Affiliation:
1. Massachusetts Institute of Technology, USA
2. Subaru Corporation, USA
3. University of Michigan, USA
4. MITRE Corporation, USA
Abstract
The COVID-19 pandemic (especially the first and second COVID waves) forced firms (organizations) to radically shift a considerable (if not all) proportion of their employees to a work-from-home (WFH) mode. Industry statistics show that, despite ushering in significant work-flexibility (and other) benefits, the WFH mode has also expanded an organization’s cyber-vulnerability space and increased the number of cyber-breaches in IT and IT-OT systems (e.g., ICSs). This leads us to an important fundamental question: is the WFH paradigm detrimental to IT and IoT-driven ICS security in general? While vulnerability reasoning and empirical statistics might qualitatively support an affirmative answer to this question, a rigorous, practically motivated, and strategic cost-benefit analysis is yet to be conducted to establish in principle whether and to what degree WFH-induced cyber-security in an IT/ICS system is sub-optimal when compared to that in the non-WFH work mode. We propose a novel and rigorous strategic method to dynamically quantify the degree of sub-optimal cyber-security in an IT/ICS organization of employees, all of whom work in heterogeneous WFH “siloes”. We first derive, as a benchmark for a WFH setting, the centrally-planned socially optimal aggregate employee effort in cyber-security best practices at any given time instant. We then derive and compute (using Breton’s Nash equilibrium computation algorithm for stochastic dynamic games), for the same setting, the distributed time-varying strategic Nash equilibrium amount of aggregate employee effort in cyber-security. The time-varying ratios of these centralized and distributed estimates quantify the free-riding dynamics, i.e., a proxy concept for security sub-optimality, within an IT/ICS organization for the WFH setting. We finally compare the free-riding ratio between WFH and non-WFH work modes to gauge the (possible) extent of the increase (lower bound) in security sub-optimality when the organization operates in a WFH mode.
We counter-intuitively observe, through extensive real-world-trace-driven Monte Carlo simulations, that the maximum of the time-dependent median increase in the related security sub-optimality ranges around 25% but decreases fast with time to near 0% (implying security sub-optimality in the WFH mode equals that in the non-WFH mode) if the impact of employee security effort is time-accumulative (sustainable) even for short time intervals.
Publisher
Association for Computing Machinery (ACM)
Subject
General Computer Science, Management Information Systems