Doctoral dissertations on the topic "Cybersecurity risk management"

1

Rassega, Valter. "Cyber security risk management nei servizi pubblici strategici". Doctoral thesis, Universita degli studi di Salerno, 2017. http://hdl.handle.net/10556/2571.

Abstract:
2015 - 2016
The global digital network, with its ability to establish direct, real-time contact between people in every part of the planet, is a formidable tool for developing relationships and exchanging information and knowledge. People of every kind coexist in cyberspace, with different interests, different cultures and different ways of relating to others. From an economic point of view, the global network is today a formidable transactional tool for the exchange of goods and services, and there is no commercial or industrial sector that has not arrived in cyberspace in some way. The cybernetic revolution, induced by new and increasingly powerful electronic and computer technologies, has not been limited to connecting almost the entire surface of the planet to the network; it is rapidly expanding towards the direct control of a myriad of physical devices of the most varied kinds, from smartphones to wearable devices, from city traffic control systems to electricity production and distribution infrastructure. This is the so-called "Internet of Things", which interconnects all electronic devices capable of communicating with the outside world. This pervasiveness has not spared the public sector, which is called on first of all to provide answers on many fronts, not least the regulatory one, and, as far as possible, to ensure that the rules of the real world are also respected in cyberspace. In particular, the public sector must take responsibility for ensuring the physical and cyber security of the so-called national critical infrastructures (NCI), which include all the services essential to national security, the proper functioning of the country and its economic growth and, not least, the well-being of the population.
Critical infrastructures are the electricity and energy system, communication networks in general, the networks and infrastructure for transporting people and goods (sea, rail, air and road), the public health system, economic and financial circuits, and the networks of the national government, of the regions, and those for emergency management and civil protection. The challenge is complex, and the Public Administration alone does not seem able to respond effectively to the increasingly sophisticated cyber-attacks that strike the civil, industrial and economic world every day. National critical infrastructures are not immune and, as a result, Strategic Public Services are exposed to significant risks. On this issue, Western governments have long established close cooperation with the private sector, and the need has emerged to define a shared, high-quality strategy and modus operandi among the various actors involved. This work aims to address systematically the "hot" topic of cyber security, an area that involves national governments, the military, intelligence services, the economic system and the business world as a whole and, gradually and in various capacities and degrees of interest, every single citizen of the world. In this unprecedented scenario, strongly characterized by uncertainty and variability of threats, the sic et simpliciter application of "traditional" risk assessment techniques derived from the corporate world is inadequate for the purpose, although a certain degree of adaptation to the new scenario is already under way. The analysis focuses on the "adaptive evolution" that is affecting risk management in the field of cyber security, and on the state of the art in the worldwide academic and scientific landscape in the introduction of new and more advanced tools for the analysis of cyber risk. The work ends with a case study of a large Italian company that provides a strategic public service, namely electricity. [edited by author]
XV n.s.
2

Steinbernreiter, Kajsa. ""The cyber war" : A qualitative study investigating the management of cybersecurity in Swedish online fashion companies". Thesis, Högskolan i Borås, Akademin för textil, teknik och ekonomi, 2018. http://urn.kb.se/resolve?urn=urn:nbn:se:hb:diva-22101.

Abstract:
Due to a world-wide digitalisation, the fashion segment has experienced a shift from offline to online shopping. Consequently, more companies choose to interconnect digitally with consumers and suppliers. This highlights cyber risks and cybersecurity issues more than ever, which becomes specifically apparent amongst online companies. Through qualitative semi-structured interviews with three different Swedish online fashion companies, the purpose of investigating how cybersecurity currently is prioritised and managed was reached. In addition to this, two cybersecurity experts gave their view of the most important aspects in the field, which companies should consider. Results showed a fairly well-managed cybersecurity amongst Swedish online fashion companies, even though knowledge in the field is scarce. Through educating everyone at the company and implementing a group of people in charge of these questions, a more holistic view could be attained. By offering thoughts on how online fashion companies can enhance their current cybersecurity, this paper contributes to the literature of cyber risk management as well as provides meaningful knowledge to all types of online companies.
3

Baker, Wade Henderson. "Toward a Decision Support System for Measuring and Managing Cybersecurity Risk in Supply Chains". Diss., Virginia Tech, 2017. http://hdl.handle.net/10919/85128.

