Cyber Trust Index: A Framework for Rating and Improving Cybersecurity Performance
Abstract
1. Introduction
2. Cybersecurity Performance Measurement—The Past and the Present Methods
Perspective on Existing Methods
3. The Cyber Trust Index (CTI) Framework
CTI Framework Walkthrough
- Entity and Information Needed
- Attribute
- Base measure
- The Control Enabler must either mandate, support, or influence the performance of the control.
- The Control Enabler may or may not be the control itself. If the control plays its part in either mandating, supporting, or influencing the performance of other controls, then that particular control is also a Control Enabler.
- The Control Enabler must be objectively and unambiguously measurable.
- Measurement Method
- Derived Measure
- Indicator
4. Results
4.1. The State of Cybersecurity in Thailand
4.2. The Key Drivers for Cybersecurity Performance
4.3. Cybersecurity Priorities for the Next Normal
- Most critical dimensions: This group result is aligned with the Two-Tailed T-test results discussed earlier. It comprises the Data Security and Cloud Security dimensions, which received the lowest scores among all groups. Policymakers and organization leaders should review and update their current cybersecurity strategy and investment initiatives to give priority to these two dimensions where possible.
- Important dimensions: This group combines related dimensions that form part of the fundamental practice for identifying and mitigating cyber risks. Some organizations received decent scores on these dimensions. Organizations that are just starting to plan and implement cybersecurity programs, e.g., startups and SMEs, may consider these dimensions a good starting point.
- Necessary dimensions: This group mostly contains technically oriented dimensions. All of them are necessary for building organizational capabilities to prevent, detect, respond to, and recover from cyber threats. This group also includes the Governance dimension, which performs the evaluate, direct, and monitor functions [28] and ensures other dimensions are strategically aligned with objectives.
4.4. Cluster Performance Analysis
5. Discussion
5.1. The Need for Cyber Regulating Body and Return on Enforcement—The External Factor
5.2. Leverage Control Enabler to Drive Cybersecurity Performance—The Internal Factor
5.3. Combining the Internal and External Driving Forces to Deliver Better Cybersecurity Performance—The Roadmap
6. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- Vasiu, I.; Vasiu, L. Cybersecurity as an Essential Sustainable Economic Development Factor. Eur. J. Sustain. Dev. 2018, 7, 171–178.
- Michael, K.; Kobran, S.; Abbas, R.; Hamdoun, S. Privacy, Data Rights and Cybersecurity: Technology for Good in the Achievement of Sustainable Development Goals. In Proceedings of the International Symposium on Technology and Society (ISTAS2019), Boston, MA, USA, 15–16 November 2019.
- Andrade, R.; Yoo, S.; Tello-Oquendo, L.; Ortiz-Garces, I. Cybersecurity, Sustainability, and Resilience Capabilities of a Smart City; Elsevier: Amsterdam, The Netherlands, 2021.
- Sadik, S.; Ahmed, M.; Sikos, L.; Islam, N. Toward a Sustainable Cybersecurity Ecosystem. Computers 2020, 9, 74.
- IBM Security. Cost of a Data Breach Report 2020. Available online: https://www.ibm.com/security/digital-assets/cost-data-breach-report/ (accessed on 20 January 2021).
- Interpol. Cyber Crime: COVID-19 Impact. Available online: https://www.interpol.int/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19 (accessed on 12 August 2020).
- Hill, T. FBI Sees Spike in Cyber Crime Reports during Coronavirus Pandemic. Available online: https://thehill.com/policy/cybersecurity/493198-fbi-sees-spike-in-cyber-crime-reports-during-coronavirus-pandemic (accessed on 12 August 2020).
- Hedström, K.; Kolkowska, E.; Karlsson, F.; Allen, J.P. Value conflicts for information security management. J. Strateg. Inf. Syst. 2011, 20, 373–384.
- ISO/IEC 27001:2013; Information Technology—Security Techniques—Information Security Management Systems—Requirements. International Organization for Standardization: Geneva, Switzerland, 2013.
- ISO/IEC 27701:2019; Security Techniques—Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management—Requirements and Guidelines. International Organization for Standardization: Geneva, Switzerland, 2019.
- NIST. Framework for Improving Critical Infrastructure Cybersecurity. 2018. Available online: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf (accessed on 5 May 2020).
- Payment Card Industry Security Standards Council. Payment Card Industry (PCI) Data Security Standard; PCI SSC: Westborough, MA, USA, 2018.
- Park, C.; Jang, S.; Park, Y. A Study of Effect of Information Security Management System [ISMS] Certification on Organization Performance. J. Korea Acad. Ind. Coop. Soc. 2012, 13, 4224–4233.
- Pettengill, M.; McAdam, A. Can We Test Our Way Out of the COVID-19 Pandemic? J. Clin. Microbiol. 2020, 58, e02225-20.
- Burke, W.; Oseni, T.; Jolfaei, A.; Gondal, I. Cybersecurity Indexes for eHealth. In Proceedings of the Australasian Computer Science Week Multiconference, Sydney, Australia, 29–31 January 2019; pp. 1–8.
- Prislan, K.; Mihelič, A.; Bernik, I. A real-world information security performance assessment using a multidimensional socio-technical approach. PLoS ONE 2020, 15, e0238739.
- Hewlett Packard. State of Security Operations: Report of Capabilities and Maturity of Cyber Defense Organizations: Business White Paper. Palo Alto. 2015. Available online: https://ten-inc.com/presentations/HP-State-of-Security-Operations-2015.pdf (accessed on 28 May 2021).
- Shah, A.; Ganesan, R.; Jajodia, S.; Cam, H. A methodology to measure and monitor level of operational effectiveness of a CSOC. Int. J. Inf. Secur. 2018, 17, 121–134.
- John Joseph, A.J.; Mariappan, M. A novel trust-scoring system using trustability co-efficient of variation for identification of secure agent platforms. PLoS ONE 2018, 13, e0201600.
- Monteiro, S.; Magalhães, J.P. Information Security Maturity Level: A Fast Assessment Methodology. In Ambient Intelligence—Software and Applications—8th International Symposium on Ambient Intelligence (ISAmI 2017); De Paz, J.F., Julian, V., Villarrubia, G., Marreiros, G., Novais, P., Eds.; Springer: Berlin/Heidelberg, Germany, 2017; pp. 269–277.
- Teufel, S.; Burri, R.; Teufel, B. Cybersecurity guideline for the utility business: A Swiss approach. In Proceedings of the 2018 International Conference on Smart Grid and Clean Energy Technologies, ICSGCE 2018, Kajang, Malaysia, 29 May–1 June 2018; IEEE: Beijing, China, 2018; pp. 1–6.
- Szczepaniuk, E.K.; Szczepaniuk, H.; Rokicki, T.; Klepacki, B. Information security assessment in public administration. Comput. Secur. 2020, 90, 101709.
- Taherdoost, H. What Is the Best Response Scale for Survey and Questionnaire Design; Review of Different Lengths of Rating Scale/Attitude, Scale Likert Scale. Int. J. Acad. Res. Manag. 2019, 8, 1–10.
- ISO/IEC/IEEE 15939:2017; Systems and Software Engineering—Measurement Process. International Organization for Standardization: Geneva, Switzerland, 2017.
- U.S. Department of Energy. Cybersecurity Capability Maturity Model Version 2.0. 2021. Available online: https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2 (accessed on 28 May 2021).
- RSA. RSA Cybersecurity Poverty Index—2016; RSA: Bedford, MA, USA, 2016.
- Tenable Network Security; CyberEdge Group. 2017 Global Cybersecurity Assurance Report Card; CyberEdge Group: Annapolis, MD, USA, 2017.
- Maleh, Y.; Ezzati, A.; Sahid, A.; Belaissaoui, M. CAFISGO: A Capability Assessment Framework for Information Security Governance in Organizations. J. Inf. Assur. Secur. 2017, 12, 209–217.
- Bernik, I.; Prislan, K. Measuring Information Security Performance with 10 by 10 Model for Holistic State Evaluation. PLoS ONE 2016, 11, e0163050.
- Rae, A.; Patel, A. Defining a New Composite Cybersecurity Rating Scheme for SMEs in the U.K. In Information Security Practice and Experience; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2019; Volume 11879, pp. 362–380.
- Ponemon Institute. Security Effectiveness Framework Study; Ponemon Institute: Traverse City, MI, USA, 2010. Available online: https://www.yumpu.com/en/document/view/28533958/security-effectiveness-framework-study (accessed on 28 May 2021).
- Cybersecurity and Infrastructure Security Agency. Cyber Resilience Review; CISA: Arlington, VA, USA, 2020. Available online: https://www.cisa.gov/uscert/resources/assessments (accessed on 28 May 2021).
- ITU; BDT. Cyber Security Programme Global Cybersecurity Index (GCI) Reference Model; ITU/BDT: Geneva, Switzerland, 2020.
- E-Governance Academy. National Cybersecurity Index; EGA: Tallinn, Estonia, 2018.
- PwC; Iron Mountain. An Introduction to the Information Risk Maturity Index; Iron Mountain: Boston, MA, USA, 2014.
- Yu, S. Understanding the Security Vendor Landscape Using the Cyber Defense Matrix. In Proceedings of the RSA Conference, San Francisco, CA, USA, 29 February–4 March 2016.
- Yu, S. The BETTER Cyber Defense Matrix, Reloaded. In Proceedings of the RSA Conference, San Francisco, CA, USA, 4–8 March 2019.
- Bissell, K.; LaSalle, R.; Richards, K. The Accenture Security Index; Accenture: Dublin, Ireland, 2017.
- Taylor, R.G. Potential Problems with Information Security Risk Assessments. Inf. Secur. J. 2015, 24, 177–184.
- Software Engineering Institute. CERT Resilience Management Model Version 1.2; SEI: Pittsburgh, PA, USA, 2016. Available online: https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=508084 (accessed on 6 June 2021).
- Pearse, N. Deciding on the scale granularity of response categories of Likert type scales: The case of a 21-point scale. Electron. J. Bus. Res. Methods 2011, 9, 159–171.
- Wanyonyi, E.; Rodrigues, A.; Abeka, S.O.; Ogara, S. Effectiveness of Security Controls on Electronic Health Records. Int. J. Sci. Technol. Res. 2017, 6, 47–54.
- Tytarenko, O. Selection of the Best Security Controls for Rapid Development of Enterprise-Level Cyber Security; Naval Postgraduate School: Monterey, CA, USA, 2017.
- NIST. NIST SP 800-53 Rev.4 Security and Privacy Controls for Federal Information Systems and Organizations. 2013. Available online: https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final (accessed on 5 May 2020).
- Center for Internet Security. CIS Controls v7.1. 2019. Available online: https://learn.cisecurity.org/CIS-Controls-v7.1 (accessed on 8 October 2020).
- SANS Institute. The CIS Critical Security Controls for Effective Cyber Defense. Available online: https://www.sans.org/critical-security-controls (accessed on 8 October 2020).
- Microsoft. About the ENISA Information Assurance Framework. Available online: https://docs.microsoft.com/en-us/compliance/regulatory/offering-enisa (accessed on 3 June 2020).
- OWASP. OWASP Top Ten. Available online: https://owasp.org/www-project-top-ten/ (accessed on 9 November 2020).
- OWASP. OWASP Mobile Top Ten. Available online: https://owasp.org/www-project-mobile-top-10/ (accessed on 9 November 2020).
- Krosnick, J. Question and Questionnaire Design. In The Palgrave Handbook of Survey Research; Palgrave: Cham, Switzerland, 2018.
- Saaty, T.L. Analytic Hierarchy Process. In Encyclopedia of Biostatistics; Armitage, P., Colton, T., Eds.; John Wiley & Sons: Hoboken, NJ, USA, 2005.
- Safari, M.R.; Yu, L.Z. Assessment of IT Governance and Process Maturity: Evidence from Banking Industry. In Proceedings of the Thirteenth Wuhan International Conference on E-Business, Wuhan, China, 1 June 2014; pp. 145–153.
- Elmaallam, M.; Kriouile, A. Towards a Model of Maturity for IS Risk Management. Int. J. Comput. Sci. Inf. Technol. 2011, 3, 171–188.
- Salvi, V.; Kadam, A.W. Information Security Management at HDFC Bank: Contribution of Seven Enablers; ISACA: Schaumburg, IL, USA, 2014.
- Da Veiga, A. The influence of information security policies on information security culture: Illustrated through a case study. In Proceedings of the Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA), Lesvos, Greece, 1–3 July 2015; Plymouth University: Plymouth, UK, 2015; pp. 22–33.
- Shriver, S.; Williams, B. Situational Leadership and Cybersecurity. Lead. Lead. 2019, 91, 44–49.
- Kianpour, M.; Kowalski, S.; Zoto, E.; Frantz, C.; Overby, H. Designing Serious Games for Cyber Ranges: A Socio-technical Approach. In Proceedings of the 2019 IEEE European Symposium on Security and Privacy Workshops, Stockholm, Sweden, 17–19 June 2019; pp. 85–93.
- Griffy-Brown, C.; Lazarikos, D.; Chun, M. Agile Business Growth and Cyber Risk: How do we secure the Internet of Things (IoT) environment? In Proceedings of the 2018 IEEE Technology and Engineering Management Conference (TEMSCON), Evanston, IL, USA, 28 June–1 July 2018; pp. 1–5.
- Sharma, L.; Singh, V. India towards digital revolution (security and sustainability). In Proceedings of the 2nd World Conference on Smart Trends in Systems, Security and Sustainability World, London, UK, 27 July 2020; pp. 163–171.
- Moller, D. Cybersecurity in Digital Transformation Scope and Applications; Springer: Berlin/Heidelberg, Germany, 2020.
- Van Eeten, M. Patching security governance: An empirical view of emergent governance mechanisms for cybersecurity. Digit. Policy Regul. Gov. 2017, 19, 429–448.
- Mosteanu, N. Challenges for organizational structure and design as a result of digitalization and cybersecurity. Bus. Manag. Rev. 2020, 11, 278–286.
- NIST. NIST SP 800-181 Rev.1 Workforce Framework for Cybersecurity (NICE Framework). 2020. Available online: https://doi.org/10.6028/NIST.SP.800-181r1 (accessed on 11 July 2021).
- Elkhannoubi, H.; Belaissaoui, M. A framework for an effective cybersecurity strategy implementation: Fundamental pillars identification. In Proceedings of the International Conference on Intelligent Systems Design and Applications (ISDA), Porto, Portugal, 14–16 December 2016; pp. 1–8.
- Akin, O.; Karaman, M. A novel concept for cybersecurity: Institutional cybersecurity. In Proceedings of the International Conference on Information Security and Cryptography, Ankara, Turkey, 23–24 May 2013.
- Chehri, A.; Fofana, I.; Yang, X. Security Risk Modeling in Smart Grid Critical Infrastructures in the Era of Big Data and Artificial Intelligence. Sustainability 2021, 6, 3196.
- Mohammad, S.; Surya, L. Security Automation in Information Technology. Int. J. Creat. Res. Thoughts IJCRT 2018, 6, 901–905.
- Geluvaraj, B. The Future of Cybersecurity: Major Role of Artificial Intelligence, Machine Learning, and Deep Learning in Cyberspace. In International Conference on Computer Networks and Communication Technologies (ICCNCT); Springer: Singapore, 2018.
- Truong, T.; Diep, Q.; Zelinka, I. Artificial Intelligence in the Cyber Domain: Offense and Defense. Symmetry 2020, 3, 410.
- Shaukat, K.; Luo, S.; Varadharajan, V.; Hameed, I.A.; Chen, S.; Liu, D.; Li, J. Performance Comparison and Current Challenges of Using Machine Learning Techniques in Cybersecurity. Energies 2020, 13, 2509.
- Sarker, I.; Abushark, Y.; Alsolami, F.; Khan, A. IntruDTree: A Machine Learning Based Cyber Security Intrusion Detection Model. Symmetry 2020, 5, 754.
- Krumay, B.; Bernroider, E.W.; Walser, R. Evaluation of Cybersecurity Management Controls and Metrics of Critical Infrastructures: A Literature Review Considering the NIST Cybersecurity Framework. In Proceedings of the 23rd Nordic Conference (NordSec 2018), Oslo, Norway, 28–30 November 2018; pp. 376–391.
- Andreolini, M.; Colacino, V.; Colajanni, M.; Marchetti, M. A Framework for the Evaluation of Trainee Performance in Cyber Range Exercises. Mob. Netw. Appl. 2020, 1, 236–247.
- Goode, J.; Levy, Y.; Hovav, A.; Smith, J. Expert assessment of organizational cybersecurity programs and development of vignettes to measure cybersecurity countermeasures awareness. Online J. Appl. Knowl. Manag. 2018, 1, 67–80.
- Ahmed, Y.; Naqvi, S.; Josephs, M. Cybersecurity Metrics for Enhanced Protection of Healthcare IT Systems. In Proceedings of the International Symposium on Medical Information and Communication Technology (ISMICT), Oslo, Norway, 8–10 May 2019.
- Hughes, J.; Cybenko, G. Quantitative Metrics and Risk Assessment: The Three Tenets Model of Cybersecurity. Technol. Innov. Manag. Rev. 2013, 8, 15–24.
- De Bruin, R.; Solms, V. Cybersecurity Governance: How can we measure it? In Proceedings of the IST Africa Conference, Durban, South Africa, 11–13 May 2016.
- Andreasson, A.; Fallen, N. External Cybersecurity Incident Reporting for Resilience. In Proceedings of the 17th International Conference of Perspectives in Business Informatics Research (BIR 2018), Stockholm, Sweden, 24–26 September 2018.
- Yang, L.; Lau, L.; Gan, H. Investors' perceptions of the cybersecurity risk management reporting framework. Int. J. Account. Inf. Manag. 2020, 1, 167–183.
- Piplai, A.; Mittal, S.; Joshi, A.; Finin, T.; Holt, J.; Zak, R. Creating Cybersecurity Knowledge Graphs From Malware After Action Reports. IEEE Access 2020, 8, 211691–211703.
- Dolnicar, S.; Grün, B.; Leisch, F. Quick, simple and reliable: Forced binary survey questions. Int. J. Mark. Res. 2011, 53, 233.
- Norman, K.; Pleskac, T. Conditional Branching in Computerized Self-Administered Questionnaires on the World Wide Web. Proc. Hum. Factors Ergon. Soc. Annu. Meet. 2002, 46, 1241–1245.
- National Cybersecurity Agency (NCSA). Prescribing Criteria and Types of Organizations with Tasks or Services as Critical Information Infrastructure Organizations and Assigning Control and Regulation B.E. 2564. 2021. Available online: https://drive.ncsa.or.th/s/akWsCmQ7Z9oDWAY (accessed on 6 June 2021).
- Kline, R.B. Principles and Practice of Structural Equation Modeling; The Guilford Press: New York, NY, USA, 2010.
- Hair, J.; Black, W.; Babin, B.; Anderson, R. Multivariate Data Analysis: A Global Perspective; Prentice Hall: Hoboken, NJ, USA, 2010.
- George, D.; Mallery, P. SPSS for Windows Step by Step: A Simple Guide and Reference, 11.0 Update, 4th ed.; Allyn & Bacon: Boston, MA, USA, 2003.
- McKinsey & Company. Organizational Cyber Maturity: A Survey of Industries. 2021. Available online: https://www.mckinsey.com/business-functions/risk-and-resilience/our-insights/organizational-cyber-maturity-a-survey-of-industries (accessed on 14 July 2022).
- Garcia Asuero, A.; Sayago, A.; González, G. The Correlation Coefficient: An Overview. Crit. Rev. Anal. Chem. 2006, 36, 41–59.
- Bahuguna, A.; Bisht, R.; Pande, J. Assessing cybersecurity maturity of organizations: An empirical investigation in the Indian context. Inf. Secur. J. Glob. Perspect. 2019, 28, 164–177.
- Agyeman, F.O.; Ma, Z.; Li, M.; Sampene, A.K. A Literature Review on Platform Business Model: The Impact of Technological Processes on Platform Business. EPRA Int. J. Econ. Bus. Manag. Stud. 2021, 8, 1–7.
- Rohn, D.; Bican, P.; Brem, A.; Kraus, S.; Clauß, T. Digital platform-based business models—An exploration of critical success factors. J. Eng. Technol. Manag. 2021, 60, 101625.
- Wu, J. Cluster Analysis and K-means Clustering: An Introduction. In Advances in K-Means Clustering; Springer: Berlin/Heidelberg, Germany, 2012.
- Alhija, M. Cyber security: Between challenges and prospects. CIC Express Lett. Part B Appl. Int. J. Res. Surv. 2020, 11, 1019–1028.
- Mohammed, I.A. Identity Management Capability Powered by Artificial Intelligence to Transform the Way User Access Privileges Are Managed, Monitored and Controlled. SSRN Electron. J. 2021, 9, 4719–4723.
- Pankti, D.; Thaier, H. Best Practices for Securing Financial Data and PII in Public Cloud. Int. J. Comput. Appl. 2021, 183, 1–6.
- Ministry of Digital Economy and Society. Computer-Related Crime Act B.E. 2550. 2007. Available online: https://www.mdes.go.th/law/detail/3618-COMPUTER-RELATED-CRIME-ACT-B-E--2550--2007- (accessed on 15 October 2022).
- J.P. Morgan. E-Commerce Payments Trends: Thailand. 2019. Available online: https://www.jpmorgan.com/merchant-services/insights/reports/thailand (accessed on 15 October 2022).
- Alotaibi, B.; Almagwashi, H. A Review of BYOD Security Challenges, Solutions and Policy Best Practices. In Proceedings of the 2018 1st International Conference on Computer Applications & Information Security (ICCAIS), Riyadh, Saudi Arabia, 4–6 April 2018; pp. 1–6.
- Koo, J.; Kang, G.; Kim, Y.-G. Security and Privacy in Big Data Life Cycle: A Survey and Open Challenges. Sustainability 2020, 12, 10571.
- Moulos, V.; Chatzikyriakos, G.; Kassouras, V.; Doulamis, A.; Doulamis, N.; Leventakis, G.; Florakis, T.; Varvarigou, T.; Mitsokapas, E.; Kioumourtzis, G.; et al. A Robust Information Life Cycle Management Framework for Securing and Governing Critical Infrastructure Systems. Inventions 2018, 3, 71.
- ISO/IEC 27001:2022; Information Security, Cybersecurity and Privacy Protection—Information Security Management Systems—Requirements. International Organization for Standardization: Geneva, Switzerland, 2022.
- Wermke, D.; Huaman, N.; Stransky, C.; Busch, N.; Acar, Y.G.; Fahl, S. Cloudy with a Chance of Misconceptions: Exploring Users' Perceptions and Expectations of Security and Privacy in Cloud Office Suites. In Proceedings of the Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020), Online, 7–11 August 2020.
- Alabdan, R. Phishing Attacks Survey: Types, Vectors, and Technical Approaches. Future Internet 2020, 12, 168.
- Ghazi-Tehrani, A.K.; Pontell, H.N. Phishing Evolves: Analyzing the Enduring Cybercrime. Vict. Offenders 2021, 16, 316–342.
- Lallie, H.; Shepherd, L.; Nurse, J.; Erola, A.; Epiphaniou, G.; Maple, C.; Bellekens, X. Cyber Security in the Age of COVID-19: A Timeline and Analysis of Cyber-Crime and Cyber-Attacks during the Pandemic. Comput. Secur. 2021, 105, 102248.
- Yassine, H.; Shahab, S.S.; Faycal, B.; Abbes, A.; Mamoun, A. Latest trends of security and privacy in recommender systems: A comprehensive review and future perspectives. Comput. Secur. 2022, 118, 102746.
- Jensen, M.L.; Wright, R.; Durcikova, A.; Karumbaiah, S. Building the Human Firewall: Combating Phishing through Collective Action of Individuals Using Leaderboards (1 July 2020). Available online: https://doi.org/10.2139/ssrn.3622322 (accessed on 27 October 2022).
- Edegbeme-Beláz, A.; Zsolt, S. The Human Firewall—The Human Side of Cybersecurity; Óbuda University: Budapest, Hungary, 2020.
- Brewer, R. Could SOAR save skills-short SOCs? Comput. Fraud. Secur. 2019, 2019, 8–11.
- Pham, H. Information security burnout: Identification of sources and mitigating factors from security demands and resources. J. Inf. Secur. Appl. 2019, 46, 96–107.
- Nobles, C. Stress, Burnout, and Security Fatigue in Cybersecurity: A Human Factors Problem. HOLISTICA J. Bus. Public Adm. 2022, 13, 49–72.
Method | Indicators and Questions | Point Scale | Performance Scale | Weight | Score Calculation | Source
---|---|---|---|---|---|---
Cybersecurity Capability Maturity Model (C2M2) | 10 domains, 43 objectives, 342 questions | Four-point scale | 0–3 | None | Highest maturity scale achieved represents the score (final maturity level) | [25]
Cybersecurity Poverty Index | 5 functions, 18 questions | Five-point scale | 1–5 | None | Summation and average | [26]
Global Cybersecurity Assurance Report Card | 11 IT components, 12 questions | Five-point scale | 0–100 | None | Adding the percentage of the top two responses of each question | [27]
Capability Assessment Framework for Information Security Governance in Organizations | 5 key areas, 21 objectives, 80 controls, 100 questions | 0–1 | 0–5 | Yes | Summation of weighted average points | [28]
ISP 10 × 10 M | 10 CSFs, 100 KPIs | Five-point scale | 1–6 | Yes | Summation of point-scale values multiplied by the weight of each indicator | [29]
Composite Cybersecurity Rating Scheme | 2 layers: 4 segments in L1, 5 controls in L2 | 5 × 5 matrix (1–25 points) | 1–5 | None | Summation of behavioral scoring (L1) and technical risk matrix (L2) | [30]
Security Effectiveness Framework | 6 metrics, 5 key resources, 13 objectives | Five-point scale | (−2.0)–2.0 | None | Summation and average | [31]
Cyber Resilience Review | 10 domains, 42 goals, 299 questions | Three-response type (Y, N, Incomplete) | 0–5 | None | A maturity level is achieved when all goals in that level are achieved | [32]
Dimension | Control | Cluster
---|---|---
Governance | 1. Cybersecurity Objective | Policy and Procedure
Governance | 2. Information Security Policy/Cybersecurity Policy | Policy and Procedure
Governance | 3. Cybersecurity Roles and Responsibilities | Policy and Procedure
Governance | 4. Legal and Regulatory Requirements regarding Cybersecurity | Legal
Governance | 5. Supplier Management | Third Party Management
Governance | 6. External Parties Personnel Management | Third Party Management
Governance | 7. External Parties Services and Delivery | Third Party Management
Asset management | 8. Inventory of Asset | Asset management
Asset management | 9. Asset Categorization | Asset management
Asset management | 10. Vulnerabilities of Asset | Asset management
Asset management | 11. Use of Asset | Asset management
Asset management | 12. Mobile Devices and BYOD | Mobile and BYOD management
Risk management | 13. Establishing the Context and Risk Process | Risk management
Risk management | 14. Risk Assessment | Risk management
Risk management | 15. Risk Treatment | Risk management
End User management | 16. Position Risk Designation | Human resource management
End User management | 17. Prior to Employment | Human resource management
End User management | 18. During Employment | Human resource management
End User management | 19. Termination and Change of Employment | Human resource management
Access control | 20. Access Right Management | Access management
Access control | 21. Audit Trails linked to Individual Users | Access management
Access control | 22. Authentication for Transaction | Access management
Access control | 23. Physical Access | Physical access management
Access control | 24. Remote Access | Remote management
Access control | 25. Remote Maintenance Control | Remote management
Access control | 26. Credential Management | Privilege management
Data security | 27. Data-at-Rest | Data management
Data security | 28. Data-in-Transit | Data management
Data security | 29. Integrity Checking Mechanisms | Data management
Data security | 30. Data Disposal | Data management
Data security | 31. Data Leaks Protection | Encryption management
Network security | 32. Network Communication Diagram | Network security management
Network security | 33. Network Control | Network security management
Network security | 34. Network Segregation | Network security management
Network security | 35. Baseline of Network Traffic | Network security management
Secure System Installation | 36. Initialization | Baseline security
Secure System Installation | 37. Anti-virus Program | Anti-virus management
Application Security | 38. Development Environment | Application security management
Application Security | 39. Security of Software Development Process | Application security management
Application Security | 40. Change Control Process | Change management
Cloud security | 41. Cloud Service Management | Cloud service management
Operation | 42. Logging and Log Review | Log management
Operation | 43. Analysis of Event | Log management
Operation | 44. Event Aggregation | Log management
Operation | 45. Capacity Management | Capacity management
Operation | 46. Cybersecurity Events Detection | Vulnerability management
Operation | 47. Physical Security Detection | Vulnerability management
Operation | 48. Personnel Suspicious Activity Detection | Vulnerability management
Operation | 49. Malicious File Detection | Vulnerability management
Operation | 50. Unauthorized Mobile Code Detection | Vulnerability management
Operation | 51. Detection of Cybersecurity Event from External Service Provider | Vulnerability management
Operation | 52. Unauthorized Access Detection | Vulnerability management
Operation | 53. Vulnerability Scanning | Vulnerability management
Operation | 54. Roles and Responsibilities for Detection | Vulnerability management
Operation | 55. Compliance of Detection Activities | Vulnerability management
Operation | 56. Continual Improvement of Detection Processes | Vulnerability management
Operation | 57. Sharing of Protection Technology Effectiveness Information | Vulnerability management
Response and Recovery | 58. Business Impact Analysis | Business continuity planning
Response and Recovery | 59. Recovery Communication | Business continuity planning
Response and Recovery | 60. Redundancies | Backup management
Response and Recovery | 61. Information Backup | Backup management
Response and Recovery | 62. Assessment of Event Impact | Incident management
Response and Recovery | 63. Incident Alert Thresholds | Incident management
Response and Recovery | 64. Communication of Event | Incident management
Response and Recovery | 65. Incident Response | Incident management
Response and Recovery | 66. Incident Response Communication | Incident management
Response and Recovery | 67. Incident Response Analysis | Incident management
Response and Recovery | 68. Incident Response Mitigation | Incident management
Response and Recovery | 69. Incident Response Recovery | Incident management
Response and Recovery | 70. Incident Response Improvement | Incident management
Candidate Enabler | Mandate | Support | Influence | Priority Weight | Priority Weight (%) | Ranking |
---|---|---|---|---|---|---|
Weight | 0.283 | 0.643 | 0.074 | |||
Automation | 0.034 | 0.109 | 0.005 | 0.148 | 14.81 | 2 |
Awareness | 0.007 | 0.033 | 0.005 | 0.044 | 4.41 | |
Culture | 0.007 | 0.033 | 0.005 | 0.044 | 4.41 | |
DR | 0.007 | 0.055 | 0.005 | 0.066 | 6.59 | |
Experience | 0.007 | 0.055 | 0.005 | 0.066 | 6.59 | |
Measurement | 0.048 | 0.055 | 0.011 | 0.113 | 11.34 | 5 |
Org Structure with Role & Responsibility (R&R) | 0.048 | 0.076 | 0.015 | 0.140 | 13.97 | 3 |
Reporting | 0.048 | 0.076 | 0.011 | 0.135 | 13.52 | 4 |
Skill & Competency | 0.007 | 0.076 | 0.005 | 0.088 | 8.77 | |
Policies & Procedures | 0.069 | 0.076 | 0.011 | 0.156 | 15.59 | 1 |
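The derived columns of the candidate-enabler table (Priority Weight, Priority Weight (%), Ranking) can be recomputed from the three criterion columns. The following Python is an added worked example, not code from the paper: it assumes, as the row sums of the table suggest, that each cell is already the criterion weight multiplied by the enabler's local priority (the AHP synthesis step), that Priority Weight is the sum of the three cells, that the percentage is that sum normalised over all candidates, and that Ranking orders candidates by Priority Weight. It also adds two sanity checks an analyst would run on such a table: the criterion weights must sum to 1, and each criterion column should sum back to its weight. The input values are copied from the table; differences of up to about 0.001 against the printed Priority Weight column come from the three-decimal rounding of the inputs.

```python
"""Added worked example (not from the paper): recompute the derived columns of the
candidate-enabler priority table and run two AHP consistency checks.

Assumptions (inferred from the table, not stated on the page as a formula):
  * each Mandate / Support / Influence cell = criterion weight x local priority,
  * Priority Weight      = Mandate + Support + Influence,
  * Priority Weight (%)  = Priority Weight / sum over all candidates * 100,
  * Ranking orders candidates by Priority Weight, highest first.
"""
from __future__ import annotations

from dataclasses import dataclass

# Criterion weights from the table's "Weight" row.
CRITERION_WEIGHTS = {"mandate": 0.283, "support": 0.643, "influence": 0.074}

# Weighted contributions per candidate enabler (Mandate, Support, Influence),
# copied from the table.
CANDIDATES = {
    "Automation":             (0.034, 0.109, 0.005),
    "Awareness":              (0.007, 0.033, 0.005),
    "Culture":                (0.007, 0.033, 0.005),
    "DR":                     (0.007, 0.055, 0.005),
    "Experience":             (0.007, 0.055, 0.005),
    "Measurement":            (0.048, 0.055, 0.011),
    "Org Structure with R&R": (0.048, 0.076, 0.015),
    "Reporting":              (0.048, 0.076, 0.011),
    "Skill & Competency":     (0.007, 0.076, 0.005),
    "Policies & Procedures":  (0.069, 0.076, 0.011),
}


@dataclass
class Priority:
    name: str
    weight: float   # Priority Weight (rounded to 3 decimals like the table)
    percent: float  # Priority Weight (%)
    rank: int       # 1 = highest priority; ties share a rank


def check_criterion_weights(weights=CRITERION_WEIGHTS, tol=0.002) -> bool:
    """AHP criterion weights form a distribution, so they must sum to 1."""
    return abs(sum(weights.values()) - 1.0) <= tol


def synthesize(candidates=CANDIDATES) -> list[Priority]:
    """Sum the weighted contributions, normalise to percent and rank."""
    totals = {name: sum(parts) for name, parts in candidates.items()}
    grand = sum(totals.values())
    ordered = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    result: list[Priority] = []
    rank, prev = 0, None
    for position, (name, w) in enumerate(ordered, start=1):
        # Competition ranking: equal weights share the rank of the first of them.
        if prev is None or abs(w - prev) > 1e-9:
            rank = position
        prev = w
        result.append(Priority(name, round(w, 3), round(w / grand * 100, 2), rank))
    return result


def top_enablers(n=5, candidates=CANDIDATES) -> list[str]:
    """Names of the n highest-priority candidates (the table ranks its top five)."""
    return [p.name for p in synthesize(candidates)[:n]]


def column_consistency(candidates=CANDIDATES, weights=CRITERION_WEIGHTS) -> dict:
    """Each criterion column should sum back to its criterion weight.

    Returns the absolute gap per criterion; a gap well beyond rounding error
    (roughly 0.005 for ten three-decimal cells) points to a mis-typed cell.
    """
    gaps = {}
    for idx, crit in enumerate(("mandate", "support", "influence")):
        column_sum = sum(parts[idx] for parts in candidates.values())
        gaps[crit] = round(abs(column_sum - weights[crit]), 3)
    return gaps


if __name__ == "__main__":
    print("criterion weights sum to 1:", check_criterion_weights())
    print("column gaps:", column_consistency())
    for p in synthesize():
        print(f"{p.rank:>2}  {p.name:<24} {p.weight:.3f}  {p.percent:6.2f}%")
```

Running the block reproduces the table's top five in the same order (Policies & Procedures, Automation, Org Structure with R&R, Reporting, Measurement); the unranked rows fall out as ties (DR with Experience, Awareness with Culture), which is why the table leaves their Ranking cells blank.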
Control Enabler | Descriptions | References |
---|---|---|
Organization Direction and Process (OP) | Organization Direction and Process refers to how organizations document, mandate, and communicate their cybersecurity direction in the form of policies or procedures. | [52,53,54,55,56,57,58,59,60] |
Organization Structure (OS) | Organization Structure refers to how organizations clearly define roles and responsibilities for cybersecurity controls or tasks and assign resources accordingly. | [52,54,61,62,63,64,65] |
Automation (AT) | Automation refers to the degree to which security controls are performed automatically to ensure that the controls are continuously operated and updated with minimum human intervention. | [54,66,67,68,69,70,71] |
Performance Evaluation (PE) | Performance Evaluation refers to how an organization defines metrics for security control outcomes, performs measurements to validate the outcome, and takes corrective or improvement actions as necessary. | [18,54,72,73,74,75,76,77] |
Reporting (RP) | Reporting refers to how the output or key information produced from security controls is reported to the intended audience. | [54,77,78,79,80] |
Control Enabler | Tier 0: Not Performed | Tier 1: Performed Informally | Tier 2: Planned and Tracked | Tier 3: Well Defined | Tier 4: Proactively Controlled | Tier 5: Continuously Improving
---|---|---|---|---|---|---
Organization Direction and Process (OP) | No policy or internal process | Policy and process defined, but not documented | Policy and process defined and published | Policy and process communicated to stakeholders | Policy and process implemented consistently | Policy and process continuously reviewed and improved
Organization Structure (OS) | No one taking care of the control | Someone may take care of the control, but no role and responsibility defined | Clear role and responsibility defined, but no dedicated role for security | Clear role and responsibility defined, with a dedicated role for security | Role and responsibility reviewed and updated at least annually | Role and responsibility reviewed and updated on an ongoing basis
Automation Tool (AT) | No tool to support the control | Control is performed manually | Semi-automated (mixed human and tool operation) | Highly automated, with human intervention only at some points | Fully automated (little to no human intervention) | Automation tool is monitored and continuously updated
Performance Evaluation (PE) | No measurement or metric | Ad hoc measurement (no metric defined) | Metric defined and measurement performed for critical policies or processes | Metric defined and measurement performed for all policies and processes | Metric reviewed and updated at least annually; measurement performed regularly | Metric reviewed and updated regularly; measurement performed continuously
Reporting (RP) | No reporting | Ad hoc reporting, not documented | Periodic reporting, partially documented | Routine reporting, fully documented | Routine reporting, fully documented and sent to the concerned individual or entity | Reporting requirements established, regularly reviewed and updated
Grade | Score | Description | Inherent Risk and Required Actions |
---|---|---|---|
A | 81–100 | Very Good cyber rating | Very low risk, improvement is optional. |
B | 71–80 | Good cyber rating | Low risk, improvement would be beneficial. |
C | 61–70 | Moderate cyber rating | Medium risk, needs to plan for improvement. |
D | 51–60 | Weak cyber rating | High risk, needs improvement as soon as possible. |
F | 0–50 | Very weak cyber rating | Extreme risk, needs immediate improvement. |
Term | Coefficient | Std Err | LCL | UCL | T Stat | p-Value |
---|---|---|---|---|---|---|
Intercept | 13.432 | 8.916 | −5.228 | 32.093 | 1.507 | 0.148 |
OP | 7.990 | 3.411 | 0.851 | 15.129 | 2.343 | 0.030 |
OS | 1.656 | 2.575 | −3.733 | 7.045 | 0.643 | 0.528 |
AT | 3.041 | 2.565 | −2.327 | 8.410 | 1.186 | 0.250 |
PE | 3.085 | 2.481 | −2.107 | 8.277 | 1.244 | 0.229 |
RP | 2.695 | 2.648 | −2.848 | 8.238 | 1.018 | 0.322 |
Dimension | Mean | SD | t-Score | p (2-Tailed) |
---|---|---|---|---|
Governance | 57.371 | 6.676 | −0.544 | 0.590 |
Asset Management | 55.200 | 4.889 | −1.186 | 0.244 |
Risk Management | 73.086 | 6.951 | 1.739 | 0.091 |
End User Management | 57.000 | 5.592 | −0.715 | 0.479 |
Access Control | 64.000 | 5.821 | 0.515 | 0.610 |
Data Security | 45.029 | 6.130 | −2.605 | 0.014 ** |
Network Security | 69.429 | 5.929 | 1.421 | 0.164 |
Secure System Installation | 77.857 | 4.681 | 3.601 | 0.001 * |
Application Security | 62.171 | 6.245 | 0.188 | 0.852 |
Cloud Security | 38.429 | 7.342 | −3.074 | 0.004 ** |
Operation Security | 63.914 | 6.085 | 0.479 | 0.635 |
Respond and Recovery | 71.914 | 5.088 | 2.145 | 0.039 * |
Dimension | D1 | D2 | D3 | D4 | D5 | D6 | D7 | D8 | D9 | D10 | D11 | D12 |
---|---|---|---|---|---|---|---|---|---|---|---|---|
D1 Governance | 1.000 | 0.596 | 0.483 | 0.392 | 0.730 | 0.547 | 0.721 | 0.488 | 0.736 | 0.345 | 0.654 | 0.733 |
D2 Asset Management | 0.596 | 1.000 | 0.344 | 0.540 | 0.500 | 0.418 | 0.487 | 0.283 | 0.413 | 0.280 | 0.352 | 0.517 |
D3 Risk Management | 0.483 | 0.344 | 1.000 | 0.478 | 0.523 | 0.442 | 0.323 | 0.239 | 0.534 | 0.382 | 0.519 | 0.455 |
D4 End User Management | 0.392 | 0.540 | 0.478 | 1.000 | 0.592 | 0.535 | 0.348 | 0.332 | 0.455 | 0.475 | 0.413 | 0.427 |
D5 Access Control | 0.730 | 0.500 | 0.523 | 0.592 | 1.000 | 0.826 | 0.717 | 0.495 | 0.826 | 0.596 | 0.728 | 0.722 |
D6 Data Security | 0.547 | 0.418 | 0.442 | 0.535 | 0.826 | 1.000 | 0.587 | 0.508 | 0.757 | 0.684 | 0.641 | 0.598 |
D7 Network Security | 0.721 | 0.487 | 0.323 | 0.348 | 0.717 | 0.587 | 1.000 | 0.580 | 0.706 | 0.331 | 0.646 | 0.800 |
D8 Secure System Installation | 0.488 | 0.283 | 0.239 | 0.332 | 0.495 | 0.508 | 0.580 | 1.000 | 0.681 | 0.345 | 0.673 | 0.597 |
D9 Application Security | 0.736 | 0.413 | 0.534 | 0.455 | 0.826 | 0.757 | 0.706 | 0.681 | 1.000 | 0.653 | 0.832 | 0.809 |
D10 Cloud Security | 0.345 | 0.280 | 0.382 | 0.475 | 0.596 | 0.684 | 0.331 | 0.345 | 0.653 | 1.000 | 0.444 | 0.433 |
D11 Operation Security | 0.654 | 0.352 | 0.519 | 0.413 | 0.728 | 0.641 | 0.646 | 0.673 | 0.832 | 0.444 | 1.000 | 0.773 |
D12 Respond and Recovery | 0.733 | 0.517 | 0.455 | 0.427 | 0.722 | 0.598 | 0.800 | 0.597 | 0.809 | 0.433 | 0.773 | 1.000 |
Cluster | 1 | 2 | 3 |
---|---|---|---|
Number of objects by cluster | 6 | 4 | 2 |
Sum of weights | 6 | 4 | 2 |
Within-cluster variance | 12,272.067 | 28,362.500 | 18,581.500 |
Minimum distance to centroid | 85.522 | 125.482 | 96.389 |
Average distance to centroid | 100.265 | 144.974 | 96.389 |
Maximum distance to centroid | 124.121 | 165.534 | 96.389 |
Dimensions in cluster | D1 Governance | D2 Asset Management | D6 Data Security |
| D5 Access Control | D3 Risk Management | D10 Cloud Security |
| D7 Network Security | D4 End User Management | |
| D9 Application Security | D8 Secure System Install | |
| D11 Operation Security | | |
| D12 Respond and Recovery | | |
| Research AVG | I-R | H-R |
---|---|---|---|
L-R | 55.94% | 174.07% | 197.53% |
Research AVG | - | 20.76% | 31.09% |
Group | Beginner | Intermediate | Advanced | Leader |
---|---|---|---|---|
Capability Tier | 0–2 | 2–3 | 3–4 | 4+ |
Enabler Score | 0–1.9 | 2–2.9 | 3–3.9 | 4+ |
Org CTI Score | ≤50 | 51–70 | 71–80 | 81–93 |
Grade | F | D–C | B | A |
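As an added worked example (not code from the paper or its authors), the fitted intercept and coefficients from the regression table are applied to a constructed organization's Control Enabler scores, and the result is mapped to the grade bands of the grade table and the group bands of the table above. It assumes that the regression predictors are the five enablers' average capability tiers on the 0–5 scale of the capability table, that the response is the organization CTI score, and that a fractional prediction is rounded to the nearest integer before grading (the table gives integer bands); the enabler values in the example are constructed, not taken from the study's dataset.

```python
"""Applying the CTI regression model and rating bands to enabler scores.

Added worked example; not code from the paper. The intercept, coefficients,
confidence limits and p-values are copied from the regression table, the
grade bands from the grade table and the group bands from the group table.
Assumption: each predictor is an organization's average capability tier for
that Control Enabler on the 0-5 scale, and the response is the CTI score.
"""

# Fitted model: (coefficient, LCL, UCL, p-value) per Control Enabler.
INTERCEPT = 13.432
COEFFICIENTS = {
    "OP": (7.990, 0.851, 15.129, 0.030),   # Organization Direction and Process
    "OS": (1.656, -3.733, 7.045, 0.528),   # Organization Structure
    "AT": (3.041, -2.327, 8.410, 0.250),   # Automation
    "PE": (3.085, -2.107, 8.277, 0.229),   # Performance Evaluation
    "RP": (2.695, -2.848, 8.238, 0.322),   # Reporting
}

# Grade bands: (lowest score in the band, grade), highest band first.
GRADE_BANDS = [(81, "A"), (71, "B"), (61, "C"), (51, "D"), (0, "F")]

# Group bands on the average enabler score: (upper bound exclusive, group).
GROUP_BANDS = [(2.0, "Beginner"), (3.0, "Intermediate"), (4.0, "Advanced")]


def validate(enabler_scores):
    """Reject unknown enablers, missing enablers and out-of-range tiers."""
    unknown = set(enabler_scores) - set(COEFFICIENTS)
    missing = set(COEFFICIENTS) - set(enabler_scores)
    if unknown or missing:
        raise ValueError(f"unknown={sorted(unknown)} missing={sorted(missing)}")
    for name, tier in enabler_scores.items():
        if not 0.0 <= tier <= 5.0:
            raise ValueError(f"{name}: tier {tier} outside the 0-5 scale")


def contributions(enabler_scores):
    """Score points each enabler adds under the fitted model."""
    validate(enabler_scores)
    return {name: COEFFICIENTS[name][0] * enabler_scores[name]
            for name in COEFFICIENTS}


def predict_cti(enabler_scores):
    """Point estimate of the organization CTI score (may exceed 100)."""
    return INTERCEPT + sum(contributions(enabler_scores).values())


def cti_grade(score):
    """Map a score to the A-F grade, rounded to an integer and clamped to
    0-100 (assumption: the grade table defines integer bands)."""
    banded = max(0, min(100, int(round(score))))
    for lowest, grade in GRADE_BANDS:
        if banded >= lowest:
            return grade
    return "F"


def enabler_group(enabler_scores):
    """Beginner/Intermediate/Advanced/Leader from the average enabler score."""
    validate(enabler_scores)
    average = sum(enabler_scores.values()) / len(enabler_scores)
    for upper, group in GROUP_BANDS:
        if average < upper:
            return group
    return "Leader"


def significant_enablers(alpha=0.05):
    """Enablers whose coefficient is significant at the given level."""
    return [name for name, (_, _, _, p) in COEFFICIENTS.items() if p < alpha]


def op_tier_for_target(enabler_scores, target_score):
    """Lowest OP tier that reaches target_score with the other tiers fixed,
    or None when it would need a tier above 5."""
    validate(enabler_scores)
    others = sum(COEFFICIENTS[n][0] * enabler_scores[n]
                 for n in COEFFICIENTS if n != "OP")
    needed = (target_score - INTERCEPT - others) / COEFFICIENTS["OP"][0]
    if needed > 5.0:
        return None
    return max(0.0, needed)


if __name__ == "__main__":
    # Constructed example organization (not from the paper's dataset).
    org = {"OP": 2, "OS": 3, "AT": 2, "PE": 2, "RP": 3}
    score = predict_cti(org)
    print(f"predicted CTI {score:.1f} -> grade {cti_grade(score)}, "
          f"group {enabler_group(org)}")
    print("significant at 5%:", significant_enablers())
    print("OP tier needed for grade B:", op_tier_for_target(org, 71))
```

The model reproduces the group table's bands: all enablers at tier 2 predict about 50 (grade F/D boundary) and all at tier 4 predict about 87 (grade A). Only OP is significant at the 5% level, so `op_tier_for_target` asks the question a practitioner would: with the other enablers unchanged, how far must policies and procedures mature to reach the next grade. Confidence limits are kept with the coefficients but not combined into a prediction interval, since that would require the coefficient covariances, which the table does not give.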
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Malaivongs, S.; Kiattisin, S.; Chatjuthamard, P. Cyber Trust Index: A Framework for Rating and Improving Cybersecurity Performance. Appl. Sci. 2022, 12, 11174. https://doi.org/10.3390/app122111174