Abstract
The increasing number of cyber-attacks requires an organizational awareness about the disruptive effects of fraud attempts and acts of vandalism on business continuity and, sometimes, on company survival. The context influences the way companies use and adapt these theories in practice, so we consider in this study differences in the effectiveness of cybersecurity best practices between organizations that manage internally or outsource the cybersecurity processes. We conducted a study involving 153 managers’ experts in cybersecurity who responded to a survey on the effectiveness of NIST procedures. Results revealed significant differences in the effectiveness of managing cybersecurity in-house or outsource it. Specifically, major differences can be observed in the variables related to the use of disciplinary processes, the protection of log information, and the use of lessons learned to improve recovery plans. These differences provide further insights for cybersecurity management literature and a practical instrument for organizations willing to adapt their cyber processes to their organizational context.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Collier, Z.A., Dimase, D., Walters, S., Tehranipoor, M.M., Lambert, J.H., Linkov, I.: Cybersecurity standards: managing risk and creating resilience. IEEE Comput. Soc. 47(9), 70–76 (2014). https://doi.org/10.1109/MC.2013.448
Carayannis, E.G., Grigoroudis, E., Rehman, S.S., Samarakoon, N.: Ambidextrous cybersecurity: the seven pillars (7Ps) of cyber resilience. IEEE Trans. Eng. Manag. 68(1), 223–234 (2021). https://doi.org/10.1109/TEM.2019.2909909
Framework for improving critical infrastructure cybersecurity: Version 1.0, Gaithersburg, MD (Feb 2014). https://doi.org/10.6028/NIST.CSWP.02122014
DiMase, D., Collier, Z.A., Heffner, K., Linkov, I.: Systems engineering framework for cyber physical security and resilience. Environ. Syst. Decis. 35(2), 291–300 (2015). https://doi.org/10.1007/s10669-015-9540-y
Ganin, A.A., et al.: Multicriteria decision framework for cybersecurity risk assessment and management. Risk Anal. 40(1), 183–199 (2020). https://doi.org/10.1111/risa.12891
Li, H., (Robert) Luo, X., Zhang, J., Sarathy, R.: Self-control, organizational context, and rational choice in Internet abuses at work. Inf. Manag. 55(3), 358–367 (2018). https://doi.org/10.1016/j.im.2017.09.002
Annarelli, A., Nonino, F., Palombi, G.: Understanding the management of cyber resilient systems. Comput. Ind. Eng. 149 (Nov 2020). https://doi.org/10.1016/j.cie.2020.106829
Shah, A., Ganesan, R., Jajodia, S., Hasan, C.A.M.: An outsourcing model for alert analysis in a cybersecurity operations center. ACM Trans. Web 14(1) (2020). https://doi.org/10.1145/3372498
Saleem, J., Adebisi, B., Ande, R., Hammoudeh, M.: A state of the art survey – impact of cyber attacks on SME’s. In: ACM International Conference Proceeding Series, vol. Part F130522 (Jul 2017). https://doi.org/10.1145/3102304.3109812
ENISA threat landscape report 2018 — ENISA: https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018. Accessed 29 Jan 2021
Armenia, S., Angelini, M., Nonino, F., Palombi, G., Schlitzer, M.F.: A dynamic simulation approach to support the evaluation of cyber risks and security investments in SMEs. Decis. Support Syst. 147, 113580 (2021). https://doi.org/10.1016/j.dss.2021.113580
Panemon: 2018 State of cybersecurity in small & medium size businesses (2018)
Ikerionwu, C., Edgar, D., Gray, E.: The development of service provider’s BPO-IT framework. Bus. Process Manag. J. 23(5), 897–917 (2017). https://doi.org/10.1108/BPMJ-10-2015-0146
Doran, J., Ryan, G., Bourke, J., Crowley, F.R.: In-house or outsourcing skills: how best to manage for innovation? Int. J. Innov. Manag. 24(01), 2050010 (2020). https://doi.org/10.1142/S1363919620500103
Benaroch, M.: Cybersecurity Risk in IT Outsourcing—Challenges and Emerging Realities, pp. 313–334. Springer, Cham (2020)
ISO/IEC 27001:2013: ISO – ISO/IEC 27001:2013 – Information technology — Security techniques — Information security management systems — Requirements. https://www.iso.org/standard/54534.html (2013). Accessed 19 Jan 2021
Herath, T., Rao, H.R.: Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness. Decis. Support Syst. 47(2), 154–165 (2009). https://doi.org/10.1016/j.dss.2009.02.005
D’Arcy, J., Hovav, A., Galletta, D.: User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Inf. Syst. Res. 20(1), 79–98 (2009). https://doi.org/10.1287/isre.1070.0160
Li, L., He, W., Xu, L., Ash, I., Anwar, M., Yuan, X.: Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior. Int. J. Inf. Manage. 45, 13–24 (2019). https://doi.org/10.1016/j.ijinfomgt.2018.10.017
Ng, B.-Y., Kankanhalli, A., (Calvin) Xu, Y.: Studying users’ computer security behavior: a health belief perspective. Decis. Support Syst. 46(4), 815–825 (2009). https://doi.org/10.1016/j.dss.2008.11.010
Ifinedo, P.: Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory. Comput. Secur. 31(1), 83–95 (2012). https://doi.org/10.1016/j.cose.2011.10.007
Siponen, M., Adam Mahmood, M., Pahnila, S.: Employees’ adherence to information security policies: an exploratory field study. Inf. Manag. 51(2), 217–224 (2014). https://doi.org/10.1016/j.im.2013.08.006
Vrhovec, S., MiheliÄŤ, A.: Redefining threat appraisals of organizational insiders and exploring the moderating role of fear in cyberattack protection motivation. Comput. Secur. 106 (2021). https://doi.org/10.1016/j.cose.2021.102309
Dhillon, G., Syed, R., de Sá-Soares, F.: Information security concerns in IT outsourcing: identifying (in) congruence between clients and vendors. Inf. Manag. 54(4), 452–464 (2017). https://doi.org/10.1016/j.im.2016.10.002
Akhuseyinoglu, N.B., Joshi, J.: A risk-aware access control framework for cyber-physical systems. In: Proceedings – 2017 IEEE 3rd International Conference on Collaboration and Internet Computing, CIC 2017, vol. 2017-January, pp. 349–358 (Dec. 2017) https://doi.org/10.1109/CIC.2017.00052.
