optimal cyber security?

As of October 2021, in Australia, minimum standards of cyber security for internet connected devices do not exist. Any network-compatible product purchased may or may not have cyber security features such as firewalls, encryption or access control lists. In fact, some devices, such as security cameras, may still operate with simple, well-known passwords (Shadman, 2017), despite this type of deviceā€™s inclusion in the 2016 Mirai DDoS attack (Vlajic & Zhou, 2018).

In interviews, respondents raised the issue with product standards. Whilst Australian Consumer law directs minimum levels of safety and consumer satisfaction for all products available in Australia, it has no information directly related to the cyber security level of these products (The Australian Consumer Law, 2016). Products must be safe to use and function as advertised, but there is no legislation to ensure that they prevent unauthorised access or control. Similarly, whilst the ACCC has powers to govern compliance with legislation, it has no powers with respect to cyber security. Insecure products are still available in Australia and bad actors remain keen to exploit the vulnerabilities. It seems, only when consumers become aware of the risks, do they provoke change through purchasing preference (Blythe, 2020). Therefore, the pressure for manufacturers to develop safe and secure computer, network and IoT devices is driven by sector competition and consumer preference and, unfortunately, this comes at a cost (Blythe, 2020). As such, whilst the introduction of minimum levels of cyber security defence or standards for internet connected products and software could be one way to raise the level of protection for Australiaā€™s public and private infrastructure, it must be done jointly with methods of governance and auditing compliance.

Access to ā€˜secure by designā€™ technology is only one aspect of a secure implementation. Network connectable devices are often highly configurable and within the many options are choices that increase or decrease the level of security offered as a default by manufactures. As individuals may be influenced by their own threat perceptions, they have the ability to adjust the level of device protection so it is important that those configuring network devices have threat perceptions that are compatible with organisational decision-makers. In our interviews, most participants (20 of 30 interviewed) considered their perception of the threat of DDoS to be in line with their organisations. However, seven said that their organisation was less concerned than they were, with the remaining three stating their organisation was more concerned than themselves. This level of perception had an effect on cyber security budget approvals. Participants commented that justification for cyber security budget was more easily accepted if the organisation had experienced an attack, whereas those that possessed only theoretical knowledge were less keen to invest in prevention.

Information on attacks is scarce. Only one of the websites analysed listed details of a publicly-reported data breach, despite details of public data breaches being available for a further three organisations, from alternate public sources.

This lack of transparency could indicate a lack of trust between organisations and a lack of trust can prevent inter-organisational collaboration, as trust between people is an essential component of collaboration (Mitchell et al., 2011; Olson, 2019). Further, as cyber security relies on people as well as processes and technology (Herath & Rao, 2009), individuals carrying their own perception of online risk into the workplace (Huang et al., 2010) may support beliefs that the human factor remains the weakest link for cyber security (Kolenko, 2019; Wiederhold, 2014) and this can bring a significant effect on organisational vulnerability (Kolenko, 2019; Wiederhold, 2014). The human ability to assess threats relies heavily on human sensory detection (Blanchard et al., 2011), of which much is hidden when threats occur through digital methods. It is therefore necessary to provide training to improve human reasoning and behaviour. However, as psychological processes are susceptible to community and cultural influence, training and processes between groups may vary (Nisbett et al., 2001). It is therefore likely that outcomes can be different when technologies are implemented by differing groups and cultures and these differences may shift advantage to the defence. If cyber defence groups were able to collaborate more, they may be able to take advantage of differing perspectives and we may see more effective defence concepts being implemented even when using the same technology. This is a view supported by many respondents who, whilst claiming that more subject specific training was needed, also expressed a desire to see more real-world experience sharing between industries, countries, cultures, genders and ages, as a whole.

Conclusions

The field of cyber security is an interesting and fast paced place to be in the early 2020s. The explosion of IoT devices, greater than ever interconnectivity and organisational hunger for personal analytical data of life has further entangled continually innovated technology into our daily lives. Whilst this is partially driven by the need to efficiently reduce workloads and gain ever more understanding of our environments, it comes at a cost, as not all users of the data we generate, manipulate and share, have good intentions. Such is the rate of change, it can prove difficult to keep pace with daily new and evolving cyber threats that are continually discovered.

This study aimed to demystify some of the perceptions and assumptions of people and organisations and how they consider cyber threats against their personal and professional environments. This was a difficult task as little is written about the subject, but the exploratory research and qualitative analysis of the semi-structured interviews revealed some interesting new knowledge.

Firstly, despite the increase in network connected devices (including IoT), no product standards exist for cyber security products sold in Australia. This leaves consumers, including those with lower levels of computer literacy, holding the decision-making power without the protection of any consumer guarantees as to the products suitability for secure implementation. The introduction of an Australian standard would be one way to encourage manufacturers to design beyond a minimum requirement and, if policies are implemented intelligently, they could cover device configuration methods as, currently, consumers without adequate training face the task of configuring highly complex equipment in a way that protects their valuable digital resources.

The setup of standards may be one way to encourage greater collaboration. This study found little evidence of existing inter-organisational collaboration and very minimal transparency regarding each organisationā€™s own cyber security defences. The difficulty in attracting participants further highlighted the reluctance of organisational staff to share knowledge that may help their peers. However, the study statistics showed that more female respondents agreed to participate than their male counterparts, which may further support the need for greater diversity in this area.

This study was undertaken during the COVID-19 pandemic and this had some effects on the cyber security landscape and the process of the study itself. During the pandemic, many staff needed to work from home and this placed a great load on organisation remote infrastructure. In many cases, urgency was focused on a rapid workable solution with security being a second consideration. For example, whilst company-owned laptops may have policy-driven security configurations, little to no audit would be performed on the home-based infrastructure to which it was connected. Therefore, COVID-19 rapidly changed the field of study and, with that, may have influenced the thoughts of the interview participants. This may also have had an effect on their willingness to participate but, at the very least, the interview process needed to adjust. Without the capability to perform face-to-face interviews, videoconferencing was used, altering the dynamic of the planned semi-structured conversations.

The implications of this study are broad. In one area, practitioners should aim for greater collaboration, as knowledge sharing and the opportunity to incorporate greater diversity of ideas and methods, may fuel development of more comprehensive implementations. In another, it is clear that, to date, greater academic focus has been placed on the technology and understanding how attacks are propagated and this has left the human side of cyber security under-researched. In a third area, more needs to be done regarding the way technology is designed along with attention to how adopters will configure the vast array of parameters available. Whilst manufacturers may begin to establish quality levels, policies may be required to ensure minimum standard are met.

This study was limited in scale due to the difficulty in obtaining enough participants to interview, but for future research, a deeper understanding of the motivation of people as they seek to protect their digital assets and further understanding of how they measure threat and risk when cyber security events cannot be seen or heard would be interesting to pursue and this may overlap into other areas of risk assessment where physical indicators are less obvious.