An Investigation On Recent Cyber Security Frameworks As Guidelines For Organizations Adoption
ISSN No:-2456-2165
Abstract:- Cybersecurity knowledge is knowledge for all, as many organizations' activities operate via the internet, and also as a result of the current pandemic the world is facing (Covid 19). This situation has further forced many organizations to use the internet for their daily operation; on the other hand, cybercriminals have gotten a chance to launch more attacks on many organizations. Cybersecurity is a method of protecting organization assets through the identification of threats that can compromise the critical information stored in the organization's systems; it also involves the protection, identification of, and response to threats. The method adopted in conducting the comparative analysis was taken from Halverson and Conradi's taxonomy of software process improvement. The paper aims to provide a detailed review of the current cybersecurity frameworks that can serve as a guideline for an organization in selecting the appropriate framework for their organization and also as a benchmark for future cyber security framework design.

Keywords:- Cybersecurity, Framework, Organization.

I. INTRODUCTION

Cybersecurity is a method of protecting organization assets through the identification of threats that can compromise the critical information stored in the organization's systems; it also involves the protection, identification of, and response to threats (Garba A.A. et al., 2020). This indicates the need for all organizations to be prepared and have a model or framework as a blueprint for implementing any cybersecurity measures in protecting critical assets. However, protecting confidentiality, integrity, and availability is everyone's job in any organization; therefore security knowledge is essential to all. Also, the organization needs sophisticated machines to detect infrequent behaviours from employees and security levels that protect all access points or control the access point (Taylor et al., 2014).

A survey was conducted which revealed that 20% of $130 million attacks on computer systems are based on unauthorized access and malware, $97 million to social engineering, $78 million to email spam and phishing, and $52 million to online scams (Serianu, 2018). The attacks show that every organization needs to be vigilant on any incoming attack. This research paper aims to identify the currently available cybersecurity frameworks and explain their components, so that an organization has a starting position for selecting the one that would suit it, using Halverson and Conradi's taxonomy of software process improvement (2001).

The paper is further subdivided into Section II as Literature review, Section III result analysis and discussion, and Section IV conclusion.

II. LITERATURE REVIEW

This section explains all the cybersecurity frameworks identified from the literature. The frameworks identified are National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technologies (COBIT), Health Information Trust Alliance (HITRUST CSF), A Pedagogic Cybersecurity Framework (PCF), Center for Internet Security (CIS) and The Cloud Security Alliance (CSA).

A. Cybersecurity Frameworks

This section will explain the cybersecurity frameworks most used by organizations to protect themselves from any form of cyber threat. The frameworks identified are National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technologies (COBIT), Health Information Trust Alliance (HITRUST CSF), A Pedagogic Cybersecurity Framework (PCF), Center for Internet Security (CIS), and The Cloud Security Alliance (CSA).

B. NIST Framework

The NIST framework offers a policy framework that guides how an organization can assess and improve its process or method to prevent, detect, and also respond to any cyber-attacks. The framework provides outcomes on cybersecurity and a methodology to measure and manage those outcomes; it also provides the means of identifying and prioritizing actions that can reduce or minimize cyber risk (Calder, 2018). The framework is designed to manage cybersecurity risk across the whole organization, or it can also be focused on the delivery of critical services within the organization. The aim of designing this framework was to strengthen the Cybersecurity of Federal Networks and Critical Infrastructure in the US in the year 2014.
This framework consists of five core functions:

Identify: to identify organizational systems, people, assets, data, and capabilities in order to develop and manage cybersecurity risk. Each function consists of a set of categories, e.g. Asset management.

Protect: to develop and implement the necessary safeguards to ensure delivery of critical services.

Detect: to identify and detect the occurrence of a cybersecurity event and to develop and implement appropriate activities.

Respond: to develop activities that will be used regarding a detected incident or cyber-attack event.

Recover: to develop and implement activities to maintain and restore any services that are attacked due to cybersecurity incidents.

The framework's key attributes include a common and accessible language, being risk-based, an internal standard, constant updating (a living document), adaptability to many technologies, and also guidance from the private sector, academia and the public sector for improvement and feedback.

C. COBIT Framework

The main function of this framework is to provide a clearer and understandable policy and good practices in IT governance (Haviluddin, 2012). This framework helps management to manage the risk associated with IT governance by offering a clear set of processes that helps to bridge the gap between business risks, control needs, and technical issues.

The basic principles of this framework for organization managers include providing clear direction in terms of providing values of critical success factors (CSF), Key Goal Indicators (KGIs), Key Performance Indicators (KPIs), and a Maturity Model (0: non-existent, 1: initial/ad-hoc, 2: repeatable but intuitive, 3: defined process, 4: managed and measurable, and 5: optimized) (Institute, 2007a, 2007b, 2008; Singleton, 2011). The framework helps an organization in planning to improve its security and quality of production. The framework consists of five core principles shown in figure 1.2.
Figure 1.3: A Pedagogic Cybersecurity Framework (layers of the expanded OSI model). Source: (Swire, 2018).
The expanded layers shown in figure 1.3, which are added to the OSI model, include:

Organization: this layer teaches the internal policies or plan of action to minimize risk within an organization.

Government: this layer explains the laws that govern what an individual or organization can or must do (security rule).

International: this layer describes the unilateral actions by one government directed at one or more nations (launching an attack on another nation).

The framework consists of three columns for the expanded layers. Column “A” refers to vulnerabilities and risk mitigation arising within the organization or nation; “B” refers to the vulnerabilities and risk mitigation in relation to other actors at that level; and “C” refers to limitations created by the actors at that level.

PCF offers the student a big picture of the individual context of how cybersecurity issues fit together, as many classes focus on how the chief information security officer (CISO) should manage companies' risk at layer 8. Another
Table: comparison of the reviewed frameworks (the header row naming the framework in each column is not present in the extracted text; the columns are numbered (1) to (6) in the order they appear).

| Criterion | (1) | (2) | (3) | (4) | (5) | (6) |
| --- | --- | --- | --- | --- | --- | --- |
| Domain | 5 | 5 | 10 | 5 | 12 | 20 |
| Purpose | To strengthen the Cybersecurity of Federal Networks and Critical Infrastructure | To provide a clearer and understandable policy and good practices in IT governance | To add organizational, government, and international affairs to the OSI layers and explain the vulnerabilities of each layer | To provide security of patient personal information in the health industry | To protect the payment card details of a customer | To mitigate the common cyber-attack threats |
| Organization size | Large enterprise | Large enterprise | All | All | Payment organization | All |
| Field applicable | Organization | Organization | University | Hospital | Financial | Organization |