{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,13]],"date-time":"2026-03-13T23:55:51Z","timestamp":1773446151834,"version":"3.50.1"},"reference-count":63,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2022,5,18]],"date-time":"2022-05-18T00:00:00Z","timestamp":1652832000000},"content-version":"vor","delay-in-days":137,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022,1,28]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Cybersecurity requirements, such as data security, are often used as evidence for the Government's relationship with external service providers to process, store and transmit sensitive government data. However, cybersecurity researchers have not profoundly studied the practical application of government data security requirements (e.g. data confidentiality) in service level agreements (SLAs) in the context of an outsourced scenario. The relationships with external service providers are usually established through SLAs as trust-enhancing instruments. However, there is a concern that existing SLAs mainly focus on the system availability and performance aspects but overlook cybersecurity requirements (e.g. data security) in SLAs. Such an understanding is essential to develop government SLA data confidentiality requirements into the formulation of security-related SLAs. We seek to provide insights by developing and conducting a grounded adaptive Delphi method (GADM) with 35 government participants through group discussions and individual sessions. The work on the Indonesian Government's data confidentiality requirements was used as a case study. 
This paper provides insights into three understandings of the increasing considerations of the Government's data confidentiality requirements in SLA definitions. The three perceptions of security-related SLAs are the target of protection, the data confidentiality risks and the government SLA data confidentiality requirements. Our findings have important implications for a better understanding of how to incorporate data confidentiality requirements according to perceived threats for government data classification in security-SLAs. Based on these findings, we recommend that the Government and service providers improve existing security-related SLAs and future research lines.<\/jats:p>","DOI":"10.1093\/cybsec\/tyac004","type":"journal-article","created":{"date-parts":[[2022,5,18]],"date-time":"2022-05-18T12:05:06Z","timestamp":1652875506000},"source":"Crossref","is-referenced-by-count":13,"title":["Cybersecurity service level agreements: understanding government data confidentiality requirements"],"prefix":"10.1093","volume":"8","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1875-0219","authenticated-orcid":false,"given":"Yudhistira","family":"Nugraha","sequence":"first","affiliation":[{"name":"Jakarta Smart City, Department of Communications, Informatics, and Statistics , Jl. Medan Merdeka Sel. No.8-9, Jakarta Pusat, DKI Jakarta 10110, Indonesia"},{"name":"School of Computing, Telkom University , Jl. Telekomunikasi No. 
1, Terusan Buahbatu, Kabupaten Bandung, Jawa Barat 40257, Indonesia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8236-980X","authenticated-orcid":false,"given":"Andrew","family":"Martin","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Oxford , Robert Hooke Building, Parks Road, Oxford, the United Kingdom OX1 3PP, UK"}]}],"member":"286","published-online":{"date-parts":[[2022,5,18]]},"reference":[{"key":"2022121515104864100_bib41","doi-asserted-by":"crossref","first-page":"47","DOI":"10.1109\/TETC.2015.2389661","article-title":"An adaptive wideband Delphi method to study state cyber-defence requirements","volume":"4","author":"Nugraha","year":"2016","journal-title":"IEEE Trans Emerg Top Comput"},{"key":"2022121515104864100_bib2","first-page":"5","article-title":"A test-based security certification scheme for web services","volume":"7","author":"Anisetti","year":"2013","journal-title":"Proc ACM Trans Web"},{"key":"2022121515104864100_bib54","doi-asserted-by":"crossref","first-page":"66","DOI":"10.1109\/MSP.2011.33","article-title":"Monitoring cloud computing by layer, part 1","volume":"9","author":"Spring","year":"2011","journal-title":"IEEE Secur Priv Mag"},{"key":"2022121515104864100_bib4","first-page":"p.202","article-title":"Security SLAs for federated cloud services","volume-title":"Proceedings of the Sixth International Conference on Availability, Reliability and Security (ARES)","author":"Bernsmed","year":"2011"},{"key":"2022121515104864100_bib31","first-page":"p.123","article-title":"Security SLAs\u2013an idea whose time has come?","volume-title":"Proceedings of International Conference on Availability, Reliability, and Security","author":"Jaatun","year":"2012"},{"key":"2022121515104864100_bib42","doi-asserted-by":"crossref","first-page":"p.57","DOI":"10.1007\/978-3-319-59171-1_6","article-title":"Investigating security capabilities in service level agreements as trust-enhancing 
