International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.1, January 2021

DOI: 10.5121/ijnsa.2021.13103

DESIGNING A CYBER-SECURITY CULTURE ASSESSMENT SURVEY TARGETING CRITICAL INFRASTRUCTURES DURING COVID-19 CRISIS

Anna Georgiadou, Spiros Mouzakitis, and Dimitris Askounis

Decision Support Systems Laboratory, National Technical University of Athens, Iroon Polytechniou 9, 15780 Zografou, Greece

ABSTRACT

The paper at hand presents the design of a survey aiming at the cyber-security culture assessment of critical infrastructures during the COVID-19 crisis, when living reality was heavily disturbed and working conditions fundamentally affected. The survey is rooted in a security culture framework layered into two levels, organizational and individual, further analyzed into 10 different security dimensions consisting of 52 domains. An in-depth questionnaire building analysis is presented focusing on the aims, goals, and expected results. It concludes with the survey implementation approach while underlining the framework’s first application and its revealing insights during a global crisis.

KEYWORDS

Cybersecurity Culture, Assessment Survey, COVID-19 Pandemic, Critical Infrastructures

1. INTRODUCTION

Coronavirus disease 2019, widely known as COVID-19, is an infectious disease caused by severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) [1]. The disease was first detected in late 2019 in the city of Wuhan, the capital of China’s Hubei province [2]. In March 2020, the World Health Organization (WHO) declared the COVID-19 outbreak a pandemic [3]. Today, with more than 11 million confirmed cases in 188 countries and at least half a million casualties, the virus is continuing its spread across the world. While epidemiologists argue that the crisis is not even close to being over, it soon becomes apparent that “the COVID-19 pandemic is far more than a health crisis: it is affecting societies and economies at their core” [4].

Terms such as “Great Shutdown” and “Great Lockdown” [5, 6, 7] have been introduced to describe the major global recession which arose as an economic consequence of the ongoing COVID-19 pandemic. The first noticeable indication of the accruing recession was the 2020 stock market crash on the 20th of February. The International Monetary Fund (IMF), in the April World Economic Outlook, projected global growth in 2020 to fall to -3 percent. This is a downgrade of 6.3 percentage points from January 2020, making the “Great Lockdown” the worst recession since the Great Depression, and far worse than the Global Financial Crisis [7]. According to the International Labour Organization (ILO) Monitor, published on 7th April 2020, full or partial lockdown measures are affecting almost 2.7 billion workers, representing around 81% of the world’s workforce [8].

Organizations from various business domains and operation areas globally try to survive this unprecedented financial crisis by investing their hopes, efforts, and working reality on information technology and digitalization. The workforce is being encouraged and facilitated to telework, while most products and services become available over the web, in many cases transforming and adjusting to the current, rather demanding reality. However, the aforementioned organizations face another, not that apparent, COVID-19 side-effect: the cyber-crime increase.

This preprint research paper has not been peer reviewed. Electronic copy available at: https://ssrn.com/abstract=3787197

http://airccse.org/journal/jnsa21_current.html

The increase in the population percentage connected to the World Wide Web, the expansion of time spent online, combined with the sense of confinement and the anxiety and fear generated from the lockdown, seem to catalyze the action of cyber-criminals. Coronavirus has rapidly reshaped the dark web activities, as buyers and sellers seize the opportunity to capitalize on global fears, as well as dramatic shifts in supply and demand. Phishing emails, social engineering attacks, malware, ransomware and spyware, medical-related scams, and investment opportunity frauds are only a few examples of the cyber-crime incidents reported during the crisis period [9, 10].

INTERPOL’s Cybercrime Threat Response team has detected and reported a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response. Cybercriminals are using ransomware to hold hospitals and medical care services digitally hostage, preventing them from accessing vital files and systems until a ransom is paid [11].

Cyber-security agencies, organizations, and experts worldwide have issued recommendations and proposed safeguard measures to help individuals and corporations defend against cyber-crime. While the virus is dominating every aspect of our daily lives and human interaction is being substituted by digital transactions, cybersecurity gains the role it was deprived of during the last years. The question that remains unanswered, given the circumstances, is: What are the COVID-19 pandemic cyber-security culture side-effects on both individual and organizational level?

The manuscript at hand presents the design and rollout plan of a survey aiming to assess the cyber-security culture during the COVID-19 pandemic in the critical infrastructure domain. Section 2 presents background information regarding the importance of public cyber-security surveys conducted over the years, emphasizing the variety and originality of their findings. Building upon their approach, a detailed methodology is reported in Sections 3 & 4, in an effort to develop a brief, targeted and comprehensible survey for the assessment of the cybersecurity readiness of organizations during the crisis, with emphasis on employees’ feelings, thoughts, perspective, and individuality. In Section 5, we sketch the survey’s next steps towards its conduct and fruitful completion. Finally, Section 6 concludes by underlining the importance of our survey reasoning while focusing on the challenging scientific opportunities that arise from it.

