Article

Cybersecurity Transformation: Cyber-Resilient IT Project Management Framework

1 Department of Computing and Software, Faculty of Engineering, McMaster University, Hamilton, ON L8S 4L8, Canada
2 Faculty of Applied Sciences and Technology, Humber Polytechnic, Toronto, ON M9W 5L7, Canada
* Author to whom correspondence should be addressed.
Digital 2024, 4(4), 866-897; https://doi.org/10.3390/digital4040043
Submission received: 26 August 2024 / Revised: 14 October 2024 / Accepted: 18 October 2024 / Published: 24 October 2024

Abstract
In response to the escalating threats of cybersecurity attacks and breaches, ensuring the development and deployment of secure IT products has become paramount for organizations in their cybersecurity transformation. This work emphasizes the critical need for a comprehensive and secure IT project management life cycle that safeguards products from their initial development stages through decommissioning. The primary objective is to seamlessly integrate security considerations into every facet of IT project management life cycles. This work embraces a cyber-resilient IT project management framework and advocates the inclusion of cybersecurity measures in IT projects and their strategic, organized, continuous, and systematic integration throughout the entire product life cycle. It introduces a pioneering framework that harmonizes the cybersecurity risk management process with the IT project management life cycle. This framework delineates a methodical sequence of steps, each encompassing a distinct set of activities. The effectiveness and practical applicability of the proposed framework were validated through a comprehensive case study focused on the Personal Health Record (PHR) system. The PHR case study served as a real-world scenario to assess the framework’s ability to address cybersecurity challenges in a specific domain. The results of the experiment demonstrated the framework’s efficacy in enhancing the security posture of IT projects, showcasing its adaptability and scalability across diverse applications.

1. Introduction

The current cybersecurity landscape is characterized by the regular emergence of new types of cyber threats and trends, which constantly evolve in sophistication and diversity. This forces both individuals and organizations to keep redefining secure frameworks for their IT systems [1]. Technology has changed how organizations operate and their work environment globally. Software, IT services, computer hardware, mobile devices, and communications are integrated into business processes in various ways. IT spending was $4.5 trillion in 2022, a 2.7% increase from 2021 [2]. Investment in IT projects keeps increasing despite the risk and costs, and the complexity of managing IT projects continues to be a challenge for many organizations. Many projects use IT, and the success of organizations relies on these projects. A study [3] identified the following top 10 strategic technology trends for 2023, in which information technology forms a significant part of the projects: digital immune system; applied observability; AI trust, risk, and security management; industry cloud platforms; platform engineering; wireless-value realization; superapps; adaptive AI; metaverse; and sustainable technology. An IT-based project is an organizational investment, where resources are dedicated to creating a solution of business value for the organization. Because organizations invest when they start IT projects, it is important to manage these projects. Project management is crucial for the success of projects, that is, for achieving their objectives. However, project success continues to be a challenge for many organizations. A study [4] examined the issues and causal factors behind the failure and success of information systems projects. It stated that within many organizations, leadership, stakeholder, and risk management issues are not addressed early on in the projects.
Another study [5] reported that 18% of IT projects failed, that is, they were canceled before completion; 43% were challenged, that is, over budget, late, and/or delivered with fewer than the required features; and 39% were successful, that is, delivered with the required features, within the budget estimate, and on time. Delivering output does not necessarily mean that a project is successful; instead, a project must deliver value to the organization and stakeholders. Examples of delivered value are improving efficiency or responsiveness, creating positive social contributions, or creating new products that meet the needs of customers [6]. From the start of a project until the system is decommissioned, the system that has been designed and implemented must remain secure in the face of cybersecurity threats, which is a challenging task to realize. Even though organizations invest in reducing IT-related issues, cyberspace, including its infrastructure, businesses, and people, must also be defended from cybercrime. For example, many techniques have been proposed to fix data quality problems and reduce the cost of corrupted data [7,8,9]; however, it was estimated in 2020 that cybercrime cost the world economy around 1% of global GDP [10]. Security is no longer considered a luxury feature [11].
A report issued by [12] examined 16,312 cybersecurity incidents. An incident is defined in the report as a “security event that compromises the integrity, confidentiality or availability of an information asset”, while a breach is defined as “An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party. A Distributed Denial of Service (DDoS) attack, for instance, is most often an incident rather than a breach, since no data is exfiltrated. That doesn’t make it any less serious”. Out of the 16,312 incidents, 5199 were confirmed data breaches. The report stated that industries of many types and sizes were victims of incidents and/or breaches, such as healthcare, accommodation, finance, mining, real estate, transportation, education, agriculture, information, administration, manufacturing, construction, and retail. The breaches were spread over many regions of the world. Attackers or threat actors can be divided into the following categories: nation–state, insider threat, hacktivist, organized cybercriminal, terrorist, and thrill seekers/script kiddies [13]. Four main categories of risk that may apply to IT projects are identified by [14]: technical, business, organizational, and project management. Each main category contains subcategories: hardware, software, and network in technical; competitors, suppliers, and cash flow in business; executive support, user support, and team support in organizational; and estimates, communication, and resources in project management. Cybersecurity risks related to IT must be addressed so that the IT systems produced by these projects remain secure from the early stages of the project until they are decommissioned.

1.1. Organization

This paper is organized as follows. Section 1 presents the work’s rationale and an introduction to the IT project life cycle, IT project risk management, and a summary of several frameworks and standards that are related to the work. Also, it presents the contributions and framework evaluation criteria that are used to conclude whether the work achieved the objectives and fulfilled the purpose or not. Section 2 provides an overview of the related work and discusses various limitations of the related literature, frameworks, and standards. Section 3 presents and discusses the proposed framework, and how it addresses the existing gap between IT project management and cybersecurity requirements during the development of systems containing hardware and/or software. Section 4 presents a case study that is used to demonstrate the practical applicability of the proposed framework. Section 5 presents a discussion using the framework evaluation criteria. Section 6 presents the applications of the framework. Section 7 is the paper’s conclusion and future work.

1.2. Overview of IT Project Life Cycle

Projects come in different sizes, durations, and costs; however, generally, they all have common attributes such as purpose, resources, time frame, sponsor or client, development using progressive elaboration, and uncertainty. Typically, a project has a life cycle, which is a collection of project phases, from the start of the project to the finish. However, a difference between a project life cycle and a product life cycle is that when a project life cycle creates a product, the product life cycle is the whole life of this product. For example, if a project life cycle creates a mobile app product, then the product life cycle would be the whole period from the initiation phase of the project until the end of the support phase when the app is retired. During the project life cycle, the development approach is the method that is used to create and evolve the product, service, or result. The delivery cadence is the frequency and timing of project deliverables, and project deliverables can be single, multiple, or periodic deliverables. The development approach can be a predictive, adaptive, iterative, incremental, or hybrid method. How a project can be developed depends on the type of project deliverable(s) [6].
A predictive approach predicts the work that will happen in each phase where one phase finishes before the next one begins, through a series of waterfalls. The scope, schedule, and cost are defined early. Changes to the scope are more controlled than the other approaches. It is also referred to as a waterfall or plan-driven approach. An iterative approach starts with a scope, but time and cost might still be rough estimates and modified as the project is more understood. The product is developed through a series of repeated iterations to the functionality of the product. In an incremental approach, the deliverables are created through a series of iterations, where a few more features are added incrementally from the start to the final finished product. The product will not be considered complete until the final iteration ends. Adaptive approaches use iterative and incremental approaches. The scope is established at the start of the project. It works best when there is a high level of change in requirements and shorter iterations. A hybrid approach is a combination of predictive and adaptive approaches. The development approach used depends on the degree of change in requirements and the cadence of deliveries [6].

1.3. IT Project Risk Management

Risks exist throughout the life of IT projects, and risk management may result in significant improvement in their ultimate success. However, software projects are more challenging to manage than other types of engineering projects because the product is intangible; that is, it is hard to see the progress by looking at the artifact that is being constructed, as compared to civil engineering projects, for example. In addition, every large project is often a one-off project, which might make previous experience not very helpful in anticipating problems; the rapid advancement in technology might also make experience obsolete. Moreover, different companies use different software processes, which might not be well understood, making it harder to reliably predict when a particular software process might lead to development problems [15]. Other factors may also make managing IT projects unique compared to other industries. IT projects are diverse in terms of hardware and software applications, and IT projects support every possible industry, where managing real estate projects, for example, may require different skills and knowledge than managing healthcare IT projects. Also, the project team members typically possess different skills and come from diverse backgrounds [14]. Projects operate in dynamic environments and face many types of risks, where positive risks are called opportunities and negative risks are called threats. The impact of threats should be dealt with appropriately based on well-informed decisions. To identify and manage risks, a systematic project risk management process is required.

1.4. Risk Management, Cybersecurity, Governance, and Project Management Frameworks

Various frameworks and standards provide comprehensive guidance on managing cybersecurity risks and implementing best practices in cybersecurity, governance, and project management. This study focuses on several of these frameworks. Table 1 presents a comparative analysis of the selected frameworks and standards, highlighting their key features and applicability.

1.5. Contributions

The objective of this paper is to address the existing gap between IT project management and cybersecurity requirements during the development of systems containing hardware and/or software. So, the contributions consist of three parts: project management life cycle, cybersecurity risk management process, and a framework to address the gap between them, as follows:
First, building upon the work [19], we introduce a generic IT project life cycle that serves as a foundation for project managers to protect products and services against cybersecurity risks from the initial development stages through decommissioning.
Second, based on existing frameworks and standards [16,17,18,21], we introduce a cybersecurity risk management process comprising several steps, each with a set of activities that holistically consider different aspects of cybersecurity needs. This process aims to achieve effective protection and response to build resilient products capable of withstanding cybersecurity risks.
Third, we achieve the objective by proposing a cyber-resilient IT project management framework. This framework bridges the gap by harmonizing a cybersecurity risk management process with an IT project life cycle, ensuring a cohesive and comprehensive approach to cybersecurity throughout the product development and management process. It integrates the two previous components: the generic IT project life cycle and the cybersecurity risk management process.

1.6. Framework Evaluation Criteria

To develop the criteria that are used to evaluate the cyber-resilient IT project management framework, we examined related studies and research to determine the challenging factors that need to be addressed. Ref. [24] argued that risk management is essential for organizations, and that it is necessary to effectively utilize a hedging risk management framework. Another study [25] showed that the effect of risk level on project success can be moderated by risk management practices. Ref. [26] proposed a framework for effective risk management by emphasizing the risk identification process. The work of [27] evaluated how effective comprehensive cybersecurity regulations and policies in the United States, such as HIPAA, are. The work of [28] examined cloud security frameworks such as COBIT 5 and NIST guidelines on security and privacy in public cloud computing. It considered comprehensiveness to be one of the strengths of a framework. The study [29] proposed a framework that is designed to analyze and evaluate how business and IT are aligned. Ref. [30] stated that there are benefits to business–IT alignment, and that the success of IT is linked with a successful alignment with business. Ref. [31] stated that business and IT alignment plays a critical role in a company’s success and explored the challenges of improving it. A study [32] stated that adherence to cybersecurity standards, policies, and best practices may influence firm performance. Ref. [28] also considered alignment with industry standards to be one of the strengths of a framework. A study [33] underscored the importance of continuous improvement in information security and its importance for business, especially in the context of safeguarding sensitive financial and personal data. Ref. [34] discussed the cybersecurity awareness process and how continuous review and evaluation are essential for improvement. Ref. [35] proposed an integrated cybersecurity risk management framework which includes continuous improvement through systematic identification of cybersecurity risks. We concluded that five challenging factors need to be evaluated, as illustrated in Table 2.

2. Related Work

Research in the field of cybersecurity risk management has increased significantly in recent years [36]. There are also proposed frameworks and methodologies in the literature that address cybersecurity, risk management, or project management. Ref. [37] used a literature review to identify and evaluate challenges with respect to agile development and security assurance practices. The work of [38] built on [37] to develop a framework to help managers incorporate cybersecurity risk management into software development using agile development projects. Ref. [39] proposed a cyber risk management framework that shows continuous improvement in cybersecurity performance. Ref. [35] proposed a framework to assess and manage cybersecurity risks by using machine learning. Ref. [40] analyzed 105 IT projects to identify the sources of risks and establish the relationships between them, and the work of [41] assessed the maturity level of risk management in IT projects based on the popular risk management maturity models. It consists of four levels: absent, initial, random, and standardized. The work of [42] presented a framework that bridges the gap between risk assessment and risk management. It utilizes a multicriteria decision-analysis-based approach that addresses all components of the threat, vulnerability, and consequences triplet and qualifies them through a set of criteria. The approach also considers the information, physical, and social domains in the cyber vulnerability assessment. The work of [43,44] is related to risk management in critical infrastructures. It proposed a risk management method to deal with the external and internal impact of harmful events that occur in the critical infrastructure. The work of [45] reviewed the existing methods in cybersecurity risk assessment specifically tailored for supervisory control and data acquisition (SCADA) systems. It chooses methods based on factors such as aim, application domain, key risk management concepts covered, impact measurement, and the stages of risk management addressed. It suggests a scheme to categorize the cybersecurity risk assessment methods for SCADA systems. The work of [46] proposed a framework called NEON to enhance attack attribution related to advanced persistent threats (APTs). The framework provides the following components: collection of data from APT campaigns and social media; attracting the attention of potential attackers by using honeypots through virtual personas; monitoring the systems; detection and classification of incidents; collection of forensic information; response recommendation; and threat visualization. The work of [47] proposed a risk management framework to comply with national and European regulations for Telecommunications Service Providers (TSPs). It consists of two parts: a security risk management tool to support the TSPs and a platform that is used by the regulatory authority to collect and analyze the risk management reports from the TSPs. Ref. [48] focused on three aspects of risk management of critical infrastructure: asset identification; vulnerability and threat assessment; and risk identification. The goal is to predict the high risks and proactively select the controls. It presents an asset-focused risk management framework that (1) identifies the assets and categorizes them based on their importance to the organization; (2) identifies the vulnerabilities, causes, and consequences of threats; and finally, (3) identifies the risk to the critical infrastructure based on the cascading vulnerabilities and the threat to the assets.
NIST established the Cybersecurity Framework (CSF) [16]. The framework core 2.0 is a set of activities that has six functions: govern, identify, protect, detect, respond, and recover. CSF can be a cybersecurity management tool to strengthen existing cybersecurity practices, or it can serve as a starting point for developing a cybersecurity risk management program. Another cybersecurity risk management framework is the NIST Risk Management Framework (RMF) [20]. RMF has six steps plus a preparatory step that is used to make sure that the organization is prepared to execute the cyclical six steps, which are executed repeatedly throughout the life of the organization. The six steps are categorize, select, implement, assess, authorize, and monitor. A framework by NIST [49] is used to manage information security risk. Its process consists of four components: framing, assessing, responding, and monitoring. The Microsoft Security Development Lifecycle [21] is a specialized SDLC that focuses on the development of secure software by building security into every phase of software development. Its secure software development process model consists of seven phases: training, requirements, design, implementation, verification, release, and response. In the verification phase, several checks and approvals are required before any code can be released. The purpose is to verify that the code conforms to the requirements and design; checks such as static code analysis and tests such as penetration testing are performed. After that, the software is systematically and gradually released. The training and response phases support the security phases. Another secure software development framework is the NIST SSDF [22], which aims to prepare the organization to perform secure software development with as few vulnerabilities as possible and with the ability to respond to them. The Software Assurance Maturity Model (SAMM) [50] is an open-source project that is maintained by the Open Worldwide Application Security Project. It aims to be a maturity model for software assurance by improving the security of the software development and maintenance process and integrating the security activities with the process. Microsoft developed a model called STRIDE for threat modeling [51]. It categorizes threats into six categories: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. COBIT [17] is a framework created by ISACA for the governance and management of enterprise information and technology. It defines sets of governance and management objectives that should be achieved so that information and technology can contribute to the goals of the enterprise. ISO 31000 [23] is a set of standards related to risk management. It is a guide that an organization can use to develop a risk management strategy that aims to manage risk, make better-informed decisions, and achieve organizational objectives. Its main purpose is to integrate risk management into the activities and functions of the organization. Ref. [18] is another set of standards by ISO and IEC (the International Electrotechnical Commission) that is related to information security. It describes the requirements for an information security management system and provides a framework to establish, implement, maintain, and continually improve the information security management system and secure assets. Ref. [52] elaborates on the specifics of security controls. Ref. [19] defines a life cycle and project risk management processes. The life cycle includes four phases: (1) starting the project, (2) organizing and preparing, (3) carrying out the work, and (4) finishing the project. It also defines seven processes for project risk management.
In Table 3, we discuss the limitations in the research, standards, and frameworks of related work.

3. Cyber-Resilient IT Project Management Framework

The proposed Cyber-Resilient IT Project Management (CYBITJET) Framework consists of a cybersecurity risk management process that is integrated with a generic IT project life cycle. Figure 1 shows CYBITJET framework steps and activities, including the integration between the cybersecurity risk management process and the generic IT project life cycle. The details of each part and the mapping between them are explained below.

3.1. The Generic IT Project Life Cycle

The generic IT project life cycle for systems containing hardware and/or software includes four phases each with several activities, as follows:

3.1.1. Start the Project

In this phase, the following activities are executed:
  • Business case: An analysis, including the value, which is the indicator of the success of the project, to decide whether the project continues or not.
  • Project charter: Authorizes the project and is used by the project stakeholders as an agreement that enables the project to commence.

3.1.2. Plan the Project

In this phase, the following activities are executed:
  • Plan project risks, including cybersecurity risks based on the cybersecurity risk management process and other risks that are not related to cybersecurity.
  • The scope: What is part and what is not part of the project, that is, the boundaries.
  • The deliverables of the project and product.
  • The schedule: The phases or activities that need to be completed and the dependencies among them.
  • The resources, which may include time, money, people, facilities, technology, and other assets.
  • The budget: Estimation of the project cost based on the estimated cost of project activities.
  • The quality, which is concerned with meeting the stakeholders’ requirements.
  • The communications, which define the communications among stakeholders.
Risks associated with the Plan the Project phase in CYBITJET may also occur, and the project manager should take them into consideration as typical project management tasks. The scope should be controlled such that it is defined clearly, without significant change after the project starts; when a change is needed, it should go through a scope change procedure that may include a scope change request form justifying the change and its impact. The work breakdown structure should be deliverable oriented; it provides a bridge between the project’s scope and the project plan, and its development should involve the people who will be doing the work. Different cost estimation techniques can be used, such as the Delphi technique, time boxing, guesstimate, top–down, or bottom–up estimating. Estimating each activity’s duration is a critical task. A project schedule can be developed using the activity on node (AON) tool. Estimating the cost of a particular activity or task with an estimated duration involves defining what resources are needed, the quantity of the resources, and the cost of the resources for this activity or task. For example, for a task that requires work from a cybersecurity analyst who works full time for five days a week with an annual salary of $70,000, the prorated cost per day for the task = 70,000/(52 × 5) = $269.23. Other costs may also occur, such as insurance, rent, etc. In terms of cybersecurity cost, risk analysis metrics such as annualized loss expectancy (ALE) can be used, among others, to compare the potential losses associated with each type of risk. ALE is the monetary loss that the organization expects to incur from a given risk each year: ALE = single loss expectancy (SLE) × annualized rate of occurrence (ARO). For example, consider an organization that is concerned about the risk that a hurricane poses to its warehouse in a specific region. The building itself is valued at $6 million. It is determined that there is a 15% likelihood that a hurricane will strike over the course of a year, and that an average hurricane may destroy around 25% of the building. SLE is therefore $6,000,000 × 25% = $1,500,000, ARO is 0.15, and ALE is $1,500,000 × 0.15 = $225,000.
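The cost and risk arithmetic above is small enough to hand-calculate, but in a real plan it is repeated over a whole risk register and an activity network. The following Python script is an added example, not code from the paper or the CYBITJET framework: it prorates the analyst day rate exactly as in the paper, computes SLE and ALE for a constructed risk register (the hurricane row reuses the paper's figures; the ransomware and phishing rows are hypothetical values), ranks the risks by expected yearly loss, and runs a forward pass over a small constructed AON network to obtain the project duration and critical path. The forward-pass/longest-path reading of the AON tool is an assumption of this example; the paper only names the tool.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Full-time resource: 52 weeks x 5 days, as in the paper's prorating example.
WORKING_DAYS_PER_YEAR = 52 * 5


def prorated_cost_per_day(annual_salary: float) -> float:
    """Prorated daily labour cost of a full-time resource, rounded to cents."""
    return round(annual_salary / WORKING_DAYS_PER_YEAR, 2)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x fraction of the asset lost in one occurrence."""
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence (expected loss per year)."""
    return round(sle * aro, 2)


@dataclass
class Risk:
    """One row of a (constructed) project risk register."""
    name: str
    asset_value: float
    exposure_factor: float  # 0.0 .. 1.0, share of the asset destroyed per event
    aro: float              # expected occurrences per year (may exceed 1)

    @property
    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    @property
    def ale(self) -> float:
        return annualized_loss_expectancy(self.sle, self.aro)


def rank_risks_by_ale(risks: List[Risk]) -> List[Risk]:
    """Order risks by expected yearly loss, highest first, for prioritisation."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


# Constructed sample register. The hurricane figures are the paper's own
# example; the other two rows are hypothetical values for illustration only.
SAMPLE_RISKS = [
    Risk("Hurricane (warehouse)", 6_000_000, 0.25, 0.15),
    Risk("Ransomware (file server)", 400_000, 0.50, 0.80),
    Risk("Phishing credential theft", 120_000, 1.00, 2.00),
]


def aon_schedule(activities: Dict[str, Tuple[int, List[str]]]) -> Tuple[int, List[str]]:
    """Forward pass over an activity-on-node network (assumed reading of the AON tool).

    activities maps name -> (duration in days, list of predecessor names).
    Returns (project duration, critical path); the critical path is the longest
    predecessor chain ending at the activity that finishes last.
    """
    early_finish: Dict[str, int] = {}
    longest_pred: Dict[str, Optional[str]] = {}

    def finish(name: str) -> int:
        if name in early_finish:          # memoised: each node computed once
            return early_finish[name]
        duration, preds = activities[name]
        early_start, chosen = 0, None
        for p in preds:                   # early start = max early finish of predecessors
            if finish(p) > early_start:
                early_start, chosen = finish(p), p
        early_finish[name] = early_start + duration
        longest_pred[name] = chosen
        return early_finish[name]

    for name in activities:
        finish(name)
    last = max(early_finish, key=early_finish.get)
    path: List[str] = []
    node: Optional[str] = last
    while node is not None:               # walk back along the longest chain
        path.append(node)
        node = longest_pred[node]
    return early_finish[last], path[::-1]


# Constructed sample AON network: durations in days and predecessors.
SAMPLE_ACTIVITIES = {
    "A: define scope": (3, []),
    "B: threat model": (2, ["A: define scope"]),
    "C: design": (4, ["A: define scope"]),
    "D: select controls": (1, ["B: threat model", "C: design"]),
}


if __name__ == "__main__":
    print(f"Analyst day rate: ${prorated_cost_per_day(70_000):,.2f}")
    for r in rank_risks_by_ale(SAMPLE_RISKS):
        print(f"{r.name:28s} SLE=${r.sle:>12,.2f} ALE=${r.ale:>12,.2f}")
    duration, path = aon_schedule(SAMPLE_ACTIVITIES)
    print(f"Project duration: {duration} days; critical path: {' -> '.join(path)}")
```

The ranking is the point of the exercise: the phishing row has the smallest single loss but the highest ALE because it is expected twice a year, which is exactly the comparison the paper says ALE is used for. The AON pass shows that the threat-modeling activity has float (it is not on the critical path), so a delay there does not move the delivery date, whereas a delay in design does.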
Managing project stakeholders and communication is another critical task. Relevant stakeholders should be identified, and the progress of the project must be communicated to the various stakeholders who may have different interests, roles, or information requirements. Quality is another aspect of the project in which not only the features of functionality are important but other attributes such as safety or dependability are also important for the customer. The project team should build the right product or system, build it the right way, and follow the processes outlined in the plan to ensure quality. Whether the project is a high-cost or low-cost project, the steps to manage the project can be defined and the project managers can tailor them as per the needs.
For a project manager who is following CYBITJET, risks may threaten the IT system that is being built, the project, or the organization. There are different types of risks that might affect the project and the product, such as risks that come from people, software, hardware, organization, estimation, and requirements. For example, if there is a defect in the software used to develop the product such that it can be used to access the data in an unauthorized way, then the risk is related to cybersecurity. Alternatively, the project cost to develop the product may be underestimated, which may lead to project cancellation; this is a risk that is not necessarily related to cybersecurity. Managing risk is a process that a project manager follows to identify and assess major risks, the probability that they might happen, and their impact and consequences on the project, and to make plans to deal with them, whether they are cybersecurity-related risks or not.

3.1.3. Execute the Plan

This phase is concerned with the development and completion of the IT product or service in terms of hardware, network, and/or software. In terms of software systems, many of the software development activities occur in this phase. A common product life cycle of software systems is the Systems Development Life Cycle (SDLC), which is a framework for describing the phases of information systems development. It consists of the following phases: (1) planning, (2) analysis, (3) design, (4) implementation, (5) testing, and (6) maintenance. It is critical to select an adequate development approach such as predictive or iterative; otherwise, the project may fail to meet the goals and objectives. In addition, cybersecurity must be taken into consideration to ensure that it is interwoven into the implementation of whatever model(s) has been used for software development. A secure systems development life cycle is important because it becomes very hard to add security once the system is implemented; therefore, it must be performed proactively where cybersecurity must be taken into consideration during the system design phase or revised after each significant change in the system. This phase is also concerned with other aspects of the project including project security controls based on the cybersecurity risk management process, and the management of project scope, schedule, budget, quality, communications, and resources.
Agile development can be considered an adaptive approach [6]. For each iteration (also known as a sprint), users and developers work closely together to define and prioritize features, which are then designed, coded, and tested. Once a feature is delivered, its maintenance phase starts. So even if the development approach in the SDLC of Figure 1 is agile, CYBITJET can still be followed normally. For example, consider a company that needs a B2B e-commerce website to sell products online to its business partners. The initial high-level requirements are defined and developed, and the development team then produces multiple deliveries, each adding new functionality through a series of iterations based on the remaining requirements, which are defined progressively. A potential project life cycle for such a system would use an adaptive development approach. By contrast, consider a company that needs a gas detection system for a waste processing facility: such a safety-critical system requires a lot of up-front analysis before implementation, and changes in scope would be minimal. A potential project life cycle for such a system would use a predictive development approach that ends with the system delivery and maintenance phase. For both approaches, CYBITJET would follow similar steps and activities.

3.1.4. Finish the Project

In this phase, the following activities are executed:
  • Install or deploy the IT product or service.
  • Decide how to manage the operations of the IT product or service and how to handle any change in code or other parts once the system is operational.
  • Agree on the closure of the project among related stakeholders.
  • Evaluate whether the project was successful or not.

3.2. The Cybersecurity Risk Management Process: An Overview

The cybersecurity risk management process comprises a systematic collection of steps, each with a set of activities as follows. The details of the steps are explained in Section 3.4.
  • Project Cybersecurity-based Governance: To guide the project and cybersecurity decisions
  • Project Threat Modeling (PTM): To evaluate the IT design in terms of threats
  • Project Asset Identification and Categorization: To do asset valuation
  • Project Risk Assessment: To identify risk and set criticality priorities
  • Project Risk Strategy: To decide about the best defense
  • Project Security Controls Selection: To select security controls
  • Project Risk Monitor: To continuously monitor systems and controls
  • Project Risk Response: To act against incidents
  • Project Risk Recovery and Evaluation: To restore normal operation and learn lessons

3.3. The Mapping Between IT Project Management and Cybersecurity Risk Management

Our project life cycle is integrated with the cybersecurity risk management process to consider the security in the project and its product. Table 4 shows the mapping between the generic IT project life cycle phases and cybersecurity risk management activities in CYBITJET. Following this mapping leads to strengthened system security.

3.4. The Cybersecurity Risk Management Process: Detailed Steps

This section explains the details of the steps of the cybersecurity risk management process including the description and activities of each step.
PCG: Project Cybersecurity-based Governance
Description
Successful risk management governance is crucial for project management, as risk-based project decisions are always taken in organizations. Cybersecurity needs to be managed and governed throughout the organization because it is an organizational process, not only an IT department activity. Project cybersecurity-based governance guides all the project decisions taken by the project manager and team so that the created product, service, or result will successfully meet the strategic, tactical, and operational goals, including the security aspect. The context and environment in which the decisions are made also need to be described before any risk-related activities start.
PCG01: Establish and monitor security governance and commitment from all project stakeholders to the entire risk management process.
PCG02: Improve the security of the business over time in alignment with the strategy, goals, mission, and objectives of the organization.
PCG03: Allocate resources such as people, time, technology, and budget adequately.
PCG04: Develop and review security policy, standards, guidelines, and procedures to produce reliable and efficient cybersecurity-based IT projects.
PCG05: Develop and test business continuity and disaster recovery plans periodically to control and limit the damage to get faster recovery time.
PCG06: Govern supply chain risk management to ensure that suppliers and vendors are trustworthy, reliable, and reputable.
PCG07: Determine organizational processes including acquisitions, mergers, and divestitures as they might increase the level of risk.
PCG08: Define roles in the organization so that responsibilities, reliabilities, delegation schemes, and hierarchical management can be identified and managed more easily.
PTM: Project Threat Modeling
Description
Threat modeling is a process that is used to evaluate the design of computer software, hardware, and networks in terms of cybersecurity threats. It is important because threats may exploit vulnerabilities.
PTM01: Evaluate the design of systems to analyze and identify the potential threats against the organization’s valuable assets.
PTM02: Use the list of threats with assets that are vulnerable to them and evaluate each asset.
PTM03: Prioritize the threats against the organization’s valuable assets.
PTM04: Provide a security awareness program about threats, security basics, and trends in cybersecurity and train the employees on how to perform IT-related tasks securely.
Careful consideration is needed when a wide range of threats is chosen, as threat modeling may then produce different types of threats that focus on assets the organization does not possess or that have no vulnerabilities.
PAI: Project Asset Identification and Categorization
Description
To protect critical assets such as data, software, people, or hardware against cybersecurity attacks and their consequences, a list of assets is first produced, and then asset valuation takes place. After that, a process starts to identify the threats that can cause harm to them.
PAI01: Identify and list the organization’s assets.
PAI02: Assign valuation to the assets in the list.
PAI03: Prioritize the assets based on their value to the organization.
PAI04: Identify the threats that can cause harm to the assets.
PAI05: Create awareness of security among employees and have them receive training about assets, the threats that may harm them, and how to perform secure IT-related tasks.
Careful consideration is needed when starting with asset listing, as it may lead to an inventory of a wide range of assets that are related only to low-value threats, which can be a time-consuming process. An evaluation for each asset–threat pair can then be conducted, and its related risk is assessed in the next step.
PRA: Project Risk Assessment
Description
Project risk assessment or project risk analysis determines what threats require attention or response, that is, it identifies risks and sets critical priorities. There are two main approaches to analyzing risk: quantitative and qualitative.
PRA01: Implement a qualitative risk analysis which is a subjective analysis based on the experience, judgment, feelings, or intuition of the project stakeholders. It assigns intangible value to the loss of assets.
PRA02: Implement a quantitative risk analysis which is based on mathematical or statistical techniques, and it assigns monetary figures to the risk levels, potential losses, countermeasures cost, and safeguards values.
PRA03: Combine qualitative and quantitative analysis to provide more valuable insight.
PRS: Project Risk Strategy
Description
The purpose of this step is to determine the most suitable defense for each identified risk. However, it might not be feasible or advisable to respond to each threat. Several factors should be considered when determining the response to a project risk, such as the delivered value, the project objectives, scope, budget, quality, and schedule. There are several strategies for responding to risk.
PRS01: Avoidance: It is the strategy of taking steps to avoid the risk altogether or selecting alternate options to prevent the possibility of the threat occurring.
PRS02: Mitigation: It is the process of reducing the impact and/or the probability of risk by implementing safeguards, security controls, and countermeasures. Typically, a residual risk remains after risk reduction.
PRS03: Acceptance: The stakeholders may accept the risk when they are not worried about it, or when the cost of countermeasures or safeguards outweighs the possible cost of loss that would occur because of the risk. However, a formal statement should indicate why this strategy was chosen, by whom, and who is responsible if a threat occurs.
PRS04: Assignment: It assigns or transfers the responsibility for the loss due to risk onto someone else or a third party. This may end up adding cost to the management of the risk.
PRS05: Deterrence: This strategy employs deterrents against potential violations of security.
PRS06: Rejection: The organization or entity denies the existence of a risk and ignores it. Note that this might be an unacceptable choice, as it may cause issues in the courts.
PSCS: Project Security Controls Selection
Description
Security controls may help to prevent, detect, and/or correct problems that are related to security incidents. Security controls can be divided into three categories: management controls, which focus on the management of risk, such as policies, procedures, standards, baselines, and guidelines; technical controls, which involve the use of hardware and software to secure systems, such as ACLs, firewalls, and encryption; and physical controls, which are things that someone can touch, such as cameras, locks, fire extinguishers, fences, mantraps, and lighting.
PSCS01: Preventive controls: Focus on preventing security incidents from occurring.
PSCS02: Detective controls: Identify the incident either in progress or after it has occurred.
PSCS03: Corrective controls: Take action to reverse the effects of an incident and return the system to normal working status as efficiently as possible.
PSCS04: Compensating controls: Deployed to provide other options in case the primary control is not feasible or is unavailable.
PSCS05: Deterrent controls: Discourage the would-be attackers from attempting an attack or even deter users from violating policies.
PSCS06: Recovery controls: Considered an extension of corrective controls, but they have more advanced capabilities and attempt to repair or recover the system.
PSCS07: Directive controls: Mandated to encourage or force compliance with security policies.
Typically, security incidents must be prevented whenever possible, and when they occur, they must be detected, and then corrected. Some security controls can belong to more than one type, for example, the antivirus software running on a user’s desktop system can detect malware on a USB flash drive inserted into the system, and remove it as well, that is, correct the problem. The selection of controls depends on organizational decisions based on the project risks.
PRM: Project Risk Monitor
Description
Monitoring the systems and the associated controls continuously is necessary to keep track of various project risks, detect attacks as soon as possible, and maintain an ongoing awareness of the project security situation.
PRM01: Implement, throughout the project life cycle, risk reviews and audits from internal and external members, respectively, to verify whether the organizational mission and business objectives, processes, policies, procedures, and standards are satisfied or not.
PRM02: Monitor and record any cybersecurity events and anomalies against assets and information systems such as computer hardware, software, communications, networks, people, and the physical environment.
PRM03: Analyze cybersecurity incidents.
PRM04: Document changes to the systems and infrastructure.
PRM05: Determine the ongoing effectiveness of countermeasures or safeguards.
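As an added example, not code from the paper, the following monitor implements the kind of event recording and anomaly detection PRM02 calls for, using the indicator the paper itself names later in its Diffie–Hellman example (a sequence of failed login attempts followed by a successful login). The log line format, the threshold of three failures, and the five-minute window are assumptions made for this example, and the sample log lines are constructed.

```python
"""Added example (not the paper's code): a small PRM02-style monitor that scans
authentication log lines for several failed logins followed by a success from
the same user and source. Log format, threshold and window are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format:
#   "<ISO timestamp> auth user=<id> src=<ip> result=success|failure"
LINE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$"
)


def failed_then_success(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (alerts, unparsed): one alert per (user, src) pair whose success
    was preceded by at least `threshold` failures inside `window`. Unparsable
    lines are counted rather than silently dropped, so a log format change
    becomes visible in monitoring instead of blinding the detector."""
    recent_failures = defaultdict(deque)
    alerts, unparsed = [], 0
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        ts = datetime.fromisoformat(m["ts"])
        key = (m["user"], m["src"])
        q = recent_failures[key]
        while q and ts - q[0] > window:      # forget failures outside the window
            q.popleft()
        if m["result"] == "failure":
            q.append(ts)
        else:
            if len(q) >= threshold:
                alerts.append({"user": m["user"], "src": m["src"],
                               "failures": len(q), "success_at": ts.isoformat()})
            q.clear()                        # a success ends the streak either way
    return alerts, unparsed


# Constructed sample log, not real data. carol's failures are too old to count,
# bob has only one failure, alice shows the pattern of interest.
SAMPLE_LOG = [
    "2024-05-01T08:40:00 auth user=carol src=10.0.0.7 result=failure",
    "2024-05-01T08:40:30 auth user=carol src=10.0.0.7 result=failure",
    "2024-05-01T08:41:00 auth user=carol src=10.0.0.7 result=failure",
    "2024-05-01T09:00:00 auth user=alice src=10.0.0.5 result=failure",
    "2024-05-01T09:00:20 auth user=alice src=10.0.0.5 result=failure",
    "2024-05-01T09:00:41 auth user=alice src=10.0.0.5 result=failure",
    "2024-05-01T09:01:05 auth user=alice src=10.0.0.5 result=failure",
    "2024-05-01T09:01:30 auth user=alice src=10.0.0.5 result=success",
    "2024-05-01T09:02:00 auth user=bob src=10.0.0.9 result=failure",
    "2024-05-01T09:02:10 auth user=bob src=10.0.0.9 result=success",
    "2024-05-01T09:03:00 auth user=carol src=10.0.0.7 result=success",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found, bad = failed_then_success(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a['user']}@{a['src']}: {a['failures']} failures then success at {a['success_at']}")
    print(f"{bad} unparsable line(s)")
```

The detector keys on the (user, source) pair rather than the user alone so that a legitimate user mistyping a password from their usual workstation is judged separately from attempts arriving from elsewhere; the threshold and window would be tuned from the organization's own baseline during PRM05.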
PRR: Project Risk Response
Description
Once a cybersecurity incident occurs and is detected, action must be taken to address the incident, limit its harm, reduce its cost, and minimize the recovery time.
PRR01: The persons responsible for project risk must take appropriate courses of action.
PRR02: The incident including its impact is analyzed and understood. Answering questions such as the time it occurred, how it occurred, the damage caused, and who caused it would help in the analysis.
PRR03: Investigate the logging system records of events and activities.
PRR04: Communicate, coordinate, and present the incident info with the relevant stakeholders.
PRRE: Project Risk Recovery and Evaluation
Description
Effective and quick recovery and keeping operations running continuously is a critical task. After a cybersecurity incident or breach, it is important to restore any services or capabilities that were impaired due to the incident or breach. In addition, after any disaster recovery, an evaluation of the entire process of risk management takes place.
PRRE01: Activate business continuity and recovery plans where incident evaluation and notification take place.
PRRE02: Resume the original functionality of the operations.
PRRE03: Use the lessons learned after the cybersecurity incident to update the steps in PCG, PTM, PAI, PRA, PRS, PSCS, PRM, and PRR and to identify best practices that can be shared throughout the organization or with various stakeholders.
PRRE04: Update business continuity and disaster-recovery plans based on the lessons learned.

4. Case Study

To demonstrate the applicability of CYBITJET, we conducted a detailed and insightful case study focusing on the Personal Health Record (PHR) system that includes hardware and software. We delve into the practical application of our framework within the dynamic and sensitive realm of healthcare data management. The choice of PHR as the subject of our case study stems from the critical nature of healthcare information, demanding the highest standards of confidentiality and integrity. As healthcare systems increasingly digitize personal health records, the vulnerability to cybersecurity threats becomes more pronounced. The following pages present a detailed exploration of the PHR case study, providing a comprehensive analysis of how our framework operates in a real-world scenario. The outcomes of this case study not only showcase the adaptability and effectiveness of our proposed framework in securing healthcare information but also contribute valuable insights for its broader application across diverse domains within the IT landscape. The proposed project involves developing a secure Personal Health Record (PHR) system in the healthcare domain that includes hardware and software. The goal is to create a platform that securely manages and maintains personal health records, ensuring the confidentiality, integrity, and availability of sensitive medical information. The cyber-resilient IT project management framework is applied to guide the project through various phases, integrating security measures into each step, from governance and threat modeling to risk assessment, response, and recovery. The framework emphasizes continuous monitoring and improvement to maintain the security of the PHR system throughout its lifecycle. Figure 2 shows the use-case diagram of the system. This system has three objectives as follows:
  • To enable patients to access, share, and manage their health data
  • To enable clinicians to access the shared patients’ health data
  • To enable patients to exchange health information with healthcare systems
Such a safety-critical system requires a lot of up-front analysis before implementation, and the changes in scope would be minimal as well. A life cycle of the system with a predictive development approach shall be selected. Figure 3 shows the resilient system architecture of PHR. There is a redundancy strategy with a backup server, database backup, integrity checker, and transaction log.
We focus on activities from the IT project life cycle phases that are more highly relevant to cybersecurity including Business Case, Project Charter, Plan Project Risk, Implement Project Response, Develop Secure IT System, Deploy IT Product or Service, and Manage System Maintenance.
START THE PROJECT PHASE
  1. Business Case Document: One main purpose of this document is the analysis of the risks of several alternatives for achieving business value. Therefore, the following steps are added:
(A) Project Threat Modeling
Related cybersecurity risk management process activities:
PTM01: Evaluate the design of systems to analyze and identify the potential threats against the organization’s valuable assets.
During the development of the PHR system, the design of the network architecture for an alternative is assessed to identify potential threats. This involves examining how personal health data are stored, transmitted, and accessed within the system.
Example:
Network Design Analysis: The network consists of an internal network where the PHR system is hosted, in addition to a screened subnet (also known as DMZ) for publicly accessible servers including web servers and email servers. The screened subnet is connected to the Internet. A multihomed firewall is used with one interface connected to the Internet, a second interface connected to the screened subnet, and the last interface connected to the internal network.
Potential Threat: The inbound mail network traffic might not stay confined to the segment containing the web servers.
PTM02: Use the list of threats with assets that are vulnerable to them and evaluate each asset.
The threats were identified and analyzed in terms of their impact on assets.
Example 1:
Threat: Unauthorized access to personal health records that may result in data tampering.
Vulnerable Asset: Personal health records
Example 2 (valuation of assets):
Asset valuation: Personal health records are sensitive information, so they are deemed highly valuable assets.
PTM03: Prioritize the threats against the organization’s valuable assets.
Prioritization is made based on the potential harm each threat poses to personal health data. Threats related to data integrity and confidentiality are prioritized higher due to the critical nature of health information.
Example:
Personal health records asset has the highest priority.
PTM04: Provide a security awareness program about threats, security basics, and trends in cybersecurity and train the users on how to perform IT-related tasks securely.
Stakeholders who are involved with the PHR system undergo training on cybersecurity threats, emphasizing the importance of safeguarding personal health data.
Example:
Provide awareness about social engineering attacks and emerging cybersecurity trends for PHR end users.
Relevant Industry Standards Examples
COBIT 2019: APO12.01, APO12.02, APO12.03, APO12.04
ISO/IEC 27001:2013: A.18.2.3
NIST SP 800-53 Revision 5: PM-12, PM-16, SI-5
(B) Project Asset Identification and Categorization
Related cybersecurity risk management process activities:
PAI01: Identify and list the organization’s assets.
Assets in the PHR system include personal health records, the software application itself, servers, and databases. These assets are listed comprehensively to understand the scope of what needs protection.
PAI02: Assign valuation to the assets in the list.
The valuation process considers factors such as the potential impact on the reputation of the data owner.
Example:
The server that hosts the PHR system is assigned a high valuation.
PAI03: Prioritize the assets based on their value to the organization.
Assets are prioritized based on their criticality. Personal health records, being the primary focus of the PHR system, are given the highest priority, followed by the software application and the supporting infrastructure.
PAI04: Identify the threats that can cause harm to the assets.
Threats are identified in terms of their potential harm to personal health records and the overall functionality of the PHR system.
Example:
Unauthorized access, data breaches, and denial of service.
PAI05: Create awareness of security among users and have them receive training about assets, the threats that may harm them, and how to perform secure IT-related tasks.
Example:
Users attend sessions about security basics. Also, they are provided with the knowledge and skills that are tailored to their roles and responsibilities related to IT systems.
Relevant Technical Standard Examples
NIST SP 800-53 Revision 5: CM-8
COBIT 2019: BAI09.01, BAI09.02
ISO/IEC 27001:2013: A.8.1.1, A.8.1.2
  2. Project Charter Document: One main purpose of this document is the identification of the project’s governance structure and the risks. Therefore, the following step is added:
(C) Project Cybersecurity-based Governance
Related cybersecurity risk management process activities:
PCG01: Establish and monitor security governance and commitment from all project stakeholders to the entire risk management process.
The PHR project manager conducts a kickoff meeting involving healthcare executives, IT professionals, legal representatives, and data privacy officers.
During the meeting, the project manager emphasizes the criticality of personal data security and obtains commitments from all stakeholders to adhere to security measures throughout the project.
A security governance framework is introduced, outlining the responsibilities of each stakeholder in ensuring the confidentiality, integrity, and availability of personal health records.
Regular follow-up meetings are scheduled to monitor and reinforce security commitments, ensuring continuous alignment with the project’s security goals.
PCG02: Improve the security of the business over time in alignment with the strategy, goals, mission, and objectives of the organization.
The healthcare organization invests in regular security assessments and updates to enhance the security posture of the PHR system.
Security policies are reviewed and revised to align with the latest healthcare regulations, ensuring compliance with standards such as HIPAA.
Ongoing cybersecurity training programs are provided to healthcare staff to keep them informed about evolving threats and best practices in handling personal health information.
The organization allocates resources to stay abreast of emerging security technologies that can enhance the PHR system’s overall security.
PCG03: Allocate resources such as people, time, technology, and budget adequately.
The budget is allocated for the procurement of advanced security technologies such as encryption tools, intrusion detection systems, and secure authentication mechanisms.
Skilled cybersecurity professionals are hired to manage and implement security protocols within the PHR system.
Regular time slots are scheduled in the project timeline for security reviews, vulnerability assessments, and updates to security measures.
Technology resources, including servers and databases, are upgraded to meet the security requirements of the PHR system.
PCG04: Develop and review security policy, standards, guidelines, and procedures to produce reliable and efficient cybersecurity-based IT projects.
A comprehensive security policy document is created, outlining guidelines for secure access, data encryption, and incident response within the PHR system.
Security standards are established based on healthcare regulatory requirements and best practices.
Regular reviews of security policies and guidelines are conducted to ensure they remain up-to-date and effective in safeguarding personal health records.
Procedures for reporting security incidents, conducting risk assessments, and implementing security controls are documented and communicated to related staff.
PCG05: Develop and test business continuity and disaster-recovery plans on a periodic basis to control and limit the damage and get faster recovery time.
Business continuity and disaster-recovery plans specific to the PHR system are developed, including procedures for regular data backup and system restoration.
Tabletop exercises are conducted to simulate scenarios of data breaches or system failures, testing the effectiveness of the recovery plan.
Emergency response teams are trained to handle potential crises, ensuring a rapid and coordinated response to mitigate the impact on personal health data.
Lessons learned from the testing phases are used to refine and improve the business continuity and disaster recovery plans for the PHR system.
PCG06: Govern supply chain risk management to ensure that suppliers and vendors are trustworthy, reliable, and reputable.
Establish supplier and vendor criteria: Define criteria for selecting trustworthy, reliable, and reputable suppliers and vendors.
Conduct an initial risk assessment: Perform an initial risk assessment of potential suppliers and vendors.
Develop a security governance framework: Establish a governance framework that outlines security expectations and standards.
Implement continuous monitoring: Put in place continuous monitoring mechanisms to track the cybersecurity practices of suppliers and vendors.
Provide cybersecurity training: Offer cybersecurity training to suppliers and vendors to enhance their awareness and capabilities.
Regularly review and update security measures: Schedule regular reviews of security measures to adapt to evolving threats.
Foster Collaboration and Transparency: Encourage open communication and transparency between the PHR project and suppliers/vendors.
Periodic risk reassessment: Periodically reassess the risks associated with suppliers and vendors.
Escalation and mitigation: Establish clear escalation paths for identified risks and implement mitigation strategies.
PCG07: Determine organizational processes including acquisitions, mergers, and divestitures as they might increase the level of risk.
Before acquiring a new healthcare facility, a cybersecurity risk assessment is conducted to identify potential risks and vulnerabilities.
Cybersecurity experts are involved in the due diligence process to assess the security posture of the new entity, aligning it with existing security practices.
Integration plans include cybersecurity considerations, and measures are taken to harmonize security practices across the entire healthcare organization.
Continuous monitoring is implemented post-acquisition to address and mitigate any emerging cybersecurity risks.
PCG08: Define roles in the organization so that responsibilities, reliabilities, delegation schemes, and hierarchical management can be identified and managed more easily.
Roles related to cybersecurity within the PHR system are clearly defined, including a chief information security officer (CISO), security analysts, and data custodians.
Example:
Define data custodian role: Responsible for integrity and protection of data including storage, backup, and recovery of the PHR system.
Responsibilities for managing access controls, monitoring security logs, and responding to incidents are outlined for each role.
Delegation schemes ensure that individuals responsible for cybersecurity have the authority to implement security measures and respond effectively to incidents.
A hierarchical management structure is established for effective communication and coordination in handling cybersecurity matters within the PHR system.
Relevant Technical Standard Examples
NIST SP 800-53 Revision 5: PM-9, PM-11
COBIT 2019: EDM01.01, EDM03.02, DSS04.01, DSS04.02, APO01.03
ISO/IEC 27001:2013: A.5.1.1
PLAN THE PROJECT PHASE
Part of the Plan the Project phase is risk assessment and the response strategy. Therefore, the following steps are added:
(A) Project Risk Assessment
Related cybersecurity risk management process activities:
PRA01: Implement a qualitative risk analysis.
Conduct interviews, surveys, and workshops to gather insights from the PHR stakeholders. Qualitatively assess risks related to unauthorized access to personal health records, data integrity issues, and potential service disruptions.
Example 1:
Risk: Unauthorized access to personal health records.
Likelihood: High, given the sensitive nature of health data.
Impact: Critical, as it could compromise privacy and violate regulations.
Example 2:
Risk: Data loss due to system failure.
Likelihood: Medium, considering robust backup systems.
Impact: High, especially if recent health data are affected.
Example 3:
Risk: Regulatory compliance issues.
Likelihood: Medium, as regulations may change.
Impact: High, as non-compliance can lead to legal consequences.
PRA02: Implement a quantitative risk analysis.
Quantify risks using statistical methods. Assign monetary values to potential losses associated with a data breach, system downtime, or regulatory fines. This provides a basis for comparing and prioritizing risks.
Example 1:
Risk: Unauthorized access to PHR.
Estimated Cost: $150,000 for implementing advanced access controls.
Potential Loss: $1,500,000 in fines and legal costs.
Example 2:
Risk: Data loss.
Estimated Cost: $100,000 for implementing redundant storage.
Potential Loss: $250,000 in data recovery.
PRA03: Combine qualitative and quantitative analysis.
Integrate qualitative and quantitative assessments to gain a comprehensive understanding of risks. This holistic approach ensures that both tangible and intangible aspects of risks are considered, providing a nuanced view for decision-making.
Example:
Prioritizing measures to prevent unauthorized access.
Relevant Industry Standards Examples
NIST SP 800-53 Revision 5: RA-2, RA-3
COBIT 2019: APO12.02
ISO/IEC 27001:2013: A.18.2.3
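To show how the qualitative ratings of PRA01 and the monetary figures of PRA02 can be combined in PRA03, here is an added example that is not code from the paper. It builds a small risk register from the three risks and the dollar figures given in the examples above. The ordinal scales for likelihood and impact, and the rule that net benefit equals potential loss minus control cost (which assumes the control fully addresses the risk), are assumptions made for the example, not values the paper defines.

```python
"""Added example (not the paper's code): a risk register that combines the
qualitative ratings (PRA01) and monetary figures (PRA02) from the PHR case
study into one priority order (PRA03). Scales and the net-benefit rule are
assumptions made here."""

LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3}               # assumed ordinal scale
IMPACT = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}    # assumed ordinal scale

# Risks and figures taken from the paper's PRA01/PRA02 examples. The regulatory
# risk has no quantitative figures on the page, so they are left as None.
RISK_REGISTER = [
    {"risk": "Unauthorized access to personal health records",
     "likelihood": "High", "impact": "Critical",
     "control_cost": 150_000, "potential_loss": 1_500_000},
    {"risk": "Data loss due to system failure",
     "likelihood": "Medium", "impact": "High",
     "control_cost": 100_000, "potential_loss": 250_000},
    {"risk": "Regulatory compliance issues",
     "likelihood": "Medium", "impact": "High",
     "control_cost": None, "potential_loss": None},
]


def qualitative_score(entry):
    """PRA01: likelihood x impact on the assumed ordinal scales."""
    return LIKELIHOOD[entry["likelihood"]] * IMPACT[entry["impact"]]


def net_benefit(entry):
    """PRA02: loss avoided minus control cost. Assumes the control fully
    addresses the risk; None when the page gives no figures."""
    if entry["control_cost"] is None or entry["potential_loss"] is None:
        return None
    return entry["potential_loss"] - entry["control_cost"]


def prioritize(register):
    """PRA03: rank by qualitative score first and net benefit second, so a risk
    without a monetary estimate is still ranked by its rating rather than
    dropped from the list."""
    def key(entry):
        benefit = net_benefit(entry)
        return (qualitative_score(entry),
                benefit if benefit is not None else float("-inf"))
    return sorted(register, key=key, reverse=True)


def acceptance_candidates(register):
    """Risks whose control would cost more than the loss it prevents; these are
    what the PRS03 (acceptance) step would put in front of stakeholders."""
    return [e["risk"] for e in register
            if net_benefit(e) is not None and net_benefit(e) < 0]


if __name__ == "__main__":
    for rank, entry in enumerate(prioritize(RISK_REGISTER), start=1):
        print(rank, entry["risk"], "score", qualitative_score(entry),
              "net benefit", net_benefit(entry))
    print("acceptance candidates:", acceptance_candidates(RISK_REGISTER))
```

With the page's figures, unauthorized access ranks first (score 12, net benefit $1,350,000), which matches the PRA03 example of prioritizing measures against unauthorized access; neither quantified control costs more than the loss it prevents, so the acceptance list is empty.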
(B) Project Risk Strategy
Related cybersecurity risk management process activities:
PRS01: Avoidance.
Select measures to avoid the risks to the PHR system.
Example:
Multi-factor authentication and encryption.
PRS02: Mitigation.
Select security controls and countermeasures to reduce the impact of identified risks.
Example:
Intrusion detection systems and regular security audits.
PRS03: Acceptance.
Stakeholders of PHR accept certain risks if the cost of mitigation outweighs the potential losses.
Example:
Stakeholders may decide to accept a certain risk associated with data access latency during peak usage periods in the PHR system. Despite the potential delay in user access to health records during high-demand periods, stakeholders might find that the cost of implementing additional resources to eliminate this latency risk is disproportionate to the overall system benefits. By accepting this specific risk, stakeholders prioritize resource optimization and cost-effectiveness, ensuring that the PHR system remains functional and available even during periods of increased user activity.
PRS04: Assignment.
Transfer the responsibility for certain risks to the PHR system to a third party.
Example:
Purchase cybersecurity insurance coverage against a particular financial loss resulting from a data breach.
PRS05: Deterrence.
Select deterrent strategies to secure the PHR system.
Example:
Audit trails and legal consequences against anyone who participates in cybercrime.
PRS06: Rejection.
Not selected as a risk response strategy for the PHR.
Relevant Industry Standards Examples
NIST SP 800-53 Revision 5: IR-4
COBIT 2019: APO12.05
ISO/IEC 27001:2013: A.12.6.1
(C) Project Cybersecurity-based Governance
Related cybersecurity risk management process activities:
Revise PCG01 through PCG08 to ensure they are aligned with project objectives.
EXECUTE THE PLAN PHASE
  1. Develop the IT System.
    Secure systems development of the PHR system includes the following:
    (1) Functional requirements specifications, including security functional requirements that describe the features that provide security protection against attacks and failures.
    (2) Non-functional requirements specifications, including non-functional security requirements that include the features that provide availability, confidentiality, safety, integrity, resilience, and reliability.
Example 1:
A patient and a health care system want to exchange keys using the Diffie–Hellman key exchange algorithm. A risk may arise from a hacker intercepting the key exchange. This can be represented by a use case drawn in black as shown in Figure 4. The sequence diagram of a possible Man-in-the-Middle attack in the PHR system is shown in Figure 5. The attacker intercepts the exchange and sends the public keys PKa1 and PKa2 instead of the real keys. Therefore, the patient and healthcare system do not share a secret key; instead, the patient shares the key K2 with the attacker and the healthcare system shares the key K1 with the attacker. In this case, when the patient sends a message E(K2,M), for example, to the health care system, the attacker intercepts the message, decrypts it, and recovers M. Then the attacker sends the health care system the message (or possibly an altered version). This might be detected by using a detective control such as PSCS02, shown below in the project security controls selection section, that is, a digital signature and public-key certificate. Using real-time monitoring and IDS in PSCS02 can also help detect different cases, because one sign of an MITM attack is a sequence of failed login attempts followed by a successful login.
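The exchange described in Example 1, as an added example that is not code from the paper: the patient and healthcare system run Diffie–Hellman once without any authentication, where the substituted keys PKa1 and PKa2 leave each side sharing a key (K1, K2) with the attacker instead of with each other, and once with each public key signed and checked against a trusted certificate directory, the detective control the text points to under PSCS02. The group parameters, the textbook RSA signature, the Mersenne-prime keys and the certificate directory are all constructed toy values for illustration and are far too small for real use; a real system would use a standard group and a padded signature scheme.

```python
"""Added example (not code from the paper): Diffie-Hellman from Example 1, once
unauthenticated and once with signed public keys verified against a certificate
directory. All parameters are constructed toy values, unsuitable for real use."""
import hashlib
import secrets

# Toy DH group (constructed): p = 2^127 - 1 is prime, g = 3.
DH_P = 2**127 - 1
DH_G = 3


def dh_keypair():
    priv = secrets.randbelow(DH_P - 2) + 1            # 1 <= priv <= p - 2
    return priv, pow(DH_G, priv, DH_P)


def dh_shared_key(priv, peer_pub):
    """Symmetric key derived from the shared DH value (which fits in 16 bytes here)."""
    return hashlib.sha256(pow(peer_pub, priv, DH_P).to_bytes(16, "big")).digest()


# Textbook RSA signature over a SHA-256 digest (no padding; illustration only).
RSA_E = 65537


def rsa_keypair(p, q):
    n = p * q
    return (n, RSA_E), (n, pow(RSA_E, -1, (p - 1) * (q - 1)))


def _digest_int(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(priv, message):
    n, d = priv
    return pow(_digest_int(message, n), d, n)


def rsa_verify(pub, message, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(message, n)


# Long-term signing keys built from distinct Mersenne primes (constructed).
PATIENT_PUB, PATIENT_PRIV = rsa_keypair(2**61 - 1, 2**89 - 1)
HCS_PUB, HCS_PRIV = rsa_keypair(2**107 - 1, 2**127 - 1)
ATTACKER_PUB, ATTACKER_PRIV = rsa_keypair(2**31 - 1, 2**521 - 1)

# Stands in for CA-issued certificates: which verification key belongs to whom.
CERT_DIR = {"patient": PATIENT_PUB, "hcs": HCS_PUB}


def _payload(identity, dh_pub):
    return identity.encode() + b"|" + dh_pub.to_bytes(16, "big")


def signed_message(identity, dh_pub, signing_priv):
    return identity, dh_pub, rsa_sign(signing_priv, _payload(identity, dh_pub))


def authentic(identity, dh_pub, sig):
    """Detective check (PSCS02): the signature must verify under the key that the
    certificate directory binds to the claimed identity."""
    pub = CERT_DIR.get(identity)
    return pub is not None and rsa_verify(pub, _payload(identity, dh_pub), sig)


def exchange(mitm, verify):
    """Patient <-> healthcare-system exchange. With mitm=True the attacker
    substitutes PKa1/PKa2 as in Figure 5; with verify=True both sides check the
    signature before deriving a key and refuse to proceed if it fails."""
    pat_priv, pat_pub = dh_keypair()
    hcs_priv, hcs_pub = dh_keypair()
    to_hcs = signed_message("patient", pat_pub, PATIENT_PRIV)
    to_patient = signed_message("hcs", hcs_pub, HCS_PRIV)
    attacker_keys = None
    if mitm:
        a1_priv, pka1 = dh_keypair()                   # PKa1 goes to the healthcare system
        a2_priv, pka2 = dh_keypair()                   # PKa2 goes to the patient
        # The attacker can replace the DH values but holds no key that the
        # certificate directory binds to "patient" or "hcs".
        to_hcs = signed_message("patient", pka1, ATTACKER_PRIV)
        to_patient = signed_message("hcs", pka2, ATTACKER_PRIV)
        attacker_keys = (dh_shared_key(a2_priv, pat_pub),    # K2, shared with the patient
                         dh_shared_key(a1_priv, hcs_pub))    # K1, shared with the healthcare system
    hcs_ok = authentic(*to_hcs) if verify else True
    pat_ok = authentic(*to_patient) if verify else True
    return {
        "hcs_accepted": hcs_ok,
        "patient_accepted": pat_ok,
        "hcs_key": dh_shared_key(hcs_priv, to_hcs[1]) if hcs_ok else None,
        "patient_key": dh_shared_key(pat_priv, to_patient[1]) if pat_ok else None,
        "attacker_keys": attacker_keys,
    }


if __name__ == "__main__":
    for mitm, verify in [(False, True), (True, False), (True, True)]:
        r = exchange(mitm, verify)
        print(f"mitm={mitm} verify={verify}: accepted={r['patient_accepted'] and r['hcs_accepted']}, "
              f"keys match={r['patient_key'] is not None and r['patient_key'] == r['hcs_key']}")
```

Without verification the two derived keys differ and each equals one of the attacker's keys, exactly the K1/K2 split the text describes; with verification both sides reject the substituted message, because the attacker can sign only under a key that the certificate directory does not associate with either identity.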
(1) Secure software design that includes the following:
  • Design of software architecture that can protect the assets and minimize the effect of the attacks.
  • Implement secure system design guidelines that may include the following:
    - Defense in depth, which avoids a single point of failure through layering or using multiple controls.
    - How to respond to and handle failures, and what to choose between fail-safe, fail-secure, fail-open, or fail-closed. In the case of the PHR system, the choice is fail-secure to protect the assets.
    - Logging user and system events.
    - System input validation.
    - Use of the need-to-know principle to ensure that users or subjects only have access to the information that they need for their work tasks.
    - Use of the least privilege principle to ensure that every user or subject operates using the least set of privileges necessary to perform the work.
    - The balance between security, functionality, and usability.
    - Authentication and session management.
(2) Use of secure systems coding principles.
(3) Testing the software, including security testing.
Example 2:
The network design would be DMZ-based as shown in Figure 6.
2. Part of the execute-the-project phase is the implementation of project responses. Therefore, the following steps are added:
(A)
Project Security Controls Selection
Related cybersecurity risk management process activities:
PSCS01: Preventive controls.
Implement preventive measures to secure the PHR system.
Example:
Written policies and procedures, intrusion prevention systems, background checks on employees, encryption, access controls, and regular security training for staff to prevent unauthorized access and data breaches.
PSCS02: Detective controls.
Deploy systems for detecting and identifying security incidents promptly.
Example:
Use digital signature and public-key certificate, implement intrusion detection systems, log analysis, and real-time monitoring.
PSCS03: Corrective controls.
Implement measures to correct the effects of a security incident and restore the PHR system’s normal functionality.
Example:
Disaster recovery plan, data backup, and incident response procedures.
PSCS04: Compensating controls.
Alternative controls are to be deployed in case primary controls are ineffective or unavailable.
Example:
Implementing additional security measures if the primary firewall system fails.
PSCS05: Deterrent controls.
Implement controls that discourage potential security violations.
Example:
Warning banners, announcements of legal consequences for anyone who participates in cybercrime, and strong access controls.
PSCS06: Recovery controls.
Advanced controls that are focused on recovering the PHR system after a security incident.
Example:
Implement specialized recovery procedures and technologies in the system after a disaster.
PSCS07: Directive controls.
Controls are mandated to ensure compliance with security policies.
Example:
Perform regular security audits and assessments.
Relevant Industry Standards Examples
Microsoft Security Development Lifecycle (SDL)
NIST SP 800-53 Revision 5: IA-2, AC-2, PS-3, PE-2, SC-7
COBIT 2019: DSS05.04, DSS05.03
ISO/IEC 27001:2013: A.9.2.1, A.9.2.2, A.9.2.3
(B)
Project Cybersecurity-based Governance
Related cybersecurity risk management process activities:
Revise PCG01 through PCG08 to ensure they are aligned with project objectives.
FINISH THE PROJECT
  • Deploy IT Product or Service: Deploying an IT product or service focuses on releasing or installing the system that was developed. Releasing the system can take more than one approach, such as direct cutover, phased, and parallel, each with advantages and disadvantages. For example, the phased approach is less risky, but it may take longer than the cutover. Whatever approach is taken, cybersecurity must be taken into consideration.
  • Manage System Maintenance: Part of finishing the project is managing system maintenance. After a system becomes operational, maintenance management deals with maintaining the system using various processes and methodologies such as configuration management, maintenance release, version control, and security. Monitoring, response, and evaluation will be there even after the system is released. Therefore, the following steps are added:
(A)
Project Risk Monitor
Related cybersecurity risk management process activities:
PRM01: Implement risk reviews and audits.
Conduct internal risk reviews by the project team.
External audit by a cybersecurity expert to verify compliance with security standards and regulations.
Example:
Engage an external cybersecurity firm to perform quarterly audits and review access logs, system configurations, and adherence to security policies.
PRM02: Monitor and record any cybersecurity events.
Utilize network and host-based monitoring solutions to track and record cybersecurity events. This includes monitoring access logs, system behavior, and potential security incidents.
Example:
Deploy Security Information and Event Management (SIEM) software to monitor and analyze logs in real time and generate alerts for suspicious activities.
PRM03: Analyze cybersecurity incidents.
In-depth analysis of incidents to understand their impact, identify patterns, and determine the effectiveness of existing security controls. This involves assessing the scope and severity of incidents.
Example:
In case of a detected anomaly, perform a detailed analysis of the incident, including the time of occurrence, affected systems, and potential vulnerabilities exploited.
PRM04: Document changes to the systems and infrastructure.
Maintain an accurate record of changes made to the PHR system and its infrastructure. This includes software updates, security patches, and modifications to access controls.
Example:
Maintain a change log documenting any updates or modifications to the PHR system, including software updates, configuration changes, or access permission adjustments.
PRM05: Determine the ongoing effectiveness of countermeasures or safeguards.
Regularly assess the effectiveness of security controls to ensure they remain robust against evolving threats. This may involve periodic penetration testing and vulnerability assessments.
Example:
Conduct periodic penetration testing to evaluate the resilience of the system against simulated cyber-attacks and identify areas for improvement.
Relevant Industry Standards Examples
NIST SP 800-53 Revision 5: CA-7, SI-4, CM-3
COBIT 2019: DSS05.07, DSS03.05, DSS05.07
ISO/IEC 27001:2013: A.12.4.1, A.12.4.3
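The indicator named in Example 1 (a run of failed logins followed by a successful one) written as the kind of rule a SIEM deployed under PRM02 would run over authentication logs. This is an added example, not the paper's code; the log line format, the sample lines and the thresholds are constructed for illustration.

```python
"""SIEM-style rule for the indicator named in Example 1 and monitored under
PRM02: a run of failed logins followed by a successful login on one account.

Added illustration, not code from the paper. The log line format, the sample
lines and the thresholds are all constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed authentication-log format; a real SIEM normalises its own sources.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) phr-auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "ok": m["result"] == "OK"}


def detect_fail_then_success(lines, min_failures: int = 3,
                             window_minutes: int = 5) -> list:
    """Return one alert per successful login that was preceded, within the
    window, by at least `min_failures` failed attempts on the same account."""
    window = timedelta(minutes=window_minutes)
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # user -> timestamps of failures in window
    alerts = []
    for ev in events:
        recent = recent_failures[ev["user"]]
        cutoff = ev["ts"] - window
        recent[:] = [t for t in recent if t >= cutoff]  # forget stale failures
        if not ev["ok"]:
            recent.append(ev["ts"])
            continue
        if len(recent) >= min_failures:
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "failures": len(recent),
                           "success_at": ev["ts"].isoformat()})
        recent.clear()  # a success ends the current run for this account
    return alerts


# Constructed sample: patient42 matches the indicator; nurse7 logs in cleanly;
# drrose's three failures are spread over 18 minutes, so the 5-minute window
# does not fire; the malformed last line is skipped by the parser.
SAMPLE_LOG = """\
2024-10-01T10:00:01Z phr-auth user=patient42 src=203.0.113.9 result=FAIL
2024-10-01T10:00:07Z phr-auth user=patient42 src=203.0.113.9 result=FAIL
2024-10-01T10:00:15Z phr-auth user=patient42 src=203.0.113.9 result=FAIL
2024-10-01T10:00:22Z phr-auth user=patient42 src=203.0.113.9 result=OK
2024-10-01T10:01:00Z phr-auth user=nurse7 src=10.20.0.4 result=OK
2024-10-01T10:02:00Z phr-auth user=drrose src=10.20.0.8 result=FAIL
2024-10-01T10:10:00Z phr-auth user=drrose src=10.20.0.8 result=FAIL
2024-10-01T10:18:00Z phr-auth user=drrose src=10.20.0.8 result=FAIL
2024-10-01T10:20:00Z phr-auth user=drrose src=10.20.0.8 result=OK
this line is not an auth record
"""

if __name__ == "__main__":
    for alert in detect_fail_then_success(SAMPLE_LOG.splitlines()):
        print("ALERT:", alert)
```

Widening the window to 30 minutes makes the drrose sequence fire as well, which is the usual tuning trade-off between missed slow attempts and alert noise.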
(B)
Project Risk Response
Related cybersecurity risk management process activities:
PRR01: Take appropriate courses of action.
Initiate incident response procedures, including isolating affected systems, disabling compromised accounts, and activating backup systems to maintain essential functionality.
Example:
In the event of a cybersecurity incident, the response team, led by the Chief Information Security Officer (CISO), initiates predefined response procedures, including incident containment and resolution.
PRR02: Analyze the incident and understand its impact.
Thoroughly investigate the incident, including determining when it occurred, how it occurred, and the extent of the damage. This involves analyzing logs, system behavior, and any potential indicators of compromise.
Example:
After identifying a potential breach, the response team conducts a detailed analysis, investigating how the incident occurred, the extent of the damage, and the parties involved.
PRR03: Investigate the logging system records of events and activities.
Examine system logs to reconstruct the sequence of events leading up to and during the incident. This assists in understanding the attack vectors and potential points of vulnerability.
Example:
Review system logs and event records to trace the sequence of events leading up to the incident, aiding in the understanding of the attack vector.
PRR04: Communicate, coordinate, and present the incident information to the relevant stakeholders.
Communicate incident details with relevant stakeholders such as IT personnel, project managers, and sponsors. Coordinate response efforts and present findings to support informed decision-making.
Example:
Develop a communication plan outlining how and when to communicate incident details to stakeholders, including internal teams, patients, regulatory authorities, and the public if necessary.
Relevant Industry Standards Examples
NIST SP 800-53 Revision 5: IR-3, IR-4, IR-8, AU-7
COBIT 2019: APO12.06, DSS03.04
ISO/IEC 27001:2013: A.7.2.2, A.16.1.4, A.16.1.7
(C)
Project Risk Recovery and Evaluation
Related cybersecurity risk management process activities:
PRRE01: Activate business continuity and recovery plans.
Activate predefined business continuity and recovery plans to ensure a swift response to the incident. This involves identifying critical assets, prioritizing recovery efforts, and implementing measures to minimize downtime.
Example:
Upon detecting a cybersecurity incident affecting the PHR system, the recovery team activates the business continuity plan, outlining steps for a seamless transition to backup systems.
PRRE02: Resume the original functionality of the operations.
Gradually bring up the PHR system, starting with restoring the most critical assets. This includes verifying the integrity of personal health records, ensuring data accuracy, and conducting thorough testing before fully resuming operations.
Example:
Begin the recovery process by bringing up the disaster recovery systems, starting with restoring the most critical assets such as patient records, ensuring minimal disruption to healthcare services.
PRRE03: Use the lessons learned for improvement.
Conduct a comprehensive evaluation of the incident, identifying strengths and weaknesses in the response. Use this analysis to derive lessons learned and improve incident response procedures for future incidents.
Example:
Conduct a post-incident analysis to determine the root causes, vulnerabilities exploited, and the effectiveness of response strategies. Use this information to enhance cybersecurity measures and update the related steps in the cybersecurity risk management process.
PRRE04: Update business continuity and disaster-recovery plans.
Document and update business continuity and disaster-recovery plans based on the lessons learned from the incident. This ensures that the organization is better prepared for similar incidents in the future.
Example:
Revise the business continuity and disaster-recovery plans based on the identified weaknesses and strengths observed during the incident. This ensures that future incidents can be handled even more effectively.
Relevant Industry Standards Examples
NIST SP 800-53 Revision 5: CP-2, CP-10
COBIT 2019: MEA03.02, DSS03.04
ISO/IEC 27001:2013: A.6.1.4, A.16.1.5, A.16.1.6
(D)
Project Cybersecurity-based Governance
Related cybersecurity risk management process activities:
Revise PCG01 through PCG08 to ensure they are aligned with project objectives.

5. Discussion

In this section, we discuss the evaluation of the challenging factors and the indicators that CYBITJET revealed, with examples, as shown in Table 5.
We conclude from Table 5 that CYBITJET is an effective tool for organizations seeking to enhance their cybersecurity posture in IT project management. The structured approach to risk management in CYBITJET allows organizations to prioritize their cybersecurity efforts based on potential threats and vulnerabilities, ensuring a more secure and resilient IT environment. Its comprehensive nature ensures that all aspects of governance are considered and enables organizations to address various IT-related challenges. By fostering alignment between cybersecurity strategies and business objectives, it enhances the organization’s ability to achieve its business objectives. Its ability to integrate with other standards allows organizations a unified approach to governance and management. Its focus on continuous improvement enables organizations to adapt to evolving threats and improve their overall security defenses.

6. Applications of the Framework

This section provides insights into how organizations can adopt and integrate this framework into their IT project management practices, ensuring a stronger security posture throughout their IT project life cycle.

6.1. Integration into Existing Organizational Processes

The CYBITJET framework is designed to seamlessly integrate with an organization’s existing project management processes and cybersecurity risk management practices. Organizations can incorporate the framework into their project life cycles by following these key steps:
  • Risk-Based Approach: From the initiation of the project, CYBITJET emphasizes identifying cybersecurity risks early and continuously addressing them throughout the life cycle. Organizations can use the framework to prioritize risks based on their impact on business objectives.
  • Governance and Stakeholder Engagement: The framework encourages strong governance by involving all relevant stakeholders, including project managers, cybersecurity teams, and business executives. This ensures alignment between project goals and the organization’s security objectives, making the adoption of cybersecurity measures a collective responsibility.

6.2. Practical Implementation of the Framework

To ensure successful adoption, organizations can implement the CYBITJET framework through the following practical steps:
  • Customized Threat Modeling: Based on the organization’s specific industry and project, the framework can be adapted to perform threat modeling early in the project to identify vulnerabilities unique to the organization. For example, in a healthcare project, as shown in our case study, the system architecture and patient data security were assessed using threat modeling tailored to healthcare-specific risks.
  • Risk Assessment and Mitigation Strategies: Organizations can adopt the risk assessment and mitigation strategies outlined in the framework. By conducting both qualitative and quantitative risk analyses, the framework helps organizations develop comprehensive responses, whether through risk avoidance, mitigation, or acceptance, tailored to the unique needs of each project.

6.3. Adaptability Across Various IT Project Types

CYBITJET is designed to be scalable and adaptable to different types of IT projects. Whether an organization is managing a small software development project or a large-scale infrastructure deployment, the framework’s modular approach allows for flexibility. For example:
  • Small Projects: For projects with limited scope, the framework allows for a simplified application, focusing on critical security aspects such as data protection and access control.
  • Complex Projects: For larger projects, such as those involving cloud deployments or cross-organizational systems, the framework’s continuous risk monitoring and governance integration ensure that cybersecurity is an ongoing priority throughout the project’s life cycle.

6.4. Practical Benefits for Organizations

By adopting the CYBITJET framework, organizations can achieve several practical benefits as follows:
  • Enhanced Cybersecurity Posture: The integration of cybersecurity into each phase of project management ensures that security is not an afterthought but an integral part of the project’s development and execution.
  • Compliance with Industry Standards: Organizations can ensure compliance with key industry standards, such as ISO/IEC 27001, NIST, and COBIT, as the framework maps directly to these standards, facilitating easier integration and audit preparation.
  • Improved Project Success Rate: By addressing cybersecurity risks proactively, organizations reduce the likelihood of project failure due to security breaches or other cybersecurity-related incidents.

6.5. Framework Adaptation for Organizational Needs

Organizations can tailor the CYBITJET framework to their specific security needs and risk tolerance. For example:
  • Organizations with High Regulatory Requirements: For industries such as healthcare and finance, where regulatory compliance is critical, the framework provides a structured approach to ensuring that data privacy and security are maintained throughout the project life cycle.
  • Agile Development Environments: CYBITJET can also be adapted to agile methodologies, allowing for iterative security assessments and integrations, ensuring that each iteration of the project is reviewed for security risks.
By adopting and adapting the CYBITJET framework, organizations can build a more resilient cybersecurity posture, aligning their IT project management practices with the growing need for robust cybersecurity measures. This framework is flexible enough to fit various organizational structures and project management methodologies while maintaining a focus on continuous improvement and risk management.

7. Conclusions and Future Work

The security of a system is an intrinsic and integral process, rather than an appended feature. This study emphasizes the significance of integrating cybersecurity considerations into the realm of IT project management. This proactive approach ensures the integration of security measures into the product’s life cycle, spanning from its initial phases to eventual decommissioning. Adherence to such a methodology results in the development of more secure products with fewer vulnerabilities. The introduced framework offers a resilient and systematic integration of the cybersecurity risk management process with the IT project management life cycle. This integration is essential for the continuous protection of products, ensuring the sustained functionality of critical assets under diverse circumstances.
In future work, our focus will extend to the incorporation of positive risks, exploring their impact on project objectives and elucidating strategies for managing cybersecurity while maximizing potential opportunities. Also, we plan to include a criterion for evaluating the maturity level of the framework. Additionally, we aim to integrate the privacy discipline into our framework, addressing concerns related to data privacy maintenance. Furthermore, our future work will explore the integration of artificial intelligence (AI) into the framework by utilizing machine learning models for anomaly detection, natural language processing for automated incident reporting, and predictive analytics to forecast potential cybersecurity threats. Leveraging AI can significantly enhance IT project management and cybersecurity, such as optimizing resource allocation during incident response, enabling real-time behavior analysis of network activities, and improving the precision and speed of threat identification and mitigation.

Author Contributions

Conceptualization, S.A.-J.; methodology, S.A.-J., H.J. and F.S.; software, S.A.-J.; validation, S.A.-J., H.J. and F.S.; formal analysis, S.A.-J. and H.J.; investigation, S.A.-J. and H.J.; resources, S.A.-J., H.J. and F.S.; data curation, S.A.-J. and H.J.; writing—original draft preparation, S.A.-J. and H.J.; writing—review and editing, S.A.-J., H.J. and F.S.; visualization, S.A.-J. and F.S.; supervision, S.A.-J., H.J. and F.S.; project administration, S.A.-J.; funding acquisition, H.J. and F.S. All authors have read and agreed to the published version of the manuscript.

Funding

Funded by Digital Tech Hub at Humber Polytechnic.

Data Availability Statement

The original contributions presented in this study are included in the article. For any further inquiries, please contact the corresponding author.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Admass, W.S.; Munaye, Y.Y.; Diro, A.A. Cyber security: State of the art, challenges and future directions. Cyber Secur. Appl. 2024, 2, 100031. [Google Scholar] [CrossRef]
  2. Gartner Inc. Gartner Forecasts Worldwide IT Spending to Grow 4.3% in 2023. Available online: https://www.gartner.com/en/newsroom/press-releases/2023-07-19-gartner-forecasts-worldwide-it-spending-to-grow-4-percent-in-2023 (accessed on 20 August 2023).
  3. Gartner Inc. Gartner Top 10 Strategic Technology Trends for 2023. Available online: https://www.gartner.com/en/articles/gartner-top-10-strategic-technology-trends-for-2023 (accessed on 21 August 2023).
  4. McManus, J.; Wood-Harper, T. A Study in Project Failure. Available online: https://www.bcs.org/articles-opinion-and-research/a-study-in-project-failure (accessed on 25 July 2023).
  5. CHAOS Manifesto. Think Big, Act Small. The Standish Group International Inc. Available online: https://www.standishgroup.com/sample_research_files/CM2013.pdf (accessed on 20 July 2023).
  6. Project Management Institute. The Standard for Project Management and a Guide to the Project Management Body of Knowledge (PMBOK Guide); Project Management Institute Inc.: Newtown Square, PA, USA, 2021. [Google Scholar]
  7. Al-Janabi, S.; Janicki, R. Data Repair of Density-based Data Cleaning Approach Using Conditional Functional Dependencies. Data Technol. Appl. 2022, 56, 429–446. [Google Scholar] [CrossRef]
  8. Razmak, J.; Al-Janabi, S.; Kharbat, F.; Bélanger, C. Lean Database: An Interdisciplinary Perspective Combining Lean Thinking and Technology. Int. Arab. J. Inf. Technol. 2021, 18, 25–35. [Google Scholar] [CrossRef] [PubMed]
  9. Rekatsinas, T.; Chu, X.; Ilyas, I.F.; Re, C. Holoclean: Holistic data repairs with probabilistic inference. VLDB Endow. 2017, 10, 1190–1201. [Google Scholar] [CrossRef]
  10. InfoSecurity. Cybercrime Costs World Economy over 1% of Global GDP. Available online: https://www.infosecurity-magazine.com/news/cybercrime-costs-1trillion (accessed on 19 August 2023).
  11. Aboud, S.J.; AL-Fayoumi, M.A.; Al-Fayoumi, M.; Jabbar, H.S. An Efficient RSA Public Key Encryption Scheme; Fifth International Conference on Information Technology: Las Vegas, NV, USA, 2008; pp. 127–130. [Google Scholar]
  12. Verizon Communications Inc. 2023 Data Breach Investigations Report. Available online: https://www.verizon.com/business/resources/reports/dbir/ (accessed on 20 August 2023).
  13. Syms, F.; Smith, D. Cybersecurity in Canada: Operations, Investigations, and Protection; Emond Publishing: Toronto, ON, Canada, 2023. [Google Scholar]
  14. Schwalbe, K. Information Technology Project Management; Cengage Learning Inc.: Boston, MA, USA, 2018. [Google Scholar]
  15. Sommerville, I. Software Engineering; Pearson Education Limited: New York, NY, USA, 2016. [Google Scholar]
  16. NIST CSF. Framework for Improving Critical Infrastructure Cybersecurity. Available online: https://www.nist.gov/cyberframework (accessed on 31 August 2023).
  17. ISACA. COBIT 2019 Framework: Governance and Management Objectives; ISACA: Schaumburg, IL, USA, 2018. [Google Scholar]
  18. ISO/IEC 27000: 2018; Information Technology-Security Techniques-Information Security Management Systems-Overview and Vocabulary. International Organization for Standardization/International Electrotechnical Commission: Geneva, Switzerland, 2018.
  19. Project Management Institute. A Guide to the Project Management Body of Knowledge (PMBOK Guide); Project Management Institute Inc.: Newtown Square, PA, USA, 2017. [Google Scholar]
  20. NIST RMF. Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Available online: https://csrc.nist.gov/pubs/sp/800/37/r2/final (accessed on 31 August 2023).
  21. SDL. Microsoft Security Development Lifecycle (SDL). Available online: https://learn.microsoft.com/en-us/compliance/assurance/assurance-microsoft-security-development-lifecycle (accessed on 3 September 2023).
  22. NIST SSDF. Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities. Available online: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf (accessed on 15 September 2023).
  23. ISO 31000:2018; Risk Management-Guidelines. International Organization for Standardization: Geneva, Switzerland, 2018.
  24. Shakatreh, M.; Rumman, A.; Mugableh, I. Reviewing the Framework of Risk Management: Policy and Hedging. Int. J. Prof. Bus. Rev. 2023, 8, 1–20. [Google Scholar] [CrossRef]
  25. Zwikael, O.; Ahn, M. The Effectiveness of Risk Management: An Analysis of Project Risk Planning Across Industries and Countries. Risk Anal. 2011, 31, 25–37. [Google Scholar] [CrossRef]
  26. Mishra, B.K.; Rolland, E.; Satpathy, A.; Moore, M. A framework for enterprise risk identification and management: The resource-based view. Manag. Audit. J. 2019, 34, 162–188. [Google Scholar] [CrossRef]
  27. Oluomachi, E.; Ahmed, A.; Ahmed, W.; Samson, E. Assessing The Effectiveness of Current Cybersecurity Regulations and Policies in the US. Int. J. Sci. Res. Publ. 2024, 14, 78–85. [Google Scholar] [CrossRef]
  28. Chauhan, M.; Shiaeles, S. An Analysis of Cloud Security Frameworks, Problems, and Proposed Solutions. Network 2023, 3, 422–450. [Google Scholar] [CrossRef]
  29. Aversano, L.; Grasso, C.; Tortorella, M. A Literature Review of Business/IT Alignment Strategies. Procedia Technol. 2012, 5, 462–474. [Google Scholar] [CrossRef]
  30. Njanka, S.; Sandula, G.; Colomo-Palacios, R. IT-Business Alignment: A Systematic Literature Review. Procedia Comput. Sci. 2021, 181, 333–340. [Google Scholar] [CrossRef]
  31. Gilbert, A.; Waal, B.; Smit, J. Business and IT Alignment; Answers and Remaining Questions; Pacific Asia Conference on Information Systems: Ho Chi Minh, Vietnam, 2009. [Google Scholar]
  32. Daud, M.; Rasiah, R.; George, M.; Asirvatham, D.; Thangiah, G. Bridging the Gap between Organisational Practices and Cyber Security Compliance: Can Cooperation Promote Compliance in Organisations? Int. J. Bus. Soc. 2018, 19, 161–180. [Google Scholar]
  33. Abrahams, T.; Farayola, O.; Amoo, O.; Ayinla, B.; Osasona, F.; Atadoga, A. Continuous improvement in information security: A review of lessons from superannuation cybersecurity uplift programs. Int. J. Sci. Res. Arch. 2024, 11, 1327–1337. [Google Scholar] [CrossRef]
  34. Chaudhary, S.; Vasileios, G.; Sokratis, K. Developing metrics to assess the effectiveness of cybersecurity awareness program. J. Cybersecur. 2022, 8, tyac006. [Google Scholar] [CrossRef]
  35. Kure, H.; Islam, S.; Mouratidis, H. An integrated cyber security risk management framework and risk predication for the critical infrastructure protection. Neural Comput. Appl. 2022, 34, 15241–15271. [Google Scholar] [CrossRef]
  36. Durst, S.; Hinteregger, C.; Zieba, M. The Effect of Environmental Turbulence on Cyber Security Risk Management and Organizational Resilience. Comput. Secur. 2024, 137, 103591. [Google Scholar] [CrossRef]
  37. Oueslati, H.; Rahman, M.; Othmane, L. Literature Review of the Challenges of Developing Secure Software Using the Agile Approach. In Proceedings of the 2015 10th International Conference on Availability, Reliability and Security, Toulouse, France, 24–28 August 2015; pp. 540–547. [Google Scholar]
  38. Salin, H.; Lundgren, M. Towards Agile Cybersecurity Risk Management for Autonomous Software Engineering Teams. J. Cybersecur. Priv. 2022, 2, 276–291. [Google Scholar] [CrossRef]
  39. Lee, I. Cybersecurity: Risk management framework and investment cost analysis. Bus. Horiz. 2021, 64, 659–671. [Google Scholar] [CrossRef]
  40. Nikolaenko, V.; Sidorov, A. Analysis of 105 IT Project Risks. J. Risk Financ. Manag. 2023, 16, 33. [Google Scholar] [CrossRef]
  41. Nikolaenko, V.; Sidorov, A. Assessing the Maturity Level of Risk Management in IT Projects. Sustainability 2023, 15, 12752. [Google Scholar] [CrossRef]
  42. Ganin, A.; Quach, P.; Panwar, M.; Collier, Z.; Keisler, J.; Marchese, D.; Linkov, I. Multicriteria Decision Framework for Cybersecurity Risk Assessment and Management. Risk Anal. 2020, 40, 183–199. [Google Scholar] [CrossRef] [PubMed]
  43. Bialas, A. Risk Management in Critical Infrastructure—Foundation for Its Sustainable Work. Sustainability 2016, 8, 240. [Google Scholar] [CrossRef]
  44. Aboud, S.J.; Alnuaimi, M.; Jabbar, H.S. Efficient Password Scheme Without Trusted Server. Int. J. Aviat. Technol. Eng. Manag. (IJATEM) 2011, 1, 52–57. [Google Scholar] [CrossRef]
  45. Cherdantseva, Y.; Burnap, P.; Blyth, A.; Eden, P.; Jones, K.; Soulsby, H.; Stoddart, K. A review of cyber security risk assessment methods for SCADA systems. Comput. Secur. 2016, 56, 1–27. [Google Scholar] [CrossRef]
  46. Pitropakis, N.; Panaousis, E.; Giannakoulias, A.; Kalpakis, G.; Rodriguez, R.; Sarigiannidis, P. An Enhanced Cyber Attack Attribution Framework. In Trust, Privacy and Security in Digital Business, Proceedings of the 15th International Conference, TrustBus 2018, Regensburg, Germany, 5–6 September 2018; Springer International Publishing: New York, NY, USA; pp. 213–228.
  47. Mayer, N.; Aubert, J. A Risk Management Framework for Security and Integrity of Networks and Services. J. Risk Res. 2021, 24, 987–998. [Google Scholar] [CrossRef]
  48. Kure, H.; Islam, S. Assets Focus Risk Management Framework for Critical Infrastructure Cybersecurity Risk Management. IET Cyber-Phys. Syst. Theory Appl. 2019, 4, 332–340. [Google Scholar] [CrossRef]
  49. NIST Special Publication 800-39. Managing Information Security Risk: Organization, Mission, and Information System View. Available online: https://csrc.nist.gov/pubs/sp/800/39/final (accessed on 2 September 2023).
  50. SAMM. Software Assurance Maturity Model. Available online: https://owasp.org/www-project-samm/ (accessed on 15 September 2023).
  51. STRIDE. Microsoft Threat Modeling Tool Threats—STRIDE Model. Available online: https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats#stride-model (accessed on 14 September 2023).
  52. ISO/IEC 27001:2022; Information Security, Cybersecurity and Privacy Protection-Information Security Management Systems—Requirements. International Organization for Standardization/International Electrotechnical Commission: Geneva, Switzerland, 2022.
Figure 1. CYBITJET framework steps and activities.
Figure 2. Use-case diagram for the PHR system.
Figure 3. PHR-resilient system architecture.
Figure 4. The use-case diagram of a Man-in-the-Middle attack against the PHR system.
Figure 5. The sequence diagram of a Man-in-the-Middle attack against the PHR system.
Figure 6. DMZ-based design of the PHR system.
Table 1. Comparison between frameworks and standards.
Framework/Standard | Focus
NIST CSF [16] | It is designed for critical infrastructure and commercial organizations. It consists of six functions that could improve existing cybersecurity practices or be used as a starting point for developing cybersecurity risk management.
COBIT 2019 [17] | Created for the governance and management of enterprise information and technology. It addresses many IT-related disciplines such as security, governance, and management. It connects IT with business objectives.
ISO/IEC 27000:2018 [18] | Describes the requirements for an information security management system and provides a framework to establish, implement, maintain, and continually improve the information security management system and secure assets.
PMBOK Guide [19] | Defines components of the project such as project management knowledge areas (e.g., project risk management and project time management), project management processes, project phases, and project life cycle.
NIST RMF [20] | It is a risk management process to identify and respond to cybersecurity threats. It consists of six cyclical steps plus a preparatory step. It establishes mandatory security and privacy requirements for federal agencies.
Microsoft SDL [21] | Microsoft’s security development lifecycle focuses on the development of secure software to build security in every phase of software development. It consists of seven phases that address the development while addressing the security.
NIST SSDF [22] | A secure software development framework describes high-level practices based on established standards, guidance, and secure software development practice documents.
ISO 31000 [23] | Set of standards that relate to risk management to help organizations develop risk management strategies that integrate risk management into the activities and functions of the organization.
Table 2. Factors that are used to evaluate the cyber-resilient IT project management framework.
Factor: Evaluation Criterion
Risk-based approach: How the proposed framework addresses the cybersecurity-related risks in IT project management
Comprehensiveness: How the proposed framework covers various aspects of cybersecurity governance in IT project management
Alignment with business objectives: How the proposed framework aligns IT project management with business objectives
Integration with industry standards: How the proposed framework integrates easily with recognized standards in IT project management
Continuous improvement: Whether the proposed framework supports continuous improvement over time in IT project management
Table 3. Related work limitations.
Work: Limitations
[16,20,50]: They focus on managing security risks, but they lack the effective integration of cybersecurity into the fabric of IT project management.
[21,22]: They focus on developing secure code only, without a holistic approach to managing IT projects and harmonizing cybersecurity risk management with the IT project management life cycle.
[51]: STRIDE focuses on threat modeling.
[17,18,23]: There is no clear direct connection between their steps in terms of cybersecurity and IT project management.
[19]: Although it acknowledges the significance of project management, it does not focus on the cybersecurity of IT products during the project management life cycle.
[35,36,37,38,39]: They do not address IT project management explicitly.
[40,41]: Neither work elaborates in detail on the cybersecurity risks and how to mitigate them.
[42,43,45,46,47,48]: They are mainly about cybersecurity or how to protect the infrastructure, but there is a notable gap in the seamless integration of these elements into IT project risk management.
Table 4. Mapping of the generic IT project life cycle activities and cybersecurity risk management process.
Columns (IT Project Phases): Start the Project; Plan the Project; Execute the Plan; Finish the Project.
Rows (Cybersecurity Risk Management Activities and IT project activities), in the order they appear in the table:
- Project Cybersecurity-based Governance
- Project Threat Modeling
- Project Asset Identification and Categorization
- Business Case
- Project Charter
- Project Risk Assessment
- Project Risk Strategy
- Plan Project Risk
- Plan Project Scope
- Plan Project Schedule
- Plan Project Budget
- Plan Project Quality
- Plan Project Communications
- Plan Project Resources
- Project Security Controls Selection
- Implement Project Response
- Develop Secure IT System
- Manage Project Scope
- Manage Project Schedule
- Manage Project Budget
- Manage Project Quality
- Manage Project Communications
- Manage Project Resources
- Project Risk Monitor
- Project Risk Response
- Project Risk Recovery and Evaluation
- Deploy IT Product or Service
- Manage System Maintenance
- Close the Project
- Evaluate the Project
Table 5. Evaluated factors based on the criteria.
Columns: Factor; Evaluation Criterion; Indicators; Examples.

Factor: Risk-based approach
Evaluation criterion: How the proposed framework addresses the cybersecurity-related risks in IT project management
Indicators: As demonstrated in the case study, from the early phases of the project, CYBITJET focuses on the identification and prioritization of cybersecurity risks to help organizations allocate and manage resources efficiently, which mitigates the most critical cybersecurity risks first. Furthermore, CYBITJET provides flexibility in managing risks because the order of the steps of the cybersecurity risk management process does not necessarily dictate the sequence of implementation.
Examples: It is up to the organization to perform the project threat modeling and the project asset identification and categorization in either order, or to alternate between them, as each approach has its own capabilities. Furthermore, CYBITJET provides capabilities to select risk strategies and controls, secure development, and monitoring that help to prioritize and take actions in IT project development based on the risk level posed to the project or product.

Factor: Comprehensiveness
Evaluation criterion: How the proposed framework covers various aspects of cybersecurity governance in IT project management
Indicators: CYBITJET integrates cybersecurity governance and IT project management, where risk management is part of IT project management, to ensure that risk management is an integral part of decision-making and governance. The outcomes of the project cybersecurity-based governance step inform, direct, establish, and monitor how the other steps achieve their outcomes.
Examples: As shown in the case study, depending on the governance steps, the threat modeling can be performed in the early phases of the project, and/or after the product is deployed, in the maintenance phase after the project is closed, to respond to future or unpredicted threats. It provides a structured process that covers all aspects of risk management.

Factor: Alignment with business objectives
Evaluation criterion: How the proposed framework aligns IT project management with business objectives
Indicators: CYBITJET is process-oriented, focusing on cybersecurity risk management throughout IT project management. As shown in the case study, CYBITJET can align with the organization’s strategic goals and objectives.
Examples: PRRS06: Rejection is not selected as a risk response strategy for the PHR system because it is not a valid due care and due diligence response to risk, as per the strategy, goals, mission, and objectives of the organization that are determined in the project cybersecurity-based governance steps.

Factor: Integration with industry standards
Evaluation criterion: How the proposed framework integrates easily with recognized standards in IT project management
Indicators: As demonstrated in the case study, CYBITJET steps can be integrated with different industry standards such as ISO/IEC 27001:2013 and COBIT 2019.
Examples: PSCS01: Preventive controls can be implemented using ISO/IEC 27001:2013: A.9.2.3. This shows its interoperability and compatibility, such that any organization that is already adhering to these standards can integrate CYBITJET into their existing cybersecurity programs across different aspects of their operations.

Factor: Continuous improvement
Evaluation criterion: Whether the proposed framework supports continuous improvement over time in IT project management
Indicators: CYBITJET promotes continuous improvement that helps organizations evolve cybersecurity capabilities in response to changing business requirements and threats.
Examples: As shown in the case study, in the monitoring and recovery activity of the cybersecurity risk management process, the product or result of the generic IT project life cycle is still monitored and logged after release and until it is decommissioned. Also, updating the plans based on the lessons learned allows organizations to detect and respond to emerging threats and vulnerabilities in a timely manner.
Al-Janabi, S.; Jabbar, H.; Syms, F. Cybersecurity Transformation: Cyber-Resilient IT Project Management Framework. Digital 2024, 4, 866-897. https://doi.org/10.3390/digital4040043