Abstract
Introduction
Background
Security culture framework
Application
Considerations and limitations
Conclusion and future work
Acknowledgments
Funding
References
Abstract
This paper presents a cyber-security culture framework for assessing and evaluating the current security readiness of an organization’s workforce. Having conducted a thorough review of the most commonly used security frameworks, we identify the core human-related security elements and classify them by constructing a domain-agnostic security model. We then present each component of our model in detail and attempt to quantify them in order to arrive at a feasible assessment methodology. The paper thereafter presents the application of this methodology to the design and development of a security culture evaluation tool that offers recommendations and alternative approaches to workforce training programs and techniques. The model has been designed to adapt easily to various application domains while focusing on their unique characteristics. The paper concludes with applications of our instrument in security-critical domains and its contribution to current research by providing deeper insights into the human factor in cybersecurity.
Introduction
Information security is a multidisciplinary area of study and professional activity focusing on safeguarding and protecting information technology against a variety of dangers and threats.1,2 Initially, information security was characterized by a rather technical approach best left to the technical experts.3 Even at this early stage, the people responsible for implementing information security identified the need for top management to become involved. This led to a second phase in which information security was incorporated into organizational structures and Information Security Managers were appointed.4 Security policies and procedures were drafted, creating the need to understand their effectiveness and assess their results. Most importantly, this revealed that there were other elements of information security that had been disregarded up until then. Information security standardization, certification and assessment were introduced, along with an effort to understand and address the human element as an important security factor.5
An organization’s biggest threat to privacy and security, even if not acknowledged, is considered to be its own staff.6 Employee security awareness is a key link in an organization’s security chain, since even the most well-guarded corporation is defenseless without a security culture.7,8 The term “security culture” soon became dominant in this era and was given various definitions.9 The vast majority of them agree that it “exists when every participant in the information society, appropriately to their role, is aware of the relevant security risks and preventative measures, assumes responsibility and takes steps to improve the security of their information systems and networks
Conclusion and future work
The research trend appears to be moving from a technical approach to information security towards a socio-cultural approach.53,96,97 Technical simulations and real-time testing of information systems, mathematical models, analytics, and risk assessments are giving way to behavioral, organizational, and criminological theories as the basis of cybersecurity evaluation.
The security culture framework presented in this paper combines the strengths and mitigates the weaknesses of both scientific approaches while underlining the importance of the human factor in the security chain.9 Its iterative nature allows an organization’s cyber-security culture to be closely monitored and constantly evaluated; as a living mechanism, that culture adapts and evolves with the continuously demanding technological environment of this century.