What is it about?

Is Work-From-Home (WFH) really bad for enterprise cyber-security when compared to non-WFH? Empirical statistics and market studies (obtained from surveying a few companies) on the number of enterprise cyber-incidents (with potential financial consequences) during the peak COVID period suggest/hint that WFH degrades the security of enterprises. In this paper, we strive to mathematically prove/disprove this "conjecture" for a general enterprise, backed up by real-world enterprise data and large-scale computer simulations (that alleviate generality drawbacks of empirical and market survey studies). As our main result, we surprisingly prove (against conventional intuition) that enterprise cyber-security is not necessarily worse in WFH environments when compared to non-WFH environments.

Featured Image

Why is it important?

Our research is unique because it is the first work in mathematical economics of cyber-security that formally proves (over a broad family of enterprises) that WFH is not necessarily detrimental to enterprise cyber-security (when compared to non-WFH). It is extremely timely given the 'forced' push during the peak COVID time on employees to WFH. The research is extremely important to enterprise management (including the board) to decide based on cost-benefit tradeoffs whether to push for employees getting back to office post-COVID (at least on the dimensions of improving cyber-security and cyber-resilience). This, given that employees around the globe are increasingly preferring WFH to better balance out work and home activities.

Perspectives

I hope this article is thought-provoking to enterprise management (including the board) that WFH can make both employees (willing to continue WFH post COVID) and organizations (for or against WFH) reach a 'win-win' state when it comes to cost-effectively alleviating concerns about boosting enterprise cyber-security and cyber-resilience. The main open challenge we faced in our research was to precisely capture, in a mathematical economic theory, the heterogeneous dynamics of employee behavior towards putting effort in cybersecurity practices during WFH (and non-WFH) over a period of time and comparing it to the ideal best effort possible during that time. The resulting gaps help enterprise management to figure out whether WFH is indeed detrimental to enterprise cyber-security when compared to non-WFH. We are extremely pleased that we have now shown the cyber-security research community a method on how to find such gaps.

Ranjan Pal
Massachusetts Institute of Technology

Read the Original

This page is a summary of: How Suboptimal is Work-From-Home Security in IT/ICS Enterprises? A Strategic Organizational Theory for Managers, ACM Transactions on Management Information Systems, February 2023, ACM (Association for Computing Machinery),
DOI: 10.1145/3579645.
You can read the full text:

Read

Contributors

The following have contributed to this page