A “peel-the-onion” analysis shows that an attacker trying to affect a critical infrastructure system would most likely be after the core control domain [4] . This study uses the Likert Scale to rank network security threats ( Table 1 ) and their corresponding defense in depth security measures which will assist network security managers in prioritizing their network resources.

Rank correlations also work well with ordinal rating data, and continuous data are reduced to their ranks [15] .

These attacks attempt to deliberately modify information shared within the smart grid to corrupt critical data exchange in the smart grid [15] . Malware can destroy data and functions designed to operate and control the smart grid. An increasing number of wireless devices are abused for illicit cybercriminal activities, including malicious attacks, computer hacking, data forging, financial information theft, online bullying/stalking [16] .

Users should be extremely careful while social distancing and using wireless networks. The target of the attacks is either customer information (e.g., pricing information and customer account balance) or network operation information (e.g., voltage readings, device running status) [15] . Network intruders may attempt to disrupt this smart grid data traveling over the Internet. Malicious attacks targeting network availability can be considered as denial-of-service (DoS) attacks [15] .

If networks become unavailable, then working from home or distance learning will come to a screeching halt. This causes the direct loss of about 83 billion euros with an estimated 556 million users worldwide impacted by cybercrime each year, according to the 2012 Norton cyber-crime report [16] . Cybercrime is responsible for large financial losses to the global economy; this is something to keep in mind while working from home.

Ad-hoc networks can pose a security threat [4] . A Bluetooth connection, for example, has fewer security controls than a managed wireless network. Differing from attacks targeting network availability, attacks targeting data integrity can be regarded as less brute force yet more sophisticated attacks [15] . Integrity attacks can try to discredit the integrity and data privacy of sensitive data.

The new paradigm of global availability in networks offered by IPv6, must also be accounted for [8] . Because of social distancing requirements and remote computing, global cloud security must be included in an organization’s security structure. Threat actors can gain access to credentials for normal or privileged access to the target network [3] . Thieves may pay inside workers for compromising information.

An unauthorized node in a wireless network is capable of inflicting intentional interferences with the objective of disrupting data communications between legitimate users [16] . Denial of service attackers can cause havoc for Internet users. Since network availability is the top priority in the security objectives for the smart grid, we use experiments to quantitatively evaluate the impact of denial-of-service (DoS) attacks on a power substation network [15] .

A denial of service (DOS) attack could potentially plunge entire regions into darkness.

An attacker must then not only compromise security controls at the perimeter but must be able to compromise each layer behind the perimeter to reach the critical asset [2] . While we are learning from home an attack is less likely to be successful if an attacker must breach multiple obstacles. A major difference between the smart grid and the Internet is that the smart grid is more concerned with the message delay than the data throughput due to the timing constraint of messages transmitted over the power networks [15] . Denial of service attacks can prevent critical smart grid messages from reaching their final destinations.

Due to the broadcast nature of radio propagation, the wireless air interface is open and accessible to both authorized and illegitimate users [16] . It is important to keep in mind while social distancing that both friends and enemies have access to wireless networks because wireless networks transmit over the airways.

The first defense approach is prevention [17] . The first defense in depth measure that a network security manager should take is to protect the network and the data that crosses the network. The network should especially be protected in a way that allows users to safely work and learn from home.

The next defense approach is detection [17] . Detective measures are taken to reveal the presence of attacks and intrusions that have compromised or circumvented preventive mechanisms [17] . It is important to deploy defense in depth tools such as NIDS that can identify potential attacks such as Trojans.

Though firewalls, IDSs, and IPSs are ineffective network security systems when deployed by themselves, layering them provides additional protection [8] . Deploying defense measures as a unit increases their effectiveness. In the event there is a security-related incident in the controls system domain, activities to recognize, respond, mitigate, and resume need to be established [4] .

Security planning and operations should take place before, during and after a security breach. For example, installing up to date antivirus is critical before breach operation. Incident response consists of policies, procedures, and technical measures that enable the identification of potential cyber intrusions and the structure to react to and remediate the event [2] . Tactically, security is incomplete without proper assessment of assets, risks associated with them and policies to control these risks; the outermost layer of the model covers all these aspects [7] .

