A management science and innovation lens on a forensic accounting approach to cyber security

Cyber Security: A Management Science and Innovation lens on forensic accounting as an approach to CyberDefenses Effectiveness.

Abstract from Conference Paper: 4th Forensic Accounting Teaching and Research Conference, 13th-14th October 2016, Bond University

One of the key issues for cyber security is accounting for consequences: a) predictively, in risk assessments; and b) forensically, after attacks and incidents, with the forensic figures then feeding back into predictive cost-benefit calculations.

The issues that the cyber security profession, the quantifiers of consequence, and the users of this information (board directors, senior executives, forensics and risk professionals) face are manifold:

  1. Often individuals and organisations do not know where their data is (Ernst et al, 2014) and therefore cannot know how it is protected.
  2. The locations of individual and organisational data may have no perimeter, locally or internationally. Hence, understanding how to protect it requires an understanding of how 3rd parties, and n-th parties, in formal and informal supply chains and, in the case of working from home, families (collectively ‘the Ecosystem’) are protecting the information (‘CyberMap’).
  3. Cybercrime and incidents are under-reported; and, even where they are reported, their consequences may not also be reported or quantified.
  4. A focus on large and critical infrastructure risks overlooking the fragmented Small and Medium Sized Business (‘SMB’) sector, which may be considered an interconnected entity in itself, and therefore a national and international critical infrastructure in the aggregate.
  5. This is an age where we need to assume breach and so the ability to detect, defend and be resilient is key to reducing the consequences of these breaches.
  6. Much of the focus has been on an enumeration of threats and breach detection rather than breach consequence.
  7. Quantifying the effectiveness of defences is not possible unless we enumerate those defences, and the consequences of detected breaches in light of them.

In this paper, therefore, we discuss a mechanism for collecting and modelling information that enumerates and benchmarks basic SMB defences as a step toward quantifying how effective those defences are in reducing the consequences of cybercrime and incidents, when combined with breach detection information. Larger organisations could also benefit from the perspective given their make-up of, and/or interaction with, conglomerates of smaller businesses, departments, home-workers, contractors, and supply chains.

In looking at this defences enumeration mechanism we also note, as a subject for future research only, disruptive innovation in two contexts: 1) innovation that could impact consequence, such as Quantum technologies, Cloud and Blockchain; and 2) communication and collaboration among the legitimate Ecosystem as a defence that could reduce consequences and so be disruptive to the illegitimate Ecosystem of cybercriminals.

As a data service, the social good and value of the information-sharing platform discussed is to enumerate defenses (rather than threats) that, when matched with breach data, could start to better quantify consequences and the effectiveness of defenses in minimising them. It is also a platform that, once developed and gaining traction, would:

  • engage suppliers with customers at the point of need; and,
  • identify innovation and new supplier opportunities where needs are unmet. 

Cyber security as a corporate entrepreneurship concern in a radical innovation process

Today we can see a shift. Since the turn of the century, entrepreneurship, innovation, ecommerce and internet marketing have all become mainstream in MBAs and executive education. We have also seen the rise of digital officers (Dyche, 2015) and acceptance that we are all now working in a tech company (Morgan, 2015). However, the protection of these interconnected and digital innovations lags behind, even when there is solid evidence of significant risk to them (GPO, 2011).

A radical innovation approach

In the 1960s, management science started to shift away from a mostly command-and-control, hierarchical ‘50s-style management’ approach, with the emergence of corporate innovation concepts: first the taking of ideas to a profitable reality within firms, and later the changing of consumption behaviour. It is the view of the author that we are seeing, and need, a similar shift in approaches to cyber security that are disruptive to cybercrime. Specifically, we need to take the idea of cyber security to a profitable reality, where our definition of profit is an increase in CyberDefenses that reduces both the loss to CyberUsers and the $Value to CyberCriminals. This will require a change in consumption behaviour, which makes it a radical innovation.

Corporate entrepreneurship and innovation, which takes ideas and inventions to a profitable reality within existing entities, has been studied and peer-reviewed since at least the 1960s, when Schon (1963) used the term ‘Champion’. Those principles were further engaged and popularised by NASA in the 1970s (Rickards, 2012; p.72). Independent entrepreneurship, however, is argued by some to have appeared in the literature since the turn of the last century, with Schumpeter (1954) and the economic analysis of entrepreneurship and innovation. This is important because, as we will later see, the definition of entrepreneurship can be argued to include both independent and corporate entrepreneurship.

Pinchot (1985) and Pinchot et al (1999), who coined the term intrapreneurship, drew the distinction between invention (the idea) and innovation, and their associated activities and roles, from the failure of ideas to commercialise out of the R&D departments of organisations. Invention and innovation each require different skillsets, which may or may not exist in a single person. The cyber security professional who has the ideas and inventions to reduce the loss to CyberUsers and the $Value to CyberCriminals, therefore, may or may not be the person or group that actually takes those ideas to a profitable reality within a particular organisation or group.

One of the primary concerns for corporate entrepreneurs is overcoming the issues associated with leverage: capitalising on the advantages of parent-firm resources to achieve their definition of success at a lower marginal cost. In negotiating shared benefit and the allocation of marginal costs to P&Ls, and as identified by Stevenson et al (1999), a corporate entrepreneur seeks to pursue opportunity, to innovate, without regard for resources, while the people from whom they are leveraging those resources are concerned with the most efficient use of the resources under their control. For cyber security, creating and enforcing policies in this environment requires buy-in from leadership, the ability to enforce policies, and appeals to multiple stakeholders’ motivations (Author, 2007).

Sharma and Chrisman (1999) argue that the entrepreneur takes an idea to a profitable reality within, or independently of, an existing firm. The author would further argue that beyond a certain level of turnover and assets even an independent entrepreneur becomes a corporate entrepreneur, because they have resources and assets to leverage in the innovation process. It is this skillset that taking the idea of cyber security to a profitable reality requires, as it needs to reach every individual through whom information and functionality ultimately flows and by whom choices about it are made.

In this way, the innovation required to reach the definition of profit for cyber security is disruptive, in the sense of ‘Disruptive Innovation’, a term Christensen (1995) coined in the 1990s. Disruptive innovation is where traditionally legitimate startups communicate and collaborate to dent the profits and market share of traditionally big and legitimate market incumbents, ultimately disrupting them. This concept is applied in this paper to cyber security, with communication and collaboration disruptive to cybercrime. That is, instead of trying to disrupt legitimate market incumbents, it seeks to disrupt illegitimate market incumbents, that is, cybercriminals.

Radical innovation takes an idea to a profitable reality by changing consumption behaviour (ODMA, 2006). It has the propensity to sustain, if not increase, mature firm profits. Recent radical innovations include: 1) taking the idea of the commercialisation of the internet to a profitable reality, which required a change in the consumption behaviour of information and functionality, to become online; 2) taking the idea of equal education, rights and pay for women to a profitable reality, which required a change in the consumption behaviour of women’s and men’s roles in society and the workplace, to become equal; and 3) taking the idea of commercial international air travel at scale to a profitable reality, which required a change in the consumption behaviour of laws, trade and diplomacy, to become international and accessible to the masses.

Similarly, cyber security is a radical innovation. Taking the idea of cyber security to a profitable reality requires a change in the consumption behaviour of information and functionality online, to become much less insecure. At the moment the cybercriminals are highly incentivised to communicate, collaborate and trade legitimate CyberUsers’ information, functionality and more online, and are very effectively doing so. The goal of this paper is to initiate a model for disrupting cybercrime.

The proposed concept is a global communication, collaboration and benchmarking standard, tools and resources for ecosystems of organic and non-organic life and machines toward disrupting cybercrime.

In execution, the concept is modelled as a viral commercial open source community of trust: a Community Cyber Information Modelling System that would:

  • provide the checklist of questions that form the basis – the place to start and uncover what’s missing – for every organic and non-organic life form to know where to turn, and what to do, to effect their part toward disrupting cybercrime.
  • benchmark progress on doing those things at an individual and ecosystem level, whether organisation, supply chain, country and so on.
  • forensically quantify changes in consequences of Cybercrime as a result of things done or not done at an individual, organisational, or ecosystem level toward disrupting it.
  • share this information to minimize consequence and make more robust consequence quantification given a particular set of assets and controls or a daisy chain of them for a given information asset or assets.

When we choose to adopt cyberspace and become a CyberUser, we assume both the opportunities and the risks. In considering the moral hazard of cyber security, and toward forensically quantifying the consequences of the risk of a breach, we can look to an equation in which a CyberUser’s CyberDefenses, in conjunction with Other CyberUsers’ CyberDefenses, reduce the loss to the CyberUser and to Other CyberUsers. This, in the author’s view, exponentially reduces the value to the CyberCriminals directly involved in the breach and, in turn, the value to the Other CyberCriminals they subsequently trade with. The result is a disincentive for the CyberCriminal’s value creation system of breaching once and selling many times (including selling the opportunity and information for further breaches), and an incentive for the CyberUser and Other CyberUsers to retain value, and to disincentivise CyberCriminals, by collectively increasing CyberDefenses Effectiveness.

To understand CyberDefenses Effectiveness, however, we need to start measuring it quantitatively under a standardised checklist. We therefore need to embark on a system of enumerating CyberDefenses, detecting breaches and calculating the cost of their consequences, and, in light of this information, quantifying CyberDefenses Effectiveness as (Our CyberDefenses Effectiveness + Others’ CyberDefenses Effectiveness) against the decrease in loss as (Loss to us + Loss to Others). This information can then be matched against the exponential decrease in $Value to CyberCriminals, calculated as ($Value to CyberCriminals + $Value to Other CyberCriminals). While this paper excludes calculations of country-level economic loss and of the advantage gained by foreign countries and citizens, it acknowledges this limitation and suggests it as an opportunity for further research.

The output of the CyberDefenses Checklist would measure, and continuously baseline and benchmark, CyberDefenses Effectiveness under shifts in these two levers, CyberUser Loss and CyberCriminal Value. As a data service, this forensically obtained information would predictively inform CyberDefenses Effectiveness for risk professionals and for executives in decision making, as well as engage suppliers with the market at the point of need and provide market demand information for innovators.

The issue of brand and negligence could, in this way, also be surmountable and provide a point of engagement. If CyberDefenses are measured to be effective, then any breach may be expressed in terms of accepted reasonable care taken, and of potential consequences versus consequences experienced and minimised. This would encourage the breach disclosure required for the system to work, since it depends on communication and collaboration toward disrupting cybercrime.

A policy incentive could include providing a voucher (Innovate UK, 2015) to those who take the Checklist (DHI), which could be used toward approved suppliers carrying out recommended work where the Checklist finds exceptions in CyberDefenses, and using the information uncovered to take a targeted approach to supporting innovation in areas of unmet market demand.

A sample illustrative healthcare case

If we make some assumptions about Defences, Losses and Value we can see how the equation may operate in practice, with some aspects remaining qualitative until quantitative information accumulates as the model is put into effect. Please note that in this illustrative scenario, US examples are used and applied to an Australian setting: US dollars are matched one-to-one with Australian dollars, and US tax information is replaced with Australian tax file number matching.

Organisation and scenario

In this sample case we will use a medical centre, which holds 2000 patient records. The scenario is that they have been victims of a ransomware attack. In Scenario Outcome 1, only one CyberDefence is in place; from Scenario Outcome 2 onward, CyberDefenses are increased.

Scenario – Outcome 1 – a single CyberDefence

Defenses assumptions: The Medical Centre has an offline backup in its control from one (1) day prior to the attack, which it restores from and does not pay any ransom.

Loss assumptions: All 2000 Medical records are encrypted rendering them inaccessible to the Medical Centre. With that access, the CyberCriminals also steal the patient records. The loss does not include psychological costs or costs of victim support services, which are acknowledged here as a limitation and an opportunity for future research.

Value to CyberCriminals: The CyberCriminals miss out on their ransom to unlock the information; however, having stolen it, they trade it in bulk on the black market, obtaining 82c per record for the 2000 records (Kan, 2016), or $1,640. They then individually sell off each record for $60 per record, or $120,000. Purchasers of the records use the information to gain access to the bank accounts of these patients, stealing $1,200 per patient on average, or $2,400,000. The information is then matched with tax file number information in 25% of cases (500) and false tax returns averaging $6,214 are processed (Schlesinger and Day, 2016), or $3,107,000. This brings the total nominal, illustrative-only, return to the criminal ecosystem to $5,628,640 (for the purposes of this paper: 100%).

Scenario – Outcome 2 – additional CyberUser CyberDefenses

Defences assumptions: The Medical Centre has an offline backup in its control from one (1) day prior to the attack, which it restores from and does not pay any ransom; and, also has in place the ASD Top 4 mitigating nominally 85% of cyber attacks direct to the workstation (ASD, 2013).

Loss assumptions: 15% of the 2000 Medical records are encrypted rendering them inaccessible to the Medical Centre. With that access, the CyberCriminals also steal those patient records. That is, 300 records are stolen. The loss still does not include psychological costs or costs of victim support services, which are acknowledged here as a limitation and an opportunity for future research.

Value to CyberCriminals: The CyberCriminals miss out on their ransom to unlock the information; however, having stolen 300 records, they trade them in bulk on the black market, obtaining 82c per record, or $246. They then individually sell off each of the 300 records for $60 per record, or $18,000. Purchasers of the records use the information to gain access to the bank accounts of these 300 patients, stealing $1,200 per patient on average, or $360,000. The information is then matched with tax file number information in 25% of cases (75) and false tax returns averaging $6,214 are processed, or $466,050. This brings the total nominal, illustrative-only, return to the criminal ecosystem to $844,296 (for the purposes of this paper: 15%).

Scenario – Outcome 3 – additional CyberUser CyberDefenses PLUS Other CyberUser CyberDefenses

Defenses assumptions: The Medical Centre has an offline backup in its control from one (1) day prior to the attack, which it restores from and does not pay any ransom; and, also has in place the ASD Top 4 mitigating 85% of cyber attacks direct to the workstation. There is also a communications plan in place notifying patients, banks and the Tax Office of the risk to the particular individuals affected.

Loss assumptions: 15% of the 2000 Medical records are encrypted rendering them inaccessible to the Medical Centre. With that access, the CyberCriminals also steal those patient records. That is, 300 records are stolen. The loss still does not include psychological costs or costs of victim support services, which are acknowledged here as a limitation and an opportunity for future research.

Value to CyberCriminals: The CyberCriminals miss out on their ransom to unlock the information; however, having stolen 300 records, they trade them in bulk on the black market, obtaining 82c per record, or $246. They then individually sell off each of the 300 records for $60 per record, or $18,000. Purchasers of the records then attempt to use the information to gain access to the bank accounts of these patients; however, because the banks have been notified, they are unsuccessful in stealing anything further. The information is then matched with tax file number information in 25% of cases (75); however, because the Tax Office has been notified, they are again unsuccessful in stealing anything further. This brings the total nominal, illustrative-only, return to the criminal ecosystem to $18,246 (for the purposes of this paper: 0.3%).

Scenario – Outcome 4 – Moratorium on consequences while increasing CyberDefenses Effectiveness

Outcome 3 also points to another motivational policy setting. If we revisit Scenario Outcome 1 and pair it with the communications plan of Scenario Outcome 3, we can see that it would make sense to encourage a period in which there is a moratorium on punitive consequences for communicating breaches to Other CyberUsers.

Defenses assumptions: The Medical Centre has an offline backup in its control from 1 day prior to the attack. There is also a communications plan in place notifying patients, banks and the Tax Office of the risk to the particular individuals affected.

Loss assumptions: All 2000 Medical records are encrypted rendering them inaccessible to the Medical Centre. With that access, the CyberCriminals also steal the patient records. The loss does not include psychological costs or costs of victim support services, which are acknowledged here as a limitation and an opportunity for future research.

Value to CyberCriminals: The CyberCriminals miss out on their ransom to unlock the information; however, having stolen it, they trade it in bulk on the black market, obtaining 82c per record for the 2000 records, or $1,640. They then individually sell off each record for $60 per record, or $120,000. Because the banks have been notified, purchasers of the records fail in their attempt to use the information to gain access to the bank accounts of these patients, stealing $0. The banks are also able to monitor and obtain more information about the CyberCriminals. The information is then matched with tax file number information in 25% of cases, and the false tax returns submitted are caught before being processed and are monitored for more information about the CyberCriminals. The calculation of the value of this assistance to law enforcement is acknowledged as a limitation of this paper and an opportunity for future research. This brings the total nominal, illustrative-only, return to the criminal ecosystem to $121,640 (for the purposes of this paper: 2.2%).
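The four outcomes above, and the loss-versus-$Value relationship set out earlier in the paper, can be checked as a single parameterised model. The Python below is an added example and not part of the conference paper: it keeps the paper's illustrative prices (82c bulk, $60 resale, $1,200 bank theft, 25% tax file number match, $6,214 false return) and the paper's reading of the ASD Top 4 as mitigating 85% of the attack, so that 15% of records are reached. The `Defences` flags, the stage names and the treatment of a communications plan as removing all downstream bank and tax monetisation are assumptions made for the illustration; the paper gives no ransom figure, so the ransom stage stays at zero.

```python
"""Added example, not the paper's own: the healthcare case's four outcomes
as one parameterised model of the $Value to the criminal ecosystem.

Prices are the paper's illustrative figures. The ASD Top 4 is applied as
the paper applies it (85% of the attack mitigated, so 15% of records are
reached), and a communications plan is assumed to remove all downstream
bank and tax monetisation. Amounts are held in whole cents so every total
is exact."""
from dataclasses import dataclass

RECORDS = 2000
BULK_CENTS = 82                 # Kan (2016): bulk black-market price per record
RESALE_CENTS = 60_00            # individual resale price per record
BANK_THEFT_CENTS = 1_200_00     # average theft per compromised bank account
TFN_MATCH_RATE = 0.25           # share of records matched to a tax file number
FALSE_RETURN_CENTS = 6_214_00   # Schlesinger and Day (2016): average false return
ASD_TOP4_MITIGATION = 0.85      # ASD (2013): nominal share of attacks mitigated


@dataclass(frozen=True)
class Defences:
    """The paper assumes an offline backup in every outcome, so no ransom is
    ever paid and no ransom figure is given; only these two defences vary."""
    asd_top4: bool = False     # patching, whitelisting, restricted admin
    comms_plan: bool = False   # patients, banks and Tax Office notified


def records_reached(d: Defences, total: int = RECORDS) -> int:
    """Records both encrypted and stolen; the Top 4 stops 85% of attacks."""
    return round(total * (1 - ASD_TOP4_MITIGATION)) if d.asd_top4 else total


def criminal_value(d: Defences, total: int = RECORDS) -> dict:
    """Return to the criminal ecosystem per stage, in whole dollars."""
    n = records_reached(d, total)
    matched = round(n * TFN_MATCH_RATE)
    stages = {
        "ransom": 0,  # never paid: the Medical Centre restores from backup
        "bulk_sale": n * BULK_CENTS // 100,
        "resale": n * RESALE_CENTS // 100,
        # Downstream monetisation only works while banks and the Tax Office
        # are unaware; the paper's Outcomes 3 and 4 zero these two stages.
        "bank_theft": 0 if d.comms_plan else n * BANK_THEFT_CENTS // 100,
        "false_returns": 0 if d.comms_plan else matched * FALSE_RETURN_CENTS // 100,
    }
    stages["total"] = sum(stages.values())
    return stages


OUTCOMES = {
    "Outcome 1: backup only": Defences(),
    "Outcome 2: backup + ASD Top 4": Defences(asd_top4=True),
    "Outcome 3: backup + ASD Top 4 + comms plan": Defences(asd_top4=True, comms_plan=True),
    "Outcome 4: backup + comms plan": Defences(comms_plan=True),
}


def compare(outcomes=OUTCOMES) -> dict:
    """Total per outcome and its share of the Outcome 1 baseline."""
    baseline = criminal_value(Defences())["total"]
    result = {}
    for name, d in outcomes.items():
        total = criminal_value(d)["total"]
        result[name] = (total, total / baseline)
    return result


if __name__ == "__main__":
    for name, (total, share) in compare().items():
        print(f"{name:44} ${total:>12,}  {share:6.1%}")
```

Running the script prints the four outcomes and their share of the Outcome 1 baseline. Changing a single price or the mitigation rate shows how sensitive the headline percentages are to those inputs, which is exactly why the paper argues for measured rather than nominal figures.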

Case Summary

We can see, then, that it would appear worth future research to implement CyberDefence Effectiveness measures for all CyberUsers and run the calculations over time. To make this possible, policies are needed that first put in place: 1/ a moratorium on punitive consequences for victims, provided CyberDefences are being implemented and communication and collaboration is made and facilitated in a timely manner; and 2/ an ecosystem of approved suppliers, and access to innovators, to assist with effective CyberDefences. These two policy areas are a limitation of this paper and an opportunity for future research.

Application of CyberDefenses

With an understanding of why CyberDefenses are important, the next steps are to decide their application in context and what checklist of CyberDefenses are to be applied.

To contextualise CyberDefenses an entity first needs to understand what information it has, what of it is important and where it is, so CyberDefenses may be applied.

Taking a Building Information Modelling Systems approach, there first needs to be a 1D drawing, though preferably a 2D or 3D mapping, of where information assets are across physical and virtual assets, before a 4D Cyber Information Modelling System including time and cost can be put in play (SIBA, 2016: p.6). Only by knowing where information and functionality is can it possibly be understood how it is, or needs to be, protected.

An entity needs a place to start, and contextualising its cyber security may leverage the entity’s strapline. That is, an entity’s strapline underpins what it does, in 10 words or less, including its point of differentiation.

A strapline describes the entity’s key business metric, which drives what its financial definition of profit looks like, P&L to P&L. Cyber security needs to be measured in the same way, to enable the health of the entity and to contextualise its priorities to that which underpins and enables strategy.

For example, a training business may have a key business metric of profit per delegate day; for an airline it will likely be PRASM (passenger revenue per available seat mile). If a training company is holding extremely sensitive records such as healthcare information, the organisation needs to decide what business it is in and whether it needs to store and use that information, and if so how, versus not needing to and thereby dramatically reducing cost and risk both to itself and to the owners of that healthcare or sensitive information.

It can also be noted that this management science approach to a risk identification framework (Figure 8) also reflects an ability to be adapted to consultative sales frameworks, such as that put forward by Rackham (1995). While the labels in that particular framework do not appear to be the best fit for purpose here, they could be an area for future research in applying those consultative sales techniques and strategies to implementing identified actions.


Once we understand what information is of high consequence, we need to map out where it is: a CyberMap. A CyberMap is at worst a 1D drawing and at best a 3D map of systems and cyberspace drawing out functionality, data flows and storage.

With a CyberMap in play, organisations can begin to understand and simplify their footprints through a discussion based on the CyberDefenses that are in place, or that over time need to be, which allows us to bring cyber security into 4D: that is, inclusive of time and costs, to map out a cyber security action plan or, for larger organisations, a program. Some firms may have this capability in-house, or be small enough to map it out themselves, and otherwise can engage their IT or security provider to help.

The CyberMap is less a network topology than a diagram of information flows. For the security provider, a call with the executive first identifies systems of critical importance. A subsequent call with the IT provider gains their understanding of data and critical systems of importance.

Once the CyberMap is created, a cross-functional cyber security steering group is formed, made up of the heads of each function: Director/ Senior general executive, Security, IT, HR, Product/ Marketing and Legal/ Development, or other functions critical to the organisation depending on its size. This group discusses what infrastructure and information has been missed. Then, with the full picture of data and data flows mapped out and critical systems identified, a discussion about whether those systems and data stores are needed can take place and, if so, the CyberDefences on these systems can start to be enumerated and documented based on the Checklists.

The Checklists need to be run across 3rd to n-th parties to assure that the protections are in place, and also that one party does not assume the other party is responsible for a protection, which would leave exceptions in CyberDefences unnoticed.
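What running the Checklist across 3rd-to-n parties looks like in code, as an added example (Python) that is not from the paper: each party answers each item as in place, an exception, or delegated to another party, and the script follows the delegation chain, so an item that the medical centre believes its IT provider handles, and the IT provider believes the medical centre handles, surfaces as unowned rather than being counted as in place on both sides. The item ids, the party names and their answers are constructed for the illustration; the items themselves follow the Checklist headings used later in this paper.

```python
"""Added example, not the paper's own: a CyberDefences Checklist run across
an entity and its 3rd-to-n parties, resolving who actually owns each
defence so that an item every party believes someone else handles is
reported as an exception rather than counted as in place.

Item ids, party names and answers are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Items follow the paper's Checklist headings; the ids are hypothetical.
CHECKLIST = {
    "patch_os": "Operating systems kept up to date (ASD Top 4)",
    "patch_apps": "Applications kept up to date (ASD Top 4)",
    "app_whitelist": "Application whitelisting (ASD Top 4)",
    "restrict_admin": "Administrator privileges restricted (ASD Top 4)",
    "offline_backup": "Offline, time-stamped backup validated by test restore",
    "comms_plan": "Breach notification and communications plan",
    "compliance": "Compliance requirements identified",
}


@dataclass
class Answer:
    status: str                     # "in_place", "exception" or "delegated"
    delegate: Optional[str] = None  # party believed responsible, if delegated
    signed_off: bool = False        # exception accepted by Director/Senior Exec


@dataclass
class Party:
    name: str
    answers: Dict[str, Answer]


Parties = Dict[str, Party]


def resolve(item: str, party: str, parties: Parties,
            chain: Optional[List[str]] = None) -> Tuple[str, List[str]]:
    """Follow delegation from `party` until a concrete answer is reached.

    A delegation loop, a party nobody enrolled, or an item a party never
    answered all mean nobody owns the defence, reported as "unowned"."""
    chain = (chain or []) + [party]
    if chain.count(party) > 1 or party not in parties:
        return "unowned", chain
    answer = parties[party].answers.get(item)
    if answer is None:
        return "unowned", chain
    if answer.status == "delegated":
        return resolve(item, answer.delegate or "", parties, chain)
    return answer.status, chain


def benchmark(parties: Parties) -> dict:
    """Per-party and ecosystem scores (fraction of items in place) plus the
    exception list that feeds the action plan."""
    scores: Dict[str, float] = {}
    exceptions: List[dict] = []
    total_ok = 0
    for name in parties:
        ok = 0
        for item in CHECKLIST:
            status, chain = resolve(item, name, parties)
            if status == "in_place":
                ok += 1
                continue
            # Only a concrete "exception" can carry a risk sign-off; the
            # owner is the last party in the chain.
            owner = parties[chain[-1]].answers[item] if status == "exception" else None
            exceptions.append({"party": name, "item": item, "status": status,
                               "chain": chain,
                               "signed_off": bool(owner and owner.signed_off)})
        scores[name] = ok / len(CHECKLIST)
        total_ok += ok
    return {"parties": scores,
            "ecosystem": total_ok / (len(CHECKLIST) * len(parties)),
            "exceptions": exceptions}


def unowned(parties: Parties) -> List[Tuple[str, str]]:
    """(party, item) pairs where the delegation chain never lands on an owner."""
    return [(e["party"], e["item"]) for e in benchmark(parties)["exceptions"]
            if e["status"] == "unowned"]


# Constructed sample: a medical centre that outsources the ASD Top 4 to its
# IT provider, which in turn believes admin restriction is the centre's job
# and that an unenrolled "Backup Vendor" looks after backups.
SAMPLE: Parties = {
    "Medical Centre": Party("Medical Centre", {
        "patch_os": Answer("delegated", delegate="IT Provider"),
        "patch_apps": Answer("delegated", delegate="IT Provider"),
        "app_whitelist": Answer("delegated", delegate="IT Provider"),
        "restrict_admin": Answer("delegated", delegate="IT Provider"),
        "offline_backup": Answer("in_place"),
        "comms_plan": Answer("exception"),
        "compliance": Answer("in_place"),
    }),
    "IT Provider": Party("IT Provider", {
        "patch_os": Answer("in_place"),
        "patch_apps": Answer("in_place"),
        "app_whitelist": Answer("exception", signed_off=True),
        "restrict_admin": Answer("delegated", delegate="Medical Centre"),
        "offline_backup": Answer("delegated", delegate="Backup Vendor"),
        "comms_plan": Answer("in_place"),
        "compliance": Answer("in_place"),
    }),
}

if __name__ == "__main__":
    result = benchmark(SAMPLE)
    for party, score in result["parties"].items():
        print(f"{party}: {score:.0%} of CyberDefences in place")
    print(f"Ecosystem: {result['ecosystem']:.0%}")
    for e in result["exceptions"]:
        print(f"  {e['party']:15} {e['item']:15} {e['status']:9} "
              f"via {' -> '.join(e['chain'])}"
              + ("  (risk signed off)" if e["signed_off"] else ""))
```

The exception list is the raw material for the 90-day action plan: unowned items need an owner assigned before any work is scheduled, exceptions without a sign-off need either a fix or an accepted-risk decision, and the per-party scores give the benchmark that the paper proposes to share across the ecosystem.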

CyberDefenses Checklist composition: Justification for measures

The core measures for Government in Australia are the ASD Top 4, as audited by the Australian National Audit Office (ANAO, 2016), and where these are not in place, compensating controls and sign-off by the Director/ Senior Executive that the risk is accepted.

These four mitigation strategies are nominally 85% effective against attacks direct to the workstation or device. Generally, this type of attack is instigated using malware. Malware is just malicious software and, like any software, it has to get to us and it has to run. These two points are important to hold onto in order to understand why the top four mitigations work in combination.

There are three primary ways malware can ‘Get to us’: Phishing, Driveby, and External Media. Explained in more detail in Author (2014), non-exhaustively:

  • A driveby is where a website is visited and, in loading the website onto our machine or device, malware loads too. It may be a bogus site, but it may also be a legitimate site where an advertising engine has been compromised, or the site itself has been compromised. In a sophisticated setting it is called a watering hole attack, and the machines that the malware will download to are restricted to a certain IP address or IP range being targeted in a more persistent attack.
  • External media includes CDs, DVDs, USB drives and even phones and other devices if connected to a machine or device for, say, charging.
  • Phishing is where an email, text or social media message is sent that includes a malicious link that may download malware, or direct to a bogus site that asks for further information to be shared, such as usernames and passwords, or more. Phishing may also occur by phone or by a letter through the post. Spearphishing is the targeted form and may include emails that look like they are from a trusted brand, or an authority such as the CEO, a client or a supplier, requesting money transfers or changes to the details for money transfers. Effective CyberDefences put an extra step in the process, such as enabling two-factor authentication where offered and taking a breath: not acting on the initial instruction but instead verifying it through an additional trusted source, such as walking over to the CEO’s office and asking whether they sent the instruction, or calling back on a known trusted number rather than one supplied in the message.

If we assume that chances are malware will get to us, the Australian Signals Directorate (ASD) has released its award-winning ASD Top 4, which nominally mitigate 85% of these attacks. More information can be found on these mitigations at the ASD website; however, these CyberDefences are effective and in a nutshell they include:

Keeping software up-to-date: this counts as two of the four, patching operating systems (eg. iOS, Windows, and the firmware on a firewall) and patching applications (eg. Office, an online banking app, antivirus). The reason is that once a software update (also known as a patch) is released, CyberCriminals start developing tools to exploit the ‘hole’ it is patching in our software. If the software is up-to-date and the hole they are looking for no longer exists, then malware relying on it will be prevented from running. Vulnerability scanning can also assist, by finding what is still unpatched.

Application whitelisting: creates a list of software that is allowed to run. It will filter out any software not on that list and prevent it from running. This will therefore also prevent malware, as unwanted software, from running.

Limiting administrator access: limits the number of people that can do and see everything on a machine or device and anything it is interconnected with. Limiting what people can do and see more generally to what is needed to perform a task or role further reduces risk. It also means that if malware does run on the machine it will limit what can be done or seen with it increasing the time, cost and risk for the CyberCriminal to do and see more.

The Australian National Audit Office measures government entities on these measures, and otherwise compensating controls and risk signed off by the senior executive. It would make sense for this to commercialise into the business domain.

Tactical Services considerations

It is also important to know what to do when something goes wrong, including having an offline, time-stamped backup under our control, validated by test restores.

For mission-critical systems and information we may engage a penetration tester and retain a professional tactical services and incident response firm, accredited by a body such as CREST, to support managing the security of the system. Other tactical services would include monitoring and vulnerability scanning.

To encourage interoperability as we increase our CyberDefenses, and as disruptive technologies continue to evolve and potentially themselves become disrupted, it is important to be aware of open and robust standards, including NIST, NoT, SmartCities, Quantum, ISO, Blockchain, OWASP and PCI DSS. For almost any security initiative there is now an open standard and/or guideline published, or in draft for comment.

Social Engineering mitigations

Social engineering also bypasses security controls by encouraging people to compromise themselves. As mentioned, malware has to get to us and run. Training people to put an extra step in the process, verifying information via a different trusted means, and enabling two-factor authentication where offered can prevent some of the ways it gets to us. The same tactics are also used to gain other sensitive information and may occur not only online but also offline and by phone.

Traditional security controls are still important and so need to be included in CyberDefences Checklists. Today, these would include protections such as firewall, antivirus and encryption. 

Compliance

Compliance requirements will vary by entity and even by state or country. Therefore, the checklist needs to ask what compliance requirements the individual or entity has. If at this stage it does not understand its compliance requirements, then it needs to be referred to an incumbent or new supplier for help. If compliance requirements are identified, then the checklists for those requirements, or the relevant suppliers, need to be referred to.

Notifications and communications plan

A key component of the checklist, as we can see from the Healthcare case scenario, is having a communications plan in place and notifying the entities and individuals that may be affected by a breach.

Influencing the ecosystem

The checklist needs an item confirming that the organisation is assuring itself that its ecosystem is taking similar steps. From a motivational standpoint, this would desirably create a viral benchmarking standard, thereby increasing CyberDefenses Effectiveness.

Everyone

Employees, contractors and families on home networks could perform their own benchmarks, thereby improving their own CyberDefenses and, through them, the organisation's. Additional motivational tools may assist, such as a competitive award process and cyber ambassadors people can go to for help and advice, along with online resources.

Free text

Requesting one observation each of a good practice and a concern will uncover shifting sands and unknown unknowns. It will also help identify emerging technologies and practices.

Accommodating future tech and practices

The checklist for CyberDefenses Effectiveness will need to be robust but agile, evolving under continuous review with the constantly changing technological landscape, including cars, the network of things, drones, satellites and space, cloud and supporting infrastructures, particularly as we see an ongoing convergence of the natural, built, digital and cyberspace environments.

Insurance

Once reasonable care is demonstrated under the CyberDefenses checklist, insurance may be a viable option to cover residual risk.

Checklist implementation

Measuring CyberDefenses highlights exceptions and, with policy, could drive action and parsimonious spend in the right places, versus kneejerk reactionary spend or the largest competitor to cyber security: 'do nothing'.

Once CyberDefenses have been enumerated under the checklists, a list of exceptions can be allocated to tasks under action plans in normal management 90-day action plan cycles, with the checklists reviewed quarterly in line with P&L reviews to ensure cyber security and defences continue to underpin strategy and expected progress on plans.

The baseline from the previous quarter or quarters can then be compared with the current quarter’s benchmark for improvement. This entity benchmark can then be compared with others like them. 

However, an organisation is an interconnected system, so these defenses will reside not only within the organisation's control but within other organisations'. Information about those defenses can be enumerated by having that organisation or those organisations go through the same process and be benchmarked as part of a supply chain or ecosystem.

Measuring CyberDefenses Effectiveness

Once the Digital Health system is in place, threat and breach detection information can be provided and quantified using a standardised approach to forensically accounting for consequence. This can then be matched with the defenses that were enumerated, thereby providing a measure of the effectiveness of those defenses in reducing the consequences of a breach.

The quantification of consequence minimisation can then more accurately help weigh risk appetite and cost justification in deciding on cyber security spend.

We can’t manage what we can’t measure so we need to start somewhere now and refine over time.

Limitations and opportunities for future research

  i) The calculation of loss for:
  • psychological costs and the costs of victim support services
  • country-level economic loss and the advantaging of foreign countries and citizens

  ii) Policies that need to be put in place first to assist adoption and effectiveness of the DHI, including: 1/ a moratorium on punitive consequences for victims, assuming CyberDefenses are being implemented and communication and collaboration is made and facilitated in a timely manner; and, 2/ the development of an ecosystem of approved suppliers and access to innovators to assist with effective CyberDefenses.

  iii) Applying consultative sales and marketing frameworks to cyber security program implementation

References

  1. ANAO (2016) Cyber resilience. Australian National Audit Office. https://www.anao.gov.au/work/performance-audit/cyber-resilience (last accessed 10 December 2016)
  2. ASD (2013) Top 4 strategies to mitigate targeted cyber intrusions: mandatory requirement explained. http://www.asd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm (last accessed 10 December 2016)
  3. Ernst (2007) Entrepreneurship and Innovation Thesis
  4. Ernst (2015) Cyber security handbook
  5. Author et al (2014) Board Director and cyber security engagement research
  6. Dyche, Jill (2015) 6 responsibilities of the Chief Digital Officer. CIO Magazine, 26 October 2015. http://www.cio.com/article/2997180/cio-role/6-responsibilities-of-the-chief-digital-officer.html (last accessed 10 December 2016)
  7. GPO (2011) Cyber security: protecting your small business. Hearing before the Subcommittee on Healthcare and Technology of the Committee on Small Business, United States House of Representatives, One Hundred Twelfth Congress, First Session. US Government Printing Office
  8. Innovate UK (2015) Cyber security: apply now for business funding. https://www.gov.uk/government/news/cyber-security-apply-now-for-business-funding (last accessed 10 December 2016)
  9. Kan, M (2016) Hacker looks to sell 10M patient records on black market. Computerworld. http://www.computerworld.com/article/3088972/security/hacker-looks-to-sell-10m-patient-records-on-black-market.html (last accessed 10 December 2016)
  10. Morgan, Jacob (2015) Why every company is a technology company. Forbes Magazine, 23 December 2015. http://www.forbes.com/sites/jacobmorgan/2015/12/23/why-every-company-is-a-technology-company/#190b42d16454 (last accessed 10 December 2016)
  11. PDMA (2006) Product Management Glossary: The PDMA Glossary for New Product Development. pdma.org
  12. Pinchot III, G (1985) Intrapreneuring. Harper and Row, New York. See also Pinchot, G and Pinchot, ES (1978) Intra-corporate entrepreneurship, Fall 1978. http://www.intrapreneur.com/mainpages/history/intracorp.html (last accessed 12 June 2006)
  13. Pinchot III, G and Pellman, R (1999) Intrapreneuring in Action. Berrett-Koehler, San Francisco
  14. Rackham, N (1995) SPIN Selling. Gower
  15. Rickards, T (2012, p.72) Dilemmas of Leadership. Routledge, London
  16. Schlesinger, J and Day, A (2016) Dark Web is fertile ground for stolen medical records. CNBC, 11 March 2016. http://www.cnbc.com/2016/03/10/dark-web-is-fertile-ground-for-stolen-medical-records.html (last accessed 10 December 2016)
  17. Schon, D (1963) The Displacement of Concepts. Tavistock
  18. Schumpeter, EB (1954; 1984) History of Economic Analysis: capitalism, socialism and democracy. Harper Torchbooks. In Shavina, L (2003) The International Handbook on Innovation
  19. SIBA (2015) Integration of Spatial and Built Environment – National Data Policy. http://www.siba.com.au/getattachment/Advocacy/Advocacy-Requests/The-Use-of-Smart-ICT-in-the-Planning-Design-and-Us/DigitalBuiltEnvironment-SpatialConstructionInformationV2-151120.pdf (last accessed 10 December 2016)
  20. Stevenson, HH, Roberts, MJ, Grousbeck, DE and Bhide, A (1999) New Business Ventures and the Entrepreneur. Richard D Irwin, Homewood

@DrSallyErnst, info@csns.co

There are a number of illustrative figures available in this paper that are not published here. Please email info@csns.co if needed.