Abstract:
Much of the confusion about the effectiveness of information security programs concerns not only how to measure, but also what to measure — an issue of equivocality. Thus, to lower uncertainty for improved decision-making, it is first essential to reduce equivocality by defining, expanding, and clarifying risk factors so that metrics, the "necessary measures," can be unambiguously applied. We formulate a system that (1) allows threats to be accurately measured and tracked, (2) enables the impacts and costs of successful threats to be determined, and (3) aids in evaluating the effectiveness and return on investment of countermeasures. We then examine the quality of controls implemented to mitigate cyber risk and study how effectively they reduce the likelihood of security incidents. Improved control quality was shown to reduce the likelihood of security incidents, yet the results indicate that investing in maximum quality is not necessarily the most efficient use of resources. The next manuscript expands the discussion of cyber risk management beyond single organizations by surveying perceptions and experiences of risk factors related to 3rd parties. To validate these findings, we undertake an in-depth investigation of nearly 1000 real-world data breaches occurring over a ten-year period. It provides a robust data model and rich database required by a decision support system for cyber risk in the extended enterprise. To our knowledge, it is the most comprehensive field study ever conducted on the subject. Finally, we incorporate these insights, data, and factors into a simulation model that enables us to study the transfer of cyber risk across different supply chain configurations and draw important managerial implications.
Ph. D.
4

Gao, Olivia Qing. "Risk Assessment for IoT : a system evaluation of the smart home and its cybersecurity imperative". Thesis, Massachusetts Institute of Technology, 2016. http://hdl.handle.net/1721.1/106247.

Abstract:
Thesis: S.M. in Engineering and Management, Massachusetts Institute of Technology, School of Engineering, System Design and Management Program, Engineering and Management Program, 2016.
Cataloged from PDF version of thesis.
Includes bibliographical references (pages 92-107).
In the past two decades, the exponential growth of the modern Internet with the digitization of most human activities such as data gathering and storage have also fueled the growth of cybercrimes. In more recent years, the modern Internet is spreading into everyday life through the Internet of Things (IoT), which is further expanding the attack surface. Among all the IoT domains, the smart home, in particular, is poised to be one of the most exciting application areas of the IoT. However, behind the optimistic outlook, the shadow of an impending threat is also growing. Across the board, among the smart home device manufacturers, security is nearly non-existent or significantly downplayed. Consequently, the neglected, unresolved vulnerabilities in these devices widely expose their users and their family to cyberattacks. This thesis aims to illuminate the dynamics in the smart home market and their implications for IoT as a whole. First, it will review the past evolution of the IoT and the smart home along with current trends in enabling technologies. Next, through detailed examinations of four dynamic factors - 1) macro pressures to innovate, 2) growing perils of cybercrimes, 3) vulnerabilities in the smart home, and 4) values at risk - the thesis seeks to elucidate the serious consequences of ignoring cybersecurity in the smart home system through causal loop diagramming. This thesis uses substantiated data from the past few years to justify its analyses. The thesis concludes that the smart home is an essential innovation that can help solve many urgent challenges facing our time, and securing the smart home devices is a key step towards building a safer and more secure IoT future as well as a future for the current generation and many generations to come.
by Olivia Qing Gao.
S.M. in Engineering and Management
5

Stefanska, Beata, and Fatimah Laura Al-Dawod. "The importance of risk awareness in cybersecurity among companies : A perspective on the role of top management". Thesis, Linköpings universitet, Institutionen för ekonomisk och industriell utveckling, 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-177218.

