Responsible Cybersecurity: Layers, Significance and Research Agenda

With increasing interconnectivity and reliance on digital technologies within and between organisations, use of the Internet-of-Things, dependence on cloud computing and the popularity of hybrid work, maintaining robust cybersecurity becomes a necessity. This is a time when cybersecurity attacks are becoming increasingly prominent and are a constant threat to organisations. However, cybersecurity is not an issue that affects only organisations and their employees but rather relates to every digitally connected individual in advanced societies. As such cybersecurity is best described as pervasive, spanning from individuals’ everyday lives and activities, to organisations and society. Though there has been an emphasis on employees compliance and the need to increase employees’ awareness of the numerous possible gateways to cyberattacks, there is also a need to consider employees’ needs and emotional wellbeing at a time of increasing cyber threats and attacks on organisations. Against this background that encompasses multiple, diverse and networked stakeholders, we posit for a focus on responsible cybersecurity.

Recently, there has been an increasing literature on responsible digital with AI attracting most of the attention in this space (e.g. Mikalef et al. 2022; Trocin et al. 2023) with Vassilakopoulou et al. 2022 aligning responsible AI to a human-centred approach where the technology is trusted and complies with human values. According to Pappas et al. (2023) a responsible perspective facilitates co-creation and engagement with diverse stakeholders whilst fostering the generation of shared value that benefits all stakeholders within a wider spectrum of society and not just a few. Drawing on this literature, we seek to lay the foundations for a responsible perspective in cybersecurity. The need for responsible cybersecurity, both in terms of understanding what this means and also in terms of promoting it, stems from a realisation that there is limited knowledge on important, human, organisational and societal issues that are impacted by cybersecurity breaches.

Having interviewed cybersecurity professionals across a number of organisations and industries, we introduce a new theoretical framework on responsible cybersecurity. The framework which encompasses different and diverse layers that span across techno-centric, human-centric, organisational (intra and inter) and societal-centric dimensions, is important as it shows the scope and scale of responsibility that surrounds cybersecurity. While techno, human, and intra-organisational centric dimensions relate to responsibilities to securing technology, people and the internal organisational environment, inter-organisational centric and societal-centric extend beyond the organisation and concerns the security of the supply chain and the wider society. Further, framework represents an integrative and balanced approach of not only different views that can be represented in the responsibility domain but also the multiple and diverse stakeholders who have an interest in cybersecurity and who may be affected by potential attacks. Collectively, these diverse perspectives emphasize the interconnected responsibilities of different stakeholders both within and beyond the organisation. Responsible cybersecurity is realised when all these layers are addressed. Further research is needed to expose the inter-connections between the different layers of the framework. Though the study provides evidence on the links between specific layers, there is a need for a deeper understanding of how different layers interact with and impact each other opening up the agenda for further research in responsible cybersecurity.