With increased inter-connectivity and the far-reaching implications of cyberattacks, it is important to consider how responsible is the design, use and governance of cybersecurity. In an exploratory study funded by Security Lancaster (Grant: IRL 1042)Professor Niki Panteli in Lancaster University Management School (LUMS), with Dr Boineelo Nthubu (LUMS), and Dr Konstantinos Mersinas (Royal Holloway University of London), sought to understand what is responsible cybersecurity and how can organizations foster it. This exploratory study draws on a series of semi-structured interviews with Cyber leaders (e.g. Chief Information Security Officers and related roles as well as cybersecurity consultants and other professionals across a range of organizations and sectors cyber leaders and other members of the senior management team to explore understandings and attributes of responsible cybersecurity and the role of the organizations in promoting this cybersecurity perspective.

Based on our findings, it is shown that responsible cybersecurity is viewed as a collective commitment where multiple stakeholders act as stewards, not only of their own data but also of their supply chain and the broader well-being and care of individuals and society. The findings highlighted five core layers of responsibility: techno-centric, focusing on technological defences; human-centric, emphasising security solutions designed with users in mind and safeguarding the well-being of security professionals and other organizational members; intra-organizational, stressing the role of team collaboration and leadership buy-in, in promoting a strong security culture; inter-organizational, concerning the security of supply chains and third-party partners; and societal, recognizing the ethical implications of security solutions on a broader societal scale. This multi-layered approach emphasises that cybersecurity is not just a technical problem that should be left in the hands of cybersecurity professionals, but a collaborative effort among diverse stakeholders at different levels. The findings contribute to an onion-shaped framework on responsible cybersecurity which can be used to frame the direction of future research. From an industry and policy-making perspective, the study has identified senior leaders as key vectors in this process, though further research is needed to explain what this entails. Finally, the scope of responsible cybersecurity can provide a lens to consider broader, society-wide cybersecurity behaviour change campaigns by governments, standards organizations, and industry bodies.

The study was published online on February 19, 2025, in Information Systems Frontiers and can be read here: https://rdcu.be/eaz13

Panteli, N., Nthubu, B. R., & Mersinas, K. (2025). Being Responsible in Cybersecurity: A Multi-Layered Perspective. Information Systems Frontiers.

For further information, please contact Niki Panteli: n.panteli1@lancaster.ac.uk