A service lens on cybersecurity continuity and management for organizations’ subsistence and growth

1. Introduction

The advent of the Internet or cyberspace has had a positive impact on the way organizations and businesses perform their functions and services. Platforms for e-commerce, banking and government among others exist to ensure greater reach, engage with and provide services for customers and citizens alike (Kitsing, 2017; Pawar and Palivela, 2022). More so, because of the Internet's reach, individuals continue to take advantage as entrepreneurs to reach customers that cut across international boundaries, thus contributing to a nation's economy and poverty mitigation. For instance, the network marketing industry continues to leverage Internet technology for its reach and services (Jones et al., 2013; Dwivedi et al., 2021).

While the Internet and the corresponding information and communication technology (ICT) tools continue to provide great value for different entities, they are not without risks (Jang-Jaccard and Nepal, 2014; Fonseca-Herrera et al., 2021). The activities of cybercriminals continue to threaten this new way of life, limiting the trust levels in Internet-driven services. Cybercriminals take advantage of the available tools on the darknet, users' lack of knowledge/awareness and the anonymity the Internet platform offers to run cyberattacks whether through hacking or social engineering among others (Kobielus, 2020; Pawar and Palivela, 2022). More so, the current COVID-19 pandemic has made the world more reliant on the Internet and the digital economy. Cyberspace continues to see increasing and evolving threats and vulnerabilities associated with the continuous adoption and evolving nature of cyberspace.

According to the 2020 global risks report by the World Economic Forum, cyberattacks on critical infrastructure are rated the fifth top risk in 2020 which continues to prevail across the energy, healthcare and transportation industries among others (Cremer et al., 2022). The report maintains that cybercrime-as-a-service is a growing business model, especially with the increase of sophisticated tools on the darknet that is making malicious services affordable and more easily accessible to anyone. More so, organized cybercrime entities continue to evade detection and prosecution where the likelihood of this happening in the USA, for instance, only stands at an estimated low of 0.05%. The impact of insufficient cybersecurity has been estimated to have cost US$ 945 bn to the global economy in 2020 increasing to about $6 tn in cybercrime damages worldwide in 2021 (Cremer et al., 2022; Pitchkites, 2022). The prediction is that the cost of cybercrime will hit $10.5 tn by 2025 (Kerner, 2022). As such, taking proactive measures, subscribing to security standards/frameworks and meeting regulatory compliance become a most for an organization to address cybersecurity challenges and increase/improve digital trust levels geared to protect businesses, institutions and individuals alike; thus, governments, organizations and businesses continue to invest in ways to ensure cyberattacks are mitigated.

Cybersecurity represents a way for individuals and organizations to protect their Internet-connected systems, such as computer networks, hardware, software and data from cyber threats (Rouse, 2020; Perwej et al., 2021), thus protecting against unauthorized access to their data centers or other electronic systems. As a subset of information security, cybersecurity efforts aim to protect against malicious attacks or intent that extort an organization or user-sensitive data (Jang-Jaccard and Nepal, 2014; Pawar and Palivela, 2022).

However, this is easier said than done as mitigating cybersecurity risks can be a challenging task. According to Taylor (2021), even the best cyber defense application cannot provide total cyber protection as nearly all systems deemed secured can be vulnerable to some type of cyberattack. More so, cybersecurity is a continuously evolving field, with the development and advancement of technologies that come with novel avenues for cyberattacks (Rouse, 2020; Perwej et al., 2021). Networks are becoming more extended, complex and challenging to monitor. This is especially true for organizations that have moved to remote working and as such have less control over workers' behavior and device security (De Smet and Mysore, 2020).

According to Cremer et al. (2022) and Dixon and Singh (2020), the risk of cyber-attacks continues to rise; more so now as the COVID-19 pandemic continues to disrupt global health, economic, political and social systems, the uncertainty of the crisis forces organizations and individuals to embrace new practices such as social distancing, hand washing/sanitizing and remote working and increased reliance on digital tools. Sadly, cybercriminals continue to capitalize on the increasing dependence on digital tools resulting in a rise in cybersecurity risks (Lallie et al., 2020; Weil and Murugesan, 2020).