Organizations must consider the risk to organizational assets before establishing remote connections due to social distancing requirements. Each of these defensive devices have been created to act upon specific types of threats and when used in combination can theoretically help prevent, limit, or detect the attack of a threat actor, resulting in better safety for target data and target systems [2] . If a hacker can bypass one defensive tool they can be stopped by another defensive tool and user data can remain safe.

Defensive strategies that secure each of the core zones can create a defensive strategy with depth [4] . In information security terms, administrators or organizations deploy layers of defensive measures to minimize risk of unauthorized access or information attacks [7] . The defensive layer of an UpToDate antivirus, for example, can help reduce the risk of identity theft.

Deflection is a means of diverting attackers from the valuable assets to a faux environment where their techniques and methods can be studied [17] . Honey pots can be used to deflect users away from sensitive areas where sensitive data may be stored. Security issues are not solved magically but administrators must evaluate different methodologies to consider as best practice for their organization [7] .

Network security managers should develop the best defense-in-depth strategy that fits their organization. For example, if Trojans are a concern they should focus on firewalls and Network Intrusion Detection Systems (NIDS). Information assurance (IA) mechanisms may be subdivided into three categories: preventive, corrective and detective [18] . Organizations can remain safe from attacks by using the defense in depth measures of protection, identifying potential attacks, and removing them.

Target organizations typically take action to prepare and assess their security posture to locate holes in their security systems [3] . Network security managers are constantly looking for areas in their networks that can be breached by hackers while employees are remotely working because of social distancing requirements. Overlapped layers can cover shortcomings of one layer by another [7] . Encryption can also be overlapped within the network to cover firewall shortcomings.

The strategy recommends a balance between the protection capability and cost, performance, and operational considerations [6] . Organizational defense in depth requires strategic planning. Development of a defense-in-depth strategy starts with mapping the control systems architecture [4] .

Network security managers must have intimate knowledge of the network to understand how to effectively deploy a defense in depth strategy. The DiD model uses layers of different network protection devices to create a secure network [8] . UpToDate antivirus is one example of a measure that can be deployed in the defense in depth model.

Layer 1 focuses on perimeter security and the controls surrounding the protection of the ingress/egress point of the substation electronic security perimeter [2] . The first level of protection is entry into the network. This can involve a remote connection or VPN.

Layer 2 focuses on the security controls for communication and devices that perform data aggregation [2] . The second level are the areas where critical data is stored, databases containing sensitive organizational data for example. Layer 3 focuses on host-based cybersecurity controls used to provide security at the device level [2] . The final protection level involves protecting individual devices, for example, laptops, desktops and servers.

No single security solution will keep a determined thief from the goal of compromising the hardware or software given enough time and resources [14] . Loss of privacy can be reduced by deploying defensive tools in the path of the attacker. A single strategy to defense information and its associated components may not be sufficient [7] .

Multiple layered defense measures are required to protect organizational systems while employees work from home. Historically, a military defender would build a series of defensive positions and fall back as the attacker advanced, eventually defeating the attacker [8] . Confidentiality should be built on the onion approach with the most sensitive data being in the middle and hardest for an attacker to reach.

Instead of attempting to prevent inbound attacks and blocking specific forms of outbound traffic, a functional DiD model should look to deploy defenses that are symmetric [8] . Defense in depth can be designed to prevent both internal and external data theft. The DoD Defense-In-Depth model is extended to logical, layered, and virtual “boundaries” beyond more traditional physical and geographic boundaries [18] .

Cloud or logical boundaries have enhanced the capabilities of traditional defense in depth strategies. Having multiple DMZs protects the information resources from attacks using Virtual-LAN (VLAN) hopping and trust exploitation [4] . Data can be processed in secure zones which are harder for hackers to reach. Dynamic defenses can be enabled both through dynamic computing platforms and dynamic network addressing [8] .

Demilitarized zones (DMZ) can be dynamically established using DHCP to segment and block traffic. A tool such as encryption can be combined with firewalls, NIDS and authentication to create repeated barriers to defeat attackers [3] . These systems, when layered together, create a system of defense known as Defense-in Depth, where each layered defensive device prevents a deeper level of attack.

