Exploring cybertechnology standards through bibliometrics: Case of National Institute of Standards and Technology ☆

,


Introduction and background
Cybersecurity can be defined as a discipline that focuses on securing computer systems, networks, software, and data.We can say that they aim to protect against cyber-attacks, prevent unauthorized access, ensure data confidentiality, ensure data integrity, and make information systems useable at all levels [1][2][3].Cyber security applications appear to consist of several sub-components.While the component that includes the work done for the protection of computer networks is called network Security, it covers topics such as protecting network components (router, switch, firewall, etc.), monitoring and filtering traffic, removing network weaknesses, and taking precautions against attack [4].In system security, which includes studies to ensure the security of information systems such as operating systems, servers, desktop computers and mobile devices, issues such as authentication, access control, security patches, detection and prevention of malicious software are examined [5].In data security, which aims to ensure the security of sensitive and personal data, solutions are developed for issues such as data encryption, database security, data recovery and backup, and data loss prevention [5][6][7].In the studies carried out to ensure the security of applications defined as Software Security, topics such as secure software development, detection of weak points, security tests and code analysis are covered [8,9].Cryptography can also be shown among the topics sought for solutions in this context: Investigating the methods of encrypting and decrypting information, Cryptography is used to provide confidentiality, integrity and authentication in communication [10,11].Finally, there comes the Social Engineering applications, which is a unit that examines an area where attackers try to access sensitive information by manipulating people.While dealing with social engineering, psychology, and human behavior, it aims to produce solutions for applications that aim to deceive users with methods such as giving information, phishing, and fraud [12,13].Since the issue of cyber security has the potential to affect many areas in terms of social, economic, environmental, and political aspects, it has been a subject discussed at the level of governments [14,15].Looking at the literature, previous studies indicate that in many situations where the corporate world lives, organizations have permeable controls on attack detection and monitoring, incident response, or IT forensics.Although it is stated that cyber problems can originate from internal and external sources of any organization or system, it requires organizations to do internal research as well as focus on external interaction in parallel with the world trend.For organizations to better combat attacks, they need to look both internally and externally and establish a solid cybersecurity stance against potential attackers, regardless of which vector originates.In the UK, the Center for Conservation of Critical National Infrastructure (CPNI) defines Critical National Infrastructure (KUA) as follows: the facilities, systems, sites, and networks that enable the country to function socially and economically and provide essential services needed to sustain everyday life in England [16,17].In a world where 80 percent of private sector industries operate national assets as part of their core business, there is a compelling need for better understanding, protection and maintenance of critical assets and information infrastructures against cyber threats [18].There is limited consumer and end-user understanding or technical skills against growing cyber threats [19][20][21].The USA, which aims to produce solutions according to the principles of multiple perspective analysis, has also carried out a series of studies on this subject.Focusing on five main functions from the main reference points of the subject, the USA aimed to develop a standard based on these functions.Since the subject consists of so many sub-components and application areas, it has become necessary to develop a standard on this subject and a framework consisting of five basic functions has been developed for cybersecurity.The responsibility of the work to be done for this purpose has been undertaken by the American Standard Institute called National Institute of Standards and Technology (NIST).NIST is a federal agency that provides standards and guidance on science, technology, and cybersecurity systems in the United States [22,23].The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) has been developed to determine applicable security standards and rules in all industries with critical infrastructure.NIST CSF aims to provide a flexible and repeatable structure based on performance and efficiency, while helping to identify, assess and manage cyber risks.In this respect, it can be said that it aims to identify improvement areas for existing cyber risks, to identify security gaps that are not met by published standards, and to develop action plans for these gaps [24].NIST has developed several frameworks (frameworks) in the field of cybersecurity, one of which is called the NIST Cybersecurity Framework (NIST Cybersecurity Framework).Since our study will be based on this framework, we believe that it will be useful to give information about the subject.The NIST Cybersecurity Framework is a guide to help those concerned manage their cybersecurity risks and improve their security programs.The framework consists of five main functional categories.
1. Identify: It is designed to help organizations understand cybersecurity risks, identify their assets and storage, create their risk strategy, and perform an organizational-level security assessment.
2. Protect: It includes security measures such as raising awareness of cyber security, access control, secure network design, system configuration.3. Detect: Helps organizations set up protection strategies to help detect cyberattacks or security incidents and quickly identify cybergroups.It includes operations such as reporting of detection observations of events, log management, and threat intelligence monitoring.4. Respond (Reply): Helps organizations respond to cybersecurity groups quickly and effectively to direct attacks.This process, which includes operations such as emergency management, incident management, intrusion detection and prevention, and intervention against the application, is very important.5. Recover: Helps organizations plan and perform normal business process reassembly after cybersecurity incidents.It includes operations such as data backup and recovery, system restore, business continuity.
The NIST Cybersecurity Framework highlights the principle of "Continuous Improvement," a cycle to enable organizations to continually improve their cybersecurity practices.