Deloitte (2020) reports an observed increase in phishing attacks, malicious spam and ransomware attacks as cybercriminals have continued to use COVID-19 as a lure to impersonate known brands, thereby cheating employees and their customers. Given the level of unpreparedness of remote work deployment by organizations and businesses as a result of the pandemic, new vulnerabilities have been introduced, and cybercriminals around the world undoubtedly are exploiting them (Lallie et al., 2020; Perwej et al., 2021). Unfortunately, the traditional perimeter security approach often employed by organizations to protect and defend crucial system components against known threats remains insufficient. Despite the sophisticated firewalls and antivirus systems installed by organizations, new vulnerabilities come to the fore, and the threat landscape continues to evolve more rapidly than organizations can keep up with.

As the volume and complexity of cyberattacks grow, it is imperative that businesses and organizations, especially those tasked with the duty of protecting information related to health, national security and financial records among others, take a proactive and holistic approach to cybersecurity in order to safeguard sensitive corporate and personnel information. Standards and best practice organizations continue to encourage more proactive, adaptive, applied and data-focused approaches to cybersecurity (NIST CSF, 2014).

However, existing standards and frameworks do not present a one size fits all approach to cybersecurity management as organizations continue to have unique risks with different threats, vulnerabilities and risk tolerance levels (Gordon et al., 2020; Pawar and Palivela, 2022; Al Faruq et al., 2020). As such, they have varying customized practices based on different frameworks with activities that are deemed important for their service delivery. While existing frameworks provide an overview of how cybersecurity risk management should be approached at a macrolevel, they leave the implementation details to the individual organizations at the microlevel (Fonseca-Herrera et al., 2021; Ibrahim et al., 2018). Existing research and practice have been mostly focused on protecting immediate business environment exploring how standards, best practices and frameworks can be best implemented or integrated to improve an organization's credibility and standing. Thus, this only supports the strategic move by organizations to instill confidence to their stakeholders that risks are adequately managed by getting certified, which is far from realizing absolute security.

Research to aid organizations realize absolute end-to-end security that takes cognizance of the both the service provider environment and the customers is practically nonexistent. There is very little concern about a broader business environment that considers the customers and their environment which can introduce dire threats and vulnerabilities that can be exploited. Since cybersecurity risk management revolves around correctly assessing risk environment, which is not an easy task (Sheehan et al., 2021; Hitchcox, 2020), this paper advocates taking a holistic view of service activities from its source (service provider) to destination (customer) to better fulfill cybersecurity requirements. Thus, what is needed is a holistic analytical approach that takes cognizance of existing frameworks, guidelines and organizations’ unique contexts to find their best cybersecurity footing.

This paper argues that by taking a service lens and leveraging on the strengths of existing best practices and standards, a holistic approach to cybersecurity continuity and management can be realized. The following section will highlight more on the challenges associated with cybersecurity, whereafter the paper dwells on the existing approaches employed towards a solution. Next, it delves into the core of the service system frameworks, the Information Technology Infrastructure Library (ITIL), Information Security Management System (ISMS) and the National Institute of Standards and Technology (NIST) security frameworks taking cognizance of their strengths, focus and limitations. Consequently, a conceptual cybersecurity continuity and management model is presented, followed by a discussion on its merits, a conclusion and future work.

2. The cyberspace security issues and challenges

As mentioned in the previous section, cyberspace provides opportunities for organizations, businesses and government agencies to extend their reach and improve their productivity and service provision even amidst an existential crisis like the COVID-19 pandemic. However, the opportunities presented by cyberspace are not without risks. Cybersecurity continues to remain a challenging task as the threat and vulnerability landscape continues to evolve (Lallie et al., 2020; Weil and Murugesan, 2020; Perwej et al., 2021). Since unauthorized access or exposure to sensitive data can result in negative consequences, organizations continue to look for ways to mitigate threats and effectively respond to security incidents, especially now that digital adoption has become widespread with remote working and increased reliance on IT-driven services. Additionally, customers continue to demand better security services as the ongoing environmental crisis (COVID-19) has introduced more threats and vulnerabilities to individuals and organizations alike (Cremer et al., 2022) As businesses and individuals continue to take advantage of digital technologies and cloud services to emerge ahead of the crisis, the risk and impact of cyberattacks have continued to rise (Weil and Murugesan, 2020; Dalal et al., 2022).

