New Validation of a Cybersecurity Model to Audit the Cybersecurity Program in a Canadian Higher Education Institution

Abstract

This article presents the results of one empirical study that evaluated the validation of the CyberSecurity Audit Model (CSAM) for the second time in a different Canadian higher education institution. CSAM is utilized for conducting cybersecurity audits in medium or large organizations or a Nation State to evaluate and measure cybersecurity assurance, maturity, and cyber readiness. The authors review best practices and methodologies of global leaders in the cybersecurity assurance and audit arena, that puts in evidence the lack of universal guidelines to conduct extensive cybersecurity audits and the detection of existing weaknesses in general programs to deliver cybersecurity awareness training. The architecture of CSAM is described in central sections. CSAM has been tested, implemented, and validated in three research scenarios (1) a single cybersecurity domain audit (Awareness Education), (2) Cybersecurity audit of several domains (Governance and Strategy, Legal and compliance, Cyber Risks, Frameworks and Regulations, Incident Management, Cyber Insurance and Evolving Technologies) and (3) Cybersecurity audit of all model domains The study concludes by showing how the validation of the model allows to report significant information for future decision making that the target organization may correct cybersecurity weaknesses or to improve cybersecurity domains and controls.