Methodology
At the set of our research, we intended to explore both journal publications [25,26] and patents [27][28][29] to explore the research and development activity in different clusters of cybersecurity as defined by NIST.This approach is very common in literature [30].Unfortunately, there was not a critical number of patents found in individual clusters.However prior literature [31,32].demonstrate that journal paper trends T. Daim et al. are good early indicators of IP trends.Therefore, we made conclusions about expected IP trends based on bibliometric trends.Since the standards are new, patenting should already be in process in this field.We expect the patenting to follow publications closely in the coming months or a year or two.
We then defined a workflow according to the "Identify", "Protect", "Detect", "Respond" and "Recover" setups, and conducted an online search on the Web of Science (WoS) to access the information on the publications on the relevant topics (Fig. 1).
In the next stage, we performed productivity analysis and social network analysis (SNA) applications.In SNA analysis, we examined the indicators required to detect developing (LAC) and mature (HAC) points, especially with structural hole analysis.We revealed the differences between nodes with high constraint aggregate and nodes with low constraint aggregate.By looking at the betweenness centrality values within the scope of SNA over the centrality values, we have ensured that the nodes are ranked according to the importance of their roles in the network [33] (Fig. 2).Productivity analysis includes several elements, including examining the number, citations, publication process, and impact of a researcher's or an institution's publications [34].In our study, indicators such as the number of articles published by the researcher or institution in a certain period, the number of citations of published articles by other researchers, the performance of the researcher or institution in academic indexes were examined.With the social network analysis, the actors with the highest degree of connectivity (degree), the actors with the highest betweenness centrality value, the actors with high constraint rate and the nodes with low constraint rate were examined [35][36][37][38].Each social network analysis indicator is ranked for the five functions (identify, protect, detect, respond, and recover) determined by NIST for the cybersecurity field.In this way, the rankings obtained have made it possible to identify the prominent actors for each function, the actors acting as a bridge, the actors that have strengthened their network position, and the actors that are open to development and will increase in relative importance.To give brief information about the analyzes made, it can be said that he made a series of evaluations based on the basic indicators based on Social Network Analysis.If we explain the values we examined in this context: With Degree Partition, it is aimed to calculate the indicators expressing the number of connections of each term with other terms in the network.In this way, the centrality degree of the term, which is the number of edges (connections) coming to the node (term) in the network [10].With the Betweenness Centrality indicator, we planned to measure the extent to which a term acts as a bridge or intermediary between other terms in the network.In this regard, by measuring the number of shortest paths passing through the term, it was possible to identify the terms with the highest potential for information flow or impact [37].We calculated a series of indicators for the detection of virgin areas by structural hole analysis.In this context, we first took a closer look at the Low Aggregate Constraints (LAC): indicator.According to this indicator, which expresses the degree to which the terms and neighboring terms are related to each other, a low LAC value indicates that the neighboring terms of a term are not strongly related to each other.In this respect, it is possible to say that the terms with this value indicate that they have less restrictions in terms of information flow or interaction between their neighbors, while they refer to relatively untouched or developing nodal points.It is possible to detect nodes that have strengthened their position in the network with the High Aggregate Constraints Constraint (HAC) value.In other words, the HAC value, which is the opposite indicator of the LAC value, expresses the extent to which a term is related to its neighboring terms, while a high HAC value indicates that the term has a high restriction in terms of information flow or interaction between its neighbors.Considering the SNA values obtained, it is possible to make the following inferences about the terms in the field of cybersecurity [38].
Cluster analysis stands out as an analysis method that is increasingly used as one of the main methodologies of choice for analyzing multivariate data [39,40].In our study, we aimed to group research focuses by using the clustering function to better understand Cybersecurity research and identify prominent research focuses, so that we can identify cybersecurity clusters within the years when they formed critical cohesion.While this gave us the opportunity to see the dynamics of research focuses that have emerged in the field of cybersecurity over the years, it has given us the opportunity to closely follow the basic dynamics of the field by showing how far the research clusters have diverged from each other [41].
If we are to describe the metrics for each cluster, we see that the largest cluster (Cluster 0) stands out from the others with 24 data points and a high silhouette score of 0.935.The label associated with this cluster (LLR) is "Attack detection" and the data points in this cluster are The average year is 2017 (751.85,1.0E-4).Cluster 1 has 16 data points with a silhouette score of 0.852.It has been labeled as "Human cybersecurity behavior" according to this cluster (LLR) algorithm, where good similarity was detected between data points within the cluster.Cluster 2 is labeled "Data breaches" and the average year of data points in this cluster is 2015.Cluster 3 is identified by the label "Supply chain management" with 16 data points, while the average year of data points in this cluster is 2016.
It can be said that the clusters represent different topics or themes within the dataset based on the label associated with each cluster.On the other hand, the silhouette score for each cluster indicates the similarity of the data points within the cluster, while the higher scores indicate higher similarity.The average year of data points in each cluster provides information about the time or period in which the research related to the subject of the cluster was conducted.In general, these metrics can be translated into important inputs that can be used in policy making with information about the clustering patterns and characteristics of the data points in each cluster.