Cao, Y., Huang, Z., Yu, Y., Ke, C., Wang, Z.: A topology and risk-aware access control framework for cyber-physical space. Front. Comp. Sci. 14(4), 1–16 (2020). https://doi.org/10.1007/s11704-019-8454-0
Doomun, M.R.: Multi-level information system security in outsourcing domain. Bus. Process Manag. J. 14(6), 849–857 (2008). https://doi.org/10.1108/14637150810916026
Ahmad, A., Maynard, S.B., Shanks, G.: A case analysis of information systems and security incident responses. Int. J. Inf. Manage. 35(6), 717–723 (2015). https://doi.org/10.1016/j.ijinfomgt.2015.08.001
Cezar, A., Cavusoglu, H., Raghunathan, S.: Outsourcing information security: contracting issues and security implications. Manage. Sci. 60(3), 638–657 (2014). https://doi.org/10.1287/mnsc.2013.1763
Nah, F.F.-H., Lau, J.L.-S., Kuang, J.: Critical factors for successful implementation of enterprise systems. Bus. Process Manag. J. 7(3), 285–296 (2001). https://doi.org/10.1108/14637150110392782
Comfort, L.K., Haase, T.W.: Communication, coherence, and collective action: the impact of Hurricane Katrina on communications infrastructure. Public Work. Manag. Policy 10(4), 328–343 (2006). https://doi.org/10.1177/1087724X06289052
Wieland, A., Wallenburg, C.M.: The influence of relational competencies on supply chain resilience: a relational view. Int. J. Phys. Distrib. Logist. Manag. 43(4), 300–320 (2013). https://doi.org/10.1108/IJPDLM-08-2012-0243
Scholten, K., Schilder, S.: The role of collaboration in supply chain resilience. Supply Chain Manag. 20(4), 471–484 (2015). https://doi.org/10.1108/SCM-11-2014-0386
Knight, R., Nurse, J.R.C.: A framework for effective corporate communication after cyber security incidents. Comput. Secur. 99, 102036 (2020). https://doi.org/10.1016/j.cose.2020.102036
Decreto direttoriale 6 novembre 2019 – Elenco dei manager qualificati e delle società di consulenza: https://www.mise.gov.it/index.php/it/normativa/decreti-direttoriali/2040421-decreto-direttoriale-6-novembre-2019-elenco-dei-manager-qualificati-e-delle-societa-di-consulenza (2019). Accessed 29 Jan 2021
Warmbrod, J.R.: Reporting and interpreting scores derived from Likert-type scales. J. Agric. Educ. 55(5), 30–47 (2014). https://doi.org/10.5032/jae.2014.05030
Cramer, D.: Fundamental Statistics for Social Research: Step-by-Step Calculations and Computer Techniques Using SPSS for Windows. Taylor and Francis (2003)
Aldya, A.P., Sutikno, S., Rosmansyah, Y.: Measuring effectiveness of control of information security management system based on SNI ISO/IEC 27004: 2013 standard. In: IOP Conference Series: Materials Science and Engineering, vol. 550, no. 1 (Aug 2019). https://doi.org/10.1088/1757-899X/550/1/012020
GutiĂ©rrez-MartĂnez, J., Núñez-Gaona, M.A., Aguirre-Meneses, H.: Business model for the security of a large-scale PACS, compliance with ISO/27002:2013 standard. J. Digit. Imaging 28(4), 481–491 (2015). https://doi.org/10.1007/s10278-014-9746-4
Acknowledgment
This work is supported by the fund of the Department of Computer, Control and Management Engineering “Antonio Ruberti” of Sapienza University of Rome. The department has been designated by the Italian Ministry of Education (MIUR) for being “Department of Excellence” in advanced training programs in the field of cybersecurity.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Annarelli, A., Colabianchi, S., Nonino, F., Palombi, G. (2022). The Effectiveness of Outsourcing Cybersecurity Practices: A Study of the Italian Context. In: Arai, K. (eds) Proceedings of the Future Technologies Conference (FTC) 2021, Volume 3. FTC 2021. Lecture Notes in Networks and Systems, vol 360. Springer, Cham. https://doi.org/10.1007/978-3-030-89912-7_2
Download citation
DOI: https://doi.org/10.1007/978-3-030-89912-7_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-89911-0
Online ISBN: 978-3-030-89912-7
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)