Each layer in defense in depth architecture has heterogeneous implementation of security controls which results in administration overhead [7] . Each defensive player must be configured separately by a security manager or an administrator. Multilayer security puts the critical assets at the most reliable and secure layer [2] .

Sensitive organizational data, for example, should be placed in the most critical level of the defense in depth strategy. A DMZ is an exceptionally good way to enhance the security posture and add another layer to the defense-in-depth strategy [4] . Systems used by employees working from home can be placed in a secure zone (DMZ) which protects their communications.

With multiple layers, each layer can have unique yet complementary security controls [2] . Phishing attacks can be reduced with specific but supportive defensive layers. Defense in depth is based on layered architecture; every layer has its own implementation [7] . Although defense measures may cover vulnerabilities that others miss. Each requires individual configuration.

Differentiating between similar attacks like phishing and spear-phishing is crucial for effective threat prioritization. Here are some strategies to prioritize and differentiate these overlapping threat categories. Analyze the context of the attack. Spear-phishing attacks often contain personalized information, such as the recipient’s name, job title, or specific details about the organization [19] .

Phishing attacks, on the other hand, are more generic [19] . Verify the source of the email or message. Spear-phishing attacks may appear to come from a trusted source within the organization, while phishing attacks often use generic or spoofed email addresses [20] .

Effective security policies and procedures are the first step to a secure control systems network [4] . It is important for organizations to outline in detail how they will protect their data from network intrusions. The best method for protecting the confidentiality of information transmitted over wireless networks is to encrypt all wireless traffic [4] .

Using authentication and encryption is the most effective way to secure wireless networks. A well-defined and well implemented defense in depth strategy prevents a wide variety of attacks and generates real-time intrusion alarms to the administrators [7] . Network Intrusion Detection Systems NIDS can tell network security managers when their network is being attacked and steps necessary to prevent the attack.

There are several common methods for monitoring a network for unusual or unauthorized activity, with one of the most effective being Intrusion Detection Systems (IDS) [4] . Illegal access to systems can be monitored and blocked by several devices before intruders can steal data. Network Security Situation Awareness (NSSA) is a new notion deriving from Air Traffic Control (ATC) [21] .

Knowing where the attacks are occurring is an important step in stopping an attack. Ensure that Software is up-to-date, systems are appropriately configured on its network, and access is appropriately controlled [3] . Software must be properly patched to prevent zero-day attacks.

Informing personnel of their responsibilities when it comes to cybersecurity is an important step in implementing and enforcing policies and procedures [2] . Employee training and an effective security awareness campaign are critical to a successful cybersecurity program for example security necessary to maintain Confidentiality. The next generation cyberspace intrusion detection systems will fuse data from heterogeneous distributed network sensors to create cyberspace situational awareness, and analogized cyberspace situational awareness with ATC [21] .

Sensors can be deployed to spot phishing attacks that are designed to breach critical systems. Over time, there have been two key practices for this assessment: tabletop exercises and penetration tests [3] . Security managers should use these tools to assess their networks to ensure they are effective at preventing breaches such as phishing attacks which are designed to steal passwords.

Specific fingerprinting and operating system detection can be used to profile attacker activities, skill level and motivations [22] . What an attacker is trying to achieve can be viewed in real time. To maintain confidential transmission, existing systems typically employ cryptographic techniques for preventing eavesdroppers from intercepting data transmissions between legitimate users [16] .

The defense in depth measure encryption can help stop man-in-the-middle attackers from disrupting and intercepting Internet communications. If the message is not encrypted, or encrypted with a weak algorithm, the attacker can read it, thereby compromising confidentiality [4] . Authentication and encryption are critical to wireless network security especially while working from home and learning from home.

Situational awareness was defined by Endsley as “the perception of the elements in the environment with a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future” [21] . Multi-factor Authentication can be used to deter an attacker for a limited amount of time. At the point that the authentication expires the user should reauthenticate. This intelligence is vital for initiating appropriate responses and for law enforcement investigations [22] . Cybersecurity forensics can benefit by capturing this data.

