SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

UQ study urges leaders to share cyber risk oversight

Tue, 28th Apr 2026

University of Queensland research argues that organisations need to invest in leadership and staff decision-making to strengthen cybersecurity. It says cyber risk should be treated as a shared organisational issue, not just a technical one.

The study drew on interviews with professionals ranging from operational security staff to senior executives and board members. It found that human factors remain under-recognised in cybersecurity policy design and day-to-day security decisions.

Technical controls alone do not address how people behave under pressure or how organisations make choices with incomplete information. The researchers examined decision-making in real-world settings and argued that it is central to preventing and responding to cyber incidents.

Dr Ivano Bongiovanni of the UQ Cyber Research Centre said the problem affects organisations of different sizes in different ways. Smaller businesses can be exposed by staff turnover, limited training and inconsistent awareness, while larger organisations face the challenge of maintaining standards across a broader workforce.

"Cyber attacks are becoming more frequent, costly and visible, but our research shows that human factors are under-recognised when it comes to shaping effective cybersecurity policies and making appropriate cybersecurity decisions," said Dr Ivano Bongiovanni, researcher at the UQ Cyber Research Centre.

"But human factors are also one of the most complex challenges, as everyone has a different level of awareness and understanding of what safe behaviour looks like."

"In small organisations, staff turnover, lack of training and inconsistent awareness can create vulnerabilities, while in larger organisations, the scale of the workforce multiplies the challenge."

"Organisations must therefore invest in staff capability and effective internal processes."

The study adds to a wider debate about how boards and executives should oversee cyber risk as attacks become more disruptive and visible to customers, regulators and investors. It argues that cybersecurity decisions are shaped not only by software and systems, but also by management priorities, accountability and workplace culture.

Decision pressures

A key point in the research is that best practice is difficult to define in a field where threats evolve quickly. Interviewees described an environment in which decisions are often made without complete information, making rigid rules harder to apply across every sector.

The authors therefore argue for proportionate, industry-specific regulation. Sectors where a breach could cause greater harm, such as banking, face stricter obligations, while others may have fewer formal requirements even as baseline expectations continue to rise.

"A common saying in cybersecurity is that defenders need to be right all the time, while attackers only need to be right once," Bongiovanni said.

"That imbalance makes breaches difficult to prevent entirely," Bongiovanni said.

"Effective cybersecurity does not only depend on finding the perfect technical solution but also on understanding how people and organisations actually make decisions under pressure," Bongiovanni added.

The researchers said all organisations are now expected to meet minimum standards of cyber hygiene, with further measures shaped by their size, risk profile and the sensitivity of the data they hold. In practice, that means the bar has been rising even in less regulated industries.

Four levels

The study sets out four areas organisations should examine: industry, organisation, team and individual. At industry level, it points to regulation and external expectations. At organisational level, it highlights risk appetite, history and investment choices. At team level, it stresses clear responsibility for cybersecurity even when work is outsourced. At individual level, it points to internal champions, staff motivation and awareness.

This framework places management choices alongside frontline behaviour. It also suggests that outsourcing does not remove responsibility from leadership teams, particularly for strategic oversight and accountability.

"Cybersecurity regulation needs to be proportionate and industry specific," Bongiovanni said.

"Highly regulated industries, such as banking, face strict cybersecurity requirements because the potential harm from breaches is severe," Bongiovanni said.

"Other sectors may face fewer regulatory obligations but baseline expectations have risen for everyone," Bongiovanni said.

"All organisations are expected to meet minimum 'cyber hygiene' standards, then build on those depending on their size, risk profile and sensitivity of the data they handle," Bongiovanni added.

The paper was led by Dr Niamh Dawson, now at the University of Sydney, with co-authors Dr Emma Knight of Australian National University and Dr Richard O'Quinn of the University of Queensland. It was published in Computers & Security.

For company leaders, the research points to a governance issue as much as an operational one. It argues that boards and executives should view cyber risk through the same lens as other enterprise risks, particularly in organisations that rely on external providers for security functions.

"Cybersecurity should be treated as a shared responsibility and an ongoing conversation, not just an IT issue," Bongiovanni said.

"Many organisations, particularly smaller ones, outsource cybersecurity, but leadership still needs visibility and oversight," Bongiovanni said.

"You can outsource execution, but you can't outsource control," Bongiovanni noted.

"Cybersecurity needs to be part of enterprise-risk discussions at the executive and board level, so organisations can better understand their current cybersecurity health and identify where improvement is needed," Bongiovanni added.