The Art of Cyber Security
- Conference Article
2
- 10.1109/hicss.2016.701
- Jan 1, 2016
Although cost-benefit analyses are an important aspect of information technology (IT) security (ITS) management, previous research focuses largely on the customer perspective and neglects the supplier side. However, since ensuring a high level of ITS in modern IT products is typically associated with a large investment, customers' willingness to pay is essential for decision making in the context of IT product development. We draw on Kano's theory of attractive quality to analyze how customers generally evaluate implemented ITS safeguards. Based on expert interviews and a large-scale empirical study involving customer company decision makers, this paper demonstrates that different customer evaluations of ITS safeguards are associated with different levels of willingness to pay. Therefore, our results will enable IT suppliers not only to understand their customers' ITS needs but also to derive optimal ITS strategies, which may provide both economic and competitive advantages. Further theoretical and practical implications are also discussed.
- Conference Article
4
- 10.1109/issa.2015.7335053
- Aug 1, 2015
Information technology (IT) security, which is concerned with protecting the confidentiality, integrity and availability of information technology assets, inherently possesses a significant amount of risk, some known and some unknown. IT security risk management has gained considerable attention over the past decade due to the collapse of some large organisations in the world. Previous investigative research in the field of IT security has indicated that despite the efforts that organisations employ to reduce IT security risks, the trend of IT security attacks is still increasing. One of the contributing factors to poor management of IT security risk is attributed to the fact that IT security risk management is often left to technical security technologists who do not necessarily employ formal risk management tools and reasoning. For this reason, organisations find themselves in a position where they do not have the correct approach to identify, assess and treat IT security risks. Employing a formal risk-based approach in managing IT security risk assists in ensuring that risks that matter to an organisation are accounted for and, as a result, receive the correct level of attention. Defining an approach of how IT security risk is managed should be seen as a fundamental task, which is the basis of this research. The objective of this paper is to propose an approach for identifying, assessing and treating IT security risk which incorporates a robust risk analysis and assessment process. The risk analysis process aims to make use of a comprehensive IT security risk universe which caters for the complex and dynamic nature of IT security. The research will contribute to the field of IT security by using a consolidated approach that utilises coherent characteristics of the available qualitative risk management frameworks to provide a stronger approach that will enable organisations to treat IT security risk better.
- Book Chapter
1
- 10.1007/978-3-642-38244-4_3
- Oct 4, 2013
Information Technology (IT) security is an issue which cannot be wished away by organizations and particularly Small and Medium Enterprises (SMEs). SMEs should embrace IT security in order to realize the benefits of IT without compromising their IT security status. Much like any other business asset, information is an asset that needs to be strategically managed and protected. It is therefore imperative that SMEs understand the value of information contained within their business systems and have a framework for assessing and implementing IT security. To address challenges faced by SMEs, especially in Kenya, this research establishes an Information Technology (IT) framework that can allow Kenyan SMEs to implement cost-effective security measures. In particular, this work considers IT security requirements and appropriate metrics. There is evidence from the research to suggest that despite having some IT security measures in place, Kenyan SMEs still face some serious IT security challenges. In the light of the challenges faced by Kenyan SMEs, this work recommends a framework which is supposed, among other things, to provide metrics for evaluating the effectiveness of implemented security measures. The framework is likely to assist SME stakeholders to measure the effectiveness of their security-enhancing mechanisms.