Penetration tests are live fire exercises in which White Hat Hackers perform as threat actors and are tasked with attempting to infiltrate the target network, access the target systems [3] . White hat hackers are hackers hired by the organization to identify system security weaknesses which might possibly disrupt critical activities. Network situation elements consist of Internet/Intranet (environment), entities in the network including software and hardware, network security events including alerts, logs and files, correlation team and network intrusion behavior [21] .

The status of the entire must be known to prevent intrusions such as DoS attacks. Anomaly based intrusion detection systems, but care must be taken avoid overwhelming the human operator [22] . Network intrusion detection systems must take the limitations of the security manager into consideration.

White hat hackers can retrieve a sample of target data to prove that network defense is ineffective, thus locating a route that should be remediated [3] . Using this tool network security managers can fix network security issues before they cause real security problems. The long-term goal is to create a library of visual signatures that can be used by experts or novice analysts to detect malicious activity [22] .

Due to the external nature of the penetration tests, they tend to be expensive to execute and are typically undertaken infrequently (usually once or twice a year) [3] . Unfortunately pen testing is too costly and disruptive and therefore not frequently conducted. NSSA fuses data from tools of IDS, VDS (Virus Detection System), Firewall, Netflow etc., to find what happening in the network [21] .

Data is collected from several points to see for example when a Man in the middle attack is attacking the network. There are a wide variety of potential visualizations that can be used to display network traffic data in a way that is meaningful for security analysis [22] . Network security managers can see intrusions that are placed on the network from several different views.

In addition, they usually stop at the first successful breach, resulting in a single Successful breach log and one or more failed breach attempts [3] . Pen testing is unlikely to discover a vulnerability which can be exploit by an advanced persistent attack (APT) for example man in the middle attacks. These types of attacks put working from home at risk.

In the MAC layer, the MAC address of a user should be authenticated to prevent unauthorized access [14] . To prevent hackers from entering the network, security managers should use MAC authentication. Training is a core component of an overarching security awareness program [4] .

Because of social distancing requirements, network security training for administrators and users may have to be carried out remotely. Vulnerability scanning is not a passive operation, and as such can produce real-world failures that can impact operations inside of the organization [3] . Scanning should be done during non or low operational maintenance periods so that it does not disrupt normal organizational network functions.

Interception and alteration of wireless transmissions represents a form of “man-in-the-middle” attack [4] . Encryption can stop a man-in-the-middle attacker from viewing the content of the data that he has managed to steal especially during times when people are working from home and learning from home. To secure networks, the DiD model must be viewed as a system of systems and updated with current network defense strategies [8] .

Latest Encryption algorithms allow systems to securely communicate together with lower risk of privacy or data loss. The open communications environment makes wireless transmissions more vulnerable than wired communications to malicious attacks [16] . Using a wired network is safer than using a wireless one.

In the network layer, the WPA and theWPA2 are two commonly used network-layer online bullying/stalking [16] . Authentication is a critical part of defense in depth. Firewalls, for blocking access from or to unwanted locations to or from the defended networks; Intrusion Detection Systems (IDS), for detecting Suspicious traffic on the defended networks [3] . The control center receives security events from each element to preprocess and save them in a database before transferring to situation analysis [21] .

Once security data is analyzed, it can be uploaded to create UpToDate antivirus files. Security measures such as Demilitarized Zones (DMZ), firewall, Intrusion detection System (IDS), malware Protection and virtual private networks (VPNs) provide defense in depth strategy that deflect information security attacks aim to gain unauthorized access to an organization asset from the internet or public network [7] . Along with other measures such as antiviruses these defensive measures are critical for stopping attacks from the Internet.

New advances in cloud computing allow users to rapidly scale provisioned computing resources to consume DoS and DDoS attacks [8] . Network intrusion can be severely limited by placing resources in the cloud. Network segmentation has traditionally been accomplished by using multiple routers.

Firewalls should be used to create DMZs to protect the control network [4] . To stop malware such as trojans, firewalls should be used to create protected zones within the network. One problem with tabletop exercises is that they test the theoretical function of the systems under test, not the actual function [3] . Penetration test (pentest) can be used in leu of tabletop exercises to locate system vulnerabilities which hackers may try to exploit.

