Designing a Cyber-security Culture Assessment Survey Targeting Critical Infrastructures During Covid-19 Crisis
Authors: Georgiadou, Anna; Mouzakitis, Spiros; Askounis, Dimitris
Date: 2021-02-05
DOI: 10.5121/ijnsa.2021.13103
key: cord-0320033-24hmr13p; sha: 47b989118ab3ce328bb38ade8c3b9ac5c8dacfd8; doc_id: 320033; cord_uid: 24hmr13p

The paper at hand presents the design of a survey aiming at the cyber-security culture assessment of critical infrastructures during the COVID-19 crisis, when living reality was heavily disturbed and working conditions fundamentally affected. The survey is rooted in a security culture framework layered into two levels, organizational and individual, further analyzed into 10 different security dimensions consisting of 52 domains. An in-depth analysis of the questionnaire construction is presented, focusing on its aims, goals, and expected results. The paper concludes with the survey implementation approach while underlining the framework's first application and the insights it revealed during a global crisis.

Coronavirus disease 2019, widely known as COVID-19, is an infectious disease caused by severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) [1]. The disease was first detected in late 2019 in the city of Wuhan, the capital of China's Hubei province [2]. In March 2020, the World Health Organization (WHO) declared the COVID-19 outbreak a pandemic [3]. Today, with more than 11 million confirmed cases in 188 countries and at least half a million casualties, the virus is continuing its spread across the world. While epidemiologists argue that the crisis is not even close to being over, it has quickly become apparent that "the COVID-19 pandemic is far more than a health crisis: it is affecting societies and economies at their core" [4]. Terms such as "Great Shutdown" and "Great Lockdown" [5, 6, 7] have been introduced to describe the major global recession which arose as an economic consequence of the ongoing COVID-19 pandemic.
The first noticeable indication of the ensuing recession was the 2020 stock market crash on the 20th of February. The International Monetary Fund (IMF), in its April World Economic Outlook, projected global growth in 2020 to fall to -3 percent. This is a downgrade of 6.3 percentage points from January 2020, making the "Great Lockdown" the worst recession since the Great Depression, and far worse than the Global Financial Crisis [7]. According to the International Labour Organization (ILO) Monitor, published on 7th April 2020, full or partial lockdown measures are affecting almost 2.7 billion workers, representing around 81% of the world's workforce [8]. Organizations from various business domains and operation areas globally try to survive this unprecedented financial crisis by investing their hopes, efforts, and working reality in information technology and digitalization. The workforce is being encouraged and enabled to telework, while most products and services are made available over the web and, in many cases, are transformed and adjusted to the current, rather demanding, reality. However, the aforementioned organizations face another, less apparent, COVID-19 side-effect: the increase in cybercrime. The growth in the percentage of the population connected to the World Wide Web and the expansion of time spent online, combined with the sense of confinement and the anxiety and fear generated by the lockdown, seem to catalyze the action of cyber-criminals. Coronavirus has rapidly reshaped dark web activities, as buyers and sellers seize the opportunity to capitalize on global fears, as well as on dramatic shifts in supply and demand. Phishing emails, social engineering attacks, malware, ransomware and spyware, medical-related scams, and investment-opportunity frauds are only a few examples of the cyber-crime incidents reported during the crisis period [9, 10].
INTERPOL's Cybercrime Threat Response team has detected and reported a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response. Cybercriminals are using ransomware to hold hospitals and medical care services digitally hostage, preventing them from accessing vital files and systems until a ransom is paid [11]. Cyber-security agencies, organizations, and experts worldwide have issued recommendations and proposed safeguard measures to assist individuals and corporations in defending against cyber-crime. While the virus dominates every aspect of our daily lives and human interaction is being substituted by digital transactions, cybersecurity regains the role it was deprived of during the last years. The question that remains unanswered, given the circumstances, is: What are the side-effects of the COVID-19 pandemic on cyber-security culture at both the individual and the organizational level? The manuscript at hand presents the design and rollout plan of a survey aiming to assess the cyber-security culture during the COVID-19 pandemic in the critical infrastructure domain. Section 2 presents background information regarding the importance of public cyber-security surveys conducted over the years, emphasizing the variety and originality of their findings. Building upon their approach, a detailed methodology is reported in Sections 3 & 4, in an effort to develop a brief, targeted and comprehensible survey for the assessment of the cybersecurity readiness of organizations during the crisis, with emphasis on employees' feelings, thoughts, perspective and individuality. In Section 5, we sketch the next steps towards conducting and successfully completing the survey. Finally, Section 6 concludes by underlining the importance of our survey reasoning while focusing on the challenging scientific opportunities that arise from it.
