Abstract
Zero Trust (ZT) is a strategic approach to Cybersecurity. What is lacking in ZT is a holistic approach that addresses other departments and associated processes such as risk management, compliance, and finance. This paper elaborates on how a collaborative process via Group Support System sessions was applied to validate the ZT Framework. Next, we describe the design and engineering of a ZT artefact (dashboard) that addresses the problems at hand, according to Design Science Research (DSR). The last part of this paper outlines the empirical validation with GSS through practitioner-oriented research to better implement ZT strategies. It elaborates on how this validation was conducted during the COVID pandemic in 2020 with 73 security practitioners. The final result is a widely supported and validated framework with a strategic and holistic approach to better understand the required capabilities to operationalize a ZT security strategy successfully.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Chief Risk Officer Forum; The CRO Forum’s Emerging Risk Initiative continually scans the horizon to identify and communicate emerging risks.
- 2.
The Standish Group: Decision latency theory states: “The value of the interval is greater than the quality of the decision.” Therefore, to improve performance, organizations need to consider ways to speed-up their decisions.
- 3.
The Lockchain artefact constructed via DSR is a smart risk and security admin-technology that ensures end to end trust in DevOps teams. Url; https://www.thelockchain.eu.
- 4.
A protect surface contains a single DAAS element. The DAAS element in your protect surface is highly sensitive and critical to your business. You will have multiple DAAS elements that are critical to your business, resulting in multiple protect surfaces. The protect surface is orders of magnitude smaller than the attack surface and, because it is a single area of focus, is always knowable. (Source: Palo Alto Networks, author; J. Kindervag).
- 5.
ATM is an abbreviation for automated teller machine. The ATM segment is part of the Moore private bank organization used in this demonstration of the artefact.
- 6.
At June 9th global managed security services company ON2IT Zero Trust innovator, announces an industry first: Zero Trust as a Managed Service. https://on2it.nl/en/introducing-zero-trust-as-a-service/.
References
Betz, C.: The Impact of Digital Transformation, Agile, and DevOps on Future IT Curricula (2016)
Bobbert, Y., Ozkanli, N.: LockChain technology as one source of truth for Cyber, Information Security and Privacy). In: Computing Conference. London (2020)
CROForum: Understanding and managing the IT risk landscape: a practitioner’s guide (2018). https://www.thecroforum.org/2018/12/20/understanding-and-managing-the-it-risk-land-scape-a-practitioners-guide/
Kumar, T.: What is the Impact of Distributed Agile Software Development on Team Performance? Antwerp Management School, Antwerp (2020)
Lencioni, P.: The Five Dysfunctions of a Team; a leadership fable. Wiley Imprint Jossey Bass, SA USA (2002)
Ozkanli, N.: Implementation of Continuous Compliance; Automation of Information Security Measures in the software development process to ensure Continuous Compliance. Open University Press Netherlands, utrecht (2020)
Forsgren, N.: Accelerate: The Science of Lean Software and Devops: Building and Scaling High Performing Technology Organisations. IT Revolution Press, United States (2018)
McCarthy, M.A.: A compliance aware software defined infrastructure. In: Proceedings of IEEE International Conference on Services Computing, pp. 560–567 (2014)
Bobbert, Y.: Defining a research method for engineering a Business Information Security artefact. In: Proceedings of the Enterprise Engineering Working Conference (EEWC) Forum, Antwerp (2017)
Hilton, M.N.N.: Trade-offs in continuous integration: assurance, security, and flexibility. In: Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (2017)
ITGI: Information Risks; Who's Business are they? IT Governance Institute, United States (2005)
Kuijper, N.: Effective privacy governance and (change) management practices (limited to GDPR article 32) a view on GDPR ambiguity, non-compliancy risks and effectiveness of ISO 27701 as Privacy Management System. Antwerp Management School, Antwerp (2020)
Kluge, D., Sambasivam, S.: Formal Information Security Standards in German Medium Enterprises. In: Conisar, Phoenix (2008)
Puhakainen, P., Siponen, M.: Improving employees compliance through information systems security training; an action research study. MIS Quar. 34(4), 757–778 (2010)
Workman, M., Bommer, W., Straub, D.: Security lapses and the omission of information security measures: a threat control model and empirical test. Comput. Hum. Behav. 24(6), 2799–2816 (2008)
Lebek, B., Uffen, J., Neumann, M., Hohler, B., Breitner, M.: Information security awareness and behavior: a theory-based literature review. Manag. Res. Rev. 12(37), 1049–1092 (2014)
