Cybersecurity and Information Assurance - Cloud Computing

The University of Sheffield
Cybersecurity and
Information
Assurance
Mr Joseph Pindar and Dr Jonathan Rigelsford
7/7/2011

2 | P a g e
Idea In Brief:
1. See Cybersecurity and Information Assurance for what they are: mainly a cost
of doing business with the unique opportunity to create significant value by
enabling the enterprise to enter markets and use technology that competitors
fear.
2. Learn from other disciplines and use existing methodologies to deliver
enterprise outcomes.
3. Focus on the end-consumer of products and services as the customer and
never consider the enterprise as a customer.
4. Consistently and repeatedly communicate the value of Cybersecurity and
Information Assurance throughout the enterprise, using language the listener
expects to hear.
In addition to the generous support of the ECIIA, the authors would like to thank all
those who contributed to the paper, specifically: Paul King (Cisco) for his insight into
security programmes in a large enterprise; Peter Hewson (Angerona) for his
detailed contribution on certification; Andy Gill (ASE) for the detailed discussion on
risk management and strategic alignment; GW for his insight into security in the
petro-chemical industry; SG for his contribution surrounding the integration of ITIL
and security in the finance industry and finally all those contributors who must
remain anonymous. Thank you.

3 | P a g e
Contents
1.0: Introduction.....................................................................................................................................5
1.1: Research Approach......................................................................................................................5
1.2: What is Information Assurance? What is Cybersecurity? ...........................................................6
1.3: Security Frameworks and Governance........................................................................................7
1.4: Paper Structure............................................................................................................................7
2.0: The Enterprise and Cybersecurity....................................................................................................8
2.1: The Enterprise: Operational Effectiveness and Strategy.............................................................8
2.2: Information Assurance and Cybersecurity: The Best of Both Worlds .........................................8
2.3: Information Assurance and Cybersecurity: Competitive Advantage.........................................10
2.4: Achieving Enterprise Strategy Alignment ..................................................................................10
2.5: Information Assurance and Cybersecurity Block Enterprise Success........................................11
3.0: Cloud Computing: The Next Phase of IT ........................................................................................13
3.1: A Concept of Many Definitions..................................................................................................13
3.2: Cloud Implementations and Security Challenges ......................................................................14
4.0: Cybersecurity: Operational Effectiveness......................................................................................15
4.1: Regulatory Compliance and Security Standard Certification.....................................................15
4.2: Question The Unquestionable: Is Antivirus Worth the Cost?....................................................16
4.3: Metrics.......................................................................................................................................18
5.0: Information Assurance and Cybersecurity: Strategic Advantage..................................................21
5.1: Risk Management ......................................................................................................................21
5.1.1: Risk = Probability × Impact..................................................................................................22
5.1.2: Risk = Danger & Opportunity..............................................................................................23
5.2: Communicating Cybersecurity...................................................................................................24
5.2.1: Communicating Cybersecurity to the Boardroom..............................................................25
5.2.2: Communicating Cybersecurity to Front-line Employees ....................................................26
5.3: Analytics.....................................................................................................................................27
5.3.1: What is Analytics?...............................................................................................................27
5.3.2: Intel ROSI Model .................................................................................................................28
5.4: How To Outsource? That is the Question..................................................................................29
5.5: The Value of Information...........................................................................................................30
5.5.1: What is an Intangible Asset?...............................................................................................30
5.5.2: Valuing Information............................................................................................................31
5.6: Where Is My Data? ....................................................................................................................32

4 | P a g e
6.0: Implementing a Cybersecurity Programme...................................................................................34
6.1: Role of Security in Cisco.............................................................................................................34
6.2: Operationally Effective Desktop Support ..................................................................................34
6.3: Security as a Strategic Value Proposition ..................................................................................35
6.4: Security Analytics.......................................................................................................................35
6.5: Valuing Information and Analytics.............................................................................................35
6.6: Communicating Cybersecurity at Cisco .....................................................................................35
End Note: So, What of the Future?.......................................................................................................36
Bibliography ..........................................................................................................................................37

5 | P a g e
1.0: Introduction
Despite a history of 2500 years1
, Information Assurance and Cybersecurity remain troubled
teenagers within the enterprise family. Legislation has forced IT2
and Security Governance into the
open; however security departments and professionals are still finding their feet when asked for a
consistent and decisive value proposition.
Porter, widely held as the founder of modern strategy, developed a paradigm to understand the role
of strategy and operational effectiveness in delivering superior enterprise performance.3
Applying
this model to Cybersecurity and Information Assurance provides a framework to judge their
contribution to a successful enterprise.
In this paper we argue that much of Information Assurance and Cybersecurity relates to Porter’s
operational effectiveness. However a mature security programme can provide the enterprise with
competitive advantages by offering a strategy to outperform rivals and “establish a difference that it
can preserve”4
.
As the enterprise environments change, it is essential for Information Assurance and Cybersecurity
to change. Security professionals must review and rework their position within the enterprise to
maintain relevance to the prevailing conditions. Carr stated that “IT Doesn’t Matter”5
because its
strategic importance diminished as its ubiquity grew. The latest market iteration and increase in
ubiquity is the move to Cloud Computing. This paper uses Cloud Computing to present current issues
being faced by Information Assurance and Cybersecurity professionals.
Security professionals have failed to inspire confidence throughout the enterprise because of poor
communication skills and a failure to correctly identify their customer. Only by effectively
communicating the value of Information Assurance and Cybersecurity will security professionals be
consulted to contribute to enterprise decisions. The Harvard Business Review made it clear that
business professionals consider the role of Information Assurance and Cybersecurity to be broken
when it published “Hack Work”6
as a breakthrough idea for 2010.
1.1: Research Approach
The approach taken in this paper was to undertake semi-structured interviews with senior security
consultants and leaders. The security experts were drawn from a variety of industries including the
UK Public Sector, Finance, Petro-chemical and IT Hardware. Based on these discussions, further
research was undertaken specifically related to the key trends and issues within the Information
Assurance and Cybersecurity arenas.
1
“In The Histories, Herodotus chronicled the conflicts between Greece and Persia in the fifth century BC [...]
According to Herodotus, it was the art of secret writing that saved Greece from being conquered by Xerxes”
(Singh 2000, p. 4). This ‘secret writing’ is the earliest example of Confidentiality being used to ensure
information does not fall into the hands of an enemy.
2
Information Technology
3
Porter (1996)
4
Porter (1996, p. 62)
5
Carr (2003, p. 41)
6
Jensen and Klein (2010, p. 7)

6 | P a g e
From these interviews, five key themes emerged. They are:
• Strategic Alignment: How Cybersecurity and Information Assurance interface with other
areas of the enterprise is critical to success.
• Communication: The importance of effectively communicating the value of
Cybersecurity value throughout the enterprise.
• Cloud Computing: What is it and how does it impact Cybersecurity and Information
Assurance.
• Risk Management: Specifically the lack of objective data and the difference in approach
compared to other risk management organisations.
• Certification: The increased requirement of certification.
1.2: What is Information Assurance? What is Cybersecurity?
Information Assurance and Cybersecurity are often used interchangeably. However a consensus has
developed that they refer to subtly different disciplines. Unfortunately the extent of the agreement
ends there and experts cannot agree how the concepts differ. One school of thought considers
Information Assurance to be a subset of Cybersecurity, whilst a second considers the reverse to be
the case.
Much of the confusion is because of the close similarity of the two subjects and that Cybersecurity is
a young and developing discipline. Such is the youth of the subject that the exact formation of the
word is inconsistently used with use of ‘Cyber Security’, Cyber-security’ and ‘Cybersecurity’ being
common. For the purposes of this paper, the grammatical definition of Cybersecurity as taken from
the Oxford English Dictionary will be used: “the state of being protected against the criminal or
unauthorized use of electronic data, or the measures to achieve this.”
Information Assurance is in contrast a more established discipline with a consistent definition as
typified by CESG7
: “Information Assurance is the confidence that information systems will protect
the information they handle and will function as they need to, when they need to, under the control
of legitimate users”8
.
Whilst there is considerable overlap between the terms, there are two notable differences.
Information Assurance uniquely includes the security of information in non-electronic form, for
example the security of hard-copy document storage and transportation. Cybersecurity, in contrast,
uniquely considers defending against attacks on computer systems; including control systems, for
example those in electricity generation and distribution networks.
For the purposes of this paper, Risk Management is considered to be part of both Information
Assurance and Cybersecurity. A formulation of risk being the product of probability and impact is
used within Information Assurance; however, this paper proposes that other formulations of risk,
such as those used in Corporate Finance, offer alternate ways of managing Cybersecurity risk within
the enterprise.
7
CESG is the National Technical Authority for the UK.
8
CESG (2010)

7 | P a g e
1.3: Security Frameworks and Governance
From the expert interviews, it was clear that the specific choice between individual security
frameworks was not as important as ensuring that a suitable framework was used to ensure
structured thinking. No security framework was identified as being markedly superior to others
reviewed and there were examples of enterprises successfully implementing each framework.
Historically, Amazon have used COBIT9
as a framework and only recently adopted the ISO27000
series frameworks as discussed in section 2.3: Information Assurance and Cybersecurity: Competitive
Advantage. Intel, contrastingly, have used OCTAVE10
as a component of the Return on Security
Investment (ROSI) programme described in 5.3.2: Intel ROSI Model.
The intention of this paper is to highlight current thinking in Information Assurance and
Cybersecurity on a range of topics. Through the discussion of these topics insight can be gained and
enterprises can adapt their chosen framework as necessary to maintain the strategic alignment of
security initiatives.
1.4: Paper Structure
In the remainder of the paper, we develop the concept of Information Assurance and Cybersecurity
as both operational effectiveness and competitive strategy. In section 2.0: The Enterprise and
Cybersecurity, we discuss the position and strategic alignment of Information Assurance and
Cybersecurity in the enterprise. Then, in section 3.0: Cloud Computing: The Next Phase of IT we
provide a brief overview of Cloud Computing, focusing on two definitions which make up the next
two sections of the paper. Section 4.0: Cybersecurity: Operational Effectiveness considers
Information Assurance and Cybersecurity as both a cost of doing business and in section 5.0:
Information Assurance and Cybersecurity: Strategic Advantage as a strategic proposition. Finally, in
section 6.0: Implementing a Cybersecurity Programme we use a case study of Cisco to review the
concepts covered within the paper.
9
COBIT is developed by ISACA.
10
OCTAVE: Operationally Critical Threat, Asset and Vulnerability Evaluation, developed by Carnegie Melon
University’s CyLab