NIST's identify
Aiming to guide the development of organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities, this function is the basis for the effective use of NIST's cybersecurity framework.This Function, Asset Management, aims to understand the business context, the resources that support critical functions, and the associated cybersecurity risks, enabling organizations to focus and prioritize their efforts consistent with their risk management strategy and business needs; business environment; Management; Risk assessment; and Outcome Categories such as Risk Management Strategy [42][43][44].
If we compare the clusters according to the parameters in the table; It is observed that the sizes of the clusters vary between 11 and 32, while the largest cluster, Cluster 0, has 32 data points.Clusters 16 and 17 have the smallest cluster sizes.The average year associated with each cluster represents the temporal direction.The clusters cover a year range from 2015 to 2017 with varying distributions.Cluster 0 has 32 data points and shows a concentration for the topic of "modelling decision-making" in 2016.In other words, it is possible to say that there is a trend that shows a significant focus on understanding and managing the risks associated with decision-making in context of cyber security.Cluster 1, with its 30 data points, represents the concept of "vulnerability assessment" that emerged around 2016.It represents a crucial research focus in that it demonstrates a focus on the application of vulnerability assessment, potentially aimed at improving cybersecurity services.Cluster 2 represents the set of 30 data points labeled as "anti-malware behavior".This cluster, which represents research or discussions about people or techniques that reached critical density in 2016 and plays a critical role in hacking or cybersecurity, is one of the prominent research focuses for NIST's Identify function.On the other hand, it is observed that the focus is on "smart factory" consisting of cluster 3 and 30 data points.A group of 30 data points that are strongly associated with the concept of smart factories.These data points likely reflect research, discussions, or data related to the implementation, technologies, and advancements in smart factories during the year 2017.The silhouette values that emerged in the clustering analysis show that although the clusters are well separated from each other, they are located very close to each other in terms of neighborhood relations.The prominent clusters for the identify function and the indicators that are the basis for cluster analysis are given in Table 1 and Fig. 3.

NIST's protect
Aiming to guide the development and implementation of appropriate measures to ensure the secure delivery of critical infrastructure services, this function helps limit or contain the impact of a potential cybersecurity incident.According to NIST, the output categories included in this function are Access Control; Awareness and Education; Data security; Information Protection Processes and Procedures; Care; and Protective Technology processes [22,45].
The cluster has the largest size with 0.27 data points (Fig. 4).Cluster 14 has the smallest size with only 7 data points.Silhouette Coefficient: The 10th, 12th, and 13th clusters have the highest silhouette coefficient of 1 Cluster 2 has the lowest silhouette coefficient of 0.773, which can be interpreted as indicating some overlap or less distinctiveness between the data points.When the label is compared in terms of Average Year, it can be interpreted that the average years have changed from 2013 to 2019, in other words, the time frames in which the research focuses are interested or relevant are concentrated in this six-year period.To summarize, it is clearly seen that the clusters differ in size, silhouette coefficient, subject and average year of prominence.According to the results of the cluster analysis, the topics represented by the tags, "security assessment methodologies", "vulnerability risks", "technological research", "critical infrastructure", "secure data transmission", "behavioral strategies", "technology adoption", "cybersecurity" " is shaped as "cyber-physical security" (Table 2).