Over the last decades, cybersecurity surveys have been a powerful asset to academics and information security professionals seeking to explore the ever-changing technological reality. Their goal was to uncover current trends in cyber threats, organizations' investment priorities, cloud security solutions, threat management, application security, security training and certification, and more. Initially, they were narrowed down and addressed to certain participants depending on the nature and specific purpose of each survey. A landmark example of this kind was the Computer Crime & Security Survey conducted by the Computer Security Institute (CSI) with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad. This annual survey, during its 15 years of life (starting from 1995 and reaching up to 2010), was probably one of the longest-running continuous surveys in the information security field [12]. This far-reaching study provided unbiased information and analysis about targeted attacks, unauthorized access, incident response, organizational economic decisions regarding computer security and risk management approaches, based on the answers provided by computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities. Following its lead, many public and private sector organizations seek, via cybersecurity surveys, revealing findings that will help them calibrate their operations and improve their overall presence in the business world.
The Healthcare Information and Management Systems Society (HIMSS) focuses on the health sector [13]; ARC Advisory Group targets Industrial Control Systems (ICS) in critical infrastructures such as energy and water supply, as well as in process industries, including oil, gas and chemicals [14]; SANS explores the challenges involved with the design, operation and risk management of ICS, its cyber assets and communication protocols, and supporting operations [15]; Deloitte, in conjunction with Wakefield Research, interviews C-level executives who oversee cybersecurity at companies [16]; these are only some of the countless examples available nowadays. The current trend in cybersecurity surveys seems to be broadening their horizon by making them available and accessible through the internet [17, 18]. Since their goal is to reach out and attract more participants, thus enriching the collected data and, consequently, strengthening their results, they tend to be shorter, more comprehensible to the majority of average users and, as a rule, web-based. Recognizing the unique value of this undeniably fruitful security evaluation methodology, and prompted by the special working and living circumstances due to the COVID-19 pandemic, we identified the research opportunity to evaluate how this crisis has affected the cybersecurity culture of both individuals and organizations across the suffering globe. Security threats, frauds, breaches and perils have been brought to light, recommendations have been given and precautions have been taken [19, 20, 21]. What about the cybersecurity culture and its potential scars from this virus? Addressing this concern was our aim when designing, conducting and analyzing the survey presented in this paper. During the last years, our research efforts have been focusing on cyber-security in terms of tools, standards, frameworks and marketplace solutions, especially those targeting the human element.
We have benchmarked the dominant approaches in the field, classified their capabilities and analyzed their core security factors. Having identified their gaps and overlaps, common grounds and differentiation, and having thoroughly studied several academic principles regarding information security, including technical analyses, algorithmic frameworks, mathematical models, statistical computations, behavioral, organizational and criminological theories, we have created a foundation combining the elements that constitute the critical cyber-security culture elements [22]. The suggested cybersecurity culture framework is based on a domain-agnostic security model combining the key factors affecting and formulating the cybersecurity culture of an organization. It is layered into two levels, organizational and individual, analyzed into 10 different security dimensions consisting of 52 domains assessed by more than 500 controls. This hierarchical approach is presented in Figure 1. Tables 2 and 4 list dimensions, domains and indicative controls in an attempt to unfold to the reader the generalized philosophy of our framework. Controls used by our evaluation methodology aim to assess whether specific security fields have been taken into consideration and to what extent, rather than to measure the effectiveness and efficiency of the actual policies and procedures in place. In other words, they evaluate the multidisciplinary approach towards information security and the depths to which it reaches organizationally, rather than the completeness of the security technology solutions acquired and utilized by the enterprise under examination. This approach is even more evident at the individual level, where the beliefs, emotions, attitude, and behavior of the employees are examined under various prisms using a variety of psychological, behavioral, emotional and specialization assessments.