8 | P a g e
2.0: The Enterprise and Cybersecurity
In this section we discuss Porter and Carr’s contributions to understanding the role of operational
effectiveness and strategy in the enterprise. Later sections will use this framework to discuss specific
aspects of Information Assurance and Cybersecurity and link them to enterprise objectives.
2.1: The Enterprise: Operational Effectiveness and Strategy
To survive, an enterprise must develop products and services that are required by a set of
customers. On balance, the income (or funding) generated by the products or services must be
greater than or equal to the costs of producing those offerings. Porter recognised the value of both
operational effectiveness and strategy for the performance of any enterprise11
. But what is meant by
operational effectiveness and strategy?
Porter defines operational effectiveness as “performing similar activities better than rivals perform
them”12
which can lead to offering lower cost and superior quality at the same time. However
competing with rivals purely on operational effectiveness benefits no one. Improvements in
methods raise the level of competition everyone must maintain and do not enhance the position of
individual enterprises13
. Moreover, in the pursuit of operational effectiveness competition often
results in enterprises moving closer together in what Porter describes as “competitive
convergence”14
.
Strategy, in contrast, “is about being different”15
and limiting the aims of an enterprise. In the IT
market NetApp have a tightly focussed strategy and choose to focus exclusively on the manufacture
of efficient storage arrays. Hewlett-Packard, in contrast, has a broad strategy and chooses to
manufactures servers, laptops and printers in addition to a range of storage arrays.
2.2: Information Assurance and Cybersecurity: The Best of Both Worlds
Information Assurance and Cybersecurity mainly contribute to the operational effectiveness of the
enterprise in a similar way to Carr’s view of IT16
. However through risk management and advancing
the ‘Risk Frontier’, discussed later in this section, Information Assurance and Cybersecurity can
create strategic value.
Carr argues strongly that IT’s “strategic importance has diminished”17
because of its availability and
use in all enterprises. Similarly key Information Assurance and Cybersecurity controls, such as
antivirus and firewalls, have been adopted widely by enterprises. Thus the strategic importance of
Information Assurance and Cybersecurity must also have diminished.
When security professionals buy similar products from a small range of suppliers, the enterprise’s
position is no longer unique. In demanding proof of the robustness of security claims from Common
Criteria and other review processes security professionals diminish the enterprise’s distinctiveness
11
Porter (1996)
12
Porter (1996, p. 62)
13
Van Valen terms this endless pursuit of maintaining the level of competition the ‘Red Queen Hypothesis’.
(Van Valen, 1973)
14
Porter (1996, p. 63)
15
Porter (1996, p. 63)
16
Carr (2003)
17
Carr (2003, p. 41)

further as the number of available solutions is restricted
security controls18
inevitably push Information Assurance and Cybersecurity
competitive convergence.
Much of the investment in Information Assurance and Cybersecurity does not protect the
confidentiality of the information, but rather
and availability vulnerabilities. Although not the original intention behind the investment, this focus
on vulnerabilities matches Carr’s
operational effectiveness.
The main strategic benefit of Information Assurance and Cybersecurity is to ensure continued safe
and compliant operation of the enterprise whilst adopting new technologies and techniques.
Wardley20
explains that as IT is commodit
important. However adopting new techniques in a bid to gain market share or improved operational
effectiveness brings unknown challenges and impacts. How the enterprise responds to these
challenges is critical.
Stanton21
explains that for a given set of systems the majority of the security events have low
impact, as shown in Figure 1: The
extreme are events that cannot be predicted and have
events. The region between these two classes of security events is the ‘Risk Frontier’.
Figure 1: The 'Risk Frontier' redrawn from Stanton
18
Payment Card Industry - Data Security Stan
software or programs” to gain certification. PCI Security Standards Council, (2010, p. 5)
19
Carr (2003, p. 48). Carr’s three New Rules for IT Management consist of spend less, follow don’t le
focus on vulnerabilities, not opportuinites
20
OreillyMedia (2010)
21
Stanton (2011)
22
Taleb (2010, p. xxii) describes a ‘Black Swan’ event as having three properties: firstly, it is an ‘outlier’ on a
distribution – an extremely rare event; secondly,
‘outlier’, human nature makes us concoct explanations for its occurrence
23
BaU – Business as Usual. Stanton (2011)
Numberofevents
BaU Risk Management
as the number of available solutions is restricted. Certifications mandating
inevitably push Information Assurance and Cybersecurity into Porter’s
confidentiality of the information, but rather safeguards the enterprise from more costly
Carr’s third “New Rule for IT Management”19
and enhances enterprise
explains that as IT is commoditised, how an enterprise uses IT becomes increasingly
However adopting new techniques in a bid to gain market share or improved operational
: The 'Risk Frontier' redrawn from Stanton. However a
extreme are events that cannot be predicted and have devastating impact, so called “
The region between these two classes of security events is the ‘Risk Frontier’.
'Risk Frontier' redrawn from Stanton
23
Data Security Standard (PCI-DSS) requires the “use and regularly update anti
software or programs” to gain certification. PCI Security Standards Council, (2010, p. 5)
Carr (2003, p. 48). Carr’s three New Rules for IT Management consist of spend less, follow don’t le
focus on vulnerabilities, not opportuinites
an extremely rare event; secondly, it carries an extreme impact; finally in spite of it being an
‘outlier’, human nature makes us concoct explanations for its occurrence after the fact.
Business as Usual. Stanton (2011)
Impact
BaU Risk Management
'Black Swan' Events
'Risk Frontier'
9 | P a g e
Certifications mandating the use of specific
into Porter’s
more costly integrity
and enhances enterprise
ised, how an enterprise uses IT becomes increasingly
However adopting new techniques in a bid to gain market share or improved operational
However at the other
devastating impact, so called “Black Swan”22
The region between these two classes of security events is the ‘Risk Frontier’.
DSS) requires the “use and regularly update anti-virus
Carr (2003, p. 48). Carr’s three New Rules for IT Management consist of spend less, follow don’t lead and
it carries an extreme impact; finally in spite of it being an
Events

10 | P a g e
Enterprises respond to the majority of security events via automated systems such as antivirus
software and firewalls, often without even noticing. However where an enterprise is positioned
relative to the Risk Frontier is down to the Information Assurance and Cybersecurity functions. Only
by careful risk management can an enterprise survive operating close to the Black Swan boundary
and gain greater rewards than competitors by undertaking more ‘risky’ activities.
2.3: Information Assurance and Cybersecurity: Competitive Advantage
Cybersecurity and Information Assurance contribute to the success of an enterprise in an identical
way to launching a new product or entering a new market. Porter explains that competitive
advantage of an enterprise is the result of “all a company’s activities, not only a few”.24
If done well,
Information Assurance and Cybersecurity can boost profitability by aligning to enterprise strategy.
Equally if implemented badly or misaligned these activities can damage profits.
There is an important distinction to be made between ‘aligning to enterprise strategy’ and the more
commonly heard ‘aligning to the enterprise’. By aligning to the enterprise strategy, Cybersecurity
and Information Assurance are undertaking activities to deliver outcomes to the enterprise’s
customer25
. That is the consumer of the enterprise’s products and services. The only way to serve
customers is to produce outcomes that extend beyond the perimeter of the enterprise.
Aligning to the enterprise, in contrast, does not deliver the outcomes required and creates an
artificial divide between Cybersecurity and Information Assurance professionals and the rest of the
business. Hunter and Westerman explain, “if alignment is the goal and the topic under discussion,
then the [security] team is in effect showing that it is not focussed on the outcomes that matter.”
A good example of Information Assurance and Cybersecurity delivering outcomes to enterprise
customers is Amazon Web Services (AWS). A recent survey26
found 43% of respondents felt the risks
of Cloud Computing outweighed the benefits. This lack of consumer confidence could stall Amazon’s
growth plans for AWS.
In responding to this concern, Amazon’s security functions have gained internationally recognised
security accreditations27
for AWS in an attempt to prove the security of the system to their
customers. What makes this significant is Amazon acceptance of the cost of accreditation.
Particularly when Amazon’s cost controls are more stringent than most enterprises. Vance28
explains
the extent of the cost controls by describing that the light fixtures in Amazon’s reception area
“aren’t fixtures at all but rather collections of extension cords fitted with bulbs”.
2.4: Achieving Enterprise Strategy Alignment
Previously we discussed the importance of aligning Information Assurance and Cybersecurity
activities with enterprise strategy. But how is this achieved? Moreover, Cybersecurity and
Information Assurance initiatives are often designed to change business practices. Thus an
understanding of change management is essential to embed the outcomes delivered by security
24
Porter (1996, p. 62)
25
Hunter and Westerman (2009, p. 36)
26
ISACA (2011)
27
Including PCI-DSS Level 1, ISO 27001 and HIPAA certifications
28
Vance (2011, p. 1)

11 | P a g e
initiatives. Looking to other areas of the enterprise, Programme Management and Enterprise
Architecture can respond to these requirements.
In many organisations, Cybersecurity and Information Assurance have emerged to be significant
parts of the enterprise only as a result of regulatory requirements. Information Assurance and
Cybersecurity projects have been formed to respond to specific requirements and are not structured
to align to an overarching business strategy. Grouping these projects into an “Emergent
Programme”29
enables the enterprise to ensure alignment between the individual initiatives and the
overarching enterprise strategy.
The positioning of Cybersecurity and Information Assurance as an Emergent Programme is
consistent with the requirement to focus on outcomes. As the Office of Government Commerce
(OGC) describe “Programmes deal with outcomes; projects deal with outputs.”30
Additionally,
programme management contains processes and mechanisms to embed the changes necessary to
affect the enterprise culture.
Whilst the focus of programme management is to deliver outcomes, the role of Enterprise
Architecture is to improve cost efficiencies in the implementation of IT systems. Rather than develop
solutions to meet the specific requirements of an initiative, Enterprise Architecture uses a common
base architecture to deliver all solutions. Ross explains that this architecture is used to implement
systems and processes that reflect the enterprise’s “desired level of standardization and
integration”.31
Whilst TOGAF32
positions itself as an Enterprise Architecture framework, it is simply a specialisation
of more generic programme management methodologies. TOGAF’s Architectural Development
Method (ADM) is congruent to the OGC’s Managing Successful Programmes Framework. As
discussed previously, the specific variant of programme management framework is not significant to
the outcomes delivered. What is important is that a framework is used to maintain a structured
approach to the emergence of Information Assurance and Cybersecurity as a critical area of the
enterprise for delivering outcomes.
2.5: Information Assurance and Cybersecurity Block Enterprise Success
Whilst business change is hard to achieve the task is made more difficult because of the poor
reputation of Information Assurance and Cybersecurity within the enterprise. Whether justified, or
not, security professionals have gained a reputation for saying ‘No!’ more often than saying ‘Yes!’.
Non-security areas of the enterprise believe Information Assurance and Cybersecurity professionals
occupy a position of unquestionable expert, owing to the deep technical knowledge required to
secure IT systems. Moreover, the perceived reluctance to break through the Risk Frontier has further
damaged the reputation of Information Assurance and Cybersecurity.
29
Office of Government Commerce (2007, p. 6)
30
Office of Government Commerce (2007, p. 4)
31
Ross (n.d.)
32
TOGAF – The Open Group Architectural Framework

12 | P a g e
This view of Information Assurance and Cybersecurity blocking enterprise success was further
highlighted when the Harvard Business Review chose “Hack Work”33
as one of their breakthrough
ideas for 2010. The description of the idea depicts a bank employee socially engineering a database
vendor to gain a password and direct access to a database. As a result of bypassing security controls
the employee increased his access and became “incredibly productive” and a “hero to the senior
execs”34
.
Importantly, this perception has the potential to marginalise Information Assurance and
Cybersecurity within the enterprise. An example of this marginalisation is sales professionals
adapting their techniques to accommodate both IT and security professionals reluctance to adopt
Cloud Computing. As Ryden of MarginPro, a pricing service for commercial loans, states “We sell
around the technology guys and straight to the business folks.”35
How to effectively communicate the value of Information Assurance and Cybersecurity is discussed
further in section 5.2.
33
34
35
Vance (2011, p. 7)