Yaokumah, W., Brown, S.: An empirical examination of the relationship between information security/business strategic alignment and information security governance. J. Bus. Syst. Govern. Ethics 2(9), 50–65 (2014)
Flores, W., Antonsen, E., Ekstedt, M.: Information security knowledge sharing in organizations: investigating the effect of behavioral information security governance and national culture. Comput. Secur. 2014–43, 90–110 (2014)
Pfeffer, J., Sutton, R.: The Knowing‐Doing Gap: How Smart Companies Turn Knowledge into Action. Harvard Business School Press (2001)
Bobbert, Y., Scheerder, J.: Zero trust validation: from practical approaches to theory. Sci. J. Res. Rev. 2(5) (2020). https://doi.org/10.33552/SJRR.2020.02.000546
Bobbert, Y., Scheerder, J.: On the design and engineering of a zero trust security artefact. In: Future of Information and Communication Conference (FICC), Vancouver (2021)
WhiteHouse: Executive Order on Improving the Nation’s Cybersecurity. Washington, United States (2021). https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
Bobbert, Y.: Improving The Maturity of Business Information Security; On the Design and Engineering of a Business Information Security Artefact. Radboud University, Nijmegen (2018)
Van Niekerk, J., Von Solms, R.: Information Security Culture; A Management Perspective, pp. 476–486. Elsevier (2010)
Papelard, T.: Critical Succes Factors for effective Business Information Security. Antwerp Management School, Antwerpen (2017)
Deming, W.: Elementary Principles of the Statistical Control of Quality. JUSE (1950)
NIST: Zero Trust Architecture SP 800-207 (2020). https://www.nist.gov/news-events/news/2019/09/zero-trust-architecture-draft-nist-sp-800-207-available-comment
Hooper, V., McKissack, J.: The emerging role of the CISO. Business Horizons, no. 56, pp. 585–595. Indiana University (2016)
von Solms, R., von Solms, B.: Information Security Governance_ A model based on the Direct–Control Cycle. Comput. Secur. Science Direct 25, 408–412 (2006)
March, S., Smith, G.: Design and natural science research on information technology. Decis. Support Syst. 15, 251–266 (1995)
Hevner, S., Park, J.M., Ram, S.: Design science research in information systems. Manage. Inf. Syst. Quar. 28(1), 75–105 (2004)
Johannesson, P., Perjons, E.: An introduction to Design Science. Springer, Stockholm University (2014)
Wieringa, R.: Design science as nested problem solving. In: Proceedings of the 4th International Conference on Design Science Research in Information Systems and Technology. New York (2009)
Bobbert, Y., Mulder, J.: Group support systems research in the field of business information security; a practitioners view. In: 46th Hawaii International Conference on System Science. Hawaii US (2013)
Ackermann, F., Gallupe, R., Franco, A., Parent, M.: GSS for multi-organizational collaboration: reflections on process and content. Group Decision and Negotiation, Management Science. University of Strathclyde (2005). https://doi.org/10.1007/s10726-005-0317-4
Klein, E.E.: Group support systems and the removal of barriers to creative idea generation within small groups: the inhibition of normative influence. Virtual education: Cases in learning and teaching technologies, pp. 91–112. IRM Press, Hershey, PA (2003)
Hancock, J.T., Thom-Santelli, J., Ritchie, T.: Deception and design: the impact of communication technology on lying behavior. In: Proceedings of the 2004 Conference on Human Factors in Computing Systems, pp. 129–134 (2004)
den Hengst, M., Adkins, M., Keeken, S., Lim, A.: Which Facilitation Functions are Most Challenging: A Global Survey of Facilitators. Delft University of Technology, Delft (2005)
Nunamaker, J.F.J., Briggs, R.O., Mittleman, D.D., Vogel, D.R.: Lesson from a dozen years of group support systems research: a discussion of lab and field findings. J. Manag. Inf. Syst. 13(3), 163–207 (1996)
Argyris, C.: Double-loop learning, teaching, and research. Acad. Manag. 1(2), 206–218 (2002)
Kindervag, J.: Zero Confusion for Zero Trust Terminology, Palo Alto Networks (2019). www.paloaltonetworks.com/resources/zero-trust. Accessed 20 May 2021
Pyrko, I., Eden, C., Howick, S.: Knowledge Acquisition Using Group Support Systems. Group Dec. Negot. 28, 233–253 (2019)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Bobbert, Y. (2023). On the Empirical Validation of a Zero Trust Security Framework via Group Support System Research. In: Arai, K. (eds) Proceedings of the Future Technologies Conference (FTC) 2022, Volume 2. FTC 2022 2022. Lecture Notes in Networks and Systems, vol 560. Springer, Cham. https://doi.org/10.1007/978-3-031-18458-1_24
Download citation
DOI: https://doi.org/10.1007/978-3-031-18458-1_24
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-18457-4
Online ISBN: 978-3-031-18458-1
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)