Lata Nautiyal,Awais Rashid

DOI: https://doi.org/10.1016/j.cose.2024.103925

IF: 5.105

2024-07-15

Computers & Security

Abstract:A cyber security organisation needs to ensure that its workforce possesses the necessary knowledge to fulfil its cyber security business functions. Similarly, where an organisation chooses to delegate their cyber security tasks to a third-party provider, they must ensure that the chosen entity possesses robust knowledge capabilities to effectively carry out the assigned tasks. Building a comprehensive cyber security knowledge profile is a distinct challenge; the field is ever evolving with a range of professional certifications, academic qualifications and on-the-job training. So far, there has been a lack of a well-defined methodology for systematically evaluating an organisation's cyber security knowledge, specifically derived from its workforce, against a standardised reference point. Prior research on knowledge profiling across various disciplines has predominantly utilised established frameworks such as SWEBOK. However, within the domain of cyber security, the absence of a standardised reference point is notable. In this paper, we advance a framework leveraging Cyber Security Body of Knowledge (CyBOK), to construct an organisation's knowledge profile. The framework enables a user to identify areas of coverage and where gaps may lie, so that an organisation can consider targeted recruitment or training or, where such expertise may be outsourced, drawing in knowledge capability from third parties. In the latter case, the framework can also be used as a basis for assessing the knowledge capability of such a third party. We present the knowledge profiling framework, discussing three case studies in organisational teams underpinning its initial development, followed by its refinement through workshops with cyber security practitioners.

computer science, information systems

Cagatay Catal,Alper Ozcan,Emrah Donmez,Ahmet Kasif

DOI: https://doi.org/10.1007/s10639-022-11261-8

2022-08-06

Education and Information Technologies

Abstract:Due to the increasing number of cyber incidents and overwhelming skills shortage, it is required to evaluate the knowledge gap between cyber security education and industrial needs. As such, the objective of this study is to identify the knowledge gaps in cyber security graduates who join the cyber security workforce. We designed and performed an opinion survey by using the Cyber Security Knowledge Areas (KAs) specified in the Cyber Security Body of Knowledge (CyBOK) that comprises 19 KAs. Our data was gathered from practitioners who work in cyber security organizations. The knowledge gap was measured and evaluated by acknowledging the assumption for employing sequent data as nominal data and improved it by deploying chi-squared test. Analyses demonstrate that there is a gap that can be utilized to enhance the quality of education. According to acquired final results, three key KAs with the highest knowledge gap are Web and Mobile Security, Security Operations and Incident Management. Also, Cyber-Physical Systems (CPS), Software Lifecycles, and Vulnerabilities are the knowledge areas with largest difference in perception of importance between less and more experienced personnel. We discuss several suggestions to improve the cyber security curriculum in order to minimize the knowledge gaps. There is an expanding demand for executive cyber security personnel in industry. High-quality university education is required to improve the qualification of upcoming workforce. The capability and capacity of the national cyber security workforce is crucial for nations and security organizations. A wide range of skills, namely technical skills, implementation skills, management skills, and soft skills are required in new cyber security graduates. The use of each CyBOK KA in the industry was measured in response to the extent of learning in university environments. This is the first study conducted in this field, it is considered that this research can inspire the way for further researches.

education & educational research

Shouhong Wang,Hai Wang

DOI: https://doi.org/10.1080/08874417.2019.1571458

2019-04-12

Journal of Computer Information Systems

Abstract:Knowledge management (KM) plays important roles in cybersecurity. This study collects five real-life cases of good practices of KM for the domain of cybersecurity in business organizations. Through an iterative process of team-based qualitative data analysis of the five cases, the study develops a model of KM for cybersecurity that conceptualizes three common aspects of KM practices for cybersecurity in business organizations. First, KM for cybersecurity in business organizations has clear specialized organizational structures that involve three inter-organizational tiers across the organization boundaries. Second, the knowledge flows of KM for cybersecurity in business organizations emphasize on explicit, declarative, and specific knowledge. Third, in comparison with KM for other domains, KM for cybersecurity has well-defined objective measures to assess the effectiveness of KM. The domain-specific KM model based on the good practice cases provides a road-map for KM practices in the domain of cybersecurity in business organizations.

computer science, information systems

Ryan Shah,Manuel Maarek,Shenando Stals,Lynne Baillie,Sheung Chi Chan,Robert Stewart,Hans-Wolfgang Loidl,Olga Chatzifoti