Abstract:
Background: Today's world is characterized by a high level of digitalization that contributes to the development of new and effective technologies. However, this digital success requires knowledge and awareness about cybersecurity. Previous studies have shown that during 2020 the number of cyber-attacks among Swedish companies has increased. Due to digitalization, external parties find new methods to enter a company's systems and take advantage of its innovations and valuable information. That can affect the company's value negatively by ruining its reputation and making the stakeholders mistrust it. Purpose: The purpose of the study is to contribute to an increased understanding of strategic leadership's influence on cyber risk awareness. Methodology: This study follows a qualitative research method. The data have been collected through semi-structured interviews, based on 11 respondents consisting of experts whose professional background is anchored in cybersecurity. The research process follows an abductive approach. Conclusion: This study concludes that the current state of cyber risk awareness is not sufficient although it is increasing. Risk awareness is dependent on knowledge and organizational culture. This study concludes that the top management has a significant role in the influence of organizational culture and knowledge and thereby the risk awareness of a company, which in turn has an impact on their cybersecurity. It is the responsibility of the top management to delegate tasks that enhance risk awareness. Therefore, cyber risk awareness is to be treated as a top management issue. As a contribution, the study provides an insight on how humans, in this case the top management, influence a company's cybersecurity through risk awareness.
6

Arowolo, Olatunji Mujib. "Strategic Cyber-Risk Implications of Cloud Technology Adoption in the U.S. Financial Services Sector". ScholarWorks, 2017. https://scholarworks.waldenu.edu/dissertations/4347.

Abstract:
According to research, the risks of adopting new technology and the technological and organizational factors that influence adopting it are not clear. Thus, many financial institutions have hesitated to adopt cloud-computing. The purpose of this quantitative, cross-sectional study was to evaluate the cyber-risk implications of cloud-computing adoption in the U.S. financial services sector. The study examined 6 technological and organizational factors: organization size, relative advantage, compliance, security, compatibility, and complexity within the context of cyber-risk. Using a combination of diffusion of innovation theory and technology-organization-environment framework as the foundation, a predictive cybersecurity model was developed to determine the factors that influence the intent to adopt cloud-computing in this sector. A random sample of 118 IT and business leaders from the U.S. financial services sector was used. Multiple regression analysis indicated that there were significant relationships between the intent to adopt cloud-computing by the leaders of financial organizations and only 2 of the 6 independent variables: compliance risk and compatibility risk. The predictive cybersecurity model proposed in this study could help close the gaps in understanding the factors that influence decisions to adopt cloud-computing. Once the rate of cloud-computing adoption increases, this study could yield social change in operational efficiency and cost improvement for both U.S. financial organizations and their consumers.
7

Abu-Shaqra, Baha. "Technoethics and Sensemaking: Risk Assessment and Knowledge Management of Ethical Hacking in a Sociotechnical Society". Thesis, Université d'Ottawa / University of Ottawa, 2020. http://hdl.handle.net/10393/40393.

Abstract:
Cyber attacks by domestic and foreign threat actors are increasing in frequency and sophistication. Cyber adversaries exploit a cybersecurity skill/knowledge gap and an open society, undermining the information security/privacy of citizens and businesses and eroding trust in governments, thus threatening social and political stability. The use of open digital hacking technologies in ethical hacking in higher education and within broader society raises ethical, technical, social, and political challenges for liberal democracies. Programs teaching ethical hacking in higher education are steadily growing but there is a concern that teaching students hacking skills increases crime risk to society by drawing students toward criminal acts. A cybersecurity skill gap undermines the security/viability of business and government institutions. The thesis presents an examination of opportunities and risks involved in using AI powered intelligence gathering/surveillance technologies in ethical hacking teaching practices in Canada. Taking a qualitative exploratory case study approach, technoethical inquiry theory (Bunge-Luppicini) and Weick’s sensemaking model were applied as a sociotechnical theory (STEI-KW) to explore ethical hacking teaching practices in two Canadian universities. In-depth interviews with ethical hacking university experts, industry practitioners, and policy experts, and a document review were conducted. Findings pointed to a skill/knowledge gap in ethical hacking literature regarding the meanings, ethics, values, skills/knowledge, roles and responsibilities, and practices of ethical hacking and ethical hackers which underlies an identity and legitimacy crisis for professional ethical hacking practitioners; and a Teaching vs Practice cybersecurity skill gap in ethical hacking curricula. 
Two main S&T innovation risk mitigation initiatives were explored: An OSINT Analyst cybersecurity role and associated body of knowledge foundation framework as an interdisciplinary research area, and a networked centre of excellence of ethical hacking communities of practice as a knowledge management and governance/policy innovation approach focusing on the systematization and standardization of an ethical hacking body of knowledge.
8

Takacs, Gergely. "Integration of CTI into security management". Thesis, Luleå tekniska universitet, Institutionen för system- och rymdteknik, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:ltu:diva-74246.

