This paper identifies and explains five key initiatives that three Australian organizations have implemented to improve their respective cyber security cultures. The five key initiatives are: identifying key cyber security behaviors, establishing a 'cyber security champion' network, developing a brand for the cyber team, building a cyber security hub, and aligning security awareness activities with internal and external campaigns. These key initiatives have helped organizations exceed minimal standards-compliance to create functional cyber security cultures. This paper discusses why these initiatives have been effective and provides practical guidance on their integration into organizational security program
Security breaches are prevalent in organizations and many of the breaches are attributed to human errors. As a result, the organizations need to increase their employees' security awareness and their capabilities to engage in safe cybersecurity behaviors. Many different psychological and social factors affect employees' cybersecurity behaviors. An important research question to explore is to what extent gender plays a role in mediating the factors that affect cybersecurity beliefs and behaviors of employees. In this vein, we conducted a cross-sectional survey study among employees of diverse organizations. We used structural equation modelling to assess the effect of gender as a moderator variable in the relations between psychosocial factors and self-reported cybersecurity behaviors. Our results show that gender has some effect in security self-efficacy (r = -0.435, p < 0.001), prior experience (r = -0.235, p < 0.001) and computer skills (r = -0.198, p < 0.001) and little effect in cues-to-action (r = -0.152, p < 0.001) and self-reported cybersecurity behaviors (r = -0.152, p < 0.001).
• The role of gender in employees' self-reported cybersecurity behaviors is explored.
• Results show gender-wise differences for cybersecurity self-efficacy and behavior.
• Training is needed to close the gender gap in cybersecurity self-efficacy.
In the contemporary ever-evolving digital landscape, the paramount importance of fortifying national cybersecurity for safeguarding national security is unequivocal. Cybersecurity stands as a critically strategic field, demanding in-depth strategic planning. This research delves into the complexities of cybersecurity strategy, evaluation, and its myriad challenges, moving beyond conventional methodologies to illuminate this essential sector. A key contribution of our work is the creation of an innovative taxonomy that precisely classifies and categorizes strategic cybersecurity challenges, thereby enriching the discipline's lexicon and deepening the understanding of the cybersecurity environment. Additionally, this study conducts a thorough review of prevailing guidelines, models, standards, and frameworks for the assessment of cybersecurity, its maturity, and cyber power, rendering this research indispensable for decision-makers. It also methodically examines and presents a mathematical formulation for assessment indices. This provision of critical insights supports the crafting of holistic and adaptable cybersecurity strategies, promoting a robust cyber ecosystem. Consequently, nations are better positioned to adeptly manage the shifting sands of cyber threats, bolstering their global cybersecurity stature and ensuring the protection of national and international digital security interests.
Investigating the cybersecurity threat landscape is important as it increases situational awareness and defensive agility. Therefore, in this study the cybersecurity threat landscape for Botswana was investigated from the perspective of Information Technology (IT) and Cybersecurity professionals in Botswana. Since Botswana has no publicized empirical data on cyber threats, a cybersecurity incidences dataset from the United Kingdom (UK) was first analyzed to understand cybersecurity trends there. Insights obtained from the UK dataset were used as a baseline to design a questionnaire which was sent out to 31 participants from 20 organizations in Botswana. The findings obtained from the questionnaire were analyzed and compared to findings from the UK. This work showed that a coordinated response to cybersecurity and collection of information related to threats and mitigations can help improve situational awareness and defensive agility.
Cybersecurity is a growing problem associated with everything an individual or an organization does that is facilitated by the Internet. It is a multi-facetted program that can be addressed by cybersecurity governance. However, research has shown that many organizations face at least five basic challenges of cybersecurity. In this study, we developed a model for an effective cybersecurity governance that hopes to address these challenges, conceptualized as factors that must continuously be measured and evaluated. They are: (1) Cybersecurity strategy; (2) Standardized processes, (3) Compliance, (4) Senior leadership oversight, and (5) Resources.
Based on a comprehensive literature survey, the constructs of the cybersecurity information sharing ecosystem have been defined in detail. Using this ecosystem, the interrelationships among the stakeholders with respect to cybersecurity information sharing are analyzed, the value parameters are determined, the value functions are defined, and the values obtained by the stakeholders through simulation are calculated. Furthermore, it is investigated whether the stakeholders involved in this ecosystem can create sufficient value to sustain in the market. The outcome of this research includes an economic model for evaluating the value creation and distribution among the stakeholders. This model is a critical step forward to better align the values (i.e., utilities and profits) of stakeholders. The simulation results of the model show that end users are the main source of value generation. Cybersecurity solution providers and cybersecurity information providers get benefits from a growing installed base of end users. However, in saturated markets, there is a risk of un-sustainability of the ecosystem, as the cost of cybersecurity solutions and cybersecurity information cannot be recovered through their fees. The simulation model and the findings of this study can help business managers to make better decisions related to business strategies, sustainability, and pricing schemes for cybersecurity solution and cybersecurity information. Moreover, a working cybersecurity information sharing ecosystem is essential for the adoption of cloud computing and, especially, edge computing. It allows capturing, disseminating, and aggregating cybersecurity information from a large number of computing devices and computing providers reliably and accurately.