DOI: https://doi.org/10.48550/arXiv.2307.16535

2023-07-31

Abstract:Cybersecurity is an important topic which is often viewed as one that is inaccessible due to steep learning curves and a perceived requirement of needing specialist knowledge. With a constantly changing threat landscape, practical solutions such as best-practices are employed, but the number of critical cybersecurity-related incidents remains high. To address these concerns, the National Cyber Security Centre published a Cybersecurity Body of Knowledge (CyBOK) to provide a comprehensive information base used to advise and underpin cybersecurity learning. Unfortunately, CyBOK contains over 1000 pages of in-depth material and may not be easy to navigate for novice individuals. Furthermore, it does not allow for easy expression of various cybersecurity scenarios that such individuals may be exposed to. As a solution to these two issues, we propose the use of a playing cards format to provide introductory cybersecurity knowledge that supports learning and discussion, using CyBOK as the foundation for the technical content. Upon evaluation in two user studies, we found that 80% of the participants agreed the cards provided them with introductory knowledge of cybersecurity topics, and 70% agreed the cards provided an interface for discussing topics and enabled them to make links between attacks, vulnerabilities and defences.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Sara Ramezanian,Valtteri Niemi

DOI: https://doi.org/10.1109/access.2024.3392970

IF: 3.9

2024-05-07

IEEE Access

Abstract:The widespread deployment of digital technologies has made the globe an interconnected world. Among other necessities of the digitalized world, cybersecurity is a crucial component. Therefore, education and proper training of the cybersecurity workforce are essential for building a strong national and global community. However, a significant shortage of proficient cybersecurity experts is reported worldwide. In this study, we present a comprehensive guideline for university-level cybersecurity curriculum development with respect to workforce training. Our curriculum guideline is based on consulting various globally well-known documents, reports, and frameworks that are specifically designed for cybersecurity. Namely, to conduct our research we utilize Cybersecurity Curricula 2017 (CSEC2017) by the Joint Task Force on Cybersecurity Education, National Initiative for Cybersecurity Education (NICE) cybersecurity workforce framework by the National Institute of Standards and Technology (NIST), and the Development Needs in Cybersecurity Education: Final report of the project by Lehto et al. at the University of Jyväskylä in Finland. The significance of our work also relies on the fact that the previous efforts to establish a link between the NICE workforce framework and the CSEC2017 curriculum have fallen short, and to the best of our knowledge, this work is the first successful attempt on the matter. In particular, we map every knowledge requirement in each work role to one or several knowledge areas of CSEC2017 curriculum. We define a measurement system to assign a numeric value to each knowledge area. Our goal is to determine the significance of a cybersecurity knowledge area in workforce training. Moreover, we identify the shortcomings of the Cybersecurity Curricula, i.e., we recognize the knowledge areas that are missing from the curriculum. We also discuss about the shortcomings of NICE framework in terms of defining the proper required knowledge in the work roles. Based on our findings, we present a comprehensive guideline for cybersecurity curriculum development for higher educational institutions. Finally, we propose a curriculum roadmap to the job categories.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ivan Flechais,George Chalhoub

2023-11-17

Abstract:Research into the ethics of cybersecurity is an established and growing topic of investigation, however the translation of this research into practice is lacking: there exists a small number of professional codes of ethics or codes of practice in cybersecurity, however these are very broad and do not offer much insight into the ethical dilemmas that can be faced while performing specific cybersecurity activities. In order to address this gap, we leverage ongoing work on the Cyber Security Body of Knowledge (CyBOK) to help elicit and document the responsibilities and ethics of the profession. Based on a literature review of the ethics of cybersecurity, we use CyBOK to frame the exploration of ethical challenges in the cybersecurity profession through a series of 15 interviews with cybersecurity experts. Our approach is qualitative and exploratory, aiming to answer the research question "What ethical challenges, insights, and solutions arise in different areas of cybersecurity?". Our findings indicate that there are broad ethical challenges across the whole of cybersecurity, but also that different areas of cybersecurity can face specific ethical considerations for which more detailed guidance can help professionals in those areas. In particular, our findings indicate that security decision-making is expected of all security professionals, but that this requires them to balance a complex mix of technical, objective and subjective points of view, and that resolving conflicts raises challenging ethical dilemmas. We conclude that more work is needed to explore, map, and integrate ethical considerations into cybersecurity practice; the urgent need to conduct further research into the ethics of cybersecurity AI; and highlight the importance of this work for individuals and professional bodies who seek to develop and mature the cybersecurity profession in a responsible manner.

