ABSTRACT

This paper presents a cyber-security culture framework for assessing and evaluating the current security readiness of an organization’s workforce. Having conducted a thorough review of the most commonly used security frameworks, we identify core security human-related elements and classify them by constructing a domain agnostic security model. We then proceed by presenting in detail each component of our model and attempt to quantify them in order to achieve a feasible assessment methodology. The paper thereafter presents the application of this methodology for the design and development of a security culture evaluation tool, that offers recommendations and alternative approaches to workforce training programs and techniques. The model has been designed to easily adapt on various application domains while focusing on their unique characteristics. The paper concludes on applications of our instrument on security-critical domains, and its contribution to current research by providing deeper insights regarding the human factor in cybersecurity.

摘要

本文提出了一个网络安全文化框架，用于评估和评估组织员工的当前安全状况。在对最常用的安全框架进行了彻底的审查之后，我们确定了与人的核心安全相关的元素，并通过构建域不可知的安全模型对它们进行了分类。然后，我们将详细介绍模型的每个组成部分，并尝试对其进行量化，以实现可行的评估方法。此后，本文介绍了该方法在安全文化评估工具的设计和开发中的应用，该工具为劳动力培训计划和技术提供了建议和替代方法。该模型旨在轻松适应各种应用程序域，同时关注其独特特性。