A Conceptual Model for Cybersecurity Governance

References

  • Abraham, C., Chatterjee, D., & Sims, R. (2019). Muddling through cybersecurity: Insights from the US healthcare industry. Business Horizons, 62(4), 539–548. https://doi.org/10.1016/j.bushor.2019.03.010
  • Adams, M., & Makramalla, M. (2015). Cybersecurity skills training: An attacker-centric gamified approach. Technology Innovation Management Review, 5(1), 5–14. https://doi.org/10.22215/timreview/861
  • Adams, R. (2018). Our approach to employee security training. [Online]. PagerDuty. Retrieved 12 November 2020 from https://www.pagerduty.com/blog/security-training-atpagerduty/
  • Ahlmeyer, M., & Chircu, A. (2016). Securing the internet of things: A review. Issues in Information Systems, 17(4), 21–28. https://orcid.org/0000-0002-7925-9191
  • Al-Sharidah, A., Syed, A., Alsannat, E., & Gaddourah, A. (2020). How cybersecurity policies enable IR 4.0 emerging technologies. International Petroleum Technology Conference. https://doi.org/10.2523/IPTC-20241-MS
  • Althonayan, A., & Andronache, A. (2018). Shifting from information security towards a cybersecurity paradigm. Proceedings of the 2018 10th International Conference on Information Management and Engineering, 68–79. https://doi.org/10.1145/3285957.3285971
  • Amankwa, E., Loock, M., & Kritzinger, E. (2018). Establishing information security policy compliance culture in organizations. Information & Computer Security, 26(4), 420–436. https://doi.org/10.1108/ICS-09-2017-0063
  • American Management Association. (2008). Electronic monitoring & surveillance survey: Over half of all employers combined fire workers for email and Internet abuse. American Management Association, March 13, 2008.
  • Ani, U., He, H., & Tiwari, A. (2019). Human factor security: Evaluating the cybersecurity capacity of the industrial workforce. Journal of Systems and Information Technology, 21(1), 2–35. https://doi.org/10.1108/JSIT-02-2018-0028
  • Ashford, W. (2016). Lack of cyber security awareness putting UK organisations at risk [Online]. ComputerWeekly.com. Retrieved 6 November 2020 from http://www.computerweekly.com/news/4500278074/Lack-of-cyber-security-awarenessputting-UK-organisations-at-risk.
  • Australian Computing Society. (2016). Cybersecurity: Threats challenges opportunities (p. 51). ACS.
  • Baror, S., & Venter, H. (2019). A taxonomy for cybercrime attack in the public cloud. In International conference on cyber warfare and security (pp. 505-X). Academic Conferences International Limited.
  • Bodeau, D. (2012). Cyber security governance: A component of MITRE’s cyber prep methodology. Washington: MITRE Corporation. Available at:. Accessed on, 15.
  • Boerman, D. (2020). Reporting on cybersecurity performance. University of Twente.
  • Boutwell, M. (2019). Exploring industry cybersecurity strategy in protecting critical infrastructure.
  • Boyes, H. (2015). Cybersecurity and cyber-resilient supply chains. Technology Innovation Management Review, 5(4), 28–34. https://doi.org/10.22215/timreview/888
  • Bryan, E., & Larsen, A. (2017). Cybersecurity policies and procedures. In The cyber risk handbook: Creating and measuring effective cybersecurity capabilities (pp. 35–65). IRM and Willis Towers Watson.
  • Camillo, M. (2017). Cybersecurity: Risks and management of risks for global banks and financial institutions. Journal of Risk Management in Financial Institutions, 10, 196–200.
  • Chabinsky, S. (2010). Cybersecurity strategy: A primer for policy makers and those on the front line. Journal of National Security Law & Policy, 4, 27.
  • Chen, H., & Soltes, E. (2018). Why compliance programs fail—and how to fix them. Harvard Business Review, 96, 115–125.
