White paper

Cyber risks: towards a governance framework
Authors

Dr. A. Shahim RE, Atos Consulting Netherlands / VU University Amsterdam
Dr. R. S. Batenburg, Institute of Information and Computing Science, Utrecht University
J. Geusebroek MSc, Institute of Information and Computing Science, Utrecht University
Drs. R.J.A.C. Jansen RO, Atos Consulting Netherlands

Contents

1. Introduction
2. Cyber and accompanying risks
   2.1 Security concepts
   2.2 Cyber threats
   2.3 Cyber governance & strategy
3. A governance framework for cyber risks
   3.1 The meta-model
   3.2 The framework
   3.3 Practical use - Bring Your Own Device (BYOD)
   3.4 Continuous approach
4. Concluding remarks
References
1. Introduction [1]

All contemporary organizations face an increasing dependency on Information Technology (IT) systems for executing and supporting their business processes. Emerging technologies are creating a rapidly evolving cyber landscape in which solutions quickly become outdated. Modern technologies provide organizations with unprecedented scalable and financially attractive capabilities, but the lack of knowledge regarding these new and complex innovations poses potential problems. Stakeholders (e.g. employees, suppliers) can access data whenever, wherever and however they find convenient. Although this possibility is a welcome benefit for stakeholders, it also creates a borderless and complicated digital environment which is of great concern to organizations. These emerging developments create new threats such as theft of corporate and/or personal data and malicious attacks, and open new avenues for organized crime (IT Governance Institute, 2007).

Vulnerabilities in IT systems pave the road for intruders to gain access to information without authorization. These adversaries are nowadays characterized by covert and persistent attack vectors: they act anonymously, are invisibly present and, in the worst case, are detected only when it is too late and the damage is done. A single computer connected to the Internet anywhere in the world, combined with anonymity, provides an easily accessible platform for malicious activities and the cornerstone of lucrative criminal business models. The use of sophisticated malware, Denial of Service (DoS) attacks, the ever-present vulnerabilities of IT assets and careless mistakes within organizations facilitate these activities. Hackers tend to be creative and crafty in exploiting this, employing logic and innovation to stay ahead of their victims. Security awareness in organizations is an important prerequisite for understanding potential threats in their cyber ecosystem.

However, thorough cyber risk assessments do not seem to be part of day-to-day business activities. They are simply characterized as bothersome, difficult and not directly financially beneficial. Mostly they are seen as requiring financial investments, time and resources, and are hence an attractive first target for budget cuts. This line of thinking often leads to complacency and even negligence, with all its potentially adverse consequences.

Securing IT systems and information processing is a pervasive concern of organizations. The confidentiality, integrity and availability of data are properties of the sources that support business activities, often characterized as critical assets. In a growing number of organizations information is the business (IT Governance Institute, 2006). Breaches in cyber security have resulted in misuse of information that could harm organizations by affecting their financial assets, reputation and other interests. It is therefore vitally important to understand current threats and to develop and maintain a comprehensive overview of an organization's threat landscape. A focused cyber risk approach as well as an integrated view to adequately identify and mitigate potential cyber related risks are essential elements of the organization's defensive capabilities.

[1] This white paper is an extraction of a detailed report resulting from research jointly conducted by Atos Consulting, VU University Amsterdam and Utrecht University.
2. Cyber and accompanying risks

In the past decade the concept 'cyber' has been used frequently to describe almost anything in relation to networks and computers (Ottis & Lorents, 2010). It is a common prefix for new terms such as cyber warfare, cyber-attacks or cyber terrorism. The concept 'cyber' has an early history and originates from the term 'cybernetics' coined by Wiener (1948). Later it transformed into the term 'cyberspace', which is nowadays more widely and commonly used. In this white paper the concept of cyber is an abbreviation for the term cyberspace. As there is still much debate on the exact description of this term (Information Security Forum, 2011), an overview of different definitions is provided in table 1 to establish a common body of knowledge.