Abstract:
Current thesis is a documentative approach to sum up experiences of a practical project of implementing Cyber Threat Intelligence into an existing information security management system and delivering best practices using action design research methodology. The project itself was delivered to a multinational energy provider in 2017. The aim of the CTI-implementation was to improve the information security posture of the customer. The author, as participant of the delivery team presents an extensive review of the current literature on CTI and puts the need for threat intelligence into context. The author claims that traditional security management is not able to keep up with current cybersecurity threats which makes a new approach required. The thesis gives an insight of an actually working and continuously developed CTI-service and offers possible best practices for InfoSec professionals, adds theoretical knowledge to the body of knowledge and opens up new research areas for researchers.
9

Curran, Theresa. "Standardizing Instructional Definition and Content Supporting Information Security Compliance Requirements". Diss., NSUWorks, 2018. https://nsuworks.nova.edu/gscis_etd/1038.

Abstract:
Information security (IS)-related risks affect global public and private organizations on a daily basis. These risks may be introduced through technical or human-based activities, and can include fraud, hacking, malware, insider abuse, physical loss, mobile device misconfiguration or unintended disclosure. Numerous and diverse regulatory and contractual compliance requirements have been mandated to assist organizations proactively prevent these types of risks. Two constants are noted in these requirements. The first constant is requiring organizations to disseminate security policies addressing risk management through secure behavior. The second constant is communicating policies through IS awareness, training and education (ISATE) programs. Compliance requirements direct that these policies provide instruction about making compliant and positive security decisions to reduce risk. Policy-driven and organizationally-relevant ISATE content is understood to be foundational and critical to prevent security risk. The problem identified for investigation is inconsistency of the terms awareness, training and education as found in security-related regulatory, contractual and policy compliance requirements. Organizations are mandated to manage a rapidly increasing portfolio of inconsistent ISATE compliance requirements generated from many sources. Since there is no one set of common guidance for compliance, organizations struggle to meet global, diverse and inconsistent compliance requirements. Inconsistent policy-related content and instructions, generated from differing sources, may cause incorrect security behavior that can present increased security risk. Traditionally, organizations were required to provide only internally-developed programs, with content left to business, regulatory/contractual, and cultural discretion. Updated compliance requirements now require organizations to disseminate externally-developed content in addition to internally-provided content. 
This real-world business requirement may cause compliance risks due to inconsistent instruction, guidance gaps and lack of organizational relevance. The problem has been experienced by industry practitioners within the last five years due to increased regulatory and contractual compliance requirements. Prior studies have not yet identified specific impacts of multiple and differing compliance requirements on organizations. The need for organizational relevance in ISATE content has been explored in literature, but the amount of organizationally-relevant content has not been examined in balance of newer compliance mandates. The goal of the research project was to develop a standard content definition and framework. Experienced practitioners responsible for ISATE content within their organizations participated in a survey to validate definitions, content, compliance and organizational relevance requirements imposed on their organizations. Fifty-five of 80 practitioners surveyed (68.75% participation rate) provided responses to one or more sections of the survey. This research is believed to be the first to suggest a standardized content definition for ISATE program activities based on literature review, assessment of existing regulatory, contractual, standard and framework definitions and information obtained from specialized practitioner survey data. It is understood to be the first effort to align and synthesize cross-industry compliance requirements, security awareness topics and organizational relevance within information security awareness program content. Findings validated that multiple and varied regulatory and contractual compliance requirements are imposed on organizations. A lower number of organizations were impacted by third party program requirements than was originally expected. Negative and positive impacts of third party compliance requirements were identified. 
Program titles and content definitions vary in respondent organizations and are documented in a variety of organizational methods. Respondents indicated high acceptance of a standard definition of awareness, less so for training and education. Organizationally-relevant program content is highly important and must contain traditional and contemporary topics. Results are believed to be an original contribution to information/cyber security practitioners, with findings of interest to academic researchers, standards/framework bodies, auditing/risk management practitioners and learning/development specialists.
10

Mokalled, Hassan. "The importance to manage data protection in the right way: Problems and solutions". Doctoral thesis, Università degli studi di Genova, 2020. http://hdl.handle.net/11567/997252.

