Journal of Applied Security Research
Journal homepage: https://www.tandfonline.com/loi/wasr20

A Conceptual Model for Cybersecurity Governance
Salifu Yusif (a) and Abdul Hafeez-Baig (b)

To cite this article: Salifu Yusif & Abdul Hafeez-Baig (2021): A Conceptual Model for Cybersecurity Governance, Journal of Applied Security Research, DOI: 10.1080/19361610.2021.1918995
To link to this article: https://doi.org/10.1080/19361610.2021.1918995
Published online: 10 May 2021.

(a) BELA, School of Management and Enterprise, University of Southern Queensland, Australia
(b) School of Management and Enterprise, University of Southern Queensland, Toowoomba QLD, Australia

ABSTRACT
Cybersecurity is a growing problem associated with everything an individual or an organization does that is facilitated by the Internet. It is a multi-faceted problem that can be addressed by cybersecurity governance. However, research has shown that many organizations face at least five basic cybersecurity challenges. In this study, we develop a model for effective cybersecurity governance intended to address these challenges, conceptualized as factors that must be continuously measured and evaluated. They are: (1) cybersecurity strategy; (2) standardized processes; (3) compliance; (4) senior leadership oversight; and (5) resources.

KEYWORDS: Cybersecurity; cybersecurity governance; cybersecurity strategy; cybersecurity risk; cybersecurity compliance

Introduction

Cybersecurity is a growing problem associated with everything an individual or an organization does that is facilitated by the Internet.
It is a high-risk problem and must be treated as such, given the highly unpredictable nature of when, how, where and by whom threats may arise. Digital threats are constantly changing in their mode of operation, and cybersecurity management strategies should likewise be equally flexible in their operation and choice of strategy (Ellis & Mohan, 2019). One key aspect of cybersecurity is knowledge of risks, even where no evasive action follows. Cybersecurity is the “collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets” (ITU, 2008, p. 2). More broadly speaking, “[cybersecurity] is the measures taken to protect network systems and their data against attacks or intrusions” (Scala et al., 2019, p. 2119). Cybersecurity encompasses all the reactive and proactive actions undertaken to ensure information systems assets are secured and available to authorized persons only. Fundamentally, the phenomenon of cybersecurity in any organization can be divided into two factors: technical factors, which are the first line of defence, and non-technical human factors, which include behavioral human factors and organizational culture, the latter being predominantly managerial (Pullin, 2018). This matters because “when employees are aware of their company’s information security policies and procedures, they are more competent to manage cybersecurity tasks than those who are not aware of their companies’ cybersecurity policies” (Li et al., 2019).

CONTACT: Salifu Yusif, salifusf5@gmail.com, BELA, School of Management and Enterprise, University of Southern Queensland, 37 Sinnathamby Blvd, Springfield Central QLD 4300, Australia. © 2021 Taylor & Francis Group, LLC
The cyber risks associated with successful and unsuccessful incidents, and their impact on enterprise value, go beyond immediate financial cost and damage to corporate reputation (Baror & Venter, 2019; Roskot et al., 2020; Sabillon et al., 2016; Smith et al., 2019), and are enough to warrant the attention of top management and governance. This has awakened regulators’ interest in the participation of executive-level management in cyber risk management, because of its implications (Nolan et al., 2019). However, the exact definition of cybersecurity is contested and continually evolving. The canonical understanding of cybersecurity is that it is the sole responsibility of the chief information security officer or the information and communication technology (ICT) department, despite the far-reaching implications of any cyberattack. This view has since shifted to include every facet of an organization: cybersecurity now implies securing devices, data and networks at all levels, making it the responsibility of the organization as a whole. The emerging active participation of governing bodies across all industry levels is a clear indication that enterprise-wide digital transformation has come to dominate the agenda of many organizations as they move toward macro-level business risk management (Siebel, 2017). “Digital transformation is about sweeping change. It changes everything about how products are designed, manufactured, sold, delivered, and serviced—and it forces CEOs to rethink how companies execute, with new business processes, management practices, and information systems, as well as everything about the nature of customer relationships” (Siebel, 2017, p. 6). Digital transformation has compelled senior executives to rethink their cybersecurity strategy as service failures increase and the risks to corporate reputation become salient.
For example, the healthcare, power generation and transport industries have all begun paying more attention to the critical role of cybersecurity in their day-to-day operations, brand value and overall service (College of Healthcare Information Management Executives, 2018). The literature has frequently emphasized the importance of implementing cybersecurity governance to secure cyberspace and information systems. However, it is unclear what components make up effective cybersecurity governance and how these components support the overall cybersecurity strategy in securing information systems assets. In this study, we fill this gap by laying bare these components, such as cybersecurity strategy and goals and resource needs (the rest are discussed later), and how they interconnect to achieve effective cybersecurity governance. We believe the outcome of this research will contribute both to the literature and to practice in the context of effective implementation of cybersecurity governance. Theoretically, through the conceptual framework developed, the paper provides a foundation for further theory development and for testing toward validation and adoption.

Cybersecurity policies and procedures

The increased proliferation of mobile and personal digital devices, and the need for increased access to digital services through the Internet, have led to increased online engagement by employees and customers in every workplace. This situation is estimated to cost billions of dollars in lost revenue, not only through lost job productivity but also through the cost of cybersecurity incidents (Young, 2010). For example, in initiatives such as bring your own device (BYOD), employees are allowed to use their personal digital devices for work purposes. Particularly during the Covid-19 pandemic, the recent increase in remote working has led to an unprecedented number of cybersecurity attacks.
Under this hybrid working environment, the exposure of network security to vulnerabilities and cyberattacks is enormous. It will require a change in the working landscape, and measures to govern how customers, employees, contractors and other affiliates of the organization access and use corporate networks in line with policies and procedures. Due to a lack of cybersecurity understanding, a noticeable portion of employees fail to adhere to the information security policies of their organizations while underestimating the information security risks (Li et al., 2019). This stems from a lack of cybersecurity policy awareness and education (Li et al., 2019). The consequence is “human error,” responsible for more than 95 per cent of incidents according to the IBM Security Services 2014 Cyber Security Intelligence Index report (IBM, 2014). The report notes that “the most commonly recorded form of human errors include system misconfiguration, poor patch management, use of default user names and passwords or easy-to-guess passwords, lost laptops or mobile devices, and disclosure of regulated information via use of an incorrect email address” (IBM, 2014, p. 3). These are clear examples of preventable incidents caused by a lack of awareness of the risks involved. Policy “involves developing recommendations and guidelines to promote the secure operation of systems and the protection of information” (Scala et al., 2019). By the same token, policy is the broad goal statement, as opposed to procedures, which are the objectives that support the achievement of the goal statement. Procedures spell out the series of repeatable practical steps undertaken to accomplish a set goal.
As important as these policies are, they are usually not fully adopted, for reasons to do with lack of awareness and training that include, but are not limited to, the limited resources organizations can devote to cybersecurity and their misunderstanding of the status of their own cybersecurity (Madnick et al., 2016). Policy in practice is known for its frustrations, not only for non-IT employees but also for IT professionals in general cyber operations (Scala et al., 2019). For policy authority to be exercised, there needs to be understanding, support and a framework that advocates behaviors that protect and secure the confidentiality, integrity and availability of data, networks and systems for legitimate users. This must be consistent with business strategies for security, policies, procedures, technology and financial resources for security (Madnick et al., 2016).

Understanding how cybersecurity risk relates to your critical business operations

The two most common cyber risks are the risk of service/operation disruption and the risk of data breach (Murphy & Murphy, 2013; SEC, 2018). Data breaches and other known cyberattacks have been on the rise amid the increasing sophistication of both system protection resources and cyberattacks. According to the latest data retrieved on May 11, 2018 from the Privacy Rights Clearinghouse (PRC) by Wang and Johnson (2018), there had been 8,137 data breach incidents made public since 2005, with a total of 10,326,390,393 records breached. By the end of 2019, PRC records showed that between 2006 and 2019 there were a total of 9,015 data breach incidents in online retail, financial and insurance, and other businesses (PRC, 2021). As a result, senior managers in finance, insurance, education and information/communication have begun to prioritize cybersecurity, as opposed to the food and hospitality industries that do not rely heavily on information as a product (Vaidya, 2019).
Healthcare is also set to lead the list of target industries as it embraces digital transformation. Figure 1 illustrates the Equifax data breach. Abraham et al. (2019) reported a 125% increase in cyberattacks on healthcare organizations over the last six years, exposing vulnerabilities in and weaknesses of existing cybersecurity strategies. Fifty hospitals in the UK National Health Service were shut down by the WannaCry cyberattack, leading to the cancellation of 600 surgeries and 19,000 appointments (Martin et al., 2017; Morse, 2018). In 2013, Target suffered a major data breach that exposed the personal and sensitive financial information of its customers. This was in spite of its successful compliance audit for the Payment Card Industry Data Security Standard (PCI-DSS) and the successful deployment of a sophisticated malware detection tool developed by FireEye (Riley et al., 2014, in Plachkinova & Maurer, 2018).

Figure 1. The Equifax data breach. Source: Wang and Johnson (2018).

The Chairman, President and CEO of Target, Greg Steinhafel, apologized for the massive data breach in which cybercriminals gained access to Target’s systems and to the credit card data of some 40 million customers (Pigni et al., 2018). Elsewhere, in 2015, the Interstate Technology and Regulatory Council (ITRC) identified 781 breaches that collectively exposed 169 million records, a 63.8 per cent increase in six years and a staggering 768 per cent increase in a decade (ITRC, 2016). Healthcare organizations have witnessed a more than 125% increase in cyberattacks within a five-year period. For example, a hospital in Los Angeles paid a $17,000 Bitcoin ransom to the attacker of its systems, against an initial demand of $3.6 million (Kaminski et al., 2017). Incidents such as these compel businesses and executives to devise cybersecurity strategies that account for and accommodate the increase in cyberattacks.
For example, the cloud and its global accessibility provide a new frontier for cybersecurity, as sensitive data is now available from anywhere in the world, giving rise to new security concerns in the context of data leaks (Murphy & Murphy, 2013).

Cybersecurity compliance

Organizations have invested in sophisticated technical systems to battle cybersecurity problems. However, the current industry response has not been sufficient for the overall protection of systems and data (Li et al., 2019), a challenge usually attributed to compliance with cybersecurity policies and procedures. There is sufficient evidence to this effect; see, for example, Al-Sharidah et al. (2020), Dankwa (2020), Gundu (2019) and Posey and Canham (2018). This behavior not only lowers overall employee productivity but also exposes organizations’ information systems assets to cyberattack. For example, the American Management Association (AMA) estimated that a third of companies in the US monitor the website connections of their employees out of concern about inappropriate use of the Internet that could jeopardize the cybersecurity interests of the company (American Management Association, 2008). Unlike technical solutions, human factor solutions to cyberattacks are psychological and cognitive-based and draw on heterogeneous factors. Jackson (2017) identified four major noncompliance themes relevant to insiders, namely pressure, rationalization and opportunity, drawing on the fraud triangle (Cressey, 1973), and posits that cybersecurity policy compliance is largely influenced by the type of leadership. For example, dark leadership (a general leadership behavior that causes harm to individuals on the leader’s team) creates pressure that leads to demoralized behaviors that invoke revenge or damage, as with psychopathic or harming leadership traits (Fehr et al., 2015; Mathieu et al., 2014).
Farahmand and Spafford (2013) related insider pressure to financial problems; their discussion captures a self-interested drive to violate ascribed obligations, to recover from personal failures, employer-employee relations, business reversals and physical isolation. For example, the authors posit that insiders must first notice an opportunity to commit a crime, buttressed by a position of trust and technical skills. An insider, in the context of cybersecurity, is a threat to an organization’s cybersecurity from people within the organization, such as employees. Insiders motivated by opportunity make decisions based on the “wrongs” others do; for example, they become dishonest when they see dishonest peers. In the context of rationalization, insiders coalesce around self-justifications that normalize and accept wrongs as “ok,” viewing themselves as non-criminals and reconciling immorality with justification (Farahmand & Spafford, 2013). Some insiders are made within and by their organizations; others are self-made. Beyond the making of insiders lies the challenge of understanding the impact of organizational factors on employees and taking corrective action. In addition to the consequences of leadership for employee behavior and cybersecurity policy noncompliance, there is a body of evidence suggesting that organizational leaders themselves question the usefulness of cybersecurity policies (McCollum, 2015). For example, 33 per cent of businesses lack a cybersecurity policy, and businesses in a similar context allocate only limited budgets to cybersecurity (Underwood, 2015). Again, the 2016 Global State of Information Security Survey found that 76 per cent of respondents did not increase cybersecurity budgets notwithstanding their knowledge of the cybersecurity threat posed by insiders to business operations and revenues (Jackson, 2017).
As with employees, the value of compliance may not have been made clear to, or sold well to, management leadership and decision makers. One answer could be that “many executives are rightly frustrated about paying huge and growing compliance costs without seeing clear benefits” (Chen & Soltes, 2018). It is clear that supervisors must be role models who exhibit a positive attitude toward information and cybersecurity policies in order to motivate others. Cybersecurity policy developers in organizations have proposed policy-compliance actions but have been criticized for lacking empirical validation of their ability to improve employees’ adherence to cybersecurity policies, a gap that needs to be addressed for such measures to be adopted by practitioners (Siponen et al., 2010). In other words, organizations have not been effective at designing policy compliance measurement tools, partly due to the poor evidence on the role of attitude in cybersecurity. Chen and Soltes (2018) also note that relevant compliance measurement tools have the potential to prompt and drive the creation of more effective programs, with the goal not merely of getting employees to understand policies and procedures but also of reinforcing noncompliance as unacceptable behavior. Whilst achieving 100% compliance with policies and procedures may sound too ambitious, Page and Page (2000) contend that it is possible under the right circumstances, namely circumstances that not only enable successful completion of policy compliance training programs but also provide post-training support. For example, several existing cybersecurity training and awareness programs and interventions have been found to lack the motivation needed for participation in security awareness programs (Gross, 2018; Kostadinov, 2018), as well as being un-updated and repetitive (Adams, 2018).
Other programs fall victim to a one-size-fits-all philosophy not tailored to solving specifically identified noncompliance challenges (Winkler, 2018). There is also the problem of uninteresting compliance training programs, which may involve watching long, outdated videos that lack interactivity (Adams, 2018). Page and Page (2000) offered that organizations should strive to lay down standards for acceptable compliance levels, the highest being “Six Sigma,” or 99.99966% compliance. Standards do not work in isolation; they must be integrated into existing systems and processes. This needs to be seen in the “organizations’ mission and vision statement as a commitment of management to the policies and procedures infrastructure and the goals and objectives of the policies procedures department” (p. v). In fact, there needs to be a shift from a compliance-based approach to a strategic one, that is, governance.

Cyber risk and governance

Cyber risk and cyber risk management remain high on the agenda of company executives, who must ensure that they understand the risks and have the right resources to respond to and manage cybersecurity risks as they unfold (Camillo, 2017). Cyber risk is the likelihood of exposure to, or loss from, a cyberattack on the information systems of an enterprise. Better still, RSA defined cyber risk as the “potential of loss or harm related to technical infrastructure or the use of technology within an organization” (RSA, 2016). According to PwC, “Cyber risk is any risk associated with financial loss, disruption or damage to the reputation of an organization from failure, unauthorized or erroneous use of its information systems” (PWC, 2017). Common to all three definitions is loss in finance, reputation and post-attack opportunities. On the one hand, RSA expounds that cyber risk revolves around intent, that is, a hacker or attacker acting to deliberately compromise sensitive information.
On the other hand, potential unintentional exposure and attacks arising from human factors such as user error also pose a security risk. These sources of risk could be internal, external or both. In fact, everyone is a source of cyber risk. With this understanding of the sources of cyber risk, the question that follows is: how is cyber risk managed? Conventionally, the technical and IT department deals with end-to-end management of information systems and security problems. More recently, however, the composition of those responsible for cybersecurity and cyber risk has widened to include non-technical staff and the C-suite. Thus the responsibility for cybersecurity falls not just on the day-to-day desk worker but also on the influencers and decision makers in an organization (Donaire, 2018; RSA, 2016). Cybersecurity must be ingrained in the culture of the organization, implicitly making cybersecurity a top, organization-wide agenda item. RSA (2016) quoted Deloitte Advisory Cyber Risk Services as adding that, for many organizations, becoming truly resilient to cyberattacks requires more than incremental improvements. It requires organizational transformation that broadens the scope of involvement at the top of the organization and instils a focus on business risk rather than technology controls. It requires the ability to focus investments on mitigating likely outcomes, based on a broad understanding of attacker motives and the ability to anticipate high-impact scenarios. It requires good risk governance and an understanding of how individuals make decisions, as a motivation for superior decision-making (Scala et al., 2019). Governance is a set of responsibilities exercised by those responsible for an enterprise (Bodeau, 2012). Cybersecurity governance then refers to the aspect of enterprise governance that addresses risks associated with cybersecurity with a strategic focus.
This implies that organizations must ensure that data security is part of their strategic plan (Pullin, 2018). It is the fundamental goal of corporate and cybersecurity governance, achieved through set objectives in the form of cyber policies and procedures defined by cybersecurity governance. The implication for top management is the need to understand cybersecurity (including the motives of attackers) in order to move from modes of fear and risk to gaining insight into business operations and how the latter relates to the former. The truth, however, is that when it comes to security, risk can never be totally eliminated; the closest one can get is minimization and mitigation. Many board members and top managers who make decisions on cybersecurity risk simply lack the relevant knowledge, a situation occasioned by the limited funds available to manage cybersecurity. They need to familiarize themselves with cybersecurity risk and its management, be cybersecurity-ready and keep it on their agenda. “Good cybersecurity readiness encompasses an understanding of risks and threats to assets and information relevant to the organization and its people, monitoring and detecting cybersecurity threats regularly, protecting critical systems and information, ensuring the organization meets all relevant standards compliance, has incident response plans in place in the event” (Australian Computing Society, 2016, p. 51). To keep cybersecurity on top management’s agenda, ongoing cybersecurity workshops and presentations by relevant functional managers, as well as by presenters from independent contractors, will go a long way toward keeping cybersecurity alive for top management (Donaire, 2018). Governance is characterized by discipline, transparency, independence, accountability, responsibility and fairness (Oliver & Foscarini, 2014).
As with several other studies, the findings of a study conducted by Swinton and Hedges (2019) suggest that many organizations struggle with five fundamental challenges to cybersecurity governance, namely: (1) cybersecurity strategy; (2) standardized processes; (3) enforcement and accountability; (4) senior leadership oversight; and (5) resources. We expound on these challenges to develop a conceptual framework.

Cybersecurity strategy and goals

The evolution of cybersecurity strategy continues to depend upon the continuous progress of supporting IT programs that include compliance and training (Adams & Makramalla, 2015; Boutwell, 2019; Pham et al., 2017). Cybersecurity strategy encompasses system technologies, also referred to as the technical side, and human behavior, or the human factor (Cook et al., 2017; Gyunka & Christiana, 2017; Han et al., 2017; Pham et al., 2017). An understanding of the existing and foreseeable vulnerabilities that threaten an organization’s networks, together with communication about potential threats and mitigation strategies, is crucial when developing a cybersecurity strategy. Information sharing is an important cybersecurity strategy and must be carried out safely, through secure and private information exchange, to protect proprietary information (Romero-Mariona et al., 2015). Cybersecurity governance can facilitate these requirements. Cybersecurity governance in organizations must address and clearly define its risk management guidelines and policies, its goals, and the objectives that support the achievement of those goals. It is worth noting, though, that developing a cybersecurity strategy that is not only comprehensive but also effective is difficult. A first step is recognizing the full extent of threat vectors, to pave the way for introducing the concepts of risk and threat (Chabinsky, 2010). Cybersecurity strategy must be built from the perspectives of resiliency and active cyber defence.
In other words, cybersecurity strategy should not be viewed only from a vulnerability perspective. A dynamic cybersecurity strategy is one that depends largely upon the organization securing its information and architectures using a deep awareness and understanding of the existing information, operations and communication technologies that form the basis of the enterprise environment (Lee & Lim, 2016, in Boutwell, 2019). The continuous evolution and revolution of industry technologies and IoT devices, and their adoption, usually lead to increased opportunities for system compromise and to evolving threats and risks. As such, cybersecurity strategies must be flexible enough to keep adapting to future changes, whilst being holistically reviewed to ensure relevance to workflows and organizational knowledge gaps (Ahlmeyer & Chircu, 2016; Boutwell, 2019). As a high-level document, the cybersecurity strategy establishes the roadmap for the overall maintenance and risk management plan (Swinton & Hedges, 2019). The roadmap encompasses definition of cybersecurity scope, identification of cybersecurity needs and objectives, determination of key performance indicators, resource needs, risk appetite, monitoring and evaluation, organizational culture, and the human factor. These concepts and themes are discussed below.

Defining cybersecurity scope

The early focus of cybersecurity has “switched,” metamorphosed and expanded over time into a form of risk control function and governance (Althonayan & Andronache, 2018). As businesses continue to depend on evolving and advancing technologies and the internet of things (IoT), it becomes more imperative for the individuals and groups at the helm of businesses to understand the potential extent and impact that threats, and any successful cyberattack, may have on business operations and processes (Tam & Jones, 2018).
It is a matter of acquiring the knowledge and keeping up with trends in cyber technologies, cyber actors, threats and vulnerabilities, and of understanding the nature of cyberattack processes, so as to better scope risks and threats and mitigate them effectively (Hoffmann et al., 2020). This can be done by assessing current and future technologies; “the scenarios of the following section analyze what policy changes can increase cyber-safety against a range of possible attacks and outcomes facing the evolving shipping industry” (Tam & Jones, 2018). Truly capturing the scope of cybersecurity for assessment, strategy development and implementation is important, as deviating from its true meaning affects the type of controls in place and directly impacts cybersecurity scope, derivations, meanings and, respectively, implementation (Althonayan & Andronache, 2018).

Identify cybersecurity needs and develop objectives

PACKT (2020) has outlined the various types of cybersecurity as: critical infrastructure security, network security, cloud security, application/system security, user security, and internet of things (IoT) security. To be well protected, it is essential to outline how these types of cybersecurity relate to individuals and organizations. Critical infrastructure security covers traffic lights, electricity grids, water supply systems and healthcare facilities as they become increasingly digitized; network security concerns attacks on individual and corporate networks, including denial of service (DoS); and the remaining types are cloud security, application/system security, user security, and internet of things (IoT) security. The cyber risk landscape has become too complex to manage alone; it can only be managed within a community.
Organizations need the benefit of the experience of others to identify the assets in need of protection; to identify the many, ever-changing ways in which those assets could be threatened; and to become aware of their own vulnerabilities to those threats.

Establishing key performance indicators (KPIs)

The US National Institute of Standards and Technology (NIST) has developed a framework for improving cybersecurity that organizations can use within their established systematic processes to identify, assess and manage cybersecurity risks. “Using the framework as a cybersecurity risk management tool, an organization can determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment” (NIST, 2018). According to NIST, organizations can use measures and metrics to set goals or benchmarks against which compliance can be determined. The essence of the framework is a set of key cybersecurity outcomes that are helpful in managing cybersecurity risk: identify, protect, detect, respond and recover (Boerman, 2020). The framework is also applicable throughout the life cycle phases of plan, design, build/buy, deploy, operate and decommission, keeping in mind that the plan could change during the cybersecurity lifecycle. It is important that organizations ensure that all KPIs are relevant to measuring their cybersecurity performance and gaps.

Determining resource needs

How cyber risks and counter-strategies are communicated to management leadership has a large impact on determining the resources needed, in the context of understanding risks, impact, ownership and governance (PWC, 2017). For example, quantifying the overall cost/benefit of adding connections and access to a network helps decision makers formally assess tradeoffs and set priorities given limited resources.
Cybersecurity resource availability differs with company size and industry type. Larger companies, for example, are better equipped than small ones to address cybersecurity issues (Smith & Pate-Cornell, 2018). In healthcare there is, on the one hand, a chronic shortage of healthcare providers; on the other, as digitization of the industry gains traction, concern over the susceptibility of cloud-based electronic health records (EHR) to cyberattack continues to grow (Debra Cascardo, 2016). When investing in cybersecurity resources, decision makers have to follow effective decision-making strategies, i.e., address the cybersecurity investment challenge (Fielder et al., 2016). Where applicable, a probabilistic risk analysis framework may be needed to address such investment challenges (Smith & Pate-Cornell, 2018).

Determining risk appetite

Cybersecurity risk, stated literally, does not give decision makers sufficient information to embark on a proactive risk management process. Unless risks are translated into a format or language that allows decision makers to calibrate them against their exposure and potential impact on business processes and operations, they remain a major barrier (PWC, 2017). The ability to quantify cyber risk and make informed decisions about cyber risk appetite will often be the difference between success and failure for modern enterprises (RSA, 2016). Cyber risk appetite is the level of risk an organization is prepared to tolerate. It is set by those with decision rights, or by the cybersecurity governance body, and communicated to everyone in the organization. Using the appetite as a benchmark, cyber risk can be quantified; quantification removes a large amount of ambiguity, and the influence of individual opinion and feeling, from the assessment of cyber risk (PWC, 2017).
Managing cyber risk requires integrating cyber risk management plans at C-suite level and with external partners, contractors and subcontractors (Camillo, 2017). Least mentioned in the literature are physical cyber risks, i.e., physical and environmental risks, which many risk managers ignore when discussing cyber risk (Boyes, 2015). They range from theft of tangible information system components such as servers, switches and routers to natural disasters such as floods, bush fires and tornados that disrupt the functioning of cyber equipment and physical resources (Oliver & Foscarini, 2014; Tran et al., 2016; Urciuoli & Hintsa, 2017).

Establishing continuous monitoring and evaluation

The last decade has witnessed a substantial shift in business operations from conventional brick-and-mortar, hard-copy and product-based models to online, digital, information- and virtual-based ones. The trend continues and is revolutionizing how products and services are offered in nearly every industry. With the opportunities of this shift come cybersecurity threats. A fundamental goal is "to provide near-real time security status-related information to organizational officials so they may take appropriate risk mitigation actions and make cost-effective, risk-based decisions regarding the operation of the information systems" (Malin & Van Heule, 2013). NIST defines risk monitoring as "maintaining ongoing awareness of an organization's risk environment, risk management program, and associated activities to support risk decisions" (Dempsey et al., 2012). Given the evolving nature of digitization and the continuously changing, unpredictable nature of cyberattacks, continuous monitoring is needed to stay current with both: changes in technology and changes in attacks. Only then can the deployed set of security controls be shown to remain effective over time.
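As an added example that is not part of the paper, the following Python sketch shows one way to turn the two ideas above, a quantified risk appetite and continuous rather than point-in-time testing of controls, into a monitoring loop: a baseline of control checks is run over successive configuration snapshots, failures are weighted by assumed impact, the weighted exposure is compared with the appetite the governance body set, and regressions since the previous run are reported. The controls, their weights and thresholds, the asset records and the appetite value are all constructed assumptions for demonstration, not data from any real system or standard.

```python
"""Continuous control monitoring against a stated risk appetite.

Added illustrative example, not code from the paper. The controls,
weights, thresholds and the two configuration snapshots below are all
constructed assumptions for demonstration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Control:
    name: str
    weight: int                    # assumed relative impact if the control fails (1 = low, 10 = severe)
    check: Callable[[dict], bool]  # True when the control is effective for one asset record


# Assumed control baseline; the thresholds (30-day patch window, 90-day
# backup test) are illustrative, not taken from any standard.
BASELINE: List[Control] = [
    Control("patches_current", 8, lambda a: a["days_since_patch"] <= 30),
    Control("mfa_enforced", 9, lambda a: bool(a["mfa"])),
    Control("default_creds_changed", 10, lambda a: not a["default_password"]),
    Control("backup_tested", 6, lambda a: a["days_since_backup_test"] <= 90),
]

Snapshot = Dict[str, dict]        # asset name -> observed attributes
Findings = Dict[str, List[str]]   # control name -> assets where it failed


def evaluate(snapshot: Snapshot) -> Findings:
    """Run every baseline control over every asset in one snapshot."""
    findings: Findings = {c.name: [] for c in BASELINE}
    for asset, attrs in sorted(snapshot.items()):
        for c in BASELINE:
            if not c.check(attrs):
                findings[c.name].append(asset)
    return findings


def exposure(findings: Findings, asset_count: int) -> float:
    """Weighted share of failed control checks, 0.0 (all effective) to 1.0 (all failing)."""
    worst = sum(c.weight for c in BASELINE) * asset_count
    actual = sum(c.weight * len(findings[c.name]) for c in BASELINE)
    return actual / worst if worst else 0.0


def drift(previous: Findings, current: Findings) -> Findings:
    """Regressions since the last snapshot: assets that newly fail a control."""
    out: Findings = {}
    for name, assets in current.items():
        new = sorted(set(assets) - set(previous.get(name, [])))
        if new:
            out[name] = new
    return out


def within_appetite(exp: float, appetite: float) -> bool:
    """Compare quantified exposure with the appetite the governance body set."""
    return exp <= appetite


# Constructed snapshots of three assets taken on two consecutive monitoring runs.
SNAPSHOT_T0: Snapshot = {
    "web-01": {"days_since_patch": 12, "mfa": True, "default_password": False, "days_since_backup_test": 40},
    "db-01": {"days_since_patch": 20, "mfa": True, "default_password": False, "days_since_backup_test": 40},
    "cam-07": {"days_since_patch": 200, "mfa": False, "default_password": True, "days_since_backup_test": 400},
}
SNAPSHOT_T1: Snapshot = {
    **SNAPSHOT_T0,
    "web-01": {**SNAPSHOT_T0["web-01"], "days_since_patch": 45},  # patch window missed since T0
}
RISK_APPETITE = 0.35  # assumed: the governance body tolerates at most 35 % weighted exposure


def monitoring_run(previous: Snapshot, current: Snapshot, appetite: float) -> dict:
    """One monitoring cycle: findings, exposure, regressions and appetite verdict."""
    prev_f, curr_f = evaluate(previous), evaluate(current)
    exp = exposure(curr_f, len(current))
    return {
        "findings": curr_f,
        "exposure": round(exp, 4),
        "drift": drift(prev_f, curr_f),
        "within_appetite": within_appetite(exp, appetite),
    }


if __name__ == "__main__":
    report = monitoring_run(SNAPSHOT_T0, SNAPSHOT_T1, RISK_APPETITE)
    for control, assets in report["findings"].items():
        print(f"{control:<22} failing on: {assets or 'none'}")
    print(f"weighted exposure {report['exposure']:.2%}, appetite {RISK_APPETITE:.0%}, "
          f"within appetite: {report['within_appetite']}")
    print("regressions since last run:", report["drift"] or "none")
```

In the constructed data the single unmanaged camera already puts exposure at one third of the worst case, just inside the assumed appetite; one missed patch window on the web server pushes it over, and the drift report names exactly that regression. The point for a monitoring program is that the verdict is recomputed on every snapshot rather than once per accreditation cycle, and that the most volatile controls (patch age here) are the ones most likely to surface as drift.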
The implication of this accelerated rate of change is that point-in-time assurance is unsustainable; cyber risks and the existing cybersecurity posture must be monitored and evaluated continuously. Rather than testing information systems only on the schedule of accreditation and certification, continuous monitoring ensures that the security controls that are most vital and most volatile in a system are tested continuously, to assure a high level of system security (Malin & Van Heule, 2013).

Organizational culture

Organizations have always worked to protect their information systems and assets from cyberattack, a responsibility that used to fall to the chief information officer (CIO) and his or her department alone. According to Schein, culture is "a set of basic tacit assumptions about how the world is and ought to be that a group of people share and that determines their perceptions, thoughts, feelings, and, to some degree, their overt behavior" (Schein, 1996, p. 11). Put more broadly, culture is the way a group of people live. In an organizational setting, organizational culture is the belief system that distinguishes one organization from another in even the minutest way, encompassing the values, expectations and practices that guide all its members. When cybersecurity is made an integral component of the organization, cybersecurity culture becomes an aspect of organizational culture: it defines the organization's cybersecurity policies and processes, motivated by the overarching organizational values, expectations and social principles its members owe the organization. While technical and system security remains the first line of cybersecurity, the impact of organizational culture on the effectiveness of the cybersecurity system is enormous wherever noncompliance occurs, since noncompliance is rooted in the organizational belief system.
The most advanced technological security cannot protect an organization from a cyberattack if its organizational and cybersecurity cultures do not shape employees' perceptions toward being careful and protective (Huang & Pearlson, 2019). Reports analyzing cyberattacks concur: employees open malicious or phishing emails and their attachments and fall victim to social engineering. Cybersecurity education and training should therefore be regarded as an important complement to technical security, and employees' cybersecurity risk perception is a key indicator that a tailor-made training program will be invaluable (Corradini & Nardelli, 2018).

Human factor

The risk posed by "insiders" to information system assets is increasing. Hooi (2019, p. 2) gives two examples: "On 29 January 2019, six months after the Singhealth data breach, confidential records of 14,200 people who had been diagnosed with HIV were stolen from the Singapore Ministry of Health ('MOH') and leaked online. In what may be considered a 'classic' insider attack, the perpetrator had allegedly gained access to the confidential records by exploiting a personal relationship with a Singapore doctor who had authorised access to the MOH's HIV registry. In March 2019, it was reported that compromised login credentials of Singapore government agency personnel were found to be leaked and put up for sale on the dark web." Unlike systems, human behavior is unpredictable, and errors arising from it can cost individuals and organizations more in cyberspace. The human factor in cybersecurity represents the actions and events in which human error, lack of attention to detail, poor planning and ignorance have led to a successful incident, giving rise to the "unintentional insider" (Hadlington, 2018; Sotira, 2018), a challenge to which organizations have not consistently paid attention.
Cybercriminals have shifted their attack from technology to people, exploiting their vulnerabilities through errors of judgment, sheer lack of knowledge, psychological manipulation or social engineering, and, in the case of insiders, betrayal of trust when initiating, implementing or managing industrial processes. Weak cybersecurity knowledge and skills in the workforce and leadership top the list of human vulnerabilities in the minds of corporate decision makers, governments and academic researchers (Ani et al., 2019).

Standardized processes, enforcement, and accountability

Routinization of activities in an organization not only reduces uncertainties and errors but also reduces the exposure of business processes to risk. A business process is an interrelated set of tasks that are carried out to achieve a business objective or policy goal (Maines et al., 2016). Standardization therefore increases output and consistency in the management of cyber risk. Consistency is a necessary ingredient for achieving cybersecurity policy compliance among employees, as it is for strengthening the case for resource commitment (Swinton & Hedges, 2019). Standardization does not, however, imply a culture of mere repetition: a routine cybersecurity program whose compliance training is not updated in content and application may become unproductive through lack of employee interest, and so fail to support the cybersecurity strategy (Li et al., 2017). Routine Activity Theory (Cohen & Felson, 1979) identifies three conditions that must coincide for a crime to take place: a motivated offender, a suitable target and the absence of a capable guardian; in the cybersecurity context the targets are the routine day-to-day activities and the sensitive data they generate. Information and communication technology (ICT) has become an integral part of society and has permeated all critical infrastructure, providing opportunities for novel attackers (Liu et al., 2018). For example, with Internet connectivity incorporated into operational and communication technologies, IT has become an extension of the respective critical infrastructures (Shackelford et al., 2017). Enforcement and accountability concern cybersecurity policy compliance (discussed earlier): they are the infrastructure put in place to ensure that employees comply with the cybersecurity policies, education and training that the organization has implemented (Ashford, 2016). A cybersecurity policy is a high-level instrument developed by an organization to inform employees of their rights and responsibilities toward data and information risk and safety, so as to prevent cyberattacks and incidents in a work environment where instant information, mobility and social networks are the norm. Risk management and security and privacy capabilities must be embedded in the information systems development life cycle, as must effective communication within the senior management team (Swinton & Hedges, 2019).

Management leadership oversight

Cybersecurity governance is an organization-wide undertaking that requires the full participation and attention of management leadership, who must consistently show support for the cybersecurity program by providing the oversight that ensures the process is achieving its goals (Swinton & Hedges, 2019). The role of management leadership is fundamentally to give cybersecurity governance the support it needs and to stay the course so that cyber risk management succeeds. Senior leadership oversight champions the efforts of the governance body and of individuals with decision rights to steer and institutionalize the rules, standards and practices that manage and minimize the risks of engaging in cyberspace (Mueller, 2017). Management leadership also enforces appropriate behavior through accountability in the valuation, creation, storage, use, archiving and deletion of information, which "includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization achieve its goals" (Proença et al., 2016, p. 33). With its decision-making mandate, management leadership oversight, as a surrogate of cybersecurity governance, can apply established cybersecurity practices and procedures to protect data and keep governance at the highest standard while remaining effective and relevant. Management leadership can enforce the maintenance of "security patches and updates; accomplish and test backups; use the principle of least privilege; use two-factor authentication; handle passwords securely; change default passwords for the IoT (Internet of Things) devices; physical security measures; human resource security measures; educate users; encrypt data; employ access controls regularly test incident response; implement a network monitoring, analytics and management tool; implement network security devices; implement a comprehensive endpoint security solution" (Eugen & Petruţ, 2018, p. 361) (Figure 2).

Figure 2. Proposed conceptual model for cybersecurity governance.

Discussion

Neither cybercrime nor cybersecurity is a new concept. What is new is the evolving modus operandi of cybercrime and the corresponding need for cybersecurity programs sophisticated enough to keep pace, which is why the two are treated as "rivals". Organizations have sought to leverage the Internet as a global resource to drive costs down and improve employee and customer satisfaction.
In doing so they increase their global presence, productivity and competitive advantage in the wake of developments in cloud computing, the Internet of Things (IoT) and initiatives such as bring your own device (BYOD) (Bryan & Larsen, 2017). Effective cybersecurity governance is required if organizations are to embrace this exposure to cyber risk successfully, and it promotes the institutionalization of cybersecurity practice among individuals and organizations (Ng & Kwok, 2017). Cybersecurity is an important program for all organizations, not only to secure data but also to protect human safety (Al-Sharidah et al., 2020). Cybersecurity governance therefore encompasses the cybersecurity policies, procedures, standards and guidelines an organization develops, and their enforcement by the governance body, to secure information systems, data and the digital economy. Enforcing cybersecurity strategy, policies and procedures in the context of compliance also requires an understanding of human factors. Compliance is not a one-off exercise; it is continuous and must be monitored, reviewed and supported with relevant cybersecurity policy and awareness programs in a dynamic business environment. Organizational culture affects cybersecurity compliance: a supportive culture, in the form of leadership and peers, and significant end-user involvement substantially influence employees' attitudes and behavioral intention toward compliance with information systems security policy (Amankwa et al., 2018). Conversely, a poor organizational culture has a high propensity to produce insiders, as they find opportunity, rationalize their actions and neutralize the pressures against them. Cybersecurity is everyone's responsibility, but it is management's responsibility to provide a healthy landscape against cybercrime by formulating appropriate policies and procedures.

Conclusion

Cyberattacks on organizations have not abated, nor will they.
More and more organizations are embracing Internet-enabled processes and solutions for their business operations, increasing their reliance on information. The natural consequence is greater exposure to cyber risks and vulnerabilities, eventual cyberattacks, and far-reaching consequences as service failures increase. Human factors are responsible for more than 95 per cent of incidents, the most common being misconfiguration, poor patch management and lost devices. Noncompliance with cybersecurity policy therefore remains a deeply underrated challenge, one that emanates from pressure, rationalization, opportunity, leadership behavior and organizational culture. Measures governing how employees, contractors and other affiliates access and use corporate networks should be set against standards and enforced by cybersecurity governance. For cybersecurity governance to be effective, it must address at least the following concepts: cybersecurity strategy and goals; standardized processes; compliance, enforcement and accountability; senior leadership oversight; and resources. These need to be integrated into existing systems and processes and remain on the agenda of management leadership. Cybersecurity strategy, as a component of governance, must be built on the premise of resilience and active cyber defence and encompass both technology and human factors. Management leadership oversight is critical to effective cybersecurity governance and is a strong voice for cybersecurity awareness, education and training programs built on best practice, characterized by accountability, fun, hands-on interactivity, just-in-time training and personalization.

References

Abraham, C., Chatterjee, D., & Sims, R. (2019). Muddling through cybersecurity: Insights from the US healthcare industry. Business Horizons, 62(4), 539–548. https://doi.org/10.1016/j.bushor.2019.03.010
Adams, M., & Makramalla, M.
(2015). Cybersecurity skills training: An attacker-centric gamified approach. Technology Innovation Management Review, 5(1), 5–14. https://doi.org/10.22215/timreview/861
Adams, R. (2018). Our approach to employee security training [Online]. PagerDuty. Retrieved 12 November 2020 from https://www.pagerduty.com/blog/security-trainingatpagerduty/
Ahlmeyer, M., & Chircu, A. (2016). Securing the internet of things: A review. Issues in Information Systems, 17(4), 21–28. https://orcid.org/0000-0002-7925-9191
Al-Sharidah, A., Syed, A., Alsannat, E., & Gaddourah, A. (2020). How cybersecurity policies enable IR 4.0 emerging technologies. International Petroleum Technology Conference. https://doi.org/10.2523/IPTC-20241-MS
Althonayan, A., & Andronache, A. (2018). Shifting from information security towards a cybersecurity paradigm. Proceedings of the 2018 10th International Conference on Information Management and Engineering, 68–79. https://doi.org/10.1145/3285957.3285971
Amankwa, E., Loock, M., & Kritzinger, E. (2018). Establishing information security policy compliance culture in organizations. Information & Computer Security, 26(4), 420–436. https://doi.org/10.1108/ICS-09-2017-0063
American Management Association. (2008). Electronic monitoring & surveillance survey: Over half of all employers combined fire workers for email and Internet abuse. American Management Association, March 13, 2008.
Ani, U., He, H., & Tiwari, A. (2019). Human factor security: Evaluating the cybersecurity capacity of the industrial workforce. Journal of Systems and Information Technology, 21(1), 2–35. https://doi.org/10.1108/JSIT-02-2018-0028
Ashford, W. (2016). Lack of cyber security awareness putting UK organisations at risk [Online]. Computer Weekly. Retrieved 6 November 2020 from http://www.computerweekly.com/news/4500278074/Lack-of-cyber-security-awarenessputting-UK-organisations-at-risk
Australian Computing Society. (2016). Cybersecurity: Threats, challenges, opportunities (p. 51). ACS.
Baror, S., & Venter, H. (2019). A taxonomy for cybercrime attack in the public cloud. In International Conference on Cyber Warfare and Security (pp. 505-X). Academic Conferences International Limited.
Bodeau, D. (2012). Cyber security governance: A component of MITRE's cyber prep methodology. Washington: MITRE Corporation.
Boerman, D. (2020). Reporting on cybersecurity performance. University of Twente.
Boutwell, M. (2019). Exploring industry cybersecurity strategy in protecting critical infrastructure.
Boyes, H. (2015). Cybersecurity and cyber-resilient supply chains. Technology Innovation Management Review, 5(4), 28–34. https://doi.org/10.22215/timreview/888
Bryan, E., & Larsen, A. (2017). Cybersecurity policies and procedures. In The cyber risk handbook: Creating and measuring effective cybersecurity capabilities (pp. 35–65). IRM and Willis Towers Watson.
Camillo, M. (2017). Cybersecurity: Risks and management of risks for global banks and financial institutions. Journal of Risk Management in Financial Institutions, 10, 196–200.
Chabinsky, S. (2010). Cybersecurity strategy: A primer for policy makers and those on the front line. Journal of National Security Law & Policy, 4, 27.
Chen, H., & Soltes, E. (2018). Why compliance programs fail—and how to fix them. Harvard Business Review, 96, 115–125.
Cohen, L., & Felson, M. (1979). Social change and crime rate trends: A routine activity approach. American Sociological Review, 44(4), 588–608. https://doi.org/10.2307/2094589
College of Healthcare Information Management Executives. (2018). Healthcare's Most Wired 2018. CHIME.
Cook, A., Janicke, H., Smith, R., & Maglaras, L. (2017). The industrial control system cyber defence triage process. Computers & Security, 70, 467–481. https://doi.org/10.1016/j.cose.2017.07.009
Corradini, I., & Nardelli, E. (2018). Building organizational risk culture in cyber security: The role of human factors. In International Conference on Applied Human Factors and Ergonomics (pp. 193–202). Springer.
Cressey, D. (1973). Introduction to the reprint edition. In Other people's money: A study in the social psychology of embezzlement, 2.
Dankwa, K. (2020). Deciphering the myth about non-compliance and its impact on cyber security and safety. In Modern theories and practices for cyber ethics and security compliance. IGI Global.
Debra Cascardo, M. (2016). Insights into cyber security risks: The key to survival is resiliency. The Journal of Medical Practice Management, 32, 169.
Dempsey, K., Chawla, N., Johnson, A., Johnston, R., Jones, A., Orebaugh, A., Scholl, M., & Stine, K. (2012). Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations: National Institute of Standards and Technology Special Publication 800-137. CreateSpace Independent Publishing Platform.
Donaire, N. (2018). Cybersecurity: A to-do list for your board [Online]. Retrieved 10 November 2020 from https://diligent.com/au/e1-cybersecurity-a-to-do-list-for-yourboard/
Ellis, R., & Mohan, V. (2019). Rewired: Cybersecurity governance. John Wiley & Sons.
Eugen, P., & Petruţ, D. (2018). Exploring the new era of cybersecurity governance. Ovidius University Annals, Series Economic Sciences, 18, 361.
Farahmand, F., & Spafford, E. (2013). Understanding insiders: An analysis of risk-taking behavior. Information Systems Frontiers, 15(1), 5–15. https://doi.org/10.1007/s10796-010-9265-x
Fehr, R., Yam, K., & Dang, C. (2015). Moralized leadership: The construction and consequences of ethical leader perceptions. Academy of Management Review, 40(2), 182–209. https://doi.org/10.5465/amr.2013.0358
Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., & Smeraldi, F. (2016). Decision support approaches for cyber security investment. Decision Support Systems, 86, 13–23. https://doi.org/10.1016/j.dss.2016.02.012
Gross, A. (2018). Effective security training requires change in employee behavior [Online]. Health IT Answers. Retrieved 12 November 2020 from https://www.hitechanswers.net/effective-security-training-requires-change-in-employee-behavior/
Gundu, T. (2019). Acknowledging and reducing the knowing and doing gap in employee cybersecurity compliance. In ICCWS 2019 14th International Conference on Cyber Warfare and Security (pp. 94–102).
Gyunka, B., & Christiana, A. (2017). Analysis of human factors in cyber security: A case study of Anonymous attack on HBGary. Computing & Information Systems, 21.
Hadlington, L. (2018). The "human factor" in cybersecurity: Exploring the accidental insider. In Psychological and behavioral examinations in cyber security. IGI Global.
Han, J., Kim, Y., & Kim, H. (2017). An integrative model of information security policy compliance with psychological contract: Examining a bilateral perspective. Computers & Security, 66, 52–65. https://doi.org/10.1016/j.cose.2016.12.016
Hoffmann, R., Napiorkowski, J., Protasowicki, T., & Stanik, J. (2020). Risk based approach in scope of cybersecurity threats and requirements. Procedia Manufacturing, 44, 655–662. https://doi.org/10.1016/j.promfg.2020.02.243
Hooi, E. (2019). Cyber security: Beware the human factor (p. 2). Nanyang Technological University.
Huang, K., & Pearlson, K. (2019). For what technology can't fix: Building a model of organizational cybersecurity culture. Proceedings of the 52nd Hawaii International Conference on System Sciences. https://doi.org/10.24251/HICSS.2019.769
IBM. (2014). IBM security services 2014 cyber security intelligence index (p. 3). IBM.
ITRC. (2016). Breach statistics 2005–2015 [Online]. ITRC. Retrieved 1 March 2020 from http://www.idtheftcenter.org/images/breach/2005to2015multiyear
ITU. (2008). ITU-T X.1205, Overview of cybersecurity (p. 2). International Telecommunication Union.
Jackson, C. (2017). Cybersecurity policy: Exploring leadership strategies that influence insider compliance. Capella University.
Kaminski, P., Rezek, C., Richter, W., & Sorel, M. (2017). Protecting your critical digital assets: Not all systems and data are created equal. McKinsey and Company. https://www.mckinsey.com/business-functions/risk/our-insights/protecting-your-critical-digital-assets-not-allsystems-and-data-are-created-equal
Kostadinov, D. (2018). The components of a successful security awareness program [Online]. Infosec. Retrieved 12 November 2020 from https://resources.infosecinstitute.com/components-successful-security-awareness-program/#gref
Lee, K., & Lim, J. (2016). The reality and response of cyber threats to critical infrastructure: A case study of the cyber-terror attack on the Korea Hydro & Nuclear Power Co., Ltd. KSII Transactions on Internet & Information Systems, 10.
Li, J., Yu, F., Deng, G., Luo, C., Ming, Z., & Yan, Q. (2017). Industrial internet: A survey on the enabling technologies, applications, and challenges. IEEE Communications Surveys & Tutorials, 19(3), 1504–1526. https://doi.org/10.1109/COMST.2017.2691349
Li, L., He, W., Xu, L., Ash, I., Anwar, M., & Yuan, X. (2019). Investigating the impact of cybersecurity policy awareness on employees' cybersecurity behavior. International Journal of Information Management, 45, 13–24. https://doi.org/10.1016/j.ijinfomgt.2018.10.017
Liu, X., Dong, M., Ota, K., Yang, L., & Liu, A. (2018). Trace malicious source to guarantee cyber security for mass monitor critical infrastructure. Journal of Computer and System Sciences, 98, 1–26. https://doi.org/10.1016/j.jcss.2016.09.008
Madnick, S., Jalali, M., Siegel, M., Lee, Y., Strong, D., Wang, R., Ang, W., Deng, V., & Mistree, D. (2016). Measuring stakeholders' perceptions of cybersecurity for renewable energy systems. In International Workshop on Data Analytics for Renewable Energy Integration (pp. 67–77). Springer.
Maines, C., Zhou, B., Tang, S., & Shi, Q. (2016). Adding a third dimension to BPMN as a means of representing cyber security requirements. In 2016 9th International Conference on Developments in eSystems Engineering (DeSE) (pp. 105–110). IEEE.
Malin, A., & Van Heule, G. (2013). Continuous monitoring and cyber security for high performance computing. In Proceedings of the First Workshop on Changing Landscapes in HPC Security (pp. 9–14). https://doi.org/10.1145/2465808.2465810
Martin, G., Martin, P., Hankin, C., Darzi, A., & Kinross, J. (2017). Cybersecurity and healthcare: How safe are we? BMJ, 358, j3179. https://doi.org/10.1136/bmj.j3179
Mathieu, C., Neumann, C., Hare, R., & Babiak, P. (2014). A dark side of leadership: Corporate psychopathy and its influence on employee well-being and job satisfaction. Personality and Individual Differences, 59, 83–88. https://doi.org/10.1016/j.paid.2013.11.010
McCollum, T. (2015). Cyber disconnect [Online]. The Institute of Internal Auditors. Retrieved 20 January 2020 from http://www.theiia.org
Morse, A. (2018). Investigation: WannaCry cyber attack and the NHS. Report by the National Audit Office.
Mueller, M. (2017). Is cybersecurity eating internet governance? Causes and consequences of alternative framings. Digital Policy, Regulation and Governance, 19(6), 415–428. https://doi.org/10.1108/DPRG-05-2017-0025
Murphy, D., & Murphy, R. (2013). Teaching cybersecurity: Protecting the business environment. In Proceedings of the 2013 InfoSecCD'13: Information Security Curriculum Development Conference (pp. 88–93).
Ng, A., & Kwok, B. (2017). Emergence of Fintech and cybersecurity in a global financial centre. Journal of Financial Regulation and Compliance, 25(4), 422–434. https://doi.org/10.1108/JFRC-01-2017-0013
NIST. (2018). Framework for improving critical infrastructure cybersecurity. NIST.
Nolan, C., Lawyer, G., & Dodd, R. (2019). Cybersecurity: Today's most pressing governance issue. Journal of Cyber Policy, 4(3), 425–441. https://doi.org/10.1080/23738871.2019.1673458
Oliver, G., & Foscarini, F. (2014). Information culture: An essential concept for next generation records management. In DLM Forum 7th Triennial Conference (p. 31).
PACKT. (2020). The scope of cybersecurity [Online]. Retrieved 1 December 2020 from https://subscription.packtpub.com/book/networking_and_servers/9781788836296/1/ch01lvl1sec12/the-scope-of-cybersecurity
Page, S., & Page, S. (2000). Achieving 100% compliance of policies and procedures. Policies and Procedures.
Pham, H., Pham, D., Brennan, L., & Richardson, J. (2017). Information security and people: A conundrum for compliance. Australasian Journal of Information Systems, 21. https://doi.org/10.3127/ajis.v21i0.1321
Pigni, F., Bartosiak, M., Piccoli, G., & Ives, B. (2018). Targeting Target with a 100 million dollar data breach. Journal of Information Technology Teaching Cases, 8(1), 9–23. https://doi.org/10.1057/s41266-017-0028-0
Plachkinova, M., & Maurer, C. (2018). Security breach at Target. Journal of Information Systems Education, 29, 11–20.
Posey, C., & Canham, M. (2018). A computational social science approach to examine the duality between productivity and cybersecurity policy compliance within organizations. In International Conference on Social Computing, Behavioral-Cultural Modeling & Prediction and Behavior Representation in Modeling and Simulation (SBP-BRiMS).
PRC. (2021). Cost of data breach study [Online]. Retrieved 1 March 2021 from https://www.ibm.com/security/databreach
Proença, D., Vieira, R., & Borbinha, J. (2016). A maturity model for information governance. In International Conference on Theory and Practice of Digital Libraries (pp. 15–26). Springer.
Pullin, D. (2018). Cybersecurity: Positive changes through processes and team culture. Frontiers of Health Services Management, 35(1), 3–12. https://doi.org/10.1097/HAP.0000000000000038
PWC. (2017). Cyber risk – Enlightenment through information risk management. PWC.
Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014). Missed alarms and 40 million stolen credit card numbers: How Target blew it. Bloomberg Businessweek. Bloomberg.
Romero-Mariona, J., Hallman, R., Kline, M., Palavicini, G., Bryan, J., San Miguel, J., Kerr, L., Major, M., & Alvarez, J. (2015). An approach to organizational cybersecurity. In International Workshop on Enterprise Security (pp. 203–222). Springer.
Roskot, M., Wanasika, I., & Kroupova, Z. (2020). Cybercrime in Europe: Surprising results of an expensive lapse. Journal of Business Strategy, 42(2), 91–98. https://doi.org/10.1108/JBS-12-2019-0235
RSA. (2016). Cyber risk appetite: Defining and understanding risk in the modern enterprise. RSA.
Sabillon, R., Cano, J., Cavaller Reyes, V., & Serra Ruiz, J. (2016). Cybercrime and cybercriminals: A comprehensive study. International Journal of Computer Networks and Communications Security, 4(6).
Scala, N., Reilly, A., Goethals, P., & Cukier, M. (2019). Risk and the five hard problems of cybersecurity. Risk Analysis, 39(10), 2119–2126. https://doi.org/10.1111/risa.13309
Schein, E. (1996). Three cultures of management: The key to organizational learning. Sloan Management Review, 38, 9–20.
SEC. (2018). Commission statement and guidance on public company cybersecurity disclosures. SEC.
Shackelford, S., Sulmeyer, M., Deckard, A., Buchanan, B., & Micic, B. (2017). From Russia with love: Understanding the Russian cyber threat to US critical infrastructure and what to do about it. Nebraska Law Review, 96, 320.
Siebel, T. (2017). Why digital transformation is now on the CEO's shoulders. McKinsey Quarterly, 4, 1–7.
Siponen, M., Pahnila, S., & Mahmood, M. (2010). Compliance with information security policies: An empirical investigation. Computer, 43(2), 64–71. https://doi.org/10.1109/MC.2010.35
Smith, K., Jones, A., Johnson, L., & Smith, L. (2019). Examination of cybercrime and its effects on corporate stock value. Journal of Information, Communication and Ethics in Society, 17(1), 42–60. https://doi.org/10.1108/JICES-02-2018-0010
Smith, M., & Pate-Cornell, M. (2018). Cyber risk analysis for a smart grid: How smart is smart enough? A multiarmed bandit approach to cyber security investment. IEEE Transactions on Engineering Management, 65(3), 434–447. https://doi.org/10.1109/TEM.2018.2798408
Sotira, N. (2018). The human factor in cyber security. Cyber Security: A Peer-Reviewed Journal, 1, 326–330.
Swinton, S., & Hedges, S. (2019). Cybersecurity governance, Part 1: 5 fundamental challenges [Online]. Retrieved 9 November 2020 from https://insights.sei.cmu.edu/insider-threat/2019/07/cybersecurity-governance-part-1-5-fundamental-challenges.html
Tam, K., & Jones, K. (2018). Maritime cybersecurity policy: The scope and impact of evolving technology on international shipping. Journal of Cyber Policy, 3(2), 147–164. https://doi.org/10.1080/23738871.2018.1513053
Tran, T., Childerhouse, P., & Deakins, E. (2016). Supply chain information sharing: Challenges and risk mitigation strategies. Journal of Manufacturing Technology Management, 27(8), 25.
Underwood, K. (2015). Protiviti 2015 IT priorities survey. EDPACS, 52(1), 14–16. https://doi.org/10.1080/07366981.2015.1063931
Urciuoli, L., & Hintsa, J. (2017). Adapting supply chain management strategies to security – An analysis of existing gaps and recommendations for improvement. International Journal of Logistics Research and Applications, 20(3), 276–295. https://doi.org/10.1080/13675567.2016.1219703
Vaidya, R. (2019). Cyber security breaches survey 2019. assets.publishing.service.gov.uk.
Wang, P., & Johnson, C. (2018). Cybersecurity incident handling: A case study of the Equifax data breach. Issues in Information Systems, 19.
Winkler, I. (2018). The fundamental flaw in security awareness programs.
InformationWeek. [Online]. Retrieved 12 November 2020 from https://www.darkreading.com/endpoint/thefundamental-flaw-in-security-awareness-programs/a/d-id/133230 Young, K. (2010). Policies and procedures to manage employee Internet abuse. Computers in Human Behavior, 26(6), 1467–1471. https://doi.org/10.1016/j.chb.2010.04.025