13 | P a g e
3.0: Cloud Computing: The Next Phase of IT
Cloud computing is a hot topic. IBM recently raised its 2015 cloud revenue forecast from $3 billion to
$7 billion and is currently experiencing a doubling of revenue, year on year.36
Goodburn and Hill
respond to the question ‘What is ‘Cloud’?’ simply with “A business imperative”37
. The ability to
access computing, storage and network resource instantly and at very low costs makes the
operational effectiveness of adopting Cloud Computing compelling.
3.1: A Concept of Many Definitions
What is Cloud Computing? A relatively simple question at first glance; but like much of the IT
industry, every expert we interviewed for this paper had a different answer to that question.
The most commonly cited definition of Cloud Computing is provided by NIST38
. The main
contribution of this definition has been to provide a list of essential characteristics, service and
deployment models. The inclusion of “Rapid Elasticity” as an ‘essential characteristic’ is critical to the
definition as it differentiates the new concept of Cloud Computing from the ‘co-located server’
market developed in the 1990s.
A criticism of the NIST model, however, is that it is written for a technical (IT) audience and fails to
provide a concise, ‘elevator-pitch’ definition of the type required by business. Thus the development
of more concise definitions has proliferated. Wardley identified sixty-seven different definitions
before settling on his own39
. This inability to characterise Cloud Computing has added to its
ambiguity and mystique among Cybersecurity, Information Assurance and wider IT professionals.
Two definitions that resonate well from a business perspective are:
• “Cloud Computing is a transition from IT as a product to IT as a service”40
which typifies the
argument that the scales and economies achievable within Cloud Computing are
transformational to the enterprise. Moreover, the ability to pay for only what is used
changes the provision of IT from a capital cost to an on-demand, per task operating expense.
• “Cloud Computing is an outsourcing model”41
which typifies the argument that Cloud
Computing is nothing new and the selling of spare capacity within mainframe computers
was common place in the 1960’s and 1970’s.
Both of these definitions provide useful contexts in which to consider Information Assurance and
Cybersecurity. Thus, for the purposes of this paper, both definitions are considered and used in ‘5.0:
Information Assurance and Cybersecurity: Strategic Advantage’ to illustrate how Cybersecurity and
Information Assurance can contribute to the competitive advantage of an enterprise.
36
Vance (2010)
37
Goodburn and Hill (2010, p. 2)
38
NIST (2011)
39
O’Reilly Media (2009)
40
O’Reilly Media (2009)
41
Stanton (2011)

14 | P a g e
3.2: Cloud Implementations and Security Challenges
The NIST model for cloud computing provides three service models and four deployment models.
However in practice, only the Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS)
service models are the most commonly discussed. The deployment models consider whether a cloud
service provider offers services to any member of the public (a Public Cloud) or whether an
enterprise has sole use of the cloud (a Private Cloud).
SaaS acts as an application service and provides applications that meet specific business
requirements, such as managing customer engagement, without the need for the enterprise to
maintain the system. In contrast IaaS offers the ability to run arbitrary code on a scalable managed
infrastructure, where the consumer does not incur maintenance requirements. A service provider
uses virtualisation to offer multiple virtual machine instances on a single server and can offer
computational power at costs drastically lower than standard server farms. For example, Amazon
AWS offers 142 hours of computing time for $1 based on a Micro Spot Instance located in Virginia,
USA42
.
Later sections of this paper consider specific topics relating to the security challenges of using Cloud
Computing services. ‘Is my data too valuable to release?’ is a common consideration before
releasing enterprise data to a Cloud Computing service provider and is considered in section 5.5.
Moreover, when releasing data to a Cloud Computing service provider ‘Where is my data?’ both
geographically and on which server within the data centre become important. This topic is discussed
in section 5.6. In addition to these questions, concerns over the availability of the Cloud Computing
providers persist.
The concern over the availability of Cloud Computing is a relic of system administrators’
expectations of enterprise-grade servers which are found within enterprise data centres. However as
the number of systems increase, the Mean-Time-To-Any-Failure reduces such that in a cloud of
10,000 servers, one server could be expected to fail every few hours43
. Using the common analogy of
Cloud Computing being a utility such as electricity, data centre engineers rarely install business
critical servers without some form of backup power supply because of the likelihood of supply
failure. Thus expecting the utility of Cloud Computing to remain constantly stable is to place
unrealistic expectations on the service. As with using an alternative electricity supply, enterprises
should consider using several Cloud Computing service providers to maintain availability.
Peter Hewson (Angerona), a security expert interviewed for this paper, proposes that using multiple
Cloud Computing providers can further enhance security as it ensures the “aggregation of business
intelligence”44
by a single provider is avoided.
42
Amazon (2011a)
43
Barroso and Hölzle (2009)
44
Interview, London (2011)

15 | P a g e
4.0: Cybersecurity: Operational Effectiveness
Previously in section 2.2, we concluded that Information Assurance and Cybersecurity mainly
contributed to the operational effectiveness of an enterprise. Improvements in operational
effectiveness lead to a reduction in enterprise costs and thus an increase in profitability. In this
section we consider three topics relating to improving the operational effectiveness of enterprises.
They are: regulatory compliance, justifying the cost of common security controls and the use of
metrics to effectively measure the performance of enterprise security.
4.1: Regulatory Compliance and Security Standard Certification
Keeping enterprise directors out of jail has been a key motivator for senior buy-in to Information
Assurance and Cybersecurity within the enterprise. Regulatory compliance requirements are
imposed on enterprises as a prerequisite to being in specific markets. Thus groups of competing
enterprises have common compliance requirements and must implement the necessary controls
with cost efficiency. When gaining regulatory compliance and certification, it is essential to only
tackle relevant risks so as not to incur unnecessary expense. Even when enterprises are certified
compliant, it does not mean systems are secure, but rather communicates that a minimum standard
has been achieved.
The scandals of Enron, Tyco and WorldCom started a rush of US security and privacy regulations to
reduce fraud. The most prominent piece of legislation from this period is Sarbanes-Oxley (SOX).
When working towards regulatory compliance, it is essential to consider the business processes
before considering any IT systems or security controls used to deliver the process. Failure to
implement this top-down approach in the first year of SOX implementation resulted in an estimated
$3 billion of unnecessary costs.45
IT controls made up the single largest category of remedial actions
required by enterprises. However, during later analysis, many of these controls were found “not to
be direct risks to accurate financial reports and did not result in any material weakness”46
.
In addition to how compliance is implemented, it is important to understand which regulations and
standards apply. Andy Gill (ASE), a security expert interviewed for this paper, noted the importance
of relevant standards being included in contracts. On occasion, “it seems that legal departments
have searched Google for ‘security standards’”47
This lack of understanding when buying services can
lead to poor operational effectiveness and incurring unnecessary costs. Andy explained that in the
worst case he has seen, “the standards were both obsolete and irrelevant”48
.
Some enterprises choose not to complete a standard certification process, often in an attempt to
avoid costs. However, the enterprises may choose to implement controls they consider to be
‘compliant’ with the standard requirements, without being tested. During the interview for this
paper, Peter Hewson (Angerona) warned that this logic is a false economy: “Being compliant is less
cost effective than being certified”49
. Central to this concern is the appreciation that the process of
certification provides a set of controls and processes which are deemed sufficient to gain
45
Kim, Love and Spafford (2008, p. 50)
46
Kim, Love and Spafford (2008, p. 50)
47
48
49

16 | P a g e
certification. Without independent assessment, security administrators can over compensate with
controls and incur unnecessary costs.
Security accreditations provide the enterprise with an important misconception: gaining a security
certification does not mean a system is secure. Rather it demonstrates that a process has been
followed and a minimum standard has been achieved. Thus the enterprise can communicate to
suppliers and partners that certain processes have been undertaken and controls are in place. Prior
to being the victims of major security compromises, both Heartland Payment Systems and RBS
Worldpay were PCI-DSS50
certified and were listed as approved service providers. As a response to
the successful compromise of the security systems, Visa revoked the service providers’
certifications51
.
A final challenge when seeking to gain security certification is that occasionally mandated controls
cannot be applied. Health and Safety is more important than either Information Assurance or
Cybersecurity thus can prevent the implementation of security controls as prescribed by security
standards. During the interviews for this paper, GW explained a situation that arose during the
security certification of an oil refinery52
.
In the control room of the refinery there was a single computer that had control over the all systems
on the site and had the ability to shut down processing in the event of a safety incident. The
standard being applied to the refinery required that all computers must be both password-protected
and the passwords must be changed at regular intervals. However in an emergency, safety could be
compromised by delays caused by entering passwords, thus passwords were not configured on the
system. In this instance other compensating controls were used to prevent unauthorised access to
the computer and the certification was validated without the mandated password.
4.2: Question The Unquestionable: Is Antivirus Worth the Cost?
As previously discussed, effective cost control is essential to maintain operational effectiveness.
Some security standards mandate the use of specific controls53
and require the enterprise to incur
the associated cost. However beyond these mandated requirements, Information Assurance and
Cybersecurity often seek to replicate controls as ‘best practice’ throughout the enterprise, without
considering the cost burden of these actions. Antivirus54
is an example of a protective measure,
often used by Information Assurance and Cybersecurity without questioning the rationale. But is
antivirus worth the cost?
Whilst the threat profile and risk appetite of an enterprise contribute to an organisation specific
answer, in general we argue that the cost incurred from blanket use of antivirus is difficult to justify.
Selective installation of antivirus, in contrast, provides a cost efficient way of maintaining the
availability and integrity of computer systems.
50
PCI-DSS: Payment Card Industry - Data Security Standard
51
Finextra (2009)
52
53
PCI-DSS explicitly require the “use and regularly update anti-virus software or programs”. PCI Security
Standards Council (2010, p. 5)
54
Antivirus is used to cover the range of systems which detect malicious software, such as: viruses, Trojans,
Worms etc.

The reason against the blanket use of antivirus is
most common type of antivirus deployed within enterprises uses signature detection to identify
malicious software. This method of detection
further instances of the malicious co
encryption and obfuscation techniques to hide malicious software
Researchers55
have tested the feasibility of using signatures to identify all possible virus variants
using current polymorphic techniques.
sooner run out of atoms than attackers run out of decoders”
Importantly, the use of polymorphism is widespread in the cybercriminal com
virus that uses polymorphism is Zeus.
tailored piece of malicious software, each with a unique signature which explains why
researchers have detected “70,330 unique vari
The challenge Zeus poses antivirus is significant and
Malware Samples’ illustrates the detection rate
products. As shown, only nine samples (0.5% of those tested) were detected by all of the
systems. In contrast, 176 samples (10.0% of those tested) were not detected by over 90% of the
antivirus products tested.
Figure 2: Antivirus Detection Rate of Zeu
55
Song, et al. (2007)
56
Song, et al. (2007, p. 6)
57
Coogan (2009)
58
Spamhaus, (2011)
176
332
204
0
50
100
150
200
250
300
350
0% 10% 20%
NumberofZeuSMalwareSamplesTested(n=1753)
% of Antivirus products tested (n = 43) to correctly identify sample as being
blanket use of antivirus is, in its current form antivirus does not work.
malicious software. This method of detection use unique strings from known viruses
further instances of the malicious code. However to overcome detection, virus writers use
encryption and obfuscation techniques to hide malicious software, creating polymorphic software
g current polymorphic techniques. Unfortunately, the research concludes “we would much
sooner run out of atoms than attackers run out of decoders”56
used to hide malicious software.
morphism is widespread in the cybercriminal community.
virus that uses polymorphism is Zeus. Users of the Zeus Crimeware Toolkit can create their own
tailored piece of malicious software, each with a unique signature which explains why
researchers have detected “70,330 unique variants”57
.
The challenge Zeus poses antivirus is significant and ‘Figure 2: Antivirus Detection Rate of Zeu
illustrates the detection rate of 1,753 Zeus samples submitted
products. As shown, only nine samples (0.5% of those tested) were detected by all of the
Antivirus Detection Rate of Zeus Malware Samples
58
204
168
145
203
111
141
201
63
20% 30% 40% 50% 60% 70% 80% 90%
malicious (closer to 100% is better)
17 | P a g e
antivirus does not work. The
known viruses to identify
However to overcome detection, virus writers use
polymorphic software.
Unfortunately, the research concludes “we would much
used to hide malicious software.
munity. One prolific
create their own
tailored piece of malicious software, each with a unique signature which explains why Symantec
Antivirus Detection Rate of Zeus
submitted to 43 antivirus
products. As shown, only nine samples (0.5% of those tested) were detected by all of the antivirus
63
9
90% 100%