Table 2 (indicative controls; only the following items survived extraction):
• What is necessary for a person to turn a plain text message into an encrypted message?
• Which of the following events presents the greatest risk?
• Training Completion and Scoring: My achievement score at the last security training program I participated in was around...
• How many self-security assessments do you normally attempt per year?

Our goal was to design a survey that would be short and targeted, to get the security pulse of current business reality in the critical infrastructure domain. One of our major aims was to keep the questionnaire small and easily addressed in a timely manner by a common employee with no special security expertise or knowledge. This way, we could facilitate participation of a broader workforce group, lessening effort and prerequisites while maximizing result variation and credibility. Towards that goal, we needed to formulate questions targeting specific security factors bridging various security domains, while smartly extracting information depicting the existing working security routine and culture, their disruption by the COVID-19 crisis and the reaction to these special and rather demanding circumstances. On the other hand, taking into consideration the reported cyber-crime incidents along with the fraud and attack techniques used by the criminals of the dark web during this period, we focused our evaluation on specific dimensions related to network infrastructure, asset management, business continuity, employee awareness, and attitude. In the paragraphs to follow, we outline how, starting from a detailed cyber-security culture framework with more than 500 controls, we have narrowed down our objectives to a questionnaire containing no more than 23 questions, depending on the provided answers. Table 3 indexes the questions constituting the final version of our questionnaire, including secondary clarification questions presented based on participant input, whereas Table 4 correlates each of the questions to specific cyber-security levels, dimensions, and domains of our model. Table 3.
Question indexing, including secondary clarification questions presented based on provided input (asterisk annotated). Only the question texts were recovered; they are listed here in the order extracted, with question numbers where they survived:
• Prior to the COVID-19 crisis, were you able to work from home?
• How were you informed how to use them?
• I am proud to work for my organisation.
• Did you receive any security guidelines from your employer regarding working from home?
• Has your company adopted a specific collaboration solution?
• I have access to the things I need to do my job well.
• Q2.2* Please describe the main (2-3) security guidelines provided.
• What is your age?
• What kind of devices are you using to connect to your corporate working environment?
• Did you face any of the below cybersecurity related threats during the COVID-19 crisis?
• What is the highest degree or level of school you have completed?
• Are these devices accessed by users other than yourself?
• Q11.2* Please name any other cyber-security threats you encountered during this period, not listed above.
• Please select the business domain of the organisation you work for.
• Are these devices personal or corporate assets?
• To what extent do you agree with the following statements (during this specific period of the COVID-19 crisis): I prefer working from home than going to the office.
• Which of the following best describes your work position?
• Are these devices managed by your organisation?
• Q12.2 I work more productively from home.