Systems such as firewalls, IDSs and IPSs are still used, but layered with new devices that provide different new capabilities to the network defense system [8] . Privacy loss can be prevented with both traditional and new devices. Each of these devices acts as an obstacle to the attacker [7] . Advanced persistent threats (APTs) can be stopped by using successive defensive barriers.

Defense to stop the threat actors at the earliest point in the attack, and to provide the earliest warning of the presence of threat actors attempting to access a defended network [3] .

While learning from home network security managers try to stop an attacker as far away from user data as possible. Preferably before they gain access to the network.

Current network defenses are designed around the features of specific network defense tools, such as identifying malware, blocking packets, or analyzing network events [8] . Two factor Authentication is designed to stop unauthorized network Intrusion. Malware is very prevalent in operating systems that typically run on laptops, desktops, and server hardware platforms [2] . Security managers should ensure that all device firmware updates are installed from a trusted source.

Artificial intelligence (AI), the ability of a digital computer or computer-controlled robot to perform tasks commonly associated with intelligent beings [23] . Computers can perform some tasks quicker, more efficiently and consistently than humans. Artificial intelligence (AI) is technology that enables computers and machines to simulate human learning, comprehension, problem solving, decision making, creativity and autonomy [24] . Human learning and problem solving can be enhanced by using AI.

Artificial Intelligence (AI) is playing an increasingly significant role in cybersecurity [25] . Some of the AI benefits in Cybersecurity include threat detection, automated responses and behavior analysis. In terms of threat detection, AI can analyze vast amounts of data to identify patterns and detect threats in real-time. This enables rapid response and mitigation [25] .

Artificial Intelligence (AI) can enhance automated responses by automating routine tasks such as log analysis and vulnerability scanning, freeing up human analysts for more complex tasks [25] . Threat actor behavior can be quickly analyzed by AI systems to uncover malicious behavior. Systems can monitor behaviors, detect phishing attempts, and authenticate users by analyzing data like typing styles and voice patterns [25] . Finally, AI can continuously learn from new data, improving its ability to identify and counter emerging threats [25] .

There are some challenges and risks associated with using AI to perform cybersecurity tasks. Cybercriminals can use AI to create highly personalized spear-phishing messages or deepfake voices to deceive employees [26] . Attackers can use AI to tamper with data, creating false information that can be used for financial gain or to damage reputations [26] . The use of AI in cybersecurity raises ethical questions about privacy, data protection, and the potential misuse of AI technologies [26] .

A few artificial intelligence trends are developing in the field of cyber security. Enhanced AI capabilities will continue to evolve, becoming more sophisticated in detecting and responding to cyber threats [27] . Collaboration will be increased collaboration between government agencies, private sector companies, and international partners to advance global AI security best practices [27] . Organizations will focus on workforce development, expanding AI expertise within their workforce to ensure they can effectively leverage AI technologies [27] . AI is a powerful tool in the fight against cybercrime, but it must be harnessed responsibly and securely [27] .

The purpose of this chapter is to present the analysis which reject the H₀ null hypothesis that expected utility analysis does not affect the relationship between the prioritization and combining of 20 Cybersecurity Article’s defense in depth tools and procedures (independent variables) and cyber threats (dependent variables). Preferential independence can be described as the preferential outcome of one criterion over another that is not influenced by the remaining criteria [16] . Encryption can be seen in a network security expected utility analysis as the preferred security tool for preventing privacy loss.

Data collected before the analysis in this experiment shows a lack of combining security measures and tools to combat specific security threats. The data capture (recording) and coding methodology employed in this study was used to determine the best defense in-depth choices from a list of decision alternatives (network security threats). Finally, a summary of the results is included in this chapter.

The study design included one investigative question which provided foundation for the main research questions. This section lists the investigative question and includes the statistical analysis to explore the question.

The current agenda of prioritizing and combining defense in depth measures can continue to evolve based on this investigation. Defense in depth is an effective method of mitigation and prevention of automatic attacks that an organization faces from public internet [7] . Multi-factor Authentication can help to prevent Internet attacks password sniffing for example.