Cyberspace continues to be troubled with highly motivated offenders who take advantage of inadequate security, the lack of security awareness and noncompliance to regulation among others. More so, the rapidly evolving technology landscape comes with new threats and vulnerabilities. For instance, the Internet of Things (IoT) landscape amplifies the potential for cyberattacks. According to the global risk report, attacks on IoT devices have increased by more than 300% in the first half of 2019 and in one instance, taking down Wikipedia through the classic distributed denial of service (DDoS) attack (WEF, 2020). It is expected that such IoT-driven attacks will increase given that there are already over 21 billion active IoT devices in existence, and the number is expected to double by 2025. Thus, cybersecurity continues to remain a big challenge and the scale of the global cyber threat continues to evolve rapidly. The RBS (2019) report revealed that 7.9 billion records were exposed by data breaches in the first nine months of 2019 doubling the number of records in 2018. The report showed that the medical, retailers and public domains experienced the most breaches.

More so, proceeds from cybercrime activities globally were up to $1.5 tn in 2018 (Ismail, 2018), with Juniper Research (Morrow and Crabtree, 2019) estimating cybercrime costs in association with data breaches to soar to over $5 tn in 2024 rising from $3 tn each year (Kerner, 2022). Regulations on data breaches continue to tighten as sensitive data are continuously transmitted across networks and other devices as organizations continue to do business. Ensuring that systems are secure and safe is vital to protecting the business interest and their customers. To improve confidence and trust in products and services for both providers and customers, cybersecurity is dedicated to protecting sensitive information and the systems used to process and store it.

Kapersky (2020) and Perwej et al. (2021) define cybersecurity as the practice of protecting computers, mobile devices, electronic systems, servers, networks and data from unauthorized access, malicious attack and destruction. The term also applies to business and mobile computing contexts which can be divided into network, application, information, operational security, business continuity, disaster recovery and end-user education. According to Rouse (2020), “The goal of implementing cybersecurity is to provide a good security posture for computers, servers, networks, mobile devices and the data stored on these devices from attackers with malicious intent”. As such, it is imperative to proactively monitor the constantly evolving threats in a business environment, such as malware, phishing attacks, man-in-the-middle attack, ransomware and social engineering, among others, thus endorsing a total security need to protect businesses in the worst-case scenario (Deloitte, 2019; Kaspersky, 2020; Pawar and Palivela, 2022). Essentially, a cybersecurity solution must account for total end-to-end security by inter alia protecting data applications, networks and end-users by preventing unauthorized access and improving recovery time after a breach while ensuring continuity among other things.

To adequately manage cybersecurity, the National Cyber Security Alliance (NCSA) (2018) recommends a top-down method to cybersecurity where management must take a leading role in prioritizing cybersecurity management and continuity across all a business' practices. Essentially, the NCSA maintains that organizations must be prepared to respond to unavoidable cyber incidents, restore normal operations and ensure that an organization's assets and reputation are protected. Additionally, organizations should take cognizance of any regulations or standards that will influence the way data should be collected, stored and secured to protect individuals, citizens, corporate and governmental agencies among others.

In effort to ensure cybersecurity, organizations continue to subscribe to existing best practices and standards to realize the feat, but continue to fall short as the cybersecurity problems continue to exist. The problem is existing cybersecurity standards/frameworks only present a macrolevel overview on how cybersecurity risk management should be approached leaving the details of how it should be effected to the individual organizations on account of the unique risks factors they are likely to experience (Gordon et al., 2020; Al Faruq et al., 2020). Existing ISM standards/frameworks are generic in scope and attempt to provide ISM practices that are focused on securing organizations’ perimeter centric information systems, which when adopted by organizations at best showcases their commitment to secure business practices by applying and obtaining certificates that attest to their compliance, which is not enough to guarantee the required level of security. Meeting the bare minimum of a given framework can suffice in certification that will show compliance with mandatory regulations/laws, keep customers happy as it helps the organization maintain an image of responsibility at the lowest cost possible (Culot et al., 2021). Thus, this derails cybersecurity efforts that should ultimately take cognizance of a variety of variables that can compromise absolute security.

Given the nuanced and dynamic nature of cybersecurity needs, a method that takes cognizance of these generic ISM guidelines and advocates a well-tailored solution that takes cognizance of the ever evolving organizations environment and operations to enable continuous and absolute security is desirable. Essentially, what is required to aid realize requisite level of security is an analytical and management approach that is vigorous and extends its focus beyond securing an organization IS to encapsulate both an organization and its customers' environment, as with their operations which continue to evolve.