- Research Article
3
- 10.1371/journal.pone.0312266
- Oct 18, 2024
- PLOS ONE
Cyberattacks pose a significant business risk to organizations. Although there is ample literature focusing on why people pose a major risk to organizational cybersecurity and how to deal with it, there is surprisingly little we know about cyber and information security decision-makers, who are essentially the people in charge of setting up and maintaining organizational cybersecurity. In this paper, we study cybersecurity awareness of cyber and information security decision-makers, and investigate factors associated with it. We conducted an online survey among Slovenian cyber and information security decision-makers (N = 283) to (1) determine whether their cybersecurity awareness is associated with adoption of antimalware solutions in their organizations, and (2) explore which organizational factors and personal characteristics are associated with their cybersecurity awareness. Our findings indicate that awareness of well-known threats and solutions seems to be quite low for individuals in decision-making roles. They also provide insights into which threats (e.g., distributed denial-of-service (DDoS) attacks, botnets, industrial espionage, and phishing) and solutions (e.g., security operation center (SOC), advanced antimalware solutions with endpoint detection and response (EDR)/extended detection and response (XDR) capabilities, organizational critical infrastructure access control, centralized device management, multi-factor authentication, centralized management of software updates, and remote data deletion on lost or stolen devices) cyber and information security decision-makers are the least aware of. We uncovered that awareness of certain threats and solutions is positively associated with either adoption of advanced antimalware solutions with EDR/XDR capabilities or adoption of SOC.
Additionally, we identified significant organizational factors (organizational role type) and personal characteristics (gender, age, experience with information security and experience with information technology (IT)) related to cybersecurity awareness of cyber and information security decision-makers. Organization size and formal education were not significant. These results offer insights that can be leveraged in targeted cybersecurity training tailored to the needs of groups of cyber and information security decision-makers based on these key factors.
- Research Article
24
- 10.1007/s10796-017-9807-6
- Oct 30, 2017
- Information Systems Frontiers
Firms have increasingly invested in information technology (IT) security to protect their information resources. Nevertheless, deciding when to invest in IT security is rather difficult for executives because of the irreversibility of spending and the uncertainty of IT security investment performance. A review of the literature on IT security investments reveals that previous studies largely neglected the strategy and timing of investments. Based on real options theory, this research examines IT security investments for the commercial exploitation strategy versus the IT security improvement strategy in terms of proactive and reactive investments. An event study methodology is used to estimate the effect of IT security investment timing on the stock performance of the investments. Our results show that reactive investments for IT security improvement and proactive investments for commercial exploitation earn positive abnormal returns. Moreover, the market reacts more positively to aligned than to misaligned IT security investments. The implications of the research findings are presented and discussed.
- Supplementary Content
1
- 10.26083/tuprints-00018901
- Jan 1, 2021
- Publications of Darmstadt Technical University, Institute for Business Studies (BWL)
Digital transformation has established itself as an omnipresent term in the new millennium. Often considered synonymous with the so-called Fourth Industrial Revolution, the term describes the convergence of information technology and the ubiquity of data in private life as well as in business and social lives. Inherent to the term "revolution" is radical change and the upheaval of existing processes and relationships. Translated into a business context, revolution leads to the transformation of business models and established work processes as well as the increasing dependence on data and new technologies. In times of digital transformation, managers and organizational decision-makers are faced with constant, potentially business-critical, decisions regarding these new technologies and the maintenance of information and data security. The analysis of management decisions, therefore, plays a crucial role in comprehending and researching digital transformation. This dissertation, therefore, seeks to improve our understanding of decision-making processes regarding the adoption of cloud computing solutions and data protection measures as well as investments in information technology (IT) security in primarily small and medium-sized enterprises. Article A examines the influence of status quo bias and reference dependency in the decision to adopt cloud computing solutions. Based on the tenets of prospect theory, findings suggest that rather inexperienced decision-makers are taking their evaluation of the existing technology more into account when assessing a cloud-based replacement technology. As a consequence, status quo thinking leads to a more negative assessment of the new technology, which hinders its potentially beneficial introduction to the organizational IT service architecture. Article B investigates decision-making processes related to end-user data protection measures and the impact of psychological ownership on the motivation to protect data. 