2. BACKGROUND

Over the last decades, cybersecurity surveys have been a powerful asset to academics and information security professionals seeking to explore the ever-changing technological reality. Their goal was to uncover current trends in cyber threats, organizations’ investment priorities, cloud security solutions, threat management, application security, security training and certification, and more.

Initially, they were narrowed down and addressed to certain participants depending on the nature and specific purpose of each survey. A lighthouse representative of this kind was the Computer Crime & Security Survey conducted by the Computer Security Institute (CSI) with the participation of the San Francisco Federal Bureau of Investigation’s (FBI) Computer Intrusion Squad. This annual survey, during its 15 years of life (starting from 1995 and reaching up to 2010), was probably one of the longest-running continuous surveys in the information security field [12]. This far-reaching study provided unbiased information and analysis about targeted attacks, unauthorized access, incident response, organizational economic decisions regarding computer security and risk management approaches based on the answers provided by computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities.

Following their lead, many public and private sector organizations are seeking revealing findings that will help them calibrate their operations and improve their overall presence in the business world via cybersecurity surveys. Healthcare Information and Management Systems Society (HIMSS) focusing on the health sector [13]; ARC Advisory Group targeting Industrial Control Systems (ICS) in critical infrastructures such as energy and water supply, as well as in process industries, including oil, gas and chemicals [14]; SANS exploring the challenges involved with the design, operation and risk management of ICS, its cyber assets and communication protocols, and supporting operations [15]; Deloitte in conjunction with Wakefield Research interviewing C-level executives who oversee cybersecurity at companies [16]; these being only some of the countless examples available nowadays.

The current trend in cybersecurity surveys seems to be broadening their horizon by making them available and accessible through the internet [17, 18]. Since their goal is to reach out and attract more participants, thus enriching the collected data and, consequently, reinforcing their results, they tend to be shorter, more comprehensible to the majority of average users and, apparently, web-based.

Recognizing the unique value of this indisputably fruitful security evaluation methodology, and prompted by the special working and living circumstances due to the COVID-19 pandemic, we identified the research opportunity to evaluate how this crisis has affected the cybersecurity culture of both individuals and organizations across the suffering globe. Security threats, frauds, breaches and perils have been brought to light, recommendations have been given and precautions have been taken [19, 20, 21]. What about the cybersecurity culture and its potential scars from this virus? Addressing this concern was our aim when designing, conducting and analyzing the survey presented in this paper.

3. SECURITY CULTURE FRAMEWORK

During the last years, our research efforts have been focusing on cyber-security in terms of tools, standards, frameworks and marketplace solutions, especially targeting the human element. We have benchmarked the dominant reveals in the field, classified their possibilities and analyzed their core security factors. Having identified their gaps and overlaps, common grounds and differentiation, and having thoroughly studied several academic principles regarding information security, including technical analyses, algorithmic frameworks, mathematical models, statistical computations, and behavioral, organizational and criminological theories, we have created a foundation combining the critical cyber-security culture elements [22]. The suggested cybersecurity culture framework is based on a domain-agnostic security model combining the key factors affecting and formulating the cybersecurity culture of an organization. It is layered into two levels, organizational and individual, analyzed into 10 different security dimensions consisting of 52 domains assessed by more than 500 controls. This hierarchical approach is presented in Figure 1. Table 2 and Table 4 list dimensions, domains and indicative controls in an attempt to unfold to the reader the generalized philosophy of our framework.

Figure 1. Cyber-Security Culture Model: Main Concepts
[Figure: hierarchy of Level, Dimension, Domain, Controls]