According to Williams-Banta (2019), a solution that considers technology and human participation is necessary since looking at technology alone is not enough to stop hackers, and after all, people have often been considered the weakest link in a security chain (Dalal et al., 2022; Poehlmann et al., 2021). Spear phishing, a type of social engineering attack that targets an individual(s) has been blamed for more than 90% of cyberattacks that begin with tailored phishing emails that target a person in a company (Kerner, 2022). Thus, it is sensible that a solution that accounts for both the people's view as well as the technology is more desirable than paying attention to just one perspective that leaves the other vulnerable. To holistically account for the continuously evolving and sophisticated cybersecurity threats and vulnerabilities, this research proffers that taking a service approach leveraged on existing industry information security best practices, cybersecurity due-care and due diligence can be better attained. The approach employed toward that end is explicated in the next section.

3. The approach

Customers, citizens and lawmakers among others need to be ensured that a viable process to deal with cybersecurity threats, meet regulatory compliance and assure total security is in place. As such, organizations need to adopt sound cybersecurity measures to continuously gain a competitive advantage while ensuring customers' trust. Through an extensive literature review, the study explores lessons from the service systems concepts, the information security management literature and cybersecurity bests practices among others to propose a cybersecurity service system model. Logical reasoning is employed to design the model by deliberately combining the best parts of existing frameworks toward holistically addressing cybersecurity concerns. The paper argues that this approach will present a holistic view that will adequately account for the understanding and mitigation of the ever-evolving cybersecurity threats and vulnerabilities while proactively and adaptively managing the resulting incidents from an end-to-end perspective. The proposed model is primarily framed within the service system concept theory and supported by the industry-specific standard frameworks. These concepts and frameworks that underpin the solution toward ensuring cybersecurity continuity and management are discussed in the next section.

4. The underlying concepts

This section delves into the concepts that provide the underlying premise for holistic cybersecurity management and continuity highlighting their strengths, focus and limitations. The section begins by unpacking the ITIL ISM framework and the NIST cybersecurity framework, respectively. Next, the service system concept theory which frames the proposed solution is explicated. The following subsection begins with a discourse on the ITIL-ISM framework followed by the NIST CSF and finally the service system concept.

5. The conceptual cybersecurity service system model (CSSM)

What is clear from the review in the previous sections is that no one framework or standard provides an all-encompassing cybersecurity solution, what is recommended is a combination of different aspects driven by contextualized service provider/customer-centric requirements. Also, there is a need to ensure adaptive continuous management of cybersecurity service systems to account for the ever-evolving threat and vulnerabilities landscape. To avoid a one-sided assessment focusing totally on the internal operation of the work system that may leave weaknesses undetected, giving an organization a false sense of security state and risk exposure, a holistic and continuous approach to cybersecurity and cyber resilience needs to be employed. As the cybersecurity threat and vulnerability landscape continues to evolve, a flexible and adaptive approach that can account for such changes and uncertainties alike becomes desirable. This section proposes a cybersecurity service system archetype.

This paper argues that to account holistically for the cybersecurity problem, there is a need to view cybersecurity as a service system. The service system view promises an approach that looks beyond a service provider perimeter to capturing and evaluating how a service consumer is faring and is satisfied. The proposed cybersecurity service system is premised on the combined lessons from the industry-specific standard frameworks and the service system concepts discussed in section 4. For instance, the proposed model leverages the customer/service provider relationship supported by the work system elements from the service system concept and the PDCA lifecycle model implemented in the ITIL ISMS, as well as the linearly streamlined actions elaborated in the NIST CSF framework which resonates and complements the planned and unplanned changes as prescribed in the service system WSLC. Figure 3 presents an overview of the cybersecurity service system model (CSSM) composite of various components as identified in the previous section working together.

Figure 3 shows that the cybersecurity services will be co-produced by both the service providers and the customers as inspired by the service value chain framework in section 4.3.

Thus, understanding and explicitly laying out the actions and responsibilities of both the service provider and customer is critical. Every instance of the service delivered suggests an explicit or implied service request from the customer component. The customer component represents both an external customer that will consume what work system produces (e.g bank customer) and the internal customers who are bank workers/units that are part of the work processes (internal operation) that depend on each other to ensure value is delivered to the external customer. Essentially, the service providers' responsibility includes creating awareness of the service, handling and fulfilling service requests while ensuring customer follow-up based on negotiated commitments. The customer in turn becomes aware of a need, consumes and contributes to the service by making service requests, participating in fulfillment, providing feedback performing follow-ups as per negotiated commitments. The interaction between the service provider and customers opens a way for both parties to be situationally aware in terms of the needs, ongoings, interests, fears and concerns of each other. Projecting the successful cybersecurity effort will depend on what the provider understands based on quality analysis, which is fed by quality input from customers and their surrounding environment who in turn are expected to comply with what is prescribed, evaluate its impact (positive or negative) and feedback into the system.