In a questionnaire study and based on the protection motivation theory, the influence of psychological ownership on the decision-making behavior of individuals in both private and work contexts is analyzed. The results demonstrate that psychological ownership exerts a stronger impact on the protection motivation of participants in a private context. The analysis further indicates that employees partly relinquish their responsibility regarding security responses to protect data in their work context. Fostering feelings of psychological ownership could possibly counteract such detrimental effects and improve the adoption of data protection measures in a work context. In Article C, the previously demonstrated cognitive and behavioral aspects of decision-making are contextualized into a holistic conceptual framework. Based on a comprehensive literature analysis and an interview study, this study finds that decisions regarding IT security in companies are influenced by organizational, economic, environmental, cognitive, and behavioral aspects. The literature analysis further demonstrates that existing research still emphasizes economic aspects based on the assumption of purely rational decision-makers. Studies that shed light on IT security decisions from a behavioral, environmental or organizational perspective are significantly less frequent, although the analysis of the expert interviews emphasizes the influence of these aspects. Article D validates that decision-makers in companies are influenced by a variety of aspects when making investment decisions in IT security. The studies of both Article D and Article E aim at decision-makers from small and medium-sized enterprises (SMEs), since an in-depth literature review of existing research in the area of organizational IT security indicates that organizational IT security in SMEs has been largely neglected. 
The analysis of expert interviews conducted with SME decision-makers, however, indicates that implications of existing research can be transferred only to a limited extent due to unique constraints and their influence on decisions in the SME context. The studies, therefore, investigate and validate the impact of these SME-specific constraints regarding IT security decisions. The findings imply that investment decisions with regard to organizational IT security are strongly influenced by SME-specific characteristics such as insufficient IT budget planning, undocumented processes, or multiple roles due to lack of resources. Consequently, this dissertation provides valuable insights for both practice and research regarding typical and frequent decision-making processes in the context of digital transformation. In particular, this study examines the influence of biases and non-rational aspects in the decision-making process regarding new technologies or measures to ensure their security, as well as the effects of SME-specific constraints, and thereby demonstrates and emphasizes the need for further behavioral research in technology adoption and IT security.
- Research Article
32
- 10.1108/ics-02-2016-0013
- Jul 10, 2017
- Information & Computer Security
Purpose: The aim of this study is to advance research on the position of the CISO by investigating the role that CISOs play before and after an IT security breach. There is a dearth of academic research literature on the role of a chief information security officer (CISO) in the management of Information Technology (IT) security. The limited research literature exists despite the increasing number and complexity of IT security breaches that lead to significant erosions in business value. Design/methodology/approach: The study makes use of content analysis and agency theory to explore a sample of US firms that experienced IT security breaches between 2009 and 2015 and how these firms reacted to the IT security breaches. Findings: The results indicate that following the IT security breaches, a number of the impacted firms adopted a reactive plan that entailed a re-organization of the existing IT security strategy and the hiring of a CISO. Also, there is no consensus on the CISO reporting structure, since most of the firms that hired a CISO for the first time had the CISO report either to the Chief Executive Officer or the Chief Information Officer. Research limitations/implications: The findings will inform researchers, IT educators and industry practitioners on the roles of CISOs as well as advance research on how to mitigate IT security vulnerabilities. Originality/value: The need for research that advances an understanding of how to effectively manage the security of IT resources is timely and is driven by the growing frequency and sophistication of IT security breaches as well as the significant direct and indirect costs incurred by both the affected firms and their stakeholders.
