Search results

Various organizational landscapes have evolved to improve their business processes, increase production speed and reduce the cost of distribution and have integrated their Internet with small and medium scale enterprises (SMEs) and third-party vendors to improve business growth and increase global market share, including changing organizational requirements and business process collaborations. Benefits include a reduction in the cost of production, online services, online payments, product distribution channels and delivery in a supply chain environment. However, the integration has led to an exponential increase in cybercrimes, with adversaries using various attack methods to penetrate and exploit the organizational network. Thus, identifying the attack vectors in the event of cyberattacks is very important in mitigating cybercrimes effectively and has become inevitable. However, the invincibility nature of cybercrimes makes it challenging to detect and predict the threat probabilities and the cascading impact in an evolving organization landscape leading to malware, ransomware, data theft and denial of service attacks, among others. The paper explores the cybercrime threat landscape, considers the impact of the attacks and identifies mitigating circumstances to improve security controls in an evolving organizational landscape.

The approach follows two main cybercrime framework design principles that focus on existing attack detection phases and proposes a cybercrime mitigation framework (CCMF) that uses detect, assess, analyze, evaluate and respond phases and subphases to reduce the attack surface. The methods and implementation processes were derived by identifying an organizational goal, attack vectors, threat landscape, identification of attacks and models and validation of framework standards to improve security. The novelty contribution of this paper is threefold: first, the authors explore the existing threat landscapes, various cybercrimes, models and the methods that adversaries are deploying on organizations. Second, the authors propose a threat model required for mitigating the risk factors. Finally, the authors recommend control mechanisms in line with security standards to improve security.

The results show that cybercrimes can be mitigated using a CCMF to detect, assess, analyze, evaluate and respond to cybercrimes to improve security in an evolving organizational threat landscape.

The paper does not consider the organizational size between large organizations and SMEs. The challenges facing the evolving organizational threat landscape include vulnerabilities brought about by the integrations of various network nodes. Factor influencing these vulnerabilities includes inadequate threat intelligence gathering, a lack of third-party auditing and inadequate control mechanisms leading to various manipulations, exploitations, exfiltration and obfuscations.

Attack methods are applied to a case study for the implementation to evaluate the model based on the design principles. Inadequate cyber threat intelligence (CTI) gathering, inadequate attack modeling and security misconfigurations are some of the key factors leading to practical implications in mitigating cybercrimes.

There are no social implications; however, cybercrimes have severe consequences for organizations and third-party vendors that integrate their network systems, leading to legal and reputational damage.

The paper’s originality considers mitigating cybercrimes in an evolving organization landscape that requires strategic, tactical and operational management imperative using the proposed framework phases, including detect, assess, analyze, evaluate and respond phases and subphases to reduce the attack surface, which is currently inadequate.

The frequent and increasingly potent cyber-attacks because of lack of an optimal mix of technical as well as non-technical IT controls has led to increased adoption of security governance controls by organizations. The purpose of this paper, thus, is to construct and empirically validate an information security governance (ISG) process model through the plan–do–check–act (PDCA) cycle model of Deming.

This descriptive research using an interpretive paradigm follows a qualitative methodology using expert interviews of five respondents working in the ISG domain in United Arab Emirates (UAE) to validate the theoretical model.

The findings of this paper suggest the primacy of the PDCA Deming cycle for initiating ISG through a risk-based approach assisted by industry-wide best practices in ISG. Regarding selection of ISG frameworks, respondents preferred to have ISO 27K supported by NIST as the core framework with other relevant ISG frameworks/standards forming the peripheral layer. The implementation focus of the ISG model is on mapping ISO 27K/NIST IT controls relevant IT controls selected from ISG frameworks from a horizontal and vertical perspective. Respondents asserted the automation of measurement and control mechanism through automation to assist in the feedback loop of the PDCA cycle.

The validated model helps academics and practitioners gain insight into the methodology of the phased implementation of an information systems governance process through the PDCA model, as well as the positioning of ITG and ITG frameworks in ISG. Practitioners can glean valuable insights from the empirical section of the research where experts detail the success factors, the sequential steps and justification of these factors in the ISG implementation process.