Abstract:
Information and communication technology (ICT) has made a remarkable impact on society, especially on companies and organizations. The use of computers, databases, servers, and other technologies has changed the way data is stored, processed, and transferred. However, companies access and share their data on the internet or an intranet, thus there is a critical need to protect this data from destructive forces and from the unwanted actions of unauthorized users. This thesis groups a set of solutions proposed, from a company point of view, to reach the goal of “Managing data protection”. The work presented in this thesis represents a set of security solutions, which focuses on the management of data protection taking into account both the organizational and technological side. The work achieved can be divided into a set of goals that are obtained particularly from the needs of the research community. This thesis handles the issue of managing data protection in a systematic way, through proposing a Data protection management approach, aiming to protect the data from both the organizational and the technological side, which was inspired by the ISO 27001 requirements. An Information Security Management System (ISMS) is then presented implementing this approach. An ISMS consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets. An ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives. The goal of ISMS is to minimize risk and ensure continuity by pro-actively limiting the impact of a security breach. 
To be well-prepared to the potential threats that could occur to an organization, it is important to adopt an ISMS that helps in managing the data protection process, and in saving time and effort, minimizes cost of any loss. After that, a comprehensive framework is designed for the security risk management of Cyber Physical Systems (CPSs), this framework represents the strategy used to manage the security risk management, and it falls inside the ISMS as a security strategy. Traditional IT risk assessment methods can do the job (security risk management for a CPS); however, and because of the characteristics of a CPS, it is more efficient to adopt a solution that is wider than a method that addresses the type, functionalities and complexity of a CPS. Therefore, there is a critical need to follow a solution that breaks the restriction to a traditional risk assessment method, and so a high-level framework is proposed, it encompasses wider set of procedures and gives a great attention to the cybersecurity of these systems, which consequently leads to the safety of the physical world. In addition, inside the ISMS, another part of the work takes place, suggesting the guidelines to select an applicable Security Incident and Event Management (SIEM) solution. It also proposes an approach that aims to support companies seeking to adopt SIEM systems into their environments, suggesting suitable answers to preferred requirements that are believed to be valuable prerequisites a SIEM system should have; and to suggest criteria to judge SIEM systems using an evaluation process composed of quantitative and qualitative methods. This approach, unlike others, is customer driven which means that customer needs are taken into account when following the whole approach, specifically when defining the requirements and then evaluating the suppliers’ solutions. 
At the end, a research activity was carried out aiming to classify web attacks on the network level, since any information about the attackers might be helpful and worth a lot to the cyber security analysts. And so, using network statistical fingerprints and machine learning techniques, a two-layer classification system is designed to detect the type of the web attack and the type of software used by the attackers.
11

Lee, Chee Wei. "A system theoretic approach to cybersecurity risks analysis of passenger autonomous vehicles". Thesis, Massachusetts Institute of Technology, 2018. http://hdl.handle.net/1721.1/118541.

Abstract:
Thesis: S.M. in Engineering and Management, Massachusetts Institute of Technology, System Design and Management Program, 2018.
Cataloged from PDF version of thesis.
Includes bibliographical references (pages 107-109).
Urban Mobility is in the midst of a revolution, driven by the convergence of technologies such as artificial intelligence, on-demand ride services, as well as connected and self-driving vehicles. Technological advancements often lead to new hazards and changing nature in how accidents can happen. Coupled with increased levels of automation and connectivity in the new generation of autonomous vehicles, cybersecurity is emerging as one of the key threats affecting the safety of these vehicles. Traditional methods treat safety and security analysis in isolation, and are limited in the ability to account for interactions among organizational, socio-technical, human, and technical components. In response to these challenges, the System Theoretic Process Analysis (STPA) was developed to meet the growing need for system engineers to analyze such complex socio-technical systems. We applied STPA-Sec, an extension to STPA to include security analysis, to co-analyze safety and security hazards, as well as identify mitigation requirements. The results were compared with another promising method known as Combined Harm Analysis of Safety and Security for Information Systems (CHASSIS). Both methods were applied to the Mobility-as-a-Service use case, focusing on the over-the-air software updates feature. Overall, STPA-Sec identified additional hazards and more effective requirements compared to CHASSIS. In particular, STPA-Sec demonstrated the ability to identify hazards due to unsafe/unsecure interactions among sociotechnical components. This research also suggested using CHASSIS methods for information lifecycle analysis to complement and generate additional considerations for STPA-Sec. Finally, results from both methods were back-tested against a past cyber hack on a vehicular system, and we found that recommendations from STPA-Sec were likely to mitigate the risks of the incident.
by Chee Wei Lee.
S.M. in Engineering and Management
12

