Is cyber-security the new lifeboat? An exploration of the employee’s perspective of cyber-security within the cruise ship industry Victoria Knight, Moufida Sadok University of Portsmouth, Park Building, King Henry | Street, Portsmouth, United Kingdom Abstract After the International Maritime Organisation introduced the Maritime Cyber Risk Management in Safety Management Systems Resolution in 2017, with the compliance date set for January 2021, the Maritime industry has displayed an increased focus on its cyber-security. This quantitative research, supported by the socio-technical perspective, explores the employee perceptions of cyber-security onboard cruise ships. The results show that the cruise industry has made an attempt to increase its cyber-security by introducing a formal policy and training their employees. Employees, as a consequence, perceive cyber-security to be important. However, employee perceptions are not reflective of their behaviours onboard. This is because there are various technical and organizational obstacles to their cyber-security practices which have been overlooked. As a result, the cruise industry could do more to prioritise cyber-security on a day-to-day level in order to make sure that the employee experience is in alignment with cyber-security policies. Keywords 1 Maritime, cruise ship, cyber-security, socio-technical, employee perspective, quantitative. 1. Introduction Under the International Management Code for the Safe Operation of Ships and for Pollution Prevention, the International Maritime Organisation (IMO) adopted the International Safety Management Code (ISM) [1]. This requires all passenger ships to ensure safety at sea, the prevention of human injury and avoidance of damage to the environment [2]. Up until recently, this requirement of safety management focused on the mitigation of physical threats. However, in response to the increasing evidence of cyber-attacks within the maritime industry, the Maritime Cyber Risk Management in Safety Management Systems Resolution [3] applies the requirement of Cyber Risk Management to the ISM. This is supported by the Guidelines on Maritime Cyber Risk Management [4]. The compliance date for this was January 2021 [5]. This research applies the socio-technical perspective to the maritime industry and explores an employee perspective of cyber-security within the cruise ship industry by way of a quantitative survey. A total of 155 participants completed the self-administered questionnaire which was distributed via Facebook ‘Crew Only’ groups and LinkedIn. The participants occupied positions onboard from various cruise companies, in a vast array of job roles and varying levels of authority. 7th International Workshop on Socio-Technical Perspective in IS development (STPIS 2021) 11-12 October 2021, Trento, Italy EMAIL: up603123@myport.ac.uk (A. 1);moufida.sadok@port.ac.uk (A. 2) © 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CEUR Wor Pr ks hop oceedi ngs ht I tp: // ceur - SSN1613- ws .or 0073 g CEUR Workshop Proceedings (CEUR-WS.org) 216 The research shows that the maritime industry could benefit from applying the socio- technical perspective to its cyber-security strategy. Currently, the day-to-day level cyber- security is being ignored by the cruise ship sector. As a result, employees are aware of the threat of a cyber-attack at sea, they perceive cyber-security to be important, they are receiving training and are aware of cyber-security policies. However, there is a disparity between their intentions and their practices which is a result of daily obstacles and challenges preventing them from following cyber-security policies. This paper will be comprised of three parts. The first, will explain the background and situate this research amongst other relevant literature. Next, an overview of the research methodology will be outlined and its limitations presented. Lastly, the paper will discuss the results, offering recommendations and suggestions for future research. 2. Background In 2017, the maritime industry was awakened to the importance of cyber-security when Maersk Shipping Solutions was hit with what the White House said to be, ‘the most destructive and costly cyber-attack in history’ [6]. Since then, the number of cyber-attacks on the maritime industry has risen, exacerbated by the dramatic impact of the COVID-19 outbreak, meaning that the majority of seafarers are working remotely with increased connectivity between devices [7]. Alarmingly, even the International Maritime Organisation (IMO) faced a cyber- attack in October 2020 which disrupted its website and networks [8]. Consequently, such attacks have highlighted the importance of maritime cyber-security and therefore should be highly prioritised [9]. Within the maritime industry, the approach to cyber-security, often focuses on highlighting the various ways that a vessel could be exploited [10] [11] [12], paying frequent attention to the navigational system vulnerabilities due to its reliance on multiple sensory digital technologies to operate [13] [14] [15] [16] [17] [18]. Attention is also often paid to considering the protection of supply chains and ports as a critical infrastructure [19] [20] [21] [22]. However, so far, the cruise ship industry has escaped focus, despite there being evidence of cyber-exploitation within the sector [23]. This needs addressing because any weak link within the maritime industry could be the means for exploitation of critical operations at sea [24]. Therefore it is important that the cruise sector’s cyber-security is efficient for the safety of both its crew and passengers as well as its contribution to the maritime industry in general [24]. Furthermore, despite the IMO guidelines highlighting the importance of the adoption of a holistic approach to cyber-security [4], the maritime industry has relied heavily on a technical approach [13] [14] [15] [16] [17] [18]. Although a technological approach to cyber-security is necessary, overly technocentric approaches do not provide effective