{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,2]],"date-time":"2025-12-02T22:15:28Z","timestamp":1764713728315,"version":"3.40.3"},"publisher-location":"Cham","reference-count":31,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783031453151"},{"type":"electronic","value":"9783031453168"}],"license":[{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023]]},"DOI":"10.1007\/978-3-031-45316-8_33","type":"book-chapter","created":{"date-parts":[[2023,11,6]],"date-time":"2023-11-06T00:03:14Z","timestamp":1699228994000},"page":"517-532","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["CRAG: A Guideline to Perform a Cybersecurity Risk Audits"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7573-0575","authenticated-orcid":false,"given":"Isaac D.","family":"S\u00e1nchez-Garc\u00eda","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6104-7430","authenticated-orcid":false,"given":"Tom\u00e1s San Feliu","family":"Gilabert","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2864-2203","authenticated-orcid":false,"given":"Jose 
A.","family":"Calvo-Manzano","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2023,11,6]]},"reference":[{"issue":"1","key":"33_CR1","doi-asserted-by":"publisher","first-page":"151","DOI":"10.2308\/ajpt-52593","volume":"39","author":"H Li","year":"2020","unstructured":"Li, H., No, W.G., Boritz, J.E.: Are external auditors concerned about cyber incidents? evidence from audit fees. Auditing: A J. Pract. Theory 39(1), 151\u2013171 (2020). https:\/\/doi.org\/10.2308\/ajpt-52593","journal-title":"Auditing: A J. Pract. Theory"},{"issue":"03","key":"33_CR2","doi-asserted-by":"publisher","first-page":"1950013","DOI":"10.1142\/S1094406019500136","volume":"54","author":"P Rosati","year":"2019","unstructured":"Rosati, P., Gogolin, F., Lynn, T.: Audit firm assessments of cyber-security risk: evidence from audit fees and sec comment letters. Int. J. Account. 54(03), 1950013 (2019). https:\/\/doi.org\/10.1142\/S1094406019500136","journal-title":"Int. J. Account."},{"issue":"2","key":"33_CR3","doi-asserted-by":"publisher","first-page":"177","DOI":"10.2308\/isys-52241","volume":"33","author":"TJ Tom Smith","year":"2019","unstructured":"Tom Smith, T.J., Higgs, J.L., Pinsker, R.E.: Do auditors price breach risk in their audit fees? J. Inform. Syst. 33(2), 177\u2013204 (2019). https:\/\/doi.org\/10.2308\/isys-52241","journal-title":"J. Inform. Syst."},{"key":"33_CR4","doi-asserted-by":"publisher","first-page":"40","DOI":"10.1016\/j.accinf.2018.06.003","volume":"30","author":"H Li","year":"2018","unstructured":"Li, H., No, W.G., Wang, T.: SEC\u2019s cybersecurity disclosure guidance and disclosed cybersecurity risk factors. Int. J. Account. Inf. Syst. 30, 40\u201355 (2018). https:\/\/doi.org\/10.1016\/j.accinf.2018.06.003","journal-title":"Int. J. Account. Inf. 
Syst."},{"issue":"1","key":"33_CR5","doi-asserted-by":"publisher","first-page":"24","DOI":"10.1111\/ijau.12209","volume":"25","author":"TG Calderon","year":"2021","unstructured":"Calderon, T.G., Gao, L.: Cybersecurity risks disclosure and implied audit risks: evidence from audit fees. Int. J. Audit. 25(1), 24\u201339 (2021). https:\/\/doi.org\/10.1111\/ijau.12209","journal-title":"Int. J. Audit."},{"issue":"6","key":"33_CR6","doi-asserted-by":"publisher","first-page":"1233","DOI":"10.1108\/CG-05-2022-0200","volume":"23","author":"IM Beuren","year":"2023","unstructured":"Beuren, I.M., Machado, V.N., Dall Agnol, A.J.: Relevance of internal controls for risk management: empirical evidence from the perception of its executors and reviewers in a multinational company. Corporate Governance: Int. J. Bus. Soc. 23(6), 1233\u20131250 (2023). https:\/\/doi.org\/10.1108\/CG-05-2022-0200","journal-title":"Corporate Governance: Int. J. Bus. Soc."},{"issue":"1","key":"33_CR7","doi-asserted-by":"publisher","first-page":"80","DOI":"10.1016\/j.acclit.2018.03.002","volume":"42","author":"K Chalmers","year":"2019","unstructured":"Chalmers, K., Hay, D., Khlif, H.: Internal control in accounting research: a review. J. Account. Lit. 42(1), 80\u2013103 (2019). https:\/\/doi.org\/10.1016\/j.acclit.2018.03.002","journal-title":"J. Account. Lit."},{"issue":"1","key":"33_CR8","doi-asserted-by":"publisher","first-page":"41","DOI":"10.2308\/isys-51294","volume":"30","author":"JZ Haislip","year":"2016","unstructured":"Haislip, J.Z., Masli, A., Richardson, V.J., Sanchez, J.M.: Repairing organizational legitimacy following information technology (IT) material weaknesses: executive turnover, IT expertise, and IT system upgrades. J. Inf. Syst. 30(1), 41\u201370 (2016). https:\/\/doi.org\/10.2308\/isys-51294","journal-title":"J. Inf. 
