Search Results (15)

Search Parameters:
Keywords = ISO 27001

35 pages, 3265 KiB  
Article
Cyber Edge: Current State of Cybersecurity in Aotearoa-New Zealand, Opportunities, and Challenges
by Md. Rajib Hasan, Nurul I. Sarkar, Noor H. S. Alani and Raymond Lutui
Electronics 2025, 14(14), 2915; https://doi.org/10.3390/electronics14142915 - 21 Jul 2025
Viewed by 390
Abstract
This study investigates the cybersecurity landscape of Aotearoa-New Zealand through a culturally grounded lens, focusing on the integration of Indigenous Māori values into cybersecurity frameworks. In response to escalating cyber threats, the research adopts a mixed-methods and interdisciplinary approach—combining surveys, focus groups, and case studies—to explore how cultural principles such as whanaungatanga (collective responsibility) and manaakitanga (care and respect) influence digital safety practices. The findings demonstrate that culturally informed strategies enhance trust, resilience, and community engagement, particularly in rural and underserved Māori communities. Quantitative analysis revealed that 63% of urban participants correctly identified phishing attempts compared to 38% of rural participants, highlighting a significant urban–rural awareness gap. Additionally, over 72% of Māori respondents indicated that cybersecurity messaging was more effective when delivered through familiar cultural channels, such as marae networks or iwi-led training programmes. Focus groups reinforced this, with participants noting stronger retention and behavioural change when cyber risks were communicated using Māori metaphors, language, or values-based analogies. The study also confirms that culturally grounded interventions—such as incorporating Māori motifs (e.g., koru, poutama) into secure interface design and using iwi structures to disseminate best practices—can align with international standards like NIST CSF and ISO 27001. This compatibility enhances stakeholder buy-in and demonstrates universal applicability in multicultural contexts. Key challenges identified include a cybersecurity talent shortage in remote areas, difficulties integrating Indigenous perspectives into mainstream policy, and persistent barriers from the digital divide. The research advocates for cross-sector collaboration among government, private industry, and Indigenous communities to co-develop inclusive, resilient cybersecurity ecosystems. Based on the UTAUT and New Zealand’s cybersecurity vision “Secure Together—Tō Tātou Korowai Manaaki 2023–2028,” this study provides a model for small nations and multicultural societies to create robust, inclusive cybersecurity frameworks.
(This article belongs to the Special Issue Intelligent Solutions for Network and Cyber Security)

28 pages, 2981 KiB  
Article
From Security Frameworks to Sustainable Municipal Cybersecurity Capabilities
by Arnstein Vestad and Bian Yang
J. Cybersecur. Priv. 2025, 5(2), 19; https://doi.org/10.3390/jcp5020019 - 28 Apr 2025
Viewed by 973
Abstract
While security frameworks like the NIST CSF and ISO 27001 provide organizations with standardized best practices for cybersecurity, these practices must be implemented in organizations by people with the necessary skills and knowledge and be supported by effective technological solutions. This article explores the challenges and opportunities of building sustainable cybersecurity capabilities in resource-constrained organizations, specifically Norwegian municipalities. The research introduces the concept of sustainable cybersecurity capabilities, emphasizing the importance of a socio-technical approach that integrates technology, people, and organizational structure. A mixed-methods study was employed, combining document analysis of relevant cybersecurity frameworks with a modified Delphi study and semi-structured interviews with municipal cybersecurity practitioners. Findings highlight six core cybersecurity capabilities within municipalities, along with key challenges in implementing and sustaining these capabilities. These challenges include ambiguities in role formalization, skills gaps, difficulties in deploying advanced security technologies, and communication barriers between central IT and functional areas. Furthermore, the potential of artificial intelligence and cooperative strategies to enhance municipal cybersecurity is considered. Ultimately, the study highlights the need for a holistic perspective in developing sustainable cybersecurity capabilities, offering implications for both research and practice within municipalities and local government.

