Search results

For many innovative organisations, Industry 4.0 paves the way for significant operational efficiencies, quality of goods and services and cost reductions. One of the ways to realise these benefits is to embark on digital transformation initiatives that may be summed up as the intelligent interconnectivity of people, processes, data and cyber-connected things. Sadly, this interconnectivity between the enterprise information technology (IT) and industrial control systems (ICS) environment introduces new attack surfaces for critical infrastructure (CI) operators. As a result of the ICS cybersecurity risk introduced by the interconnectivity between the enterprise IT and ICS networks, the purpose of this study is to identify the cybersecurity capabilities that CI operators must have to attain good cybersecurity resilience.

A scoping literature review of best practice international CI protection frameworks, standards and guidelines were conducted. Similar cybersecurity practices from these frameworks, standards and guidelines were grouped together under a corresponding National Institute of Standards and Technology (NIST) cybersecurity framework (CF) practice. Practices that could not be categorised under any of the existing NIST CF practices were considered new insights, and therefore, additions.

A CI cybersecurity capability framework comprising 29 capability domains (cybersecurity focus areas) was developed as an adaptation of the NIST CF with an added dimension. This added dimension emphasises cloud computing and internet of things (IoT) security. Each of the 29 cybersecurity capability domains is executed through various capabilities (cybersecurity processes and procedures). The study found that each cybersecurity capability can further be operationalised by a set of cybersecurity controls derived from various frameworks, standards and guidelines, such as COBIT®, CIS®, ISA/IEC 62443, ISO/IEC 27002 and NIST Special Publication 800-53.

CI sectors are immediately able to adopt the CI cybersecurity capability framework to evaluate their levels of resilience against cyber-attacks, given new attack surfaces introduced by the interconnectivity of cyber-connected things between the enterprise and ICS levels.

The authors present an added dimension to the NIST framework for CI cyber protection. In addition to emphasising cryptography, IoT and cloud computing security aspects, this added dimension highlights the need for an integrated approach to CI cybersecurity resilience instead of a piecemeal approach.

The purpose of this paper is to help companies address the problem of ever-increasing cybersecurity investment that does not produce tangible business value – this is achieved by explaining the relationship between cybersecurity and competitive advantage.

The impact of cybersecurity on competitive advantage was explored through a qualitative research study – the authors conducted an extensive literature review and conducted two rounds of semi-structured interviews with executives and security professionals from companies in four countries, from the financial, IT and security industries.

The analysis of the findings enabled the conceptualization of the Cybersecurity Competitive Advantage Model that explains how to build up cybersecurity dynamic capabilities to achieve long-term competitive advantage.

The research presents the theorization of the model based on an extensive literature review, gathered information, insight from qualified respondents and the authors’ experience in the field. While we controlled for saturation and rigorously collected and analyzed the data, the inductive approach followed may limit the generalizability of the findings.

The proposed model helps explain to executives how to differentiate their company in a novel way and how to retain that competitive advantage; security professionals can use the model to organize cybersecurity and communicate to their superiors more effectively.

The presented model differs from existing literature, cybersecurity frameworks and industry standards by presenting a method of avoiding technological bias and for achieving competitive advantage.

This study aims to assess the essential elements of internal organisational capability that influence the cybersecurity effectiveness of a construction firm. An extended McKinsey 7S model is used to analyse the relationship between a construction firm's cybersecurity effectiveness and nine internal capability elements: shared values, strategy, structure, systems, staff, style, skills, relationships with third parties and regulatory compliance.

Based on a quantitative research strategy, this study collected data through a cross-sectional survey of professionals working in the construction sector in the United Kingdom (UK). The collected data was analysed using descriptive and inferential statistical methods.

The findings underlined systems, regulatory compliance, staff and third-party relationships as the most significant elements of internal organisational capability influencing a construction firm's cybersecurity effectiveness, organised in order of importance.

Future research possibilities are proposed including the extension of the proposed diagnostic model to consider additional external factors, examining it under varying industrial relationship conditions and developing a dynamic framework that helps improve cybersecurity capability levels while overseeing execution outcomes to ensure success.