protection [25] [26] [27]. This is because, as highlighted by the socio-technical perspective, there are many other factors, aside from the technical which influence the cyber-security of an organisation [25] [28]. Currently, there is extremely limited discussion of cyber-security from humanistic approach. However, the human factor is a vital contribution and is in need of attention [29]. The literature provided from the socio-technical perspective adopts an employee perspective in order to try to understand user behaviour. Oftentimes, users are aware of their 217 role in cyber-security, but their intentions do not match their practices [28]. Therefore, it is important to consider how to maximise the efficacy of training in order to alter their behaviours for the long term. For instance, Bada et al. explains that, ‘people must be able to understand and apply the advice, and secondly, they must be motivated and willing to do so’ [30]. It is therefore vital to explain why cyber-security practices are important in order for them to be adopted [31]. Furthermore, all humans have different processes of understanding information and decision making regarding cyber-security behaviour, therefore training should reflect this and should be uniquely delivered and matched with the learning style of the individual in order to be most effective [32] [33]. Similarly, it is not sufficient to just train employees because workplace cyber-security practices degrade overtime [34].Therefore, it is important that cyber-security awareness is maintained, most effectively through actively involving users with training and awareness as opposed to passive forms of maintenance [35]. Aside from understanding and changing user behaviour, the socio-technical perspective highlights that there are other factors which influence employee’s practices. Oftentimes there are many social and organisational factors acting as an obstacle to employee’s cyber-security which are overlooked. For instance, the needs of the designers, compared to the needs of the users are not in alignment [36]. Similarly, managerial expectations, and organisational policies are frequently out of touch with workplace routines [37]. Employees, as a result, are not able to balance the needs of the organisation with the demands of cyber-security policies, meaning that they do not highly prioritise cyber-security practices or workaround them [37] [38]. By adopting a socio-technical approach, a shift can be made from humans as a problem, to humans as a solution [39]. Therefore, in order to be successful, cyber-security practices must be influenced by the employees who are affected by security controls [37]. It is also important that the organisational culture is in alignment with the cyber-security policies in order to encourage good cyber-security practices. This helps to communicate the importance of cyber-security to employees and promote compliance with cyber-security policies [40]. There is evidence that the maritime industry could greatly improve its cyber-security by considering the socio-technical in its strategy. Interestingly, after the Maersk attack, the U.S. Coast Guard discovered that crew members were aware that computers onboard had been compromised, they avoided using them for personal tasks out of fear of being compromised but disregarded the threat when conducting professional tasks. It was therefore said that “simple cyber hygiene would have prevented this issue… it’s in the day-to-day that these things happen” [41]. This evidence highlights the dangers of relying heavily on a technical approach to cyber-security and ignoring the humanistic elements of cyber-security. Consequently, the maritime industry should adopt a holistic approach to cyber-security, considering people, processes and technology combined [42]. This research therefore seeks to apply the socio-technical perspective to the maritime industry to see if this environment could also gain the benefits of adopting the perspective to its cyber-security strategy. The research assumption is that staff members onboard are conducting common practices which could be putting cruise ships at risk of a cyber-attack. These behaviours are the result of daily challenges which are acting as an obstacle for staff members. This research therefore aims to gain an employee perspective of cyber-security 218 onboard cruise ships and apply the socio-technical perspective in order to understand the reasons behind their behaviour. 3. Methodology Using a quantitative method, this research was conducted via the use of a computerised self-administered questionnaire design [43] which was formed mostly of closed-ended questions [44]. The justification for the appropriateness of this method, is that cyber-security is generally something that not everyone is particularly knowledgeable about. Many people consider it to be an expert subject and are intimidated about discussing the topic. Additionally, given that cruise ship employees come from all over the world and speak many different languages, using qualitative research to explore the perceptions of someone whose first language is not English would potentially discourage participants from taking part. Instead, asking participants to simply select a number as a response, rather than requiring them to attempt to express their answer about an expert subject in their second language, was considered more appropriate. Consequently, in order to gain responses which were useful, a quantitative design was adopted to give structure and support to the participants’ responses. To provide explanation for the selected responses, an interpretivist epistemology [45] was used with inductive reasoning. The questions were answered on a five-point Likert Scale [46] in order to assess the level of agreement with the statement proposed [47] ranging from ‘Strongly agree’ to ‘Strongly disagree’. Open-ended questions, producing qualitative data, were also used in the questionnaire, giving participants the chance to offer a subjective response based