Cryptography and Security,Human-Computer Interaction

Francois Goupil,Pavel Laskov,Irdin Pekaric,Michael Felderer,Alexander Dürr,Frederic Thiesse

DOI: https://doi.org/10.48550/arXiv.2204.13793

2022-04-28

Cryptography and Security

Abstract:Given the ongoing "arms race" in cybersecurity, the shortage of skilled professionals in this field is one of the strongest in computer science. The currently unmet staffing demand in cybersecurity is estimated at over 3 million jobs worldwide. Furthermore, the qualifications of the existing workforce are largely believed to be insufficient. We attempt to gain deeper insights into the nature of the current skill gap in cybersecurity. To this end, we correlate data from job ads and academic curricula using two kinds of skill characterizations: manual definitions from established skill frameworks as well as "skill topics" automatically derived by text mining tools. Our analysis shows a strong agreement between these two analysis techniques and reveals a substantial undersupply in several crucial skill categories, e.g., software and application security, security management, requirements engineering, compliance, and certification. Based on the results of our analysis, we provide recommendations for future curricula development in cybersecurity so as to decrease the identified skill gaps.

Richard Knight,Jason R.C. Nurse

DOI: https://doi.org/10.1016/j.cose.2020.102036

2020-12-01

Abstract:<p>A major cyber security incident can represent a cyber crisis for an organisation, in particular because of the associated risk of substantial reputational damage. As the likelihood of falling victim to a cyberattack has increased over time, so too has the need to understand exactly what is effective corporate communication after an attack, and how best to engage the concerns of customers, partners and other stakeholders. This research seeks to tackle this problem through a critical, multi-faceted investigation into the efficacy of crisis communication and public relations following a data breach. It does so by drawing on academic literature, obtained through a systematic literature review, and real-world case studies. Qualitative data analysis is used to interpret and structure the results, allowing for the development of a new, comprehensive framework for corporate communication to support companies in their preparation and response to such events. The validity of this framework is demonstrated by its evaluation through interviews with senior industry professionals, as well as a critical assessment against relevant practice and research. The framework is further refined based on these evaluations, and an updated version defined. This research represents the first grounded, comprehensive and evaluated proposal for characterising effective corporate communication after cyber security incidents.</p>

computer science, information systems

Emily Kesler

2024-05-17

Abstract:Classical cybersecurity is often perceived as a rigid science discipline filled with computer scientists and mathematicians. However, due to the rapid pace of technology development and integration, new criminal enterprises, new defense tactics, and the understanding of the human element, cybersecurity is quickly beginning to encompass more than just computers. Cybersecurity experts must broaden their perspectives beyond traditional disciplinary boundaries to provide the best protection possible. They must start to practice transdisciplinary cybersecurity. Taking influence from the Stakeholder Theory in business ethics, this paper presents a framework to encourage transdisciplinary thinking and assist experts in tackling the new challenges of the modern day. The framework uses the simple Think, Plan, Do approach to enable experts to develop their transdisciplinary thinking. The framework is intended to be used as an evaluation tool for existing cybersecurity practices or postures, as a development tool to engage with other disciplines to foster learning and create new methods, and as a guidance tool to encourage new ways of thinking about, perceiving, and executing cybersecurity practices. For each of those intended uses, a use case is presented as an example to showcase how the framework might be used. The ultimate goal of this paper is not the framework but transdisciplinary thinking. By using the tool presented here and developing their own transdisciplinary thinking, cybersecurity experts can be better prepared to face cybersecurity's unique and complex challenges.

Cryptography and Security

Cyril Onwubiko,Karim Ouazzane

DOI: https://doi.org/10.48550/arXiv.2202.02537

2022-02-05

Cryptography and Security

Abstract:Cybersecurity is now at the forefront of most organisational digital transformative agendas and National economic, social and political programmes. Hence its impact to society can no longer be seen to be one dimensional. The rise in National cybersecurity laws and regulations is a good indicator of its perceived importance to nations. And the recent awakening for social and ethical transparency in society and coupled with sustainability issues demonstrate the need for a paradigm shift in how cybersecurity discourses can now happen. In response to this shift, a multidimensional cybersecurity framework for strategic foresight underpinned on situational awareness is proposed. The conceptual cybersecurity framework comprising six domains such as Physical, Cultural, Economic, Social, Political and Cyber, is discussed. The guiding principles underpinning the framework are outlined, followed by in-depth reflection on the Business, Operational, Technological and Human (BOTH) factors and their implications for strategic foresight for cybersecurity.