20 pages, 1186 KiB  
Article
A Practical Human-Centric Risk Management (HRM) Methodology
by Kitty Kioskli, Eleni Seralidou and Nineta Polemi
Electronics 2025, 14(3), 486; https://doi.org/10.3390/electronics14030486 - 25 Jan 2025
Cited by 2 | Viewed by 1367
Abstract
Various standards (e.g., ISO 27000x, ISO 31000:2018) and methodologies (e.g., NIST SP 800-53, NIST SP 800-37, NIST SP 800-161, ETSI TS 102 165-1, NISTIR 8286) are available for risk assessment. However, these standards often overlook the human element. Studies have shown that adversary profiles (AP), which detail the maturity of attackers, significantly affect vulnerability assessments and risk calculations. Similarly, the maturity of the users interacting with the Information and Communication Technologies (ICT) system in adopting security practices impacts risk calculations. In this paper, we identify and estimate the maturity of user profiles (UP) and propose an enhanced risk assessment methodology, HRM (based on ISO 27001), that incorporates the human element into the risk evaluation. Social measures, such as awareness programs, training, and behavioral interventions, alongside technical controls, are included in the Human-Centric Risk Management (HRM) risk treatment phase. These measures enhance user security hygiene and resilience, reducing risks and ensuring comprehensive security strategies in SMEs.

21 pages, 889 KiB  
Article
The Influence of Information Security Management System Implementation on the Financial Performance of Indian Companies: Examining the Moderating Effect of National Culture
by Kanika Duggal and Seunghwan Myeong
Sustainability 2024, 16(20), 9058; https://doi.org/10.3390/su16209058 - 19 Oct 2024
Viewed by 2032
Abstract
The extensive focus on information technology (IT) within organizations, along with the substantial significance of information security issues, has made information security a top priority for executives. The International Organization for Standardization 27001 (ISO-27001) policy outlines the requirements for an effective Information Security Management System (ISMS). Implementing an ISMS not only enhances the overall profitability of a firm, but it also has a significant impact in various scenarios. In this study, we examined how ISMS implementation can assist corporations financially, with a specific focus on the moderating effect of Indian national culture. We analyzed financial performance following ISMS and ISO-27001 implementation using sample data from 420 Indian small and medium-sized enterprises (SMEs). By analyzing 256 survey questionnaires from 420 SMEs, we found that national culture amplifies the strong interaction between ISMS implementation and SME performance in India. We found that ISMS implementation increased the profitability of recognized Indian firms, supporting study hypotheses. The findings provide valuable insights for SMEs seeking to enhance financial performance through ISMS implementation, emphasizing the moderating role of national culture in shaping these outcomes.
(This article belongs to the Special Issue Advances in Economic Development and Business Management)

8 pages, 212 KiB  
Proceeding Paper
Constructing Cyber Resilience: A Focus on Cybersecurity Measures in the South African Construction Sector
by Seyi Stephen, Clinton Aigbavboa, Ayodeji Oke, Opeoluwa Akinradewo and Ayobami Idowu
Eng. Proc. 2024, 76(1), 3; https://doi.org/10.3390/engproc2024076003 - 15 Oct 2024
Viewed by 923
Abstract
In addressing the challenges of cyber threats in the South African construction sector, the study employed a quantitative methodology involving a questionnaire retrieved from 86 of the study’s respondents. It employed tools like mean item score (MIS), standard deviation (SD), and the pattern matrix of exploratory factor analysis (EFA). The findings revealed critical cybersecurity measures, including adherence to international information security standards such as the General Data Protection Regulation (GDPR), ISO 27001, or the Cybersecurity Framework by NIST, two-factor authentication, and strategic planning. The implications of these findings underscore the importance of robust cybersecurity frameworks and heightened awareness. This research contributes insights for enhancing cyber resilience in the construction industry, urging stakeholders to prioritize protective measures against cyber risks.

6 pages, 364 KiB  
Proceeding Paper
ISO 27001 Information Security Survey of Medical Service Organizations
by Hung-Hsiou Hsu and Jyun-Rong Shih
Eng. Proc. 2023, 55(1), 19; https://doi.org/10.3390/engproc2023055019 - 29 Nov 2023
Viewed by 1210
Abstract
The differences between medical institutions in the security management of information systems were investigated by comparing the differences and the means used by personnel in different units in public and private hospitals. Personnel responsible for information security require the protocol of relevant units to solve information security issues. Based on ISO 27001 as a reference standard, a questionnaire survey was conducted to investigate the need for information security management in medical institutions. The information system security in each unit of medical institutions needs to pursue the goal of more perfection for a fully optimized information system. To help medical institution personnel understand the importance of information security and allow appropriate decision making, the results of this study can be used as a reference.

