1. Introduction
Information and communication technologies (ICTs) have formidable strength to advance the lives of several individuals [1, 2, 3] and promote economic development [4, 5]. ICTs generate opportunities for several individuals, firms, and nations around the world [6, 7, 8, 9]. However, with the advent of assorted technology for useful software programs and, in general, “humanitarian” technology, there is a high demand for instruments to recognize the kinds of methods that are very efficient in determining effect and sustained viability.
Some security details, such as susceptibility evaluation of current and recently added devices and actual warning and reduction of security threats, are not tackled, making those solutions incapable of dealing with advanced cybersecurity threats. This can lead to a great loss of income and repute of an organization; for example, small and medium-sized enterprises (SMEs), whose diverse and perhaps extensive substructure is practically unfeasible to maintain and manage, making them susceptible to cyberattacks. While cybersecurity methods and actions increase, social engineering assaults are becoming more predominant by taking advantage of human susceptibilities, which are difficult to identify and alleviate in a mechanized manner.
As in other countries, Greece has seen a growing number of cyberattacks, which have made the implementation of the national cybersecurity program a top priority. Until 2016, Greece had not developed a national cybersecurity strategy [10]. The Greek government has created the National Cyber Security Authority (NCSA) to safeguard the digital transformation of the country from growing cyber threats and implement a national cybersecurity strategy. This strategy defines the objectives, priorities, policy, and regulatory measures needed to secure the public and private sectors and critical infrastructures [11]. The existing national cybersecurity strategy focuses on risk management, emerging technologies, and security requirements, and it highlights the need for collaboration between the public and private sectors [12].
As technology evolves, businesses face new opportunities and threats in managing their data and other forms of intellectual property. Chief information officers attempt to find technological answers to this problem [13, 14, 15, 16, 17]. Therefore, IT managers have come to recognize the significance of information security as a factor that contributes to the long-term viability of business operations. The definition of information security policy rules and strategies is used in the execution of security-related initiatives. In addition, it is a condensed document that identifies the program’s aims, information security measures, and risk parameters [18]. The complexity of emerging technologies, external and internal threats, and compliance regulations are just a few of the many factors that impact the development and implementation of an effective information security policy [19].
The goal of information security, according to Hong et al. (2006) [20], is to safeguard individuals’ private information and businesses’ valuable assets during the design, development, and implementation of associated hardware, software, and data systems. One of the primary goals of an information security strategy is to ensure that security measures are consistent with overall business objectives. Its lifecycle consists of several interrelated but distinct stages, including but not limited to business risk analysis, planning, design, development, deployment, operation, assessment, and enhancement [17]. Accordingly, addressing issues with information security is not just a technical problem; it also involves a wide range of managerial and behavioral considerations. Managers frequently ignore these concerns [17, 21].
These factors explain the reasons that country entities across the world have begun to formulate and implement cybersecurity strategies and recognize the safeguarding of cyberspace as a fundamental international issue [2]. The National Cybersecurity Strategy can be considered a tool for governments to improve online security and integrity, ensure the openness and resilience of critical infrastructure, and protect the privacy of exchanged digital information. Furthermore, it determines the basic rules of an open society, constitutional freedoms, and legislative rights [9]. All participating actors, such as public authorities, stakeholders from the private sector, or individual citizens, have to consider the increasing importance of this issue, be responsible for protecting themselves, and, if necessary, ensure a well-organized response to increase the rate of cybersecurity. Member States develop national Network and Information Security (NIS) collaboration plans in order to be activated in the case of cyber threats. These plans clearly determine their roles and responsibilities and optimize response actions [13].
The aim of this study is to provide a model based on the ITU cybersecurity decisions, with the goal of developing a roadmap for the successful development and implementation of the National Cybersecurity Strategy in Greece.
The structure of this article is as follows: A theoretical framework in terms of information security management and strategic planning and the cybersecurity strategy is described in Section 2. In Section 4, the suggested framework is presented. Section 6 presents conclusions, implications, limitations, and suggestions for further research.
3. Cybersecurity Strategy in Greece
The European Union’s 2013 Cybersecurity Strategy [33] is regarded as its primary strategic document in the area of cybersecurity. Particularly in the European Union, the development and dissemination of national cybersecurity strategies have been clearly seen, and this process has accelerated since 2011. However, many nations still lack such strategies (in some of these countries, the strategies are being developed). Differences at the national level are always a possibility when it comes to national cybersecurity strategies; as a result, the strategies themselves and their substance may differ; nonetheless, common strategy components can be analyzed. The setting for the strategy’s implementation is tied to the rise in both purposeful and unintentional cybersecurity incidents, and it has been identified that cybercrime has a negative impact on the EU economy [33].
