Organisations could be better protected from cybercrime by investing in more leadership and staff decision-making, a University of Queensland study has found.
Dr Ivano Bongiovanni (pictured below) from the UQ Cyber Research Centre sat down with UQ News to discuss key findings from new research showing technology alone can't improve cybersecurity.
In our Q&A, Dr Bongiovanni shares why business leaders must ensure cybersecurity becomes a shared responsibility to better protect their organisations and the customer data entrusted to them.
Why do organisations with seemingly strong cybersecurity still experience data breaches?
Cybersecurity is not just a technology problem - it's a technology, people and process problem.
Investing in technical controls is essential, but it's only one part of the picture. Organisations also need to invest in staff capability and effective internal processes.
A common saying in cybersecurity is that defenders need to be right all the time, while attackers only need to be right once.
That imbalance makes breaches difficult to prevent entirely.
What role do human factors play in cybersecurity failures?
Human factors are under-recognised when it comes to shaping effective cybersecurity policies, but they are one of the most complex challenges because every person in an organisation has a different level of awareness and understanding of what safe behaviour looks like.
Our research involved interviewing people across different organisational roles - from operational security employees to senior executives and board members - and we found cybersecurity decisions are influenced by a wide range of factors, from industry regulations to individual attitudes and behaviours.
Even in small organisations, staff turnover, lack of training and inconsistent awareness can create vulnerabilities.
In larger organisations, the scale of the workforce multiplies the challenge.
How has new technology like AI changed the risk landscape?
New technology often arrives faster than organisations can fully understand the risks it introduces.
And while AI tools are powerful and bring clear benefits, they also create new cybersecurity considerations.
Employees might use these tools in different ways and may not always be aware of the risks involved.
That makes ongoing education and clear organisational guidance increasingly important.
Is technology evolving faster than decision‑makers can keep up?
That's always been the case.
Throughout history, technology has developed faster than regulation and governance frameworks.
But what has changed is that regulators and organisations are becoming more agile.
Still, there is no such thing as perfect security.
Cyber risk management involves judgment calls based on budgets, organisational culture, threat levels and external events such as geopolitical conflict.
So, should consumers be more understanding when major data breaches occur?
It's difficult to expect consumers to be understanding when they pay for services and entrust organisations with their personal information.
People reasonably expect their data, money and access to services will be protected.
At the same time, cybersecurity is inherently difficult and 100 per cent security doesn't exist.
Rather than being more forgiving or understanding, the public should be better informed about the challenges organisations face and the trade‑offs involved in managing cyber risk.
[Photo: Dr Ivano Bongiovanni from the UQ Cyber Research Centre. Photo credit: The University of Queensland]
Is there a one‑size‑fits‑all approach to cybersecurity?
No. Cybersecurity regulation needs to be proportionate and industry‑specific.
Highly regulated industries such as banking face strict cybersecurity requirements because the potential harm from breaches is severe.
Other sectors may face fewer regulatory obligations, but baseline expectations have risen for everyone.
All organisations are expected to meet minimum 'cyber hygiene' standards, then build on those depending on their size, risk profile and sensitivity of the data they handle.
Cybersecurity maturity is a journey and there's no single solution that fits every organisation.
What should business leaders and boards be doing differently?
Cybersecurity should be treated as a shared responsibility and an ongoing conversation, not just an IT issue.
Many organisations, particularly smaller ones, outsource cybersecurity but leadership still needs visibility and oversight.
You can outsource execution, but you can't outsource control.
Cybersecurity needs to be part of enterprise-risk discussions at the executive and board level, so organisations can better understand their current cybersecurity health and identify where improvement is needed.
What practical guidance does your research offer businesses?
Our study doesn't prescribe a single best-practice approach, but it helps organisations understand where to focus.
We identified 4 key levels to consider:
- Industry: sector regulations and external expectations
- Organisation: risk appetite, history and investment decisions
- Team: clear responsibility for cybersecurity - even if outsourced
- Individual: internal champions, staff motivation and awareness.
By reflecting on these 4 levels, organisations can better understand their current cybersecurity position and identify where improvement is needed.
Read the research in Computers & Security.
Collaboration and acknowledgements
The research was led by Dr Niamh Dawson, who is now working at The University of Sydney, with co-authors Dr Emma Knight from Australian National University and Dr Richard O'Quinn from The University of Queensland.