30 pages, 1004 KiB  
Article
Business Impact Analysis of AMM Data: A Case Study
by Josef Horalek
Appl. Syst. Innov. 2023, 6(5), 82; https://doi.org/10.3390/asi6050082 - 15 Sep 2023
Cited by 2 | Viewed by 3159
Abstract
The issue of Automated Meter Management (AMM), an integral part of modern energy smart grid systems, has become a hot topic in recent years. With the current energy crisis, and given the new approaches to smart energy and its regulation, implemented at the level of the European Union, the gradual introduction of AMM as a standard for the regulation and management of the distribution system is an absolute necessity. Modern smart grids incorporate elements of smart regulation that rely heavily on the availability and quality of the data generated or used during AMM as part of the smart grid. In this paper, based on an analytical view of AMM as a whole and guided interviews with the sponsors of each service and owners of each dataset, criteria are proposed and a Business Impact Analysis (BIA) is implemented, the results of which are used to determine security measures for the safe and reliable running of the AMM system. This paper offers a unique view of the AMM system as an integral part of modern smart grid networks from a data-driven perspective that enables the subsequent implementation and fulfillment of security requirements by ISO/IEC 27001 and national security standards, as the AMM system is also a critical information system under the EU directive regarding the cybersecurity of network and information systems, which are subject to newly defined security requirements in the field of cybersecurity.
(This article belongs to the Section Industrial and Manufacturing Engineering)

18 pages, 1979 KiB  
Article
A Novel Administration Model for Managing and Organising the Heterogeneous Information Security Policy Field
by Fahad Mazaed Alotaibi, Arafat Al-Dhaqm, Wael M. S. Yafooz and Yasser D. Al-Otaibi
Appl. Sci. 2023, 13(17), 9703; https://doi.org/10.3390/app13179703 - 28 Aug 2023
Cited by 6 | Viewed by 1900
Abstract
Information security policy (ISP) plays a crucial role in maintaining the availability, confidentiality, and integrity of sensitive data. However, it is of high complexity and heterogeneity due to the variety and redundancy of security policy practices and complexity of organisational systems. Various and duplicate ISP models and frameworks have been offered in the literature. The duplicate security policy practices, procedures, and processes in the existing models have made ISP disorganised, unstructured, and unclear to organisational users. As a result, there is still a need for a standardised and integrated model to make it simpler to share, manage, and reuse ISP practices amongst the organisations. The main objective of this study is to construct a metamodel to unify, organise, and structure ISP practices. By identifying, recognising, extracting, and combining the common information security policy practices from various ISP models in a built ISP metamodel called ISPM, we seek to make it simple for users and field specialists to derive/instantiate security policy models for their organisations. The development and validation process of the ISPM is based on the common security frameworks such as ISO 27001 frameworks. The developed ISPM consists of 19 common security practices: organisation, risk management, access control policy, edit, review, compliance, business management, backup and recovery, incident response, SETA program, security awareness, security training, security education, email security policy, cloud security policy, network security policy, website security policy, physical security policy, and privacy security policy. Each common security practice consists of several operations and attributes. The performance of the developed ISPM was compared to that of other models to evaluate its completeness and logicalness. Using ISO 27001 as a framework, the findings confirmed the comprehensiveness of ISPM. Therefore, it can contribute to organisations’ security by helping them to develop their own security policy models.
(This article belongs to the Special Issue AI and Security in Cyber Physical System Design)

43 pages, 1673 KiB  
Article
Security Baseline for Substation Automation Systems
by Josef Horalek and Vladimir Sobeslav
Sensors 2023, 23(16), 7125; https://doi.org/10.3390/s23167125 - 11 Aug 2023
Cited by 5 | Viewed by 3395
Abstract
The use of information technology and the automation of control systems in the energy sector enables a more efficient transmission and distribution of electricity. However, in addition to the many benefits that the deployment of intelligent and largely autonomous systems brings, it also carries risks associated with information and cyber security breaches. Technology systems form a specific and critical communication infrastructure, in which powerful control elements integrating IoT principles and IED devices are present. It also contains intelligent access control systems such as RTU, IDE, HMI, and SCADA systems that provide communication with the data and control center on the outer perimeter. Therefore, the key question is how to comprehensively protect these specialized systems and how to approach security implementation projects in this area. To establish rules, procedures, and techniques to ensure the cyber security of smart grid control systems in the energy sector, it is necessary to understand the security threats and bring appropriate measures to ensure the security of energy distribution. Given the use of a wide range of information and industrial technologies, it is difficult to protect energy distribution systems using standard constraints to protect common IT technologies and business processes. Therefore, as part of a comprehensive approach to cyber security, specifics such as legislative framework, technological constraints, international standards, specialized protocols or company processes, and many others need to be considered. In this article, a basic security concept for control systems of power stations, which are part of the power transmission and distribution system, is presented based on the Smart Grid domain model with emphasis on substation intelligence, according to the Purdue model. The main contribution of the paper is the comprehensive design of mitigation measures divided into mandatory and recommended implementation based on the standards defined within the MITRE ATT&CK matrix specified, concerning the specifications of intelligent distribution substations. The proposed and industry-tested solution is mapped to meet the international security standards ISO 27001 and national legislation reflecting the requirements of NIS2. This ensures that the security requirements will be met when implementing the proposed Security Baseline.
(This article belongs to the Special Issue Recent Sensing Technologies and Applications in Smart Grids)