on their own experience and support the inductive reasoning. The sample of cruise ship employees was obtained through a nonprobability purposive sampling method [48] obtained through Facebook ‘Crew Only’ groups and LinkedIn. The researcher was already a member of many of these closed groups on Facebook but selected specific groups based on the diversity of the members, ensuring it was comprised of employees in differing job roles and varying cruise ship companies. This enabled a wider exploration of the perceptions and also was an attempt to avoid reputational damage to any one company in particular. Once permission was obtained from the group administrators, the researcher posted a message in the groups, informing members of the research, containing a link to the questionnaire if the participant wanted to participate. Those who were in a job role that had access to an IT system between 2018-2020 were invited to take part. The IMO guidelines were released in 2017, so the time frame selected enabled companies the chance to respond, and ensured that the exploration of the perceptions of employees was from the time which there was cyber-security awareness within the maritime industry. According to the Facebook group descriptions, there was approximately 50,000 group members combined. However, it is difficult to determine how many of these members were actively engaging in the group at the time. It is also important to highlight that these groups are for social purposes and so, many members are no longer employed, nor have been in a long time. As a result, they may not have been working for a cruise company when cyber-security was a priority and therefore not eligible to partake in the research. 219 A total of 155 participants completed the questionnaire. The responses from the closed- ended questions were analysed using descriptive statistics [49]. IBM SPSS software was used to facilitate this to avoid human error. Confidence intervals of the proportion were also calculated using the modified Wald method [50]. 3.1. Limitations The researcher will now briefly outline the limitations of this research so that the results within their given context. Due to the quantitative method adopted and questionnaire design, the exploration of employee perceptions was limited in scope. Therefore inductive reasoning, supported by the answers from the qualitative questions, was used to give further explanation to results. This therefore means that the research is not completely objective and has an element of researcher influence. The questionnaire was also conducted in English by many participants who are not fluent speakers. Given that cyber-security is considered a complex subject, there is a chance that some participant’s comprehension of the questions may have been reduced. Some staff members who were not entirely comfortable with partaking in the research due to it being conducted in English may have even been put off taking part. Embracing the use of the internet to conduct the research was a useful aid during a pandemic. Without such a tool, it would have been extremely challenging to obtain the perceptions of employees who were scattered around the globe. However, not all employees are connected to the internet, nor are necessarily on social media, or a part of Crew Groups on Facebook. Therefore, by embracing this method of sampling, the generalisability of the results to the entire population is reduced. Furthermore, the sample obtained was a size which enabled an exploration to be obtained into the perceptions of employees. However, the results represent a snap-shot of the number of staff members employed in total across the entire industry. The researcher would also like to highlight that the cruise industry has paused its operations for over a year. Therefore this research required employees to recall their experiences. This means that their responses may have been influenced by lack of memory. Furthermore, in the year that has passed, the cruise industry may have taken more steps to improve its cyber- security which has yet to be rolled out to employees. 4. Findings The key findings of the research are: 1. The cruise ship industry is raising cyber-security awareness amongst employees This explains the employee awareness of cyber-security policies, their experience of training onboard and the maintenance of their awareness. 2. Employee cyber-security intentions do not match their behaviour 220 This explains employee perceptions of a cyber-attack/the importance of cyber-security. It then proceeds to discuss employee’s onboard behaviour. 3. Day-to-day level cyber-security is being ignored This explains the various obstacles which are influencing employee’s cyber-security practices onboard. This section will be comprised of three parts, presenting a discussion of each of these key findings. 4.1. Key Finding One: Cyber-security awareness amongst employees This finding will be discussed in three parts. The first part will present the findings from the exploration of the employee’s experience of training. The second part will focus on the maintenance of their training and awareness. The third part will discuss the impact of the current approach to training and awareness maintenance. The results show that the cruise industry appears to be attempting to improve its cyber- security in accordance with the IMO guidelines. A formal cyber-security policy has been introduced, which 68.4% of employees confirmed had already been established (90% CI [0.6197, 0.7418]). Alongside this, 67.7% of employees received cyber-security training (90% CI [0.6130, 0.7358]). which was given to employees occupying the full range of job roles onboard. However, there are limitations to the cruise ship industry’s efforts which will be outlined below. The training was not always conducted prior to the employee using an IT system onboard, due to employees being left to ‘settle in’ before being given cyber-security training. Employees also explained that the cyber-security training was ‘not taken