Table 1. Various definitions of cyberspace

Literature source | Definition
Ottis & Lorents (2010) | "Cyberspace is a time-dependent set of interconnected information systems and the human users that interact with these systems."
Bodeau, Boyle, Fabius-Greene, & Graubart (2010) | "The collection of information and communications technology (ICT) infrastructures, applications, and devices on which the organization, enterprise, or mission depends, typically including the Internet, telecommunications networks, computer systems, personal devices, and (when networked with other ICT) embedded sensors, processors, and controllers."
Department of Homeland Security (2011) | "The interdependent network of information and communications technology infrastructures, including the Internet, telecommunications networks, computer systems and networks, and embedded processors and controllers in facilities and industries."
Information Security Forum (2011) | "Cyberspace is the always-on, technologically interconnected world; it consists of people, organizations, information and technology."

Risks related to cyber have evolved quickly over the past decades.
Security breaches are common examples that can cause unprecedented damage to the vital assets of organizations. Figure 1 illustrates a holistic and integrated governance view on the cyber landscape, based upon a model provided by Betz (2011). It includes three pillars, each of which reflects a part of this challenging and ever changing environment. The processes pillar (i.e. the first one) defines the logic layer, which represents the way activities are reasoned about and carried out. These processes rely heavily on IT, through which they are also connected to large networks of organizations. Information (i.e. the second pillar) is generated by the processes and is further handled by applications of different nature. This crucial asset in fact acts as the blood running through the veins (processes) of organizations to keep them alive. IT infrastructure (i.e. the third and last pillar) serves as a foundation for these capabilities and amongst other things facilitates the flow of information enabled by applications supporting business processes.

[Figure 1. Integrated cyber governance view: the three pillars Processes, Information and Technology, with the layers Logic, Application and Infrastructure, under Cyber governance]

Vulnerabilities in one or in a combination of these interconnected pillars can be targeted by malicious attacks, possibly leading to harm or damage. In general, technology is the premise in each of the definitions with respect to cyber; however, cyber is not limited to it. Cyber possesses unique characteristics with pivotal elements such as humans. Together these features make it challenging, complex and constantly changing, which plainly creates an unpredictable environment. Cyber is the reality of our modern life and is increasingly woven into everyday life across the globe. It is certainly there to stay.

2.1 Security concepts

Different concepts regarding security, as schematized in figure 2, converge in cyber: information security, cyber security and cyber resilience. The Information Security Forum (ISF) distinguishes between these concepts using the confidentiality, integrity and availability (CIA) of organizational assets. Threats in cyber directly influence these three main objectives of information security. Securing cyber should also address additional threats which go far beyond CIA, the so-called non-CIA threats. Examples are reputational damage due to a breakdown of IT assets or an unintended impact from data leakage. Cyber resilience stands for preparing for the unknown, unpredictable, uncertain and unexpected. The complexity of cyber enables threats to develop quickly in unpredictable and dangerous ways. Uncertainty cannot be prevented and should instead be embraced through cyber resilient business operations. Organizations increasingly understand that the rapid evolution of cyber is outpacing their risk management practices. Managing security risks is a comprehensive task that requires agility and flexibility.
[Figure 2. Positioning concepts based upon ISF (2011): information security covers known threats to CIA; cyber security extends this to known non-CIA threats; cyber resilience addresses the unknown, unpredictable, uncertain and unexpected]

2.2 Cyber threats

Threats in cyber can be found practically everywhere and are in some form always present. Threats can originate internally, for instance from personnel due to accidents or poor practice, or externally from unwanted adversaries. In general, a threat is a category of objects, persons, or other entities that presents a danger to an asset. A cyber threat is a potential event that may cause undesired outcomes resulting in harm to organizational assets. It should be noted that there is a difference between purposeful and undirected threats. A purposeful threat has a preconceived goal, such as a hacker extracting valuable information from an organization. An undirected threat is, for example, a (natural) disaster such as fire threatening the physical components of IT infrastructures. Both kinds of threat are amplified by the vulnerabilities of an organization itself: due to improperly managed practices, careless mistakes, human failure or accidents, cyber threats are more likely to materialize. Table 2 provides a global overview of possible threats to organizations, categorized according to the pillars of figure 1.

