Mike Nkongolo,Nita Mennega,Izaan van Zyl

DOI: https://doi.org/10.1007/978-981-99-7962-2_7

2024-01-08

Abstract:This research paper adopts a methodology by conducting a thorough literature review to uncover the essential prerequisites for achieving a prosperous career in the field of Information Security (IS). The primary objective is to increase public awareness regarding the diverse opportunities available in the Information Security (IS) field. The initial search involved scouring four prominent academic databases using the specific keywords "cybersecurity" and "skills," resulting in the identification of a substantial corpus of 1,520 articles. After applying rigorous screening criteria, a refined set of 31 relevant papers was selected for further analysis. Thematic analysis was conducted on these studies to identify and delineate the crucial knowledge and skills that an IS professional should possess. The research findings emphasize the significant time investment required for individuals to acquire the necessary technical proficiency in the cybersecurity domain. Furthermore, the study recognizes the existence of gender-related obstacles for women pursuing cybersecurity careers due to the field's unique requirements. It suggests that females can potentially overcome these barriers by initially entering the profession at lower levels and subsequently advancing based on individual circumstances.

Computers and Society

Nabin Chowdhury,Vasileios Gkioulos

DOI: https://doi.org/10.1108/ics-07-2020-0121

2021-08-24

Information and Computer Security

Abstract:Purpose The purpose of this paper can be encapsulated in the following points: identify the research papers published on the topic: competencies and skills necessary for critical infrastructure (CI) cyber-security (CS) protection; determine main focus areas within the identified literature and evaluate the dependency or lack thereof between them: make recommendations for future research. Design/methodology/approach This study is based on a systematic literature review conducted to identify scientific papers discussing and evaluating competencies, skills and essential attributes needed by the CI workforce for CS and preparedness to attacks and incidents. Findings After a comparative analysis of the articles reviewed in this study, a variety of skills and competencies was found to be necessary for CS assurance in CIs. These skills have been grouped into four categories, namely, technical, managerial, implementation and soft skills. Nonetheless, there is still a lack of agreement on which skills are the most critical and further research should be conducted on the relation between specific soft skills and CS assurance. Research limitations/implications Investigation of which skills are required by industry for specific CS roles, by conducting interviews and sending questionnaire\surveys, would allow consolidating whether literature and industry requirements are equivalent. Practical implications Findings from this literature review suggest that more effort should be taken to conciliate current CS curricula in academia with the skills and competencies required for CS roles in the industry. Originality/value This study provides a previously lacking current mapping and review of literature discussing skills and competencies evidenced as critical for CS assurance for CI. The findings of this research are useful for the development of comprehensive solutions for CS awareness and training.

Ankur Shukla,Basel Katt,Livinus Obiora Nweke,Prosper Kandabongee Yeng,Goitom Kahsay Weldehawaryat

DOI: https://doi.org/10.1016/j.cosrev.2022.100496

2022-07-29

Abstract:System security assurance provides the confidence that security features, practices, procedures, and architecture of software systems mediate and enforce the security policy and are resilient against security failure and attacks. Alongside the significant benefits of security assurance, the evolution of new information and communication technology (ICT) introduces new challenges regarding information protection. Security assurance methods based on the traditional tools, techniques, and procedures may fail to account new challenges due to poor requirement specifications, static nature, and poor development processes. The common criteria (CC) commonly used for security evaluation and certification process also comes with many limitations and challenges. In this paper, extensive efforts have been made to study the state-of-the-art, limitations and future research directions for security assurance of the ICT and cyber-physical systems (CPS) in a wide range of domains. We conducted a systematic review of requirements, processes, and activities involved in system security assurance including security requirements, security metrics, system and environments and assurance methods. We highlighted the challenges and gaps that have been identified by the existing literature related to system security assurance and corresponding solutions. Finally, we discussed the limitations of the present methods and future research directions.