seriously’. Furthermore, not all employees who are using an IT system are being trained; those in job roles that are more centred around IT are more likely to receive training at 71.4% (90% CI [0.5471, 0.6748]), compared to those who said that they used an IT system as part of their role but not centrally, with only 45.5% receiving training (90% CI [0.0381, 0.1058]). Furthermore, although the training was given to those in varying levels of authority, those with increased authority were more likely to receive cyber-security training, as displayed in the bar graph below. Cyber-security training amongst authority levels 100 78.4% 80 70.5% 60 51.6% 40 20 0 Senior Management Departmental Management Team Member Management 221 Figure 1: Bar chart showing training levels compared to level of authority Employees also explained that oftentimes the training was not job specific and ‘quite generic’. An employee explained: ‘each position has different levels of access (a media manager has open access to the internet - entertainment hosts is an intranet so closed access) the risks for these 2 roles for example would be different’. This meant that only 45.8% (90% CI [0.7212, 0.8305]) of employees strongly agreed that cyber-security was important for their job role. Therefore, the standardised training given to employees in varying job roles, meant that they disregard it and considered it irrelevant to their role onboard. Similarly, given that cyber-security is considered a complex subject for most, and that the cruise ship environment is made up of employees speaking many different languages, it was also suggested that the training not only be more job specific, but also employee specific. For instance, an employee explained: ‘Have important training like cyber security be offered in multiple languages for easier understanding. Cyber security training uses specific vocabulary that may be difficult for crew members who speak English as an additional language’. Therefore, the exploration of the employee experience of training, shows that there is more work to be done to make it as efficient as it could be. Next, the researcher will discuss the maintenance of training and awareness. The results show that only 16.1% of participants received any further additional training to maintain their knowledge (90% CI [0.1182, 0.2160]). Instead, passive forms of cyber-awareness, such as publications were the main source of maintenance. The bar graph below presents the various methods that were used to keep employees up-to-date with cyber-security. Ways in which employee cyber-security awareness was maintained 50 42.6% 40 30 21.3% 18.15% 16.1% 20 10 1.9% 0 Publications Departmental I was not kept Additional Other meetings up-to-date training Figure 2: Graph showing cyber-security awareness maintenance Lastly, this section will discuss the impact of the current approach to training and awareness maintenance. The implications of the sporadic training, conducted with a 222 standardised, generic session, suggests to the employees that cyber-security is, at present, not something which is considered as everyone’s responsibility onboard. As a result, employees perceived cyber-security as an IT department responsibility only. When asked how they would respond to a suspicious threat, participants most commonly selected that they would contact the IT department. This resulted, in some instances, with the IT department becoming overburdened. For instance, an employee explained: ‘…IT was prompt with fixing the issue when reported but it was hard to get a hold of them via either phone or email. Typically I did not come across security problems but if I had, not much was promoted in terms of equipping managers with the tools they’d need to combat or prepare against’. Furthermore, the lack of maintenance of cyber-security awareness is implying that cyber-security training is a tick box exercise. As a result, employees are disregarding their training on a practical day-to-day level, and putting the trust in the IT department to mitigate threats. 4.2. Key Finding Two: Employee’s cyber-security perceptions compared to cyber-practices This finding will discuss the perceptions of the employee and their practices onboard. Employee perceptions surrounding cyber-security and cyber threats appear to be reflective of the increased concerns of the maritime industry in general. 76.1% of employees strongly agreed or agreed that a cyber-attack on a cruise ship is a threat (90% CI [0.7006, 0.8130]) and 92.9% of the employees believed that cyber-security onboard is important (90% CI [0.8865 to 0.9569]). The employee’s perceptions surrounding cyber-security appear to be influenced by the training that they received, as demonstrated in the table below. Perceptions of cyber-security compared to training 120 97.1% 100 84% 79.1% 80 70% 60 40 20 0 Threat of cyber-attack Importance of cyber-security Training No Training Figure 3: Graph showing the perceptions of cyber-security compared to training However, when examined more closely, the results show that the employees seem to be more concerned about cyber-security than is evident from their practices. Despite these perceptions, 81.8% of employees conducted practices onboard that could result in a cyber- attack (99% CI [0.5485, 0.7423]), therefore showing that there is a disparity between the 223 intentions of the employees and their conduct onboard, which supports the findings of Albrechsten [28]. The graph below shows the type of behaviours and the level of commonality. Employee behaviour onboard Connected a personal device to a professional IT 22.3% system Used a personal device to conduct professional tasks 11.8% Linked a company email to a personal device 6.8% Conducted personal tasks on a professional IT system 16.9% Used a USB stick between a personal and professional IT systems 24% None of the above 18.2% 0 5 10 15 20 25 30 Figure 4: Graph showing common cyber-security behaviours onboard It was found that the training did have some level of impact on the employee’s conduct. Of the participants who received training, 78.6% selected behaviours (90% CI [0.3190, 0.4464]), compared to 87.5% of participants selecting behaviours who did not receive training (90% CI [0.8380, 0.9601]). However, due to the limitations of the training which were discussed above, the influence of training on the employee’s practices is limited. 