Figure - available from: International Cybersecurity Law Review
Weighted scores for the 75 actors identified by the panel of experts in Round 1


Source publication
Article
This paper empirically explores the contribution and collaborative networks of public and private actors to cybersecurity provision in Spain. The article draws on data from three sources: policy and legal documents, a Delphi study with cybersecurity experts, and 34 interviews. Rooted in the theoretical underpinnings of nodal governance and anchored...

Citations

... Governance and Compliance. Effective governance structures are necessary to ensure that cybersecurity policies are implemented and adhered to within HEIs. Del-Real and Fernández (2022) highlight the importance of plural governance approaches that recognize the diverse needs of different stakeholders (Del-Real & Fernández, 2022). This approach can help HEIs avoid a "one-size-fits-all" mentality in policy formulation, allowing for tailored solutions that address specific institutional challenges. Moreover, Neri et al. (2023) emphasize the role of organizational readiness in cybersecurity, suggesting that leadership support and a commitment to continuous learning are critical for fostering a resilient cybersecurity culture (Neri et al., 2023). ...
Article
Objective: The objective of this study is to investigate the intersection of cybersecurity policies with legal and cultural considerations within higher education institutions (HEIs), with the aim of addressing key challenges and proposing a balanced framework that ensures institutional control while respecting ethical and cultural diversity. Theoretical Framework: This research is grounded in theories of ethical governance, legal compliance, and cultural sensitivity. Established frameworks such as ISO 27001 and NIST Cybersecurity Framework provide a foundational basis but are examined critically for their limitations in addressing the unique needs of HEIs. Method: The study employs a qualitative methodology, combining a systematic literature review and semi-structured expert interviews. Data collection was conducted through a comprehensive review of academic and institutional sources (2015–2024) and in-depth interviews with ten experts from the fields of cybersecurity, legal studies, and higher education policy. Results and Discussion: The results revealed that existing cybersecurity frameworks lack alignment with cultural and ethical considerations, leading to resistance and limited effectiveness in HEIs. Key challenges include insufficient stakeholder engagement, tensions between institutional control and individual rights, and inadequate resources. The discussion contextualizes these findings within the theoretical framework, emphasizing the importance of inclusive policy development and ethical audits. Limitations of the study include its focus on specific institutional contexts, which may not fully generalize to other educational systems. Research Implications: The research has practical and theoretical implications for the development of more robust and inclusive cybersecurity policies. The findings provide actionable insights for improving stakeholder engagement, balancing legal and ethical imperatives, and fostering cultural sensitivity. 
These implications are particularly relevant for HEIs, policymakers, and cybersecurity professionals. Originality/Value: This study contributes to the literature by highlighting the necessity of integrating cultural and ethical dimensions into cybersecurity frameworks. Its innovative approach bridges gaps in existing models, providing practical solutions for HEIs to create secure, equitable, and culturally responsive digital environments.
... Based on the theoretical foundations of nodal governance and anchored pluralism, they argue that the position of the actors and the dynamics of public-private collaboration involved in cybersecurity governance can be understood through the analysis of the exchange of capital. The analyses they carried out reveal that public organizations occupy a preeminent position in cybersecurity governance despite the greater economic and cultural capital of large technological corporations (Del-Real & Díaz-Fernández, 2022). ...
Article
Persistent Challenges in Cybersecurity Governance Project Formulation: A Case Study in Ecuador and Beyond. The formulation of projects aimed at managing cybersecurity governance to optimize organizational resources presents persistent challenges both in Ecuador and globally. Among the most prevalent issues are: A lack of knowledge in identifying relevant standards and policies, Insufficient human resources with expertise and training in cybersecurity, and Deficiencies in norms, prototypes, and appropriate project management models for cybersecurity governance. The objective of this research is to perform the analysis for the formulation of a project for managing cybersecurity governance to optimize resources in an organization. A deductive approach and exploratory research methods were employed to analyze relevant documents and literature. Key Findings: Indicators to support the formulation of cybersecurity governance projects, Proposed solutions for project formulation in cybersecurity governance, Identification of relevant stakeholders essential for project development and resource optimization, Algorithm development utilizing flowchart techniques for project formulation. Conclusions: Simulation results, evaluated through the Likert scale and expert judgment, revealed varying levels of satisfaction: Scenarios 1 and 3: Satisfaction below 75% – indicating dissatisfaction, Scenarios 2 and 4: Satisfaction between 76% and 94% – indicating satisfaction, Scenario 5: Satisfaction between 95% and 100% – indicating high satisfaction. It is concluded that to ensure successful project formulation, all key stakeholders must achieve satisfaction levels exceeding 75%.
