loading page

CyberTOMP: A novel systematic framework to manage asset-focused cybersecurity from tactical and operational levels
  • +1
  • Manuel Domínguez-Dorado ,
  • Javier Carmona-Murilo ,
  • David Cortés-Polo ,
  • Francisco J. Rodríguez-Pérez
Manuel Domínguez-Dorado
Public Business Entity Red.es, Public Business Entity Red.es

Corresponding Author:[email protected]

Author Profile
Javier Carmona-Murilo
Author Profile
David Cortés-Polo
Author Profile
Francisco J. Rodríguez-Pérez
Author Profile


Currently different reference  models are used to manage cybersecurity, although practically none are  applicable “as is” to lower levels as they do not detail specific  procedural aspects for them. However, they urge organizations to develop  a methodological foundation to manage cybersecurity at those levels.  Although they allow organizations to adhere to a recognized standard at  the strategic level, this advantage vanishes when organizations must  define specific low-level procedures, allowing the appearance of  inconsistency at tactical and operational levels between departments of  the same organization or between organizations. The design of these  elements with the required holism and homogeneity is difficult, and this  is why generic processes focused on getting certified regarding a  standard are usually originated, but they are insufficient to obtain  effective cybersecurity because they are not focused on dealing with  real cyber threats. Because of the great responsibility of lower levels  to achieve effective cybersecurity, this lack of methodological  definition makes it difficult to adapt cybersecurity to the highly  dynamic cyber context with the required holism and strategic alignment.  Our proposal provides CyberTOMP, a process for managing cybersecurity at  lower levels, as well as a set of methodological elements that support  it. The novelty of these contributions is that they complement the  strategic standard selected by the organization, providing it with a set  of procedural elements ready to be used out of the box, contributing  those aspects required by high-level frameworks to manage cybersecurity  at lower levels, for which there is no alternative with a managerial  approach.
2022Published in IEEE Access volume 10 on pages 122454-122485. 10.1109/ACCESS.2022.3223440