Evaluation Of Legislations From The Perspective Of Organizational Understanding To Managing Cybersecurity Risk

Abstract:

Organizations are striving to achieve compliance with stringent legal cybersecurity requirements in order to avoid the sanctions and costly lawsuits that follow infringements of the law. In a nutshell, the aim of this paper is to provide a critical evaluation of generally applicable cybersecurity-related legislation in two areas of statute (i.e. data protection and privacy, and critical infrastructure protection) under selected jurisdictions, focusing on the enablers of organizational understanding with respect to managing cybersecurity risk, in order to identify the degree of commonality between some of the main relevant statutes. The paper begins by introducing the legal compliance challenges encountered by organizations operating in one or multiple jurisdictions, followed by the rationale behind the selection of the in-scope jurisdictions and areas of statute. It then provides an overview of some of the key cybersecurity-related legislation and regulations in the selected jurisdictions. Next, the paper sets out the evaluation methodology and benchmarks the selected legislation (i.e. the EU's General Data Protection Regulation, Singapore's Personal Data Protection Act 2012, the EU's Directive on Security of Network and Information Systems, and Singapore's Cybersecurity Act) against the underlying categories of the Identify function of NIST's Framework for Improving Critical Infrastructure Cybersecurity. Subsequently, the paper discusses related work. Finally, the paper presents its concluding remarks.