34 pages, 2287 KiB  
Article
Application of Multicriteria Methods for Improvement of Information Security Metrics
by Aliya Abdiraman, Nikolaj Goranin, Simas Balevicius, Assel Nurusheva and Inga Tumasonienė
Sustainability 2023, 15(10), 8114; https://doi.org/10.3390/su15108114 - 16 May 2023
Cited by 4 | Viewed by 2072
Abstract
Metrics are a set of numbers that are used to obtain information about the operation of a process or system. In our case, metrics are used to assess the level of information security of information and communication infrastructure facilities. Metrics in the field of information security are used to quantify the possibility of damage due to unauthorized hacking of an information system, which make it possible to assess the cyber sustainability of the system. The purpose of the paper is to improve information security metrics using multicriteria decision–making methods (MCDM). This is achieved by proposing aggregated information security metrics and evaluating the effectiveness of their application. Classical information security metrics consist of one size or one variable. We obtained the total value by adding at least two different metrics and evaluating the weighting factors that determine their importance. This is what we call aggregated or multicriteria metrics of information security. Consequently, MCDM methods are applied to compile aggregated metrics of information security. These are derived from expert judgement and are proposed for the three management domains of the ISO/IEC 27001 information security standard. The proposed methods for improving cyber sustainability metrics are also relevant to information security metrics. Using AHP, WASPAS and Fuzzy TOPSIS methods to solve the problem, the weights of classical metrics are calculated and three aggregated metrics are proposed. As a result, to confirm the fulfilment of the task of improving information security metrics, a verification experiment is conducted, during which aggregated and classical information security metrics are compared. The experiment shows that the use of aggregated metrics can be a more convenient and faster process and higher intelligibility is also achieved.
(This article belongs to the Special Issue Application of Cyber Security in Sustainable System)

19 pages, 2803 KiB  
Review
A Systematic Review of Risk Management Methodologies for Complex Organizations in Industry 4.0 and 5.0
by Juan Vicente Barraza de la Paz, Luis Alberto Rodríguez-Picón, Víctor Morales-Rocha and Soledad Vianey Torres-Argüelles
Systems 2023, 11(5), 218; https://doi.org/10.3390/systems11050218 - 25 Apr 2023
Cited by 23 | Viewed by 23988
Abstract
The large amount of information handled by organizations has increased their dependence on information technologies, which has made information security management a complex task. This is mainly because they cover areas such as physical and environmental security, organization structure, human resources and the technologies used. Information security frameworks can minimize the complexity through the different documents that contain guidelines, standards, and requirements to establish the procedures, policies, and processes for every organization. However, the selection of an appropriate framework is by itself a critical and important task, as the framework must adapt to the characteristics of an organization. In this paper, a general vision of the newest versions of the NIST CSF, ISO/IEC 27001:2022, and MAGERIT frameworks is provided by comparing their characteristics in terms of their approaches to the identification, assessment, and treatment of risks. Furthermore, their key characteristics are analyzed and discussed, which should facilitate the consideration of any of these frameworks for the risk management of complex manufacturing organizations.
(This article belongs to the Special Issue Systems, Infrastructure, and Industry 5.0)

17 pages, 642 KiB  
Article
The ISO/IEC 27001 Information Security Management Standard: How to Extract Value from Data in the IT Sector
by Fotis Kitsios, Elpiniki Chatzidimitriou and Maria Kamariotou
Sustainability 2023, 15(7), 5828; https://doi.org/10.3390/su15075828 - 27 Mar 2023
Cited by 35 | Viewed by 24270
Abstract
In order to handle their regulatory and legal responsibilities and to retain trustworthy strategic partnerships, enterprises need to be dedicated to guaranteeing the privacy, accessibility, and authenticity of the data at their disposal. Companies can become more resilient in the face of information security threats and cyberattacks by effectively integrating security strategies. The goal of this article is to describe a plan that a corporation has implemented in the information technology industry in order to ensure compliance with International Organization for Standardization (ISO) 27001. This research demonstrates an examination of the reasons that force enterprises to make an investment in ISO 27001 in addition to the incentives that might be acquired from having undergone this process. In addition, the research examines the reasons that push firms to make an investment in ISO 27001. More particularly, the research investigates an international IT consulting services institution that is responsible for the implementation of large-scale business assistance insertion and projects. It demonstrates the risk management framework and the administrative structure of the appropriate situations so that its procedures are adequate and also in line with the guidelines founded by ISO 27001. In conclusion, it discusses the problems and difficulties that were experienced.
(This article belongs to the Special Issue Quality Management and Sustainability)