  • Cohen, L., & Felson, M. (1979). Social change and crime rate trends: A routine activity approach. American Sociological Review, 44(4), 588–608. https://doi.org/10.2307/2094589
  • College of Healthcare Information Management Executives. (2018). Healthcare’s Most Wired 2018. CHIME.
  • Cook, A., Janicke, H., Smith, R., & Maglaras, L. (2017). The industrial control system cyber defence triage process. Computers & Security, 70, 467–481. https://doi.org/10.1016/j.cose.2017.07.009
  • Corradini, I., & Nardelli, E. (2018). Building organizational risk culture in cyber security: The role of human factors. In International Conference on Applied Human Factors and Ergonomics (pp. 193–202), Springer.
  • Cressey, D. (1973). Introduction to the reprint edition. In Other people’s money. A study in the social psychology of embezzlement, 2.
  • Dankwa, K. (2020). Deciphering the myth about non-compliance and its impact on cyber security and safety. In Modern theories and practices for cyber ethics and security compliance. IGI Global.
  • Debra Cascardo, M. (2016). Insights into cyber security risks: The key to survival is resiliency. The Journal of Medical Practice Management, 32, 169.
  • Dempsey, K., Chawla, N., Johnson, A., Johnston, R., Jones, A., Orebaugh, A., Scholl, M., & Stine, K. (2012). Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations: National Institute of Standards and Technology Special Publication 800–137. CreateSpace Independent Publishing Platform.
  • Donaire, N. (2018). Cybersecurity: A to-do list for your board [Online]. Retrieved 10 November 2020 from https://diligent.com/au/e1-cybersecurity-a-to-do-list-for-your-board/
  • Ellis, R., & Mohan, V. (2019). Rewired: Cybersecurity governance. John Wiley & Sons.
  • Eugen, P., & Petruţ, D. (2018). Exploring the new era of cybersecurity governance. Ovidius University Annals, Series Economic Sciences, 18, 361.
  • Farahmand, F., & Spafford, E. (2013). Understanding insiders: An analysis of risk-taking behavior. Information Systems Frontiers, 15(1), 5–15. https://doi.org/10.1007/s10796-010-9265-x
  • Fehr, R., Yam, K., & Dang, C. (2015). Moralized leadership: The construction and consequences of ethical leader perceptions. Academy of Management Review, 40(2), 182–209. https://doi.org/10.5465/amr.2013.0358
  • Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., & Smeraldi, F. (2016). Decision support approaches for cyber security investment. Decision Support Systems, 86, 13–23. https://doi.org/10.1016/j.dss.2016.02.012
  • Gross, A. (2018). Effective security training requires change in employee behavior [Online]. Health IT Answers. Retrieved 12 November 2020 from https://www.hitechanswers.net/effective-security-training-requires-change-in-employee-behavior/
  • Gundu, T. (2019). Acknowledging and reducing the knowing and doing gap in employee cybersecurity compliance. In ICCWS 2019 14th International Conference on Cyber Warfare and Security (pp. 94–102).
  • Gyunka, B., & Christiana, A. (2017). Analysis of human factors in cyber security: A case study of anonymous attack on Hbgary. Computing & Information Systems, 21.
  • Hadlington, L. (2018). The “human factor” in cybersecurity: Exploring the accidental insider. In Psychological and behavioral examinations in cyber security. IGI Global.
  • Han, J., Kim, Y., & Kim, H. (2017). An integrative model of information security policy compliance with psychological contract: Examining a bilateral perspective. Computers & Security, 66, 52–65. https://doi.org/10.1016/j.cose.2016.12.016
  • Hoffmann, R., Napiórkowski, J., Protasowicki, T., & Stanik, J. (2020). Risk based approach in scope of cybersecurity threats and requirements. Procedia Manufacturing, 44, 655–662. https://doi.org/10.1016/j.promfg.2020.02.243
  • Hooi, E. (2019). Cyber security: Beware the human factor (p. 2). Nanyang Technological University.
