Hadi, would you tell more about your background and your position at Aalto University?
My name is Hadi Ghanbari, and I am an Assistant Professor of Information Systems at Aalto University School of Business in Finland. Simultaneously, I am a Research Fellow at the FinEst Centre for Smart Cities in Estonia, where I used to lead the Urban Analytics and Data research theme. I primarily conduct empirical research on the socio-technical aspects of digital innovation and cybersecurity. I teach several cybersecurity modules designed for master's students, executives, and the general public. In the past, I was involved in several industry-driven EU projects related to cybersecurity and digitalization, and I worked in multiple positions in the IT industry for over eight years.
Regarding your research topics, could you provide some examples of topics you have conducted recently in the cybersecurity field?
I mainly focus on three areas. First, I examine cyber threats and the structural root causes of cyber incidents (i.e., cyberattacks and data breaches), as well as their costs and consequences for organizations and society. I usually examine these incidents from a business and organizational perspective. For instance, I have studied various high-profile incidents, such as the Vastaamo data breach and the SolarWinds cyberattack. Second, I study individuals' attitudes and behaviors related to information security and privacy. For instance, I have examined why and under which conditions users disclose personal or sensitive information to different digital solutions, such as mobile health apps or Generative AI tools. Third, I focus on proposing and developing innovative solutions for enhancing cybersecurity in organizations. For instance, with my colleagues, we have been developing a Virtual Reality-based Security Education, Training, and Awareness (SETA) solution to enhance employees' cybersecurity skills and competencies, which in turn contributes to their organization's overall cybersecurity preparedness.
Our research contributes to enhancing individuals' and organizations' awareness of cyber threats and risks, and goes beyond mere exploration of issues to provide novel solutions that improve cybersecurity."
How do you see your research's impacts on people, prosperity, and society? On what timescale?
As I am primarily interested in studying the socio-technical aspects of cybersecurity, my research and teaching contribute to enhancing individuals' and organizations' awareness of cyber threats and risks associated with developing and using various digital services, as well as the antecedents and consequences of cyber incidents. I am particularly interested in going beyond the mere exploration of practical issues and challenges to propose novel solutions that help individuals and organizations address these issues. As I mentioned, we have been developing an innovative SETA module that helps employees learn about less-obvious security threats and misbehaviours that occur in their working environment. Or, I have proposed a taxonomy of cyberattacks for conducting a lightweight analysis and presenting an overview of cyberattacks to non-technical stakeholders, especially executives and directors.
My ambition is to expand my research team at Aalto University School of Business, thereby maintaining our position as the leading business-oriented cybersecurity research and education unit in Finland and the Nordic region. I ultimately hope to help increase not only the overall level of cybersecurity awareness in our society but also the accountability of organizations to avoid irresponsible practices, enabling cyber incidents, and mitigate their societal costs.
Earlier, you mentioned reviewing cyber incidents from an organisational and business viewpoint. Can you list some recommendations for senior leaders and executives based on your research?
First, empower your employees to become the strongest link in cybersecurity. Provide them with customized training and help them understand the value and importance of cybersecurity for their roles and how it affects their professional duties. In addition, encourage (not force) them to play an active role in enhancing the organization's cybersecurity posture, for example, by constantly improving their security behavior and reporting suspicious events or incidents to your security teams.
Empower your employees, understand the value that cybersecurity provides to your business, and ensure you know your partners' cyber capabilities to collaborate effectively with them."
Second, remember that no matter how capable your security experts are, you should have a deep understanding of the value of cybersecurity for your organization or department. You are responsible for ensuring that cybersecurity contributes to your organization's or department's value generation capabilities, and at the same time, you will be held accountable for making any decisions that might lead to cyber incidents and business disruptions.
Third, your firm's value creation capability depends on your network of partners and suppliers. Your organization may have a solid cybersecurity posture, but attackers might target you through less prepared suppliers and partners. Therefore, ensure that you have proper monitoring and oversight procedures in place to validate the cybersecurity preparedness of your partners and suppliers and to ensure they comply with industry-specific standards and best practices. At the same time, try to increase your collaboration and coordination with these partners to protect your supply chains collectively. If any readers are interested in learning more about supply chain attacks, I have discussed them in the Operations Leadership podcast.
What inspires you in teaching executives and senior experts at Aalto EE programs?
The executives and senior experts I have met at Aalto EE programs are among the best in their fields. The participants are coming from various fields and backgrounds. They have gathered an invaluable amount of experience over the years. It is always inspiring to meet such diverse groups of experts in the same room and have the opportunity to hear their first-hand stories and real-life experiences. I understand cybersecurity concepts and am familiar with practical cybersecurity issues in certain domains, but discussing with experts from various profiles helps me become more aware of the challenges and opportunities that can impact cybersecurity practices across domains. Obviously, the executives and senior experts are also very curious and, in some cases, have challenged my perspectives, which makes our discussions even more interesting and fruitful.
I hope to help increase cybersecurity awareness in society and organisations and build responsible practices to avoid societal costs."
You mentioned the socio-technical approach to cyber security. What are its elements?
I believe that we must address cybersecurity holistically by considering various business, technical, social, legal, and ethical issues. Therefore, I have developed the holistic information security model, which is shown in the figure below. This model informs my approach to cybersecurity research and teaching. This is the approach in the Cyber Security for Executives program, which enables participants to gain a comprehensive, business-oriented perspective on cyber security.
Figure 1. Holistic information security model (Ghanbari, 2025). Copyright ©2025 Hadi Ghanbari.
