A unified cybersecurity framework for complex environments
Pages 1 - 9
Abstract
Information and Communication Technologies (ICTs) present a number of vulnerabilities, threats and risks that could lead to devastating cyber-attacks resulting into huge financial losses, legal implications, and reputational damage for large and small organizations. As such, in this digital transformation and 4th industrial revolution era, nations and organizations have accepted that cybersecurity must be part of their strategic objectives and priorities. However, cybersecurity in itself is a multifaceted problem to address and the voluntary "one-size-fits-all" cybersecurity approaches have proven not effective in dealing with cyber incidents, especially in complex operational environments (e.g. large technology-centric organizations) that are multi-disciplinary, multi-departmental, multi-role, multinational, and operating across different locations. Addressing modern cybersecurity challenges requires more than a technical solution. A contextual and systematic approach that considers the complexities of these large digital environments in order to achieve resilient, sustainable, cost-effective and proactive cybersecurity is desirable. This paper aims to highlight through a single case study approach the multifaceted nature and complexity of the cybersecurity environment, pertinently in multi-disciplinary organizations. Essentially, this paper contributes a unified cybersecurity framework underpinned by an integrated capability management (ICM) approach that addresses the multifaceted nature of cybersecurity as well as the challenges and requirements eminent in complex environments, such as national government, municipalities or large corporations. The unified framework incorporates realistic and practical guidelines to bridge the gap between cybersecurity capability requirements, governance instruments and cybersecurity capability specification, implementation, employment and sustainment drawing from well-tested military capability development approaches.
References
[1]
Y. Younan, "25 Years of Vulnerabilities: 1988-2012," 2013. {Online}. Available: https://courses.cs.washington.edu/courses/cse484/14au/reading/25-years-vulnerabilities.pdf. {Accessed: 01-Sep-2018}.
[2]
ISACA, "State of Cybersecurity," 2018. {Online}. Available: https://cybersecurity.isaca.org/state-of-cybersecurity. {Accessed: 01-Sep-2018}.
[3]
B. Van Niekerk, "An analysis of cyber-incidents in South Africa," African J. Inf. Commun., vol. 20, pp. 113--132, 2017.
[4]
T. Shapshak, "Liberty hack the 'biggest breach yet,'" Financial Mail 21-Jun-2018.
[5]
P. Fihlani, "Millions caught in South Africa's 'worst data breach' - BBC News," BBC News, 2017.
[6]
G. van Zyl, "Standard Bank computer was hacked in R300m ATM fraud hit," Fin24Tech, 30-Jun-2016.
[7]
J. Mtsweni, N. Shozi, K. Matenche, and M. Mutemwa, "Development of a semantic-enabled cybersecurity threat intelligence sharing model," in 11th International Conference on Cyber Warfare & Security, 2016, pp. 244--252.
[8]
S. J. Shackelford, S. Russell, and J. Haut, "Bottoms up: A Comparison of Voluntary Cybersecurity Frameworks," UC Davis Bus. Law J., vol. 16, 2015.
[9]
S. Tisdale and R. Morris, "Architecting a cybersecurity management framework," Issues Inf. Syst., vol. 17, no. IV, pp. 227--236, 2016.
[10]
P. German, "Face the facts - your organisation will be breached," Netw. Secur., vol. 2016, no. 8, pp. 9--10, Aug. 2016.
[11]
P. A. Williams and A. Woodward, "Cybersecurity vulnerabilities in medical devices: a complex environment and multifaceted problem," Med. Devices (Auckland, NZ), vol. 8, no. 2015, pp. 305--316, 2015.
[12]
ITU, "Definition of Cybersecurity - ITU-T x.1205," International Telecommunciation Union, 2018. {Online}. Available: https://www.itu.int/en/ITUT/studygroups/com17/Pages/cybersecurity.aspx. {Accessed: 01-Jul-2018}.
[13]
S. Tisdale, "Architecting a Cybersecurity Management Framework: Navigating and Traversing Complexity, Ambiguity, and Agility," 2016.
[14]
S. Pfleeger and D. Caputo, "Leveraging behavioral science to mitigate cyber security risk," Comput. Secur., vol. 31, no. 4, pp. 597--611, 2012.
[15]
R. von Solms and J. van Niekerk, "From information security to cyber security," Comput. Secur., vol. 38, pp. 97--102, 2013.
[16]
E. Wheeler, Security Risk Management: building an information security risk management program from the ground up. Elsevier, 2011.
[17]
J. Mtsweni, M. Mutemwa, and N. Mkhonto, "Development of a cyberthreat intelligence-sharing model from big data sources," J. Inf. Warf., vol. 15, no. 3, pp. 56--68, 2016.
[18]
B. Rafferty, "Dangerous skills gap leaves organisations vulnerable," Netw. Secur., vol. 2016, no. 8, pp. 11--13, 2016.
[19]
C. de Waal, "Understanding the Complexity of Systems by Using the Concept Interface Matrix (CIM).," in 10th SA INCOSE Conference 2013 Systems Engineering, 2013.