instruments","volume-title":"Proceedings of the Eleventh IFIP WG 11 International Conference on Trust Management","author":"Nugraha","year":"2017"},{"key":"2022121515104864100_bib7","volume-title":"Cybersecurity SLAs: Managing Requirements at Arm's Length","author":"Butkovic","year":"2013"},{"key":"2022121515104864100_bib21","first-page":"p.723","article-title":"Access control and security properties requirements specification for clouds\u2019 SecLAs","volume":"Vol. 1","author":"","year":"2013","journal-title":"Proceedings of Fifth IEEE International Conference on Cloud Computing Technology and Science"},{"key":"2022121515104864100_bib27","first-page":"p.54","article-title":"Security service level agreements: quantifiable security for the enterprise?","volume-title":"Proceedings of the Workshop on New security paradigms","author":"Henning","year":"1999"},{"key":"2022121515104864100_bib34","first-page":"p.166","article-title":"Ontology of secure service level agreement","volume-title":"Proceedings of the Sixteenth IEEE International Symposium on High Assurance Systems Engineering","author":"Lee","year":"2015"},{"key":"2022121515104864100_bib36","doi-asserted-by":"crossref","first-page":"457","DOI":"10.1109\/TCC.2015.2469659","article-title":"Quantitative reasoning about cloud security using service level agreements","volume":"5","author":"Luna","year":"2017","journal-title":"IEEE Trans Cloud Comput"},{"key":"2022121515104864100_bib38","article-title":"Meaningful security SLAs","author":"Monahan","year":"2008"},{"key":"2022121515104864100_bib58","doi-asserted-by":"crossref","first-page":"54","DOI":"10.1109\/MVT.2013.2269188","article-title":"Tailored security: building nonrepudiable security service-level agreements","volume":"8","author":"Takahashi","year":"2013","journal-title":"IEEE Veh Technol Mag"},{"key":"2022121515104864100_bib8","volume-title":"Procurement Policy Note-Use of Cyber Essentials Scheme Certification","author":"Cabinet 
Office"},{"key":"2022121515104864100_bib23","volume-title":"DoD Amends its DFARS Safeguarding and Cyber Incident Reporting Requirements with a Second Interim Rule","author":"Hadeka","year":"2016"},{"key":"2022121515104864100_bib40","volume-title":"Implementing the Cloud Security Principles","author":"National Cyber Security Centre","year":"2016"},{"key":"2022121515104864100_bib49","first-page":"171","article-title":"Protecting controlled unclassified information in nonfederal information systems and organizations","volume":"800","author":"Ross","year":"2015","journal-title":"NIST Spec Publ"},{"key":"2022121515104864100_bib11","volume-title":"Constructing Grounded Theory","author":"Charmaz","year":"2014"},{"key":"2022121515104864100_bib15","doi-asserted-by":"crossref","first-page":"p.750","DOI":"10.1145\/2660267.2660273","article-title":"Are you ready to lock?","volume-title":"Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security","author":"Egelman","year":"2014"},{"key":"2022121515104864100_bib37","first-page":"p.399","article-title":"Investigating the computer security practices and needs of journalists","volume-title":"Proceedings of Twenty-Fourth USENIX Security Symposium (USENIX Security 15)","author":"McGregor","year":"2015"},{"key":"2022121515104864100_bib28","volume-title":"Educating Cultural Heritage Information Professionals for Australia's Galleries, Libraries, Archives and Museums: A Grounded Delphi Study","author":"Howard","year":"2015"},{"key":"2022121515104864100_bib56","volume-title":"Applied Software Project Management","author":"Stellman","year":"2005"},{"key":"2022121515104864100_bib46","article-title":"Grounding theory from Delphi studies","volume-title":"Proceedings of the International Conference on Information Systems","author":"P\u00e4iv\u00e4rinta","year":"2011"},{"key":"2022121515104864100_bib59","doi-asserted-by":"crossref","first-page":"149","DOI":"10.1016\/0040-1625(70)90161-7","article-title":"The 
design of a policy Delphi","volume":"2","author":"Turoff","year":"1970","journal-title":"Technol Forecast Soc Change"},{"key":"2022121515104864100_bib62","first-page":"1","article-title":"The Delphi technique: making sense of consensus","volume":"12","author":"Hsu","year":"2007","journal-title":"Pract Assess Res Evaluat"},{"key":"2022121515104864100_bib30","volume-title":"ITU-T Rec. X.805 on Security Architecture for Systems Providing End-to-End Communications","author":"International Telecommunication Union","year":"2003"},{"key":"2022121515104864100_bib52","volume-title":"Secrets and Lies: Digital Security in a Networked World","author":"Schneier","year":"2011"},{"key":"2022121515104864100_bib10","doi-asserted-by":"crossref","first-page":"189","DOI":"10.1002\/bltj.20035","article-title":"The role of SLAs in reducing vulnerabilities and recovering from disasters","volume":"9","author":"Chan","year":"2004","journal-title":"Bell Labs Tech J"},{"key":"2022121515104864100_bib18","first-page":"20","article-title":"Data integrity\u2014information security's poor relation","volume":"6","author":"Gelbstein","year":"2011","journal-title":"ISACA J"},{"key":"2022121515104864100_bib47","first-page":"p. 1","article-title":"Security as a service using an SLA-based approach via SPECS","volume":"Vol. 