- Research Article
- 10.36030/2310-2837-1(100)-2021-46-52
- Mar 1, 2021
- Вісник Національної академії державного управління при Президентові України
Formulating the problem in general form and its connection with important scientific and practical tasks. The high dependence of all spheres of the state's vital activity on information and the comprehensive spread of digital technologies, in particular in the field of public administration, has led to the emergence of challenges and threats of a new technological level. Also, with the development of digital technologies themselves, there is an increase in the technical level of tools for the implementation of cyber threats, as well as an increasing trend in the proportion of cyber threats in the spectrum of threats to national security. Considering the expanding landscape of cyber threats and the increasing complexity of the tools for their realization, the governments of leading countries are taking measures to improve national cybersecurity systems and change strategies to counter cyber threats. In this regard, there is an urgent problem of forming a balanced and effective national cybersecurity system that would be able to flexibly adapt to changes in the security environment, to guarantee the citizens of our country the safe functioning of the national segment of cyberspace. One of the most pressing problems in the field of national cybersecurity is the identification of key strategic problems and ways to solve them in order to implement effective and efficient cybersecurity mechanisms. Analysis of recent publications on the issue and identification of previously unresolved parts of the overall problem. Research by such Ukrainian scientists as M. Ryzhkov and A. Ruban, S. Kavin, Y. Kotukh, D. Melnyk, and others is devoted to problematic issues of forming ways and applying instruments to protect national interests in cyberspace in the context of threats to Ukraine's national security.
However, in modern conditions of globalization, new challenges and problematic issues in the field of cybersecurity constantly arise, which require a change in approaches to defining the features of cyber threats and clarifying the ways and mechanisms of protecting national interests in cyberspace, which increases the relevance of the topic of the selected research. The purpose of the article is to analyze the main provisions of the EU's Cybersecurity Strategy for the Digital Decade in the context of identifying opportunities for adopting best practices of European experience in the field of state cybersecurity and their adaptation to Ukrainian realities. Outline of the main results and their justification. The world is witnessing an increase in the intensity of interstate confrontation and intelligence and subversive activities in cyberspace, an increase in cybercrime, and the use of cyberspace by terrorist organizations to commit acts of cyberterrorism. The COVID-19 pandemic has also exacerbated, among other things, the issue of cybersecurity. Global trends in cyberspace and related cybersecurity challenges and risks are having an increasing impact on the development of the national cybersecurity system. One of the bases for the development and implementation of an updated cybersecurity strategy of Ukraine can be the experience of leading countries in the field of cybersecurity, in particular the best practices of European experience. The EU's Cybersecurity Strategy for the Digital Decade sets out how the EU will shield its people, businesses and institutions from cyber threats, and how it will advance international cooperation and lead in securing a global and open Internet.
Building on the progress made under the previous strategies, the new EU Cybersecurity Strategy contains concrete proposals for the use of three main instruments (regulatory, investment and policy instruments) to address three areas of EU action: (1) resilience, technological sovereignty and leadership, (2) building operational capacity to prevent, deter and respond, and (3) advancing a global and open cyberspace. Among the new EU strategic initiatives, it is appropriate to highlight the following: an EU-wide Cyber Shield through a network of AI-enabled Security Operations Centres that can detect signs of cyberattack and enable preventive action before damage occurs; a Joint Cyber Unit that will help to better protect the EU from the most impactful cybersecurity attacks, especially cross-border ones; European solutions for strengthening Internet security globally; regulation to ensure an Internet of Secure Things and prevent a single badly protected object from becoming a single point of failure; and regulation for high standards of cyber and information security in EU institutions, bodies and agencies. Also, the EU is planning to undertake further efforts to strengthen cooperation with international partners to advance the shared understanding of the threat landscape, develop cooperation mechanisms and identify cooperative diplomatic responses. In addition, EU efforts will support the development of legislation and policies of partner countries in line with relevant EU cyber diplomacy policies and standards. In our opinion, our country needs to unify its approaches, methods, and means of cybersecurity with the established EU practices, and to take other measures agreed with key foreign partners. Conclusions and prospects for further research.
Based on the conceptual provisions of the EU's Cybersecurity Strategy for the Digital Decade, and taking into account the key cybersecurity risks and cyber threats and strategic objectives, concrete proposals have been developed for the further improvement of the national cybersecurity system. Emphasis is placed on the need to strengthen cyber dialogue with the EU and international organisations, as well as to further intensify work with international partners to develop and advance a global, open, stable and secure cyberspace, where international law, human rights, fundamental freedoms and democratic values are respected. Keywords: cybersecurity, cyber resilience, cybersecurity strategy, European Union, national cybersecurity system.