The customer component represents the direct beneficiaries of the cybersecurity service representing the service customer and other environmental entities. The customer component of the customer section includes individuals, groups, organizations or functional units within that will receive the benefits created by the activities of the cybersecurity service system. The service benefits should apply regardless of whether services are directed at external customers, internal customers or both. The environmental entities include inter alia the relevant regulations, policies, standards or legislation that require compliance. As such, the customer component with the environment is responsible for making up the service requirement that will guide the action of the service provider, which will influence the SLA prescribed in the control and initiation component. Thus, the SLA should be malleable to change. Changes in customers' needs often driven by environmental uncertainties, opportunities or challenges in their resource/capability can lead to changes in the work system elements supporting the service system. Also, from the service provider's direction, changes in one of the work system elements like information and technology can be appraised on their effect on the internal operational efficiency of the service system and customer satisfaction. Thus, the need for consistent interactions between the two parties cannot be overemphasized.

The service provider component hosts the control and initiation activity as well as the security management process supported with the necessary resource and capabilities to ensure complete and satisfactory cybersecurity service provision to customers. The service provides represents the internal operation of an organization's cybersecurity service system which takes cognizance of customers' evaluation of what the system offers towards improving the entire service system. The control and initiation activity of the service provider perspective is responsible for organizing, directing and managing the security management process. It defines the processes, allocates the responsibility and defines the policy statements, rules and management framework. It initiates the security process setting the tone that is supported in the other subsequent process activities stages introduced. The control component sets up and modifies the SLA or contracts between the service provider and the customer. Contracts are agreements set for accessing, processing, communicating, or managing information, software or services between an organization and external parties or employees. For example, an agreement can be set to ensure that external parties and employees abide by the policies set out by an organization. The security requirements are defined under SLA alongside the responsibility of the service provider and customer as well as the service level targets. The control components also handle the Service Level Report to be issued by service providers to their customers.

The Plan activity in cooperation with service level management devises and recommends appropriate cybersecurity measures based on an understanding of the requirements as defined in an SLA. The Plan activity specifies the goals as expressed in the SLA in the form of OLA security plan that will be undertaken by an internal unit within the service provider's standpoint toward the general cybersecurity service provision. Other input into the “Plan” activity includes among others; the policy statement and rules established in the control activity process. Furthermore, The Plan activity incorporates the “identify, analyze and evaluate the risks” as can be seen in the NIST in section 4.2 CSF and part of the “Do” as in the ISMS cycle in section 4.1 which involves controls selection and implementation of policies. The output of the “Plan” activity is the implementation plan.

The Implement plan activity ensures that all the control measures as specified in the plans are properly carried out. The section handles the implementation of protection technology and services to help mitigate cybersecurity threats and vulnerabilities taking cognizance of both the customer/provider perspectives. This also involves Security Education, Awareness, and Training (SETA,) which should be specified in the plan base on planned or unplanned changes. This activity reflects the “Do” section of the ISMS model, requiring the implementation of controls to reduce or ease the risks discovered during the analysis activity. The content will determine what level of control will be required. For instance, the health sector will find unique controls as specified in the Health Insurance Portability and Accountability Act (HIPAA) security rule. However, whether the controls implemented are effective or successful, an evaluation needs to be carried out to confirm which the customer must be engaged in.

The Evaluation activity is vital to appraise the success of the security plan implementations. It checks the sturdiness and compliance of the security implementation with the security policy and requirements spelled out and specified in SLAs and OLAs, respectively. An Evaluation result is used to uphold the agreed measures or lead to new requirements where a “Request for Change” process can be engaged. The evaluation activity represents the Check process of the ISMS, which is responsible for reviewing whether requirements as specified have been satisfied. Both technical and nontechnical measures employed to realize compliance or total security are evaluated periodically to ensure that requirements are being met. A service desk incident report in terms of the number of breaches, resolutions and escalations can indicate the efficiency and proficiency level of existing measures while exposing vulnerabilities if any. Organizations can do well to evaluate their level of security maturity at this stage to determine where they are and where they need to be and are adequately meeting and satisfying customer needs.

