{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,16]],"date-time":"2026-04-16T03:01:07Z","timestamp":1776308467265,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":25,"publisher":"ACM","license":[{"start":{"date-parts":[[2021,8,17]],"date-time":"2021-08-17T00:00:00Z","timestamp":1629158400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,8,17]]},"DOI":"10.1145\/3465481.3470095","type":"proceedings-article","created":{"date-parts":[[2021,8,16]],"date-time":"2021-08-16T17:57:21Z","timestamp":1629136641000},"page":"1-10","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["Control Effectiveness: a Capture-the-Flag Study"],"prefix":"10.1145","author":[{"given":"Arnau","family":"Erola","sequence":"first","affiliation":[{"name":"University of Oxford, GB"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Louise","family":"Axon","sequence":"additional","affiliation":[{"name":"University of Oxford, GB"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Alastair","family":"Janse van Rensburg","sequence":"additional","affiliation":[{"name":"University of Oxford, GB"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ioannis","family":"Agrafiotis","sequence":"additional","affiliation":[{"name":"University of Oxford, GB"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Michael","family":"Goldsmith","sequence":"additional","affiliation":[{"name":"Cybersecurity Centre, Department of Computer Science, University of Oxford, GB"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sadie","family":"Creese","sequence":"additional","affiliation":[{"name":"University of Oxford, GB"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2021,8,17]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2013. ISO\/IEC 27002 Code of practice for information security controls. https:\/\/www.iso27001security.com\/html\/27002.html [accessed on 25\/05\/2021]."},{"key":"e_1_3_2_1_2_1","unstructured":"Ioannis Agrafiotis Sadie Creese Michael Goldsmith Jason\u00a0RC Nurse and David Upton. 2016. The Relative Effectiveness of widely used Risk Controls and the Real Value of Compliance. (2016)."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1093\/cybsec\/tyy006"},{"key":"e_1_3_2_1_4_1","unstructured":"AuditScripts. 2018. AuditScripts Critical Security Controls. URL: https:\/\/www.auditscripts.com\/ [accessed on 25\/05\/2021]."},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/CyberSA.2019.8899641"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/2799979.2800007"},{"key":"e_1_3_2_1_7_1","unstructured":"National Cyber\u00a0Security Centre. 2014. Cyber Essentials. https:\/\/www.cyberessentials.ncsc.gov.uk\/ [accessed on 25\/05\/2021]."},{"key":"e_1_3_2_1_8_1","unstructured":"National Cyber\u00a0Security Centre. 2021. 10 Steps to Cyber Security. https:\/\/www.ncsc.gov.uk\/collection\/10-steps-to-cyber-security[accessed on 25\/05\/2021]."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243794"},{"key":"e_1_3_2_1_10_1","unstructured":"Center for Internet\u00a0Security. 2015. A Measurement Companion to the CIS Critical Security Controls. URL: https:\/\/www.cisecurity.org\/white-papers\/a-measurement-companion-to-the-cis-critical-controls\/[accessed 25\/05\/2021]."},{"key":"e_1_3_2_1_11_1","unstructured":"SANS\/Center for Internet\u00a0Security. 2021. 20 Critical security controls. https:\/\/www.cisecurity.org\/controls\/ [accessed on 25\/05\/2021]."},{"key":"e_1_3_2_1_12_1","unstructured":"ISACA. 2021. COBIT 5. https:\/\/www.isaca.org\/cobit\/ [accessed on 25\/05\/2021]."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/3468.935052"},{"key":"e_1_3_2_1_14_1","volume-title":"Proceedings of the IEEE SMC Information Assurance Workshop. Citeseer, 1\u20138.","author":"Kewley L","year":"2001","unstructured":"Dorene\u00a0L Kewley and John Lowry. 2001. Observations on the effects of defense in depth on adversary behavior in cyber warfare. In Proceedings of the IEEE SMC Information Assurance Workshop. Citeseer, 1\u20138."},{"key":"e_1_3_2_1_15_1","volume-title":"Template analysis. Qualitative Methods and Analysis in Organisational Research: A Practical Guide","author":"King Nigel","year":"1998","unstructured":"Nigel King. 1998. Template analysis. Qualitative Methods and Analysis in Organisational Research: A Practical Guide (1998)."},{"key":"e_1_3_2_1_16_1","unstructured":"Marsh. 2019. Global Cyber Risk Perception Survey Report. https:\/\/www.marsh.com\/uk\/insights\/research\/marsh-microsoft-cyber-survey-report-2019.html[accessed on 25\/05\/2021]."},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/TC.2008.42"},{"key":"e_1_3_2_1_18_1","unstructured":"National\u00a0Institute of Standards and Technology. 2018. Cybersecurity Framework. https:\/\/www.nist.gov\/cyberframework [accessed on 25\/05\/2021]."},{"key":"e_1_3_2_1_19_1","unstructured":"Jane Ritchie Jane Lewis Carol\u00a0McNaughton Nicholls Rachel Ormston 2013. Qualitative research practice: A guide for social science students and researchers. sage."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"crossref","unstructured":"Accenture Security. 2019. The Cost of Cybercrime. https:\/\/www.accenture.com\/_acnmedia\/pdf-96\/accenture-2019-cost-of-cybercrime-study-final.pdf[accessed on 25\/05\/2021].","DOI":"10.1016\/S1353-4858(19)30032-7"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-34210-3_4"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1108\/ICS-06-2014-0036"},{"key":"e_1_3_2_1_23_1","volume-title":"Cyber security controls effectiveness: a qualitative assessment of cyber essentials","author":"Such M","unstructured":"Jose\u00a0M Such, John Vidler, Timothy Seabrook, and Awais Rashid. 2015. Cyber security controls effectiveness: a qualitative assessment of cyber essentials. Lancaster University."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1186\/s13174-017-0059-y"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1080\/23738871.2017.1360927"}],"event":{"name":"ARES 2021: The 16th International Conference on Availability, Reliability and Security","location":"Vienna Austria","acronym":"ARES 2021"},"container-title":["Proceedings of the 16th International Conference on Availability, Reliability and Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3465481.3470095","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3465481.3470095","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T20:17:24Z","timestamp":1750191444000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3465481.3470095"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,8,17]]},"references-count":25,"alternative-id":["10.1145\/3465481.3470095","10.1145\/3465481"],"URL":"https:\/\/doi.org\/10.1145\/3465481.3470095","relation":{},"subject":[],"published":{"date-parts":[[2021,8,17]]},"assertion":[{"value":"2021-08-17","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}