Planning and Conducting Cybersecurity Audits to Assess the Effectiveness of Controls

Regner Sabillon, Michael Barr

Research output: Chapter or section in a book/report/conference proceeding > Chapter in a published conference proceeding

Abstract

This article reports the findings of an empirical study that assessed the effectiveness of the CyberSecurity Audit Model (CSAM 2.0) in a different Canadian higher education institution. CSAM 2.0 is used to conduct cybersecurity audits in medium to large organizations or even at the national level to assess and measure cybersecurity assurance, maturity, and cyber readiness. CSAM 2.0 is a mature model that enables the effective and comprehensive assessment of security controls that are part of the selected cybersecurity domains to be audited. The authors examined the best practices and methodologies of global leaders in the cybersecurity assurance and audit field, highlighting the absence of standardized guidelines for conducting comprehensive cybersecurity audits and identifying weaknesses in general cybersecurity awareness training programs. The paper outlines the structure of CSAM 2.0 in detail, including its architecture. CSAM 2.0 has undergone testing, implementation, and validation in three research scenarios: (1) a single audit in the cybersecurity domain focused on awareness education, (2) audits in various domains such as governance and strategy, legal and compliance, cyber risks, frameworks and regulations, incident management, cyber insurance, cloud security, and evolving technologies, and (3) a comprehensive cybersecurity audit covering all model domains. The study concludes by demonstrating that the validation of the CSAM 2.0 model provides valuable insights for future decision-making, enabling organizations to address cybersecurity weaknesses and enhance their cybersecurity domains and controls.

Original language: English
Title of host publication: SysCon 2024 - 18th Annual IEEE International Systems Conference, Proceedings
Place of Publication: U. S. A.
Publisher: IEEE
ISBN (Electronic): 9798350358803
DOIs
Publication status: E-pub ahead of print - 17 Jun 2024
Event: 18th Annual IEEE International Systems Conference, SysCon 2024 - Montreal, Canada
Duration: 15 Apr 2024 - 18 Apr 2024

Publication series

Name: SysCon 2024 - 18th Annual IEEE International Systems Conference, Proceedings

Conference

Conference: 18th Annual IEEE International Systems Conference, SysCon 2024
Country/Territory: Canada
City: Montreal
Period: 15/04/24 - 18/04/24

Keywords

  • cyber readiness
  • cybersecurity
  • cybersecurity assurance
  • cybersecurity audit model
  • cybersecurity audits
  • cybersecurity audits by domains
  • cybersecurity controls
  • cybersecurity domain criticality
  • cybersecurity maturity assessment
  • cybersecurity scorecard

ASJC Scopus subject areas

  • Artificial Intelligence
  • Hardware and Architecture
  • Information Systems
  • Decision Sciences (miscellaneous)
  • Information Systems and Management
  • Control and Optimization
  • Modelling and Simulation
