Information Security and Cybersecurity Management: A Case Study with SMEs in Portugal

Antunes, Mário; Maximiano, Marisa; Gomes, Ricardo; Pinto, Daniel Fernandes

doi:10.3390/jcp1020012

Cited by 31 publications

(6 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Cybersecurity standards explain and provide methods one by one, specify what is expected to be done to complete the process, and clarify methods to coincide with the standard, whereas a cybersecurity framework is a general guideline that covers many components or domains that can be adopted by businesses/companies/institutions, which does not specify the steps that are required to be taken [21]. Satisfactory cybersecurity protection can be achieved by adopting a cybersecurity framework that describes the scope, implementation, and evaluation processes, and also provides a general structure and methodology for protecting critical digital assets [22]. In fact, organizations can refer to cybersecurity frameworks to realize guidelines in the successful implementation of cybersecurity standards to be better equipped to identify, detect, and respond to cyberattacks [23].…”

Section: Cybersecurity Standards and Frameworkmentioning

confidence: 99%

Understanding Cybersecurity Frameworks and Information Security Standards—A Review and Comprehensive Overview

Taherdoost

2022

Electronics

View full text Add to dashboard Cite

Businesses are reliant on data to survive in the competitive market, and data is constantly in danger of loss or theft. Loss of valuable data leads to negative consequences for both individuals and organizations. Cybersecurity is the process of protecting sensitive data from damage or theft. To successfully achieve the objectives of implementing cybersecurity at different levels, a range of procedures and standards should be followed. Cybersecurity standards determine the requirements that an organization should follow to achieve cybersecurity objectives and facilitate against cybercrimes. Cybersecurity standards demonstrate whether an information system can meet security requirements through a range of best practices and procedures. A range of standards has been established by various organizations to be employed in information systems of different sizes and types. However, it is challenging for businesses to adopt the standard that is the most appropriate based on their cybersecurity demands. Reviewing the experiences of other businesses in the industry helps organizations to adopt the most relevant cybersecurity standards and frameworks. This study presents a narrative review of the most frequently used cybersecurity standards and frameworks based on existing papers in the cybersecurity field and applications of these cybersecurity standards and frameworks in various fields to help organizations select the cybersecurity standard or framework that best fits their cybersecurity requirements.

show abstract

Section: Cybersecurity Standards and Frameworkmentioning

confidence: 99%

Understanding Cybersecurity Frameworks and Information Security Standards—A Review and Comprehensive Overview

Taherdoost

2022

Electronics

View full text Add to dashboard Cite

show abstract

“…In [62], a use case in Portugal for the implementation of information security actions in a group of SMEs was explained in detail. Some aspects of this work are similar to those adopted in our proposal: a set of information security controls from a recognized standard, which have been grouped into different groups of controls to respond to different needs.…”

Section: A Lack Of High-level Standards That Provide Procedural Eleme...mentioning

confidence: 99%

CyberTOMP: A Novel Systematic Framework to Manage Asset-Focused Cybersecurity From Tactical and Operational Levels

Manuel¹,

Carmona-Murillo

Cortés-Polo

et al. 2022

IEEE Access

View full text Add to dashboard Cite

Currently different reference models are used to manage cybersecurity, although practically none are applicable "as is" to lower levels as they do not detail specific procedural aspects for them. However, they urge organizations to develop a methodological foundation to manage cybersecurity at those levels. Although they allow organizations to adhere to a recognized standard at the strategic level, this advantage vanishes when organizations must define specific low-level procedures, allowing the appearance of inconsistency at tactical and operational levels between departments of the same organization or between organizations. The design of these elements with the required holism and homogeneity is difficult, and this is why generic processes focused on getting certified regarding a standard are usually originated, but they are insufficient to obtain effective cybersecurity because they are not focused on dealing with real cyber threats. Because of the great responsibility of lower levels to achieve effective cybersecurity, this lack of methodological definition makes it difficult to adapt cybersecurity to the highly dynamic cyber context with the required holism and strategic alignment. Our proposal provides CyberTOMP, a process for managing cybersecurity at lower levels, as well as a set of methodological elements that support it. The novelty of these contributions is that they complement the strategic standard selected by the organization, providing it with a set of procedural elements ready to be used out of the box, contributing those aspects required by high-level frameworks to manage cybersecurity at lower levels, for which there is no alternative with a managerial approach.

show abstract

“…Regarding the impact of cyberawareness in Small-Medium Enterprises (SME), Boletsis et al [23] and Antunes et al [24] have pointed out the key factors and the cyberawareness best practices that should be adopted in this type of organization. In healthcare institutions, Nunes et al [25] evaluated the cybersecurity awareness level of health practitioners in hospitals and identified the associated risk.…”

Section: Literature Reviewmentioning

confidence: 99%

An Integrated Cybernetic Awareness Strategy to Assess Cybersecurity Attitudes and Behaviours in School Context

2021

Self Cite

View full text Add to dashboard Cite

Digital exposure to the Internet among the younger generations, notwithstanding their digital abilities, has increased and raised the alarm regarding the need to intensify the education on cybersecurity in schools. Understanding of the human factor and its influence on children, namely their attitudes and behaviors online, is pivotal to reinforce their awareness towards cyberattacks, and to promote their digital citizenship. This paper aims to present an integrated cybersecurity and cyberawareness strategy composed of three major steps: (1) Cybersecurity attitude and behavior assessment, (2) self-diagnosis, and (3) teaching/learning activities. The following contributions are made: Two questionnaires to assess risky attitudes and behaviors regarding cybersecurity; a self-diagnosis to measure students’ skills on cybersecurity; a lesson plan addressing cyberawareness to be applied on Information and Communications Technology (ICT) and citizenship education curricular units. Cybersecurity risky attitudes and behaviors were evaluated in a junior high school population of 164 students attending the sixth and ninth grades. The assessment focused on two main subjects: To identify the attitudes and behaviors that raise the risk on cybersecurity among the participating students; to characterize the acquired students’ cybersecurity and cyberawareness skills. Global and individual scores and the histograms for attitudes and behaviors are presented. The items in which we have observed significant differences between sixth and ninth grades are depicted and quantified by their corresponding p-values obtained through the Mann–Whitney non-parametric test. Regarding the results obtained on the assessment of attitudes and behaviors, although positive, we observed that the attitudes and behaviors in ninth grade students are globally inferior compared to those attained by sixth grade students. The deployed strategy for cyberawareness was applied in a school context; however, the same approach is suitable to be applied in other types of organizations, namely enterprises, healthcare institutions and public sector.

show abstract

Information Security and Cybersecurity Management: A Case Study with SMEs in Portugal

Cited by 31 publications

References 24 publications

Understanding Cybersecurity Frameworks and Information Security Standards—A Review and Comprehensive Overview

Understanding Cybersecurity Frameworks and Information Security Standards—A Review and Comprehensive Overview

CyberTOMP: A Novel Systematic Framework to Manage Asset-Focused Cybersecurity From Tactical and Operational Levels

An Integrated Cybernetic Awareness Strategy to Assess Cybersecurity Attitudes and Behaviours in School Context

Contact Info

Product

Resources

About