Two types of countermeasures can significantly reduce the risk of such attacks: strong encryption and strong authentication of both devices and users [4] . It is imperative that network security managers deploy strong encryption and authentication on their wireless network as a part of their defense in depth approach. Defense in depth takes a holistic approach to network security, protecting the network from several different perspectives with both tools and procedures.

It is of importance to increase the secrecy capacity by exploiting sophisticated signal processing techniques, such as the artificial-noise-aided security [16] . While working from home, communications must remain private to protect personal and organizational information. The new concept has decision makers setting an aspiration level, though it may not be reachable using current resources, or simply redesigning the decision space [16] . Defense in depth allows the security manager to be creative in security tool deployment so that he can successfully achieve his security goals.

Secure communications should satisfy the requirements of authenticity, confidentiality, integrity, and availability (CIA) [16] . The goal of defense in depth security is to protect CIA. Communications are also vulnerable to denial-of-service (DoS) attacks [4] . Firewalls and NIDS should also be included in the wireless network defense in depth deployment to prevent DOS attacks.

The research concluded that expected utility analysis can play a role in the organization’s decision process to array and combine defense in depth measures against network threats. If an eavesdropper lies in the transmit coverage area of the source node, the wireless communications session can be overheard by the eavesdropper [16] . Like how spies operate, eavesdroppers (sniffers) can easily intercept wireless communications. A combination of both security procedures and security tools plays an important role in defense in depth.

An aspiration level could be attained by expanding employees’ competence set (e.g., training) or adding or changing new resources (e.g., through strategy alliance, innovation, or creativity) to expand the original decision space [16] . Both administrator and employee training are critical in achieving network security goals and objectives. To maintain confidential transmission, typically cryptographic techniques relying on secret keys are adopted to prevent eavesdropping attacks from intercepting the data transmission [16] . To help meet social distancing requirements, encryption should be used to prevent intruders from tapping into private communications.

Differing from the Internet, the smart grid has only two major directional information flows: bottom-up and top-down [15] . Because of the vertical nature of smart grid communications, redundant communication paths are required to enhance communications. Hackers collect data on different systems; the information collected is analyzed for possible security problems [22] . Stopping this reconnaissance is the first step in preventing an attack.

Organizations can take several steps to reduce the risk of such unintentional DoS attacks [4] . Encryption and authentication are two of many measures that should be taken to prevent both intentional and unintentional DoS attacks. Building interrelationships (dependence and feedback) among criteria and improvement of criteria in general is used to achieve the aspiration level [16] . Deploying defense in depth analytically can help to build the synergy between security tools necessary to achieve organizational security goals.

There are examples of detailed case studies that illustrate successful application of AI and expected utility hypothesis in cybersecurity prioritization in real-world organizational settings. A Fortune 500 international food chain with over 100,000 employees faced significant cybersecurity challenges [36] . Cyclops Security’s AI-powered Risk Prioritization platform helped the organization uncover critical risks by correlating and analyzing security data [36] .

The platform identified several critical systems missing required protections and highlighted that two company executives with privileged access rights were accessing critical systems without using multi-factor authentication (MFA) [37] . A study compared the optimal resource allocation to cybersecurity and cyber insurance using Expected Utility Theory (EUT) and Prospect Theory (PT) [37] . The research demonstrated that EUT, which relies on rational decision-making principles, can help organizations optimize their resource allocation by assessing the probabilities and impacts of different threats [37] .

Fructification of each layer of model presents vast variety of implementation alternatives and adoptability according to the design and architecture of organization [7] . Each organization will deploy a different variation of defense in depth. A malicious node in wireless networks can readily generate intentional interference for disrupting the data communications between legitimate users, which is referred to as a jamming attack (also known as DoS attack) [16] . Innocent conversations, both business and pleasure can be interrupted by interference.

The smart grid must have the ability to detect the attempt of an intruder to gain unauthorized access to computer systems [15] . Network intrusion detection systems can identify malware that has gained access to the smart grid. Insecure, poorly configured wireless access points can compromise confidentiality by allowing unauthorized access to the network [4] . Network administrators should be professionally trained on wireless network security when implementing wireless networks.

The available published knowledge of expected utility analysis can be used to prioritize defense in depth measures against network threats. This is confirmed by the research conclusion.