4.3. Key Finding Three: Day-to-day level cyber-security The results show that despite the indication of an attempt to increase cyber-security onboard, cyber-security on a day-to-day level is not being prioritised. This is resulting in many organisational obstacles for the employees. This section will present a deeper understanding of the factors which are influencing their practices. Firstly, there is a misalignment between cyber-security practices, and the needs of the employees in executing their job role. This is consistent with the work of Hooper & McKissask [36]. Only 41.3% of employees strongly agreed that the cyber-security rules were easy to follow when carrying out their daily tasks (90% CI [0.3499, 0.4789]), and only 31% of employees strongly agreed that cyber-security rules were useful within their job role (99% CI [0.2232, 0.4118]). As a result, in support of Koppel et al. [38], employees would often workaround cyber-security practices, opting for efficiency and convenience over security. Similarly, a lack of connectivity onboard meant that employees were left with no choice but to work around cyber-security policies. For instance, an employee explained: 224 ‘I was also required to take company electronics off of the ship into insecure internet connections in order to complete program updates as the ship internet was not strong enough to do so’. This suggests that the cruise ship companies are not prioritising cyber-security on a practical level. This is supported by the fact that another significant reason for employee workarounds onboard was simply, a lack of resources. Employees were left with no choice but to use their own, potentially insecure devices, to conduct professional tasks because they did not have the resources needed. Lastly, a cruise ship is an environment which encompasses employees living and working in the same space whilst being detached from the outside world. This presents obstacles to employees which need to be considered when forming cyber-security policies. For instance, a lack of connectivity both in port and onboard, as well as the high cost of Wi-Fi for crew, meant that employees commonly explained that they used onboard, professional devices and networks to conduct their personal correspondence. For instance, a participant explained: ‘I was in the middle of a house purchase and needed to scan and send documents over- there is often no time or appropriate place in ports we visit to do this.’ Therefore, it is not just the professional tasks of employees which are encouraging workarounds, but also personal factors, that have not been considered as part of the cyber- security strategy, which are forcing them to disregard cyber-security policies. There is also a misalignment between the corporate policies and the workplace routines, consistent with the findings of Sadok et al. [37]. For instance, oftentimes, employees explained that their behaviours onboard were at the request of shoreside management who had assigned them tasks that were not achievable unless they ignored cyber-security rules. Furthermore, although employees knew that their practices were jeopardising the cyber-security of the vessel, they explained commonly that they were ‘normal’. For instance, an employee explained: ‘I can't say I have ever really thought twice about the security risk factor in doing so and everybody does it so it seems like the normal thing to do.’ In some instances, these behaviours were even encouraged, or considered a benefit to the position onboard. For instance, an employee explained: ‘I also used my office computer to do personal things, yet was never told not to do so on it. I was actually advised by head office that it was one of the “perks” of my job.’ Consequently, the misalignment between the organisational cyber-security policies and the culture onboard, implies to employees that on a day-to-day basis, breaking cyber-security rules is normal and acceptable. 4.4. Recommendations Overall, although the results outlined above indicate that the cruise ship industry has attempted to improve its cyber-security strategy with increased training and awareness amongst 225 employees, there is still progress to be made. The researcher recommends that training is given more thoroughly across departments to every employee, and is more job specific, to communicate the relevancy of cyber-security to each crew member. IT is also strongly recommended, that the training sessions are delivered in various languages for those who do not speak English as their first. It is also the recommendation of the researcher that the training sessions and awareness of employees onboard is maintained. As per Albrechsten & Hovden, this should be most beneficially conducted through the use of interactive methods of cyber-security awareness [35], such as refresher training sessions or drills (which will be discussed below). This would encourage employees to continually be aware of cyber-security and enhance the change in behaviour over a longer period of time. The researcher also recommends that the cyber-security culture onboard also needs to be addressed. As per Alshaikha, this has been seen to improve cyber-security for a sustained amount of time. There are various ways that the culture could be achieved [40]. Firstly, it must be communicated to employees that cyber-security is everyone’s responsibility and not just the role of the IT department. Ultimately, at sea, every crew member’s supreme priority is safety. For instance, an employee explained: ‘Safety is our number one priority it is very important that we see different aspect on how we can deal on such incidents. This training should be considered as very important as this is a safety issue.’ Currently onboard, employees often experience safety drills to maintain their knowledge of safety procedures, as well as keep safety as a forefront priority. The cruise industry should seek to treat cyber-security as just as important, by consistently reinforcing employee’s awareness that vessels are made up of complex, interlinking cyber-physical systems [51] and adopting good cyber-security practices is vital to protect the overall safety of the vessel. It should also be communicated often to employees that adopting good cyber- security practices is a necessity of every crew member onboard to prevent harm coming to all those onboard. Employees should also be informed often of what could be suspicious and how they should act if they see such occurrences. This could be done on a large scale with a drill in order to reinforce not only the importance, but also the notion that it is everyone’s responsibility onboard. As suggested by Alshaikha another way that the cyber-security culture onboard could be improved could be through the use of incentives, similar to ‘employee of the month’ which would reward individuals who have raised awareness of a threat or conducted good cyber- security onboard [40]. This would ignite a collective call to action, acting as a reminder to be cyber-security mindful, and alter the perceptions that poor cyber-security practices are ‘normal’ and acceptable onboard. The researcher also recommends that the organisational approach to cyber-security adopts a more employee centric approach in order to mitigate some of the challenges that they face which are ultimately impacting their cyber-security practices. As per Sadok et al., it is vital that cyber-security practices are influenced by the employees who are affected by security controls [37]. 226 Time and time again, employees blamed a lack of resources, and inconvenience as a reason for their behaviours onboard. This could be mitigated by increasing the number of secure portable devices which are available to employees so that they do not opt to use their personal device. Lastly, it is important not just to mitigate the misalignments in the employees professional experience, but also their personal conduct also. The cost of crew Wi-Fi, and poor connectivity, is deterring employees from using the correctly assigned network. Employee’s must have the ability to contact home and carry out personal tasks onboard, easily and affordably. If this is not the case, their personal needs will take priority over cyber-security measures. 5. Conclusion To conclude, employees are aware of the importance of cyber-security onboard, yet they are conducting practices onboard which are putting cruise ships at risk of exploitation. Although employees appear to be the weak link in the cyber-security onboard, their behaviours are influenced by many, humanistic and organisational factors. Their practices are therefore the product of organisational weaknesses which have arisen because the employee perspective, and the practical day-to-day level cyber-security, have not been considered. Therefore, the cruise ship industry could take cyber-security more seriously. Although employees are receiving training, it is rolled out amongst employees sporadically, delivered through sessions which are standard and generic across many different job roles. This means that employees consider cyber-security as irrelevant to them. Furthermore, after the training has been conducted, it is not maintained, meaning that there has been little consideration about how to actually change the behaviour of employees in the long term. This means that employees are trusting the cruise ship companies and IT departments to maintain the cyber-security of the vessel, without fully considering their role, and the potential impacts of their behaviours. There are also misalignments between the corporate cyber-security policies, the manager’s expectations and the experience of employees when trying to balance their tasks and the cyber- security practices. This means that employees are working around them or disregarding them. Furthermore, the organisational cyber-security culture does not mirror the culture onboard. This communicates to employees that cyber-security does not really matter. This research highlights the dangers of relying heavily on a technical approach to cyber- security within the maritime industry. Applying the socio-technical perspective to the maritime environment produces results which are consistent with the perspective’s previous research. Therefore, this research shows that there are many benefits, discussed throughout, which could be gained from applying the socio-technical perspective to the cyber-security of the cruise ship sector, and the maritime industry more generally. By adopting a socio-technical perspective within the maritime industry, a more holistic cyber-security strategy will be formed, which will ultimately provide more efficient protection. The findings of this research were mostly as expected, particularly surrounding the level of common behaviours that are conducted onboard, potentially putting cruise ships at risk. However, particularly surprising was the perceptions of employees. The researcher assumed that employees were unaware of the threat of a cyber-attack/did not perceive cyber-security to be important, which would explain why frequent common bad practices were being conducted 227 onboard. This research suggests the opposite, which although, initially was alarming to discover, upon reflection, was actually reassuring. This therefore means that it is the obstacles which are impacting employee behaviour, which ultimately can be addressed more easily than altering people’s perceptions. This research hopes to encourage the application of the socio-technical approach within the maritime industry more so in the future. There are many areas to pursue, the avenues of which can vary depending on the corporate level. For instance, on a higher level, the researcher would