In today's digital landscape, achieving cyber maturity is crucial for businesses to protect their assets and maintain a competitive edge. Cyber maturity refers to the level of cybersecurity governance and management within an organization. It represents the organization's ability to effectively identify, assess, and mitigate cyber risks. By implementing robust cybersecurity governance practices, businesses can enhance their security posture and minimize the likelihood of cyber threats.
Cybersecurity governance encompasses the policies, processes, and controls that guide an organization's approach to managing information security. It involves establishing clear roles and responsibilities, defining risk management strategies, and ensuring compliance with relevant regulations. A strong cybersecurity governance framework provides a structured approach to safeguarding sensitive data, maintaining customer trust, and preventing financial losses.
The Significance of Effective Cybersecurity Governance
Effective cybersecurity governance is of utmost importance in today's digital landscape. It plays a vital role in establishing a robust security posture for businesses, enabling them to mitigate risks and protect their valuable assets.
Establishing a Robust Security Posture
A strong cybersecurity governance framework provides organizations with the necessary tools and strategies to establish a robust security posture. By implementing effective security measures, businesses can safeguard their networks, systems, and data from potential threats. This includes implementing firewalls, intrusion detection systems, encryption protocols, and access controls. A robust security posture not only protects against external cyberattacks but also helps prevent internal vulnerabilities and insider threats.
Maintaining Compliance and Regulatory Requirements
Compliance with industry regulations and legal requirements is essential for businesses operating in today's digital landscape. Effective cybersecurity governance ensures that organizations meet these compliance and regulatory requirements. By adhering to standards such as the General Data Protection Regulation (GDPR) or the Payment Card Industry Data Security Standard (PCI DSS), businesses can avoid penalties, legal consequences, reputational damage, and loss of customer trust. A strong cybersecurity governance framework includes regular audits, risk assessments, and incident response plans to ensure ongoing compliance.
Key Components for a Strong Cybersecurity Governance Framework
A strong cybersecurity governance framework consists of key components that are essential for effective management of cybersecurity risks.
Risk Management
Risk management is a crucial component of a strong cybersecurity governance framework. It involves identifying and assessing potential risks to an organization's information assets, systems, and networks. By conducting thorough risk assessments, businesses can understand their vulnerabilities and prioritize mitigation efforts. This includes implementing controls and safeguards to reduce the likelihood and impact of cyber threats. Regular monitoring and updating of risk management strategies ensure ongoing protection against emerging threats.
Policy and Procedure Development
Developing comprehensive policies and procedures is essential for effective cybersecurity governance. Clear guidelines provide employees with a roadmap for implementing security measures consistently throughout the organization. Policies should cover areas such as data classification, access control, incident response, employee training, and third-party vendor management. Procedures outline step-by-step instructions on how to carry out specific security tasks or respond to incidents. Regular review and updates to policies and procedures ensure alignment with evolving cyber threats and regulatory requirements.
Implementing Best Practices for Cybersecurity Governance
Implementing best practices for cybersecurity governance is crucial to ensure the effectiveness of security measures within an organization.
Employee Training and Awareness
Providing regular training and raising awareness among employees is a best practice for cybersecurity governance. Educated employees are more likely to follow security protocols and identify potential threats. Training programs should cover topics such as password hygiene, phishing awareness, social engineering, and safe browsing habits. By fostering a culture of cybersecurity awareness, businesses can empower their employees to become the first line of defense against cyberattacks. Regularly updating training materials and conducting simulated phishing exercises can further enhance employee preparedness.
Continuous Monitoring and Evaluation
Continuous monitoring and evaluation of security measures are essential for effective cybersecurity governance. Regular assessments help identify vulnerabilities and take necessary actions to address them promptly. This includes implementing intrusion detection systems, log monitoring tools, and network traffic analysis solutions. By continuously monitoring systems and networks, organizations can detect any suspicious activities or anomalies that may indicate a potential breach. Ongoing evaluation allows for the identification of gaps in security controls or emerging threats that require immediate attention.
Achieving Cyber Maturity through Governance
Effective cybersecurity governance is the key to achieving cyber maturity. By implementing a strong cybersecurity governance framework and following best practices, businesses can protect their assets and mitigate risks. A comprehensive approach to cybersecurity governance ensures that organizations have the necessary policies, procedures, and controls in place to safeguard against cyber threats. It involves continuous monitoring, risk management, employee training, and compliance with regulatory requirements. By prioritizing cybersecurity governance, businesses can enhance their security posture, maintain customer trust, and stay ahead of evolving cyber threats.
In 2009, ISACA released its first information risk framework, Risk IT. Risk IT builds on COBIT 4, the IT governance framework that, according to ISACA, provides the missing link between traditional business risk management and information risk management and control.
One of the main ideas behind ISACA's approach is that companies obtain a return on investment (ROI) by taking risks, yet they sometimes try to eliminate risks that actually contribute to generating profit. Risk IT was designed to help companies maximize their return on opportunities by managing risks effectively rather than trying to eliminate them entirely.
In April 2012, ISACA released COBIT 5, the new version of its framework, and presented it as a major evolution of the IS governance and management framework. One of the main novelties of COBIT 5 is that it addresses the Information System (IS) not only through the processes already put forward by COBIT 4.1 but also through complementary themes, as part of a holistic (systemic) approach. As part of this upgrade, the COBIT 5 processes were adapted to converge better with other frameworks such as ISO 27002, CMMI and ITIL.
With COBIT 5, Risk IT was integrated into COBIT 5 for Risk (COBIT 5GR in this text). In the spirit of COBIT, this version defines IT risk as a component of business risk, specifically the business risk related to the use, ownership, operation and adoption of IT within an enterprise. COBIT 5GR aims to:
enable stakeholders to gain a better understanding of the current state and effects of risk across the enterprise
advise on how to manage risk at all levels, including a broad set of risk mitigation measures
advise on how to put an appropriate risk culture in place
provide risk assessment guidance that allows stakeholders to weigh the cost of mitigation measures and the resources they need against the risk of loss
identify opportunities to integrate IT risk management with enterprise risk management
improve communication and understanding between all internal and external stakeholders
In this text, I propose a technique for applying COBIT 5GR to perform a risk analysis in an organization. The technique is based on generic key risk indicators (KRIs) that will need to be adapted for use in a specific context. The text is presented here for training purposes and to stimulate discussion with ISACA members and information risk managers. The full text will appear in the next edition of my book on Information Risk Management. If you have comments: marcandre@leger.ca
Application of the method
As mentioned in my risk management courses and in my publications, from a theoretical point of view, risk management is accomplished through an IPM process. Identification (I) and prioritization (P) are risk analysis processes. The third phase, mobilization (M), is the implementation of the decisions taken in the identification (I) and prioritization (P) phases. An audit phase is added to these three to complete the process. The first actions to take are those of the identification phase (I); these tasks are performed during the risk analysis.
In this text we present the stages of applying ISACA's COBIT 5GR information risk analysis methodology. The elements presented here should be read as the list of activities that the organization in general, and the risk analyst in particular, must perform to use the COBIT 5 for Risk methodology. This activity list can be used to create a project plan or a checklist for carrying out the risk analysis.
As with any risk analysis process, the main organizational benefit of using it, even in a context other than the one for which it was produced, is the improvement in organizational maturity that results from introspection and thinking about risk.
The activity EDM03 Ensure risk optimisation of COBIT 5GR (EDM03, Area: Governance, Domain: Evaluate, Direct and Monitor) must be carried out before starting the risk analysis. In particular, the organization must put in place the risk governance framework that will be used during the risk analysis. In the context of COBIT 5GR, this means completing tasks EDM03.1 and EDM03.2. This exercise can be carried out by calling on an information risk governance committee.
EDM03.1 Evaluate risk management: The organization must continually review and make judgments about the effect of risk on the current and future use of IT in the organization. Ask whether the organization's risk appetite is appropriate and whether the organization's risks related to the use of IT are identified and managed.
EDM03.2 Direct risk management: The organization shall direct the implementation of risk management best practices that provide reasonable assurance that its information risk management practices are appropriate, so that the actual information risk does not exceed the organization's risk tolerance as determined by the board of directors.
Before the risk analysis begins, it is also necessary to identify the analyst who will be responsible for conducting the study. The analyst will be responsible for completing the study, creating the documents, communicating with the participants and managing the project. The risk analysis is therefore managed as a project, using project management techniques that are not addressed in this course. The analyst must have the skills and training needed to carry out the risk analysis (APO12.02.4.5).
If you have not done so already, it is necessary to complete the following steps before you can do the risk analysis:
Inventory of information assets: Before starting, it is necessary to carry out an inventory of the organization's information assets. This corresponds to activity APO12.03.1. That is, the organization must inventory its business processes, including supporting processes for human resources, applications, infrastructure, facilities, critical registers, suppliers and subcontractors. It must understand and document the interdependencies between IT service management processes, information systems and the technology infrastructure (APO12.03.1.1).
Categorization of information assets: Information assets must be categorized, which is not defined in this course. Categorization should be done using an appropriate measurement scale based on the organization's security objectives. At a minimum, it is recommended that each information asset be rated on its availability, integrity and confidentiality (AIC) attributes using an ordinal scale (for example, low, medium, high).
Setting up a project committee: In order to monitor the risk analysis, it is recommended to set up a project monitoring committee. In addition, once the risk analysis has been completed, the organization will have to set up a project committee in order to implement the risk mitigation measures and related actions successfully. The project committee members can be the same as those of the project governance committee, with the addition of an experienced project manager and IT staff trained on the mitigation measures selected.
Project plan creation and approval: To successfully complete an Information Risk Management (IRM) master plan, the organization should manage this exercise as a project. In this way, it is possible to use project management expertise and techniques to maximize the chances of success.
Determination of management frameworks: This step consists of identifying the information risk management frameworks, standardized or otherwise, that the organization wishes to use for the management of its information assets. The use of standardized management frameworks, such as COBIT or ISO 27002, is recommended.
Current status: This step consists of recording, for each risk mitigation measure associated with the management frameworks that the organization wishes to put in place or that are already in place, its status (in place or planned), its cost (money and human resources or effort, measured in full-time equivalents), the management controls that ensure the effectiveness of the risk mitigation measure and allow it to be audited, and the presumed effectiveness of the measure. It is also possible to attach notes on the risk mitigation measure or its implementation, as well as attachments such as network diagrams, PDF documents or other documents useful to users, managers or possibly auditors.
Subsequently, the analyst can begin by describing the organization and setting its information security objectives. The analyst will then proceed with the steps of APO12 Risk-Specific Process Practices, Inputs/Outputs, Activities and Detailed Activities, starting with APO12.01.
Identification phase
APO12.01 Collect data
In the identification phase, according to the IPM risk management model, the organization must identify and collect the data needed to perform risk analysis and effective reporting of information risks. More specifically, it is necessary to carry out the steps APO12.01.1, APO12.01.2, APO12.01.3 and APO12.01.4:
APO12.01.1. Establish and maintain a method for the collection, classification and analysis of data related to computer risks, which can accommodate several types of hazards, several categories of computer risks and multiple risk factors.
APO12.01.1.1 Establish and maintain a model for the collection, classification and analysis of information risk data. The aim is to identify the hazards and vulnerabilities that must be considered in the scope of the risk analysis, to define a formal approach that will allow them to be grouped into categories and to determine how they will be analyzed.
APO12.01.1.2 Predict the presence of several types of hazards and multiple categories of information risk. The analyst must put in place an approach that will ensure that there is a good coverage of the different types of risks that may influence the information risk within the scope of the analysis. The analyst must plan an approach to ensure that the risk scenarios that will be created are within the scope of the risk analysis that was determined by the Governance Committee.
APO12.01.1.3 Include filters and views to help determine how specific risk factors may affect risk. In order to limit the bias introduced by the analyst and the participants in the risk analysis, the organization must put in place a systematic approach. Only through a systematic approach can it hope to give its analysis a scientific character. Where possible, the organization should seek sources of evidence, science and reliability as inputs to the process. One such source may be incident logs and other records already in place; logs from servers or detection equipment can also be sources of evidence.
APO12.01.1.4 Establish criteria to ensure that the model can support the measurement and assessment of risk attributes across information risk domains and provide useful data to promote a risk-aware organizational culture.
Several strategies can be implemented to accomplish these activities. Depending on whether the problem is approached from the hazard side or the vulnerability side, it is possible to set up a watch strategy that seeks to identify sources of hazards from the literature, industry journals, business incident registers, standards, management frameworks, focus groups or other sources. In a vulnerability approach, it is the results of the vulnerability analysis, producing evidence based on a real situation, that will generate the scenarios. The important thing is to choose a systematic approach that is well documented and can be justified later, during an evaluation of the risk analysis and its results.
APO12.01.2. Identify relevant data on the organization’s internal and external operating environment that could play an important role in informational risk management.
APO12.01.2.1 Record data on the organization’s operating environment that could play an important role in information risk management.
APO12.01.2.2 Consult sources within the organization: the legal department, audit, compliance and the CIO's office.
APO12.01.2.3 Identify major revenue sources, external computer systems, product-related legal liability, the regulatory landscape, industry competition, trends in the IT industry, how the organization compares with competitors on key metrics, the relative maturity of core business and IT capabilities, and geopolitical issues.
APO12.01.2.4 Identify and organize historical information risk data and the loss experience of industry peers, using industry incident registers, databases and industry sources on the disclosure of common hazards.
This work will be the result of an analysis work based on the chosen data collection methods. This work can and should be done in collaboration with the financial services, IT teams and managers of the organization. Here again, the important thing is to choose a systematic approach that will be well documented and can be justified later in an evaluation of the risk analysis and results.
APO12.01.3. Identify and analyze data on historical information risks and the organization's experience with data loss, available trends, and the experience of peers, using hazard registers, industry incident records, databases and other industry sources on the disclosure of known hazards.
APO12.01.3.1 Using the data collection model, record data on hazards that have caused damage or may affect the profit/value ratio of the organization's information assets, activities, projects, operations and IT service delivery.
APO12.01.3.2 Enter relevant information on issues related to information asset management. In particular, keep information about incidents, problems and investigations involving information assets.
This involves doing a literature review, researching available documents from sources like Gartner Group or industry journals. Other sources of data may be internal records of incidents or risks. Finally, IT teams can be consulted for historical data.
APO12.01.4. Record data on the hazards that caused or may cause impacts to the benefit / value ratio of information assets, the delivery of IT programs and projects, the IT operations and the service delivery of the organization. Enter relevant data on related issues, incidents, problems and investigations.
APO12.01.4.1 Organize collected data and highlight contributing factors.
APO12.01.4.2 Determine what specific conditions existed or did not exist when the hazards occurred and how the conditions might have affected the frequency of the hazards and the extent of the loss.
APO12.01.4.3 Determine the common factors that contribute across multiple hazards. Conduct periodic vulnerability analysis to identify new or emerging risks and to gain an understanding of the associated internal and external vulnerabilities.
This work (APO12.01.3 and APO12.01.4) is, again, carried out essentially by the risk analyst, using the data from steps APO12.01.1 and APO12.01.2. As always, the work follows a systematic approach that is well documented and can be justified later, during an evaluation of the risk analysis and its results.
Risk analysis
The previous steps covered the preparation and identification of the risk analysis framework. Once they are completed, the risk analysis with COBIT 5GR actually begins, in activities APO12.02 to APO12.04.
APO12.02 Risk Analysis
The organization needs to develop, in depth, the information needed to support risk decisions that take into account the relevance of vulnerabilities to the organization.
APO12.02.1. Define the appropriate depth (scope) of the risk analysis efforts, taking into account all vulnerabilities and the criticality of information assets in achieving business objectives. Define the scope of the risk analysis after performing a cost/benefit analysis.
APO12.02.1.1 Define the scope of the risk analysis. The organization must decide on the expected depth of the risk analysis efforts. It is necessary to consider a wide range of options that will allow the organization to have in hand all the elements that will enable it to make decisions on risk, given its level of maturity in information risk management.
APO12.02.1.2 Identify relevant vulnerabilities, the criticality of the information assets for the organization and the triggers of the hazards in the field.
APO12.02.1.3 Set objectives to optimize risk analysis efforts by fostering an expanded view based on the organization’s business processes and outputs (products and services offered) and internal structures that are not directly related to the results.
APO12.02.1.4 Define the scope of the risk analysis after reviewing criticality for the organization, the cost of the measures against the expected value of the information assets, the reduction of uncertainty, and the organization's overall regulatory requirements.
APO12.03.2. Define and obtain an organizational consensus on IT services and IT infrastructure resources that are critical to support the smooth running of the organization’s business processes. Analyze dependencies and identify weak links.
APO12.03.2.1 Determine which IT services and IT infrastructure resources are required to maintain the functioning of the critical services and critical processes of the organization.
APO12.03.2.2 Analyze IT dependencies and weak links in all business processes and process flows.
APO12.03.2.3 Obtain consensus of business units and IT managers on the organization’s most valuable information and related technology assets.
Creating risk scenarios
APO12.02.2. Create and regularly update risk scenarios, including scenarios of hazard sequences or threat coincidences, expectations for specific controls, detection capabilities, and other incident management measures. Start with the generic risk scenarios of COBIT 5.
APO12.02.2.1 Estimate the likely frequency and probable magnitude of loss or gain associated with each of the information risk scenarios. Consider the influence of scenario vulnerabilities.
APO12.02.2.2 Estimate the maximum amount of damages that may be suffered or gains from opportunities.
APO12.02.2.3 Consider scenarios composed of hazard sequences and threat coincidences.
APO12.02.2.4 Based on the most important scenarios, identify organizational expectations for specific controls, the ability to detect hazards, and other incident management measures.
APO12.02.2.5 Evaluate known operational controls and their effect on frequency (probability), likely magnitude of damage and applicable vulnerabilities.
APO12.02.2.6 Estimate exposure levels and residual risk. Compare the residual risk with the organization's risk tolerance and its level of acceptable risk. This exercise will help the organization identify risks that may require special treatment.
APO12.02.3. Estimate the frequency, probability and magnitude of losses or gains associated with information risk scenarios. Take into account all applicable vulnerabilities, evaluate known operational controls and estimate residual risk levels for each scenario.
APO12.02.3.1 Identify risk response options. Examine the range of risk response options (risk mitigation measures), for example: avoid, mitigate (reduce), transfer (outsourcing, insurance), accept the risk.
APO12.02.3.2 Document the rationale and potential tradeoffs across the range of risk response options.
APO12.02.3.3 Specify high level requirements and parameters for projects or programs that, based on risk appetite, mitigate risks to acceptable levels. Identify costs, benefits and shared responsibility for project execution.
APO12.02.3.4 Develop in greater detail the organizational requirements and expectations for appropriate controls. Determine where and how they are supposed to be implemented to be effective.
The organization should create a sufficient number of scenarios to carry out its risk analysis. There is no ideal number. The number of scenarios used will depend on several factors, such as the scope of the risk analysis, the budget and time allocated to it, the organization's level of maturity in information risk management, and many others. As a first step, it is suggested that a brainstorming meeting be held with the participants in the risk analysis to identify candidate scenarios. Scenarios from a scenario bank or those included in COBIT 5 can also be used.
It should be noted that what is presented here is a reference model that can be used as a basis for risk analysis. In a real situation, this model will have to be adjusted or improved to take into account the actual situation of the organization.
Each scenario is first identified in summary form. The risk scenario Zn(A, ψ, δ), where n is a unique sequential integer, includes a brief description of the hazard (A) and of the random events or sequences, actions, decisions and related factors that made it possible to exploit a vulnerability (ψ) whose outcome is damage (δ). For example, scenario number 301, which deals with the hazard (A) Virus, the vulnerability (ψ) CVE1999-233 and whose damage (δ) is a loss of confidentiality, would be identified as Z301(Virus, CVE1999-233, Confidentiality). These summary descriptions are then enriched.
Once the scenarios have been identified and briefly described during the group meeting with the participants, the analyst will have to analyze and document each scenario. To this end, it is proposed to use a standard form for documenting information risk scenarios. The purpose of this analysis and documentation work is to bring a greater level of detail. The minimum information required for each scenario is:
Scenario name: A name that describes the scenario. For example, a risk scenario for identity theft of an organization’s customer might be called identity theft.
Organization Name: The name of the organization for which the scenario is created.
Scenario creation date: The creation date of the scenario.
Owners involved: the individuals involved in the scenario, who should include the owners of the information assets involved and those involved in the related business processes.
Description of the risk or hazard scenario: a detailed description of the hazard (A) and of the hazards or sequences of hazards, actions, decisions and related factors that made it possible to exploit a vulnerability (ψ) whose result is damage (δ). This develops in more detail what was worked out with the participants in the previous step.
Vulnerability: a description of the vulnerability or weakness that makes this scenario possible.
Historical Data: Documentation of historical data available on situations similar to what is described in the scenario and sources of such data, such as an incident log or customer support reports.
Target of this scenario: availability, integrity, confidentiality, continuity, other.
Impacts of the realization of the scenario: descriptions of the impacts and damages that would result from the realization of the hazard described in the scenario.
Mitigation measures in place or envisaged: description of the risk mitigation measures envisaged.
Management controls in place or proposed: description of the management controls in place or proposed.
Scenario change history: Track changes to the scenario document.
It is likely that, once the scenarios are detailed, similarities between some of them will allow the number of scenarios to be reduced by combining similar ones. In general, it is common to reduce the number of scenarios by 20% by combining similar scenarios. The analyst will then have to meet the participants individually to validate the detailed scenarios and make adjustments according to their comments. Scenario creation ends with the identification of the data that will allow the organization to measure the level of risk and, more specifically, to create risk indicators based on, among other things, available evidence (incident logs and other sources of evidence) or estimates from participants in the risk analysis. In particular, it will be necessary to identify:
the probability of realization of the hazard: Pb(A), a value between 0.01 and 0.99
the presence of the vulnerability: Pb(ψ), usually 0 (no vulnerability) or 1 (vulnerability present)
the probability of exploitation of the vulnerability by the hazard: Pb(ψ, A), a value between 0.01 and 0.99
the estimated damage and the maximum damage in this scenario: δ(ψ, A), a value between 0.01 and 0.99 (qualitative) or a real number (scientific approach and evidence)
the resilience level of the organization in this scenario: θ(ψ, A), a value between 0.01 and 0.99
the expected utility (the contribution to the organization's profits) of the business processes or information assets involved in the risk scenario: μ(ψ, A), a value between 0.01 and 0.99 (qualitative) or a real number (scientific approach and evidence)
See also the section on KRIs for examples of indicators.
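As an added example (not part of the original text, nor of ISACA's COBIT 5 for Risk material), the following Python models a scenario record in the Zn(A, ψ, δ) notation above together with the six indicators listed for it. The parser of the summary form, the range checks and the grouping of scenarios sharing a triple follow the text; the residual-exposure formula used to compare a scenario against the risk tolerance (APO12.02.2.6) is an assumption of this example, since the text does not state how the indicators are combined.

```python
"""Risk scenario records in the Zn(A, psi, delta) notation, with the indicators
Pb(A), Pb(psi), Pb(psi, A), delta(psi, A), theta(psi, A) and mu(psi, A).
Added example; the exposure formula is assumed, not taken from COBIT 5GR."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Summary notation from the text, e.g. "Z301 (Virus, CVE1999-233, Confidentiality)".
# The Latin Z and the Greek capital zeta are both accepted as the prefix.
SUMMARY_RE = re.compile(
    r"^\s*[ZΖ]\s*(\d+)\s*\(\s*([^,()]+?)\s*,\s*([^,()]+?)\s*,\s*([^,()]+?)\s*\)\s*$"
)


@dataclass
class RiskScenario:
    number: int         # n, a unique sequential integer
    hazard: str         # A
    vulnerability: str  # psi
    damage: str         # delta
    pb_a: float         # Pb(A): probability the hazard occurs, 0.01..0.99
    pb_v: float         # Pb(psi): vulnerability present, 0 or 1
    pb_va: float        # Pb(psi, A): probability the hazard exploits psi, 0.01..0.99
    delta: float        # delta(psi, A): damage, 0.01..0.99 qualitative or a real amount
    theta: float        # theta(psi, A): resilience level, 0.01..0.99
    mu: float           # mu(psi, A): expected utility of the assets involved

    def summary_id(self) -> str:
        """Render the summary form Zn(A, psi, delta)."""
        return f"Z{self.number}({self.hazard}, {self.vulnerability}, {self.damage})"


def parse_summary(text: str) -> tuple:
    """Split a summary identifier into (n, A, psi, delta)."""
    m = SUMMARY_RE.match(text)
    if not m:
        raise ValueError(f"not in Zn(A, psi, delta) form: {text!r}")
    n, a, v, d = m.groups()
    return int(n), a, v, d


def _in_unit_range(x: float) -> bool:
    return 0.01 <= x <= 0.99


def validate_indicators(s: RiskScenario, quantitative: bool = False) -> list:
    """Return the names of indicators outside the ranges given in the text.
    With quantitative=True, delta and mu may be any real amount (evidence-based)."""
    problems = []
    if not _in_unit_range(s.pb_a):
        problems.append("Pb(A)")
    if s.pb_v not in (0, 1):
        problems.append("Pb(psi)")
    if not _in_unit_range(s.pb_va):
        problems.append("Pb(psi,A)")
    if not _in_unit_range(s.theta):
        problems.append("theta(psi,A)")
    if not quantitative:
        if not _in_unit_range(s.delta):
            problems.append("delta(psi,A)")
        if not _in_unit_range(s.mu):
            problems.append("mu(psi,A)")
    return problems


def residual_exposure(s: RiskScenario) -> float:
    """ASSUMED combination (not from the text): likelihood chain times damage,
    reduced by resilience. mu is recorded on the form but not used here."""
    return s.pb_a * s.pb_v * s.pb_va * s.delta * (1.0 - s.theta)


def needs_treatment(s: RiskScenario, tolerance: float) -> bool:
    """APO12.02.2.6: residual risk above the tolerance requires special treatment."""
    return residual_exposure(s) > tolerance


def combine_similar(scenarios) -> dict:
    """Group scenario numbers sharing the same (A, psi, delta) triple, as candidates
    for the merging of similar scenarios described in the text."""
    groups = defaultdict(list)
    for s in scenarios:
        key = tuple(x.strip().lower() for x in (s.hazard, s.vulnerability, s.damage))
        groups[key].append(s.number)
    return dict(groups)


if __name__ == "__main__":
    # Constructed sample values; the indicator figures are illustrative only.
    n, a, v, d = parse_summary("Z301 (Virus, CVE1999-233, Confidentiality)")
    z301 = RiskScenario(n, a, v, d, pb_a=0.5, pb_v=1, pb_va=0.4, delta=0.6, theta=0.5, mu=0.7)
    print(z301.summary_id(), validate_indicators(z301), residual_exposure(z301))
    print("treat:", needs_treatment(z301, tolerance=0.05))
```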
Prioritization phase
APO12.02.4. Compare the residual risk to the organization’s risk tolerance and identify exposures that may require a risk response.
APO12.02.4.1 Conduct a Peer Review of Information Risk Analysis.
APO12.02.4.2 Confirm that the analysis is adequately documented according to the needs of the organization.
APO12.02.4.3 Review the basis of estimates of probabilities, impacts, damages and opportunities (gains).
APO12.02.4.4 Verify that the risk analysis participants who took part in estimating probabilities and quantifying metrics were not influenced by bias (if necessary, ensure that mechanisms to control bias were in place). Check that the process was not manipulated to obtain a predetermined result. Verify that, where possible, a search for evidence was conducted.
APO12.02.4.5 Verify that the level of experience and qualifications of the risk analyst were appropriate for the magnitude and complexity of the risk analysis.
APO12.02.4.6 Provide an opinion on the risk analysis process, the expected reduction of unacceptable risks and whether the cost of the risk analysis process is reasonable in relation to the cost of the risk mitigation measures and the risk reduction of the foreseeable risk.
The risk scenarios created during activity APO12.02.3 must now be quantified. This can be done in different ways, as discussed in the course (interviews, focus group, group meetings, etc.). The results must then be validated by all participants in the risk analysis. It is essential to conduct a peer review exercise (by the participants) of the results of the risk analysis before sending them to management for approval (risk governance committee) and before using them in the decision-making process. This review process reduces the bias introduced in the risk analysis and increases the reliability and the scientificity of the results.
APO12.04.1. Transmit the results of the risk analysis to all parties involved to support the organization’s decisions. Include estimates of probabilities and damage or gain with confidence levels.
APO12.04.1.1 Coordinate additional risk analysis activities as required by managers (e.g., reports of non-compliance or changes in the scope of the risk analysis).
APO12.04.1.2 Clearly communicate context and results to assess cost / benefit ratios.
APO12.04.1.3 Identify the negative impacts of the hazards and scenarios that should guide risk mitigation decisions, and the positive effects of hazards and scenarios that represent the management of opportunities that may have an impact on the organizational strategy and objectives.
APO12.04.2. Provide decision makers with the data to understand worst-case and most likely scenarios, due diligence risks, significant reputational risks, and legal or regulatory considerations.
APO12.04.2.1 This effort includes:
Key risk elements (eg frequency, magnitude, impact), vulnerabilities and their estimated effects
Magnitude of estimated probable loss or probable future gain
Maximum estimated losses based on potential gain for a scenario and the most likely losses based on earnings.
Additional relevant information to support the conclusions and recommendations of the analysis
APO12.03 Maintain a risk profile
The organization should maintain an inventory or register of known risks and risk components, ie hazards (threats), vulnerabilities and impacts (damage). These must include the estimation of their probability, the intended impact and the risk mitigation measures in place. The organization should document the associated resources, the organizational capabilities for information risk management, and the controls in place.
APO12.03.3. Aggregate the current risk scenarios (which have materialized) by category, business sector and functional area.
APO12.03.3.1 Inventory and evaluate the process capacity, skills and knowledge of the individuals in the organization. Evaluate results and performance across the information risk spectrum (e.g., ROI, OCL, delivery costs, project costs, IT operations costs, and IT service delivery).
APO12.03.3.2 Determine whether the normal execution of processes can or cannot provide the right controls and the ability to take acceptable risks.
APO12.03.3.3 Identify where the variability of results associated with a process can contribute to a more robust internal control structure, improve information and performance of the organization, and help seize business opportunities.
APO12.03.4. On a regular basis, the organization should identify and record all relevant information about its risk profile. The organization must then consolidate this information into a global risk profile. This work is often done by the risk analyst in conjunction with the organization’s risk management group in a risk governance context.
APO12.03.4.1 Examine the collection of attributes (variables) and values (metrics) through which the components of the risk scenario are quantified. Examine their interconnections inherent in the impact categories of the organization.
APO12.03.4.2 Adjust data according to evolving risk conditions and emerging threats to maximize the benefits and competitive advantages of IT, considering their cost of implementation (TCO), the implementation effort, the delivery of IT programs and IT projects, and the cost of operating and managing IT operations and service delivery.
APO12.03.4.3 Evaluate the cost of updating information systems and information assets based on asset criticality, operating environment data and hazard data. Make links between risks that are similar to categories of risk and impact categories of the organization.
APO12.03.4.4 Catalog and aggregate hazard types by category, business sector and functional area of the organization.
APO12.03.4.5 At a minimum, update the information risk scenarios in response to significant internal or external changes and revise them annually.
APO12.03.5. Based on all risk profile data, define a set of key risk indicators (KRIs) that enable rapid identification and monitoring of risks and trends.
APO12.03.5.1 Capture the risk profile within tools such as an information risk register and enterprise risk mapping (ERM).
APO12.03.5.2 Enhance the risk profile with the results of the IT portion of the enterprise risk assessment (ERM), risk scenario components, hazard data collection, continuous risk analysis and the results of the assessment of interdependencies.
APO12.03.5.3 For individual elements of the information risk register, update key attributes such as name, description, owner, stakeholders, actual and potential frequency, magnitude of associated scenarios, potential and real impact, and risk mitigation measures.
APO12.03.6. Gather information on the hazards of IT that have materialized, for inclusion in the information risk profile of the organization.
APO12.03.6.1 Create metrics and key risk indicators (KRIs) that can target IT hazards and incidents that can significantly affect the organization’s bottom line.
APO12.03.6.2 Base these indicators on a model that provides an understanding of the variables that may impact exposure and the organization’s capabilities for risk management in general and information risks in particular.
APO12.03.6.3 Ensure understanding of Key Risk Indicators (KRIs) by all stakeholders in the organization.
APO12.03.6.4 Regularly review the KRIs used and recommend adjustments to keep track of internal and external conditions.
Here is a selection of KRIs that are likely to be used as a starting point for the implementation of COBIT 5GR. It should be noted that these KRIs should be enriched, adapted or modified to take into account the particularities of each organization.
Risk appetite of the organization: Ar (organization)
Risk scenario: Zn (A, ψ, δ)
Element at risk: In
Probability of realization of the hazard: Pb (A)
Presence of the vulnerability: Pb (ψ)
Probability of exploiting vulnerability by hazard: Pb (ψ, A)
Estimated damage: δe (ψ, A)
Maximum damage: δm (ψ, A)
Resilience level: θ (ψ, A)
Expected utility: μ (E), a value between 0.01 and 0.99 (qualitative) or a real number (scientific approach and evidence). This is where the opportunity created by the risk element will be taken into account.
Mitigation measures: MMn (Zn)
Damage reduction caused by exploitation of the vulnerability by the hazard with the mitigation measure in place: δr (ψ, A, MMn)
Reduction of the probability of exploitation of the vulnerability by the hazard with the mitigation measure in place: Pb (ψ, A, MMn)
Using these indicators, the organization could make a qualitative risk estimate by performing an indicator estimate in collaboration with stakeholders and risk analysis participants. In such a case, the choice of measurement scales and data collection are likely to have an effect on the degree of scientificity of the results. In the best cases, the organization will have evidence that can be used.
APO12.04.4. Review the results of objective third-party risk assessments, internal audit, and quality assurance reviews to match the organization’s risk profile. Identify gaps and risks to determine the need for additional risk analysis.
APO12.04.4.1 Take the gaps and exposures of the organization to assess risk transfer requirements or the need for additional or deeper risk analysis.
APO12.04.4.2 Help the organization understand how corrective action plans will affect the overall risk profile.
APO12.04.4.3 Identify opportunities for integration with ongoing risk management projects and activities.
APO12.04.5. Identify, on a periodic basis, for areas of high relative risk and taking into account the risk appetite of the organization, opportunities that would allow for higher risk acceptance and increased growth.
APO12.04.5.1 Look for opportunities that allow the organization to:
Use the organization’s resources to create leverage that creates a competitive advantage.
Reduce coordination costs
Take advantage of economies of scale by using strategic resources common to several sectors of activity.
Take advantage of structural differences with competitors.
Integrate activities between business units or components of the organization’s value chain.
Mobilization phase
APO12.05 Define a Portfolio of Risk Management Projects
It is through the implementation of risk mitigation actions, in the form of projects, that the organization will be able to manage its risks. This is to reduce the unacceptable risks to an acceptable level, taking into account its risk tolerance as expressed. The identification of a set of projects for the reference period under consideration (the next budget year, for example) is in the form of a portfolio of projects.
APO12.04.3. Communicating the risk profile to all stakeholders, including the effectiveness of risk management processes, the effectiveness of controls, gaps, inconsistencies, risk acceptance, mitigation measures and their impact on the risk profile.
APO12.04.3.1 Identify the needs of different stakeholders for risk change reporting by applying the principles of relevance, effectiveness, frequency and accuracy of reporting.
APO12.04.3.2 Include the following in the statement: effectiveness and performance, issues and deficiencies, status of mitigation measures, hazards, incidents and their impact on risk profile and performance risk management processes.
APO12.04.3.3 Contribute to integrated enterprise risk management reporting.
APO12.05.1. Maintain an inventory of control activities that are in place to manage risks in line with the organization’s risk appetite and tolerance. Classify control activities and match them to specific hazards or scenarios and aggregations of information risks. Use COBIT 5 or other standards (ITIL, ISO, etc.) as a guide to determine management controls that are relevant or useful to your organization.
APO12.05.1.1 Throughout the area of risk intervention, inventory the controls in place to manage risks and to allow risk-taking in line with the organization’s risk appetite and tolerance.
APO12.05.1.2 Categorize controls (e.g., predictive, preventive, detective, corrective) and map them to specific information risk statements (scenarios and hazards) and to aggregated information risks.
APO12.05.2. Determine whether each organizational unit monitors risk and accepts responsibility for operations within its individual tolerance levels and portfolio.
APO12.05.2.1 Monitor operational alignment with risk tolerance thresholds.
APO12.05.2.2 Ensure that each line of business accepts responsibility for operations within its individual and portfolio tolerance levels and for the integration of monitoring tools into key business processes.
APO12.05.2.3 Monitor the performance of each control, and measure the variance of thresholds against objectives.
APO12.05.3. Define a balanced set of risk reduction project proposals and projects that provide strategic opportunities, taking into account the cost / benefit ratio, the effect on the risk profile and the current risk.
APO12.05.3.1 Respond to discovered risk exposures and opportunities.
APO12.05.3.2 Choose candidate IT controls based on specific threats, the degree of risk exposure, the probable loss and the mandatory requirements specified in the IT standards.
APO12.05.3.3 Monitor the evolution of the underlying operational business risk profiles and adjust the ranking of risk response projects.
APO12.05.3.4 Communicate with key stakeholders early in the process.
APO12.05.3.5 Conduct pilot testing and review of performance data to verify operation against design.
APO12.05.3.6 Plan for new and updated operational controls to include mechanisms that measure control performance over time and prompt management to take corrective action when monitoring shows the need.
APO12.05.3.7 Identify and train staff on new procedures as they are deployed.
APO12.05.3.8 Report IT risk action plan progress. Monitor IT risk action plans at all levels to ensure the effectiveness of the required actions and determine whether residual risk acceptance has been achieved.
APO12.05.3.9 Ensure that actions initiated are owned by the affected process owner and any discrepancies are reported to senior management.
APO12.06 Risk Mitigation
Resolutely in phase M of the IPM process, APO12.06 consists of the implementation, in a project framework, of the risk mitigation measures adopted following the identification and prioritization of risk. This allows the organization to respond in a timely manner to risks beyond its tolerance threshold, with effective measures that limit the extent of damage. A standard such as ISO 27002:2013 can be used to find risk mitigation measures to implement.
Other elements of COBIT 5 will also be useful or even necessary for the risk management that must take place. Among others:
EDM03.03 Monitor risk management.
APO13.01 Establish and maintain an ISMS.
APO13.02 Define and manage an information security risk treatment plan.
APO13.03 Monitor and review the ISMS.
BAI01.10 Manage program and project risk.
BAI02.03 Manage requirements risk.
BAI04.04 Monitor and review availability and capacity.
BAI06.02 Manage emergency changes
DSS02.02 Record, classify and prioritize requests and incidents.
DSS02.03 Verify, approve and fulfill service requests.
DSS02.04 Investigate, diagnose and allocate incidents.
DSS02.05 Resolve and recover from incidents.
DSS02.06 Close service requests and incidents.
DSS03.01 Identify and classify problems.
DSS03.02 Investigate and diagnose problems.
DSS03.03 Raise known errors.
DSS03.04 Resolve and close problems.
DSS03.05 Perform proactive problem management.
DSS04.01 Define the business continuity policy, objectives and scope.
DSS04.02 Maintain a continuity strategy.
DSS04.03 Develop and implement a business continuity response.
DSS04.04 Exercise, test and review the BCP.
DSS04.05 Review, maintain and improve the continuity plan.
DSS04.06 Conduct continuity plan training
DSS04.07 Manage backup arrangements.
DSS04.08 Conduct post-resumption review.
DSS05.01 Protect against malware.
DSS05.02 Manage network and connectivity security.
DSS05.03 Manage endpoint security.
DSS05.04 Manage user identity and logical access.
DSS05.05 Manage physical access to IT assets.
DSS05.06 Manage sensitive documents and output devices.
DSS05.07 Monitor the infrastructure for security-related events.
The set of Monitor, Evaluate and Assess (MEA) controls
The organization will have to put in place an audit process to retroactively validate the results of previous risk analyses. It will also have to repeat the risk analysis process when there are major changes in its environment, situation or information assets, or when it otherwise becomes necessary. At a minimum, it should perform a risk analysis per budget cycle, and at least once a year.
Metrics and KRIs
Here is a selection of KRIs that are used as a starting point for the implementation of COBIT 5GR (the same list as in APO12.03.6 above). It should be noted that these KRIs must be enriched, adapted or modified to take into account the particularities of each organization. Each indicator is described in detail below.
Risk appetite of the organization
Symbol: Ar (organization)
Description: Risk appetite represents the aggregate level of risk that an organization agrees to take in order to continue its business and achieve its strategic objectives. It is necessary to identify the risk appetite of the organization to adjust the damage and utility to obtain the expected utility as perceived by the organization. A low appetite means risk aversion. The result is an increase in the expected utility of the element at risk, that is, it is more valuable to the organization and its decision-makers than its real or book value. On the other hand, a propensity to risk, which signifies a high appetite for risk, results in a decrease in the expected utility.
Qualitative value: between 0.01 and 0.99
Qualitative Data Source: The slider scale can be used to assess risk appetite. The neutral value is 0.5, a value of more than 0.5 is used to indicate risk aversion. A value between 0.01 and 0.49 represents a risk propensity.
Quantitative value: This variable cannot be measured quantitatively.
Quantitative data sources: None
Risk scenario
Symbol: Zn (A, ψ, δ)
Description: The risk scenario is a document that tells a story. It describes, in a structured way, the history of a hazard or sequence of hazards and threats that exploits a vulnerability of an information asset, causing harm.
Risk element
Symbol: In
Description: Information asset that is subject to a risk scenario
Qualitative value: Unique nominative code that identifies each information asset or risk element that is included in a risk analysis.
Qualitative data source: Determined by the risk analyst or assigned during an inventory of information assets.
Probability of realization of the hazard
Symbol: Pb (A)
Description: During the meetings the analyst will also have to evaluate, with the participants, the probability of the realization of a scenario. To do this, he will use slider scales to evaluate the damage and the probability of scenario realization. Slider scales are printed and distributed to participants.
The slider scale presented is used to evaluate the probability of realization of the presented scenario.
Qualitative value: The values assigned to this variable are between 0.01 and 0.99, or between 1% (low) and 99% (high). The central, neutral or average value is located at the center of the measurement scale, which represents 0.5, or 50%.
Qualitative data source: The evaluation of the probability of occurrence of hazards can be done during a group meeting (focus group, brainstorming, etc.). In this case, the value used must result from the consensus of the participants in the meeting. It is also possible to use a white board or other means with the participants. The main thing is to let the participants indicate the estimated level according to the element evaluated, on a continuous line between the lowest and the highest.
Quantitative value : real number
Quantitative data sources: historical data or evidence from research or data collection.
Presence of the vulnerability
Symbol: Pb (ψ)
Description: The objective of this indicator is to assess the presence (Pb (ψ) = 1) or the absence (Pb (ψ) = 0) of vulnerability under consideration in a risk scenario.
Value: 0 (absence) or 1 (presence)
Qualitative Data Source: Analysis by Specialist
Quantitative Data Source: Scan Analysis (NVAS) or another tool
Probability of exploiting vulnerability by hazard
Symbol: Pb (ψ, A)
Description: This indicator is used to estimate the probability that the hazard considered in the risk scenario could exploit the vulnerability.
Qualitative value: between 0.01 and 0.99
Qualitative data source: The probability assessment can be done during a group meeting (focus group, brainstorming, etc.). In this case, the value used must result from the consensus of the participants in the meeting. It is also possible to use a white board or other means with the participants. The main thing is to let the participants indicate the estimated level according to the element evaluated, on a continuous line between the lowest and the highest.
Quantitative value: real number
Quantitative data sources: historical data or evidence from research or data collection.
Estimated damage
Symbol: δe (ψ, A)
Description: Measurement of the impact of the achievement of the most likely scenario. If sources of evidence or historical data are available, these data should be preferred. Otherwise, the slider scale can be used. The slider scale presented is used to assess the impact of the presented scenario.
Qualitative value: The values assigned to this variable are between 0.01 and 0.99, or between 1% (low) and 99% (high). The central, neutral or average value is located at the center of the scale of measurement, which represents 0.5, or 50%.
Qualitative data source: The impact evaluation can be done during a group meeting (focus group, brainstorming, etc.). In this case, the value used must result from the consensus of the participants in the meeting. It is also possible to use a white board or other means with the participants. The main thing is to let the participants indicate the estimated level according to the element evaluated, on a continuous line between the lowest and the highest.
Quantitative value: real number
Quantitative data sources: historical data or evidence from research or data collection.
Maximum damage
Symbol: δm (ψ, A)
Description: Measurement of the impact of scenario realization in the worst case. If sources of evidence or historical data are available, these data should be preferred. Otherwise, the slider scale can be used. The slider scale presented is used to assess the impact of the presented scenario.
Qualitative value: The values assigned to this variable are between 0.01 and 0.99, or between 1% (low) and 99% (high). The central, neutral or average value is located at the center of the measurement scale, which represents 0.5, or 50%.
Qualitative data source: The evaluation can be done during a group meeting (focus group, brainstorming, etc.). In this case, the value used must result from the consensus of the participants in the meeting. It is also possible to use a white board or other means with the participants. The main thing is to let the participants indicate the estimated level according to the element evaluated, on a continuous line between the lowest and the highest.
Quantitative value: real number
Quantitative data sources: historical data or evidence from research or data collection.
Resilience level
Symbol: θ (ψ, A)
Description: The level of individual or organizational resilience in relation to the risk scenario presented.
Qualitative value: The values assigned to this variable are between 0.01 and 0.99, or between 1% (low) and 99% (high). The central, neutral or average value is located at the center of the scale, at 0.5, or 50%.
Qualitative data source: The evaluation can be done during a group meeting (focus group, brainstorming, etc.). In this case, the value used must result from the consensus of the participants in the meeting. It is also possible to use a white board or other means with the participants. The main thing is to let the participants indicate the estimated level according to the element evaluated, on a continuous line between the lowest and the highest. The slider scale presented is used to assess the impact of the presented scenario.
Quantitative value: real number
Quantitative data sources: historical data or evidence from research or data collection.
Here again, the slider scale can be used.
Expected utility
Symbol: μ (E)
Description: The value of the risk element, its contribution to the business objectives of the organization or its replacement value.
Qualitative value: between 0.01 and 0.99
Qualitative data source: The evaluation can be done during a group meeting (focus group, brainstorming, etc.). In this case, the value used must result from the consensus of the participants in the meeting. It is also possible to use a white board or other means with the participants. The main thing is to let the participants indicate the estimated level according to the element evaluated, on a continuous line between the lowest and the highest.
Quantitative value: real number
Quantitative data sources: historical data or evidence from research or data collection.
Mitigation measures
Symbol: MMn (Zn)
Description: Risk mitigation measures.
Qualitative value: between 0.01 and 0.99
Qualitative data source: The evaluation can be done during a group meeting (focus group, brainstorming, etc.). In this case, the value used must result from the consensus of the participants in the meeting. It is also possible to use a white board or other means with the participants. The main thing is to let the participants indicate the estimated level according to the element evaluated, on a continuous line between the lowest and the highest.
Quantitative value: real number
Quantitative data sources: historical data or evidence from research or data collection.
Reduction of damage caused by exploitation of vulnerability by hazard with the mitigation measure in place
Symbol: δr (ψ, A, MMn)
Description: The effect of the existing risk mitigation measure that reduces the damage caused by exploitation of the vulnerability by the hazard.
Qualitative value: between 0.01 and 0.99
Qualitative data source: The evaluation can be done during a group meeting (focus group, brainstorming, etc.). In this case, the value used must result from the consensus of the participants in the meeting. It is also possible to use a white board or other means with the participants. The main thing is to let the participants indicate the estimated level according to the element evaluated, on a continuous line between the lowest and the highest.
Quantitative value: real number
Quantitative data sources: validation by an information security expert, historical data or evidence from research or data collection.
Reduced likelihood of exploitation of vulnerability by hazard with the mitigation measure in place
Symbol: Pb (ψ, A, MMn)
Description: The effect of the risk mitigation measure that reduces the likelihood of exploitation of vulnerability by the hazard with the mitigation measure in place.
Qualitative value: between 0.01 and 0.99
Qualitative data source: The evaluation can be done during a group meeting (focus group, brainstorming, etc.). In this case, the value used must result from the consensus of the participants in the meeting. It is also possible to use a white board or other means with the participants. The main thing is to let the participants indicate the estimated level according to the element evaluated, on a continuous line between the lowest and the highest.
Quantitative value: real number
Quantitative data sources: validation by an information security expert, historical data or evidence from research or data collection.
Example of a qualitative risk calculation
Here is a model for estimating the risk index based on the use of qualitative data. In a real context, the model must be adjusted to take into account the peculiarities of each organization.
The KRIs used in this example:
Risk appetite of the organization: Ar (organization)
Risk scenario: Zn (A, ψ, δ )
Element at risk: In
Probability of realization of the hazard: Pb (A)
Presence of the vulnerability: Pb (ψ)
Probability of exploiting vulnerability by hazard: Pb (ψ, A)
Estimated damage: δe (ψ, A)
Maximum damage: δm (ψ, A)
Resilience level: θ (ψ, A)
Expected utility: μ (E) , a value between 0.01 and 0.99 (qualitative) or a real number (scientific approach and evidence)
Mitigation measures: MMn (Zn)
Damage reduction caused by exploitation of the vulnerability by the hazard with the mitigation measure in place: δr (ψ, A, MMn)
Reduction of the probability of exploitation of the vulnerability by the hazard with the mitigation measure in place: Pb (ψ, A, MMn)
Calculation of the estimated risk for the Z001 risk scenario (virus, e-mail, loss of reputation): the risk of loss of reputation through the disclosure of private information of the organization’s clients, caused by a computer virus sent by e-mail and opened by a misguided employee:
Ar (organization) = 0.3 (light)
Pb (A) = 0.7 (high)
Pb (ψ) = 1 (presence)
Pb (ψ, A) = 0.5 (medium)
δe (ψ, A) = 0.4 (medium)
δm (ψ, A) = 0.9 (very high)
θ (ψ, A) = 0.5 (medium)
μ (E) = 0.6 (medium)
MM001 (Z001) = $ 45,000 (DLP system)
δr (ψ, A, MM001) = 0.82
Pb (ψ, A, MM001) = 0.75
Qualitative estimate of the estimated risk index:
Re (Z001) = (Pb (A) * Pb (ψ) * Pb (ψ, A) * δe (ψ, A) * μ (E)) / θ (ψ, A)
Re (Z001) = (0.7 * 1 * 0.5 * 0.4 * 0.6) / 0.5
Re (Z001) = 0.084 / 0.5
Re (Z001) = 0.168
Qualitative estimate of the maximum risk index:
Rm (Z001) = (Pb (A) * Pb (ψ) * Pb (ψ, A) * δm (ψ, A) * μ (E)) / θ (ψ, A)
Rm (Z001) = (0.7 * 1 * 0.5 * 0.9 * 0.6) / 0.5
Rm (Z001) = 0.189 / 0.5
Rm (Z001) = 0.378
Qualitative estimate of the tolerated risk index:
Rt (Z001) = (Pb (A) * Pb (ψ) * Pb (ψ, A) * Ar (org) * μ (E)) / θ (ψ, A)
Rt (Z001) = (0.7 * 1 * 0.5 * 0.3 * 0.6) / 0.5
Rt (Z001) = 0.063 / 0.5
Rt (Z001) = 0.126
Qualitative estimate of the mixed risk index with the use of risk mitigation measure MM001 (Z001), a data loss prevention (DLP) system that costs $ 45,000:
Rmm001 = Re (Z001) * δr (ψ, A, MM001) * Pb (ψ, A, MM001)
Rmm001 = 0.168 * 0.82 * 0.75
Rmm001 = 0.103
Example of quantitative risk calculation
Here is a model for estimating the risk index based on the use of quantitative data. In a real context, the model must be adjusted to take into account the peculiarities of each organization.
The KRIs used in this example:
Risk appetite of the organization: Ar (organization)
Risk scenario: Zn (A, ψ, δ )
Element at risk: In
Probability of realization of the hazard: Pb (A)
Presence of the vulnerability: Pb (ψ)
Probability of exploiting vulnerability by hazard: Pb (ψ, A)
Estimated damage: δe (ψ, A)
Maximum damage: δm (ψ, A)
Resilience level: θ (ψ, A)
Expected utility: μ (E) , a value between 0.01 and 0.99 (qualitative) or a real number (scientific approach and evidence)
Mitigation measures: MMn (Zn)
Damage reduction caused by exploitation of the vulnerability by the hazard with the mitigation measure in place: δr (ψ, A, MMn)
Reduction of the probability of exploitation of the vulnerability by the hazard with the mitigation measure in place: Pb (ψ, A, MMn)
Calculation of the estimated risk for the Z001 risk scenario (virus, e-mail, loss of reputation): the risk of loss of reputation through the disclosure of private information of the organization’s clients, caused by a computer virus sent by e-mail and opened by a misguided employee:
Ar (organization) = 0.3 (light)
Pb (A) = 0.6 (this happened 3 times in the last 5 years in our organization and the industry figures are similar for companies like ours)
Pb (ψ) = 1 (the vulnerability is present in our organization)
δe (ψ, A) = $ 1,000,000 (average of 3 known incidents)
δm (ψ, A) = 4,000,000 (the worst case here)
θ (ψ, A) = 1 (the current resilience has no effect)
μ (E) = $ 10,000,000 (contribution of informational assets to organizational objectives)
MM001 (Z001) = $ 45000 (DLP system)
δr (ψ, A, MM001) = 0.82
Pb (ψ, A, MM001) = 0.75
Quantitative estimate of the estimated risk index:
Re (Z001) = (Pb (A) * Pb (ψ) * δe (ψ, A)) / θ (ψ, A)
Re (Z001) = (0.6 * 1 * 1,000,000) / 1
Re (Z001) = $ 600,000
Quantitative estimate of the tolerated risk index:
Rt (Z001) = (Pb (A) * Pb (ψ) * Ar (org) * μ (E)) / θ (ψ, A)
Rt (Z001) = (0.6 * 1 * 0.3 * 10,000,000) / 1
Rt (Z001) = $ 1,800,000
Quantitative estimate of the mixed risk index with the use of risk mitigation measure MM001 (Z001), a data loss prevention (DLP) system that costs $ 45,000:
Rmm001 = Re (Z001) * δr (ψ, A, MM001) * Pb (ψ, A, MM001)
Rmm001 = $ 600,000 * 0.82 * 0.75
Rmm001 = $ 369,000
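The qualitative and quantitative calculations above, as an added Python example (not code from the article): one function per index form, loaded with the article's KRI values for scenario Z001. Re (Z001) = 0.168 for the qualitative case is taken from the article as stated, since its δe is given earlier in the article; the net-benefit check at the end, which sets the risk reduction bought by MM001 against its $ 45,000 cost, is an added comparison that the article itself does not carry out.

```python
# Added example: the risk-index formulas of the article, computed with its KRI values.
# Not the article's own code. Names follow the article's symbols:
# pb_a = Pb(A), pb_v = Pb(ψ), pb_va = Pb(ψ, A), utility = μ(E), resilience = θ(ψ, A).


def qualitative_index(pb_a, pb_v, pb_va, factor, utility, resilience):
    """Common form of the qualitative indices:
    (Pb(A) * Pb(ψ) * Pb(ψ,A) * factor * μ(E)) / θ(ψ,A)
    with factor = δm(ψ,A) for the maximum index Rm and Ar(org) for the tolerated index Rt."""
    if resilience <= 0:
        raise ValueError("θ(ψ, A) must be positive; the index divides by it")
    return pb_a * pb_v * pb_va * factor * utility / resilience


def quantitative_estimated(pb_a, pb_v, damage_est, resilience):
    """Re = (Pb(A) * Pb(ψ) * δe(ψ,A)) / θ(ψ,A), in currency units."""
    return pb_a * pb_v * damage_est / resilience


def quantitative_tolerated(pb_a, pb_v, appetite, utility, resilience):
    """Rt = (Pb(A) * Pb(ψ) * Ar(org) * μ(E)) / θ(ψ,A), in currency units."""
    return pb_a * pb_v * appetite * utility / resilience


def mixed_index(re_index, damage_reduction, prob_reduction):
    """Rmm = Re * δr(ψ,A,MM) * Pb(ψ,A,MM): residual risk with the measure in place."""
    return re_index * damage_reduction * prob_reduction


def qualitative_example():
    """Scenario Z001 with the qualitative KRIs used in the article."""
    pb_a, pb_v, pb_va, utility, resilience = 0.7, 1.0, 0.5, 0.6, 0.5
    rm = qualitative_index(pb_a, pb_v, pb_va, 0.9, utility, resilience)  # δm(ψ,A) = 0.9
    rt = qualitative_index(pb_a, pb_v, pb_va, 0.3, utility, resilience)  # Ar(org) = 0.3
    re_stated = 0.168  # Re(Z001) as stated in the article; its δe is given earlier there
    rmm = mixed_index(re_stated, 0.82, 0.75)  # MM001: δr = 0.82, Pb(ψ,A,MM001) = 0.75
    return {"Rm": rm, "Rt": rt, "Rmm001": rmm, "within_appetite": rmm <= rt}


def quantitative_example():
    """Scenario Z001 with the quantitative KRIs used in the article (dollar values)."""
    pb_a, pb_v, resilience = 0.6, 1.0, 1.0
    re = quantitative_estimated(pb_a, pb_v, 1_000_000, resilience)      # δe = $1,000,000
    rt = quantitative_tolerated(pb_a, pb_v, 0.3, 10_000_000, resilience)  # Ar = 0.3, μ(E) = $10M
    rmm = mixed_index(re, 0.82, 0.75)
    return {"Re": re, "Rt": rt, "Rmm001": rmm, "within_appetite": rmm <= rt}


def mitigation_net_benefit(re_index, rmm_index, cost):
    """Added check, not in the article: risk reduction bought by the measure minus its cost.
    Only meaningful for the quantitative (currency) indices."""
    return (re_index - rmm_index) - cost


if __name__ == "__main__":
    q = qualitative_example()
    print("qualitative:", {k: (round(v, 3) if isinstance(v, float) else v) for k, v in q.items()})
    m = quantitative_example()
    print("quantitative:", m)
    print("net benefit of MM001:", mitigation_net_benefit(m["Re"], m["Rmm001"], 45_000))
```

The `within_appetite` flag compares the residual (mixed) index with the tolerated index, which is the comparison the two indices are built for; with the article's values it holds in both the qualitative and the quantitative case.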
Bibliography
Léger, Marc-André (2013). Introduction to Information Risk Management, Hochelaga-Maisonneuve Research Center, Montreal, Quebec, Canada.
This article presents a simple strategy to accelerate literature reviews. The approach was developed for new graduate students wishing to engage in scientific research with little knowledge of how to perform a systematic search using academic sources and scientific journals on a particular topic. However, it may be useful for many others. The approach was used successfully by a research team to perform literature reviews supported by tools such as Zotero and LitMap, and specialized websites, such as Scopus, Web of Science and Engineering Village.
Many years ago, I was very fortunate to have a high school teacher with a Ph.D. who taught us about methodological approaches. At the time, I had no idea that this was going to be of any importance to me, nor did I have any inclination of doing a Ph.D. myself one day. Of course, today, I understand how important it is to take a systematic approach to resolving problems and how a scientific method can be used to build up some form of proof as to the validity of the answers I would be provided to resolving these questions. Since then, I have taken many research methodology courses, written a few dissertations, articles and other papers, and introduced students to the scientific method.
Of the many steps in getting started on this path for those new to scientific research, I have noticed that many struggle with how to get started on their initial literature review. This is a critical early step in scientific enquiry that is used to get a grasp on the current state of knowledge on a topic. It is also when many researchers define the scope of the project, identify initial hypotheses, and determine an initial research question. Of course, hypotheses and research questions may evolve further at a later stage in the process, but at least with this initial work, researchers have a starting point for discussions with colleagues or a research director, material to use in funding requests, and peer-reviewed sources to start writing a research proposal. Hence, this article is particularly intended to help students get started on their path into scientific research, with the hope that they can rely less on Wikipedia, blogs, and Google when they write the papers that they submit.
The strategy proposed for conducting an initial literature review is to use available tools and take a simple systematic approach. Using databases and resources available in most university libraries, researchers can identify reliable, peer-reviewed sources to document the current state of scientific knowledge on their research topic. The next sections present the proposed steps. This starts with choosing a research topic.
A scientific research project starts with a subject to be explored. There are many manners in which this subject can be chosen, from a personal interest of a researcher, a course assignment or to take advantage of a funding opportunity. Nearly all subjects can be valid opportunities for scientific enquiry. In a new or innovative area, the subject can be relatively vague or ill-defined. However, as the field matures and the researcher gains expertise on the topic, it can become quite narrow.
Since this article needs examples, it is necessary to determine a topic. As the principal field of research of the authors of this article is cybersecurity, this formed the basis for the topic determination for a first example. Therefore, for the first example, the search presented in this article is on the general topic of information security. This is based on a personal interest. Since this is a very broad topic, to make it a bit more realistic, the article will investigate information security applied to operational technologies, those used for the management of critical infrastructures. For readers more familiar with information technologies (IT), the technologies used in organizations to help them manage information, operational technologies (OT) are technologies used to manage infrastructure and industrial equipment by monitoring and controlling them. These OTs include, but are not limited to, critical infrastructures such as the electrical grid of a country, region, or province, in the case of Canada. In the project used as an example, we are focusing on their use in monitoring and controlling a particular critical infrastructure, the electrical grid providing electrical power to cities in Canada.
At this point it is possible to create a concept map, to help better define the topic before going on to the next step. Concept maps, such as mind maps, have been very helpful to get a better grasp on a topic and decompose it into core concepts. They are not presented in this article, but there are many good tutorials on how to do them. Concept maps are something performed in class with students to help them. Therefore, the topic is:
Information security of operational technologies in Canada
This is what is used for the next steps as an example.
As mentioned, information security of operational technologies in Canada is selected as the topic for the project described. Computer security and cybersecurity are also used as synonyms for information security and are added to the initial search. In a real-world scenario, the input of advisors, professors and research team members can contribute to defining the initial keywords. From this topic three main concepts are identified:
Information security, with the synonyms computer security, cybersecurity
The first element will help to identify the articles in the general topic. The second and third elements will help to narrow down the results to be more relevant. As well as the recommendations of co-researchers, Google and online thesauruses can be used to identify synonyms, which can help in the initial searches. This may require some trial and error to refine, as is explained later. Table 1 presents an overview of the search results in Polytechnique Montreal's and Concordia University's online library search engines for the selected keywords, as well as the results from Google Scholar. Identifying and validating the appropriate keywords, operators (AND, OR, NOT) and combinations thereof may require multiple trials, errors and improvements. While this will become easier as the researcher gains experience, it may be a long, and relatively tedious, process. There is no magic number of articles needed, as research projects differ. In this case, for a relatively small project, with a relatively small team, an initial number below 1000 articles is targeted. Again, readers need to keep in mind that this is at a very early stage in the project and in the literature search. At the end of the process the number should be much lower, well under 100 in most cases.
Search expression | Results Polytechnique | Results Concordia | Google Scholar
Information security OR computer security OR cybersecurity | 430 719 | 536 309 | 4 110 000
« Information security » OR « computer security » OR cybersecurity | 68 820 | 87 133 | 426 000
« Operational technologies » OR « critical infrastructures » | 605 | 3836 | 17 100
« Operational technologies » AND « critical infrastructures » | 0 | 5 | 224
(« Information security » OR « computer security » OR cybersecurity) AND (« Operational technologies » OR « critical infrastructures ») | 790 | 878 | 17 800
Table 1: Initial searches
While the results are helpful, it can be observed that the sheer number remains too large to be useful in an initial literature review within the scenarios that have been identified in this article. However, in this case the last query that is used could be appropriate for the intended purpose at this point while adding further limits, as described in the next step. Therefore, the next step will proceed with the following query:
(« Information security » OR « computer security » OR cybersecurity) AND (« Operational technologies » OR « critical infrastructures »)
Starting from what is done in the previous steps, restrictions to limit the results to scientific articles published in peer-reviewed journals during the last ten years in English are added. This is done as the intention is, at least in part, to assess the current state-of-the-art of knowledge in the research domain of the study. The definition of current is initially seen as going back only 10 years. Since the number of results may still be high, the restriction can also be set to 5 years. Therefore, the final search expression from the previous step is used, (« Information security » OR « computer security » OR cybersecurity) AND (« Operational technologies » OR « critical infrastructures »), with different restrictions, as shown in table 2.
Search restrictions | Results Polytechnique | Results Concordia | Google Scholar
No restrictions | 791 | 878 | 17 800
Limited to last 10 years | 587 | 652 | 16 600
Limited to last 5 years | 380 | 415 | 10 800
Limited to articles from the last 5 years | 291 | 304 | 639
Limited to articles in scientific journals from the last 5 years | 89 | 96 | N/A
Limited to articles in English, in scientific journals from the last 5 years | 55 | 59 | 629
Table 2: Searches with restrictions
The results are at a volume that appears more reasonable for an initial search. It would seem appropriate to use this as the focus of the literature review for the project. In the next step, further research is done to try to identify the most influential and most cited scientific articles on the topic at hand. On this basis, the search will continue using the following query:
(« Information security » OR « computer security » OR cybersecurity) AND (« Operational technologies » OR « critical infrastructures »), limited to articles in English, in scientific journals from the last 5 years.
In this example, adding English as a limit could be omitted, since the previous limits resulted in a number just below the 100 articles that had been identified as a workable limit. However, at a later stage, articles that are not in English will still have to be eliminated if the reviewers are not able to read the articles. But anecdotal evidence shows that publication language is not always reliably determined in the databases.
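Steps 3 and 4 above, as an added Python example that is not part of the article: the search expression is represented as OR-groups joined by AND, each phrase is matched whole-word and case-insensitively, and the Table 2 restrictions are applied one after the other to a handful of constructed bibliographic records. The records, their years and languages are made up for the example, and an explicit `since_year` stands in for "the last 5 years". The `unquoted` helper also reproduces the Table 1 effect: without phrase quotes each word becomes its own OR term and the result set grows.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    key: str
    title: str
    abstract: str
    year: int
    doc_type: str      # "article" or "conference"
    in_journal: bool   # published in a peer-reviewed scientific journal
    language: str      # "en", "fr", ...


# The step 3 expression, OR-groups joined by AND:
# ("information security" OR "computer security" OR cybersecurity)
#   AND ("operational technologies" OR "critical infrastructures")
QUERY = [
    ["information security", "computer security", "cybersecurity"],
    ["operational technologies", "critical infrastructures"],
]


def term_in(text, term):
    """Whole-word, case-insensitive match; a multi-word term must occur as that exact phrase."""
    return re.search(r"\b" + re.escape(term) + r"\b", text, re.IGNORECASE) is not None


def unquoted(query):
    """The same expression without phrase quotes: every word becomes its own OR term,
    which is why the first row of Table 1 is so much larger than the second."""
    return [sorted({word for term in group for word in term.split()}) for group in query]


def matches(rec, query):
    text = f"{rec.title} {rec.abstract}"
    return all(any(term_in(text, term) for term in group) for group in query)


def search(records, query, since_year=None, articles_only=False,
           journals_only=False, language=None):
    """Run the expression, then apply the Table 2 restrictions; returns the matching keys."""
    hits = []
    for rec in records:
        if not matches(rec, query):
            continue
        if since_year is not None and rec.year < since_year:
            continue
        if articles_only and rec.doc_type != "article":
            continue
        if journals_only and not rec.in_journal:
            continue
        if language is not None and rec.language != language:
            continue
        hits.append(rec.key)
    return hits


# Constructed records: titles, abstracts, years and languages are made up for this example
RECORDS = [
    Record("R1", "Cybersecurity of critical infrastructures: a survey",
           "We review attacks on and defences for the electrical grid.", 2021, "article", True, "en"),
    Record("R2", "Information security governance for operational technologies",
           "A governance model for industrial control environments.", 2016, "article", True, "en"),
    Record("R3", "Resilience of critical infrastructures under information overload",
           "Budgeting security spending when operators face alert fatigue.", 2020, "article", True, "en"),
    Record("R4", "Cybersécurité des infrastructures critiques",
           "Cybersecurity of critical infrastructures in Québec: a survey of provincial utilities.",
           2020, "article", True, "fr"),
    Record("R5", "A cybersecurity testbed for operational technologies",
           "Conference paper describing a laboratory testbed.", 2021, "conference", False, "en"),
    Record("R6", "Phishing detection with machine learning",
           "A classifier for malicious e-mail.", 2021, "article", True, "en"),
]


if __name__ == "__main__":
    print("unquoted:", search(RECORDS, unquoted(QUERY)))
    print("quoted:", search(RECORDS, QUERY))
    print("since 2018:", search(RECORDS, QUERY, since_year=2018))
    print("+ journal articles:", search(RECORDS, QUERY, since_year=2018,
                                        articles_only=True, journals_only=True))
    print("+ English:", search(RECORDS, QUERY, since_year=2018,
                               articles_only=True, journals_only=True, language="en"))
```

Record R3 is the instructive case: it contains the words "information" and "security" but never the phrase "information security", so it is found by the unquoted expression and dropped by the quoted one. R4 shows why the language restriction is still worth applying even when the count is already low: its English abstract satisfies the query although the paper is in French.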
To help students who might be doing this for a first time, arbitrary limits are mentioned. Students like to have specific numbered goals. What would be recommended for them is a minimum of 50 articles for master's level research and 100 for Ph.D. level, 200 for a Ph.D. dissertation, multiplied by the number of individuals in the team. These highly subjective limits would only be used as guidance for inexperienced researchers, as experienced researchers should set their own limits in accordance with experience, resources, and time available for the project.
Retrieving the documents is done using databases available on the Polytechnique Montréal library and the Concordia University library websites. They are selected as these are the libraries available to the authors of this article. As both universities have different database subscriptions, this allows for additional sources to be identified. However, it may result in many duplicates. The duplicates can be easily resolved later. This is a good strategy for research teams or post-graduate students that often have affiliations to different institutions. As shown in table 2, this resulted in 55 and 59 articles. They are all exported directly into the Zotero reference manager, using a web navigator plugin.
In this next step, databases that aggregate scientific articles or that offer larger data samples are used. This casts a wide net to increase the likelihood of including important literature in the project. In particular, the following databases are used, as they are the best known and most used databases for citation counts:
Scopus.com
Web of Science
Engineering Village
Google Scholar
Scopus
As described online (https://www.elsevier.com/solutions/scopus), Scopus provides an abstract and citation database for scholarly literature. It provides metrics that are useful to determine the impact of peer-reviewed scientific journal articles. In the context discussed in this article, Scopus is used to identify influential articles on the topic at hand.
Using the query identified in the previous section, (« Information security » OR « computer security » OR cybersecurity) AND (« Operational technologies » OR « critical infrastructures »), the query in Scopus produced 267 results, which are sorted by number of citations. The top 50 references are exported to a file in BibTeX format. As well, the complete Scopus results can be exported to be used later to perform a bibliometric analysis, described in Strategy 2, later in this article. As described in that later section, this bibliometric analysis can serve as validation of the relevance of the process and the results. The bibliometric analysis can also provide additional insights into the domain.
Web of Science
Web of Science is similar to Scopus. It provides access and queries to a large citation database. However, as it is managed by a different media group, it offers different results from Scopus. The objective of using both is to catch the most cited articles on the topic. As duplicates are removed in a later step, this should limit the effect of any biases created by the different databases. Using the same query as in previous steps produced 103 results, which are sorted by number of citations. The top 50 are exported to a file in BibTeX format. Here as well, the complete Web of Science results can be exported to be used later for a bibliometric analysis.
Engineering Village
Engineering Village is a database of scientific journal articles that specializes in the fields of applied science and engineering. It is used to complement the previous searches. The search in this database produced 222 results, sorted by relevance. The top 50 are exported to a file in BibTeX format.
Google Scholar
Google Scholar is a service of the Google search engine that specializes in scientific publications. It is used in this search strategy to complement the previous searches with additional material. The search in this database produced 649 results, which are sorted by relevance. The top 40, which corresponds to the first two pages of results, are exported using the web browser plugin.
Using the previous queries, the results from the library searches are imported into Zotero using the Google Chrome plugin. For this purpose, a library named Critical Infrastructure is created in the Zotero account. Zotero is chosen due to the familiarity of the research team with the product and because it is a tool recommended by librarians. However, there are many other similar tools that can be used to achieve the same result. For the Scopus search, it is necessary to export the results from the Scopus website in BibTeX format, adding Abstracts to the default export settings in the export menu on Scopus. This generates a file named Scopus.bib that can then be imported into Zotero. This is done in Zotero in the File – Import menu. A similar process is used for Web of Science and Engineering Village, but with different default filenames that are created by the sites. For Google Scholar, the Chrome web browser plugin is used. In this example, for Google Scholar, only the first 40 entries, sorted by relevance, are imported. The number of Google Scholar results that is saved may vary based on the available time and resources involved in the project, but a maximum of 100 would be more than sufficient in most cases.
After all the references are imported into Zotero, it is necessary to remove duplicates in Zotero. This is required as the results from the different queries will overlap from one database to the other. It is done using the remove duplicates function in Zotero. In the example, once this is complete, there are 181 documents remaining.
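Zotero performs this merge with its own duplicate-detection function. The following added Python example, which is neither the article's code nor Zotero's, shows what such a merge has to cope with when exports from several databases are combined: the same DOI written in different forms, the same title with different capitalization and punctuation, records that carry no DOI at all, and the preference for keeping the copy that already has a full-text PDF attached. The sources, titles and DOIs in `EXPORTS` are constructed placeholders.

```python
import re
from dataclasses import dataclass


@dataclass
class Ref:
    source: str            # database the export came from
    title: str
    doi: str = ""          # empty when the database did not supply one
    has_pdf: bool = False  # a full-text copy is already attached


def normalize_doi(doi):
    """DOIs are case-insensitive and are exported either bare, as doi.org URLs or with a doi: prefix."""
    d = doi.strip().lower()
    for prefix in ("https://doi.org/", "http://doi.org/", "doi:"):
        if d.startswith(prefix):
            d = d[len(prefix):]
    return d


def normalize_title(title):
    """Lower-case, replace punctuation and dashes by spaces, collapse whitespace."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", title.lower()).split())


def remove_duplicates(refs):
    """Keep one Ref per work. Two refs are the same work when their normalized DOIs match
    or, when either side lacks a DOI, when their normalized titles match. On a match the
    copy with an attached PDF wins, so full text already downloaded is not lost.
    Returns (kept refs, number of duplicates folded in)."""
    kept = []
    by_doi = {}    # normalized DOI -> index into kept
    by_title = {}  # normalized title -> index into kept
    duplicates = 0
    for ref in refs:
        doi = normalize_doi(ref.doi)
        title = normalize_title(ref.title)
        idx = by_doi.get(doi) if doi else None
        if idx is None:
            idx = by_title.get(title)
        if idx is None:
            kept.append(ref)
            idx = len(kept) - 1
        else:
            duplicates += 1
            if ref.has_pdf and not kept[idx].has_pdf:
                kept[idx] = ref
        if doi:
            by_doi.setdefault(doi, idx)
        by_title.setdefault(title, idx)
    return kept, duplicates


# Constructed exports: sources, titles and DOIs are placeholders made up for this example
EXPORTS = [
    Ref("Scopus", "Cybersecurity of Critical Infrastructures: A Survey", "10.1000/example.001"),
    Ref("Web of Science", "CYBERSECURITY OF CRITICAL INFRASTRUCTURES: A SURVEY",
        "https://doi.org/10.1000/EXAMPLE.001", has_pdf=True),
    Ref("Engineering Village", "Cybersecurity of critical infrastructures – a survey."),
    Ref("Google Scholar", "Information security governance for operational technologies"),
    Ref("Scopus", "Information Security Governance for Operational Technologies", "10.1000/example.002"),
    Ref("Web of Science", "Resilience metrics for power grids", "10.1000/example.003"),
    Ref("Engineering Village", "Resilience metrics for power grids", "10.1000/example.003"),
]


if __name__ == "__main__":
    kept, dups = remove_duplicates(EXPORTS)
    print(f"{len(EXPORTS)} exported, {dups} duplicates, {len(kept)} unique works")
    for r in kept:
        print(f"  [{r.source}] {r.title} (pdf attached: {r.has_pdf})")
```

The title fallback is what makes the DOI-less Engineering Village and Google Scholar rows fold into their Scopus and Web of Science twins; matching on DOI alone would have left them as separate entries.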
The results are then submitted to a first review, looking only at the title of the articles and the abstract. This is done to quickly ensure articles are relevant and ready to be used for the next steps. In the example described here, 20 articles are removed as they did not indicate a link to the research subject. This step is also an opportunity to help identify terms and keywords that may become useful later in the process. These should be noted, as is done in this project in the list presented here:
critical infrastructure
public utilities (power grid, electricity production, nuclear power generation plant, wind turbines, gas distribution network, drinking water production and distribution)
From there, a reference mapping tool is used to again try to ensure that all the important references are found and included in the project. The web tool LitMap was chosen for this project (https://app.litmaps.co/) and a BibTeX file export of the articles remaining after the triage step is imported.
Figure 1: LitMap graph
The LitMap tool then suggests new articles, which are potentially relevant based on what is there. It also allows the research team to get a visual outlook of the literature, helping them to get a better understanding of what is there and helping to identify the evolution of knowledge in this field, the connections in the literature and significant articles that are more connected to the corpus of knowledge.
Using LitMap, it is possible to identify additional relevant articles that are connected to the journal articles resulting from the previous steps. Several factors may come into play in determining relevance, such as shared references, keywords, authors, and themes. The Run Explore feature of LitMap produces a list of these suggested articles. By looking at their title and abstract, it can be determined if they should be added. Generally, articles that appear most likely to add value to the work should be added at this point. Articles published earlier than the date limit determined at step 3 should also be added if they are highly cited and relevant, as they may be a key source with a high impact in the research domain. Figure 2 gives an example of the Explore function of LitMap.
Figure 2: Explore function of LitMap
By using this feature of LitMap and refreshing after adding a few articles to the map, it is possible to add many other relevant articles that are highly connected to this map. An example is presented in figure 3. In the search performed in this article, after a few cycles of adding and refreshing, the map grew to 171 articles.
Following the previous step, a group of articles to be used in the literature review is identified. Using the export map to BibTeX functionality in LitMap will produce a file that can then be imported into a new library in Zotero. This library will contain all the articles. Depending on the options selected in the import and whether a new library collection is used, it may be necessary to remove duplicates if there are any. A good reason not to delete previous references, and to remove duplicates instead, is to take advantage of the full-text copies of the articles already included in the existing Zotero references. Keeping these will save time in the next step, when all the articles are retrieved.
As mentioned, some of the articles are already attached in Zotero, as they were included in previous steps. However, for the next steps, it is necessary to have copies of all the articles available. Performing a literature review involves reading the articles, so having a copy of them is an obvious necessity. The process of retrieving the articles may be done in different ways. The recommended way is to add a copy of the article directly into Zotero, using the Add a copy of a file option. This requires a local copy of the PDF file of the article to be downloaded, which can usually be done by selecting the reference and double-clicking on it in Zotero, which opens the article from the library's database. Do note that finding all the articles may take some time, depending on the number of articles. A ballpark estimate would be 5 to 10 minutes per missing reference. A PDF icon will appear next to articles that are added. In some cases, it may be necessary to copy the article title into a Google search, which generally makes it possible to find a link to access and download the article.
When saving a local copy of the article, using a standardized file-naming pattern will make later identification possible. Any scheme is fine as long as it is applied consistently throughout the project and the team. After a thorough search, articles that cannot be located should be removed, provided they are few, as they would not be useful for the next steps.
Once all the articles have been downloaded, a more in-depth review can be made to assess their relevance. This step could be done by a team of researchers with the assistance of students. It requires that inclusion and exclusion criteria be identified. At this point there should be enough domain knowledge to make this feasible. If the number of articles is not too large, it might be acceptable to omit this step. As presented later in this article, a strategy that might be considered is to perform a review by looking at the abstracts only to assess relevance for inclusion or exclusion. Then a review can be performed by reading more comprehensive machine-generated summaries. This would be followed by reading the full articles that make it through the process.
Using the final selection of articles, this step requires one of two strategies: read or automate. Reading involves, as the word implies, that the articles be read, that key information be highlighted and that notes be taken, using Zotero or another tool, such as Microsoft OneNote, that team members are familiar with. Automation would involve using natural language processing (NLP), perhaps by writing Python code for this purpose. Much analysis can also be done with R Studio, applying document analysis capabilities that are well documented online. Other strategies involve using specialized off-the-shelf document analysis tools or bibliometric tools, which can be purchased. This article makes no specific recommendation here, as there are too many factors at play in determining the best strategy, but further steps that can be used are presented in an upcoming section. Students or new researchers would be better off reading the articles and preparing notes to learn and experiment with the process.
Once all the steps are completed, it becomes possible to use the material for the intended purpose, such as writing a literature review or performing further analysis, as presented in an upcoming section of this article. The next section demonstrates an example of the application of this method on a different topic, IT compliance management.
This section presents an example of the application of the process that is described in the previous part of this article. It is done by applying the various steps for a research project on IT compliance management.
Removed unrelated documents: tax compliance, customs risk and compliance, environmental compliance, healthcare-related compliance, such as medication or treatment, Occupational Safety and Health Administration (OSHA) compliance
Removed: articles not in English
Removed: articles that did not appear to be at an appropriate level or that were too basic to be considered scientific.
At this point all the documents are merged into a single Zotero collection, a last review for duplicates is performed, all PDF files are located, and article summaries are added when not present. A few articles are removed as it is not possible, after many attempts using different sources, to locate a PDF version of the article. In the end, 107 articles remained for analysis. A list of the remaining articles is presented in appendix A.
The first part of this article presented a method to be used to identify journal articles and scientific literature that can be used in scientific research. The second part presented an example that concerned IT compliance management. As mentioned, getting started on a literature review for a research project can often be a difficult task for individuals starting in empirical research and new graduate students. These are the prime targets for this article. In the next sections we will propose different tools and strategies to accelerate the process. It should be mentioned that some of the proposed approaches could be misused and produce results that could be considered plagiarism or academic fraud. Any use of the material in a dissertation needs to be discussed with research advisors and ethical concerns investigated. However, the authors of this article believe that using tools to assist in research can be very beneficial, when done appropriately.
The final part presents a few strategies that can be used to assist in the literature search process. The first strategy proposes to use some tools to automate the creation of expanded text summaries that may be helpful to evaluate the usefulness of documents in more depth than the summaries provided by the authors. The second and third strategies use R Studio to perform bibliometric analysis of the documents to help gather initial insights into the corpus of knowledge that was assembled, to help accelerate the initial phases of research.
To accelerate the review of many articles, tools can be used, as mentioned in step 11. In this article, wordtune read (https://app.wordtune.com/read) is used to produce this initial analysis. A similar result can also be achieved by using Python code with machine learning libraries. However, a quicker approach is preferred, using an off-the-shelf solution. With this tool, once all the PDF versions of the articles have been located, as presented in step 10, they can simply be dragged and dropped from Zotero onto wordtune read to generate an initial summary. This summary can then be copied back into the notes section of Zotero, associated with the article. While an initial selection is made by reading the abstracts, this summary can then be used to perform a further review and selection. Of course, readers need to be reminded that this summary should not be used as-is to create an assignment, an article or material intended for publication.
The process to generate an automated summary:
Select a citation in Zotero
Open the tab
Right-click on the PDF file and select Locate document
Drag-and-drop the PDF file on wordtune read
Wait for the summary to be created
Use the Copy All option in wordtune
Create a new note
Give the note a title, such as wordtune summary, to avoid misuse later
Paste the summary into the note
Once summaries of articles are produced, they can be used to perform a second level of review, remembering that the first review is done by reading the author's abstract, available from the publisher. Using the wordtune-produced abstract provides further material to determine the relevance of the article for the study. As well, at this stage, a checklist of inclusion and exclusion criteria can be created to help the process. Eventually, Python and NLP could be used to perform a selection based on the summary, should there be too many articles to review manually with the available human resources in the project.
There are many different bibliometric approaches that can be useful to help get started. Keeping in mind that the primary audience for the authors of this article are in the Science, Technology, Engineering and Math (STEM) fields, the use of a statistical analysis tool called R-Studio is proposed. Using text analysis tools can help identify more significant references that can emerge from the documents identified previously. An example, with sample code, is presented. The article does not go into the installation and configuration of R Studio, which can easily be performed using information found online.
Statistical article analysis
The first analysis that is presented in this article consists of using R-Studio to investigate the most significant keywords that can be found in the corpus of documents that is put together from the process described earlier. From these, after generating the automated summaries desca few
The code used is:
# This R script is used to analyse large volumes of PDF files
# Created by Dr Marc-André Léger
# This version 28 June 2022
# This is the output Excel file name
excel_out <- "words_analysis_102.xlsx"
# load the required libraries
library(xlsx)
require(pdftools) # reads pdf documents
require(tm)       # text mining analysis; stemming = TRUE below also needs the SnowballC package
# get all the files
files <- list.files("documents", pattern = "pdf$", full.names = TRUE, recursive = TRUE)
opinions <- lapply(files, pdf_text)
length(opinions)         # make sure how many files are loaded
lapply(opinions, length) # and the length in pages of each PDF file
# create a PDF database for the wordcloud and the stemmed analysis
pdfdatabase <- Corpus(URISource(files), readerControl = list(reader = readPDF))
pdfdatabase <- tm_map(pdfdatabase, removePunctuation, ucp = TRUE)
opinions.tdm <- TermDocumentMatrix(pdfdatabase,
  control = list(removePunctuation = TRUE, stopwords = TRUE, tolower = TRUE,
                 stemming = FALSE, removeNumbers = TRUE, bounds = list(global = c(3, Inf))))
inspect(opinions.tdm[10:20, ]) # examine 10 words at a time across documents
opinionstemmed.tdm <- TermDocumentMatrix(pdfdatabase,
  control = list(removePunctuation = TRUE, stopwords = TRUE, tolower = TRUE,
                 stemming = TRUE, removeNumbers = TRUE, bounds = list(global = c(3, Inf))))
inspect(opinionstemmed.tdm[10:20, ]) # examine 10 words at a time across documents
# prepare the word matrix
ft <- findFreqTerms(opinions.tdm, lowfreq = 100, highfreq = Inf)
as.matrix(opinions.tdm[ft, ])
ft.tdm <- as.matrix(opinions.tdm[ft, ])
df <- sort(apply(ft.tdm, 1, sum), decreasing = TRUE)
# prepare the word matrix for the word analysis
ft2 <- findFreqTerms(opinionstemmed.tdm, lowfreq = 100, highfreq = Inf)
as.matrix(opinionstemmed.tdm[ft2, ])
ft2.tdm <- as.matrix(opinionstemmed.tdm[ft2, ])
df2 <- sort(apply(ft2.tdm, 1, sum), decreasing = TRUE)
#print(ft.tdm) # this might be used for debugging
#print(df)     # this might be used for debugging
# save the results
output1 <- data.frame(df)
output2 <- data.frame(ft.tdm)
output3 <- data.frame(df2)
output4 <- data.frame(ft2.tdm)
# then export them to an Excel file
tmp1 <- write.xlsx(output1, excel_out, sheetName = "Articles", col.names = TRUE, row.names = TRUE, append = FALSE)
tmp2 <- write.xlsx(output2, excel_out, sheetName = "Words", col.names = TRUE, row.names = TRUE, append = TRUE)
tmp3 <- write.xlsx(output3, excel_out, sheetName = "Articles_Stemmed", col.names = TRUE, row.names = TRUE, append = TRUE)
tmp4 <- write.xlsx(output4, excel_out, sheetName = "Words_Stemmed", col.names = TRUE, row.names = TRUE, append = TRUE)
This example makes it possible to produce an Excel file with the results from the documents that have been identified. Table x presents the ten most frequent words from the documents.
| Word | Occurrences |
| --- | --- |
| compliance | 7770 |
| information | 3753 |
| security | 3475 |
| management | 3195 |
| business | 3185 |
| process | 3185 |
| data | 2343 |
| can | 2284 |
| research | 2218 |
| model | 2087 |

Table x: The ten most frequent words from the documents
From there, further analysis in Excel, selecting the most relevant words in stemmed form, makes it possible to create insights that help identify the documents most likely to bring significant insights to the project. The results of this inquiry are presented in table x.
| Reference | complianc | secur | risk | control | audit | govern | noncompli | cybersecur | Relevance |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Hashmi2018d | 682 | 29 | 43 | 83 | 50 | 22 | 25 | 0 | 934 |
| Akhigbe2019 | 253 | 32 | 2 | 2 | 0 | 19 | 0 | 0 | 308 |
| Ali2021 | 249 | 476 | 9 | 43 | 0 | 7 | 119 | 4 | 907 |
| Rinderle.Ma2022 | 234 | 3 | 19 | 20 | 6 | 1 | 1 | 0 | 284 |
| Castellanos2022 | 231 | 15 | 9 | 21 | 4 | 9 | 2 | 6 | 297 |
| Hashmi2018c | 227 | 4 | 3 | 9 | 11 | 2 | 11 | 0 | 267 |
| Haelterman2020 | 222 | 9 | 82 | 55 | 9 | 11 | 1 | 0 | 389 |
| Yazdanmehr2020 | 220 | 90 | 5 | 39 | 0 | 2 | 13 | 0 | 369 |
| Cabanillas2020 | 200 | 3 | 2 | 61 | 5 | 5 | 1 | 0 | 277 |
| Usman2020 | 198 | 7 | 3 | 0 | 0 | 3 | 1 | 0 | 212 |
| Mustapha2018 | 193 | 2 | 19 | 32 | 2 | 2 | 0 | 0 | 250 |
| Mustapha2020 | 190 | 7 | 1 | 26 | 1 | 3 | 1 | 0 | 229 |
| Meissner2018 | 187 | 6 | 30 | 8 | 3 | 14 | 7 | 0 | 255 |
| Kim2020 | 187 | 4 | 19 | 11 | 1 | 4 | 4 | 0 | 230 |
| Konig2017 | 173 | 71 | 2 | 26 | 3 | 0 | 5 | 0 | 280 |
| Mubarkoot2021 | 166 | 38 | 7 | 5 | 7 | 16 | 2 | 0 | 241 |
| Gorgon2019 | 159 | 7 | 145 | 20 | 8 | 30 | 6 | 0 | 375 |
| Donalds2020 | 149 | 295 | 13 | 7 | 0 | 3 | 1 | 77 | 545 |
| Cheng2018 | 143 | 40 | 6 | 38 | 21 | 5 | 2 | 0 | 255 |
| Chen2018 | 138 | 197 | 2 | 44 | 0 | 2 | 1 | 0 | 384 |
| Lin2022 | 132 | 0 | 28 | 2 | 1 | 45 | 17 | 0 | 225 |
| Huising2021 | 129 | 3 | 21 | 18 | 18 | 85 | 2 | 0 | 276 |
| Alqahtani2021 | 129 | 197 | 6 | 2 | 0 | 14 | 4 | 10 | 362 |
| Jin2021 | 125 | 4 | 72 | 4 | 2 | 0 | 1 | 0 | 208 |
| Banuri2021 | 123 | 2 | 11 | 8 | 21 | 4 | 3 | 0 | 172 |
| Alotaibi2019 | 119 | 199 | 3 | 6 | 0 | 3 | 44 | 0 | 374 |
| Pathania2019 | 118 | 19 | 1 | 4 | 0 | 0 | 0 | 0 | 142 |
| Asif2019 | 117 | 1 | 6 | 4 | 14 | 27 | 3 | 0 | 172 |
| Hendra2021 | 112 | 5 | 8 | 3 | 1 | 3 | 3 | 0 | 135 |
| Pand2020 | 112 | 4 | 10 | 0 | 5 | 3 | 72 | 0 | 206 |
| Hashmi2018b | 110 | 3 | 6 | 3 | 0 | 2 | 1 | 0 | 125 |
| Arogundade2020 | 109 | 2 | 13 | 27 | 1 | 1 | 0 | 0 | 153 |
| Niedzela2021 | 108 | 7 | 18 | 13 | 9 | 1 | 9 | 0 | 165 |
| Petersson2021 | 93 | 158 | 9 | 4 | 0 | 4 | 31 | 0 | 299 |
| Rahmouni2021 | 84 | 30 | 5 | 35 | 60 | 6 | 3 | 3 | 226 |
| Nietsch2018 | 84 | 4 | 28 | 20 | 3 | 26 | 8 | 0 | 173 |
| Wang2020 | 82 | 2 | 25 | 12 | 284 | 6 | 11 | 0 | 422 |
| Hanrahan2021 | 78 | 51 | 93 | 9 | 0 | 20 | 1 | 0 | 252 |
| Moody2018 | 77 | 245 | 9 | 79 | 0 | 1 | 9 | 0 | 420 |
| DArcy2019 | 75 | 94 | 2 | 23 | 0 | 1 | 6 | 0 | 201 |
| Corea2020 | 73 | 0 | 0 | 3 | 5 | 3 | 1 | 0 | 85 |
| Cunha2021 | 69 | 8 | 3 | 6 | 1 | 0 | 1 | 1 | 89 |
| Dai2021 | 68 | 0 | 1 | 38 | 4 | 7 | 5 | 0 | 123 |
| Koohang2020 | 67 | 104 | 4 | 9 | 0 | 2 | 0 | 0 | 186 |
| Bussmann2019 | 67 | 0 | 7 | 27 | 0 | 2 | 1 | 0 | 104 |
| Asif2020 | 64 | 1 | 24 | 4 | 15 | 35 | 13 | 0 | 156 |
| Koohang2020 | 61 | 112 | 4 | 9 | 0 | 0 | 0 | 1 | 187 |
| Winter2020 | 60 | 3 | 0 | 1 | 0 | 0 | 1 | 0 | 65 |
| Torre2019 | 57 | 9 | 2 | 24 | 1 | 0 | 1 | 0 | 94 |
| Cammelli2022 | 50 | 5 | 10 | 5 | 16 | 22 | 19 | 0 | 127 |
| Ragulina2019 | 48 | 1 | 1 | 3 | 1 | 10 | 0 | 0 | 64 |
| Barlow2018 | 46 | 224 | 5 | 9 | 0 | 1 | 11 | 0 | 296 |
| Scope2021 | 45 | 8 | 2 | 4 | 2 | 13 | 1 | 0 | 75 |
| Salguero.Caparros2020 | 45 | 0 | 17 | 6 | 3 | 1 | 14 | 0 | 86 |
| Gaur2019 | 44 | 2 | 36 | 10 | 2 | 12 | 3 | 0 | 109 |
| Becker2019 | 43 | 2 | 27 | 3 | 2 | 2 | 6 | 0 | 85 |
| Hashmi2018 | 40 | 128 | 8 | 16 | 4 | 6 | 0 | 0 | 202 |
| Lembcke2019 | 38 | 74 | 2 | 9 | 0 | 0 | 1 | 0 | 124 |
| Painter2019 | 38 | 0 | 23 | 9 | 13 | 17 | 0 | 0 | 100 |
| Norimarna2021 | 34 | 0 | 70 | 6 | 2 | 44 | 0 | 1 | 157 |
| Ophoff2021 | 34 | 106 | 2 | 0 | 2 | 4 | 56 | 15 | 219 |
| Becker2020 | 30 | 0 | 28 | 9 | 0 | 3 | 0 | 2 | 72 |
| Sackmann2018 | 23 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 24 |
| Pudijanto2021 | 22 | 3 | 21 | 6 | 126 | 17 | 0 | 0 | 195 |
| Culot2021 | 19 | 112 | 23 | 28 | 7 | 33 | 0 | 16 | 238 |
| Pankowska2019 | 13 | 7 | 40 | 32 | 0 | 26 | 0 | 0 | 118 |
| Johannsen2020 | 10 | 33 | 8 | 2 | 0 | 8 | 0 | 1 | 62 |
| Mukhopadhyay2019 | 10 | 172 | 99 | 16 | 6 | 10 | 1 | 1 | 315 |
| Widjaya2019 | 9 | 23 | 4 | 7 | 3 | 28 | 0 | 0 | 74 |
| Hofman2018 | 6 | 0 | 1 | 1 | 0 | 5 | 3 | 0 | 16 |
| Al.Anzi2014 | 6 | 62 | 7 | 14 | 2 | 5 | 0 | 0 | 96 |
| Na2019 | 2 | 141 | 19 | 4 | 0 | 7 | 0 | 1 | 174 |
| Jensen1976 | 1 | 17 | 28 | 29 | 2 | 6 | 0 | 0 | 83 |
| Offerman2017 | 1 | 0 | 0 | 1 | 0 | 6 | 0 | 0 | 8 |
| Costa2016 | 0 | 0 | 0 | 3 | 0 | 0 | 0 | 0 | 3 |
| Alshehri2019 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 7760 | 3723 | 1321 | 1179 | 769 | 747 | 569 | 139 | 16207 |
| Document count | 74 | 64 | 70 | 71 | 47 | 65 | 53 | 14 | 76 |
What the data from table x reveals is the significance of certain articles in relation to the research subject, as well as in relation to the different terms of interest for the project. In the table, the first column contains the occurrences of the stem variations on compliance in the articles; this includes compliance and the many variations on that word stem. As this is the main topic of our inquiry, it is logical that it is the most frequent term. As well, the document with the highest count of the word compliance also has a high frequency of the other keywords that are highly correlated with our research subject. The occurrences of the significant keywords are summed in the last column, relevance, which indicates the relative importance of a particular article for the research subject. The combination of the highest count of the most important keyword for our project and the highest relevance across all the keywords marks this document as having a high potential of being very relevant for our project. It should be a high priority on our reading list for the project.
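The Excel step described above (selecting the keyword stems, summing them into a relevance score, and ranking the documents) can be done in R directly on the stemmed term-document matrix. The script below is an added example and is not part of the original scripts; the functions `keyword_counts` and `rank_by_relevance` are names chosen here. It assumes `opinionstemmed.tdm` from the analysis script when run on a real corpus; so that it runs without the PDF corpus, it embeds a constructed sample matrix whose five rows are copied from the table above. It also handles one edge case the Excel route hides: a stem that never reached the frequency bound (and is therefore absent from the matrix) is kept as an all-zero column rather than silently dropped.

```r
# Added example (not from the original scripts): score and rank documents by keyword
# stems, reproducing the Relevance, Total and Document count rows of the table in R.
library(tm)

# keyword stems of interest, as they appear in the stemmed term-document matrix
keywords <- c("complianc", "secur", "risk", "control", "audit", "govern", "noncompli", "cybersecur")

# Build a document-by-keyword count matrix from a stemmed TermDocumentMatrix such as
# opinionstemmed.tdm. Stems absent from the matrix (below the frequency bound) become
# all-zero columns so the column layout stays stable between corpora.
keyword_counts <- function(tdm, keywords) {
  present <- intersect(keywords, Terms(tdm))
  counts <- matrix(0, nrow = nDocs(tdm), ncol = length(keywords),
                   dimnames = list(Docs(tdm), keywords))
  if (length(present) > 0) {
    counts[, present] <- t(as.matrix(tdm[present, ]))
  }
  counts
}

# Relevance is the sum of keyword occurrences per document. Documents are ranked by
# relevance, ties broken by the main topic stem (the first keyword). Two summary rows
# are appended: total occurrences per stem, and the number of documents containing the
# stem at least once (for the Relevance column, the number of documents scored).
rank_by_relevance <- function(counts) {
  relevance <- rowSums(counts)
  ranked <- data.frame(counts, Relevance = relevance, check.names = FALSE)
  ranked <- ranked[order(-ranked$Relevance, -ranked[[1]]), ]
  total <- c(colSums(counts), sum(relevance))
  doc_count <- c(colSums(counts > 0), nrow(counts))
  summary_rows <- rbind(Total = total, "Document count" = doc_count)
  rbind(ranked, as.data.frame(summary_rows))
}

# Constructed sample: five rows taken from the table in the text, so the example runs
# without the PDF corpus. With the real corpus use keyword_counts(opinionstemmed.tdm, keywords).
sample_counts <- matrix(c(
  682,  29, 43, 83, 50, 22,  25,  0,   # Hashmi2018d
  253,  32,  2,  2,  0, 19,   0,  0,   # Akhigbe2019
  249, 476,  9, 43,  0,  7, 119,  4,   # Ali2021
  149, 295, 13,  7,  0,  3,   1, 77,   # Donalds2020
    0,   0,  0,  0,  0,  0,   0,  0),  # Alshehri2019
  ncol = length(keywords), byrow = TRUE,
  dimnames = list(c("Hashmi2018d", "Akhigbe2019", "Ali2021", "Donalds2020", "Alshehri2019"), keywords))

ranked <- rank_by_relevance(sample_counts)
print(ranked)

# The ranked table can be added to the same workbook as the other results:
# write.xlsx(ranked, excel_out, sheetName = "Relevance", col.names = TRUE, row.names = TRUE, append = TRUE)
```

On the sample rows the ranking comes out as in the table: Hashmi2018d (934) first, then Ali2021 (907), Donalds2020 (545), Akhigbe2019 (308) and Alshehri2019 (0), with the zero-relevance document still listed so that it can be excluded deliberately rather than lost.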
Wordcloud
Wordclouds present a graphical representation of the most significant words that appear in the corpus of documents, the relative size of each word representing its frequency across all of the documents. The code used is:
# This R script is used to create a wordcloud from PDF files
# Created by Dr Marc-André Léger
# This version 28 June 2022

# uncomment in this section if not already installed
# install.packages("wordcloud")
# install.packages("RColorBrewer")
# install.packages("wordcloud2")

# load the required libraries
library("wordcloud")
library("wordcloud2")
library("RColorBrewer")
require(pdftools) # reads pdf documents
require(tm) # text mining analysis

# get all the files
files <- list.files("documents", pattern = "pdf$", full.names = TRUE, recursive = TRUE)
opinions <- lapply(files, pdf_text)
length(opinions) # make sure how many files are loaded
lapply(opinions, length) # and the length in pages of each PDF file

# create a PDF database for the wordcloud and the stemmed analysis
pdfdatabase <- Corpus(URISource(files), readerControl = list(reader = readPDF))
pdfdatabase <- tm_map(pdfdatabase, removePunctuation, ucp = TRUE)
opinions.tdm <- TermDocumentMatrix(pdfdatabase, control = list(removePunctuation = TRUE, stopwords = TRUE, tolower = TRUE, stemming = FALSE, removeNumbers = TRUE, bounds = list(global = c(3, Inf))))

# prepare the word matrix for the wordcloud
ft <- findFreqTerms(opinions.tdm, lowfreq = 100, highfreq = Inf)
ft.tdm <- as.matrix(opinions.tdm[ft, ])
freq1 <- apply(ft.tdm, 1, sum) # total occurrences of each frequent term

# finally the wordcloud
set.seed(1234) # fixed seed so the layout is reproducible
wordcloud(words = ft, freq = freq1, min.freq = 10, max.words = 200, random.order = FALSE, rot.per = 0.35, colors = brewer.pal(8, "Dark2"))
In this example, the un-stemmed version of the words is used to provide more readable results. This can be helpful in presenting the research or for communications on the research topic. Another use is to confirm the choices made in identifying the keywords used for the literature review, or to help validate the corpus in relation to the research topic: the wordcloud should show that the most frequent words align with the research topic. The result can be seen in figure 4.
Further analysis of the corpus of documents can be performed to gather additional insights into the research subject. Bibliometric analysis makes it possible to better understand the links between the documents, the authors, and the research field. What is proposed is the use of a bibliometric analysis tool called Bibliometrix, available online at https://www.bibliometrix.org/home/. Other tools, such as Quanteda, can also be used for this purpose. For novice researchers, Bibliometrix has a graphical user interface, called BiblioShiny, which is documented online. Some examples of the information that can be extracted with this tool are presented in this article; more information on how to get the full benefit of the tool is available online.
In the example below, the scopus.bib and wos.bib files from step are used. After starting RStudio, the following instructions start BiblioShiny:
library(bibliometrix) # load bibliometrix package
biblioshiny() # start the graphical user interface
Figure 5 shows the graphical user interface with the Scopus data loaded from an earlier example on compliance. This is done through Data – Load Data. The data can then be used to help validate the information identified. The Overview – Main Information menu provides a better overview of the data, as shown in figure 6.
Figure 5: Bibliometrix Shiny graphical interface
Figure 6 shows that there are 530 different sources, covering a timespan from 1973 to 2022. In the earlier analysis, data from 2018 to 2022 was used to focus on recent sources of scientific data on the research topic. This shows that Scopus contains articles on this topic going back to 1973. Further investigation, using Google Scholar, shows the evolution of the domain.
Figure 6: overview of the data
A scan of Google Scholar, Scopus and Web of Science citations is presented in figure 7. It indicates a surge in publications around 1999-2000. This makes sense to those familiar with the domain, as anecdotal evidence suggests a significant increase in interest in the topic of compliance since that period, when a few well-known financial scandals brought it to the forefront. There has also been a significant increase in Governance, Risk and Compliance issues since then.
By exploiting the data and using the different reports, further insights can be gathered. We can identify the most cited authors, presented in table x. When using the source material, these authors should be included. Of course, the articles need to be reviewed and taken in context, but material from these authors should be prioritized.
| Author | Citations |
| --- | --- |
| GOVERNATORI G | 172 |
| HINA S | 162 |
| DOMINIC DD | 161 |
| HASHMI M | 146 |
| SOMMESTAD T | 103 |
| HALLBERG J | 92 |
| KUMAR A | 89 |
| RINDERLE-MA S | 86 |
| BUKSA I | 78 |
| RUDZAJS P | 78 |
Table x shows the most cited articles. Here as well, these articles show a high potential of being very important to this field of enquiry. This should be confirmed by reading the articles, but they need to be included in the next phases of the literature review.
| Document | Year | Local Citations | Global Citations |
| --- | --- | --- | --- |
| BULGURCU B, 2010, MIS QUART MANAGE INF SYST | 2010 | 161 | 1076 |
| HERATH T, 2009, EUR J INF SYST | 2009 | 120 | 788 |
| HERATH T, 2009, DECIS SUPPORT SYST | 2009 | 83 | 534 |
| IFINEDO P, 2012, COMPUT SECUR | 2012 | 78 | 435 |
| VANCE A, 2012, INF MANAGE | 2012 | 71 | 417 |
| SIPONEN M, 2014, INF MANAGE | 2014 | 61 | 290 |
| SADIQ S, 2007, LECT NOTES COMPUT SCI | 2007 | 60 | 306 |
| PAHNILA S, 2007, PROC ANNU HAWAII INT CONF SYST SCI | | | |
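The BiblioShiny steps described above (loading the Scopus and Web of Science exports, reading the Overview – Main Information summary, listing the most cited authors and the most cited articles with their local and global citations) can also be scripted, which makes the two tables reproducible when the corpus is refreshed. The script below is an added example and not part of the original text or of the Bibliometrix project; the function name `load_corpus` is chosen here, and it assumes the scopus.bib and wos.bib exports named in the text are in the working directory.

```r
# Added example (not from the original text): the Biblioshiny workflow as a script.
library(bibliometrix)

# Read each database export into a bibliometrix data frame and merge them, removing
# records present in both databases so they are not counted twice.
# Assumes scopus.bib and wos.bib (the exports named in the text) are in the working directory.
load_corpus <- function(scopus_file = "scopus.bib", wos_file = "wos.bib") {
  scopus <- convert2df(scopus_file, dbsource = "scopus", format = "bibtex")
  wos <- convert2df(wos_file, dbsource = "wos", format = "bibtex")
  mergeDbSources(scopus, wos, remove.duplicated = TRUE)
}

M <- load_corpus()

# Equivalent of Overview - Main Information: sources, timespan, document types, authors.
results <- biblioAnalysis(M, sep = ";")
summary(results, k = 10, pause = FALSE)

# Most cited authors: citations received by each author across the reference lists
# of the corpus (the Author / Citations table in the text).
cited_authors <- citations(M, field = "author", sep = ";")
head(cited_authors$Cited, 10)

# Most cited documents: local citations (LCS, citations from within the corpus) next
# to global citations (GCS), as in the Document / Local Citations / Global Citations table.
local <- localCitations(M, sep = ";")
top_papers <- local$Papers[order(-local$Papers$LCS), ]
head(top_papers, 10)
```

Keeping the merge step explicit matters when the two exports overlap: without `remove.duplicated = TRUE`, an article present in both Scopus and Web of Science would inflate both its own citation counts and the counts of the works it cites.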
Aria M, Cuccurullo C (2017). “bibliometrix: An R-tool for comprehensive science mapping analysis.” Journal of Informetrics, 11(4), 959-975. https://doi.org/10.1016/j.joi.2017.08.007.
Abbasipour, M., Khendek, F., & Toeroe, M. (2018). Trigger correlation for dynamic system reconfiguration. Proceedings of the ACM Symposium on Applied Computing, 427‑430. https://doi.org/10.1145/3167132.3167383
Afrifah, W., Epiphaniou, G., Ersotelos, N., & Maple, C. (2022). Barriers and opportunities in cyber risk and compliance management for data-driven supply chains.
Akhigbe, O., Amyot, D., & Richards, G. (2019). A systematic literature mapping of goal and non-goal modelling methods for legal and regulatory compliance. Requirements Engineering, 24(4), 459‑481. https://doi.org/10.1007/s00766-018-0294-1
Ali, R. F., Dominic, P. D. D., Ali, S. E. A., Rehman, M., & Sohail, A. (2021). Information security behavior and information security policy compliance : A systematic literature review for identifying the transformation process from noncompliance to compliance. Applied Sciences, 11(8), 3383.
Alotaibi, M. J., Furnell, S., & Clarke, N. (2019). A framework for reporting and dealing with end-user security policy compliance. 27(1), 2‑25. https://doi.org/10.1108/ICS-12-2017-0097
Alqahtani, M., & Braun, R. (2021). Reviewing influence of UTAUT2 factors on cyber security compliance : A literature review. Journal of Information Assurance & Cyber security.
Alshammari, S. T., Alsubhi, K., Aljahdali, H. M. A., & Alghamdi, A. M. (2021). Trust Management Systems in Cloud Services Environment : Taxonomy of Reputation Attacks and Defense Mechanisms. IEEE Access, 9. https://doi.org/10.1109/ACCESS.2021.3132580
Alshehri, F., Kauser, S., & Fotaki, M. (2019). Muslims’ View of God as a Predictor of Ethical Behaviour in Organisations : Scale Development and Validation. Journal of Business Ethics, 158(4), 1009‑1027. https://doi.org/10.1007/s10551-017-3719-8
Antonucci, Y. L., Fortune, A., & Kirchmer, M. (2021). An examination of associations between business process management capabilities and the benefits of digitalization : All capabilities are not equal. Business Process Management Journal, 27(1), 124‑144. https://doi.org/10.1108/BPMJ-02-2020-0079
Arsenijević, O., Podbregar, I., Šprajc, P., Trivan, D., & Ziegler, Y. (2018). The Concept of Innovation of User Roles and Authorizations from View of Compliance Management. ORGANIZACIJA IN NEGOTOVOSTI V DIGITALNI DOBI ORGANIZATION AND UNCERTAINTY IN THE DIGITAL AGE, 747.
Asif, M. (2020). Supplier socioenvironmental compliance : A survey of the antecedents of standards decoupling. Journal of Cleaner Production, 246, 118956.
Asif, M., Jajja, M. S. S., & Searcy, C. (2019). Social compliance standards : Re-evaluating the buyer and supplier perspectives. Journal of Cleaner Production, 227, 457‑471.
Banuri, S. (2021). A Behavioural Economics Perspective on Compliance. Banuri, Sheheryar.
Barlow, J. B., Warkentin, M., Ormond, D., & Dennis, A. R. (2018). Don’t Even Think About It ! The Effects of Antineutralization, Informational, and Normative Communication on Information Security Compliance. Journal of the Association for Information Systems. https://doi.org/10.17705/1JAIS.00506
Becker, M., Merz, K., & Buchkremer, R. (2020). RegTech—the application of modern information technology in regulatory affairs : Areas of interest in research and practice. Intelligent Systems in Accounting, Finance and Management, 27(4), 161‑167. https://doi.org/10.1002/isaf.1479
Brandis, K., Dzombeta, S., Colomo-Palacios, R., & Stantchev, V. (2019). Governance, risk, and compliance in cloud scenarios. Applied Sciences (Switzerland), 9(2). https://doi.org/10.3390/app9020320
Bussmann, K. D., & Niemeczek, A. (2019). Compliance through company culture and values : An international study based on the example of corruption prevention. Journal of Business Ethics, 157(3), 797‑811.
Cabanillas, C., Resinas, M., & Ruiz-Cortes, A. (2020). A Mashup-based Framework for Business Process Compliance Checking. https://doi.org/10.1109/TSC.2020.3001292
Castellanos Ardila, J. P., Gallina, B., & Ul Muram, F. (2022). Compliance checking of software processes : A systematic literature review. Journal of Software: Evolution and Process, 34(5), e2440.
Chen, X., Chen, L., & Wu, D. (2018). Factors That Influence Employees’ Security Policy Compliance : An Awareness-Motivation-Capability Perspective. Journal of Computer Information Systems. https://doi.org/10.1080/08874417.2016.1258679
Cheng, D. C., Villamarin, J. B., Cu, G., & Lim-Cheng, N. R. (2018). Towards end-to-end continuous monitoring of compliance status across multiple requirements. 9(12), 456‑466. https://doi.org/10.14569/IJACSA.2018.091264
Cheng, D. C., Villamarin, J. B., Cu, G., & Lim-Cheng, N. R. (2019). Towards Compliance Management Automation thru Ontology mapping of Requirements to Activities and Controls. In S. Z. Abidin K.A.Z. Mohd M. (Ed.), Proceedings of the 2018 Cyber Resilience Conference, CRC 2018. Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/CR.2018.8626817
Coglianese, C., & Nash, J. (2020). Compliance Management Systems : Do they make a difference? Cambridge Handbook of Compliance (D. Daniel Sokol & Benjamin van Rooij eds., Cambridge University Press, Forthcoming), U of Penn, Inst for Law & Econ Research Paper, 20‑35.
Corea, C., & Delfmann, P. (2020). A Taxonomy of Business Rule Organizing Approaches in Regard to Business Process Compliance. Enterprise Modelling and Information Systems Architectures (EMISAJ). https://doi.org/10.18417/EMISA.15.4
Culot, G., Nassimbeni, G., Podrecca, M., & Sartor, M. (2021). The ISO/IEC 27001 information security management standard : Literature review and theory-based research agenda. The TQM Journal.
Cunha, V. H. C., Caiado, R. G. G., Corseuil, E. T., Neves, H. F., & Bacoccoli, L. (2021). Automated compliance checking in the context of Industry 4.0 : From a systematic review to an empirical fuzzy multi-criteria approach. Soft Computing, 25(8), 6055‑6074.
Dai, F. (2021). Labor control strategy in china : Compliance management practice in the socialist workplace. 21(3), 86‑101.
Danielis, P., Beckmann, M., & Skodzik, J. (2020). An ISO-Compliant Test Procedure for Technical Risk Analyses of IoT Systems Based on STRIDE. In A. S. I. Chan W.K. Claycomb B. ,. Takakura H. ,. Yang J. J. ,. Teranishi Y. ,. Towey D. ,. Segura S. ,. Shahriar H. ,. Reisman S. (Ed.), Proceedings—2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020 (p. 499‑504). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/COMPSAC48688.2020.0-203
D’Arcy, J., & Teh, P.-L. (2019). Predicting employee information security policy compliance on a daily basis : The interplay of security-related stress, emotions, and neutralization. Information & Management. https://doi.org/10.1016/J.IM.2019.02.006
Donalds, C. M., & Osei-Bryson, K.-M. (2020). Cybersecurity compliance behavior : Exploring the influences of individual decision style and other antecedents. International Journal of Information Management. https://doi.org/10.1016/J.IJINFOMGT.2019.102056
Ekanoye, F., & James, O. (2018). Global Market Access Regulations, Compliance Management in Developing Countries : A Brief Case Study of Three African Countries. 2018 IEEE Symposium on Product Compliance Engineering (SPCEB-Boston), 1‑6.
Fdhila, W., Rinderle-Ma, S., Knuplesch, D., & Reichert, M. (2020). Decomposition-based Verification of Global Compliance in Process Choreographies. Proceedings – 2020 IEEE 24th International Enterprise Distributed Object Computing Conference, EDOC 2020, 77‑86. https://doi.org/10.1109/EDOC49727.2020.00019
Gallina, B. (2020). A Barbell Strategy-oriented Regulatory Framework and Compliance Management. Communications in Computer and Information Science, 1251 CCIS, 696‑705. https://doi.org/10.1007/978-3-030-56441-4_52
Gaur, A., Ghosh, K., & Zheng, Q. (2019). Corporate social responsibility (CSR) in Asian firms : A strategic choice perspective of ethics and compliance management. 13(4), 633‑655. https://doi.org/10.1108/JABS-03-2019-0094
Ghiran, A.-M., Buchmann, R. A., & Osman, C.-C. (2018). Security requirements elicitation from engineering governance, risk management and compliance. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 10753 LNCS, 283‑289. https://doi.org/10.1007/978-3-319-77243-1_17
Gorgoń, M., Raczkowski, K., & Kraft, F. (2019). Compliance Risk Management in Polish and German Companies. Journal of Intercultural Management, 11(4), 115‑145.
Haelterman, H. (2020). Breaking Silos of Legal and Regulatory Risks to Outperform Traditional Compliance Approaches. European Journal on Criminal Policy and Research, 28(1), 19‑36. https://doi.org/10.1007/s10610-020-09468-x
Hanrahan, P., & Bednall, T. (2021). From Stepping-Stones to Throwing Stones : Officers’ Liability for Corporate Compliance Failures after Cassimatis. Federal Law Review, 49(3), 380‑409.
Hashmi, A., Ranjan, A., & Anand, A. (2018). Security and Compliance Management in Cloud Computing. International Journal of Advanced Studies in Computer Science and Engineering, 7(1), 47‑54.
Hashmi, M., Casanovas, P., & de Koker, L. (2018). Legal compliance through design : Preliminary results of a literature survey. TERECOM2018@JURIX, Technologies for Regulatory Compliance, http://ceur-ws.org, 2309, 06.
Hashmi, M., & Governatori, G. (2018). Norms modeling constructs of business process compliance management frameworks : A conceptual evaluation. Artificial Intelligence and Law, 26(3), 251‑305. https://doi.org/10.1007/s10506-017-9215-8
Hashmi, M., Governatori, G., Lam, H.-P., & Wynn, M. T. (2018). Are we done with business process compliance : State of the art and challenges ahead. Knowledge and Information Systems : An International Journal, 57(1), 79‑133. https://doi.org/10.1007/s10115-017-1142-1
Hendra, R. (2021). Comparative Review of the Latest Concept in Compliance Management & The Compliance Management Maturity Models. RSF Conference Series: Business, Management and Social Sciences, 1(5), 116‑124.
Hofmann, A. (2018). Is the Commission levelling the playing field? Rights enforcement in the European Union. Journal of European Integration, 40(6), 737‑751. https://doi.org/10.1080/07036337.2018.1501368
Huising, R., & Silbey, S. S. (2021). Accountability infrastructures : Pragmatic compliance inside organizations. Regulation & Governance, 15, S40‑S62.
Javed, M. A., Muram, F. U., & Kanwal, S. (2022). Ontology-Based Natural Language Processing for Process Compliance Management. Communications in Computer and Information Science, 1556 CCIS, 309‑327. https://doi.org/10.1007/978-3-030-96648-5_14
Jin, L., He, C., Wang, X., Wang, M., & Zhang, L. (2021). The effectiveness evaluation of system construction for compliance management in the electricity market. IOP Conference Series: Earth and Environmental Science. https://doi.org/10.1088/1755-1315/647/1/012024
Kavitha, D., & Ravikumar, S. (2021). Software Security Requirement Engineering for Risk and Compliance Management.
Koohang, A., Nord, J. H., Sandoval, Z. V., & Paliszkiewicz, J. (2020). Reliability, Validity, and Strength of a Unified Model for Information Security Policy Compliance. Journal of Computer Information Systems. https://doi.org/10.1080/08874417.2020.1779151
Koohang, A., Nowak, A., Paliszkiewicz, J., & Nord, J. H. (2020). Information Security Policy Compliance : Leadership, Trust, Role Values, and Awareness. Journal of Computer Information Systems. https://doi.org/10.1080/08874417.2019.1668738
Labanca, D., Primerano, L., Markland-Montgomery, M., Polino, M., Carminati, M., & Zanero, S. (2022). Amaretto : An Active Learning Framework for Money Laundering Detection. IEEE Access, 10. https://doi.org/10.1109/ACCESS.2022.3167699
Lahann, J., Scheid, M., & Fettke, P. (2019). Utilizing machine learning techniques to reveal VAT compliance violations in accounting data. In N. D. Becker J. (Ed.), Proceedings—21st IEEE Conference on Business Informatics, CBI 2019 (Vol. 1, p. 1‑10). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/CBI.2019.00008
Lembcke, T.-B., Masuch, K., Trang, S., Hengstler, S., Plics, P., & Pamuk, M. (2019). Fostering Information Security Compliance : Comparing the Predictive Power of Social Learning Theory and Deterrence Theory. americas conference on information systems.
Liu, B. (2021). Construction of enterprise compliance management and supervision system based on ADR mechanism in Internet Environment. Proceedings – 2021 International Conference on Management Science and Software Engineering, ICMSSE 2021, 314‑317. https://doi.org/10.1109/ICMSSE53595.2021.00073
Luo, M., Wu, C., & Chen, Y. (2019). Construction of ping an airport’s total risk monitoring indicator system. ICTIS 2019 – 5th International Conference on Transportation Information and Safety, 829‑832. https://doi.org/10.1109/ICTIS.2019.8883586
Meissner, M. H. (2018). Accountability of senior compliance management for compliance failures in a credit institution. Journal of Financial Crime.
Mohamed, A. A., El-Bendary, N., & Abdo, A. (2021). An Essential Intelligent Framework for Regulatory Compliance Management in the Public Sector : The Case of Healthcare Insurance in Egypt. Proceedings of the Computational Methods in Systems and Software, 397‑409.
Moody, G. D., Siponen, M. T., & Pahnila, S. (2018). Toward a Unified Model of Information Security Policy Compliance. Management Information Systems Quarterly. https://doi.org/10.25300/MISQ/2018/13853
Mubarkoot, M., & Altmann, J. (2021a). Software Compliance in different Industries : A Systematic Literature Review.
Mubarkoot, M., & Altmann, J. (2021b). Towards Software Compliance Specification and Enforcement Using TOSCA. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 13072 LNCS, 168‑177. https://doi.org/10.1007/978-3-030-92916-9_14
Mukhopadhyay, A., Chatterjee, S., Bagchi, K. K., Kirs, P. J., & Shukla, G. K. (2019). Cyber Risk Assessment and Mitigation (CRAM) Framework Using Logit and Probit Models for Cyber Insurance. Information Systems Frontiers : A Journal of Research and Innovation, 21(5), 997‑1018. https://doi.org/10.1007/s10796-017-9808-5
Mustapha, A. M., Arogundade, O. T., Misra, S., Damasevicius, R., & Maskeliunas, R. (2020). A systematic literature review on compliance requirements management of business processes. International Journal of System Assurance Engineering and Management, 11(3), 561‑576.
Mustapha, A. M., Arogundade, O. T., Vincent, O. R., & Adeniran, O. J. (2018). Towards a compliance requirement management for SMSEs : A model and architecture. 16(1), 155‑185. https://doi.org/10.1007/s10257-017-0354-y
Na, O., Park, L. W., Yu, H., Kim, Y., & Chang, H. (2019). The rating model of corporate information for economic security activities. Security Journal, 32(4), 435‑456. https://doi.org/10.1057/s41284-019-00171-z
Niedzela, L., Kuehnel, S., & Seyffarth, T. (2021). Economic Assessment and Analysis of Compliance in Business Processes : A Systematic Literature Review and Research Agenda.
Nietsch, M. (2018). Corporate illegal conduct and directors’ liability : An approach to personal accountability for violations of corporate legal compliance. Journal of Corporate Law Studies, 18(1), 151‑184. https://doi.org/10.1080/14735970.2017.1365460
Nizan Geslevich Packin. (2018). Regtech, Compliance and Technology Judgement Rule. Chicago-Kent Law Review, 93(1).
Norimarna, S. (2021). Conceptual Review : Compatibility of regulatory requirements of FSA to Insurance industry in Indonesia for Integrated GRC. RSF Conference Series: Business, Management and Social Sciences, 1(5), 105‑115.
Oosthuizen, A., van Vuuren, J., & Botha, M. (2020). Compliance or management : The benefits that small business owners gain from frequently sourcing accounting services. The Southern African Journal of Entrepreneurship and Small Business Management, 12(1). https://doi.org/10.4102/sajesbm.v12i1.330
Ophoff, J., & Renaud, K. (2021). Revealing the Cyber Security Non-Compliance « Attribution Gulf ». hawaii international conference on system sciences. https://doi.org/10.24251/HICSS.2021.552
Ozeer, U. (2021). ϕ comp : An Architecture for Monitoring and Enforcing Security Compliance in Sensitive Health Data Environment. Proceedings – 2021 IEEE 18th International Conference on Software Architecture Companion, ICSA-C 2021, 70‑77. https://doi.org/10.1109/ICSA-C52384.2021.00017
Painter, M., Pouryousefi, S., Hibbert, S., & Russon, J.-A. (2019). Sharing Vocabularies : Towards Horizontal Alignment of Values-Driven Business Functions. Journal of Business Ethics, 155(4), 965‑979. https://doi.org/10.1007/s10551-018-3901-7
Pang, S., Yang, J., Li, R., & Cao, J. (2020). Static Game Models and Applications Based on Market Supervision and Compliance Management of P2P Platform. 2020. https://doi.org/10.1155/2020/8869132
Pankowska, M. (2019). Information technology outsourcing chain : Literature review and implications for development of distributed coordination. Sustainability, 11(5), 1460.
Pathania, A., & Rasool, G. (2019). Investigating power styles and behavioural compliance for effective hospital administration : An application of AHP. International Journal of Health Care Quality Assurance.
Petersson, J., Karlsson, F., & Kolkowska, E. (2021). Information Security Policy Compliance—Eliciting Requirements for a Computerized Software to support Value-Based Compliance Analysis. Computers & Security. https://doi.org/10.1016/J.COSE.2021.102578
Petkevičienė, M. (2021). Compliance management development for C-level management in Lithuanian companies [Master’s Thesis].
Prakash, A. M., He, Q., & Zhong, X. (2019). Incentive-driven post-discharge compliance management for chronic disease patients in healthcare service operations. IISE Transactions on Healthcare Systems Engineering, 9(1), 71‑82. https://doi.org/10.1080/24725579.2019.1567630
Pudjianto, W. (2021). Process mining in governance, risk management, compliance (GRC) and auditing : A systematic literature review. Journal of Theoretical and Applied Information Technology, 99(18).
Ragulina, J. V. (2019). Compliance Approaches and Practices for Increasing Competitiveness of Industrial Enterprises : Current Research and Future Agenda. The International Scientific and Practical Forum “Industry. Science. Competence. Integration”, 903‑909.
Rahmouni, H., Munir, K., Essefi, I., Mont, M., & Solomonides, T. (2021). An Ontology-based Compliance Audit Framework for Medical Data Sharing across Europe. INTERNATIONAL ARAB JOURNAL OF INFORMATION TECHNOLOGY, 18(2), 158‑169. https://doi.org/10.34028/iajit/18/2/4
Ramachandran, G. S., Deane, F., Malik, S., Dorri, A., & Jurdak, R. (2021). Towards Assisted Autonomy for Supply Chain Compliance Management. Proceedings – 2021 3rd IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications, TPS-ISA 2021, 321‑330. https://doi.org/10.1109/TPSISA52974.2021.00035
Riehle, D. M. (2019). Checking Business Process Models for Compliance – Comparing Graph Matching and Temporal Logic. Lecture Notes in Business Information Processing, 342, 403‑415. https://doi.org/10.1007/978-3-030-11641-5_32
Rinderle-Ma, S., & Winter, K. (2022). Predictive Compliance Monitoring in Process-Aware Information Systems : State of the Art, Functionalities, Research Directions. arXiv preprint arXiv:2205.05446. https://doi.org/10.48550/arXiv.2205.05446
Sackmann, S., Kuehnel, S., & Seyffarth, T. (2018). Using business process compliance approaches for compliance management with regard to digitization : Evidence from a systematic literature review. International Conference on Business Process Management, 409‑425.
Keywords: Compliance, Compliance management, information security, cybersecurity
Abstract
This article presents the results of a systematic review of recent academic literature on cybersecurity compliance management. It proposes a working definition of cybersecurity compliance management as a process for the governance, oversight and tracking of how organizations comply with their cybersecurity, information security and data privacy obligations.
Introduction
It could seem obvious to readers that the timely availability of accurate information is critical to organizations. Because of this insatiable need for information, organizations also need appropriate safeguards to ensure that it is available to authorized stakeholders, according to business requirements, organizational policies, and strategic imperatives. Organizations also select best practices and standards that they want, or need, to follow. As well, information used in an organizational context is subject to legal, regulatory, and contractual constraints. Since this will incur the allocation of resources, both financial and human, it needs to be managed appropriately.
To do this as effectively as possible, organizations implement an integrated process of Governance, Risk Management and Compliance, referred to as GRC. This article investigates one of the components of GRC, which is compliance. More specifically, it is interested in cybersecurity compliance. Compliance is not more important than governance or risk management, as they are all important parts, required to successfully support organizations. However, this systematic review is part of a larger project that concerns automated compliance management systems, which justifies the choice of enquiry.
Scientific research often starts with a subject to be explored. In this case the subject is determined by a willingness to explore the current state of the art in cybersecurity compliance management. This is part of an interest in developing automated information security compliance assessment, monitoring, and reporting of cybersecurity compliance for Canadian Small and Medium Businesses (SMB). Initial research indicated that there is not much literature on compliance issues specifically related to Canada or to SMBs. As well, the compliance literature does not seem to have a large corpus of material specific to cybersecurity compliance. However, many more general aspects of compliance could bring insights that will be useful. Thus, it is determined that the initial search topic is: “Information system compliance management”.
Computer security and cybersecurity are also used as synonyms for information security and are added to the initial search term of information security. As well, to broaden the initial search, both compliance and compliance management will be used. The first element will help to identify the articles in the general topic. The second and third elements will help to narrow down the results to be more relevant. The last query used could be appropriate for the intended purpose at this point while adding limits, as described in the next step. Moreover, because the team intends to use analytical tools and perform bibliometric analysis of the results, it is determined that the next step will proceed with the last query:
("Information security" OR "computer security" OR cybersecurity) AND "compliance management"
Starting from what is done in the previous steps, restrictions to limit the results to scientific articles published in peer-reviewed journals in English during the last ten years are considered. However, to help determine the optimal period, a bibliometric analysis of Google Scholar citations on compliance from 1960 to 2022 was performed using R-Studio. It was observed that compliance emerged in the scientific literature starting in 1994, when the number of yearly publications reached ten per year. There are very few publications recorded in Google Scholar before that date. It only passed 100 publications per year in 2002. Based on this information, no additional limits will be added at this time. However, considering the size of the corpus of documents resulting from the search (200), it would seem reasonable to add date limits (2002 to 2022) and select only journal articles.
A large amount of overlap between the different sources should be expected. Once the results are imported into Zotero, 44 duplicates are removed. At the end of this step, there are 156 articles remaining following the process described.
Retrieving the documents is done using databases available on the Polytechnique Montréal and Concordia University library websites. As both universities have different database subscriptions, this allows additional sources to be identified. However, it may result in many duplicates, which can easily be resolved later. To cast a wide net and increase the likelihood of including important literature on a subject, the following databases are used, as they are the most used databases in our field of inquiry: Scopus, Web of Science, and Engineering Village. The results from the library searches are imported into Zotero and duplicates removed. At this point 179 documents remained.
The results are then submitted to a first high-level review. This review looks at the title and the abstract of the articles. This is done to ensure the articles are relevant and ready to be used for the next steps. In this case, 50 articles are removed as they did not indicate a link to the research question, did not meet the standard for academic papers or were not in English. For example, a product evaluation, an editorial or an article that did not go through a peer-review process is removed. Following this step 129 articles remained. This step is also an opportunity to identify additional terms and keywords that can become useful later in the systematic review. The additional terms identified are then used for an automated analysis using R-Studio. From this initial list of keywords and expressions, it becomes possible to start constructing an ontology of the domain, which can then be further improved as the project progresses. This ontology will be used to classify articles.
From there, a literature mapping tool is used (https://app.litmaps.co/) and a BibTeX export of the articles remaining after the triage step is imported. The literature map gives a visual representation of the articles in the corpus and shows the links between them. It also shows the relative importance of articles through the size of the associated marker. The LitMap tool can then suggest new articles which are potentially relevant based on what is there. In this case, after a few days and several trials with different combinations of dates and keywords, LitMap only suggested articles about compliance and not about compliance management. Therefore, it was decided not to add articles from the map, thus eliminating the need to perform two steps in the review methodology that concern adding articles to the LitMap and re-exporting the results to Zotero. Although it did not generate new articles to add to the systematic review, the LitMap tool allows the team to get a visual outlook of the literature. This graphical presentation helps to get a better understanding of what is there and to identify the evolution of knowledge in this field, the connections in the literature and the significant articles that are more connected to the corpus of knowledge. This will become helpful in the analysis.
As mentioned, some of the articles are linked directly to Zotero, as they are already included in previous steps. However, for the upcoming steps in the systematic review, it is necessary to have local copies of all the articles available in PDF. Performing a literature review involves reading and analyzing the articles at some point, so having a copy of them is an obvious necessity. Even if an effort is made to automate as much as possible and to have a systematic approach that makes it possible to reduce the number of articles, reading the articles is still required. After a thorough search, a few articles still could not be located; as this is a very small number, they are removed, since keeping references to unavailable articles may be problematic for the next steps and for the analysis. However, this may introduce a small bias in the results. At this step, 127 documents remained in the collection.
Once all the articles have been downloaded, a more in-depth review is made to assess their relevance. This step could be done by a team of researchers with the assistance of students. It requires that inclusion and exclusion criteria be identified. At this point there should be enough domain knowledge to make this feasible. If the number of articles is not too large, it might be acceptable to omit this step. Another strategy that might be considered is to perform a review by looking at the abstracts only to assess relevance for inclusion or exclusion. Then a review can be performed by reading more comprehensive machine-generated summaries. This would be followed by reading the full articles that make it through the process. An initial automated analysis is performed using R-Studio.
The final step in the systematic review is to use the final selection of articles to perform a more in-depth analysis of the corpus of documents. This step is done using two strategies: by reading the articles and with the help of automation. Reading involves, as the word implies, that the articles be read, that key information be highlighted and that notes be taken, using Zotero or other annotation tools. Automation involves using natural language processing tools. In this case, bibliometric analysis is performed in R-Studio using Bibliometrix and Quanteda (Benoit et al., 2018). Based on the bibliometric and automated analysis, a final sample of what appears to the research team to be the most relevant sources is presented in a later section of this article.
Automated analysis of the corpus
The first automated analysis is done in R-Studio. It was found that 26 words appear more than 2000 times. In fact, the R-Studio code that was used creates an Excel file with all the keywords that appear at least 100 times in the corpus, of which there are 1573 different keywords. Further analysis is performed using a combination of keywords that are relevant to the subject. However, when examining the complete list of keywords, it became obvious that there could be errors due to the different forms of the keywords that appear in the corpus. Combining the variations of a word, that is, using stems, captures the intent of the documents more accurately. Hence, it was decided to use stemmed keywords rather than the regular form of the words. Here as well, the R-Studio code creates an Excel file with all the stemmed keywords that appear at least 100 times in the corpus, of which there are 1289 different keywords.
From this information, further refinement was done to determine the relevance of the documents in the corpus to the research question. This is done to eliminate from the corpus documents that are not sufficiently important, thus optimizing the use of resources. This was done with a combination of keywords that are closely correlated to the theme of compliance management, identified as group K1. The top ten documents were identified, including the top six documents that had a K1 group value above 1000. This is a simple calculation based on the total number of occurrences of the words in the PDF files. It is subject to many biases, of course. For example, it is impacted by less relevant data, such as occurrences in the bibliography. Longer documents naturally have more potential for more occurrences. As well, an article is not necessarily more relevant if a particular word occurs more often. However, in conjunction with other data, this does contribute to our analysis.
An example of the potential biases of this initial analysis is shown in the highest ranked document (Stroup, 2014). This is not a peer-reviewed journal article but rather a Ph.D. dissertation from a candidate at Capella. While it is relevant, it is more about governance than compliance management. The second document (Yang, 2018) is much more relevant, even if it presents a literature review done as part of a Master's degree, and has the added element of being supervised by Siponen Mikko, who is identified in a Scopus and a Web of Science review as an influential author of scientific publications on compliance, as the bibliometric analysis has identified.
Another strategy adopted to try to mitigate the biases created by larger documents is to consider the number of pages in the document to calculate a factored value of K1, which is named Fac K1. This is simply calculated by dividing the K1 value by the number of pages in the document. The top 10 results of the 127 documents are presented in table 1.
Doc No | Reference                       | Nb Pages | K1 Rank | K1  | Fac K1 Rank | Fac K1
-------|---------------------------------|----------|---------|-----|-------------|-------
75     | (Mayer & De Smet, 2017)         | 9        | 15      | 601 | 1           | 66,78
62     | (Joshi, 2008)                   | 9        | 18      | 560 | 2           | 62,22
35     | (Delavari, Elahi, et al., 2019) | 6        | 46      | 371 | 3           | 61,83
116    | (von Solms, 2005)               | 5        | 61      | 301 | 4           | 60,20
98     | (Pla et al., 2020)              | 6        | 53      | 351 | 5           | 58,50
10     | (AlKalbani et al., 2017)        | 11       | 14      | 618 | 6           | 56,18
88     | (Nissen & Marekfia, 2013)       | 6        | 57      | 336 | 7           | 56,00
11     | (Almutairi & Riddle, 2018)      | 7        | 43      | 380 | 8           | 54,29
104    | (Sabillon et al., 2017)         | 7        | 48      | 364 | 9           | 52,00
45     | (Fenz et al., 2015)             | 4        | 89      | 206 | 10          | 51,50
33     | (Dang et al., 2019)             | 6        | 67      | 285 | 11          | 47,50
Table 1: Factored value of K1
A manual analysis shows that the Fac K1 value does appear to correlate with the relevance of the article. For example, (Mayer & De Smet, 2017) presents a systematic review on the subject of governance, risk management and compliance (GRC) that looks into ISO standards on this topic. Examining a sample of the articles, it seems that the higher the Fac K1, the more relevant the document is, and that lower ranked Fac K1 values are less relevant. The lower ranked documents are then targeted to be considered for exclusion from the corpus, potentially allowing the team to optimize the use of resources to review the documents and complete the systematic review. In appendix D, documents displayed in red were removed from the corpus for the analysis once the Fac K1 test was performed, and a final review of these documents was done to confirm that removal was justified.
Following a review of the results, the decision is made to remove from further steps of the systematic review all articles that have a Factored K1 value of less than one standard deviation below the average. In this case, applying the cutoff value of 5,34 would result in 15 documents being removed, leaving 113 documents in the corpus. However, before removing any documents, they were further scrutinized. One document with a score of zero was found to be relevant but was not processed accurately in the previous steps because the PDF file was saved as an image, making it impossible to assess automatically. The article was converted using OCR and kept for the next steps. Two documents were also found to be relevant. In the end, 11 documents were removed from the corpus. Following this, 116 documents remained in the corpus. The histogram in figure x shows the distribution of the documents per publication year. These 116 documents, published from 2004 to 2022, form the corpus for the rest of this article and are used for the next step of analysis, as illustrated in figure 3.
N-gram identification
The next automated analysis that is performed is the identification of N-grams in the corpus. The goal is to identify groupings of keywords, in this case of two, three or four words. For this purpose, R-Studio is used. The strategy was to use an automated process to identify bigrams, made of two words that appear in sequence in the corpus, trigrams, made of three words, and quad-grams, made of four words. Following this automated process, the most frequent bigrams are identified. Two bigrams were removed as they are less relevant, being more related to the context or the methodology components of the document. The bigrams that were removed are literature review, intern confer, and case studi. However, all the others are directly related to the research question, further supporting that this is useful. When looking at the top twenty (20) trigrams, it was observed that many trigrams are useful and relevant (12/20). However, several (8/20) are not relevant and were removed, such as: author licens use, and licens use limit. When observing the eleven (11) quad-grams, it can be observed that few quad-grams are useful and relevant (1/12). But one particularly stands out, inform secur polici complianc, confirming an intuition that much of the corpus concerns information security policy compliance, a popular topic in the cybersecurity compliance literature. Similarly, nation institut standard technolog indicates the National Institute of Standards and Technology (NIST), a very popular source of guidance, standards, and frameworks in this area. At this point, ample data has been acquired in the systematic review process to help understand the concept of compliance management. However, it was also decided to proceed with a bibliometric analysis to gain further insights. As this is done using existing analytical tools, it would not add excessive work. This is described in the next section.
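The keyword-stem scoring described earlier (K1, the page-factored Fac K1 and the one-standard-deviation cutoff) and the N-gram extraction described in this section can be reproduced end to end in a few dozen lines. The block below is an added Python example, not the authors' R-Studio code: it runs the whole pipeline on a constructed five-document corpus. The crude suffix stripper standing in for a real stemmer, the K1 stem set, the stopword list, the boilerplate phrase list and the corpus texts are all assumptions chosen for the demonstration. Document "D" stands in for the image-only PDF whose zero score the text describes; the selection step reports it for OCR instead of letting it fall under the cutoff.

```python
"""Added example: K1 / Fac K1 scoring with a mean-minus-one-SD cutoff, plus stemmed
N-gram extraction, on a constructed five-document corpus (not the page's own code)."""
import re
import statistics
from collections import Counter

# Constructed corpus: doc id -> (page count, extracted text).  "D" is the image-only
# PDF case from the text: extraction returns no text at all.
CORPUS = {
    "A": (2, "Information security policy compliance: regulations require organizations "
             "to audit compliance with security policies. Governance of compliance is a "
             "management concern. Literature review: none."),
    "B": (5, "A survey of user behaviour in online shopping. Compliance with the site "
             "terms was measured once. Literature review of prior surveys."),
    "C": (2, "Regulations, governance frameworks and audit controls: the auditor checks "
             "policy compliance yearly; compliance reporting to regulators."),
    "D": (1, ""),
    "E": (3, "Information security policy compliance management for cloud services: "
             "governance, risk and compliance (GRC) processes, compliance monitoring, "
             "and regulation mapping."),
}

# K1 group: stems assumed to be correlated with compliance management (assumed set).
K1_STEMS = {"compli", "regul", "polici", "govern", "audit"}
STOPWORDS = {"a", "an", "and", "the", "of", "to", "in", "is", "for", "with", "was", "by", "on", "or", "it"}
# Context/methodology phrases the text discards (the page's examples, in this stem form).
BOILERPLATE_NGRAMS = {"literature review", "case studi", "intern confer", "licens use limit"}


def tokenize(text):
    return re.findall(r"[a-z]+", text.lower())


def stem(word):
    """Crude suffix stripper standing in for a Porter/Snowball stemmer (assumption)."""
    if word.endswith("ies") and len(word) > 4:
        word = word[:-3] + "i"                      # policies -> polici
    elif word.endswith("s") and not word.endswith("ss") and len(word) > 3:
        word = word[:-1]                            # regulations -> regulation
    for suf in ("ation", "ance", "ment", "ity", "ing"):
        if word.endswith(suf) and len(word) > len(suf) + 3:
            return word[:-len(suf)]                 # information -> inform, security -> secur
    if word.endswith("y") and len(word) > 3:
        return word[:-1] + "i"                      # policy -> polici
    return word


def score_corpus(corpus, k1_stems=K1_STEMS):
    """K1 = occurrences of K1-group stems; Fac K1 = K1 divided by the page count."""
    scores = {}
    for doc_id, (pages, text) in corpus.items():
        stems = [stem(t) for t in tokenize(text)]
        k1 = sum(1 for s in stems if s in k1_stems)
        scores[doc_id] = {"tokens": len(stems), "k1": k1, "fac_k1": k1 / pages}
    return scores


def select_documents(scores):
    """Drop documents whose Fac K1 lies more than one standard deviation below the mean.
    Documents with no extractable text are not scored at all: they are reported for OCR
    rather than silently removed, which is the zero-score trap the text describes."""
    needs_ocr = {d for d, s in scores.items() if s["tokens"] == 0}
    assessable = {d: s["fac_k1"] for d, s in scores.items() if d not in needs_ocr}
    values = list(assessable.values())
    cutoff = statistics.mean(values) - statistics.stdev(values)   # sample SD, as Excel STDEV does
    remove = {d for d, v in assessable.items() if v < cutoff}
    keep = set(assessable) - remove
    return keep, remove, needs_ocr, cutoff


def top_ngrams(corpus, n, k=5, drop=BOILERPLATE_NGRAMS):
    """Most frequent stemmed n-grams (stopwords removed), minus boilerplate phrases."""
    counts = Counter()
    for _pages, text in corpus.values():
        stems = [stem(t) for t in tokenize(text) if t not in STOPWORDS]
        counts.update(" ".join(stems[i:i + n]) for i in range(len(stems) - n + 1))
    for phrase in drop:
        counts.pop(phrase, None)
    return counts.most_common(k)


if __name__ == "__main__":
    scores = score_corpus(CORPUS)
    keep, remove, needs_ocr, cutoff = select_documents(scores)
    for doc_id, s in sorted(scores.items(), key=lambda kv: -kv[1]["fac_k1"]):
        print(f"{doc_id}: K1={s['k1']:2d} pages={CORPUS[doc_id][0]} FacK1={s['fac_k1']:.2f}")
    print(f"cutoff={cutoff:.2f} keep={sorted(keep)} remove={sorted(remove)} needs_ocr={sorted(needs_ocr)}")
    for n in (2, 3, 4):
        print(f"top {n}-grams:", top_ngrams(CORPUS, n, k=3))
```

Running it prints each document's K1 and Fac K1, the cutoff, the kept, removed and OCR sets, and the most frequent bigrams, trigrams and quad-grams; on this corpus the quad-gram "inform secur polici compli" comes out on top, the way the text reports for the real corpus. With a real stemmer the exact counts change (here "auditor" and "regulators" are not folded into their stems), which is one of the biases the text warns about when it cautions against reading K1 as a relevance measure on its own.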
Bibliometric analysis
To perform an in-depth bibliometric analysis of the corpus of documents using Bibliometrix (https://www.bibliometrix.org/home/), the keywords "compliance management" are used to produce information from Web of Science. This resulted in 346 references exported from Web of Science (WoS) in BibTeX format that are analyzed using R-Studio and an existing library called Bibliometrix, as shown in table 2. The column Results WoS presents this data. The analysis showing the results was supplemented by the data already collected on the corpus of 116 documents, shown as Systematic Review (SR) Corpus in table 2. The data was analyzed using R-Studio and statistical functions in Excel. In some cases, the data was also calculated from the Zotero database or manually counted.
Description                    | Results WoS  | SR Corpus
-------------------------------|--------------|-------------
Timespan of articles           | 1979 to 2022 | 2004 to 2022
Sources (Journals, Books, etc) | 299          | 108
Documents                      | 346          | 116
Annual Growth Rate %           | 5.73         | 5.3
Document Average Age           | 9.53         | 5.5
Average citations per doc      | 9.965        | 51.60
References                     | 8782         | 5986
Table 2: Description of bibliometric data used
The data presented in table 2 compares the results of the Web of Science query on compliance management, comprising 346 documents published from 1979 to 2022, with the results collected in the corpus of 116 documents used in the systematic review, published from 2004 to 2022. As previously mentioned, the documents collected concern cybersecurity compliance management. As such the two are comparable and this information can help develop further insights, as well as validate the corpus.
Literature review
Following the bibliometric analysis of the corpus, which is presented in the previous sections, this section presents an overview of current knowledge around cybersecurity compliance management. The review is based on the corpus of 116 documents that is identified at the end of the process. Readers are reminded of the search query used. From the query, documents were identified and scored to facilitate the process. Most of the documents scored a high Factored K1 value, indicating their high correlation to the keywords that describe the research question. This is important to the team as this literature review is a necessary step in empirical research. Observing the literature for compliance and compliance management, not limited to cybersecurity, the number of academic and peer-reviewed sources seems to be relatively small, particularly when compared to previous articles in cybersecurity, where the number of articles is much larger. However, by following the systematic review process described, and looking at the metrics, the documents that remain in the corpus appear to be the most relevant.
The literature review starts with the concept of compliance and how it differs in cybersecurity compared to other areas of compliance. It then discusses compliance management and compliance management tools, such as frameworks, standards, and others, that are identified in the literature. To find expressions in the corpus, the command grep -irl "search text" . was used in a macOS Terminal window. This was followed by a manual review of the documents to count the occurrences of the different expressions. As well, R-Studio was used to categorize the articles based on keywords that have been identified in the systematic review. This automated process was chosen to eliminate biases often introduced in this process by reviewers.
Information security
As the research question investigates a particular aspect of compliance, namely information security compliance, it was decided to also include similar terms in the queries, as described earlier. Of course, a central aspect is information security, or the aspects of security related to information used by organizations in the execution of their mission and by the various business processes required to operate. However, the literature may use different terms, such as cybersecurity, to describe information security in a connected world, for example in organizations involved in e-business or using the Internet as an important component of their strategy. It was also noticed that cybersecurity may be written in different manners in the articles retrieved. Similar keyword choices were also made in other articles, such as (Anu, 2021).
Organizations need to safeguard the information they need to operate (Fenz et al., 2013). As well, they need to protect their employees' access to this information (Chaudhry et al., 2012). The goal of information security is the protection of information systems so they can operate as expected (Yang, 2018). Information security is used to determine the choices organizations need to make and the mitigation measures that they implement to stop the threats against their valued information (Ali et al., 2021). Internal stakeholders, such as employees, are key components of information security management (Chen et al., 2018). Metrics are used to monitor the effectiveness of information security choices (Anu, 2021). In particular, information security governance metrics are an important decision-making enabler for organizations to optimize information security programs and strategy (Anu, 2021).
Compliance
Based on the search query used to perform the systematic review, it should be expected that the term compliance appears in all the documents in the corpus. In fact, the term compliance and its variations appear 5627 times in the 116 documents in the corpus. However, by looking at the documents with the highest Factored K1 scores for a definition, a working definition can be determined. Starting from these sources, and further supported by other documents in the corpus, definitions have emerged and are presented in this section. A similar strategy is used to develop all the other definitions.
Risk management and compliance are steering tools that organizations integrate in a governance layer (Fenz et al., 2013; Mayer & De Smet, 2017). This is referred to as GRC, covering the three complementary disciplines of governance, risk management and compliance. (Mayer & De Smet, 2017) further cite Racz et al., who define GRC as
“an integrated, holistic approach to organization-wide governance, risk and compliance ensuring that an organization acts ethically correct and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness”[1].
The ISO/IEC 38500:2015 standard, titled “Information Technology — Governance of IT — for the organization” provides normalized guidance and principles for the effective, efficient, and acceptable use of IT within organizations.
At the highest levels of an organization, the board of directors and the executives, corporate governance provides strategic and performance guidance as to how objectives are achieved, creating value while risks are managed appropriately (Al-hashimi et al., 2018; Chaudhry et al., 2012; von Solms, 2005; Yip et al., 2006). This high-level guidance leads, among many other more tactical forms of guidance, to IT governance and, more specifically, information security governance (Yip et al., 2006). The information security component of corporate governance informs all stakeholders of the organization on how information security is addressed at an executive level and as a part of an organization's overall corporate governance responsibilities (Al-hashimi et al., 2018). It also provides guidance in navigating the complex web of data protection, privacy regulations, and security standards, which can help organizations meet their compliance requirements (Fenz et al., 2013; Yip et al., 2006). Information security governance will also guide the organization in the creation of information security policies, a key component of information security (Yang, 2018), which inform internal stakeholders of the acceptable use of information systems (Chen et al., 2018). Information security governance is an integral part of good IT and corporate governance (von Solms, 2005).
‘Information Security Governance consists of the management commitment and leadership, organizational structures, user awareness and commitment, policies, procedures, processes, technologies and compliance enforcement mechanisms, all working together to ensure that the confidentiality, integrity and availability (CIA) of the company’s electronic assets (data, information, software, hardware, people, etc.) are maintained at all times’. (von Solms, 2005).
Categories of compliance
Multiple categories of compliance have been identified in the context of this study. However, not all of them are relevant in the context of this study. For example, compliance domains related to the environment, public works, or financial services were not considered relevant, unless they considered specific IT-related or cybersecurity aspects. Other categories that were included are:
Information security compliance
Information Security Policy Compliance
Security policy compliance
Security Standard Compliance
Cybersecurity compliance
Business process compliance
Legal and regulatory compliance
Legal compliance
Regulatory compliance
Privacy compliance
The expression “cybersecurity compliance” does not appear in any of the documents in the corpus. However, other forms that have a similar meaning in the context of this study are found in the corpus, as expected. The similar forms that have been identified are security compliance, information security compliance, security policy compliance and information security policy compliance. Standard compliance and security standard compliance were also included.
There are other categories of compliance that are mentioned in the corpus. The compliance categories identified include business process compliance, legal and regulatory compliance, legal compliance, regulatory compliance, privacy compliance and environmental compliance. They are included in this study as they could provide valuable insights as to various compliance approaches that can be used for cybersecurity compliance.
Compliance framework
As previously mentioned, a complex web of laws, regulations, standards, policies and contractual obligations contribute to providing compliance requirements (Abdullah et al., 2016). To help organizations fulfil these requirements, various stakeholder groups have created IT governance and compliance frameworks, such as consensus-based standards. The literature in the corpus mentions many of these. COBIT, created by ISACA, ISO 27001 and ISO 27002, created by ISO/IEC subcommittee 27, and the NIST Cybersecurity Framework, created by the National Institute of Standards and Technology (NIST), are among the standards most frequently identified with compliance (Al-hashimi et al., 2018; Ali et al., 2021; Delavari et al., 2019; Shamsaei et al., 2011; Sillaber et al., 2019). The ISO/IEC 38500:2015 standard "Information Technology — Governance of IT — for the organization" provides guiding principles on the effective, efficient, and acceptable use of IT within organizations. It also provides guidance to those advising, informing, or assisting governing bodies (Mayer & De Smet, 2017).
While many of the articles in the corpus mention specific frameworks that are used for compliance, only two mention the expression “compliance frameworks” directly, (Cabanillas et al., 2022; Shamsaei et al., 2011), while none mention “compliance requirements”.
Compliance management
The expression "compliance management" appears in many articles in the corpus. (Fenz et al., 2015) presented an automated information security risk and compliance assessment tool for hardware, software and data assets based on ISO 27002 controls. The strategy (Fenz et al., 2015) developed is based on automatic keyword-based identification of policy documents and assigning them automatically to the most fitting ISO 27002 control. Activities for which compliance must be managed (von Solms, 2005):
Previously identified IT risks
Information Security awareness
Information Security policies, procedures, and standards
Regulatory, legal and statutory requirements
Software Licensing issues and others.
(Abdullah et al., 2016) developed an ontology intended to provide a shared conceptualization of compliance management, the compliance management ontology (CoMOn). This ontology should be integrated in the construction of the cybersecurity compliance ontology that is being created.
Compliance checking
Compliance checking is a process used to enforce compliance with policies and procedures, as well as adequate management of IT risks (von Solms, 2005). In compliance checking, a source of compliance requirements, such as regulations and policies, helps to define a set of controls that must be observed by the organization to achieve compliance (Cabanillas et al., 2022). There are many strategies that can be used to perform compliance checking. In the past, manual processes have been used. In regulatory compliance checking, manual compliance checking has been found to be a costly and error-prone process (Cunha et al., 2021). There are many other strategies that can be used to improve compliance checking. For example, (Janpitak N. & Sathitwiriyawong C., 2015) propose an ontology-based automated compliance checking approach for non-log operations. (Cunha et al., 2021) propose an automated approach for regulatory compliance checking based on the use of empirical fuzzy multi-criterion logic. (Massey et al., 2015) mention logic-based and requirements modelling approaches to compliance checking that have also been used in software engineering.
Literature analysis
Reminding the reader that this systematic literature review aimed to identify the current state of knowledge on Cybersecurity Compliance Management, this section looks at gaps in the literature on this topic. A few things to consider are mentioned here:
Compliance, as a research subject, only emerged in the last 20 years.
Cybersecurity compliance is about 10 years old as a research domain.
The number of cybersecurity articles that have been identified is lower than was initially expected.
Many different types of security-related compliance exist and are studied; cybersecurity is not the most popular area found in published research articles.
Cybersecurity compliance comprises many specialty areas, including compliance with laws and regulations, contractual obligations, international obligations, privacy, environmental issues related to datacenters, as an example, and many other areas.
Information Security Policy compliance is a popular area of published research.
Privacy compliance is also another area for which there is a large and growing corpus of publications.
Much of the information found related to cybersecurity compliance metrics is anecdotal or based on commercial solutions for which there are no published peer-reviewed publications that would support their inclusion in this systematic review.
Information on cybersecurity compliance metrics can be found in product reviews, professional literature, marketing support material or non-academic publications.
Compliance is not an isolated area but a component of the GRC cybersecurity process triad. Governance gives direction and context; risk management provides information about risk appetite, defines levels of acceptability, and selects metrics; while compliance is used to monitor implementation and, without surprise, to ensure compliance with legal and contractual obligations, track respect of governance objectives and manage risks.
While compliance is predominantly a business concern, it is intrinsically linked to technical aspects of cybersecurity. Because of the complexity of how it is connected to different problem domains, such as legal and regulatory issues, contractual issues, human behavior issues, as well as the technical aspects, a combination of business and technical skills is likely desirable. This, and other reasons, contribute to increasing the subjectivity of compliance evaluation. Adding to the problem, most monitoring involves manual review, which is error prone as well as being subjective, compounding the problem. Mechanisms and tools, such as the ontologies proposed by (Abdullah et al., 2016) or automation, perhaps using analytics or machine learning, can help limit these effects. There are many research opportunities in cybersecurity compliance and many researchers interested in this area, but there is little peer-reviewed output showing this. This is something that needs further investigation to find solutions to resolve this issue.
Based on what was identified in this systematic review, a definition of compliance management is proposed:
Compliance Management is concerned with the governance, oversight and tracking of how organizations comply with their obligations.
As there are many categories and levels of obligations, domains of compliance management are needed to address them. As the focus of this systematic review is cybersecurity compliance, the definition can be further developed to address this situation. Hence, a definition of cybersecurity compliance management is proposed:
Cybersecurity Compliance Management provides processes for the governance, oversight and tracking of how organizations comply with their cybersecurity, information security and data privacy obligations.
While this working definition can be further improved, it provides a reasonable starting point that is congruent with the findings of the systematic review that was performed and described in this article. It is sufficiently broad to allow for the various categories of compliance that need to be integrated into the cybersecurity domain. It also allows this definition to be used in the design of an automated compliance management and assessment solution.
Conclusion
This article described a systematic review of cybersecurity compliance management. It was performed with a specific goal in mind: to support the design of an information system to assist organizations in achieving and maintaining compliance. One of the findings is that the corpus of scientific publications is smaller than it should probably be, considering how important this topic is to organizations today. It was also found that cybersecurity compliance is a multi-dimensional problem, including several problem domains, such as legal, organizational, human, and technical, and requiring both business and technical solutions.
Bibliography
Abdullah, N. S., Indulska, M., & Sadiq, S. (2016). Compliance management ontology—A shared conceptualization for research and practice in compliance management. Information Systems Frontiers: A Journal of Research and Innovation, 18(5), 995–1020. https://doi.org/10.1007/s10796-016-9631-4
Agbaegbu, J., Arogundade, O. T., Misra, S., & Damaševičius, R. (2021). Ontologies in Cloud Computing—Review and Future Directions. Future Internet, 13(12), 302. https://doi.org/10.3390/fi13120302
Akhunzada, A., Sookhak, M., Anuar, N. B., Gani, A., Ahmed, E., Shiraz, M., Furnell, S., Hayat, A., & Khan, M. K. (2015). Man-At-The-End attacks: Analysis, taxonomy, human aspects, motivation and future directions. Journal of Network and Computer Applications, 48, 44–57. https://doi.org/10.1016/j.jnca.2014.10.009
Al-hashimi, M., Othman, M., Sulaiman, H., & Zaidan, A. A. (2018). Information Security Governance Frameworks in Cloud Computing an Overview. Journal of Advanced Computer Science and Technology Research, 8(2), 67–81.
Ali, R. F., Dominic, P. D. D., Ali, S. E. A., Rehman, M., & Sohail, A. (2021). Information security behavior and information security policy compliance: A systematic literature review for identifying the transformation process from noncompliance to compliance. Applied Sciences, 11(8), 3383. https://doi.org/10.3390/app11083383
AlKalbani, A., Deng, H., Kam, B., & Zhang, X. (2017). Information Security Compliance in Organizations: An Institutional Perspective. Data and Information Management, 1(2), 104–114. https://doi.org/10.1515/dim-2017-0006
Al-Rashdi, Z., Dick, M., & Storey, I. (2017). Literature-based analysis of the influences of the new forces on ISMS: A conceptual framework.
Alsharif, I., & Khelifi, A. (2019). Exploring the Opportunities and Challenges of Open Source Software and Its Economic Impact on the Cybersecurity Market. Smart Technologies and Innovation for a Sustainable Future, 115–127.
Anu, V. (2021). Information security governance metrics: A survey and taxonomy. Information Security Journal: A Global Perspective, 1–13.
Bélanger, F., & Crossler, R. E. (2011). Privacy in the digital age: A review of information privacy research in information systems. MIS Quarterly, 1017–1041. https://doi.org/10.2307/41409971
Benoit, K., Nulty, P., Obeng, A., Müller, S., & Matsuo, A. (2018). quanteda: An R package for the quantitative analysis of textual data. Journal of Open Source Software, 774.
Bibliometrix—Home. (n.d.). Retrieved 15 August 2022, from https://www.bibliometrix.org/home/
Bicaku, A., Zsilak, M., Theiler, P., Tauber, M., & Delsing, J. (2022). Security Standard Compliance Verification in System of Systems. IEEE Systems Journal, 16(2). https://doi.org/10.1109/JSYST.2021.3064196
Cabanillas, C., Resinas, M., & Ruiz-Cortes, A. (2022). A Mashup-Based Framework for Business Process Compliance Checking. IEEE Transactions on Services Computing, 15(3). https://doi.org/10.1109/TSC.2020.3001292
Chaudhry, P. E., Chaudhry, S. S., Reese, R., & Jones, D. S. (2012). Enterprise information systems security: A conceptual framework. Re-conceptualizing Enterprise Information Systems, 118–128.
Chen, X., Chen, L., & Wu, D. (2018). Factors That Influence Employees’ Security Policy Compliance: An Awareness-Motivation-Capability Perspective. Journal of Computer Information Systems, 58(4), 312–324. https://doi.org/10.1080/08874417.2016.1258679
Culot, G., Nassimbeni, G., Podrecca, M., & Sartor, M. (2021). The ISO/IEC 27001 information security management standard: Literature review and theory-based research agenda. The TQM Journal.
Cunha, V. H. C., Caiado, R. G. G., Corseuil, E. T., Neves, H. F., & Bacoccoli, L. (2021). Automated compliance checking in the context of Industry 4.0: From a systematic review to an empirical fuzzy multi-criteria approach. Soft Computing, 25(8), 6055–6074.
Da Veiga, A., & Eloff, J. H. P. (2007). An Information Security Governance Framework. Information Systems Management, 24(4), 361–372. https://doi.org/10.1080/10580530701586136
Dang, L. M., Piran, M. J., Han, D., Min, K., & Moon, H. (2019). A survey on internet of things and cloud computing for healthcare. Electronics, 8(7), 768.
Delavari, V., Shaban, E., Janssen, M., & Hassanzadeh, A. (2019). Thematic mapping of cloud computing based on a systematic review: A tertiary study. Journal of Enterprise Information Management.
Esayas, S., & Mahler, T. (2015). Modelling compliance risk: A structured approach. Artificial Intelligence and Law, 23(3), 271–300. https://doi.org/10.1007/s10506-015-9174-x
Fenz, S., Heurix, J., & Neubauer, T. (2015). How to increase the inventory efficiency in information security risk and compliance management. 2015-May.
Fenz, S., Neubauer, T., Accorsi, R., & Koslowski, T. (2013). FORISK: Formalizing information security risk and compliance management. 4 pp. https://doi.org/10.1109/DSNW.2013.6615533
Foorthuis, R., & Bos, R. (2011). A Framework for Organizational Compliance Management Tactics. In C. Salinesi & O. Pastor (Eds.), Advanced Information Systems Engineering Workshops (Vol. 83, p. 259-+). Springer-Verlag Berlin. http://www.webofscience.com/wos/woscc/summary/ef98347e-e620-4445-90b7-1dcb9f988d95-417d1e10/relevance/1
Gupta, B. B., & Badve, O. P. (2017). Taxonomy of DoS and DDoS attacks and desirable defense mechanism in a cloud computing environment. Neural Computing and Applications, 28(12), 3655–3682.
Hassanzadeh, A., Rasekh, A., Galelli, S., Aghashahi, M., Taormina, R., Ostfeld, A., & Banks, K. (2020). A review of cybersecurity incidents in the water sector. arXiv preprint arXiv:2001.11144.
Jacobs, P., Arnab, A., & Irwin, B. (2013). Classification of security operation centers. 7 pp. http://dx.doi.org/10.1109/ISSA.2013.6641054
Janpitak, N., & Sathitwiriyawong, C. (2015). Automated Compliance Checking Methodology for Non-Log Operations. Information Security Journal, 24(4–6), 98–108. https://doi.org/10.1080/19393555.2015.1067340
Joshi, S. (2008). HIPAA, HIPAA, Hooray?: Current Challenges and Initiatives in Health Informatics in the United States. Biomedical Informatics Insights, 1. https://doi.org/10.4137/BII.S2007
Marbouh, D., Abbasi, T., Maasmi, F., Omar, I. A., Debe, M. S., Salah, K., Jayaraman, R., & Ellahham, S. (2020). Blockchain for COVID-19: Review, opportunities, and a trusted tracking system. Arabian Journal for Science and Engineering, 45(12), 9895–9911.
Martínez-González, M. M., Alvite-Díez, M. L., Casanovas, P., Casellas, N., Sanz, D., & Aparicio, A. (2021). OntoROPA Deliverable 1. State of the Art and Ambition.
Massey, A. K., Otto, P. N., & Antón, A. I. (2015). Evaluating Legal Implementation Readiness Decision-Making. IEEE Transactions on Software Engineering, 41(6). https://doi.org/10.1109/TSE.2014.2383374
Mayer, N., & De Smet, D. (2017). Systematic Literature Review and ISO Standards analysis to Integrate IT Governance and Security Risk Management. International Journal for Infonomics (IJI), 10(1), 1255–1263.
Nissen, V., & Marekfia, W. (2013). Towards a research agenda for strategic governance, risk and compliance (GRC) management. 2013 IEEE 15th Conference on Business Informatics, 1–6.
Noor, T. H., Sheng, Q. Z., Maamar, Z., & Zeadally, S. (2016). Managing Trust in the Cloud: State of the Art and Research Challenges. Computer, 49(2). https://doi.org/10.1109/MC.2016.57
Pereira, R., & da Silva, M. M. (2013). IT Compliance Management Process Modeling Based on Best Practices Reference Models and Qualitative Data. 2013 17th IEEE International Enterprise Distributed Object Computing Conference Workshops, 178–187.
Plá, L. F., Shashidhar, N., & Varol, C. (2020). On-premises versus SECaaS security models. 2020 8th International Symposium on Digital Forensics and Security (ISDFS), 1–6.
Reshmi, T. R. (2021). Information security breaches due to ransomware attacks-a systematic literature review. International Journal of Information Management Data Insights, 1(2), 100013. https://doi.org/10.1016/j.jjimei.2021.100013
Sabillon, R., Serra-Ruiz, J., Cavaller, V., & Cano, J. (2017). A comprehensive cybersecurity audit model to improve cybersecurity assurance: The cybersecurity audit model (CSAM). 2017 International Conference on Information Systems and Computer Science (INCISCOS), 253–259.
Sackmann, S., Kuehnel, S., & Seyffarth, T. (2018). Using business process compliance approaches for compliance management with regard to digitization: Evidence from a systematic literature review. International Conference on Business Process Management, 409–425.
Salek, M. S., Khan, S. M., Rahman, M., Deng, H.-W., Islam, M., Khan, Z., Chowdhury, M., & Shue, M. (2022). A Review on Cybersecurity of Cloud Computing for Supporting Connected Vehicle Applications. IEEE Internet of Things Journal, 9(11), 8250–8268. https://doi.org/10.1109/JIOT.2022.3152477
Shamsaei, A., Amyot, D., & Pourshahid, A. (2011). A systematic review of compliance measurement based on goals and indicators. International Conference on Advanced Information Systems Engineering, 228–237.
Sillaber, C., Mussmann, A., & Breu, R. (2019). Experience Data and Information Quality Challenges in Governance, Risk, and Compliance Management. Journal of Data and Information Quality (JDIQ), 11(2), 1–14. https://doi.org/10.1145/3297721
Stroup, J. W. (2014). The current mind-set of federal information security decision-makers on the value of governance: An informative study.
von Solms, S. H. (Basie). (2005). Information Security Governance—Compliance management vs operational management. Computers & Security, 24(6), 443–447. https://doi.org/10.1016/j.cose.2005.07.003
Wollersheim, J., & Krcmar, H. (2014). Quality analysis approaches for cloud services-towards a framework along the customer’s activity cycle. Trusted Cloud Computing, 109–124.
Yang, Y. (2018). Literature review of information security practice survey reports.
Yimam, D., & Fernandez, E. B. (2016). A survey of compliance issues in cloud computing. Journal of Internet Services and Applications, 7(1), 1–12. https://doi.org/10.1186/s13174-016-0046-8
Yip, F., Ray, P., & Paramesh, N. (2006). Enforcing business rules and information security policies through compliance audits. 2006, 81–90. Scopus. https://www.scopus.com/inward/record.uri?eid=2-s2.0-33847152561&partnerID=40&md5=0c52f181e1f0c2715a294162858de3b5
Zandesh, Z., Ghazisaeedi, M., Devarakonda, M. V., & Haghighi, M. S. (2019). Legal framework for health cloud: A systematic review. International Journal of Medical Informatics, 132, 103953.
[1] N. Racz, E. Weippl, A. Seufert, A Frame of Reference for Research of Integrated Governance, Risk and Compliance (GRC), in: B.D. Decker, I. Schaumüller-Bichl (Eds.), Communications and Multimedia Security, Springer Berlin Heidelberg, 2010: pp. 106–117. Cited in (Mayer & De Smet, 2017).
In the intricate web of modern society where the sails of technology, health, finance, and business are ever billowed by the winds of change, the notion of ‘risk’ stands as a crucial beacon in navigating the unpredictable. Originating from the perilous ventures at sea signified by the Middle-Ages Italian term ‘risco’, risk has journeyed through centuries to emerge as a central theme in diverse domains of human activity. As a university professor deeply engaged in the study of information technology and cybersecurity, I find that the contemporary understanding of risk requires a synthesis of its historical essence through a multidisciplinary lens. Herein, I propose an updated, synthesized definition of risk, aimed at encompassing the breadth and depth of its impact across various fields of study and practice. I started by feeding all the risk definitions I had found in my many literature searches in the last few years into ChatGPT, and this is a snapshot of what we came up with.
Risk Reenvisioned: A Tapestry of Probabilities and Possibilities
Risk, at its core, encapsulates the potential for deviation from anticipated outcomes, driven by uncertainty and complexity. It is a tapestry woven from event probabilities and their diverse consequences—ranging from the catastrophic to the opportunistic. This proposition extends beyond theoretical discourse into a pragmatic framework that recognizes risk as a dynamic entity, simultaneously informed by subjective judgment and empirical evidence. It is a paradigm that transcends the traditional association of risk solely with negative outcomes. It acknowledges the silver lining of opportunity that uncertainty can present.
The Need for a Comprehensive Risk Framework
The impetus behind this comprehensive risk framework is multifold. Primarily, it acknowledges risk’s interdisciplinary manifestations across various sectors. In finance, risk encapsulates the gamut of market volatility and investment uncertainties; in medicine, it concerns the probabilities of health-related adversities; in information technology, it pertains to the spectrum of security threats and data integrity challenges. The proposed definition champions universal applicability, promoting a cohesive narrative and more strategic risk management.
Furthermore, this framework recognizes the dichotomy of risk: it is the chasm of possible loss and the crucible of potential innovation. It proposes a balanced approach to risk management, one that judiciously seeks out potential advantages as it diligently mitigates potential threats.
Scholarly Rationale for the Integrated Definition of Risk
The scholarly impetus for this integrated definition is rooted in the labyrinthine nature of contemporary issues. These issues are characterized by intertwined global systems, rapid innovation, and the complex interplay between human factors and systemic vulnerabilities. This complexity calls for a definition that is both robust and adaptive, capable of underpinning sophisticated risk management strategies responsive to an ever-evolving global milieu.
Moreover, this definition is a testament to the value of interdisciplinarity in academic inquiry and professional practice. By merging various conceptual models of risk—from the quantifiable ‘risk capital’ in financial markets to the qualitative ‘informational risks’ in cybersecurity—it fosters a transdisciplinary dialogue, facilitating a more comprehensive approach to addressing risk.
Consider cybersecurity, where risk is not confined to breaches but also encompasses organizational responses to such incursions. This includes the adoption of cutting-edge security practices and the development of robust, resilient infrastructures. In healthcare, risk management extends from disease prevention to the creation of healthcare systems that are not only reactive but also proactive in their approach to patient care and disease management.
Conclusion: Uniting Under the Banner of a Unified Risk Understanding
Embracing this refined definition of risk marks a step toward a unified understanding of the concept. It invites us to reflect on both the probability and potential consequences of unforeseen events. It also invites us to reflect on risk’s prospects for progress. As we steer through the complexities of the 21st century, an intricate understanding of risk is not merely an academic exercise but a strategic imperative for informed decision-making, foresight in planning, and the development of systems that are equipped not only to withstand but also to capitalize on the uncertainties of our times.
This definition should act as a cornerstone in academia, prompting scholars to expand their viewpoints and consider risk interconnectedness across different disciplines. By encouraging a forward-looking and inclusive perspective, we can cultivate anticipatory, adaptive, and holistic strategies, ensuring we are prepared to meet the unknown with confidence and resourcefulness. In a world where change is the only constant, a multifaceted understanding of risk is not just beneficial—it is essential for the growth and resilience of societies and the individuals within them.
In the intricate dance of market economics, supply and demand traditionally lead the way, dictating prices and guiding consumer behavior. Nevertheless, in the grand ballroom of commerce, there exists a paradoxical player: Veblen goods. Named after the economist Thorstein Veblen, who first illuminated their peculiar nature, Veblen goods flip the script on conventional economic wisdom. They challenge producers and consumers alike to rethink value and advantage.
Defying Demand: The Veblen Good Explained
Veblen goods have a contrarian response to price changes. Unlike typical products, where demand decreases as prices rise, Veblen goods see an uptick in demand precisely when their prices soar. This anomaly is rooted in the social symbolism these goods carry; they are not merely purchases but proclamations of status. Owning a Veblen good is like wearing a medal of economic prowess, signaling wealth and social distinction. As such, their value is not solely in their utility but in their scarcity and prestige. For instance, Birkin bags, handmade leather bags made by Hermès in France, have become a symbol of wealth and status. Their prices reach up to hundreds of thousands of dollars for the rarest models made in exotic leathers. Rolex watches are also perceived as symbols of luxury and social status. Some models, like the Submariner or Daytona, sell for thousands of dollars over retail prices on the secondary market, as individuals strive to bypass retail waitlists.
The Economics of Exclusivity: How Veblen Goods Break the Mold
The traditional supply and demand curve is a testament to the rationality of the market. This is where increased supply typically lowers prices, and heightened demand usually leads to price hikes. Veblen goods, however, dance to another tune. Their demand curve slopes upwards, reflecting increased demand as prices rise. This phenomenon is a stark departure from the norm, presenting an unusual challenge to businesses: how to price a product not only for profit but for prestige.
Competitive Advantage in a Veblen Economy
In the pursuit of competitive advantage, companies dealing in Veblen goods must navigate a landscape where the usual rules do not apply. The perceived rarity and perceived value of these goods become the cornerstone of strategy. Note the importance of perception as the key factor, making this highly subjective. For businesses, this means crafting an image that resonates with exclusivity and desirability. This is often accomplished through limited editions, bespoke services, or by harnessing luxury branding allure.
The IT Paradox: Veblen Goods in the Digital Age
Information technology, with its rapid innovation cycles and democratizing force, seems an unlikely sector for Veblen goods. Yet, even here, the Veblen effect holds. High-end technology products can attain Veblen status when marketed as elite, cutting-edge, or revolutionary. The latest smartphone, for instance, may boast features marginally different from its predecessor. However, its positioning as a must-have gadget for the tech-savvy elite can drive demand upward with each price increase.
E-commerce and the Veblen Effect
E-commerce platforms have become the modern-day marketplaces for Veblen goods, amplifying their reach and reinforcing their desirability through strategic digital marketing. The online space allows for the creation of an aura around Veblen goods, often through storytelling, influencer endorsements, and the cultivation of digital scarcity. The result is a virtual environment where consumers are willing to pay premiums not just for the product but for the shopping experience and the status it bestows.
Social Media: The Amplifier of Aspiration
Social media platforms serve as echo chambers for Veblen goods. They are stages where the drama of aspiration and prestige plays out, with each share, like, and comment adding to the narrative of exclusivity. In this realm, Veblen goods gain their luster not from price tags but from social validation and visibility. Brands leverage this dynamic, using social media to craft a coveted image that turns their offerings into symbols of social capital.
Sustaining Advantage in a Veblen World
For businesses, the challenge lies in sustaining the Veblen effect. It is a delicate balance between maintaining high prices and perceived exclusivity while ensuring that the allure does not fade. This requires a deep understanding of consumer psychology, a commitment to innovation, and a marketing strategy that continually reinforces the narrative of prestige.
Conclusion: The Veblen Good as a Competitive Chess Piece
Veblen goods are a testament to the complexity and psychological underpinnings of market economics. They serve as a reminder that value is not always intrinsic but reflects societal perceptions and desires. For companies, IT infrastructure, e-commerce strategies, and social media presence offer an opportunity to craft a competitive edge based on prestige and exclusivity. However, this edge is only as sharp as the strategy behind it, demanding a nuanced approach to pricing, marketing, and brand storytelling.
In the end, Veblen goods challenge us to reconsider value in a market-driven world. They are not mere commodities but chess pieces in the strategic game of competitive advantage. This is where perception is king, and the price is often a measure of prestige rather than cost. As we navigate the evolving landscape of IT, e-commerce, and social media, understanding the Veblen effect is crucial for those looking to thrive in the economy of aspiration.
In the ever-evolving landscape of cybersecurity, risk analysis has become increasingly complex, requiring advanced computational techniques to address multifaceted challenges. One such advancement is the use of deep learning platforms to analyze cybersecurity risk scenarios. Deep learning, a subset of machine learning, has shown immense promise in various domains, including natural language processing, computer vision, and indeed, cybersecurity. Deep learning can be used to analyze large amounts of data quickly and accurately, enabling organizations to identify patterns and trends in their cybersecurity risk profiles. It can also help organizations identify potential threats and vulnerabilities, and alert them to the need to take preventive or corrective action. This blog post aims to offer an in-depth exploration of the most suitable programming languages and software frameworks that can be leveraged to build a deep learning platform tailored to cybersecurity risk analysis.
Criteria for selection
When choosing a programming language and software framework for such a specialized task, one must consider several factors:
Scalability: The ability to handle large and complex datasets effectively.
Performance: Speed and computational efficiency.
Community Support: Prebuilt libraries and a strong community.
Interoperability: Seamless integration with existing systems and databases.
Ease of Use: A manageable learning curve and a user-friendly interface.
Python programming language
Python is a high-level, interpreted, and object-oriented programming language. Its syntax is designed to be simple and easy to understand, making it an ideal language for beginners. Python also has a wide range of libraries and frameworks that make it easy to become productive quickly, and its user-friendly interface makes it easy to learn. Python emerges as the frontrunner for building a Deep Learning platform to analyze cybersecurity risk scenarios for several reasons:
Rich ecosystem
Python boasts a rich ecosystem of libraries specifically designed for machine learning and deep learning, such as TensorFlow, PyTorch, and Keras. These libraries provide pre-built modules and functions, significantly expediting development.
Versatility
Python’s versatility makes it suitable for both data preprocessing and model development, providing a unified platform for the entire machine learning pipeline.
Community support
Python has widespread community support, ensuring that developers can readily find solutions to common problems, plug into community-driven modules, or even contribute to the ecosystem.
Interoperability
Python’s extensive range of APIs allows for easy integration with existing cybersecurity platforms and databases, a crucial factor for any enterprise-level application.
Software Framework: TensorFlow
Among the plethora of available deep learning frameworks, TensorFlow stands out as particularly well-suited to cybersecurity applications for several reasons:
Scalability
TensorFlow can easily scale from a single machine to a cluster of servers, accommodating large-scale cybersecurity datasets.
High performance
TensorFlow offers accelerated computation through GPU support, crucial for training large and complex deep learning models efficiently.
Flexibility
TensorFlow provides both high-level APIs for quick prototyping and low-level APIs for fine-tuned customization, making it adaptable to a variety of cybersecurity tasks.
TensorBoard
TensorFlow comes with TensorBoard, a visualization toolkit that aids in understanding, debugging, and optimizing deep learning models. This is invaluable for complex tasks such as cybersecurity risk analysis.
Conclusion
Python and TensorFlow collectively offer a robust, scalable, and efficient environment for building a deep learning platform focused on analyzing cybersecurity risk scenarios. Python provides a versatile and rich programming environment replete with libraries and community support. TensorFlow complements this by offering a high-performance, flexible, and scalable deep learning framework. Together, they form an optimal toolset for tackling cybersecurity risk analysis’s intricacies and complexities through deep learning methods.
Given the critical nature of cybersecurity and the increasing sophistication of cyber threats, adopting the right tools for deep learning-based risk analysis is not merely an academic exercise but a strategic imperative. By leveraging Python and TensorFlow, organizations can better equip themselves to navigate the complex and ever-changing cybersecurity risk landscape.
In a world increasingly driven by digital interactions, the importance of cybersecurity cannot be overstated. Cybersecurity frameworks serve as the cornerstone for securing modern organizations’ complex infrastructure. These frameworks encompass a set of guidelines, best practices, and tools designed to provide a structured and strategic approach to cybersecurity management. This blog post aims to elucidate the concept of a cybersecurity framework, its constituent elements, types, and its significance in contemporary information technology environments. Cybersecurity frameworks are an essential element of any organization’s security posture and should be regularly reviewed and updated to ensure their efficacy. Furthermore, organizations should ensure that their employees have the necessary knowledge and skills to effectively implement and adhere to the guidelines and best practices outlined in a cybersecurity framework.
Defining cybersecurity frameworks
A cybersecurity framework is an organized set of guidelines, policies, and procedures aimed at providing a unified strategy for safeguarding an organization’s digital assets and information systems. It serves as a reference model that enables organizations to identify, protect, detect, respond to, and recover from cybersecurity incidents in a systematic and effective manner. The framework typically encapsulates both technical and non-technical components, offering a holistic approach to cybersecurity that is adaptable to an organization’s specific requirements. The framework also helps organizations to develop and maintain a security culture by raising awareness and providing guidance on how to protect their systems and data. Additionally, it provides guidelines on how to recover from a cyber incident and minimize its effects. The framework is like a roadmap for an organization to follow, ensuring that they are taking the necessary steps to protect their systems and data, as well as having a plan in place in the event of a breach.
Historical context
The emergence of cybersecurity frameworks can be traced back to the late 20th and early 21st centuries when digitization of services and operations became commonplace. Organizations soon realized that ad-hoc security measures were insufficient to counter the growing threat landscape. This led to the formulation of structured frameworks, initially by governmental agencies and later by private firms to address the burgeoning need for standardized cybersecurity protocols. Cybersecurity frameworks are typically composed of various elements, such as policy, procedures, and standards. They are designed to help organizations assess their security posture and prioritize their security investments. Cybersecurity frameworks are also constantly evolving to keep up with the ever-changing threat landscape. For example, the National Institute of Standards and Technology (NIST) regularly updates its Cybersecurity Framework to provide guidance on how organizations should protect their networks and systems.
Constituent elements of a cybersecurity framework
Cybersecurity frameworks usually consist of several core components:
Policies and Guidelines: These are high-level documents that define the organization’s stance and objectives regarding cybersecurity.
Standards and Procedures: These elaborate on the policies by specifying the technical and operational details for achieving the stated objectives.
Tools and Technologies: These are the actual hardware and software solutions employed to enforce the standards and procedures.
Monitoring and Auditing: This involves continuous observation and periodic evaluation of the system to ensure compliance with the framework.
Incident Response Plan: This outlines the steps to be taken when a security breach or incident occurs.
Training and Awareness: This element focuses on educating staff about their roles and responsibilities in maintaining cybersecurity.
Types of cybersecurity frameworks
National Institute of Standards and Technology (NIST) Framework: Developed by the U.S. government, it is widely used globally and provides guidelines for critical infrastructure sectors.
ISO/IEC 27001: An international standard that provides a systematic approach to managing sensitive company information and ensuring its confidentiality, integrity, and availability.
Center for Internet Security (CIS) Controls: Focusing on actionable controls for improving cybersecurity posture, it is popular among small and medium-sized enterprises.
Payment Card Industry Data Security Standard (PCI DSS): Specifically designed for organizations that handle credit card transactions, this framework focuses on securing financial data.
Significance in contemporary settings
In the modern world, where cyber threats are ever-evolving, cybersecurity frameworks play a pivotal role in safeguarding an organization’s assets and reputation. These frameworks enable organizations to achieve several key objectives:
Standardization: They provide a standardized approach to cybersecurity, making it easier to manage and measure security efforts.
Risk Management: They offer a structured way to identify, assess, and manage cybersecurity risks, reducing the likelihood and impact of security incidents.
Compliance: Adherence to a recognized cybersecurity framework often fulfills legal and regulatory requirements, shielding organizations from potential legal repercussions.
Operational Efficiency: By providing a structured approach to cybersecurity, frameworks enable more efficient resource allocation and better decision-making.
Conclusion
Cybersecurity frameworks are not merely a set of rules or tools; they are an integral aspect of organizational information security strategy. They offer a balanced approach to cybersecurity by focusing on technology, processes, and people. As the cyber landscape evolves, so too will cybersecurity frameworks, adapting to new types of threats and vulnerabilities. Therefore, understanding and implementing a cybersecurity framework is not just a necessity but a strategic imperative for organizations aiming for resilience and longevity in the digital age.
By comprehensively understanding the multifaceted nature and utility of cybersecurity frameworks, organizations can better prepare for, respond to, and mitigate the risks associated with cyber threats. Therefore, the adoption and implementation of a robust cybersecurity framework should be considered an essential component of any serious effort to secure an organization’s information systems and digital assets.
Today I asked ChatGPT to use the new Dall-E functionality to create an artistic rendition of generative AI that I can use to illustrate an article. Here is what it answered.
Generative AI is an exciting frontier that marries the complex intricacies of artificial intelligence with the boundless realm of creativity. The images presented here aim to encapsulate the essence of this phenomenon.
The first image depicts a classical setting with wooden tables and chairs, which is reminiscent of traditional scholarly environments. Atop one table, an antique brass orrery symbolizing the solar system is placed. Above this classical representation of the universe, a modern, holographic projection of a neural network illuminates the space. This image serves as a metaphor for the juxtaposition of the past and the future, highlighting how the emergence of generative AI is seamlessly intertwining with our rich history of knowledge and discovery.
The second image, rendered in the style of 19th-century Romanticism, paints a vast landscape illuminated by the glow of a golden sunrise. Within this serene setting, silicon chips and circuit boards, emblematic of our digital age, stand tall, reminiscent of ancient monoliths. Ethereal strings of binary code traverse the landscape like meandering rivers, and ghostly digital avatars wander about, signifying the omnipresent influence and power of generative AI in our contemporary world.
Both of these artistic representations offer a visual narrative that captures the transformative power of generative AI, bridging the gap between the historical and the cutting-edge, the tangible and the digital, and the known and the yet-to-be-discovered. They emphasize the profound impact of AI on our understanding of creativity, knowledge, and the world at large. I hope one of these images resonates with the theme of your article and can serve as a compelling visual accompaniment.
If you have any further specifications or require adjustments, please let me know. I am here to assist you in your academic endeavors.
Cybersecurity continues to evolve at a rapid pace, and fraud remains a persistent challenge that organizations and individuals strive to overcome. As fraud schemes grow more sophisticated, traditional methods of fraud detection and prevention, while still effective to some extent, are becoming increasingly inadequate. In response, we have explored more advanced technologies, among them Artificial Intelligence (AI), one of the more recent. Although the role of artificial intelligence in cybersecurity is already well established, the specific utility of generative AI models for preventing, identifying, and investigating fraud deserves greater attention. In this blog post, we discuss how generative artificial intelligence can be a game-changer in these key areas. Generative AI models can be used to detect fraudulent activity in real time. They can also help uncover potential fraud before it happens by analyzing large amounts of data to detect patterns and anomalies, and they can support fraud investigations by providing detailed insights into suspicious activity.
What is generative AI?
Before delving into its applications in fraud management, it is essential to understand what generative AI entails. Generative AI refers to a subset of machine learning models that generate new data resembling a given dataset. Unlike discriminative models, which classify or differentiate between existing data points, generative models create new instances that share statistical characteristics with the training data. This capability opens up a plethora of applications, ranging from natural language processing to image generation and, as we will see, fraud management. Generative AI models can also be used to detect fraud by generating new data similar to a fraudulent dataset, which can reveal fraud patterns that are not visible in the existing data. They can likewise be used to detect anomalies in data, such as outliers.
Fraud prevention through anomaly detection
One of the most immediate applications of generative AI in fraud prevention is anomaly detection. Traditional fraud prevention systems often rely on rule-based algorithms that flag transactions or activities based on predefined criteria. While effective at catching known types of fraud, these systems are less adept at identifying new, more sophisticated fraud schemes. Generative AI algorithms, on the other hand, can detect subtle patterns in transactions that could indicate fraud, and they can be trained to detect new types of fraud, allowing them to stay one step ahead of malicious actors. For instance, a generative AI system can detect anomalies in transaction data such as unexpected changes in amounts or unusual patterns in customer behavior.
Generative AI models, such as Generative Adversarial Networks (GANs), can be trained on a dataset of legitimate transactions. Once trained, these models can generate synthetic transactions that resemble normal behavior. By comparing incoming transactions to these synthetic but statistically similar transactions, the system can more accurately identify anomalies that may signify fraudulent activity. The generative model augments the dataset, providing a more robust basis for detecting deviations from the norm. This allows for improved accuracy and efficiency in fraud detection, as the system is able to better identify suspicious transactions based on a more comprehensive dataset. Additionally, this reduces the reliance on manual analysis, freeing up time for analysts to focus on more complex tasks. For example, a generative model can use statistical methods to generate synthetic data with similar characteristics to the training data, allowing analysts to conduct more comprehensive tests of a system’s fraud detection capabilities.
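The approach described above, as an added example that is not part of the original post: a per-feature Gaussian stands in for the GAN the text mentions as the generative model. It is fitted to a constructed history of legitimate transactions, used to sample synthetic "normal" transactions, and the anomaly threshold is calibrated on those synthetic samples rather than hand-tuned. The feature set (amount, hour of day, distance from home) and all rows are assumptions constructed for the demonstration.

```python
"""Anomaly detection against a generative baseline of legitimate transactions.

Added example (not from the original post). A per-feature Gaussian replaces
the GAN mentioned in the text; the workflow is the same: fit a model of normal
behaviour, sample synthetic normal transactions from it, calibrate a threshold
on the synthetic sample, then score incoming transactions against it.
All data below is constructed for the demonstration.
"""
import math
import random

# Feature order for every transaction row (constructed feature set):
# amount (currency units), hour of day (0-23), distance from the card
# holder's home (km).
FEATURES = ("amount", "hour", "distance_km")


def make_legit_transactions(n, seed=7):
    """Constructed legitimate history: modest daytime purchases near home."""
    rng = random.Random(seed)
    return [
        (max(1.0, rng.gauss(60, 20)),        # amount
         min(23.0, max(0.0, rng.gauss(14, 3))),  # hour
         max(0.0, rng.gauss(5, 2)))           # distance
        for _ in range(n)
    ]


def fit_gaussian(rows):
    """Per-feature mean and standard deviation: the generative model."""
    params = []
    for col in range(len(FEATURES)):
        values = [row[col] for row in rows]
        mean = sum(values) / len(values)
        var = sum((v - mean) ** 2 for v in values) / len(values)
        params.append((mean, max(math.sqrt(var), 1e-9)))  # guard against sd == 0
    return params


def sample_synthetic(params, n, seed=11):
    """Generate synthetic transactions that follow the fitted normal behaviour."""
    rng = random.Random(seed)
    return [tuple(rng.gauss(mean, sd) for mean, sd in params) for _ in range(n)]


def anomaly_score(params, row):
    """Sum of squared z-scores: how far a row sits from the learned norm."""
    return sum(((x - mean) / sd) ** 2 for x, (mean, sd) in zip(row, params))


def calibrate_threshold(params, synthetic, quantile=0.99):
    """Score that only (1 - quantile) of synthetic normal traffic exceeds."""
    scores = sorted(anomaly_score(params, row) for row in synthetic)
    return scores[int(quantile * (len(scores) - 1))]


def flag_anomalies(params, threshold, incoming):
    """Return (row, score, flagged) for each incoming transaction."""
    results = []
    for row in incoming:
        score = anomaly_score(params, row)
        results.append((row, score, score > threshold))
    return results


def build_detector(n_history=500, n_synthetic=5000):
    """Fit the model on legitimate history and calibrate on synthetic samples."""
    params = fit_gaussian(make_legit_transactions(n_history))
    threshold = calibrate_threshold(params, sample_synthetic(params, n_synthetic))
    return params, threshold


if __name__ == "__main__":
    params, threshold = build_detector()
    # Constructed incoming batch: two ordinary purchases and one that is far
    # larger, at 03:00, hundreds of kilometres from home.
    incoming = [(70.0, 13.0, 4.0), (45.0, 18.0, 7.5), (5000.0, 3.0, 800.0)]
    print(f"threshold = {threshold:.2f}")
    for row, score, flagged in flag_anomalies(params, threshold, incoming):
        print(dict(zip(FEATURES, row)), f"score={score:.1f}", "FLAG" if flagged else "ok")
```

Calibrating on the synthetic sample is the point the paragraph makes: the threshold is derived from what the model considers normal, so the false-positive rate on normal traffic is controlled by the quantile rather than by a hand-picked number. A real deployment would swap the diagonal Gaussian for a model that captures correlations between features, and would re-fit as customer behaviour drifts.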
Fraud identification through data augmentation
Data scarcity is a common challenge in fraud detection. Fraudulent activities are, by nature, rare and often dissimilar from one another, making it difficult to train machine learning models effectively. Generative AI can mitigate this issue by creating synthetic data that resembles known fraud cases. This augmented dataset can then be used to train other machine learning models, enhancing their ability to identify fraudulent activities. Generative AI can also produce fraud cases that have not yet been observed in real-world data, giving machine learning models a more comprehensive dataset to learn from. Additionally, it can generate data tailored to the specific needs of a given machine learning model, allowing that model to detect fraud more effectively.
For instance, a generative model can be trained on a dataset of known phishing emails. The model can then generate new instances of phishing emails that share the same characteristics but are not exact replicas. When a machine learning model is trained on this augmented dataset, it gains a more nuanced understanding of the features that constitute phishing attempts. This improves its identification capabilities. The model can then be used to detect previously unseen phishing emails more accurately. Additionally, the model can be used to detect phishing attempts in real-time, allowing it to proactively protect your organization from potential attacks. For example, the model can be used to detect a suspicious email based on the language used, the sender’s email address, or other features indicative of a phishing attempt.
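The augmentation step described in the two paragraphs above, as an added example that is not from the original post. The text uses phishing emails; this block applies the same idea to tabular fraud records, where the generative step is easy to inspect: each synthetic case is an interpolation between two known fraud cases (the core step of SMOTE-style oversampling), so it shares their characteristics without duplicating either. The feature set and the four known-fraud rows are assumptions constructed for the demonstration.

```python
"""Augmenting scarce fraud examples with synthetic ones (SMOTE-style interpolation).

Added example, not from the original post. Every synthetic row lies on the
line between two known fraud rows, so it stays inside the envelope of
observed fraud while adding variety for a downstream classifier.
All rows are constructed for the demonstration.
"""
import random

# Feature order (constructed): amount, hour of day, distance from home (km).
KNOWN_FRAUD = [
    (2400.0, 2.0, 650.0),
    (1900.0, 4.0, 420.0),
    (3100.0, 1.0, 880.0),
    (2750.0, 3.0, 710.0),
]


def interpolate(a, b, t):
    """Point a fraction t of the way from row a to row b."""
    return tuple(x + t * (y - x) for x, y in zip(a, b))


def augment_minority(rows, target_count, seed=3):
    """Return `rows` followed by synthetic rows, target_count rows in total.

    Each synthetic row interpolates one randomly chosen seed row toward a
    different randomly chosen seed row.
    """
    if len(rows) < 2:
        raise ValueError("need at least two minority rows to interpolate")
    rng = random.Random(seed)
    synthetic = []
    while len(rows) + len(synthetic) < target_count:
        a, b = rng.sample(rows, 2)          # two distinct seed rows
        synthetic.append(interpolate(a, b, rng.random()))
    return list(rows) + synthetic


def feature_bounds(rows):
    """Per-feature (min, max) over a set of rows."""
    return [(min(r[i] for r in rows), max(r[i] for r in rows))
            for i in range(len(rows[0]))]


def within_bounds(row, bounds):
    """True if every feature of `row` lies inside its (min, max) bound."""
    return all(lo - 1e-9 <= x <= hi + 1e-9 for x, (lo, hi) in zip(row, bounds))


def class_balance(n_legit, fraud_rows):
    """Share of fraud rows in a training set with n_legit legitimate rows."""
    return len(fraud_rows) / (n_legit + len(fraud_rows))


if __name__ == "__main__":
    n_legit = 996   # constructed: 996 legitimate rows against 4 known fraud rows
    augmented = augment_minority(KNOWN_FRAUD, target_count=100)
    bounds = feature_bounds(KNOWN_FRAUD)
    print(f"fraud share before: {class_balance(n_legit, KNOWN_FRAUD):.3%}")
    print(f"fraud share after:  {class_balance(n_legit, augmented):.3%}")
    print("all synthetic rows inside the known-fraud envelope:",
          all(within_bounds(r, bounds) for r in augmented[len(KNOWN_FRAUD):]))
```

Two practical checks follow from this design. First, synthetic rows never leave the envelope of the seed cases, which is what makes them plausible but also means they cannot represent a genuinely new fraud pattern; that is the gap the text's "not yet observed" cases would have to fill with a richer generative model. Second, a classifier trained on the augmented set must be evaluated on held-out real fraud only, because synthetic rows that resemble the seeds inflate apparent recall.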
Fraud investigation through scenario generation
Generative AI can also play a pivotal role in fraud investigations. Traditional investigative methods often involve manual data analysis and pattern recognition, which are time-consuming and subject to human error. Generative AI models can automate and enhance this process by generating plausible scenarios or data points that investigators can explore.
For example, in a case involving financial fraud, a generative model could be trained on transaction data to develop a range of scenarios that explain anomalous transactions. These generated scenarios can serve as starting points for investigators, helping them understand the possible mechanisms of the fraud scheme and aiding quicker resolution.
Ethical considerations
While the potential of generative AI in fraud management is immense, it is crucial to consider the ethical implications. These models generate synthetic data, which poses risks of data manipulation and misuse. Therefore, it is imperative to implement robust security measures and ethical guidelines when deploying generative AI for fraud management.
Conclusion
Generative AI holds significant promise in enhancing existing fraud prevention, identification, and investigation systems. Its ability to generate synthetic data can help overcome traditional methods’ limitations, providing a more dynamic and adaptive approach to fraud management. However, ethical considerations cannot be overlooked. As with any technological advancement, the key lies in responsible implementation and continuous monitoring to ensure that the benefits outweigh the risks.
By integrating generative AI into their cybersecurity strategies, organizations can equip themselves with a more robust and adaptive tool for combating fraud. This will safeguard their assets and reputation in an increasingly complex digital landscape.