NIST's detect
The Detection Function, which includes developing and implementing appropriate activities to identify the occurrence of a cyber security incident, aims to ensure that cyber security incidents are discovered at the time they occur.This Function is Abnormalities and Events; Security Continuous Monitoring; and Results Categories such as Detection Actions [22,46].
When we compare clusters, it can be said that cluster 2 is the largest cluster with 28 data points (Fig. 5), while Cluster 16 is the smallest cluster with only 6 data points in terms of cluster size.When we evaluate it within the framework of the silhouette coefficient, it is possible to say that the quality of the cluster is at a good level.Cluster 8 is labeled "DDoS Attack" and Cluster 11 is "Automated Cyber".The average year for most clusters is 2018, suggesting that research or data points in these clusters are relatively new.In general, "cybersecurity", "energy internet", "Internet of Things", "artificial intelligence", etc.It covers a range of topics such as Clusters are tabulated with details showing varying sizes, silhouette coefficients, thematic focuses, and publication years, reflecting the diversity and complexity of the research field (Table 3).

NIST's respond
Aimed at developing and implementing appropriate actions to take on a detected cybersecurity incident, the Response Function as a function aims to support the ability to contain the impact of a potential cybersecurity incident.Respond Function Response Planning; Communication; Analysis; Decrease; and Improvements [47,48].
If we compare clusters (Fig. 6), it is seen that cluster sizes vary according to the number of data points they contain.Cluster 0 has the largest size with 18 data points, while Clusters 5, 6, 7, 8 and 9, 10 and represent the smallest clusters in terms of the number of data points they contain.The silhouette coefficient measures the compactness and separation of clusters.Cluster 7 stands out with its high silhouette coefficient of 0.98, which indicates that the data points within the cluster are well separated from the other clusters.The LLR method was used to identify a tag representing the dominant theme or topic within each cluster.Accordingly, its tags can be said to provide insights into the main focus areas in each cluster.In this respect, it is possible to say that the 1st Cluster is labeled as "Classification Measure" and the 4th Cluster "Reinforcement Learning".
While the average year represents the temporal direction of the clusters, it denotes the average publication year of the data points in each cluster.In this regard, it is seen that the research focuses on the respond function have average years ranging from 2015 to 2020.By looking at this value, it can be said that the studies on the respond function are a mixture of recent and relatively old research points (Table 4).

NIST's recover
The recover function, which refers to developing and implementing appropriate activities to maintain resilience plans and restore capabilities or services that have been disrupted due to a cybersecurity incident, supports timely recovery of normal operations to mitigate the impact of a cybersecurity incident.This Function is Recovery Planning; Improvements; and Communication results categories [49,50].
When we compare these clusters, it is seen that Cluster 0 is the largest with 10 data points, and Clusters 8 and 9 are the smallest with 4 and data points, respectively.Cluster 1, which is the second largest cluster, is labeled "False Data Injection Attack", while Cluster 6 is labeled "Railway Communications Case Study".When we want to represent the temporal direction of the clusters in terms of average year, it is seen that the clusters cover the time period from 2019 to 2021, depending on the average publication year of the data points in each cluster.This indicates that the studies on the recover function involve a mix of relatively recent and somewhat older research points.In general, clusters in the recovery function, "scoping studies", "false data injection attacks", "malicious attack resistance", "efficient production", "data decryption", "rail transport industry", "rail communication case studies" covers topics such as "data analysis" and "digital forensics analysis".The clusters show different dimensions, silhouette coefficients, thematic focuses, and how well they differentiate from each other, reflecting the diversity and complexity of the recovery function in the context of cybersecurity (Table 5).
When we analyze the scientific research on the rescue function; NIST's cybersecurity framework recovery functions are observed to be spread across multiple clusters.In other words, it can be said that clusters covering different areas that are vital for each cyber resilience and recovery function have emerged.Clusters define specific areas, from combating malicious attacks and mitigating DoS attacks to protect critical infrastructure such as the rail transport industry and programmable logic controllers.There are also quests for the necessity of efficiently securing production processes and decrypting data after cyber incidents.On the other hand, efforts to develop methodologies for digital forensic analysis, which investigate case studies in railway communications and are necessary for post-event investigations, also attract attention.These clusters also provide important clues as they reflect NIST's holistic approach to cyber security, addressing various threats and sectors and ensuring resilience and continuity in the face of evolving cyber risks (Fig. 7).