Syst."},{"key":"33_CR9","unstructured":"International Organization for Standardization: \u201cISO\/IEC 27004:2016,\u201d Information technology \u2014 Security techniques \u2014 Information security, 2016. https:\/\/www.iso.org\/standard\/64120.html. Accessed 24 Oct 2022"},{"key":"33_CR10","unstructured":"National Institute of Standards and Technology: NIST Cybersecurity framework. In: Proceedings of the Annual ISA Analysis Division Symposium, vol. 535, pp. 9\u201325 (2018)"},{"key":"33_CR11","unstructured":"Information Systems Audit and Control Association: COBIT 2019. www.isaca.org\/COBIT (2018). Accessed: 08 May 2022"},{"key":"33_CR12","unstructured":"Galligan, M.E., Rau, K.: COSO in the cyber age (2015)"},{"key":"33_CR13","unstructured":"IAASB: International Auditing and Assurance Standards Board. https:\/\/www.iaasb.org\/ (2023). Accessed 22 May 2023"},{"key":"33_CR14","unstructured":"Public Company Accounting Oversight Board. Sarbanes Oxley Act. (2002)"},{"issue":"4","key":"33_CR15","doi-asserted-by":"publisher","first-page":"189","DOI":"10.1080\/19393555.2020.1834649","volume":"30","author":"OMM Al-Matari","year":"2021","unstructured":"Al-Matari, O.M.M., Helal, I.M.A., Mazen, S.A., Elhennawy, S.: Integrated framework for cybersecurity auditing. Inform. Secur. J. 30(4), 189\u2013204 (2021). https:\/\/doi.org\/10.1080\/19393555.2020.1834649","journal-title":"Inform. Secur. J."},{"key":"33_CR16","unstructured":"European Confederation of Institutes of Internal Auditors: \u2018Risk in focus 2021. Hot topics for internal auditors. https:\/\/www.eciia.eu\/wp-content\/uploads\/2020\/09\/100242-RISK-IN-FOCUS-2021-52PP-ECIIA-Online-V2.pdf (2020)"},{"key":"33_CR17","doi-asserted-by":"publisher","unstructured":"Duncan, B., Whittington, M.: Compliance with standards, assurance and audit: Does this equal security? In: ACM International Conference Proceeding Series, Association for Computing Machinery, pp. 77\u201384 (2014). 
doi: https:\/\/doi.org\/10.1145\/2659651.2659711","DOI":"10.1145\/2659651.2659711"},{"key":"33_CR18","doi-asserted-by":"publisher","first-page":"103170","DOI":"10.1016\/j.cose.2023.103170","volume":"128","author":"ID S\u00e1nchez-Garc\u00eda","year":"2023","unstructured":"S\u00e1nchez-Garc\u00eda, I.D., Feliu Gilabert, T.S., Calvo-Manzano, J.A.: Countermeasures and their taxonomies for risk treatment in cybersecurity: a systematic mapping review. Comput. Secur. 128, 103170 (2023). https:\/\/doi.org\/10.1016\/j.cose.2023.103170","journal-title":"Comput. Secur."},{"issue":"1","key":"33_CR19","doi-asserted-by":"publisher","first-page":"395","DOI":"10.3390\/app13010395","volume":"13","author":"ID S\u00e1nchez-Garc\u00eda","year":"2022","unstructured":"S\u00e1nchez-Garc\u00eda, I.D., Mej\u00eda, J., Feliu Gilabert, T.S.: Cybersecurity risk assessment: a systematic mapping review, proposal, and validation. Appl. Sci. 13(1), 395 (2022). https:\/\/doi.org\/10.3390\/app13010395","journal-title":"Appl. Sci."},{"issue":"2","key":"33_CR20","doi-asserted-by":"publisher","first-page":"6","DOI":"10.1108\/09564239510084914","volume":"6","author":"C Congram","year":"1995","unstructured":"Congram, C., Epelman, M.: How to describe your service. Int. J. Serv. Ind. Manag. 6(2), 6\u201323 (1995). https:\/\/doi.org\/10.1108\/09564239510084914","journal-title":"Int. J. Serv. Ind. Manag."},{"key":"33_CR21","doi-asserted-by":"publisher","unstructured":"Islamova, O.V., Zhilyaev, A.A., Bozieva, A.M.: SADT technology as a tool to improve efficiency in the use of process approach in management of engineering enterprise. In: 2016 IEEE Conference on Quality Management, Transport and Information Security, Information Technologies (IT&MQ&IS), IEEE, pp. 65\u201368 (2016). 
