A Classification of Essential Factors for the Development and Implementation of Cyber Security Strategy in Public Sector Organizations

To ensure the achievement of quality security to safeguard business objectives, implementing, and maintaining an effective Cyber Security Strategy (CSS) is crucial. Inevitably, we need to recognize and evaluate the essential factors, such as technological, cultural, regulatory, economic, and others, that may hinder the efficacy of a CSS development and implementation. From the literature review, it is evident that such factors are either abstractly stated, or only assessed from singular viewpoint and are scattered across the literature. Moreover, there is a lack of holistic studies that could assist us in comprehending the critical factors affecting a CSS. In this paper, we present a systematic classification of distinct, structured, and comprehensive list of key factors covering multiple aspects of an organization’s CSS, including organizational, cultural, economic, legal and political, and security, to provide a more complete view of understanding the essentials and analyzing the aptitude of a planned or given CSS. The proposed classification is further evaluated to examine the critical factors verified by conducting semi-structured interviews from security experts in different public sector organizations. Furthermore, we present a comparison of our work with the recent attempts that reflects that a significant accumulation of essential factors have been holistically identified in this study. Keywords—Cyber security strategy; critical factors; risk treatment; culture; threats


I. INTRODUCTION
This Cyber security is a vital concern for both the public and private sectors. However, the public sector is unique as it comparatively has a vast IT infrastructure covering a broader and general user base [1]. Public sector organizations have experienced targeted attacks continuously and increasingly [2]. Around 70% of breaches target public or government organizations [3].
Security is becoming harder to manage in today"s dynamic information systems and necessitates an efficient strategy to deal with the adverse incidents and to protect the organization from the potential risks [4]. A Cyber Security Strategy (CSS) is a long-term high-level plan designed to achieve security goals to ensure that the business meets its set objectives, mission, and vision effectively [5]. It provides a collection of frameworks, procedures, and corresponding objectives that aim to achieve certain quality in securing the organization infrastructure and operations.
As stressed in [6] and [7], CSS is very important to the public sector because:  Cyber-attacks in this domain is more permanent and their consequences can last for a long period.
 The public sector is composed of the most sensitive and critical infrastructure.
 There is a need to develop justifications for and foresee low risk investments of public funds in cyber security solutions and services.
 It will assist in implementing a uniform plan across the organization to protect public resources, and therefore assist in building and retaining a high-level public trust.
The reliance of technology for almost every single process in an organization has led to push CSS and its success factors to the top of the business agenda. A CSS can only be designed and implemented efficaciously, if we recognize and assess the corresponding influencing factors [8]. During our study, we found that there have been numerous efforts made in highlighting these factors however, their focus is either a particular aspect of business like regulatory needs and technical concerns, or abstractly identified in a particular operational infrastructure, e.g., healthcare. We couldn"t find any appropriate study that provides a holistic and comprehensive classification or list of essential factors, which we can refer to for (re)consideration, while we plan to design and implement an effective CSS.
In this study, we present a classification of distinct and well-structured list of more than twenty essential factors that will help a public sector"s organization to evaluate key business and operational aspects when designing or implementing their CSS. For every long-term planning, such as a CSS, it is vital to consider the major business contexts. This includes the human factors, regulatory and political contexts, economic capabilities, the potential threat landscape and its methodological management, etc. [9]. To ensure that our classification encompasses all major and mission-critical business themes, we developed our classification to include six principal classes as: Organizational, Cultural, Legal and Political, Economic, Technical, and Risk. Similar business themes are also stressed to be evaluated in [9][10][11]. This classification ensures that all the identified factors are aligned with and cover the vital concerns related to the key contexts of *Corresponding Author www.ijacsa.thesai.org an organization. To further refine the factors and to highlight the critical ones, we have conducted open-ended semi-structure interviews. The interviews, comprising of seventy questions, were held with experts in the field to comprehend what they believe to be crucial factors for a successful CSS. Moreover, a comparative analysis is performed with the existing related work that shows that our classification provides a more comprehensive and complete list of factors, and provides an organization a broader view of the dynamics related to the development and implementation of an effective CSS.
The rest of the article is structured as follows: In Section 2, we summarize the area, factors and methodology used in the related work. The methodology used and results are detailed in Section 3. This section also highlights the reflection made on the critical factors identified. A comparison of the proposed classification with related work is provided in Section 4. Finally, the study limitations and conclusion are presented in Section 5.