Comparing all components of NIST cybersecurity framework in terms of social network analysis metrics
2.1.6.1.Keywords.To examine the functions defined in the NIST Cybersecurity framework, which is the cyber security framework standard, we have considered metrics based on social network analysis.In this context, we especially evaluated these functions defined as identify, protect, detect, respond, and recover.We looked at the necessary indicators to determine the roles of the keywords under these functions with their social network analysis values.We started to work by identifying the degree of connectivity, the indicator of centrality betweenness, the identification of nodes with high constraints, and the identification of nodes with low constraints.In the next step, we continued the analysis by listing the top 25 keywords of the rankings formed by the nodes under each function.In this way, it gave the opportunity to make inferences about the determination of the nodal points that continue to be important in the functions determined in the context of the cyber security framework according to the NIST standard, the detection of the nodes that will lose their importance, and the determination of the sub-technology areas that can be defined as open to development or relatively untouched areas.In this part of the study, a comparison process based on social network analysis values was made.According to this comparison, the roles and scores of the keywords in the cyber security framework function list defined by NIST are compared according to their social network analysis values.
When we analyze them according to their functions, the terms "Security," "Computer Security," and "Information Security" among the headings under the Identify heading are closely related to the Identify function.These topics are about identifying and analyzing vulnerabilities, threats or vulnerabilities.In addition, "Privacy" and "Blockchain" headers can also be linked to identification, data privacy and security can be said to be a part of this function.The titles "Cybersecurity," "Machine Learning," and "Internet of Things" under Protect can be associated with the Protect function.These topics include implementing security measures, protecting against attacks, and securing systems.In addition, the title "Computer Crime" can also be linked to the protection function, taking measures against criminal activities is part of this function.As for the Detect function, the titles "Cybersecurity," "Machine Learning," and "Deep Learning" are closely related to the Detect function.These topics are directly related to detecting anomalies, attacks or harmful activities and using early warning systems."Intrusion Detection" and "Anomaly Detection" headings can also be shown as other topics to be associated with this function.In the Respond function, the concepts of "Cybersecurity," "Machine Learning," and "Security" stand out as components that include reacting, responding, and taking necessary measures to attacks or anomalies quickly and effectively."Phishing" and "Covid-19" headings stand out as headings that can be associated with the Respond function and draw attention to the importance of responding to attacks or emergencies.Finally, in the Recover function, the "Cybersecurity," "Machine Learning," and "Computer Security" titles stand out as the titles associated with the Recover function, which include the subjects of restoring, repairing, and improving systems after attacks."Smart Grid" and "Critical Infrastructure" headings stand out as structures that need to be rapidly improved after attacks, especially energy systems or critical infrastructures, which can be associated with the Recover function (Table 6).
If it is necessary to analyze and compare the similarities and differences between the concepts gathered under five functions, the concepts gathered under the Identify function include "Security", "Machine Learning", "Internet of Things", "Computer Security", "Deep Learning", "Computer Crime", " It seems that there are terms such as "Anomaly Detection".While these concepts are generally concerned with the identification, analysis and classification of security threats and vulnerabilities, terms such as "Cybersecurity" and "Privacy" stand out among the terms with high centralization value.It can be said that these concepts focus on determining security and privacy issues.Among the concepts gathered under the Protect function are terms such as "Cybersecurity", "Security", "Machine Learning", "Internet of Things", "Computer Security", "Privacy".These concepts deal with the implementation of security measures, the protection of systems, and the prevention of vulnerabilities.While the terms "Cybersecurity" and "Security" stand out among the terms with high centralization value, it is possible to say that these terms represent general security measures and protection strategies.The concepts gathered under the Detect function are "Cybersecurity", "Machine Learning", "Deep Learning", "Internet of Things", "Computer Security", "Anomaly Detection".These concepts prioritize the detection of security breaches and attacks, the detection of anomalies, and the analysis of events.While "Cybersecurity" and "Machine Learning" stand out among terms with high centralization value.These terms appear to represent important tools and techniques for the T. Daim et al. detection and analysis of security incidents.Under the Respond function, there are terms such as "Cyberattack", "Covid-19", "Threat Analysis", "Response", "Game Theory", "Risk Management".It can be said that these concepts are related to responding to security events and threats, stopping attacks and crisis management.Among the terms with high centralization value, "Cyberattack" and "Covid-19" stand out.These terms represent strategies for responding to cyber-attacks and outbreaks.Finally, it has been observed that there are terms such as "Smart Grid", "Covid-19", "Critical Infrastructure", "Response", "Game Theory", "Risk Management" in the Recover function.These concepts are directly related to the recovery, restructuring and normal functioning of systems after attacks and incidents.Among the terms with high centralization