Culture is defined as a set of shared attitudes, values, goals, and practices that define an institution or organization. Consequently, cyber-security culture refers to the set of values, conventions, practices, knowledge, beliefs and behaviors associated with information security. Its skeleton is therefore outlined by the working environment along with the technological infrastructure and security countermeasures that define it.
To understand, assess and detail the security cultural status of the critical infrastructure organizations represented in our survey, we have included questions Q1-Q10, which take the pulse of overall technological and security readiness and adaptability. Under the coronavirus prism, we intended to understand whether teleworking was an option prior to the crisis or not, and under which security policies. Thus, we have included queries polling the remote access procedures and the standards they meet, as well as the types, configuration and management of the devices used to gain access to the corporate environments. In other words, we attempted to assess the ways and the means of the working-from-home experience with a clear focus on cyber-security. Given that one of the most important shifts in "everyday business" was the "home office", we clearly focused on the technological infrastructure used during this period. Preconfigured workstations were substituted by remote assets, such as laptops, tablets and smartphones, which gained access to the corporate network via different communication protocols and security standards. We needed to evaluate this newly deployed working ecosystem and understand the security precautions taken by the participating enterprises. Additionally, we intended to assess the security maturity of the management, the security response team, and the awareness training program by introducing several questions clearly related to cyber-security familiarity and readiness. The most critical question of this category is the one referring to security guidelines provided during the COVID-19 crisis, seeking to gauge their responsiveness and timeliness. Most of the leading cyber-security entities and experts have issued special security guidelines towards individuals and organizations during the coronavirus pandemic.
Succeeding or failing to propagate similar guiding principles to your workforce during such confusing and challenging periods is a core security indicator. Another business facet which was examined, although not directly related to information security, was the collaboration possibilities offered to employees. Business trends and current reality (including but not limited to the COVID-19 crisis) lead towards a "remote" or "hybrid" working structure [23, 24]. Communication and teamwork need to be facilitated and promoted, especially during this period when general isolation is mandated as the main defense against the spread of the virus. Companies are expected to make provision for all means necessary to assist their employees in being productive, effective and cooperative [25]. This notion and quality are tested via two simplified questions included in our survey. Moving down to the individual level, evaluation becomes more demanding, since virus fear and emotional stress dominate every aspect of daily life, directly or indirectly affecting the human-related security factors. Questions Q11-Q12 attempt to probe the security behavior, attitude and competency of the remote workers by examining their emotions, thoughts and beliefs and by asking them to report any security incidents they came up against. As Cisco CEO John Chambers stated in a January 2015 post for the World Economic Forum titled "What does the Internet of Everything mean for security?", "there are two types of companies: those who have been hacked, and those who don't yet know they have been hacked". Similarly, there are two types of technology users: those who understand the perils they face every day, whether they cope with them successfully or not, and those who are simply unaware of the dangers they are most probably already exposed to. Our question Q11 tries to examine this security familiarity and awareness across the different seniority, age, expertise and background of the participants.
Question Q12 traces the emotional and intellectual state of the remote workers by listing several statements deriving from Insider Threat theory, according to which dissatisfaction, stressful events and personality predispositions can transform a loyal employee into a malicious or unintentional insider [26, 27]. Questions Q13-Q16 refer to generic information used for individual profiling and categorization, which shall enable us to analyze the gathered results under different prisms, offering various grouping possibilities and leading to possibly interesting findings on the basis of age, industry, education, working experience and expertise. This enterprise profiling is also believed to be closely related to security factors that form fertile ground for a number of human-related cyber-threats [28, 29, 30]. The resulting questionnaire manages to combine the two security levels of our framework effectively and efficiently. Additionally, its contents have been tailored to rapidly yet effectively take the pulse of the cyber-security reality during a disruptive period, such as the COVID-19 pandemic. This agile instrument, although offering a quick and fruitful measurement method compared to similar concurrent surveys, cannot be considered an in-depth information security assessment. Furthermore, it should not be used to label participating organizations but only to provide an overview of the AS-IS situation. Having developed a first questionnaire version addressing the security elements of interest based on our security culture framework, we carefully designed the rest of the survey methodology, including:
• validity testing: identify ambiguous questions or wording, unclear instructions, or other problems before widespread dissemination, possibly conducted by a group of survey experts, experienced researchers and analysts, and certified security and technology officers.
• delivery method: select the appropriate delivery method and possibly run an instrument validity test to verify the survey conduction methodology.
• sample selection: carefully choose representatives from energy, transport, water, banking, financial market, healthcare and digital infrastructure from different European countries (e.g. Cyprus, France, Germany, Greece, Italy, Romania, Spain) affected by the COVID-19 crisis.
• survey duration: define a specific start and end period communicated to all invited parties.