Гриценко, Костянтин Григорович, Константин Григорьевич Гриценко and Kostiantyn Hryhorovych Hrytsenko. "Актуальні напрями підвищення ефективності забезпечення кібербезпеки банку". Thesis, Cумський державний університет, 2020. https://essuir.sumdu.edu.ua/handle/123456789/82886.

Abstract:
Cybersecurity is the main priority for a bank's risk management. An unsatisfactory state of cybersecurity leads to significant financial losses, leakage of important information, deterioration of the bank's reputation and a decline in its competitiveness. In this regard, the problem of improving the effectiveness of the bank's cybersecurity is relevant. The organizational and technological aspects of solving this problem are identified. Weaknesses in ensuring the bank's cybersecurity are determined. The interaction of cybersecurity actors in the banking sector, the specifics of implementing an internal cybersecurity audit of the bank, and innovative technologies in the field of cyber defense are considered.
Cyberattacks are at the top of the bank risks list, so cybersecurity is a top priority for the bank’s risk management. The unsatisfactory state of cybersecurity leads to significant financial losses, leakage of valuable information, deterioration of the bank’s reputation, and reduction of its competitiveness. In this regard, the problem of improving the efficiency of the bank’s cybersecurity is relevant. The organizational and technological aspects of solving this problem are highlighted. Common weaknesses in ensuring the bank’s cybersecurity have been identified. The features of the internal bank cybersecurity audit and the relationship of the internal audit department with the bank’s cybersecurity entities are considered. The use of innovative technologies in the field of cybersecurity is considered.
13

Molina, Gabriela del Rocio Roldan. "A decision support system for corporations cyber security risk management". Master's thesis, 2017. http://hdl.handle.net/10400.8/2741.

Abstract:
This thesis presents a decision aiding system named C3-SEC (Context-aware Corporative Cyber Security), developed in the context of a master program at Polytechnic Institute of Leiria, Portugal. The research dimension and the corresponding software development process that followed are presented and validated with an application scenario and case study performed at Universidad de las Fuerzas Armadas ESPE – Ecuador. C3-SEC is a decision aiding software intended to support cyber risks and cyber threats analysis of a corporative information and communications technological infrastructure. The resulting software product will help corporations' Chief Information Security Officers (CISO) on cyber security risk analysis, decision-making and prevention measures for the infrastructure and information assets protection. The work is initially focused on the evaluation of the most popular and relevant tools available for risk assessment and decision making in the cyber security domain. Their properties, metrics and strategies are studied and their support for cyber security risk analysis, decision-making and prevention is assessed for the protection of organization's information assets. A contribution for cyber security experts' decision support is then proposed by the means of reuse and integration of existing tools and C3-SEC software. C3-SEC extends existing tools' features from the data collection and data analysis (perception) level to a full context-aware reference model. The software developed makes use of semantic level, ontology-based knowledge representation and inference supported by widely adopted standards, as well as cyber security standards (CVE, CPE, CVSS, etc.) and cyber security information data sources made available by international authorities, to share and exchange information in this domain.
C3-SEC development follows a context-aware systems reference model addressing the perception, comprehension, projection and decision/action layers to create corporative scale cyber security situation awareness.
14

Hansch, Gerhard. "Automating Security Risk and Requirements Management for Cyber-Physical Systems". Doctoral thesis, 2020. http://hdl.handle.net/21.11130/00-1735-0000-0005-1517-A.

