In the high-stakes world of Australian cybersecurity, the governance conversations are usually dominated by technical perspectives; adopting encryption, zero-trust architecture, and multi-million-dollar software stacks are often considered to be the primary steps to complete cyber safety. However, as the Social Cyber Group (SCG) - a Canberra-based think tank and consultancy - posits, we are missing the "social" half of the equation too often.
We sat down with Glenn Withers and Greg Austin from the SCG, to discuss why technical tools are only a partial shield and how businesses should approach the human side of security.
The Problem with "Technical-Only" Budgets
A typical board of a large corporation will often approve an annual cyber budget in the tens of millions, focused largely on engineering. However, the Social Cyber Group argues this creates a massive blind spot.
"A company approves an annual budget for cybersecurity... and it's almost entirely spent on technical aspects... They don't look closely enough at what sort of structural mechanisms they should put in place in their company to manage the social science aspects like insider threat or psychology." – Greg Austin.
The group points to a philosophy recently echoed by industry titans like Kevin Mandia: the first step to security is knowing your organisation. This means understanding power maps, social relationships, and how outcomes are "dictated consciously or unconsciously by the sets of social relationships that exist between different parts of the corporation."
Defining "Social Cyber Value"
The term "Social Cyber Value" (SCV) might sound abstract, but for large organisations, it is essential to consider. SCV relies on mapping out social threats to cybersecurity within an organisation and building resilience in the real-time. It also focuses on ways for the brand to recover after cyber-attacks, by altering management and decision-making processes.
"We looked at Standard & Poor’s 500 to see the effect of cyber-attacks on their share value ... What really mattered was how they responded. If you prove to the investors that you are actually on top of responding well, and can go ahead better into the future, then you can improve your share value, above the pre-attack mark." – Glenn Withers.
In short, technical tools provide short-term prevention, but social science provides long-term defence frameworks and successful roads to recovery. Ultimately, if a company merely "remedies" a technical glitch without addressing the management culture that allowed it, they often lose long-term value.
Moving Forward: A Security "Once-Over"
What should a proactive board do? The Social Cyber Group suggests that if you are spending millions on technologies for cyber resilience, you shouldn’t hesitate to invest in a social science audit.
"If you’re mainly looking at the technical aspect of cyber security, you’re really doing yourself no favour … We propose that big companies should think about spending at least a million dollars to get a team of social scientists to come in and give their company the once-over... cybersecurity is so important in corporate success that you’ve got to cover off all aspects of it." – Greg Austin.
Canberra is an unquestionable powerhouse when it comes to building cyber resilience at every organisational level, thanks to a talented and most inter-connected cyber community. Canberra hosts a multitude of thought leaders, like Greg and Glenn, who continue to reshape the cyber industry by leveraging research, case studies and innovating on approaches to building cyber capabilities. The ACT is at the forefront of establishing a future where businesses are resilient and proactive in their cyber strategies, and insightful conversations like these, showcase exactly why, and exactly how businesses should aim to ensure their most valued assets are safe.
The Social Cyber Group will also be exhibiting at the Canberra Cyber Career Symposium 2026 on the 31st of March. Learn more on our landing page and join our free event, to meet the authors and ask any questions you might have!