... In this chapter, we have brought together our research expertise in exploring both perspectives. On the one hand, we have examined the top-down perspective, seeking to understand the role of public institutions, private organizations, and professional communities, as well as the dynamics among them, in cybersecurity governance, with a particular focus on Spain (Del-Real, 2022; Del-Real & Díaz-Fernández, 2022; Del-Real & Rodriguez Mesa, 2023). On the other hand, we have adopted the bottom-up approach to investigate strategies for influencing user behaviour and enhancing awareness and training of employees in cybersecurity (van Steen & Deeleman, 2021). ...
... Therefore, when referring to "capital", I encompass five types: economic, political, cultural, symbolic, and social. For further details on the conceptual framework, please refer to Dupont (2004) and Del-Real and Díaz-Fernández (2022). with other entities to foster cybersecurity, (ii) to map the collaboration networks among these organizations and the hackers communities, and (iii) to determine the most likely future cybersecurity model for Spain in 2035. ...
... The CCN have real-time monitoring probes installed in the networks of public administrations to identify threats and incidents. However, the police officers I interviewed complained that their organizations did not have easy access to this information, even though one of their mandates is to protect citizens' rights, freedoms, and security, including in cyberspace, in their opinion (Del-Real & Díaz-Fernández, 2022). The lack of infrastructure that would enable them to conduct this "virtual patrolling" compromised their ability to take action. ...
Chapter
The field of cybersecurity governance research strives to understand, rationalize, and propose effective solutions for the complex task of safeguarding cyberspace as a secure environment. Concurrently, social research focuses on comprehending the institutions, policies, and behaviours that foster a safer online realm. This type of inquiry often relies on the expertise of professionals or involves research conducted directly with end-users. However, conducting fieldwork with these specific groups presents unique challenges pertaining to the subject matter. In this chapter, we aim to share our first-hand experiences of conducting fieldwork in cybersecurity, engaging with both experts and end-users. Our experiences stem from three distinct projects centred around governance, culture, and cybersecurity training. Throughout this chapter, we delve into the logistical, ethical, and emotional challenges we encountered along the research journey, highlighting the successes and missteps we encountered. By sharing our experiences and lessons learned, we contribute to the ongoing discourse in this field and offer valuable insights for future research endeavours.
... Holistic cybersecurity foundations and cybersecurity context in public sector [2, 3, 13, 15–34]. Tactical-operational cybersecurity workforce management [1, 35–47]. Cybersecurity talent development and retention [4–10, 48–66]. Outsourcing in public sector [11, Outsourcing CyberSOC services [89–95]. Slowly but surely, organizations are beginning to adopt practical approaches to cybersecurity management. However, these efforts are often limited to the strategic level and rely on information security standards rather than specific cybersecurity frameworks, as analyzed by Sulistyowati et al. in [15]. ...
... The threats and risks that emerge from this environment require unity of action and a broader holistic approach as studied in Ahmed et al. [17], and while some research has been conducted in this area as described by Atoum et al. in [18], much more work remains to achieve an acceptable level of holism, something that is covered by Kranemburg and Le Gars [19], and to cover those specific threats emanating from cyberspace for which an information security approach does not fit well. Recent studies also suggest the need to extend this holism not only within the organization itself, but also to its network of collaborators, civil organizations, government entities, and citizens, in order to provide the necessary unity of action to effectively respond to threats and risks, as investigated in [20] by Del-Real and Díaz-Fernández. ...
