1,175 research outputs found

    From the National Cyber Maturity to the Cyber Resilience: The Lessons Learnt from the Efforts of Turkey

    In this paper, the details of the critical infrastructure protection program of the United States of America are shared, with cyber resilience taken into account. The academic and institutional studies on the concepts of cyber maturity, critical infrastructure protection programs and cyber resilience are explained in detail. Drawing on these studies and on national efforts, the relations among these concepts are proposed. The key components of a cyber security strategy and action plan for a cyber resilient society are proposed by taking these three concepts into account. As the final step, the recent cyber security efforts of Turkey are shared with the reader and assessed against the determined key components.

    DESIGNING INSTRUMENTS FOR ASSESSING CYBER RISK EXPOSURE IN INSURABILITY VERIFICATION

    Cyber risk assessment for insurability verification has attracted considerable research interest, as cyber insurance represents a new, dynamic market segment with substantial growth potential for insurers. Because the customer's practices and processes consistently determine the final overall result, the customer's behaviour has to be described in detail. The aim of the present paper is to design an instrument (questionnaire) for assessing a customer's cyber risk in insurability verification. The method for building the instrument (questionnaire) is empirical research, which is based on the use of empirical evidence. A questionnaire with 11 questions is proposed.

    Reviewing qualitative research approaches in the context of critical infrastructure resilience

    Modern societies are increasingly dependent on the proper functioning of critical infrastructures (CIs). CIs produce and distribute essential goods or services, such as power transmission systems, water treatment and distribution infrastructures, transportation systems, communication networks, nuclear power plants, and information technologies. Being resilient becomes a key property for CIs, which are constantly exposed to threats that can undermine safety, security, and business continuity. Nowadays, a variety of approaches exist in the context of CI resilience research. This paper provides a state-of-the-art review of the approaches that have a complete qualitative dimension, or that can be used as entry points for semi-quantitative analyses. The study aims to uncover the usage of qualitative research methods through a systematic review based on PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses). The paper identifies four principal dimensions of resilience relating to CIs (i.e., techno-centric, organisational, community, and urban) and discusses the related qualitative methods. Besides many studies being focused on energy and transportation systems, the literature review allows one to observe that interviews and questionnaires are most frequently used to gather qualitative data, alongside a high percentage of mixed-method research. The article aims to provide a synthesis of the literature on qualitative methods used for resilience research in the domain of CIs, detailing lessons learned from such approaches to shed light on best practices and identify possible future research directions.

    MANAGING CYBER HYGIENE AT A HIGHER EDUCATION INSTITUTION IN THE UNITED STATES

    Higher education institutions are obligated to protect their critical data, IT assets, and infrastructures. State-governed institutions develop policies and procedures based on state-mandated guidelines. While policies and procedures are updated regularly, cyber hygiene is managed in a manner that is financially feasible and constrained by personnel resources. Savannah State University struggles with maintaining cyber hygiene given its need to manage state funding in a manner that supports operational and mandated costs, but also indirect costs such as those that support cybersecurity. The Holistic Cybersecurity Maturity Assessment Framework (HCYMAF) was deployed in this study to examine cybersecurity maturity and hygiene at Savannah State University (SSU). Findings indicate that SSU is currently operating at Level 0 of the HCYMAF and needs to consider the actions proposed in this study to promote higher levels of cyber maturity. This research contributes to the extant literature on cyber hygiene and maturity in higher education.