[20]
C. Osborne, "Most companies take over six months to detect data breaches | ZDNet," ZDNet, 2015. {Online}. Available: https://www.zdnet.com/article/businesses-take-over-six-months-to-detect-data-breaches/. {Accessed: 02-Jul-2018}.
[21]
R. K. Yin, Case Study Research - design and methods, 4th ed. SAGE Publications, 2009.
[22]
T. Peltier, Information security risk analysis. 2010.
[23]
S. Sahibudin, M. Sharifi, and M. Ayat, "Combining ITIL, COBIT and ISO/IEC 27002 in Order to Design a Comprehensive IT Framework in Organizations," in 2008 Second Asia International Conference on Modelling & Simulation (AMS), 2008, pp. 749--753.
[24]
L. S.-S. Law. and undefined 2013, "NIST Cybersecurity Framework: Overview and Potential Impacts, The," HeinOnline.
[25]
International Organization for Standardization, "ISO/IEC 27001 Information security management," ISO, 2018. {Online}. Available: https://www.iso.org/isoiec-27001-information-security.html. {Accessed: 02-Jul-2018}.
[26]
M. Talib, M. El Barachi, A. Khelifi, and O. Ormandjieva, "Guide to ISO 27001: UAE case study," Issues Informing Sci. Inf. Technol., vol. 7, no. 2012, pp. 331--349, 2012.
[27]
R. van der Meulen, "Build Adaptive Security Architecture Into Your Organization," Gartner, 2017. {Online}. Available: https://www.gartner.com/smarterwithgartner/build-adaptive-security-architecture-into-your-organization/. {Accessed: 03-Jul-2018}.
[28]
L. Ertaul, A. Movasseghi, and S. Kumar, "Enterprise Security Architecture in TOGAF-9."
[29]
W. Miron and K. Muita, "Cybersecurity capability maturity models for providers of critical infrastructure," Technol. Innov. Manag. Rev., 2014.
[30]
B. K. Wiederhold, "The Role of Psychology in Enhancing Cybersecurity," Cyberpsychology, Behav. Soc. Netw., vol. 17, no. 3, pp. 131--132, Mar. 2014.
[31]
R. Oosthuizen and J. Roodt, "Credible defence capability: command and control at the core," in Land Warfare Conference, 2008.
[32]
M. Thaba, "Technology support for military capability based acquisition," in International Association for Management of Technology IAMOT 2017 Conference Proceedings, 2017.
[33]
C. Smith, R. Oosthuizen, H. Harris, ... J. V.-S. A. J., and U. 2012, "System of systems engineering: the link between operational needs and system requirements," South African J. Ind. Eng., vol. 23, no. 2, pp. 47--60, 2012.
[34]
C. J. Smith and R. Oosthuizen, "Applying Systems Engineering Principles Towards Developingg Defence Capabilities," in 22nd Annual International Symposium of the International Council on Systems Engineering, INCOSE 2012 and the 8th Biennial European Systems Engineering Conference 2012, EuSEC 2012 (2012), 2012, vol. 22, no. 1, pp. 1056--1070.
[35]
P. C. Jacobs, S. Von Solms, and M. M. Grobler, "Towards a national cybersecurity capability development model," in 16th European Conference on Cyber Warfare and Security (ECCWS), 2017.
[36]
R. Krutz and R. Vines, Cloud Security: A Comprehensive Guide to Secure Cloud Computing. Wiley Publishing., 2010.
Index Terms
- A unified cybersecurity framework for complex environments
Recommendations
Security beyond cybersecurity: side-channel attacks against non-cyber systems and their countermeasures
AbstractSide-channels are unintended pathways within target systems that leak internal information, exploitable via side-channel attack techniques that extract the target information, compromising the system’s security and privacy. Side-channel attacks ...
A Holistic and Case-Analysis Approach for Cybersecurity Education: (Abstract Only)
SIGCSE '18: Proceedings of the 49th ACM Technical Symposium on Computer Science EducationThere is a growing acceptance that a holistic cybersecurity approach incorporating technical, human, and business factors is needed to address the myriad cyber threats nowadays. This paper introduces a new holistic and case-analysis (HCA) teaching ...
Changing Hearts and Minds: The Role of Cybersecurity Champion Programs in Cybersecurity Culture
Augmented CognitionAbstractHumans have often been written off as the weakest link in the cybersecurity industry. This paper looks at the human factor from a different perspective, seeking ways to leverage the human element to improve cybersecurity. The human element and its ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
September 2018
362 pages
ISBN:9781450366472
DOI:10.1145/3278681
- Conference Chair:
- Sue Petratos,
- Program Chairs:
- Johan van Niekerk,
- Bertram Haskins
Copyright © 2018 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 26 September 2018
Check for updates
Author Tags
Qualifiers
- Research-article
Conference
SAICSIT '18
SAICSIT '18: 2018 Annual Conference of the South African Institute of Computer Scientists and Information Technologists
September 26 - 28, 2018
Port Elizabeth, South Africa
Acceptance Rates
Overall Acceptance Rate 187 of 439 submissions, 43%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 333Total Downloads
- Downloads (Last 12 months)32
- Downloads (Last 6 weeks)3
Reflects downloads up to 16 Jan 2025
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in