On the Design and Engineering of a Zero Trust Security Artefact

  • Conference paper
  • In: Advances in Information and Communication (FICC 2021)

Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 1363)

Abstract

Adequately informing the board of directors about operational security effectiveness is cumbersome. The concept of Zero Trust (ZT) approaches information and cybersecurity from the perspective of the asset, or sets of assets, to be protected, and from the value that it represents. Zero Trust has been around for quite some time. This paper continues the authors' previous research work on the examination of Zero Trust approaches: what is lacking in terms of operationalisation, which elements need to be addressed in future implementations and why, and how this requires empirical validation. In the first part of the paper, we summarise the limitations of the state-of-the-art approaches and how these are addressed in the Zero Trust Framework developed by ON2IT ‘Zero Trust Innovators’. Then we describe the design and engineering of a Zero Trust artefact (dashboard) that addresses the problems at hand, according to Design Science Research (DSR). The last part of this paper outlines the setup of an empirical validation through practitioner-oriented research, in order to gain a better implementation of Zero Trust strategies, and how this validation was conducted in 2020 with 73 security practitioners. The final result is a proposed framework and associated technology which, via Zero Trust principles, addresses multiple layers of the organization to grasp and align cybersecurity risks and understand the readiness and fitness of the organization and its measures to counter cybersecurity risks.

Notes

  1. Chief Risk Officer Forum; The CRO Forum’s Emerging Risk Initiative continually scans the horizon to identify and communicate emerging risks.

  2. The Standish Group: Decision latency theory states: “The value of the interval is greater than the quality of the decision.” Therefore, to improve performance, organizations need to consider ways to speed up their decisions.

  3. Telemetry is the collection of measurements or other data at remote or inaccessible points and their automatic transmission to receiving equipment for monitoring. The word is derived from the Greek roots tele, "remote", and metron, "measure". Systems that need external instructions and data to operate require the counterpart of telemetry, telecommand.

Author information

Corresponding author: Yuri Bobbert

Copyright information

© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Bobbert, Y., Scheerder, J. (2021). On the Design and Engineering of a Zero Trust Security Artefact. In: Arai, K. (eds) Advances in Information and Communication. FICC 2021. Advances in Intelligent Systems and Computing, vol 1363. Springer, Cham. https://doi.org/10.1007/978-3-030-73100-7_58
