Evaluation of Cyber Security Awareness Policies Using the NIST CSF Framework
Keywords:
Cybersecurity, Awareness, NIST CSF, Security Policy, Systematic Literature Review, Framework
Abstract
Awareness is a critical aspect of cybersecurity, especially in shaping an information security culture within an organization. The NIST Cybersecurity Framework (CSF) offers strategic guidance that includes the "Protect" function, which contains policies for enhancing security awareness. This study aims to evaluate the effectiveness and implementation of awareness policies linked to the NIST CSF framework through a Systematic Literature Review (SLR) approach. This research covers 15 scientific articles from the IEEE Xplore, SpringerLink, and Google Scholar databases published between 2019 and 2024. The results show that cybersecurity training, phishing attack simulations, and digital awareness campaigns are the most widely used strategies. The study also identifies challenges regarding program sustainability and management involvement. These findings provide a comprehensive overview of best practices and obstacles in implementing NIST CSF-based awareness policies.