Cryptography and Security,Software Engineering

Anthony Vance,Zeynep Sahin

DOI: https://doi.org/10.1016/j.cose.2024.104063

IF: 5.105

2024-08-24

Computers & Security

Abstract:Since its establishment in the 1990s, the role of chief information security officer (CISO) has become critical to organizations in managing cybersecurity risks. However, despite widespread recognition of the importance of this role in industry, research about CISOs and the problems they face in protecting organizations is nascent. We review the academic and practitioner literature on CISOs to identify existing themes and highlight a range of challenges related to CISOs in which further research is needed, such as establishing legitimacy within C-suite executive teams, appropriate accountability for cybersecurity incidents, CISO turnover, and promoting security in the face of human factors, business realities, and budget constraints. We also propose a research agenda to address these challenges using potential theoretical lenses. In these ways, this study lays the groundwork for future research on CISOs and their essential role in ensuring the cybersecurity of organizations.

computer science, information systems

Betsy Uchendu,Jason R.C. Nurse,Maria Bada,Steven Furnell

DOI: https://doi.org/10.1016/j.cose.2021.102387

2021-10-01

Abstract:<p>While the creation of a strong security culture has been researched and discussed for decades, it continues to elude many businesses. Part of the challenge faced is distilling pertinent, recent academic findings and research into useful guidance. In this article, we aim to tackle this issue by conducting a state-of-the-art study into organisational cyber security culture research. This work investigates four questions, including how cyber security culture is defined, what factors are essential to building and maintaining such a culture, the frameworks proposed to cultivate a security culture and the metrics suggested to assess it. Through the application of the PRISMA systematic literature review technique, we identify and analyse 58 research articles from the last 10 years (2010-2020). Our findings demonstrate that while there have been notable changes in the use of terms (e.g., information security culture and cyber security culture), many of the most influential factors across papers are similar. Top management support, policy and procedures, and awareness for instance, are critical in engendering cyber security culture. Many of the frameworks reviewed revealed common foundations, with organisational culture playing a substantial role in crafting appropriate cyber security culture models. Questionnaires and surveys are the most used tool to measure cyber security culture, but there are also concerns as to whether more dynamic measures are needed. For practitioners, this article highlights factors and models essential to the creation and management of a robust security culture. For research, we produce an up-to-date characterisation of the field and also define open issues deserving of further attention such as the role of change management processes and national culture in an enterprise's cyber security culture.</p>

computer science, information systems

Duong Dang,Tero Vartiainen,Mike Mekkanen

2024-05-03

Abstract:Literature in cyber security including cyber security in energy informatics are tecnocentric focuses that may miss the chances of understanding a bigger picture of cyber security measures. This research thus aims to conduct a literature review focusing on non-technical issues in cyber security in the energy informatics field. The findings show that there are seven non-technical issues have been discussed in literature, including education, awareness, policy, standards, human, and risks, challenges, and solutions. These findings can be valuable for not only researchers, but also managers, policy makers, and educators.

Cryptography and Security

Angelo Corallo,Mariangela Lazoi,Marianna Lezzi,Angela Luperto

DOI: https://doi.org/10.1016/j.compind.2022.103614

IF: 10

2022-05-01

Computers in Industry

Abstract:Cybersecurity is one of the main challenges faced by companies in the context of the Industrial Internet of Things (IIoT), in which a number of smart devices associated with machines, computers and people are networked and communicate with each other. In this connected industrial scenario, personnel need to be aware of cybersecurity issues in order to prevent or minimise the occurrence of cybersecurity incidents and corporate data breaches, and thus to make companies resilient to cyber-attacks. In addition, the recent increase in smart working due to the COVID-19 pandemic means that the need for cybersecurity awareness is more relevant than ever. In this study, we carry out a systematic literature review in order to analyse how the existing state of the art deals with cybersecurity awareness in the context of IIoT, and to provide a comprehensive overview of this topic. Four areas of analysis are considered: (i) definitions of the concepts of cybersecurity awareness and information security awareness, with keyword extrapolation (e.g. cybersecurity control level, information and responsibility); (ii) the industrial context of the analysed studies (e.g. manufacturing, critical infrastructure); (iii) the techniques adopted to raise company awareness of cybersecurity (e.g. serious games, online questionnaires); and (iv) the main benefits of a large-scale campaign of cybersecurity awareness (e.g. the effectiveness of employees in terms of managing cybersecurity issues, identification of cyber-attacks). Practitioners and researchers can benefit from our analysis of the features of each area in their future research and applications.