Table 1. Organisational Level presenting indicative controls

| Dimension | Domain | Indicative Controls |
| --- | --- | --- |
| Assets | Application Software Security | • Do you only use up-to-date and trusted third-party components for the software developed by the organization? • Do you apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software? |
| Assets | Data Security and Privacy | • Do you maintain an inventory of all sensitive information stored, processed, or transmitted by the organization’s technology systems, including those located on-site or at a remote service provider? • Have you ensured that sensitive data or systems are not regularly accessed by the organization from the network? |
| Assets | Hardware Assets Management | • Do you employ integrity checking mechanisms to verify hardware integrity? • Do you maintain an accurate and up-to-date inventory of all assets with the potential to store or process information? |
| Assets | Hardware Configuration Management | • Have you established and do you maintain secure configuration management processes (e.g. when servicing field devices or updating their firmware)? • Do you store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible? |
| Assets | Information Resources Management | • Do you properly label all relevant assets, depending on their classification? • Are the classification scheme and labeling procedures properly communicated to all relevant parties? |
| Assets | Network Configuration Management | • Do you maintain documented security configuration standards for all authorized network devices? • Have you compared all network device configurations against approved security configurations defined for each network device in use, and do you alert when any deviations are discovered? |
| Assets | Network Infrastructure Management | • Have you associated active ports, services, and protocols to the hardware assets in the asset inventory? • Do you perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system? |
| Assets | Software Assets Management | • Have you utilized software inventory tools throughout the organization to automate the documentation of all software on business systems? • Is the software inventory system tied into the hardware asset inventory so that all devices and associated software are tracked from a single location? |
| Assets | Personnel Security | • Does your staff wear ID badges? • Are authorized access levels and type (employee, contractor, visitor) identified on the Badge? |
| Assets | Physical Safety and Security | • Is access to your computing area controlled (single point, reception or security desk, sign-in/sign-out log, temporary/visitor badges)? • Do you have an emergency evacuation plan and is it current? |
| Continuity | Backup Mechanisms | • Do you store backups in a remote location? • Do you encrypt backups containing confidential information? |
| Continuity | Business Continuity & Disaster Recovery | • Do you have an emergency/incident management communications plan? • Do you have a current business continuity plan? |
| Continuity | Capacity Management | • Do you have enough capacity to ensure that data availability is maintained? • Do you either deny or restrict bandwidth for resource-hungry services if these are not business critical? |
| Continuity | Change Management | • Are the maintenance and copying of program source libraries subject to strict change control? • Have you established a formal approval procedure for proposed changes? |
| Continuity | Continuous Vulnerability Management | • Do you perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested? • Have you utilized a risk-rating process to prioritize the remediation of discovered vulnerabilities? |
| Access and Trust | Access Management | • Have you enabled firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities? • Have you implemented physical or logical access controls for the isolation of sensitive applications, application data or systems? |
| Access and Trust | Account Management | • Do you automatically disable dormant accounts after a set period of inactivity? • Do you maintain an inventory of each of the organization’s authentication systems, including those located on-site or at a remote service provider? |
| Access and Trust | Communication | • Do you have documentation of the mapping of organizational communication flows? • Do users acknowledge receipt of secret authentication information? |
| Access and Trust | External Environment Connections | • Do your policies and procedures ensure the flexibility of your organization by defining ways of adapting to changes in the sector and the environment? • Have you established a good cooperation level with other sectoral organizations (inter-organizational strategic ties)? |
| Access and Trust | Password Robustness and Exposure | • Does your log-on procedure avoid displaying a password being entered? • Are your computers set up so that others cannot view staff entering passwords? |
| Access and Trust | Privileged Account Management | • Do you identify the privileged access rights associated with each system or process and the users to whom they need to be allocated? • Do you log changes to privileged accounts? |
| Access and Trust | Role Segregation | • Do you properly inform employees about their responsibilities that remain valid after termination or change of employment? • Are access permissions and authorizations managed according to the principles of least privilege and separation of duties? |
| Access and Trust | Third-Party Relationships | • Have you formalized contractual relationships with partners and suppliers regarding information security? • Do you identify and define the necessary requirements a third party should have to be considered trustworthy? |
| Access and Trust | Wireless Access Management | • Do you maintain an inventory of authorized wireless access points connected to the wired network? • Have you created a separate wireless network for personal or untrusted devices? |
| Operations | Compliance Review | • Do you audit your processes and procedures for compliance with established policies and standards? • Do you review and revise your security documents, such as: policies, standards, procedures, and guidelines, on a regular basis? |
| Operations | Documentation Fulfillness | • Do you have all the necessary policies and procedures properly documented? • Do you have all the necessary records properly documented? |
| Operations | Efficient Distinction of Development, Testing and Operational Environments | • Do users have different user profiles for operational and testing systems? • Do you maintain separate environments for production and non-production systems? |
| Operations | Operating Procedures | • Do you specify the operational instructions of the installation and configuration of systems? • Do you specify the operational instructions of the scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times? |
| Operations | Organizational Culture and Top Management Support | • Is your leadership actively and continuously involved in information security planning? • Do you pursue the principle of efficiency in information security – economy/cost optimization? |
| Operations | Risk Assessment | • Do you receive threat and vulnerability information from information sharing forums and sources? • Is the organizational risk tolerance determined and clearly expressed? |
| Defense | Boundary Defense | • Do you maintain an up-to-date inventory of all of the organization’s network boundaries? • Do you decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content? |
| Defense | Cryptography | • Do you encrypt all data stored in cloud services? • Do you encrypt event files locally and in transit? |
| Defense | Email and Web Browser Resilience | • What is the percentage from your total received emails that are detected as spam? • What is the percentage of your SSL certificates that are configured incorrectly? |
| Defense | Information Security Policy and Compliance | • Have you properly broken-down information security policies into sub-areas and ly documented them? • Do your policies and procedures comply with relevant regional legislation? |
| Defense | Malware Defense | • What percentage of your systems (workstations, laptops, servers) are covered by antivirus/antispyware software? • Do you send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting? |
| Defense | Security Awareness and Training Program | • Do you perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap? • Do you deliver training to address the skills gap identified to positively impact workforce members’ security behavior? |
| Security Governance | Audit Logs Management | • Have you ensured that local logging has been enabled on all systems and networking devices? • Do you protect logs from unauthorized alterations or deletion? |
| Security Governance | Incident Response and Management | • What percentage of your security incidents cause service interruption or reduced availability? • Do you have established processes to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)? |
| Security Governance | Penetration Tests and Red Team Exercises | • Have you tested that you gracefully handle denial of service attempts (from compromised meters)? • Do you apply a qualified third-party security penetration testing to test all hardware and software components prior to live deployment? |
| Security Governance | Reporting Mechanisms | • Do you provide your employees with a channel in order to report violations of information security policies or procedures? • How much time does the organization take in order to respond to a report? |
| Security Governance | Security Management Maturity | • Are critical security tasks handled based on team decision-making techniques? • Do you organize vertical and horizontal security meetings on a regular basis? |

