Search results

21 – 30 of over 7000
Article
Publication date: 7 January 2019

Filip Caron

Abstract

Purpose

The purpose of this paper is to highlight the potential of cyber-testing techniques in assessing the effectiveness of cyber-security controls and obtaining audit evidence.

Design/methodology/approach

The paper starts with an identification of the applicable cyber-testing techniques and evaluates their applicability to generally accepted assurance schemes and cyber-security guidelines.

Findings

Cyber-testing techniques are providing insight in the effectiveness of the actual implementation of cyber-security controls, which may significantly deviate from the conceptual designs of these controls. Furthermore, cyber-testing techniques could provide concise input for cyber-risk management and improvement recommendations.

Originality/value

The presented cyber-testing techniques could complement traditional process-oriented assurance techniques with specialized technical analyses of real-world implementations that focus on the adversaries’ viewpoint.

Details

Managerial Auditing Journal, vol. 36 no. 2
Type: Research Article
ISSN: 0268-6902

Article
Publication date: 2 March 2023

Giddeon Njamngang Angafor, Iryna Yevseyeva and Leandros Maglaras

Abstract

Purpose

This paper aims to discuss the experiences designing and conducting an experiential learning virtual incident response tabletop exercise (VIRTTX) to review a business's security posture as it adapts to remote working because of the Coronavirus 2019 (COVID-19). The pandemic forced businesses to move operations from offices to remote working. Given that this happened quickly for many, some firms had little time to factor in appropriate cyber-hygiene and incident prevention measures, thereby exposing themselves to vulnerabilities such as phishing and other scams.

Design/methodology/approach

The exercise was designed and facilitated through Microsoft Teams. The approach used included a literature review and an experiential learning method that used scenario-based, active pedagogical strategies such as case studies, simulations, role-playing and discussion-focused techniques to develop and evaluate processes and procedures used in preventing, detecting, mitigating, responding and recovering from cyber incidents.

Findings

The exercise highlighted the value of using scenario-based exercises in cyber security training. It elaborated that scenario-based incident response (IR) exercises are beneficial because well-crafted and well-executed exercises raise cyber security awareness among managers and IT professionals. Such activities with integrated operational and decision-making components enable businesses to evaluate IR and disaster recovery (DR) procedures, including communication flows, to improve decision-making at strategic levels and enhance the technical skills of cyber security personnel.

Practical implications

The primary implication for practice is that practical, hands-on experiential exercises such as this VIRTTX enhance security awareness. These exercises bring together staff from across a business to evaluate existing IR/DR processes to determine if they are fit for purpose, establish existing gaps and identify strategies to prevent future threats, including during challenging circumstances such as the COVID-19 outbreak. Furthermore, the use of TTXs or TTEs for scenario-based incident response exercises proved extremely useful for cyber security practice, because well-crafted and well-executed exercises have been found to serve as valuable and effective tools for raising cyber security awareness among senior leadership, managers and IT professionals (Ulmanová, 2020).

Originality/value

This paper underlines the importance of practical, scenario-based cyber-IR training and reports on the experience of conducting a virtual IR/DR tabletop exercise within a large organisation.

Article
Publication date: 29 April 2020

Abhilash Panda and Andrew Bower

Abstract

Purpose

The purpose of this paper is to concentrate on the place of cyber security risk in the framework of global commitments adopted in 2015 to reduce disaster risks in an all-hazards approach. It explores the correlations between traditional risks associated with critical infrastructures – as understood by the Sendai framework – cyber security risks and the cascading effects characteristic of today’s complex and interrelated shocks and stresses. It takes a step further, expanding the focus of traditionally understood technological risks to explore cyber security risks, at the heart of our societies’ digital transformations, and to showcase opportunities from the European context.

Design/methodology/approach

By reviewing existing literature on cyber security, disaster resilience and cascading disasters, this paper highlights current challenges and good practices undertaken by various governments.

Findings

Understanding disaster risks is a precondition to improving the mitigation of impacts of existing risks and preventing new risks. Effective risk reduction relies on a solid understanding of losses resulting from events to inform future actions, and on the assessment of risks relying on a robust evidence base and state-of-the-art scientific capacity to model and simulate potential hazards. In this context, embedding cyber security risks, and the complexity of cascading impacts, in improving the understanding of disaster risks calls for appropriate methods and tools that allow a multi-risk and holistic focus on the assessment of risks and on the planning of the risk management capacities that follow.

Research limitations/implications

Globally and in Europe, the focus on interconnected risks and their impacts is steadily increasing. Risk assessments are still conservative, and the incorporation of cyber resilience into national- and local-level DRR plans is not yet visible.

Originality/value

Existing research treats cyber security and disaster resilience as separate subjects. This paper, for the first time, brings the two topics together and addresses their interconnection.

Details

International Journal of Disaster Resilience in the Built Environment, vol. 11 no. 4
Type: Research Article
ISSN: 1759-5908

Article
Publication date: 19 July 2021

Felicitas Hoppe, Nadine Gatzert and Petra Gruner

Abstract

Purpose

This article aims to gain insights on the current state of small- and medium-sized enterprises’ (SMEs’) cyber risk management process and to derive future research directions.