  • Huang, K., & Pearlson, K. (2019). For what technology can’t fix: Building a model of organizational cybersecurity culture. Proceedings of the 52nd Hawaii International Conference on System Sciences. https://doi.org/10.24251/HICSS.2019.769
  • IBM. (2014). IBM security services 2014 cyber security intelligence index (p. 3). IBM.
  • IBM (2014). IBM security services 2014 cyber security intelligence index. IBM.
  • ITRC (2016). Breach Statistics 2005–2015 [Online]. ITRC. Retrieved 1 March 2020 from http://www.idtheftcenter.org/images/breach/2005to2015multiyear.
  • ITU. (2008). ITU-T X.1205, Overview of cybersecurity (p. 2). International Telecommunication Union.
  • Jackson, C. (2017). Cybersecurity policy: Exploring leadership strategies that influence insider compliance. Capella University.
  • Kaminski, P., Rezek, C., Richter, W., & Sorel, M. (2017). Protecting your critical digital assets: Not all systems and data are created equal. McKinsey and Company. https://www.mckinsey.com/business-functions/risk/our-insights/protecting-your-critical-digital-assets-not-all-systems-and-data-are-created-equal.
  • Kostadinov, D. (2018). The components of a successful security awareness program. [Online]. Infosec. Retrieved 12 November 2020 from https://resources.infosecinstitute.com/components-successful-security-awareness-program/#gref
  • Lee, K., & Lim, J. (2016). The reality and response of cyber threats to critical infrastructure: A case study of the cyber-terror attack on the Korea Hydro & Nuclear Power Co., Ltd. KSII Transactions on Internet & Information Systems, 10.
  • Li, J., Yu, F., Deng, G., Luo, C., Ming, Z., & Yan, Q. (2017). Industrial internet: A survey on the enabling technologies, applications, and challenges. IEEE Communications Surveys & Tutorials, 19(3), 1504–1526. https://doi.org/10.1109/COMST.2017.2691349
  • Li, L., He, W., Xu, L., Ash, I., Anwar, M., & Yuan, X. (2019). Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior. International Journal of Information Management, 45, 13–24. https://doi.org/10.1016/j.ijinfomgt.2018.10.017
  • Liu, X., Dong, M., Ota, K., Yang, L., & Liu, A. (2018). Trace malicious source to guarantee cyber security for mass monitor critical infrastructure. Journal of Computer and System Sciences, 98, 1–26. https://doi.org/10.1016/j.jcss.2016.09.008
  • Madnick, S., Jalali, M., Siegel, M., Lee, Y., Strong, D., Wang, R., Ang, W., Deng, V., & Mistree, D. (2016). Measuring stakeholders’ perceptions of cybersecurity for renewable energy systems. In International workshop on data analytics for renewable energy integration (pp. 67–77). Springer.
  • Maines, C., Zhou, B., Tang, S., & Shi, Q. (2016). Adding a third dimension to BPMN as a means of representing cyber security requirements. In 2016 9th International Conference on Developments in eSystems Engineering (DeSE) (pp. 105–110). IEEE.
  • Malin, A., & Van Heule, G. (2013). Continuous monitoring and cyber security for high performance computing. In Proceedings of the first workshop on Changing landscapes in HPC security (pp. 9–14). https://doi.org/10.1145/2465808.2465810
  • Martin, G., Martin, P., Hankin, C., Darzi, A., & Kinross, J. (2017). Cybersecurity and healthcare: How safe are we? BMJ, 358:j3179. https://doi.org/10.1136/bmj.j3179.
  • Mathieu, C., Neumann, C., Hare, R., & Babiak, P. (2014). A dark side of leadership: Corporate psychopathy and its influence on employee well-being and job satisfaction. Personality and Individual Differences, 59, 83–88. https://doi.org/10.1016/j.paid.2013.11.010
  • Mccollum, T. (2015). Cyber disconnect [Online]. The Institute of Internal Auditors. Retrieved 20 January 2020 from http://www.theiia.org
  • Morse, A. (2018). Investigation: WannaCry cyber attack and the NHS. Report by the National Audit Office.