Table 2. Cyber threat overview

Pillar | Threat | Description
Processes | Human failure | For instance mistakes or accidents made by employees regarding their duties.
Processes | Negligent errors | Usage of outdated software, bugs or code problems.
Information | Espionage | Unauthorized data collection and/or access compromising Intellectual Property.
Information | Extortion of information | Blackmailing an organization to gather information.
Technology | Natural disasters | Natural threats which directly threaten the physical components of the IT infrastructure (e.g. floods, fire, earthquakes or lightning).
Technology | Force majeure | Dependency on third parties such as Internet Service Providers (ISPs) which can possibly affect the availability of the concerned technology.

There are obviously many types of threats. Focusing on purposeful threats, the World Economic Forum (2012) categorized four different types of cyber-attacks. The first category is reconnaissance: gaining information from victims to plan a further attack. The second is disruption: the breakdown of a business, system or service. The third is extraction: extracting data from the victim. The fourth and last is manipulation or mutation of data or systems. CACI (2011) defines a cyber-attack as: "Generally an act that uses computer code to disrupt computer processing or steal data, often by exploiting software or hardware vulnerability or a weakness in security practices. Results include disrupting the reliability of equipment, the integrity of data, and the confidentiality of communications".
2.3 Cyber governance & strategy

The growing use, adoption and dependency on (new and continuously evolving) IT assets contribute to a dynamic and complex environment, introducing a variety of challenges. Some examples of these issues and concerns are listed below (The Cabinet Office, 2011):

- The covert nature of threats brings a possible underestimation of the risks faced.
- Predicting and understanding the cyberspace of the future is difficult due to the rate of new innovations and changes.
- New risks and vulnerabilities emerge suddenly.
- Responses and defenses look slow and inadequate given the pace of events.
- Cyberspace is a complex environment: global in nature, largely commercially owned and consisting of many different components, suppliers and sub-contractors.

Supporting the primary tasks of organizations and governments by creating a safe and secure cyberspace calls for a clear and well-defined integrated strategy. IT nowadays is an indispensable part of many organizations and has hence been integrated with Enterprise Risk Management (ERM) or larger security strategies within and beyond organizations (Bodeau et al., 2010). As cyber security is more than information security, an enterprise-wide cyber risk strategy consists of different concepts. They should be taken into consideration while defining the strategy, which is logically specific to each organization: organizations face different threats and have their own culture, upon which the strategy should be constructed and executed.

The Department of Homeland Security (2011), for example, used a multi-staged methodology to develop a cyber security strategy. The main phases of this methodology are:

1. Assessment of the current and future strategic environment through analysis of key trends associated with cyber and cyber security;
2. Examination of current policy, strategy, programs and resources across cyber security activities;
3. Identification of key assumptions (including associated policy implications);
4. Consideration of alternative strategic concepts (to achieve desired end states efficiently and effectively).

The need to deal with cyber risks is self-evident, as they affect all levels of an organization. Mitigating activities should thus be governed continuously, consistently and correctly. Governance is in general a set of responsibilities and practices exercised by top executives providing strategic direction. This crucial task should be performed in such a way that the set objectives are reached, verifying that organizational resources are used responsibly and risks are managed appropriately. Figure 3 (based upon the Direct-Control cycle by Von Solms & Von Solms, 2006) provides a governance overview showing that all layers of an organization (strategic, tactical and operational) are involved in governing the strategic goals and directives. Cyber risk governance accordingly requires an integrated approach and should be a transparent part of the corporate governance structure of an organization.

[Figure 3. Corporate governance view (Von Solms & Von Solms, 2006): the Direct-Control cycle across the strategic level (directives), the tactical level (policies / company standards) and the operational level (procedures, execution), with direction flowing down and control flowing up]
3. A governance framework for cyber risks

The previous section described challenges and risks which call for adequate governance. They can be perceived as focus areas and serve as input for constructing a framework useful for top executives. It contains a meta-model and a structure with multiple components for organizational activities, together with explanatory content. The framework is an auxiliary instrument which provides high level guidelines for any organization dealing with cyber risks. This chapter discusses the designed framework in a top-down fashion, starting with the meta-model, which provides a high level overview of the structure that supports governing risks. It is subsequently presented in combination with a strategic approach.