Article
Public sector organizations are facing an escalating challenge with the increasing volume and complexity of cyberattacks, which disrupt essential public services and jeopardize citizen data and privacy. Effective cybersecurity management has become an urgent necessity. To combat these threats comprehensively, the active involvement of all functional areas is crucial, necessitating a heightened holistic cybersecurity awareness among tactical and operational teams responsible for implementing security measures. Public entities face various challenges in maintaining this awareness, including difficulties in building a skilled cybersecurity workforce, coordinating mixed internal and external teams, and adapting to the outsourcing trend, which includes cybersecurity operations centers (CyberSOCs). Our research began with an extensive literature analysis to expand our insights derived from previous works, followed by a Spanish case study in collaboration with a digitization-focused public organization. The study revealed common features shared by public organizations globally. Collaborating with this public entity, we developed strategies tailored to its characteristics and transferrable to other public organizations. As a result, we propose the “Wide-Scope CyberSOC” as an innovative outsourced solution to enhance holistic awareness among the cross-functional cybersecurity team and facilitate comprehensive cybersecurity adoption within public organizations. We have also documented essential requirements for public entities when contracting Wide-Scope CyberSOC services to ensure alignment with their specific needs, accompanied by a management framework for seamless operation.
... Our research has confirmed, for an agency as specific as the intelligence services within the public sector, that university students from the legal, international relations, and criminological disciplines have a greater willingness to work for the CNI. Moreover, our research contributes to the literature on the willingness of Computer Science students to work for the CNI, probably motivated by the relevance of cyber threats, as well as the increasing role and publicity of the work of the National Cryptological Centre (CCN), which is part of the CNI. These results partially confirmed H1. ...
Article
The intelligence services compete with other public and private bodies to recruit the best candidates. Therefore, they must design specific recruitment policies to attract the young talent they need. However, the variables associated with the desire to work for these agencies among young people are still unknown. In this study, we explore these variables based on a survey administered to 2,888 young university students in Spain. The results reveal that social science students and those with greater satisfaction with democracy and trust in political institutions are more willing to work for the Spanish National Intelligence Centre.
Article
This study explores the future of cybersecurity governance in Spain by 2035, focusing on the roles of public and private actors. Using a two‐round Delphi method, we collected insights from experts to evaluate the probability, desirability, and impact of 20 projections for Spain's cybersecurity landscape. The findings suggest a consolidation of multi‐stakeholder forms of governance, with public agencies like INCIBE and CCN guiding policy and oversight while private entities deliver essential services. Experts foresee continued collaboration between national and EU institutions, with the EU playing a key role in regulatory coordination. Three governance scenarios emerged: public‐centric cybersecurity governance, state‐driven cybersecurity assurance, and private monopolistic provision. These scenarios underscore a complex multistakeholder model shaped by collaboration and tension between public and private actors, particularly in light of fragmented ownership over cyberspace resources. This study highlights the need for adaptable governance frameworks that balance regulatory oversight with private sector efficiency, providing insights for stakeholders as they prepare for evolving cyber threats.
Article
Insider threats represent a latent risk to all organizations, whether they are large companies or SMEs. Insiders, the individuals with privileged access to the assets of organizations, can compromise their proper functioning and cause serious consequences that can be direct—such as financial—or indirect—such as reputational. Insider incidents can have a negative impact on SMEs, as their resources are often limited, making it paramount to implement adequate cyber security measures. Despite its indisputable relevance, the empirical study of insider incidents from a criminological point of view has received little attention. This paper presents the results of an exploratory study that aims to understand the nature and extent of three types of insider incidents—malicious, negligent, and well-meaning—and how they are related to the adoption of cyber security measures. To that end, we administered a questionnaire among a panel of 496 Dutch SME entrepreneurs and managers and analyzed the results quantitatively and qualitatively. The results show that although the prevalence of insider incidents is relatively low among Dutch SMEs, few organizations report a disproportionate number of incidents that often entail serious consequences. A regression model shows that there are cyber security measures related to both higher and lower incident likelihood. The implications of these findings for the cyber security policies of SMEs are discussed.
Article
Keeping cyberspace secure is a complex task that poses a constant challenge for public institutions. The first wave of political disinterest in cybersecurity has been followed by a renewed concern for digital sovereignty, the defence of national cybersecurity and, more recently, the protection of citizens in cyberspace. To meet these objectives, states have developed regulations, institutions and practices based on different narratives. This study analyses the institutions involved in cybersecurity governance in Spain through four practices: cybersecurity culture, response to cyber incidents and cyber crises, critical infrastructure protection, and criminal investigation. The article provides evidence consistent with the conclusion that Spain has adopted the narrative of multi-stakeholder governance through competences distributed among different actors. This approach has materialised in institutional fragmentation and a lack of clarity about the cybersecurity system in Spain. The article ends with public policy proposals that could contribute to greater unity, coordination and clarity of the cybersecurity governance system.