  • Mueller, M. (2017). Is cybersecurity eating internet governance? Causes and consequences of alternative framings. Digital Policy, Regulation and Governance, 19(6), 415–428. https://doi.org/10.1108/DPRG-05-2017-0025
  • Murphy, D., & Murphy, R. (2013). Teaching cybersecurity: Protecting the business environment. In Proceedings of the 2013 on InfoSecCD’13: Information Security Curriculum Development Conference (pp. 88–93).
  • Ng, A., & Kwok, B. (2017). Emergence of Fintech and cybersecurity in a global financial centre. Journal of Financial Regulation and Compliance, 25(4), 422–434. https://doi.org/10.1108/JFRC-01-2017-0013
  • NIST. (2018). Framework for improving critical infrastructure cybersecurity. NIST.
  • Nolan, C., Lawyer, G., & Dodd, R. (2019). Cybersecurity: Today’s most pressing governance issue. Journal of Cyber Policy, 4(3), 425–441. https://doi.org/10.1080/23738871.2019.1673458
  • Oliver, G., & Foscarini, F. (2014). Information culture: An essential concept for next generation records management. In DLM Forum-7th Triennial Conference (p. 31).
  • PACKT (2020). The scope of cybersecurity [Online]. Retrieved 1 December 2020 from https://subscription.packtpub.com/book/networking_and_servers/9781788836296/1/ch01lvl1sec12/the-scope-of-cybersecurity
  • Page, S., & Page, S. (2000). Achieving 100% compliance of policies and procedures. Policies and Procedures.
  • Pham, H., Pham, D., Brennan, L., & Richardson, J. (2017). Information security and people: A conundrum for compliance. Australasian Journal of Information Systems, 21. https://doi.org/10.3127/ajis.v21i0.1321
  • Pigni, F., Bartosiak, M., Piccoli, G., & Ives, B. (2018). Targeting Target with a 100 million dollar data breach. Journal of Information Technology Teaching Cases, 8(1), 9–23. https://doi.org/10.1057/s41266-017-0028-0
  • Plachkinova, M., & Maurer, C. (2018). Security breach at target. Journal of Information Systems Education, 29, 11–20.
  • Posey, C., & Canham, M. (2018). A computational social science approach to examine the duality between productivity and cybersecurity policy compliance within organizations. In International Conference on Social Computing, Behavioral-Cultural Modeling & Prediction and Behavior Representation in Modeling and Simulation (SBP-BRiMS).
  • PRC. (2021). Cost of data breach study [Online]. Retrieved 1 March 2021 from https://www.ibm.com/security/databreach
  • Proença, D., Vieira, R., & Borbinha, J. (2016). A maturity model for information governance. In International Conference on Theory and Practice of Digital Libraries (pp. 33, 15–26). Springer.
  • Pullin, D. (2018). Cybersecurity: Positive changes through processes and team culture. Frontiers of Health Services Management, 35(1), 3–12. https://doi.org/10.1097/HAP.0000000000000038
  • PWC. (2017). Cyber risk – Enlightenment through information risk management. PWC.
  • Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014). Missed alarms and 40 million stolen credit card numbers: How target blew it. In Bloomberg Businessweek. Bloomberg.
  • Romero-Mariona, J., Hallman, R., Kline, M., Palavicini, G., Bryan, J., San Miguel, J., Kerr, L., Major, M., & Alvarez, J. (2015). An approach to organizational cybersecurity. In International workshop on enterprise security (pp. 203–222). Springer.
  • Roškot, M., Wanasika, I., & Kroupova, Z. (2020). Cybercrime in Europe: Surprising results of an expensive lapse. Journal of Business Strategy, 42(2), 91–98. https://doi.org/10.1108/JBS-12-2019-0235
  • RSA. (2016). Cyber risk appetite: Defining and understanding risk in the modern enterprise. RSA.