The Maintenance activity process suggests that for cybersecurity management to be effective, it needs to be improved and enhanced continuously. This involves reviewing the SLAs, the security policies as well as the control and monitoring techniques. As organizational and IT infrastructure and work patterns continue to change, the security risks change as well over time. Thus, the need for consistent revisions of the security segment of an SLA and security plans. The results from evaluations and the insight into the changing risk landscape serves as input to the maintenance activity. The output of the maintenance activity is the change proposal to be acted upon at the control stage and translated into an action plan. Essentially, the evaluation outputs propose improvements or changes to the security implementation and agreements as laid out in the SLAs and OLAs.

The plan, implement, review and maintain activities are not one-time activities; they are adaptive cyclic and continuous activities, as shown in Figure 2. These actions are in line with the WSLC model described in section 4.3, which states that a service system evolves through a combination of planned and unplanned changes. An initiation stage will follow a formal project development approach in terms of the planned changes while uncertainties that may occur from the environmental changes will result in unplanned changes such as ongoing adaptations and experimentation that will change aspects of the service system. The success of such engagement is certainly determined by the availability of the resource and corresponding capabilities. The iterative nature of the model speaks to the Identify, Protect, Detect, Respond and Recover functions of the NIST CSF. Thought must be given towards the abilities of an entity (Service provider/customer) to perform their activities as required or specified by a plan, matching the supporting resource and capability at their disposal.

The resource and capability components are composite of both the work system elements described in section 4.3 and ITIL organizational capacity elements described in section 4.1 in the context that knowing the proficiency and availability levels of these components is critical to successful cybersecurity service provisioning. By focusing on probing questions around the resource and capability components, insight into their proficiency level to provide the expected service return from both provider and customer can be uncovered. For instance, if an issue revolved around competency, experience, knowledge of execution or know-how of doing something, roles and responsibilities among others, tt can be deemed a capability problem, and if it dealt with something that could be acquired, such as an IT infrastructure, people and money among others it is a resource problem. Table A1 in Appendix presents a template made up of composed dimensions premised on the service work system and the organizational capacity elements as well as the service value system interaction constructs. The template dimensions which are presented in no particular order will aid analysis that considers the customer/provider perspectives, noting where a problem is indicated along a dimension, its risk level and impact, what is proposed as a solution requirement, the state of implementation and what was realized in the form of results (successful or not) and other likely comments. By probing the dimensions, failure points that will need to be addressed whether for example through changes in an IT system or behavioral changes in participants among other things can be realized. Of course, the dimensions are by no means exhaustive, they can be extended given a need context or opportunity context and they can be further broken down to lower levels of detail items. For instance, the infrastructure dimension can include detailed concepts like interoperability and integration concerns, the knowledge dimension could include constructs like acquisition and utilization codification concerns, and the participant dimension could reflect a lack of awareness, knowledge or skill concerns, and application can reflect a configuration issue among others. As changes in one component can affect other components at different levels of granularity, the ripple must be traced and logged. Thus, the study argues that questions structured around these components from both the service provider and customer angles will help determine risks that will affect the cybersecurity service systems' successful functioning. Of course, further dimensions can be incorporated into the template at different levels of details to account for nuanced cybersecurity landscape.

6. Discussion

The proposed cybersecurity service archetype promises a total end-to-end view of the cybersecurity service delivery system that takes cognizance of technology and human participation among others, moving beyond the often technical or compliance focused views of existing approaches. Given the IT-reliant nature of the cybersecurity service system, the protection required is considered from the backend support systems, processing, transmission and front-end customer interfacing and service consumption. Thus, remedies for all possible aspects of cybersecurity, including network, information, application operational security, disaster recovery, business continuity planning, end-user education and continuous interaction with the service providers, are considered. An effective cybersecurity approach must encompass the entire IT infrastructure involved in service provision and must be premised on consistent risk assessments that may come from both a customer and service provider environment.

The customer and service provider interaction provides an avenue to better understand a situation status-quo so as to better prescribe the solution or approach a customer can contribute to the system without too many difficulties and vice versa. Both service providers and customers whether internal or external should be aware of the ongoings and the reaction required in a given situation. Thus, a culture of being situationally aware can be nurtured. Whether it is human-to-human or IT-reliant interaction (service desk) and follow-up, knowledge can be acquired that can result in quality data that can be leveraged by cybersecurity security professionals or artificial intelligent (AI) and machine learning systems for instance to better fortify an intrusion detection system that can predict, mitigate possible threats and manage vulnerabilities to prevent cybersecurity breaches. Also, the interaction between the stakeholders can require changes in behavior of actors to achieve better levels of security. Thus, efforts to realize better security form the service lens can result in changes that impact both the technological and the people or participants dimensions among others for example.