15

Svensson, Elina, and Annika Rydén. "JamaicaEye : What does cyber security look like in one of the most recently developed CCTV networks?" Thesis, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:hb:diva-22266.

Abstract:
The issue approached in this study is the possible gaps in cybersecurity in the Closed-Circuit TV system (CCTV) currently being implemented in Jamaica. During 2018, the government of Jamaica together with systems developers from MSTech Solutions developed and started to implement a video surveillance system with the aim to cover the entire nation to reduce criminal activities and create a safer society. To address potential problems of cybersecurity in this system, the purpose of this study was to explore which cybersecurity domains and factors were the most important in the JamaicaEye project. In order to examine such a purpose, the cybersecurity of the system is put into contrast with the cybersecurity domains of the C2M2 model to unveil similarities and differences in cybersecurity strategy and application. To be able to collect in-depth data of the JamaicaEye project, a hybrid of a field and a case study took place in Ocho Rios, Jamaica, during approximately 9 weeks. Data collection was carried out through interviews with representatives from the Jamaican government and the systems developer, MSTech Solutions. After compiling and transcribing the collected data from the interview, the color coding and comparison of the results with the cybersecurity capability maturity model, C2M2, started. The C2M2 model was chosen as the theoretical framework for this study. The results of mapping the theoretical data with the empirical data gave underlying material and a perspective on the most important cybersecurity factors in the JamaicaEye system. This study will be a foundation for future expansion of the project in Jamaica, but also similar projects in other nations that are in need of cybersecurity development, management and assessment. Mainly, this study will be useful for those in the industry of development, analysis and assessment, and cybersecurity of CCTV systems.
16

Manuel, Luzolo João. "Estudo sobre o grau de maturidade do sistema de controlo interno bancário em Angola". Master's thesis, 2020. http://hdl.handle.net/10362/101732.

Abstract:
This study represents the end of the Master's course in Law and Financial Markets, at New University of Lisbon, in partnership with PahlConsulting. It was developed to answer questions that directly or indirectly influence Angola's financial sector and economic stability in banking SCI. We follow the integral structure of internal control approved by COSO, a model adopted for the development of our study that originates from the management IC approach. The conclusions were based on the responses collected through a survey, which “is a basic instrument of observation, in the survey and in the interview, allows observing the facts through the analysis that the respondent or interviewer makes of them (Ramos & Naranja, 2014)”, relying on closed questions, annual reports and the robust two-stage dynamic panel system to assess the degree of maturity of the Internal Banking Control System, which operate in the Angolan financial system. The results show that the degree of SCI maturity is at a low level for all Angolan banks, and show that the existence of actual corruption actions is greater due to the lack of supervision and qualified resources. The sample for this study comes from banks traded in the Angolan market. In this sense, the results may not be generalized with banks traded in other financial markets. Due to the cross-border character of the internal banking control practices, our study suggests that Angolan banks strengthen the regulatory framework in order to be in alignment with national and international legislation, to have better control of potential events that may prevent the smooth functioning of the SCI.
This study is the final work of the Master's course in Law and Financial Markets at the Universidade Nova de Lisboa, in partnership with PahlConsulting. It was developed to answer the questions that directly or indirectly influence the financial sector and the economic instability of Angola in the banking SCI. We follow the integral internal control structure approved by COSO, the model adopted for the development of our study, which originates in the management IC approach. The conclusions were based on the responses collected through a survey, which “is a basic instrument of observation, in the inquiry and in the interview, and allows the facts to be observed through the analysis that the respondent or interviewer makes of them (Ramos & Naranja, 2014)”, relying on closed questions, annual reports of accounts and the robust two-stage dynamic panel system to assess the degree of maturity of the Banking Internal Control System, which operate in the Angolan financial system. The results show that the degree of SCI maturity is at a low level for all Angolan banks, and show that the existence of possible acts of corruption is greater owing to the lack of supervision and of qualified resources. The sample for this study comes from banks traded in the Angolan market. In this sense, the results may not be generalized to banks traded in other financial markets. Owing to the cross-border character of banking internal control practices, our study suggests that Angolan banks strengthen the regulatory framework so as to be in alignment with national and international legislation, in order to have better control of possible events that may prevent the proper functioning of the SCI.