Nabin Chowdhury,Vasileios Gkioulos

DOI: https://doi.org/10.1108/ics-07-2020-0121

2021-08-24

Information and Computer Security

Abstract:Purpose The purpose of this paper can be encapsulated in the following points: identify the research papers published on the topic: competencies and skills necessary for critical infrastructure (CI) cyber-security (CS) protection; determine main focus areas within the identified literature and evaluate the dependency or lack thereof between them: make recommendations for future research. Design/methodology/approach This study is based on a systematic literature review conducted to identify scientific papers discussing and evaluating competencies, skills and essential attributes needed by the CI workforce for CS and preparedness to attacks and incidents. Findings After a comparative analysis of the articles reviewed in this study, a variety of skills and competencies was found to be necessary for CS assurance in CIs. These skills have been grouped into four categories, namely, technical, managerial, implementation and soft skills. Nonetheless, there is still a lack of agreement on which skills are the most critical and further research should be conducted on the relation between specific soft skills and CS assurance. Research limitations/implications Investigation of which skills are required by industry for specific CS roles, by conducting interviews and sending questionnaire\surveys, would allow consolidating whether literature and industry requirements are equivalent. Practical implications Findings from this literature review suggest that more effort should be taken to conciliate current CS curricula in academia with the skills and competencies required for CS roles in the industry. Originality/value This study provides a previously lacking current mapping and review of literature discussing skills and competencies evidenced as critical for CS assurance for CI. The findings of this research are useful for the development of comprehensive solutions for CS awareness and training.

Sang-Yoon Chang,Kay Yoon,Simeon Wuthier,Kelei Zhang

DOI: https://doi.org/10.48550/arXiv.2206.08971

2022-06-17

Computers and Society

Abstract:Team collaboration among individuals with diverse sets of expertise and skills is essential for solving complex problems. As part of an interdisciplinary effort, we studied the effects of Capture the Flag (CTF) game, a popular and engaging education/training tool in cybersecurity and engineering, in enhancing team construction and collaboration. We developed a framework to incorporate CTF as part of a computer-human process for expertise recognition and role assignment and evaluated and tested its effectiveness through a study with cybersecurity students enrolled in a Virtual Teams course. In our computer-human process framework, the post-CTF algorithm using the CTF outcomes assembles the team (assigning individuals to teams) and provides the initial role assignments, which then gets updated by human-based team discussions. This paper shares our insights, design choices/rationales, and analyses of our CTF-incorporated computer-human process framework. The students' evaluations revealed that the computer-human process framework was helpful in learning about their team members' backgrounds and expertise and assigning roles accordingly made a positive impact on the learning outcomes for the team collaboration skills in the course. This experience report showcases the utility of CTF as a tool for expertise recognition and role assignments in teams and highlights the complementary roles of CTF-based and discussion-based processes for an effective team collaboration among engineering students.

Anna Sutton,Lisa Tompson

DOI: https://doi.org/10.31234/osf.io/h4uby

IF: 5.105

2024-09-11

Computers & Security

Abstract:A strong organisational cybersecurity culture (CSC) is critical to the success of any cybersecurity effort, and understanding and measuring CSC is essential if it is to succeed. To facilitate the framing and measurement of CSC we conducted a rapid evidence assessment (REA) to synthesise relevant studies on CSC. The systematic search identified 1,768 records. 59 studies were eligible for the final synthesis. Thematic analysis of the CSC definitions in the included studies highlighted that CSC should not be viewed solely as a technical problem but as a management issue too; CSC requires top management involvement and role modelling, with full organisational support for the desired employee behaviours. We identify both theoretically and empirically derived models of CSC in the REA, along with a range of methods to develop and test these models. Integrative analysis of these models provides detailed information about CSC dimensions, including employee attitudes towards CS; compliance with policies; the role of security education, training and awareness; monitoring of behaviour and top management commitment. The evidence indicates that CSC should be understood both in the context of the wider organisational culture as well as in the shared employee understanding of CS that leads to behaviour. Based on the findings of this review, we propose a novel integrated framework of CSC consisting of cultural values, the culture-to-behaviour link, and behaviour itself. We also make measurement recommendations based on this CSC framework, ranging from simple, broad-brush tools through to suggestions for multi-dimensional measures, which can be applied in a variety of sectors and organisations.

