Framework for Continuous Cybersecurity Management
Abstract (summary)
This dissertation introduces an innovative continuous cybersecurity management artifact using design science research methodology. Cybersecurity management is the informed assurance that information risks and controls are balanced. Traditionally, this assurance is organized into functions outlined by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which include Governance, Detection, Protection, Response, and Recovery. However, these functions have often been managed in isolation and at specific points in time, leading to ineffective outcomes. While existing literature addresses each function through continuous, dynamic, and adaptive (CDA) methods, there remains a gap in integrating these functions into a comprehensive approach. Additionally, there is limited research on the practical application and effectiveness of CDA methodologies in real-world settings (Lins et al., 2016; Melaku, 2023).
This dissertation presents a Comprehensive Continuous, Adaptive, and Dynamic (CAD) cybersecurity management framework that integrates all functions and categories of NIST CSF 2.0. The framework was validated through the creation and evaluation of a software artifact, called Maple GRC, that operationalizes these principles in a real-world setting.
Using Design Science Research Methodology (DSRM), this study identified key challenges, derived framework requirements from the literature, designed and developed the framework, demonstrated it as a software artifact (Maple GRC), and evaluated its perceived effectiveness in improving cybersecurity management. Thirty-six professionals from IT, cybersecurity, governance, risk management, and compliance participated in the evaluation. The findings demonstrate that the artifact enhances cybersecurity management and fosters a strong intent among professionals to adopt the software. Moreover, the study highlights the absence of similar approaches in theory and practice and confirms the validity of this integrated, holistic, and continuous paradigm for addressing cybersecurity challenges in modern organizations.
The research advocates for a shift from siloed, disconnected cybersecurity activities to a holistic, continuous, dynamic, and adaptive framework. In this model, each function influences and is influenced by others, fully integrating cybersecurity activities across the organization and its evolving environment.
Indexing (details)
Management;
Organization theory;
Business administration
0454: Management
0635: Organization Theory
0310: Business administration