computer science, interdisciplinary applications

Thilini B. G. Herath,Prashant Khanna,Monjur Ahmed

DOI: https://doi.org/10.3390/jcp2010001

2022-01-20

Journal of Cybersecurity and Privacy

Abstract:In this paper, we present secondary research on recommended cybersecurity practices for social media users from the user’s point of view. Through following a structured methodological approach of the systematic literature review presented, aspects related to cyber threats, cyber awareness, and cyber behavior in internet and social media use are considered in the study. The study presented finds that there are many cyber threats existing within the social media platform, such as loss of productivity, cyber bullying, cyber stalking, identity theft, social information overload, inconsistent personal branding, personal reputation damage, data breach, malicious software, service interruptions, hacks, and unauthorized access to social media accounts. Among other findings, the study also reveals that demographic factors, for example age, gender, and education level, may not necessarily be influential factors affecting the cyber awareness of the internet users.

Noor Suhani Sulaiman,Muhammad Ashraf Fauzi,Walton Wider,Jegatheesan Rajadurai,Suhaidah Hussain,Siti Aminah Harun

DOI: https://doi.org/10.3390/socsci11090386

2022-08-30

Social Sciences

Abstract:Cyber and information security (CIS) is an issue of national and international interest. Despite sophisticated security systems and extensive physical countermeasures to combat cyber-attacks, organisations are vulnerable due to the involvement of the human factor. Humans are regarded as the weakest link in cybersecurity systems as development in digital technology advances. The area of cybersecurity is an extension of the previously studied fields of information and internet security. The need to understand the underlying human behavioural factors associated with CIS policy warrants further study, mainly from theoretical perspectives. Based on these underlying theoretical perspectives, this study reviews literature focusing on CIS compliance and violations by personnel within organisations. Sixty studies from the years 2008 to 2020 were reviewed. Findings suggest that several prominent theories were used extensively and integrated with another specific theory. Protection Motivation Theory (PMT), the Theory of Planned Behaviour (TPB), and General Deterrence Theory (GDT) were identified as among the most referred-to theories in this area. The use of current theories is discussed based on their emerging importance and their suitability in future CIS studies. This review lays the foundation for future researchers by determining gaps and areas within the CIS context and encompassing employee compliance and violations within an organisation.

English Else

Steve Goliath,Pitso Tsibolane,Dirk Snyman

2024-11-06

Abstract:Cyberattacks frequently target higher educational institutions, making cybersecurity awareness and resilience critical for students. However, limited research exists on cybersecurity awareness, attitudes, and resilience among students in higher education. This study addresses this gap using the Theory of Planned Behavior as a theoretical framework. A modified Human Aspects of Information Security Questionnaire was employed to gather 266 valid responses from undergraduate and postgraduate students at a South African higher education institution. Key dimensions of cybersecurity awareness and behavior, including password management, email usage, social media practices, and mobile device security, were assessed. A significant disparity in cybersecurity awareness and practices, with postgraduate students demonstrating superior performance across several dimensions was noted. This research postulates the existence of a Cybersecurity-Education Inflection Point during the transition to postgraduate studies, coined as the Cybersecurity-Resilience Gap. These concepts provide a foundation for developing targeted cybersecurity education initiatives in higher education, particularly highlighting the need for earlier intervention at the undergraduate level.