- Research Article
1
- 10.58729/1941-6679.1224
- Jan 1, 2007
- Journal of International Technology and Information Management
This paper asked professionals in the legal system to evaluate the current state and effectiveness of laws to identify and deter computer crime. Responses were evaluated with a formal structural equation model. The results generally show that legal professionals believe potential jurors have minimal knowledge of computer crime issues. More importantly, they also believe that judges have little knowledge or experience. A similar lack of knowledge by defense attorneys indicates that it could be difficult for a person accused of computer-related infractions to find adequate representation. On the other hand, more experienced participants do not believe computer laws present an effective deterrent to computer crime. The bottom line is that all levels of the legal profession will need more education and training in aspects of computer security laws.
- Book Chapter
1
- 10.1007/978-0-387-72367-9_46
- Jan 1, 2007
While many organizations offer certifications associated with information technology (IT) security, there is no single overarching accrediting organization that has identified the body of knowledge and experience necessary for success in the IT security field. In order for an IT security workforce to be acknowledged and recognized throughout the world as possessing a proven level of education, knowledge, and experience in IT security, a formal process for certifying IT security professionals must be developed. This research effort suggests that the IT security community use the Project Management Institute’s process for certifying Project Management Professionals (PMPs) as a model for developing an open and easily accessible IT Security Body Of Knowledge (ITSBOK) and an associated international certification process for IT security professionals.
- Research Article
27
- 10.1007/s10257-015-0276-5
- Mar 15, 2015
- Information Systems and e-Business Management
Information technology (IT) security design and management are a major concern and substantial challenge for IT management. Today's highly complex business and technological environments and the need to effectively communicate and justify IT security requirements and controls demand methodical support. The modeling method presented in this paper addresses this demand. The method is based on the assumption that enriched enterprise models integrating technological, business, organizational and strategic aspects provide an effective foundation for developing and managing IT security systems and facilitating communication and understanding between stakeholders. The proposed modeling method for designing and managing IT security in organizations accounts for different perspectives and is based on multi-perspective enterprise modeling. The core components of the method, based on analysis of requirements at different levels of abstraction, are: modeling language concepts specifically designed to address security issues, process models that guide the use of the resulting language, and a modeling environment. The method facilitates elaborate representations of the various aspects of IT security at different levels of abstraction and covers the entire lifecycle of IT security systems. It not only supports multi-perspective requirement analysis and design but also enables monitoring and analysis of IT security at runtime. The presented artifact is evaluated with recourse to a research method that enables the configuration of multi-criteria justification procedures.
- Research Article
41
- 10.1108/ics-04-2017-0022
- Jun 12, 2017
- Information & Computer Security
Purpose: This paper aims to outline strategies for defence against social engineering that are missing in the current best practices of information technology (IT) security. The reason for the incomplete training techniques in IT security is the interdisciplinarity of the field. Social engineering focuses on exploiting human behaviour, and this is not sufficiently addressed in IT security. Instead, most defence strategies are devised by IT security experts with a background in information systems rather than human behaviour. The authors aim to outline this gap and point out strategies to fill it. Design/methodology/approach: The authors conducted a literature review from the viewpoints of IT security and of social psychology. In addition, they mapped the results to outline gaps, analysed how these gaps could be filled using established methods from social psychology, and discussed the findings. Findings: The authors analysed gaps in social engineering defences and mapped them to underlying psychological principles of social engineering attacks, for example, social proof. Furthermore, the authors discuss which type of countermeasure proposed in social psychology should be applied to counteract which principle. The authors derived two training strategies from these results that go beyond the state-of-the-art trainings in IT security and allow security professionals to raise companies' bars against social engineering attacks. Originality/value: The training strategies outline how interdisciplinary research between computer science and social psychology can lead to a more complete defence against social engineering by providing reference points for researchers and IT security professionals with advice on how to improve training.