https:\/\/doi.org\/10.1109\/ITMQIS.2016.7751903","DOI":"10.1109\/ITMQIS.2016.7751903"},{"key":"33_CR22","doi-asserted-by":"publisher","first-page":"227","DOI":"10.1016\/j.procir.2022.05.241","volume":"109","author":"J Olbort","year":"2022","unstructured":"Olbort, J., R\u00f6hm, B., Kutscher, V., Anderl, R.: Integration of communication using OPC UA in MBSE for the development of cyber-physical systems. Procedia CIRP 109, 227\u2013232 (2022). https:\/\/doi.org\/10.1016\/j.procir.2022.05.241","journal-title":"Procedia CIRP"},{"key":"33_CR23","doi-asserted-by":"publisher","unstructured":"Bygdas, E., Jaatun, L.A., Antonsen, S.B., Ringen, A., Eiring, E.: Evaluating threat modeling tools: microsoft TMT versus OWASP threat dragon. In: 2021 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), IEEE, pp. 1\u20137 (2021). https:\/\/doi.org\/10.1109\/CyberSA52016.2021.9478215","DOI":"10.1109\/CyberSA52016.2021.9478215"},{"issue":"5","key":"33_CR24","doi-asserted-by":"publisher","first-page":"1015","DOI":"10.1108\/JEDT-08-2019-0201","volume":"18","author":"R Derradji","year":"2020","unstructured":"Derradji, R., Hamzi, R.: Multi-criterion analysis based on integrated process-risk optimization. J. Eng. Des. Technol. 18(5), 1015\u20131035 (2020). https:\/\/doi.org\/10.1108\/JEDT-08-2019-0201","journal-title":"J. Eng. Des. Technol."},{"key":"33_CR25","unstructured":"Microsoft Global: ISO\/IEC 27001:2013 Information Security Management Standards (2021). https:\/\/docs.microsoft.com\/en-us\/compliance\/regulatory\/offering-iso-27001. Accessed 01 Sep 2021"},{"key":"33_CR26","unstructured":"Security Standards Council: PCI DSS Quick Reference Guide. www.pcisecuritystandards.org (2018)"},{"key":"33_CR27","unstructured":"Center for Internet Security: CIS Critical Security Controls\u00ae CIS Critical Security Controls. 
www.cisecurity.org\/controls\/ (2021)"},{"key":"33_CR28","doi-asserted-by":"publisher","unstructured":"Yildiz, M., Abawajy, J., Ercan, T., Bernoth, A.: A layered security approach for cloud computing infrastructure. In: 2009 10th International Symposium on Pervasive Systems, Algorithms, and Networks, pp. 763\u2013767. IEEE (2009). https:\/\/doi.org\/10.1109\/I-SPAN.2009.157","DOI":"10.1109\/I-SPAN.2009.157"},{"key":"33_CR29","unstructured":"ISACA: An Introduction to the Business Model for Information Security. www.isaca.org (2009)"},{"issue":"105","key":"33_CR30","doi-asserted-by":"publisher","first-page":"4","DOI":"10.47460\/uct.v24i105.375","volume":"24","author":"MG Mancero Arias","year":"2020","unstructured":"Mancero Arias, M.G., Arroba Salto, I.M., Pazmi\u00f1o Enr\u00edquez, J.E.: Modelo de control interno para pymes en base al informe COSO \u2013 ERM. Universidad Ciencia y Tecnolog\u00eda 24(105), 4\u201311 (2020). https:\/\/doi.org\/10.47460\/uct.v24i105.375","journal-title":"Universidad Ciencia y Tecnolog\u00eda"},{"key":"33_CR31","doi-asserted-by":"publisher","unstructured":"Aditya, B.R., Ferdiana, R., Santosa, P.I.: Toward modern IT audit- current issues and literature review. In: 2018 4th International Conference on Science and Technology (ICST), pp. 1\u20136. IEEE (2018). 
https:\/\/doi.org\/10.1109\/ICSTC.2018.8528627","DOI":"10.1109\/ICSTC.2018.8528627"}],"container-title":["Communications in Computer and Information Science","Telematics and Computing"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-45316-8_33","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,11,6]],"date-time":"2023-11-06T00:08:52Z","timestamp":1699229332000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-45316-8_33"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023]]},"ISBN":["9783031453151","9783031453168"],"references-count":31,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-45316-8_33","relation":{},"ISSN":["1865-0929","1865-0937"],"issn-type":[{"type":"print","value":"1865-0929"},{"type":"electronic","value":"1865-0937"}],"subject":[],"published":{"date-parts":[[2023]]},"assertion":[{"value":"6 November 2023","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"WITCOM","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Congress of Telematics and Computing","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Puerto Vallarta","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Mexico","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2023","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"13 November 
2023","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"17 November 2023","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"12","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"witcom2023","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/www.witcom.upiita.ipn.mx\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"EasyChair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"88","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"35","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"40% - The value is computed by the equation \"Number of Full Papers Accepted \/ 
Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"No","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}