Developing a Risk-Based Security Roadmap: A Strategic Approach to Cybersecurity Planning
Samuel A. Adewole
Information Security Specialist | Security Risk Management Specialist | Strategy & Transformation | Cyber Resilience | API Security | DevSecOps | Data Security | Auditor
I. Introduction
In the world of cybersecurity, where threats are constantly evolving and the stakes are high, organizations must adopt a risk-based approach to safeguard their digital assets effectively. As Douglas W. Hubbard and Richard Seiersen emphasize in "The Metrics Manifesto: Confronting Security with Data" (2022), making informed decisions based on accurate risk quantification is crucial for optimizing security investments and maximizing risk reduction. Developing a strategic security roadmap is an essential step in this process, as it provides a clear direction and prioritization for an organization's cybersecurity efforts (Seaman & Gioia, 2023).
Imagine embarking on a cross-country road trip without a map or a plan. You might eventually reach your destination, but the journey would be full of unnecessary detours, wasted time, and potential hazards. Similarly, navigating the complex landscape of cybersecurity without a risk-based roadmap can lead to inefficient resource allocation, misaligned priorities, and increased exposure to cyber threats (Amin, 2019). A well-crafted security roadmap acts as a GPS for your organization's cybersecurity journey, guiding you towards your desired state of resilience and risk management (Tahajod et al., 2009).
The key steps in creating a risk-based security roadmap involve assessing your current security posture and risks, prioritizing initiatives based on their potential for risk reduction and business impact, establishing clear goals and milestones, and regularly reviewing and updating the roadmap to adapt to changing circumstances (Parsola, 2023). By following these steps, organizations can develop a strategic and adaptable approach to cybersecurity planning that maximizes the value of their security investments and helps them stay ahead of emerging threats (Labazanova et al., 2023).
II. Assessing Current Security Posture and Risks
Before embarking on the journey of creating a risk-based security roadmap, it is essential to understand your organization's current security posture and the risks it faces. As Steven Levitt, the co-author of "Freakonomics," might suggest, this process is akin to conducting a thorough health check-up before starting a new fitness regimen. Just as a doctor would assess your vital signs, medical history, and lifestyle factors to identify potential health risks, a comprehensive security risk assessment is necessary to uncover the vulnerabilities, threats, and potential impacts that could jeopardize your organization's digital well-being (Bokan & Santos, 2021).
The first step in this assessment is to identify your organization's critical assets, which may include sensitive data, intellectual property, financial information, and operational systems (Gunawan et al., 2023). These assets are the crown jewels that attackers are most likely to target, and their compromise could have severe consequences for your business. Once you have identified these assets, you need to evaluate the vulnerabilities that could be exploited to gain unauthorized access to them, such as unpatched software, weak passwords, or misconfigured settings (Jaquire & Solms, 2015).
Next, you should consider the various threats that could exploit these vulnerabilities, including cybercriminals, nation-state actors, insiders, and even accidental errors (Stoneburner, 2006). By understanding the motivations, capabilities, and tactics of these threat actors, you can better anticipate the likelihood and potential impact of different types of security incidents (Slovic, 1987). This information will help you prioritize risks based on their severity and alignment with your business objectives, enabling you to focus your resources on the most critical areas (Renn, 1992).
III. Prioritizing Security Initiatives Based on Risk Reduction and Business Impact
Once you have a clear picture of your organization's security risks, the next step is to prioritize the initiatives that will most effectively reduce those risks while supporting your business goals. As Douglas W. Hubbard and Richard Seiersen point out in "How to Measure Anything in Cybersecurity Risk" (2023), not all risks are created equal, and attempting to eliminate every possible threat is both impractical and counterproductive. Instead, organizations should focus on the risks that pose the greatest potential for harm and align their security efforts with their overall risk appetite and tolerance (Curran, 2018).
To evaluate the potential risk reduction and business value of each initiative, you can use techniques such as the Factor Analysis of Information Risk (FAIR) methodology, as described by Jack Freund and Jack Jones in "Measuring and Managing Information Risk: A FAIR Approach" (2015). This approach involves breaking down complex risk scenarios into their component factors, such as threat event frequency, loss magnitude, and vulnerability, and using probabilistic models to estimate the likely impact and cost of different mitigation strategies (Koubatis & Schonberger, 2005).
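As an added illustration (not code from the article, from Freund and Jones, or from the FAIR standard itself), the following Python script runs a small FAIR-style Monte Carlo over one constructed scenario and ranks three hypothetical initiatives by simulated annualized loss reduction per dollar of cost, which is the same comparison the prioritization steps in this section and in Section V describe. The scenario rates, loss bounds, initiative names and cost figures are all assumed sample values, and the 90%-confidence-interval-to-lognormal mapping is the calibrated-estimate convention used in the quantitative-risk literature cited above.

```python
import math
import random
from dataclasses import dataclass, replace

Z90 = 1.645  # z-score that bounds a two-sided 90% confidence interval


@dataclass(frozen=True)
class Scenario:
    """One FAIR-style loss scenario (all numbers used here are constructed sample values)."""
    tef_mean: float       # threat event frequency: expected attempts per year (Poisson rate)
    vulnerability: float  # probability that an attempt becomes a loss event (0..1)
    loss_low: float       # lower bound of the 90% CI for loss per event, in dollars
    loss_high: float      # upper bound of the same 90% CI


@dataclass(frozen=True)
class Initiative:
    """A hypothetical mitigation: scales one or more FAIR factors at an annual cost."""
    name: str
    annual_cost: float
    tef_factor: float = 1.0   # multiplies threat event frequency
    vuln_factor: float = 1.0  # multiplies vulnerability
    loss_factor: float = 1.0  # multiplies both loss-magnitude bounds


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Turn a 90% CI (low, high) for a positive quantity into lognormal (mu, sigma)."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def expected_annual_loss(s: Scenario) -> float:
    """Closed-form annualized loss expectancy: rate * P(success) * E[loss per event]."""
    mu, sigma = lognormal_params(s.loss_low, s.loss_high)
    return s.tef_mean * s.vulnerability * math.exp(mu + sigma ** 2 / 2)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's inversion sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, trials: int = 10000, seed: int = 7) -> list[float]:
    """Monte Carlo: one simulated year per trial, returning each year's total loss."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    mu, sigma = lognormal_params(s.loss_low, s.loss_high)
    years = []
    for _ in range(trials):
        total = 0.0
        for _ in range(poisson(rng, s.tef_mean)):  # attempts this year
            if rng.random() < s.vulnerability:      # the attempt succeeds
                total += rng.lognormvariate(mu, sigma)
        years.append(total)
    return years


def summarize(losses: list[float]) -> dict[str, float]:
    """Mean (the simulated ALE) and the 90th-percentile year, a simple value-at-risk figure."""
    ordered = sorted(losses)
    return {"mean": sum(losses) / len(losses), "p90": ordered[int(0.9 * len(ordered))]}


def apply_initiative(s: Scenario, i: Initiative) -> Scenario:
    """Scenario after the initiative is in place, with vulnerability capped at 1.0."""
    return replace(
        s,
        tef_mean=s.tef_mean * i.tef_factor,
        vulnerability=min(1.0, s.vulnerability * i.vuln_factor),
        loss_low=s.loss_low * i.loss_factor,
        loss_high=s.loss_high * i.loss_factor,
    )


def rank_initiatives(baseline: Scenario, initiatives: list[Initiative],
                     trials: int = 10000) -> list[dict]:
    """Rank initiatives by simulated ALE reduction per dollar of annual cost."""
    base = summarize(simulate_annual_losses(baseline, trials))["mean"]
    rows = []
    for i in initiatives:
        mitigated = summarize(simulate_annual_losses(apply_initiative(baseline, i), trials))["mean"]
        reduction = base - mitigated
        rows.append({"name": i.name, "ale_reduction": reduction, "annual_cost": i.annual_cost,
                     "reduction_per_dollar": reduction / i.annual_cost})
    return sorted(rows, key=lambda r: r["reduction_per_dollar"], reverse=True)


# Constructed sample scenario: ~12 credential attacks a year, 30% succeed, $20k-$500k per success.
BASELINE = Scenario(tef_mean=12.0, vulnerability=0.30, loss_low=20_000.0, loss_high=500_000.0)
# Hypothetical initiatives and costs, chosen only to illustrate the comparison.
INITIATIVES = [
    Initiative("MFA on remote access", annual_cost=40_000.0, vuln_factor=0.5),
    Initiative("Tested backups", annual_cost=60_000.0, loss_factor=0.8),
    Initiative("Perimeter filtering", annual_cost=100_000.0, tef_factor=0.75),
]

if __name__ == "__main__":
    print(f"analytic ALE: ${expected_annual_loss(BASELINE):,.0f}")
    print("simulated:", summarize(simulate_annual_losses(BASELINE)))
    for row in rank_initiatives(BASELINE, INITIATIVES):
        print(f"{row['name']:<22} reduction ${row['ale_reduction']:>10,.0f}  "
              f"per dollar {row['reduction_per_dollar']:.2f}")
```

The p90 figure is the year-level tail the backup and incident-response initiatives in Section III are meant to shrink, so a report would normally show it beside the mean rather than the mean alone.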
When prioritizing initiatives, it is also important to balance proactive and reactive security measures. While proactive measures, such as implementing strong authentication and encryption, can help prevent security incidents from occurring in the first place, reactive measures, such as incident response plans and backup systems, are essential for minimizing the impact of successful attacks (Scheer et al., 2014). The right mix of proactive and reactive measures will depend on your organization's specific risk profile and business needs.
Finally, it is crucial to consider the feasibility and resource requirements of each initiative. As Steven Levitt might caution, even the most promising security solutions will fail if they are too complex, expensive, or disruptive to implement effectively. By carefully evaluating the costs and benefits of each initiative, and involving stakeholders from across the organization in the decision-making process, you can ensure that your security roadmap is both achievable and sustainable (Chidukwani et al., 2021).
IV. Establishing Short-Term and Long-Term Security Goals and Milestones
With a prioritized list of security initiatives in hand, the next step is to translate those priorities into clear, measurable, and time-bound goals and milestones. As Steven Levitt might suggest, this process is similar to setting fitness goals, such as losing a certain amount of weight or running a marathon within a specific timeframe. Just as these goals provide motivation and direction for a fitness journey, well-defined security objectives help organizations stay focused and accountable in their cybersecurity efforts (Melaku, 2023).
When defining security objectives, it is important to use the SMART criteria – Specific, Measurable, Achievable, Relevant, and Time-bound. For example, instead of a vague goal like "improve network security," a SMART objective might be "implement multi-factor authentication for all remote access systems within the next 6 months, reducing the risk of unauthorized access by 50%" (Hubbard & Seiersen, 2022). By setting clear and measurable targets, organizations can track their progress and demonstrate the value of their security investments to stakeholders.
To ensure that these objectives are realistic and achievable, it is crucial to set appropriate timelines and milestones for each initiative. As Douglas W. Hubbard and Richard Seiersen emphasize in "The Metrics Manifesto" (2022), overambitious goals and unrealistic deadlines can lead to frustration, burnout, and ultimately, failure. By breaking down larger objectives into smaller, incremental milestones, organizations can maintain momentum and celebrate successes along the way (Amin, 2019).
Furthermore, it is essential to align security goals with overall business strategies and objectives. As Jack Freund and Jack Jones point out in "Measuring and Managing Information Risk" (2015), cybersecurity is not an end in itself, but rather a means to support the organization's mission and protect its value-creating activities. By framing security objectives in terms of their contribution to business outcomes, such as reducing the risk of data breaches that could damage customer trust or ensuring the availability of critical systems during peak periods, security leaders can gain buy-in and support from senior management and other stakeholders (Parsola, 2023).
Finally, communicating security goals and progress to stakeholders is a critical component of a successful risk-based security roadmap. As Steven Levitt might suggest, just as a fitness coach needs to keep clients informed and motivated by sharing regular updates and achievements, security leaders must engage in ongoing communication with executives, board members, and employees to maintain awareness, commitment, and accountability (Labazanova et al., 2023). By using dashboards, reports, and other visual aids to present key metrics and milestones, security teams can demonstrate the tangible impact of their efforts and build trust and credibility across the organization (Curran, 2018).
V. Allocating Resources and Budget Effectively
Once you have established your security goals and milestones, the next challenge is to allocate the necessary resources and budget to achieve them. As Steven Levitt might point out, this process is akin to creating a financial plan for a major life event, such as buying a house or saving for retirement. Just as individuals need to assess their income, expenses, and priorities to make informed financial decisions, organizations must carefully evaluate their available resources and competing demands to ensure that their security investments are both effective and sustainable (Scheer et al., 2014).
The first step in this process is to assess the available resources and budget for security initiatives. This includes not only financial resources but also human capital, such as the skills and expertise of security team members, and technical assets, such as existing security tools and systems (Chidukwani et al., 2021). By conducting a thorough inventory of these resources, organizations can identify potential gaps or constraints that may impact their ability to execute their security roadmap (Stoneburner, 2006).
Next, organizations should prioritize resource allocation based on the severity of the risks they face and the potential business impact of each initiative. As Douglas W. Hubbard and Richard Seiersen emphasize in "How to Measure Anything in Cybersecurity Risk" (2023), not all risks and initiatives are equally important or urgent, and attempting to address every possible threat or vulnerability can quickly exhaust an organization's resources. By focusing on the most critical risks and the initiatives that offer the greatest risk reduction and business value, organizations can maximize the return on their security investments (Bokan & Santos, 2021).
However, even with careful prioritization, many organizations may still face resource constraints that limit their ability to implement all of their desired security measures. In these cases, it is important to identify opportunities for cost optimization and efficiency gains. For example, by consolidating security tools and platforms, automating routine tasks, or leveraging cloud-based services, organizations can reduce their operational costs and free up resources for more strategic initiatives (Tahajod et al., 2009). Additionally, by fostering a culture of security awareness and responsibility among employees, organizations can create a force multiplier effect, where every individual becomes a first line of defense against cyber threats (Gunawan et al., 2023).
Finally, organizations should not hesitate to leverage external resources and expertise when necessary. As Jack Freund and Jack Jones note in "Measuring and Managing Information Risk" (2015), the cybersecurity landscape is constantly evolving, and even the most well-resourced organizations may struggle to keep pace with emerging threats and technologies. By partnering with trusted vendors, consultants, or managed security service providers, organizations can access specialized skills, tools, and intelligence that would be difficult or expensive to develop in-house (Amin, 2019). However, it is important to carefully vet and manage these external relationships to ensure that they align with the organization's security goals and standards (Jaquire & Solms, 2015).
VI. Implementing and Executing the Security Roadmap
With a clear set of security goals, milestones, and resource allocations in place, the next step is to put the plan into action and begin implementing and executing the security roadmap. As Steven Levitt might suggest, this process is similar to following through on a fitness plan – it requires discipline, commitment, and the ability to adapt to changing circumstances. Just as a well-designed workout routine is only effective if it is consistently followed and adjusted based on progress and setbacks, a security roadmap must be diligently executed and monitored to achieve the desired results (Melaku, 2023).
The first critical aspect of implementation is assigning roles and responsibilities for each initiative. As Douglas W. Hubbard and Richard Seiersen emphasize in "The Metrics Manifesto" (2022), accountability is key to ensuring that security efforts stay on track and deliver the intended outcomes. By clearly defining who is responsible for each task, milestone, and deliverable, organizations can avoid confusion, duplication of effort, and finger-pointing when challenges arise (Amin, 2019). It is also important to ensure that these roles and responsibilities align with the skills, expertise, and capacity of each team member, and that they are supported by appropriate training, resources, and incentives (Parsola, 2023).
Next, organizations should develop detailed project plans and timelines for each initiative. As Jack Freund and Jack Jones note in "Measuring and Managing Information Risk" (2015), these plans should break down each initiative into specific tasks, dependencies, and deliverables, and map them against the overall security goals and milestones. By creating a clear roadmap for execution, organizations can identify potential bottlenecks, resource constraints, and risk factors early on, and take proactive steps to mitigate them (Bokan & Santos, 2021). These plans should also incorporate regular checkpoints and review cycles to assess progress, gather feedback, and make necessary adjustments (Labazanova et al., 2023).
With plans in place, the next step is to begin implementing the specific security controls and solutions outlined in the roadmap. This may involve a wide range of activities, such as configuring network segmentation, deploying endpoint protection, implementing access controls, and conducting security awareness training (Chidukwani et al., 2021). As Steven Levitt might caution, it is important to approach these implementations with a critical eye and a willingness to question assumptions. Just as a fitness enthusiast might experiment with different exercises or nutrition strategies to optimize their results, security teams should continuously evaluate the effectiveness of their controls and be open to trying new approaches or technologies when necessary (Gunawan et al., 2023).
Finally, throughout the implementation process, it is crucial to monitor progress and adjust the roadmap as needed. As Douglas W. Hubbard and Richard Seiersen point out in "How to Measure Anything in Cybersecurity Risk" (2023), the cybersecurity landscape is constantly evolving, and what worked yesterday may not be sufficient tomorrow. By regularly assessing the performance of security controls, tracking key risk indicators, and gathering feedback from stakeholders, organizations can identify areas for improvement and adapt their roadmap to changing circumstances (Scheer et al., 2014). This may involve modifying timelines, reallocating resources, or even pivoting to new initiatives when necessary. The key is to remain agile, data-driven, and focused on the ultimate goal of reducing risk and supporting the business (Stoneburner, 2006).
VII. Measuring and Reporting on Security Roadmap Progress
As the old adage goes, "you can't manage what you don't measure." This is particularly true in the context of a risk-based security roadmap, where the ultimate success of the program depends on the ability to demonstrate tangible progress and impact. As Steven Levitt might suggest, measuring and reporting on security roadmap progress is akin to tracking fitness metrics like weight loss, strength gains, or cardiovascular endurance. Just as these metrics provide valuable feedback and motivation for individuals on their fitness journey, well-defined security KPIs and reporting mechanisms help organizations stay accountable, informed, and focused on their cybersecurity goals (Curran, 2018).
The first step in measuring security roadmap progress is defining a set of key performance indicators (KPIs) and success metrics. As Douglas W. Hubbard and Richard Seiersen emphasize in "The Metrics Manifesto" (2022), these metrics should be closely aligned with the specific goals and objectives outlined in the roadmap, and should provide a clear and quantifiable way to assess the effectiveness of security initiatives. Examples of common security KPIs include the number of incidents detected and resolved, the average time to patch vulnerabilities, the percentage of systems with up-to-date security configurations, and the level of employee security awareness (Amin, 2019). By selecting a balanced set of metrics that cover both technical and human factors, organizations can gain a holistic view of their security posture and progress (Parsola, 2023).
Once KPIs are defined, the next step is to establish processes and systems for collecting and analyzing the relevant data. As Jack Freund and Jack Jones note in "Measuring and Managing Information Risk" (2015), this may involve leveraging existing security tools and platforms, such as SIEM systems, vulnerability scanners, and access control logs, as well as developing custom data collection mechanisms where necessary. It is important to ensure that data is collected consistently, accurately, and in a timely manner, and that it is stored securely and in compliance with relevant regulations and standards (Chidukwani et al., 2021). Additionally, organizations should invest in data analytics and visualization capabilities to help make sense of the raw data and identify trends, patterns, and insights (Labazanova et al., 2023).
With data in hand, the next critical aspect of measuring progress is reporting on the outcomes and impact of security initiatives to stakeholders. As Steven Levitt might suggest, this is where the rubber meets the road in terms of demonstrating the value and effectiveness of the security program. By creating clear, concise, and visually compelling reports and dashboards that highlight key metrics, milestones, and achievements, security leaders can communicate the tangible benefits of their efforts to executives, board members, and other key stakeholders (Bokan & Santos, 2021). These reports should not only showcase successes but also transparently discuss challenges, setbacks, and areas for improvement, along with plans for addressing them (Gunawan et al., 2023).
Finally, it is important to celebrate successes and learn from challenges along the way. As Douglas W. Hubbard and Richard Seiersen point out in "How to Measure Anything in Cybersecurity Risk" (2023), building a strong security culture requires not only holding people accountable for failures but also recognizing and rewarding their achievements. By highlighting successful initiatives, sharing lessons learned, and acknowledging the hard work and dedication of security teams, organizations can foster a sense of pride, ownership, and continuous improvement in their cybersecurity efforts (Scheer et al., 2014). Additionally, by conducting regular post-mortem reviews and root cause analyses of security incidents or near-misses, organizations can identify systemic weaknesses, gaps, and opportunities for improvement, and use these insights to refine their security roadmap and strategies over time (Stoneburner, 2006).
VIII. Regularly Reviewing and Updating the Security Roadmap
In the fast-paced and ever-evolving world of cybersecurity, a security roadmap is not a static document but a living, breathing plan that must be continually reviewed, updated, and adapted to remain effective. As Steven Levitt might suggest, this process is akin to the concept of "marginal gains" in sports and business, where small, incremental improvements across multiple areas can add up to significant overall performance enhancements. Just as a cyclist might tweak their training regimen, diet, or equipment based on new research or changing conditions, organizations must be willing to regularly reassess and refine their security roadmap to stay ahead of emerging threats and capitalize on new opportunities (Melaku, 2023).
The first key aspect of this ongoing review process is monitoring changes in the threat landscape and business environment. As Douglas W. Hubbard and Richard Seiersen emphasize in "The Metrics Manifesto" (2022), the cybersecurity battlefield is constantly shifting, with new attack vectors, technologies, and actors emerging on a daily basis. By staying abreast of the latest threat intelligence, industry trends, and regulatory developments, organizations can proactively identify and assess the potential impact of these changes on their security posture and adjust their roadmap accordingly (Amin, 2019). This may involve subscribing to threat intelligence feeds, participating in industry forums and conferences, and collaborating with external partners and stakeholders to share information and best practices (Chidukwani et al., 2021).
In addition to monitoring external factors, organizations must also regularly assess the effectiveness and relevance of their current security initiatives. As Jack Freund and Jack Jones note in "Measuring and Managing Information Risk" (2015), even the most well-designed security controls and programs can become obsolete or ineffective over time, as attackers develop new techniques to bypass them or as business needs and priorities shift. By using the KPIs and metrics established earlier in the roadmap process, organizations can objectively evaluate the performance and impact of each initiative and identify areas where improvements or changes may be needed (Parsola, 2023). This may involve conducting penetration tests, vulnerability assessments, or user behavior analytics to validate the efficacy of technical controls, as well as soliciting feedback from stakeholders on the usability, relevance, and value of security policies and procedures (Gunawan et al., 2023).
As organizations assess the effectiveness of their current initiatives, they should also be proactively identifying new risks and opportunities for improvement. As Steven Levitt might suggest, this requires a curious and open-minded approach, where security leaders are willing to question assumptions, explore alternative viewpoints, and embrace unconventional ideas. By conducting regular risk assessments, horizon scanning exercises, and brainstorming sessions with diverse teams and stakeholders, organizations can uncover emerging threats, vulnerabilities, and potential solutions that may not have been apparent through traditional channels (Labazanova et al., 2023). This may involve piloting new technologies, such as AI-powered anomaly detection or blockchain-based identity management, or experimenting with new processes, such as DevSecOps or zero-trust architectures, to see how they can enhance the organization's security posture (Scheer et al., 2014).
Finally, based on the insights and learnings gathered through these various review and assessment activities, organizations should regularly update and refine their security roadmap. As Douglas W. Hubbard and Richard Seiersen point out in "How to Measure Anything in Cybersecurity Risk" (2023), a security roadmap is not a one-and-done exercise but an iterative process of continuous improvement. By incorporating lessons learned, addressing identified gaps and weaknesses, and adjusting priorities and resources based on changing needs and constraints, organizations can ensure that their security roadmap remains relevant, effective, and aligned with their overall business objectives (Stoneburner, 2006). This may involve adding or removing specific initiatives, modifying timelines and milestones, or reallocating budgets and personnel to optimize the impact and efficiency of the security program (Bokan & Santos, 2021).
IX. Conclusion
In today's hyper-connected and rapidly evolving business landscape, cybersecurity is not just a technical challenge but a strategic imperative. As organizations increasingly rely on digital technologies and data to drive innovation, growth, and competitiveness, they also expose themselves to a wide range of cyber risks that can have devastating consequences for their operations, reputation, and bottom line. In this context, developing and maintaining a comprehensive, risk-based security roadmap is not a luxury but a necessity.
Throughout this article, we have explored the key steps and considerations involved in creating a robust and effective security roadmap, drawing on the insights and methodologies of leading experts in the field. From assessing current risks and prioritizing initiatives based on impact and feasibility, to establishing clear goals and metrics, allocating resources effectively, and regularly reviewing and updating the plan, we have provided a practical and actionable framework for organizations of all sizes and sectors.
By adopting a strategic, data-driven, and adaptable approach to cybersecurity planning, organizations can reap numerous benefits. They can better understand and manage their unique risk profile, aligning their security investments with their most critical assets and objectives. They can foster a culture of shared responsibility and continuous improvement, engaging stakeholders across the organization in the collective effort to protect against cyber threats. They can demonstrate the tangible value and impact of their security program to leadership and customers, building trust and differentiation in the marketplace. And they can stay ahead of the curve in an ever-changing threat landscape, proactively identifying and mitigating emerging risks before they can cause significant harm.
However, developing a risk-based security roadmap is not a one-time exercise but an ongoing journey that requires sustained commitment, collaboration, and agility. As new technologies, threats, and business demands emerge, organizations must be willing to continuously reassess and refine their approach, learning from both successes and failures and adapting to changing circumstances. This requires not only technical expertise and resources but also strong leadership, communication, and change management skills to drive buy-in and alignment across the organization.
Therefore, we call on all organizations, regardless of their size, industry, or maturity level, to prioritize the development and maintenance of a risk-based security roadmap. Whether you are just starting out on your cybersecurity journey or looking to take your program to the next level, the frameworks and best practices outlined in this article provide a solid foundation for success. By embracing a strategic, proactive, and collaborative approach to cybersecurity planning, you can not only protect your organization from the evolving cyber threat landscape but also position yourself for long-term resilience and growth.
Of course, building a truly effective and sustainable security program is not easy and requires a significant investment of time, resources, and expertise. But as Steven Levitt, Douglas W. Hubbard, Richard Seiersen, and other experts have demonstrated, the costs of inaction or inadequate protection far outweigh the costs of preparation and prevention. By taking a measured, data-driven, and adaptive approach to cybersecurity, guided by a well-crafted and regularly updated roadmap, organizations can navigate the challenges and opportunities of the digital age with confidence and success. The journey may be long and complex, but the destination – a more secure, resilient, and prosperous future – is well worth the effort.
References:
Amin, Z. (2019). A practical road map for assessing cyber risk. Journal of Risk Research, 22, 32-43. https://doi.org/10.1080/13669877.2017.1351467
Bokan, B., & Santos, J. (2021). Managing Cybersecurity Risk Using Threat Based Methodology for Evaluation of Cybersecurity Architectures. 2021 Systems and Information Engineering Design Symposium (SIEDS), 1-6. https://doi.org/10.1109/SIEDS52267.2021.9483736
Chidukwani, D., Razique, M. A., Rafi, S., Mugheri, A. A., Sohail, S., Mansoor, S., & Ahmed, S. (2021). A Survey on the Cyber Security of Small-to-Medium Businesses: Challenges, Research Focus and Recommendations. ArXiv. https://doi.org/10.48550/arXiv.2107.08300
Curran, D. (2018). Risk, innovation, and democracy in the digital economy. European Journal of Social Theory, 21, 207-226. https://doi.org/10.1177/1368431017710907
Freund, J., & Jones, J. (2015). Measuring and managing information risk: a FAIR approach. Butterworth-Heinemann.
Gunawan, B., Ratmono, B., & Abdullah, A. (2023). Cybersecurity and Strategic Management. Foresight and STI Governance. https://doi.org/10.17323/2500-2597.2023.3.88.97
Hubbard, D. W., & Seiersen, R. (2022). The Metrics Manifesto: Confronting Security with Data. Wiley.
Hubbard, D. W., & Seiersen, R. (2023). How to Measure Anything in Cybersecurity Risk. Wiley.
Jaquire, V., & Solms, S. (2015). A Strategic Framework for a Secure Cyberspace in Developing Countries with Special Emphasis on the Risk of Cyber Warfare. Int. J. Cyber Warf. Terror., 5, 1-18. https://doi.org/10.4018/IJCWT.2015010101
Koubatis, A., & Schonberger, J. (2005). Risk management of complex critical systems. Int. J. Crit. Infrastructures, 1, 195-215. https://doi.org/10.1504/IJCIS.2005.006119
Labazanova, S., Kaimova, F., & Isaeva, L. (2023). INTEGRATING CYBER SECURITY INTO STRATEGIC MANAGEMENT. EKONOMIKA I UPRAVLENIE: PROBLEMY, RESHENIYA. https://doi.org/10.36871/ek.up.p.r.2023.10.06.003
Melaku, H. (2023). Context-Based and Adaptive Cybersecurity Risk Management Framework. Risks. https://doi.org/10.3390/risks11060101
Parsola, J. (2023). Cybersecurity Risk Assessment and Management for Organizational Security. NeuroQuantology. https://doi.org/10.48047/nq.2022.20.5.nq22815
Renn, O. (1992). Risk communication: Towards a rational discourse with the public. Journal of Hazardous Materials, 29, 465-519. https://doi.org/10.1016/0304-3894(92)85047-5
Scheer, D., Benighaus, C., Benighaus, L., Renn, O., Gold, S., Röder, B., & Böl, G. (2014). The Distinction Between Risk and Hazard: Understanding and Use in Stakeholder Communication. Risk Analysis, 34. https://doi.org/10.1111/risa.12169
Seaman, J., & Gioia, M. (2023). Security Risk Management - The Driving Force for Operational Resilience: The Firefighting Paradox (Security, Audit and Leadership Series) 1st Edition. Independently published.
Slovic, P. (1987). Perception of risk. Science, 236(4799), 280-5. https://doi.org/10.1126/SCIENCE.3563507
Stoneburner, G. (2006). Toward a Unified Security-Safety Model. Computer, 39, 96-97. https://doi.org/10.1109/MC.2006.283
Tahajod, M., Iranmehr, A., & Darajeh, M. (2009). A roadmap to develop enterprise security architecture. 2009 International Conference for Internet Technology and Secured Transactions (ICITST), 1-5. https://doi.org/10.1109/ICITST.2009.5402639
Cyber Resilience Manager
7 months
Great article, thank you for sharing!