- Research Article
60
- 10.3390/jmse9121384
- Dec 5, 2021
- Journal of Marine Science and Engineering
The integration of IT, OT, and human factor elements in maritime assets is critical for their efficient and safe operation and performance. This integration defines cyber physical systems and involves a number of IT and OT components, systems, and functions that involve multiple and diverse communication paths that are technologically and operationally evolving along with credible cyber security threats. These cyber security threats and risks, as well as a number of known security breach scenarios, are described in this paper to highlight the evolution of cyber physical systems in the maritime domain and their emerging cyber vulnerabilities. Current industry and governmental standards and directives related to cyber security in the maritime domain attempt to enforce regulatory compliance and reinforce asset cyber security integrity for optimum and safe performance, with limited focus, however, on the existing OT infrastructure and systems. The use of security risk assessment tools and processes from outside the maritime industry, such as the API STD 780 Security Risk Assessment (SRA) and the Bow Tie Analysis methodologies, can assist the asset owner to assess its IT and OT infrastructure for cyber and physical security vulnerabilities and allocate proper mitigation measures, assuming their similarities to ICS infrastructure. The application of cyber security controls deriving from the adaptation of the NIST CSF and the MITRE ATT&CK Threat Model can further increase the cyber security integrity of maritime assets, assuming they are periodically evaluated for their effectiveness and applicability.
Finally, communication among stakeholders, operational and technical cyber and physical security resiliency, and operational cyber security awareness would be further improved for maritime assets by the convergence of the distinct physical and cyber security functions as well as of the onshore- and offshore-based cyber infrastructure of maritime companies and asset owners.
- Conference Article
32
- 10.1109/icarcv.2014.7064485
- Dec 1, 2014
Summary form only given. The trend of integrating power systems with advanced computer and communication technologies has introduced serious cyber security concerns, especially in a smart grid environment where the cyber system is no longer regarded as 100% reliable to support power system communications and control as before. Power system security therefore extends to the cyber security domain in the smart grid era. Risks from the cyber system as well as non-conventional physical power system contingencies start to contribute to the overall grid security. This will be particularly important considering the potential risks from targeted attacks on vulnerable system components which may bring down the overall system. The presentation gives an overview of the work done by the research team on power system security, including conventional stability as well as cyber security assessment. A framework for smart grid cyber security and vulnerability assessment will be illustrated as well. The framework includes two main components, which are respectively cyber system security assessment and fast power system security assessment. Complex networks theory and data mining based approaches are also employed to identify the vulnerable components of the physical power system. The proposed cyber system models can be integrated with existing power system models to study the complex interactions between the cyber and physical parts of the smart grid. Advanced modeling tools to model cyber attacks and evaluate their impacts on smart grid security have been developed as well.
- Research Article
53
- 10.1080/07421222.2021.1870390
- Jan 2, 2021
- Journal of Management Information Systems
This research examines the joint effects of information technology (IT) strategies and security investments on organizational security breaches. We focus on two forms of IT strategies: digitalization and embeddedness in IT outsourcing networks. Our longitudinal analysis of U.S. hospitals demonstrates that IT security investments reduce security breaches in less digitalized organizations but increase security breaches for highly digitalized organizations. Investing in technical network control security systems such as anti-virus and intrusion detection systems reduces external breaches. Implementing identity and access management security systems such as biometric scanning and user authentication decreases internal breaches but increases external breaches. However, organizations' embeddedness in IT outsourcing networks weakens the impacts of these technology investments on external breaches but amplifies the negative relationship between identity and access management security systems and internal breaches. Our results offer an alternative understanding of organizational IT security investments and explain contrary results found in prior studies. Practical guidelines on organizational IT security strategies are discussed.