Promoting Cybersecurity Information Sharing Across the Extended Value Chain
Olga Biedova, Lakshmi Goel, Justin Zhang, Steven A. Williamson, Blake Ives
This study analyzes an alternative cybersecurity information-sharing forum centered on the extended value chain of a single company in the forest and paper products industry. The paper explores the forum's design, execution, and challenges to provide recommendations for similar company-specific collaborations. The goal is to enhance cybersecurity resilience across interconnected business partners by fostering a more trusting and relevant environment for sharing best practices.
Problem
As cyberthreats become more complex, industries with interconnected information and operational technologies (IT/OT) face significant vulnerabilities. Despite government and industry calls for greater collaboration, inter-organizational cybersecurity information sharing remains sporadic due to concerns over confidentiality, competitiveness, and lack of trust. Standard sector-based sharing initiatives can also be too broad to address the specific needs of a company and its unique value chain partners.
Outcome
- A company-led, value-chain-specific cybersecurity forum is an effective alternative to broader industry groups, fostering greater trust and more relevant discussions among business partners.
- Key success factors for such a forum include inviting the right participants (security strategy leaders), establishing clear ground rules to encourage open dialogue, and using external facilitators to ensure neutrality.
- The forum successfully shifted the culture from one of distrust to one of transparency and collaboration, leading participants to be more open about sharing experiences, including previous security breaches.
- Participants gained valuable insights into the security maturity of their partners, leading to tangible improvements in cybersecurity practices, such as updating security playbooks, adopting new risk metrics, and enhancing third-party risk management.
- The collaborative model strengthens the entire value chain, as companies learn from each other's strategies, tools, and policies to collectively improve their defense against common threats.
Host: Welcome to A.I.S. Insights, powered by Living Knowledge, where we translate complex research into actionable business strategy. I’m your host, Anna Ivy Summers.
Host: Today, we’re talking about a challenge that keeps leaders up at night: cybersecurity. We’ll be discussing a fascinating study titled "Promoting Cybersecurity Information Sharing Across the Extended Value Chain."
Host: It explores a new model for cybersecurity collaboration, one centered not on an entire industry, but on the specific value chain of a single company, aiming to build a more trusting and effective defense against cyber threats.
Host: And to help us unpack this is our analyst, Alex Ian Sutherland. Welcome, Alex.
Expert: Great to be here, Anna.
Host: Alex, we all know cybersecurity is important, but collaboration between companies has always been tricky. What’s the big problem this study is trying to solve?
Expert: The core problem is trust. As cyber threats get more complex, especially in industries that blend physical machinery with digital networks, the risks are huge. Think of manufacturing or logistics.
Expert: Government and industry groups have called for companies to share threat information, but it rarely happens. Businesses are worried about confidentiality, losing a competitive edge, or legal repercussions if they admit to a vulnerability or a breach.
Host: So everyone is guarding their own castle, even though the attackers are collaborating and sharing information freely.
Expert: Exactly. And the study points out that even when companies join traditional sector-wide sharing groups, the information can be too broad to be useful. The threats facing a specific paper company and its logistics partner are very different from the threats facing an automotive manufacturer in the same general group.
Host: So this study looked at a different model. How did the researchers approach this?
Expert: They facilitated and analyzed a real-world forum initiated by a single large company in the forest and paper products industry. This company, which the study calls 'Company A', invited its own key partners—suppliers, distributors, and customers—to form a private, focused group.
Expert: They also brought in neutral university researchers to facilitate the discussions. This was crucial. It ensured that the organizing company was seen as an equal participant, not a dominant force, which helped build a safe environment for open dialogue.
Host: A private club for cybersecurity, but with your own business partners. I can see how that would build trust. What were some of the key findings?
Expert: The biggest finding was that this model works incredibly well. It created a level of trust and relevance that broader forums just can't match. The conversations became much more transparent and collaborative.
Host: Can you give us an example of that transparency in action?
Expert: Absolutely. One of the most powerful moments was when a company that had previously suffered a major ransomware attack openly shared its story—the details of the breach, the recovery process, and the lessons learned. That kind of first-hand account is invaluable and only happens in a high-trust environment. It moved the conversation beyond theory into real, shared experience.
Host: That’s incredibly powerful. So this open dialogue actually led to concrete improvements?
Expert: Yes, that’s the critical outcome. Participants started seeing the security maturity of their partners, for better or worse. This led to tangible changes. For instance, the organizing company completely revised its cybersecurity playbook based on new risk metrics discussed in the forum. Others updated their third-party risk management and adopted new tools shared by the group.
Host: This is the most important part for our listeners, Alex. What does this all mean for business leaders, regardless of their industry? What’s the key takeaway?
Expert: The biggest takeaway is that your company’s security is only as strong as the weakest link in your value chain. You can have the best defenses in the world, but if a key supplier gets breached, your operations can grind to a halt. This model strengthens the entire ecosystem.
Host: So it’s about taking ownership of your immediate business environment, not just your own four walls.
Expert: Precisely. You don’t need to wait for a massive industry initiative. As a business leader, you can be the catalyst. This study shows that an invitation from a key business partner is very likely to be accepted. You have the power to convene your critical partners and start this conversation.
Host: What would you say is a practical first step for a leader who wants to try this?
Expert: Start by identifying your most critical partners—those you share sensitive data or network connections with. Then, frame the conversation around shared risk and mutual benefit. The goal isn't to point fingers; it's to learn from each other's strategies, policies, and tools to collectively raise your defenses against common threats.
Host: Fantastic insights, Alex. To summarize for our audience: traditional, broad cybersecurity forums often fall short due to a lack of trust and relevance. A company-led forum, focused specifically on your own business value chain, is a powerful alternative that builds trust, encourages transparency, and leads to real, tangible security improvements for everyone involved.
Host: It’s a powerful reminder that collaboration isn’t just a buzzword; it’s a strategic imperative for survival in today’s digital world.
Host: Alex Ian Sutherland, thank you so much for your time and expertise today.
Expert: My pleasure, Anna.
Host: And thanks to all of you for listening to A.I.S. Insights, powered by Living Knowledge. Join us next time as we continue to bridge the gap between academia and business.
cybersecurity, information sharing, extended value chain, supply chain security, cyber resilience, forest products industry, inter-organizational collaboration
Unraveling the Role of Cyber Insurance in Fortifying Organizational Cybersecurity
Wojciech Strzelczyk, Karolina Puławska
This study explores how cyber insurance serves as more than just a financial tool for compensating victims of cyber incidents. Based on in-depth interviews with insurance industry experts and policy buyers, the research analyzes how insurance improves an organization's cybersecurity across three distinct stages: pre-purchase, post-purchase, and post-cyberattack.
Problem
As businesses increasingly rely on digital technologies, they face a growing risk of cyberattacks that can lead to severe financial losses, reputational harm, and regulatory penalties. Many companies have inadequate cybersecurity measures, and it is not well understood how external mechanisms such as insurance can strengthen defenses proactively rather than simply cover losses after an attack.
Outcome
- Cyber insurance actively enhances an organization's security posture, not just providing financial compensation after an incident.
- The pre-purchase underwriting process forces companies to rigorously evaluate and improve their cybersecurity practices to even qualify for a policy.
- Post-purchase, insurers require continuous improvement through audits and training, often providing resources and expertise to help clients strengthen their defenses.
- Following an attack, cyber insurance provides access to critical incident management services, including expert support for damage containment, system restoration, and post-incident analysis to prevent future breaches.
Host: Welcome to A.I.S. Insights, the podcast at the intersection of business and technology, powered by Living Knowledge. I’m your host, Anna Ivy Summers.
Host: Today, we’re looking at a new study titled "Unraveling the Role of Cyber Insurance in Fortifying Organizational Cybersecurity." It argues that cyber insurance is much more than a financial safety net.
Host: With me is our analyst, Alex Ian Sutherland, who has dug into this research. Alex, welcome.
Expert: Great to be here, Anna.
Host: So, let's start with the big picture. Most business leaders know cyberattacks are a threat, but what’s the specific problem this study addresses?
Expert: The problem is a dangerous gap in perception. As the study highlights, the global average cost of a data breach has hit a record $4.88 million. Yet many companies still have inadequate security, viewing insurance as a simple payout for when things go wrong.
Expert: This research challenges that idea, showing that insurance shouldn’t be a reactive measure, but a proactive partnership to strengthen a company's defenses *before* an attack ever happens.
Host: A proactive partnership. That’s a powerful shift in thinking. How did the researchers explore this? What was their approach?
Expert: They went directly to the source. The study is based on in-depth interviews with 19 key players. One group was from the insurance industry itself—the brokers and underwriters who create and sell these policies. The other group was made up of business leaders who are the actual buyers of cyber insurance.
Expert: This gave them a 360-degree view of how the process really works and the value it creates beyond just the policy document.
Host: So, getting perspectives from both sides of the table. What were the key findings? What did they uncover?
Expert: The study breaks it down into three distinct stages where insurance actively improves security. The first is the "pre-purchase" or underwriting phase.
Host: This is when a company is just applying for a policy, right?
Expert: Exactly. And it’s not just filling out a form. Insurers demand companies meet, and I'm quoting an IT security officer from the study, "very strict cybersecurity requirements." It forces a comprehensive look at your own systems. One interviewee called it a "conscience check" for confronting neglected areas.
Expert: Insurers often conduct their own vulnerability scans and provide recommendations for improvement, essentially offering a low-cost security audit before a policy is even issued.
Host: So the application process itself is a security benefit. What happens after the policy is in place?
Expert: That's the second stage: "post-purchase." The insurance policy isn't a one-and-done deal. It acts as a catalyst for continuous improvement. Insurers often require ongoing actions like employee training on phishing and password hygiene.
Expert: They also provide resources, like access to cybersecurity experts or discounts on security software, to help clients stay ahead of new threats. It’s an ongoing relationship.
Host: And the third stage, which no business wants to experience, is after an attack. How does insurance play a role there?
Expert: This is where the true value becomes clear. It’s not just about the money. The study shows the most critical benefit is immediate access to "cyber-emergency professionals."
Expert: When an attack happens, one expert said "seconds matter." The policy gives you a 24/7 hotline to experts in damage containment, system restoration, and forensic analysis. This rapid, expert-led response can be the difference between a minor disruption and a catastrophic failure.
Host: This is fascinating. It reframes the entire value proposition of cyber insurance. So, for the business leaders and executives listening, what are the key takeaways? Why does this matter for them?
Expert: There are three critical takeaways. First, treat the insurance application process as a strategic review of your cybersecurity, not a bureaucratic hurdle. It’s an opportunity to get an expert, outside-in view of your vulnerabilities.
Host: So, embrace the scrutiny.
Expert: Yes. Second, view your insurer as an active security partner. Use the resources they offer—the training, the threat intelligence, the expert consultations. They have a vested financial interest in keeping you safe, so their goals are aligned with yours.
Host: And the third takeaway?
Expert: Understand that in a crisis, the insurer’s incident response service is arguably more valuable than the financial payout. Having an elite team of experts on call, ready to contain a breach, is a capability most companies simply can't afford to maintain in-house. A chief operating officer in the study said insurance should be seen as just one part of a holistic remedy, contributing to about 10% of a company's total cyber resilience.
Host: That really puts it in perspective. So to recap: The insurance application is a valuable audit, your insurer is a security partner, and their expert response team is a critical asset.
Host: Alex, thank you for breaking down this insightful study for us. It’s clear that cyber insurance is evolving from a simple financial product into a core pillar of a proactive cybersecurity strategy.
Expert: My pleasure, Anna.
Host: And thanks to all of you for tuning in to A.I.S. Insights. We'll see you next time.
Promises and Perils of Generative AI in Cybersecurity
Pratim Datta, Tom Acton
This paper presents a case study of a fictional insurance company, based on real-life events, to illustrate how generative artificial intelligence (GenAI) can be used for both offensive and defensive cybersecurity purposes. It explores the dual nature of GenAI as a tool for both attackers and defenders, presenting a significant dilemma for IT executives. The study provides actionable recommendations for developing a comprehensive cybersecurity strategy in the age of GenAI.
Problem
With the rapid adoption of Generative AI by both cybersecurity defenders and malicious actors, IT leaders face a critical challenge. GenAI significantly enhances the capabilities of attackers to create sophisticated, large-scale, and automated cyberattacks, while also offering powerful new tools for defense. This creates a high-stakes 'AI arms race,' forcing organizations to decide how to strategically embrace GenAI for defense without being left vulnerable to adversaries armed with the same technology.
Outcome
- GenAI is a double-edged sword, capable of both triggering and defending against sophisticated cyberattacks, requiring a proactive, not reactive, security posture.
- Organizations must integrate a 'Defense in Depth' (DiD) strategy that extends beyond technology to include processes, a security-first culture, and continuous employee education.
- Robust data governance is crucial to manage and protect data, the primary target of attacks, by classifying its value and implementing security controls accordingly.
- A culture of continuous improvement is essential, involving regular simulations of real-world attacks (red-team/blue-team exercises) and maintaining a zero-trust mindset.
- Companies must fortify defenses against AI-powered social engineering by combining advanced technical filtering with employee training focused on skepticism and verification.
- Businesses should embrace proactive, AI-driven defense mechanisms like AI-powered threat hunting and adaptive honeypots to anticipate and neutralize threats before they escalate.
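The "technical filtering" half of the social-engineering recommendation is worth making concrete, because a GenAI-written message defeats filters that look only at wording. The example below is added here and is not code from the paper or from the fictional Surine case; it triages an inbound message on header signals a mail gateway can check mechanically regardless of how convincing the text is: the Authentication-Results verdicts (SPF, DKIM, DMARC), an executive display name arriving from an outside domain, a lookalike sender domain (digit and letter confusables), and a Reply-To that points somewhere else. The organisation domain `example.com`, the executive names, and all three sample messages are constructed assumptions.

```python
"""Header-based triage for executive-impersonation phishing.

Added example, not from the paper. The org domain, executive names and
the sample messages below are constructed for illustration.
"""
import email
import re
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                    # assumed organisation domain
EXECUTIVE_NAMES = {"jane doe", "john smith"}  # assumed protected display names
# Common visual substitutions used in lookalike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]
URGENCY = re.compile(
    r"\b(urgent|immediately|verify your (password|credentials)|wire transfer)\b", re.I)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def normalize(domain):
    """Map confusable character sequences to the letters they imitate."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def is_lookalike(domain, legit=ORG_DOMAIN):
    """True for a domain that imitates, but is not, the organisation domain."""
    if domain == legit:
        return False
    norm = normalize(domain)
    return (norm == legit or legit in norm
            or SequenceMatcher(None, norm, legit).ratio() >= 0.8)


def triage(raw):
    """Return the list of impersonation signals found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # A message claiming to be internal must carry a DMARC pass from our gateway.
    if domain == ORG_DOMAIN and auth_results(msg).get("dmarc") != "pass":
        findings.append("internal sender without DMARC pass")
    if is_lookalike(domain):
        findings.append(f"lookalike sender domain {domain}")
    if name.strip().lower() in EXECUTIVE_NAMES and domain != ORG_DOMAIN:
        findings.append("executive display name from external domain")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append("Reply-To domain differs from From domain")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and URGENCY.search(body.get_content()):
        findings.append("urgency or credential language in body")
    return findings


# Constructed samples: a lookalike-domain phish, a spoofed internal sender, a real mail.
PHISH = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-secure.net
To: staff@example.com
Subject: Confirm your account
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com

Please verify your credentials immediately using the link below.
"""
SPOOF = """\
From: John Smith <john.smith@example.com>
To: finance@example.com
Subject: Payment
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com

Urgent wire transfer needed before noon.
"""
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Q3 planning
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Agenda attached for Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("SPOOF", SPOOF), ("LEGIT", LEGIT)):
        print(label, triage(sample))
```

Note the caveat the first sample illustrates: SPF, DKIM and DMARC all pass for `examp1e.com`, because the attacker controls that domain and configured it correctly. Authentication results prove only that the message came from the domain it claims, so the display-name and lookalike checks, and ultimately the human verification step the paper recommends, still have to do their part.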
Host: Welcome to A.I.S. Insights, powered by Living Knowledge. I’m your host, Anna Ivy Summers.
Host: Today, we're diving into a critical topic for every business leader: cybersecurity in the age of artificial intelligence.
Host: We'll be discussing a fascinating study from the MIS Quarterly Executive, titled "Promises and Perils of Generative AI in Cybersecurity."
Host: It explores how GenAI has become a tool for both attackers and defenders, creating a significant dilemma for IT executives.
Host: To help us unpack this, we have our expert analyst, Alex Ian Sutherland. Welcome, Alex.
Expert: Great to be here, Anna.
Host: Alex, let's start with the big picture. The study summary mentions an 'AI arms race'. What is the core problem that business leaders are facing right now?
Expert: The problem is that the game has fundamentally changed. For years, cyberattacks were something IT teams reacted to. But Generative AI has supercharged the attackers.
Expert: Malicious actors are now using what the study calls 'black-hat GenAI' to create incredibly sophisticated, large-scale, and automated attacks that are faster and more convincing than anything we've seen before.
Expert: Think of phishing emails that perfectly mimic your CEO's writing style, or malware that can change its own code in real-time to avoid detection. This technology makes it easy for even non-technical criminals to launch devastating attacks.
Host: So, how did the researchers actually go about studying this fast-moving threat?
Expert: They used a very practical approach. The study presents a detailed case study of a fictional insurance company, "Surine," that suffers one of these advanced attacks.
Expert: But what's crucial is that this fictional story is based on real-life events and constructed from interviews with actual cybersecurity professionals and their clients. It’s not just theory; it’s a reflection of what’s happening in the real world.
Host: That's a powerful way to illustrate the risk. So, after analyzing this case, what were the main findings?
Expert: The first, and most important, is that GenAI is a double-edged sword. It’s an incredible weapon for attackers, but it's also an essential shield for defenders. This means companies can no longer afford to be reactive. They must be proactive.
Host: What does being proactive look like in this context?
Expert: It means adopting what the study calls a 'Defense in Depth' strategy. This isn't just about buying the latest security software. It’s a holistic approach that integrates technology, processes, and people.
Host: And that people element seems critical. The study mentions that GenAI is making social engineering, like phishing attacks, much more dangerous.
Expert: Absolutely. In the Surine case, the attackers used GenAI to craft a perfectly convincing email, supposedly from the CIO, complete with a deepfake video. It tricked employees into giving up their credentials.
Expert: This is why the study emphasizes the need for a security-first culture and continuous employee education. We need to train our teams to have a healthy skepticism.
Host: It sounds like fighting an AI-powered attacker requires an AI-powered defender.
Expert: Precisely. The other key finding is the need to embrace proactive, AI-driven defense. The company in the study fought back using AI-powered 'honeypots'.
Host: Honeypots? Can you explain what those are?
Expert: Think of them as smart traps. They are decoy systems designed to look like valuable targets. A defensive AI uses them to lure the attacking AI, study its methods, and learn how to defeat it—all without putting real company data at risk. It’s literally fighting fire with fire.
Host: This is all so fascinating. Alex, let’s bring it to our audience. What are the key takeaways for business leaders listening right now? Why does this matter to them?
Expert: First, recognize that cybersecurity is no longer just an IT problem; it’s a core business risk. It requires a company-wide culture of security, championed from the C-suite down.
Expert: Second, you must know what you're protecting. The study stresses the importance of robust data governance. Classify your data, understand its value, and focus your defenses on your most critical assets.
Expert: Third, you have to shift from a reactive to a proactive mindset. This means investing in continuous training, running real-world attack simulations, and adopting a 'zero-trust' culture where every access attempt is verified.
Expert: And finally, you have to leverage AI in your defense. In this new landscape, human teams alone can't keep up with the speed and scale of AI-driven attacks. You need AI to help anticipate and neutralize threats before they escalate.
Host: So the message is clear: the threat has evolved, and so must our defense. Generative AI is both a powerful weapon and an essential shield.
Host: Business leaders need a holistic, culture-first strategy and must be proactive, using AI to fight AI.
Host: Alex Ian Sutherland, thank you for sharing these invaluable insights with us today.
Expert: My pleasure, Anna.
Host: And thank you to our listeners for tuning in to A.I.S. Insights, powered by Living Knowledge. Join us next time as we continue to explore the intersection of business and technology.
Generative AI, Cybersecurity, Black-hat AI, White-hat AI, Threat Hunting, Social Engineering, Defense in Depth
How Siemens Empowered Workforce Re- and Upskilling Through Digital Learning
Leonie Rebecca Freise, Eva Ritz, Ulrich Bretschneider, Roman Rietsche, Gunter Beitinger, and Jan Marco Leimeister
This case study examines how Siemens successfully implemented a human-centric, bottom-up approach to employee reskilling and upskilling through digital learning. The paper presents a four-phase model for leveraging information systems to address skill gaps and provides five key recommendations for organizations to foster lifelong learning in dynamic manufacturing environments.
Problem
The rapid digital transformation in manufacturing is creating a significant skills gap, with a high percentage of companies reporting shortages. Traditional training methods are often not scalable or adaptable enough to meet these evolving demands, presenting a major challenge for organizations trying to build a future-ready workforce.
Outcome
- The study introduces a four-phase model for developing human-centric digital learning: 1) Recognizing employee needs, 2) Identifying key employee traits (like self-regulation and attitude), 3) Developing tailored strategies, and 4) Aligning strategies with organizational goals.
- Key employee needs for successful digital learning include task-oriented courses, peer exchange, on-the-job training, regular feedback, personalized learning paths, and micro-learning formats ('learning nuggets').
- The paper proposes four distinct learning strategies based on employees' attitude and self-regulated learning skills, ranging from community mentoring for those low in both, to personalized courses for those high in both.
- Five practical recommendations for companies are provided: 1) Foster a lifelong learning culture, 2) Tailor digital learning programs, 3) Create dedicated spaces for collaboration, 4) Incorporate flexible training formats, and 5) Use analytics to provide feedback.
Host: Welcome to A.I.S. Insights — powered by Living Knowledge, the podcast where we break down complex research into actionable business strategy. I'm your host, Anna Ivy Summers.
Host: Today, we're diving into a fascinating case study called "How Siemens Empowered Workforce Re- and Upskilling Through Digital Learning." It examines how the manufacturing giant successfully implemented a human-centric, bottom-up approach to employee training in the digital age. With me to unpack this is our analyst, Alex Ian Sutherland. Welcome, Alex.
Expert: Great to be here, Anna.
Host: Alex, let's start with the big picture. We hear about digital transformation constantly, but this study highlights a serious challenge that comes with it. What's the core problem they're addressing?
Expert: The core problem is a massive and growing skills gap. As manufacturing becomes more automated and digitized, the skills employees need are changing faster than ever. The study notes that in Europe alone, a staggering 77% of companies report skills shortages.
Expert: The old model of sending employees to a week-long training course once a year just doesn't work anymore. It's not scalable, it's not adaptable, and it often doesn't stick. Companies are struggling to build a future-ready workforce.
Host: So how did the researchers get inside this problem to find a solution? What was their approach?
Expert: They conducted an in-depth case study at Siemens Digital Industries. This wasn't about looking at spreadsheets from a distance. They went right to the source, conducting detailed interviews with employees from all levels—from the factory floor to management—to understand their genuine needs, challenges, and motivations when it comes to digital learning.
Host: Taking a human-centric approach to the research itself. So, what did they find? What were the key takeaways from those conversations?
Expert: They uncovered several critical insights, which they organized into a four-phase model for success. The first and most important finding is that you have to start by recognizing what employees actually need, not what the organization thinks they need.
Host: And what do employees say they need? Is it just more training courses?
Expert: Not at all. They need task-oriented training that’s directly relevant to their job. They want opportunities to exchange knowledge with their peers and mentors. And they really value flexible, bite-sized learning—what Siemens calls 'learning nuggets'. These are short, focused videos or tutorials they can access right on the factory floor during a short production stop.
Host: That makes so much sense. It's about integrating learning into the workflow. What else stood out?
Expert: A crucial finding was that a one-size-fits-all approach is doomed to fail because employees are not all the same. The research identified two key traits that determine how a person engages with learning: their attitude, meaning how motivated they are, and their skill at self-regulated learning, which is their ability to manage their own progress.
Expert: Based on those two traits, the study proposes four distinct strategies. For an employee with a great attitude and high self-regulation, you can offer a rich library of personalized courses and let them drive. But for someone with a low attitude and weaker self-regulation skills, you need to start with community mentoring and guided support to build their confidence.
Host: This is the most important part for our listeners. Alex, what does this all mean for a business leader? Why does this matter and how can they apply these lessons?
Expert: It matters because it offers a clear roadmap to solving the skills gap, and it creates immense business value through a more engaged and capable workforce. The study boils it down to five key recommendations. First, you have to foster a lifelong learning culture. Siemens's company-wide slogan is "Making learning a habit." It has to be a core value, not just an HR initiative.
Host: Okay, so culture is number one. What’s next?
Expert: Second, tailor the learning programs. Move away from generic content and use technology to create personalized learning paths for different roles and skill levels. This is far more cost-efficient and effective.
Host: You mentioned peer exchange. How does that fit in?
Expert: That’s the third recommendation: create dedicated spaces for collaboration. This can be digital or physical. Siemens successfully uses "digi-coaches"—employees who are trained to help their peers use the digital learning tools. It builds a supportive ecosystem.
Expert: The fourth is to incorporate flexible training formats. Those 'learning nuggets' are a perfect example. It respects the employee's time and workflow, which boosts engagement.
Expert: And finally, number five: use analytics to provide feedback. This isn't for surveillance, but to help employees track their own progress and for managers to identify where support is needed. It helps make learning a positive, data-informed journey.
Host: So, to summarize, the old top-down training model is broken. This study of Siemens proves that the path forward is a human-centric, bottom-up strategy. It's about truly understanding your employees' needs and tailoring learning to them.
Host: It seems that by empowering the individual, you empower the entire organization. Alex, thank you for these fantastic insights.
Expert: My pleasure, Anna.
Host: And thank you for tuning in to A.I.S. Insights. Join us next time as we continue to connect knowledge with opportunity.
digital learning, upskilling, reskilling, workforce development, human-centric, manufacturing, case study
Establishing a Low-Code/No-Code-Enabled Citizen Development Strategy
Björn Binzer, Edona Elshan, Daniel Fürstenau, Till J. Winkler
This study analyzes the low-code/no-code adoption journeys of 24 different companies to understand the challenges and best practices of citizen development. Drawing on these insights, the paper proposes a seven-step strategic framework designed to guide organizations in effectively implementing and managing these powerful tools. The framework helps structure critical design choices to empower employees with little or no IT background to create digital solutions.
Problem
There is a significant gap between the high demand for digital solutions and the limited availability of professional software developers, which constrains business innovation and problem-solving. While low-code/no-code platforms enable non-technical employees (citizen developers) to build applications, organizations often lack a coherent strategy for their adoption. This leads to inefficiencies, security risks, compliance issues, and wasted investments.
Outcome
- The study introduces a seven-step framework for creating a citizen development strategy: Coordinate Architecture, Launch a Development Hub, Establish Rules, Form the Workforce, Orchestrate Liaison Actions, Track Successes, and Iterate the Strategy.
- Successful implementation requires a balance between centralized governance and individual developer autonomy, using 'guardrails' rather than rigid restrictions.
- Key activities for scaling the strategy include the '5E Cycle': Evangelize, Enable, Educate, Encourage, and Embed citizen development within the organization's culture.
- Recommendations include automating governance tasks, promoting business-led development initiatives, and encouraging the use of these tools by IT professionals to foster a collaborative relationship between business and IT units.
Host: Welcome to A.I.S. Insights — powered by Living Knowledge. I’m your host, Anna Ivy Summers.
Host: Today, we’re diving into a fascinating new study titled "Establishing a Low-Code/No-Code-Enabled Citizen Development Strategy".
Host: It explores how companies can strategically empower their own employees—even those with no IT background—to create digital solutions using low-code and no-code tools. Joining me to unpack this is our analyst, Alex Ian Sutherland. Alex, welcome.
Expert: Great to be here, Anna.
Host: So, let’s start with the big picture. Why is a study like this so necessary right now? What’s the core problem businesses are facing?
Expert: The problem is a classic case of supply and demand. The demand for digital solutions, for workflow automations, for new apps, is skyrocketing. But the supply of professional software developers is extremely limited and expensive. This creates a huge bottleneck that slows down innovation.
Host: And companies are turning to low-code platforms as a solution?
Expert: Exactly. They hope to turn regular employees into “citizen developers.” The issue is, most companies just buy the software and hope for the best, a sort of "build it and they will come" approach.
Expert: But without a real strategy, this can lead to chaos. We're talking security risks, compliance issues, duplicated efforts, and ultimately, wasted money. It's like giving everyone power tools without any blueprints or safety training.
Host: That’s a powerful analogy. So how did the researchers in this study figure out what the right approach should be?
Expert: They went straight to the source. They conducted in-depth interviews with leaders, managers, and citizen developers at 24 different companies that were already on this journey. They analyzed their successes, their failures, and the best practices that emerged.
Host: A look inside the real-world lab. What were some of the key findings that came out of that?
Expert: The study's main outcome is a seven-step strategic framework. It covers everything from coordinating the technology architecture to launching a central support hub and tracking successes.
Host: Can you give us an example?
Expert: One of the most critical findings was the need for balance between control and freedom. The study found that rigid, restrictive rules don't work. Instead, successful companies create ‘guardrails.’
Expert: One manager used a great analogy, saying, "if the guardrails are only 50 centimeters apart, I can only ride through with a bicycle, not a truck. Ultimately, we want to achieve that at least cars can drive through." It’s about enabling people safely, not restricting them.
Host: I love that. So it's not just about rules, but about creating the right environment.
Expert: Precisely. The study also identified what it calls the ‘5E Cycle’: Evangelize, Enable, Educate, Encourage, and Embed. This is a process for making citizen development part of the company’s DNA, to build a culture where people are excited and empowered to innovate.
Host: This is where it gets really practical. Let's talk about why this matters for a business leader. What are the key takeaways they can act on?
Expert: The first big takeaway is to promote business-led citizen development. This shouldn't be just another IT project. The study shows that the most successful initiatives are driven by the business units themselves, with 'digital leads' or champions who understand their department's specific needs.
Host: So, ownership moves from the IT department to the business itself. What else?
Expert: The second is to automate governance wherever possible. Instead of manual checks for every new app, companies can use automated tools—often built with low-code itself—to check for security issues or compliance. This frees up IT to focus on bigger problems and empowers citizen developers to move faster.
Host: And the final key takeaway?
Expert: It’s about fostering a new, symbiotic relationship between business and IT. For decades, IT has often been seen as the department of "no." This study shows how citizen development can be a bridge. One leader admitted that building trust was their biggest hurdle, but now IT is seen as a valuable partner that enables transformation.
Host: It sounds like this is about much more than just technology; it’s a fundamental shift in how work gets done.
Expert: Absolutely. It’s about democratizing digital innovation.
Host: Fantastic insights, Alex. To sum it up for our listeners: the developer shortage is a major roadblock, but simply buying low-code tools isn't the answer.
Host: This study highlights the need for a clear strategy, one that uses flexible guardrails, builds a supportive culture, and transforms the relationship between business and IT from a source of friction to a true partnership.
Host: Alex Ian Sutherland, thank you so much for breaking that down for us.
Expert: My pleasure, Anna.
Host: And thank you to our listeners for tuning into A.I.S. Insights. Join us next time as we continue to explore the ideas shaping the future of business.
Citizen Development, Low-Code, No-Code, Digital Transformation, IT Strategy, Governance Framework, Upskilling
Balancing fear and confidence: A strategic approach to mitigating human risk in cybersecurity
Dennis F. Galletta, Gregory D. Moody, Paul Benjamin Lowry, Robert Willison, Scott Boss, Yan Chen, Xin “Robert” Luo, Daniel Pienta, Peter Polak, Sebastian Schuetze, and Jason Thatcher
This study explores how to improve cybersecurity by focusing on the human element. Based on interviews with C-level executives and prior experimental research, the paper proposes a strategy for communicating cyber threats that balances making employees aware of the dangers (fear) with building their confidence (efficacy) to handle those threats effectively.
Problem
Despite advanced security technology, costly data breaches continue to rise because human error remains the weakest link. Traditional cybersecurity training and policies have proven ineffective, indicating a need for a new strategic approach to manage human risk.
Outcome
- Human behavior is the primary vulnerability in cybersecurity, and conventional training programs are often insufficient to address this risk.
- Managers must strike a careful balance in their security communications: instilling a healthy awareness of threats ('survival fear') without causing excessive panic or anxiety, which can be counterproductive.
- Building employees' confidence ('efficacy') in their ability to identify and respond to threats is just as crucial as making them aware of the dangers.
- Effective tools for changing behavior include interactive methods like phishing simulations that provide immediate feedback, gamification, and fostering a culture where security is a shared responsibility.
- The most effective approach is to empower users by providing them with clear, simple tools and the knowledge to act, rather than simply punishing mistakes or overwhelming them with fear.
Host: Welcome to A.I.S. Insights — powered by Living Knowledge. I’m your host, Anna Ivy Summers. Today, we’re looking at a critical issue that costs businesses billions: cybersecurity. But we're not talking about firewalls and encryption; we’re talking about people.
Host: We're diving into a fascinating new study titled "Balancing fear and confidence: A strategic approach to mitigating human risk in cybersecurity." It proposes a new strategy for communicating cyber threats, one that balances making employees aware of dangers with building their confidence to handle them.
Host: Here to break it down for us is our analyst, Alex Ian Sutherland. Alex, welcome.
Expert: Great to be here, Anna.
Host: So, Alex, let's start with the big picture. We invest so much in security technology, yet we keep hearing about massive, costly data breaches. What's the core problem this study addresses?
Expert: The core problem is that despite all our advanced tech, the human element remains the weakest link. The study highlights that data breaches are not only increasing, they’re getting more expensive, averaging nearly 9.5 million dollars per incident in 2023.
Host: Nine and a half million dollars. That’s staggering.
Expert: It is. And the research points out that about 90% of all data breaches result from internal causes like simple employee error or negligence. So, the traditional approach—annual training videos and dense policy documents—clearly isn't working. We need a strategic shift.
Host: So how did the researchers approach this? It sounds like a complex human problem.
Expert: It is, and they took a very practical approach. They combined findings from their own prior experiments on how people react to threats with a series of in-depth interviews. They spoke directly with ten C-level executives—CISOs and CIOs—from major companies in healthcare, retail, and manufacturing.
Host: So, this isn't just theory. They went looking for a reality check from leaders on the front lines.
Expert: Exactly. They wanted to know what actually works in the real world when it comes to motivating employees to be more secure.
Host: Let’s get to their findings. What was the most significant discovery?
Expert: The biggest takeaway is the need for a delicate balance. Managers need to instill what the study calls a healthy 'survival fear'—an awareness of real threats—without causing panic or anxiety, which just makes people shut down.
Host: 'Survival fear' is an interesting term. Can you explain that a bit more?
Expert: Think of it like teaching a child not to touch a hot stove. You want them to have a healthy respect for the danger, not to be terrified of the kitchen. One executive described it as an "inverted U" relationship: too little fear leads to complacency, but too much leads to paralysis where employees are too scared to do their jobs.
Host: So you make them aware of the threat, but then what? You can’t just leave them feeling anxious.
Expert: And that’s the other half of the equation: building their confidence, or what the study calls 'efficacy.' It’s just as crucial to empower employees with the belief that they can actually identify and respond to a threat. Fear gets their attention, but confidence is what drives the right action.
Host: What did the study find were the most effective tools for building that confidence?
Expert: The executives universally praised interactive methods over passive ones. The most effective tool by far was phishing simulations. These are fake phishing emails sent to employees. When someone clicks, they get immediate, private feedback explaining what they missed. It's a safe way to learn from mistakes.
Host: It sounds much more engaging than a PowerPoint presentation.
Expert: Absolutely. Gamification, like leaderboards for spotting threats, also works well. The key is moving away from a culture of punishment and toward a culture of shared responsibility, where reporting a suspicious email is seen as a positive, helpful action.
Host: This is the critical part for our listeners. Alex, what are the practical takeaways for a business leader who wants to strengthen their company's human firewall?
Expert: There are three key actions. First, reframe your communication. Stop leading with fear and punishment. Instead, focus on empowerment. The goal is to instill that healthy ‘survival fear’ about the consequences, but immediately follow it with simple, clear actions employees can take to protect themselves and the company.
Host: So, it's not "don't do this," but "here's how you can be a hero."
Expert: Precisely. The second takeaway is to make security easy. The executives pointed to the success of simple tools, like a "report this email" button that takes just one click. If security is inconvenient, people will find ways around it. Remove the friction from doing the right thing.
Host: And the third action?
Expert: Make your training relevant and continuous. Ditch the generic, annual "check-the-box" training that employees just play in the background. Use those phishing simulations, create short, engaging content, and tailor it to different teams. The threats are constantly evolving, so your training has to as well.
Host: So, to summarize, it seems the old model of just telling employees the rules is broken.
Host: The new approach is a delicate balance: make people aware of the risks, but immediately empower them with the confidence and the simple tools they need to become an active line of defense. It's about culture, not just controls.
Host: Alex, this has been incredibly insightful. Thank you for making this complex topic so clear.
Expert: My pleasure, Anna.
Host: And thanks to all of you for tuning in to A.I.S. Insights — powered by Living Knowledge. Join us next time as we translate another key piece of research into actionable business strategy.
Cybersecurity, Human Risk, Fear Appeals, Security Awareness, User Actions, Management Interventions, Data Breaches