
    Cybersecurity Awareness and Training (CAT) Framework for Remote Working Employees

    Currently, cybersecurity plays an essential role in computing and information technology due to its direct effect on organizations’ critical assets and information. Cybersecurity is applied using integrity, availability, and confidentiality to protect organizational assets and information from various malicious attacks and vulnerabilities. The COVID-19 pandemic has generated different cybersecurity issues and challenges for businesses as employees have become accustomed to working from home. Firms are speeding up their digital transformation, making cybersecurity the current main concern. For software and hardware systems protection, organizations tend to spend an excessive amount of money procuring intrusion detection systems, antivirus software, antispyware software, and encryption mechanisms. However, these solutions are not enough, and organizations continue to suffer security risks due to the escalating list of security vulnerabilities during the COVID-19 pandemic. There is a thriving need to provide a cybersecurity awareness and training framework for remote working employees. The main objective of this research is to propose a CAT framework for cybersecurity awareness and training that will help organizations to evaluate and measure their employees’ capability in the cybersecurity domain. The proposed CAT framework will assist different organizations in effectively and efficiently managing security-related issues and challenges to protect their assets and critical information. The developed CAT framework consists of three key levels and twenty-five core practices. Case studies are conducted to evaluate the usefulness of the CAT framework in cybersecurity-based organizational settings in a real-world environment. The case studies’ results showed that the proposed CAT framework can identify employees’ capability levels and help train them to effectively overcome the cybersecurity issues and challenges faced by the organizations

    Towards a Qatar Cybersecurity Capability Maturity Model with a Legislative Framework

    In an age when cybersecurity vulnerabilities can be used as a pretext for a blockade, as in the case of Qatar prompted by a hack of the Qatar News Agency, it becomes incumbent upon states to consider legislating the capability maturity measurement and the development of their cybersecurity programs across the community. This paper proposes a Qatar Cybersecurity Capability Maturity Model (Q-C2M2) with a legislative framework. The paper discusses the origin, purpose and characteristics of a capability maturity model and its adoption in the cybersecurity domain. Driven by a thematic analysis under the document analysis methodology, the paper examines existing globally recognized cybersecurity capability maturity models and Qatar’s cybersecurity framework using publicly available documents. This paper also conducts a comparative analysis of existing cybersecurity capability maturity models in light of the Qatari cybersecurity framework, including a comparative analysis of cybersecurity capability maturity model literature. The comparative document analysis helped identify gaps in the existing Qatar National Information Assurance Policy and specifically the Qatar National Information Assurance Manual. The proposed Q-C2M2 aims to enhance Qatar’s cybersecurity framework by providing a workable Q-C2M2 with a legislative component that can be used to benchmark, measure and develop Qatar’s cybersecurity framework. The Q-C2M2 proposes the USERS domains consisting of Understand, Secure, Expose, Recover and Sustain. Each domain consists of subdomains, under which an organization can create cybersecurity activities at initial benchmarking. The Q-C2M2 uses the following five levels to measure the cybersecurity capability maturity of an organization: Initiating, Implementing, Developing, Adaptive and Agile

    AIM Triad: A Prioritization Strategy for Public Institutions to Improve Information Security Maturity

    In today’s world, private and government organizations are legally obligated to prioritize their information security. They need to provide proof that they are continually improving their cybersecurity compliance. One approach that can help organizations achieve this goal is implementing information security maturity models. These models provide a structured framework for measuring performance and implementing best practices. However, choosing a suitable model can be challenging, requiring cultural, process, and work practice changes. Implementing multiple models can be overwhelming, if possible. This article proposes a prioritization strategy for public institutions that want to improve their information security maturity. We thoroughly analyzed various sources through systematic mapping to identify critical similarities in information security maturity models. Our research led us to create the AIM (Awareness, Infrastructure, and Management) Triad. This triad is a practical guide for organizations to achieve maturity in information security practices. This work received partial support from Proyecto DIUFRO DI21-0079 and Proyecto DIUFRO DI22-0043, Universidad de La Frontera, Temuco, Chile

    Cyber Security Maturity Model Capability at The Airports

    Cybersecurity is an important facilitator for essential aviation safety. The adoption rate for levels of cyber-security protocols at commercial airports is the focus of this research. Scope of this research is limited to cybersecurity maturity model capability norms covering fourteen domains. The paper presents primary data collected from several airport authorities. This survey-based study will be useful in identifying areas for improving operational procedures and developing strong cybersecurity governance at airports. This will allow airports to understand risks and respond proactively by adopting cybersecurity best practices and resilience measures. This study includes domestic, international, privately owned airports, airstrips, or aerodromes. This research found that level one of cyber-security maturity model is the most followed while proactive and advance levels i.e., level 4 and 5 are least adhered to. Most airports appear to have some resources allocated to cyber protection and resilience

    Cyber defensive capacity and capability: A perspective from the financial sector of a small state

    This thesis explores ways in which the financial sectors of small states are able to defend themselves against ever-growing cyber threats, as well as ways these states can improve their cyber defense capability in order to withstand current and future attacks. To date, the context of small states in general is understudied. This study presents the challenges faced by financial sectors in small states with regard to withstanding cyberattacks. This study applies a mixed method approach through the use of various surveys, brainstorming sessions with financial sector focus groups, interviews with critical infrastructure stakeholders, a literature review, a comparative analysis of secondary data and a theoretical narrative review. The findings suggest that, for the Aruban financial sector, compliance is important, as with minimal drivers, precautionary behavior is significant. Countermeasures of formal, informal, and technical controls need to be in place. This study indicates the view that defending a small state such as Aruba is challenging, yet enough economic indicators indicate it not being outside the realm of possibility. On a theoretical level, this thesis proposes a conceptual “whole-of-cyber” model inspired by military science and the VSM (Viable Systems Model). The concept of fighting power components and governance S4 function form cyber defensive capacity’s shield and capability. The “whole-of-cyber” approach may be a good way to compensate for the lack of resources of small states. Collaboration may be an only out, as the fastest-growing need will be for advanced IT skillsets

    Capturing the Dynamic Nature of Cyber Risk: Evidence from an Explorative Case Study

    In this research, we developed a novel approach to enable a dynamic cyber risk management strategy as the dynamic nature of cyber risk is rarely considered in current decision support tools. Our explorative case study shows that many management challenges such as investment decisions, priority setting, and “shelf time” analyses can be continuously analyzed. Our research using system thinking and modelling provides valuable insights about these challenges to support current strategic decision-making practices and improve managerial learning. These insights enable management to identify and analyze the effectiveness of future cyber risk management strategies before implementing them