II. RELATED WORK
Several studies highlighted some of the factors that can influence the design and implementation of CSS. In this section, we have reviewed the most related literature. These works also form the basis of the proposed classification and are also used in the comparison.
Jalaai et al. [2] has explored the organizational perspective of cyber security in the Healthcare sector. The study followed a systematic literature review and focused on the most important aspects needed to tackle a successful strategy adopted for healthcare. The study highlighted and focused on organizational factors that also touched the technical readiness of the healthcare institutes. The factors identified in this study were software development security, disaster recovery planning and business continuity.
The human factor in the current cyber security landscape is studied by Benson et al. [12]. Using a systematic literature review, the authors outlined the most critical factors in human element domain are: Awareness, Individual Attitudes, Norms and Cultural context. Fritzvold, in [13], has focused on the Cyber security in the organization with focus on the sectors of power distributions, railway and healthcare. The study followed a case study approach to explore the factors that directly or indirectly influence the cyber security posture in the mentioned domains.
The key factors outlined in this work are: competence, compliance, awareness, leadership engagement and system technology management.
Awan et al., in [14], have studied the security strategies to overcome security measures, the authors pointed out the effective factors that influence the success of implementing such strategies to overcome such measures. Following a systematic literature review, the factors stressed are: Level of governance in critical information infrastructure (CII), level of protection, sharing of Cyber-security information and insufficient market preparation.
In [15], the authors studied the human factors in the information security culture and stated that the human factor has always been the weakest link when it comes to security enforcement. To strengthen this aspect, some procedures need to be taken into consideration. Following a systematic literature review, the authors included that the essential human factors that form the basis for a successful security program enforcement are: information security (IS) policy, deterrence, incentives, attitude, involvement, training and awareness and management support. The authors concluded that only employing technology-oriented security controls are not sufficient, and that people at all levels of the organization play an important role in bringing a positive value to the information security culture and therefore, should be assessed and addressed in any security program.
Khansa et al. [16], have followed two rounds of a qualitative survey to study the impact of organizational control in cyber environment. The study emphasized on exploring the relationship between employees" cyberloafing and formal organization control. Cyberloafing is defined as the surfing of employees over the internet for personal reasons during work hours [17,18]. Such a behavior negatively affects the productivity and may lead to unwanted and severe security issues. The study suggested that that factors such as, attitude, subjective norms perceived, behavioral controls and lack of punishment. These factors play a vital role in designing organization controls that are crucial to be considered for any given CSS.
Ebenezer [19] studied how staff accessing, using and sharing published information online is conducted within the National Health Service (NHS) in England along with the potential impacts they may have on the trust of these services. The author makes use of semi-structured interviews and document analysis methods and shows risk factors that can adversely affect the security of these services are information manipulation, identity theft, insider, productivity loss and cyber-attacks.
Cooke [20] conducted a systematic literature review to identify the factors related to the success of strategies implemented in the public sector. The study concluded factors such as, IT skills, adequate funding, engagement to CSS, cybercrime law and public enlightenment programs are inevitable to be considered for a successful strategy.
Choejey et al. [21] explored the critical success factors for cybersecurity in government organizations in Bhutan. The authors conducted a questionnaire-based survey for data collection. The study concluded several critical factors needed for the successful implementation of cyber security. They are: awareness and training, security policy, budget, security audit, security responsibility, organization structure, change management, and communication and collaboration.
Peursum [22] studied the building blocks necessary for a security strategy from an organization perspective. The author adopted an expert interviews methodology to confirm data collected from the literature. The key factors highlighted are, systems, skills, staff, strategy, style shared value and structure.
While developing and implementing the cyber security strategy the alignment with business objectives should be taken into consideration. Developing a CSS is certainly not a single www.ijacsa.thesai.org perspective task. It should be aligned with the organization"s objectives and vision. It should also build the trust that needed to realize the objectives and protecting the organization from the cyber-threats [23]. The key factors and the focus area of the reviewed literature are summarized in Table I.

III. METHODOLOGY AND RESULTS
To achieve our objective of a well-defined and structured classification of the essential factors for an effective CSS, we have utilized two-step approach; first, to develop the classification, and second, to recognize the most critical factors.

A. Factors Classification
Firstly, a literature review method has been employed to devise a structured classification of the essential factors. This was necessary to collect the necessary factors, summarized in the Table I that are scattered across the literature, some of them were synonymous. For instance, awareness, public enlightenment programs, and training and awareness have the same meaning and objective, which need to be transformed to a common terminology. Similarly, as productivity loss, cyberattacks, and insider threats represent instances of threats and attacks, they are accumulated in accordingly. Moreover, there was a need to re-label a few of them to widely recognized terminology in the context of CSS, e.g., "structure" needs to be resolved to organizational structure, which is less confusing and a more commonly known phrase. Therefore, to have a refined classification and to avoid the mentioned concerns in a systematic manner, we exercised the following steps in a process manner as shown in Fig. 1.