Defense in depth decision making can be deployed using EUH to enhance organizational IT security. To make the security policy effective, it must be practical and enforceable, and it must be possible to comply with the policy [4] . Organizations must develop effective network security plans. These plans should be strictly enforced.

Defense in depth and expected utility analysis can be an important asset to the organization. Further advances can be gained in the use of defense in depth by continuing expected utility analysis. The decision space may be modified to achieve aspiration level of the objective space in changeable space situations [16] . The security of portable devices is changing the network security decision space, and defense in depth tools must adapt to meet those changes.

To better understand the role that expected utility analysis can play in IT security this research proposed a expected utility analysis structural and measurement model of the relevant factors. The future of IT security should include additional exploratory models to advance understanding of why the current models are not substantially improving IT security. To understand the shortcoming of current IT security models, further exploratory studies should be conducted on additional models.

I would like to thank the reviewers for their detailed comments that greatly improved the paper.

The potential benefits of research in organizations, especially public safety organizations, can be greatly beneficial, but there are risks that some employees or the organization could be unfairly stigmatized. This study was conducted with the informed consent of all the participants.

The participants were not subjected to risk. To avoid conflict of interest, the survey participants are in no way related to the researcher.

For specifically addressing an autonomous agency, the design included an informed consent process to ensure that participation was voluntary, with adequate information provided to participants to make their decision of whether or not to participate [38] . Specifically addressing diminished autonomy, while ensuring extra protection is afforded to prevent harm from exclusion.

Advanced Persistent Threat (APT). “An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception)” [39] .

Biometrics. “The measurement and analysis of unique physical or behavioral characteristics (such as fingerprint or voice patterns) especially as a means of verifying personal identity” [40] .

Botnets. “A botnet is a group of compromised computers under the control of an attacker” [41] .

Defense in-depth. “Defense in-depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. The strategy is based on the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier” [42] .

Denial of service (DOS). “A denial-of-service attack is an attempt by multiple attackers to make a service unavailable to its users” [43] .

Firewall. “A firewall is a network security system, either hardware- or software-based, that controls incoming and outgoing network traffic based on a set of rules” [43] .

Hash Algorithm (Hash). “An encryption algorithm set of rules by which information or messages are encoded so that unauthorized persons cannot read them” [40] .

Intrusion detection system. Host intrusion detection systems and network intrusion detection systems are methods of security management for computers and networks [44] .

Man-in-the-middle attack (MitM). “A kind of cyberattack where an unapproved outsider enters into an online correspondence between two users, remains escaped the two parties. The malware that is in the middle-attack often monitors and changes individual/classified information that was just realized by the two users” [45] .

Password. “A password is an un-spaced sequence of characters used to determine that a computer user requesting access to a computer system is really that particular user” [46] .

Public Key Infrastructure (PKI). “A cryptographic element that is the publicly shared half of an encryption code and that can be used only to encode messages” [47] .

Phishing. “Phishing is the combined use of fraudulent e-mails and legitimate looking websites by cyber criminals to gain user credentials” [41] .

Social Engineering. “Social engineering refers to psychological manipulation of people into accomplishing goals that may or may not be in the target’s best interest. In cyber-attacks, it is often used for obtaining sensitive information or getting the target to take certain action (e.g. executing malware)” [39] .

Spam. “Spam is the use of e-mail technology to flood mailboxes with unsolicited messages” [41] .

SQL injection attacks. “These consist of attacks against web applications with the aim of extracting data or stealing credentials or taking control of the targeted web server” [41] .

Watering Hole Attacks. “The concept of a watering hole attack is similar to a predator waiting at a watering hole in a desert, as the predator knows that the victims will have to come to the watering hole. Similarly, rather than actively sending malicious emails, the attackers can identify 3rd party websites that are frequently visited by the targeted persons and then try to infect one or more of these websites with malware” [39] .

Worms/Trojans. “Worms and malicious programs have the ability to replicate and redistribute themselves by exploiting the vulnerabilities of their target systems” [41] .

Zero-day Attacks. “Zero-day vulnerabilities, i.e., threats that use an error or a vulnerability in the application or the operating system and arise immediately after the vulnerability is found, but before the relevant upgrade is issued” [48] .