Chief Information Security Officer Research Articles

Chief Information Security Officer: A Vital Component of Organizational Information Security Management

Chief Information Security Officer: A Vital Component of Organizational Information Security Management

An overview of cybersecurity in Zimbabwe's financial services sector.

As nations, businesses, and individuals rely on the Internet for everyday use, so are cybercriminals manipulating systems to access information illegally and disrupting services for financial gain. The global cost of cybercrime eclipsed one trillion US Dollars in 2020, with Africa losing US $3.5 billion. A quantitative research methodology was adopted to investigate factors affecting cybercrime in Zimbabwean financial institutions. The study focused on the technical aspects of cybersecurity. Data were collected from July 2022 to October 2022, targeting technology experts in the financial services sector. Participants were recruited from 13 institutions to rank cybersecurity constructs, frameworks, and challenges associated with cybersecurity. Data was collected using a questionnaire distributed to participants. Descriptive statistics were used to extract meanings from the responses that measure mean and standard deviation. Network and data security were the most highly ranked cybersecurity constructs, while physical security was the least. The top three barriers are increasing sophistication of threats, limited skills and emerging technologies, while lack of executive support was the least. The top frameworks used are the Information Technology Infrastructure Library (ITIL) and Control Objectives for Information and Related Technologies (COBIT), while a fifth is yet to adopt cybercrime frameworks. The study proposes that financial institutions establish a cybersecurity culture to fight cybercrime, addressing cybersecurity barriers and following best practices. Financial institutions should invest in cybersecurity technologies, train security specialists, and employ a Chief Information Security Officer (CISO). The study's small sample may affect the generalisability of the results. Financial institutions should implement strategies to raise awareness and collaborate with institutions to train cybersecurity security specialists to close the skills gap.

정보보호최고책임자의 겸직과 정보보호 성과: 정보보호 공시 데이터를 중심으로

정보보호최고책임자의 겸직과 정보보호 성과: 정보보호 공시 데이터를 중심으로

There’s a Strong Wind a’Blowing re Security Disclosures: Lessons Learned from SolarWinds — An analysis of the significance of the SolarWinds case for companies with making security statements on websites and in public filings

Abstract For years now, we have been advising clients to be cautious about including overly broad, or overly detailed, statements in their online privacy policies, noting that the FTC has in the past interpreted such statements as being representations to the market - such that false or misleading statements made therein could constitute misrepresentations. The Securities Exchange Commission complaint last year filed against SolarWinds Corp. and Timothy G. Brown (between July 2017 and December 2020, the Vice President of Security and Architecture and head of the Information Security group, and as of January 2021, the Chief Information Security Officer, for SolarWinds Corp.) has now made it clear that the same risk applies to public statements regarding the state of security of an organization. The SEC complaint raises additional related issues, however: namely, to what extent are organizations required to detail instances of non-compliance with their security policies in their public security disclosures; and to what extent should software companies be held to a higher standard of cybersecurity disclosure. This article proves the background to the SEC complaint (I.); provides a overview of the SEC complaint’s critique of the online security statement published by SolarWinds, and the security disclosures in the securities filings of SolarWinds (II.); outlines the challenges posed by the SEC approach in the SEC complaint and the resulting blowback, in particular from chief information security officers (III.); highlights three key lessons learned from the SEC complaint (IV.); and concludes (V.) with a warning as to what this means for organizations publishing online security statements.

A framework for cyber-risk insurance against ransomware: A mixed-method approach

Hackers follow a standard cyber kill chain process and install ransomware payloads using phishing emails on firms belonging to critical industry, resulting in huge losses in revenue, reputation, and customer churn. This study uses a mixed-method explanatory approach to mitigate ransomware attacks. We present the quantitative Ransomware Risk Management Model (R2M2) based on protection motivation theory (PMT). The Ransomware Risk Assessment module based on the threat appraisal component of PMT and the National Institute of Standards and Technology (NIST) guidelines can help the chief information security officer (CISO) to assess the risk using predictive analytics techniques. The Ransomware Risk Quantification module uses collective risk modeling to compute the severity of a ransomware attack on an organization. The Ransomware Risk Mitigation module helps the CISO to minimize the probability and impact of a ransomware attack on their organization by (i) investing in perimeter security technologies and training to ensure prepare, deter, detect, restrain, recover, and review mitigation strategies, (ii) adopting the National Institue of Standards and Technology (NIST) Cybersecurity Framework to ensure business resilience, and (iii) mitigating the residual risk by investing in cyber-risk insurance. We validated the proposed method using a qualitative study by interviewing participants form firms affected by ransomware, managed security service providers, security consultants, and cyber-risk insurers.

