Diffusion of Cybersecurity...

DEGREE PROJECT IN INDUSTRIAL ENGINEERING AND MANAGEMENT, SECOND CYCLE, 30 CREDITS
STOCKHOLM, SWEDEN 2018

Diffusion of Cybersecurity Technology: Next Generation, Powered by Artificial Intelligence

JOHAN KANG
SEBASTIAN WESTSKYTTE

KTH ROYAL INSTITUTE OF TECHNOLOGY
SCHOOL OF INDUSTRIAL ENGINEERING AND MANAGEMENT

Transcript of Diffusion of Cybersecurity...

Page 1: Diffusion of Cybersecurity Technologykth.diva-portal.org/smash/get/diva2:1295355/FULLTEXT01.pdfDEGREE PROJECT IN INDUSTRIAL ENGINEERING AND MANAGEMENT, SECOND CYCLE, 30 CREDITS STOCKHOLM,


Diffusion of Cybersecurity Technology:

Next Generation, Powered by Artificial Intelligence

Johan Kang

Sebastian Westskytte

Master of Science Thesis ITM-EX 2018:333

KTH Industrial Engineering and Management

Industrial Management

SE-100 44 STOCKHOLM


Approved: 2018-06-11
Examiner: Terrence Brown
Supervisor: Ali Mohammedi
Commissioner: Tieto
Contact person: Johan Lagerros

Abstract

The cyber world is growing as more information is converted from analogue to digital form. While convenience has been the main driver of this change, little effort has been put into securing the data. Data breaches are growing in number and each breach is growing in severity. Combined with regulatory pressure, this is leading organizations to realize the importance of security. The increased threat level is also driving the security market toward more potent solutions, and artificial intelligence (AI) has in recent years been implemented to enhance the capabilities of security technologies.

The thesis aims to investigate the adoption of AI-enabled cybersecurity technologies within the financial industry, which is often perceived as the market leader regarding security. Using a qualitative method through a multiple case study, valuable insights were gained regarding how firms are working with security and what needs they have. To identify factors that influence the rate of diffusion of AI-enabled security technologies, the diffusion of innovation theory combined with the TOE framework was used in this study.

The thesis has contributed to the field of innovation management by enriching an area within IT innovation management by bridging the gap between security innovation and AI innovation. The study revealed that environmental factors, such as regulations and the threat landscape, are forcing organizations to take action and control both how organizations work with security and what technological attributes are perceived as advantageous. Detection and automation are two technological attributes that the companies are looking for to fill their needs. AI solutions are already being implemented to increase detection and automation, and we believe that the rate of adoption of AI-enabled security innovation will only continue to grow. The results and findings contribute to an expanded understanding of the factors that affect adoption of AI security innovations within the financial industry.

Key words: Cybersecurity, IT-security, Artificial Intelligence, Diffusion of Innovation, Technology Adoption, IT innovation, Security Strategy


Degree Project MMK ITM-EX 2018:333

Diffusion of Cybersecurity Technology: Next Generation, Powered by Artificial Intelligence

Johan Kang

Sebastian Westskytte

Approved: 2016-06-11
Examiner: Terrence Brown
Supervisor: Ali Mohammedi
Commissioner: Tieto
Contact person: Johan Lagerros

Summary

The digital world continues to grow as more information is converted from analogue to digital form. While convenience has been the main driver of this change, little effort has been made to secure the data that companies hold. Data breaches are growing in number, and each new incident has more serious consequences than the last. This fact, combined with stricter regulations, has made companies realize the importance of securing their environment. The heightened threat level is also driving the security market forward with new solutions, and in recent years artificial intelligence (AI) has increasingly been implemented in security solutions to strengthen protection.

The purpose of the thesis is to investigate the diffusion of AI security innovations within the financial industry, which is often perceived as the market leader when it comes to security. Using a qualitative method through a case study of three companies, valuable insights were obtained into how the companies work with security and what needs they have. To identify factors that affect the rate of diffusion of AI security solutions, the diffusion of innovation theory was used in combination with the TOE framework in this study.

The thesis has contributed to the field of innovation management by enriching an area within IT innovation by bridging security innovation and AI innovation. The study showed that environmental factors, such as regulations and the threat landscape, control both how organizations work with security and which technical attributes are perceived as advantageous. Detection and automation are two technical attributes that the companies have a great need for. AI solutions are already being implemented to enhance those attributes. We argue that, based on the needs the companies have combined with the environmental factors, the rate of diffusion of AI security innovation will increase.

Keywords: Cybersecurity, IT-security, Artificial Intelligence, Diffusion of Innovation, Technology Adoption, IT innovation, Security Strategy


Acknowledgements

Without the initial engagement and further efforts by our kind friend, and brilliant Master Program Alumni, Vittoria Borlo, we would not have gotten the opportunity to do this Master Thesis. Vittoria, and the head players at her department at Tieto, Johan Lagerros and Erik Obitz, proposed the project idea and the initial scope to us, which we were glad to accept. The project was further made possible thanks to Janne Hanka at Tieto. Working with this investigation has given us much new valuable knowledge about cybersecurity; how the systems are constructed, and how the future of the industry might look. Last, but not least, we want to send our thanks to Ali Mohammadi for the excellent feedback he has given us, and for supporting us during rough periods.


Abbreviations

AI: Artificial Intelligence
AV: Antivirus
CEO: Chief Executive Officer
CIO: Chief Information Officer
CISO: Chief Information Security Officer
CSO: Chief Security Officer
DLP: Data Loss Prevention (sometimes Protection)
DOI: Diffusion of Innovation
GDPR: General Data Protection Regulation (EU)
ML: Machine Learning
IAM: Identity Access Management
IT: Information Technology
SIEM: Security Information and Event Management
SOC: Security Operations Center
TOE: Technological, Organizational, Environmental
UBA: User Behavior Analytics


List of Figures and Tables

Figure 1: Paper Overview
Figure 2: TOE Framework, Technological - Organizational - Environmental
Figure 3: Overview of the Connections between Different Security Controls
Figure 4: Chain of influence

Table 1: Security Controls
Table 2: Case Company Introduction
Table 3: Interview Purposes
Table 4: List of Interviewees
Table 5: Company Comparison Based on Technological Context
Table 6: Company Comparison Based on Organizational Context
Table 7: Company Comparison Based on Environmental Context


Table of Contents

1. Introduction
  1.1. Background
  1.2. Commissioner
  1.3. Problematization
  1.4. Purpose
  1.5. Research Questions
  1.6. Possible Contribution
  1.7. Structure of This Paper

2. Literature Review and Theoretical Framework
  2.1. Previous Research on Adoption of IT Innovations
    2.1.1. Diffusion of Innovation Theory
    2.1.2. Technology – Organization – Environment Framework
    2.1.3. Combining Models
    2.1.4. Preventive Innovation
    2.1.5. Cybersecurity as a Preventive Innovation
  2.2. Theoretical Frameworks
    2.2.1. Organizational Context
    2.2.2. Environmental Context

3. Empirical Context
  3.1. Regulations
    3.1.1. Financial Industry Supervision
    3.1.2. General Data Protection Regulation
    3.1.3. Industrial Standards
  3.2. Cybersecurity Threats
    3.2.1. Hacking and Attacking Methods
    3.2.2. Incident Impact
    3.2.3. Economic Significance
  3.3. Technicalities of Artificial Intelligence Security

4. Methodology
  4.1. Research Design
  4.2. Data Collection and Case Selection
  4.3. Literature Review
  4.4. Application of Theoretical Frameworks
  4.5. Validity and Reliability
  4.6. Ethical Aspects
  4.7. Source Criticism

5. Results and Analysis
  5.1. Cases
    5.1.1. Company A
    5.1.2. Company B
    5.1.3. Company C
  5.2. Cross Case Analysis
    5.2.1. Company Comparisons
    5.2.2. Technological Context
    5.2.3. Organizational Context
    5.2.4. Environmental Context
    5.2.5. Usage and Perception of Artificial Intelligence
    5.2.6. Correlations Between Contexts
  5.3. Additional Findings from Experts
    5.3.1. Technological Context
    5.3.2. Organizational Context
    5.3.3. Environmental Context
    5.3.4. Artificial Intelligence
  5.4. Bridging the Theoretical Framework with Artificial Intelligence
    5.4.1. Perspective on AI Enabled Security Innovation
    5.4.2. Non-technical Influences on Adoption of AI Security

6. Discussion
  6.1. General Discussion
  6.2. Comparison – Results, Literature, Industrial Reports
    6.2.1. Diffusion of AI Security Innovation
    6.2.2. Contributions to Theory
  6.3. A Perspective on Sustainability

7. Conclusion
  7.1. Answering the Research Questions
  7.1. Fulfilling the Purpose
  7.2. Limitations and Further Research

References

Appendix A: Interview Questions to Case Companies

Appendix B: Interview Questions with Experts


1. Introduction

Security is something that affects everyone, and could, or even should, be considered in all encountered situations, whether it is appreciated or not. Cybersecurity is a concept that frames the digital part of security. Most people know very little about how it works and would prefer that everything simply worked without it interfering with their everyday lives.

1.1. Background

The world is getting smarter. Old systems are being replaced by new ones built from connected devices that are meant to make life easier. In 2017 alone, more than 8 billion connected devices were installed around the globe, and the number is expected to rise to over 20 billion by 2020 (van der Meulen, 2017). The sheer volume of data that will travel through networks will multiply, and hackers will surely target that data.

As we buy more connected devices, more opportunities arise for hackers to enter. Each connected device, such as a laptop or mobile phone, acts as a possible entry point for hackers. If the hackers manage to enter, they could potentially reach all the other devices that are connected to the network and acquire or even expose valuable data (Gartner, 2018). That is why corporations spend several billion dollars in total yearly on IT security to protect themselves from malicious intrusion (Gartner, 2018).

Digitalization has caused an exponential growth of data. IDC forecasts that by 2025 the global digital data will grow to 163 zettabytes (10^21), which is a staggering ten times more than there is today (Reinsel, et al., 2017). Studies on the number of data breaches have shown that the rate of increase in breaches has decelerated. The “2017 cost of data breach” study from the Ponemon Institute (2017) showed a global average cost of $3.6 million, or $141 per data record, which is a decrease from 2016. However, each breach is compromising a much larger volume of data sets than before, indicating that the increase of digital data is causing larger data breaches (Gemalto, 2017). The same study also found that the average times for companies to identify and contain data breaches were down from the previous year, but they are still at 191 days and 66 days respectively, which means that the whole process takes in total nine months on average from the day that a breach happened to the day it was fully contained (Ponemon Institute, 2017). Those numbers are shockingly high and alarming. A challenge facing every company will be to reduce that time to nearly zero.

Artificial Intelligence is coming to the cybersecurity industry, with “Next-Generation Antivirus” leading the swarm of different security solutions. It is a new breed of security software that uses behavior-based analytics on malicious activities, enriched by artificial intelligence and machine learning, to defend against such threats. Signature-based or rule-based security is still the most commonly used method, but as new methods are becoming more popular and refined, they pose a threat to the traditional, established technologies. This creates uncertainty for the future and makes it difficult for firms to decide on what technology to choose, as the security investments are often substantial and long lasting (Morgan, 2018). It implies that technological features alone might not be enough for organizations to adopt new innovations. This makes it difficult to predict which underlying factors influence the widespread adoption of AI in cybersecurity innovations.

1.2. Commissioner

The commissioner of this paper is Tieto, more specifically the financial services unit. Tieto is an IT service provider with a large presence in the Nordic countries. The company provides both infrastructure and applications to a wide range of companies in various industries. The company has a matrix structure and financial services is one of the silos. It specializes in providing complete solutions including infrastructure, capacity, and additional services to banks, insurance companies, and other financial institutes. Security is a central aspect in the deliveries, and there is an interest in the possibilities that AI brings to the domain and how it could be implemented into the services that Tieto provides.

1.3. Problematization

Cybersecurity is getting more crucial in this digital era. The threat landscape is growing and the stakes are getting higher. While the number of breaches has decreased over the last year, the impact of each incident is getting more severe. Organizations are starting to understand the importance of protecting their IT infrastructure, and there is a sense of urgency to it today. Regulatory changes are also forcing organizations to act, and hence, security is moving up the priority ladder. However, the security market is highly competitive, with multiple submarkets, and it can be difficult for organizations to set up a comprehensive security strategy and to navigate through the sea of vendors.

Artificial intelligence is taking the world by storm, and the security industry is no exception. There is a strong interest in the capabilities of artificial intelligence applied to cybersecurity, but there is also caution about whether such technologies live up to their promises. Investigations of the impact of artificial intelligence on society are still scarce, not least regarding its impact on cybersecurity, which leaves a research gap in an academic context.

1.4. Purpose

In tandem with the emerging innovations within artificial intelligence enabled cybersecurity technology, this investigation intends to examine the most important factors that influence the diffusion of the new security technology. The purpose of the investigation is furthermore to learn about how artificial intelligence is being used today, what needs the companies consider themselves to have, and how artificial intelligence can be used to fill those needs.

1.5. Research Questions

Before proceeding with the investigation, a research question needs to be defined to be able to fulfill the purpose of the report. The whole research question has been broken down into one main question whose answer intends to stay on a more generalizable level, and two additional sub questions aiming to elucidate what is needed for answering the main question in the specific context of this paper.

The main question reads:

What are the most important factors for influencing the diffusion of artificial intelligence enabled cybersecurity technologies?

The additional sub questions read:

What security strategies and technologies are implemented by organizations within the financial industry?

How can artificial intelligence technology be used to improve cybersecurity?

Together, these three questions will fulfill the purpose of the paper, as they act as a foundation for the continued investigation and for designing the research methodology.

1.6. Possible Contribution

The research contributes both empirically and theoretically to the literature of innovation management. One possible contribution is to the field of diffusion of innovation research on security technologies where it could enrich an understudied field within IT innovation, as well as bridging the gap between the field of artificial intelligence and security, possibly revealing new critical factors that influence the diffusion of security innovations. The contribution is focused on exploring how firms within the financial industry are adopting artificial intelligence security innovations, and what factors influence the decision to adopt.

1.7. Structure of This Paper

The following chapter covers the literature study and theoretical framework, including key concepts within cybersecurity as well as the research framework. Chapter 3 will thereafter further explain the concept of AI in security while providing the empirical background of this study. Chapter 4 will present the methodology of this report. The research design and data collection to answer the research questions will be explained. In chapter 5, the results and findings of the case studies will be presented and cross-case analyzed. Additional findings from experts and industry professionals will also be presented in chapter 5 and will answer the research questions. The following discussion will be a part of chapter 6, where the findings will be discussed and compared to the literature, including industry reports and consultant reports. Chapter 7 finishes the paper with a conclusion and a summary of the investigation, see Figure 1.

Figure 1: Paper Overview


2. Literature Review and Theoretical Framework

This chapter will present the literature study made on the topic of diffusion of IT innovation as well as the research framework that together form the foundation of the research. The TOE-framework and the diffusion of innovation theory will be explained further to understand what factors influence the adoption of new technologies.

2.1. Previous Research on Adoption of IT Innovations

Adoption of IT innovation has for the past 20 years been a highly scrutinized area of research (Frambach & Schillewaert, 2002; Oliveira & Martins, 2011). With the development of the internet and the widespread adoption of IT innovations, numerous studies have been made based on popular technological adoption models to break down and explain the most critical factors that influence the adoption and user acceptance of IT innovations. Commonly used models include the diffusion of innovation theory and the Technology – Organization – Environment (TOE) framework.

2.1.1. Diffusion of Innovation Theory

The diffusion of innovation (DOI) theory introduced by Rogers (1983) is a commonly used theory that forms the foundation for studies on adoption and diffusion of IT innovation (Mustonen-Ollila & Lyytinen, 2003). It has been identified that the perception of an innovation by decision-makers affects their inclination to adopt a new product (Rogers, 1983). It is further suggested that relative advantage, compatibility, complexity, trialability and observability are five innovation characteristics that have an impact on the perception of innovations, both positively and negatively (Rogers, 1983). The literature indicates that the theory of DOI is well established and the five characteristics have been deployed successfully in several studies about IT innovation adoption (Premkumar, et al., 1994; Mustonen-Ollila & Lyytinen, 2003). Perceived relative advantage, such as ease of use and economic incentives, has been shown to have a positive impact on adoption decisions (Mustonen-Ollila & Lyytinen, 2003).

Compatibility and complexity had a significant impact on the adoption of material requirement planning measures (Cooper & Zmud, 1990). Premkumar et al. (1994) found that technical compatibility and relative advantage significantly increased the rate of adoption of electronic data interchange solutions. Meanwhile, Bradford and Florin (2003) did not find any significant effect of technical compatibility in their study on implementation of enterprise resource planning systems, which indicates that there are some weaknesses in the consistency of DOI studies as well as in their preciseness (Karahanna, et al., 1999). To address such weaknesses, some researchers have combined DOI with other theories, allowing for a more representative framework that addresses the interaction between attitude, intention and behavior. Post-adoption theories such as the technology acceptance model and the theory of planned behavior have been implemented to address individuals' pre- and post-adoption perceptions (Karahanna, et al., 1999).

DOI theory has also been applied in cybersecurity. In a study on the individual adoption of anti-spyware software the researchers found relative advantage, compatibility, visibility and trialability to be significant factors in forming an individual’s attitude towards anti-spyware software (Lee & Kozar, 2008). However, ease of use was not significant at all. In a study about the individual’s adoption of computer information systems security measures, the findings suggested that perceived usefulness and perceived ease of use did not have a large impact on intention to use the measures (Jones, et al., 2010). The authors speculate that because security measures are often mandatory, the effect of ease of use and usefulness is not as strong, which contradicts the literature but is in line with the results from the study about adoption of anti-spyware software. Furthermore, in the context of security, organizations may place more emphasis on protecting themselves against vulnerabilities than on promoting ease of use and usefulness as key drivers. Other factors such as management support and training support did show positive influence on the intention to adopt (Jones, et al., 2010).

While DOI has been successfully used in IT innovation studies, Hameed et al. (2012) have addressed another limitation to it besides inconsistency. It is often used to study the behavior and attitude of individuals in the adoption of innovation and fails to explain the full innovation adoption process. Thus, the DOI theory alone might be inadequate to fully explain the adoption of innovations in organizations (Hameed, et al., 2012).

2.1.2. Technology – Organization – Environment Framework

The Technology – Organization – Environment (TOE) framework was developed in 1990. It identifies three dimensions of an organization’s context that influence the diffusion and adoption process of innovations (Tornatzky & Fleischer, 1990). The TOE-framework has a solid theoretical foundation and has been applied to multiple studies regarding IT adoption amongst firms (Oliveira & Martins, 2011).

In a similar study on adoption of enterprise resource planning systems among Taiwanese enterprises, the researchers applied the TOE-framework to reveal factors within each context that affected the adoption of such innovation. The study found organizational size to be positively related to adoption while perceived barriers had a negative effect. It indicates that top management support and technology readiness are two important factors to manage the perception of barriers (Pan & Jang, 2008). Interestingly, external influential factors such as competitive pressure and regulatory policy did not have any significant relationship with the adoption decision, contradicting a number of studies on IT innovation that have shown the opposite (Premkumar, et al., 1994; Wang, et al., 2010). Meanwhile, other studies did not find competitive pressure and regulatory policies to be of significance in the adoption of IT innovations (Thong, 1999). It indicates that, just as the case with DOI, there is weakness in the TOE-framework regarding the consistency.

The TOE-framework has been successful in resolving the limitations of other innovation theories by introducing the environmental context. The environmental context presents both opportunities and restrictions to innovation diffusion and adoption (Oliveira & Martins, 2011). Hence, it is more suitable to explain the process by which organizations adopt security innovations (Hameed & Arachchilage, 2017).

2.1.3. Combining Models

The TOE-framework has been combined with the DOI theories in many studies to address some of the limitations of the latter, by adding on dimensions of interest, such as the environmental and the organizational context (Oliveira & Martins, 2011). Furthermore, the framework is consistent with DOI theory, in which the author emphasized that individual characteristics together with internal and external characteristics of the organization drive organizational innovativeness (Rogers, 1983). As the DOI theory and its five characteristics are focused on technology, it has often been combined with the TOE-framework to enrich the technology context (Wang, et al., 2010).

The advantage of combining the two theories is twofold. Firstly, DOI theory by itself only describes how an attitude is formed and does not paint the whole picture regarding the intention to adopt (Lee & Kozar, 2008). Secondly, organizations seldom operate in a vacuum, and thus, by introducing the environmental context, valuable insights can be gained which strengthen the DOI theory, making it more suitable for studies about innovation diffusion and adoption on an organizational level (Hameed & Arachchilage, 2017).

While the field of IT adoption is rich in contributions, there has been little to no research that has applied the TOE-framework combined with DOI theory to studies on diffusion and adoption of cybersecurity innovations. In an attempt to fill the gap, Hameed and Arachchilage proposed a comprehensive conceptual model including TOE and DOI, and the previously mentioned Technology Acceptance Model and Theory of Planned Behavior, to address the process by which an organization adopts, implements, and continuously uses security innovations (Hameed & Arachchilage, 2017). It has inspired this research to approach the study in similar fashion. However, given that this research will only regard the process by which innovations are adopted, only TOE and DOI will be considered.

2.1.4. Preventive Innovation

Preventive innovations refer to innovations that are adopted to avoid unwanted consequences in the future (Rogers, 1983). The incentives to adopt such innovations are rather vague as the unwanted consequences may or may not occur (Rogers, 1983). Thus, the relative advantage elements of such innovations are relatively low or delayed in time compared to traditional innovations, making the motivation to adopt quite weak and the rate of adoption rather slow (Rogers, 2002). Contraceptives, seat belts and insurances are some examples of preventive innovations, and in the context of this investigation, a traditional antivirus application is considered preventive.

According to Rogers (1983), preventive innovations often require a cue-to-action, such as the occurrence of an event which creates a favorable attitude toward a preventive innovation. Such events can be naturally occurring; for instance, many women first adopt contraception afterwards, when they have already experienced unwanted pregnancy (Rogers, 1983). Cue-to-action can also be initiated by change agencies such as regulations or governmental programs that create an incentive to adopt certain innovations (Rogers, 1983). In a meta-analysis study on preventive innovation it was indeed shown that attitude had a significant effect on the intention to adopt preventive innovations (Overstreet, et al., 2013).

2.1.5. Cybersecurity as a Preventive Innovation

Given the definition, cybersecurity can be seen as a preventive innovation. There have been a number of studies on individual user behavior with regard to the intention to adopt preventive technologies (Ng, et al., 2009; Dinev & Hu, 2005; Dodel & Mesch, 2017).

Building on the theory of preventive innovations, an early study on preventive technologies such as cybersecurity revealed that user awareness of threats from harmful technologies was a strong indicator of user behavioral intention toward the adoption of preventive technologies (Dinev & Hu, 2005). Other studies have adopted models from healthcare to address the characteristics of cybersecurity diffusion and adoption as well (Dodel & Mesch, 2017; Ng, et al., 2009). With a health belief perspective, Ng et al. (2009) looked into the factors that influenced users in organizations to behave in a secure manner on the computer. They found that perceived susceptibility and perceived benefits are determinants of user behavior in the context of computer security, which concurs with the nature of security as the motivation is often to mitigate risks and reduce threat likelihood (Ng, et al., 2009).

The studies on cybersecurity as a preventive innovation have taken an individual approach while neglecting the organizational context. Furthermore, the individual user's acceptance of security has been shown in some studies to have less influence on the overall usage of a security innovation, especially in an organizational context, as security technologies are often implemented organization-wide on computers and only actively used by people working with security (Lee & Kozar, 2008; Jones, et al., 2010). However, there are implications that the factors explored could be applied to similar studies on organizations as well to explain why organizations adopt preventive technologies in general.

2.2. Theoretical Frameworks

For the intended research on AI technology within cybersecurity, a research model based on previous research and conceptual frameworks has been synthesized, including the TOE-framework and DOI theory. Post-adoption models have been excluded, although argued for in the previous chapter, because of the novelty of AI-enabled security, which makes it difficult to acquire information about the post-adoption perception of such technology. Further, cybersecurity measures are often pre-installed on the organizational devices and enforced through organizational policies, which means that employees can voice their opinion but must still conform to the policies and decisions that the organization takes (Lee & Kozar, 2008; Jones, et al., 2010).

The Technology – Organization – Environment (TOE) framework, created by Tornatzky and Fleischer (1990), has been successfully applied to studies about IT innovation, see Figure 2. It describes how the process by which a firm adopts and implements technology innovations is influenced by technological context, organizational context and environmental context. Further, the framework has been widely used to connect and incorporate models and theories regarding the diffusion and adoption of innovation (Hameed & Arachchilage, 2017; Oliveira & Martins, 2011).

Figure 2: TOE Framework, Technological - Organizational - Environmental

Technological Context

Technological context includes attributes of technologies currently used in organizations and the innovation available outside the organization. The attributes entail typical factors when adopting new technology and can be used to compare the old with the new. Thus, it plays a crucial role for the adoption of information systems and on the perception of innovations which influences pre-adoption and adoption-decisions in firms. Previous studies have shown that the DOI theory can represent the attributes and factors that explain innovation adoption within firms (Frambach & Schillawaert, 2002; Hameed, et al., 2012).

Relative advantage

Relative advantage is the degree to which an innovation is perceived as better than the current one (Rogers, 1983). The relative advantage can refer to how implementing an innovation is more economically beneficial, gives an increase in efficiency and productivity, or reduces maintenance compared to currently deployed technologies (Rogers, 1983). In the case of cybersecurity the relative advantage can be demonstrated in the form of cost saving, better security, higher automatization, or other ways that are perceived as valuable and effective in protecting IT assets (Moore & Benbasat, 1991).

Compatibility

Compatibility is the degree to which an innovation is perceived as being consistent with the existing values, experiences and needs of the users (Rogers, 1983). The more compatible a new idea or innovation is with existing values, beliefs, and practices, the more likely it is that it will establish itself and see wide adoption.

Information systems consist of multiple technologies that are interrelated with each other. Therefore, the more compatible new security innovations are with existing processes and systems the more likely it is to be accepted and implemented into organizations (Lee & Kozar, 2008).

Complexity

Complexity is the degree to which an innovation is perceived as being difficult to use (Rogers, 1983). It usually has a negative relation to the degree to which an innovation is adopted. The easier an innovation is to use, the more likely it is that it will be implemented. If it is very complex, investments in new resources, for instance in the form of training, expertise or changes in other parts, might occur (Tornatzky & Klein, 1982).

Observability

Observability is the degree to which the results and the advantages of an innovation are visible to others (Rogers, 1983). In general, the degree to which the relative advantages of an innovation are visible to external adopters and potential adopters has a positive correlation with the rate of adoption. According to Rogers (1983), technologies in the form of software are more difficult to observe and are hence subject to a slower rate of adoption. However, in a more recent study on the adoption of anti-spyware, observability had a strong positive impact on the rate of adoption of anti-spyware programs (Lee & Kozar, 2008).

Trialability

Trialability is the degree to which the innovation may be experimented with. Hence, innovations that can be tested on a temporary basis are more likely to be adopted. The option to try and test new innovations reduces the uncertainties for potential adopters. Therefore, there is a positive relation between the degree of trialability and the rate of adoption (Rogers, 1983). It was also found that trialability did affect individual users’ intention to adopt anti-spyware programs because it would increase the perceived benefits of such programs (Lee & Kozar, 2008).

2.2.1. Organizational Context

The organizational context of the TOE model is a widely studied area of IT innovation. It refers to the characteristics and resources of the firm. Organizational characteristics can be seen as the ultimate factors in predicting adoption of new innovation (Frambach & Schillawaert, 2002; Damanpour, 1991). The individual user can have a substantial impact on the adoption of technology. In an organizational context, the interaction within a system must fit into the current organizational processes and routines (Nelson & Winter, 1982). Hence, organizational characteristics can be seen as more significant in the prediction of technology adoption. Top management support, security culture, and organizational size have all been shown to have a positive influence on the adoption of new innovations (Hameed & Arachchilage, 2017).

Top Management Support

Top management support has been shown to have a positive impact on the implementation and adoption of new technologies (Bradford & Florin, 2003; Pan & Jang, 2008; Jones, et al., 2010). In a study based on small businesses the results indicated that the CEO’s attitude towards innovation has a direct impact on the likelihood of adopting new technologies (Thong, 1999).

Organizational Size

Organizational size and the role it plays in technology adoption have been highly scrutinized. It not only determines the organizational structure and the decision making, but also the slack resources that are available, not to mention a larger mass (Hameed & Arachchilage, 2017). However, it could also hamper the rate of adoption as the structure becomes more complex with the increase in size (Frambach & Schillawaert, 2002).

Organizational Cybersecurity Readiness

Cybersecurity readiness refers to the degree to which an organization has the knowledge, resources and commitment to adopt cybersecurity innovation. If an organization has the necessary infrastructure for future technologies, it will consequently be more ready for them. Cybersecurity readiness can be seen as influenced by factors like security expertise and security culture, which can be achieved in various ways, not least through training and by organizational policies (Hameed & Arachchilage, 2017).

2.2.2. Environmental Context

Rogers describes the diffusion of innovation as a process by which an innovation is communicated across a social network (Rogers, 1983). IT innovations are seldom exclusively deployed within an organization. They are often communicated with partners and other stakeholders. This means that the environment in which a firm operates can have tremendous influence on the decision making. Government policies, mass media as well as vendor marketing, social networks and competitive pressure have been verified as possible factors that affect how a new technology is viewed and subsequently adopted or rejected (Frambach & Schillawaert, 2002; Hu, et al., 1997; Hameed & Arachchilage, 2017).

Further, it has been shown that threat perceptions about severity of and susceptibility to breaches influence the policy attitudes of organizations as well as their employees (Ng, et al., 2009). While the findings have varied regarding the influential impact regulations and competitive pressure have on adoption of IT innovations, the literature on preventive innovations suggests that it often requires some form of cue-to-action (Rogers, 1983).

3. Empirical Context

This section provides the empirical context to the research design and intends to give the reader a deeper knowledge about the specific industrial area this paper is narrowed down to. The concepts of cybersecurity and artificial intelligence will be briefly explained as well as information about regulations within the financial industry in Sweden.

3.1. Regulations

Some industrial areas are more heavily regulated than others, hence requiring higher security standards, and companies within the Swedish financial sector are no exception. This paper neither dives deep into exploring the backgrounds and origins of the regulations, nor their legal details, but this section intends to give the reader an overview of what the different regulations mean, and how financial firms need to attune their organizations to suit them.

3.1.1. Financial Industry Supervision

On the official web page of Finansinspektionen (FI), in English: The Financial Supervisory Agency, it reads: “Finansinspektionen is Sweden's financial supervisory authority. Our role is to promote stability and efficiency in the financial system as well as to ensure an effective consumer protection.” (Finansinspektionen). Its mission, on behalf of the Swedish Ministry of Finance, is to see to it that organizations active in Sweden follow laws and regulations. Decisions made regarding cybersecurity may have severe consequences for the firm’s ability to uphold the laws and regulations. Much of what FI does is to prevent financial crimes, such as money laundering. Some regulations from FI, however, such as FFFS 2014:5, in some cases require organizations to document precisely how they work with security, both on an organizational strategic level and on a technical systems level. It also requires companies to classify their information and analyze risk levels. The particular regulation affects banks and securities companies, while regulations affecting other firms within the industry, such as insurance companies, usually are less controlling.

3.1.2. General Data Protection Regulation

The Swedish Personal Data Act, which was replaced by the EU General Data Protection Regulation (GDPR) on May 25th, 2018, affects all firms operating within the EU. GDPR is one of the hottest topics during the spring of 2018. It is an initiative from the EU to make sure personal information about individuals is protected and correctly processed. The public information resource website, eugdpr.org, explains the purpose of GDPR to be to protect and empower all EU citizens' data privacy and to control how organizations store and process individual information. Another major purpose is to have the same legislation throughout all of the EU, to be able to keep the large flow of information without too complicated holdbacks due to varying rules (Datainspektionen, 2017).

Violating GDPR legislation or proving non-compliant can result in large fines, up to 20 million euros, or 4% of the company’s global revenue (EU, 2016).

3.1.3. Industrial Standards

Besides the rules and regulations which companies are obliged to follow, pressure can come from other places as well. The ISO 27001, or more specifically known as ISO/IEC 27001:2017, is an industrial standard providing a framework for how to work with information security management (Rouse, 2009). Indeed, it is not obligatory to follow this standard; however, it works as a useful tool to make sure internal processes are carried out in a satisfactory way. It can additionally increase the level of trust a customer perceives towards a company, just as not following a standard can lower that trust.

3.2. Cybersecurity Threats

A malicious program was written in 1981, causing a contagious outbreak which is often referred to as the first PC virus outbreak (Spafford, 1990). Cyber threats today have become much more diversified and can take on many various shapes and forms. In cybersecurity, the term malware is used for any type of unwanted malicious software like viruses, trojans and worms (Swain, 2009). Malware can be mediated through different types of attacks to penetrate network defenses. In recent years, a major global problem has emerged in the form of ransomware, a type of malware that encrypts the data and usually demands a ransom payment in return for decrypting the computer. There are a significant number of different attack methods, whereof only a few are referred to in this paper.

3.2.1. Hacking and Attacking Methods

Rob Joyce, the head chief of a US National Security Agency hacker group, explained that the key area in which malicious hackers outdo their targets is the knowledge that they have of the targeted network (Joyce, 2016). Hackers possibly know more about the security holes in a program than the ones who created it, as security often comes as an afterthought in the development of systems or software. This allows hackers to infiltrate networks through means that their targets might not even be aware of. While exploitation of security holes, especially new ones, is a common method for hackers to infiltrate networks, the concept of social engineering has perhaps been the most widely deployed technique for hackers to gain access to seemingly secure systems (Böck, et al., 2012; Workman, 2008; Tetri & Vuorine, 2013).

Social engineering refers to gaining access to a network through exploitation of human behavior and manipulation of people by various means; it is the art of acquiring information through persuasion and deception of people (Mitnick & Simon, 2002). It is a practice that is used to exploit the “weakest link” in the security chain of an organization (Allen, 2007). This means that the biggest threats to organizations are perhaps not the hackers, but in fact the employees. The 2018 Cybersecurity Intelligence Index by IBM (2018) revealed that more than two thirds of all compromised records came from phishing attacks on careless insiders (IBM, 2018). The report also found that financial services is one of the top targeted industries, due to the large amount of personal data information, intellectual properties, and massive amount of financial assets.

3.2.2. Incident Impact

In 2014, American bank JP Morgan Chase was breached in what was up until then said to have been the largest attack in history (Liu, et al., 2015). It affected 83 million households and small businesses (Reuters Staff, 2014). The attack exposed user account details as well as personal information such as names, addresses, and phone numbers. Just about a year before the JP Morgan Chase breach, retail chain Target was breached, which left personal information from up to 70 million users exposed (McGrath, 2014). In the following case regarding Equifax, the impact was even larger and the aftermath much worse; here, among other information, social security numbers, birth dates, drivers’ license numbers, and some users’ credit card numbers were exposed (Gressin, 2017).

The famous Equifax breach occurred in the late summer of 2017, hitting the US based, global information company hard. While Equifax is not actually categorized as a company within the financial industry, such as banks, they share some liabilities as they store large amounts of data, including private records and sensitive personal information about their customers. The breach exposed personal information of 143 million US customers, and possibly millions of additional UK and Canadian citizens (Hedley & Jacobs, 2017).

Incidents such as the cases above show that security for large companies needs to consider not only the company’s secret internal information or the protection of money; sensitive information leaking out and getting into the wrong hands can be just as serious. Several researchers have attempted to reveal the economic effects, while others have attempted to define the costs of security countermeasures. Security breaches can create many different types of costs. Kannan, Rees, and Sridhar (2007) define two forms of costs: direct and indirect. Direct costs refer to losses of productivity by employees because of an attack, the costs of communicating it to consumers who may have been affected by a breach, and the costs of communication with mass media (Kannan, et al., 2007).

Indirect costs include, for example, the breached firm’s higher insurance premium, and loss of market share due to loss of trust among consumers and partners. Indirect costs of an attack could sometimes even surpass the direct costs. For example, a defacement of a webpage might cause greater indirect costs than the direct costs associated with a password breach of an internal company server, due to the webpage being inaccessible. An attack such as defacement of a webpage might not be very severe from a technical perspective, as no information was violated, but it might require a significant amount of communication with customers and the media to potentially gain back some of the lost trust (Hancock, 2002).

3.2.3. Economic Significance

Hovav and D’Arcy (2004) investigated what impact computer virus attacks have on the share price of breached organizations, and they found that while 45% of the affected organizations’ share prices went down, the majority did not experience any negative impact (Hovav & D'arcy, 2004). They speculated that the market might expect virus attacks to be common, thus leaving stock prices unchanged. Another assumption is that, since virus attacks do not have theft of confidential information as a purpose, there is little reason for the stock market to react noticeably (Garg, et al., 2003). Other types of attack, such as Distributed Denial of Service (DDoS; sometimes only DoS) attacks, have greater financial impacts for affected firms (Garg, et al., 2003). DoS attacks temporarily prevent some specific functions of an organization from working, such as web sites, mail servers, or phone systems, by overloading the capacity of the functions. These attacks have significant upfront direct costs in terms of loss of productivity and loss of commerce abilities. In some cases, such as for hospitals, DoS attacks can even be directly life-threatening.

Infringements where an organization’s consumer data about credit cards and social security numbers have been compromised still have the most significant financial consequences (Campbell, et al., 2003). The Equifax incident mentioned above was said to generate direct and indirect costs reaching nearly $440 million already by the end of 2017, and could grow to over $600 million when lawsuits and government investigations are included (McCrank & Finkle, 2018). There are additional costs related to cybersecurity which are the anticipation costs, such as security software, insurance and compliance which is a multibillion-dollar industry worldwide (Anderson, et al., 2013). These costs fund the growth of the economy of underground markets by deterring consumers, from companies who have experienced breaches, to other channels. Hackers are seeking financial returns by offering cybercrime services to the underground markets where the goal is to manipulate markets (Anderson, et al., 2013).

3.3. Technicalities of Artificial Intelligence Security

There are a number of ideas regarding what describes an artificial intelligence (AI), for instance: mimicking of the human thought process, reasoning and behavior, or being rational, meaning that it does the right thing given what it knows (Russell & Norvig, 2014). An AI should therefore have some characteristics of being autonomous in its analysis, and learn without human guidance. AI is sort of a buzzword, being utilized for marketing purposes, and machine learning (ML) is often the underlying technological method to achieve a degree of automation and self-learning (McClelland, 2017). Instead of hand-coding software routines to specific tasks, ML can be taught how to perform tasks by writing algorithms that utilize large sets of data (Russell & Norvig, 2014). AI, or rather machine learning, can essentially be taught to analyze any data, recognize patterns, and to look for specific attributes. One area where AI has been successfully applied is computer vision, which is the ability to perceive an object (Bughin, et al., 2017; Russell & Norvig, 2014). As an example, the ability to identify faces has become a standard feature in new photography cameras.


The need for better detection for security has driven innovation for new device or server based products enabled by AI, such as endpoint detection and response (EDR) and security information and event management (SIEM), as well as network based preventive controls such as firewalls (Gartner, 2017). Just as in other industries, AI will be augmented with people to automate insights, discovery and data preparation, and increase the overall efficiency and efficacy of operations (Panetta, 2017). Although there is a lot more to the functionalities, some of the product segments that show the largest potential by enabling AI technologies will be explained in Table 1 below.

Table 1: Security Controls

| Tool | Description |
|---|---|
| SIEM (Security Information and Event Management) | Any application, either endpoint or server based, produces logs containing information on occurring events in a system or a network. A SIEM collects these logs, normalizes and analyzes them. By certain pre-defined rules, it can alert the security department, which can then remediate the cause of the incident. By utilizing artificial intelligence for SIEM, predictive abilities can be improved, and it can automatically help to reduce the propagation of infections and attacks (Karimi, 2018). |
| DLP (Data Loss Prevention; sometimes: Protection) | DLP tools, in their various forms, are used to protect information from slipping out from the network: business strategies, employee salaries, trade secrets, to mention just a few. With regulations such as GDPR, they become even more crucial, as personal information about customers must not be exploited. With machine learning, DLP tools will be able to detect where there might be sensitive information by scanning and analyzing the data flow (Symantec, 2010). |
| IAM (Identity Access Management) | Given that 90% of cyber-attacks come from the inability of users to protect their passwords, access management becomes very important (Identity Management Institute). Corporate policies allowing users to work from private devices, and on open networks, put a lot of pressure on allowing and restricting just the right amount of access for users in different situations. Artificial intelligence can help automate the resource-demanding process of adjusting user accessibility by, for instance, analyzing user behavior. |

Cybersecurity is rather complex, making it difficult to understand how everything is connected. Besides the tools described above, there are a few more functions worth mentioning before describing the whole ecosystem with a visualization in Figure 3 below. Just as the IAM system is a tool to manage personal access (Moeller, 2010), user behavior analytics (UBA) is a tool that, by enabling machine learning, can analyze user behavior to assess if an event is normal or potentially harmful (Rouse, 2017). Endpoint detection and response (EDR) is in a way taking the spot from traditional antivirus (AV) applications (Firstbrook, et al., 2017). The idea of EDR is to also learn behavior, either of humans or of applications. Since a problem with older antivirus systems is that someone must always be infected first before the malware can be identified, EDR can stop the attack by analyzing the intent of the program instead of its signature code. There are furthermore tools for vulnerability risk management (VRM) to find potential vulnerabilities by scanning the IT environment, including networks, applications, and other systems.
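The SIEM steps from Table 1 (collect, normalize, apply a pre-defined rule) and the UBA idea of judging a login against a user's learned behavior can be put side by side in a short sketch. This is an added example, not part of the thesis or of any product it mentions; the log formats, field names, thresholds and sample lines are constructed assumptions.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input: two sources with different formats, as a SIEM would collect them.
RAW_LOGS = [
    "2018-05-02T08:01:10 sshd: Failed password for alice from 10.0.0.5",
    "2018-05-02T08:01:20 sshd: Failed password for alice from 10.0.0.5",
    "2018-05-02T08:01:30 sshd: Failed password for alice from 10.0.0.5",
    '{"time": "2018-05-02T09:00:00", "user": "bob", "event": "login", "ok": true, "ip": "10.0.0.7"}',
    '{"time": "2018-05-03T09:05:00", "user": "bob", "event": "login", "ok": true, "ip": "10.0.0.7"}',
    '{"time": "2018-05-04T03:12:00", "user": "bob", "event": "login", "ok": true, "ip": "192.0.2.44"}',
    "2018-05-04T10:00:00 sshd: Accepted password for alice from 10.0.0.5",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)

def normalize(line):
    """Map one raw line from either source onto a common event schema, or None if unparsable."""
    try:
        if line.startswith("{"):
            rec = json.loads(line)
            return {"ts": datetime.fromisoformat(rec["time"]), "user": rec["user"],
                    "action": rec["event"], "success": bool(rec["ok"]), "src": rec["ip"]}
        m = SSHD_RE.match(line)
        if m is None:
            return None
        return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"], "action": "login",
                "success": m["result"] == "Accepted", "src": m["src"]}
    except (ValueError, KeyError, TypeError):
        return None  # malformed record; a production pipeline would route it to a dead-letter queue

def rule_failed_logins(events, threshold=3, window=timedelta(minutes=5)):
    """Pre-defined rule: alert when one user has `threshold` failed logins inside `window`."""
    recent = defaultdict(deque)
    alerts = []
    for ev in events:
        if ev["action"] != "login" or ev["success"]:
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # forget failures that fell out of the sliding window
        if len(q) >= threshold:
            alerts.append(("failed-login-burst", ev["user"], ev["ts"]))
            q.clear()  # one alert per burst, not one per extra failure
    return alerts

def uba_unusual_logins(events, min_history=2, hour_tolerance=2):
    """Behavioral check: once a user has some history, flag a successful login that comes
    from a source never seen for that user at an hour far from all earlier login hours."""
    seen = defaultdict(lambda: {"hours": [], "srcs": set()})
    alerts = []
    for ev in events:
        if ev["action"] != "login" or not ev["success"]:
            continue
        profile = seen[ev["user"]]
        hour = ev["ts"].hour
        if len(profile["hours"]) >= min_history:
            # distance on the 24-hour clock, so 23:00 and 01:00 are two hours apart
            nearest = min(min(abs(hour - h), 24 - abs(hour - h)) for h in profile["hours"])
            if nearest > hour_tolerance and ev["src"] not in profile["srcs"]:
                alerts.append(("unusual-login", ev["user"], ev["ts"]))
                continue  # do not fold the flagged event into the baseline
        profile["hours"].append(hour)
        profile["srcs"].add(ev["src"])
    return alerts

def run_pipeline(raw_lines):
    """Normalize, order by time, then run the static rule and the behavioral check."""
    events = sorted((e for e in map(normalize, raw_lines) if e), key=lambda e: e["ts"])
    return rule_failed_logins(events) + uba_unusual_logins(events)

if __name__ == "__main__":
    for alert in run_pipeline(RAW_LOGS):
        print(alert)
```

The static rule catches the burst of failures without any history, while the behavioral check needs a baseline first and stays silent for a user it has not yet observed.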

Figure 3: Overview of the Connections between Different Security Controls

All the tools have their unique main usage purposes, although they overlap to some extent due to their wide, sophisticated functionalities, much thanks to the development of machine learning. Information about events through all these functionalities is often analyzed and processed by a team of experts, active 24/7, called the security operations center (SOC). Large corporations sometimes have a SOC of their own, while smaller firms might not afford to spare those resources and thus often outsource the SOC function.


4. Methodology

This chapter goes through which research methods were used to collect the empirical data needed. Case selections are described and motivated together with the additional participants of the investigation. Furthermore, the research method is discussed regarding validity and reliability throughout this section.

4.1. Research Design

The exploratory investigation is based on three organizations within the financial industry: one bank and two insurance companies, thus making it a multiple case study. Originally, the intention was to make a multiple case study on four companies. That decision was largely based on an article by Eisenhardt (1989), in which it was stated that with less than four cases, it can be difficult to draw conclusions on complex theories, and with more than ten cases, it becomes difficult to cope with the large amount of data. The idea was to have two banks and two insurance companies for the case study, one larger and one smaller of each kind. When planning the case interviews however, at a stage too late in the process to adjust for the loss, the larger bank withdrew its participation, leaving the case study with three cases. According to Robert K. Yin (2009), two cases will still provide stronger evidence than one, motivating why three cases are enough for this sort of replicative case study.

A multiple case study is in some cases seen as one main case study with additional comparative cases, but according to Yin, a single and multiple case study are just considered different variations of the same methodological framework (Yin, 2009). This paper follows the idea by Yin, that each case is unique and equally contributing to the research. Getting answers from several cases helps when drawing conclusions from this investigation, and looking for correlation between different factors and other attributes.

Each one of the cases was classified as an embedded case study, having multiple units of analysis (Yin, 2009), whereas having only one unit of analysis would classify the case studies as holistic. The scope of the case interviews is designed relatively wide, to fit into the exploratory nature of this study, to get a good general overview of how the industry operates, and to cover several areas of examination; hence, each case consists of multiple units of analysis. The study is exploratory in nature as there is limited coverage from previous research within this specific field. An exploratory stance with a qualitative approach is often preferred to study topics with little to no previous research (Bryman, et al., 2015). This is to identify patterns and to form a foundation for future research (Bryman, et al., 2015).


4.2. Data Collection and Case Selection

The data collection was performed at customers of Tieto, which is a large service provider of IT solutions. More specifically, the data collection was based on customers of the financial unit of Tieto, as they are the constituents of this thesis. Due to the nature of the project, with limited time and resources, the case study was focused on Tieto's customers within the financial industry and further narrowed down to the three chosen organizations. By focusing the cases on one industry, valuable insights were gained regarding the similarities and differences between organizations in a similar context. The empirical data was analyzed based on a deductive thematic approach to categorize the data and validate the research framework (Braun & Clarke, 2006). It also allowed the research to get a depth in information and knowledge that is preferable for a multiple case study. The financial industry is heavily regulated and is often considered to be in the forefront of state-of-the-art cybersecurity due to the sensitivity of the stored and managed information. That is why it was interesting to see how organizations within the industry work with cybersecurity, and where they are lacking, see Table 2.

Table 2: Case Company Introduction

| Cases | Industry |
|---|---|
| Case A | Insurance |
| Case B | Banking |
| Case C | Insurance, and pension funds |

The theories have grown mainly from the academic literature study and the many tech-media sources. Together with the collected data from semi-structured interviews with Tieto’s customers the theories were tried for validity. To further strengthen the answers from the case studies, and to complement the literature theory, interviews with experts from various areas within cybersecurity were held. The selection of experts consists of individuals from within Tieto, external software- and service suppliers, and additional experts from KTH where this thesis is situated, see Table 3. Yin (2009) describes this triangulation method as “Rationale for using multiple sources of evidence”. By triangulating answers from case interviews at the participating organizations, the involved experts, both internal at Tieto and external, and the unbiased University experts, it enhances the evidence for the literature study theory.


Table 3: Interview Purposes

| Profile | Purpose (What do we want to know?) |
|---|---|
| Security experts | Introduction to cybersecurity |
| Risk & compliance managers | Introduction to the security area of risk & compliance |
| Distributors of security | Introduction to the supply chain |
| Account managers | Identify customer needs |
| Security professionals | Identify market trends, customer needs and market dynamics |
| Case companies | Identify security needs and preferences |

The empirical data is gathered through semi-structured interviews, as the method is suited to the exploratory nature and qualitative approach of developing knowledge about the focus area. Semi-structured interviews allow for direct open-ended questions and are thus useful for broadening one’s view (Collis & Hussey, 2014). Table 4 lists all interviewees for the investigation: case, internal at Tieto, and external. Where the title is Service Provider, the interviewee is from Tieto internally. See Appendix A & B for interview questions.

Table 4: List of Interviewees

| Title | Interview ID | Date of Interview |
|---|---|---|
| Security Professor, KTH | Interviewee 1 | 2018-03-08 |
| Security Professor, KTH | Interviewee 2 | 2018-03-09 |
| Sales Manager, Distribution Company | Interviewee 3 | 2018-03-13 |
| Head of Sales – Security Services, Service Provider | Interviewee 4 | 2018-03-15 |
| Company A, Chief Information Security Officer (CISO) | Interviewee 5 | 2018-04-12 |
| Company B, Chief Information Security Officer (CISO) | Interviewee 6 | 2018-05-02 |
| Company C, Chief Security Officer (CSO) | Interviewee 7 | 2018-05-02 |
| Security Partner, Service Provider | Interviewee 8 | 2018-05-04 |
| Security Partner, Service Provider | Interviewee 9 | 2018-05-09 |
| Lead Security Architect Compliance, Service Provider | Interviewee 10 | 2018-05-09 |
| Lead Security Architect, Service Provider | Interviewee 11 | 2018-05-09 |

4.3. Literature Review

A literature review was conducted on previous studies on technology adoption and diffusion of innovation applied to relevant markets, i.e., IT innovations including security and non-security innovations. The theories provided valuable insights on the process of technological transition and entailed the influence of organizational and environmental factors that constitute the transitions. To the greatest extent possible, established authors or commonly cited scientific papers were prioritized, while continuously maintaining a critical perspective.

Due to the novelty of artificial intelligence (AI) technology within cybersecurity, the literature was extended to industry and consultancy reports, as well as other relevant sources, to provide a comprehensive overview of what cybersecurity looks like today and to conceptualize AI security. It is important to consider the purpose of industry and consultancy reports. They give insight into a possible future for the industry based on their definition of a certain technology and the potential it has based on that definition.

The subject of technology adoption and diffusion of IT innovations has been widely explored from pre-adoption, to adoption, and post-adoption. However, the substance of research on security is quite underwhelming in comparison. There are quite a few papers on the subject, but they are not commonly cited, and most of the research has focused on the individual adoption of security measures. More recently, a few studies have adopted a model traditionally used for health care, to incorporate factors related to fear in the individual adoption of security measures. While this thesis doesn’t have an individual approach, it is interesting to see that the research within the area of cybersecurity is evolving and very much alive. Other areas of research within the context of security have been more thoroughly explored, such as the economics of security and security threats, as they give a background scenario to why security is more relevant today than ever.

Security is very broad and complex and consists of many parts on different levels. AI in the context of security is possibly even more complex, and in its infant stage, where the boundaries are unclear and the full potential still unexplored. Hence, it is important to focus on the applications of AI that are most developed but also most relevant for the firms.

4.4. Application of Theoretical Frameworks

The frameworks that are used to test the theories and the empirical findings of this study aim to verify the hypothesis from the literature (Collis & Hussey, 2014). This research is based on theories about diffusion of innovation and technology adoption, and how they have been applied to IT innovation studies. The framework is intended to be used to help understand the complexity of the research area in general and what factors influence the diffusion of AI security in particular. The frameworks form the foundation of the deductive thematic analysis of the empirical data and are used with consideration to sustainability.

4.5. Validity and Reliability

In qualitative studies, validity can often present a problem because it is difficult to measure, as the empirical data derived from interviews often go through an interpretive analytical process (Bryman, et al., 2015). The study focuses only on the financial industry, which decreases the generalizability. However, as the financial industry is heavily controlled due to the critical information and resources that are managed, it is often seen as setting the standard for other industries to follow. Digitalization is happening across more or less all industries and is not a unique concept to the financial industry. Therefore, cybersecurity will be a highly relevant subject in other industries as well, which increases the generalizability of this report. By combining multiple sources of information from literature, industry reports and interviews with experts on security, data triangulation was achieved, which additionally increases the internal validity of the study. It has been crucial for this thesis to ensure that the area of research is relevant and up to date, as the topic of security and AI is constantly changing. Since the data collection was based on a pre-study and a qualitative multiple case study with semi-structured interviews, it was especially important to constantly align the problematization with purpose, research question, literature, and methodology, which meant changing what literature was considered relevant for the thesis.

It can be difficult to ensure a high level of reliability in qualitative studies, as it is dependent on how the answers are interpreted; especially in case of semi-structured interviews (Bryman, et al., 2015). The reliability of this study might be decreased due to the confidentiality of interviewees and companies which makes it more difficult to replicate. Furthermore, the interviews were limited to one per case company making it difficult to assess if the answers are truly representative of the case companies. There is also the risk of bias as the interviewees are affiliated with different companies with different viewpoints. However, the representatives were chief of security in all cases which indicates that they do have a holistic view. By including experts with different backgrounds as interviewees the empirical data from the case studies could be complemented and tested, thus, increasing the reliability. To ensure replicability, hence external reliability, the data collection methodology is fully disclosed including title of the profiles who were interviewed, as well as the analytical process. To increase the internal reliability of this study, notes were taken during the interviews together with recordings which were then transcribed. This ensured that the empirical material was analyzed multiple times to strengthen the internal reliability.

4.6. Ethical Aspects

Overall ethical considerations have been taken in alignment with the four areas of ethical principles presented in Bryman’s book (2015), which were broken down to areas about: harm to participants; lack of informed consent; invasion of privacy; deception. Additionally, the summary found on ‘research-methodology.net’ (Dudovskiy) of the ten most important ethical principles for dissertations has been considered throughout this research project:

1. Research participants should not be subjected to harm in any ways whatsoever;
2. Respect for the dignity of research participants should be prioritized;
3. Full consent should be obtained from the participants prior to the study;
4. The protection of the privacy of research participants has to be ensured;
5. Adequate level of confidentiality of the research data should be ensured;
6. Anonymity of individuals and organizations participating in the research has to be ensured;
7. Any deception or exaggeration about the aims and objectives of the research must be avoided;
8. Affiliations in any forms, sources of funding, as well as any possible conflicts of interests have to be declared;
9. Any type of communication in relation to the research should be done with honesty and transparency;
10. Any type of misleading information, as well as representation of primary data findings in a biased way must be avoided.

The investigation originally emerged from a proposition by the project principal at Tieto, with an idea to conduct interviews with representatives from various levels of the supply chain. Having a research subject as sensitive as security management, policies, and methods required an immediate strategy for handling information collected about both Tieto and its customers. When initiating communication with the external parties, it is important to inform them about the purpose of the investigation, and how they and the data related to them will be presented in the paper. All interviewees were informed that no sensitive information about who they are, or about how they work with security, will be traceable to them, as they will be presented anonymously in the paper. The only attributes of the companies being revealed are roughly what size they are, and what branch within the financial industry their main operation belongs to.

4.7. Source Criticism

The literature review is based on published peer-reviewed journals and books that are critically discussed in the literature. When there has been little information from the academic library regarding certain topics, such as specifics about different security tools and the latest about AI, industry reports and web sources have been used instead. This ensured that the information was up to date, and these sources have been triangulated with theory.


5. Results and Analysis

This chapter presents the results, beginning with what the case interviews yielded and continuing with a summary covering the various interviewed experts. Each of the three cases is first presented one at a time, and later merged together in a cross-case analysis. Additional results from the experts’ point of view are considered for analyzing the case results and comparing them to what the literature says, and to the current industry trends.

5.1. Cases

Three cases are presented, where the companies in question are referred to as Company A, Company B, and Company C. All three are operating within the financial sector, as well as being under the supervision of Finansinspektionen, Sweden’s financial supervisory agency. The case results below are collected and compiled entirely from the interviews with them and from information found on their public websites.

5.1.1. Company A

Company A operates within the insurance industry across several of the Nordic countries. It employs over 6000 people and offers a wide range of insurance solutions and operates both within the business-to-business (B2B) and business-to-consumer (B2C) markets. The case looks at how Company A is working with cybersecurity and how it will adapt to the changes. The organization is one of the larger players in the Nordic region but does not hold any capital as part of its business as it is controlled by its banking partner (Annual Report, Company A, 2018). The main intellectual property it holds is personal data from its customers. It is under regulatory controls from the financial supervisory authority and due to the sensitive information, GDPR will also become a major regulation that it needs to adapt to.

The organization has an information security department with 6 employees working full time with the operational aspects of security, and it is a part of the IT department. The Chief Information Security Officer (CISO), who reports to the Chief Information Officer (CIO), has expressed the job as being very independent, meaning that there is a lot of freedom in shaping and operating the security work at the company. The CISO is also responsible for creating policies and other administrative security controls. Security has been a focal point within the company and it has become a more integral part of the development processes of its services to its customers. There are 3 to 4 employees who are purely working with penetration tests to identify vulnerabilities on the platforms and infrastructures that are developed or implemented. There is also an innovation hub that takes in new innovations and solutions and tests them to see how they fit into the organization.

Security is today something that everyone is aware of and something that is constantly discussed on a management level. Incidents around the world have slowly reshaped the mindset around the importance of security, which is a natural process according to the CISO. The discussion has become more urgent, especially with GDPR, which could require a company to pay 4% of its global revenue as a penalty fee. The CISO recognizes that the end user is the weakest link in the chain and has invested in a Nano-learning tool that requires all employees to go through a short test and training on a weekly basis to improve their security awareness. However, the company is slowly moving towards more user-friendly policies like bring your own device to work and work from anywhere.

Technological Context

Company A has a multi-sourcing strategy, not least when it comes to security tools. It made the decision to outsource tools and functions previously part of a package from a service provider to a third party to increase competition. It is also looking for niche players that can provide the best solutions to different functions within cybersecurity. Company A is also moving more to the cloud and has a long partnership with Azure, Microsoft’s cloud services. The key drivers for Company A’s strategic advancements in security are being compliant and, even more importantly, supporting the customer solutions. The CISO said that security should not inhibit the main business and its initiatives. It should act in a supporting role that enforces the business and induces confidence in its work. Security nevertheless has a much more central role during the development of IT today.

GDPR is a major driver and a big focus is to implement data loss prevention (DLP) solutions. Recently a larger investment was made on a security information and event management (SIEM) solution with AI functionalities that not only handles log management and correlation but also handles user behavior analytics and advanced threats analytics which is analyzed by an external security operation center (SOC). There is an identity access management (IAM) solution implemented which is partly automated. A more modern antivirus that is behavior based is also on the discussion board to increase the detective abilities. Because of its strategy of using cloud based solutions Company A finds it very critical to have control over a cloud security platform and has chosen to develop it internally instead of buying solutions from a third party. A vulnerability risk management (VRM) tool has also been implemented and Company A is considering implementing a third-party risk management solution which is a solution that monitors and rates cybersecurity risk of third-party vendors.

5.1.2. Company B

The second case is based on a Swedish bank, mainly operating in Sweden, but extends somewhat to several neighboring countries as well. Company B employs around 300 people in Sweden, and offers its services both as B2B and B2C. The bank constitutes one branch of a larger corporation having close cooperation connections between the branches. Each branch has its own CIO, with a subordinate CISO respectively. This case study considers only the one specific branch, the banking function, referred to as Company B.

As a member of the Swedish Bankers’ Association, Company B can access information about what is going on in the industry. In addition to help with attaining compliance towards financial laws and regulations, members get information and guidelines regarding IT-security and IT-infrastructure. As a bank, the laws and regulations from the Swedish government and the EU, as well as the guidelines and requirements from Finansinspektionen, restrict them in many aspects of innovation and maneuvering quick changes.

There is no differentiation between how Company B administrates IT-security and InfoSec (Information Security); they are considered the same and are both part of CISO’s accountability, as is the compliance aspect. CISO reports occasionally straight to Company B’s CEO, but more regularly directly to the CIO, who is also part of the company executive management, while CISO is part of the company IT executive team. They suggest that differentiating IT- and InfoSec can have a negative effect for the cross-function communication flow.

Company B’s CISO said during the interview that the information security department has good relations with the board of executives and has a high discretion regarding decision making for security questions. A previously occurring incident, performed as an insider job with harmful intent, was handled well by the IT department and was hence believed to have significantly increased the level of confidence received from the CEO.

Security is a high priority question at the IT department, where they give much effort to integrate the questions of security into the consciousness of all the employees. CISO and the closest colleagues make sure to invite themselves to team meetings all over the organization to get the conversation about security going. They talk to the teams about threat scenarios and how to assess actions from a security point of view over all aspects of everyday work, such as emails with malicious links, phishing phone calls, peculiar websites, etc. All employees are required to perform an annual interactive learning course, which is regularly updated. The CISO however does not care too much for the learning tools where the user proceeds with a click of the mouse. They prefer having an open, active dialogue about security and believe that the continuity here is more rewarding.

Public reputation is fundamentally important, because without good reputation, the business naturally fails. Customers need to be able to trust the bank, and the employees of the bank must likewise trust the systems internally, which is why all parts of the internal operations must feel safe about the safety measures carried out by the Security department. The various functions throughout the organization need to have a sense of confidence to encourage their creativity and innovation, so that the development of new solutions does not suffer. Company B has a work-from-anywhere policy, with restrictions over what functions are accessible from outside the network. While not allowing an employee's own device to be connected to the internal network, the company still allows working on private devices from the outside, as they will act as thin clients with heavily reduced administrative rights. When working from outside of the network, the thin clients act merely as a virtual window towards the corporate endpoint. In addition, USB sticks are completely disabled on all the company’s devices.


Regarding the perceived threat scenarios targeting Company B and the Swedish banking industry, the CISO believes that although state-sponsored attacks today are very rare, the future is likely to show more cyber warfare attacks aimed at banks and other societally important functions. Today most threats by sheer volume come from common noise circling the internet, consisting of widespread viruses, trojans, ransomware, and much more. Impact-wise, on the other hand, the biggest threat for firms such as Company B comes from insider attacks, which are targeted, much harder to protect against, and can cause severe damage. Company B regularly performs penetration tests on its systems to identify vulnerabilities, although the CISO does not mention any specific tools or applications used for this task.

As technology advances, so does the attacks. Because attackers constantly create more sophisticated attacks, enabled with ML or various AI algorithms to power their infringements, the CISO believes the defending side inevitably will have to turn to those kinds of technologies to protect themselves.

Technological Context

Company B has not yet transitioned its functions to cloud services on any large scale, although the CISO intends to do so gradually. There are some regulatory complications for highly controlled industries. Finansinspektionen, for instance, could not audit one of the largest cloud service providers, which the company was therefore not allowed to use. The CISO says problems such as this one usually get resolved over time, as the authorities slightly loosen their restrictions.

When Company B decides which new systems to implement, it usually begins by handing out a list of requirement specifications to the vendors. The vendors reply with their proposals, which are examined and analyzed. Usually the company keeps two or three of the proposals as backup while focusing on one specific system, and if that system delivers a proof of concept they stick with it. The CISO was asked whether having to run a new system in parallel with an old system for a period could affect the decision negatively, but said it would not; at most it would postpone the implementation of the desired new system in order to get as smooth a transition as possible.

New systems cannot be too complicated to use, as the path for employees to reach the full potential of the application may otherwise be too long. One should not need to be an expert on the application to use it, explains the CISO, while still encouraging expertise in the area in question. Applications implemented throughout the organization must not reduce accessibility for employees, as it is already a highly controlled environment with many restrictions. New systems should reduce manual labor, automate processes, and overall speed up common tasks. For security purposes specifically, the results should be clearly visible and presentable. The security information and event management (SIEM) system Company B uses today is multilayered in the sense that some logs are sent to an external security operations center (SOC) for analysis, while other logs are analyzed locally by the IT department. They additionally work with both user behavior analytics (UBA) and identity access management (IAM), and are keen to improve both functions soon with new specialized software.


Company B does not have any dedicated Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) today, although sophisticated antivirus and an advanced SIEM architecture can cover many of the desired IPS/IDS features. The CISO says they would still want to implement an IDS, while not bothering with an IPS due to its lack of ability to act. A strong driver for using data loss prevention (DLP) applications, which they do aggressively, is the large amount of personal information flowing through their systems, together with GDPR, which regulates what firms can do with that information and requires them to protect it. The CISO predicts that AI applications are likely to benefit from the speed of reaction of systems such as the IDS and DLP. Thanks to the highly diversified application base, the CISO predicts that the transition towards using AI- and ML-enabled applications within cybersecurity will go rather smoothly.

In all decisions, the CISO tries to take a defensive depth (defense in depth) point of view: setting up the security systems in several layers provides protection even if one layer or one specific application fails. Everything should furthermore be linked together, but not under one and the same umbrella. If the provider of that metaphorical umbrella had a critical vulnerability, the whole architecture could be compromised. The CISO prefers a diversified machinery, while it is also critical that everything is compatible with everything else. They see a risk in broad applications capable of doing more than one specific task, and believe that each application should essentially be built for expertise in one function alone. Therefore, they believe that a multilayered platform will probably not work very well in the cybersecurity industry, as it is not defensive depth thinking.

5.1.3. Company C

Company C operates within the insurance fund and pension fund industry and is a service provider that connects companies with fund providers. It employs more than 200 people in Sweden and operates exclusively as a B2B company. The case focuses on how Company C currently works with cybersecurity and how it will meet the challenges affecting that domain.

While being a part of the financial industry, Company C does not actually hold any capital in its business. It is, however, a piece in a larger chain where money is transferred through its systems. The main intellectual property (IP) that it has is personal data from millions of Swedish citizens. With the regulatory transformation happening right now in Europe, and the increasing frequency of larger security breaches, Company C is in an exposed position given the nature of its IP.

The organization has divided its administration of security into two parts: IT security, which is led by a chief security officer (CSO), and information security, which is led by a CISO. The CISO specifies the security requirements that the organization should meet and hands them to the CSO, who is responsible for realizing the requirements through operational measures by introducing technical controls. In the organizational structure, both the CSO and the CISO are part of IT operations, which is part of the IT department, meaning that they are four levels under the CEO. However, given the smaller size of the company, the CSO has full top management support and a lot of freedom in what technical controls to introduce and in the overall operational strategy for security. As the CSO is the only one working with cybersecurity, management support is of absolute importance; without it, it would be impossible to get the budget they need because, in the end, security takes time from the main business initiatives. There has not always been security awareness among the employees at Company C. The previous CISO had struggled to achieve the desired impact among the executives, but when the CSO stepped in around two years ago they worked well together and gained increasingly more support, which could be traced back to regulatory pressure from GDPR as well as a major breach at the Swedish Transport Agency, which made the management at Company C realize that they did not want to be like them.

Today, the company is much more aware of the risks. It has experienced attacks through phishing emails as well as an insider breach, which helped security become a recurring topic at every board meeting. There are stricter internal policies, and the employees must undergo weekly so-called Nano-learning training that teaches and tests them on safe behavior on the internet. USB drives are strictly prohibited on work computers to limit the risk of data extraction. Currently, it is not allowed to work from anywhere or to bring your own devices to work, but there are discussions about changing that to increase availability for the employees.

Technological Context

Company C is moving more and more of its operations to the cloud, and multi-sourcing of services is a prevalent strategy, both to keep flexibility with regard to market changes and to diversify risk by having multiple systems. However, there are still old, critical systems running on Windows 7 that must be maintained and cannot be moved to the cloud. The CSO believes that the old physical hardware and the old school of IT are hamstringing the firm’s ability to be secure and create a “technical debt”: being unable to move to the latest versions leaves some holes unpatched. With only one person working with security, the overall strategy is to buy everything as a service. The key drivers for change have been expressed as being compliant with current and new regulations, which trickles down to improving the firm’s security by improving its detective and forensic abilities, as well as increasing visibility and traceability.

The CSO is looking for solutions that can increase efficacy by automating processes. They are working on building a centrally owned platform to which all systems are connected. Through the platform, a comprehensive stream of data logs can be linked to a security information and event management (SIEM) solution, which is under procurement. A data loss prevention (DLP) tool is also a high priority given the information that the firm is handling. The CSO has already implemented a Next-Gen antivirus (AV), which is an AI-based AV, on all the clients. The same vendor is also extending its products to include user behavior analytics (UBA), and Company C will implement it as soon as it is ready. Identity access management (IAM) is integrated as part of the SAP solution (SAP being enterprise resource planning software). Intrusion prevention and detection systems are integrated in the firewall, but the CSO believes that they will lose relevance with the progress made in other parts of security as well as the ongoing cloudification. A vulnerability assessment tool has just been implemented and integrated with a third-party threat intelligence solution that uses machine learning to narrow down the threats to the most critical ones on a weekly basis. The vulnerability assessment tool generates hundreds, maybe thousands, of possible vulnerabilities, and the threat intelligence tool helps Company C focus on the most crucial ones.

The CSO had experience with AI-enabled security innovations before coming to Company C. At the previous workplace, the CSO had first-hand experience of the potential of an AI-enabled AV solution. That is also the reason why they chose to implement a Next-Gen AV. They described themselves as quite religious regarding AI technologies but try to keep an unbiased standpoint, looking for the solutions that can generate the most value based on functionality and not on the underlying technologies. On the other hand, due to the exponential growth of data volume it is almost impossible to manually analyze everything in real time, and some sort of AI will be inevitable to handle the analysis of all data. Automation must happen, and GDPR will have a positive effect on the adoption of AI innovations.

5.2. Cross Case Analysis

The results from each case will now go through a cross-case analysis where similarities and differences will reveal themselves. To some extent this has already been done within each case. Additionally, by reviewing the cases in light of the framework, further insights can be gained.

5.2.1. Company Comparisons

To begin with, both Company A and Company C operate in less regulated markets than Company B, which operates as a bank. Company C differs from the other two by offering exclusively B2B services, while Company A and Company B offer both B2B and B2C. Company A is the largest, employing over 6000 people, Company B employs 300, and Company C employs around 200 people. All three have their main operations in Sweden, but both Company A and Company B extend their operations to several neighboring countries as well. Company B is a member of the Swedish Bankers’ Association, while Company A and Company C are members of their respective equivalents. The hierarchical structures of all three companies are similar, with the one difference that Company C separates IT and information security, while Company A and Company B administer security under one person.

All three companies fall under the supervision of Finansinspektionen, and they are all subject to compliance requirements and to regulations such as GDPR. As a bank, Company B has in some ways even stronger restrictions and higher requirements than the other case companies, due to the increased risks of handling money. Company B would, for instance, additionally have been forced to work with PCI DSS, which formulates several specific requirements on how to work with information security, if they had not outsourced their card services to a third-party vendor.


Technological Controls

Regarding which security controls the case companies have enabled with AI, or rather ML, either today or with the intent to implement soon, they gave somewhat varying answers. Company A had until recently basically no dedicated AI systems, but has made larger investments in a SIEM solution with AI functionalities. It has its own SIEM and outsources the SOC function. It has IAM implemented, which is partly automated, and bringing in a Next-Gen antivirus based on behavior recognition is being discussed with the executive management. Because of GDPR, there is a large focus on implementing DLP solutions at Company A. The CISO is, however, questioning the way AI is presented in the media today, as it often refers only to well-written scripts, with no actual machine-driven decisions.

Company B runs DLP applications aggressively, using two different tools, largely because of the importance of keeping personal information safe under GDPR. They use a sophisticated AV on several levels, but they would not refer to it as an AI-driven AV. The CISO (Chief Information Security Officer) plans to implement an Intrusion Detection System (IDS); however, having a good SIEM reduces the importance of the IDS (Interviewee 6, 2018). They are currently implementing a new IAM system, which should reduce their manual work significantly and work together with the UBA tool. The UBA they use today is not optimal, and they are actively working on improving it. They do use case analytics using the same tool as they use for SIEM, which the CISO says is an incredibly powerful tool. They do, however, outsource the SIEM part specifically.

Company C could be perceived as more progressive regarding AI-enabled systems, as the firm has already implemented a Next-Gen AV. The CSO speaks highly of the ML-enabled EPP system they have implemented, comparing, as an example, its 1.2 million indicator counts per sample to an incumbent’s corresponding system, which would count 200 indicators for the same sample (MC). Considering that one system could receive up to 5 million samples per day, signature-based AV simply cannot keep up (Interviewee 7, 2018). Company C is implementing SIEM, largely because of GDPR. Multi-sourcing is becoming more common, and Company C chose to have the SIEM locally, to be able to plug in services from several providers. They do not run any UBA, although implementing it is on their roadmap; they do, however, run a role-based IAM system. They have a sophisticated DLP system built into the firewall system, of which some parts are driven by ML. They still lack a few vital parts of the DLP, which are on their way in once the discussions about which system to choose are finished. GDPR is a major driver for running an advanced DLP system. Company C uses a combination of two ML-driven tools for vulnerability assessment, which present a qualitative priority list of potential vulnerabilities to act on, based on current threats from external centralized sources.

The cases will be analyzed within each context and then analyzed in the entirety of the framework to get insights into possible correlations between factors and context.


5.2.2. Technological Context

Table 5 presents each of the five factors from Rogers’ Diffusion of Innovation framework, which fill the technological context in the TOE framework, together with related quotes from each interviewee.

Table 5: Company Comparison Based on Technological Context

Relative advantage

Company A:
Automation: “The volume is driving the need for automation…” Costs: “Security is about finding balance between risk, benefits, and costs and we are talking about total costs…” Detection: “since we changed SIEM the detective ability has improved...”

Company B:
Automation: “We often want a product to minimize some form of manual labor…” “Automation is a driver. Machines seldom make mistakes in the way humans do …” Detection: “We will increase our detective ability...” Ease of Use: “...you should be able to operate a product without being a specialist on it”

Company C:
Automation: “...ability to create an automatic analysis to quickly give a picture of something is something everyone needs today. Automation must happen…” Detection: “SIEM is on its way in to improve our detective ability…” Visibility & Traceability: “...is the alpha and omega of security…”

Compatibility

Company A:
“Security does not control what solutions we have, security should adapt to our solutions. If it isn’t compatible with our solutions then we can just stop what we’re doing”

Company B:
“It is especially important for log management. If you can get logs encrypted, and in a good format then our SIEM can handle it” “Everything should be linked together, but not under one same umbrella… considering that provider might miss something.”

Company C:
“It is a prerequisite. IT-security should not be visible. It should be there to make sure that you can’t do anything wrong… the technique should compensate for the lacking user”

Complexity

Company A:
“Avoid complexity… Try to find simple solutions that are good enough.... It should not be difficult for the end user to do something. It takes time and will in the end create costs for the company”

Company B:
“Complexity is often bad. You want products that do what they are aimed to do” “There is a safety value in keeping things simple and easily manageable”

Company C:
“It can’t be too complex. It should be transparent with sufficient protection… It must be good enough… If we want to protect every vulnerability it will become too costly and too complex.”

Observability

Company A:
“We are looking for solutions that can fulfill a business value… Some innovative solutions are not even considered due to uncertainties”

Company B:
“We observe all incidents, and have daily contact with risk control…” “... they [SOC] have a machine standing with us … they are 24/7, so they can find attempted intrusions at any time.”

Company C:
“...Vendors need to be able to show a snazzy report… It needs to be measurable. If the investments can’t be justified it will soon become an unjustifiable cost”

Trialability

Company A:
“We have a test lab where we try to test as much as possible…”

Company B:
“We examine several alternatives and we always run Proof of Concept …”

Company C:
“We have a security partner that helps us choose the best candidates based on our requirement list. Then we chose the best ones and test them”

Relative Advantage

When it comes to relative advantages, there is a consensus that improved detection and automation are two key characteristics that all three case companies are looking for in new technologies, which indicates that both detection and automation have a positive influence on the diffusion and adoption of security innovation (Interviewee 5, 2018; Interviewee 6, 2018; Interviewee 7, 2018). There is an obvious desire to reduce manual work and speed up the processes of scanning data flows and analyzing logs. By implementing sophisticated SIEM and detection systems, statistics can be put together and used for user behavior analysis. Cost is mentioned as an obvious consideration in decision making by all interviewees; as the Company A CISO said, security work is about finding the balance between the value of what you want to protect, the estimated risk, and how many resources can be allocated to protecting it (Interviewee 5, 2018). Another driver is well summarized by Company B: a product needs to be easy to use and should not require expertise in that specific application (Interviewee 6, 2018).

Compatibility

The Company B CISO talked about how everything should be linked together but not under the same umbrella (Interviewee 6, 2018). Turning back to the SIEM again, having one capable of managing logs from any application is highly appreciated. The Company A CISO expressed rather harshly how they might as well just stop doing what they are doing if the security systems are not compatible with their own solutions (Interviewee 5, 2018). The same CISO said that you want to avoid putting all your eggs in the same basket. This is both because of the risk of a single provider being exposed to a vulnerability, leaving no defensive depth with multilayered protection, and because, as Company B said, having everything under one and the same umbrella limits the ability to be flexible on the market (Interviewee 6, 2018). This problem can occur, for instance, when relying too much on one cloud service provider for many system applications.


None of the interviewees said that they have transitioned their systems to cloud-based services on any larger scale, although all three have cloud-based applications to some extent. Cloud services are marketed as, for instance, easing the work with compliance and IT management (Interviewee 6, 2018). The interviewees had a slightly strained relationship to cloud services. All three, however, said that they intend to move more of their operations to the cloud. This generally does not concern the actual security applications, but rather the business operation applications.

Defensive depth will continue to be important. The interviewees from Company B and Company C both acknowledge the technical debt that they are building up by not changing their old infrastructure (Interviewee 6, 2018; Interviewee 7, 2018). The cost of changing systems has been expressed as one major reason why it hasn’t happened yet (Interviewee 7, 2018). However, the interviewee from Company B explained that they would not opt out of a new system just because it wasn’t compatible with the old ones, but the implementation could take some time (Interviewee 6, 2018).

The security, as the Company C CSO stated, “… should not be visible. It should be there to enable you to make mistakes.” (Interviewee 7, 2018), which is a view that all interviewees said they shared. That statement, however, goes somewhat against how they work in some respects, as Company C differs from the other two companies in how much freedom is given to the users. Company A and Company B value usability for the employees in that they intend to allow users as much freedom as possible, restricting as little as possible. Company C, on the other hand, restricts user freedom by denying users by default the ability to install software that is blocked by the antivirus client, and only makes occasional exceptions to accommodate user preferences. Thus, compatibility with the technical aspects seems to be more important than compatibility with organizational values.

Complexity

There was a consensus in the answers regarding how complexity affects the companies’ ability to be innovative. It is mostly bad and unfavorable for system applications to be too complex; keeping things simple and easily manageable provides a safety value (Interviewee 6, 2018). This can be linked to what the interviewee at Company A said about finding a balance between cost, risk, and benefit, and that solutions must be good enough, not best in class in every aspect of security (Interviewee 5, 2018). It must be good enough, and should not be more than good enough. If it is too complex, as in too extensive, it will become too expensive (Interviewee 7, 2018). All three interviewees share the idea that cost needs to be weighed against the estimated threat level and the value of what is being protected.

Observability

Observability will become even more important as the market is characterized by smaller niche vendors that make big claims about their respective products. It is essential for vendors to gain traction by showing in a compelling way how their products are the best, which will also help security departments justify their costs to the executive management (Interviewee 7, 2018). The case companies have different capabilities when it comes to observing and testing new potential security innovations. Company A and Company B choose to keep control over analyzing the market and looking for new solutions, while Company C has opted to outsource that service to its security partner, which acts as an advisor.

Trialability

All three companies test the systems before they make their decisions. Company A has a test lab where the security department can order test runs of different applications. Company B selects a few options and does a proof of concept run on the most likely option. If the test run shows satisfying results, they usually choose that first one. Company C has close relations to a security partner at a provider company. The security partner helps with filtering the market and picking out the best candidates; then they test a few of them to pick out the best one. This underlines the importance of vendors offering an option to test new security products.

5.2.3. Organizational Context

In Table 6, the factors representing the organizational context from the TOE framework are presented together with quotes from each case interview regarding the perception of the factors in their organization.

Table 6: Company Comparison Based on Organizational Context

Top Management Support

Company A:
“I’m under the CIO but have a fairly independent role. If we want to implement something and believe that it is important then there are no issues for us to do it.”

Company B:
“I have great freedom and trust from the CEO (also the owner) and there is a big emphasis on security. I can push through a lot. The management has been highly engaged in increasing the level of security and minimizing the operational risks within IT and information security.”

Company C:
“Together with the previous CISO we’ve managed to push through a lot… Without management you won’t get anywhere...Otherwise it will be impossible with the budget as security takes time from the main business initiatives.”

Security Readiness

Company A:
“...Today, security is on a board level. It is one of the more important issues that the management has to handle.” “We have a Nano-learning tool on a weekly basis which is mandatory.” “There is a test lab where we try to test as much as possible.” “We have a platform decision group that has the responsibility to keep operations secure.” “We are 4 people in my team with background in software development. It makes it easier for us to speak to our developers about security because we speak the same language.”

Company B:
“...The management has been highly engaged in increasing the level of security and minimizing the operational risks within IT and information security” “We have an interactive education which we update continuously and it is mandatory for all employees to take it yearly. My security team are part of all team meetings where we get 15 minutes to talk about security and especially about awareness.” “We are part of the quality risk and analysis group where all larger initiatives are discussed and examined based on security.”

Company C:
“We have a management that is well in tune so IT-security is high up on the agenda at every meeting and a lot has happened. It is high up on the agenda and we are very clear about transparency.” “We have a Nano-learning tool that is on a weekly basis… We are talking much more about security today between employees which has made the security culture much stronger…” “I’m aiming to buy everything as a service”

All three interviewees said that they have a very good relationship with the executive management, have been given a high level of trust, and can manage their security work independently (Interviewee 5, 2018; Interviewee 6, 2018; Interviewee 7, 2018). When asked how the level of trust in cybersecurity departments has changed in the industry over the years, and what could have been the greatest drivers of that change, they all agreed that security in general has become more important and more integrated in organizational strategies than before. They believe that major incidents have an impact on the industry and that executive management’s attention to security increases as a result. One interviewee mentioned a previous internal incident, which was said to have been handled very well by the CISO; hence, confidence in the security department increased.

All three companies work actively to educate their coworkers to increase security awareness, although with slightly varying approaches. All three companies use interactive learning tools of various formats. Two of the interviewees called them Nano-learning and said they put much focus on these tools, in which all employees are required to participate regularly, believing this to be one of the most effective ways to keep people up to date (Interviewee 5, 2018; Interviewee 7, 2018). Another said they do have interactive learning tools but is not very optimistic about them, as people can just click their way past the questions without really acknowledging the depth of the subject. Instead, they prefer to put their efforts into visiting all the teams regularly, speaking about different threats in person, to keep the staff updated and to get the dialogue about security going (Interviewee 6, 2018).

Both Company A and Company B have an internal decision group that discusses how to keep their operations secure. It is also evident that, due to its size, Company A has the resources to build up a test lab where new innovations and solutions can be tested frequently. Company A and Company B both seem to work towards a development process in which security is an integral part. Another difference is the number of people who work in the security team. Company A has 6, Company B has 2, and there is only one person at Company C, the CSO, who works with the operational part of security. The latter expressed that there is no need for more people because of the small size of the company, and that is why they are aiming to buy everything as a service (Interviewee 7, 2018). All companies have an outsourcing strategy and buy many of the functions as a service to be nimble and responsive to the security market’s technological transformation.

5.2.4. Environmental Context

For the factors within the environmental context, quotes from the case interviews relating to each factor can be seen in Table 7.

Table 7: Company Comparison Based on Environmental Context

Perceived Threat

Company A: “The drivers for change for the company has been the incidents that have happened, not least in the world…”

Company B: “We faced a larger incident which I handled which gave the CEO and owner confidence in my work.” “We had a ransomware that infected one device but got stopped before it could spread.”

Company C: “Transport agency’s incident was a great thing. It made the management realize that we didn’t want to be like them...” “Often there need to be an internal or external incident to get things going. We had an insider incident that made us buy a firewall solution from Palo Alto.”

Government Policies

Company A: “Compliance is a big driver as well. If you look at GDPR, the management doesn’t want to have any penalty fees… It is completely unacceptable…”

Company B: “We are heavily controlled regarding how user accounts and rights are assigned and I could therefore have negative impact on our quickness in adopting the latest innovations.”

Company C: “SIEM is on its way in due to its detective abilities. It will be implemented especially because of GDPR.”

Social Networks

Company A: “In our business association we share information about threats and threats scenarios but we do not exchange anything about our experience of security solutions because insurance companies also sell cyber insurances…”

Company B: “We are a part of an industry network where all the CISOs meet each quarter to discuss threats and share experiences of security tools and solutions that have been used. We are not competing here…”

Company C: “We are a part of an industry wide association where we meet 4 times per year to discuss the current landscape of cybersecurity, the threats, but also about how we protect ourselves. We are not competing in this domain…”

Other

Company C (Partner advisory): “We have chosen to have an external security partner that helps us filter the market… They recommend the best fits based on our size, budget and requirements. It is too difficult for us to keep us à jour with everything.”

The three case representatives agree that the increased threat levels and the potential severity of breaches influence executive management to gain respect for the cybersecurity departments and to allocate more resources to assist their work. Major publicly noticed incidents can also change the perceived importance of the security work, as one company used the Swedish Transport Agency’s incident as a bad example (Interviewee 7, 2018): a company does not want to end up in that kind of situation. The security departments are working much closer with the rest of the business and have gained more trust to pursue their vision regarding security.

All three companies are members of their corresponding associations. The interviewees said that these social networks are great for sharing information regarding both current threats and the future landscape of cybersecurity. They also share experiences of security solutions, with one exception. The interviewee at Company A said that in their network they don’t share experiences of solutions because the insurance companies are competing in cyber insurance offerings and it could be disadvantageous to be too open about it (Interviewee 5, 2018). However, the interviewee also said that they are part of a collegium, which would be a more casual setting than the larger association, so information can be shared more openly there, including more personal experiences.

One of the strongest drivers of security work for companies within the financial sector is governmental regulation and compliance. Due to GDPR, for instance, all three companies have put much focus on finding the necessary means to be compliant and to avoid the risk of having to pay very high fines or losing valuable reputation in the market.

The relationship that the companies have with their service providers can also influence which innovations they will adopt. Company C has a close relationship with its security partner and has trusted it with finding the best solutions based on its needs, whereas both Company A and Company B look for solutions themselves.


5.2.5. Usage and Perception of Artificial Intelligence

The interviewees were asked about their stance on the Next-Gen security applications, which usually come from smaller startups with new, revolutionizing or in some way disruptive technology. For this question, the Next-Gen applications referred mainly to AI enabled antivirus software. One of the interviewees had a strong belief in the new technology and had it implemented in the organization as soon as it was possible. Worth noting here is that this person had worked with the same specific software previously at another job and already had great experience with it, which is why it perhaps should not be regarded as a radical experiment for the specific company. The other two were more reserved about implementing this kind of software; they would not consider the AI systems found today mature enough to be fully trusted. They also believe that AI systems are vulnerable in that they can potentially be deceived into believing that an attack is part of normal behavior, and that gaining control of the AI for an attack can cause massive amounts of harm. Nevertheless, they expressed the need for AI technologies to handle the sheer volume of data created today.

The CISO at Company A does not believe that cybersecurity will transition to being fully operated by AI. An AI can help by analyzing and presenting what it thinks should be reviewed, but a human will need to evaluate and decide what it is. Coping with the constantly increasing volumes of data flow will require machine learning (ML), as a computer can be taught to handle repetitive tasks and to recognize patterns. AI will additionally be used to create code and build applications (Interviewee 5, 2018). Expertise in AI will be provided by external sources, as most companies will not have the capability and resources to develop AI by themselves. Speeding up processes will be one of the most useful functions of AI according to the Company A CISO.

The Company B CISO agrees with the Company A CISO regarding how AI and ML are presented in the media, in that many people talk about ML while they just mean statistics databases and writing rules for how to interpret the data. Company B believes that AI will initially bring bugs and various problems, such as tricking the AI. They still predict, however, that the application of AI and ML for cybersecurity should go seamlessly. Just like Company A, Company B expects that AI applications will emerge initially for pattern recognition, preventive and detective controls, and automation of analytic tasks. The Company B CISO believes that ML will be necessary for analyzing data flows, to learn patterns and to find abnormalities (Interviewee 6, 2018). This goes hand in hand with what was said when interviewing both Company A and Company C.

The CSO of Company C sees AI and ML as buzzwords everyone is pursuing. There are a great number of incidents happening all the time, and with the constantly expanding market, questions regarding cybersecurity are always on the agenda. The large data volumes are where ML becomes a vital tool, to automate analytics and to identify patterns. A strength of AI systems is that they take care of themselves to a large extent, rendering an extremely maintenance-free environment (Interviewee 7, 2018).


5.2.6. Correlations Between Contexts

There are some interesting interrelationships between the different contexts in light of the previous findings, see Figure 4. The environmental context affects how organizations form and shape their structure and strategy surrounding cybersecurity, and how they perceive which technological characteristics are advantageous.

Figure 4: Chain of influence

GDPR is a major driver for improved security as there now are concrete monetary consequences to security breaches. It is forcing companies to take responsibility for their security around personal data, or the lack thereof. It has been necessary due to digitalization and the increasing threat landscape that has come with it.

The case companies are now taking imperative actions to stay compliant by increasing user awareness through continuous training and by improving the ability to detect and respond to incidents much faster than before. Internal incidents have also been major drivers for the companies to take action and become more receptive to security innovations, as can be seen in the case of Company C, where the management decided to purchase one of the better firewall solutions out there after an insider incident (Interviewee 7, 2018). External incidents, such as the big incident at Transportstyrelsen, the Swedish transport agency, also influence the companies to take suitable measures.

It should be clarified that both Company A and Company B have linked security closely to the business for some time but there is a clear shift in the urgency now with GDPR coming into force.


In addition, AI technologies are coming strong within the security market and seem to gain traction due to GDPR and the threat landscape.

5.3. Additional Findings from Experts

In this part, the empirical material from industry professionals and security experts with insights in the security industry is presented. The focus is on drivers for change as presented in the framework and AI in security technologies.

5.3.1. Technological Context

Regarding factors that influence diffusion of security innovations, there is a consensus among all experts interviewed that organizations are looking to improve their abilities to detect security threats through increased visibility and responsiveness. In today’s fast moving digital world, organizations try to focus more on proactive security measures. Organizations must understand their network and system infrastructure better if they want to stay ahead of the hackers. Several of the interviewees believe that building an ecosystem consisting of different security technologies from different vendors will achieve the visibility and detective ability necessary to enable a proactive security strategy (Interviewee 3, 2018) (Interviewee 4, 2018). It entails a future where different controls will work together to provide security operations with better insights and information to base decisions on. Furthermore, they see availability and accessibility of critical business functions as key drivers in the future. All organizations, especially those with a social responsibility, such as the financial industry, which controls the flow of capital, will require 100% availability, or no down time of their applications (Interviewee 8, 2018) (Interviewee 1, 2018). Making this possible not only requires certain technological capabilities from security products; in a world where much of the infrastructure is still based on old technologies, compatibility will also be important (Interviewee 11, 2018). Innovations must also be compatible with regulations, in other words compliant, but must also be up to date and compatible with the latest technologies that they aim to protect (Interviewee 11, 2018).

Complexity only has a negative effect on security innovations because it can create new vulnerabilities (Interviewee 4, 2018). It increases the implementation time, which in turn prolongs the time for vendors to achieve the right solution for their customers (Interviewee 11, 2018). Moreover, the high market competition and market segmentation are causing confusion and unnecessary complexity because vendors within each niche of the market work independently toward the same enterprise customers (Interviewee 3, 2018). Nevertheless, it will be important to find a balance in an organization’s security strategy (Interviewee 10, 2018). By focusing only on endpoint security, vulnerabilities might appear in other parts of the technical infrastructure. An evenly distributed security strategy to protect the systems or applications with highest priority, combined with risk management, cost and compliance, will be crucial to build a successful security strategy (Interviewee 10, 2018).

One of the challenges in the near future is for organizations to be responsive to alarms. Multi sourcing will create inertia in the responsiveness of the reactive abilities (Interviewee 11, 2018). The analytical tools and security operations centers can only alarm organizations about breaches; if they are third-party sources, they won’t be able to act on the alarms because governance policies do not give them the authority, as it would present a security risk given that the server environments can be quite complex (Interviewee 9, 2018).

5.3.2. Organizational Context

Security will only increase in importance, and organizations will start to build their security strategies based on the specific company’s risks and threats as well as compliance. It is going through a development similar to the one IT went through 10-15 years ago, when management was skeptical of every IT initiative and of the potential of IT (Interviewee 1, 2018) (Interviewee 3, 2018). Security personnel will have to work closer with the rest of the organization to gain insights which will help them to better implement solutions and measures that satisfy all parts of the organization, which will increase their innovativeness (Interviewee 2, 2018). It is also believed that the widely accepted software practice of DevOps will incorporate security more in the future and that DevSecOps will become commonplace (Interviewee 1, 2018) (Interviewee 10, 2018). It could drastically change the future of the security industry, which has traditionally focused on patching up “flawed” technologies in terms of security instead of ensuring products are based on high-quality code.

Multi sourcing, while being a common strategy among the case companies, seemed to generate quite a mixed response from the respondents. One interviewee believes that it is healthy for market competition and innovativeness and that it is good from a security viewpoint to mitigate the risks by diversifying the cluster of systems (Interviewee 9, 2018). However, most of the interviewees believe that multi sourcing will soon revert to single sourcing because organizations won’t be able to handle everything themselves (Interviewee 4, 2018) (Interviewee 9, 2018) (Interviewee 11, 2018). Another take on it is that the providers of cloud servers like Google, Amazon and Microsoft are consolidating security technologies into the base platform, which could potentially eliminate the need for organizations to look for other vendors (Interviewee 10, 2018). Nevertheless, outsourcing will continue to be an important strategy moving forward to acquire the expertise that organizations want (Interviewee 2, 2018).

5.3.3. Environmental Context

The constant flood of security breaches combined with regulatory controls such as GDPR will continue to drive the security landscape forward. It will be a constant cat and mouse game between firms and hackers (Interviewee 4, 2018). According to one of the interviewees, an organization’s business will be at the top of the hierarchy, and the surrounding world wants to control that by introducing regulations and policies (Interviewee 10, 2018). Organizations must be compliant, which will affect the choice of security measures and the overall security strategy. He believes that security measures will increase initially but that, as the quality of products and services increases, the need for security will slowly decrease.

The security industry is experiencing a shortage of competence and is characterized by a high degree of acquisitions (Interviewee 10, 2018). There is an underlying trend of consolidation where the big actors within security are acquiring niche players. It was stated that Symantec, one of the largest security vendors, has around 300 security products today (Interviewee 11, 2018). The big cloud service providers are also taking large strides toward security and are including more of it in their services. As mentioned, this could potentially be the disrupting factor soon and could change the dynamics of the security industry as organizations are moving more of their systems and infrastructures to the cloud (Interviewee 10, 2018).

5.3.4. Artificial Intelligence

There was a consensus that AI technology will come. Not implementing it is not even a consideration; it will happen and it needs to happen if organizations want to keep up with the digital transformation (Interviewee 9, 2018). The interviewees expressed the importance of automation, and that it is not only about automating operative processes but also about responding to compliance. AI augmentation will be an important aspect to speed up the processes of handling risk and compliance issues (Interviewee 9, 2018). Due to GDPR, the Swedish Data Protection Authority will require incidents and breaches to be reported as soon as they are discovered, which leaves little time for organizations to do a forensic analysis and to see if any laws were broken. AI will be able to generate data-metrics and risk indicators lightning fast, and organizations can get security reports on an hourly basis (Interviewee 9, 2018). Forensic analytics, which is a manual process today, will be based on AI. It will be able to make decisions based on the data and improve itself over time, but there will always be a human there to surveil it (Interviewee 11, 2018). Vulnerability scans based on AI will be applied to software development, which will increase the quality control and could make the software impenetrable in the long run (Interviewee 10, 2018).

The organizations that have the largest data flows will also have an undeniable leverage when it comes to developing AI with high precision. Google, Amazon, and Microsoft will have an advantage that will be difficult for smaller players to compete with (Interviewee 9, 2018; Interviewee 10, 2018).

Perhaps the biggest drawback of AI technology is the high false positive rate, which can only be remediated through large volumes of correct data; in their position, Google, Amazon and Microsoft will inevitably have better capabilities to solve those issues. According to an interviewee, regulations must come that democratize access to data to counteract Google’s, Amazon’s and Microsoft’s sole right to the data (Interviewee 9, 2018).

It is also believed that AI will in the long run take over support functions from humans and that security operations centers could be fully automated (Interviewee 10, 2018). However, one of the interviewees believes that there will initially be an increase in SOCs because more organizations, especially smaller ones, will require them, and through AI there could be cheaper alternatives (Interviewee 2, 2018).

Even though there was a consensus among the experts regarding AI being the future of security, some were still hesitant and cautious, especially about the Next-Gen of antivirus solutions. There was no disagreement about the improvements Next-Gen AV brings to the table, but the big concern was about the efficacy. False positives were a major concern: they could lead to more work rather than less, with organizations having to manually whitelist all programs and applications that could possibly be detected and prevented from executing due to false positives (Interviewee 4, 2018) (Interviewee 11, 2018).

5.4. Bridging the Theoretical Framework with Artificial Intelligence

In this part, the findings from the case studies will be enhanced or discussed regarding the additional findings on AI within cybersecurity, to come closer to answering the main research question about what influences the diffusion of AI enabled security innovations.

5.4.1. Perspective on AI Enabled Security Innovation

All case companies have stated that they want to increase detection abilities as well as automation. Given what AI can do, it is evident that it has a relative advantage regarding those two attributes and, as such, will be able to fulfill the companies’ needs. The companies have already started to implement AI enabled security technologies like Next-Gen AV, SIEM and AI solutions for improved threat intelligence.

All the companies also demand centralization of data, meaning that they want all data logs and other event data from their service provider to go through them. This puts them in a prime position to mandate what data should flow and where. DLP and IAM will become even more significant due to regulations, and if these controls can be connected to one central function, such as a SIEM powered by AI, new opportunities will present themselves. The difficulty is to do it in a way that is simple for the adopters to comprehend and use. AI solutions must also be able to show their effectiveness visually and must offer the possibility to test them as well. However, some types of solutions, such as IAM, might be difficult to test, as it can be difficult to do tests on a smaller scale (Interviewee 11, 2018). Further, the case study revealed that all case companies have a multi-sourcing strategy to be responsive to market changes as well as to stay in control. Compatibility between solutions and systems will also be critical for AI technologies, and there will be a need for platforms that can provide easy connection and implementation of different solutions, especially as the companies are moving more of their operations to the cloud. Compatibility can, however, present a possible issue regarding complexity of analysis. If organizations are required to spend time on configuring and setting up new solutions to work and interact properly with each other, the implementation process might have a negative effect on the adoption of AI technologies.


The interviewee at Company B has expressed that they might want to develop AI in-house to customize the learning based on their specific needs, which means that the right competences will be required to make it possible.

5.4.2. Non-technical Influences on Adoption of AI Security

In the case studies, it was revealed just how important top management support is to an organization’s innovativeness. As all interviewees at the case companies expressed their interest in AI and have already implemented AI solutions, there will be a positive effect on the diffusion and adoption of such security innovations. Further, it was found that the previous experiences and biases of those in charge can have an impact on the willingness to adopt AI security innovations (Interviewee 7, 2018).

Organizational size did not seem to have any larger effect on the innovativeness of a company, but there are differences in how innovativeness is managed. Due to its size, Company A has the resources to run a test lab, but there are more people involved in making decisions. Company B and Company C, while smaller in size, are more flexible, resulting in them being more receptive towards new solutions, especially due to servitization, or pay-per-use, as a common business model. In addition, organizational readiness regarding security does have a positive effect on innovativeness, as increased awareness has been shown to have a positive effect on the willingness of executive management to focus more on security. It will also be important for AI solutions to be adaptable to the organizational cultures and policies and not inhibit user-friendliness, as the companies are moving towards “bring your own device” and “work from anywhere” policies.

Government regulations such as GDPR have had a tremendous impact on security. They are forcing organizations to have security as a key aspect of the overall business. In the studies, it was clear that because of GDPR there is a bigger focus on detection and automation, which favors AI solutions. However, if these solutions start to use sensitive information such as individual user behaviors, a conflict might arise between GDPR and AI.

The threat landscape has also been shown to have a positive effect on organizations’ willingness to adopt new innovations. Combined with the increase in data volume, organizations have realized that AI must be part of future solutions to manage the changes.


6. Discussion

In this chapter the outcome from the previous chapter will be compared to previous studies linked to theoretical concepts as well as other studies and industry reports about diffusion of innovation and artificial intelligence. The aim is to generalize the results and analysis of this paper beyond the realm of the financial industry.

6.1. General Discussion

What runs as a thread through this whole investigation is that data volumes will increase significantly in the near future. All interviewees, both within the case study and among the various experts, expressed that they believe the data flow will increase and that AI will be a necessary tool to manage it, as human capability will simply not be enough to analyze it. Hand in hand with the data collection, the importance of keeping the data safe increases, which is why the security departments are likely to get more resources to reach their goals. Over the last decades, questions about security have gone from being something the cat dragged in to being of the highest importance and part of almost every development discussion agenda.

In addition to keeping the data safe from malicious attacks, it is in many ways crucial to keep the data safe from honest mistakes made by employees. GDPR, for instance, requires companies to keep personal information about their customers safe, which puts pressure on both company policy and expertise, and on having effective DLP and IAM systems implemented to prevent accidental data leakages. It implies that the identified environmental factors, threat landscape and regulation, are cues-to-action for the companies.

There is a widespread trend for organizations to digitalize their businesses and transition their applications to the cloud. This simplifies things in the sense that if you invest in a cloud provider, much of compliance will be taken care of. However, it complicates things by sometimes reducing observability for the security department, because the data flow is not concentrated through a server, and compatibility with other applications could be problematic. To remain in control over logging, analytics, and specific parts of the security, the interviewees prefer putting only some parts in the cloud. Multi sourcing is additionally the go-to sourcing strategy, giving the companies the ability to mitigate risk by diversifying the pool of vendors and systems in use. It also enables them to be flexible and responsive to new innovations. This does not go very well hand in hand with transitioning into the cloud, since it would require a lot more from the developers to fit the APIs of all the unique applications to the cloud services. There is, however, a consolidation happening right now amongst the largest cloud service providers, where they are integrating more security and compliance into the base platform, which could possibly disrupt the current market dynamics, leaving space only for the niche security players with unique solutions. The interviewees were also positive about the potential convenience of such measures, which implies that they might change their multi-sourcing strategy if a provider can present a compelling enough service.


6.2. Comparison – Results, Literature, Industrial Reports

This part will discuss how the results and analysis of this report compare to consultancy reports and industry reports regarding the future of security as well as the diffusion of artificial intelligence.

6.2.1. Diffusion of AI Security Innovation

There are some industry research leaders like Gartner, Forrester, and ESG that have published multiple articles including comparative tests on different security technologies to identify market leaders as well as forecasts on the future of security. However, none was found to use diffusion of innovation theories on security technologies.

There is a report by ESG that explores the future of cybersecurity by looking at security with a wider lens, where organizations from multiple industries were surveyed. The study looked at how organizations are working with security today and what they wanted to see in the future. Moreover, the report studied if security will need to work in a more web based manner such as an ecosystem where different controls are interacting with each other to maximize the capabilities of an organization’s cybersecurity. The findings revealed that the cybersecurity operations and analytics are getting more difficult due to the evolving threat landscape, the lack of skills and an abundance of tools. Organizations are consolidating their security operation to make use of the data growth which can enrich and contextualize their security analysis and improve the overall security intelligence. Automation of operations is a high priority and ML is gaining interest. (Otlsik & Poller, 2017)

6.2.2. Contributions to Theory

Multiple studies have been made on the diffusion of IT innovations, both on an organizational perspective as well as individual perspective. However, when it comes to security there has been lack of studies based on TOE-framework and DOI theory on an organizational level. There is research on risk and compliance which are two closely related topics to organizational security overall. While cybersecurity is a subgroup of IT there are still some unique aspects that have been revealed in the light of this report. The research reveals that TOE-framework together with DOI theory works well to study diffusion of security innovations on an organizational level. Moreover, by perceiving security as preventive in nature the study also fills a gap in research by revealing that companies require cue-to-action like threat landscape, and regulation to adopt such innovations which differs from how previous studies have approached it.

Further, regarding AI there is still a lack of research in general and the only study that was found using DOI theory came from a consultancy report from McKinsey which took a more general approach to the topic of AI (Bughin, et al., 2017). With this study, valuable insights have been obtained through the multiple case study regarding the diffusion of security innovations and by combining it with the potential of AI in some of the more common technologies found within cybersecurity a contribution has been made in the intersection between the fields of cybersecurity and AI as well as enriching the already well-established theories within the fields of technology adoption and diffusion of innovation.

6.3. A Perspective on Sustainability

In this part there will be a general discussion about the possible implications that the future of security will have on sustainability. The discussion will be about security and AI in general and how it might impact the three pillars of sustainability as presented by the Brundtland Commission (1987): Environmental, Social, and Economic sustainability.

Economic Sustainability

The emerging threat of cyber-attacks has steadily pushed the security market forward. While there is an abundance of solutions today, organizations are starting to take cybersecurity seriously which will help the economic growth of the security market. Simultaneously, through the introduction of AI technology in cybersecurity, organizations will be able to automate processes which in turn will increase the efficacy which would translate to economic benefits. Also, through consolidation of data along with security technologies the organizations will become better at protecting themselves from costly incidents and breaches.

Some potentially disrupting forces could change the security industry completely. First, tech giants, such as Google, Amazon, and Microsoft, are starting to fortify their services by consolidating a lot of the traditional security technologies into their offerings, which could displace many of the current companies that are providing the same kind of technologies, thus only niche players will have the ability to thrive. Second, AI requires massive amounts of training data which will be exclusive for a few players such as Google, Amazon and Microsoft which would skew the market and only benefit the largest players.

Social Sustainability

The introduction of AI enabled security will empower the employees by giving them leeway in making mistakes. As the dimensions of analysis increase, there is however a risk that every aspect of user behavior will be monitored, putting employees' integrity at risk. In China there are already use cases with AI in surveillance cameras that can identify people and give them fines for misbehavior such as jaywalking. GDPR will to some extent protect people on an individual level, but with AI technology evolving much faster than lawmakers are, there will inevitably be new ways to get around GDPR. Society will need to stand up and solidify norms that will enforce the integrity of everyone.

There have been multiple sources that believe that AI will initially lead to more jobs. It is inevitable that when AI technologies reach a certain level of quality and consistency, more routine based jobs will disappear. So is the case of SOC in security and in the long run it might very well be subjected to the same fate as blue-collar jobs. Another aspect is that when repetitious jobs fade away and become replaced by AI, someone needs to develop the AI systems, hence resources need to be reallocated to other positions which require a higher skill level, both inside and outside of the company in question.

Environmental Sustainability

Cybersecurity as well as IT in general requires massive amounts of resources to be able to function. The data growth combined with cloudification will prompt for even more data halls to be built around the world. This could have a negative impact on the environment by changing it permanently. Moreover, data centers require massive amounts of energy to power the IT infrastructure and there must always be a supply of energy as there might be critical functions that are not allowed to have any down time. It is suggested that over the next two decades, 50% of all electricity in the US will go to powering internet related functions (Whitehead, et al., 2014). Furthermore, it is estimated that the data center sector accounts for 1.4% of the global CO2 emission and it is the fastest growing carbon footprint within the ICT sector (Bertoldi, et al., 2017). There is a large demand for data storage and it will only grow with cloudification and AI becoming more common. This means that firms who use such services as well as produce the services must take this into consideration and take responsibility for such actions that could potentially harm the environment.

There is also the risk of manipulating AI along with the usage of AI for hackers as well. AI security to critical infrastructure related to finance or energy might be subjected to attacks and in the future, there might be the risk of hackers gaining access to power plants, or ATMs and disrupting the environment as well as the society. It enforces the fact that cybersecurity will be critical to sustain the functionality and security of critical infrastructures.

7. Conclusion

This chapter aims to answer the research questions one by one, followed by a discussion about to what extent the purpose of the investigation has been fulfilled, and lastly, recommendations for further studies based on what was found in this investigation.

The security industry is evolving as more organizations are digitalizing their businesses and realizing the value of protecting and securing their digital assets. The threat landscape is also evolving, making cyberspace much more insecure than ever before. Regulations put pressure on organizations to incorporate security in a more central role of the business. AI is coming in strong into cybersecurity and has a strong use case for improving the overall efficacy of operations.

This study aimed to explore the factors and drivers that influence the diffusion and adoption of AI enabled security innovations through the TOE-framework. Three companies within the financial industry were investigated to gain insights into the wants and needs that they have regarding new security innovations as well as thoughts regarding AI technologies.

7.1. Answering the Research Questions

The two research sub questions, followed by the main question will hereby be answered and motivated.

Sub Question 1: What security strategies and technologies are implemented by organizations within the financial industry?

As part of this study, it was identified and investigated how the case companies within the financial industry work with security, and what strategies and technologies were commonly deployed. Defensive depth is a key concept that all company representatives expressed as a leading strategy to protect against cyber threats. Putting all eggs in one basket can jeopardize organizations in the case of a serious vulnerability being exposed in the system being used. Building protective layers on different levels of the infrastructure will minimize the risk of major breaches. The employees are the first line of defense, as well as the weakest link in the security chain, which has prompted all three case companies to focus on organization security policies and security trainings to increase the awareness, adding a layer of protection to their defensive depth.

Another key strategy shared among the case companies was multi-sourcing. The companies can mitigate some of the risks of a major breach by diversifying the pool of systems and software. It adds an insurance to potential incidents which would be contained to one system compared to an IT environment based on one provider’s infrastructure where every part is connected. Combined with servitization as a common business model among security vendors, the interviewee at Company B expressed that multi-sourcing allows the company to be flexible and susceptible to changes in the market by being able to switch a solution for a better one if needed. On the other hand, both Company A and Company C expressed that they want to move more to Azure, Microsoft’s cloud service, which would be convenient regarding compatibility of different platforms if they are based on the same system. Cloud service providers, such as Azure, already have multiple security controls integrated which make them a tempting option for CISOs and CSOs.

The companies have deployed a wide range of security technologies to combat the intensifying cyber threats. All three companies have SIEM solutions to analyze and correlate the disparate data. One of the companies has integrated UBA to their SIEM solutions. IAM solutions are also deployed, but one of the companies does not have a dedicated solution for that as they have it partially in their enterprise resource planning system. Company C is the only case where a Next-Gen AV solution has been implemented, however, Company A is looking to explore the solutions as well. Company B has chosen to focus on other layers that can provide the same kind of capabilities. Company B is also the only company that has implemented DLP solutions extensively, but both Company A and C have stated that it is highly prioritized due to GDPR.

The investigation has made it clear that cybersecurity has, over the last decades, gained attention at all levels of the organizational hierarchy. Security questions are being brought up to board level at the companies and are included in business strategies. The departments working with information security have gotten more resources and more freedom.

Sub Question 2: How can artificial intelligence technology be used to improve cybersecurity?

There are multiple aspects of cybersecurity that can be improved depending on the solution and its purpose. Speeding up processes, finding patterns in big data, and reducing manual work seem to be key aspects of AI potential. As AI technologies can analyze large data volumes and find patterns in a very short amount of time, the study indicates that security systems with analytical functions will benefit most from such technology. AI has created new possibilities for security solutions, such as antivirus, to detect and prevent malicious files based on behavioral analytics instead of signature and rule based methods. Analytical systems, such as SIEM, are becoming more proactive through improved threat intelligence and efficacy of analysis and correlation of data. AI technologies also enable consolidation of analytical tools. Other solutions, such as UBA and DLP, can additionally be integrated into the core functions given the processing power of AI.

AI technologies will likely be able to empower people working with security to help them make better decisions. AI augmentation will happen both regarding prioritization of threats and vulnerabilities to act on, and in managing risk and compliance. In the future there is additionally the possibility of using AI as quality control for software development which could potentially improve new software to the extent that preventive security measures won’t be needed anymore.

Main Research Question: What are the most important factors for influencing the diffusion of artificial intelligence enabled cybersecurity technologies?

The paper argues that environmental factors, such as regulations and cyber threats, have the biggest impact on the diffusion of AI enabled cybersecurity technologies. They influence not only the perception of what technological attributes are advantageous, but also the level of importance that security has for organizations. The case study revealed that both internal and external incidents have influenced organizations in their perception of security and its importance, which has led to increased security focus. Together with GDPR, an urgent pursuit has emerged for companies to adopt innovative security technologies to stay up front with the security work. Security has gotten a more central role in strategic decision making on an executive board level, giving security operatives increased top management support, which in turn has given them greater freedom in doing their job.

Detection and automation are two technological attributes that are highly sought after, indicating a positive effect on the diffusion of AI technologies, given what AI enables. The study also revealed the importance of compatibility, observability, and trialability for new security innovations. Moreover, the studied case companies all have strategies that allow them to be flexible and nimble, and as they are sourcing most of the solutions, the barrier for adopting AI technologies is rather low. Their mindsets regarding AI also indicate that the adoption of such technologies on a wider basis will happen sooner rather than later if service providers and vendors can provide them with the right products that can fulfill their needs.

7.1. Fulfilling the Purpose

The purpose of the investigation was to examine how the new technologies and security innovations diffuse on the market. Considering all research questions were thoroughly answered, with information gathered regarding all aspects of the TOE framework, the purpose has arguably been achieved.

7.2. Limitations and Further Research

This study has several limitations that present opportunities for future research. To gain additional depth to the results relating to the TOE framework, an investigation would require further focusing on the specific areas. The investigation was initially set in action through an idea from someone at Tieto, which is why most of the interviewed experts were from Tieto internally, and could hence be considered biased in some questions. The internal interviews were however supplemented by an interview from a prior level in the supply chain, as well as external experts; two data security professors from KTH. It is possible that different answers would have stood out among the results, had there been more external interviewees. As stated in the methodology chapter, the case study was conducted at three companies, from two different parts of the financial industry; one large and one small insurance company, and one small bank. An additional interview with a large bank would have added a valuable dynamic to the comparison between the companies. Furthermore, the study was limited to the financial industry. Future studies could include other industries to make a comparative study cross-industries, as well as being conducted as a quantitative study. It is also worth noting that the study is limited to looking at pre-adoption and adoption and neglects the implementation, and post-adoption.

The case study for this paper was performed by interviewing one person per company, in each case the person working most hands-on with security on an operative level. Expanding the case study by interviewing people higher in the hierarchy, up to the board and CIO, could have added valuable information about how security questions are being brought up and regarded at the executive management level.

Starting off the project by looking at what scope to construct the investigation around, it quickly became obvious that everything in security management is connected in such a way that it requires a holistic perspective. The results from this paper, used as a pre-study, encourage diving deeper into certain aspects of the TOE framework, or focusing on the innovations within specific technical controls, such as UBA or DLP. From the initial pre-study, it was said that large banks usually run their own SOC, and considering the comprehensive investments that requires, it would be interesting to learn more about how they work and their perspectives on how AI could aid them. Another interesting study would be to focus an investigation on how the organizational contexts of readiness and top management support have changed historically on a business strategic level.

The research did have a customer approach to the diffusion and adoption of security innovations with little exposure towards other parts of the supply chain. Some findings in this study indicated how large corporations such as Microsoft and Google are affecting the market. It could be of interest, both to study how that is changing the dynamics of the security market, for vendors and for service providers, as well as to provide possible strategies on how to adapt and to cope with these changes.

References

Allen, M., 2007. Social Engineering: A Means To Violate A Computer System, SANS Institute.

Anderson, R. et al., 2013. Measuring the Cost of Cybercrime. In: The Economics of Information Security and Privacy. Berlin: Springer-Verlag, pp. 265-300.

Bertoldi, P., Avgerinou, M. & Castellazzi, L., 2017. Trends in data centre energy consumption under the European Code of Conduct for Data Centre Energy Efficiency, Luxembourg: Publications Office of the European Union.

Bradford, M. & Florin, J., 2003. Examining the role of innovation diffusion factors on the implementation success of enterprise resource planning systems. International Journal of Accounting Information Systems, 4(3), pp. 205-225.

Braun, V. & Clarke, V., 2006. Using thematic analysis in psychology. Qualitative Research in Psychology, 3(2), pp. 77-101.

Brundtland, G. H., 1987. Report of the World Commission on Environment and Development: Our Common Future.

Bryman, A., Bell, E., Mills, A. J. & Yue, A. R., 2015. Business Research Methods. s.l.:Oxford University Press.

Bughin, J. et al., 2017. ARTIFICIAL INTELLIGENCE: THE NEXT DIGITAL FRONTIER?, McKinsey & Company.

Böck, B., Klemen, M. D. & Weippl, E. R., 2012. Social Engineering. In: Handbook of Computer Networks, Network Planning, Control, and Management. Hoboken, NJ, USA: John Wiley & Sons, Inc, pp. 384-402.

Campbell, K., Gordon, L. A., Loeb, M. P. & Zhou, L., 2003. The economic cost of publicly announced information security breaches: empirical evidence from the stock market. Journal of Computer Security, Volume 11, pp. 431-448.

Collis, J. & Hussey, R., 2014. Business Research - a practical guide for undergraduate and postgraduate students. London: Palgrave.

Cooper, R. B. & Zmud, R. W., 1990. Information Technology Implementation Research: A Technological Diffusion Approach. Management Science, 36(2), pp. 123-139.

Damanpour, F., 1991. Organizational Innovation: A Meta-analysis of Effects of Determinants and Moderators. Academy of Management Journal, 34(3), p. 555.

Datainspektionen, 2017. Dataskyddsförordningens syfte. [Online] Available at: https://www.datainspektionen.se/dataskyddsreformen/dataskyddsforordningen/introduktion-till-dataskyddsforordningen/dataskyddsforordningens-syfte/

Dinev, T. & Hu, Q., 2005. The Centrality of Awareness in the Formation of User Behavioral Intention Toward Preventive Technologies in the Context of Voluntary Use.

Dodel, M. & Mesch, G., 2017. Cyber-victimization preventive behavior: A health belief model approach. Computers in Human Behavior, Volume 68, pp. 359-367.

Dudovskiy, J., n.d. Ethical Considerations. [Online] Available at: https://research-methodology.net/research-methodology/ethical-considerations/ [Accessed 16 March 2018].

Eisenhardt, K. M., 1989. Building theories from case study research. Academy of Management Review, 14(4), p. 532(19).

EU, 2016. Regulation (EU) 2016/679 of the European Parliament and of the Council, Article 83.

Finansinspektionen, n.d. About FI. [Online] Available at: https://www.fi.se/en/about-fi/ [Accessed 16 March 2018].

Firstbrook, P., Ouellet, E. & McShane, I., 2017. Redefining Endpoint Protection for 2017 and 2018 (ID:G00337106),

Frambach, R. T. & Schillewaert, N., 2002. Organizational innovation adoption: A multi-level framework of determinants and opportunities for future research. Journal of Business Research, Volume 55, pp. 163-176.

Garg, A., Curtis, J. & Halper, H., 2003. Quantifying the financial impact of IT security breaches. Information Management & Computer Security, 11(2), pp. 74-83.

Gartner, 2017. Gartner Says Detection and Response is Top Security Priority for Organizations in 2017. [Online] Available at: https://www.gartner.com/newsroom/id/3638017 [Accessed 13 February 2018].

Gartner, 2018. Gartner Says Worldwide IoT Security Spending Will Reach $1.5 Billion in 2018. [Online] Available at: https://www.gartner.com/newsroom/id/3869181 [Accessed 25 03 2018].

Gemalto, 2017. 2017 The year of Internal Threats and Accidental Data Breaches, s.l.: Gemalto.

Gressin, S., 2017. The Equifax Data Breach: What to Do, s.l.: Federal Trade Commission Consumer Information.

Hameed, M. A. & Arachchilage, N. A. G., 2017. A Conceptual Model for the Organisational Adoption of Information System Security Innovations. Journal of Computer Engineering & Information Technology, 6(2).

Hameed, M. A., Counsell, S. & Swift, S., 2012. A conceptual model for the process of IT innovation adoption in organizations. Journal of Engineering and Technology Management, 29(3), pp. 358-390.

Hancock, B., 2002. Security crisis management - the basics. Computers & Security, 21(5), pp. 397-401.

Hedley, D. & Jacobs, M., 2017. The shape of things to come: the Equifax breach, the GDPR and open-source security. Computer Fraud & Security, 2017(11), pp. 5-7.

Hovav, A. & D'arcy, J., 2004. The Impact of Virus Attack Announcements on the Market Value of Firms. Information Systems Security, 13(3), pp. 32-40.

Hu, Q., Saunders, C. & Gebelt, M., 1997. Research Report: Diffusion of Information Systems Outsourcing: A Reevaluation of Influence Sources. Information Systems Research, 8(3), pp. 288-301.

IBM, 2018. IBM X-Force Threat Intelligence Index 2018, Armonk, NY: IBM Security.

Jones, C. M., McCarthy, R. V., Halawi, L. & Mujtaba, B., 2010. Utilizing the Technology Acceptance Model to Assess the Employee Adoption of Information Systems Security Measures. Issues in Information Systems, XI(1).

Joyce, R., 2016. USENIX Enigma 2016 - NSA TAO Chief on Disrupting Nation State Hackers,

Kannan, K., Rees, J. & Sridhar, S., 2007. Market Reactions to Information Security Breach Announcements: An Empirical Analysis. International Journal of Electronic Commerce, 12(1), pp. 69-91.

Karahanna, E., Straub, D. & Chervany, N., 1999. Information technology adoption across time: A cross-sectional comparison of pre-adoption and post-adoption beliefs. MIS Quarterly, 23(2), pp. 183-213.

Karimi, H., 2018. Demystifying AI in Cybersecurity. [Online] Available at: https://www.securitymagazine.com/articles/88888-demystifying-ai-in-cybersecurity [Accessed 10 May 2018].

Lee, Y. & Kozar, K. A., 2008. An empirical investigation of anti-spyware software adoption: A multitheoretical perspective. Information & Management, 45(2), pp. 109-119.

Liu, Y. et al., 2015. Cloudy with a Chance of Breach: Forecasting Cyber Security Incidents. USENIX Security Symposium, pp. 1009-1024.

McClelland, C., 2017. The Difference Between Artificial Intelligence, Machine Learning, and Deep Learning. [Online] Available at: https://medium.com/iotforall/the-difference-between-artificial-intelligence-machine-learning-and-deep-learning-3aa67bff5991 [Accessed 25 March 2018].

McCrank, J. & Finkle, J., 2018. Equifax breach could be most costly in corporate history. [Online] Available at: https://www.reuters.com/article/us-equifax-cyber/equifax-breach-could-be-most-costly-in-corporate-history-idUSKCN1GE257 [Accessed 25 03 2018].

McGrath, M., 2014. Target Data Breach Spilled Info On As Many As 70 Million Customers. [Online] Available at: https://www.forbes.com/sites/maggiemcgrath/2014/01/10/target-data-breach-spilled-info-on-as-many-as-70-million-customers/#6078b54ae795

Mitnick, K. D. & Simon, W. L., 2002. THE ART OF DECEPTION. New York: Wiley.

Moeller, R., 2010. Chapter 22: Identity and Access Management. In: IT Audit, Control and Security. Hoboken, NJ: John Wiley & Sons, Inc.

Moore, G. C. & Benbasat, I., 1991. Development of an Instrument to Measure the Perceptions of Adopting an Information Technology Innovation. Information Systems Research, 2(3), pp. 192-222.

Morgan, S., 2018. Top 5 cybersecurity facts, figures and statistics for 2018. [Online] Available at: https://www.csoonline.com/article/3153707/security/top-5-cybersecurity-facts-figures-and-statistics.html [Accessed 17 February 2018].

Mustonen-Ollila, E. & Lyytinen, K., 2003. Why organizations adopt information system process innovations: a longitudinal study using Diffusion of Innovation theory. Information Systems Journal, Volume 13, pp. 275-297.

Nelson, R. R. & Winter, S. G., 1982. An Evolutionary Theory of Economic Change.

Ng, B.-Y., Kankanhalli, A. & Xu, Y., 2009. Studying users' computer security behavior: A health belief perspective. Decision Support Systems, Volume 46, pp. 815-825.

Oliveira, T. & Martins, M. F., 2011. Literature Review of Information Technology Adoption Models at Firm Level. Journal of Information Systems Evaluation, 14(1), pp. 110-12.

Otlsik, J. & Poller, J., 2017. Automation and Analytics versus the Chaos of Cybersecurity Operations, ESG.

Overstreet, R. E., Cegielski, C. & Hall, D., 2013. Predictors of the intent to adopt preventive innovations: a meta‐analysis. Journal of Applied Social Psychology, 43(5), pp. 936-946.

Panetta, K., 2017. Gartner Top 10 Strategic Technology Trends for 2018. [Online] Available at: https://www.gartner.com/smarterwithgartner/gartner-top-10-strategic-technology-trends-for-2018/ [Accessed 10 May 2018].

Pan, M. J. & Jang, W. Y., 2008. Determinants of the adoption of enterprise resource planning within the technology-organization-environment framework: Taiwan's communications. Journal of Computer Information Systems, 48(3), pp. 94-102.

Ponemon Institute, 2017. 2017 Cost of Data Breach Study.

Premkumar, G., Ramamurthy, K. & Nilakanta, S., 1994. Implementation of Electronic Data Interchange: An Innovation Diffusion Perspective. Journal of Management Information Systems, 11(2), pp. 157-186.

Reinsel, D., Gantz, J. & Rydning, J., 2017. Data Age 2025: The evolution of Data to Life-Critical [White paper], IDC.

Reuters Staff, 2014. JPMorgan hack exposed data of 83 million, among biggest breaches in history. [Online] Available at: https://www.reuters.com/article/us-jpmorgan-cybersecurity/jpmorgan-hack-exposed-data-of-83-million-among-biggest-breaches-in-history-idUSKCN0HR23T20141003 [Accessed 16 March 2018].

Rogers, E. M., 1983. Diffusion of Innovation. 3rd ed. New York: The Free Press.

Rogers, E. M., 2002. Diffusion of preventive innovations. Addictive Behaviors, Volume 27, pp. 989-993.

Rouse, M., 2009. What is ISO 27001?. [Online] Available at: https://whatis.techtarget.com/definition/ISO-27001

Rouse, M., 2017. user behavior analytics (UBA). [Online] Available at: https://searchsecurity.techtarget.com/definition/user-behavior-analytics-UBA [Accessed 18 05 2018].

Russell, S. & Norvig, P., 2014. Artificial Intelligence: Pearson New International Edition. Essex: Pearson Education Limited.

Russell, S. & Norvig, P., 2014. Introduction. In: Artificial Intelligence A Modern Approach. Essex: Pearson Education Limited, pp. 1-34.

Spafford, E. H., 1990. Computer Viruses--A Form of Artificial Life?. Department of Computer Science Technical Reports. Paper 837.

Swain, B., 2009. What are malware, viruses, Spyware, and cookies, and what differentiates them?. [Online] Available at: https://www.symantec.com/connect/articles/what-are-malware-viruses-spyware-and-cookies-and-what-differentiates-them#comments-begin [Accessed 23 03 2018].

Symantec, 2010. Machine Learning Sets New Standard for Data Loss Prevention: Describe, Fingerprint, Learn.

Tejaswini, H. & Rao, H., 2009. Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, Volume 47, pp. 154-165.

Tetri, P. & Vuorinen, J., 2013. Dissecting social engineering. Behaviour & Information Technology, 32(10), pp. 1014-1023.

Thong, J. Y. L., 1999. An Integrated Model of Information Systems Adoption in Small Businesses. Journal of Management Information Systems, 15(4), pp. 187-214.

Thong, J. Y. L. & Yap, C. S., 1995. CEO characteristics, organizational characteristics and information technology adoption in small businesses. Omega, 23(4), pp. 429-442.

Tornatzky, L. & Fleischer, M., 1990. The Processes of Technological Innovation. Lexington, Massachusetts: Lexington Books.

Tornatzky, L. G. & Klein, K. J., 1982. Innovation characteristics and innovation adoption-implementation: A meta-analysis of findings. IEEE Transactions on Engineering Management, 29(1), pp. 28-45.

van der Meulen, R., 2017. Gartner Says 8.4 Billion Connected "Things" Will Be in Use in 2017, Up 31 Percent From 2016. [Online] Available at: https://www.gartner.com/newsroom/id/3598917 [Accessed 13 02 2018].

Wang, Y.-M., Wang, Y.-S. & Yang, Y.-F., 2010. Understanding the determinants of RFID adoption in the manufacturing industry. Technological Forecasting & Social Change, Volume 77, pp. 803-815.

Whitehead, B., Andrews, D., Shah, A. & Maidment, G., 2014. Assessing the environmental impact of data centres part 1: Background, energy use and metrics. Building and Environment, Volume 82, pp. 151-159.

Workman, M., 2008. Wisecrackers: A Theory-Grounded Investigation of Phishing and Pretext Social Engineering Threats to Information Security. JOURNAL OF THE AMERICAN SOCIETY FOR INFORMATION SCIENCE AND TECHNOLOGY, 59(4), pp. 1-12.

Yin, R. K., 2009. Collecting Case Study Evidence. In: Case Study Research: Design and Methods. 4th ed. s.l.:SAGE Publications, Inc, pp. 99-126.

Yin, R. K., 2009. Designing Case Studies. In: Case Study Research: Design and Methods. 4th ed. s.l.:SAGE Publications, Inc, pp. 25-66.


Appendix A: Interview Questions to Case Companies

1. How will the security industry change?

2. What are the main drivers of the changes?

3. How are you working with security today?

4. What technologies have you implemented?

5. What administrative controls have you implemented?

6. What is your focus area within security?

7. What does the threat landscape look like for you?

8. What are your priorities in terms of what to protect?

9. How do you evaluate threats?

10. What are your needs regarding cybersecurity?

11. What will change for you?

12. What is your view on artificial intelligence within cybersecurity?

13. What are the benefits and risks of such innovations?

14. How can artificial intelligence help you achieve your needs?

15. Do you use any artificial intelligence today?

16. If not, do you have plans to do so?


Appendix B: Interview Questions with Experts

1. Can you describe your industry?

2. What type of products and services does your company offer?

3. What features create value and make your service successful?

4. What demands are you experiencing?

5. Which services do you think have the largest potential to meet the demand?

6. What are the main weaknesses of your value proposition within security?

7. Who are your customers and how are they doing their business?

8. Who is the market leader in your industry?

9. What technologies do they use?

10. What are the main drivers behind the changes within the industry?

11. Has the strategy/business model changed?

12. What defines a market leader in the industry?

13. What are the main challenges your customers have to cope with?

14. What are the challenges your providers have to cope with?

15. What has changed in terms of customer demand or preferences in the last 5-10 years?

16. How will artificial intelligence impact the security industry?

17. Would you like to add something to this discussion?


TRITA ITM-EX 2018:333

www.kth.se