value, "Smart Grid" and "Covid-19" stand out.It can be said that these terms represent terms for the recovery of energy grids and postpandemic recovery strategies (Table 7).Among the concepts gathered under the identify function are terms such as "Security", "Machine Learning", "Internet of Things", "Computer Crime", "Computer Security", "Deep Learning".These terms relate to identification processes such as identifying security threats, data analysis, and threat classification.It is observed that "Security" and "Computer Security" stand out among the terms with high centralization value representing general security issues and the security of computer systems.Among the concepts gathered under the Protect function are terms such as "Cybersecurity", "Security", "Feature Extraction", "Machine Learning", "Security of Data", "Computer Security".These terms relate to systems protection, enforcement of security measures, data security and access controls.Among the terms with high centralization value, "Cybersecurity" and "Security" stand out.These terms represent general Fig. 5. Cluster analysis (Detect).
T. Daim et al. security measures and protection strategies.Concepts gathered under the Detect function consist of terms such as "Cybersecurity", "Cyberattack", "Machine Learning", "Deep Learning", "Intrusion Detection", "Data Models".These terms relate to detecting security breaches, identifying anomalies, detecting cyber-attacks, and analyzing events.Among the terms with high centralization value, "Cybersecurity" and "Intrusion Detection" stand out.These terms represent important tools and techniques for the detection and analysis of security events.The concepts gathered under the Respond function are.It creates terms like "Security", "Security of Data", "Cloud Computing", "Phishing", "Threat Analysis", "Anomaly Detection".These terms relate to responding to security incidents, stopping attacks, crisis management, and threat analysis.Among the terms with high centralization value, "Security" and "Anomaly Detection" stand out.These terms represent strategies for reacting to security events and detecting anomalies.Among the concepts gathered under the recovery function There are terms such as "Cybersecurity", "Covid-19", "Smart Grid", "Computer Crime", "Covid-19", "Critical Infrastructure".These terms deal  with the recovery, reconstruction, and normal functioning of systems after attacks and incidents.Among the terms with high centralization value, "Smart Grid" and "Covid-19" stand out.These terms represent strategies for recovering energy grids and post-pandemic recovery.It is worth noting that these concepts are concepts that have reached the level of maturity under each function with high scarcity rates (Table 8).Low-restriction concepts collected for the identify function include terms such as "Digital Forensics", "Web Security", "Culture", "Connected and Autonomous Vehicles", "Attribution", "Machine Learning (ML)".These terms relate to incident detection, threat detection, digital monitoring, and analysis processes.Among the terms with low centralization value, "Digital Forensics" and "Web Security" stand out.These terms represent digital evidence gathering and web security issues.Concepts with a low restriction rate among those gathered under the Protect function consist of terms such as "Proactive Defense", "Privacy Violation Risk", "Privacy Impact Assessment", "Privacy-Preserving Aggregation", and "Privacy-Preserving Consensus".These terms relate to the implementation of security measures, assessment of privacy risks, data protection and privacy.Among the terms with low centralization value, "Proactive Defense" and "Privacy Violation Risk" stand out.These terms represent active defense strategies and risks associated with privacy breaches.There are terms such as "Cybersecurity Testing", "Human-Machine Interface", "Information Sharing", "Statistical Anomaly Detection", "Cyber Attacks Detection" among the concepts with low restriction rate gathered under Detect.These terms relate to the detection of attacks, detection of anomalies, security testing and information sharing.Among the terms with low centralization value, "Cybersecurity Testing" and "Human-Machine Interface" stand out.These terms represent issues of security testing and human-machine interaction or interface.Concepts with low restrictions in the response function include terms such as "Online Voting", "Municipalities", "Network Flow Forensics", "Malware Traffic Analysis", "Security Operations Center".These terms relate to responding to security incidents, analyzing incidents, monitoring and managing threats.Among the terms with low centralization value, "Online Voting" and "Municipalities" stand out.These terms represent strategies for online voting and the safety of local governments.Concepts with low restriction rate gathered under the Recover function consist of terms such as "Online Voting", "Municipalities", "Network Flow Forensics", "Malware Traffic Analysis", "Security Operations Center".These terms deal with the recovery, reconstruction, and normal functioning of systems after attacks and incidents.Among the terms with low centralization value, "Network Flow Forensics" and "Malware Traffic Analysis" are prominent concepts that usually represent network traffic analysis and malware detection (Table 9).