An overview of cybersecurity in Zimbabwe’s financial services sector

Background: As nations, businesses, and individuals rely on the Internet for everyday use, so are cybercriminals manipulating systems to access information illegally and disrupting services for financial gain. The global cost of cybercrime eclipsed one trillion US Dollars in 2020, with Africa losing US $3.5 billion. Methods: A quantitative research methodology was adopted to investigate factors affecting cybercrime in Zimbabwean financial institutions. The study focused on the technical aspects of cybersecurity. Data were collected from July 2022 to October 2022, targeting technology experts in the financial services sector. Participants were recruited from 13 institutions to rank cybersecurity constructs, frameworks, and challenges associated with cybersecurity. Data was collected using a questionnaire distributed to participants. Descriptive statistics were used to extract meanings from the responses that measure mean and standard deviation. Results: Network and data security were the most highly ranked cybersecurity constructs, while physical security was the least. The top three barriers are increasing sophistication of threats, limited skills and emerging technologies, while lack of executive support was the least. The top frameworks used are the Information Technology Infrastructure Library (ITIL) and Control Objectives for Information and Related Technologies (COBIT), while a fifth is yet to adopt cybercrime frameworks. Conclusions: The study proposes that financial institutions establish a cybersecurity culture to fight cybercrime, addressing cybersecurity barriers and following best practices. Financial institutions should invest in cybersecurity technologies, train security specialists, and employ a Chief Information Security Officer (CISO). The study’s small sample may affect the generalisability of the results. Financial institutions should implement strategies to raise awareness and collaborate with institutions to train cybersecurity security specialists to close the skills gap.

Chief Information Security Officer

Chief Information Security Officer

Information Visualization for a Comprehensive Cybersecurity Risk Quantification and Measurement

This paper presents an innovative dashboard design for cybersecurity risk management, addressing the urgent need for effective visualization and quantification of cyber threats in organizations. Through semi-structured interviews with security executives, we identify key challenges in cybersecurity operations and propose a user-centric dashboard. This tool integrates an overall risk score, trend analysis, global threat mapping, and a three-step workflow from risk insights to remediation, all aimed at enhancing decision-making for Chief Information Security Officers (CISOs) and their teams. Usability testing underscores its effectiveness and user-friendliness, signaling a significant step forward in cybersecurity risk management by providing a comprehensive, intuitive, and actionable overview of an organization’s security posture

Design and evaluation of a self-paced cybersecurity tool

PurposeThis paper aims to present the evaluation of a self-paced tool, CyberSecurity Coach (CYSEC), and discuss the adoption of CYSEC for cybersecurity capability improvement in small- and medium-sized enterprises (SMEs). Cybersecurity is increasingly a concern for SMEs. Previous literature has explored the role of tools for awareness raising. However, few studies validated the effectiveness and usefulness of cybersecurity tools for SMEs in real-world practices.Design/methodology/approachThis study is built on a qualitative approach to investigating how CYSEC is used in SMEs to support awareness raising and capability improvement. CYSEC was placed in operation in 12 SMEs. This study first conducted a survey study and then nine structured interviews with chief executive officers (CEOs) and chief information security officers (CISO).FindingsThe results emphasise that SMEs are heterogeneous. Thus, one cybersecurity solution may not suit all SMEs. The findings specify that the tool’s adoption varied quite widely. Four factors are primary determinants influencing the adoption of CYSEC: personalisation features, CEOs’ or CISOs’ awareness level, CEOs’ or CISOs’ cybersecurity and IT knowledge and skill and connection to cybersecurity expertise.Originality/valueThis empirical study provides new insights into how a self-paced tool has been used in SMEs. This study advances the understanding of cybersecurity activities in SMEs by studying the adoption of CYSEC. Moreover, this study proposes significant dimensions for future research.