3.1 The meta-model

A meta-model consisting of a set of interlinked topics was developed with the aim of providing simplicity and an overview of the cyber risk governance framework. The directives (strategy) encapsulate four main concepts: risks, reputation, response and resources. They are supported by policies and processes to protect the organization in its cyber ecosystem, which is positioned in the center of the model. Another characteristic, depicted at the top of the meta-model displayed in figure 4, is the possibility of multiple governance structures beyond the concerned organizational context. IT outsourcing, for instance, implies adopting the (multiple) governance structures of third parties which are beyond the (direct) control of the organization. Depending on (parts of) the governance of other organizations, a combined governance structure along the supply chain can be established. When this situation occurs, organizations should conduct a dependency analysis with all stakeholders to comprehensively manage risks, given these interdependencies; they influence or determine an organization's risk profile in its cyber ecosystem.

Risks and response are positioned opposite each other. Risks directly influence an organization's posture, as does the response mitigating the possible unwanted consequences of risks. A secure cyber ecosystem and an effective response against cyber related risks depend on sufficient funding and resources. The response to cyber risks and the establishment of a secure cyber ecosystem contribute to an organization's ability to secure its reputation and assets. Table 3 shows an overview of all the individual characteristics related to the core concepts of the framework.

[Figure 4. The meta-model: cyber at the center, surrounded by policies and processes; directives (strategy) encapsulate the four core concepts risks, reputation & assets, response and resources, with risks and response opposite each other; multiple governance structures beyond the organization are shown at the top]

3.2 The framework

The meta-model (figure 4) serves as the foundation for the governance framework. Figure 5 depicts the designed framework, in which the core concepts (i.e. risks, resources, response and reputation) continuously revolve around cyber and its interrelated governance aspects.

[Figure 5. The framework: a continuous strategy of directives, policies and processes around cyber (processes, information, technology), with the core concepts risks (threats, vulnerabilities), reputation & assets (information theft, IT sabotage), response (awareness, assess, detect, approach, responsibilities, partnering) and resources (funding, IT resources)]
Table 3. Cyber risk governance framework description

Core concept | Sub concept | Description
Risks | Threats | Threats emerging from the cyber risk landscape which threaten business reputation and assets.
Risks | Vulnerabilities | Possible vulnerabilities of an organization reinforcing and nurturing threat potential.
Reputation & Assets | Information theft | The organization provides an adequate response to reduce the possibility of information theft.
Reputation & Assets | IT sabotage | Organizational assets might be targeted by adversaries able to perform different forms of deliberate destruction.
Response | Awareness | The organization is aware of the potential risks that it faces and of their possibly painful consequences.
Response | Assess | Assessment of the governance strategy is continuously executed to ensure adequate protection of the organization against cyber risks.
Response | Detect | Risks are adequately detected, followed by an effective approach for countering them.
Response | Approach | Organizational approach for mitigating and minimizing the consequences of a direct threat.
Response | Responsibilities | Cyber risk governance strategy tasks are delegated to designated employees, who are thereby formally responsible for this crucially defined piece of work.
Response | Partnering | Sharing information with partners to jointly mitigate the risk of cyber threats.
Resources | Funding | The organization invests in its cyber risk governance programme by creating organizational awareness, welcoming suitable knowledge and supplying sufficient resources to execute the necessary activities. Employees possess the right skills and proper knowledge to prevent incidents or poor performance, and are supported by organizational resources that give them time and space for carrying out their operational tasks.
Resources | IT resources | Technical resources needed to build and maintain a safe and secure cyber ecosystem.

