
    Dynamic real-time risk analytics of uncontrollable states in complex internet of things systems, cyber risk at the edge

    The Internet of Things (IoT) triggers new types of cyber risk, so integrating new IoT devices and services requires a self-assessment of IoT cyber security posture. By security posture this article means the cybersecurity strength of an organisation to predict, prevent and respond to cyber threats. At present there is a gap in the state of the art: no self-assessment methods exist for quantifying IoT cyber risk posture. To address this gap, an empirical analysis of 12 cyber risk assessment approaches is performed. The results and main findings of the analysis are presented as a current and a target risk state for IoT systems, followed by conclusions and recommendations on a transformation roadmap describing how IoT systems can reach the target state with a new goal-oriented dependency model. By target state, we mean the cyber security target that matches the generic security requirements of an organisation. The paper studies and adapts four alternatives for IoT risk assessment and identifies goal-oriented dependency modelling as the dominant approach among the risk assessment models studied. The new goal-oriented dependency model in this article enables the assessment of uncontrollable risk states in complex IoT systems and can be used for a quantitative self-assessment of IoT cyber risk posture.

    Towards a Qatar Cybersecurity Capability Maturity Model with a Legislative Framework

    In an age when cybersecurity vulnerabilities can be used as a pretext for a blockade, as happened to Qatar after the hack of the Qatar News Agency, it becomes incumbent upon states to consider legislating the measurement of capability maturity and the development of their cybersecurity programs across the community. This paper proposes a Qatar Cybersecurity Capability Maturity Model (Q-C2M2) with a legislative framework. It discusses the origin, purpose and characteristics of a capability maturity model and its adoption in the cybersecurity domain. Driven by a thematic analysis under the document analysis methodology, the paper examines existing, globally recognized cybersecurity capability maturity models and Qatar's cybersecurity framework using publicly available documents. It also compares the existing capability maturity models, and the capability maturity model literature, against the Qatari cybersecurity framework. The comparative document analysis identified gaps in the existing Qatar National Information Assurance Policy and, specifically, in the Qatar National Information Assurance Manual. The proposed Q-C2M2 aims to enhance Qatar's cybersecurity framework by providing a workable model with a legislative component that can be used to benchmark, measure and develop that framework. The Q-C2M2 proposes the USERS domains: Understand, Secure, Expose, Recover and Sustain. Each domain consists of subdomains under which an organization can create cybersecurity activities at initial benchmarking. The Q-C2M2 uses five levels to measure the cybersecurity capability maturity of an organization: Initiating, Implementing, Developing, Adaptive and Agile.

    When should an organisation start vulnerability management?

    Organisations may find vulnerability management very difficult to start, yet they are obliged to perform it by requirements that come from standards, regulations or business relationships. The objective of the research was to compile an easy-to-understand document on a cyber security programme that allows an organisation to begin vulnerability management. To give such a programme a firm basis for vulnerability management, cyber security frameworks, cyber security maturity models and vulnerability management implementation processes had to be compared and presented. The research started by searching for suitable subjects in each of these three categories. The subjects found were studied and their features compared analytically; the comparison identified their strengths, weaknesses and characteristic features. The research concluded that there is no single cyber security framework, cyber security maturity model or vulnerability management implementation process that suits all organisations. It should nevertheless give organisations adequate documentation for building a strong basis for their cyber security programme and for beginning vulnerability management.

    AIM Triad: A Prioritization Strategy for Public Institutions to Improve Information Security Maturity

    In today's world, private and government organizations are legally obligated to prioritize their information security and must show that they are continually improving their cybersecurity compliance. One approach that can help organizations reach this goal is to implement an information security maturity model. Such models provide a structured framework for measuring performance and implementing best practices. However, choosing a suitable model can be challenging, since adopting one requires changes to culture, processes and work practices, and implementing several models at once can be overwhelming, if it is feasible at all. This article proposes a prioritization strategy for public institutions that want to improve their information security maturity. We analyzed various sources through a systematic mapping to identify critical similarities among information security maturity models. This led us to create the AIM (Awareness, Infrastructure, and Management) Triad, a practical guide for organizations seeking maturity in their information security practices.
    This work received partial support from Proyecto DIUFRO DI21-0079 and Proyecto DIUFRO DI22-0043, Universidad de La Frontera, Temuco, Chile.

    A NIS Directive compliant Cybersecurity Maturity Model

    The EU NIS Directive introduces obligations for Operators of Essential Services and Digital Service Providers concerning the security of their network and information systems, and requires National Competent Authorities for cybersecurity to assess compliance with those obligations. This paper describes a novel Cybersecurity Maturity Assessment Framework (CMAF) tailored to the NIS Directive requirements. CMAF can be used either as a self-assessment tool by Operators of Essential Services and Digital Service Providers or as an audit tool by the National Competent Authorities for cybersecurity.