Cryptography and Security

Ahmed Ibrahim,Marnie McKee,Leslie F. Sikos,Nicola F. Johnson

DOI: https://doi.org/10.1109/access.2024.3393425

IF: 3.9

2024-05-03

IEEE Access

Abstract:This paper presents a systematic review of K-12 cybersecurity education literature from around the world. 24 academic papers dated from 2013–2023 were eligible for inclusion in the literature established within the research protocol. An additional 19 gray literature sources comprised the total. A range of recurring common topics deemed as aspects of cybersecurity behavior or practice were identified. A variety of cybersecurity competencies and skills are needed for K-12 students to apply their knowledge. As may be expected to be the case with interdisciplinary fields, studies are inherently unclear in the use of their terminology, and this is compounded in this field due to the pervasive nature of cybersecurity, relevant and important to every person using a digital device. Almost all the studies within the data focused on secondary school settings and it appears the primary school years are largely ignored. This review suggests that most aspects of cybersecurity are not being systematically taught at K-12 around the world.

computer science, information systems,telecommunications,engineering, electrical & electronic

Hussain Aldawood,Geoffrey Skinner

DOI: https://doi.org/10.1109/tale.2018.8615162

2018-12-01

Abstract:Social engineering, due in part to the increasing popularity and advancements in information technology and ubiquity of devices, has emerged as one of the most challenging cyber security threats in the contemporary age. In the context of cyber security, social engineering is the practice of taking advantage of human weaknesses through manipulation to accomplish a malicious goal. This literature review identifies various social engineering cyber security threats in diverse environments. Exploiting humans as the weakest security link in such environments, as opposed to technical vulnerabilities and system protocols, has led to increased calls for raising information security awareness among users. One of the most straightforward solutions is through effective training and education programs. As such, the paper details how innovative information security education programs can effectively increase user/employee awareness and ultimately reduce cyber security incidents.

Amy Ertan,Georgia Crossland,Claude Heath,David Denny,Rikke Jensen

DOI: https://doi.org/10.48550/arXiv.2004.11768

2020-04-24

Abstract:This review explores the academic and policy literature in the context of everyday cyber security in organisations. In so doing, it identifies four behavioural sets that influences how people practice cyber security. These are compliance with security policy, intergroup coordination and communication, phishing/email behaviour, and password behaviour. However, it is important to note that these are not exhaustive and they do not exist in isolation. In addition, the review explores the notion of security culture as an overarching theme that overlaps and frames the four behavioural sets. The aim of this review is therefore to provide a summary of the existing literature in the area of everyday cyber security within the social sciences, with a particular focus on organisational contexts. In doing so, it develops a series of suggestions for future research directions based on existing gaps in the literature. The review also includes a theoretical lens that will aid the understanding of existing studies and wider literatures. Where possible, the review makes recommendations for organisations in relation to everyday cyber security.

Computers and Society

Valdemar Švábenský,Jan Vykopal,Pavel Čeleda

DOI: https://doi.org/10.48550/arXiv.1911.11675

2019-11-26

Cryptography and Security

Abstract:Cybersecurity is now more important than ever, and so is education in this field. However, the cybersecurity domain encompasses an extensive set of concepts, which can be taught in different ways and contexts. To understand the state of the art of cybersecurity education and related research, we examine papers from the ACM SIGCSE and ACM ITiCSE conferences. From 2010 to 2019, a total of 1,748 papers were published at these conferences, and 71 of them focus on cybersecurity education. The papers discuss courses, tools, exercises, and teaching approaches. For each paper, we map the covered topics, teaching context, evaluation methods, impact, and the community of authors. We discovered that the technical topic areas are evenly covered (the most prominent being secure programming, network security, and offensive security), and human aspects, such as privacy and social engineering, are present as well. The interventions described in SIGCSE and ITiCSE papers predominantly focus on tertiary education in the USA. The subsequent evaluation mostly consists of collecting students' subjective perceptions via questionnaires. However, less than a third of the papers provide supplementary materials for other educators, and none of the authors published their dataset. Our results provide orientation in the area, a synthesis of trends, and implications for further research. Therefore, they are relevant for instructors, researchers, and anyone new in the field of cybersecurity education. The information we collected and synthesized from individual papers are organized in a publicly available dataset.