    Developing and verifying a set of principles for the cyber security of the critical infrastructures of Turkey

    Critical infrastructures are vital assets for countries, as harm done to critical infrastructures may affect public order, economic welfare and/or national security. Today, cyber systems are extensively used to control and monitor critical infrastructures. Therefore, cyber threats have the potential to adversely affect the order of societies and countries. In this PhD study, the root causes of the susceptibility of the critical infrastructures of Turkey to cyber threats are identified by analyzing qualitative data with the grounded theory method. The extracted root causes are verified by two experts. The set of principles for the cyber security of the critical infrastructures is determined by introducing the root causes to six experts in a five-phase Delphi survey. A state-level cyber security maturity model to measure the readiness level of critical infrastructure protection efforts is developed using the set of principles. Because the maturity criteria are grounded in the root causes of susceptibility to cyber threats, the maturity model is named the Vulnerability Driven National Cyber Security Maturity Model. The readiness level of the critical infrastructure protection efforts of Turkey is measured through the participation of ten former/current government officials in the maturity survey. The root causes, the set of principles, and the results of the maturity survey are compared with the relevant studies of academia, non-profit organizations and governments.

    Cyber resilience, a survey of case studies

    Considering the potential magnitude and impact of cyber-attacks, organizations must be able to understand their capabilities to prevent, respond to and recover from these attacks, as well as to implement and refine adequate resilience plans. Due to the importance of cyber resilience, this survey aimed to review relevant case studies published in the scientific literature. The identified case studies followed different approaches: some of them focused on risk assessment and risk management processes and the complexity of their implementation, while others focused on the use of well-known frameworks to assess cyber resilience or on proposing new cyber resilience frameworks and tools.

    Human factor security: evaluating the cybersecurity capacity of the industrial workforce

    Purpose: As cyber-attacks continue to grow, organisations adopting the internet-of-things (IoT) have continued to react to security concerns that threaten their businesses within the current highly competitive environment. Many recorded industrial cyber-attacks have successfully beaten technical security solutions by exploiting human-factor vulnerabilities related to security knowledge and skills and manipulating human elements into inadvertently conveying access to critical industrial assets. Knowledge and skill capabilities contribute to human analytical proficiencies for enhanced cybersecurity readiness. Thus, a human-factored security endeavour is required to investigate the capabilities of the human constituents (workforce) to appropriately recognise and respond to cyber intrusion events within the industrial control system (ICS) environment.

    Design/methodology/approach: A quantitative approach (statistical analysis) is adopted to quantify the potential cybersecurity capability aptitudes of industrial human actors, identify the least security-capable workforce in the operational domain with the greatest susceptibility to cyber-attacks (i.e. the weakest link) and guide the enhancement of security assurance. To support these objectives, a Human-factored Cyber Security Capability Evaluation approach is presented using conceptual analysis techniques.

    Findings: Using a test scenario, the approach demonstrates the capacity to provide an efficient evaluation of workforce security knowledge and skills capabilities and the identification of the weakest link in the workforce.

    Practical implications: The approach can enable organisations to gain better workforce security perspectives such as security-consciousness, alertness and response aptitudes, thus guiding organisations into adopting strategic means of allocating security remediation outlines, scopes and resources without undue waste or redundancy.

    Originality/value: This paper demonstrates originality by providing a framework and computational approach for characterising and quantifying human-factor security capabilities based on security knowledge and security skills. It also supports the identification of potential security weakest links amongst an evaluated industrial workforce (human agents), some key security susceptibility areas and relevant control interventions. The model and validation results demonstrate the application of action research. This paper demonstrates originality by illustrating how action research can be applied within socio-technical dimensions to solve recurrent and dynamic problems related to industrial environment cyber security improvement. It provides value by demonstrating how theoretical security knowledge (awareness) and practical security skills can help resolve cyber security response and control uncertainties within industrial organisations.

    Improving resilience in Critical Infrastructures through learning from past events