3.3 Practical use - Bring Your Own Device (BYOD)

The meta-model (figure 4) and the framework (figure 5) form an auxiliary tool for top executives to establish a cyber risk governance strategy in the organization. The model provides guidelines which support organizations in assessing the situation and incorporating the right strategy and necessary processes. Given the framework for governing their cyber risk landscape, organizations are naturally free to establish their own strategy, policies, procedures and processes, and to implement them in their own organizational structure and culture.

BYOD is one of the recent developments with which organizations allow employees to use their own laptop and smartphone to connect to the business IT domain. It is a concept that contributes to an adaptive and mobile workplace. BYOD enables a new way of working, but it also introduces IT related risks which should be dealt with seriously. If an organization decides to adopt this concept, the framework can help to construct a top-down view. It starts with the construction of a strategic plan for implementing BYOD in the organization. Defining clear objectives (e.g. devices can only gain access after a secure authentication process, followed by an encrypted and secured connection), followed by an assessment (what are the possibilities for employees in the current state and what in the desired state?), leads to an approach for implementing the strategy within the organization; in this case, for example: which employees are involved and what are the responsibilities for reaching this goal? Once the strategy is defined and incorporated in the business processes, its actual implementation at lower levels in the organization can be started. This step initiates the use of the risk governance framework depicted in figure 5.
The strategy is translated into organizational policies and processes which support the activities at operational level for the core concepts as defined: risks, resources, response and reputation. Table 4 provides an overview for translating the different concepts to the implementation of BYOD in the organization.

Table 4. Example case BYOD: BYOD implementation - risk governance framework (high level overview)

Core concept | Sub concept | Description
Risks | Threats | Identify the threats directly related to the use of BYOD.
Risks | Vulnerabilities | Identify the vulnerabilities which are introduced with BYOD. Organizations have less control over the devices, and thus also over their vulnerabilities.
Reputation & Assets | Information theft | What kind of company confidential information is at risk because of the introduction of BYOD? What if an employee loses his device?
Reputation & Assets | IT sabotage | How could adversaries affect the organization by sabotaging BYOD devices in use by employees?
Response | Awareness | The organization should be aware of the risks related to BYOD. Complete security cannot be guaranteed, so continuous awareness should be ensured.
Response | Assess | Continuously assess the situation. Is the necessary security baseline in place for BYOD? Are there new developments?
Response | Detect | If there is something wrong with any device in use, detection should reveal any illegal access or strange behavior.
Response | Approach | If there is an incident, an effective approach needs to be in place and executed (e.g. if an employee loses a smartphone or laptop it should be remotely blocked).
Response | Responsibilities | Employees are responsible for the secure use of their devices on the network. The IT department is responsible for a secure and well organized environment. How are BYOD responsibilities assigned in case third parties are involved?
Response | Partnering | Use available best practices for implementing BYOD; what are the lessons learned which can be reused?
Resources | Funding | Employees should be professionally trained and educated to gain the right knowledge and skills to work securely with BYOD.
Resources | IT resources | Sufficient technical resources are needed to protect the devices in use against possible risks.

3.4 Continuous approach

Maintaining a continuous approach is an important component of cyber risk governance, as it is surely not a one-time achievement. A top-down approach implies developing a strategy that translates into policies and processes for the guidelines set in the framework (figure 5). These parts are interrelated and move like a set of turning gears (figure 6). The turning speed at operational level is considerably higher than at the strategic and tactical level: a strategy evidently has a longer expiration date than activities at operational level.

[Figure 6. The framework in motion: the strategic, tactical and operational levels as interlocking gears]

Figure 6 visualizes a top-down motion starting from strategy and moving downwards via the different levels. However, sudden developments at operational level can initiate a reversed motion in the framework. New threats can emerge, or existing policies may prove insufficient to define an effective response against a risk incurred at operational level. The knowledge gained at operational level can thus also initiate a bottom-up motion that in turn affects the existing policies and strategy of the organization.
4. Concluding remarks

The development of this governance framework once more demonstrated that the cyber risk landscape is a complex, dynamic and unpredictable environment. We therefore deliberately chose not to develop a 'one size fits all' solution, but a governance framework that contains a set of guidelines for organizations to govern their cyber risk strategy. Establishing a cohesive governance approach for protecting organizational assets calls for a comprehensive and integrated approach with specific and customized protective measures, which can be incorporated in the different aspects of the framework. One of the benefits of the chosen set-up is that organizations do not have to adopt new methodologies or approaches to their risk governance practices. Instead, this configuration provides an additional aid in creating a future-proof and robust approach which copes with the continuously changing nature of cyber risks.