18 | P a g e
An alternative way of detecting viruses is to identify anomalous characteristics within software, so
called ‘heuristic detection’. This method aims to detect previously unknown viruses by detecting
behaviour such as attempting to gain privilege access to sensitive files. Whilst heuristic based
detection faces a more tractable problem, testing by Anti-virus Comparative59
demonstrates that the
best performing antivirus product was able to detect only 62% of previously unknown malicious
software, leaving 38% undetected. Moreover when viruses are detected and remedial actions are
implemented, attackers can simply change their methodologies, repackage known viruses and regain
access to computer systems60
.
The fallibility of antivirus products may lead to a conclusion that it is a cost that does not produce
reliable outcomes. However when viewed as a cost efficient method of ensuring the availability of
systems and reducing the cost of recovering from known virus infections, the case for using antivirus
becomes more balanced.
Like an enterprise, attackers seek to be operationally effective and maximise the return for their
efforts. Viewed from an attacker’s perspective, Kazanciyan and Glyer exclaimed “Simple is cheap,
and still works!”61
Escalation to more advanced techniques only occurs once the impact of simpler
techniques has been reduced. Thus two distinct operating models develop: firstly using increasingly
sophisticated techniques to attack a specific victim and secondly using less sophisticated techniques
to attack an increasing range of victim.
The first operating model pushes the limit of antivirus capability and challenges high-threat
enterprises such as banks to continually track and counter evolution of attack methods. This
dedicated response to attacks is expensive to maintain and is difficult to justify for all but the highest
threat industries. However, as a by-product of this costly investment, the results of malicious
software research are shared within the security community and provided to antivirus vendors for
incorporation in their products. Thus knowledge is transferred from a high-threat, high-capability
environment to other environments on a regular basis.
The second operating model is more relevant to the majority of enterprises and results in those
without antivirus being exploited and incurring recovery costs. The automation of attacks results in
the cost of exploitation of an unspecified enterprise being low for the attacker. However the victim
enterprise incurs a higher recovery cost for each successful attack. Thus it is more cost effective to
use antivirus than attempt to recover from regular attacks.
4.3: Metrics
Log files are invaluable when responding to breaches of security. However, the original purpose of
these files was for system administrators to manage IT infrastructures and ensure their continued
operation. System administrators recognised that by monitoring log files over extended periods,
trends emerged and by using certain measures or metrics the number of unscheduled outages could
be reduced. Although the predictive use of metrics is common within IT system administration, this
technique is not widely used by Information Assurance and Cybersecurity professionals. In contrast
59
Anti-virus Comparative (2010)
60
Kazanciyan and Glyer (2010)
61
Kazanciyan and Glyer (2010)

security professionals often rely on alerts from antivirus products and intrusion detection systems
(IDS) to notify that an incident is occurring, despite the
Metrics are often collected and analyzed for maintenance reasons
Westerman63
propose a second use of metrics
investment. Both maintenance metrics
control of Information Assurance and Cybersecurity initiat
control what you can’t measure”
An alert from an antivirus product or IDS
been detected. For attacks targeting
first enumerate the victims IT systems before attempting to exploit the security.
value of metrics is to identify precursor events, rather than focus on the outputs from systems that
detect late in the attack cycle.
More broadly than these technical maintenance metrics, Lacey suggests t
and Safety and considering the bad practices to near misses and on to major incidents.
Lacey’s Remodelling of Heinrich's Safety Triangle
hierarchy to illustrate the number of detection opportunities available before a major security
incident occurs.
Beyond the early detection of attacks, maintenance metrics can be used to provide
in secure development practices to developers who habitually produce insecure software
analysis tool metrics such as “Defects per 1000 Lines of Code” and “
(vulnerabilities per unit of code)”
62
Jaquith (2007)
63
64
Maintenance metrics use figures to assist in the maintenance of systems.
65
Value metrics use figures to communicate the value of a system’s quality and performance.
66
DeMarco (1982, p. 3)
67
Jaquith (2007, p. 75)
rity professionals often rely on alerts from antivirus products and intrusion detection systems
(IDS) to notify that an incident is occurring, despite the availability of precursor data.
Metrics are often collected and analyzed for maintenance reasons62
; however, Hunter and
propose a second use of metrics to show the value of specific IT and security
Both maintenance metrics64
and value metrics65
contribute to the management
of Information Assurance and Cybersecurity initiatives and as DeMarco states “You can’t
control what you can’t measure”.66
product or IDS is rarely the first time the process of an attack could have
targeting a specific enterprise it is well understood that
first enumerate the victims IT systems before attempting to exploit the security.
to identify precursor events, rather than focus on the outputs from systems that
More broadly than these technical maintenance metrics, Lacey suggests taking a lead from Health
and considering the bad practices to near misses and on to major incidents.
Lacey’s Remodelling of Heinrich's Safety Triangle shows Lacey’s reworking of a Health and Safety
etection of attacks, maintenance metrics can be used to provide
in secure development practices to developers who habitually produce insecure software
as “Defects per 1000 Lines of Code” and “Vulnerability
lnerabilities per unit of code)”67
can be used to measure performance on a per
Maintenance metrics use figures to assist in the maintenance of systems.
Major
Incident
29 Minor Incidents
300 Near Misses
Thousands of bad practices
19 | P a g e
rity professionals often rely on alerts from antivirus products and intrusion detection systems
data.
owever, Hunter and
to show the value of specific IT and security
contribute to the management and
DeMarco states “You can’t
is rarely the first time the process of an attack could have
that an attacker must
Thus the potential
to identify precursor events, rather than focus on the outputs from systems that
aking a lead from Health
and considering the bad practices to near misses and on to major incidents. Figure 3:
shows Lacey’s reworking of a Health and Safety
etection of attacks, maintenance metrics can be used to provide targeted training
in secure development practices to developers who habitually produce insecure software. Code
Vulnerability Density
on a per-developer basis.

Figure 3: Lacey’s Remodelling of Heinrich's Safety Triangle
Metrics can be used to effectively
Cybersecurity. However, Information Assurance and Cybersecurity professionals mistakenly attempt
to use the same maintenance metrics to communicate value and maintain performance. F
example, few areas of the enterprise beyond IT could asse
Availability as 93%. Executives are left to ask ‘What business functions were affected by the 7% of
time the Firewall was unavailable?’ and ‘What business outcomes were not achiev
To effectively communicate the value of Information Assurance and Cybersecurity, it is necessary to
“use metrics about quality and price for visible services.”
to be directly compared, while enab
Hunter and Westerman explain that the focus should be “a
best possible price”70
. Moreover, u
between business groups and enterprises and manage performance improvements.
Figure 4: Value Metrics for Secure Remote Working and Perimeter Protection
of metrics that communicate the value of security controls
understood by executives. Compiling these metrics for individual Lines
explains what the impact of security controls are on th
Figure 4: Value Metrics for Secure Remote Working and Perimeter Protection
68
Lacey (2009, p. 51)
69
70
Security Service
Secure Remote
Working
(Laptop, HDD
Encryption & VPN)
Perimeter
Protection
(Firewalls, Email
Scanning & IDS)
: Lacey’s Remodelling of Heinrich's Safety Triangle
68
ly communicate the value of Information Assurance and
However, Information Assurance and Cybersecurity professionals mistakenly attempt
metrics to communicate value and maintain performance. F
f the enterprise beyond IT could assess the importance and value of
. Executives are left to ask ‘What business functions were affected by the 7% of
time the Firewall was unavailable?’ and ‘What business outcomes were not achiev
“use metrics about quality and price for visible services.”69
These metrics enable the cost of services
to be directly compared, while enabling the enterprise to choose the required level of quality.
that the focus should be “achieving the right level of quality at the
Moreover, unit costs should be used to further facilitate comparisons
ween business groups and enterprises and manage performance improvements.
: Value Metrics for Secure Remote Working and Perimeter Protection illustrates
the value of security controls for two types of system
. Compiling these metrics for individual Lines-of-Business effectively
explains what the impact of security controls are on the enterprise.
: Value Metrics for Secure Remote Working and Perimeter Protection
Cost Metrics
•Cost per Laptop
•Cost per MB transfered
•Cost per Mailbox
•# of Mailboxes
•Cost per MB
transfered
Service Level Metrics
• Hours of Downtime
• Time to Install
• Time to Problem
Resolution
• Performance
• Hours of Downtime
• Message Delivery
Time
• Performance
20 | P a g e
communicate the value of Information Assurance and
However, Information Assurance and Cybersecurity professionals mistakenly attempt
metrics to communicate value and maintain performance. For
ss the importance and value of Firewall
. Executives are left to ask ‘What business functions were affected by the 7% of
time the Firewall was unavailable?’ and ‘What business outcomes were not achieved as a result?’.
These metrics enable the cost of services
required level of quality.
chieving the right level of quality at the
nit costs should be used to further facilitate comparisons
ween business groups and enterprises and manage performance improvements.
illustrates a short set
for two types of system in a way easily
Business effectively
Service Level Metrics
Hours of Downtime
Time to Install
Time to Problem
Resolution
Performance
Hours of Downtime
Message Delivery
Performance

21 | P a g e
5.0: Information Assurance and Cybersecurity: Strategic Advantage
In the previous section, we discussed the importance of cost control and measurement of
performance to ensure Information Assurance and Cybersecurity contribute to the operational
effectiveness of an enterprise. However, to consider Information Assurance and Cybersecurity as
only a cost of doing business is to underplay the significant value the disciplines can create by safely
extending the enterprise Risk Frontier.
In this section, we consider the strategic competitive advantages Cybersecurity can offer with
particular reference to Cloud Computing. The transition model discussed in section 3.0 is used to
consider how Cloud Computing impacts on core security activities of risk management,
communicating Cybersecurity and analysing metrics.
Risk and risk management are often considered solely the preserve of Information Assurance71
.
However, we assert that understanding other definitions of risk already used by the enterprise is of
benefit to Cybersecurity. Through this new understanding, different operating models can be used
to create operational value for the enterprise. The two definitions of risk are discussed in section 5.1.
Information Assurance and Cybersecurity professionals cannot realise the value of these new models
without engaging with other areas of the enterprise. For this reason it is essential to consider how to
communicate Cybersecurity throughout the enterprise and this is covered in section 5.2. Finally we
consider the opportunity to use Cloud Computing to perform analytics and how it enables the
enterprise to extend metrics to assess future opportunities in section 5.3.
The outsourcing model of Cloud Computing is used to discuss specific challenges which Cloud
Computing pose to an enterprise. The overall challenge of outsourcing is considered in section 5.4
and the specific challenges of valuing information and understanding the impact of data location is
covered in sections 5.5 and 5.6.
5.1: Risk Management
As described in section 2.2, the Risk Frontier describes events that are beyond the scope of business-
as-usual security controls, but are predictable in contrast to Black Swan events. Information
Assurance and Cybersecurity have the potential to extend the Risk Frontier and undertake activities
that are deemed ‘too risky’ by competitors. In return for operating in a more risky environment, the
enterprise anticipates a greater return. Risk management is a central pillar of Information Assurance,
however to extend the Risk Frontier a broader understanding of risk management is required than is
traditionally used by Information Assurance. We contend that these alternate definitions provided
by finance and corporate communications offer Cybersecurity professionals the opportunity to
enhance the position of the enterprise. Moreover, this broader understanding of risk is essential as
Information Assurance “falls into the category of disciplines that have developed risk management
in isolation”72
.
71
ISO(2010a)
72
Hutton and Hubbard (2011, p. 1)