The proposed service system approach ensures value is co-produced by both the service provider and customer as prescribed in section 4.3. In essence, the service expectations are defined by both the delivery organization and those that will be using the service. For instance, a debit card fraud incident may occur online after a customer's card has been compromised resulting in the card termination when reported to the bank to prevent further damage. To get a workaround that ensures customers' funds are protected, the bank creates awareness on a virtual card service where only funds that are required for the immediate transaction are deposited. The virtual card will perform the service of the debit card with a limited risk of loss. Of course, to ensure the success of such a venture, the service provider bank must ensure customers are aware that such a service exists to subscribe to and make sure they are equipped with the requisite knowledge to make it work. Thus, two-way feedback traffic exists to ensure success. In addition, the circumstance that caused the fraud incident to occur should be noted and made sure other customers are educated regarding the situation and how to prevent such occurrences. Surely, an agreement on the service level quality that is required and expected is explicated to put targets and measures in place, to keep track and measure success or otherwise.

The proposed service system approach allows the move beyond the often once-off IT requirement and specification that has been central to the existing system analysis and design approaches that are fixated on building a technical artifact as a tool for users, which may not necessarily benefit the customer of the work system. The service system presents an opportunity to make the customers be more involved in contributing to the overall functioning of the service systems as opposed to their often-marginal roles in the requirement elicitation process as potential users of an IT tool witnessed in existing system analysis and design approach as highlighted in section 4.3. Thus, by employing a service system lens, the customer is seen to have more responsibilities that involve more than just consuming or using what the service system produces but providing feedback that will in turn improve the service system. For example, iterative feedback from a consumer can be used to improve an IT component feature or participants' behavior, knowledge or competence from a service provider perspective to provide an overall positive service provisioning experience. Employing a service stem approach promotes co-value production that emphasizes quality interactions between a service provider and a consumer to adequately understand the state and concerns of each other from the obvious to the nonobvious ones. Given the cybersecurity landscape, this is an important feature to help cybersecurity professionals get ahead of the consistently evolving nature of the threats and vulnerability landscape discussed in section 2 that will result in consistently changing requirements from planned or unplanned changes.

The service system process as shown in Figure 3 ensures that activities required to realize adequate security provision are in play as well as those necessary to ensure its maintenance and continuity. Essentially, the model understands that starting with customer requirements or environmental needs explicated in a contract, law, regulation standards or organizational policies, among others, actions should be carried out to ensure that requirements are serviced while taking cognizance of the fact the requirement will evolve due to changes in the environment that continuously introduces new threats/vulnerabilities. Essentially, the proposed CSSM promises due care and diligence which although limited is mostly the goal of the industry-standard compliance frameworks highlighted in section 4. Due care and due diligence are realized as the model ensures that what is required to ensure that organization and customers are protected is in play, and appropriate measures are taken to ensure continuity and improvement towards meeting the set security goals. Thus, the model explores ways to ensure potential security gaps are closed while ensuring that the business is prepared when faced with unknown but present malicious threats and vulnerabilities. The proposed CSSM approach promises to proactively combat and manage threats and vulnerabilities across a business process to improve cybersecurity and ensure cyber resilience.

The analytical dimensions presented in Table A1 as instances of the resource and capability components will enable organizations to evaluate and measure the cybersecurity gaps and the sufficiency and limitation of the controls in play from both the service provider and customers' perspectives so that informed choices can be made about what is needed and where to apply the often-limited resources. This action will take cognizance of the service provider and customer problem spaces. The CSSM promises a broad-spectrum view of what is required from start to finish of service from the service management, its supporting structure, resources and capabilities. The model is designed to ensure that any context-specific security is based on risk assessments, defined policies, procedures and controls while ensuring that cybersecurity is integrated as much as possible into the daily work and operations of the service provider and customer alike to ensure utility and warranty through adequate interactions, feedbacks and follow-ups. Utility defines the usefulness of the service ensuring it fits for purpose, and warranty defines the guarantee of the service that it meets the set requirements. By following a holistic approach to cybersecurity, it is ensured that everything organizations will choose to do to co-create value for themselves and their customers is protected at each point in the value chain. Creating a cybersecurity service unit that will take ownership of the CSSM model overseen by the cybersecurity professionals to ensure its implementation and fulfillment is desirable.

