On the Empirical Validation of a Zero Trust Security Framework via Group Support System Research

  • Conference paper
  • First Online:
Proceedings of the Future Technologies Conference (FTC) 2022, Volume 2 (FTC 2022 2022)

Part of the book series: Lecture Notes in Networks and Systems ((LNNS,volume 560))


Abstract

Zero Trust (ZT) is a strategic approach to cybersecurity. What is lacking in ZT is a holistic approach that addresses other departments and associated processes such as risk management, compliance, and finance. This paper elaborates on how a collaborative process via Group Support System (GSS) sessions was applied to validate the ZT Framework. Next, we describe the design and engineering of a ZT artefact (dashboard) that addresses the problems at hand, according to Design Science Research (DSR). The last part of this paper outlines the empirical validation with GSS through practitioner-oriented research to better implement ZT strategies. It elaborates on how this validation was conducted during the COVID pandemic in 2020 with 73 security practitioners. The final result is a widely supported and validated framework with a strategic and holistic approach to better understand the required capabilities to operationalize a ZT security strategy successfully.


Notes

  1. Chief Risk Officer Forum: the CRO Forum’s Emerging Risk Initiative continually scans the horizon to identify and communicate emerging risks.

  2. The Standish Group: decision latency theory states: “The value of the interval is greater than the quality of the decision.” Therefore, to improve performance, organizations need to consider ways to speed up their decisions.

  3. The Lockchain artefact constructed via DSR is a smart risk and security admin-technology that ensures end-to-end trust in DevOps teams. URL: https://www.thelockchain.eu.

  4. A protect surface contains a single DAAS element. The DAAS element in your protect surface is highly sensitive and critical to your business. You will have multiple DAAS elements that are critical to your business, resulting in multiple protect surfaces. The protect surface is orders of magnitude smaller than the attack surface and, because it is a single area of focus, is always knowable. (Source: Palo Alto Networks; author: J. Kindervag.)

  5. ATM is an abbreviation for automated teller machine. The ATM segment is part of the Moore private bank organization used in this demonstration of the artefact.

  6. On June 9th, global managed security services company and Zero Trust innovator ON2IT announced an industry first: Zero Trust as a Managed Service. https://on2it.nl/en/introducing-zero-trust-as-a-service/.


Corresponding author

Correspondence to Yuri Bobbert .


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Bobbert, Y. (2023). On the Empirical Validation of a Zero Trust Security Framework via Group Support System Research. In: Arai, K. (eds) Proceedings of the Future Technologies Conference (FTC) 2022, Volume 2. FTC 2022 2022. Lecture Notes in Networks and Systems, vol 560. Springer, Cham. https://doi.org/10.1007/978-3-031-18458-1_24