Purpose: Small and medium enterprises (SMEs) are the most significant contributors to maximum employment generation, the gross domestic product (GDP) of many countries, and the overall global economy. It is also evident that cyber threats are becoming a big challenge for SMEs, which is directly impacting global economy.

Methodology: Existing research inputs were accessed to understand current cyber threats for SMEs and their cybersecurity posture. Additionally, this research has collected the latest insights by taking direct inputs from SMEs and conducting a well-designed research survey. It has provided a few direct inputs to designing solutions for the SME segment. For analysis and recommendations, cybersecurity best practices and core cybersecurity concepts are considered at the centre of the solution.

Findings: Implementing existing cybersecurity standards or frameworks is not easy for SMEs, as they generally have limited resources and different priorities for their business when it comes to the implementation of any cybersecurity controls. Currently, many cybersecurity standards are not able to support the implementation of business domain-specific controls.

Practical implications: Along with the research findings shared in this chapter, as a resolution to the problems faced by SMEs, the authors will propose a new framework as a solution. This framework is designed using core concepts of cybersecurity such as confidentiality, integrity, and availability (CIA triad) as well as defence in depth (DiD) mechanisms in each layer of organisation. The authors will also share a high-level idea about how reliable artificial intelligence-based software can help identify recommended controls for particular SMEs.

Modernized information systems (IS) have brought enterprises not only enormous benefits, but also linked information threats. Most enterprises solve their IS security‐related problems using technical means alone, and focus on technical rather than managerial controls, which may imply potential crises. This study examines whether the security preparation of firms matches the severity of IS threats they perceive in developing countries, especially in issues concerning “people” and “administration”. Additionally, this study discusses appropriate threat mitigation strategies for the four sectors as well.

Using an empirical study, this study explores the past and current concerns of IS threats of firms in different industries, and the countermeasures prepared by them to protect themselves from such threats. The empirical data was provided by 109 Taiwanese enterprises from four sectors.

The analytical results revealed the differences in both the IS threats concerned and the security scopes prepared among the four sectors. Moreover, the preparation scopes were not commensurate with the perceived severity of threats. All four industries rated the network as posing the strongest threat, following regulation and personnel issues, while among the countermeasures in use, these three issues have larger application deficiencies.

This study concludes that the firms do not well prepare themselves against IS threats entailed to non‐technical administration issues and discusses appropriate threat mitigation strategies for the four sectors. Specifically, firms should be aware of IS threats to their business and prepare suitable security protections.

For many innovative organisations, Industry 4.0 paves the way for significant operational efficiencies, quality of goods and services and cost reductions. One of the ways to realise these benefits is to embark on digital transformation initiatives that may be summed up as the intelligent interconnectivity of people, processes, data and cyber-connected things. Sadly, this interconnectivity between the enterprise information technology (IT) and industrial control systems (ICS) environment introduces new attack surfaces for critical infrastructure (CI) operators. As a result of the ICS cybersecurity risk introduced by the interconnectivity between the enterprise IT and ICS networks, the purpose of this study is to identify the cybersecurity capabilities that CI operators must have to attain good cybersecurity resilience.

A scoping literature review of best practice international CI protection frameworks, standards and guidelines were conducted. Similar cybersecurity practices from these frameworks, standards and guidelines were grouped together under a corresponding National Institute of Standards and Technology (NIST) cybersecurity framework (CF) practice. Practices that could not be categorised under any of the existing NIST CF practices were considered new insights, and therefore, additions.

A CI cybersecurity capability framework comprising 29 capability domains (cybersecurity focus areas) was developed as an adaptation of the NIST CF with an added dimension. This added dimension emphasises cloud computing and internet of things (IoT) security. Each of the 29 cybersecurity capability domains is executed through various capabilities (cybersecurity processes and procedures). The study found that each cybersecurity capability can further be operationalised by a set of cybersecurity controls derived from various frameworks, standards and guidelines, such as COBIT®, CIS®, ISA/IEC 62443, ISO/IEC 27002 and NIST Special Publication 800-53.

