Jens Christian Opdenbusch (Ruhr University Bochum), Jonas Hielscher (Ruhr University Bochum), M. Angela Sasse (Ruhr University Bochum, University College London)

Boards are increasingly required to oversee the cybersecurity risks of their organizations. To make informed decisions, board members have to rely on the information given to them, which could come from their Chief Information Security Officers (CISOs), the reports of executives, audits, and regulations.
However, little is known about how boards decide after receiving such information and how their relationship with other stakeholders shapes those decisions. Here, we present the results of an in-depth interview study with n=18 C-level managers, board members, CISOs, and C-level consultants of some of the largest UK-based companies.
Our findings suggest that a power imbalance exists: board members will often not ask the right questions to executives and CISOs since they fear being exposed as IT novices. This ultimately makes boards highly dependent on those providing them with cybersecurity information, leading to losing their oversight function. Furthermore, cybersecurity risk is abstracted to budget decisions with no further involvement in cybersecurity strategies through boards.
We discuss possible ways to strengthen boards' oversight functions, such as releasing industry benchmarks through public cyber agencies or implementing support structures within the company - such as standing (cybersecurity) risk and audit committees.

View More Papers

I Know What You Asked: Prompt Leakage via KV-Cache...

Guanlong Wu (Southern University of Science and Technology), Zheng Zhang (ByteDance Inc.), Yao Zhang (ByteDance Inc.), Weili Wang (Southern University of Science and Technolog), Jianyu Niu (Southern University of Science and Technolog), Ye Wu (ByteDance Inc.), Yinqian Zhang (Southern University of Science and Technology (SUSTech))

Read More

Cross-Origin Web Attacks via HTTP/2 Server Push and Signed...

Pinji Chen (Tsinghua University), Jianjun Chen (Tsinghua University & Zhongguancun Laboratory), Mingming Zhang (Zhongguancun Laboratory), Qi Wang (Tsinghua University), Yiming Zhang (Tsinghua University), Mingwei Xu (Tsinghua University), Haixin Duan (Tsinghua University)

Read More

Magmaw: Modality-Agnostic Adversarial Attacks on Machine Learning-Based Wireless Communication...

Jung-Woo Chang (University of California, San Diego), Ke Sun (University of California, San Diego), Nasimeh Heydaribeni (University of California, San Diego), Seira Hidano (KDDI Research, Inc.), Xinyu Zhang (University of California, San Diego), Farinaz Koushanfar (University of California, San Diego)

Read More

ProvGuard: Detecting SDN Control Policy Manipulation via Contextual Semantics...

Ziwen Liu (Beihang University), Jian Mao (Beihang University; Tianmushan Laboratory; Hangzhou Innovation Institute, Beihang University), Jun Zeng (National University of Singapore), Jiawei Li (Beihang University; National University of Singapore), Qixiao Lin (Beihang University), Jiahao Liu (National University of Singapore), Jianwei Zhuge (Tsinghua University; Zhongguancun Laboratory), Zhenkai Liang (National University of Singapore)

Read More