Managing Variable Cyber Environments with Organizational Foresight and Resilience Thinking

Combining business continuity management (BCM) and systematic cyber threat intelligence (CTI) can improve cyber situational awareness to support decision-making through the phases of the resilience cycle (plan, absorb, recover, adapt) to ensure the continuity of organizational operations when encountered by cyber disruptions. End-user needs, human factors, high ethical standards, and social impacts can best be adapted when professionals from different fields work together with end-users to refine and co-develop selected tools into a platform. A resilience assessment that combines BCM and CTI enables 1) quick or detailed assessment of the investigated industry and its critical processes, 2) measurement of performance goals based on information received from end users, where artificial intelligence-based self-learning approaches can be used for functional descriptions, 3) information on the sensitivity of the investigated industry and vulnerability and 4) resilience and BCM throughout the entire resilience cycle. A new Horizon Europe project DYNAMO (Dynamic Resilience Assessment Method including a combined Business Continuity Management and Cyber Threat Intelligence solution for Critical Sectors) works towards combining BCM and CTI to generate a situational picture for decision support. Having this in mind, certain cybersecurity and BCM tools will be developed, refined, and integrated into the DYNAMO platform to provide decision support and awareness to chief information security officers, cybersecurity practitioners, and other stakeholders. This paper reports a case study that explores how combining CTI and BCM can help in the case of a cyber-attack. The research material consists of the news articles by the largest newspaper in Finland, Helsingin Sanomat (HS) of how the cyber attack against the therapy center Vastaamo progressed during the first week after the attack. The results show that cyber threat intelligence when flexibly integrated into the BCM approach could create better conditions for improved organizational foresight to react to unpredictable cyber threats to ensure business continuity.

Captcha-Based Honey Net Model against Malicious Codes

The rate of passive and active attacks has been on the increase lately affecting both individuals and institutions. Even when internal control procedures are in place, malicious codes from intruders into the network have left so much to be desired. As a result, many Chief Information Security Officers have grown grey hair because of their inability to effectively handle attacks from various ends. Various attempts and technologies have been made in the time past with a measure of success. Intrusion Detection Software (IDS), Intrusion Prevention Software, firewall, honey pots and honey nets have been deployed and with great respite from losses arising from cyber-attacks. Cyber security is the duty of everyone and all must see it as such. As tiers of government and law enforcement agents are doing their best, everybody must be seen to play their parts. Fraudsters have also not seemed to be tired of seeking vulnerabilities to exploit. Then, cyber security experts should not let off their guards but make efforts to harden their security. A way of doing is to intelligently provide a solution that has the capability of detecting and proactively hardening security. This paper proposes a honey net model that is captcha-based and capable of extracting details from hackers with a view to building a robust defense against black hat attackers. This research was able to prevent the botnet with the use of captcha and also redirect suspected traffic to the honeynet which was then captured for the purpose of improving the security of the network. The result showed that any bandwidth greater than the set threshold was not allowed to go into the network but redirected to honeynet where details were logged. Also, with a threshold of 100 mbs, inbound traffic of higher bandwidth such as 110 mbs and 150 mbs was denied access thereby giving 100% detection rate.

"Cyber security is a dark art": The CISO as Soothsayer

Commercial organisations continue to face a growing and evolving threat of data breaches and system compromises, making their cyber-security function critically important. Many organisations employ a Chief Information Security Officer (CISO) to lead such a function. We conducted in-depth, semi-structured interviews with 15 CISOs and six senior organisational leaders, between October 2019 and July 2020, as part of a wider exploration into the purpose of CISOs and cyber-security functions. In this paper, we employ broader security scholarship related to ontological security and sociological notions of identity work to provide an interpretative analysis of the CISO role in organisations. Research findings reveal that cyber security is an expert system that positions the CISO as an interpreter of something that is mystical, unknown and fearful to the uninitiated. They show how the fearful nature of cyber security contributes to it being considered an ontological threat by the organisation, while responding to that threat contributes to the organisation's overall identity. We further show how cyber security is analogous to a belief system and how one of the roles of the CISO is akin to that of a modern-day soothsayer for senior management; that this role is precarious and, at the same time, superior, leading to alienation within the organisation. Our study also highlights that the CISO identity of protector-from-threat, linked to the precarious position, motivates self-serving actions that we term 'cyber sophistry'. We conclude by outlining a series of implications for both organisations and CISOs.