Since the Greek government intends to boost economic growth as well as the networks and services that are provided in digital markets, both in the public and private sectors, it is necessary for Greece to develop and implement a national cybersecurity strategy. On the other hand, Greece only recently started to work on making a strategy for cybersecurity. The National Cybersecurity Strategy comprises these four fundamental tenets. The first one talks about building a strong and safe cyberspace that follows the rules, standards, and best practices that have been set at the national, EU, and international levels. Therefore, values such as freedom, justice, and openness will be protected in cyberspace, and both public and private stakeholders, as well as citizens, will be able to participate and interact safely. The second principle talks about making sure that the capabilities needed to protect against threats are always getting better and making sure that critical infrastructure is built so that it can be protected. Institutional shielding is a part of the third principle of the national cybersecurity framework. This is part of an effort to make cyberattacks less harmful. The fourth and final principle of the National Cybersecurity Strategy [32] calls for the development of a security culture among citizens and stakeholders in the public and private sectors. This is a very important part of the strategy. However, significant components such as milestones or performance measures are not incorporated in the National Cybersecurity Strategy. Because of this, it is hard for stakeholders to keep track of the cybersecurity strategic plan to make sure that the goals and objectives are met. Benchmarks should be established in the National Cybersecurity Strategy for achieving concrete outcomes, and they should be affiliated with transparency and implementation along with performance indicators to support in deciding whether progress is being achieved. None of the people involved have a full understanding of the costs and resources, including how to justify the investment that will be needed, which is important for support [32].
The government stresses how important it is to have a clearly defined oversight process so that agencies that are in charge of making effective cybersecurity measures can do so. This is because there are many ongoing cybersecurity problem programs aimed at information security [39]. In addition, the National Cybersecurity Strategy does not make a reference to the implementation of risk assessment analysis at the national level. Hazard analysis research is a fundamental and technological process that is based on the recognition, assessment, and evaluation of the impact of risk, and it contributes to the creation of a plan for the protection of vital infrastructure, networks, or platforms according to the sector and/or the stakeholder. The process ought to incorporate all possible dangers and harmful activities in accordance with cyberattacks, in addition to the risks that are linked with natural occurrences, harmful technological malfunctions or breakdowns, and human error. The interdependency of the information systems of the stakeholders who participate in the National Cybersecurity Strategy is the root cause of these threats; consequently, stakeholders ought to conduct additional research into the breadth and depth of the repercussions at the national level [32].
In order to address these challenges, government agencies are tasked with developing and putting into action risk-based federal and critical infrastructure programs. These programs will assist the agencies in identifying and mitigating threats posed by the online environment, as well as responding to and mitigating those threats. Other significant steps that governments can take include raising public awareness about the importance of maintaining a secure presence online, encouraging education and workforce planning, and stepping up their research and development efforts (R&D). Due to the challenges that are currently being faced by federal agencies, it will be difficult to achieve the primary goal of providing support for targeted cyber R&D. In addition, government agencies have the ability to delegate roles and responsibilities associated with international facets of cybersecurity, as well as the ability to collaborate with one another on an international level in order to address challenges associated with international cybersecurity [39, 40].
In particular, the knowledge regarding cyber threats could be improved if citizens were informed about cyberattacks and malicious activities in relation to cybersecurity and the social impact of these activities. As a result, educational campaigns aimed at stakeholders from the public and private sectors, as well as citizens who are taking part in the development of the National Cybersecurity Strategy, might be useful. These campaigns have the potential to increase the level of protection against malicious actions, and they also have the potential to increase the level of cybersecurity in Greece [32].
4. Suggested Framework for National Cybersecurity Strategy
In order to accomplish the objectives of the National Strategy, the first phase involves the formulation and execution of a National Strategy as well as an examination of the existing institutional structure. The second phase of the National Strategy should focus on defining the legislation, roles, and competencies of the various stakeholders involved in cybersecurity issues such as the processing of personal data, electronic communications, the waiving of confidentiality of communications, and the availability and integrity of networks. Additionally, the regulatory acts that are specialized for each industry as well as their influence to date on the support of cybersecurity should be specified in the National Strategy document. In addition, the National Cybersecurity Strategy needs to define the structures, stakeholders, and services of the public or private sector that have a role in the operational protection of cybersecurity. Additionally, current emergency plans should be developed in addition to EU and other international directives and regulations in accordance with network and information security as well as the security of critical infrastructure. In the final phase of the framework, the effectiveness of the current institutional framework is evaluated in order to describe overlaps and points that require improvement and more efficient coordination. This is performed in order to define the points at which more effective coordination is needed [32].