suggest that an exploration of the designer perspective would be useful. Are they aware of the lives of crew members onboard and do they take it into account when they are designing the policies? Similarly, an exploration into the efficiency of the corporate approach to training and awareness could be conducted. For instance, given that the cruise ship industry, and the maritime industry in general is made up of employees from all over the globe, future research could consider cyber-security perceptions across varying nationalities. This research suggests that employees speaking different languages may find it more difficult to comprehend the training. Therefore, the researcher would recommend future exploration surrounding the efficacy of conducting cyber-security training in various different languages for the employees who do not speak English as their first language. If cyber-security awareness and training was not only more job specific, but more tailored to the employee’s learning needs, would their practices improve? Alternatively, on a more managerial level, it would also be useful to explore the perceptions of the shoreside employees. As mentioned, oftentimes the employee behaviours onboard are the result of a request at shoreside. Future research could investigate whether the perceptions of the two sides are similar, the challenges that shoreside face and how these two elements of the organisation come together in order to reduce the conflict which is currently occurring. Lastly, this exploration encompasses employees from various cruise lines. However, future research could focus on one single cruise ship and explore the perceptions and experience of employees in greater depth. This would allow a deeper understanding of the cyber-security practices on a more specific level rather than generically across the entire industry. Ultimately, this research aims to encourage the adoption of a more holistic approach to cyber-security within the maritime industry, particularly with the support of the socio-technical perspective, to not only understand, but also alter user behaviour. Now is the time to take an employee centric approach to understand how to secure vessels. The researcher hopes that this is the start of employees onboard being seen as a solution to cyber-security, rather than part of the problem. 228 6. References [1] G.A. Res. A. 741(18). (Nov. 4, 1993). https://www.palaureg.com/product/resolution-a-74118- international-management-code-for-the-safe-operation-of-ships-and-for-pollution-prevention- international-safety-management-ism-code/ [Accessed July 28, 2021]. [2] International Maritime Organisation, The International Safety Management (ISM) Code, 2019. URL: https://www.imo.org/en/OurWork/HumanElement/Pages/ISMCode.aspx [3] G.A. Res. 428(98). (June. 16, 2017). https://wwwcdn.imo.org/localresources/en/KnowledgeCentre/IndexofIMOResolutions/MSCReso lutions/MSC.428(98).pdf [Accessed July 28, 2021]. [4] G.A. Res. 1/Circ.3. (July. 5, 2019). http://www.gard.no/Content/23896593/MSC-FAL.1- Circ.3.pdf [Accessed July 28, 2021]. [5] International Maritime Organisation, Maritime Cyber Risk, 2019. URL: https://www.imo.org/en/OurWork/Security/Pages/Cyber-security.aspx [6] White House, Statement from the Press Secretary, 2018. URL: https://trumpwhitehouse.archives.gov/briefings-statements/statement-press-secretary-25/ [Accessed July 28, 2021]. [7] B. Shajari, Cyber Risk Series – Emergency Response and Facility Security Perspectives, 2020. URL: https://open.spotify.com/episode/5yU5Da1V2lc1431gx2AtPb?si=bOg74vydSWSpHM321SZpC A [8] CSIS, Significant Cyber Incidents, 2021. URL: https://www.csis.org/programs/strategic- technologies-program/significant-cyber-incidents [9] United States Coast Guard, Cyber Incident Exposes Potential Vulnerabilities Onboard Commercial Vessels, 2019. URL: https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/CG-5PC/INV/Alerts/0619.pdf [10] D. Sepulveda Estay, R. Sahay, W. Meng, C. Jensen, M. Barfod, Exploring Cybership Vulnerabilities Through a Systems Theoretic Process Approach, Ocean Engineering Journal (2020). http://dx.doi.org/10.2139/ssrn.3753663 [11] K. Tam, K. Jones, Maritime cyber security policy: the scope and impact of evolving technology on international shipping, Journal of Cyber Policy 3 (2018). doi:10.1080/23738871.2018.1513053. [12] K. Tam, K. Jones, MaCRA: a model-based framework for maritime cyber-risk assessment, World Maritime University Journal of Maritime Affairs 18 (2019). https://doi.org/10.1007/s13437-019-00162-2 [13] Government Office for Science. (2017). Future of the Sea: Cyber security. URL: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file /671824/Future_of_the_Sea_-_Cyber_Security_Final.pdf [14] M. Lund, O. Sveinung Hareide, Ø. Jøsok, An Attack on an Integrated Navigation System, Necesse 3 (2018). doi: 10.21339/2464-353x.3.2.149. [15] B. Svilicic, I. Rudan, V. Frančić, M. Doričić, Shipboard ECDIS cyber security: third-party component threats, Scientific Journal of Maritime Research 33 (2019). https://doi.org/10.31217/p.33.2.7. [16] B. Svilicic, D. Brčić, S. Žuškin, D. Kalebić, Raising awareness on cyber security of ECDIS, TransNav: The International Journal of Maritime Navigation and Safety of Sea Transportation 13 (2019). doi: 0.12716/1001.13.01.24. [17] B. Svilicic, M. Kristić, S. Žuškin, Paperless ship navigation: cyber security weaknesses, Journal of Transport Security 13 (2020). https://doi.org/10.1007/s12198-020-00222-2 [18] B. Svilicic, I. Rudan, V. Frančić, D. Mohović, Towards a Cyber Secure Shipboard Radar, Journal of Navigation 73 (2020). doi: 10.1017/S0373463319000808. [19] S. Carnovale, S. Yeniyurt, S. (Ed.), Cyber Security and Supply Chain Management: Risks, Challenges, and Solutions, World Scientific, 2021. [20] N. Polemi, Port Cybersecurity, Elsevier, Amsterdam, NL, 2018. 