computer science, information systems

Magdalena Glas,Gerhard Messmann,Günther Pernul

DOI: https://doi.org/10.1016/j.cose.2024.103965

IF: 5.105

2024-06-27

Computers & Security

Abstract:The global shortage of cybersecurity professionals poses a daunting challenge for organizations seeking to protect their assets and data. To counteract this workforce shortage, cyber range exercises (CRXs) can equip individuals with the necessary knowledge and skills to become security professionals. However, the complexity of CRXs tends to overwhelm trainees with little prior cybersecurity experience, resulting in ineffective learning experiences. To address this issue, we take an interdisciplinary approach, leveraging established models on learning and motivation for cybersecurity. In this pursuit, we propose a literature-based framework of six design principles that aim to facilitate CRX designers in creating more effective CRXs. To illustrate the framework's utility, we introduce a CRX for incident response built upon these principles. To evaluate the effectiveness of this principle-driven CRX design, we conducted a user study with N=89 participants. The results of this study showed that the design provided an engaging learning experience that enabled participants to effectively acquire incident response knowledge and skills.

computer science, information systems

Filipo Sharevski,Adam Trowbridge,Jessica Westbrook

DOI: https://doi.org/10.48550/arXiv.1806.01198

2018-06-04

Computers and Society

Abstract:Training the future cybersecurity workforce to respond to emerging threats requires introduction of novel educational interventions into the cybersecurity curriculum. To be effective, these interventions have to incorporate trending knowledge from cybersecurity and other related domains while allowing for experiential learning through hands-on experimentation. To date, the traditional interdisciplinary approach for cybersecurity training has infused political science, law, economics or linguistics knowledge into the cybersecurity curriculum, allowing for limited experimentation. Cybersecurity students were left with little opportunity to acquire knowledge, skills, and abilities in domains outside of these. Also, students in outside majors had no options to get into cybersecurity. With this in mind, we developed an interdisciplinary course for experiential learning in the fields of cybersecurity and interaction design. The inaugural course teaches students from cybersecurity, user interaction design, and visual design the principles of designing for secure use - or secure design - and allows them to apply them for prototyping of Internet-of-Things (IoT) products for smart homes. This paper elaborates on the concepts of secure design and how our approach enhances the training of the future cybersecurity workforce.

Mohammed El-Hajj,Zuhayr Aamir Mirza

DOI: https://doi.org/10.3390/electronics13193910

IF: 2.9

2024-10-03

Electronics

Abstract:As the number of Small and Medium Enterprises (SMEs) rises in the world, the amount of sensitive data used also increases, making them targets for cyberattacks. SMEs face a host of issues such as a lack of resources and poor cybersecurity talent, resulting in multiple vulnerabilities that increase overall risk. Cybersecurity risk assessment frameworks have been developed by multiple organizations such as the National Institute of Science and Technology (NIST) and the International Organization for Standardization (ISO), but they are complicated to understand and challenging to implement. This research aimed to create an effective cybersecurity risk assessment framework specifically for SMEs while considering their limitations. This was achieved by first identifying common threats and vulnerabilities and categorizing them according to their importance and risk. Secondly, popular frameworks like the NIST CSF and ISO 27001/2 were analyzed for their proficiencies and deficiencies while identifying relevant areas for SMEs. Finally, novel techniques catered to SMEs were explored and incorporated to create an effective framework for SMEs. This framework was also developed in the form of a tool, providing an interactive and dynamic environment. The tool was effective, and the framework is a promising start but requires more quantitative analysis.

engineering, electrical & electronic,computer science, information systems,physics, applied