The survey has been concluded and its results have been made available via a research data repository [31]. Their analysis and interesting findings are currently under publication. Having performed this indicative (meaning not restricted within the business limits of one organization) pilot application of our cyber-security culture framework during a crisis period, we now focus on conducting similar cyber-security culture assessment surveys in specific organizations, targeting different security domains and not only during the pandemic. We intend to proceed with extended applications of our framework and conduct a comparative analysis of the cyber-security differences among the various business domains, possibly identifying variations in needs, threats, attitude, awareness, and overall culture. Our survey focuses on evaluating the security readiness and responsiveness of corporations during the Great Shutdown and, more specifically, it addresses critical infrastructure domain representatives from different countries affected by the coronavirus. A security-culture approach demands flexibility and concurrency. Corporations of the public and private sector, regardless of their specialization and expertise, need to develop a digital workplace strategy that includes collaboration applications, security controls, network management, and digital technologies. They need to adjust their employment modes, business models, communication, and marketing channels.
In a radically evolving and transforming environment, security and risk teams need to become part of the crisis management group, remote working employees need to remain vigilant to cyber-threats, and the operations life-cycle needs to remain uninterrupted, especially for the operators of essential services. Our research aims to investigate whether and to what extent this approach is embraced by critical infrastructure organizations in different countries nowadays, while revealing interesting findings related to cyber-security and inspiring further scientific research in this field. Since the COVID-19 crisis unfortunately persists, we now consider repeating our survey, properly adjusted and addressed to the same organizations involved in the first iteration, to understand whether their security culture status has differentiated and evolved via this crash-testing experience, or whether the long-standing critical circumstances have negatively affected their attitude and behavior towards information technology and security. We are also examining a similar tailor-made survey focusing on other domains of interest, possibly differentiating organizations of the public and private sector and of different financial or workforce dimensions. This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 832907 [32].
References (titles as recovered; reference numbering was not preserved):
• The COVID-19 epidemic
• The continuing 2019-nCoV epidemic threat of novel coronaviruses to global health - The latest 2019 novel coronavirus outbreak in Wuhan, China
• WHO Director-General's opening remarks at the media briefing on COVID-19
• Socio-economic impact of COVID-19 | UNDP
• The world economy is now collapsing
• The Great Shutdown: Challenges And Opportunities
• The Great Lockdown: Worst Economic Downturn Since the Great Depression
• ILO Monitor: COVID-19 and the world of work
• The impact of COVID-19 on the spread of cybercrime
• COVID-19 cyberthreats
• Cybercriminals targeting critical healthcare institutions with ransomware
• Healthcare Information and Management Systems Society
• The State Of Industrial Cybersecurity
• SANS 2019 State of OT/ICS Cybersecurity Survey
• The future of cyber survey
• Information Security Community
• Reason Labs
• Home working: preparing your organisation and staff
• ENISA - European Union Agency for Cybersecurity
• A Cyber-Security Culture Framework for Assessing Organization Readiness
• Securing the Future of Hybrid Working
• The 2020 State of Remote Work
• Coronavirus (COVID-19) Outbreak: Short- and Long-Term Actions for CIOs
• The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud)
• Unintentional Insider Threats: A Foundational Study
• Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis
• Position: "insider" is relative
• Defining the insider threat
• Working from home during COVID-19 crisis - A Cyber-Security Culture Assessment Survey
• Energy Shield

Authors

Laboratory in the School of Electrical and Computer Engineering at the National Technical University of Athens (NTUA). She has been working as a senior engineer on operation and system support services for major telecommunication providers, energy regulators, banking systems, and other critical national infrastructures. She has recently become a Ph.D. candidate in the cyber-security field, inspired by her active participation in HEDNO's (Hellenic Electricity Distribution Network Operator) information security management group. She is a certified database and network administrator, software developer, and data analyst.

Dr. Spiros Mouzakitis is a senior research analyst for the National Technical University of Athens (NTUA). He has 18 years of industry experience in the conception, analysis, and implementation of information technology systems. His research is focused on decision analysis in the field of decision support systems, risk management, Big Data Analytics, as well as optimization systems and algorithms, and enterprise interoperability. He has published in numerous journals, including Computer Standards & Interfaces, International Journal of Electronic Commerce, Information Systems Management, and Lecture Notes in Computer Science, and has presented his research at international conferences.

Engineering at the National Technical University of Athens (NTUA). He has been involved in numerous IT research and innovation projects funded by the EU since 1988 in the thematic areas of eBusiness interoperability, eGovernance, data exploitation and management, decision support, knowledge and quality management, computer integrated manufacturing, enterprise resource planning, etc. He teaches digital innovation management, decision support, and management systems, and he is a member of scientific committees on innovation and entrepreneurship competitions and incubators offered by international university networks, financial institutions, etc. Dr. Askounis has published over 80 papers in scientific journals and international conference proceedings.