{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,1]],"date-time":"2025-12-01T07:00:11Z","timestamp":1764572411422,"version":"3.46.0"},"reference-count":21,"publisher":"Springer Science and Business Media LLC","issue":"6","license":[{"start":{"date-parts":[[2025,11,8]],"date-time":"2025-11-08T00:00:00Z","timestamp":1762560000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,11,8]],"date-time":"2025-11-08T00:00:00Z","timestamp":1762560000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2025,12]]},"DOI":"10.1007\/s10207-025-01155-4","type":"journal-article","created":{"date-parts":[[2025,11,8]],"date-time":"2025-11-08T14:15:00Z","timestamp":1762611300000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Security by design: a risk-based framework for cybersecurity compliance and critical infrastructure protection"],"prefix":"10.1007","volume":"24","author":[{"ORCID":"https:\/\/orcid.org\/0009-0007-2821-8377","authenticated-orcid":false,"given":"Ayokunle","family":"Akinsanya","sequence":"first","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,11,8]]},"reference":[{"key":"1155_CR1","unstructured":"National Institute of Standards and Technology: Cybersecurity Framework 2.0. U.S. Department of Commerce (2025). https:\/\/nvlpubs.nist.gov\/nistpubs\/CSWP\/NIST.CSWP.29.pdf"},{"key":"1155_CR2","unstructured":"World Economic Forum: Global cybersecurity outlook 2024. (2024). https:\/\/www3.weforum.org\/docs\/WEF_Global_Cybersecurity_Outlook_2024.pdf"},{"key":"1155_CR3","doi-asserted-by":"publisher","unstructured":"Dodson, D.F., Souppaya, M., Scarfone, K.: Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF). National Institute of Standards and Technology (2020). https:\/\/doi.org\/10.6028\/NIST.CSWP.04232020","DOI":"10.6028\/NIST.CSWP.04232020"},{"issue":"3","key":"1155_CR4","doi-asserted-by":"publisher","first-page":"126","DOI":"10.18261\/olr.8.3.2","volume":"8","author":"LA Bygrave","year":"2022","unstructured":"Bygrave, L.A.: Security by design: Aspirations and realities in a regulatory context. Oslo Law Rev. 8(3), 126\u2013177 (2022). https:\/\/doi.org\/10.18261\/olr.8.3.2","journal-title":"Oslo Law Rev."},{"issue":"3","key":"1155_CR5","doi-asserted-by":"publisher","first-page":"422","DOI":"10.3390\/network3030018","volume":"3","author":"M Chauhan","year":"2023","unstructured":"Chauhan, M., Shiaeles, S.: An analysis of cloud security frameworks, problems and proposed solutions. Network. 3(3), 422\u2013450 (2023). https:\/\/doi.org\/10.3390\/network3030018","journal-title":"Network"},{"issue":"1","key":"1155_CR6","doi-asserted-by":"publisher","first-page":"tyaa005","DOI":"10.1093\/cybsec\/tyaa005","volume":"6","author":"LA Gordon","year":"2020","unstructured":"Gordon, L.A., Loeb, M.P.: Integrating cost\u2013benefit analysis into the NIST cybersecurity framework via the Gordon\u2013Loeb model. J. Cybersecur. 6(1), tyaa005 (2020). https:\/\/doi.org\/10.1093\/cybsec\/tyaa005","journal-title":"J. Cybersecur."},{"key":"1155_CR7","first-page":"34996","volume":"6","author":"LO Mailloux","year":"2018","unstructured":"Mailloux, L.O., Span, M., Grimaila, M.R., Young, W.B., Hodson, D.D.: Examination of security design principles from NIST SP 800\u2009\u2013\u2009160. IEEE Access. 6, 34996\u201335007 (2018). https:\/\/www.researchgate.net\/publication\/325495586_Examination_of_security_design_principles_from_NIST_SP_800-160","journal-title":"IEEE Access."},{"key":"1155_CR8","doi-asserted-by":"publisher","DOI":"10.4018\/978-1-61350-501-4.ch007","author":"A Cavoukian","year":"2009","unstructured":"Cavoukian, A.: Privacy by design: The 7 foundational principles. Inform. Priv. Commissioner Ont. Can. (2009). https:\/\/doi.org\/10.4018\/978-1-61350-501-4.ch007","journal-title":"Inform. Priv. Commissioner Ont. Can."},{"key":"1155_CR9","doi-asserted-by":"publisher","unstructured":"Mbaka, W.B., van Gerwen, S., Tuma, K.: Human factors in security risk of software systems: A systematic literature review. Journal of Systems and Software. Available at SSRN: https:\/\/ssrn.com\/abstract=4799844 or (2024). https:\/\/doi.org\/10.2139\/ssrn.4799844","DOI":"10.2139\/ssrn.4799844"},{"key":"1155_CR10","doi-asserted-by":"publisher","first-page":"105926","DOI":"10.1016\/j.clsr.2023.105926","volume":"52","author":"J Boeken","year":"2024","unstructured":"Boeken, J.: From compliance to security, responsibility beyond law. Comput. Law Secur. Rev. 52, 105926 (2024). https:\/\/doi.org\/10.1016\/j.clsr.2023.105926","journal-title":"Comput. Law Secur. Rev."},{"issue":"2","key":"1155_CR11","doi-asserted-by":"publisher","first-page":"41","DOI":"10.2753\/MIS0742-1222300202","volume":"30","author":"J Kwon","year":"2014","unstructured":"Kwon, J., Johnson, M.E.: Health-care security strategies for data protection and regulatory compliance. J. Manage. Inform. Syst. 30(2), 41\u201366 (2014). https:\/\/doi.org\/10.2753\/MIS0742-1222300202","journal-title":"J. Manage. Inform. Syst."