B. Identifying Critical Factors
Critical factors may vary from the type of organization to country or region they are operating in, as they might be influenced by their respective regulations, culture, threat spectrum, and other circumstances. In this study, we have explored critical factors in the context of public sector organizations working in Oman. We conducted open-ended and semi-structured interviews from a target group of ten participants to further refine and confirm these critical factors. Participants were selected based on the criteria such that they have at least a five years" experience in the security domain and have been involved in key business processes related to CSS at the organizational level in the public sector. A summary of the participants" profiles is highlighted in Table II. Seventy questions were asked in each interview with at least two distinct questions to assess the importance (criticality) of each factor listed in the classification. The questions were validated using face validation and pilot testing with two experts, as suggested in [31] that assisted us to eliminate and modify the redundant and out-of-context questions. The interview sessions were recorded and transcribed into text, and analyzed using the Interactive Analysis Model [32]. A Likertscale was then used to evaluate the overall feedback concerning the importance of a given factor. The importance scale used was: Very Important= 5, Important=4, Moderately Important=3, Less important =2, Unimportant= 1). Factors having an average value of 4 and above are characterized as critical. The factors criticality level of each factors with respect to each participant (P) response is depicted in Table III to VIII. Table III, Organizational Size, Shared Values, and Risk Postures were considered as no critical. The majority of the participants concurs that the organizational size does not affect the CSS development and execution as long as there is a clear structure, guideline, and resources available. Risk posture was dominated because the majority of participants acknowledged that they adapt from the existing standard risk management methodologies and practices as per their needs instead of defining and utilizing their own as it takes considerable time and effort to conclude it. Moreover, since shared values are motivated by the competitiveness in the market, it is less perceived in the public sector [33] and was therefore not acknowledged by the P2, which lowered its overall score in the class.

1) Organizational factors: As can be seen in
2) Cultural factors: From all the interviews conducted, as evident in Table IV, it was concluded that the majority of the participant, based on their experiences, believed that the employees" positive attitude, knowledge, and collaboration are critical to complete tasks in a teamwork. Employee compliance with the organizations policy and rules is also accounted as critical. The popular perception about deterrence was that although related penalties and actions exist, it is not usually experienced in practice. Pressure was believed to be rarely existed, as government authorities do not frequently introduce changes.
3) Legal and political factors: The interviews were conducted before April 2021 when there were no taxes and interest rates introduced in Oman. They were not applicable and therefore were unimportant, as reflected in Table V. Even with their introduction an application, it is still a nominal concern for government driven organizations. On the other hand, laws and regulations and government interest were marked as critical as commonly commented as actively overseen in the participants" organization as key factors.

4) Economic factors:
As primarily based on government funding, all participants concur that it is critical. As for the cost and budget, the majority believes that although cost is an important factor to invest in the efficacy of the CSS, it has not been a key problem for the public sector. These verdicts are also reflected in Table VI. Table VII, all participants strongly believed that the technical aspects of the CSS are of utmost importance. This perception is true mainly because a substantial part of the operations and processes are supported by IT-based systems in which the listed factors are inevitable. However, a few participants pointed out that change www.ijacsa.thesai.org management is unless important. They remarked that the changes introduced are either infrequent or are easily manageable. This notion is also supported the perception about the pressure factor in the Cultural class.

6) Risk factors:
The common consensus about the risk factors was that all of them are high importance as they all are necessary to be monitored, analyzed, and managed earnestly not just in the context of an effective CSS but, also with regards the sensitivity of the public information that they are dealing with. They also indicated to have a clear risk treatment plan and protocols that their organization follow. P2 stated that they don"t have such plan and mechanism in place and that their organization tends to decide one when there is a need and that too for only severe and organizational wide risks. Table VIII highlights the scores associated with the risk  factors. Based on the interviews and the scaled defined, the list of critical factors are identified, as illustrated in Fig. 3.

IV. COMPARISON
In this section, we provide a comparison of our classification with the studies summarized in Table I. However, we have selected only the 10 most relevant ones that cover the majority of the factors that are also common in the other attempts listed there. The comparison is provided in Table IX to XI. The tick mark indicates that a particular factor is stressed as an essential CSS factor whereas, the cross sign highlights that the given factor is not addressed essential. Overall, it can be concluded that our work provides a more complete list of factors rather than emphasizing a particular set of factors. Moreover, it can be observed that most of these works have mainly focused on the organizational and cultural aspects, whereas other key contexts of the business have been overlooked. www.ijacsa.thesai.org To develop and implement an effective CSS, we need to recognize and evaluate the necessary factors that might influence its efficacy. In this article, we have accumulated a comprehensive list of such essential factors in accordance with the critical areas of an organization that are vital to be recognized and evaluated for any long-term planning, such as developing a CSS. The comparison depicts that the proposed classification covers and provides a broader view of the essential CSS Factors as compared to the current attempts that emphasize on a specific domain or context of a business. Such a holistic classification of essential factors can provide a fundamental ground for organizations planning to develop and implement a CSS to understand and evaluate the influencing aspects of it and to plan accordingly. Furthermore, we have also listed the critical factors in the public sector in Oman. However, we believe that this study is limited in scope and that the corresponding critical factors assessed may vary considerably in regions or spaces with different legal, political, economic, and cultural backgrounds. More data need to be collected and analyzed to conclude whether this list of critical factors will shrink or grow, and it will be interesting to see how different types or organizations in a broader geospatial context comprehend the criticality of the different factors. In future, we plan to further refine the classification proposed and conduct a wider data collection approach to evaluate the critical factors.