International Journal of Network Security & Its Applications (IJNSA) Vol.13, No.1, January 2021
DOI: 10.5121/ijnsa.2021.13103
DESIGNING A CYBER-SECURITY CULTURE ASSESSMENT SURVEY TARGETING CRITICAL INFRASTRUCTURES DURING COVID-19 CRISIS
Anna Georgiadou, Spiros Mouzakitis, and Dimitris Askounis
Decision Support Systems Laboratory, National Technical University of Athens, Iroon Polytechniou 9, 15780 Zografou, Greece
ABSTRACT
The paper at hand presents the design of a survey aiming at the cyber-security culture assessment of
critical infrastructures during the COVID-19 crisis, when living reality was heavily disturbed and working
conditions fundamentally affected. The survey is rooted in a security culture framework layered into two
levels, organizational and individual, further analyzed into 10 different security dimensions consisting of 52
domains. An in-depth questionnaire building analysis is presented, focusing on the aims, goals, and
expected results. It concludes with the survey implementation approach while underlining the framework’s
first application and its revealing insights during a global crisis.
KEYWORDS
Cybersecurity Culture, Assessment Survey, COVID-19 Pandemic, Critical Infrastructures
1. INTRODUCTION
Coronavirus disease 2019, widely known as COVID-19, is an infectious disease caused by severe
acute respiratory syndrome coronavirus 2 (SARS-CoV-2) [1]. The disease was first detected in
late 2019 in the city of Wuhan, the capital of China’s Hubei province [2]. In March 2020, the
World Health Organization (WHO) declared the COVID-19 outbreak a pandemic [3]. Today,
with more than 11 million confirmed cases in 188 countries and at least half a million casualties,
the virus is continuing its spread across the world. While epidemiologists argue that the crisis is
not even close to being over, it has quickly become apparent that “the COVID-19 pandemic is far more
than a health crisis: it is affecting societies and economies at their core” [4].
Terms such as “Great Shutdown” and “Great Lockdown” [5, 6, 7] have been introduced to
describe the major global recession which arose as an economic consequence of the ongoing
COVID-19 pandemic. The first noticeable indication of the unfolding recession was the 2020
stock market crash on the 20th of February. The International Monetary Fund (IMF), in its April
World Economic Outlook, projected global growth in 2020 to fall to -3 percent. This is a
downgrade of 6.3 percentage points from January 2020, making the “Great Lockdown” the worst
recession since the Great Depression, and far worse than the Global Financial Crisis [7].
According to the International Labour Organization (ILO) Monitor, published on 7th April 2020,
full or partial lockdown measures are affecting almost 2.7 billion workers, representing around
81% of the world’s workforce [8].
Organizations from various business domains and operation areas globally try to survive this
unprecedented financial crisis by investing their hopes, efforts, and working reality in
information technology and digitalization. The workforce is being encouraged and facilitated in
teleworking, while most products and services become available over the web, in many cases
transforming and adjusting to the current, rather demanding reality. However, the
aforementioned organizations face another, less apparent, COVID-19 side-effect: the increase in
cyber-crime.
This preprint research paper has not been peer reviewed. Electronic copy available at: https://ssrn.com/abstract=3787197
http://airccse.org/journal/jnsa21_current.html
https://doi.org/10.5121/ijnsa.2021.13103
The increase in the percentage of the population connected to the World Wide Web and the expansion of
time spent online, combined with the sense of confinement and the anxiety and fear generated
by the lockdown, seem to catalyze the action of cyber-criminals. Coronavirus has rapidly reshaped
dark web activities, as buyers and sellers seize the opportunity to capitalize on global fears, as
well as on dramatic shifts in supply and demand. Phishing emails, social engineering attacks,
malware, ransomware and spyware, medical-related scams and investment opportunity frauds are
only a few examples of the cyber-crime incidents reported during the crisis period [9, 10].
INTERPOL’s Cybercrime Threat Response team has detected and reported a significant increase
in the number of attempted ransomware attacks against key organizations and infrastructure
engaged in the virus response. Cybercriminals are using ransomware to hold hospitals and
medical care services digitally hostage, preventing them from accessing vital files and systems
until a ransom is paid [11].
Cyber-security agencies, organizations, and experts worldwide have issued recommendations and
proposed safeguard measures to assist individuals and corporations in defending against cyber-crime.
While the virus is dominating every aspect of our daily lives and human interaction is being
substituted by digital transactions, cybersecurity regains the role it was deprived of during the
last years. The question that remains unanswered, given the circumstances, is: What are the
COVID-19 pandemic cyber-security culture side-effects at both the individual and the organizational
level?
The manuscript at hand presents the design and rollout plan of a survey aiming to assess the
cyber-security culture during the COVID-19 pandemic in the critical infrastructure domain.
Section 2 presents background information regarding the importance of public cyber-security
surveys conducted over the years, emphasizing the variety and originality of their findings.
Building upon their approach, a detailed methodology is reported in Sections 3 & 4, in an effort
to develop a brief, targeted and comprehensible survey for the assessment of the cybersecurity
readiness of organizations during the crisis, with emphasis on employees’ feelings, thoughts,
perspective and individuality. In Section 5, we sketch the next steps towards conducting the survey
and bringing it to fruitful completion. Finally, Section 6 concludes by underlining the importance of our survey
reasoning while focusing on the challenging scientific opportunities that arise from it.
2. BACKGROUND
Over the last decades, cybersecurity surveys have been a powerful asset to academics and
information security professionals seeking to explore the ever-changing technological reality.
Their goal was to uncover current trends in cyber threats, organizations’ investment priorities,
cloud security solutions, threat management, application security, security training and
certification, and more.
Initially, they were narrowed down and addressed to certain participants depending on the nature
and specific purpose of each survey. A landmark representative of this kind was the Computer
Crime & Security Survey conducted by the Computer Security Institute (CSI) with the
participation of the San Francisco Federal Bureau of Investigation’s (FBI) Computer Intrusion
Squad. This annual survey, during its 15 years of life (starting from 1995 and reaching up to
2010), was probably one of the longest-running continuous surveys in the information security
field [12]. This far-reaching study provided unbiased information and analysis about targeted
attacks, unauthorized access, incident response, organizational economic decisions regarding
computer security and risk management approaches, based on the answers provided by computer
security practitioners in U.S. corporations, government agencies, financial institutions, medical
institutions and universities.
Following their lead, many public and private sector organizations are seeking revealing findings
that will help them calibrate their operations and improve their overall presence in the business
world via cybersecurity surveys. Healthcare Information and Management Systems Society
(HIMSS) focusing on the health sector[13]; ARC Advisory Group targeting Industrial Control
Systems (ICS) in critical infrastructures such as energy and water supply, as well as in process
industries, including oil, gas and chemicals [14]; SANS exploring the challenges involved with
the design, operation and risk management of ICS, its cyber assets and communication protocols,
and supporting operations[15]; Deloitte in conjunction with Wakefield Research interviewing C-
level executives who oversee cybersecurity at companies [16]; these being only some of the
countless examples available nowadays.
The current trend in cybersecurity surveys seems to be a broadening of their horizon by making them
available and accessible through the internet [17, 18]. Since their goal is to reach out and attract
more participants, thus enriching the collected data and, consequently, strengthening their results,
they tend to be shorter, more comprehensible to the majority of average users and, as a rule, web-
based.
Recognizing the unique value of this undisputedly fruitful security evaluation methodology and
prompted by the special working and living circumstances due to the COVID-19 pandemic, we
identified the research opportunity to evaluate how this crisis has affected the cybersecurity
culture of both individuals and organizations across the suffering globe. Security threats, frauds,
breaches & perils have been brought to light, recommendations have been given and
precautions have been taken [19, 20, 21]. What about the cybersecurity culture and its potential
scars from this virus? Addressing this concern was our aim when designing, conducting and
analyzing the survey presented in this paper.
3. SECURITY CULTURE FRAMEWORK
During the last years, our research efforts have been focusing on cyber-security in terms of tools,
standards, frameworks and marketplace solutions, especially those targeting the human element. We
have benchmarked the dominant approaches in the field, classified their capabilities and analyzed
their core security factors. Having identified their gaps and overlaps, common grounds and
differentiation, and having thoroughly studied several academic principles regarding information
security, including technical analyses, algorithmic frameworks, mathematical models, statistical
computations, and behavioral, organizational and criminological theories, we have created a
foundation combining the elements that constitute the critical cyber-security culture elements
[22]. The suggested cybersecurity culture framework is based on a domain-agnostic security
model combining the key factors affecting and formulating the cybersecurity culture of an
organization. It is layered into two levels, organizational and individual, analyzed into 10
different security dimensions consisting of 52 domains assessed by more than 500 controls. This
hierarchical approach is presented in Figure 1. Table 2 and Table 4 list dimensions, domains
and indicative controls in an attempt to unfold to the reader the generalized philosophy of our
framework.
Figure 1. Cyber-Security Culture Model: Main Concepts (hierarchy: Level, Dimension, Domain, Controls)
Table 1. Organisational Level presenting indicative controls

| Dimension | Domain | Indicative Controls |
|---|---|---|
| Assets | Application Software Security | Do you only use up-to-date and trusted third-party components for the software developed by the organization? Do you apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software? |
| Assets | Data Security and Privacy | Do you maintain an inventory of all sensitive information stored, processed, or transmitted by the organization’s technology systems, including those located on-site or at a remote service provider? Have you ensured that sensitive data or systems are not regularly accessed by the organization from the network? |
| Assets | Hardware Assets Management | Do you employ integrity checking mechanisms to verify hardware integrity? Do you maintain an accurate and up-to-date inventory of all assets with the potential to store or process information? |
| Assets | Hardware Configuration Management | Have you established and do you maintain secure configuration management processes (e.g. when servicing field devices or updating their firmware)? Do you store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible? |
| Assets | Information Resources Management | Do you properly label all relevant assets, depending on their classification? Are the classification scheme and labeling procedures properly communicated to all relevant parties? |
| Assets | Network Configuration Management | Do you maintain documented security configuration standards for all authorized network devices? Have you compared all network device configurations against approved security configurations defined for each network device in use, and do you alert when any deviations are discovered? |
| Assets | Network Infrastructure Management | Have you associated active ports, services, and protocols to the hardware assets in the asset inventory? Do you perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system? |
| Assets | Software Assets Management | Have you utilized software inventory tools throughout the organization to automate the documentation of all software on business systems? Is the software inventory system tied into the hardware asset inventory so that all devices and associated software are tracked from a single location? |
| Assets | Personnel Security | Does your staff wear ID badges? Are authorized access levels and type (employee, contractor, visitor) identified on the badge? |
| Assets | Physical Safety and Security | Is access to your computing area controlled (single point, reception or security desk, sign-in/sign-out log, temporary/visitor badges)? Do you have an emergency evacuation plan and is it current? |
| Continuity | Backup Mechanisms | Do you store backups in a remote location? Do you encrypt backups containing confidential information? |
| Continuity | Business Continuity & Disaster Recovery | Do you have an emergency/incident management communications plan? Do you have a current business continuity plan? |
| Continuity | Capacity Management | Do you have enough capacity to ensure that data availability is maintained? Do you either deny or restrict bandwidth for resource-hungry services if these are not business critical? |
| Continuity | Change Management | Are the maintenance and copying of program source libraries subject to strict change control? Have you established a formal approval procedure for proposed changes? |
| Continuity | Continuous Vulnerability Management | Do you perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested? Have you utilized a risk-rating process to prioritize the remediation of discovered vulnerabilities? |
| Access and Trust | Access Management | Have you enabled firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities? Have you implemented physical or logical access controls for the isolation of sensitive applications, application data or systems? |
| Access and Trust | Account Management | Do you automatically disable dormant accounts after a set period of inactivity? Do you maintain an inventory of each of the organization’s authentication systems, including those located on-site or at a remote service provider? |
| Access and Trust | Communication | Do you have documentation of the mapping of organizational communication flows? Do users acknowledge receipt of secret authentication information? |
| Access and Trust | External Environment Connections | Do your policies and procedures ensure the flexibility of your organization by defining ways of adapting to changes in the sector and the environment? Have you established a good cooperation level with other sectoral organizations (inter-organizational strategic ties)? |
| Access and Trust | Password Robustness and Exposure | Does your log-on procedure avoid displaying a password being entered? Are your computers set up so that others cannot view staff entering passwords? |
| Access and Trust | Privileged Account Management | Do you identify the privileged access rights associated with each system or process and the users to whom they need to be allocated? Do you log changes to privileged accounts? |
| Access and Trust | Role Segregation | Do you properly inform employees about their responsibilities that remain valid after termination or change of employment? Are access permissions and authorizations managed according to the principles of least privilege and separation of duties? |
| Access and Trust | Third-Party Relationships | Have you formalized contractual relationships with partners and suppliers regarding information security? Do you identify and define the necessary requirements a third party should have to be considered trustworthy? |
| Access and Trust | Wireless Access Management | Do you maintain an inventory of authorized wireless access points connected to the wired network? Have you created a separate wireless network for personal or untrusted devices? |
| Operations | Compliance Review | Do you audit your processes and procedures for compliance with established policies and standards? Do you review and revise your security documents, such as policies, standards, procedures, and guidelines, on a regular basis? |
| Operations | Documentation Fulfillness | Do you have all the necessary policies and procedures properly documented? Do you have all the necessary records properly documented? |
| Operations | Efficient Distinction of Development, Testing and Operational Environments | Do users have different user profiles for operational and testing systems? Do you maintain separate environments for production and non-production systems? |
| Operations | Operating Procedures | Do you specify the operational instructions for the installation and configuration of systems? Do you specify the operational instructions for the scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times? |
| Operations | Organizational Culture and Top Management Support | Is your leadership actively and continuously involved in information security planning? Do you pursue the principle of efficiency in information security (economy/cost optimization)? |
| Operations | Risk Assessment | Do you receive threat and vulnerability information from information sharing forums and sources? Is the organizational risk tolerance determined and clearly expressed? |
| Defense | Boundary Defense | Do you maintain an up-to-date inventory of all of the organization’s network boundaries? Do you decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content? |
| Defense | Cryptography | Do you encrypt all data stored in cloud services? Do you encrypt event files locally and in transit? |
| Defense | Email and Web Browser Resilience | What is the percentage of your total received emails that are detected as spam? What is the percentage of your SSL certificates that are configured incorrectly? |
| Defense | Information Security Policy and Compliance | Have you properly broken down information security policies into sub-areas and properly documented them? Do your policies and procedures comply with relevant regional legislation? |
| Defense | Malware Defense | What percentage of your systems (workstations, laptops, servers) are covered by antivirus/antispyware software? Do you send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting? |
| Defense | Security Awareness and Training Program | Do you perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap? Do you deliver training to address the skills gap identified, to positively impact workforce members’ security behavior? |
| Security Governance | Audit Logs Management | Have you ensured that local logging has been enabled on all systems and networking devices? Do you protect logs from unauthorized alterations or deletion? |
| Security Governance | Incident Response and Management | What percentage of your security incidents cause service interruption or reduced availability? Do you have established processes to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)? |
| Security Governance | Penetration Tests and Red Team Exercises | Have you tested that you gracefully handle denial of service attempts (from compromised meters)? Do you apply qualified third-party security penetration testing to test all hardware and software components prior to live deployment? |
| Security Governance | Reporting Mechanisms | Do you provide your employees with a channel to report violations of information security policies or procedures? How much time does the organization take to respond to a report? |
| Security Governance | Security Management Maturity | Are critical security tasks handled based on team decision-making techniques? Do you organize vertical and horizontal security meetings on a regular basis? |
Controls used by our evaluation methodology aim to assess whether specific security fields have
been taken into consideration, and to what extent, rather than to measure the effectiveness and
efficiency of the actual policies and procedures in place. In other words, they evaluate the
multidisciplinary approach towards information security and the organizational depth it
reaches, rather than the completeness of the security technology solutions acquired
and utilized by the enterprise under examination.
This approach is even more evident at the individual level, where the beliefs, emotions, attitude,
and behavior of the employees are examined under various prisms using a variety of
psychological, behavioral, emotional and specialization assessments.
Table 2. Individual Level presenting indicative controls

| Dimension | Domain | Indicative Controls |
|---|---|---|
| Attitude | Employee Climate | I believe that cyber criminals are more advanced than the people who are supposed to be protecting us. I worry that if I report a cyber-attack to the Police it might damage the reputation of the company. |
| Attitude | Employee Profiling | Seniority. Enterprise role. |
| Attitude | Employee Satisfaction | I am pleased with my organization’s approach towards information security. I am happy to conform with the security guidance offered by our security experts. |
| Awareness | Policies and Procedures Awareness | Are you aware of the organization’s communication flows? Are you aware of the organization’s role in the supply chain? |
| Awareness | Roles and Responsibilities Awareness | Are you aware of all the devices and systems you are responsible for? Are you aware of all the external information systems they come in contact with? |
| Behaviour | Policies and Procedures Compliance | Do you make sure your mobile devices are not left exposed? Do you efficiently protect mobile devices from physical hazards? |
| Behaviour | Security Agent Persona | What would you do if you saw a colleague not wearing their security pass around the office? What would you do if you overheard a discussion, which you knew to be about some highly sensitive and confidential information, being held in a corridor where external visitors often pass through? |
| Behaviour | Security Behaviour | How many of your security incidents stem from non-secure behavior? I get into the office wearing my security pass. |
| Competency | Employee Competency | Specific per organization and employee. |
| Competency | Security Skills Evaluation | What is necessary for a person to turn a plain text message into an encrypted message? Which of the following events presents the greatest risk? |
| Competency | Training Completion and Scoring | My achievement score at the last security training program I participated in was around ... How many self-security assessments do you normally attempt per year? |
4. DESIGNING THE SURVEY
Our goal was to design a survey that would be short and targeted to get the security pulse of
current business reality in the critical infrastructure domain. One of our major aims was to keep
the questionnaire small and easily addressed in a timely manner by a common employee with no
special security expertise or knowledge. This way, we could facilitate participation of a broader
workforce group lessening effort and prerequisites while maximizing result variation and
credibility. Towards that goal, we needed to formulate questions targeting specific security
factors bridging various security domains while smartly extracting information depicting the
existing working security routine and culture, their disruption by the COVID-19 crisis and their
reaction to these special and rather demanding circumstances.
On the other hand, taking into consideration the reported cyber-crime incidents along with the
fraud and attack techniques used by the criminals of the dark web during this period, we focused
our evaluation on specific dimensions related to network infrastructure, asset management,
business continuity, employee awareness, and attitude.
In the paragraphs to follow, we outline how, starting from a detailed cyber-security culture
framework with more than 500 controls, we have narrowed down our objectives to a
questionnaire containing no more than 23 questions, depending on the provided answers. Table
3 indexes the questions constituting the final version of our questionnaire, including secondary
clarification questions presented based on the participant’s input, whereas Table 4 correlates
each of the questions to specific cyber-security levels, dimensions, and domains of our model.
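As an added illustration (not part of the paper, and not the authors’ questionnaire or their Table 3/Table 4), the following Python sketch shows the mechanics described in Sections 3 and 4: each question is bound to a (level, dimension, domain) triple of the framework, secondary clarification questions are presented only when a primary answer triggers them (so the questionnaire length depends on the answers given), and answers are aggregated into a per-dimension score expressing whether, and to what extent, a security field is addressed. Question wording, answer options, triggers and the 0..1 scoring scale are constructed assumptions; only the level, dimension and domain names are taken from Tables 1 and 2.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Question:
    qid: str
    text: str
    level: str                      # "Organizational" or "Individual"
    dimension: str                  # framework dimension (Table 1 / Table 2)
    domain: str                     # framework domain within that dimension
    options: Tuple[str, ...]        # answer options, weakest practice first
    # answer -> secondary question ids shown only when that answer is given
    follow_ups: Dict[str, Tuple[str, ...]] = field(default_factory=dict)


# Constructed questions for this illustration (assumptions, not the paper's Table 3/4).
QUESTIONS: Dict[str, Question] = {q.qid: q for q in [
    Question("Q1", "Do you reach company systems through the corporate VPN when teleworking?",
             "Organizational", "Assets", "Network Infrastructure Management",
             ("No", "Sometimes", "Always"),
             follow_ups={"No": ("Q1a",), "Sometimes": ("Q1a",)}),
    Question("Q1a", "Does remote access to company systems require multi-factor authentication?",
             "Organizational", "Access and Trust", "Access Management", ("No", "Yes")),
    Question("Q2", "Are your work files backed up to a company-controlled location while teleworking?",
             "Organizational", "Continuity", "Backup Mechanisms",
             ("Never", "Occasionally", "Regularly"),
             follow_ups={"Never": ("Q2a",)}),
    Question("Q2a", "Were backups of your work files taken regularly before the lockdown?",
             "Organizational", "Continuity", "Backup Mechanisms", ("No", "Yes")),
    Question("Q3", "Are you aware of your organization's security guidelines for teleworking?",
             "Individual", "Awareness", "Policies and Procedures Awareness",
             ("No", "Partly", "Yes")),
    Question("Q4", "I am pleased with the security support my organization offered during the crisis.",
             "Individual", "Attitude", "Employee Satisfaction",
             ("Disagree", "Neutral", "Agree")),
]}
PRIMARY_ORDER: List[str] = ["Q1", "Q2", "Q3", "Q4"]   # presentation order of primary questions


def answer_score(q: Question, answer: str) -> float:
    """Map an answer to [0, 1]: weakest option -> 0.0, strongest -> 1.0 (assumed scale)."""
    if answer not in q.options:
        raise ValueError(f"{q.qid}: unknown answer {answer!r}")
    return q.options.index(answer) / (len(q.options) - 1)


def question_sequence(answers: Dict[str, str]) -> List[str]:
    """Questions actually presented: every primary question, each followed by the
    secondary questions its given answer triggers (none if unanswered)."""
    seq: List[str] = []
    for qid in PRIMARY_ORDER:
        seq.append(qid)
        seq.extend(QUESTIONS[qid].follow_ups.get(answers.get(qid, ""), ()))
    return seq


def max_length() -> int:
    """Upper bound on questionnaire length (every follow-up triggered); the lower
    bound is len(PRIMARY_ORDER)."""
    total = len(PRIMARY_ORDER)
    for qid in PRIMARY_ORDER:
        subs = set()
        for ids in QUESTIONS[qid].follow_ups.values():
            subs.update(ids)
        total += len(subs)
    return total


def unexpected_answers(answers: Dict[str, str]) -> List[str]:
    """Secondary questions answered although their trigger answer was never given;
    such records indicate a tampered or inconsistent submission."""
    presented = set(question_sequence(answers))
    return sorted(qid for qid in answers if qid not in presented)


def dimension_scores(answers: Dict[str, str]) -> Dict[Tuple[str, str], float]:
    """Mean score per (level, dimension) over the questions that were answered."""
    buckets: Dict[Tuple[str, str], List[float]] = {}
    for qid, ans in answers.items():
        q = QUESTIONS[qid]
        buckets.setdefault((q.level, q.dimension), []).append(answer_score(q, ans))
    return {key: round(sum(v) / len(v), 3) for key, v in buckets.items()}


# Constructed sample submission (Q1 "Sometimes" triggers Q1a; Q2 "Regularly" triggers nothing).
SAMPLE_ANSWERS: Dict[str, str] = {
    "Q1": "Sometimes", "Q1a": "Yes", "Q2": "Regularly", "Q3": "Partly", "Q4": "Agree",
}

if __name__ == "__main__":
    print("presented:", question_sequence(SAMPLE_ANSWERS), "max length:", max_length())
    for key, score in dimension_scores(SAMPLE_ANSWERS).items():
        print(f"{key[0]:<14} {key[1]:<18} {score:.2f}")
```

The scores are deliberately coarse: they record how far a field is addressed, in line with the paper’s remark that its controls gauge consideration rather than effectiveness. `unexpected_answers` is the consistency check a survey back end should run before aggregation, since a branched questionnaire collected over the web can receive answers to questions that were never shown.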
Table 3. Question indexing, including secondary …