22 | P a g e
The most common formula73
used by Information Assurance:
ܴ݅‫݇ݏ‬ = ܲ‫ݕݐ݈ܾܾ݅݅ܽ݋ݎ‬ × ‫ݐܿܽ݌݉ܫ‬
is only one of several methods used by enterprises to understand risk. Moreover, this formula guides
the enterprise to focus on the negative impact of undesirable events. Risk in finance in contrast
considers both positive and negative returns being defined as the variability of actual returns around
those expected. Damordaran74
extends this definition and presents the formula:
ܴ݅‫݇ݏ‬ = ‫ݎ݁݃݊ܽܦ‬ & ܱ‫ݕݐ݅݊ݑݐݎ݋݌݌‬
This formula makes no attempt at unbiased objectivity, which is often the goal of Information
Assurance and Cybersecurity risk management. This view, and its acceptance of subjectivity, is
consistent with research showing cognitive bias and emotions prevent humans from being entirely
objective in assessing risk. Slovic75
identified there are two fundamental ways in which humans
comprehend risk: the ‘analytic system’ and the ‘experiential system’. The ‘experiential system’ being
the most common way to respond to risk and is based on intuition rather than formal logic.
The second formula provides a different understanding of risk. Used in combination, the formula
offers opportunities to develop a more complete risk management strategy than is employed by
many Information Assurance and Cybersecurity programmes today.
5.1.1: Risk = Probability × Impact
Although this formula is commonly used by Information Assurance, it is the most fragile of the three
formulas presented. The original form developed by Roper76
:
݈ܵ݅݊݃݁ ‫ݏݏ݋ܮ‬ ‫ݕܿ݊ܽݐܿ݁݌ݔܧ‬ = ‫ݐ݁ݏݏܣ‬ ܸ݈ܽ‫݁ݑ‬ × ‫݈݅݁݇݅ܮ‬ℎ‫݀݋݋‬ ‫݂݋‬ ‫ݏݏ݋ܮ‬
is often used to understand the relative importance of assets and to communicate the value of
potential loss to business leaders. However, as Schneier77
highlights “It’s a good idea in theory, but
it’s mostly bunk in practice”78
.
In theory, this formula provides the necessary detail to make the judgements required to sell cyber
insurance. However, the core of the problem with the formula is a lack of accurate data for either
the probability or impact variables. As Geer explains robustly, “the numbers are too poor to even lie
with”79
. To overcome this lack of data, Vispoli of Chubb Insurance, is cited as saying the strategy for
pricing cyberinsurance is to “price them high and see what happens”80
.
Rapidly changing IT environments and the complexity of computer systems make the collection and
modelling of consistent risk data difficult to achieve over a long period. However, as Hubbard
73
NIST (2002, p. 1)
74
Damordaran (2008, p.6)
75
Slovic (2004)
76
Roper (1999, p. 15)
77
Schneier (2008)
78
Schneier (2008, p. 1)
79
Geer (2004 cited in Jaquith, 2007, p. 32)
80
Visipoli (2010 cited in Bejtlich, 2010)

23 | P a g e
explains “everything is measurable”81
and the contribution such Diagnostic Metrics could offer the
enterprise is significant. In the absence of objective data, this formula often resorts to subjectivity
assessments and as Schneier82
explains “the math quickly falls apart when it comes to rare and
expensive events”83
. Without a strong base of objective data, it is nearly impossible to defend an
opinion and outcomes are based on the degree of influence of each party.
Andy Gill (ASE) cited Grimshaw v Ford Motor Co. (1981) as an example of the dangers of incorrectly
assigning Asset Values84
. During testing of the Pinto model, Ford identified that in specific types of
collision the fuel tank would rupture and ignite because of its position behind the rear axle. In
assessing whether to undertake changes to the design which were known to improve the safety of
the car, Ford conducted a risk/reward calculation. When calculating the risk of injury Ford valued a
life at $200,000 and the cost of a serious injury as $67,000. As a result of these calculations, it was
deemed too expensive to modify the Pinto, thus Ford sold the car in the US knowing the danger
posed by the fuel tank. Following Grimshaw’s victory in the case, the court awarded punitive
damages of $125M to act as a deterrent to future risk/reward calculations.
5.1.2: Risk = Danger & Opportunity
Conceptually this formula is more robust, however to overcome the fragility of the previous example
it is based on a subjective measure. Damordaran’s concept of risk uses the Chinese symbol for risk
which he describes as best capturing the “duality” of risk.
Figure 5: Chinese Symbol For Risk
85
The symbol is composed of a “combination of danger (crisis) and opportunity” and for Damordaran
“captures perfectly both the essence of risk and the problems with focussing purely on risk
reduction”.86
As Farshchi87
identifies, this perspective of balancing “risk and value toward
enablement of the business, not to just simplistically reduce risk” contradicts the mindset of many
Cybersecurity and Information Assurance professionals.
Damordaran’s premise is that as risk is composed of both danger and opportunity, it is not possible
to have one without the other. Moreover, when pricing risk in terms of investments, one cannot
increase opportunity without accepting an associated increase in danger. Thus, in an enterprise that
is seeking to gain either profit or cost saving opportunities to gain operational effectiveness, the
level of opportunity available is directly related to the level of danger the enterprise is prepared to
accept.
81
Hubbard (2007, p.1)
82
Schneier (2008)
83
84
85
Damodaran (2008)
86
Damordaran (2008, p.6)
87
Farshchi (2010)

24 | P a g e
Consider the two extremes that this concept of risk offers Cybersecurity as operational
effectiveness: ‘No security: maximum cost savings’ and at other extreme ‘Total security: no cost
savings’:
• No security: maximum cost savings. An enterprise decides that no security procedures
should be put in place, thus providing the greatest opportunity to reduce cost. However, a
Cybersecurity professional would highlight that this exposes the business to increased
danger of attack, with an associated drop in system availability and loss of valuable data.
• Total security: no opportunity to reduce cost. An enterprise employs every possible security
control available and ensures the security to the highest possible standard, incurring the
associated costs. If a rival enterprise does not employ the same level of security, then the
enterprise looses competitive advantage by unnecessarily incurring costs and reducing
profits.
Neither of these propositions is wrong; however, neither offers an optimal solution nor represents
an intuitively sensible decision. A middle ground is required. Where the middle ground is depends on
the individual enterprise. This is the notion of Risk Appetite within the organisation: the level of
danger an enterprise is prepared to accept. However, it is not necessary for the enterprise to have a
single Risk Appetite; rather it is possible to have varying levels for different lines-of-business
depending on the growth strategy for those areas.
Both Netflix and H&R Block have extended their Risk Frontier and used Cloud Computing to gain
competitive advantage and cost efficiencies (the opportunity) over their competitors. Overcoming
security concerns (the danger) has enabled Netflix to be “almost 100% in the public cloud”88
.
Similarly H&R Block stores the highest level of sensitive personal data, PCI-DSS Category 1, in the
Amazon Web Services Public Cloud89
. These examples have lead Cloud Computing experts to
contend that any confidential data can be hosted in the public Cloud90
.
5.2: Communicating Cybersecurity
“Executives, like everyone else, see what is brought to their attention.”91
Communication is an essential part of modern business and thus Cybersecurity and Information
Assurance. Without communication informed investment decisions cannot be made, budgets cannot
be allocated, users cannot be educated on the dangers of the Internet and new security initiatives
cannot be launched. If Information Assurance and Cybersecurity fail to communicate effectively with
other areas of the enterprise, it can result in managers bypassing them entirely to deliver the
enterprise strategy. As Stanton explains, “There are at least two security departments I know of that
don’t have a seat at the cloud table.”92
However, how to be effective in communication is often
overlooked by Information Assurance and Cybersecurity professionals. In the words of Peter
Drucker, the founder of modern management theory:
88
Cockcroft (2011, cited in Reilly (2011))
89
Cockcroft (2011)
90
Cockcroft (2011)
91
92
Stanton (2011)

25 | P a g e
“It is the recipient who communicates. The so-called communicator, the person who emits
the communication, does not communicate. He or she utters. Unless there is someone who
hears, there is no communication.”93
This perspective is contrary to the view often taken by security professionals. As experts discussing
complex topics, it is all too easy to start from a position of ‘What do I want to say?’, rather than
‘What does the listener want to hear?’ To communicate effectively it is essential to differentiate the
message based on the audience. Not only must one “know what the recipient expects to see and
hear”94
, but be aware that “one can communicate only in the recipient’s language or terms”95
.
The two extremes of this communication spectrum are the Boardroom and front-line employees. As
PwC advise “If you’re not talking ROI96
, the boardroom isn’t listening”97
and Peter Hewson
(Angerona), an independent security consultant interviewed for this paper, notes “When it comes to
front-line employees, the starting point is always ‘What’s in it for me?’”98
.
5.2.1: Communicating Cybersecurity to the Boardroom
Schneier99
represents a vocal majority of Information Assurance and Cybersecurity professionals
who consider Return on Investment (ROI) an unsuitable term for use in the context of security.
Schneier argues “Security is not an investment that provides a return [...]. It’s an expense that,
hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings.”100
However, the root of this argument stems from the view that security controls and measures are,
primarily required to safeguard the confidentiality of information rather than ensure the availability
of the IT infrastructure as discussed in section 2.2.
This approach to the communicating Cybersecurity leads to what Hunter and Westerman term
‘Value Traps’, which prevent security programmes “from delivering value, and prevent the rest of
the business from seeing the value delivered”101
. When making investment decisions, the principle
aim of the boardroom is to understand whether value for money is being achieved. The use of ROI
acts as a transparent and consistent method of understanding and comparing the value of diverse
programmes. Thus, communicating Cybersecurity to the boardroom is essentially an exercise in
communicating the value of Cybersecurity to the enterprise.
As discussed in the previous section, enterprises and individual lines-of-business within an enterprise
have different risk appetites. Unit cost metrics enable the value of security measures applied for
each risk appetite to be measured and comparisons drawn between the qualities of service provided
to each line-of-business and costs baselined between enterprises. Thus, the operational
effectiveness of Information Assurance and Cybersecurity is measured and can be effectively
communicated through diagrams such as Figure 6: Intel's Unit Cost / Quality Matrix.
93
Drucker (2001, p. 391)
94
Drucker (2001, p. 393)
95
Drucker (2001, p. 392)
96
ROI – Return on Invesment.
97
PwC (2005, p.29)
98
Hewson (2011)
99
Schenier (2008)
100
101

26 | P a g e
Figure 6: Intel's Unit Cost / Quality Matrix
102
5.2.2: Communicating Cybersecurity to Front-line Employees
“Security experts frequently refer to people as ‘The weakest link in the chain’”103
. As Beautement,
Sasse and Wonham explain “A significant number of security breaches result from employees’ failure
to comply with security policies”104
. On preliminary analysis, one could conclude that users are
“hopelessly lazy and unmotivated on security questions”105
. However, whilst “one may improve the
psychological acceptability”106
of a delay attributed to a security requirement, delays users consider
to be excessive lead to the counterargument, “anything that loses time is not good for the
business”107
.
We propose that these issues arise through the failure of Information Assurance and Cybersecurity
professionals to communicate the value of Cybersecurity and answer front-line employees question,
‘What’s in it for me?’.
Herley108
argues security “advice offers to shield [users] from the direct costs of attacks, but burdens
them with increased indirect costs, or externalities. Since the direct costs are small relative to the
indirect one, they reject this bargain”109
. This situation occurs as a result of two problems: Firstly,
because of a lack of compromise data, Information Assurance and Cybersecurity professionals speak
102
Redrawn from Hunter and Westerman (2009, p. 59)
103
Sasse and Flechais (2005, p. 13)
104
Beautement, Sasse and Wonham (2008, p.47)
105
Herley (2009, p. 1)
106
Egelman et al. (2010, p. 9)
107
Beautement, Sasse and Wonham (2008, p.50)
108
Herley (2009)
109
Herley (2009, p. 2)
0.0
1.0
1.25
0.5
0.25
0.5
0.25
Best in
class
Worst in
class
Unit cost
Best in
class
Worst in
class
Quality
7
4
2A
10
6
9
2B 1
7
3
4
8
2A
10
6
5
9
2B
1
5
8
3
E-mail
Laptop
Desktop
PBX+VM
Enterprise business computing
Engineering computing
Flex computing
Manufacturing computing
Mainframe
WAN
Computing platform
IT products and services