Design/methodology/approach

This is done by collecting market insights from 37 recent industry surveys and structuring them based on the steps of the risk management process. From this analysis, major challenges are derived and future fields of research identified.

Findings

The results indicate that deficiencies in risk culture as well as the strained market for IT experts are the major obstacles with respect to the implementation of cyber risk management in SMEs, and that these challenges are similar across countries. The findings suggest that especially the relationship between cyber security culture and cyber risk management should be investigated further, and that a stronger link between the research streams on enterprise risk management and cyber risk management would be desirable.

Originality/value

This paper contributes to the literature by providing a systematic overview of the current state of SMEs' cyber risk management from a market perspective. The findings support the existing academic literature by emphasizing the central role of cyber security culture (perception, knowledge, attitude) in successful cyber risk management, which should, however, be addressed in more depth in future (empirical) research.

Details

The Journal of Risk Finance, vol. 22 no. 3/4
Type: Research Article
ISSN: 1526-5943

Article
Publication date: 12 February 2024

Kate-Riin Kont

Abstract

Purpose

This article surveys why libraries are vulnerable to social engineering attacks and how to manage risks of human-caused cyber threats on organizational level; investigates Estonian library staff awareness of information security and shares recommendations concerning focus areas that should be given more attention in the future.

Design/methodology/approach

The data used in this paper is based on an overview of relevant literature that highlights the theoretical points, gives the reasons why the human factor is considered the weakest link in information security and cyber security, and examines how to mitigate the related risks in the organisation. To perform the survey, a web questionnaire was designed that included 63 sentences and was developed based on the knowledge-attitude-behaviour (KAB) model supported by Kruger and Kearney and the Human Aspects of Information Security Questionnaire (HAIS-Q) designed by Parsons et al.

Findings

The research results show that the information security awareness of library employees is at a good level; however, awareness in two focus areas needs special attention and should be improved. The output of this study is the mapping of seven focus areas of information security policy in libraries based on the HAIS-Q framework and the KAB model.

Originality/value

The cyber awareness of library employees has not previously been studied anywhere using the HAIS-Q and the KAB model, and, to the best of the authors’ knowledge, no research has previously been carried out into cyber security awareness in the Estonian library context.

Details

Library Management, vol. 45 no. 1/2
Type: Research Article
ISSN: 0143-5124

Article
Publication date: 21 May 2020

Christian Pauletto

Abstract

Purpose

The development of technologies for the conduct of cyber operations represents an opportunity for states to defend their interests in international relations but also bears risks and challenges. Since the early 2000s, the United Nations “group of governmental experts (GGE) on developments in the field of information and telecommunications in the context of international security” has debated this issue. This paper aims to investigate how states are challenged in the development of international cyber norms and where the capacity to act lies idle, i.e. to assess how much has been achieved in the international community’s debate on cyber threats and malicious behaviours in the international security context and to identify directions in which to move the GGE’s work further.

Design/methodology/approach

The methodology uses extensive text-based desk research and relies on a thorough collection, analysis and interpretation of United Nations (UN) documents. Where specific substantive topics are addressed in the GGE, the content of the debate is compared with the issue-specific academic literature on those matters.

Findings

The results highlight that the GGE has managed to gather consensus on a number of cooperative and normative measures in this politically highly sensitive area, and more deliverables are expected during this and next year. The paper identifies a weakness in terms of operational implementation, however. It proposes a few examples of concrete headway that could complement the existing consensus, especially on the implementation side.

Originality/value

Because of its political sensitivity, the GGE has worked with discretion and has attracted little academic attention. This paper is an original and timely attempt to assess the achievements and possible outlook of this endeavor of the international community, including the incipient work of a recently established open-ended working group. It also attempts to connect the subject matter discussed in the UN with related academic literature, including in respect of definitional and conceptual issues.

Details

Transforming Government: People, Process and Policy, vol. 14 no. 3
Type: Research Article
ISSN: 1750-6166

Book part
Publication date: 28 March 2022

Anca Băndoi, Cătălina Sitnikov, Daniela Dănciulescu, Lucian Mandache and Ionut Riza

Abstract

Although risks are present in any organisation and the importance of their study is obvious, the authors find that risk analysis is an area still in its infancy, as reflected in the small number of existing publications on this topic. Human resources tend to understand risk in an elementary way. The ability of human resources to perceive risk is the ability and competence to identify a potential threat that does not always appear.

Aim: The aim of this chapter is to provide additional knowledge on human resource competencies, in order to avoid the emergence and spread of risks at the organisational and cyber level.

Methodology: The authors used the quantitative–comparative analysis, by presenting all the details regarding the competencies of the human resource in order to manage the risks at organisational and cybernetic level.

Findings: The findings of this chapter show that the compulsory competencies of the human resource influence both the general competencies and the special competencies: information technology and communications, security ethics and economic ones. These, in turn, can improve or diminish cyber security competencies by almost 50%.