In order to ascertain the frameworks and indices for minimizing cyber risks based on important information and communication systems, it is necessary to construct a National Cyberspace Contingency Plan. Participants include those who have an interest in restoring the services they provide to society as part of the National Cybersecurity Strategy [32].
These features and components should be incorporated into the national strategy so that it can better serve as a guide for resource and government bodies, hold those responsible for its creation to account, and have the greatest possible impact on the national level [39]. It is crucial that the authorities in charge of each country’s NIS work together to develop a plan for coordinating prevention, detection, mitigation, and response activities.
Problems arising from worldwide interconnected networks affect individuals, businesses, and authorities. In order to secure network equipment and reduce occurrences, national-level coordination of prevention, response, and recovery efforts is required. Through coordination, government agencies, corporate sector actors, academic institutions, and regional and international organizations will be better able to identify risks and implement solutions. Funding, human resources, technological capabilities, training, collaboration between the public and private sectors, and regulatory requirements are all required for effective incident management [29, 40]. Because of the lack of a legal structure [41], Greece finds it difficult to share its cybersecurity assets across borders or with other Member States. Actions that must be taken include the construction of organizational structures at the national and regional levels; the promotion of communications; information dissemination; and the acknowledgment of digital credentials across different countries. However, further activities are needed at the global level, and international cooperation is needed among these many entities [29].
Information exchange between corporate and public sector participants in the National Cybersecurity Strategy and the National Cyber Security Authority is necessary for the successful execution of the National Cybersecurity Strategy, as described above. The private sector can benefit from the open sharing of data about the information and communication systems they manage, the security policies they have developed, and the cyber dangers and security attacks they face. The same can be said for the public sector; information sharing among actors may jeopardize security. This data is essential for determining the severity of incidents related to the state of cybersecurity in the country [32, 40]. To reduce events and difficulties related to cyberspace security, businesses and public stakeholders are working together to share knowledge and experience, with the goal of jointly developing appropriate steps to address the problem [31, 40].
The proposed framework can be thought of as a fluid model because it incorporates the human, legal, technological, and international relations peculiar to a given country, as well as important principles that might impact the cybersecurity operations of that country. Because stakeholders may learn about the context in which cybersecurity is operating and the tools at their disposal, this framework can be seen as a preventative model that aids national strategists in developing policies and launching initiatives to raise cybersecurity standards.
According to this plan, the federal government will implement significant upgrades to better deal with cybersecurity threats. Agencies with a greater focus on cybersecurity design and implement risk-based programs, reduce and mitigate events, increase research and development activities, promote education and awareness, and plan for and recruit a skilled workforce. Based on the strategy and previous recommendations, agencies must make a plan to deal with the most important cybersecurity issues. The roadmap should incorporate key elements of the National Cybersecurity Strategy, such as annual evaluations of management, operational, and technical controls; and periodic controls and assessments of the effectiveness of information security policies, practices, and procedures to be implemented based on risk. Additionally, other suggested steps for inclusion in the roadmap creation process are to keep and grow the Member States’ scientific, engineering, and market leadership in IT. It is also important to raise public understanding of the cybersecurity risks they face. Supporting organizations and individuals to implement effective actions as they manage risk [39] and training the workforce to secure the country’s competitive advantage are two other steps that should be taken into consideration when designing the roadmap.
Lastly, to reach the goal of working with other countries to build an open, interoperable, secure, and reliable information and communications infrastructure [39], it is the job of each government to create and maintain an environment in which laws of responsible behavior guide the actions of nations, keep collaborations going, and support the rule of law in cyberspace.
The framework that has been suggested is based on the institutional framework that already exists, as well as the goals and difficulties outlined in the National Cybersecurity Strategy. It includes the elements that are lacking in the National Cybersecurity Strategy as well as the entities that are involved in the process of developing the National Cybersecurity Strategy. It also involves the desirable qualities of the National Cybersecurity Strategy.
Figure 1 provides a presentation of the framework.