The extended McKinsey 7S model can be used as a diagnostic tool to assess the organisation's internal capabilities and evaluate the effectiveness of implemented changes. This can provide specific ways for construction firms to enhance their cybersecurity effectiveness.

This study contributes to the field of cybersecurity in the construction industry by empirically assessing the effectiveness of cybersecurity in UK construction firms using an extended McKinsey 7S model. The study highlights the importance of two additional elements, third-party relationships and construction firm regulatory compliance, which were overlooked in the original McKinsey 7S model. By utilising this model, the study develops a concise research model of essential elements of internal organisational capability that influence cybersecurity effectiveness in construction firms.

This research addresses the relationships between the current, dynamic organisational cyber risk climate, organisational cybersecurity performance and changes in cybersecurity investments, with an aim to address the hostile epistemic climate for intellectual capital management presented by the dynamics of cybersecurity as a phenomenon.

Expanding on the views of digital security and resilience as a knowledge problem, the research looks at cybersecurity as a critical capability within organisations, particularly relevant in critical infrastructure sectors. The problem is studied from the perspective of 400 C-level executives from critical infrastructure sectors across the UK. Data collected at the peak of the coronavirus disease 2019 (COVID-19) pandemic, a time when critical infrastructure organisations have been under a significant strain due to an increase in cybersecurity incidents, were analysed using partial least square structural equation modelling.

The research found a significant correlation between the board's perception of a change in their cybersecurity risk climate and patterns of both the development of cybersecurity management capabilities and cybersecurity investments. The authors also found that a positive correlation exists between the efforts placed by critical infrastructure organisations in cybersecurity training and the changes in investment in their cybersecurity, particularly in relation to their intellectual capital development efforts.

To the best of the authors’ knowledge, this is the first paper that explores the board's perception of cybersecurity in critical infrastructure organisations both from the intellectual capital perspective and in the dynamic cyber risk climate derived from the COVID-19 crisis. The authors’ findings expand on the growing perception of cybersecurity as a knowledge problem, and thus inform future research and practice in the domain of intellectual capital management and its role in supporting the cybersecurity and digital resilience of business and society.

This paper aims to present the evaluation of a self-paced tool, CyberSecurity Coach (CYSEC), and discuss the adoption of CYSEC for cybersecurity capability improvement in small- and medium-sized enterprises (SMEs). Cybersecurity is increasingly a concern for SMEs. Previous literature has explored the role of tools for awareness raising. However, few studies validated the effectiveness and usefulness of cybersecurity tools for SMEs in real-world practices.

This study is built on a qualitative approach to investigating how CYSEC is used in SMEs to support awareness raising and capability improvement. CYSEC was placed in operation in 12 SMEs. This study first conducted a survey study and then nine structured interviews with chief executive officers (CEOs) and chief information security officers (CISO).

The results emphasise that SMEs are heterogeneous. Thus, one cybersecurity solution may not suit all SMEs. The findings specify that the tool’s adoption varied quite widely. Four factors are primary determinants influencing the adoption of CYSEC: personalisation features, CEOs’ or CISOs’ awareness level, CEOs’ or CISOs’ cybersecurity and IT knowledge and skill and connection to cybersecurity expertise.

This empirical study provides new insights into how a self-paced tool has been used in SMEs. This study advances the understanding of cybersecurity activities in SMEs by studying the adoption of CYSEC. Moreover, this study proposes significant dimensions for future research.

As cyber-attacks continue to grow, organisations adopting the internet-of-things (IoT) have continued to react to security concerns that threaten their businesses within the current highly competitive environment. Many recorded industrial cyber-attacks have successfully beaten technical security solutions by exploiting human-factor vulnerabilities related to security knowledge and skills and manipulating human elements into inadvertently conveying access to critical industrial assets. Knowledge and skill capabilities contribute to human analytical proficiencies for enhanced cybersecurity readiness. Thus, a human-factored security endeavour is required to investigate the capabilities of the human constituents (workforce) to appropriately recognise and respond to cyber intrusion events within the industrial control system (ICS) environment.

