8 research outputs found

    A Developmental Study on Assessing the Cybersecurity Competency of Organizational Information System Users

    Organizational information system users (OISUs) that are open to cyber threat vectors are contributing to major financial and information losses for individuals, businesses, and governments. Moreover, technical cybersecurity controls may be rendered useless due to a lack of cybersecurity competency of OISUs. The main goal of this research study was to propose and validate, using subject matter experts (SMEs), a reliable hands-on assessment prototype tool for measuring the knowledge, skills, and abilities (KSAs) that comprise the cybersecurity competency of an OISU. Primarily using the Delphi methodology, this study implemented four phases of data collection using cybersecurity SMEs for proposing and validating OISU: (a) KSAs, (b) KSA measures, (c) KSA measure weights, and (d) cybersecurity competency threshold. A fifth phase of data collection occurred measuring the cybersecurity competency of 54 participants. Phase 1 proposed and validated three OISU cybersecurity abilities, 23 OISU cybersecurity knowledge units (KU), and 22 OISU cybersecurity skill areas (SA). Phase 2 proposed and validated 90 KSA measures for 47 knowledge topics (KT) and 43 skill tasks (ST). Phase 3 proposed and validated the weights for four knowledge categories (KC) and four skill categories (SC). Phase 4 proposed and validated an OISU cybersecurity competency threshold (index score) of 80%. Phase 5 of this study measured the cybersecurity competency of 54 OISUs using the MyCyberKSAsTM prototype cybersecurity competency assessment tool. Phase 5 conducted data analysis by computing levels of dispersion and one-way analysis of variance (ANOVA), which indicated that annual cybersecurity training and job function are significant, providing evidence of significant differences in OISU cybersecurity competency.

    BIM-enabled facilities management (FM): a scrutiny of risks resulting from cyber attacks

    Purpose: Building information modelling (BIM) creates a golden thread of information of the facility, which proves useful to those with the malicious intent of breaching the security of the facility. A cyber-attack incurs adverse implications for the facility and its managing organisation. Hence, this paper aims to unravel the impact of a cybersecurity breach by developing a BIM-facilities management (FM) cybersecurity-risk-matrix to portray what a cybersecurity attack means for various working areas of FM.
    Design/methodology/approach: This study commenced with exploring cybersecurity within various stages of a BIM project. This showcased a heightened risk of cybersecurity at the post-occupancy phase. Hence, thematic analysis of two main domains of BIM-FM and cybersecurity in the built environment led to the development of a matrix that illustrated the impact of a cybersecurity attack on a BIM-FM organisation.
    Findings: Findings show that the existing approaches to the management of cybersecurity in BIM-FM are technology-dependent, resulting in an over-reliance on technology and a lack of cybersecurity awareness of aspects related to people and processes. This study sheds light on the criticality of cyber-risk at the post-occupancy phase, highlighting the FM areas which will be compromised as a result of a cyber-attack.
    Originality/value: This study seeks to shift focus to the people and process aspects of cybersecurity in BIM-FM. Through discussing the interconnections between the physical and digital assets of a built facility, this study develops a cyber-risk matrix, which acts as a foundation for empirical investigations of the matter in future research.

    Lei geral de proteção de dados: uma proposta de implantação e adequação acessível aos pequenos provedores de acesso à internet (General Data Protection Law: an accessible implementation and compliance proposal for small internet access providers)

    The global landscape of personal data protection has been changing, and Brazil is no exception: to establish the rights and responsibilities of all parties involved, the General Data Protection Law (LGPD) was created. This work was therefore designed to achieve its main purpose, which is to propose an accessible LGPD implementation guide for the compliance of small internet access providers. Some important challenges must be faced along the way, such as the need for planning through steps and procedures, the possibility of investment, and the adjustment of data protection policies in certain sectors of the company; it is thus necessary to develop an instrument that helps apply existing best practices in data protection. This work is based on current data protection legislation, supported by concepts and practices recognised in several countries, and covers techniques and references that guide companies in implementing and conducting data protection. Finally, it is worth noting that the topic addressed involves very different fields: technology, management and law.

    Measuring Cybersecurity Competency: An Exploratory Investigation of the Cybersecurity Knowledge, Skills, and Abilities Necessary for Organizational Network Access Privileges

    Organizational information system users (OISU) that are victimized by cyber threats are contributing to major financial and information losses for individuals, businesses, and governments. Moreover, it has been argued that cybersecurity competency is critical for advancing economic prosperity and maintaining national security. The fact remains that technical cybersecurity controls may be rendered useless due to a lack of cybersecurity competency of OISUs. All OISUs, from accountants to cybersecurity forensics experts, can place organizational assets at risk. However, that risk is increased when OISUs do not have the cybersecurity competency necessary for operating an information system (IS). The main goal of this research study was to propose and validate, using subject matter experts (SME), a reliable hands-on prototype assessment tool for measuring the cybersecurity competency of an OISU. To perform this assessment, SMEs validated the critical knowledge, skills, and abilities (KSA) that comprise the cybersecurity competency of OISUs. Primarily using the Delphi approach, this study implemented four phases of data collection using cybersecurity SMEs for proposing and validating OISU: KSAs, KSA measures, KSA measure weights, and cybersecurity competency threshold. A fifth phase of data collection occurred measuring the cybersecurity competency of 54 participants.

    Phase 1 of this study performed five semi-structured SME interviews before using the Delphi method and anonymous online surveys of 30 cybersecurity SMEs to validate OISU cybersecurity KSAs found in literature and United States government (USG) documents. The results of Phase 1 proposed and validated three OISU cybersecurity abilities, 23 OISU cybersecurity knowledge units (KU), and 22 OISU cybersecurity skill areas (SA). In Phase 2, two rounds of the Delphi method with anonymous online surveys of 15 SMEs were used to propose and validate OISU cybersecurity KSA measures. The results of Phase 2 proposed and validated 90 KSA measures for 47 knowledge topics (KT) and 43 skill tasks (ST). In Phase 3, using the Delphi method with anonymous online surveys, a group of 15 SMEs was used to propose and validate OISU cybersecurity KSA weights. The results of Phase 3 proposed and validated the weights for four knowledge categories (KC) and four skill categories (SC). When Phase 3 was completed, the MyCyberKSAsTM prototype assessment tool was developed using the results of Phases 1-3, and Phase 4 was initiated.

    In Phase 4, using the Delphi method with anonymous online surveys, a group of 15 SMEs was used to propose and validate an OISU cybersecurity competency threshold (index score) of 80%, which was then integrated into the MyCyberKSAsTM prototype tool. Before initiating Phase 5, the MyCyberKSAsTM prototype tool was fully tested by 10 independent testers to verify the accuracy of data recording by the tool. After testing of the MyCyberKSAsTM prototype tool was completed, Phase 5 of this study was initiated. Phase 5 of this study measured the cybersecurity competency of 54 OISUs using the MyCyberKSAsTM prototype tool. Upon completion of Phase 5, data analysis of the cybersecurity competency results of the 54 OISUs was conducted. Data analysis was conducted in Phase 5 by computing levels of dispersion and one-way analysis of variance (ANOVA). The results of the ANOVA data analysis from Phase 5 revealed that annual cybersecurity training and job function are significant, showing differences in OISU cybersecurity competency. Additionally, ANOVA data analysis from Phase 5 showed that age, cybersecurity certification, gender, and time with company were not significant, thus showing no difference in OISU cybersecurity competency. The results of this research study were validated by SMEs as well as the MyCyberKSAsTM prototype tool, and proved that the tool is capable of assessing the cybersecurity competency of an OISU.

    The ability for organizations to measure the cybersecurity competency of OISUs is critical to lowering risks that could be exploited by cyber threats. Moreover, the ability for organizations to continually measure the cybersecurity competency of OISUs is critical for assessing workforce susceptibility to emerging cyber threats. Furthermore, the ability for organizations to measure the cybersecurity competency of OISUs allows organizations to identify specific weaknesses of OISUs that may require additional training or supervision, thus lowering risks of being exploited by cyber threats.
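To make the weighted scoring and the Phase 5 group comparison concrete, here is an added Python example; it is not the MyCyberKSAsTM tool or the study's own code. It computes a weighted index over four knowledge categories and four skill categories, checks it against the validated 80% threshold, and runs a one-way ANOVA over index scores grouped by a factor such as annual training. The category names, weights, per-measure results and group scores are constructed assumptions: the page states only the category counts and the threshold, not the validated weights or the participants' data.

```python
"""Weighted KSA competency index against an 80% threshold, plus a one-way
ANOVA across user groups. Added example; not the MyCyberKSAs tool's code.

Assumptions: category weights, per-measure scoring and all participant data
below are constructed for illustration. The study reports only that four
knowledge categories (KC) and four skill categories (SC) were weighted and
that the validated competency threshold is an index score of 80%.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

COMPETENCY_THRESHOLD = 0.80  # validated OISU threshold (index score of 80%)


@dataclass
class Category:
    """One KC or SC: its share of the index and the recorded measure results.

    Each measure is scored in [0, 1]: 1.0 for a knowledge topic answered
    correctly or a skill task completed, 0.0 for a miss; partial credit allowed.
    """
    name: str
    weight: float
    measures: List[float] = field(default_factory=list)

    def score(self) -> float:
        """Mean of the category's measures, after validating their range."""
        if not self.measures:
            raise ValueError(f"{self.name}: no measures recorded")
        for m in self.measures:
            if not 0.0 <= m <= 1.0:
                raise ValueError(f"{self.name}: measure {m!r} outside [0, 1]")
        return sum(self.measures) / len(self.measures)


def competency_index(categories: List[Category]) -> float:
    """Weighted index in [0, 1]; the category weights must sum to 1."""
    total_w = sum(c.weight for c in categories)
    if abs(total_w - 1.0) > 1e-9:
        raise ValueError(f"category weights sum to {total_w:.4f}, expected 1.0")
    return sum(c.weight * c.score() for c in categories)


def is_competent(index: float, threshold: float = COMPETENCY_THRESHOLD) -> bool:
    """True when the user meets or exceeds the validated threshold."""
    return index >= threshold


def one_way_anova(groups: Dict[str, List[float]]) -> Tuple[float, int, int]:
    """Return (F, df_between, df_within) for a one-way ANOVA over index scores.

    A large F relative to the F(df_between, df_within) critical value means the
    group means differ by more than the within-group scatter explains. The
    p-value is left to an F table or scipy.stats.f.sf(F, df_between, df_within).
    """
    samples = [g for g in groups.values() if g]
    if len(samples) < 2:
        raise ValueError("need at least two non-empty groups")
    n = sum(len(g) for g in samples)
    k = len(samples)
    grand = sum(sum(g) for g in samples) / n
    ss_between = sum(len(g) * (sum(g) / len(g) - grand) ** 2 for g in samples)
    ss_within = sum((x - sum(g) / len(g)) ** 2 for g in samples for x in g)
    df_b, df_w = k - 1, n - k
    if df_w == 0 or ss_within == 0.0:
        raise ValueError("no within-group variance; F is undefined")
    return (ss_between / df_b) / (ss_within / df_w), df_b, df_w


def sample_participant() -> List[Category]:
    """Constructed results for one OISU (assumed split: 0.5 knowledge, 0.5 skill)."""
    return [
        Category("KC1 threat awareness", 0.10, [1, 1, 0, 1]),
        Category("KC2 policy and acceptable use", 0.10, [1, 1, 1, 1]),
        Category("KC3 data handling", 0.15, [1, 0, 1, 1]),
        Category("KC4 incident reporting", 0.15, [1, 1, 1, 0]),
        Category("SC1 phishing recognition", 0.15, [1, 1, 1, 1, 0]),
        Category("SC2 authentication hygiene", 0.15, [1, 1, 1, 1]),
        Category("SC3 device and update handling", 0.10, [1, 1, 0, 1]),
        Category("SC4 incident response actions", 0.10, [0, 1, 1, 1]),
    ]


def sample_groups() -> Dict[str, List[float]]:
    """Constructed index scores split by whether the user had annual training."""
    return {
        "annual training": [0.85, 0.90, 0.82, 0.88],
        "no annual training": [0.70, 0.74, 0.66, 0.78],
    }


if __name__ == "__main__":
    idx = competency_index(sample_participant())
    print(f"index={idx:.2f} competent={is_competent(idx)}")
    f_stat, df_b, df_w = one_way_anova(sample_groups())
    print(f"F({df_b}, {df_w}) = {f_stat:.2f}")
```

The weight check and the range check on measures are there because an index that silently exceeds 1.0, or one built from weights that do not sum to 1, would move users across the 80% threshold for reasons unrelated to their competency. The ANOVA returns only F and its degrees of freedom; a decision needs the critical value for those degrees of freedom, and with group sizes this small the result should be read as an illustration of the method, not as evidence.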

    Analyzing Small Business Strategies to Prevent External Cybersecurity Threats

    Some small businesses’ cybersecurity analysts lack strategies to prevent their organizations from compromising personally identifiable information (PII) via external cybersecurity threats. Small business leaders are concerned, as they are the most targeted critical infrastructures in the United States and are a vital part of the economic system as data breaches threaten the viability of these organizations. Grounded in routine activity theory, the purpose of this pragmatic qualitative inquiry was to explore strategies small business organizations utilize to prevent external cybersecurity threats. The participants were nine cybersecurity analysts who utilized strategies to defend small businesses from external threats. Data were collected via online semistructured interviews and the National Institute of Standards and Technology documentation and analyzed thematically. Six major themes emerged: (a) applying standards regarding external threats, (b) evaluation of cybersecurity strategies and effectiveness, (c) consistent awareness of the external threat landscape, (d) assessing threat security posture, (e) measuring the ability to address risk and prevent attacks related to external threats, and (f) centralizing communication across departments to provide a holistic perspective on threats. A key recommendation for cybersecurity analysts is to employ moving-target defenses to prevent external cybersecurity threats. The implications for positive social change include the potential to provide small business cybersecurity analysts with additional strategies to effectively mitigate the compromise of customer PII, creating more resilient economic infrastructures while strengthening communities.

    Integration of Cybersecurity in BIM-enabled Facilities Management Organisations

    Building Information Modelling (BIM) enables the creation, exchange and storage of digital information which represents digital and physical assets within a facility. The data within the in-use phase of a BIM project life cycle incorporates the highest level of detail, where the as-built data of the facilities are managed and maintained by the facilities management (FM) organisations. The connection of BIM with the FM systems facilitates access to as-built and as-maintained data of all components within a facility, which may enable control of the devices and systems within the facility. Hence, facilities and their occupants become ever more vulnerable to cyber-attacks with malicious intentions of harming the occupants or disrupting or destroying the facilities. Thus, effective cybersecurity management is required to protect data. Findings from the review of literature were summarised in a cybersecurity risk matrix, to bridge the concepts of cybersecurity and BIM in FM by unveiling the impact of a cybersecurity attack, resulting in a compromise of the integrity, availability, and confidentiality of data in various task areas of a BIM-enabled FM (BIM-FM) organisation. This emphasises the significance of effective and efficient management of cybersecurity in preserving the benefits associated with the implementation of BIM in FM. Review of the literature showed that both academia and industry are more focused on the technical aspects of using BIM in FM, which is often coupled with an overdependency on technical cybersecurity measures. Thus, investing in a mature implementation of BIM that includes cybersecurity considerations from a people and process perspective is often overlooked in FM organisations. This has resulted in an increased vulnerability to a cybersecurity attack that may compromise the potential BIM benefits in FM. 
    Therefore, this study sought to shift focus to the people and process aspects of the issue of cybersecurity in BIM-enabled FM, by exploring the people and process related BIM and cybersecurity determinants that contribute to a more cybersecure BIM-FM. An inductive approach to the research facilitated a multi-disciplinary exploration of the concepts of BIM and cybersecurity, which resulted in the demarcation of the research focus to BIM-enabled facilities management organisations. This was followed by a literature review and qualitative analysis of secondary data from BIM maturity models and cybersecurity best practice guidelines to investigate the requirements of a cybersecure implementation of BIM in FM. Findings were structured to form the primary research framework, which was further enhanced and improved using the empirical findings collected via 25 semi-structured interviews with facilities management professionals. Findings from the thematic analysis of the interviews were coalesced with the literature review findings to develop the BIMCS-FM framework upon the primary research framework. The BIMCS-FM framework presents the determinants of a cybersecure BIM in FM and their interconnections, to assist BIM-FM organisations in their approach to cybersecurity management. The framework was validated using expert opinion gathered with a semi-structured questionnaire, which was qualitatively analysed to make final revisions to the framework. The BIMCS-FM framework acts as a prompting mechanism for BIM-FM organisations to integrate cybersecurity within all aspects of BIM in FM. This framework expands the scope of BIM maturity by incorporating cybersecurity considerations as part of the management of BIM in FM, creating a unified approach towards the management of both BIM and cybersecurity in FM. 
    The application of this framework to BIM-FM can benefit from the future development of process models to enable the build-up of knowledge, skill sets, awareness and culture that is required for a cybersecure implementation of BIM. This study also provides a foundation for future research into the complexities of cybersecurity in protecting the digital information in various task areas of a BIM-FM organisation.