How Do Organizations Seek Cyber Assurance? Investigations on the Adoption of the Common Criteria and Beyond
Nan Sun, Chang-Tsun Li, Hin Chan, Md Zahidul Islam, Md Rafiqul Islam, Warren Armstrong

TL;DR
This paper investigates how organizations adopt cybersecurity standards like the Common Criteria, identifies barriers to adoption, and explores additional risk management strategies to enhance cyber assurance across various sectors.
Contribution
It provides empirical insights into adoption barriers of cybersecurity standards and offers recommendations to promote their use, along with exploring alternative risk management strategies.
Findings
Identified seven barriers to adopting the Common Criteria
Surveyed 258 participants across sectors and countries
Provided recommendations for increasing cybersecurity standards adoption
Abstract
Cyber assurance, which is the ability to operate under the onslaught of cyber attacks and other unexpected events, is essential for organizations facing inundating security threats on a daily basis. Organizations usually employ multiple strategies to conduct risk management to achieve cyber assurance. Utilizing cybersecurity standards and certifications can provide guidance for vendors to design and manufacture secure Information and Communication Technology (ICT) products as well as provide a level of assurance of the security functionality of the products for consumers. Hence, employing security standards and certifications is an effective strategy for risk management and cyber assurance. In this work, we begin with investigating the adoption of cybersecurity standards and certifications by surveying 258 participants from organizations across various countries and sectors.…