2","author":"Rak","year":"2013","journal-title":"Proceedings of the Fifth IEEE International Conference on Cloud Computing Technology and Science"},{"key":"2022121515104864100_bib48","volume-title":"The SLA Ready Project Website","author":"SLA Ready Consortium","year":"2015"},{"key":"2022121515104864100_bib26","doi-asserted-by":"crossref","first-page":"43","DOI":"10.1093\/cybsec\/tyw008","article-title":"Policy, statistics and questions: reflections on UK cyber security disclosures","volume":"2","author":"Heitzenrater","year":"2016","journal-title":"J Cybersecur"},{"key":"2022121515104864100_bib1","volume-title":"G-Cloud UK","author":"Amazon Web Services","year":"2016"},{"key":"2022121515104864100_bib16","first-page":"8","volume":"800","author":"Joint Task Force and Transformation Initiative","year":"2013","journal-title":"Security and Privacy Controls for Federal Information Systems and Organizations"},{"key":"2022121515104864100_bib55","volume-title":"DoD Further Clarifies its DFARS Cybersecurity Requirements","author":"Stanton","year":"2017"},{"key":"2022121515104864100_bib20","volume-title":"Federal Risk and Authorization Management Program (FedRAMP)","author":"US Government","year":"2012"},{"key":"2022121515104864100_bib35","volume-title":"Procurement of Government Goods and Services","author":"LPKPP","year":"2010"},{"key":"2022121515104864100_bib24","volume-title":"An examination of service level agreement attributes that influence cloud computing adoption","author":"Hamilton","year":"2015"},{"key":"2022121515104864100_bib12","volume-title":"The Delphi Method: An Experimental Study of Group Opinion","author":"Dalkey","year":"1969"},{"key":"2022121515104864100_bib33","doi-asserted-by":"crossref","first-page":"467","DOI":"10.1016\/j.techfore.2005.09.002","article-title":"Current validity of the Delphi method in social sciences","volume":"73","author":"Landeta","year":"2006","journal-title":"Technol Forecast Soc 
Change"},{"key":"2022121515104864100_bib45","doi-asserted-by":"crossref","first-page":"15","DOI":"10.1016\/j.im.2003.11.002","article-title":"The Delphi method as a research tool: an example, design considerations and applications","volume":"42","author":"Okoli","year":"2004","journal-title":"Inf Manag"},{"key":"2022121515104864100_bib57","first-page":"p.350","article-title":"Reliability and accuracy of the estimation process-wideband Delphi vs. wisdom of crowds","volume-title":"Proceedings of the 2011 IEEE Thirty-Fifth Annual Computer Software and Applications Conference (COMPSAC)","author":"Stochel","year":"2011"},{"key":"2022121515104864100_bib5","volume-title":"Software Engineering Economics","author":"Boehm","year":"1981"},{"key":"2022121515104864100_bib60","first-page":"p.3","article-title":"The Delphi method and its contribution to decision-making","volume-title":"Gazing into the Oracle: The Delphi Method and its Application to Social Policy and Public Health","author":"Ziglio","year":"1996"},{"key":"2022121515104864100_bib32","volume-title":"Peraturan Pemerintah Republik Indonesia Nomor 82 Tahun 2012 tentang Penyelenggaraan Sistem dan Teransaksi Elektronik","author":"KOMINFO","year":"2012"},{"key":"2022121515104864100_bib29","first-page":"p.344","article-title":"Delphi technique","volume-title":"Encyclopedia of Research Design","author":"Hsu","year":"2010"},{"key":"2022121515104864100_bib39","doi-asserted-by":"crossref","first-page":"423","DOI":"10.1353\/rhe.1995.0008","article-title":"Delphi: a versatile methodology for conducting qualitative research","volume":"18","author":"Murry","year":"1995","journal-title":"Rev High Educ"},{"key":"2022121515104864100_bib50","doi-asserted-by":"crossref","first-page":"235","DOI":"10.1016\/0040-1625(91)90039-I","article-title":"Delphi: a re-evaluation of research and theory","volume":"39","author":"Rowe","year":"1991","journal-title":"Technol Forecast Soc 