27 | P a g e
of the worst-case risk, rather than the most probable. Secondly, the cost of user effort is
underestimated and assumed to be negligible. Herley asserts that this is an “enormous
miscalculation: it treats as free a resource that is actually worth $2.6 billion an hour”110
for the US
adult online population. The research concludes:
“’Given a choice between dancing pigs and security, users will pick dancing pigs every time.’
While amusing, this is unfair: users are never offered security, either on its own or as an
alternative to anything else. They are offered long, complex and growing sets of advice,
mandates, policy updates and tips. These sometimes carry vague and tentative suggestions
of reduced risk, never security”111
.
To resolve this situation four actions are suggested112
:
• Gain a better understanding of the actual harms endured by users
• Ensure the cost of any security advice is in proportion to the victimization rate. 113
• Retire advice that is no longer compelling is necessary.
• Prioritise the advice presented to users.
Beautement, Sasse and Wonham114
approach the topic in a similar way and introduce the concept of
a ‘Compliance Budget’ as a measure of individuals’ perception of the costs and benefits of
compliance with enterprises security goals. The research concludes that “an individual’s Compliance
Budget sets a cap on the effectiveness of security practices they are involved in. [...] once the
threshold is crossed, the individual will choose work-arounds motivated by his or her own needs,
rather than the more altruistic process of compliance”115
.
5.3: Analytics
In section 5.1.1: Risk = Probability × Impact, we discussed the lack of security data within the
enterprise and resulting failure of Single Loss Expectancy as a method of communicating the value of
a potential loss. One significant exception to this is Intel’s use of Analytics to develop a model for the
“Return on Security Investment” (ROSI) in their manufacturing environment116
. Rosenquist estimates
that $18M per year of losses is avoided as a result of the application of the model.
5.3.1: What is Analytics?
Davenport and Harris define analytics as, “the extensive use of data, statistical and quantitative
analysis, explanatory and predictive models, and fact-based management to drive decisions and
actions.” Analytics build on the opportunities metrics offer the enterprise, as discussed in ‘4.3:
Metrics’. The analysis of metrics (the lower four boxes of ‘Figure 7: Hierarchy of Analytics Extending
Reporting and Metrics’) seeks to quantify what has or is happening and where. Analytics seek to
extend this to answer questions such as ‘Why is this happening?’ and offer views of the future (the
upper four boxes).
110
Herley (2009, p. 9)
111
Herley (2009, p. 11)
112
Herley (2009, p. 10)
113
User education is a cost borne by the whole population, while offering benefit only to the fraction that fall
victim.
114
Beautement, Sasse and Wonham (2008)
115
Beautement, Sasse and Wonham (2008, p. 53)
116
Rosenquist (2007, p. 1)

Figure 7: Hierarchy of Analytics Extending Reporting and Metrics
Many large enterprises have found analytics to offer both competitive
offer differentiated services to customers
of analytics include, Netflix and Google in e
telecommunications118
.
Analytics often require large datasets and conducting analysis with a ran
simulations. Cloud Computing offers a cost efficient way of completing the large number of
computations required by analytics.
Computing is illustrated by MarginPro, a pricin
every $10 million in revenue the company makes off this work, it pays $1,500 in cloud fees to
Microsoft.” Moreover, a Northrop Grumman
“less than a day to train machine
Amazon cloud.
5.3.2: Intel ROSI Model
As discussed in ‘5.2.1: Communicating Cybersecurity to the Boardroom
security to the boardroom it is essential to use terms that are easily understood, namely ROI. The
requirement for the Intel ROSI model was to meet this very requirement and estimate “the return
on investment for security programmes that reduce the number of incidents in manufacturing
processes”. The development of the model began in 2005 to assist in justifying investment costs, but
also to identify best-of-breed products, compare the value of programme
117
Adapted from Davenport and Harris (2007, p. 8)
118
Davenport and Harris (2007, p. 7)
119
Vance (2011, p. 7)
120
Vance (2011, p.6)
Optimisation
Predictive Modeling
Forecasting / Extrapolation
Statistical Analysis
Alerts:
Query / Drill Down
Ad-hoc Reports
Reports:
: Hierarchy of Analytics Extending Reporting and Metrics
117
have found analytics to offer both competitive advantages
offer differentiated services to customers, and increased effectiveness of decisions. Significant users
of analytics include, Netflix and Google in e-Commerce, Capital One in financial services and O2 in
large datasets and conducting analysis with a range of statistical tools and
Cloud Computing offers a cost efficient way of completing the large number of
computations required by analytics. An example of the economies achievable by using
illustrated by MarginPro, a pricing service for commercial loans. Vance
Northrop Grumman researcher developing a ‘cybersecurity system
y to train machine-learning algorithms on more than 1.3 million files
Communicating Cybersecurity to the Boardroom’, to effectively communicate
stment for security programmes that reduce the number of incidents in manufacturing
breed products, compare the value of programmes against non
Adapted from Davenport and Harris (2007, p. 8)
Davenport and Harris (2007, p. 7)
Optimisation: What's the best that can happen?
Predictive Modeling: What will happen next?
Forecasting / Extrapolation: What if the trend continues?
Statistical Analysis: Why is this happening?
What action is needed?
Query / Drill Down: Where exactly is the problem?
hoc Reports: How many, often and where?
: What happened?
28 | P a g e
advantages, by the ability to
and increased effectiveness of decisions. Significant users
Commerce, Capital One in financial services and O2 in
ge of statistical tools and
Cloud Computing offers a cost efficient way of completing the large number of
achievable by using Cloud
g service for commercial loans. Vance119
explains, “for
cybersecurity system’ took
on more than 1.3 million files”120
by using the
’, to effectively communicate
stment for security programmes that reduce the number of incidents in manufacturing
s against non-security

29 | P a g e
initiatives and make data driven decisions. Importantly, a key feature of the model is to make
predictive estimates of losses likely to be incurred by not adopting security controls.
Intel developed the ROSI model using data from 18,000 computers collected over a two year period
(equivalent to over 13 million computer-days)121
, in addition to a variety of other financial and
management databases. Using this data, an ‘Impact / Valuation Calculation Engine’ estimates the
value of planned security programmes using the following inputs:
• Attack Incident Occurrence Data
• Business Impact and Outage Data
• Business Loss and Cost Data
• Risk Mitigation Security Programme
Using the earliest data as a baseline to assess three subsequent security programmes, Intel was able
to measure a 99% reduction in security incidents and a 396-fold increase in the days between
incidents.122
Rosenquist estimates that over $18M is avoided as a result of the security programmes
implemented and the model’s predictions have been measured to be 87% accurate.
5.4: How To Outsource? That is the Question.
As a method of gaining operational effectiveness outsourcing business functions to cheaper external
suppliers “seem[s] like a no-brainer”.123
Cloud Computing can be seen as a continuation of this trend
and considered to be a cost efficient method of externalising IT resources to deliver operational
effectiveness. Few other areas of business operations have a greater potential to bring Information
Assurance and Cybersecurity into conflict with business strategy. However, the speed with which an
enterprise can adopt this type of step change in capability is a source of competitive advantage.
Like previous iterations of outsourcing, Cloud Computing offers enterprises the ability to realise
short-term cost savings, increase revenue per employee and transform fixed costs into a variable,
on-demand payment.124
But with the benefits comes a loss of visibility and control. While the impact
of this shift on events and security breaches may be at the forefront of Information Assurance and
Cybersecurity professionals concerns, the location of information and the shift in employee loyalty
from the enterprise to the service provider should also be concerns.
Although by outsourcing business functions the enterprise transfers responsibility to deliver secure
functions, it does not transfer accountability for any breaches. In 2010, the UK Financial Services
Authority (FSA) fined the UK branch of Zurich Insurance Plc £2.275m (€2.74m) for data security
failings of an outsourcing supplier which lost the personal details of 46,000 customers125
. The FSA
specifically cited Zurich UK’s failure to “ensure it had effective systems and controls to manage the
risks relating to the security of customer data resulting from the outsourcing arrangement” as a
121
122
123
Manget and Mercier (2011)
124
Lacey (2010)
125
Financial Services Authority (2010)

30 | P a g e
problem. The lack of “proper reporting lines”126
and suitable incentives resulted in Zurich UK not
being informed of the breach by the supplier for a year.
Contracts are often the preferred method of ensuring specific business processes and practices are
maintained. Importantly the design of incentives within the contract is critical to the security of the
outsourced service and is a new area of research. In a departure from the traditional highly technical
subjects considered by security researchers, Anderson and Moore used economics and game theory
to evaluate contracts in outsourced environments and the security failures resulting from bad
incentives.127
Further, Cezar, Cavusoglu and Raghunathan128
devised two ‘optimal’ contracts when
outsourcing both security device management and security monitoring to the same service provider.
Concluding the use of penalty clauses in contracts to penalise security breaches resulted in the
service provider having no incentive to detect errors or breaches.
In addition to a comprehensive yet flexible contract, good governance and maintaining lines of
communication are essential to successful outsourcing.129
However, where these are available in
traditional outsourcing models Cloud Computing does not afford the same degree of control. Peter
Hewson (Angerona) explains, “Fundamentally it is the lack of control and visibility of events which
deter security professionals from adopting Cloud Computing”130
. As discussed in section 2.3, it is
these motivations that have lead Amazon to gain security certifications for the AWS.
5.5: The Value of Information
As discussed previously in section 5.1 an accurate understanding of ’Asset Values’ would assist an
enterprise to measure risk more effectively. This combined with accurate data on the probability of
an event occurring would lead to an objective assessments of risk. Unfortunately, Bader and
Rüther131
found that 44.4% of management decisions are made using cost-based valuation models
which attribute an unrealistically low value to patents and information.
Enterprises have both tangible and intangible assets. The security and value of tangible assets, those
that can be touched, are straight-forward to comprehend. Physical security devices such as a strong
rooms or vaults have been used for centuries to secure items that are deemed precious or valuable
to their owner. Only the physical size of the secure container limits the volume of assets an owner is
able to protect. In contrast, the security and value of intangible assets is only a recent development
and is far from a developed subject.
5.5.1: What is an Intangible Asset?
A range of organisations have produced standards for the valuation of intangible assets, including
the International Valuation Standards Council (IVSC)132
and the International Organization for
Standardization (ISO)133
. However, for this paper the most common definition from International
Financial Reporting Standards (IFRS) is used. The IFRS defines an intangible asset as “an identifiable
126
Financial Services Authority (2010)
127
Anderson and Moore (2007, p. 68)
128
Cezar, Cavusoglu and Raghunathan (2010)
129
Lacey (2010)
130
131
Bader and Rüther (2009)
132
Guidance Note 4
133
ISO 10668 (ISO, 2010)