Limited usefulness of firm-provided cybersecurity information in institutional investors’ investment analysis

PurposeThe purpose of this study is to examine how financial analysts deal with cybersecurity information in their investment analysis process and whether they find cybersecurity disclosures in companies’ financial reports useful.Design/methodology/approachInvestment managers/financial analysts and chief information security officers (CISOs) at seven institutional investors were interviewed.FindingsNot all financial analysts consider cybersecurity risk in their investment analyses. Those who do look at company strategy, how the company integrates cybersecurity into its processes and whether it has certified its cybersecurity information. The financial analysts use this qualitative information to adjust the results of their quantitative analysis. They do not find boilerplate or cursory cybersecurity information in financial reports to be useful. In fact, they view it as unreliable and prefer drawing on other information sources to assess the company’s cybersecurity risk.Practical implicationsThe results of this study highlight to securities regulators that reported cybersecurity information is of limited usefulness. Regulators are challenged to revisit their disclosure requirements. Companies wishing to improve the usefulness of their cybersecurity information should provide more company-specific information.Originality/valueTo the best of the authors’ knowledge, this study is the first to look at financial analysts’ perception of cybersecurity-related information. It complements findings from prior market studies by adding new insights into the way influential market participants deal with this information in their investment analysis process.

ON HIRING A CISO: CHANGES TO GRAMM-LEACH-BLILEY’S “SAFEGUARDS RULE” MANDATE HIRING OF A QUALIFIED INDIVIDUAL TO MANAGE ORGANIZATIONAL SECURITY

Pending changes to the Gramm-Leach-Bliley-Act "Safeguards Rule" will soon mandate the hiring of a qualified individual to manage firm IT and security needs. This requirement will force many firms to hire a Chief Information Security Officer ("CISO") for the first time. Due to the uniquely difficult nature of a CISO's role, the dearth of available talent, and the high costs associated with hiring a qualified professional, firms require a sound understanding of elements to consider in making this choice. In this light, this paper examines essential in-depth factors to consider in finding and retaining the right CISO. While finding the right CISO is a tough challenge, hiring the right person should yield substantial positive contributions to organizational security and the best interests of stakeholders, clients, and the firm itself.

Model‐based risk assessment evaluation

Risk assessment (RA) belongs to the core parts of an organizational risk management process. The primary goals of a RA are the identification, estimation and prioritization of risk(s) to organizational operations. The existing quantitative analysis of RA is focusing on the risk factors, that is, threat or vulnerability. However, the quantitative metrics of the assessment have not been formally defined and modeled yet. Consequently, it is essential to define a formal model and relevant security metrics for RA within an organization. In this study, we will use a complete lattice to analyze risk factors. Moreover, a formal model will be defined to describe the RA process. The reachability of the model will be discussed. Quantitative metrics will be defined to provide insight on the risk estimation. The model can be expressed using colored Petri nets. This study can assist chief information security officers analyze security risks in their organizations and help them balance the security budget in their organizations.

Impact of CISO Appointment Announcements on the Market Value of Firms

Previous studies concerning the economic impact of security events on publicly listed companies have focussed on the negative effect of data breaches and cyberattacks with a view to encouraging firms to improve their cyber security posture to avoid such incidents. This paper is an initial study on the impact of investment in human capital related to security, specifically appointments of chief information security officers (CISO), chief security officers (CSO) or similar overall head of security roles. Using event study techniques, a dataset of 37 CISO type appointment announcements spanning multiple world markets between 2012 and 2019 was analysed and statistically significant (at the 5% level) positive cumulative abnormal returns (CAR) of around 0.8% on average were observed over the three-day period before, during and after the announcement. Furthermore, this positive CAR was found to be highest, at nearly 1.8% on average, within the financial services sector and showing statistical significance at the 1% level. In addition to the industry sector, other characteristics were investigated such as job title, reporting structure, comparison of internal versus external appointments, gender and variations between markets. Although these findings were not as conclusive they are, nevertheless, good pointers for future research in this area. This overall positive market reaction to CISO related announcements is a strong case for publicly listed firms to be transparent in such appointments and to, perhaps, review where that function sits within their organisation to ensure it delivers the greatest benefits. As 24% of the firms analysed were listed outside the US, this study also begins to counter the strong US bias seen in similar and related studies. This research is expected to be of interest to business management, cyber security practitioners, investors and shareholders as well as researchers in cyber security or related fields.