The implication for cybersecurity management researchers and practitioners alike is that traditional organizational IS-centric thinking needs to extend beyond the organization and take cognizance of the customers' environment and operations that equally contribute to the overall service provisioning experience. Thus, the proposed model presents a novel analytical perspective identifying relevant elements that should be considered to truly satisfy an end-to-end security and better streamline existing standards controls. Essentially, solutions should encapsulate technologies, people, structures, processes and practices among others. The paper urges practitioners to consider cybersecurity needs and practices in a broader business environment where data/information are exchanged to satisfy service provisioning. Using the proposed approach will prompt for early knowledge of possible risks as such allow for a proactive action than reactive.

Given the multi-disciplinary and complex nature of cybersecurity and its varying application domains, it is important that researchers and practitioners collaborate and share knowledge as cybersecurity risks continue to evolve, in terms of identified threats, vulnerabilities and mitigation strategies. By having a common knowledge repository that logs such action (cause and effect), organizations can learn about prominent threats and vulnerabilities among others to proactively evolve their security programs based on their unique assessment, projections and resource courtesy of a shared knowledge base. It has been established that the unavailability of data on cyberrisk poses a huge problem for stakeholders looking to tackle cybersecurity issues (Cremer et al., 2022). Proactively modeling or simulating actions in relation to the risk impact will certainly be useful for projections, especially when AI is leveraged.

Another area of interest to the cybersecurity domain is to try and minimize end-users' cyber misbehavior (employee or customers) by identifying and understanding factors that can aid predict such behaviors as well as design interventions (technical, processes or rules, etc) that can alter such behaviors while incorporating new ones that will better serve the cybersecurity agenda. An investigation into how behavioral characteristics can be incorporated into service design to help mitigate job role over extension and behavioral cues overload for both employees and customers will be valuable. Cybersecurity-centric additional work should be identified and not assumed as part of a primary employee job role so that it is better infused into their work patterns. Also, knowing the managerial implications of integrating multiple standards towards addressing cybersecurity concerns will be valuable, especially for capacity planning, resource allocation and distribution among other things.

7. Conclusion and future work

It has been established that given the ever-changing threat and vulnerability landscape associated with cyberspace adoption, organizations and individuals are exposed to different types of risk daily. As such, employing a clear approach premised on a service system concept and lessons from industry-standard compliance frameworks will enable an organization to identify risks, know how to address them, monitor and repeat the process. However, the success of the service system is premised on the fully engaged interactions between the service provider and consumer of the service system who will contribute immensely to the functioning of the service system as co-producers of value. By supporting the consistent interactions with customers (internal or external), the model promises to help cybersecurity professionals who are tasked with the responsibilities of looking out for holes and misconfigurations that can cause or create vulnerabilities across the service spectrum. In essence, having an end-to-end view of the service will ensure that security incidents can be detected, mitigated and corrected without compromising service delivery. To possess, an effective cybersecurity solution for any given context careful planning is required to secure and manage the business processes and corresponding devices from the source to the destination. The activities described in the proposed CSSM need to be taken cognizance of to achieve a total and effective end-to-end cybersecurity solution as well as ensure up-to-date compliance. The proposed service system sees a technical artifact as a tool needed to help perform work effectively to fulfill customer needs who in turn contribute the service system functioning. By employing the ISMS cycle as part of the cybersecurity model functioning, a proactive and continuous security assessment, management and appropriate scaling given situational changes is ensured. The implementation of controls should be context-driven and dependent on the risk assessment which must be continuous to ensure new threats, and vulnerabilities are identified, documented, and appropriate actions are taken. The analytical dimensions in Table A1 provide a broader scope of inquiry that goes beyond the limited focus on technical or compliance issues. The proposed CSSM approach promises to provide the confidence needed for organizations, employees and individuals to focus on value production by extending their business to cyberspace with the assurance that they will be adequately protected.

However, future work should see to the instantiation of the proposed model and corresponding analytical template across different industries to validate its utility towards generalization. Findings from such instantiation will contribute to research and practice in the security management sphere for instance, further breaking down the analytical dimensions into sub-dimension inquiry or specifics and more. Also, the approach can augment IS research as the dimensions' inquiry can provide insight for better requirement fulfillment that might be missed or ignored by an analyst. While the CSSM is premised on the service system principles and lessons from the industry standards, it is still conceptual. Thus, what is required is testing the model to show its usefulness and possible limitations in analyzing and curbing cybersecurity challenges from both the service provider and customer perspectives.