2.1.6.2.Institutions.Institutions gathered under the identify function include institutions such as "King Saud Univ", "Prince Sattam Bin Abdulaziz Univ", "Chinese Acad Sci", "Univ Texas San Antonio", "Taif Univ".Among the institutions with high centralization value, "King Saud Univ" and "Prince Sattam Bin Abdulaziz Univ" stand out.These institutions can be specified as universities that have important studies on the determination process and information gathering.For the protect function, it is observed that institutions such as "King Saud Univ", "Menoufia Univ", "Umm Al Qura Univ", "Prince Sattam Bin Abdulaziz Univ", "King Abdulaziz Univ" stand out, while "King Saud Univ" and "Prince Sattam" It can be said that institutions such as "Bin Abdulaziz Univ" are among the institutions with high centralization value.It is observed that these institutions are also universities that have T. Daim et al. pioneering studies on protection measures and security policies.In the detect function, it is seen that institutions such as "Prince Sattam Bin Abdulaziz Univ", "Taif Univ", "King Abdulaziz Univ", "Prince Sultan Univ", "Univ Waterloo" are collected, while "Prince Sattam Bin Abdulaziz Univ" is among the institutions with high centralization value.and "Taif Univ".These institutions are universities that stand out with their publications in the field of detection of threats, detection of anomalies and security analysis.It is seen that institutions such as "Univ Illinois", "Tokyo Inst Technol", "Umbc", "City Univ London", "Univ Milan" are gathered under the Respond function.It can be said that "Univ Illinois" and "Tokyo Inst Technol" stand out among the institutions with high centralization value, and these institutions are pioneers with their publications on responding to security incidents, incident analysis and management.In the recovery function, it is possible to see institutions such as "Univ Texas San Antonio", "Fordham Univ", "Nist", "Univ Southampton", "Natl Inst Informat"."Univ Texas San Antonio" and "Nist", which have high centralization values, stand out as institutions that come to the fore in post-attack system recovery, restructuring and continuity (Table 10).When we evaluate the prominent institutions based on functions according to geographical regions, "Univ Texas San Antonio" and "Fordham Univ" in North America are the prominent institutions in post-attack system recovery, restructuring and continuity."Univ Illinois" is a prominent organization with publications on security incident response, incident analysis and management.In Europe, "Univ Southampton" and "Natl Inst Informat" are institutions that play an important role in post-attack system recovery, restructuring and continuity."City Univ London" and "Univ Milan" are prominent institutions in security incident response, incident analysis and management.Looking institution with publications on security incident response, incident analysis and management."King Saud Univ", "Univ Texas San Antonio", "Univ Waterloo", "Univ Oxford", "George Mason Univ" come to the fore among the institutions with high betweenness centrality in the identify function.While these institutions stand out as leading universities in the determination process and information gathering, institutions such as "King Saud Univ" and "Univ Oxford" have a particularly strong position in the field of determination.Institutions with high Centralization value in the Protect function include "Taif Univ", "La Trobe Univ", "Guangzhou Univ", "Air Univ", "Deakin Univ".These institutions can be defined as universities that are pioneers in protection measures and security policies.On the other hand, institutions such as "Taif Univ" and "La Trobe Univ" are institutions that have effective studies in the field of conservation.Among the institutions with high Detect Centralization value, "King Abdulaziz Univ", "Prince Sattam Bin Abdulaziz Univ", "Chinese Acad Sci", "Virginia Tech", "Univ Illinois" stand out.These institutions are universities that are pioneers in threat detection, detection of anomalies and security analysis.Institutions such as "King Abdulaziz Univ" and "Chinese Acad Sci" can also be characterized as institutions that have a strong position in detection.Institutions with high Respond Centralization value include "Univ Oxford", "City Univ London", "Alan Turing Inst", "Tokyo Inst Technol", "Ajou Univ".These organizations are pioneers in security incident response, incident analysis and management.Institutions such as "Univ Oxford" and "Tokyo Inst Technol" can be cited among other institutions that have effective work in the field of response.Among the institutions with high Centralization value for the recovery function, "Nanyang Technol Univ", "Xian Univ Technol", "Carnegie Mellon Univ", "Tokyo Inst Technol", "Cent South Univ" stand out.structuring and continuity.Institutions such as "Nanyang Technol Univ" and "Carnegie Mellon Univ" are among other institutions that have a strong position in the rescue field (Table 11).
Institutions with a high aggregate constraints in the identify function include "Prince Sattam Bin Abdulaziz Univ", "King Saud Univ", "Indiana Univ", "Univ Texas Dallas", and "Northeastern Univ".Although these institutions have a high level of connectivity in the determination process, they are still universities that can work effectively.It can be said that institutions such as "King Saud Univ" and "Prince Sattam Bin Abdulaziz Univ" have an important role in the network and are among the important institutions that are effective in determining their place in the network, even if there is a movement constraint in terms of social network dynamics."Menoufia Univ", "King Saud Univ", "Deakin Univ", "Umm Al Qura Univ", "Birmingham City Univ" stand out among the institutions with a high aggregate constraints in the protect function.These institutions are universities that operate with limited resources in the conservation processes.Institutions such as "Deakin Univ" and "Umm Al Qura Univ" are institutions that have effective studies on protection despite the high aggregate constraint."King Abdulaziz Univ", "Prince Sattam Bin Abdulaziz Univ", "Taif Univ", "Umm Al Qura Univ", "Vellore Inst Technol" stand out among the institutions with high aggregate constraints.These institutions are active in threat detection and security analysis with limited momility in terms of social network dynamics.Institutions such as "King Abdulaziz Univ" and "Prince Sattam Bin Abdulaziz Univ" are institutions that have effective studies on detection, despite their high aggregate constraint.Institutions with high aggregate constraint on Respond include "City Univ London", "Sphynx Technol Solut Ag", "Simplan", "Social Engn Acad", "Danaos Shipping Co".These institutions are universities that are active in reacting and managing events with limited flexibility in terms of social network dynamics.Institutions such as "City Univ London" and "Danaos Shipping Co" are institutions that have scientific publications on effective response processes, despite the high aggregate constraint."Nanyang Technol