• Cybersecurity information sharing ecosystem was defined based on literature survey.
• Distribution of value from cybersecurity information sharing was analyzed.
• Simulation results specified the conditions for the sustainability of the ecosystem.
• Discrepancy between information sharing and business sustainability was identified.
• Security information sharing is needed for wide adoption of cloud and edge computing.
As the amount of information, critical services, and interconnected computers and “things” in the cyberspace is steadily increasing, the number, sophistication, and impact of cyberattacks are becoming more and more significant. In the last decades, governmental and non-governmental organisations have become aware of this problem. However, the existing cybersecurity workforce has not been sufficient for satisfying the increasing demand for qualified cybersecurity professionals, and the shortfall will increase in the next years. Meanwhile, to address the increasing demand for cybersecurity professionals, academic institutions have been establishing cybersecurity programs, particularly, cybersecurity master programs.
This paper aims at analysing which cybersecurity topics are covered by existing cybersecurity master programs of top universities and how these topics are distributed through courses. It starts by reviewing the evolution and maturation of the cybersecurity discipline, focusing on the ACM efforts, which include the early addition of the Information Assurance and Security Knowledge Areas to the computer science curricula and, more recently, the development of curricular recommendations to support the definition of post-secondary cybersecurity programs. These latest guidelines are used to analyse and review 21 cybersecurity master programs, focusing on the contents of their courses, structure, admission requirements, duration, requirements for completion, and evolution.
Use the guidance in this comprehensive field guide to gain the support of your top executives for aligning a rational cybersecurity plan with your business. You will learn how to improve working relationships with stakeholders in complex digital businesses, IT, and development environments. You will know how to prioritize your security program, and motivate and retain your team. Misalignment between security and your business can start at the top at the C-suite or happen at the line of business, IT, development, or user level. It has a corrosive effect on any security project it touches. But it does not have to be like this. Author Dan Blum presents valuable lessons learned from interviews with over 70 security and business leaders. You will discover how to successfully solve issues related to: risk management, operational security, privacy protection, hybrid cloud management, security culture and user awareness, and communication challenges. This open access book presents six priority areas to focus on to maximize the effectiveness of your cybersecurity program: risk management, control baseline, security culture, IT rationalization, access control, and cyber-resilience. Common challenges and good practices are provided for businesses of different types and sizes. And more than 50 specific keys to alignment are included.
What You Will Learn
• Improve your security culture: clarify security-related roles, communicate effectively to businesspeople, and hire, motivate, or retain outstanding security staff by creating a sense of efficacy
• Develop a consistent accountability model, information risk taxonomy, and risk management framework
• Adopt a security and risk governance model consistent with your business structure or culture, manage policy, and optimize security budgeting within the larger business unit and CIO organization IT spend
• Tailor a control baseline to your organization’s maturity level, regulatory requirements, scale, circumstances, and critical assets
• Help CIOs, Chief Digital Officers, and other executives to develop an IT strategy for curating cloud solutions and reducing shadow IT, building up DevSecOps and Disciplined Agile, and more
• Balance access control and accountability approaches, leverage modern digital identity standards to improve digital relationships, and provide data governance and privacy-enhancing capabilities
• Plan for cyber-resilience: work with the SOC, IT, business groups, and external sources to coordinate incident response and to recover from outages and come back stronger
• Integrate your learnings from this book into a quick-hitting rational cybersecurity success plan
Who This Book Is For
Chief Information Security Officers (CISOs) and other heads of security, security directors and managers, security architects and project leads, and other team members providing security leadership to your business
Organizational ambidexterity balances exploitative and exploratory behaviors so that organizations are able to exploit their existing competencies while simultaneously exploring new opportunities. Similarly, ambidextrous cybersecurity (AMBI-CYBER) focuses on the protection of data, systems, and networks, while fostering the rapid introduction of new technologies within a company. This balance is linked to cybersecurity absorptive capacity and defines the "Cybersecurity Efficient Frontier." In this paper, we view AMBI-CYBER as a combination of organizational as well as technological and cultural competences which rely upon a multifaceted, multimodal, multinodal, and multilevel set of skills and capabilities. We outline the anatomy of the AMBI-CYBER architecture adopting a balanced scorecard, multistage approach under a 7Ps stage gate model (Patient, Persistent, Persevering, Proactive, Predictive, Preventive, and Preemptive). Such an approach emphasizes the need to enable a complex, nonlinear, adaptive process of dynamic intangible organizational assets, resources, and capabilities across a performance frontier where we aim to optimize safety, security, and privacy effectiveness and efficiency. We also suggest that the Quadruple/Quintuple Helix Innovation model may promote AMBI-CYBER enabling a locus-centric and triple-bottom-line-centric entrepreneurial process of discovery followed by development, exploration, exploitation, and deployment.