31 | P a g e
nonmonetary asset without physical substance.”134
The IFRS identify three critical attributes that all
intangible assets must be: identifiable, controlled and be expected to generate future economic
benefits. Thus computer software, patents, copyrights and business intelligence all are identified as
intangible assets.
Centuries of tangible asset valuations have enabled efficient markets to develop and the price of
assets such as precious metals are valued on a continuous basis. In contrast, the first valuation of an
intangible asset was made by News Corp in 1984 when “Rupert Murdoch’s worldwide publishing
empire included a valuation for ‘publishing titles’ in its balance sheet”135
. This was an attempt to
reconcile the difference between the price paid to acquire publishing titles (or brands) and the
underlying assets. The move to value self-created intangible assets was made in 1988 when Rank
Hovis McDougall (RHM) defended a hostile takeover by an Australian food conglomerate.
5.5.2: Valuing Information
In both the News Corp and RHM valuations, the intangible assets being valued were the brands.
Over the past 27 years, valuation of brands has become a common undertaking for enterprises, and
whilst the process remains subjective an understanding of valuation has evolved. However, the
valuation of patents remains far from consistent with a variety of different methods being used.
Bader and Rüther136
surveyed the top 500 patent applicants to the European Patent Office to
understand how patents were valued by the applicants. The survey identified three main approaches
to valuation:
• Cost-based: using reproduction or replacement cost models.
• Market-based: using a validated analogy which has a market price attached.
• Income-based: using expected cash flows over the useful life of the asset to estimate
current value.
Bader and Rüther conclude that of these approaches, the income-based mode offered the most
robust method. The weakest method was considered to be the cost-based model as it only provides
a ‘minimum price threshold’ and does not consider the value of ‘game changing’ ideas.
Figure 8: Monetary Valuation by Business Need reproduces data from Bader and Rüther to illustrate
the extent each valuation model is used within the enterprise to make three types of decision.
Whilst Accounting and Dispute Resolution activities were found to be most often income-based
(Accounting: 42.9%) and market-based (Dispute Resolution: 43.2%), Management Decisions were
shown to rely heavily on cost-based valuations (Management: 44.4%). Bader and Rüther’s finding is
of concern as it illustrates, even with data available, management decisions routinely use the least
effective method which undervalues information.
134
Deloitte Global Services (2009)
135
Penrose and Moorhouse (1989)
136

Figure 8: Monetary Valuation by Business Need
5.6: Where Is My Data?
The location of data both geographically and within the data centre is of concern to enterprises
seeking to use Cloud Computing. The geographic location of data presents issues relating to data
protection and more complex regulatory compliance. Whilst the location of data within a given data
centre provides practical challenges for the security certification of deplo
Simply put, if a European enterprise uses a Cloud Computing Service provider based in the US, it is
necessary for the enterprise to comply with both US and relevant EU regulations. Whilst increasing
costs, in isolation this does not automatically preclude the use of international service providers.
obstacle most often cited as blocking
approaches which the US and European Union (EU) take different to data privac
these differences, the US has established a ‘US
to implement controls in line with EU expectations and thus gain access to larger markets.
A more subtle issue often overlooked when
which disputes are arbitrated. Amazon AWS for example requires that
County, Washington state138
. Moreover, Amazon specifically precludes the use of the United Nations
Convention for the International Sale of Goods which is commonly used to arbitrate in international
sales disputes.
Security experts have concerns relating to how it is possible
certification. This point was raised by
system that I cannot scope?”139
This issue is further complicated as Cloud Computing providers
rarely present the exact architecture of their data centre, relying instead on block diagrams to
137
138
Amazon (2011)
139
0% 5%
Dispute Resolution
Accounting
Management
% of Activity using Cost, Market or Income Valuation Models
TypeofActivity
Cost
Market
Income
: Monetary Valuation by Business Need
137
loud Computing. The geographic location of data presents issues relating to data
centre provides practical challenges for the security certification of deployment.
does not automatically preclude the use of international service providers.
cited as blocking the use of international service providers is the different
the US and European Union (EU) take different to data privacy. To overcome
these differences, the US has established a ‘US-EU Safeharbor Framework’ to enable US companies
A more subtle issue often overlooked when buying Cloud Computing services is the jurisdiction
arbitrated. Amazon AWS for example requires that all disputes be filed in King
Moreover, Amazon specifically precludes the use of the United Nations
International Sale of Goods which is commonly used to arbitrate in international
s relating to how it is possible scope Cloud Computing
was raised by Peter Hewson (Angerona) in the query “How can I accredit
36.4%
24.4%
21.4%
31.1%
20.5%
35.7%
5% 10% 15% 20% 25% 30% 35% 40%
32 | P a g e
loud Computing. The geographic location of data presents issues relating to data
does not automatically preclude the use of international service providers. The
use of international service providers is the different
y. To overcome
EU Safeharbor Framework’ to enable US companies
is the jurisdiction in
disputes be filed in King
Moreover, Amazon specifically precludes the use of the United Nations
International Sale of Goods which is commonly used to arbitrate in international
scope Cloud Computing for security
in the query “How can I accredit a
42.9%
43.2%
44.4%
45% 50%

33 | P a g e
illustrate the key components of the system. A rare exception to this is Barroso and Hölzle’s
presentation of Google’s design methodology for ‘Warehouse-Scale Machine’.140
It is clear from
Google’s methodology that it is not feasible to predict where a specific virtual machine instance will
run, both because of load-balancing in the system and the failure tolerant design of the system.
As discussed in section 2.3, Amazon has taken the steps to certify the AWS to a range of
international security standards. However, it is important to note that the security certifications only
apply to the hardware and processes controlled by Amazon. Thus for an enterprise using the
Amazon AWS an additional certification for the configuration of the operating system and software
applications is necessary.
140
Barroso and Hölzle (2009)

34 | P a g e
6.0: Implementing a Cybersecurity Programme
Cisco Systems use many of the ideas presented in this paper. As Paul King (Cisco) explains “Security
is cultural”141
. The Cisco security programme enhances the business by offering both cost efficient
processes to gain operational effectiveness and strategic opportunities to create value and is
progressive in outlook.
6.1: Role of Security in Cisco
The strategic position of the security programme is clear. King explains, “At Cisco, security can't
inhibit the business. The security department needs to be coming up with solutions to enable the
business”142
.King describes the security function as having an advisory role, with the starting point
for all security decisions being, “The business can do what it likes”143
.
This concept of security enabling the business and acting as advisors extends to the most senior
roles within the enterprise. As the leader of the business, the Chief Executive Officer (CEO) chooses
the enterprise strategy and makes business decisions in line with that strategy. The Chief Security
Officer (CSO) reports to the CEO and has the role of explaining the security risks of specific business
decisions. If the risk is too great for the CEO to accept, the CSO offers solutions to mitigate the
security risks. However, the decision of whether to pursue a specific line of business remains with
the CEO.
King explains it is critical to the success of security programmes that the CEO remains ultimately
accountable for deciding on a course of action in the knowledge of security risk. Significant security
issues and damage to shareholder value occurs where CEOs try to delegate this responsibility to
others as a form of plausible deniability and in an attempt to divest accountability.
6.2: Operationally Effective Desktop144 Support
To ensure operational effectiveness, Cisco prioritises recovery from failure over attempting to
protect against every possible IT failure, whether security, configuration or hardware related. This
approach is applied to the laptops used by many Cisco employees to access the corporate intranet
and mitigates the risk of overinvesting in protection mechanisms. King explains this emphasis is the
result of answering the question, “Why do we have IT?”145
. As laptops are not integral to Cisco’s
business, “it wouldn't make sense for Cisco to hire large numbers of Windows administrators to fix
Windows machines”146
. This is not to suggest that Cisco does not invest in protective measures; they
do. It is a response to the infeasibility of detecting all possible attacks as discussed in section 4.2.
Which Cisco have identified is more efficient and thus operationally effective to simply provide a
new hard drive with a default operating system when a laptop becomes corrupt.
Moreover, Cisco does not maintain rigid requirements on the type of device used to access
corporate systems. King explains that some ‘desktops’ accessing the Cisco corporate systems are not
supported by the corporate IT functions: “At Cisco, parts of the business use Apple products. Should
141
142
143
144
‘Desktop’ is used as a loose categorisation of user devices used to access Cisco’s corporate intranet.
145
146

35 | P a g e
Cisco hire Apple support staff? No. Support to Apple it's not part of the core business. IT simply says
‘You can have Macs, but they won't be supported.’”147
.
6.3: Security as a Strategic Value Proposition
Looking forward, King speculates “In the coming years Cisco could move to ‘use any device’ model of
accessing the network”148
. The challenges of securing the presence of unsupported devices on a
corporate infrastructure are apparent. However, the business requirement for Cisco to manufacture
products at a competitive price means that it is for the security department to respond to the
requirement. Rather than prevent this move to extend the Risk Frontier, Cisco security enables the
business to lower the price of desktop provision below that of competitors thus allowing a gain in
competitive advantage.
6.4: Security Analytics
As Cisco priorities the response to security incidents above heavy investment in protection against
compromise, the requirement to detect anomalous and malicious behaviour increases. One area in
which King is driving forward Cisco security is by the innovative use of analytics to detect the type of
Advanced Persistent Threats discussed in section 4.2. This is an emerging area of security, but for
Cisco it is showing positive returns.
6.5: Valuing Information and Analytics
In section 5.5, the issues of accurately valuing information were discussed. King contends that a
focus on the concept of ‘valuing information’ to evaluate suitable level of safeguarding activities is
flawed and the product of a failure to appreciate the role of security within the enterprise.
“That's a very security-centric way of looking at it. As I said previously, security supports the
business. The business ultimately decides ‘I'll accept that risk, but not that one.’ The
business implicitly values information in making the decision of accepting the risk”149
.
Unsurprisingly, Cisco does not invest significant effort in the quantitative analysis on the value of
information. However, market share is used when required, although this is the exception. More
often classical impact analysis is used to assist in structuring the process of making business
decisions.
6.6: Communicating Cybersecurity at Cisco
Beyond the boardroom engagement described above, a significant task for Cisco security is
communicating the value to security to front-line employees. Like many large enterprises, Cisco has
a programme of mandatory annual training for employees. The rationale behind the training is the
adage popularised by President Ronald Reagan, ‘Trust, but verify’. King explains, “Fundamentally, we
trust our employees. […] We assume that if explained, Cisco employees will want to keep the
organisation safe”150
. However, not every employee in such a large organisation is wholly
trustworthy, thus the importance of verifying employee activities.
147
148
149
150

36 | P a g e
An important distinction between Cisco’s security training and those of other enterprises is that the
training videos and material are produced by an external supplier rather than the security team. King
explains this is to increase the effectiveness of the training, “If you want to get a point across, use a
communications expert”151
. The content of the training is adjusted annually, with reviews of security
incidents contributing to specific topics. As part of the production of Cisco security training ‘click
rate’ data is collected. In the event of a breach of security, this data is analyzed to assess whether
the employee watched the complete video or simply clicked to the end.
For King, “Security training acts as a vaccine. Once a critical mass has been trained, it only takes one
employee to overhear and challenge insecure disclosure of information for a business benefit to be
achieved”152
.
151
152
End Note: So, What of the Future?
Many of the issues discussed in this paper have been solved by areas of the
enterprise beyond Information Assurance and Cybersecurity. However, what is
clear is that this knowledge will not be transferred unless security professionals
improve their engagement throughout the enterprise and, to paraphrase Hunter
and Westerman, acknowledge that ‘it’s not all about security’.