Originality of the Study: The originality of this study lies in the results obtained from analysing the capacity of human resources to integrate theoretical knowledge and practical competencies in the perception of cyber risk. Of particular importance for this research are the analysis of the data and the interpretation of the results on human resource competencies. Throughout the chapter, the skills of human resources needed to manage cyber risks at the organisational level are assessed. In terms of future research implications, it would be important to identify a method of assessing the competencies acquired by human resources from the perspective of cyber risk.

Details

Managing Risk and Decision Making in Times of Economic Distress, Part B
Type: Book
ISBN: 978-1-80262-971-2

Book part
Publication date: 28 September 2023

Ieva Auzina, Tatjana Volkova, Diego Norena-Chavez, Marta Kadłubek and Eleftherios Thalassinos

Abstract

There is a research gap in the explanation of cyber incident response approaches in management to increase cyber maturity for small- and medium-sized enterprises (SMEs). Therefore, based on the literature analysis, the chapter aims to (1) provide cyber incident response characteristics, (2) show their importance for SMEs, (3) identify cyber incident response feasibility and causal factors, (4) provide scenarios for consideration when creating an incident response plan (IRP), and (5) discuss cyber incident response and managerial approaches in SMEs. The authors used content analysis of scientific and professional articles to develop the theoretical foundation of incident response approaches in management for SMEs. Starting from the fundamentals, to gain knowledge and understanding of the latest threats and opportunities and of how SMEs can defend themselves with limited resources, might be the starting point for building an extensive incident response capability. Incident response capabilities and maturity levels vary widely between organisations. There is no simple one-size-fits-all process for incident response; each case is unique and requires continuous refinement. Differentiation and adaptation to different types of SMEs are pivotal to developing cyber maturity and to defining requirements that fit the market’s needs and are therefore more efficient in achieving the goal of increasing cyber security (CS) among business management. SMEs may not have a mature IRP, but at least one readiness indicator could lead to the preparation of a mature IRP. Implementation of secure undertakings and information processes requires the use of modern information and communication technologies, incident response processes, and other modules that could enhance support for decision-making processes in management. Constructing these solutions requires a systematic approach to the related issues.
The authors highlight that building efficient incident response approaches in management to improve cyber maturity will begin with infrastructure and people factors.

Details

Digital Transformation, Strategic Resilience, Cyber Security and Risk Management
Type: Book
ISBN: 978-1-80455-254-4

Article
Publication date: 16 October 2023

Miguel Calvo and Marta Beltrán

Abstract

Purpose

This paper aims to propose a new method to derive custom dynamic cyber risk metrics based on the well-known Goal, Question, Metric (GQM) approach. A framework that complements it and makes it much easier to use has been proposed too. Both the method and the framework have been validated within two challenging application domains: continuous risk assessment within a smart farm and risk-based adaptive security to reconfigure a Web application firewall.

Design/methodology/approach

The authors have identified a problem and provided motivation. They have developed their theory and engineered a new method and a framework to complement it. They have demonstrated that the proposed method and framework work, validating them in two real use cases.

Findings

The GQM method, often applied within the software quality field, is a good basis for proposing a method to define new tailored cyber risk metrics that meet the requirements of current application domains. A comprehensive framework that formalises possible goals and questions translated to potential measurements can greatly facilitate the use of this method.

Originality/value

The proposed method enables the application of the GQM approach to cyber risk measurement. The proposed framework allows new cyber risk metrics to be inferred by choosing between suggested goals and questions and measuring the relevant elements of probability and impact. The authors’ approach proves to be generic and flexible enough to allow very different organisations with heterogeneous requirements to derive tailored metrics useful for their particular risk management processes.

Details

Information & Computer Security, vol. 32 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 8 July 2014

Issa Atoum, Ahmed Otoom and Amer Abu Ali

Abstract

Purpose

The purpose of this paper is to propose a holistic cyber security implementation framework (HCS-IF) that lays out the ground for a conceptual, coherent, systematic, overarching and consolidated approach to implement cyber security strategies (CSSs).

Design/methodology/approach

The HCS-IF is conceptually proposed to address the actual needs extracted from the literature review. The HCS-IF uses and integrates a set of high-level conceptual security controls, solutions, processes, entities, tools, techniques or mechanisms that are already known in the domains of information security management, software engineering and project management to address the identified needs.

Findings

The HCS-IF components and controls collectively interact and cooperate to implement CSSs. The proposed framework is compared with other related frameworks, and the results show that the HCS-IF outperforms other frameworks on most of the suggested comparison criteria.

Originality/value

From a practical standpoint, governments and practitioners alike stand to gain from the findings of this research. Governments that want to implement CSSs on a national level will find the proposed framework useful in overseeing cyber security implementation. Practitioners will be prepared to address the anticipated cyber security implementation challenges and the controls needed to facilitate cyber-security implementation in a holistic, overarching manner.

Details

Information Management & Computer Security, vol. 22 no. 3
Type: Research Article
ISSN: 0968-5227
