Application and Evaluation of Method for Establishing Consensus on Measures Based on Cybersecurity Framewor

Due to the development of our information society in recent years, the number of companies depending on IT systems has increased. However, it has been noticed that executives have not implemented sufficient information security measures. This is due to the poor consensus regarding information security between executives and IT administrators in an enterprise. Numerous approaches to solve this problem have been carried out. The Cybersecurity Framework developed by NIST is one approach. However, the Cybersecurity Framework does not have a function to select and enumerate specific measures on the basis of mutual understanding between executives and administrators. By applying the Cybersecurity Framework and use cases of the framework provided by the Intel Corporation, we propose a method that can enumerate measures and obtain the optimal combination of measures that leads to mutual agreement between executives and administrators. Moreover, the authors implemented a system called Risk Communicator for Tier (RC4T) to support the framework. By applying this framework and RC4T to a small example, we were able to enumerate specific measures for obtaining mutual consensus between executives and administrators.