
A Dynamic and Adaptive Cybersecurity Governance Framework

by
Henock Mulugeta Melaku
School of Information Technology and Engineering—SiTE, Addis Ababa Institute of Technology—AAiT, Addis Ababa University—AAU, Addis Ababa 1000, Ethiopia
J. Cybersecur. Priv. 2023, 3(3), 327-350; https://doi.org/10.3390/jcp3030017
Submission received: 24 March 2023 / Revised: 6 June 2023 / Accepted: 20 June 2023 / Published: 30 June 2023

Abstract

Cybersecurity protects cyberspace from a wide range of cyber threats in order to reduce overall business risk, ensure business continuity, and maximize business opportunities and return on investment. Cybersecurity is best achieved by using an appropriate set of security governance frameworks. To this end, various Information Technology (IT) and cybersecurity governance frameworks have been reviewed along with their benefits and limitations. The major limitations of the reviewed frameworks are that they are complex and have complicated structures to implement, and that they are expensive and require highly skilled IT and security professionals. Moreover, the frameworks require many requirement checklists for implementation and auditing purposes, as well as a lot of time and resources. To address these limitations, a simple, dynamic, and adaptive cybersecurity governance framework is proposed that provides security-related strategic direction, ensures that security risks are managed appropriately, and ensures that organizations’ resources are utilized optimally. The framework incorporates components not considered in the existing frameworks, such as research and development, a public-private collaboration framework, a regional and international cooperation framework, incident management, business continuity and disaster recovery frameworks, and compliance with laws and regulations. Moreover, the proposed framework identifies and includes components, processes, and activities that the existing frameworks miss or overlap. It has nine components, five activities, four outcomes, and seven processes. Performance metrics, evaluation, and monitoring techniques are also proposed, and the framework follows a risk-based approach to address current and future technology and threat landscapes. The design science research method was used in this study: the problem was first identified, research objectives were then articulated based on it, and the objective was met by developing a security governance framework that considers factors not addressed in current works. Finally, performance metrics were proposed to evaluate the implementation of the governance framework.

1. Introduction

According to the International Organization for Standardization (ISO) standard ISO 38500, cybersecurity governance is a mechanism by which an organization directs, controls, monitors, and evaluates information system security in support of the business process [1]. Cybersecurity governance is integral to corporate and information technology (IT) governance systems. Cybersecurity in the organization is directed by developing a suitable set of security policies, standards, procedures, and guidelines that span from strategic direction through the tactical to the operational level. Cybersecurity is then managed and controlled by evaluating, monitoring, measuring, and reporting compliance from the operational through the tactical to the strategic level [2,3].
These days, due to the dynamic and varying nature of cyber threats and technological landscapes, every organization needs a complete and suitable set of cybersecurity governance frameworks to fully address its security needs. According to the IT Governance Institute, implementing good security governance ensures that cybersecurity strategies are aligned with IT and overall organizational strategy and support the achievement of organizational objectives, provides and maximizes business value to all stakeholders, manages cyber risks and resources proactively, and measures organizational performance against key performance indicators [4,5].
The cybersecurity governance framework should mainly focus on the responsibilities and practices that should be exercised by the top-level management of an organization (the board and executive management), with the following main goals: providing strategic direction towards securing the IT system that supports the business operation; ensuring that security objectives are well defined and achieved; making sure that security risks are analyzed and managed appropriately; and validating that company resources are optimally used and spent on securing the company’s assets [6,7].
The cybersecurity governance framework does have a vital role in accomplishing the security objectives of an organization for both existing problems and future challenges [8,9,10]. To address current security issues, the security governance framework should examine and consider the following points [11,12]:
  • If a security policy and strategy already exist, they need periodic review and updating to address the current vulnerabilities and threat landscape. If there is no security policy, it is highly recommended to implement a suitable set of security controls and to audit and assess the security posture of the organization periodically;
  • Design and implement security awareness and training programs for employees, end users, etc.
Moreover, for future cybersecurity challenges, the security governance framework should address the following points:
  • Considering the emerging and dynamic threat factors and landscapes,
  • Considering and addressing the fastest-moving technological revolution;
  • Continually working on people’s attitudes towards security to create a cyber-aware workforce; and
  • Focusing on the work culture transformation.
Despite the development and implementation of governance frameworks, the major problem in most organizations is that they do not see cybersecurity as a multidimensional and cross-sector issue. It is still considered a technical or technological problem that can be addressed by the information technology (IT) department alone [13]. Simply buying more hardware and software tools is not a comprehensive solution to the security problems that organizations face. Currently, organizations spend large sums on security devices while lacking an appropriate security governance framework, a risk management process, and mechanisms to use those security tools and equipment efficiently.
As the author of [13] recently researched, organizations need to develop and implement different cybersecurity frameworks to safeguard cyberspace in support of national security, national interest, and economic prosperity. Currently, most organizations apply technological solutions to protect their IT systems and business processes, such as firewalls, intrusion detection and prevention systems, and general and application-specific security controls such as IPsec, a corporate virtual private network (VPN), and Secure Sockets Layer (SSL). However, these technological solutions address only part of the problem. Apart from technological solutions, different cybersecurity frameworks should be developed and implemented for an organization to enhance its security posture. To this end, there is a need to design a cybersecurity governance framework that is aligned with the business mission of the organization. Cybersecurity management, including planning, budgeting, and performance management, is also a major component of cybersecurity. It has also been identified that cybersecurity needs a security strategy at the organizational level, and the cybersecurity risk management approach is no exception: there is a need to design a risk management framework from multidimensional perspectives, including policy, people, operations, and management. Appropriate cybersecurity policy, standards, governance, and strategy at the organizational level should also be designed, implemented, and monitored. Finally, the operational part of cybersecurity should also be addressed, such as mission analysis, situational awareness and planning, executing and assessing, analyzing and reporting, and evaluating and giving feedback on the cyber system. If all of the aforementioned mitigation options are implemented, organizational security and interests can be well served [13,14].
In light of the above facts, this research first aimed to review existing IT and security governance frameworks, compare them, and identify their gaps, overlaps, and limitations. From the review, the following major limitations are observed:
- The existing frameworks are complex, with complicated concepts and structures to implement, and they have too many requirement checklists for compliance and audit findings, so organizations are reluctant to implement them. Moreover, they require a lot of resources and investment to implement.
- There is also a lack of well-prepared implementation guidelines and of well-justified, confirmed benefits relative to the huge budget required.
- Most of the frameworks require highly skilled manpower and knowledge.
- Since most of them are very wide in content, it takes IT and security officers a long time to assess all of their components.
- The existing frameworks also require high training costs and highly qualified security professionals and experts in the field to implement them and evaluate security postures.
- Some of the frameworks, such as COBIT, are business frameworks that cannot be used for securing cyberspace, while others, like ITIL, focus mainly on the IT parts and the services of IT systems, not the governance of IT and security-related activities.
In addition to existing frameworks and standards, the most relevant prior research in the problem domain was thoroughly investigated along with the research gap. The following major limitations are identified:
- Almost all of the proposed frameworks lack the following components, which we have added to the proposed security governance framework: a security education, training, and awareness (SETA) program, a research and development framework, a regional and international collaboration framework, a public-private partnership framework, incident management, business continuity and disaster recovery frameworks, change and configuration management frameworks, etc.
- Some of the proposed governance frameworks are specific to certain application domains; they are not generic and so cannot be used by every sector.
- They also lack integration with the existing frameworks.
- The other papers focused on developing critical success factors for the existing standard governance frameworks.
To fill the identified gap, the other objective of this research study was to propose a dynamic and adaptive cybersecurity governance framework. Additionally, performance indicators and metrics are proposed to measure the effectiveness of the proposed framework. To this end, the major contributions of this research are:
  • The most widely used governance frameworks are thoroughly reviewed along with their benefits and limitations;
  • A simple to use, dynamic, and adaptive cybersecurity governance framework is proposed.
  • To evaluate the proposed framework, key performance indicators are proposed.
If organizations use the proposed framework, they will get the following benefits:
  • Cybersecurity risks can be proactively identified, analyzed, and mitigation options will be put in place.
  • Following the identification of cyber-risks, appropriate security policy and strategy development directions are recommended.
  • The framework also recommends an organizational security structure, which is separated from IT, and overall organizational structures so that top management and leadership will give the necessary attention to cybersecurity.
  • Since cybersecurity is borderless, the proposed governance framework recommends the development of international and regional collaboration frameworks.
  • It also highlights the importance and recommendation of a private-public partnership framework.
  • Security education, training, and awareness (SETA) programs and research and development frameworks are also recommended.
  • Finally, developing security incident management, business continuity, and disaster recovery plans are recommended in the governance framework, which is paramount in cybersecurity.
If organizations implement all the above contributions, they can easily and proactively manage security threats. Moreover, they can also comply with international standards and best practices.
The rest of the paper is organized as follows: Section 2 presents a review and comparison of risk management frameworks. Section 3 discusses the most relevant prior research in the problem domain. Section 4 presents the research methodology followed to solve the problem. The proposed cybersecurity governance framework is presented in Section 5. Section 6 presents performance indicators for the proposed governance framework. Finally, Section 7 gives concluding remarks.

2. Review of Existing IT and Cybersecurity Governance Frameworks

Currently, there are many enterprise, IT, and information security governance frameworks. The most recent and well-known Information Security Governance (ISG) industrial frameworks are COBIT 2019, ITIL, and ISO/IEC 27014, which are applicable to organizations of all sizes and types. These governance frameworks, with their benefits and limitations, are presented below from the process and principles perspectives.

2.1. COBIT 2019

The Control Objectives for Information and Related Technology (COBIT) framework was developed by the Information Systems Audit and Control Association (ISACA) [14,15,16,17,18]. As shown in Figure 1, the COBIT 5 framework has the following governance processes: evaluation, direction, monitoring, performance, and compliance. It also has management processes: plan, build, run, and monitor daily activities [19]. The revised and amended version of COBIT 5 was released as COBIT 2019.
As shown in Figure 2, COBIT 2019 defines six governance system principles, compared with those of COBIT 5. Moreover, COBIT 2019 was built on two sets of principles: governance system principles, which present the core requirements of a governance system, and governance framework principles, which are used to build the governance system for organizations. There are three principles for a governance framework: it should be based on a conceptual model, it should be open and flexible, and it should align with other regulations, frameworks, and standards.
COBIT 2019 provides guidelines and directions for organizations to achieve their goals for the governance of the IT systems that support business operations and processes. This framework can be integrated and aligned with other standards and best practices in ISACA’s frameworks and IT programs, such as the IT Assurance Framework, COBIT, Val IT, Risk IT, and the Business Model for IS [19]. It clearly distinguishes between the governance and management aspects of the IT system. Moreover, its focus is to provide an end-to-end view of IT governance, following a holistic approach.
The COBIT 2019 governance framework mainly provides detailed guidance on governing IT systems across the organization’s strategic, tactical, and operational levels. The number of processes increased from 37 in COBIT 5 to 40 in COBIT 2019 [18].
The governance and management objectives of COBIT 2019 are: Evaluate, Direct, and Monitor (EDM); Align, Plan, and Organize (APO); Build, Acquire, and Implement (BAI); Deliver, Support, and Service (DSS); Monitor, Evaluate, and Assess (MEA). Table 1 shows the comparison of COBIT 5 and 2019 using different governance parameters.
If properly implemented, the COBIT 2019 governance processes will ensure IT risk optimization, framework implementation and maintenance, value delivery, and efficient usage of resources.
It also has six main principles: following a holistic approach, covering the organization end-to-end, ascertaining stakeholders’ needs, tailoring to enterprise needs, creating a dynamic governance system, and separating the governance from management [18].
However, some practical problems of COBIT 5 and COBIT 2019 have been identified: complex and complicated concepts and structure, a lack of implementation guidelines and of well-justified, confirmed benefits, and some confusion with other IT best practices and standards. Moreover, it mainly focuses on IT systems and does not fully address cybersecurity. Another problem with the COBIT framework is that it is costly to implement, so many organizations have avoided implementing it. It also requires a lot of skill and knowledge, so it is not used by organizations with a low security posture. Since it is vast in content, it takes IT auditors a lot of time to assess all of the framework’s components and parts. The level of IT professionals and experts required to implement and audit it is high, and it requires extensive training to implement.
The COBIT framework, mainly considered an IT governance framework, is a business framework used to solve business problems.

2.2. ISO/IEC 27014

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) issued ISO/IEC 27014 to provide standards and guidelines for the governance of IT systems. It is an integral part of the ISO/IEC 27000 series, which mainly provides best practices, guidelines, and standards that help organizations secure their business and information assets [19,20,21]. As shown in Figure 3, the ISO 27014 governance standard has five processes: evaluate, direct, monitor, communicate, and assure the security of the IT system. It also has five principles, as shown in Figure 4: establishing enterprise-wide information security (IS), following a risk-based approach, creating a security-aware environment across the enterprise, setting directions for investment decisions, and reviewing and evaluating performance with respect to business outcomes. Moreover, the standard provides direction for integrating and aligning IT strategies with an enterprise’s overall strategy (ISO/IEC 27014, 2013).
Finally, ISO/IEC 27014:2013 provides guidance and standards on the governance parts of how to govern information systems and their security aspects so that they can direct, monitor, evaluate, and communicate at strategic, tactical, and operational levels the information security related functions and activities within the organization.
The major limitations of ISO/IEC 27014 are as follows: since it has a lot of requirement checklists for implementation and auditing purposes, organizations are reluctant to implement it. It is also expensive and requires highly skilled IT and security professionals for both auditing and implementation, and it involves a lot of time and resources to implement.

2.3. Information Technology Infrastructure Library (ITIL)

ITIL provides a suitable set of standards, guidance, and best practices that were developed by the United Kingdom’s Office of Government Commerce (OGC) [13]. ITIL is composed of five main strategies in the form of services:
Service strategy: it comprises service portfolio management, which mainly deals with maximizing return on investment (ROI); financial management, which directs, monitors, and evaluates investments in services to assist strategic decision-making; and demand management, which mainly deals with identifying and shaping patterns of business demand.
Service design: it starts with a set of business requirements and ends with a solution design that meets the business needs.
Service transition: it mainly deals with managing changes to the business, risk, and quality assurance while delivering services into operation.
Service operations: it mainly addresses the issues of daily operations and looks after the effectiveness and efficiency of services.
Continual service improvement: it provides guidance and best practices on how to enhance the overall efficiency of service processes.
Some of the benefits of ITIL are improving the efficient utilization of available resources, building a mechanism that leads to more competitiveness, avoiding repeated activities and processes, improving reliability, availability, and security of IT related services, and finally delivering key performance indicators (KPI).
However, some of the limitations of ITIL are as follows: it was mainly designed as a service management standard focused on the services of IT systems, not the governance of IT and security-related activities. COBIT and ISO/IEC 27014 give guidance on what should be done, whereas ITIL gives direction on how the IT system should do it. ITIL mainly focuses on IT services and processes; it does not address the security aspects of the IT system. Additionally, one of its major limitations is implementation cost: it requires a high financial outlay, including resources and training, to set up the framework in an organization. Therefore, it is infeasible for most organizations, as it requires a huge investment to implement. Its process is also complex to implement, especially for an organization without prior knowledge of governance. Another problem of ITIL is its rigidity: it does not change according to the dynamically changing technological landscape. IT officers and top management must have strong analytical skills to implement it.
As a concluding remark, COBIT can be used to determine if an organization’s business process is well supported by IT and partly addresses the issue of security. ISO/IEC 27014 can be used to determine the company’s security posture.
Table 2 compares three of the most widely used IT and security governance frameworks and standards: COBIT, ISO/IEC 27014, and ITIL. To compare them, we have used different parameters.

3. Related Works

Yassin et al. [7] proposed a capability maturity assessment framework to assess and improve cybersecurity governance in an organization. The authors claimed that the findings will help an organization measure and evaluate its governance capabilities. However, no governance framework was proposed by the authors. Savas and Serkan [18], by contrast, discussed the importance of cyber governance frameworks and made a thorough review of different aspects and components of security governance frameworks. Their results showed that, although various countries around the world use governance frameworks, there is no general governance framework that can be used by all nations. Although some international security institutions have developed such a framework, these plans are not yet accepted. Finally, the authors give way-forward recommendations: when a generic security governance framework that should be accepted by all countries is developed, it should be adaptable, participatory, inclusive, developable, and binding.
Albalas et al. [19] presented the importance and purpose of cybersecurity governance frameworks in ensuring the security of organizations. A systematic literature review was conducted on existing governance frameworks using criteria such as the most effective countries in cyber governance, the most efficient journals on cyber governance, and the most cited articles in cybersecurity governance. Using these metrics, a detailed discussion and way-forward recommendations are made. Savas and Kartas [17] identified the key cybersecurity governance frameworks used in the governance of IT and security and discussed the core concepts of these frameworks. Moreover, the limitations of these frameworks are also thoroughly discussed. Finally, the authors suggested another framework for future researchers to consider while developing information security governance frameworks.
Salifu and Abdul [19] developed a model for a cybersecurity governance framework to address five major challenges that most organizations face: cybersecurity strategy, standardized processes, compliance, senior leadership oversight, and resources. Their proposed framework is continuously monitored and evaluated.
Welker and Abiona [20] proposed a framework for network administrators and networked organizations to improve their cybersecurity framework for future consumer networks. Their way-forward recommendations are to implement effective security plans that are well informed and that outline the responsibilities of security team members; to create governance support for the protection of US-based networks; and, finally, to analyze past cyber-attack metadata to better recognize the threats that could affect consumer networks. All the recommended solutions enhance the cybersecurity frameworks of consumer-based networks.
Sultan et al. [11] presented information security governance challenges and critical success factors as a systematic review. They aimed to introduce ISG as a wide-ranging solution for the alignment between information security policy and the organization’s objective. The paper presented the importance of developing a holistic information security governance framework. Moreover, the analysis of their literature review showed the main challenges to adopting the ISG program and framework. Finally, they developed seven ISG domains with twenty-seven critical success factors that should be considered when developing an information security governance framework. Munirul et al. [22] proposed a framework for the banking system’s information security governance. The paper presented the information assets and potential threats to banking industries. The authors also examined the currently used security governance frameworks, standards, and best practices. Their strengths and limitations are also identified and presented. Finally, they proposed a high level governance framework that can work for banking sectors and can be implemented in a real banking environment.
Ghada et al. [16] proposed a best practice framework for information security governance. The authors focused on the critical success factors (CSFs) that guarantee the effective governance of an IT system. In the paper, seven initial CSFs were identified for information security governance. Moreover, a set of governance rules for information security governance was adopted from COBIT and ISO/IEC 27014. Finally, a best practice framework for ISG was proposed for the effective governance of the IS that supports organizations. Chee Kong et al. [10] proposed an information security governance process model and a pilot case study. The authors developed a process model to explain how ISG can be practised and implemented in financial organizations.
Most of the proposed governance frameworks mainly focus on the financial sectors and some of the papers focus on the critical success factor. The other papers focused on developing a capability maturity assessment model for the already existing governance frameworks. The rest gave way-forward recommendations on improving the cybersecurity framework to implement it effectively.

4. Research Method

The design science research process model (DSRP) was used. In this research context, the DSRP research model comprises problem identification and motivation, objective identification for the solution, design and development of the cybersecurity governance framework, demonstration of the framework, and evaluation and validation of the developed framework. Each phase is presented below.
Problem identification and motivation: to identify the problems or gaps and the motivating factors for this study, the researchers reviewed the literature, existing documentation, standards, best practices, and systems currently used by various nations and organizations to secure their network infrastructures [10]. Most organizations (in both the public and private sectors) rely primarily on technological solutions to protect and secure their information and networking infrastructure, ignoring the governance of cyberspace. There is also a lack of an enterprise-wide security structure to address the dynamic nature of cyber threats. Most organizations lack the highly skilled manpower needed to implement the governance frameworks developed by international institutions. Additionally, the frameworks are complex and require a huge amount of resources, and their requirement checklists are too extensive for both compliance and auditing. For these and other reasons, organizations are reluctant to implement the stated frameworks.
The solution’s objective: this research study aims to design a security governance framework for organizations to protect and secure IT systems and business processes. The developed cybersecurity governance framework focuses on top management’s commitment to securing enterprise resources, with the following goals in mind [23]: providing strategic direction towards securing cyberspace, ensuring that security objectives are well defined and addressed, ensuring that security risks are well assessed and managed and that appropriate mitigation options are put in place, and evaluating and validating that enterprise resources are effectively spent on securing IT systems and business processes.
Design and development: this activity involves designing and developing various cybersecurity frameworks; here, the researcher designed and developed a cybersecurity governance framework. While designing the security governance framework, the following factors were taken into consideration: the emerging threat factors, the fast-moving technological landscape, the need to work continually on security awareness to change people’s attitudes and create a cyber-aware workforce, and the work culture transformation of an organization. In general, the following core components were considered while designing the proposed cybersecurity governance framework: a risk management and assessment methodology; cybersecurity strategy and policy directions; the development of security standards, which transform the policy directions into an appropriate set of procedures and guidelines; the development of evaluation and monitoring techniques to ensure that compliance requirements and audit findings are fulfilled; a suitable set of governance processes to periodically update, evaluate, and monitor the security strategy, policy, procedures, and guidelines; and, finally, the development of an effective security structure that is an integral part of the organizational and IT structure.
Demonstration: this activity presents the use of the artifact (in this research, the framework) to solve the identified problem. The essential requirement for demonstration is sufficient knowledge of how the framework works, or how to use it to solve the stated security-related problem. To this end, the research output will be demonstrated in selected sectors.
Evaluation: this activity measures how well the developed framework solves the existing problem. This is accomplished by relating the stated research objectives to the observed results of applying the framework to the identified problem. To this end, the research output was evaluated and tested using different key performance indicators (KPIs) and evaluation scenarios. The limitation of this research is that the proposed framework has not been implemented and validated in selected sectors.

5. Proposed Cybersecurity Governance Framework

To design the proposed cybersecurity governance framework, we considered the following design principles. First, a cybersecurity risk management approach is used to manage risk according to the cyber-risk appetite of the organization, since we follow a risk-based approach to overcome security-related threats. Once the risk assessment is properly performed and cyber-risk mitigation options are put in place, a comprehensive security strategy that is aligned with IT and business objectives should be developed, so that it becomes an integral part of the organizational strategy. To implement the security strategy, appropriate security policies that address each aspect of the strategy and of regulation should be designed. For each security policy, a complete and suitable set of security standards that address each aspect of the policy should be developed to ensure that security procedures and guidelines comply with the security policy. Institutionalized monitoring processes should be designed to implement the security policy, procedures, and guidelines; this also ensures security audit and compliance and offers feedback on the effectiveness of the proposed cyber-risk treatment options. Moreover, security processes should be designed and implemented to ensure persistent evaluation and updating of the security policy, procedures, guidelines, and risks. Finally, all the security-related activities mentioned above are governed and managed by an organizational security structure that is an integral part of the security governance framework.
In addition to the outlined design principles, the following tasks should be performed while designing the framework: (1) Develop the cybersecurity strategy, which supports the overall business strategy of the organization. (2) Obtain top management’s commitment to and support of security activities throughout the organization. (3) Define roles and responsibilities throughout the organization for the implementation of the security governance program. (4) Design communication and reporting channels and techniques that support the security governance activities. (5) Address the current and future legal and regulatory concerns that may affect cybersecurity and assess their potential impact on the organization. (6) Establish and maintain security policies that support business goals and objectives. (7) Ensure the development of procedures, guidelines, standards, and best practices that support information security policies. (8) Develop a business case model that gives organizational value analyses supporting information security investments.
As shown in Figure 4, the proposed governance framework has four major categories: components, activities, outcomes, and processes. It also has about 14 principles. The proposed security governance framework is dynamic, adaptive, and easy for any organization to implement, allowing security to be seen holistically and risk-based approaches to be followed.

5.1. Cybersecurity Governance Framework Components

In this section, all the components of the proposed security governance framework are presented in detail.
Cybersecurity strategic planning: Cybersecurity strategic plans should be developed for three to five years aligned with an organization’s overall strategic plan. Strategic planning can be seen from three different but interrelated perspectives shown in Figure 5.
Firstly, the cybersecurity strategic plan should be integrated with the IT strategic plan, which is an integral part of the company’s overall strategic plan. Given the above principles, there are three strategic components: organizational strategic planning, IT strategic planning, and security strategic planning. To sum up, a cybersecurity strategic plan is an integral part of the IT strategic plan, which in turn is an integral part of the enterprise strategic plan. This way, it is possible to see cybersecurity holistically across an enterprise, so that it contributes to achieving the organization’s overall strategy. In light of the above facts, key components of an effective cybersecurity strategic plan include: clearly understanding how cybersecurity risk relates to and affects critical business processes; developing a strategic goal; defining the scope; identifying cybersecurity needs and developing objectives; establishing key performance indicators (KPIs); determining resource needs; determining security risks; and establishing continuous monitoring and evaluation techniques.
Cybersecurity risk management: This is identifying what kind of security threats an organization faces, analyzing security vulnerabilities to assess the threat level, and defining how to address the cybersecurity risk. Cybersecurity risk management includes three processes: risk assessment, risk treatment, and evaluation and analysis of the security risk. The risk assessment process includes identifying and evaluating cyber-risks and risk impacts and recommending risk-reducing measures. Risk treatment refers to prioritizing, implementing, and maintaining a suitable set of risk-minimizing techniques recommended by the risk assessment process. The developed risk management program should be periodically monitored and evaluated [13].
Cybersecurity Policy: A security policy should be prepared upon completion of the security-related risk assessment. A security policy is used to assign responsibilities, define roles, describe execution processes, specify audit and compliance requirements, and determine acceptable risk levels. Cybersecurity policies are usually updated or revised only when a risk assessment is performed and when a fundamental change occurs in the organization’s operations. Organizations should develop three types of policies: program policy, issue-specific policy, and system-specific policy. Moreover, security policy shall be developed using standards, guidelines, and best practices.
Incident Response Management: One of the principal objectives of any security program is to prevent security incidents. A security incident is a single or a series of undesirable or unexpected security events likely to compromise the company’s assets, whilst cybersecurity incident management is the process of proactively preparing for, detecting, responding to, mitigating, recovering from, reporting, and learning from cybersecurity incidents. As part of the security governance framework, a cybersecurity incident management framework should be developed and used by organizations of any type and size.
Business Continuity and Disaster Recovery Plans: It is important to have plans in place for when a security incident happens at the national and organizational levels. If the IT system that supports business operations is interrupted by a security breach, a suitable set of plans and procedures is required that will permit the business to continue essential functions and operations without interruption. In light of the above facts, a Business Continuity Plan (BCP) should be prepared that mainly includes evaluating the security risks to the organization’s processes and creating policies, plans, and procedures to reduce the effect of those security risks if they were to occur. In contrast, a Disaster Recovery Plan (DRP) states how to resolve the security problem and return IT systems and business processes to normal operation in the event of a disaster. The DRP is often an integral part of the BCP. BCP and DRP directly support the availability security objective.
Security Education, Training and Awareness (SETA) program: As part of the governance framework, a SETA program is needed at the organizational level. Moreover, leadership development and human capital management in cybersecurity are a must.
Research and development: To effectively face the challenges of cybersecurity, innovation and research and development programs should be prepared.
International and Regional Collaborations: Cybersecurity needs collaboration among all stakeholders, such as government, intelligence agencies, the military, industry, legal and law enforcement agencies, academia, and the general public. Moreover, since cybersecurity is borderless, it needs regional and international collaboration. To this end, an international and regional collaboration program and framework should be prepared as an integral part of the governance framework.
Organizational Security Structures: A security structure should be developed and integrated into the company’s overall organizational structure. Experience has shown that security is considered an integral part of the IT organizational structure, and IT is integrated into the overall organizational structure. However, due to the dynamic nature of cyber threats and landscapes, the security organizational structure should be detached from the IT department and stand alone at national and organizational levels. In light of the above facts, there is a need for an effective security organizational structure with sufficient authority and adequate resources.

5.2. Cybersecurity Governance Framework Activities

Strategic Alignment: Cybersecurity strategy should be integrated and aligned with the overall IT and organizational strategies. An organization must clearly define its risk management policies, strategy, and goals to establish a good cybersecurity governance program. Top management must evaluate the current cyber-risk level. Based on the outlined security risk level, appropriate strategies and goals should be established. Once the strategy and goals are formalized, an organizational-level security policy must be implemented and distributed throughout the organization.
Resource Management: The main goal of cybersecurity governance is to align the cybersecurity budget and resources with the overall enterprise requirements. Top management must ensure that an acceptable level of resources is available to cover basic cybersecurity governance, and that sufficient budgets are allocated to protect the more critical IT systems and business processes. Moreover, top management should ensure that resources allocated for security are used conscientiously and efficiently.
Establishment of Roles, Responsibilities and Accountability: Cybersecurity governance must be measurable and enforced, and there should be responsibility for auditing and compliance throughout the enterprise. Establishing and verifying the roles and responsibilities of security officers, users, contractors, etc., should be part of the security governance framework.
Compliance with Laws and Regulations: One of the main challenges of information security is the lack of national and regional legal frameworks. Therefore, information security programs should comply with laws and regulations.

5.3. Cybersecurity Governance Outcomes

The following section presents the outcomes of the cybersecurity governance framework.
Strategic alignment: Cybersecurity strategy and policy should be aligned with the overall business strategy of an organization.
Cybersecurity Risk Management: The major focus area of the cybersecurity governance framework is risk management. Accordingly, enterprises should identify threats and vulnerabilities, recognize the risk exposure factor and the consequences of a cyber-attack, and reduce security risks to an acceptable level according to the organization’s risk appetite.
Resource Management: The major goal of cybersecurity governance is to integrate and align the cybersecurity budget with the overall enterprise requirements.
Performance measurement: Organizations need key performance metrics against which the security programs and policy are measured to ensure that organizational objectives are achieved, looking for shortcomings and receiving feedback, and having external audits to confirm security assertions. Details are presented in section four.
Value delivery: Investment in cybersecurity must be managed to achieve the desired value delivered by the company.

5.4. Cybersecurity Governance Processes

Direct: Top management should direct the cybersecurity programs in the form of security policy to the lower level management so that security strategies and goals will be converted to the operational level.
Control: The overall security programs should be controlled by the top management of an enterprise.
Monitor: Monitoring mechanisms that monitor the performance of security programs with measurable and key performance indicators (KPI) should be developed and put in place.
Evaluate: Measuring and verifying the outcomes of the security performance monitoring techniques to ensure that the enterprise’s objectives and goals are achieved and to oversee future security program changes.
Awareness and Training: The development of cybersecurity policies, procedures, guidelines, and standards is only the beginning of an effective security program. We need to ensure that employees are well aware of their rights and responsibilities regarding the organization’s business assets. Awareness and training on cybersecurity can solve many security-related problems. To this end, awareness and training programs should be developed as part of the governance process.
Holistic approaches: Security should be seen as a cross-sector and multidimensional concern. Organizations should set a common vision and establish principles to guide the security program holistically. The proposed security governance process should be implemented end-to-end, from top management to lower management across the enterprise, to see security holistically.
Communicate: Reporting and communication channels shall be developed to inform stakeholders of the enterprise’s security posture and, in turn, to evaluate stakeholder requirements.

5.5. Proposed Cybersecurity Governance Framework Principles

Figure 6 shows the proposed cybersecurity governance framework principles. Each of them is presented as follows:
Flexible: The framework should be dynamic and flexible enough to adapt according to the current cybersecurity threats and technological landscapes.
Risk-based approach: Organizations should spend money and budget on security controls according to the security risk of the enterprise. Today, we are shifting from managing security within a single IT department to a more proactive and risk-based approach.
Standards, compliance and conformance requirements: In addition to the proposed governance framework, organizations should evaluate their IT systems against a set of standards and regulations, including NIST 800-53, the NIST Cybersecurity Framework, SOC 2, and ISO 27001. Cybersecurity compliance comprises meeting various security controls (usually enacted by a regulatory authority, law, or industry group) to protect the security triad of confidentiality, integrity, and availability of information assets.
Holistic Approach: In this dynamic technological time and threat landscape, cybersecurity requires a holistic approach, which addresses people, skills, and technology as well as processes and governance. Organizations should clearly comprehend how to achieve cyber defense and resilience efficiently.
Separate governance from management: Cybersecurity governance is the process of directing, controlling, and monitoring security programs and processes, defining accountability, and providing oversight to ensure that cyber-risks are sufficiently alleviated, while cybersecurity management is the framework to establish, operate, monitor, review, maintain, and improve the cybersecurity posture within the organization. The proposed cybersecurity governance framework clearly distinguishes between them, as shown in Figure 4.
Adaptive governance framework: The cybersecurity governance framework should be periodically reviewed, evaluated, and monitored so that it adapts to dynamic technological change and the threat landscape.
Tailored to enterprise needs: Most cybersecurity frameworks are generic and may not be appropriate for an organization’s security needs. To make the security governance framework efficient, it should be tailored according to the organization’s needs, resources, and other related issues.
Build a culture of cybersecurity: To develop and implement a cybersecurity program, there is a need to create a cyber-aware culture and training across the enterprise. Employee education, training, and awareness are a must to create a security-aware workforce and culture and to make sure that all employees know how to use the security systems and tools that the organization plans to implement.
End-to-end governance system: The proposed framework covers the IT function and all functions and processes across the entire organization. It treats information and related technologies as assets that need to be dealt with like any other organizational asset.
Collaboration and cooperation: Since cyberspace is borderless, it needs both national and international collaboration. Moreover, governments and the public and private sectors should work together to combat the worst security problems caused by cyber-criminals.

6. Performance Indicators of the Proposed Security Governance Framework

To facilitate and maintain effective and efficient governance of security operations and processes, and to establish a successful and effective cybersecurity program across an organization, there is a need to come up with reliable key performance indicators (KPIs). Using KPIs, security governance frameworks are implemented, monitored, measured, and evaluated [24].
Top management and Chief Information Security Officers (CISOs) should measure the strategic, tactical, and operational efficiency of the security programs that are an integral part of the security governance system. These days, organizations invest a lot of budget in securing the information systems supporting business operations. Top management should be convinced of and aware of the importance of cybersecurity programs in order to allocate enough budget to security-related activities. To this end, senior managers responsible for an organization’s security need reliable KPIs to measure and evaluate the reliability of the security program. To measure, evaluate, and monitor the effectiveness of the security programs, policies, strategies, and countermeasures within the governance framework implemented in an enterprise, security performance metrics should be developed and adapted to the company’s security governance strategies, processes, and principles. In general, measuring the effectiveness of security controls means building the competency to fine-tune the security policy and programs and thereby decide on security investments. In view of the above facts, the implementation of the proposed cybersecurity governance framework can be measured using a standard framework of metrics based on the governance framework structure, namely process, technology, people, and compliance, as shown in Figure 7.
Some of the important metrics that can be used to measure the effectiveness of the security governance framework are presented below:

6.1. Financial Metrics: Mainly Deal with the Financial Impact of Security Controls Implemented to Safeguard and Create Resilience in Company Assets

Financial metrics in cybersecurity mainly evaluate the security investment made to protect the IT systems that support the company’s business operations. Annualized loss expectancy (ALE), total cost of ownership (TCO), and economic value added (EVA) can be used as financial metrics. ALE is the annualized loss resulting from the cyber-risk impact. ALE can be calculated as part of the cyber-risk assessment as:
Annualized loss expectancy (ALE) = Single loss expectancy (SLE) × Annualized rate of occurrence (ARO) (1)
where ARO is the annual rate of occurrence of the cyber threat, and SLE is calculated as:
SLE = Asset value × Exposure factor (2)
The ALE can be well described in terms of TCO. TCO includes all costs of the security programs, such as human resources, software, and hardware, and determines how much investment is made in the security program. By observing the trends and differences between ALE and TCO, it is possible to define the benefit of the security investment, as shown in Figure 8.
The EVA of the security investment can be calculated as:
EVA = ΔALE/ΔTCO (3)
Using the above formulation and Figure 8, the EVA should always be less than one for a better and more cost-effective security investment. If EVA is greater than one, the cost of the security investment is not enough to pay off the potential loss of business assets. Finally, if EVA is equal to one according to Formula (3), the security cost compensates for the potential loss.
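The following is an added worked example (not code from the paper) that carries Formulas (1) to (3) through for one constructed risk scenario before and after a control is introduced; the asset value, exposure factors, ARO values and TCO figures are assumptions, and the classification of the resulting EVA follows the decision rule stated above.

```python
"""Worked calculation of SLE, ALE and EVA (Formulas (1)-(3)) for one constructed scenario."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RiskScenario:
    """Inputs for one cyber-risk scenario together with the cost of its controls."""
    asset_value: float      # monetary value of the asset at risk
    exposure_factor: float  # fraction of the asset value lost per incident, in [0, 1]
    aro: float              # annualized rate of occurrence of the threat
    tco: float              # total cost of ownership of the security controls in place

    def sle(self) -> float:
        """Formula (2): SLE = asset value x exposure factor."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must lie in [0, 1]")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Formula (1): ALE = SLE x ARO."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def eva(before: RiskScenario, after: RiskScenario) -> Optional[float]:
    """Formula (3): EVA = dALE / dTCO.

    dALE is the reduction in annualized loss achieved by the control and
    dTCO the additional cost of ownership it introduces. Returns None when
    TCO did not change, because the ratio is then undefined.
    """
    delta_ale = before.ale() - after.ale()
    delta_tco = after.tco - before.tco
    if delta_tco == 0:
        return None
    return delta_ale / delta_tco


def interpret_eva(value: Optional[float]) -> str:
    """Classify an EVA value using the decision rule stated in the paper."""
    if value is None:
        return "undefined (TCO unchanged)"
    if value < 1:
        return "cost-effective security investment (EVA < 1)"
    if value == 1:
        return "security cost compensates for the potential loss (EVA = 1)"
    return "security investment not enough to pay off the potential loss (EVA > 1)"


# Constructed sample figures (assumptions, not data from the paper):
# a 500,000 asset exposed to a threat before and after a new control.
BEFORE = RiskScenario(asset_value=500_000, exposure_factor=0.4, aro=0.5, tco=40_000)
AFTER = RiskScenario(asset_value=500_000, exposure_factor=0.1, aro=0.2, tco=160_000)


def worked_example() -> dict:
    """Return every intermediate value so the arithmetic can be checked."""
    value = eva(BEFORE, AFTER)
    return {
        "sle_before": BEFORE.sle(),   # 500,000 x 0.4 = 200,000
        "ale_before": BEFORE.ale(),   # 200,000 x 0.5 = 100,000
        "sle_after": AFTER.sle(),     # 500,000 x 0.1 = 50,000
        "ale_after": AFTER.ale(),     # 50,000 x 0.2 = 10,000
        "delta_ale": BEFORE.ale() - AFTER.ale(),  # 90,000 reduction in annual loss
        "delta_tco": AFTER.tco - BEFORE.tco,      # 120,000 additional spend
        "eva": value,                 # 90,000 / 120,000 = 0.75
        "verdict": interpret_eva(value),
    }


if __name__ == "__main__":
    for name, val in worked_example().items():
        print(f"{name:>11}: {val}")
```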
Maturity assessment: This measures the organization’s maturity in securing its information systems and business processes using a suitable set of security controls recommended by the risk assessment output. Cybersecurity governance requires a simple, adaptive, and standardized way to measure and visualize the level of security controls implemented, or the capability to mitigate cyber-risk. In general, a security maturity assessment is meant to describe the security posture concisely and in a standard way. Here, the security process maturity model is given as a five-level process maturity scale, as shown in Figure 9. The maturity model can then generate a graph showing the gaps between the actual and the anticipated level of maturity for different security programs, controls, and objectives. The levels are discussed below:
  • Initial: At this level an organization starts implementing security controls, but there are no well-defined standards, best practices, or processes that the company follows. Therefore, the security process is ad hoc or temporary. The security programs and processes are new and are not evaluated or audited. In general, at this level, security practices are not performed.
  • Repeatable: The security practices, processes, and programs are developed, implemented, and documented so that the processes can be repeated. However, the organization has no performance metrics, capabilities, or techniques to evaluate its security posture and readiness against a set of standards and best practices.
  • Defined: The process is defined and confirmed as a standard business process. An organization at this level can proactively analyze its security risk and provide mitigation options.
  • Managed: The process is quantitatively managed according to a set of agreed standard metrics. At this level, security practices are documented, sufficient resources are allocated to implement the security process, and the security practices are more advanced than at the previous level (Level 3).
  • Mature: An organization at this stage has all security programs in place and begins optimizing and improving the implemented security programs. At this level, security processes and programs are guided by policies and directives; responsibility, accountability, and authority to perform the security activities are well defined and in place; security officers with sufficient knowledge and skills are assigned; and the effectiveness of security programs is periodically assessed and evaluated using key performance indicators (KPIs).
The security capability maturity model shown in Figure 9 is illustrated in Figure 10, which offers the security capability assessment of a sample organization. It implements various security controls, with the current maturity level shown in red. Most of the implemented security controls lie at or below maturity level three. This indicates security processes and programs that are defined and confirmed as a set of standard business processes. However, improvement is needed to reach the maximum maturity level, labeled 5 (Mature), in all security processes, plans, and programs.
In general, the maturity assessment process model maintains and justifies whether security governance processes, policies, and risk assessments are properly implemented. Moreover, it allows the CISO, business leaders, risk managers, auditors, and other stakeholders to discuss and view their security posture thoroughly across the enterprise.

6.2. Operational Metrics

Operational metrics present the effectiveness of security programs, processes, and controls. Security operational performance, or the ability to mitigate cyber-risk, is paramount in evaluating the overall security governance and management process. It should be presented in the form of a graphical representation along with ratios, trends, maturity, and risk. To perform the measurement, a security control register can be prepared, and the security officers can identify the most important security controls implemented to secure the main information system assets and business processes of an organization and measure their performance. Table 3 shows sample operational metrics along with their trends.

6.3. Benchmarking

Comparison of the security governance and programs in place with other security best practices or standards is termed benchmarking. It is also important to compare an organization’s security governance and strategies with those of similar enterprises. Various sources of researched and audited output can be used to see security trends and serve as benchmarks, such as: (a) research and surveys made by advisory or consultancy companies; (b) security posture studies that business associations conduct within a given sector; (c) outputs of research or surveys made by a similar organization; and (d) regulators given the mandate to audit companies and authorized consultants specialized in conducting benchmarking.
As a concluding remark, well-defined KPIs are of paramount importance for the measurement of the cybersecurity governance process and the other components within the framework. These performance indicators help security officers to measure, evaluate, and adjust their security programs accordingly.

7. Conclusions

The cybersecurity governance framework is a critical and core part of information security governance. This research first aimed to review existing IT and security governance frameworks, to compare them, and to see their gaps, overlaps, and limitations. According to the review and investigations made, the following major limitations were identified: they are complex and have complicated structures to implement; they are expensive and require highly skilled IT and security professionals; moreover, the frameworks require many requirement checklists for both implementation and auditing purposes, and they also require a lot of time and resources. To fill the limitations mentioned above, a simple, dynamic, and adaptive cybersecurity governance framework is proposed that provides security-related strategic direction, ensures that security risks are managed appropriately, and ensures that organizations’ resources are utilized optimally. The framework incorporates components that were not considered in the existing frameworks. It also provides security-related strategic direction, ensures that security objectives are met, ascertains that security risks are managed appropriately, and ensures that organizational resources are utilized optimally. The proposed governance framework has nine components, five activities, four outcomes, and seven processes. It is simple enough to be implemented by any organization. Other security policies, standards, guidelines, and security-related programs can be prepared and implemented using this governance framework. To this end, the major contributions of this research are: the most widely used governance frameworks are thoroughly reviewed along with their benefits and limitations; a simple-to-use, dynamic, and adaptive cybersecurity governance framework is proposed; and finally, to evaluate the proposed framework, key performance indicators are proposed to measure the effectiveness of the proposed security governance framework.
As future work, implementation, evaluation, and validation of the proposed framework will be performed on selected organizations to see its effectiveness.

Funding

This research was funded by Addis Ababa University under grant number AAU/TR/217/20.

Data Availability Statement

No new data were created or analyzed in this research study. Data sharing is not applicable to this article.

Acknowledgments

We thank and acknowledge Addis Ababa University (AAU) for granting funds to conduct this research study. We would also like to express our deepest gratitude to the many governmental and private organizations that opened their doors for this research activity. The author thanks staff members, data collectors, literature reviewers, and many others who have directly contributed to this research study’s success. A very special thanks goes out to Worku Gachena (Director, Artificial Intelligence Institute) for the valuable financial support he offered to the output of this research study. Finally, I would like to thank Sileshie Demesie for the proofreading of the manuscript.

Conflicts of Interest

The author declares no conflict of interest.

References

  1. Rama, A.K.; Eric, G. Evaluation of IT Governance Implementation using COBIT 5 Framework and ISO 38500 at Telecommunication Industries. In Proceedings of the 2020 International Conference on Information Management and Technology (ICIMTech), Bandung, Indonesia, 13–14 August 2020; pp. 453–457.
  2. Schinagl, S.; Abbas, S. What do we know about information security governance? “From the basement to the boardroom”: Towards digital security governance. Inf. Comput. Secur. 2020, 28, 261–292.
  3. Ahmad, A.; Desouza, K.C.; Maynard, S.B.; Naseer, H.; Baskerville, R.L. How the integration of cyber security management and incident response enables organizational learning. J. Assoc. Inf. Sci. Technol. 2020, 71, 939–953.
  4. Ponnusamy, V.; Jhanjhi, N.Z.; Humayun, M. Fostering Public-Private Partnership: Between Governments and Technologists in Developing National Cybersecurity Framework. In Employing Recent Technologies for Improved Digital Governance; IGI Global: Hershey, PA, USA, 2020; pp. 237–255.
  5. Volchkov, A. Information Security Governance: Framework and Toolset for CISOs and Decision Makers; Auerbach Publications: Parkway, NW, USA, 2018.
  6. Herath, T.C.; Herath, H.S.B.; Cullum, D. An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks. Inf. Syst. Front. 2022, 25, 681–721.
  7. Yasin, M.; Arman, A.A.; Edward, I.J.M.; Shalannanda, W. Designing information security governance recommendations and roadmap using COBIT 2019 Framework and ISO 27001:2013 (Case Study Ditreskrimsus Polda XYZ). In Proceedings of the 2020 14th International Conference on Telecommunication Systems, Services, and Applications, Bandung, Indonesia, 4–5 November 2020.
  8. Maleh, Y.; Zaydi, M.; Sahid, A.; Ezzati, A. Building a maturity framework for information security governance through an empirical study in organizations. In Research Anthology on Artificial Intelligence Applications in Security; IGI Global: Hershey, PA, USA, 2021; pp. 143–173.
  9. Snow, S. A Qualitative Study of Strategy-driven, Information Security Governance (ISG). Ph.D. Dissertation, Colorado Technical University, Colorado Springs, CO, USA, 2020.
  10. Wong, C.K.; Maynard, S.B.; Ahmad, A.; Naseer, H. Information Security Governance: A Process Model and Pilot Case Study. In Proceedings of the 41st International Conference on Information Systems, ICIS 2020, Hyderabad, India, 13–16 December 2020.
  11. AlGhamdi, S.; Win, K.T.; Vlahu-Gjorgievska, E. Information security governance challenges and critical success factors: Systematic review. Comput. Secur. 2020, 99, 102030.
  12. Melaku, H.M. Investigating Potential Vulnerability of Critical Infrastructure and Way Forward—Recommendations to Enhance Security and Resilience. Biomed. Sci. Clin. Res. 2023, 2, 61–67.
  13. Melaku, H.M. Context-Based and Adaptive Cybersecurity Risk Management Framework. Risks 2023, 11, 101.
  14. Al-Fatlawi, Q.A.; Al Farttoosi, D.S.; Almagtome, A.H. Accounting information security and IT governance under COBIT 5 framework: A case study. Special Issue on Information Retrieval and Web Search. Webology 2021, 18, 294–310.
  15. Andry, J.F.; Setiawan, A.K. IT governance evaluation using COBIT 5 framework on the national library. J. Sist. Inf. 2019, 15, 10–17.
  16. Gashgari, G.; Walters, R.J.; Wills, G.B. A Proposed Best-practice Framework for Information Security Governance. In Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security (IoTBDS 2017), Porto, Portugal, 24–26 April 2017; pp. 295–301.
  17. Savaş, S.; Karataş, S. Cyber governance studies in ensuring cybersecurity: An overview of cybersecurity governance. Int. Cybersecur. Law Rev. 2022, 3, 7–34.
  18. Albalas, T.; Modjtahedi, A.; Abdi, R. Cybersecurity governance: A scoping review. Int. J. Prof. Bus. Rev. 2022, 7, e0629.
  19. Yusif, S.; Hafeez-Baig, A. A conceptual model for cybersecurity governance. J. Appl. Secur. Res. 2021, 16, 490–513. [Google Scholar] [CrossRef]
  20. Welker, T.; Abiona, O. Improving the Cybersecurity Framework for Future Consumer Networks. Int. J. Commun. Netw. Syst. Sci. 2021, 14, 47–54. [Google Scholar] [CrossRef]
  21. Heredia, H.; Merchán, V. towards the Information Security Governance for Institutions of Higher Education: Harmonization of Standards. In Proceedings of the International Conference on Applied Technologies, Quito, Ecuador, 3–5 December 2019; Springer: Cham, Switzerland, 2019; pp. 467–481. [Google Scholar]
  22. Ula, M.; Ismail, Z.; Sidek, Z.M. A Framework for the governance of information security in banking system. J. Inf. Assur. Cyber Secur. 2011, 2021, 726196. [Google Scholar] [CrossRef] [Green Version]
  23. De Haes, S.; Grembergen, W.V.; Joshi, A.; Huygh, T. COBIT as a Framework for Enterprise Governance of IT. In Enterprise Governance of Information Technology: Achieving Alignment and Value in Digital Organizations; Springer: Berlin/Heidelberg, Germany, 2020; pp. 125–162. [Google Scholar]
  24. Maleh, Y.; Sahid, A.; Belaissaoui, M. A maturity framework for cybersecurity governance in organizations. EDPACS 2021, 63, 1–22. [Google Scholar] [CrossRef]
Figure 1. COBIT and ISO/IEC 27014 governance process.
Figure 2. COBIT 5 and 2019 Principles.
Figure 3. ISO/IEC 27014 and ITIL V4 governance principles.
Figure 4. Proposed Cybersecurity Governance Framework.
Figure 5. Strategic planning.
Figure 6. Proposed Cybersecurity Governance Principles.
Figure 7. Security governance metrics.
Figure 8. Example of ALE and TCO trends.
Figure 9. Security Process Maturity Model.
Figure 10. Sample Maturity Assessment Result.
Table 1. Comparison of COBIT 5 and COBIT 2019.

Parameters | COBIT 5 | COBIT 2019
Governance processes | 37 processes | 40 processes
Governance principles | Five principles | Six principles
Governance framework principles | Absent | Added
Performance measurement | Based on ISO/IEC 33000 (0–5 level) | CMMI performance measurement scheme is used
Design factors | Not included | Included (contextual, strategic, and tactical)
Enablers | Not included | Renamed as components
Alignment with other standards | Not applicable | Aligns with other security standards, frameworks, and protocols
Table 2. Comparison of governance frameworks.

Parameters | COBIT | ISO/IEC 27014 | ITIL
Definition | Business and best-practice framework for the governance and management of IT systems | An international standard for the management of services given by IT systems and requirements | A suitable set of best-practice guidance for IT service management
Function | Defines a set of standards and requirements for the governance, management, and control of IT systems and processes | Defines a set of standards and requirements for the formation, implementation, maintenance, and continual improvement of cybersecurity | Service level management of IT systems that support business operations and processes
Certification requirements | Implementation does not require certification | Implementation requires certification | Implementation does not require certification
Applicability | Applicable to any type and size of organization; frequently used by top management responsible for compliance and audit | Applicable to any type and size of organization; frequently used by IT-supported organizations that want to prove compliance with externally defined best practices and standards | Applicable to any type and size of organization delivering internal or external IT services; most commonly used in operational IT departments
Focus | COBIT focused on audit and compliance; recent versions focus on IT service governance and management | ISO/IEC focuses on meeting certification requirements to validate compliance with the standards | ITIL focuses on IT services and processes; recent versions combine the service lifecycle and are more focused on value, service, and customers
Domain/Area | 40 processes and four domains | More than ten domains | Nine processes
Implementation | Information system audit | Service level management of information systems | Compliance with security standards
Scope/Coverage | Broader scope coverage than ITIL | Complementary to ITIL | A framework of standards and best practices for IT service management, complementary to ISO standards
Ownership | An IT governance framework from ISACA (UK) | A service management standard from ISO (Geneva) | A service management framework owned by AXELOS
Mainly used for | Outlining audit and compliance requirements for IT systems | Demonstrating that the IT organization meets a suitable set of standards and best practices | Helping to define operational IT service management processes
Issuer | ISACA | ISO/IEC, Information Technology, Subcommittee SC 27 (Information security, cybersecurity and privacy protection), in collaboration with ITU-T SG 17 | AXELOS, a joint venture between Capita and the UK Cabinet Office

ITU-T—International Telecommunication Union-Telecommunication Sector. SC—Subcommittee. SG—Sub group.
Table 3. Operational metrics with trends.

Measurement objectives | Metrics | Trends
Risk management | The number of times risk assessments are performed per year | (trend icon)
Incident handling | The average time to resolve security incidents | (trend icon)
Configuration management | The total number of patched and updated systems | (trend icon)
Awareness efficiency | The total percentage of employees trained on cyber-risks | (trend icon)
Efficiency in resolving audit findings | Average delays in processing of security audit findings | (trend icon)
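The trend column of Table 3 only makes sense once each metric is paired with a direction of improvement: a falling incident resolution time is good, a falling count of risk assessments is not. The following is an added example, not code from the paper, that computes the five operational metrics from constructed records for two reporting periods and classifies each trend as improving, stable, or worsening. The record layout, the 5% stability tolerance, and all sample values are assumptions made for illustration.

```python
"""Operational security metrics with trend classification (added example, not from the paper)."""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean
from typing import Callable


@dataclass(frozen=True)
class PeriodRecords:
    """Raw operational records for one reporting period (constructed sample layout)."""
    risk_assessments: int                    # risk assessments performed in the period
    incident_resolution_hours: list[float]   # hours to resolve each closed incident
    systems_patched: int                     # systems patched and updated in the period
    employees_total: int
    employees_trained: int                   # employees who completed cyber-risk training
    audit_finding_delays_days: list[float]   # days from audit finding to remediation


@dataclass(frozen=True)
class Metric:
    name: str
    compute: Callable[[PeriodRecords], float]
    lower_is_better: bool                    # direction in which the metric improves


def _avg(values: list[float]) -> float:
    """Average that tolerates an empty period (no incidents or findings closed)."""
    return mean(values) if values else 0.0


# The five metrics of Table 3, each with its improvement direction.
METRICS: list[Metric] = [
    Metric("Risk assessments per period", lambda r: float(r.risk_assessments), False),
    Metric("Average incident resolution time (h)", lambda r: _avg(r.incident_resolution_hours), True),
    Metric("Systems patched", lambda r: float(r.systems_patched), False),
    Metric("Employees trained (%)", lambda r: 100.0 * r.employees_trained / r.employees_total, False),
    Metric("Average audit-finding delay (days)", lambda r: _avg(r.audit_finding_delays_days), True),
]


def classify_trend(previous: float, current: float, lower_is_better: bool,
                   tolerance: float = 0.05) -> str:
    """Classify the change between two periods; |change| within tolerance is 'stable'."""
    if previous == 0.0:
        # No baseline to compute a ratio against: any non-zero movement is a trend.
        change = 0.0 if current == 0.0 else (1.0 if current > 0.0 else -1.0)
    else:
        change = (current - previous) / abs(previous)
    if abs(change) <= tolerance:
        return "stable"
    improved = change < 0.0 if lower_is_better else change > 0.0
    return "improving" if improved else "worsening"


def scorecard(previous: PeriodRecords, current: PeriodRecords) -> dict[str, tuple[float, float, str]]:
    """Return {metric name: (previous value, current value, trend)} for every metric."""
    result = {}
    for metric in METRICS:
        prev_value = metric.compute(previous)
        cur_value = metric.compute(current)
        result[metric.name] = (prev_value, cur_value,
                               classify_trend(prev_value, cur_value, metric.lower_is_better))
    return result


# Constructed sample data for two consecutive quarters (not measurements from the paper).
Q1 = PeriodRecords(risk_assessments=1,
                   incident_resolution_hours=[48.0, 72.0, 36.0, 60.0],
                   systems_patched=150, employees_total=120, employees_trained=60,
                   audit_finding_delays_days=[30.0, 45.0, 60.0])
Q2 = PeriodRecords(risk_assessments=2,
                   incident_resolution_hours=[24.0, 36.0, 30.0, 18.0],
                   systems_patched=155, employees_total=120, employees_trained=96,
                   audit_finding_delays_days=[50.0, 60.0, 70.0])

if __name__ == "__main__":
    for name, (prev_value, cur_value, trend) in scorecard(Q1, Q2).items():
        print(f"{name:40s} {prev_value:8.1f} -> {cur_value:8.1f}  {trend}")
```

With the constructed data, incident resolution time halves (improving), the patch count moves by about 3% (stable under the 5% tolerance), and audit-finding delays grow from 45 to 60 days (worsening); a governance board would read the worsening row as the item needing a decision, which is the purpose of attaching a direction to each metric rather than reporting raw numbers.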
Melaku, H.M. A Dynamic and Adaptive Cybersecurity Governance Framework. J. Cybersecur. Priv. 2023, 3, 327-350. https://doi.org/10.3390/jcp3030017