Future Needs of the Cybersecurity Workforce

Expected growth of the job market for cyber security professionals in both the US and the UK remains strong for the foreseeable future. While there are many roles to be found in cyber security, that vary from penetration tester to chief information security officer (CISO). One job of particular interest is security architect. The rise in Zero Trust Architecture (ZTA) implementations, especially in the cloud environment, promises an increase in the demand for these security professionals. A security architect requires a set of knowledge, skills, and abilities covering the responsibility for integrating the various security components to successfully support an organization’s goals. In order to achieve the goal of seamless integrated security, the architect must combine technical skills with business, and interpersonal skills. Many of these same skills are required of the CISO, suggesting that the role of security architect may be a professional stepping-stone to the role of CISO. We expected degreed programs to offer courses in security architecture. Accredited university cyber security programs in the United Kingdom (UK) and the United States of America (USA) were examined for course offerings in security architecture. Results found the majority of programs did not offer a course in security architecture. Considering the role of the universities in preparing C-suite executives, the absence of cyber security architecture offerings is both troubling and surprising.

Cyber security and the Leviathan

Dedicated cyber-security functions are common in commercial businesses, who are confronted by evolving and pervasive threats of data breaches and other perilous security events. Such businesses are enmeshed with the wider societies in which they operate. Using data gathered from in-depth, semi-structured interviews with 15 Chief Information Security Officers, as well as six senior organisational leaders, we show that the work of political philosopher Thomas Hobbes, particularly Leviathan, offers a useful lens through which to understand the context of these functions and of cyber security in Western society. Our findings indicate that cyber security within these businesses demonstrates a number of Hobbesian features that are further implicated in, and provide significant benefits to, the wider Leviathan-esque state. These include the normalisation of intrusive controls, such as surveillance, and the stimulation of consumption. We conclude by suggesting implications for cyber-security practitioners, in particular, the reflexivity that these perspectives offer, as well as for businesses and other researchers.

The modern CISO: where marketing meets security

Chief information security officers (CISOs) have evolved from technical experts to become business leaders in their own right. They are building relationships and developing strong marketing and communication skills to influence others, and their storytelling is also bringing them closer to the board at a time when cyber security needs to be clearly and simply understood. As a result, CISOs are working differently with their teams, inviting them to look at the bigger picture and consider the real-world impact of projects, and acting as stewards, advisers, mentors and coaches.

PCAM: A Data-driven Probabilistic Cyber-alert Management Framework

We propose PCAM , a Probabilistic Cyber-Alert Management framework, that enables chief information security officers to better manage cyber-alerts. Workers in Cyber Security Operation Centers usually work in 8- or 12-hour shifts. Before a shift, PCAM analyzes data about all past alerts and true alerts during the shift time-frame to schedule a given set of analysts in accordance with workplace constraints so that the expected number of “uncovered” true alerts (i.e., true alerts not shown to an analyst) is minimized. PCAM achieves this by formulating the problem as a bi-level non-linear optimization problem and then shows how to linearize and solve this complex problem. We have tested PCAM extensively. Using statistics derived from 44 days of real-world alert data, we are able to minimize the expected number of true alerts that are not manually examined by a team consisting of junior, senior, and principal analysts. We are also able to identify the optimal mix of junior, senior, and principal analysts needed during both day and night shifts given a budget, outperforming some reasonable baselines. We tested PCAM ’s proposed schedule (from statistics on 44 days) on a further 6 days of data, using an off-the-shelf false alarm classifier to predict which alerts are real and which ones are false. Moreover, we show experimentally that PCAM is robust to various kinds of errors in the statistics used.