A quantitative approach (statistical analysis) is adopted to provide an approach to quantify the potential cybersecurity capability aptitudes of industrial human actors, identify the least security-capable workforce in the operational domain with the greatest susceptibility likelihood to cyber-attacks (i.e. weakest link) and guide the enhancement of security assurance. To support these objectives, a Human-factored Cyber Security Capability Evaluation approach is presented using conceptual analysis techniques.

Using a test scenario, the approach demonstrates the capacity to proffer an efficient evaluation of workforce security knowledge and skills capabilities and the identification of weakest link in the workforce.

The approach can enable organisations to gain better workforce security perspectives like security-consciousness, alertness and response aptitudes, thus guiding organisations into adopting strategic means of appropriating security remediation outlines, scopes and resources without undue wastes or redundancies.

This paper demonstrates originality by providing a framework and computational approach for characterising and quantify human-factor security capabilities based on security knowledge and security skills. It also supports the identification of potential security weakest links amongst an evaluated industrial workforce (human agents), some key security susceptibility areas and relevant control interventions. The model and validation results demonstrate the application of action research. This paper demonstrates originality by illustrating how action research can be applied within socio-technical dimensions to solve recurrent and dynamic problems related to industrial environment cyber security improvement. It provides value by demonstrating how theoretical security knowledge (awareness) and practical security skills can help resolve cyber security response and control uncertainties within industrial organisations.

This study aims to determine the impacts of the Bahrain Government framework [cyber-trust program (CTP)] on the cybersecurity maturity of government entities and how the CTP can impact the cybersecurity of government entities in the Kingdom of Bahrain.

The authors used a quantitative and qualitative approach. The data were collected by conducting semi-structured interviews with the information technology experts in the Bahrain Government entities participating in the CTP. Also, quantitative data was obtained through a questionnaire distributed to relevant people in the information technology field.

The findings of this study suggest that the CTP had a significant impact on the cybersecurity assurance of the government entities that participated in the CTP; it increased the employees’ awareness, reduced the number of cyberattacks and optimized the available resources. The findings also highlighted the role of top management in the success of the implementation of the CTP. The results also ensure that the CTP’s maturity model affected the cybersecurity compliance of an organization and the implementation of cybersecurity policies and controls.

This study enhances cybersecurity researchers’ and practitioners’ understanding of the impact of the CTP and its components and evaluates its influence on Bahrain’s cybersecurity assurance.

This study implies that to achieve better cybersecurity, managers should focus on implementing the policies and controls provided by cybersecurity frameworks to enhance cybersecurity assurance.

Industry 4.0 refers to the interconnection of cyber-physical systems, which connects the physical and digital worlds by collecting digital data from physical objects/processes, and using this data to drive automation and optimisation. Digital technologies used in this revolution gather and handle massive volumes of high-velocity streams while automating field operations and supply chain activities. Cybersecurity is a complicated process that helps sort out various hacking issues of Industry 4.0. This purpose of this paper is to provide an overview on cybersecurity and its major applications for Industry 4.0.

The rise of Industry 4.0 technologies is changing how machines and associated information are obtained to evaluate the data contained within them. This paper undertakes a comprehensive literature-based study. Here, relevant research papers related to cybersecurity for Industry 4.0 are identified and discussed. Cybersecurity results in high-end products, with faster and better goods manufactured at a lesser cost.

Artificial intelligence, cloud computing, internet of things, robots and cybersecurity are being introduced to improve the Industry 4.0 environment. In the starting, this paper provides an overview of cybersecurity and its advantages. Then, this study discusses technologies used to enhance the cybersecurity process. Enablers, progressive features and steps for creating a cybersecurity culture for Industry 4.0 are discussed briefly. Also, the research identified the major cybersecurity applications for Industry 4.0 and discussed them. Cybersecurity is vital for better data protection in many businesses and industrial control systems. Manufacturing is getting more digitised as the sector embraces automation to a more significant level than ever before.

This paper states about Industry 4.0 and the safety of multiple business process systems through cybersecurity. A significant issue for Industry 4.0 devices, platforms and frameworks is undertaken by cybersecurity. Digital transformation in the Industry 4.0 era will increase industrial competitiveness and improve their capacity to make optimum decisions. Thus, this study would give an overview of the role of cybersecurity in the effective implementation of Industry 4.0.