Controls used by our evaluation methodology aim to assess whether specific security fields have been taken into consideration and to what extent, rather than measure the effectiveness and efficiency of the actual policies and procedures in place. In other words, they evaluate the multidisciplinary approach towards information security and the depth to which it reaches organizationally, rather than the completeness of security technology solutions acquired and utilized by the enterprise under examination.

This approach is even more evident in the individual level, where the beliefs, emotions, attitude, and behavior of the employees are examined under various prisms using a variety of psychological, behavioral, emotional and specialization assessments.

Table 2. Individual Level presenting indicative controls

| Dimension | Domain | Indicative Controls |
| --- | --- | --- |
| Attitude | Employee Climate | • I believe that cyber criminals are more advanced than the people who are supposed to be protecting us. • I worry that if I report a cyber-attack to the Police it might damage the reputation of the company. |
| Attitude | Employee Profiling | • Seniority • Enterprise role |
| Attitude | Employee Satisfaction | • I am pleased with my organization’s approach towards information security. • I am happy to conform with the security guidance offered by our security experts. |
| Awareness | Policies and Procedures Awareness | • Are you aware of the organization’s communication flows? • Are you aware of the organization’s role in the supply chain? |
| Awareness | Roles and Responsibilities Awareness | • Are you aware of all the devices and systems you are responsible for? • Are you aware of all the external information systems they come in contact with? |
| Behaviour | Policies and Procedures Compliance | • Do you make sure your mobile devices are not left exposed? • Do you efficiently protect mobile devices from physical hazards? |
| Behaviour | Security Agent Persona | • What would you do if you saw a colleague not wearing their security pass around the office? • What would you do if you overheard a discussion, which you knew to be about some highly sensitive and confidential information, being held in a corridor where external visitors often pass through? |
| Behaviour | Security Behaviour | • How many of your security incidents stem from non-secure behavior? • I get into the office wearing my security pass. |
| Competency | Employee Competency | Specific per organization and employee. |
| Competency | Security Skills Evaluation | • What is necessary for a person to turn a plain text message into an encrypted message? • Which of the following events presents the greatest risk? |
| Competency | Training Completion and Scoring | • My achievement score at the last security training program I participated in was around. • How many self-security assessments do you normally attempt per year? |

4. DESIGNING THE SURVEY

Our goal was to design a survey that would be short and targeted to get the security pulse of current business reality in the critical infrastructure domain. One of our major aims was to keep the questionnaire small and easily addressed in a timely manner by a common employee with no special security expertise or knowledge. This way, we could facilitate participation of a broader workforce group, lessening effort and prerequisites while maximizing result variation and credibility. Towards that goal, we needed to formulate questions targeting specific security factors bridging various security domains while smartly extracting information depicting the existing working security routine and culture, their disruption by the COVID-19 crisis and their reaction to these special and rather demanding circumstances.

On the other hand, taking into consideration the reported cyber-crime incidents along with the fraud and attack techniques used by the criminals of the dark web during this period, we focused our evaluation on specific dimensions related to network infrastructure, asset management, business continuity, employee awareness, and attitude.

In the paragraphs to follow, we outline how, starting from a detailed cyber-security culture framework with more than 500 controls, we have narrowed down our objectives to a questionnaire containing no more than 23 questions, depending on the provided answers. Table 3 indexes the questions constituting the final version of our questionnaire, including secondary clarification questions presented based on provided participant input, whereas Table 4 correlates each of the questions to specific cyber-security levels, dimensions, and domains of our model.

Table 3. Question indexing, including secondary …