229 [21] National Institute of Standards and Technology, Framework for improving critical infrastructure Cybersecurity, 2018. URL: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf [22] S. Schauer, N. Polemi, H. Mouratidis, MITIGATE: a dynamic supply chain cyber risk assessment methodology, Journal of Transportation Security 12 (2019). https://doi.org/10.1007/s12198-018-0195-z [23] S. Cobel, Carnival Confirms Passenger Data Comprimised, 2020. URL: https://www.infosecurity-magazine.com/news/carnival-confirms-passenger-data/ [24] Emergency Risk Brief, Maritime Cyber Threat Intelligence and Vulnerability Landscape, 2021. URL: https://fortressinfosec.com/blog/maritime-cyber-threat-intelligence-report-current- vulnerability-landscape [25] J. Jeong, J. G. Mihelcic, C. Oliver, Rudolph, Towards an Improved Understanding of Human Factors in Cybersecurity, in: 5th International Conference on Collaboration and Internet Computing (CIC), IEEE, Los Angeles, CA, 2019, pp. 338-345 doi: 10.1109/CIC48465.2019.00047. [26] M. Malatjia, A. Marnewicka, S. Solmsb, Validation of a socio-technical management process for optimizing cyber security practices, Computers & Security 95 (2020). https://doi.org/10.1016/j.cose.2020.101846 [27] A. Totade, S. Godbole, Culture and Human Factors, in: D. Antonucci (Ed.), The cyber risk handbook: Creating and measuring effective cybersecurity capabilities, 1st. ed., John Wiley and Sons Incorporated, Hoboken, NJ, 2017, pp.243-255. ISBN: 111930972 [28] E. Albrechtsen, A qualitative study of users’ view on information security, Computers & Security, 26 (2007). doi:10.1016/j.cose.2006.11.004. [29] T. Pseftelis, G. Chondrokoukis. A Study about the Role of the Human Factor in Maritime Cybersecurity, Journal of Economics and Business 71 (2021). https://spoudai.unipi.gr/index.php/spoudai/article/download/2887/2724 [30] M. Bada, A. Sasse, J. Nurse. Cyber Security Awareness Campaigns: Why do they fail to change behaviour?, arXiv https://arxiv.org/pdf/1901.02672.pdf [31] K. Parsons, A. McCormac, M. Butavicius, M. Pattinson, C. Jerram, Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q), Computers & Security 42 (2014). https://doi.org/10.1016/j.cose.2013.12.003 [32] R. Protcor, J. Chen, The Role of Human Factors/Ergonomics in the Science of Security: Decision Making and Action Selection in Cyberspace, Human Factors 57 (2015). doi:10.1177/0018720815585906. [33] M. Pattinson, M. Butavicius, M. Lillie, B. Ciccarello, K. Parsons, D. Calic, A. McCormac, Matching training to individual learning styles improves information security awareness, Information and Computer Security 28 (2020). https://doi.org/10.1108/ICS-01-2019-0022 [34] R. McEvoy, S. Kowalski, Deriving Cyber Security Risks from Human and Organizational Factors – A Socio-technical Approach, Complex Systems Informatics and Modeling Quarterly (CSIMQ) 105 (2019). doi: 10.7250/csimq.2019-18.03 [35] E. Albrechtsen, J. Hovden, Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study, Computers & Security, 29 (2010). doi:10.1016/j.cose.2009.12.005. [36] V. Hooper, J. McKissask, The Emerging Role of the CISO, Business Horizons 59 (2016). https://doi.org/10.1016/j.bushor.2016.07.004 [37] M. Sadok, S. Alter, P. Bednar, It is not my job: exploring the disconnect between corporate security policies and actual security practices in SMEs, Information and Computer Security, 28 (2020). https://doi.org/10.1108/ICS-01-2019-0010 [38] R. S. Koppel, S. Smith, J. Blythe, V. Kothari, Workarounds to computer access in healthcare organizations: You want my password or a dead patient? Studies in Health and Technology Informatics 208 (2015) 220-251. doi:10.3233/978-1-61499-488-6-215. [39] V. Zimmermann, K. Renaud, Moving from a ‘human-as-problem” to a ‘human-as-solution” cyber security mindset, International Journal of Human-Computer Studies 131 (2019). https://doi.org/10.1016/j.ijhcs.2019.05.005 230 [40] M. Alshaikha, Developing cybersecurity culture to influence employee behaviour: A practice perspective, Computers & Security, 98 (2020). https://doi.org/10.1016/j.cose.2020.102003 [41] I. Bramson, Cyber Risk Series – United States Coast Guard, 2020. URL: https://open.spotify.com/episode/2hqSRYPsLHo0a2r5D5FUk5?si=PQN0UmIHThCb531DFgJ7k w&nd=1 [42] A. Garcia-Perez, M. Thurlbeck, E. How, Towards cyber security readiness in the Maritime industry: A knowledge-based approach (2017). https://pure.coventry.ac.uk/ws/portalfiles/portal/12219284/Towards_Cyber_Security_Readiness_ In_The_Maritime_Industry.pdf [43] V. Vehovar, K. Manfreda, Overview: online surveys, in: N. Fielding, R. Lee, G. Blank. (Ed.), The Sage Handbook of online research methods. 2nd. ed., Sage Publications Ltd, London, UK, 2017, pp. 143-161. https://www.doi.org/10.4135/9781473957992 [44] C. Leddy-Owen, Questionnaire Design, in: N. Gilbert, P. Stoneman (Ed.), Researching Social Life, 4th ed., Sage Publications, London, UK, 2016., pp. 245-257. ISBN: 9781412946629 [45] V. D. Alexander, H. Thomas, A. Cronin, J. Feilding, J. Moran-Ellis, Mixed Methods, in: N. Gilbert, P. Stoneman (Ed.), Researching Social Life, 4th ed., Sage Publications, London, UK, 2016., pp. 119-139. ISBN: 9781412946629 [46] R. Likert, A technique for the measurements of attitudes, Archives of Psychology 22 (1932) 5- 56. [47] A. Bryman, Social Research Methods, 5th ed., Oxford University Press, New York, NY, 2016. [48] E. Ruel, W. Wagner |||, B. Gillespie, Nonprobability sampling and sampling hard-to-find populations, in: E. Ruel, W. Wagner |||, B. Gillespie (Ed.), The practice of survey research, Sage Publications, London, UK, 2016, pp. 149-159. https://www.doi.org/10.4135/9781483391700 [49] P. Stoneman, Analysis Survey Data, in: N. Gilbert, P. Stoneman (Ed.), Researching Social Life, 4th ed., Sage Publications, London, UK, 2016., pp. 389-411. ISBN: 9781412946629 [50] A. Agresti, B. Coull, Approximate Is Better than "Exact" for Interval Estimation of Binomial Proportions, The American Statistician 52 (1998) https://doi.org/10.2307/2685469 [51] V. Bolbot, G. Theotokatos, L. Bujorianu, E. Boulougouris, D. Vassalos, Vulnerabilities and safety assurance methods in Cyber-Physical Systems: A comprehensive review, Reliability Engineering & System Safety, 182 (2019). https://doi.org/10.1016/j.ress.2018.09.004 231