37 | P a g e
Bibliography
Amazon, 2011. AWS User Agreement. [online] Available at: <http://aws.amazon.com/agreement/>
[Accessed 17 April 2011]
Amazon, 2011a. Amazon Elastic Compute Cloud (Amazon EC2). [online] Available at:
<http://aws.amazon.com/ec2/#pricing> [Accessed 17 April 2011]
Anderson, R. and Moore, T., 2007. Information Security Economics – and Beyond. In: Menezes, ed.
Advances in Cryptology – CRYPTO 2007, LNCS 4622. Santa Barbara, USA. 19-23 August.
Anti-virus Comparative, 2010. Proactive / retrospective test (Static detection of new /unknown
malicious software). [online] Available at: <http://www.av-comparatives.org/images/stories/test/
ondret/avc_retro_nov2010.pdf> [Accessed 2 April 2011]
Bader, M. And Rüther, F., 2009. Still A Long Way To Value-Based Patent Valuation: The Patent
Valuation Practices of Europe's Top 500. les Nouvelles, 4 June.
Barroso, L. A. and Hölzle, U., 2009. The Datacenter as a Computer: An Introduction to the Design of
Warehouse-Scale Machines. Madison: Morgan & Claypool.
Beautement, A., Sasse, M. A. and Wonham, M., 2008. The compliance budget: managing security
behaviour in organisations. In: NSPW 2008 Proceedings, pp. 47-58. [online] Available at:
<http://www.nspw.org/proceedings/2008/nspw2008-beautement.pdf> [Accessed 16 May 2011]
Bejtlich, R., 2010. Brief Thoughts on WEIS 2010. TaoSecurity, [blog] 14 July, Available at:
<http://taosecurity.blogspot.com/2010/07/brief-thoughts-on-weis-2010.html> [Accessed 10 March
2011].
Carr, N., 2003. IT Doesn’t Matter. Harvard Business Review, May 2003, pp. 41-49.
CESG, 2010. What is Information Assurance (IA)? [online] Available at:
<http://www.cesg.gov.uk/about_us/whatisia.shtml> [Accessed: 17 April 2011].
Cezar, A., Cavusoglu, H. and Raghunathan, S., 2010. Outsourcing Information Security: Contracting
Issues and Security Implications. The Ninth Workshop on the Economics of Information Security
(WEIS 2010). Cambridge, USA. 7-8 June. [online] Available at:
<http://weis2010.econinfosec.org/program.html> [Accessed 12 March 2011].
Cockcroft, A., 2011. How Not To Build A Private Cloud. Adrian Cockcroft’s Blog, [blog]
<http://perfcap.blogspot.com/2011/03/how-not-to-build-private-cloud.html> [Accessed 2 May
2011]
Coogan, P., 2009. Zeus, King of the Underground Crimeware Toolkits. Security Response Blog, [blog]
25 August, Available at: <http://www.symantec.com/connect/blogs/zeus-king-underground-
crimeware-toolkits> [Accessed 16 May 2011]
Damodaran, A., 2008. Strategic Risk Taking: A Framework for Risk Management. Upper Saddle River,
NJ: Prentice Hall.

38 | P a g e
Davenport, T. and Harris, J., 2007. Competing on Analytics: The New Science of Winning. Boston, MA:
Harvard Business School Press.
De Geus, A., 1999. The Living Company. London: Nicholas Brealey Publishing.
Deloitte Global Services, 2009. Summaries of International Financial Reporting Standards. [online]
Available at: <www.iasplus.com/standard/ias38.htm> [Accessed 2 March 2011].
DeMarco, T., 2001. Controlling Software Projects: Management, Measurement & Estimation. New
York, NY: Yourdon Press
Drucker, P., 2001. Management: Tasks, Responsibilities, Practices. Oxford: Butterworth-Heinemann.
Egelman, S. et al., 2010. Please Continue to Hold: An empirical study on user tolerance of security
delays. The Ninth Workshop on the Economics of Information Security (WEIS 2010). Cambridge, USA.
7-8 June. [online] Available at: <http://weis2010.econinfosec.org/program.html> [Accessed 12
March 2011].
Farshchi, J., 2010. A Troubling Trend With Information Security Practitioners. Risking Alpha, [blog] 16
August, Available at: <http://riskingalpha.com/2010/10/16/a-troubling-trend-with-information-
security-practitioners/> [Accessed 21 February 2011].
Financial Standards Authority, 2010. FSA fines Zurich Insurance £2,275,000 following the loss of
46,000 policy holders’ personal details. [online] Available at:
<www.fsa.gov.uk/pages/Library/Communication/PR/2010/134.shtml> [Accessed 13 March 2011].
Finextra, 2009. Visa pulls Heartland and RBS Worldpay from PCI DSS compliance list. [online]
Available at: <http://www.finextra.com/News/Fullstory.aspx?newsitemid=19778> [Accessed 17 April
2011]
Florêncio, D. and Herley, C., 2007. A Large-Scale Study of Web Password Habits. In: Proceedings of
the Sixteenth International World Wide Web Conference (WWW2007), [online] Available at:
<http://www2007.org/papers/paper620.pdf> [Accessed 14 April 2011]
Goodburn, M. and Hill, S., 2010. The Cloud Transforms Business. Financial Executive, December
2010.
Grimshaw v. Ford Motor Co., 1 19 Cal.App.3d 757, 174 Cal. Rptr. 348 (1981)
Herley, C., 2009. So Long, And No Thanks for the Externalities: The Rational Rejection of Security
Advice by Users. In: NSPW 2008 Proceedings, [online] Available at:
<http://www.nspw.org/proceedings/2009/nspw2009-herley.pdf> [Accessed 14 April 2011]
Hiscox, 2011. E-Risks Policy wording.[online] Available at: <http://www.hiscox.co.uk/shared-
documents/Hiscox-Business-Insurance-E-risks-policy-wording-03-11-6076.pdf> [Accessed 16 May
2011].
Hubbard, D., 2007. Everything is Measurable. CIO Blog, [blog] 23 May, Available at:
<www.cio.com/article/112101/Everything_Is_Measurable> [Accessed 27 March 2011].

39 | P a g e
Hunter, R. and Westerman, G., 2009. The Real Business of IT: How CIOs Create and Communicate
Value. Boston, MA: Harvard Business Press.
Hutton, A. and Hubbard, D., 2011. The Great IT Risk Measurement Debate, Part 1. CSO Data
Protection, [blog] 28 February, Available at: <http://www.csoonline.com/article/669868/the-great-
it-risk-measurement-debate-part-1> [Accessed 2 March 2011].
International Organization for Standardization, 2010. ISO10668:2010 Requirements for Monetary
Brand Valuation. Geneva: ISO.
International Organization for Standardization, 2010a. ISO27037:Draft Guidelines for Identification,
Collection, Acquisition and Preservation of Digital Evidence. Geneva: ISO.
International Valuation Standards Council, 2010. Guidance Note 4: Valuation of Intangible Assets.
London: IVSC.
ISACA, 2011. 2011 ISACA IT Risk/Reward Barometer – Europe Edition. [online] Available at:
<http://www.isaca.org/SiteCollectionDocuments/2011-Risk-Reward-Barometer-Europe.pdf>
[Accessed 2 June 2011].
Jaquith, A., 2007. Security Metric: Replacing Fear, Uncertainty, and Doubt. Boston MA: Addison-
Wesley.
Jensen, B. and Klein, J., 2010. Breakthrough Ideas for 2010: 7. People Management – Hacking Work.
Harvard Business Review, January-February 2010, pp. 7-8.
Kazanciyan, R. and Glyer, C., 2010. State of the Hack: It’s the end of the year as we know it – 2010.
[online] Available at: <http://www.mandiant.com/uploads/presentations/SOH_121610.pdf>
[Accessed 19 March 2010].
Kim, G., Love, P. and Spafford, G., 2008. Visible Ops Security: Achieving Common Security and IT
Operations Objectives in 4 Practical Steps. Eugene, OR: IT Process Institute.
Lacey, D., 2009. Managing the Human Factor in Information Security. Chichester: John Wiley & Sons.
Lacey, D., 2010. Managing Security in Outsourced and Offshored Environments. London: British
Standards Institute.
Manget, J. and Mercier, P., 2011. What’s Next When Offshoring Isn’t so Cheap? The Conversation,
[blog] 12 January, Available at: <blogs.hbr.org/cs/2011/01/chinas_rising_costs_whats_next.html>
[Accessed 12 March 2011]
National Institute of Standards and Technology, 2002. NIST SP 800-30 Risk Management Guide for
Information Technology Systems. Gaithersburg, MD: NIST. [online] Available at:
<http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf> [Accessed 14 April 2011].
National Institute of Standards and Technology, 2011. NIST SP 800-145 (Draft) The NIST Definition of
Cloud Computing (Draft). Gaithersburg, MD: NIST. [online] Available at:
<http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf> [Accessed
4 March 2011].

40 | P a g e
Office of Government Commerce, 2007. Managing Successful Programmes. Norwich:TSO.
OreillyMedia, 2010. OSCON 2010: Simon Wardley, “Situation Normal, Everything Must Change”.
[video online] Available at: <http://www.youtube.com/watch?v=5Oyf4vvJyy4> [Accessed 12 April
2011].
PCI Security Standards Council, 2010. PCI DSS Requirements and Security Assessment Procedures,
Version 2.0. [online] Available at: <https://www.pcisecuritystandards.org/security_standards/
documents.php> [Accessed 27 February 2011].
Penrose, N. and Moorhouse, M., 1989. The Valuation of Brands. Journal of Marketing Intelligence
and Planning, 7 (11/12), pp. 30-33.
Porter, M., 1996. What is Strategy? Harvard Business Review, November-December 1996, pp. 61-78.
PwC, 2005. SecurityATLAS guidebook: How to align security with your strategic business objectives.
[online] Available at: <http://www.pwc.com/us/en/it-risk-security/assets/
security_atlas_guidebook.pdf> [Accessed 12 March 2011].
Reilly, C., 2011. The Hollywood Culture. CloudAve, [blog] 13 March, Available at:
<http://www.cloudave.com/10515/the-hollywood-culture-public-cloud-private-cloud/> [Accessed 2
May 2011]
Roper, C., 1999. Risk Management for Security Professionals. Woburn, MA: Butterworth-Heinemann.
Rosenquist, M., 2007. Measuring the Return on IT Security Investments. [online] Available at:
<http://www.intel.com/it/pdf/measuring-the-return-on-it-security-investments.pdf> [Accessed 12
April 2011].
Ross, J., (n.d.). Enterprise Architecture as Strategy, Knowledge Leadership, [online] Available at:
<http://www.thomasgroup.com/getattachment/90f45e2d-3b10-4b00-99a4-094542b365b5/
Enterprise-Architecture-as-Strategy.aspx> [Accessed 28 March 2011]
Sasse, M. A. and Flechais, I., 2005. Usable Security: Why Do We Need It? How Do We Get It? In:
Cranor, L. F. and Garfinkel, S., 2005. Security and Usability: Designing Secure Systems that People Can
Use. Sebastopol, CA: O’Reilly Media. Ch. 2.
Schneier, B., 2008. Security ROI: Fact or Fiction? CSO Data Protection, [blog] 2 September, Available
at: <http://www.csoonline.com/article/446966/security-roi-fact-or-fiction-?page=1> [Accessed 23
March 2011].
Singh, S., 2000. The Code Book: The Secret History of Codes and Codebreaking. London: Fourth
Estate.
Slovic, P. Finucane, M. Peters, E. and MacGregor, D., 2004. Risk as Analysis and Risk as Feelings:
Some Thoughts about Affect, Reason, Risk, and Rationality. Risk Analysis, 24(2)
Song, Y. Locasto, M. E. Stavrou, A. Keromytis, A.D. and Stolfo, S. J., 2007. On the Infeasibility of
Modeling Polymorphic Shellcode. In: Proceedings of the ACM Conference on Computer and

41 | P a g e
Communications Security (CCS), [online] Available at: <http://citeseerx.ist.psu.edu/viewdoc/
download?doi=10.1.1.116.94&rep=rep1&type=pdf> [Accessed 1 April 2011]
Spamhaus, 2011. Zeus Tracker :: Statistics.[online] Available at: <https://zeustracker.abuse.ch/
statistic.php> [Accessed 16 May 2011].
Stanton, R., 2011. Keynote Speech, SecureLondon February 2011: Virtual Reality or Head in the
Clouds? London, UK 8 February 2011. London: (ISC)2 Events
Van Valen, L., 1973. A New Evolutionary Law, Evolutionary Theory, 1, pp. 1-30 [online] Available at:
<http://leighvanvalen.com/evolutionary-theory/> [Accessed 16 March 2011]
Vance, A., 2011. The Cloud: Battle of the Tech Titans, Bloomberg Businessweek, [online] Available at:
<http://www.businessweek.com/magazine/content/11_11/b4219052599182.htm> [Accessed 3 May
2011]

Cybersecurity and Information Assurance - Cloud Computing

More Related Content

Viewers also liked

Similar to Cybersecurity and Information Assurance - Cloud Computing

Recently uploaded

Cybersecurity and Information Assurance - Cloud Computing