Table 12
High aggregate constraints.instrumental in recovery efforts.

Conclusions
When we look at the results obtained in the study, it is possible to say that there are important determinations about the prominent institutions and research areas.In particular, on the 5 functions proposed by NIST: identifying prominent institutions, countries, research focuses, and determining the dominant actors in the five functions mentioned.Thanks to the information obtained, it can be said that it has been developed as a tool that can be used in directing the cooperation models that can be made at the point of R&D policy development.
Tables 14 and 15 show the current research and potential intellectual property topics and domains in cybersecurity.Table 15 lists only the top 5 institutes identified in Tables 10-13.Different metrics are used in each table.Bolded institutes in Table 15 appear 5 or more times in the top 5 lists implying to be centers of research.They all appear to be in Saudi Arabia.
It is thought that the findings obtained in this context will contribute to all institutions and organizations that work on cyber security and make efforts in research and development activities.Following the main actors determined by the results obtained by cluster analysis and social network analysis, together with the method proposed in the study, can be used as a tool that will benefit the production of data-based policy in studies to be put forward in the field of cybersecurity.On the other hand, close monitoring of prominent subject areas, additionally nodal points with low constraints in capturing weak signals, can be used as a tool to identify points that are open to development and gain importance, and to closely monitor institutions and countries that will increase their importance.
Technology standards provide a foundation for intellectual property on which companies can build products and services.We are already seeing knowledge accumulating in this field.We expect the standards will ensure the protection of knowledge.

Declaration of competing interest
We have no conflicts of interest.

Table 1
Summary of the largest 18 clusters (Identify).

Table 2
Summary of the largest 15 clusters (Protect).

Table 3
Summary of the largest 17 clusters (Detect).

Table 4
Summary of the largest 10 clusters (Respond).

Table 5
Summary of the largest 9 clusters (Recover).