34 pages, 5160 KiB  
Review
Risk Assessment of Heterogeneous IoMT Devices: A Review
by Pritika, Bharanidharan Shanmugam and Sami Azam
Technologies 2023, 11(1), 31; https://doi.org/10.3390/technologies11010031 - 14 Feb 2023
Cited by 38 | Viewed by 6931
Abstract
The adaptation of the Internet of Medical Things (IoMT) has provided efficient and timely services and has transformed the healthcare industry to a great extent. Monitoring patients remotely and managing hospital records and data have become effortless with the advent of IoMT. However, security and privacy have become a significant concern with the growing number of threats in the cyber world, primarily for personal and sensitive user data. In terms of IoMT devices, risks appearing from them cannot easily fit into an existing risk assessment framework, and while research has been done on this topic, little attention has been paid to the methodologies used for the risk assessment of heterogeneous IoMT devices. This paper elucidates IoT, its applications with reference to in-demand sectors, and risks in terms of their types. By the same token, IoMT and its application area and architecture are explained. We have also discussed the common attacks on IoMT. Existing papers on IoT, IoMT, risk assessment, and frameworks are reviewed. Finally, the paper analyzes the available risk assessment frameworks such as NIST, ISO 27001, TARA, and the IEEE213-2019 (P2413) standard and highlights the need for new approaches to address the heterogeneity of the risks. In our study, we have decided to follow the functions of the NIST and ISO 27001 frameworks. The complete framework is anticipated to deliver a risk-free approach for the risk assessment of heterogeneous IoMT devices benefiting its users.
(This article belongs to the Special Issue 10th Anniversary of Technologies—Recent Advances and Perspectives)

19 pages, 591 KiB  
Article
Developing a Risk Analysis Strategy Framework for Impact Assessment in Information Security Management Systems: A Case Study in IT Consulting Industry
by Fotis Kitsios, Elpiniki Chatzidimitriou and Maria Kamariotou
Sustainability 2022, 14(3), 1269; https://doi.org/10.3390/su14031269 - 24 Jan 2022
Cited by 25 | Viewed by 11272
Abstract
Organizations must be committed to ensuring the confidentiality, availability, and integrity of the information in their possession to manage legal and regulatory obligations and to maintain trusted business relationships. Information security management systems (ISMSs) support companies to better deal with information security risks and cyber-attacks. Although there are many different approaches to successfully implementing an ISMS in a company, the most important and time-consuming part of establishing an ISMS is a risk assessment. The purpose of this paper was to develop a risk assessment framework that a company followed in the information technology sector to conduct the risk assessment process to comply with International Organization for Standardization (ISO) 27001. The findings analyze the conditions that force organizations to invest in protecting information and the benefits they can derive from this process. In particular, the paper delves into a multinational IT consulting services company that undertakes and implements large business support installation and customization projects. It explains the risk assessment process and the management of the necessary configurations so that its functions are acceptable and in line with information security standards. Finally, it presents the difficulties and challenges encountered.

35 pages, 809 KiB  
Article
Standard Compliant Hazard and Threat Analysis for the Automotive Domain
by Kristian Beckers, Jürgen Dürrwang and Dominik Holling
Information 2016, 7(3), 36; https://doi.org/10.3390/info7030036 - 23 Jun 2016
Cited by 7 | Viewed by 10074
Abstract
The automotive industry has successfully collaborated to release the ISO 26262 standard for developing safe software for cars. The standard describes in detail how to conduct hazard analysis and risk assessments to determine the necessary safety measures for each feature. However, the standard does not concern threat analysis for malicious attackers or how to select appropriate security countermeasures. We propose the application of ISO 27001 for this purpose and show how it can be applied together with ISO 26262. We show how ISO 26262 documentation can be re-used and enhanced to satisfy the analysis and documentation demands of the ISO 27001 standard. We illustrate our approach based on an electronic steering column lock system.
(This article belongs to the Special Issue Evaluating the Security of Complex Systems)