Sara Ricci,Simon Parker,Jan Jerabek,Yianna Danidou,Argyro Chatzopoulou,Remi Badonnel,Imre Lendak,Vladimir Janout

DOI: https://doi.org/10.1109/te.2023.3340868

2024-01-01

IEEE Transactions on Education

Abstract:Demand for cybersecurity professionals from industry and institutions is high, driven by an increasing digitization of society and the growing range of potential targets for cyber attacks. However, despite this pressing need a significant shortfall in the number of cybersecurity experts remains and a discrepancy has emerged between the skills introduced through education and those required in professional settings. In this article, a political, economic, social, technological, legal, and environmental (PESTLE) analysis was utilized to explore the factors impacting cybersecurity education in Europe. The PESTLE analysis enabled the categorization of factors affecting cybersecurty education and skills and allowed for cybersecurity professionals to assess the relevance of the factors at a national-level and European-level. Utilizing the concept of modularity from social network analysis, the interconnectivity of factors was also considered. Finally, a European-level stakeholder survey was conducted to verify the findings. As a result of the above process, a lack of societal awareness of cybersecurity was identified as a major challenge to education, along with a lack of EU-level certification. It should be noted that significant differences between factors perceived as impacting cybersecurity education were found between countries suggesting a need for local solutions to the problem.

engineering, electrical & electronic,education, scientific disciplines

Alina Torbunova,Adnan Ashraf,Ivan Porres

2024-07-10

Abstract:Context: To effectively defend against ever-evolving cybersecurity threats, software systems should be made as secure as possible. To achieve this, software developers should understand potential vulnerabilities and apply secure coding practices. To prepare these skilled professionals, it is important that cybersecurity concepts are included in programming courses taught at universities. Objective: To present a comprehensive and unbiased literature review on teaching of cybersecurity concepts in programming courses taught at universities. Method: We perform a Systematic Mapping Study. We present six research questions, define our selection criteria, and develop a classification scheme. Results and Conclusions: We select 24 publications. Our results show a wide range of research contributions. We also outline guidelines and identify opportunities for future studies. The guidelines include coverage of security knowledge categories and evaluation of contributions. We suggest that future studies should cover security issues, negative impacts, and countermeasures, as well as apply evaluation techniques that examine students' knowledge. The opportunities for future studies are related to advanced courses, security knowledge frameworks, and programming environments. Furthermore, there is a need of a holistic security framework that covers the security concepts identified in this study and is suitable for education.

Programming Languages

Robert Ramirez,Nazli Choucri

DOI: https://doi.org/10.48550/arXiv.2010.05156

2020-10-11

Cryptography and Security

Abstract:The growing demand for computer security and the cyberization trend are hallmarks of the 21st century. The rise in cyber-crime, digital currency, e-governance, and more, is well met by a corresponding recent jump in investment in new technology for securing computers around the globe. Recently, business and government sectors have begun to focus efforts on comprehensive cyber security solutions. With this growth has emerged the need for greater methods of collabo-ration and measurement of security. Despite all these efforts, this need has not been met, and there is still too little cross-disciplinary collaboration in the realm of computer security. This paper reviews the new trends in cyber security research, their contributions, and some identifiable limitations. We argue that these limitations are due largely to the absence of co-operation required to address a problem that is clearly multifaceted. We then identify a need for further standardization of terminology in computer security and propose guidelines for the global Internet multistakeholder community to consider when crafting such standards. We also assess the viability of some specific terms, including whether cyber should be used as a separate word when it is a descriptor (e.g. cyber security or cybersecurity), and conclude with recommendations for writing future papers on cyber security or the broader new field of all things relating to cyberspace, which has recently been dubbed Cybermatics, a term we also examine and propose alternatives to, like Cyber or Cybernomics. By furthering the effort of standardizing cyber security terminology, this paper lays groundwork for cross-disciplinary collaboration, agreement between technical and nontechnical stakeholders, and the drafting of universal Internet governance laws.