    Modern societies are increasingly dependent on the proper functioning of Critical Infrastructures (CIs). CIs produce and distribute essential goods or services, such as power transmission systems, water treatment and distribution infrastructures, transportation systems, communication networks, nuclear power plants, and information technologies. Being resilient, where resilience denotes the capacity of a system to recover from challenges or disruptive events, becomes a key property for CIs, which are constantly exposed to threats that can undermine safety, security, and business continuity. Nowadays, a variety of approaches exists in the context of CI resilience research. This dissertation starts with a systematic review based on PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) of the approaches that have a complete qualitative dimension, or that can be used as entry points for semi-quantitative analyses. The review identifies four principal dimensions of resilience relating to CIs (i.e., techno-centric, organizational, community, and urban) and discusses the related qualitative or semi-quantitative methods. The scope of the thesis emphasizes the organizational dimension, as a socio-technical construct. Accordingly, the following research question has been posed: how can learning improve resilience in an organization? Firstly, the benefits of learning in a particular CI, i.e. the supply chain in reverse logistics related to the small arms utilized by the Italian Armed Forces, have been studied. Following the theory of Learning From Incidents, the theoretical model helped to elaborate a centralized information management system for the Supply Chain Management of small arms within a Business Intelligence (BI) framework, which can be the basis for an effective decision-making process capable of increasing the systemic resilience of the supply chain itself.

    Secondly, the research question has been extended to another extremely topical context, i.e. Emergency Management (EM), exploring crisis-induced learning where single-loop and double-loop learning cycles can be established from a behavioral perspective. Specifically, the former refers to the correction of practices within organizational plans without changing the core beliefs and fundamental rules of the organization, while the latter aims at resolving incompatible organizational behavior by restructuring the norms themselves together with the associated practices or assumptions. Consequently, with the aim of ensuring high EM system resilience and effective single-loop and double-loop crisis-induced learning at the organizational level, the study examined learning opportunities that emerge through the exploration of adaptive practices necessary to face the complexity of a socio-technical work domain such as the EM of Covid-19 outbreaks on Oil & Gas platforms. Both qualitative and quantitative approaches have been adopted to analyze the resilience of this specific socio-technical system. With this awareness, and with the intention to explore systems-theoretic possibilities to model the EM system, the Functional Resonance Analysis Method (FRAM) has been proposed as a qualitative method for developing a systematic understanding of adaptive practices, modelling planning and resilient behaviors and ultimately supporting crisis-induced learning. After the FRAM analysis, the same EM system has also been studied by adopting a Bayesian Network (BN) to quantify the resilience potentials of an EM procedure resulting from the adaptive practices and lessons learned by an EM organization. While the study of CIs is still an open and challenging topic, this dissertation provides methodologies and running examples of how systemic approaches may support data-driven learning to ultimately improve organizational resilience.

    These results, possibly extended with future research drivers, are expected to support decision-makers in their tactical and operational endeavors.

    Development of National Cyber Security Strategies (NCSSs), and an Application of Perspective to the Colombian Case

    States around the world face similar cyber-threats that have been addressed in official statements of policy such as National Cyber Security Strategies (NCSS), towards diverse ends, depending on their capacities, characteristics, ideologies, purposes and/or vision. Generalisations have prevailed, resulting in general frameworks and popular practical guidelines that were made to fit the situation of the issuers, commonly from the most developed countries, and that depart from assumptions that are not applicable to all of the rest of the states in the world. Governments began to realise that the times marked a turning point for beginning to think about, and assert, the needs and possibilities of their own countries first, and for issuing more responsive and responsible laws and policies than they have ever had. At the same time, stakeholders recognise that cyber security is a transnational phenomenon that demands global efforts. A smart balance should be reached across levels and sectors to help increase the safe use of cyberspace and unfold its full potential. The general purpose of this work is to conduct conceptual and empirical research with a mixed methodology in which the qualitative approach prevails, but which also includes a short quantitative exploratory analysis. A comparative analysis of 5 NCSSs, document analysis, a questionnaire administered online and a case study were the methods that resulted in two theoretical contributions: a definition of cyber security, and the formulation of a set of working tools consisting of the Adaptable and Transferable Guidelines.

    Both serve to establish the considerations required to complete a process of NCSS development; the suggestions on the Key Performance Indicators self-assessment list that affirms the benefits of measuring parameters; and the format for essential components to be included in NCSSs. A case study on the Colombian policy formulation follows, and illustrates the applicability of these unbiased guidelines, which could help the institutionalization of procedures and standards for more influential public policies and strategies.