Additionally, it is important to stress the importance of collaboration with the partners in your organization's cyber ecosystem. These (public and private) organizations also deal with the specifics of their own cyber threat landscape, but creating a cyber resilient posture throughout the complete ecosystem requires extensive as well as measurable communication and collaboration. Alignment of cyber risk management practices and sharing lessons learned is an important prerequisite for building a secure industrial digital environment. This is why we specifically incorporated this aspect into the governance framework, so that organizations actually reach out to their ecosystem to realize collaborative cyber situational awareness.

Last but not least, we gladly emphasize one final cornerstone for a successful cyber risk governance implementation: an organization's willingness to invest in, and attention for, the human factor. For decades security and risk management practitioners have struggled to show their contribution to business value and have been caught in discussions around the business case and investment incentives. Hopefully organizations nowadays realize that the implementation of a governance framework for cyber risks is an absolute must, given the 'always on' nature of our digital society. In addition to such a framework, it is important to recognize the critical contribution of the professionals with the specific knowledge to perform this daunting task. It is well known that skilled resources are hard to find, and university programmes across the globe are investing in cyber security curricula to keep up with market demand. This cyber workforce might in fact be the most important success factor, combined of course with executive management support for these activities.
References

Betz, C. T. (2011). Architecture and Patterns for IT Service Management, Resource Planning, and Governance. Elsevier.
Bodeau, D., Boyle, S., Fabius-Greene, J., & Graubart, R. (2010, September). Cyber security governance. Mitre.
CACI. (2011). Cyber Threats to National Security.
Department of Homeland Security. (2011, September). Blueprint for a secure cyber future. Retrieved February 1, 2012, from publications/blueprint-for-a-secure-cyber-future.shtm.
Information Security Forum. (2011). Cyber Security Strategies: Achieving cyber resilience. Retrieved from documentview/5901.
IT Governance Institute. (2006). Information Security Governance: Guidance for Boards of Directors and Executive Management (2nd ed.).
IT Governance Institute. (2007). COBIT Security Baseline: An Information Survival Kit (2nd ed.).
Ottis, R., & Lorents, P. (2010). Cyberspace: Definition and Implications. In Proceedings of the 5th International Conference on Information Warfare and Security, Dayton.
The Cabinet Office. (2011, November 25). The UK Cyber Security Strategy.
The World Economic Forum. (2012). Partnering for Cyber Resilience.
Von Solms, B., & Von Solms, R. (2005). From information security to...business security? Computers & Security, 24(4), 271-273. doi:10.1016/j.cose.2005.04.004.
Wiener, N. (1948). Cybernetics or Control and Communication in the Animal and the Machine. New York: John Wiley.
About Atos

Atos is an international information technology services company with annual 2012 revenue of EUR 8.8 billion and 76,400 employees in 47 countries. Serving a global client base, it delivers hi-tech transactional services, consulting and technology services, systems integration and managed services. With its deep technology expertise and industry knowledge, it works with clients across the following market sectors: Manufacturing, Retail, Services; Public sector, Healthcare & Transport; Financial Services; Telecoms, Media & Technology; Energy & Utilities. Atos is focused on business technology that powers progress and helps organizations to create their firm of the future. It is the Worldwide Information Technology Partner for the Olympic and Paralympic Games and is quoted on the Paris Eurolist Market. Atos operates under the brands Atos, Atos Consulting & Technology Services, Atos Worldline and Atos Worldgrid. More information:

Atos, the Atos logo, Atos Consulting, Atos Worldline, Atos Sphere, Atos Cloud, Atos Healthcare (in the UK) and Atos Worldgrid are registered trademarks of Atos SE.

November 2013. © 2013 Atos