Houda Harkat,Luis M. Camarinha-Matos,João Goes,Hasmath F.T. Ahmed

DOI: https://doi.org/10.1016/j.cie.2024.109891

IF: 7.18

2024-02-01

Computers & Industrial Engineering

Abstract:In recent years, cyber-physical systems (CPS) have been to many vital areas, including medical devices, smart cars, industrial systems, energy grid, etc. As these systems increasingly rely on Internet, ensuring their security requirements, which are different from those of ordinary information technology systems, has become an important research topic. However, the area is not yet well structured and, therefore, it is essential to review and analyze recent work in this field to better understand the adopted approaches and also to identify corresponding gaps and future interesting research directions. This article is based on a systematic literature review that addresses core issues in CPS security. Part of the focus is placed on the defense mechanisms introduced to help the system fully recover from attacks. However, the framework devoted to risk/threat assessments has also been highlighted, as there is a substantial need to strengthen the systems architecture to be more proactive. In addition, the ethical and societal impact of CPS is emphasized since it is essential to get a vision of the unintended outcomes of the possible evolution of these systems.

computer science, interdisciplinary applications,engineering, industrial

Sotirios Katsikeas,Pontus Johnson,Mathias Ekstedt,Robert Lagerström

DOI: https://doi.org/10.1016/j.cosrev.2021.100431

2021-04-22

Abstract:In order to provide a coherent overview of cyber security research, the Scopus academic abstract and citation database was mined to create a citation graph of 98,373 authors active in the field between 1949 and early 2020. The Louvain community detection algorithm was applied to the graph in order to identify existing research communities. The analysis discovered twelve top-level communities: access control, authentication, biometrics, cryptography (I & II), cyber-physical systems, information hiding, intrusion detection, malwares, quantum cryptography, sensor networks, and usable security. These top-level communities were in turn composed of a total of 80 sub-communities. The analysis results are presented for each community in descriptive text, sub-community graphs, and tables with, for example, the most-cited papers and authors. A comparison between the detected communities and topical areas defined by other related work, is also presented, demonstrating a greater researcher emphasis on cryptography, quantum cryptography, information hiding and biometrics, at the expense of laws and regulation, risk management and governance, and security software lifecycle.

Cryptography and Security

Sara Ramezanian,Valtteri Niemi

DOI: https://doi.org/10.1109/access.2024.3392970

IF: 3.9

2024-05-07

IEEE Access

Abstract:The widespread deployment of digital technologies has made the globe an interconnected world. Among other necessities of the digitalized world, cybersecurity is a crucial component. Therefore, education and proper training of the cybersecurity workforce are essential for building a strong national and global community. However, a significant shortage of proficient cybersecurity experts is reported worldwide. In this study, we present a comprehensive guideline for university-level cybersecurity curriculum development with respect to workforce training. Our curriculum guideline is based on consulting various globally well-known documents, reports, and frameworks that are specifically designed for cybersecurity. Namely, to conduct our research we utilize Cybersecurity Curricula 2017 (CSEC2017) by the Joint Task Force on Cybersecurity Education, National Initiative for Cybersecurity Education (NICE) cybersecurity workforce framework by the National Institute of Standards and Technology (NIST), and the Development Needs in Cybersecurity Education: Final report of the project by Lehto et al. at the University of Jyväskylä in Finland. The significance of our work also relies on the fact that the previous efforts to establish a link between the NICE workforce framework and the CSEC2017 curriculum have fallen short, and to the best of our knowledge, this work is the first successful attempt on the matter. In particular, we map every knowledge requirement in each work role to one or several knowledge areas of CSEC2017 curriculum. We define a measurement system to assign a numeric value to each knowledge area. Our goal is to determine the significance of a cybersecurity knowledge area in workforce training. Moreover, we identify the shortcomings of the Cybersecurity Curricula, i.e., we recognize the knowledge areas that are missing from the curriculum. We also discuss about the shortcomings of NICE framework in terms of defining the proper required knowledge in the work roles. Based on our findings, we present a comprehensive guideline for cybersecurity curriculum development for higher educational institutions. Finally, we propose a curriculum roadmap to the job categories.

computer science, information systems,telecommunications,engineering, electrical & electronic