  • Sabillon, R., Cano, J., Cavaller Reyes, V., & Serra Ruiz, J. (2016). Cybercrime and cybercriminals: A comprehensive study. International Journal of Computer Networks and Communications Security, 4(6).
  • Scala, N., Reilly, A., Goethals, P., & Cukier, M. (2019). Risk and the five hard problems of cybersecurity. Risk Analysis, 39(10), 2119–2126. https://doi.org/10.1111/risa.13309
  • Schein, E. (1996). Three cultures of management: The key to organizational learning. Sloan Management Review, 38, 9–20.
  • SEC. (2018). Commission statement and guidance on public company cybersecurity disclosures. SEC.
  • Shackelford, S., Sulmeyer, M., Deckard, A., Buchanan, B., & Micic, B. (2017). From Russia with love: Understanding the Russian cyber threat to US critical infrastructure and what to do about it. Nebraska Law Review, 96, 320.
  • Siebel, T. (2017). Why digital transformation is now on the CEO’s shoulders. McKinsey Quarterly, 4, 1–7.
  • Siponen, M., Pahnila, S., & Mahmood, M. (2010). Compliance with information security policies: An empirical investigation. Computer Magazine, 43(2), 64–71. https://doi.org/10.1109/MC.2010.35
  • Smith, K., Jones, A., Johnson, L., & Smith, L. (2019). Examination of cybercrime and its effects on corporate stock value. Journal of Information, Communication and Ethics in Society, 17(1), 42–60. https://doi.org/10.1108/JICES-02-2018-0010
  • Smith, M., & Paté-Cornell, M. (2018). Cyber risk analysis for a smart grid: How smart is smart enough? a multiarmed bandit approach to cyber security investment. IEEE Transactions on Engineering Management, 65(3), 434–447. https://doi.org/10.1109/TEM.2018.2798408
  • Sotira, N. (2018). The human factor in cyber security. Cyber Security: A Peer-Reviewed Journal, 1, 326–330.
  • Swinton, S., & Hedges, S. (2019). Cybersecurity Governance, Part 1: 5 Fundamental Challenges [Online]. Retrieved 9 November 2020 from https://insights.sei.cmu.edu/insider-threat/2019/07/cybersecurity-governance-part-1-5-fundamental-challenges.html
  • Tam, K., & Jones, K. (2018). Maritime cybersecurity policy: The scope and impact of evolving technology on international shipping. Journal of Cyber Policy, 3(2), 147–164. https://doi.org/10.1080/23738871.2018.1513053
  • Tran, T., Childerhouse, P., & Deakins, E. (2016). Supply chain information sharing: Challenges and risk mitigation strategies. Journal of Manufacturing Technology Management, 27(8), 25.
  • Underwood, K. (2015). Protiviti 2015 IT priorities survey. EDPACS, 52(1), 14–16. https://doi.org/10.1080/07366981.2015.1063931
  • Urciuoli, L., & Hintsa, J. (2017). Adapting supply chain management strategies to security – An analysis of existing gaps and recommendations for improvement. International Journal of Logistics Research and Applications, 20(3), 276–295. https://doi.org/10.1080/13675567.2016.1219703
  • Vaidya, R. (2019). Cyber security breaches survey 2019. assets.publishing.service.gov.uk.
  • Wang, P., & Johnson, C. (2018). Cybersecurity incident handling: A case study of the equifax data breach. Issues in Information Systems, 19.
  • Winkler, I. (2018). The fundamental flaw in security awareness programs. InformationWeek. [Online]. Retrieved 12 November 2020 from https://www.darkreading.com/endpoint/the-fundamental-flaw-in-security-awareness-programs/a/d-id/133230
  • Young, K. (2010). Policies and procedures to manage employee Internet abuse. Computers in Human Behavior, 26(6), 1467–1471. https://doi.org/10.1016/j.chb.2010.04.025