
Computers & Security 95 (2020) 101846


Computers & Security


journal homepage: www.elsevier.com/locate/cose

Validation of a socio-technical management process for optimising cybersecurity practices

Masike Malatji a, Annlizé Marnewick a,∗, Suné von Solms b
a Postgraduate School of Engineering Management, University of Johannesburg, Gauteng, South Africa
b Department of Electrical and Electronic Engineering Science, University of Johannesburg, Gauteng, South Africa

Article history: Received 16 March 2020; Accepted 19 April 2020; Available online 6 May 2020.

Keywords: Cybersecurity; Information security; Optimisation; Socio-technical; Systems security.

Abstract

This study developed a socio-technical management process to optimise both technical and non-technical security measures to provide optimal, rather than adequate, enterprise security safeguards. The rationale was that over the last decade, studies have consistently shown that the human being remains the weakest link in the entire enterprise security chain. As a result, the majority of cyberattacks have resulted from human behaviour or error. Despite this, evidence suggests that many enterprises are still taking overly technocentric approaches to cybersecurity risk and this has increased the chances of missing the bigger picture. Thus, a mechanism to optimise both technical and non-technical security measures by identifying and closing socio-technical security gaps in existing enterprise security frameworks was required. The mechanism was derived from the literature and validated by industry practitioners, where it was found that practitioners could categorise security controls into social (human included), technical and environmental dimensions. Through this, it was found that there were mainly non-technical (social and environmental dimensions) security gaps at practitioners’ organisations. To further demonstrate how this security challenge can be identified and addressed, a desktop application of the management process was carried out on the COBIT 5 for Information Security framework. The results reveal the non-technical security gaps in COBIT 5, and the management process demonstrates how these could be closed and optimised. The importance of this study is to highlight that taking overly technocentric approaches to enterprise security risk does not yield significantly positive results in protecting assets. A new approach is required, and the socio-technical management process is this paper’s contribution to address that security challenge.

© 2020 Elsevier Ltd. All rights reserved.

1. Introduction

The number of enterprise security attacks is constantly increasing and different types are continuously evolving (Budzak, 2016). These attacks are often characterised as cybercrime and even cyberwarfare (Borky & Bradley, 2019). The increase in the number and evolution of cyberattack types is driven by various factors, including increased digitalisation of organisational processes, social media usage and the rise of more ubiquitous edge and cloud computing systems (Carcary et al., 2016; Gourisetti et al., 2020; Vuorinen & Tetri, 2016). Furthermore, it seems that despite the emergence of artificial intelligence powered enterprise security approaches, at least 90% of cyberattacks result from human error or behaviour (Carlton et al., 2019; Willis Towers Watson, 2017). As further evidenced by studies over the past decade (2010-2019), the human being remains the weakest link in the entire enterprise security chain (Benson et al., 2019; Caldwell, 2012; Green et al., 2015; Heartfield & Loukas, 2018; Lehrman, 2010; Mann, 2017; Mitnick & Simon, 2011; Pfleeger et al., 2014; Pieters, 2013; Safa et al., 2016). A few examples of recent data breaches and cyberattacks where human error or behaviour was thought to have been exploited will serve to highlight the enterprise security challenge:

• In 2017, the NotPetya ransomware caused global damage estimated at $10 billion (Kaspersky, 2018).
• In 2018, Marriott hotels experienced a leakage of some of its 500 million customers’ personal information (Kaspersky, 2019b).
• In 2019, the American city of Baltimore, Maryland, incurred damages greater than $18 million for refusing to meet ransomware demands, whereas Riviera Beach, Florida, elected to settle the 65 bitcoin demand (roughly $600,000 in May 2019) (Kaspersky, 2019a).
• In 2020, the Manor Independent School District in Texas, United States of America (USA), lost approximately $2.3 million as a result of an incident involving a phishing email scam (Irwin, 2020).

∗ Corresponding author. E-mail address: amarnewick@uj.ac.za (A. Marnewick).
https://doi.org/10.1016/j.cose.2020.101846
0167-4048/© 2020 Elsevier Ltd. All rights reserved.

To address the enterprise security challenge, there are numerous security frameworks. These are implemented to help organisations to identify and protect as well as detect, respond to and recover from cyberattacks (Gourisetti et al., 2020). However, evidence seems to suggest that most of these frameworks address the enterprise security challenge by taking overly technocentric approaches (Davis et al., 2014; Martin, 2018; Willis Towers Watson, 2017), and for specific applications (Gourisetti et al., 2020). In spite of all these efforts, enterprise security remains a persistent challenge (Singh et al., 2014) for organisations in protecting their assets.

The argument is made in this paper for a more optimised socio-technical management process in which the effectiveness of the social (human included) and technical enterprise systems security controls in a given environment are considered. Thus, the aim of this study was to validate the management process that identifies and addresses socio-technical security gaps in existing enterprise systems security frameworks, and how the frameworks’ security controls could be optimised and matured. In this paper, enterprise systems security refers to all forms of security within the organisation, including information security, cybersecurity, information technology (IT) security and physical security. The focus is on the effectiveness of security controls in an enterprise system and how these could be socio-technically optimised to protect assets. According to Borky and Bradley (2019), if a system has effective security controls that could mitigate a vulnerability adequately, the asset (e.g. data or critical infrastructure) is protected; otherwise, there could be an attack or exposure.

The paper starts by providing the research problem context discussed in this introductory section. This is followed by related work in Section 2, where the shortcomings in the implementation of existing enterprise systems security frameworks are discussed and an optimised solution is developed. The research methods employed to validate the optimised solution are outlined in Section 3. The study findings and their implications are presented and discussed in Section 4. In Section 5, a desktop application to demonstrate the optimised solution is carried out. Finally, study conclusions, contributions and recommendations for future research are discussed in Section 6.

2. Related work

In this section, the main purpose is to provide an overview of the socio-technical shortcomings of the implementation of existing enterprise security frameworks, and conceptually demonstrate how these can be mitigated. The argument is that the biggest threat to enterprise security remains human beings (Budzak, 2016). This is because humans are the most critical element in the management of enterprise security (Soomro et al., 2016). And yet, existing security frameworks consider enterprise security as primarily a technical issue (Laybats & Tredinnick, 2016). This is a shortcoming, as advanced technical security measures will not increase enterprise security if there are weak points elsewhere in the organisational system (Dán et al., 2012). It becomes evident that a better understanding of the relationships between the social and technical dimensions (Budzak, 2016; Craigen et al., 2014; Laybats & Tredinnick, 2016) and their environmental influences (Friedberg et al., 2016) on enterprise security is required. The social, technical and environmental dimensions are therefore the essential elements to accomplish a robust enterprise systems security safeguard, while maintaining acceptable levels of organisational system performance, reliability and cost (Borky & Bradley, 2019). They are the three dimensions of a socio-technical system (STS) as shown in Fig. 1 and derived from Bostrom and Heinen (1977), Davis et al. (2014), Hester (2014), Oosthuizen and Pretorius (2016) and Wu et al. (2015).

Fig. 1. Socio-technical system.

The STS in Fig. 1 is comprised of three dimensions, namely the social, technical and environmental dimensions. The social and technical dimensions are subdivided further into two capability domains each. The social dimension is subdivided into the organisational structure and actors. These provide functions that enable systems of authority, communication and work flow by people or stakeholders who influence and/or perform the organisational tasks (Hester, 2014). The technical dimension is further subdivided into technology and work activities (Bostrom & Heinen, 1977; Oosthuizen & Pretorius, 2016). These provide the necessary tools and resources used to carry out work activities, which are the actual day-to-day organisational tasks (Davis et al., 2014; Hester, 2014; Wu et al., 2015). As seen in Fig. 1, both the social and technical dimensions are embedded within an environmental dimension that is complex and non-linear (Carayon et al., 2015; Dasso et al., 2016; Friedberg et al., 2017; Washington & Hacker, 2000).

2.1. Existing security frameworks: Socio-technical gaps

A detailed socio-technical analysis of 19 selected enterprise systems security frameworks was conducted by Malatji et al. (2019). The researchers found that only four frameworks partially fulfilled the security requirements of the social dimension of a socio-technical system. It was deduced from these conceptual findings that the four security frameworks have the potential to expose organisations to cyberattacks through the social dimension security gaps. The four frameworks are (Curley et al., 2017; ISACA, 2017; NIST, 2017; Rigon et al., 2014; Shen, 2014):

• National Institute of Standards and Technology’s cybersecurity framework (NIST-CF);
• ISO/IEC 27002;
• COBIT 5 for Information Security;
• IT capability maturity framework (IT-CMF).

The ISO/IEC 27002 is a compliance framework, whereas the COBIT 5 for Information Security is a governance framework (Nicho, 2018). The NIST-CF and IT-CMF could be considered more as management frameworks as they, according to Dedeke and Masterson (2019), focus largely on the effective integration of IT and organisational goals, rather than purely on enterprise systems security. In their functionality, management frameworks are essentially a combination of the compliance and governance frameworks in that, rather than just align, they also seek to seamlessly integrate IT and organisational goals. However, seamless integration of IT and organisational goals does not, in and of itself, provide effective security controls for optimised asset protection. It is the argument in this paper that a socio-technical management approach is required to achieve this.

2.2. Existing security frameworks: Implementation approach shortcomings

All too often, it is assumed by some organisations that enterprise systems security begins and ends with technical security measures such as firewalls (Borky & Bradley, 2019; Nicho, 2018). This leads to a high incidence of security breaches that could also be attributed to organisations’ inability to adequately pay attention to non-technical security measures such as governance and strategies (Nicho, 2018). Other organisations pursue security standards in the hope of providing a common basis to reduce security risks (Diesch et al., 2020). However, a major disadvantage of the security certification approach (compliance frameworks) is that an enterprise could achieve compliance with a standard, e.g. ISO/IEC 27001, without necessarily having a robust enterprise systems security safeguard to reduce risk (Dedeke & Masterson, 2019; Diesch et al., 2020).

But even a robust enterprise systems security safeguard against external attacks may be vulnerable to the insider threat by authorised staff members, or third-party contractors (Gourisetti et al., 2020), due to misbehaviour or error (Borky & Bradley, 2019). Dawson and Thomson (2018) also point out that much of existing enterprise systems security research emphasises engineering and other technical skills while downplaying the importance of the social and organisational influences on daily occurrences. It is therefore necessary to explore enterprise systems security from a holistic and non-linear perspective, which includes integrating domain-specific security requirements and balancing sociocentric and technocentric approaches (Tisdale & Morris, 2015). Thus, focusing solely on technical security safeguards does not necessarily prevent data breaches. Rather, both technical and non-technical security measures, anchored by a robust security standard and governance framework, are required to provide for optimised asset protection (Nicho, 2018). In light of the above, a socio-technical management process to help optimise the technical and non-technical security measures was developed in this study.

2.3. A socio-technical management process

The original framework system to help mitigate against the shortcomings of the implementation of enterprise systems security frameworks was developed by Malatji et al. (2019) from the literature. This framework system has since been revised and improved into a socio-technical systems cybersecurity optimisation process (STS-COP) as shown in Fig. 2.

The STS-COP is the socio-technical management process of the study. With reference to Fig. 2, the socio-technical management process is comprised of three system elements. The first one is the security controls classification system element to categorise enterprise systems security controls into one of the three STS dimensions. Key to the operationalisation of this system element are the attributes in Fig. 3, which were derived from Bostrom and Heinen (1977), Davis et al. (2014), Hester (2014), Mumford (2006), Oosthuizen and Pretorius (2016), Schuetz and Schrefl (2017), Trist (1981) and Wu et al. (2015).

The second system element of the socio-technical management process is the joint optimisation system element to determine the extent to which existing enterprise systems security frameworks exhibit socio-technical security gaps, and to close and optimise them. The third and final system element is the capability maturity indicator system element to help organisations effectively monitor, measure, manage and continuously improve optimised security controls.

It is worth highlighting that the revision and improvement of the original framework system into the STS-COP resulted from the reconfiguration of the first system element into the current security controls classification system element. This was achieved by taking the socio-technical system in Fig. 1 and creating a system element operationalised by using enterprise systems security controls as input data and categorising them into STS security controls as output data. As previously mentioned, categorisation of the input security controls is achieved through utilisation of the STS dimension attributes (see Fig. 3) as a guideline. Thus, the socio-technical management process is comprised of three system elements integrated to provide an overarching process, rather than to be a replacement for any existing and usually domain-specific enterprise systems security approaches. The goal is to provide organisations with a mechanism to integrate both technical and non-technical security controls for optimised, rather than adequate, asset protection. To validate the socio-technical management process, a mixed method research approach was adopted.

Fig. 2. Literature-derived STS-COP.

Fig. 3. STS dimension attributes.

3. Methodology: theory validation process

The socio-technical management process was developed deductively from STS theory and systems engineering management concepts. This meant that the literature-derived STS-COP in Fig. 2, as the socio-technical management process of the study, was a tentative theory to be tested. The validation process of the socio-technical management process is summarised in Fig. 4.

Fig. 4. Theory validation process.

As seen in Fig. 4, the socio-technical management process was validated through the focus group and in-depth personal interviews, each method with completely different participants. To increase validity of the focus group and the in-depth interview findings, online surveys were completed by yet another, different group of participants. Three main steps were carried out to validate the socio-technical management process of the study.

Step 1, validation of management process by practitioners. The three system elements (security controls classification, joint optimisation and capability maturity indicator) of the socio-technical management process were validated first through a series of interview questions with the focus group participants. Thereafter, the focus group findings were used to inform the subsequent in-depth personal interview protocol. Qualitative data from the in-depth personal interviews was analysed concurrently and iteratively with the interview data collection, which enabled the researchers to progressively decide how to test emerging themes from the data (Maxwell, 2013) and which ones required follow-up (Corbin & Strauss, 2008). A thematic content analysis technique was utilised to analyse the data. This was achieved through the predefined overarching themes and broader categories derived from the management process in Fig. 2. The interview protocol formed the basis upon which the survey questionnaire was created and subsequently distributed for triangulation of the findings.

Step 2, improvement of management process based on findings. The validation findings of the study were utilised to revise the STS-COP. This ensured that the socio-technical management process was finalised.

Step 3, desktop application of management process. A desktop application of the socio-technical management process was then carried out to demonstrate its readiness and usefulness to practitioners.

4. Validation with practitioners

The validation findings and discussions of them are outlined in this section based on the theory validation process as follows: (i) validation of management process by practitioners; (ii) improvement of management process based on findings; and (iii) desktop application of management process. However, the desktop application of the management process will be demonstrated separately in the next section (Section 5). Before the findings are discussed, the validation activities with practitioners were as follows:

Focus group. The focus group was held with seven participants. Although data generated through the focus group did not immediately relate to the planned focus of analysis (Roulston, 2014), it did prompt the researchers to revise and simplify the in-depth personal interview protocol as attached in Appendix A.

In-depth personal interviews. The data was collected face-to-face with 22 practitioners using the revised semi-structured interview questions in Appendix A. The levels at which interviewees executed security work were purposefully sought and these were at strategic level (3 participants), which is policy driven, tactical level (11 participants), which is guideline driven, and operational level (8 participants), which is measures driven (Singh et al., 2014). Interview recordings were transcribed on the same day as the interview sessions and eventually coded for analysis as shown in Fig. 5. As previously mentioned, the data analysis themes and categories in Fig. 5 were deductively derived from the socio-technical management process in Fig. 2.

Fig. 5. Predefined data coding framework.

Online surveys. By the closing date, only 12 respondents had completed the survey. Four out of 12 respondents were snowballed. Based on the purposive sample selection criteria, one respondent did not qualify to complete the survey and the respondent’s data was excluded from further analysis in this study. The respondent had less than the required 3 years of industry/research experience.

4.1. Validation of management process by practitioners

Security controls classification system element. Without seeing the STS dimension attributes presented in Fig. 3, interviewees were asked to classify their organisations’ security controls into either the social, technical or environmental dimension. The findings are summarised in Table 1. In the third column of Table 1, a total of 27 STS security controls were validated by practitioners, as these already existed from the literature reviewed by Malatji et al. (2019). Moreover, practitioners added a further 76 STS security controls as listed in the last column of Table 1. Depending on the industry sector, the additional 76 STS security controls utilised by practitioners could be added to existing enterprise systems security frameworks as appropriate. This could be either to close the socio-technical security gaps or to improve both technical and non-technical security controls. The survey findings of the same question indicated that 91% of the respondents were of the opinion that it is possible to categorise security controls along the three STS dimensions. Triangulation of the interview and survey findings was therefore achieved for the security controls classification system element.

Table 1
Findings on security controls classification system element.
(Columns: STS dimension; Capability domain; Literature STS security controls; STS security controls added by practitioners.)

Social dimension, Organisational structure (Functions) capability domain
Literature STS security controls: Communication; Cybersecurity change management activities; Cybersecurity governance; Cybersecurity team training; Human resources (HR) onboarding activities of new employees; HR employee management during employment; Other physical security activities; Physical access controls; Frequent user awareness training; User awareness campaigns; User identity awareness.
STS security controls added by practitioners: Continuous self-learning by cybersecurity team; Cybersecurity operations centre management; Cybersecurity team management; Organisational structure impact on cybersecurity; Organisational culture-driven cybersecurity activities; Phishing campaigns; Understanding information security standards.

Social dimension, Actors (People) capability domain
Literature STS security controls: Business managers; Chief information security officer; Employees (new, existing, leaving).
STS security controls added by practitioners: Artisans; Chief executive officer; Chief information officer; Chief technology officer; Cybersecurity team; Data governance officer; Executives (other); Finance team; Governance, risk and compliance specialist; Hospital manager; HR executive; Internal auditors; IT auditor; IT governance and risk director; IT governance and security manager; IT manager; IT security officer; IT team; Legal team; Managing director; Security guard; Software developers; Systems administrator.

Technical dimension, Technology (Tools & resources) capability domain
Literature STS security controls: Antimalware; Antivirus software; Firewall; Host-based intrusion prevention system; User awareness policy.
STS security controls added by practitioners: Active directory; Application layer filtering; Assets management policy; Back-up-as-a-service; Cloud security policy; Cybersecurity policy; Cybersecurity standards; Data breach policy; E-mail security; Honeypot; Network authentication controls; Password policy; Steganography; Systems access control; Systems hardening; Video surveillance.

Technical dimension, Work activities (Tasks) capability domain
Literature STS security controls: Cyberrisk assessments and analysis (internal and external); Disaster recovery and business continuity.
STS security controls added by practitioners: Cybersecurity audit (internal and external); Data encryption; Data leakage protection; Documentation of cybersecurity practices; Identity and access management; Incident response and management; Network segmentation; Network traffic monitoring; Patching and systems security updates; Penetration testing (red team exercise); Virtual private network configuration; Vulnerability scans and assessments.

Environmental dimension (no capability domain subdivision)
Literature STS security controls: Customers; External service providers (suppliers); Government; Office space; Regulatory compliance and statutory requirements; Service level agreements.
STS security controls added by practitioners: Basel accords; Contracts with customers; Contracts with external service providers; Cybercrimes and cybersecurity bill; Datacentre; Earthquakes; Financial Intelligence Centre Act; General Data Protection Regulation (GDPR); Health Insurance Portability and Accountability Act; International data privacy laws; Minimum information security standards; Payment Card Industry Data Security Standard (PCI-DSS); Private security industry regulatory authority; Protection of Personal Information Act; Reserve banks; Sarbanes-Oxley; South African Revenue Service.

The implication of the findings of the security controls classification system element is that, during categorisation of security controls, some interviewees viewed systems-driven policies as technical and governance-driven policies as organisational and human-related. Additionally, other interviewees distinguished between human-driven and systems-driven physical security (e.g. video surveillance integrated with facial recognition and related technologies). These findings implied that the original STS dimension attributes in Fig. 3, as the key driver of the security controls classification system element, needed to be revised with additional attributes as shown in italics in Fig. 6.

Fig. 6. Cybersecurity STS dimension attributes.

Joint optimisation system element. Upon classification of the security controls listed in Table 1, interviewees were asked if, in their experience, it would be possible to optimise their enterprise systems security controls along the three STS dimensions. It should be recalled that joint optimisation refers to harnessing the best of both the social and technical dimensions of enterprise practices with equal emphasis in a contextual environment (Emery, 1982; Mumford, 2006). Interviewees were asked, firstly, if it would be possible to determine the security baseline optimisation state in order to identify socio-technical security gaps in their existing security frameworks. The joint optimisation interview question was whether it would be possible to determine the security joint optimisation state in order to close identified socio-technical security gaps. This question inquired about socio-technically categorised security controls actively in operation that interviewees did not have. Thus, only expert opinions were sought to test for validation of the joint optimisation system element. The following three themes emerged from their responses, in order of prominence: (i) security optimisation is possible; (ii) unspecified; and (iii) security optimisation is not possible. Unspecified means that responses could not be coded as either ‘optimisation is possible, or not’. Responses from the ‘unspecified’ theme, for example, stated that:

“…technical and environmental equally so (important) because they work hand in hand.” (I5);

“The strength…no, you can’t make them equally stronger. The only thing you can strengthen is security tools. Your measures.” (I7);

“…with artificial intelligence we are going to depend on technical. So, my answer to you is that artificial intelligence, sorry, (the) technical (dimension) is going to hold more power, if I can put it in that way, than (the) social and environmental (dimensions).” (I22).

Further analysis of some of the ‘unspecified’ responses indicated that the interviewees were, in fact, not really opposed to the possibility of enterprise systems security optimisation. They were merely emphasising STS dimensions that were more important in their environments. To confirm this interpretation by the researchers, a follow-up question was asked to rate whether the three STS dimensions were equally important. Views expressed essentially corroborated (or contradicted) responses already given to the ‘optimisation possibility’ interview question. This is because the two questions were exactly the same, just asked differently. Five themes emerged from the data on the follow-up question and these were denoted as: (i) equally important; (ii) social is important; (iii) technical is important; (iv) social and technical are important; and (v) unspecified.

The findings show that the ‘equally important’ theme was significantly dominant. This means that the majority of interviewees thought that the three STS dimensions were equally important. This is a concise definition of joint optimisation in STS theory according to Bostrom and Heinen (1977), Carayon et al. (2015), Emery (1982), Mumford (2006), Oosthuizen and Pretorius (2016) and Walker et al. (2007). That is, ‘equally important’ and ‘optimisation is possible’ mean exactly the same thing in joint optimisation parlance. Thus, the dominant themes were consistent in both questions and the researchers’ interpretation was correct.

To triangulate this finding, the same two questions were asked through surveys. The majority of the survey respondents provided contradictory answers to the two (identical) questions. Due to this contradiction, it can be inferred that the majority of the survey respondents either misinterpreted the two questions, did not understand the concept of joint optimisation, or truly had no idea if and how it is possible to optimise STS security controls. Triangulation was therefore not achieved for the joint optimisation system element.

The implication of the findings of the joint optimisation system element is that, since it was validated only through expert opinion by interviewees, a more quantitative validation of the socio-technical management process should be carried out in a longitudinal study. Moreover, an empirical, theoretical and/or practical explanation for the dissonance (Flick, 2018; Salkind, 2010) between the survey and interview findings is required. This is provided in detail in Section 4.2.

… 36% indicated that a CMM was the only tool they used to determine maturity levels and 45% said that other non-CMM tools were available that could be used for the same purpose. Triangulation was therefore achieved for the capability maturity indicator system element.

The implication of the findings of the capability maturity indicator system element is that a 5-level CMM is used by the majority of enterprises to carry out maturity assessments. Consistent with the literature, the 5-level CMM can be represented in Table 3 as derived from Borrett et al. (2013), Curley et al. (2017), Dorville (2014), ISACA (2017), Le and Hoang (2016), NIST (2017), Ross et al. (2016), The Open Group (2011) and USA Department of Energy (2014). Level 0 is not counted in this paper. It is merely used to signify the absence of the implementation of a formalised socio-technical management process.

In light of the implications of the study findings discussed, the literature-derived STS-COP in Fig. 2 is revisited.

4.2. Improvement of management process based on findings

Triangulation of the findings was achieved for two of the three system elements of the socio-technical management process. These are, firstly, the ability of the security controls classification system element to categorise enterprise systems security controls along the three STS dimensions, and secondly, the ability of the capability maturity indicator system element to effectively monitor, measure, manage and continuously improve optimised security controls. Both system elements have therefore been validated. However, triangulation could not be achieved for testing validity of the ability of the joint optimisation system element to identify and close socio-technical security gaps. According to Bazeley (2018), some of the potential sources of dissonance include research methods, design and context, as well as participants and researchers. Analysis of the sources reveals that there are three options to reconcile dissonance between the interview and survey findings. This variety of options is called bracketing (Given, 2008), and involves the focusing in and reduction of a phenomenon to its essential elements by suspending or bracketing out its external and internal suppositions so that it can be seen as it is (Denzin, 2002; Schwandt, 2007).

The first bracketing option considers outliers to general trends in the data patterns and themes (Bazeley, 2018). However, there were no outliers in either method. The first option therefore fails to provide an explanation for dissonance. The second option could simply be to rerun the online surveys with a larger sample size, because a larger sample is thought to produce more accurate results (Denscombe, 2014). This option points to the survey research method as the possible source of dissonance. However, even with
Capability maturity indicator system element. Through the in- a larger sample size, if participants misinterpreted the questions
depth personal interviews, it was found that some practitioners due to insufficient theoretical context, or for whatever reasons, the
performed what they referred to as cybersecurity maturity assess- causes of dissonance would still be present. The second option
ments. The dominant results theme indicates that the majority of therefore also fails to provide an explanation for dissonance.
interviewees performed cybersecurity maturity assessments with The third and final bracketing option considers the context of
security frameworks that are embedded with a capability maturity the overall data collection and analysis phases. Oliver-Hoyo and
model (CMM). However, other practitioners did indicate that non- Allen (2006) acknowledge that it is impossible for researchers to
CMM tools are available that could be utilised for the same pur- identify possible misinterpretation of questions by survey respon-
pose, e.g. Plan-Do-Check-Act (PDCA). To determine maturity levels dents, without context, as it is with interviewees. This means that,
for enterprise systems security capabilities, interviewees indicated because self-administered survey questionnaires do not allow re-
the types of CMMs utilised, as shown in Table 2. spondents to explain their choices (Denscombe, 2014), it becomes
On average, a 5-level CMM is used across enterprises to carry impossible to infer an accurate estimate. Given that the findings of
out cybersecurity (capability) maturity assessments. It can also be the joint optimisation system element discussed in Section 4.1 pro-
seen from Table 2 that CMMs are in fact enterprise systems secu- vide a context for the contradiction in responding to the two ques-
rity frameworks. To express this correctly, enterprise systems se- tions that are exactly the same but phrased differently, it is con-
curity frameworks have embedded CMMs within them. For the cluded that either the survey respondents misinterpreted one or
same question, the survey findings indicate that 81% of respon- both questions or the joint optimisation concept was not clear.
dents agreed that maturity assessments were performed. Of these, Therefore, this renders the survey finding for the joint optimisa-
M. Malatji, A. Marnewick and S. von Solms / Computers & Security 95 (2020) 101846 9

Table 2
Findings on capability maturity indicator system element.

Capability maturity model

Centre for Internet Security (CIS®)


Capability Maturity Model Integration (CMMI)
COBIT 5 for Information Security
ISO/IEC 27002
Information Security Forum (ISF)
NIST-CF
Payment Card Industry Data Security Standard (PCI-DSS)
PDCA
Formerly, Information Technology Infrastructure Library (ITIL); Now IT Service Management

Table 3
Cybersecurity capability maturity indicator.

Maturity level Maturity requirements

0 (Non-existent) No socio-technical systems cybersecurity optimisation programme in place.


1 (Haphazard) The organisation has realised the need to address cybersecurity with equal emphasis on the social
and technical dimensions of security within a complex environment. However, no standardised
socio-technical systems cybersecurity management processes exist; instead, there are haphazard
and disorganised socio-technical systems security approaches.
2 (Basic) Although no formal socio-technical systems cybersecurity optimisation programme is in place, some
basic processes are being followed. However, these are followed by different competency areas (or
business units) with no standardised procedures. There is strong reliance on the knowledge of
individuals and therefore a tendency to make mistakes.
3 (Formalised processes) There is a formal socio-technical systems cybersecurity optimisation programme in place. Processes
have been formally defined and documented. Policies, processes and procedures have also been
communicated through awareness and training. The procedures themselves are not yet advanced
but are the mandated and formalised practices.
4 (Measurable outcomes) Proactive performance monitoring and evaluation of the socio-technical systems cybersecurity
optimisation practices are done by management. Where processes appear not to be effective,
mitigating actions are undertaken. Limited usage of automated tools is supplemented by continuous
process improvement.
5 (Optimising) The socio-technical systems cybersecurity optimisation programme has been terminated and
processes are now embedded within daily practices. In addition, socio-technical systems
cybersecurity optimisation practices have become fully automated and seamlessly integrated into
the overall security strategy of the business.

tion system element unreliable. Instead of triangulation, bracketing optimisation system element can be summarised by the optimise
has been achieved. The researchers further acknowledge that this process activity. Lastly, the operationalisation of the capability ma-
aspect may need future research but the in-depth personal inter- turity indicator system element can be summarised by the ma-
views have given some indication that enterprise systems security ture process activity where optimised security controls are mon-
joint optimisation is likely possible. itored, measured, managed and continuously improved for an ef-
Based on the validation findings discussed here, the STS-COP fective enterprise systems security safeguard. As shown in Fig. 7,
in Fig. 2 is revised and improved as follows: Firstly, the opera- the practitioner-validated socio-technical management process is a
tionalisation of the security controls classification system element systematic amalgamation of the following three process activities:
can be summarised by the classify process activity where security (i) Classify; (ii) optimise; and (iii) mature. Moreover, each of the
controls are categorised into either the social, technical or envi- three process activities contains three process tasks. As can be seen
ronmental dimension. Secondly, the operationalisation of the joint in Fig. 7, an effective enterprise systems security safeguard should
optimisation system element is driven primarily by equation [1] be anchored by good corporate governance, of which cybersecu-
which is used to compute what Washington and Hacker (20 0 0) re- rity governance is a part (De Bruin & Von Solms, 2016), and risk
fer to as the systems equivalence and it is called the joint optimi-
sation score in this paper.

Systems equivalence (SE )


{Max. systems score (social, technical, environmental ) − Min. systems score(social, technical, environmental )}
= (1)
Average score (social, technical, environmental)

In equation [1], the Max. systems score (social, technical, environ- management, as cybersecurity impacts both the internal stakehold-
mental) variable refers to the usage of only the highest score from ers (boards of directors, executive directors, security guards, etc.)
the three STS dimensions; likewise the Min. systems score (social, and external stakeholders (regulators, customers, suppliers, etc.)
technical, environmental) refers to the lowest score (Washington & (Susskind, 2014).
Hacker, 20 0 0). The Average (social, technical, environmental) vari- As with many architecture strategies (Borky & Bradley, 2019),
able, on the other hand, refers to the average score of the secu- the flow of the socio-technical management process is also highly
rity controls from the three STS dimensions. Therefore, the joint iterative. This implies that the outcomes at any process activity

Fig. 7. Socio-technical management process.

of the management process may iteratively trigger a return to an earlier process activity to, for example, perform additional security controls classifications, refine security controls requirements or address one or more challenges. To that effect, the three process activities of the management process are linked by two feedback loops. The first feedback loop is the maturity event, which is an annual (proactive) event in which capability maturity assessments of enterprise systems security practices are carried out. This event is triggered iteratively from the mature to the optimise process activity. The second feedback loop is the cyberincident (reactive), which is triggered from the optimise to the classify process activity every time there is a successful cyberattack. Organisations should therefore strive to have effective capabilities to respond and recover under critical cyberincidents (Gourisetti et al., 2020). Testing for readiness and usefulness of the socio-technical management process in real-life settings requires good implementation and governance procedures.

5. Desktop application of management process

A desktop application of the socio-technical management process was carried out on the COBIT 5 for Information Security framework by executing 9 process tasks and 15 process steps as shown in Fig. 8. This figure was derived from the operationalisation steps of the literature-derived STS-COP in Fig. 2 (and discussed in Section 2), and the socio-technical management process in Fig. 7. The COBIT 5 for Information Security framework (ISACA, 2012) was chosen because it was the most frequently mentioned enterprise systems security framework during the in-depth personal interviews, followed by ISO/IEC 27002 and NIST-CF, respectively. Moreover, it is one of the 19 enterprise systems security frameworks reviewed in detail by Malatji et al. (2019) for the development of the original framework system later revised into the STS-COP in this paper.

The application of the socio-technical management process followed the classify, optimise and mature process activities as discussed next.

Classify. Application of the classify process activity on the COBIT 5 for Information Security framework yielded the categorised security controls listed in Appendix B. These were categorised by mapping each security control to the applicable STS dimension attribute (see Fig. 3). Compared to the study findings listed in the third column of Appendix B, the categorised COBIT 5 security controls in the last column of Appendix B are missing all the environmental dimension security controls. For example, the suppliers (vendor/contractor security management) and General Data Protection Regulation (GDPR) security controls are missing. According to Politou et al. (2018), compliance with the GDPR is mandatory for all business activities carried out in the European Union (EU) as of 25 May 2018. These and other potentially missing security controls are referred to as socio-technical security gaps that should be closed for optimisation of enterprise systems security. The COBIT 5 for Information Security framework thus needs to be updated. The caution, however, is that the seemingly "missing" COBIT 5 security controls in Appendix B do not necessarily mean that every single STS dimension attribute should have a corresponding security control. For example, under the technical dimension, the equipment and machines attribute (see Fig. 3) may not necessarily apply in a professional services firm. It may only apply in heavy industrials and pharmaceutical companies. It all depends on the industry sector in which an enterprise systems security framework is implemented.

Optimise. To optimise the categorised COBIT 5 security controls in Appendix B, all the relevant stakeholders in the organisation (e.g. business process owners and their key users) such as IT, HR, legal, and so on, should be convened to allocate an effectiveness score for each categorised security control. Tables 4 and 5 illustrate this using the COBIT 5 security controls separated into the social and technical dimensions, respectively. Notice that there is

Fig. 8. Implementation steps - socio-technical management process.

Table 4.
Effectiveness score for social dimension security controls.

Capability domain | Categorised security controls | Effectiveness score
Organisational structure (Functions) | Behaviours | X1
 | Information security governance | X2
 | Information security policy | X3
 | Information security principles | X4
 | Policies | X5
 | Security awareness | X6
 | Specific information security policies driven by other functions within the enterprise | X7
Actors (People) | Chief information security officer | X8
 | Enterprise risk management committee | X9
 | Information custodians/business owners | X10
 | Information security manager | X11
 | Information security steering committee | X12
Aggregate score | Xb = (Σ Xn) / n

no third table for the environmental dimension security controls, for the reasons outlined above (they are missing). This means that the environmental dimension's aggregate score, denoted by Zb, is zero. As seen in Table 4, the aggregate score for a certain number n of security controls is denoted by Xb, which is the baseline average score for all the social dimension effectiveness scores (Xn), as indicated by the formula in the table. In this case, n = 12 security controls.

Furthermore, the COBIT 5 categorised security controls (see Appendix B) for the technical dimension are listed in Table 5. Similarly, as seen in Table 5, the aggregate score for a certain number n of security controls is denoted by Yb, which is the baseline average score for all the technical dimension effectiveness scores (Yn), as indicated by the formula in the table. In this case, n = 32 security controls.

As can be seen in Tables 4 and 5, there is only one cell per categorised security control. This means that the various effectiveness scores from different stakeholders concerning the same security control should be averaged into one score. Once all the controls have been allocated an effectiveness score, the aggregate scores (Xb, Yb and Zb) should be computed. The baseline measurements are therefore used to compute or determine the security baseline optimisation state. The lower effectiveness scores in

Table 5.
Effectiveness score for technical dimension security controls.

Capability domain | Categorised security controls | Effectiveness score
Technology (Tools & resources) | Adequate incident response | Y1
 | Adequate protection against malware | Y2
 | Adequately secured & configured systems, aligned with security requirements & security architecture | Y3
 | Awareness material | Y4
 | Information security budget | Y5
 | Information security dashboard | Y6
 | Information security plan | Y7
 | Information security policy | Y8
 | Information security requirements | Y9
 | Information security review reports | Y10
 | Information security stakeholders' template | Y11
 | Information security strategy | Y12
 | Policies | Y13
 | Secure development | Y14
 | Security architecture | Y15
 | Specific information security policies driven by the information security function | Y16
 | User access & access rights in line with business requirements | Y17
Work activities (Tasks) | Align, plan & organise | Y18
 | Build, acquire & implement | Y19
 | Deliver, service & support | Y20
 | Evaluate, direct & monitor | Y21
 | External attacks and intrusion attempts | Y22
 | Information assessment, testing & compliance | Y23
 | Information risk management | Y24
 | Information security architecture development | Y25
 | Information security operations | Y26
 | Information security strategy formulation | Y27
 | Monitor, evaluate & assess | Y28
 | Monitoring & alert services for security-related events | Y29
 | Security assessments | Y30
 | Security testing | Y31
 | Security awareness leadership | Y32
Aggregate score | Yb = (Σ Yn) / n

Table 6.
Joint optimisation score.

STS dimension | Baseline measurement | Follow-up measurement
Social | Xb | Xa
Technical | Yb | Ya
Environmental | Zb | Za
JO score | JObefore = [Max(Xb, Yb, Zb) − Min(Xb, Yb, Zb)] / Average(Xb, Yb, Zb) | JOafter = [Max(Xa, Ya, Za) − Min(Xa, Ya, Za)] / Average(Xa, Ya, Za)
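The arithmetic behind Tables 4 to 6 and equation [1], as an added worked example (this is not code from the paper): it averages stakeholder scores per control into the dimension aggregates Xb, Yb and Zb, computes JObefore and JOafter, and applies the three before/after scenarios (deteriorated, unchanged, improved). The control names are taken from Tables 4 and 5 and Appendix B; the 1 to 5 effectiveness scale, the three stakeholder groups, the two environmental control names in the follow-up data and every score are constructed for illustration. It also handles the two edge cases the text raises: an empty dimension aggregates to zero, and three zero aggregates leave the score undefined.

```python
"""Joint optimisation (JO) score of equation [1] applied to Table 6.

Added example, not code from the paper. Control names come from
Tables 4 and 5 and Appendix B; the 1-5 effectiveness scale, the three
stakeholder groups and every score are constructed for illustration.
"""
from statistics import mean

# Constructed baseline scores: each control is rated by three stakeholder
# groups (e.g. IT, HR, legal) on an assumed 1 (ineffective) to 5 scale.
# The environmental dimension is empty because COBIT 5 categorises no
# environmental controls (Appendix B), so Z_b = 0 as the paper notes.
BASELINE = {
    "social": {
        "Security awareness": [2, 1, 3],
        "Information security policy": [4, 4, 5],
    },
    "technical": {
        "Adequate protection against malware": [5, 4, 5],
        "Secure development": [3, 4, 2],
    },
    "environmental": {},
}

# Constructed follow-up scores a year later: awareness improved and two
# environmental controls (constructed names) were added to close the gap.
FOLLOW_UP = {
    "social": {
        "Security awareness": [4, 4, 4],
        "Information security policy": [4, 4, 5],
    },
    "technical": {
        "Adequate protection against malware": [5, 4, 5],
        "Secure development": [3, 4, 2],
    },
    "environmental": {
        "Supplier security management": [3, 3, 4],
        "GDPR compliance": [3, 4, 3],
    },
}


def control_score(stakeholder_scores):
    """One cell per control (Tables 4 and 5): average the stakeholders."""
    return mean(stakeholder_scores)


def aggregate_dimension_score(controls):
    """Aggregate score of a dimension, X_b = sum(X_n) / n over its n
    controls; a dimension with no categorised controls aggregates to 0."""
    if not controls:
        return 0.0
    return mean(control_score(s) for s in controls.values())


def joint_optimisation_score(social, technical, environmental):
    """Equation [1]: (max - min) / average of the three dimension scores.
    0 means perfect balance; larger values mean a wider socio-technical gap."""
    scores = (social, technical, environmental)
    avg = mean(scores)
    if avg == 0:
        raise ValueError("all dimension scores are zero; JO score is undefined")
    return (max(scores) - min(scores)) / avg


def interpret(jo_before, jo_after):
    """The three scenarios: a rising JO score is a deterioration."""
    if jo_before < jo_after:
        return "deteriorated"
    if jo_before == jo_after:
        return "unchanged"
    return "improved"


def socio_technical_gaps(dimensions, threshold):
    """Controls scoring below threshold, plus any dimension with no
    controls at all: these are where intervention effort should go."""
    gaps = []
    for dim, controls in dimensions.items():
        if not controls:
            gaps.append((dim, "(no categorised controls)", 0.0))
        for name, scores in controls.items():
            if control_score(scores) < threshold:
                gaps.append((dim, name, control_score(scores)))
    return sorted(gaps, key=lambda gap: gap[2])


def assess(baseline, follow_up, threshold=3.0):
    """Baseline and follow-up JO scores (Table 6) with the verdict."""
    before = {d: aggregate_dimension_score(c) for d, c in baseline.items()}
    after = {d: aggregate_dimension_score(c) for d, c in follow_up.items()}
    jo_before = joint_optimisation_score(**before)
    jo_after = joint_optimisation_score(**after)
    return {
        "aggregates_before": before,
        "aggregates_after": after,
        "jo_before": jo_before,
        "jo_after": jo_after,
        "verdict": interpret(jo_before, jo_after),
        "gaps_before": socio_technical_gaps(baseline, threshold),
    }


if __name__ == "__main__":
    for key, value in assess(BASELINE, FOLLOW_UP).items():
        print(f"{key}: {value}")
```

With the constructed data the baseline score is 23/14 (about 1.64), driven almost entirely by the empty environmental dimension, and the follow-up score drops to 15/68 (about 0.22) once environmental controls exist and awareness has improved, so the verdict is "improved". Note that the missing environmental dimension counts as the largest gap even though it has no row in Tables 4 and 5; in practice the gap list, not the single JO number, is what tells a security team where to spend effort.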

these measurements are the socio-technical security gaps and, according to Washington and Hacker (2000), this is where intervention efforts for improvement should be introduced. To determine the security baseline optimisation state, the joint optimisation (JO) score before security improvement intervention efforts (JObefore) should be computed. This is achieved by utilising equation [1] discussed earlier in Section 4. The second column in Table 6 summarises why the baseline measurements should be taken and how the security baseline optimisation state (identify socio-technical security gaps) should be determined/computed.

Once the security intervention efforts to improve the lower effectiveness scores (socio-technical security gaps) have been given time, say a year, to take effect, follow-up measurements should be carried out. This is to determine the security joint optimisation state, where the follow-up measurements are used to compute the joint optimisation score after (JOafter) security improvement intervention efforts have taken effect. The last column of Table 6 summarises why the follow-up measurements should be taken and how the security joint optimisation state (close socio-technical security gaps) should be determined/computed. In this column, Xa, Ya and Za represent the follow-up measurements for the effectiveness of the social, technical and environmental dimension security controls, respectively, after security improvement intervention efforts have taken effect. To determine the security joint optimisation state of an enterprise, three scenarios should be understood. Firstly, if JObefore < JOafter, then the enterprise systems security performance has deteriorated and appropriate improvement intervention efforts are urgently required to close the identified socio-technical security gaps against potential cyberattacks. Secondly, if JObefore = JOafter, then the enterprise systems security performance has neither improved nor deteriorated from the baseline score. This means that any socio-technical security gaps that were identified during the baseline measurements have not been closed and the organisation is still vulnerable to potential cyberattacks. Lastly, if JObefore > JOafter, then the enterprise systems security performance has improved and the security joint optimisation state of an enterprise has been achieved. All that is then required is continuous improvement through a capability maturity model, owing to the changing enterprise risk posture and environmental conditions.

Mature. Although no theoretical COBIT 5 security capability maturity assessment scenario was possible to demonstrate the capability maturity level of its optimised security controls, the COBIT 5 for Information Security framework has the same number of
embedded CMM levels as those in the literature (see Table 3) and findings (see Table 2). Ultimately, the purpose is to evaluate each optimised security control according to set criteria, such as those in Table 3, to determine the level at which an enterprise is mature in terms of the security joint optimisation state.

6. Conclusion and recommendations

The aim of this paper was to validate the management process that identifies and addresses socio-technical security gaps in existing enterprise systems security frameworks, and how the frameworks' security controls could be optimised and matured. A socio-technical management process with three main system elements was developed from the literature to achieve this aim. To validate it, practitioners were able to categorise security controls along the three socio-technical systems dimensions (security controls classification system element), potentially identify and close socio-technical security gaps in existing enterprise systems security frameworks (joint optimisation system element) and mature socio-technically optimised enterprise systems security practices with a 5-level CMM (capability maturity indicator system element). Moreover, the readiness and usefulness of the socio-technical management process to practitioners was demonstrated through a desktop application on the COBIT 5 for Information Security framework. A comparison of the practitioner (validation findings) and COBIT 5 security controls is attached in Appendix B. Appendix B demonstrates the inadequacy of the COBIT 5 for Information Security framework to provide optimised, rather than adequate, enterprise systems security. This is the practical contribution of the study. The theoretical contribution of the study is that the validation findings advance the application of STS theory to other domains, as there is little research on its extension, especially to enterprise systems security.

It is therefore recommended that enterprise systems security be treated as a holistic business function rather than a bloated stack of security tasks within an IT department. In this regard, organisations should adopt a multidisciplinary approach to enterprise systems security, as conventional information security approaches have proven to be inadequate. Specifically, the purely governance- and compliance-based enterprise systems security frameworks are no longer adequate. Only a combination of these provides adequate protection of assets. But even that is no longer enough to guard against evolving cyberthreats and attacks. A seamless integration of both the governance- and compliance-based enterprise systems security frameworks that considers the effectiveness of both technical and non-technical security controls provides optimised protection of assets. The socio-technical management process facilitates this seamless integration for enterprise systems security optimisation. Finally, as a recommendation for future research, three opportunities have been identified. Firstly, there is a need to deploy the socio-technical management process in real-life settings to quantitatively validate its readiness and usefulness to practitioners. This requires a longitudinal study. Secondly, the application of the socio-technical management process to non-security disciplines such as health and safety, risk management, and so on, and to other security-related disciplines such as cloud computing, Internet of Things and cyber-physical systems, should be explored. Lastly, the application of linear programming and other advanced mathematical algorithms could tremendously improve and potentially automate the computation of the enterprise systems security joint optimisation state beyond what is currently proposed in the study. In conclusion, socio-technical thinking in enterprise systems security requires courage and immersion by all stakeholders, from the boards of directors and executive directors to security guards.

Supplementary material

Supplementary material associated with this article can be found, in the online version, at https://doi.org/10.1108/ICS-03-2018-0031.

Declaration of Competing Interest

The authors would like to declare that they have no known personal relationships or competing financial interests that could have influenced the outcome of this paper.

Appendix A. Improved personal interview protocol

Each row pairs the focus group interview questions (left) with the revised and improved personal interview questions (right) that replaced them.

Focus group IQ1. Which information and cybersecurity controls can be classified as having social aspects of security?
Focus group IQ2. Which information and cybersecurity controls can be classified as having technical aspects of security?
Focus group IQ3. Which information and cybersecurity controls can be classified as having environmental aspects of security?
Revised IQ1. In your experience, which information and cybersecurity practices and/or controls do you consider having any of the following attributes: a) Social; b) Technical; c) Environmental.

Focus group IQ4. Which aspect of information and cybersecurity controls is more important than the others: Is it the social, technical, environmental, or none? If you responded above that a particular aspect of information and cybersecurity controls is more important than the others, why do you think that is? However, if you did respond that none of the three aspects of information and cybersecurity controls is more important than the others, why do you think that is?
Revised IQ2. In your opinion, do you think any of the three attributes (social, technical, environmental) is more important than the others regarding information and cybersecurity practices and/or controls? Please elaborate.

Focus group IQ5. (Once classified, the information and cybersecurity controls are now referred to as the socio-technical systems information and cybersecurity controls). Do you think it is possible, or even necessary, to optimise (give equivalent weight to) these socio-technical systems information and cybersecurity controls by using a Likert-type rating scale? If so, why? If not, why not and which methods can be used?
Revised IQ3. In your experience, do you think it is possible to optimise (i.e., give mutually beneficial or interdependent weight to) these STS information and cybersecurity controls when implementing

Focus group IQ6. (Once optimised, the socio-technical systems information and cybersecurity controls are referred to as the joint optimisation security controls). How do you think we can measure, manage and improve upon the joint optimisation security practices in order to achieve a capability maturity of a system?
Revised IQ4. In your experience, how do you think we can measure, manage and improve upon practicing the joint optimisation security controls in order to achieve a capability maturity?

Focus group IQ7. Can a capability maturity model be used to measure, manage and improve upon the joint optimisation security practices? If yes, why do you think that is? If not, why not and which methods can be used?
Revised IQ5. In your opinion, can a capability maturity model (CMM) be used to measure, manage and improve upon practicing the joint optimisation security practices? Please elaborate.

Focus group IQ8. Assuming that a capability maturity model (CMM) has been adopted for measuring, managing and improving upon the joint optimisation security practices, is there an appropriate number of maturity levels a CMM should have to be considered suitable? If yes, why do you think that is? If not, why do you think that is?
Revised IQ6. If a CMM were to be adopted for measuring, managing and improving upon practicing the joint optimisation security controls, is there an appropriate number of maturity levels, in your opinion, a CMM should have to be considered suitable? Please elaborate.

Legend: IQ = Interview question

Appendix B. COBIT® 5 for Information Security framework

The table below compares the practitioner security controls in the third column with the COBIT 5 security controls in the last column. It can be seen in the table that the COBIT 5 for Information Security framework is missing all the environmental dimension security controls, for example the General Data Protection Regulation (GDPR).

STS dimension | Capability domain | Practitioner security controls | COBIT 5 security controls

Social | Organisational structure (Functions)
Communication | Behaviours
Continuous self-learning by cybersecurity team | Information security principles
Cybersecurity change management activities | Specific information security policies driven by other functions within the enterprise
Cybersecurity operations centre management | Information security governance
Cybersecurity governance | Information security policy
Cybersecurity team management | Policies
Cybersecurity team training | Security awareness
HR onboarding activities of new employees |
HR employee management during employment |
Organisational structure impact on cybersecurity |
Organisational culture-driven cybersecurity activities |
Other physical security activities |
Phishing campaigns |
Physical access controls |
Frequent user awareness training |
Understanding information security standards |
User awareness campaigns |
User identity awareness |

Social | Actors (People)
Artisans | Chief information security officer
Business managers | Information custodians/business owners
Chief executive officer | Information security manager
Chief information officer | Enterprise risk management committee
Chief information security officer | Information security steering committee
Chief technology officer |
Cybersecurity team |
Data governance officer |
Employees (new, existing, leaving) |
Executives (other) |
Finance team |
GRC specialist |
Hospital manager |
HR executive |
Internal auditors |
IT auditor |
IT governance and risk director |
IT governance and security manager |
IT manager |
IT security officer |
IT team |
Legal team |
Managing director |
Security guard |
Software developers |
Systems administrator |

Technical | Technology (Tools & resources)
Active directory | Adequate incident response
Antimalware | Adequate protection against malware
Antivirus software | Awareness material
Application layer filtering | User access and access rights in line with business requirements
Assets management policy | Adequately secured and configured systems aligned with security requirements and security architecture
Back-up-as-a-service | Information security stakeholders' template
Cloud security policy | Information security budget
Cybersecurity policy | Information security dashboard
Cybersecurity standards | Information security plan
Data breach policy | Information security requirements
E-mail security | Information security review reports
Firewall | Information security strategy
Host-based intrusion prevention system | Policies
Honeypot | Security architecture
Network authentication controls | Secure development
Password policy | Specific information security policies driven by the information security function
Steganography | Video surveillance
User awareness policy |

Technical | Work activities (Tasks)
Systems access control | Build, acquire and implement
Systems hardening | Deliver, service and support
Video surveillance | Evaluate, direct and monitor
Cyberrisk assessments and analysis (internal and external) | External attacks and intrusion attempts
Cybersecurity audit (internal and external) | Information assessment, testing and compliance
Data encryption | Information security architecture development
Data leakage protection | Information risk management
Disaster recovery and business continuity | Information security operations
Documentation of cybersecurity practices | Information security strategy formulation
Identity and access management | Monitoring and alert services for security-related events
Incident response and management | Monitor, evaluate and assess
Network segmentation | Security assessments
Network traffic monitoring | Security testing
Patching and systems security updates | Align, plan and organise
Penetration testing (red team exercise) | Security awareness leadership
Virtual private network configuration |
Vulnerability scans and assessments |

Environmental
Basel accords |
Contracts with customers |
Contracts with external service providers |
Customers |
Cybercrimes and cybersecurity bill |
Datacentre |
Earthquakes |
External service providers (suppliers) |
Financial Intelligence Centre Act |
General Data Protection Regulation (GDPR) |
Government |
Health Insurance Portability and Accountability Act |
International data privacy laws |
Minimum information security standards |
Office space |
Payment Card Industry Data Security Standard (PCI-DSS) |
Private security industry regulatory authority |
Protection of Personal Information Act
Regulatory compliance and statutory requirements
Reserve banks
Sarbanes-Oxley
Service level agreements
South African Revenue Service

CRediT authorship contribution statement

Masike Malatji: Conceptualization, Methodology, Data curation, Investigation, Writing - original draft. Annlizé Marnewick: Supervision, Validation, Writing - review & editing. Suné von Solms: Supervision, Validation, Writing - review & editing.

Masike Malatji is a technology management practitioner with over 19 years of industry experience and is currently working as a research associate at the postgraduate school of engineering management of the University of Johannesburg, South Africa. He is also a part-time lecturer of mainly one but sometimes both of the following courses at the Tshwane University of Technology Business School, Pretoria, South Africa: (i) Management of technology & innovation; and (ii) Technology entrepreneurship. His current research interests are in engineering and technology management in the context of the fourth industrial revolution and associated technologies. He completed his doctor of engineering in engineering management degree at the University of Johannesburg in November 2019.

Annlizé L. Marnewick received a BIng in Electrical & Electronic Engineering from Potchefstroom University, a BSc Honours in Applied Mathematics at the Rand Afrikaans University, and MIng and DIng in Engineering Management at University of Johannesburg. She worked in industry for 14 years as a requirements engineer. She is currently an associate professor at the Postgraduate School of Engineering Management, University of Johannesburg. Her research focus is solving cross-discipline industry problems through the application of systems engineering principles. She is a registered Professional Engineer.

Suné von Solms is an Associate Professor at the Faculty of Engineering and the Built Environment at the University of Johannesburg, South Africa. She is a registered professional engineer with the Engineering Council of South Africa (ECSA) and a National Research Foundation (NRF) rated researcher. Her research interests include networks and communication, engineering education and the social and human aspects of engineering. She is actively involved in engineering and community engagement projects within rural communities. Suné is also involved in research relating to cybersecurity-related skills and competency development of engineers.