CI sectors are immediately able to adopt the CI cybersecurity capability framework to evaluate their levels of resilience against cyber-attacks, given new attack surfaces introduced by the interconnectivity of cyber-connected things between the enterprise and ICS levels.

The authors present an added dimension to the NIST framework for CI cyber protection. In addition to emphasising cryptography, IoT and cloud computing security aspects, this added dimension highlights the need for an integrated approach to CI cybersecurity resilience instead of a piecemeal approach.

This paper aims to explore the evolution of a trend in which countries are developing or adopting cybersecurity implementation frameworks that are intended to be used nationally. This paper contrasts the cybersecurity frameworks that have been developed in three countries, namely, Australia, UK and USA.

The paper uses literature review and qualitative document analysis for the study. The paper developed and used an assessment matrix as its coding protocol. The contents of the three cybersecurity frameworks were then scored to capture the degree to which they covered the themes/items of the cybersecurity assessment matrix.

The analysis found that the three cybersecurity frameworks are oriented toward the risk management approach. However, the frameworks also had notable differences with regard to the security domains that they cover. For example, one of the frameworks did not offer guidelines with regard to what to do to respond to attacks or to plan for recovery.

The results of this study are beneficial to policymakers in the three countries targeted, as they are able to gain insights about how their cybersecurity frameworks compares to those of the other two countries. Such knowledge would be useful as decision-makers take steps to improve their existing frameworks. The results of this study are also beneficial to executives who have branches in all three countries. In such cases, security professionals could deploy the most comprehensive framework across all three countries and then extend the deployment in each location to meet country-specific requirements.

This paper proposes a holistic, proactive and adaptive approach to cybersecurity from a service lens, given the continuously evolving cyber-attack techniques, threat and vulnerability landscape that often overshadow existing cybersecurity approaches.

Through an extensive literature review of relevant concepts and analysis of existing cybersecurity frameworks, standards and best practices, a logical argument is made to produce a dynamic end-to-end cybersecurity service system model.

Cyberspace has provided great value for businesses and individuals. The COVID-19 pandemic has significantly motivated the move to cyberspace by organizations. However, the extension to cyberspace comes with additional risks as traditional protection techniques are insufficient and isolated, generally focused on an organization's perimeter with little attention to what is out there. More so, cyberattacks continue to grow in complexity creating overwhelming consequences. Existing cybersecurity approaches and best practices are limited in scope, and implementation strategies, differing in strength and focus, at different levels of granularity. Nevertheless, the need for a proactive, adaptive and responsive cybersecurity solution is recognized.

This paper presents a model that promises proactive, adaptive and responsive end-to-end cybersecurity. The proposed cybersecurity continuity and management model premised on a service system, leveraging on lessons learned from existing solutions, takes a holistic analytical view of service activities from source (service provider) to destination (Customer) to ensure end-to-end security, whether internally (within an organization) or externally.

This paper aims to report on a study that aimed at analyzing the relationships between information security and records management (RM), both as programs/functions established in organizations. Similar studies were not found in relevant literature.

The study used the classic grounded theory methodology. Pursuing the general curiosity about the information security-RM relationship in organizations, the study selected the United States (US) Federal Government as its field of entrance and followed the process of the classic grounded theory methodology that starts from the letting of the emergence of the research question to the formulation of a substantive theory that answered the question.

On the emergent question that why, despite the legislative establishment of agency RM programs and the use of the term records in their work, the US Federal Government information security community considered RM a candidate for deletion (CFD), the study coded the truncated application of the encompassing definition of records as the underlying reason. By this code, along with its three properties, i.e. limitations by the seemingly more encompassing coverage of information, insufficient legislative/regulatory support and the use of the terms of evidence and preservation in the records definition, the CFD consideration and the associated phenomena of unsound legislative/regulatory conceptualization, information shadow, information ignorance and archival shadow were explained.

The study results suggested the data for subsequent theoretical sampling to be the operational situations of individual agency RM programs.

The rationale presented in the study regarding the encompassing nature of records and the comprehensive scope of RM program can be used for building strong RM business cases.

The study appears to be the first of its kind, which examined the RM–information security relationship in a very detailed setting.