Change"},{"key":"2022121515104864100_bib51","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1080\/07421222.2001.11045662","article-title":"Identifying software project risks: an international delphi study","volume":"17","author":"Schmidt","year":"2001","journal-title":"J Manag Inf Syst"},{"key":"2022121515104864100_bib17","first-page":"196","article-title":"Delphi technique","volume-title":"Encyclopedia of Group Processes & Intergroup Relations","author":"Forsyth","year":"2010"},{"key":"2022121515104864100_bib13","volume-title":"Group Techniques for Program Planning: A Guide to Nominal Group and Delphi Processes","author":"Delbecq","year":"1975"},{"key":"2022121515104864100_bib22","doi-asserted-by":"crossref","first-page":"59","DOI":"10.1177\/1525822X05279903","article-title":"How many interviews are enough? An experiment with data saturation and variability","volume":"18","author":"Guest","year":"2006","journal-title":"Field Methods"},{"key":"2022121515104864100_bib61","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1080\/07421222.2001.11045662","article-title":"Identifying software project risks: an international Delphi study","volume":"17","author":"Schmidt","year":"2001","journal-title":"J Manag Inf Syst"},{"key":"2022121515104864100_bib63","first-page":"001","article-title":"The Delphi method for graduate research","volume":"6","author":"Skulmoski","year":"2007","journal-title":"J Inf Technol Educ Res"},{"key":"2022121515104864100_bib25","volume-title":"Data Collection Methods","author":"Harrell","year":"2009"},{"key":"2022121515104864100_bib19","doi-asserted-by":"crossref","first-page":"291","DOI":"10.1038\/bdj.2008.192","article-title":"Methods of data collection in qualitative research: interviews and focus groups","volume":"204","author":"Gill","year":"2008","journal-title":"Br Dent J"},{"key":"2022121515104864100_bib43","article-title":"Investigating SLA confidentiality requirements: a holistic perspective from the government 
agencies","volume-title":"Proceedings of the Eleventh International Conference on Emerging Security Information, Systems and Technologies","author":"Nugraha","year":"2017"},{"key":"2022121515104864100_bib44","doi-asserted-by":"crossref","first-page":"p. 304","DOI":"10.1109\/IC2E.2017.48","article-title":"Towards the classification of confidentiality capabilities in trustworthy service level agreements","volume-title":"Proceedings of the 2017 IEEE International Conference on Cloud Engineering (IC2E)","author":"Nugraha","year":"2017"},{"key":"2022121515104864100_bib3","doi-asserted-by":"crossref","DOI":"10.17487\/RFC7624","volume-title":"Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement","author":"Barnes","year":"2015"},{"key":"2022121515104864100_bib53","doi-asserted-by":"crossref","first-page":"269","DOI":"10.1109\/JIOT.2015.2460333","article-title":"Twenty security considerations for cloud-supported internet of things","volume":"3","author":"Singh","year":"2016","journal-title":"IEEE Internet of Things J"},{"key":"2022121515104864100_bib9","volume-title":"Government Security Classifications","author":"UK Cabinet Office","year":"2014"},{"key":"2022121515104864100_bib14","doi-asserted-by":"crossref","first-page":"74","DOI":"10.1016\/j.cose.2014.10.016","article-title":"Exfiltrating data from android devices","volume":"48","author":"Do","year":"2015","journal-title":"Comput Secur"},{"key":"2022121515104864100_bib6","first-page":"129","volume-title":"Security Audits Revisited","author":"B\u00f6hme","year":"2012"}],"container-title":["Journal of 
Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/8\/1\/tyac004\/47918812\/tyac004.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/8\/1\/tyac004\/47918812\/tyac004.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,11,21]],"date-time":"2023-11-21T19:55:15Z","timestamp":1700596515000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyac004\/6588067"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,1,1]]},"references-count":63,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2022,1,28]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyac004","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2022,1,1]]},"published":{"date-parts":[[2022,1,1]]},"article-number":"tyac004"}}