    Cybersecurity Awareness and Training (CAT) Framework for Remote Working Employees

    Cybersecurity currently plays an essential role in computing and information technology because of its direct effect on organizations' critical assets and information. It applies the principles of confidentiality, integrity and availability to protect organizational assets and information from malicious attacks and from exploitation of vulnerabilities. The COVID-19 pandemic generated new cybersecurity issues and challenges for businesses as employees became accustomed to working from home. Firms are speeding up their digital transformation, making cybersecurity their main current concern. To protect software and hardware systems, organizations tend to spend large sums procuring intrusion detection systems, antivirus software, antispyware software and encryption mechanisms. These solutions are not enough on their own, and organizations continued to suffer security risks from the escalating list of vulnerabilities during the pandemic. There is a pressing need for a cybersecurity awareness and training framework for remote working employees. The main objective of this research is to propose a CAT framework for cybersecurity awareness and training that helps organizations evaluate and measure their employees' capability in the cybersecurity domain, and so manage security-related issues and challenges effectively and efficiently to protect their assets and critical information. The developed CAT framework consists of three key levels and twenty-five core practices. Case studies were conducted to evaluate its usefulness in cybersecurity-focused organizational settings in a real-world environment. Their results showed that the proposed CAT framework can identify employees' capability levels and help train them to overcome the cybersecurity issues and challenges their organizations face.

    Does High Cybersecurity Capability Lead to Openness in Digital Trade? The Mediation Effect of E-Government Maturity

    Cybersecurity risks threaten the digital economy, including the digital trade enabled by digital technologies. As part of cybersecurity capability building, governments implement fragmented, constantly changing policies to manage cybersecurity threats arising from cross-border digital activities. However, the lack of a shared understanding of cybersecurity within cross-border digital innovation has fuelled a growing debate about how cybersecurity capability building policies affect digital trade restrictions. This study develops a National Cyber Trade Behavior model to examine the relationship between national cybersecurity capability and digital trade restrictions. Using PLS-SEM-based path analysis, we draw empirical evidence to validate the model and show that building cybersecurity capability can indirectly support an open digital trade system, mediated by E-government maturity.

    Dynamic Capabilities in Cybersecurity Intelligence: A Meta-Synthesis to Enhance Protection Against Cyber Threats

    Advanced, automated cybersecurity threats are on the rise in industries such as finance, healthcare, technology, retail, telecoms and transportation, as well as in government. Building cybersecurity intelligence (CI) requires an analysis of cybersecurity-related resources and capabilities. The purpose of this paper is to propose, on the basis of the existing literature, a Dynamic Capabilities in Cybersecurity Intelligence (DCCI) model that has helped firms reduce the risk of cyber violations and advance the development of their systems and their life cycle. Through a meta-synthesis combining abduction and induction in eight methodological steps, forty-seven case studies were analyzed for the presence of cybersecurity capabilities that build CI. Combining theoretical and practical information security maturity models as a foundation, we show how capability building improves the predictability of cyber incidents. The results revealed four second-order dimensions for building CI, named doing, enabling, improving and managing cybersecurity, and eight first-order outcomes that together represent the DCCI model. This research contributes to national and international practice by allowing firms to innovate their resource management processes and abilities, enable better cybersecurity projects, reduce the impact of potential cyberattacks and possibly eradicate vulnerabilities.

    Designing Extended Zero Trust Maturity Model – From Technical to Socio-Technical

    Recent successful cyberattacks have exploited trust to compromise organizational information systems. Scholars and practitioners agree that the issue originates in the perimeter security approach, within which trust inside the perimeter is assumed. To improve the situation, it has been proposed to build security principles on the idea that trust is not inherent but earned, an approach coined Zero Trust. However, the current discussion, led by technology-minded practitioners, has focused mostly on trust at the network security and architecture levels, largely omitting the organizational aspects of security. To address this gap, we build on the socio-technical approach and on maturity models to develop, together with security experts, a novel artifact that addresses the need for organizational Zero Trust: the Extended Zero Trust Maturity Model. Our research contributes to the discussion on holistic information security management by extending the principles of Zero Trust from a technical to a socio-technical approach, and responds to calls to reconsider the foundational assumptions of IS security.

    Simplifying Cyber Security Maturity Models through National Culture: A Fuzzy Logic Approach

    Different assessment models exist to measure a country's cyber security maturity level. These levels serve as a benchmark for how well prepared a nation is against a cyber attack and how resilient it would be in recovering from one. However, the results of these maturity assessments are either too general, overly complex, or too resource-intensive to apply and to guide important national cyber security strategies and frameworks. To address this, we propose a model that links national culture with a country's cyber security maturity through fuzzy logic mapping, so that a more uniform reflection of the cyber security maturity level within a country can be measured. In this paper, we present further research towards optimising that model. The extended model incorporates input from two cyber security assessment models, and we validate the refined output models on 11 countries, comparing the maturity levels from the traditional assessment model with those of our optimised fuzzy model. Our results show that it is viable to reduce the resources required to conduct a national cyber security maturity assessment.