5. Discussion
As a result of globalization, it is essential that cyberspace be safeguarded not only on a national level but also between and across nations. To make sure cybersecurity policies are followed and to lessen or stop the negative effects of possible cyberattacks, agencies in these cultures must create an environment that makes it easy to come up with national strategies and international agreements with other countries [29, 31, 42].
5.1. Theoretical and Practical Contribution
This paper contributes by providing a model based on the ITU cybersecurity decisions, with the goal of developing a roadmap for the successful development and implementation of the National Cybersecurity Strategy in Greece. This article’s main contribution is the creation of a cybersecurity framework. This cybersecurity framework has the potential to pave the way for the creation of a globally applicable and systemic cybersecurity strategy. The development of such a plan will boost a country’s capabilities in the areas of cybersecurity, information technology, and innovation. Concurrently, it can help legislators and policymakers craft better laws and design more effective cybersecurity technology, both of which are essential to ensuring that cyberspace operations are secure, effective, and trustworthy. The proposed framework could be put to the test and evaluated by using data on a national level collected by international organizations and appropriate methodologies created for constructing composite indices. The primary focus of Member States at present is on taking a comprehensive approach to cybersecurity. Previous decades have seen governments take a piecemeal approach to cybersecurity.
Some implications can be seen on both the domestic and international levels. At the national level, people with a lot of power in the public and private sectors, such as the top managers, government officials, and academics, work together to come up with ways to reduce attacks. Regarding the worldwide platform, community enterprises from various nations work together to increase awareness of cybersecurity threats and create a universal global awareness that occurrences in cyberspace are highly hazardous, and they come to an agreement not to use them. By signing an agreement against the use of cyberspace, for instance, countries can increase cooperation between their different national intelligence entities and share data about cybercrimes and incidents. Such policies have many advantages, including boosting international cooperation and agreements, strengthening public-private partnerships, raising public awareness, and encouraging human capital to become educated on cybersecurity challenges, work together to develop effective solutions, and divide the burden of preventing cybercrime among all relevant community members.
5.2. Limitations and Suggestions for Future Research
This article has some limitations. An empirical survey to verify conceptual understanding with ground realities has not been conducted on the conceptual framework. The identified organizational factors and the factors related to information security policy, as well as their integration, were only studied in one country. Consequently, recommendations for further study are provided. The world’s governments could be given some recommendations for improving cybersecurity and responding to cyberattacks. As part of a larger, more holistic framework, the indicators collected can be used to optimize these initiatives. A country’s policymakers, strategists, and economists can use the foregoing implications to inform the development of an analytical model that identifies gaps, incorporates threat assessments, defines vulnerabilities, and develops appropriate responses. This systemic method can be used to develop a complete strategy for dealing with the issue of cyberspace. The outcomes of the cyberattacks the sector has been experiencing, as well as the singularity of the country’s assets in terms of critical infrastructures, national security, and economic security, should inform the developed responses.
National stakeholders must develop a comprehensive strategic model to lessen the chances of cyber threats and incidents, as both government agencies and the country’s cyber-critical infrastructure face a growing number of challenges. This strategic method would allow us to pinpoint the most pressing issues and efficiently allocate resources. As an added bonus, a convincing model could be developed to justify expenses; stakeholders’ roles and responsibilities could be defined; goals and priorities could be established; and participants who are accountable for achieving the goals could be specified. Although governments have begun to recognize the importance of considering such factors as milestones and performance measures, specific roles and responsibilities of stakeholders, and costs and sources of funding when developing a cybersecurity strategy, this process is still in its infancy. The current strategy does not include priority actions, who is in charge of doing them, or when they should be performed. Because of this, the nation’s integrated cybersecurity strategy is still not clear and is not fully formed.
The modeling of cybersecurity strategy assists countries in aligning it with operations and processes to understand better their vision, mission, goals, and culture. Thus, policymakers, through the visualization of the country’s cybersecurity strategy, should be aware of its strategy, goals, and structure to effectively use the necessary resources and develop digital tools that help the country digitalize its processes and increase its efficiency. As scholars conclude that strategic planning in enterprise architecture (EA) can improve the traceability between a country’s strategic planning and EA choices, and EA can also be used for strategy formulation, the modeling of cybersecurity strategy in EA is a significant step toward this alignment. Without being able to envision what that process looks like, it becomes difficult to fully comprehend what is required for success. Therefore, scholars suggest more practical case studies should be conducted in order to improve the ease of use and clarity of cybersecurity strategy concepts.