Naresh Kshetri,Vasudha,Denisa Hoxha

2023-10-19

Abstract:Technology has advanced dramatically in the previous several years. There are also cyber assaults. Cyberattacks pose a possible danger to information security and the general public. Since data practice and internet consumption rates continue to upswing, cyber awareness has become progressively important. Furthermore, as businesses pace their digital transformation with mobile devices, cloud services, communal media, and Internet of Things services, cybersecurity has appeared as a critical issue in corporate risk management. This research focuses on the relations between cybersecurity awareness, cyber knowledge, computer ethics, cyber ethics, and cyber behavior, as well as protective tools, across university students in general. The findings express that while internet users are alert of cyber threats, they only take the most elementary and easy-to-implement precautions. Several knowledge and awareness have been proposed to knob the issue of cyber security. It also grants the principles of cybersecurity in terms of its structure, workforces, and evidence pertaining to the shield of personal information in the cyber world. The first step is for people to educate themselves about the negative aspects of the internet and to learn more about cyber threats so that they can notice when an attack is taking place. To validate the efficiency of the suggested analysis between CS and non-CS university students, case study along with several comparisons are provided.

Cryptography and Security

Hussain Aldawood,Geoffrey Skinner

DOI: https://doi.org/10.3390/fi11030073

2019-03-18

Future Internet

Abstract:The idea and perception of good cyber security protection remains at the forefront of many organizations’ information and communication technology strategy and investment. However, delving deeper into the details of its implementation reveals that organizations’ human capital cyber security knowledge bases are very low. In particular, the lack of social engineering awareness is a concern in the context of human cyber security risks. This study highlights pitfalls and ongoing issues that organizations encounter in the process of developing the human knowledge to protect from social engineering attacks. A detailed literature review is provided to support these arguments with analysis of contemporary approaches. The findings show that despite state-of-the-art cyber security preparations and trained personnel, hackers are still successful in their malicious acts of stealing sensitive information that is crucial to organizations. The factors influencing users’ proficiency in threat detection and mitigation have been identified as business environmental, social, political, constitutional, organizational, economical, and personal. Challenges with respect to both traditional and modern tools have been analyzed to suggest the need for profiling at-risk employees (including new hires) and developing training programs at each level of the hierarchy to ensure that the hackers do not succeed.

Azfar Khalid,Pierre Kirisci,Zeashan Hameed Khan,Zied Ghrairi,Klaus-Dieter Thoben,Jürgen Pannek

DOI: https://doi.org/10.1016/j.compind.2018.02.009

IF: 10

2018-05-01

Computers in Industry

Abstract:The paper introduces a security framework for the application of human-robot collaboration in a futuristic industrial cyber-physical system (CPS) context of industry 4.0. The basic elements and functional requirements of a secure collaborative robotic cyber-physical system are explained and then the cyber-attack modes are discussed in the context of collaborative CPS whereas a defense mechanism strategy is proposed for such a complex system. The cyber-attacks are categorized according to the extent on controllability and the possible effects on the performance and efficiency of such CPS. The paper also describes the severity and categorization of such cyber-attacks and the causal effect on the human worker safety during human-robot collaboration. Attacks in three dimensions of availability, authentication and confidentiality are proposed as the basis of a consolidated mitigation plan. We propose a security framework based on a two-pronged strategy where the impact of this methodology is demonstrated on a teleoperation benchmark (NeCS-Car). The mitigation strategy includes enhanced data security at important interconnected adaptor nodes and development of an intelligent module that employs a concept similar to system health monitoring and reconfiguration.

computer science, interdisciplinary applications

Rachel John Robinson

DOI: https://doi.org/10.69971/sl.1.1.2024.6

2024-10-11

Abstract:This paper practically deals with the theoretical base drawn from the standards and rules posed by various international bodies in terms of information security. To start with, this paper defines what security framework is applied practically to an IT outsourcing company based in UK named Cyberfox. Hence the relevant laws of the land are analyzed like NIS (The Network and Information Systems Regulations 2018) and GDPR (General Data Protection Regulations). By doing so, a framework in cyber security is tried to be fit in for this company called Cyberfox. By careful analysis and critical evaluation ofthe pros and cons of such companies’ framework and whether it is a workable model is discussed in the first half of the paper. The second half of the paper basically details the NIST (National Institute of Standards & Technology) cyber security framework and the Internal Organization of Standardization protocols in respect to 4 specific standards like Information Security Management systems (ISMS) measurement (ISO 27004), Information security risk management (ISO 27005), Requirements of bodies providing audit services (ISO 27006) and Governance of Information Security (ISO 27014). All these four are studied for their merits and demerits for practical purposes.