},{"issue":"2","key":"1155_CR12","doi-asserted-by":"publisher","first-page":"15","DOI":"10.5281\/zenodo.1485567","volume":"3","author":"JM Pelletier","year":"2018","unstructured":"Pelletier, J.M.: Longitudinal analysis of information security incident spillover effects. J. Manage. Sci. Bus. Intell. 3(2), 15\u201320 (2018). https:\/\/doi.org\/10.5281\/zenodo.1485567","journal-title":"J. Manage. Sci. Bus. Intell."},{"key":"1155_CR13","unstructured":"Boehm, J., Curcio, N., Merrath, P., Shenton, L., St\u00e4hle, T.: The risk-based approach to cybersecurity. McKinsey & Company Risk Practice. (2019). Available at: https:\/\/www.mckinsey.com\/~\/media\/McKinsey\/Business%20Functions\/Risk\/Our%20Insights\/The%20risk%20based%20approach%20to%20cybersecurity\/The-risk-based-approach-to-cybersecurity.pdf"},{"issue":"6","key":"1155_CR14","doi-asserted-by":"publisher","first-page":"101","DOI":"10.3390\/risks11060101","volume":"11","author":"HM Melaku","year":"2023","unstructured":"Melaku, H.M.: Context-based and adaptive cybersecurity risk management framework. Risks. 11(6), 101 (2023). https:\/\/doi.org\/10.3390\/risks11060101","journal-title":"Risks"},{"issue":"1","key":"1155_CR15","doi-asserted-by":"publisher","first-page":"75","DOI":"10.5555\/2017212.2017217","volume":"28","author":"A Hevner","year":"2004","unstructured":"Hevner, A., March, S., Park, J., Ram, S.: Design science in information systems research. MIS Q. 28(1), 75\u2013105 (2004). https:\/\/doi.org\/10.5555\/2017212.2017217","journal-title":"MIS Q."},{"key":"1155_CR16","doi-asserted-by":"publisher","unstructured":"National Institute of Standards and Technology (NIST): *NIST Cybersecurity Framework 2.0: Quick Start Guide for Using the CSF tiers* (NIST Special Publication 1302). U.S. Department of Commerce (2024). https:\/\/doi.org\/10.6028\/NIST.SP.1302","DOI":"10.6028\/NIST.SP.1302"},{"key":"1155_CR17","doi-asserted-by":"publisher","unstructured":"Tatam, M., Shanmugam, B., Azam, S., Kannoorpatti, K.: A review of threat modelling approaches for APT-style attacks. Heliyon. 7(1) (2021). https:\/\/doi.org\/10.1016\/j.heliyon.2021.e05969","DOI":"10.1016\/j.heliyon.2021.e05969"},{"key":"1155_CR18","doi-asserted-by":"publisher","unstructured":"Kummarapurugu, C.S.: Enhancing serverless computing security in multi-cloud environments: Integrating policy-as-code, automated compliance, and dynamic access controls. Int. J. Innovative Res. Eng. Multidisciplinary Phys. Sci. 10(2) (2022). https:\/\/doi.org\/10.5281\/zenodo.14059454","DOI":"10.5281\/zenodo.14059454"},{"key":"1155_CR19","doi-asserted-by":"publisher","first-page":"100496","DOI":"10.1016\/j.cosrev.2022.100496","volume":"45","author":"A Shukla","year":"2022","unstructured":"Shukla, A., Katt, B., Nweke, L.O., Yeng, P.K., Weldehawaryat, G.K.: System security assurance: A systematic literature review. Comput. Sci. Rev. 45, 100496 (2022). https:\/\/doi.org\/10.1016\/j.cosrev.2022.100496","journal-title":"Comput. Sci. Rev."},{"key":"1155_CR20","unstructured":"National Institute of Standards and Technology: Security and Privacy Controls for Information Systems and Organizations (Special Publication 800\u2009\u2013\u200953 Rev. 5). (2020). https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-53r5.pdf"},{"key":"1155_CR21","unstructured":"National Institute of Standards and Technology, Security Automation and, Management, V.: https:\/\/csrc.nist.gov\/nist-cyber-history\/automation-metrics\/chapter#security-automation"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-025-01155-4.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-025-01155-4\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-025-01155-4.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,1]],"date-time":"2025-12-01T06:55:30Z","timestamp":1764572130000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-025-01155-4"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,8]]},"references-count":21,"journal-issue":{"issue":"6","published-print":{"date-parts":[[2025,12]]}},"alternative-id":["1155"],"URL":"https:\/\/doi.org\/10.1007\/s10207-025-01155-4","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"type":"print","value":"1615-5262"},{"type":"electronic","value":"1615-5270"}],"subject":[],"published":{"date-parts":[[2025,11,8]]},"assertion":[{"value":"30 April 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"26 October 2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"8 November 2025","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"234"}}