
Towards a cyber approach for large organisations

Arthur Thomas Verkerke Delft University of Technology

Towards a cyber approach for large organisations

by

Arthur Thomas Verkerke student number 1374435

in partial fulfilment of the requirements for the degree of

Master of Science in Systems Engineering, Policy Analysis and Management

at the faculty of Technology, Policy and Management of the Delft University of Technology,

to be defended publicly on Tuesday 15 December, 2015 at 9:15 AM

Committee Prof. dr. ir. J. van den Berg, Chair Full professor at section ICT, TU Delft

Dr. J. Hulstijn, First supervisor Assistant professor at section ICT, TU Delft

Prof. dr. ir. P. H. A. J. M. van Gelder, Second supervisor Full professor at section Safety and Security Science, TU Delft

E. Bulder, MSc., External supervisor, CGI Nederland

This is the public version of this thesis

An electronic copy of this thesis is available at http://repository.tudelft.nl/

I dedicate this thesis to my mum, dad and Anna. Thanks for your unconditional love and support.

Preface

Dear reader,

With this thesis my time as a student in Delft has come to an end. For my study time, and my graduation project in particular, I would like to thank some people. First of all I would like to thank my family, especially my parents, for giving me the opportunity and the freedom to experience the student life in all its aspects. Being able to explore the ‘grown-up world’ in this way gave me a wonderful time and taught me a lot. Next I would like to thank the music society Krashna Musika and all its members I had the pleasure to make music with and/or organise activities together. You helped me to balance my rational (study) mind and my emotional (music) mind. Joining Krashna gave me experiences, opportunities and (maybe most important) friends that are very precious to me.

This graduation project would not have been possible without CGI, which provided me with the needed resources and contacts to conduct this research. A special thanks to my mentor and supervisor from CGI Evelien; thanks to your input my research stayed focused and your positive attitude and (practical) comments helped me a lot to remain on track. Another special thanks to Michael, who has given support through the whole project; your ideas, insights, sharp comments and lunches have helped me to create this thesis. Evelien and Michael, your joint effort has made this project possible, for which I am truly thankful. Furthermore I would like to thank all colleagues for helping me to complete this thesis. Your input both during more formal settings and informal settings is much appreciated. Thanks also to all respondents for participating in this research, helping me with my first steps in the cyber world.

My graduation committee of Delft University of Technology also deserves a word of thanks. Joris, our (sometimes too) long discussions together helped me so much in completing this research. After our meetings my enthusiasm for graduating always gained a great boost, enabling me to continue researching with the fresh energy needed for graduating. Pieter, thank you for providing me insights in the parallels between resilience in cyber and water management. Jan, you have inspired me during several courses in my study, but the resilience you showed lately is incredible. I hope you are able to support many more students in their way towards graduation, keep inspiring people and enjoy life for a long time to come.

Finally I would like to thank Anna for always supporting me. Thanks to your love and support I was able to complete this project.

I hope you will all enjoy reading my thesis.

Arthur Thomas Verkerke Delft, November 2015


Summary

Participation in cyberspace is of key importance for large organisations (and for the functioning of our society), but to participate responsibly a comprehensive cyber approach is needed. Cyberspace is a dynamic and complex environment due to its hyper-connectedness, and therefore such an approach should aim for cyber resilience to cope with this complexity. Standards can be a good source of inspiration for the creation of a cyber approach. However, due to the differences between traditional and cyber security the standards do not cover the cyber domain completely. At this moment there is a knowledge gap on (1) what elements a cyber approach for large organisations should cover and (2) what role standards can play in such an approach. Furthermore, aiming at resilience is not (yet) common practice. This research therefore has as its main goal: To design a cyber framework that helps large organisations to develop a cyber approach. An analysis of the cyber security landscape has shown that a diverse set of actors create, in a garbage can-like model, a diverse set of standards with different aims and scopes. Six standards are analysed further, resulting in elements of standards that are important for a cyber approach (requirements for the cyber framework). The analysis further shows that the main standards are still mostly based on traditional information security and do not yet (all) cover the main aspects of cyber and/or resilience. Semi-structured interviews have resulted in the identification of five issues that need to be dealt with in cyber security: (1) parties in cyberspace are highly dependent on each other, (2) the dynamics of cyber are larger compared to traditional information security, (3) the assets to protect are constantly getting more diverse, (4) incidents in cyberspace can have huge consequences in the physical world and (5) the general level of cyber resilience is rather low. These issues form requirements for the cyber framework.

Based on literature research, the analysis of the standards landscape and the conducted interviews, design principles for a cyber approach are formulated. The design principles have two roles: (1) they serve as input for designing a cyber approach, to help deal with design dilemmas, and (2) they are requirements for the cyber framework, because the framework needs to be compatible with these design principles. Based on the requirements, a cyber framework has been designed with Hevner’s design science methodology. The framework covers three dimensions: (1) cyber governance, providing the goal/mission of the organisation and the boundary conditions for and evaluation of the other dimensions, and (2) risk management, covering the long-term risk balance with a cycle of assessing the risk, control and monitoring. These two are completed with (3) situational awareness, providing incident detection (monitoring), short-term response and recovery, completed with the monitoring of (strategic) developments in the environment. With the addition of situational awareness the framework provides the addition needed to participate in cyberspace responsibly. The framework serves (1) as a tool to gain insight into the elements needed in a cyber approach and their relations and (2) as a ‘check-list’ for a designer when designing an approach. Due to the important role of situational awareness in the framework, it helps to develop a cyber approach that results in better cyber resilience of the organisation. The framework is shown in figure 1. These results have been evaluated with six of the respondents from the other interviews, based on a questionnaire and a case based on DigiNotar. Besides these contributions, the most interesting conclusion of this research is the changed role of standards: because of the complexity of (the risks of) participating in cyberspace, a ‘silver bullet’ solution cannot be made.

Therefore standards are still useful for high-level requirements and technical implementation, but for the layer in between a more tailor-made approach is needed. Standards will still play a key role in cyber security, because part of the way to deal with the complexity of cyber is to cooperate with partners, and standards can help to communicate between partners. The results of this research could be further evaluated with expert workshops on specific cases. Further research could be done to test the developed principles and the framework in practice, to develop a decision support framework to help select specific elements of standards for large organisations, and on the measuring of cyber resilience.

Figure 1: Cyber framework. Recoverable labels from the figure: Cyber governance (mission and goal, core values and culture of the organisation, risk appetite, boundary conditions, resource allocation, responsibilities, processes, procedures, policies, legal aspects, technological, social, human and financial aspects, organise oversight, auditing, evaluation and monitoring of long-term (internal) and external results, balance steering and creativity). Risk management (long-term risk and control, assets to protect, asset risk acceptance repository). Situational awareness (short-term respond and recover, response and recovery plan, gather intelligence and analyse (technical, social and external), participating in the cyber community, environment dependencies, translate to boundary conditions, lessons from incidents).

Contents

Preface ...... v
Summary ...... vii
List of Figures ...... xi
List of Tables ...... xi
1 Introduction ...... 1
1.1 Dealing with cyberspace ...... 1
1.2 Research goal ...... 2
1.3 Methodology ...... 3
1.4 Thesis structure ...... 3
2 Cyber resilience ...... 5
2.1 Importance of a cyber approach ...... 5
2.2 Cyber resilience ...... 9
2.3 Summary ...... 14
3 The cyber security standards landscape ...... 15
3.1 The role of cyber security standards ...... 15
3.2 Cyber security standard landscape ...... 17
3.3 Comparing six major standards ...... 18
3.4 Analysis of the compared standards ...... 33
3.5 Summary ...... 34
4 Exploring cyber issues ...... 35
4.1 Interview explanation and structure ...... 35
4.2 Standards in practice ...... 36
4.3 Cyber governance findings ...... 37
4.4 Risk management findings ...... 38
4.5 Situational awareness findings ...... 38
4.6 General findings from the interview ...... 39
4.7 Cyber issues identified ...... 40
4.8 Summary ...... 41
5 Designing a cyber framework ...... 43
5.1 The design challenge wrap up ...... 43
5.2 Requirements ...... 44
5.3 Cyber framework ...... 46
5.4 Measuring of cyber resilience ...... 48
5.5 Summary ...... 50
6 Evaluating the cyber framework ...... 53
6.1 Methods used - interview based on questionnaire and case study ...... 53
6.2 Results of evaluation interviews ...... 53
6.3 Results of case study ...... 54
6.4 Further evaluation ...... 56
6.5 Summary ...... 57


7 Conclusions and recommendations ...... 59
7.1 Main contributions and conclusions ...... 59
7.2 Research limitations ...... 62
7.3 Discussion ...... 62
7.4 Future research possibilities ...... 64
Bibliography ...... 65

Appendices ...... 71
A Design science research method ...... 73
A.1 Research goal and sub-questions ...... 73
A.2 Introduction to design science research method ...... 73
A.3 Design science research framework ...... 74
A.4 Design science research guidelines ...... 75
B Interview outline and questions ...... 77
C Elaboration on the seven suggested design principles for cyber ...... 81
D Coverage/compatibleness of elements of standards in cyber framework ...... 85
E Questionnaire for validation of results ...... 91
Acronyms ...... 95
Glossary ...... 97

List of Figures

1 Cyber framework ...... viii
1.1 Schematic thesis structure ...... 4
2.1 Conceptualisation of cyberspace ...... 6
2.2 Gartner’s conceptualisation of cyber security ...... 7
2.3 Cyber risk management using the ‘Bowtie’ ...... 8
2.4 Conceptualisation of cyber approach ...... 9
2.5 Conceptualisation of situational awareness ...... 14
3.1 COBIT 5 scope ...... 20
3.2 COBIT 5 product family ...... 20
3.3 Table of contents ‘cyber risks resource for practitioners’ ...... 25
3.4 PDCA-cycle from ISO 22301 ...... 26
5.1 Cyber framework ...... 51
5.2 Effectiveness of cyber approach ...... 52
5.3 Measuring of cyber resilience ...... 52
A.1 Design-science research framework ...... 75

List of Tables

1.1 Overview of methods used ...... 3
3.1 Comparison of standards ...... 19
5.1 Cyber security versus traditional information security ...... 43
5.2 Implication of cyber issues for cyber framework ...... 46
A.1 Design-science research guidelines ...... 76
C.1 Design principle 1 - Use modularisation ...... 81
C.2 Design principle 2 - Use local autonomy ...... 82
C.3 Design principle 3 - Include security from the start ...... 82
C.4 Design principle 4 - Design with the end-user in mind ...... 83
C.5 Design principle 5 - Partner up ...... 83
D.1 Coverage of COBIT 5 in cyber framework (Part I) ...... 85
D.2 Coverage of COBIT 5 in cyber framework (Part II) ...... 86
D.3 Coverage of IRM Cyber risk resources for practitioners in cyber framework ...... 87
D.4 Coverage of ISO 22301 in cyber framework ...... 87
D.5 Coverage of ISO 27001 in cyber framework ...... 88
D.6 Coverage of NIST framework for cyber security in cyber framework ...... 89
D.7 Coverage of PAS 555 in cyber framework ...... 89


1 Introduction

“In our digital age, the issues of cybersecurity are no longer just for the technology crowd; they matter to us all.” - Eric Schmidt, Executive Chairman, Google

1.1. Dealing with cyberspace

In our information society, the digital world has steadily become more and more important; all kinds of activities have been digitalised¹ and all kinds of new activities have been developed in the online world. These cyber (IT-enabled) activities that are key for the functioning of modern society have created the so-called cyberspace². With the increased use of Information and Communication Technology (ICT) the strategic interests of all kinds of organisations in cyberspace have grown, so the stakes involved have grown too. Together with the growth of cyberspace, threats are also shifting towards cyberspace [4] and therefore the need to protect the involved stakes is rising. Just like real-world incidents, incidents in cyberspace can have many causes. Actors trying to cause incidents are present in cyberspace in many forms and with many different motivations, from state-driven cyber warfare to script kiddies, targeting governments, private organisations and individual citizens [5]. Because the activities of organisations in cyberspace are key for the functioning of the organisation (and indirectly affect the functioning of modern society), all organisations should deal with the risks in cyberspace. The interconnectedness makes it hard to protect an organisation against so many different threats, while an attacker only needs to find one weak spot to achieve his goal. This asymmetric aspect makes it even more important to use a specific cyber approach that creates cyber resilience. There is no risk-free participation in cyberspace, but the key to success can be to implement an approach with which those risks can be managed. A cyber approach basically consists of three dimensions: (1) cyber governance, (2) risk management and (3) situational awareness. Risk management serves to manage (long-term) risks (including keeping controls and risks in balance); situational awareness provides the current perception of developments in the environment and the immediate response and recovery; cyber governance covers the organisation and governing of activities in cyberspace. When implemented, a cyber approach can help reduce the risk to an acceptable level and create cyber resilience. Note that what is acceptable is a political (or, for companies, strategic) choice and can therefore differ per (type of) organisation.

Participating in cyberspace brings networked risks, as Helbing [6] describes. Dealing with those risks requires the ability to withstand incidents and to recover from them; the risks are too complex to prevent all possible incidents in the first place, but as long as the core operations of an organisation are not endangered, an incident does not need to be a serious problem for the organisation. So this ability to withstand and recover from incidents can help an organisation keep functioning in the highly complex environment of cyber security [6]. The ability to withstand incidents and to recover from them can be seen as resilience³. Achieving resilience with cyber security is different from (and more complicated than) just traditional information security⁴ [8]. Both industry and different governments have formulated ways to deal with the three dimensions of a cyber approach in different standards and best practices [9, 10]. However, due to the different kinds of standards on different levels, it is hard for organisations to choose an approach that fits them. What is required by ? Do we just comply with a standard, or did we really switch to an effective approach that realises cyber resilience? What standards are available and which combinations fit best with our organisation? What is the role of (IT-)auditing in checking how we implemented elements of cyber security standards? What is the added value of using standards for us? What best practices can we use? These are complicated issues that differ per (type of) organisation.

¹ Think of the increased number of payments made through the internet (for example with PayPal almost 10 million transactions per day [1]), the large databases with personal information available in many different companies and governments [2], official communication between citizens and governments (for example through the Dutch DigiD [3]), increased online banking, etc.
² In 2.1.1 the key definitions are provided. See also the glossary for the used definition of cyberspace and other key concepts.

At this moment there is a knowledge gap on (1) what elements a cyber approach for large organisations should cover in order to help organisations participate in cyberspace responsibly and (2) what role standards (based on information security) can play in such an approach. Furthermore, aiming at resilience is not (yet) common practice, and the aspects of cyber resilience that are important to be able to measure the performance of and manage a cyber approach are unknown or not agreed upon. Standards and best practices can both play an important role in the designing and testing of a cyber approach: standards are thoroughly developed guidelines which have proven their use, and best practices can form a good state-of-the-art source of inspiration based on experience with the newest developments in cyberspace. This research therefore focuses on the properties of cyber, exploring standards, exploring the issues of dealing with cyber in practice and designing a cyber framework. In section 1.2, the research goal of this thesis is further discussed, including the formulation of the design goal and sub-questions. In section 1.3 the methodology of the conducted research is further explained. This chapter ends with an overview of the thesis structure in section 1.4.

1.2. Research goal

In order to support large organisations⁵ with the designing and testing of their cyber approach, a cyber framework will be designed. The goal of this research is therefore formulated as:

To design a cyber framework that helps large organisations to develop a cyber approach.

Such a framework should cover the elements needed in a cyber approach to be able to cope with the dynamic environment responsibly (aiming at cyber resilience). To create a thorough understanding of the problem environment and gather the current business goals and requirements, the following sub-questions will be addressed prior to and during the development of the cyber framework:

1. What is the importance of a cyber approach?

2. What are the relevant cyber security standards for large organisations and how can they support a cyber approach?

3. What are the issues organisations need to deal with when applying a cyber approach in practice, especially regarding standards?

4. Given the answers to the previous questions, what would a cyber framework for large organisations look like?

5. Is the designed framework useful for large organisations?

³ See also 2.2 for the definition of cyber resilience used in this thesis.
⁴ Traditional information security is mostly based on the Confidentiality, Integrity and Availability (CIA) principles [7]; cyber security is more dynamic due to the factors speed, connectedness/dependencies and the importance of services as assets, see also 2.1.1.
⁵ Large organisations are in this research seen as organisations large enough to have a separate department for information and cyber security.


Each sub-question will be discussed in a different chapter. See also figure 1.1 for the position of these questions in the structure of this thesis.

1.3. Methodology

For this research the design-science methodology of Hevner et al. [11] will be used to design a cyber framework. This design-science research method enables a systematic exploration of the problem environment and testing of the final artefact. The artefact that will be designed is a cyber framework for large organisations. Offermann et al. made a categorisation of the different types of artefacts that can be designed in information systems design [12]. In that categorisation the artefact designed in this research can be categorised as ‘System design’. The structure of the artefact can be described as “Structure or behaviour-related description of a system” [12, pp. 83] and it can be used as support when designing a cyber approach for a large organisation. In appendix A, the design-science methodology is further discussed. The different standards available and their role in a cyber approach are researched with a literature study. For this literature study diverse databases were used (like Springer Link [13], IEEE Xplore [14], Scopus [15], ScienceDirect [16], Sage [17] and Wiley [18]). The search terms used are “cyber”, “security”, “approach”, “standard”, “best practice”, “maturity” and “framework”. They were used in all possible combinations. Furthermore the bibliographies of found sources were used to find additional sources. To further explore issues occurring when dealing with cyber in practice, interviews were conducted with various experts from the cyber security field. This was split into informal interviews with direct colleagues and supervisors from TU Delft and CGI, and more formal interviews with other experts active in the field. The informal interviews mainly served to create a basic understanding of the subject, while the more formal interviews focused on best practices, standards and requirements for a cyber framework.

Due to the highly explorative nature of this research the interviews were semi-structured (also called qualitative interviews, as described for example by Yin [19]). More about the interviews can be found in chapter 4. The constructed artefact is evaluated by interviewing the same respondents as in the formal interviews from the previous phase. Based on a questionnaire and a summary of the end results, the respondents gave their view on the results of this research in a structured interview. Furthermore, a case based on DigiNotar [20–22] is worked out to show the practical use of the developed framework. More on the evaluation can be found in chapter 6. By using a literature study, semi-structured interviews, Hevner’s design-science methodology, an expert validation and a small case study, the available standards are analysed, requirements for a cyber approach are identified and a cyber framework is designed and evaluated. Table 1.1 presents an overview of the methods used, their goal and the chapter in which each method is used.

Table 1.1: Overview of methods used

Method: Literature research. Goal: Explore and analyse the (role of) standards. Used in chapters 2 and 3.
Method: Semi-structured interviews. Goal: Identify issues that occur when dealing with cyber in practice. Used in chapter 4.
Method: Design-science methodology. Goal: Design of a cyber framework. Used in chapter 5.
Method: Expert evaluation. Goal: Evaluation of the end results. Used in chapter 6.
Method: Case study. Goal: Evaluation of the practical use of the developed cyber framework. Used in chapter 6.

1.4. Thesis structure

This thesis is structured around the design goal and the related sub-questions. In each chapter a sub-question will be discussed. The final chapter summarises the main conclusions and recommendations of this thesis. In figure 1.1 the schematic structure of this thesis is presented.

Figure 1.1: Schematic thesis structure

2 Cyber resilience

Before standards and issues from practitioners will be looked at more closely, the importance of a cyber approach and some key definitions for this research will be discussed in this chapter.

2.1. Importance of a cyber approach

Large organisations need to act in a network society [23] that is getting more and more connected through ICT. This situation has created a lot of IT-enabled cyber activities [24]. Those activities offer great (economic) opportunities [25] that increase our general prosperity. Not participating in cyberspace is not an option for large organisations, because so many societal and economic activities take place in the cyber domain; not participating would mean that (some of the) (core) activities of organisations can no longer be deployed and/or opportunities are lost. However, participating in this newly emerged cyberspace is not without risks; just as with activities in the physical world, participating in activities in cyberspace comes with threats, potentially causing incidents (with negative impact) if one is not aware of the downsides [26]. Thinking about the cyber approach as an organisation helps to see both the opportunities and the risks that are present in cyberspace. Participation in cyberspace is a double-edged sword: it comes with great advantages (communicating faster, working more efficiently, etc.; see for example this report [27]), but it also has a downside because of the threats in cyberspace that could disrupt the business, cause legal liability issues, cause financial loss and lead to brand damage (as described for example by [28]). If one is not aware of these negative sides, they can lead to serious incidents potentially harming the functioning of organisations. With a structured cyber approach, organisations can deal with both the opportunities and risks of cyberspace in a systematic way.

2.1.1. Key definitions

In this research field, there are a lot of ‘cyber’ terms in use¹. These are the most important definitions used in this research².

Cyberspace. For the definition of cyberspace, this research uses the same definition as Singer and Friedman [29, pp. 13]:

“Cyberspace is the realm of computer networks and the users behind them in which information is stored, shared, and communicated online.”

This definition enables us to look more broadly than just the technical part; because the users are included, the actors involved can also be taken into account thus enable us to grasp the complexity of cyberspace better. Furthermore this definition matches the conceptualisation of cyberspace of Van Den Berg et al. [30] in layers. This conceptualisation can be found in figure 2.1.

¹ See for example the glossary of [29].
² See also the glossary of this thesis for a more complete list of definitions.


Figure 2.1: Conceptualisation of cyberspace (obtained from [30, pp. 12-2]; Van den Berg et al. 2014)

Cyber security. Roughly stated, cyber security concerns all security of assets in cyberspace. More formally put, for this research cyber security is defined almost in the same way as Craigen et al. [31, pp. 13] do:

“Cyber security is the organization and collection of resources, processes, and structures used to protect specific assets in cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights.”

The difference in definition with Craigen et al. [31] is the addition of the term ”specific assets”; this makes sure that cyber security is not looked at as securing the whole of cyberspace because this would be impossible; a parallel with the physical world would be to define security in such a way that it would cover the security of the whole universe. This definition of cyber security enables us to research the organisation of protection of assets and systems from properties different than intended. ‘Different than intended’ can have mainly two sources: intentional (security) and unintentional (safety) [30, see also figure 2.3]. For this research the focus will be on the intentional part, but some implications for the approach for business continuity (and thus also the unintentional part) will also be taken into account.

How cyber differs from ‘traditional’ information security. As mentioned in chapter 1, traditional information security differs from cyber security. There are two main ways to view cyber security:

1. Cyber security is part of information security

2. Cyber is broader (more diverse) than information security


The first view is supported by, for example, ISACA; they see cyber security as the protection of information assets: “protecting information assets by addressing threats to information processed, stored and transported by inter-networked information systems” [32, pp 5]. The advantage of this view is that it connects directly to the existing concept of information security, making the transfer smoother, also because a lot of standards are based on information security. The downside is that not all properties of cyber security are fully captured with this view. The dynamics are different compared to information security, because in cyber security the environment changes continuously, while in information security the environment is more static (see for example [33, pp. 31]). Furthermore, in cyber security the assets that need protection are not only information, but also services potentially influencing personal and physical aspects of human beings (both tangible and intangible), societal values (intangible) and infrastructure (tangible) [8, pp. 103]. Thirdly, organisations are much more connected with and dependent on each other in cyberspace [34]. The second view is supported by, for example, Gartner. Figure 2.2 shows Gartner’s vision of cyber security in relation to information security, IT security, physical security, operations technology (OT) security and internet of things (IoT) security. In the vision of Gartner, cyber security is broader than information security, and in cyber security a more offensive and proactive attitude and set of measures is needed; due to the differences described above they argue that a cyber approach needs to cover these as well. Because the second view enables a broader view that acknowledges the different aspects of cyberspace, the second view is used in this research.

Figure 2.2: Gartner’s conceptualisation of cyber security, obtained from [35, pp 6]

Zooming in on the second view from another perspective, the differences between traditional information security and cyber security can be made clear by reviewing the bowtie model. The bowtie model has its roots in risk management [30]. The bowtie model, presented in figure 2.3, splits the risk analysis into three phases: the pre-incident phase, the incident phase and the post-incident phase. In traditional information security the focus is on placing ‘barriers’ on the left side of the bowtie and responding if the right side of the bowtie is reached. In cyber security, prevention stretches further than the left side alone; immediately after an incident, damage control measures also need to be taken. With information security this makes less sense, because once stolen, information cannot easily be ‘unstolen’, while unauthorised access to a service can make the damage worse the longer the access lasts. Furthermore, in traditional information security, monitoring is not included on the left side, while this is an important aspect of cyber security due to the properties mentioned earlier. In short, traditional information security focuses on creating large barriers on the left side of the bowtie and responding, for future cases, if an incident occurs. In cyber security, both prevention on the left side and on the right side of the incident should be included, and monitoring should be added in order to catch flaws in the barriers and prevent incidents before they occur.


[Figure 2.3 residue: bowtie diagram with Threats on the left (intentional/security: social, terroristic, economic, criminal, political, (inter)governmental, technological; unintentional/safety: legal, ethical, industrial, behavioural, natural, environment, among others), the Incident in the centre with Prevention before it and Repression after it, and the (dependent) Impact on the right; Risk = Probability * Impact]

Figure 2.3: Cyber risk management using the ‘Bowtie’ (obtained from [30, page 12-3])

Why the three dimensions cyber governance, risk management and situational awareness?

Before zooming into the definition of a cyber approach, which includes the three dimensions, a bit more on why these three dimensions were chosen. Each organisation has a goal/mission it pursues [36][37] (1: cyber governance). To realise this goal, the risks that could harm this realisation should be managed (2: risk management). This entails mapping threats and potential incidents, taking control measures, and regularly checking whether the risk is still acceptable. These two cover the main aspects of traditional information security. However, with the dynamics of cyberspace the environment changes fast and often. To be able to deal with this, there is a need for close monitoring, incident response and recovery, and strategic monitoring of the environment to watch outside developments (combined in dimension 3: situational awareness). To be able to organise risk management and situational awareness, boundary conditions are needed (also from cyber governance). With the addition of situational awareness to cyber governance and risk management, the swiftness needed to participate responsibly in cyberspace is added. Each dimension is discussed in more detail in section 2.2.

Cyber approach

Organisations need to find or create a way to cope with the (new) implications of their activities in cyberspace. For this research ‘cyber approach’ is therefore defined in such a way that it covers both the technical and the socio-technical aspects of the way an organisation approaches cyberspace:

“Cyber approach is the way an organisation deals with their direct and indirect activities in cyberspace both in technical and socio-technical aspects, especially in the dimensions cyber governance, risk management and situational awareness.”

By defining it in this broad way, the whole approach towards cyberspace, including its risks and opportunities, can be looked at. This definition of a cyber approach relates to the ‘governance’ layer of the cyberspace conceptualisation of Van Den Berg et al. [30]; the approach of an organisation tells how it looks at the socio-technical and technical parts of cyberspace. Note that it is not a full conceptualisation of the governance layer, since ”... both the technical and the socio-technical layer are governed - in complex ways - by a huge variety of human actors and organizations” [30, pp 12-2]. Therefore this only includes the governance aspects of a single organisation. In figure 2.4 the conceptualisation of an organisation’s cyber approach is shown. The three dimensions that are part of a cyber approach are defined and further discussed in sections 2.2.1, 2.2.2 and 2.2.3.


By defining the cyber approach with these three dimensions, the organisation and procedures of cyber security (cyber governance), the mapping of the risks (risk management) and the awareness of the organisation (situational awareness) together give an integral view of the approach towards cyberspace. To check the total performance of a cyber approach, one can look at the cyber resilience of an organisation. Before cyber resilience and the three dimensions are further discussed, standards and best practices are briefly defined.

[Figure 2.4 residue: an organisation’s cyber approach, with Governance at the top and Risk management and Situational awareness below it, connected through an update process/cycle]

Figure 2.4: Conceptualisation of cyber approach

Standards and best practices

Standards can range from non-strict ‘open norms’ to very strict standards with compulsory requirements to fulfil. Best practices can, if used as a ‘guideline’, also turn into loose (forms of) standards. In this research a distinction is made between standards and best practices based on three criteria:

1. Origin (designed vs ‘arisen’)

2. Requirements (from no requirements, to non-binding requirements, to legally binding requirements)

3. Documentation (from only examples to complete documentation)

Standards are seen as designed guidelines with requirements (non-binding to binding) and with documentation, while best practices are seen as having ‘arisen’ in practice, with no requirements and limited documentation. The role of standards and the standards landscape will be further discussed in chapter 3. With the core concepts defined, cyber resilience and the three dimensions are examined further in the next section.

2.2. Cyber resilience

Together with the bowtie thinking (briefly introduced in section 2.1.1) in the (cyber) security scene, the realisation arrived that ‘risk-free participation in cyberspace cannot be achieved’. Therefore, as mentioned in section 2.1.1, not only prevention (left side of the bowtie) is important, but also repression/mitigation (right side of the bowtie). The resilience of an organisation is, due to the dynamics, the inclusion of services, the connection to the physical world and the interconnectedness between organisations, of key importance for good functioning in cyberspace; a cyber approach does not need to prevent every incident (which is extremely hard given the dynamics), but it should make sure that incidents stay as small as possible, are noticed at an early stage and that the organisation can function normally again as soon as possible after an incident. The resilience of an organisation is therefore strongly related to the right side of the bowtie (how fast can an organisation recover?). Given the cyber context as explained before, in this research cyber resilience is thus defined (based on [38]) as:

“Cyber resilience is the ability of an organisation to withstand a (major) disruption (with prevention, repression and mitigation) and to recover within an acceptable time and composite costs and risk.”

Cyber resilience is thus not seen as being free from any harm; due to the factors described earlier that are involved in cyberspace, this is not a realistic goal to pursue. The ability to withstand and recover is the core of resilience; an organisation is resilient if it can cope with extreme situations and recover from them, without spending too many resources (time and money) and without enduring extra, unacceptable exposure to risks. Note that, just as with ‘acceptable risk’, the amount of resources and risk that is acceptable is a strategic/political choice. For a cyber approach to lead to cyber resilience, it needs to be clear:

• What are the goals? Who is responsible for what? What are the procedures?

→ Cyber governance

• What do we want to protect? What are the (possible) threats? How can we treat them?

→ Risk management

• What threats manifest now/in the near future? How can we respond to that? Is our mission still on track?

→ Situational awareness

For this thesis, the preparation of the recovery is part of the scope, but the execution of the recovery is not, because this is so specific to each individual incident and organisation. The general principles of preparing the recovery can be used as a setup for working out plans for, and dealing with, specific incidents. With a cyber approach covering all three dimensions, cyber resilience can be created, and with that, participation in cyberspace can be done in a (more) responsible way. Each dimension is now examined further.

2.2.1. Cyber governance

On an organisational level a cyber approach needs to be embedded in the organisation. The dimension cyber governance makes this connection. In this research cyber governance is defined as (based on [36]):

“Cyber governance is the preparation for, making of, and implementation of decisions regarding goals, processes, people and technology related to cyber activities on tactical and strategic level.”

Each organisation has a main goal or a mission³. For a defence organisation it could be guarding the national security and national interests abroad; for a private IT supplier it could be delivering high-quality service and building long-lasting relations while making a healthy profit. The main goal(s) or mission of an organisation can be enriched with principles/core values. Strategy means “[a] plan of action designed to achieve a long-term or overall aim” [39]; in other words, the strategy of an organisation is the bridge between the mission and goal(s) of an organisation and their practical implementation. The strategy, mission, goal(s) and principles of an organisation determine what kind of activities an organisation should deploy, both offline and online. Every period of x years⁴ the strategy needs to be revised, and with that the activities deployed can change. Governance in general is about making the connection from the strategy on paper to practice. Cyber governance covers translating the strategy into practice for the cyber-related activities. Cyber governance will be discussed based on the six functions of governance (obtained from [40]⁵).

³ See for example COBIT 5 [37]

⁴ The period differs per organisation, but every 3-5 years is common

⁵ The World Bank has adapted these from the OECD principles of Corporate Governance [41]


• Strategic direction: The overall governance of an organisation should give a strategic direction for the organisation. For cyber governance, this means that a link between the organisational strategic goals and the cyber approach should be implemented. This function also includes defining the organisational structure and procedures. Furthermore, this function entails the allocation of ”financial, human, social, and technological resources” [40, pp. 72].

• Management oversight: The governing body needs to monitor the performance of management. For cyber security, this means that the performance of security management needs to be monitored and that budgets per (security) organisational part need to be set. Note that a (for each organisation unique) balance between steering from the top and creativity on management level should be found in order to let the strategic goals be worked out as well as possible.

• Stakeholder participation: All internal stakeholders should be heard when setting the direction. An important function of governance is therefore to make sure that all stakeholders can participate. For cyber security, think for example about making sure that both the technical and the business view on security are taken into account.

• Risk management: The ultimate responsibility for the organisation and functioning of risk management lies with executives from the governance layer. Risk management will be further discussed separately as one of the three main dimensions.

• Conflict management: This function is about monitoring potential conflicts of interest and making sure that these are dealt with in time. For security this entails balancing business, technology and personal views on securing assets.

• Audit and evaluation: To check the integrity of especially the financial parts of the organisation, audits and evaluations need to be organised. More about auditing will be discussed in section 3.1.1.

Cyber governance sets the direction and the boundaries for the cyber approach. Note the difference between management and governance. Roughly it is the difference between ‘what’ needs to be done (governance) and ‘how’ it should be done (management) [40]. The management part falls outside the scope of this research, because it differs too much per organisation. Of course, when implementing a cyber approach, not only the governance part but also the management layer needs to be created.

2.2.2. Risk management

The second dimension is risk management; this is defined in line with what Van Den Berg et al. have written [30]:

“Risk management is managing the risks related to cyber activities both from the technical and the socio-technical layer of cyberspace.”

Managing means as much as (a) identify and assess the related cyber risks, [...] (b) determine acceptable risk levels of the assessed risks and (c) design a balanced set of preventive and repressive measures to reduce them to acceptable levels [30, pp 12-3]. This matches the bowtie thinking from [42]. For the bowtie as presented by Van Den Berg et al. [30] see figure 2.3.

Risk is often defined as ”probability multiplied by impact” [30], so in order to be able to practise risk management, one should know:

• The assets in/connected to cyberspace: Assets can be information, (digital) services and physical objects. In order to protect them, it should be clear what they are and how they will change in the (near) future. In that way the risk management part of the approach can also account for changes.

• Potential threats and their likelihood of occurrence: Once you know what you want to protect, you need to know from what you want to protect your assets. As already mentioned in the introduction, threats occur in many forms and severity levels. Up-to-date threat analyses from organisations like the NCSC (Netherlands) [5], the World Economic Forum [34], the SANS Institute (United States) [43], SOPHOS () [44] and many others can be used as input to form an organisation-specific threat analysis in the cyber domain.

• The impact on the mission/operation: When the assets and the threats are known, an estimate of the impact can be made. This estimate is important, because it determines the resources that can be allocated to prevent this incident (type). This is also the step in risk management where the link to the mission/goal(s) of an organisation is most direct; if an incident can have as impact that the organisation cannot fulfil one (or more) of its core goals, it is even more important to prevent this incident from occurring, to prevent further damage if it occurs and to recover fast.

• Scenarios about future developments: For a view on a somewhat higher level, not only the threats and their trends are important; the security trends and future scenarios on a higher level are also important to study. If a scenario in which the cyber security capabilities of the organisation need to be extraordinary looks likely to become reality, the needed investments can be made at an earlier stage, saving resources later in the process. Examples of such security trends come from the World Economic Forum [34]. By including the possible scenarios they sketch in the risk management and, depending on the maturity level of the organisation, also trying to trigger positive scenarios, the risk management part of the approach can become even more complete.

These points can be put into practice with the help of a risk management cycle. Typically this cycle runs every year. This risk management cycle contains roughly three stages:

• Assess the risk: As described above, the assets, the probabilities and the impacts need to be identified. Input for this step are the findings of the first analysis of the threat field or the monitoring conclusions of the previous cycle.

• Control: Based on the impact and the risk level that is accepted, control measures to bring the risks to an acceptable level need to be taken. As mentioned earlier, the level of risk that is accepted is a political/strategic choice.

• Monitor: Monitoring means two things in this case: (1) monitoring whether the risks as identified are correct and whether the countermeasures have the desired effect; (2) monitoring how the threat landscape is evolving and whether additional measures are needed for the next cycle. This also includes monitoring how possible future scenarios are developing. Note the link with situational awareness for this second type of monitoring.

2.2.3. Situational awareness

The third dimension is situational awareness. This is defined as Endsley does in [45, pp. 36]:

“Situation[al] awareness is the perception of the elements of the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future.”

For this research this definition is projected onto the cyber domain. Note that situational awareness differs from situation assessment; situational awareness is ”a state of knowledge” [45, pp. 36], while situation assessment is ”the process of achieving, acquiring, or maintaining situational awareness” [45, pp. 36]. In [46] Tadda and Salerno make the comparison with a pilot to illustrate the difference between performance and situational awareness. Pilots can have high situational awareness (knowing about the extreme weather conditions while landing) and still perform badly by making a rough landing, or can have extremely low situational awareness and perform very well (with the help of the autopilot). In other words, it is the difference between (1) being really aware of the surroundings, being focussed on changes, trying to foresee the near future and reacting to that, and (2) what the result (performance) is.

Situation(al) awareness has its origin in roughly two main streams: the military and artificial intelligence [45]. When looking at situational awareness from the artificial intelligence side, it is often about creating a mental model to understand a situation based on different signals. Heintz, Kvarnström, and Doherty [47] have written about bridging between signals and mental models. They introduce “knowledge processing middle-ware” as a layer to bridge the often noisy signals and the decision taking (reasoning). Heintz et al. have developed DyKnow, which is an implementation of such a knowledge processing middle-ware for unmanned aerial vehicles. DyKnow can serve as an example when trying to include such a layer for situational awareness in a cyber approach. Besides being able to process all the signals, having a goal is also important in order to know what kind of actions need to be taken based on the signals. Smith and Hancock [48] made a model to link ‘the process of getting aware’ and ‘knowledge’. They stress the importance of having a goal that needs to be reached when applying situational awareness. In the pilot example, this can be to land the plane without any damage done to the passengers and the aircraft. Smith and Hancock stress the need for a goal to be able to perform situational awareness optimally. Besides their plea for the importance of a goal, Smith and Hancock also look into human-machine interaction; they argue for a system in which machines support humans in taking the best decisions. Note that in their view the final decisions are taken by the human. This principle can also be interesting when using situational awareness in a cyber approach.

From the military perspective, situational awareness is also about creating mental models, but with a different goal, namely to get an overview of a specific (strategic) military situation. The Defense Advanced Research Projects Agency (US) has researched shared situational awareness [49]. They describe how situational awareness for individuals gets created from the input of information, structural factors (like education, personality, etc.) and situational factors (like mood, time pressure, etc.). An organisation that takes the military perspective is MITRE; they see cyber as an extra dimension of traditional military and business awareness. MITRE has written an interesting text about situational awareness in cyber security [50]. In their text they argue that there are three areas important for situational awareness in cyber security:

1. Network awareness MITRE sees this as internal monitoring, already realised at this moment in a lot of organisations.

2. Threat awareness This is more about external monitoring, which is now evolving according to MITRE [50].

3. Mission awareness MITRE classifies this as critical dependencies, related to goals. This is needed, but hardly any developments have been made here yet.

In other words, MITRE analyses that situational awareness should be extended from only the operational level to also include external threat analyses and the more tactical level related to the goals of the organisation (note the link to governance).

By combining the factors and characteristics of situational awareness as described above for cyber with the model introduced by [51], a schematic conceptualisation of situational awareness has been created. This conceptualisation is shown in figure 2.5. Situational awareness is created based on the perception of the world. This perception is created based on information, structural factors and situational factors. Depending on the goal of the organisation and the perception created, action can be taken to influence the world. The situational awareness cycle consists of three steps: (1) gather intelligence (observe the world), (2) analyse intelligence (create a mental model), (3) respond (determine action based on goals). As MITRE suggests, this cycle should be run on three levels: network (internal), threat (external) and mission (critical dependencies).

2.2.4. Linking the three dimensions

As already shown in figure 2.4, the three dimensions cannot only be seen separately in a cyber approach. By linking the three dimensions in a comprehensive way, the fundamentals of a cyber approach can be shown. However, the dimensions are now only described based on literature. In the next chapter (chapter 3) standards are analysed, and in chapter 4 interviews with experts about what is needed in a cyber approach, and why it is needed, are discussed. Based on these three together, the dimensions will be linked into a cyber framework, covering the three dimensions cyber governance, risk management and situational awareness and placing the existing standards and best practices in that context.

[Figure 2.5 residue: the World (physical and cyberspace) feeds Perception; the cyber situational awareness cycle consists of Gather intelligence, Analyse intelligence and Respond, where Action and Goal drive the response back into the World; levels: Network (internal), Threat (external), Mission (critical dependencies)]

Figure 2.5: Conceptualisation of situational awareness (based on [50], [45] and [51])

2.3. Summary

In this chapter the key concepts of cyber security have been discussed. The importance of having a cyber approach covering the dimensions cyber governance, risk management and situational awareness, aiming at cyber resilience, has been pointed out. The fact that, due to the complexity of the cyber environment, it is acceptable to have an approach that does not aim at being free from incidents but at being free from incidents that impact the core mission of the organisation, is important for a cyber framework. The addition of situational awareness to cyber governance and risk management is proposed in order to deal with the dynamics of the environment in cyberspace; with situational awareness the swift response and recovery and the more tactical monitoring of the environment are covered. The different views on cyber security versus information security have been discussed, and for this research the view that cyber security is broader than information security is used. This has consequences for the (role of the) standards, which is further discussed in the next chapter.

3. The cyber security standards landscape

Standards can have different roles in relation to the cyber approach of an organisation. In this chapter those roles are discussed. Related to the roles, the auditing and legal aspects will be discussed. Furthermore, the landscape of cyber standards, including the parties involved, is explored. Six major standards are examined in more detail in order to identify potential elements of a cyber approach.

3.1. The role of cyber security standards

According to Backhouse and Mehan [52, 53] a standard can help in three different phases of the creation of a cyber approach:

• Design phase In the design phase standards can be used as blueprint for an approach or as inspiration. In practice it is hard to use standards exactly as blueprint for an approach, because each organisation has its own unique characteristics and historic background to deal with [52]. Still, starting with a standard as a basis and building further on that can help.

• Test/evaluation phase The testing can be done by different parties and on different levels. As a basis for the testing, not only requirements from standards but also business needs can be used. Testing can also be done not just for one organisation, but for a specific sector. Governments could monitor how well a certain standard is adopted by a sector and can aim for a certain level of adoption to increase cyber resilience in that sector. This can be done in a formal way, with laws and regulations, but also more informally with public-private partnerships (PPPs) [54] to enhance the adoption of certain standards in consultation with the sector itself. It depends on the strategy of the government how strict the demands for adoption of a set of standards can be. Because the technology in cyberspace develops fast, using PPPs and self-regulation can be a good alternative to strict laws and regulations to achieve cyber resilience [55].

• Implementation phase Standards that can be used during the implementation phase often describe steps in the implementation process and controls to see if the implementation was successful.

There can be different motivations for organisations to adopt a standard. Purser [56] describes three reasons to adopt standards. (1) Standardised processes and procedures are essential for communication between organisations. If each organisation organises its cyber approach in its own way, it gets hard to communicate with other parties; standards help to have a common reference/language to communicate. (2) Standards can be demanded by government or by business clients/partners. The motivation to do so can be found in assurance reasons or in a communication perspective. If an organisation works according to a standardised process and works with standard procedures, these can give a third party the assurance that it is done completely and precisely. (3) For internal control it can also be practical to adopt standards. Just as with external parties, it helps the internal communication. It can help to make clear what needs to be covered and how it should be reported about. And it can serve as inspiration.

3.1.1. Auditing

For this thesis auditing is defined as ‘an independent examination of, and expression of opinion on, a system’ (based on Power [57, pp. 4]). The definition of a system is flexible; it depends on the scope and therefore on the goal of the audit. Note that this is parallel to the definition of Praat and Suerink [58]; they speak of providing ‘assurance’ (the examination in the definition of Power) about an ‘object’ (comparable with the system in the definition of Power). For example, an audit with the goal of seeing whether a standard has been implemented fully has a scope related to the scope of the standard. There are two possible goal types an audit can have: (1) to check whether the design of a system is appropriate for its purpose and (2) to check whether a system is operating effectively (does it perform as was intended) [58]. According to Praat and Suerink, the audit process should:

1. be systematic

2. be documented

3. have audit proof

4. have audit criteria

Standards are often used to set the criteria of the examination/assurance. These can also be internally set standards, as long as they are clear beforehand. A certification is a special case of an audit; the goal of the audit is to see whether the system fulfils the minimum requirements as described in a standard, which can result in a certification. Assurance is in that case provided about the requirements described in a standard. In the cyber security area, an audit can have as its goal to see whether a system fulfils a certain specific (set of) security standard(s) (optionally for certification). More formal standards in this area therefore focus on the traceability of actions and information (like COBIT 5 and ISO 27001). The idea of using an audit to check whether a standard has been fully adopted comes from the traditional bureaucratic organisation (as defined for example by [59]); actions and information need to be traceable to see whether procedures have been followed in case something goes wrong. Auditing developed during the industrial revolution, and IT auditing in particular became a specialised profession around 1960 [60].

3.1.2. Legal aspects of standards

Standards can have influence on the regulation of cyber security. An example is described by Pagallo [61]; he writes about the ‘privacy by design’ principle and how it could become part of legislation in order to safeguard the rights of individual citizens related to privacy. Standards can have roughly three different jurisdictional statuses: a standard can be a ‘de facto’ standard, a ‘de jure’ standard or a standard without official or unofficial status. The latter is the case when a standard has just been introduced (for example, shortly after its introduction ISO 27001 was not seen as a success [62], but now it has become a de facto standard in information security [63]). De facto means that the standard is adopted so widely that it is ‘enforced’ by the other peers in that sector; if you do not comply with that standard as well, you cannot do business with the others. De jure means literally ‘enforced by law’. A standard can become de jure if it gets adopted in legislation and can therefore be enforced by law on an organisation. Because legislation processes often take long, there is almost always a gap between the newest technologies and related standards on the one hand and legislation on the other. Ideally legislation is technology neutral [64]; however, sometimes this can become tricky due to the new possibilities that new technology enables. For example, the possibility to store data in the cloud has only developed in recent years. Even technology-neutral laws could not have covered all legal implications, because the impact of the technology was not yet known before it was developed. Standards can be more flexible and therefore cover (parts of) the gaps that exist due to the long legislation process and (non-)technology-neutral legislation. Note that in the absence of a standard, a generally accepted best practice can become a ‘de facto’ standard.


3.2. Cyber security standard landscape

Due to the complexity of the subject and the large need for standards, a lot of standards are available on cyber and information security, and a lot of different parties are involved. The most important parties involved will be briefly discussed, and before six standards are looked at more closely, the standards available will be reviewed.

3.2.1. Actors involved in cyber standards

First of all there is the international standardisation organisation (ISO) [65]. ISO was founded shortly after the Second World War and, with more than 160 countries represented, it has a large influence on international standards. With standards covering subjects from measuring units, to food quality, to information security and risk management, they are a party to take into account when looking at standards. Standards published by ISO are available for everyone, both digitally and on paper, for a financial compensation¹. The members of ISO are national standardisation bodies (for example, for the US it is ANSI [66] and for the Netherlands NEN [67]), often independent organisations founded by industrial parties.

Besides the international general standardisation body and their national members, there are also standards from more specialised bodies. Examples are associations of different professions (for example ISACA of IT-governance professionals [68], Institute of Risk Management of risk managers [69], Information Security Forum (ISF) for information security professionals [70] and the European Telecommunications Standards Institute (ETSI) [71] on telecom (related) standards), research organisations (for example universities, MITRE the independent research institute [72]) and training institutes (for example SANS [73]). These bodies focus on specific subjects of cyber standards. Furthermore, all kinds of companies individually (try to) develop standards for internal use and sometimes also lobby at existing standardisation bodies to get their (parts of) standards included in ‘official’ standards. A third group of parties involved in cyber standards are government related parties. Departments of central governments work on standards, or try to influence the adoption of certain standards (for example NCSC in the Netherlands [5]), and special agencies develop standards to influence the cyber security of society (for example the European Union Agency for Information and Network Security (ENISA) [74] on European level and NIST from the US [75]).

The independent standardisation organisations, specialised interest groups and governmental parties together shape the cyber standards landscape. In a way similar to that described in the garbage can model [76], issues are debated, private/commercial and public stakes are weighed, coalitions are formed, pioneers take steps ahead of the rest and in that ‘rough playing field’ standards are created and adopted. The success of a standard depends on how often it gets adopted and by whom, who has produced the standard and who recommends it.

3.2.2. Standards related to cyber

All those actors have produced (and produce) a large range of standards. These differ in (organisational) level and specific subject. In this research, the scope is limited to organisational standards related to cyber security and/or information security. So technical standards will not be part of the scope of this research². Although, as said in section 2.1.1, information security and cyber security are not the same, literature research has shown that standards based on cyber are not yet widely available. As will be shown when discussing some specific standards, the information security standards however are better evolved and can (partly) still serve as basis for a cyber approach. A British research about cyber standards shows how many different standards are available; Miller et al. [78] have researched 128 different standards related to cyber security, but mention over 1000 publications about cyber security. As Miller et al. conclude, the landscape is complex and there is no ‘one size fits all’ cyber security standard. Note however that a ‘one size fits all’ standard is not realistic given the complexity of the cyber domain. A one size fits all ‘silver bullet’ solution is not realistic and not desirable, because there are so many different needs from organisations. If a ‘one size fits all’ standard

¹ ISO is a non-profit foundation, but some money is asked to compensate for the organisational costs.
² Examples of relevant technical standards are TAXII and STIX from the department of homeland security of the US [77]; these standards can play an important role when a cyber approach needs to be implemented. This research focusses on a level higher, where the contours of an approach are sketched and the fundamental principles behind the approach are set.

would appear, it cannot cover the need of all the different organisations for standardisation. The need for standards from organisations differs on an organisational level, per sector, and per individual goal of an organisation. This can (partly) explain the need for and therefore the existence of so many different cyber related standards. To illustrate the landscape further and identify interesting elements for a cyber approach, the next section will compare six different standards available.

3.3. Comparing six major standards

In order to give insight in the standards available and explore useful elements for a cyber approach a selection of standards will be zoomed in on further. The selection is made in order to have covered:

• the biggest³ information security standard ISO 27001
• the biggest IT governance standard COBIT 5
• the business continuity⁴ standard ISO 22301
• the risk management best practice IRM Cyber risk resources for practitioners⁵

Furthermore the two newest cyber security standards are reviewed:

• NIST framework for cyber security
• PAS 555

Note that the fact that situational awareness is not covered explicitly in the selected standards is because the research has shown that situational awareness is not really covered in any of the standards available. These standards together can give an up to date overview of what standards can contribute to a cyber approach. Besides a short description, background and aim of the standard, also potential elements to include in a cyber approach are identified. The link to the approach will be further made in chapter 5. In table 3.1 an overview of the standards discussed is given. The standards are discussed in alphabetical order.

3.3.1. COBIT 5

Name: COBIT 5
Origin: ISACA
Website: Link to ISACA website about COBIT 5 [79]
Last revision: 2012-04-10
Size: 94 pages main document, 190 pages Transforming cyber security using COBIT 5, plus several extra documents

Short description & background

COBIT 5 is the fifth version of the COBIT framework developed by ISACA. It was released in 2012. During the development of COBIT its scope was extended from audit to governance of enterprise IT (see figure 3.1). COBIT 5 is meant as a total enterprise IT governance framework. In the complete documentation they provide structure, tools and practices to implement an enterprise IT governance framework. It has been set up to be able to adopt other standards in the framework. COBIT 5 consists of a large ‘product family’ (see figure 3.2). Security (information/cyber and general security) is one of the enablers of the processes defined in COBIT 5. For this research, the most important extra document is the professional guide ‘Transforming cyber security using COBIT 5’ [80]. This document is a professional guide developed by ISACA to zoom into the cyber security applications of COBIT 5. Note that only persons can get COBIT 5 certification, organisations cannot.

³ biggest meaning most adopted
⁴ Business continuity is strongly related to resilience, therefore this factor is included in the standard comparison.
⁵ According to the definition used in this thesis this is not a standard, but a best practice. However, because it gives valuable input on risk management for cyber security, it will be discussed as a standard.


Table 3.1: Comparison of standards

| Standard | Certification | Dimension(s) covered | Publisher | Country | Resilience covered* | Size** (pages) |
|---|---|---|---|---|---|---|
| COBIT 5 | Personal certification | Governance | ISACA | US | - | 94 |
| IRM Cyber risk resources for practitioners | None | Risk Management | IRM | UK | + | 249 |
| ISO 22301 | Organisational certification | All | ISO | CH | + | 24 |
| ISO 27001 | Organisational certification | Governance, Risk Management | ISO | CH | - | 23 |
| NIST framework for cyber security | None | Governance | NIST | US | + | 39 |
| PAS 555 | None | Governance | BSI | UK | ++ | 22 |

* ‘++’ means resilience is a major part of the standard, ‘+’ means resilience is covered and ‘-’ means it is not (or to a very limited extent) covered.
** Size of the standard is expressed in number of pages of the main document. More detail about the size is provided at the beginning of each section about a specific standard.

Organisation

ISACA⁶ was founded in 1967 in its earliest form by professionals who were responsible for auditing controls in computer systems [68]. Currently around 140,000 professionals are associated with ISACA. They provide several personal certifications like Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), etc. The original auditing background is clearly visible in all the products and services they provide.

Aim and scope of standard

COBIT 5 is based on five principles and seven enablers. The five principles are:

1. Meeting Stakeholder Needs
This principle means that the organisation exists to create value for its stakeholders. Potential stakeholders are shareholders, employees, customers, etc. Stakeholder needs drive benefit realisation and risk and resource optimisation. Multiple stakeholders can have different concepts of value, so the interests of the different stakeholders need to be negotiated. In the COBIT framework the stakeholder needs inspire the enterprise goals, which influence the IT-related goals, which influence the enabler goals.

2. Covering the enterprise end-to-end
This principle means that the IT governance (and also the cyber governance) cannot be seen separate from the enterprise governance. The cyber and enterprise governance need to be aligned and support each other. In COBIT there is a separation between stakeholders, governing body, management and execution; those four connect to each other (like four layers) to cover the enterprise end-to-end in the COBIT framework.

⁶ ISACA used to be an abbreviation for ‘Information Systems Audit and Control Association’, but is now only used as an acronym [68].


Figure 3.1: Historical scope development of COBIT (Obtained from [81, pp. 5])

Figure 3.2: COBIT 5 product family (obtained from [37, pp. 11])

3. Applying a Single Integrated Framework
This simply means that COBIT is aligned with other standards and frameworks (like COSO, ISO 27000, etc.). To prevent separate ‘islands’ in the governance/management, COBIT says that one integral framework should be used in the organisation.

4. Enabling a Holistic Approach
This means that not only one framework should be used, but also that the factors that influence the processes should be managed with a central vision. This is where the seven enablers come in (see below).

5. Separating Governance From Management
Separating governance from management enables a split between the ‘executing’ tasks and the ‘directing and monitoring’ tasks. On governance level the performance of the organisation is evaluated (based on the creation of value for the stakeholders). Management plans, builds, runs and monitors the activities (in line with the direction from the governance layer).

The seven enablers, linked to the principles by the fourth principle, are:

1. Principles, policies and frameworks
These form the bridge between the desired behaviour from the governance layer to the practical implementation on management level.


2. Processes
Organised set of practices and activities to achieve objectives and produce outputs (related to overall (IT-related) goals).

3. Organisational structures
Describe the decision-taking entities of an organisation.

4. Culture, ethics and behaviour
Are a key factor for success in both governance and management activities.

5. Information
Essential on all levels of the organisation for taking decisions, governing and managing, but often also part of the end product on the executing level.

6. Services, infrastructure and applications
Provide the organisation with the needed information and services.

7. People, skills, and competencies
Are required from the people in the organisation to successfully complete tasks and take decisions.

As an addition to the COBIT framework, ISACA has published a guide about cyber security and the COBIT 5 framework [80]. In this guide the application of the COBIT 5 framework and the information security guide to cyber security is worked out. In this transformation guide the cyber domain is introduced and the whole COBIT framework is worked out for cyber security. Especially interesting are the eight principles that are identified for transforming cyber security. The eight principles are:

1. Know the potential impact of cyber crime and cyber warfare
Knowing what is at stake is a starting point for transforming cyber security (according to the guide). Note that knowledge about the cyber domain is essential to be able to estimate potential impacts.

2. Understand end users, their cultural values and their behaviour patterns
ISACA underlines the importance of the users of (information) systems for the security approach. They emphasise that these should be taken into account on strategic, tactical and operational levels of security measures/approaches.

3. Clearly state the business case for cyber security, and the risk appetite of the enterprise
In line with the overall goal of the COBIT 5 framework (create value for the stakeholders), the business case of cyber security should be formulated to help it land in the organisation.

4. Establish cyber security governance
This means that a governance framework for cyber security should be adopted and constantly improved. Such a framework should provide a sense of direction and boundaries.

5. Manage cyber security using principles and enablers
This is closely linked to the COBIT 5 model; this principle states that cyber security should be managed according to the COBIT 5 principles and enablers.

6. Know the cyber security assurance universe and objectives
Basically this principle is about what is in the direct sphere of influence of an organisation and what is not, and that these boundaries should be known. Based on that, the objectives for assurance should be known and manageable.

7. Provide reasonable assurance over cyber security
ISACA describes that this can be done by appropriate monitoring, internal reviews, audits, and investigative and forensic analyses.


8. Establish and evolve systemic cyber security
ISACA argues for looking at cyber security as a system of interdependent elements. The weakest link should be identified and strengthened. Furthermore they state that security governance, management and assurance cannot be seen in isolation.

Besides the above described five general and eight cyber principles and the enablers, the process areas are interesting elements too; these are the more applied versions of the principles. In COBIT these are categorised in the Governance and Management layer. The Governance layer has a category containing evaluate, direct and monitor (EDM in COBIT). In the management layer there are four areas: align, plan and organise (APO in COBIT), build, acquire and implement (BAI in COBIT), deliver, service and support (DSS in COBIT) and monitor, evaluate and assess (MEA in COBIT).

1. Evaluate, direct and monitor
This category contains the processes on governance level. According to COBIT, all processes on governance level need an evaluate, direct and monitor component. Evaluate means evaluating strategic options, direct is setting the instructions for the management and monitor is to check if the actions set out in management are done.

2. Align, plan and organise
In the management layer the instructions from the governance layer need to be set up.

3. Build, acquire and implement
After the planning (both on strategic and operational level) comes the building (or acquiring) and implementation phase.

4. Deliver, service and support
This is the ‘run’ phase. All processes related to the daily operations are part of this phase.

5. Monitor, evaluate and assess
Monitoring performance of the daily operations is needed both to manage the daily operations and to feed back to the governance layer.

Note the difference between monitoring in the governance layer and the management layer. The monitoring in the management layer is feedback to the governance layer on performance, while the monitoring on governance layer is about checking performance on strategic goals. The principles, enablers and processes form the backbone of COBIT. The idea of the principles, processes and enablers is that they are generally applicable, also to cyber security. In the next section these principles and process areas are analysed as potential elements of a cyber approach. With these placed in the context of a cyber approach, the more in-depth elements of COBIT can be included more easily.

Potential elements to include in cyber approach

The elements described above as the core of COBIT can be part of a cyber approach. Based on the COBIT cyber addition [80] and analysis, the elements are discussed.

The main principles:

1. Meeting Stakeholder Needs
In the cyber domain, the stakeholders will be similar to the stakeholders involved for the whole business. However, within the stakeholders it is likely that there are internal conflicting interests. Creating value for the business in/with the cyber domain also means balancing those internal conflicting interests. In an approach there is therefore a need to balance these in some way.

2. Covering the enterprise end-to-end
Applied to a cyber approach this means that all activities and assets related to cyber need to be covered.


3. Applying a Single Integrated Framework
A cyber approach needs to connect to other frameworks in the organisation. Especially because cyber plays a bigger role in most organisations than before, it is essential that the cyber approach is aligned with other frameworks in the organisation.

4. Enabling a Holistic Approach
Besides connection to other frameworks, the cyber approach should be approached from a central vision. This means that within an organisation, cyber related decisions on a strategic level should also be made in the central approach, and these can become part of the cyber approach.

5. Separating Governance From Management
In a cyber approach the separation between strategic and operational level should also be included.

The cyber principles:

1. Know the potential impact of cyber crime and cyber warfare
This is strongly related to the risk management of the cyber approach. Knowledge about the cyber domain combined with knowledge of the organisation's own services and assets is essential to estimate the impact of cyber incidents.

2. Understand end users, their cultural values and their behaviour patterns
In an approach the end users should be kept in mind. Note that this is related to the general ‘end to end’ principle; not only on technical level, but also on the socio-technical level the approach should cover the security of services and assets.

3. Clearly state the business case for cyber security, and the risk appetite of the enterprise
When applied, this principle makes sure that the measures and risks will stay in balance in a cyber approach. It is therefore linked to the risk management as part of a cyber approach.

4. Establish cyber security governance
This principle underlines the general need for a cyber approach, with governance included in it.

5. Manage cyber security using principles and enablers
This principle also underlines that an approach should cover the principles and enablers. Note that one could formulate this also as ‘COBIT 5 elements should be used to manage cyber security’.

6. Know the cyber security assurance universe and objectives
This principle entails that the assurances and objectives should be clear in a cyber approach. In other words: it should be clear what is inside the sphere of influence of an organisation and what is not, how external risks are dealt with and what the objectives are of using a certain approach.

7. Provide reasonable assurance over cyber security
As stated earlier, ISACA describes that this can be done by appropriate monitoring, internal reviews, audits, and investigative and forensic analyses. These should, if you apply this principle, be part of a cyber approach.

8. Establish and evolve systemic cyber security
Within the cyber approach, governance, management and assurance should be covered in conjunction, not as separate parts.

The process areas(/phases):

1. Evaluate, direct and monitor
For an approach this means that inside the governance part the link with the goals of the organisation should be made; this needs to be evaluated and directed towards management. Results need to be linked back from management to the governance, in order to see how the organisation is performing on strategic level. It also means that the whole approach needs to be


2. Align, plan and organise
The organisational side of a cyber approach needs to be covered according to this principle.

3. Build, acquire and implement
Constructing, buying and starting to use specific parts of an approach need to be covered in an approach.

4. Deliver, service and support
Within an approach the day to day (security) practice should have a place.

5. Monitor, evaluate and assess
In an approach this links towards an update cycle within the risk management and situational awareness; the evaluation of risks and the constant update of the situation in situational awareness are an important aspect of a cyber approach.

3.3.2. IRM Cyber Risk Resources for practitioners

Full name: Cyber risk resources for practitioners
Origin: The Institute of Risk Management & CGI
Website: Link to IRM website about cyber risk and risk management [69]
Last revision: 2014-06-11
Size: 249 pages

Short description & background

The Institute for Risk Management (IRM) and CGI have created this standard, together with other business partners, in order to sketch the latest developments in cyber risks, made by and for risk professionals [82]. It is not a (very) technical document; rather it sketches the latest cyber developments. With a diverse set of contributors and subjects within risk management and cyber security discussed in 126 pages, it can serve as an extensive resource for practitioners (as the title already suggests). The fact that this standard was created with a diverse set of business partners also shows the connectedness in cyberspace; because all the different parties have, besides a (possible) financial interest, an interest in making cyberspace a bit more secure, they were able to produce an extensive document, helping others to improve their cyber security.

Organisation

This standard was constructed by IRM and CGI. The Institute for Risk Management (IRM) is an independent risk management education institute [82]. As a non-profit organisation, they reinvest any profit of activities back in new events and trainings. They try to encourage development on both personal and organisational level of the risk management community. They operate in more than 100 countries and cover risk management of both public and private organisations. With both members from professional organisations and students they cover a wide spectrum of the risk management community, increasing their impact. CGI is a company of Canadian origin founded in 1976, now operating globally as IT and business process services provider [82]. With over 1200 security professionals world wide and nine security operations centres (SOCs) continuously monitoring the cyber safety of clients, they have the practical experience covered for this document.

Aim and scope of standard

The cyber risk resource for practitioners contains 17 chapters (including the executive summary and introduction). For the complete table of contents see figure 3.3. Because this standard covers so many subjects only the main conclusions and recommendations are discussed.

In the executive summary ‘questions organisations should ask themselves about cyber risk’ [82, pp. 14] are given, enabling organisations to do a form of self testing. The subjects covered in the questions are:


• ‘Governance and assurance’, covering effectiveness and integration, responsibilities, risk appetite, agility, investments, culture and auditing.
• ‘Understanding the risk’, covering the identification of different kinds of assets, impact, and 3rd party dependencies.
• ‘Incident response’, covering detection, response, business continuity and accountability.
• ‘Training’

Note that the categories of questions mentioned in the executive summary correspond (partly) with the three dimensions. The threat landscape is analysed, concluding that there are many forms and shapes of threats and that these develop fast. Moreover, insurance cannot cover all the damage, because things like reputation, customer loss, stock devaluation and devaluation of intellectual property cannot all be compensated by an insurance. People are a weak link in security, but also a very important asset and line of defence; training and educating the people of an organisation can therefore result in improving the security of organisations. Next it is argued that the basic precautions should not be taken for granted; by implementing the basic security, most of the threats can be blocked. Last, but not least, the handling of incidents is discussed. The need for experience and training in incident management, together with auditing for the investigation, is stressed. Note that these identified trends endorse the findings of chapter 2 about dealing with cyberspace.

Figure 3.3: Table of contents ‘cyber risks resource for practitioners’ (obtained from [82, pp. 07])

Potential elements for framework

Transformed into a more requirement-like form, the self-test questions from the executive summary are very interesting elements to use; the questions asked cover the main findings of the resource for practitioners and can serve as a quick check to see if an organisation has covered all issues identified. Furthermore the resource for practitioners can provide valuable insights when working on a specific part of the cyber approach like (mobile) device security, dealing with social media or cyber auditing.


3.3.3. ISO 22301

Name: ISO 22301
Origin: ISO
Website: Link to ISO website about ISO 22301 [83]
Last revision: 2012-05-15
Size: 24 pages main document (plus additional other standards in the ISO 22300 series)

Short description & background

The International Organisation for Standardisation (ISO) has developed ISO 22301 as part of the ISO 22300 series, which describes why business continuity management is important for organisations and what it should cover [83]. It was created in 2012. ISO 22301 focusses on the requirements and controls that can be checked in an audit. It is structured around the PDCA-cycle (see also PDCA). Each section covers a part of the cycle. The cycle is shown in figure 3.4. The other standards in the ISO 22300 series are [84]:

• ISO 22300:2012, Societal security – Terminology

• ISO 22320:2011, Societal security – Emergency management – Requirements for incident response

• ISO/TR 22312:2011, Societal security – Technological capabilities

• ISO/PAS 22399:2007, Societal security – Guideline for incident preparedness and operational continuity management

• ISO 22323, Organizational resilience management systems – Requirements with guidance for use

• others including guidelines to set up partnership, guidelines for exercises and testing, guidance for business continuity management systems

The reason to focus on ISO 22301 (and not on any of the other standards of the ISO 22300 series) is that ISO 22301 focusses on requirements. Organisations can get certified as ISO 22301 compliant (persons cannot).

Figure 3.4: PDCA-cycle from ISO 22301 (obtained from [85, pp. vi])


Organisation

ISO 27001 is constructed by ISO. ISO was founded in 1947 and is the largest creator of international voluntary standards [65]. Members come from over 162 countries, giving an almost world wide coverage. Besides the ISO 27000 series, some exemplary standards developed by the ISO are ISO 31 (the International System of Units, based on the SI units), the ISO 9000 series about quality management and ISO 14001 about environmental management. The ISO headquarters (central secretariat) is based in Geneva (Switzerland) and ISO has over 19.500 standards published by over 3 368 technical commissions that develop standards.

Aim and scope of standard

The aim of this standard is to describe the PDCA-cycle in order to give a management foundation for business continuity management [84]. This is done in different sections. Sections 0 to 3 are the introduction and definition of key concepts. In section 4 the importance of the context of the organisation is emphasised. The context sets the scope for the business continuity management. In the case of cyber security this would entail what assets there are to protect, how they are connected and with whom, for whom they are important, etc. Section 5 describes the need for leadership; enough resources need to be made available to set up business continuity management. Section 6 is about the practical planning of implementing a business continuity management system. Section 7 emphasises that resources alone are not enough; people with the proper competence also need to be ready when something happens. This means the right knowledge, skills and experience, but also that the staff members are aware of their roles and those of others. Communication about incidents is also covered in this section. These four sections (4 to 7) cover the ‘Plan’ step of the PDCA cycle.

Section 8 is the core of the standard. It covers the business impact analysis and the risk analysis, and the actions that need to be taken to reduce risks: ”Hope for the best and plan for the worst” [84]. Furthermore it entails the direct response plan to prevent extra damage and the return to ‘business as usual’ as soon as possible. Those last requirements were not yet covered by previous standards. This is also important for cyber security, due to the need for resilience; not only the need to de-escalate an incident as soon as possible to prevent further damage, but also getting the processes running as usual as soon as possible, together form the basics of being cyber resilient. The need for one overall plan for the whole organisation, supported by lots of smaller plans for detailed responses to specific incidents, is worked out. The last part of section 8 covers the requirements for exercises and tests to see if the back-ups designed on paper also work in practice. This also entails training people in skills, giving experience and raising awareness. Section 8 covers the ‘Do’ of the PDCA cycle.

Section 9 discusses the requirements for evaluation with internal audits, and managers need to review the procedures. This is the ‘Check’ of the PDCA-cycle. Finally, in section 10 the improvement is described; every management system needs to be updated every now and then. This step is to make sure that if changes in the environment lead to a need for changes in the business continuity management system, those are signalled and acted upon. This is the ‘Act’ of the PDCA-cycle.

Potential elements to include in cyber approach

The PDCA-cycle as a whole is interesting to include in a cyber approach. This approach to business continuity connects to all three dimensions of a cyber approach. Cyber governance has mainly connections with the ‘Plan’, ‘Check’ and ‘Act’ steps: making sure that sufficient resources are made available, shaping the right conditions to act quickly if needed and keep monitoring whether that is still the case. Situational awareness and risk management mainly connect to the ‘Do’ step; situational awareness connects to the need to be able to monitor threats, detect incidents as soon as possible and react swiftly to them. The risk management is needed to know what should be monitored, and to know for which assets there should be a ‘recovery plan’ and what the impacts might be (and with that how high the priority should be and whether escalation is needed to deal with an incident).

3.3.4. ISO 27001
Full name: ISO/IEC 27001:2013
Origin: International Organization for Standardization (ISO)
Website: Link to ISO website about ISO 27001 [86]


Last revision: 2013-10-01
Size: 23 pages (plus list of controls and additional other standards in the ISO 27000 series)

Short description & background
The ISO has developed ISO 27001 as part of the ISO 27000 series, which describes what an Information Security Management Framework (ISMF) consists of and how it can be implemented, kept up to date and improved [86]. It was first developed by the UK government as standard BS 7799, was adopted by ISO as ISO 17799 in 2000 and was updated to the ISO 27000 series in 2005 [87]. ISO 27001 focusses on the requirements (/controls). Other standards in the ISO 27000 series related to cyber security are [88]:

• ISO/IEC 27002 Code of practice for information security management

• ISO/IEC 27003 Implementation guide

• ISO/IEC 27004 Measurement

• ISO/IEC 27005 Information security risk management

• ISO/IEC 27032 Guideline for cyber security

• others including network security, application security, auditing ISO27001 implementation, etc.

The choice to focus on ISO 27001 (and not on any other parts of the ISO 27000 series) is (similar to the motivation for choosing ISO 22301 of the ISO 22300 series) because ISO 27001 gives the requirements for an ISMF, which are potentially the most interesting elements for a cyber approach. Furthermore, ISO 27001 is the standard an organisation can get certified on. ISO/IEC 27032 contains the definitions of cyberspace related concepts (like in 2.1.1 in this thesis) and is the cyber implementation of ISO 27001 [89]. Because the requirements from ISO 27032 and ISO 27001 do not differ much, the focus is kept on ISO 27001. The definitions ISO uses are a bit narrow compared to the definition used in this thesis7. Despite the more classical focus on CIA-principles in the ISO 27000 series, the controls defined and described can still be used (possibly after some transformation) in a cyber approach. Note that organisations can get an ISO 27001 certification (persons cannot).

Organisation
See the description of ISO at section 3.3.3.

Aim and scope of standard
The ISO 27000 series aims at providing the knowledge needed for establishing, implementing, maintaining and updating an ISMF in order to keep information safe. As concluded earlier, cyber security is broader than information security. Still, from the aim of the ISO 27000 series and the requirements (and controls) identified in ISO 27001, some widely accepted controls and best practices for a cyber approach can be obtained. Because it is so widely accepted and used, it can offer a basis to transform into an approach aiming for cyber resilience. Due to the clearly described controls it offers a great ‘common language’ for communication between different parties, which can help with cooperation in (public private) partnerships. There are 114 controls, divided into 14 areas, listed in Annex A of the standard. The aim of ISO 27001 is to be useful for all kinds of organisations (from small to large and from non-profit to governmental and commercial). Because of this the scope is very flexible, which means that an ISO 27001 certification is only valuable if the scope is also known; the certification on its own only shows that there are measures/processes based on all the controls, but not how well they are implemented. [Part about strong and weak points] “Exploring the Suitability of IS Security Management Standards for SMEs”.

7For example, ‘cyber security’ is defined as the “preservation of confidentiality, integrity and availability of information in cyberspace” [90]


Potential elements for framework
In this section the fourteen categories of controls are discussed as potential elements of a cyber approach. Note that the scope of ISO 27001 is originally information security; for each control area it is also discussed how this changes if applied to cyber security (if relevant). The numbering is consistent with the numbering in the ISO 27001 documentation.

5. Information security policies
In this control area the existence and systematic revision of security policies is checked. To fulfil this control a cyber approach needs to contain policies and a revision policy.

6. Organisation of information security
This area is split up into ‘internal organisation’ and ‘mobile devices and teleworking’. These are controls about how information security should be organised internally. These are still applicable for a cyber approach. For cyber, the division of the roles should cover all assets (including services).

7. Human resource security
In this area a distinction is made between three phases: prior to employment, during employment and termination of employment. In a cyber approach these controls can be part of the governance layer. Note that these controls do not cover the service ‘HR’-management, in other words they do not cover the safety of these services. These could be covered in the area compliance.

8. Asset management
These controls cover the responsibility for assets, information classification and media handling. In cyber these would stay about the same. However, asset management alone is not enough; a new category ‘services’ could complement the controls needed in a cyber approach.

9. Access control
In this control area the access controls are described. This covers who gets access to which system and which information, including responsibilities of users.

10. Cryptography
In a cyber approach, cryptography (policies) are less important than in information security; cryptography can be one of the protection layers that protect assets and services. These controls are still valuable, but not on the same level as in information security.

11. Physical and environmental security
This is not part of the scope of this thesis. However, when an approach is embedded in an organisation, the link to physical security is an important part. These controls could then also be adopted/used as inspiration.

12. Operations security
This is a very diverse control area. These controls cover the day to day operations: procedures and responsibilities, protection from malware, backup measures, logging and monitoring, software policies, technical vulnerability management and information systems audit considerations. In a cyber approach these can be categorised in governance and technical implementation. Note that the controls describe policies about logging and monitoring, which are part of governance. These are closely related to situational awareness, because in that dimension the monitoring and logging is practised.

13. Communications security
This control area covers both network security and the transfer of information. For cyber security these are also very relevant. Communication, both internally and externally, should be made as secure as possible, especially when controlling systems with remote access etc.

14. System acquisition, development and maintenance
These requirements cover the security of systems before they are acquired, when they are being developed and when they need maintenance. For cyber security, these are especially important because the creation of new systems or the updating of current systems influences the (internal) cyber environment. By adding and adjusting systems systematically, the implications for the risk management (and situational awareness) can be included in the cyber approach.

15. Supplier relationships
The supplier relationship requirements strongly relate to third party insurance. These requirements cover some legal (contractual) aspects, the monitoring of third parties and whether these relationships are reviewed every once in a while. In cyber security the connections with (and dependence on) other parties will only grow further, making these requirements even more important.

16. Information security incident management
Although prescribed for information security, for cyber security these requirements are similar. They cover the procedures and responsibilities related to the detection and reporting of, and dealing with, security incidents. If these requirements are complemented with cyber forensics requirements, they could serve as a basis for the requirements for this area in a cyber approach.

17. Information security aspects of business continuity management
These requirements cover the business continuity aspects of information security. They are covered more extensively in ISO 22301 (see section 3.3.3).

18. Compliance
These cover legal aspects and the regular and independent review of the security management system. These requirements are similar for cyber security.

3.3.5. NIST framework for cyber security
Full name: NIST framework for cyber security
Origin: NIST
Website: Link to NIST website about release of version 1.0 of cyber security framework [91]
Last revision: 2014-02-12
Size: 39 pages (plus additional usable versions of the appendix)

Short description & background
This framework was developed in response to Executive Order 13636 [92] from President Obama of the US. The first version (version 1.0) was published on 12 February 2014 [91]. It is a voluntary framework which aims to support critical infrastructure in their cyber approach. It was constructed in a one year process in collaboration with parties from the academic world, industry and government (actually a form of PPP)8. Although it is aimed at critical infrastructures, all kinds of organisations could use the framework to enhance their cyber approach.

Organisation
The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce, founded in 1901 [75]. The mission of NIST is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.

Aim and scope of standard
This standard can be used as a way to systematically analyse the steps in the protection from and handling of cyber incidents. There are five major functions defined by NIST: identify, protect, detect, respond, recover. NIST provides a further split of these functions into categories and sub-categories. In the appendix of the standard all 98 subcategories are linked to other standards (like ISO 27001 and COBIT 5). This standard and the bowtie model (introduced in chapter 2) can be linked: detect at the centre (in the bowtie at the place of the incident), identify and protect on the left side of the bowtie and respond and recover on the right side.

8Note that this is a similar group composition to what the NCSC aims for in its collaborations [5].


1. Identify
This function is about exploring the environment of an organisation, knowing what should be protected and determining the consequences of incidents. The categories of this function are ‘asset management’9, ‘business environment’, ‘governance’, ‘risk assessment’ and ‘risk management strategy’. Note the links to the three dimensions, especially cyber governance and risk management.

2. Protect
In this function the protective measures are covered. This includes implementing measures based on the risk analysis as well as the basic protective measures. This function is linked to all three dimensions (especially risk management and cyber governance). The categories of this function are ‘access control’, ‘awareness and training’, ‘data security’, ‘information protection process and procedures’, ‘maintenance’ and ‘protective technologies’.

3. Detect
In cyber security, incidents cannot be avoided at all times. Therefore, a good detection system is essential. In this function detection is looked at from the perspective of events, monitoring and processes. This function is closely linked to situational awareness; if detection is in order, the view of the surroundings can be very sharp, enabling swift reaction if needed. The categories of this function are ‘anomalies and events’, ‘security and continuous monitoring’ and ‘detection processes’.

4. Respond
The function respond covers the direct response to an incident. The direct response should make sure that the damage is kept to a minimum and that the incident is ended as soon as possible. Respond is, like detect, also closely related to situational awareness. Note the link between this function and business continuity as described in ISO 22301. The categories of this function are ‘response planning’, ‘communications’, ‘analysis’, ‘mitigation’ and ‘improvements’.

5. Recover
Directly after the immediate incident is over, the recovery should start. This function is also related to situational awareness. With this function too, note the link to business continuity as described in ISO 22301. The categories of this function are ‘recovery planning’, ‘improvements’ and ‘communications’.

Potential elements for framework
This standard defines cyber in a way similar to this research. Due to this similarity, the functions described in the NIST framework can all be used very well in a cyber approach. In the previous section the link between the functions and the dimensions has already been pointed out briefly. The other way around, the three dimensions are reasonably covered by the functions of the NIST framework. Cyber governance is covered in the functions identify and protect. Not the whole of cyber governance is covered (for example the links to the organisation’s goals are not really covered), but large parts are. Risk management is broadly covered in the functions identify and protect. With three functions corresponding to situational awareness, this dimension is better covered by this standard than by any of the other standards. The NIST framework functions together have a good (though not complete) coverage of the three dimensions, so all five functions will be included in the cyber approach design in chapter 5.

3.3.6. PAS 555
Full name: PAS 555
Origin: BSI
Website: Link to PA Consulting website [93]
Last revision: 2014-05-01
Size: 22 pages (including appendices)

9Note that NIST uses a similar definition of assets as is used in this thesis

Short description & background
The Cyber Alliance (consisting of Cisco, Control Risks, G4S, PA Consulting Group and Symantec) has sponsored the creation of a cyber standard by the British Standards Institution (BSI). This has resulted in the creation of PAS 555:2013. This standard describes requirements for an effective cyber security approach [94]. PAS 555 was created with the following principles in mind [93]:

1. A comprehensive approach to security is essential
Information security was focussed too much on technical aspects [93]; PAS 555 therefore also takes social/human aspects into account. Furthermore the whole security chain is considered, from risk assessment, mitigation and protection to detection, response and recovery.

2. Effective cyber security means reaching into all parts of the economy, big and small
The aim of this standard is to help both small and large organisations. This is done from the vision that, although most standards are focussed on larger organisations, the smaller ones are also essential for the security of all organisations due to the connectedness between organisations.

3. Outcome-focused works better for cyber security
To prevent describing specific technologies that should be used (which can get outdated), PAS 555 is focused on the results, rather than the methods and controls.

The Dutch cyber security council has recommended this standard as a starting point for organisations to organise their cyber approach [95].

Organisation
This standard is a product of a collaboration of public and private partners. BSI is the copyright owner, but the standard is sponsored and supported collaboratively by Cisco, Control Risks, G4S, PA Consulting Group and Symantec. BSI is the British national independent standardisation organisation and represents the UK in, for example, ISO.

Aim and scope of standard
PAS 555 aims to be a comprehensive framework for cyber security for small and large organisations. It identifies six areas in which 25 (sub)clauses are formulated. These clauses together cover a cyber approach at a high level. The six identified areas are:

• Security leadership and governance clauses
In this area six clauses are included. They cover the governance aspects of cyber security, from management structure to business resilience and commitment to cyber security culture. They cover the dimension governance but include a vision on security that, according to PAS 555, should be adopted in the strategy of the whole organisation as well. This is part of the first principle as described above. This area contains nine clauses in total.

• Risk assessment
The goals formulated cover the management of assets, threat assessment and vulnerability assessment. In this way (the major part of) the dimension risk management is covered. Note that this covers the ‘what do we need to protect’ part of risk management and not the countermeasure part (the mitigation and reduction of the risk). This is formulated in three sub-clauses (and a general sub-clause).

• Protection and mitigation
This area covers protection from threats from inside and outside the organisation, both physical and technical threats. Furthermore it covers the ‘resilience preparedness’ in order to reduce the impact of a cyber incident. The sub-clauses are ‘people security’, ‘physical security’, ‘technical security’ and ‘resilience preparedness’. Note that by ‘people security’ PAS 555 means not the security of people, but the threats from people.

• Direction and response
This area covers monitoring (internal and protective), awareness and incident management. This area should also cover trend recognition if things change in the environment of an organisation. The four sub-clauses are ‘external awareness’, ‘internal monitoring’, ‘protective monitoring’, and ‘cyber security incident management’.


• Recovery
This area covers the return to ‘business as usual’ after an incident. This covers the operations, the investigation, the legal process and the assurance of data protection in four sub-clauses. This is part of the dimension situational awareness. This is also a crucial part for the realisation of cyber resilience; the better the recovery after an incident, the better the resilience.

• Compliance analysis and continual improvement
The goal of this clause is to create a ‘learning organization’ in order to deal with the changing environment with developing and dynamic threats. This clause has no sub-clauses.

The four areas ‘risk assessment’, ‘protection and mitigation’, ‘direction and response’ and ‘recovery’ can be closely linked to the bowtie model (introduced in chapter 2) and the earlier discussed NIST framework. The first two can be situated on the left hand side of the bowtie (preparation), while the second two can be situated on the right hand side of the bowtie (response and recovery). The PAS 555 standard focuses on the ‘what’ rather than on the ‘how’. Appendix A of the standard contains a table in which the links between PAS 555 and ISO 27001 (and others) are shown. Most interesting is the fact that clause 14.3 of PAS 555 is not covered by any other standard. This clause is called ‘protective monitoring’ and entails the monitoring of the organisation’s own assets, strongly related to situational awareness10. Note that PAS 555 also connects remarkably well with the conceptualisation of a cyber approach as shown in figure 2.4: the ‘security leadership and governance’ clauses correspond with the dimension governance, the clauses ‘risk assessment’ and ‘protection and mitigation’ match with the dimension risk management, the clauses ‘direction and response’ and ‘recovery’ correspond with situational awareness and ‘compliance analysis and continual improvement’ corresponds with the update cycle.

Potential elements for framework
Because the areas identified by PAS 555 match quite well with the conceptualisation of the cyber approach, all the (sub-)clauses mentioned in PAS 555 can be used as elements in a cyber approach. However, some clauses are more interesting than others. For example, clause 14.3 is not covered in ISO 27001, or in any other standard according to appendix A of PAS 555. This is therefore an extremely interesting element. Other extra interesting elements, because they are not covered as well by information security standards, are security culture (clause 4), resilience related clauses (clauses 10, 13.4 and 15.3) and external awareness (clause 14.1).

3.4. Analysis of the compared standards
A first interesting point is the coverage of resilience; as summarised in table 3.1, resilience is not covered in all standards. Roughly speaking, the newer the standard, the better resilience is covered. The insight that one should aim for resilience instead of being free from harm has not yet been adopted in all standards. Another interesting point is that, while all standards are constantly evolving, it is clear that COBIT 5 and ISO 22301 + ISO 27001 have a much larger background/history to build further on. With that, they have also ensured their position in the landscape. The role of the NIST framework and PAS 555 is hard to tell, because they are relatively new and organisations need time to place them (including their insights) in their own approach. It is clear that, with their focus being more on resilience, they will without doubt influence the next versions of ISO 27001 and COBIT 5.

3.4.1. Coverage of the three dimensions
The three dimensions identified earlier are not covered equally in the standards. A lot of standards cover risk management (in particular risk management in general), a bit less cover (cyber) governance and no formal standard was found about situational awareness. However, as shown in the discussion of the six specific standards, the more recent standards focussing explicitly on cyber cover situational awareness a bit more. Situational awareness is not mentioned explicitly, but the monitoring (both internal and external), reacting quickly to incidents and recovery after them are given more attention in the standards PAS 555, the NIST framework and the Cyber risk resources for practitioners. The analysis made in these three standards is in line with the analysis in chapter 2 about the different properties of cyber versus information security. The two standards focussing more on information security, ISO 27001 and COBIT 5, are still very valuable standards. Their coverage of both governance and risk management for information security can be used for cyber as well. Note that, although cyber is in our view broader than information security, information security is still important; the lessons learned from information security (standards) should still be used and adopted by organisations. However, the approach should be extended in such a way that the specific cyber aspects are covered as well. Both ISO 27001 and COBIT 5 take some first steps to transform towards a cyber standard, but there is still some work to be done. ISO 22301 covers business continuity, an important aspect for cyber resilience. This standard is not focussed on cyber, but the principles from the standard can be used in the cyber domain in order to bring that cyber resilience closer. This standard does link to the recovery part of situational awareness. Generally speaking one could say that new standards that cover (parts of) the cyber aspects better are being developed. However, situational awareness is still underexposed and an overall approach linking the three dimensions together has not been found in the standards available.

10Note that this supports the observation that situational awareness is almost not covered in the standards currently available.

3.5. Summary
In this chapter the cyber security standards landscape is discussed. The role of standards in different phases of the creation of a cyber approach is elaborated upon, and auditing and legal aspects of standards in cyber are given. The independent standardisation organisations, specialised interest groups and governmental parties together shape the cyber standards landscape. In a way similar to that described in the garbage can model, issues are debated, private/commercial and public stakes are weighed, coalitions are formed, pioneers take steps ahead of the rest and in that ‘rough playing field’ standards are created and adopted. This results in a very diverse set of standards with a lot of different aims and scopes. Six of those standards related to cyber security are analysed and elements that are of importance for a cyber approach are identified. A cyber framework must cover these elements or at least be compatible with them (requirement for the design!). The six standards that are analysed do not cover the three dimensions cyber governance, risk management and situational awareness equally. Situational awareness is covered the least, although newer standards tend to give it more attention. This could indicate a trend towards a shift of focus to also include situational awareness and resilience in the cyber standards available.

4. Exploring cyber issues

With the standards landscape explored, cyber issues and requirements for a cyber approach are researched by interviewing experts. In this way, the link between a cyber approach on paper, from literature and standards, is enriched (and tested) with the practical experience of experts. Nine explorative interviews with nine respondents were conducted. The experts are information/cyber security experts from the field, working at major IT-service providers, government agencies or in the chemical industry. In this chapter the interview explanation, the interview structure and the lessons learned are described. The lessons learned include insights about the use of standards in practice, the three dimensions, general findings and the identification of five cyber issues. For privacy reasons the respondents are only referred to as ‘respondent X[random number]’.

4.1. Interview explanation and structure
To make the link between the literature and standards described on paper and the practice of cyber security, different experts are interviewed. The nine experts interviewed are experts with practical experience in keeping their (part of the) organisation secure from cyber threats. The experts together cover experience from over six countries worldwide with different cultural backgrounds, from both government and commercial perspectives. In order to get as much information from the respondents as possible, semi-structured interviews were used. In this way respondents could zoom in on the parts in which they have the most experience. The interviews had a duration of 70 minutes on average. For practical reasons most of them were conducted via teleconferencing. The interviews were written out (based on a recording and/or notes made during the conversation) and analysed with the help of colour annotation by an expert. The structure of the interviews is based on the three dimensions, extended with an introduction, a section about standards and best practices, and general cyber experiences. The dimensions were covered in the order:

1. Cyber governance

2. Risk management

3. Situational awareness

Cyber governance connects well with an introduction about the role of the respondent within the organisation. Next, risk management is discussed because that dimension is better covered in existing standards and best practices. Situational awareness was linked to risk management via the monitoring of threats. General cyber experiences were discussed as the closing theme, discussing the experiences from all three dimensions together. Note that within the three dimensions the update cycle was also discussed. For the extensive interview structure used during the interviews, see appendix B.


4.2. Standards in practice
During all the interviews, the use of standards in practice was discussed. Interestingly, although the standards analysed in the previous chapter claim to be quite complete and comprehensive, none of the experts interviewed used or advised the use of one standard alone. In practice standards are either used as a starting point for a cyber approach, or used to upgrade parts of the existing approach. Two respondents (X4 & X9) independently mentioned the use of SABSA1 as the starting point of (information) security architecture. In one example, based on this architecture methodology, a start of the organisational structure was developed and with the help of other standards the approach is made complete. In other words, in practice not one standard alone is completely adopted as cyber approach; an architectural standard or the existing approach is taken as the starting point on which to base the approach, which is further enriched with other cyber standards. Furthermore, besides serving as a source of inspiration, standards also contributed to the ability to communicate about the approach. Using a standard helps to communicate with other parties (both internal and external) because the terminology is clear for everyone. Respondent X9 especially added that mappings between different standards and between standards and own controls/methodology can also help the communication.

Another interesting point was the certification of approaches based on standards. Several respondents argued that for them certification was only interesting if there was a business case to certify for a standard. The business case could be strong enough if:

• Certifying is legally required (for a specific activity)

• A customer requires certification

• Certification gives a competitive advantage in acquiring new orders/assignments

Respondent X3 said that they only certify parts of the organisation that have a business case, because implementing a standard fully brings a lot of extra costs without a better working cyber security approach. Furthermore, the scope of the standard and of the audit that is the foundation for the certification is essential for the value of certification. Certification of a more technical standard with concrete controls and tests2 was seen as much more valuable than a broader standard focussing (mostly) on processes3. Respondent X6 adds that by keeping an eye out for new standards and developments, it becomes easier to adopt a standard if the business case for that standard becomes strong enough later in time.

A paradox with standards also showed during the interviews. A standard can never cover everything; it needs to be scoped to a certain area. However, if it is too wide, it will be too general to be useful according to some4, while if a standard gets too specific it can become binding or rigid5. Therefore one standard cannot be sufficient for an organisation; a combination of standards will always be needed, and they need to be applied by professionals who can link the different standards together, forming a comprehensive approach. In other words, all standards have their strong points and weak points6. By combining the strong points of different standards an approach can be formed. One standard cannot cover everything, but the standards landscape as a whole does not cover everything yet either. For example, cyber aspects are not yet fully covered according to respondents X1, X8 and X9.

1Sherwood Applied Business Security Architecture, methodology developed in 2009 to develop and design risk-driven security architecture [96]
2The example of SOC1 and SOC2 of ISAE 3402, developed by the International Federation of Accountants (IFAC) [97], was given independently by two respondents (X6 & X9) as valuable audits about security performance.
3Respondent X9 mentioned that ISO 27001 certification was less valuable for their organisation and their partners, because it was not giving them real insight into whether the security measures were sufficient. Respondent X6 independently gave similar criticism by stating that, critically viewed, an ISO 27001 certification only means that you have a management philosophy and do risk management, but says nothing about your level of security.
4For example respondent X8 thought so of PAS 555:2013
5For example respondent X1 said about ISO 27001 that it is too rigid; it misses practical insight and there is not always enough flexibility to deal with the fast occurring cyber threats. In the view of respondent and X9, following SABSA strictly does not work because it will make your approach not flexible enough
6Respondent X9 gave the example of the KPIs of COBIT as a strong point.

PUBLIC VERSION 4.3. Cyber governance findings 37

Respondents X8 and X9 gave ISO 27001 as an example; it covers the basics of information security, especially the control measures, but there is not yet a similar standard that can deal with the dynamics of cyber. Besides the missing dynamics of cyber, respondent X5 misses standards about the logical control layer (the layer between high-level governance and low-level technical standards). To cover things not dealt with by standards, several respondents told that they use best practices to fill in the gaps.

As already stated in section 3.1.2, standards are often faster and more flexible than official legislation. However, respondents X4 and X8 noted that new technologies in cyberspace develop so fast that even standards cannot keep up with them. This means that the cyberspace environment changes fast and that enough flexibility is needed within the approach and the cyber standards used to deal with these changes in the environment, especially the new technologies.

A last finding regarding standards in practice concerns cultural differences; these influence how the role of standards is seen. Roughly speaking, in Europe and North America a standard is more seen as a guideline that can be used as inspiration (and as a communication tool), while in (South-)Asia standards are taken very strictly and certification is an important aspect, both internally and externally, to justify the approach. A European respondent even warns that complying with a standard is more like fulfilling the bare minimum than being the best. The respondent from South-Asia said that they used additional standards, but once they choose to use a standard, they make sure that it is implemented and used completely (at least, as completely as possible). Standards are seen more as a must-do than as an inspiration. Both views of a standard can be useful, as long as standards are still reviewed with enough criticism and not blindly followed. The fact that, even when a standard is fully implemented (or an attempt is made to do so), additional standards and guidelines are still necessary shows the lack of completeness of standards.

4.3. Cyber governance findings

During the interviews, the connectedness between the different parties in the security landscape was mentioned often. For example, in the Netherlands the cyber unit of the Dutch government, the National Cyber Security Centre (NCSC), has recently set up ISACs⁷ in which information between partners can be exchanged. Furthermore, in every interview the roles of other actors were discussed. The fact that the cyber security performance of individual organisations is influenced so much by other organisations can be defined as a form of network dependency.

According to respondent X4, checks and balances in the governance are important to prevent incidents. These checks and balances need to be incorporated in the division of responsibilities (splitting certain responsibilities) and in the design of the processes and procedures.

Another theme that arose during the interviews was the organisational structure. More specifically, two matters arose: (1) the division of responsibilities between the local security department and the central security office and (2) the position of the security department relative to the line organisation. The first matter concerned for example respondent X7. In the view of the respondent, the handling of issues now takes more time than necessary, because part of the monitoring and the access to the monitoring data is kept at the central security office. This balance is unique for every organisation. Because the respondent thought that in their case it could be more efficient, changing it could be an option. What matters is that a balance is found that works for the whole organisation. The placement of the Chief Information Security Officer (CISO)⁸ in the organisation is a good starting point for that discussion.

Respondent X9 gave a useful rule of thumb for the position of the CISO: ‘if an organisation is less mature in cyber security the CISO office should be located near the IT department (because there is a lot to improve there), but in more mature organisations it is better to be closer to business and senior management to be better able to represent business to the IT department’. On the second matter, respondent X5 suggested a more integrated security team in the line organisation, because security is often seen as a cost, while it is more a form of basic requirement (or insurance, as respondent X6 calls it); the idea is to bring the security department closer to the business, so that the basic requirements are better integrated in the business process. A downside is that the independence of

⁷ ISAC = Information Sharing and Analysis Centre. There are eleven ISACs [98]; they are centres initiated by the National Cyber Security Centre to bring together knowledge and experience from different sectors.
⁸ Note that one could argue that a consequence of the analysis that cyber security is broader than information security could be that the function of CISO transforms into the function of a Chief Cyber Security Officer (CSSO) or Chief Security Officer (CSO).

a security department could suffer from being more integrated into the line organisation. For each organisation the balance should be found in order to keep security covered and the business functioning efficiently.

As a way to internally encourage the switch from information security to cyber security, respondent X9 had good experience with the tactic of ‘convincing rather than enforcing’. By using mappings of the wanted (new) standards to the specific standards of the different departments, convincing others that there was a need for additional measures was much easier.

A final governance-related theme discussed in the interviews was the legal aspects. Several respondents argued that privacy is an important aspect of a cyber approach; respondent X8 mentioned the big data trend and the wish of a lot of parties to link all data as an extra reason for good privacy protection. For the privacy aspects, but also for (other) legal aspects, legal requirements need to be translated into control measures and fulfilled in the approach, respondent X9 suggested.

4.4. Risk management findings

An important theme in risk management is the finding/statement that ‘risk and reward need to be in balance’, meaning that the measures taken should not be more costly than the asset they protect. The assessment of the risk (what do I want to protect, what is its value, what is the business impact if we lose it or if it fails, and what is the chance of it going wrong) is therefore an essential step in the risk management process. As respondent X4 pointed out, the nature of the company and its goal is essential to find out what the core activities and services are and consequently what needs to be protected most. An extra way to make sure all the important risks are covered, shared by respondent X3, is to use an asymmetric risk matrix; for example, if an impact is very high, countermeasures are always needed, even if the probability is very low.

Respondent X3 told of the risk tool used at his organisation; this ‘classic’ risk tool is in his view not very efficient, but it is very precise. Note that this could give trouble in the future, because cyber is more dynamic than information security, so time can become a much more crucial factor than it already is now, potentially resulting in risk management that does not function properly. Another risk of using a very detailed tool for risk management is that, if not enough changes during the risk management cycle, filling in the risk-related factors can become a routine for the people who have to do it. Routine can lead to sloppiness, resulting in missed risks or threats or misjudged impacts. This is especially relevant because several respondents concluded, regarding the question ‘How to determine what risk is acceptable and what not?’, that in the end it is a subjective choice; you can structure the decision process with models, structures and procedures, but in the end it remains a human decision to accept a certain risk level or not.
Because of this subjectiveness it is important to minimise sloppiness. Respondent X3 therefore stressed that routine should always be prevented in risk management. Ways to do this are to check the analyses with external experts, do workshops, organise internal checks, etc.

For the active part of risk management, taking the measures to keep control and risk in balance, information is needed. This partly comes from monitoring the effect of measures, but this is also where situational awareness plays an important role in cyber security; the information about threat developments, recent incidents, etc. comes from situational awareness. The other way around, situational awareness can only be done if it is known what should be protected and what the priorities are. This link was explicitly described by respondent X8.
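The asymmetric risk matrix that respondent X3 described above can be made concrete with a small worked example. The code below is an added illustration, not code from the thesis or from any respondent's organisation: it rates a constructed risk register once with the usual symmetric product score (likelihood times impact) and once with the asymmetric rule (very high impact always requires countermeasures, whatever the probability), and lists the risks the symmetric score would have dropped. The ordinal scales, the threshold of 10, the impact floor and the register entries are all assumptions chosen for the illustration.

```python
"""Asymmetric risk matrix versus a plain likelihood x impact score.

Added, constructed example (not code from the thesis or from any respondent's
organisation). Scale values, thresholds and register entries are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ordinal scales (assumed): 1 = very low ... 5 = very high.
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Symmetric rule (assumed threshold): countermeasures required when
# likelihood x impact exceeds this value.
SYMMETRIC_THRESHOLD = 10

# Asymmetric override (assumed floor): at this impact level or above,
# countermeasures are required regardless of likelihood.
IMPACT_FLOOR = 5


@dataclass(frozen=True)
class Risk:
    asset: str        # what do I want to protect
    scenario: str     # what could go wrong with it
    likelihood: str   # chance of it going wrong (ordinal label)
    impact: str       # business impact if it fails (ordinal label)


def symmetric_score(risk: Risk) -> int:
    """Classic product score: likelihood x impact on the ordinal scales."""
    return LEVELS[risk.likelihood] * LEVELS[risk.impact]


def requires_measures_symmetric(risk: Risk) -> bool:
    """Symmetric matrix: a high-impact/low-probability cell and a
    low-impact/high-probability cell with the same product are treated alike."""
    return symmetric_score(risk) > SYMMETRIC_THRESHOLD


def requires_measures_asymmetric(risk: Risk) -> bool:
    """Asymmetric matrix: very high impact always needs measures;
    otherwise fall back to the symmetric score."""
    if LEVELS[risk.impact] >= IMPACT_FLOOR:
        return True
    return requires_measures_symmetric(risk)


def missed_by_symmetric(register: list[Risk]) -> list[Risk]:
    """Risks the asymmetric rule flags but the symmetric score would drop."""
    return [r for r in register
            if requires_measures_asymmetric(r) and not requires_measures_symmetric(r)]


def prioritised(register: list[Risk]) -> list[Risk]:
    """Treatment order: flagged risks first, then highest impact, then score."""
    return sorted(register,
                  key=lambda r: (requires_measures_asymmetric(r),
                                 LEVELS[r.impact], symmetric_score(r)),
                  reverse=True)


# Constructed register; the scenarios are illustrative, not findings of the thesis.
REGISTER = [
    Risk("HR database", "credential phishing of HR staff", "high", "medium"),
    Risk("Plant control network", "loss of furnace control during an incident",
         "very low", "very high"),
    Risk("Intranet wiki", "defacement", "medium", "low"),
    Risk("Payment system", "insider fraud", "low", "very high"),
]

if __name__ == "__main__":
    for r in prioritised(REGISTER):
        print(f"{r.asset:22} score={symmetric_score(r):2} "
              f"symmetric={requires_measures_symmetric(r)!s:5} "
              f"asymmetric={requires_measures_asymmetric(r)}")
    print("missed by symmetric matrix:",
          [r.asset for r in missed_by_symmetric(REGISTER)])
```

In this constructed register the two very-high-impact entries score 5 and 10 under the product rule and would both fall below the symmetric threshold; the asymmetric override keeps them in scope, which is exactly the class of rare but severe event (compare the steel producer incident discussed later in this chapter) that a routine filling-in of a product matrix tends to miss.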

4.5. Situational awareness findings

Situational awareness is the least developed in the field; organisations are starting to create situational awareness (although they often do not call it that), but it is still underdeveloped. This is supported by the experts. For example, respondent X2 thinks that the biggest challenge for his organisation is the follow-up on incidents. More ‘tentacles’ and more (near) real-time information are needed to be able to react quickly to incidents. Respondent X3 thinks that the monitoring of threats is not yet structured enough at his organisation; the gathering of intelligence about threats and the ability to react to them pro-actively and reactively (as classified by respondent X6) is weakened because of the lack of organisation. Furthermore, as respondent X5 stated, the ability to continuously assess new risks is endangered. An incident handling team is essential for a good reaction to an incident, stated respondent X5. As

respondent X9 stated it: ‘strictly organise the responsibilities during a response and train for it, but leave the action plan flexible in order to be able to deal with new sorts of incidents’. In this way a swift reaction to an incident can be organised. The process can be trained more easily than each possible incident, but if the process of solving a crisis is trained properly, any new situation should be solvable rather quickly. For the recovery it is very important that, besides back-ups etc., the cyber forensics are in order; as respondent X7 said, the forensics are important for the proper close-up of an incident: the flaw in the system can be recognised and fixed, in a positive case the offenders can be prosecuted, and repetition can be prevented (by the fix and the deterrence of the prosecution).

4.6. General findings from the interview

Besides the findings in the expert interviews about the three dimensions, some general points were made. Findings related to cyber resilience are further elaborated upon in section 4.6.1.

As concluded earlier, the connectedness in cyberspace is large, and therefore the dependencies are as well. The role of the government in this complex playing field is very different in the countries covered by the experts interviewed. In the Netherlands, the NCSC⁹ is busy with initiatives like a national response network (NRN) and a national detection network (NDN). Put shortly, the NDN is meant for sharing threat intelligence with different actors in the network and the NRN is meant to organise help from peers in the network. Both are on a voluntary basis. They are still under development, but can contribute a lot to the situational awareness of organisations. With initiatives like these, the Netherlands is quite active in cyberspace. However, not all countries are as actively busy with securing cyberspace (or at least the part important for their vital infrastructure). Historically, this can be explained because the internet was created as a private/academic network with no formal role for the government. However, during the development of the internet a lot of vital infrastructures have been connected to cyberspace, and because of that the public interest in cyberspace rose. Respondent X3 argued for the creation of a European agency to help organisations gather threat intelligence. The creation of such an agency would fit into the trend of governments getting more and more involved in cyberspace. Because of the decentralised nature of cyberspace, influencing it brings a lot of challenges for a government, because a government is the archetype of a centrally organised/organising body. Another complicating factor according to respondent X8 are geopolitical issues.

The best described global issue is perhaps the cyber espionage between the United States and (for example in [29, pp. 138]). The different natures of the regimes and their different interests can cause tensions. And due to the connectedness of cyberspace and the (real) physical world, these espionage actions can have real-world consequences. As respondent X8 stated, ‘how long will the super powers allow digital espionage before they react kinetically (in the physical world). When does cyber espionage become an act of war?’. Another (related) challenge is the legal boundaries; crossing physical borders in cyberspace takes no effort, but it has legal consequences. An example was given by respondent X9 about HR systems. In a global organisation, if you centralise your HR, which legislation should you use? The one from the country of the employee, or the one from the country where the physical server is based? And if it is outsourced, who is the owner of the data and who has the final responsibility for the security? Respondent X8 thinks that these legal issues are one of the key challenges for organisations to solve together in order to make a fair and stable playing field. Furthermore, as respondents X8 and X9 emphasise, privacy is an important aspect of a cyber approach. This can concern employees of an organisation, clients, partners or any persons and organisations involved. With a cyber approach, the risk of information overload is big according to respondent X8.

A specific threat that cannot stay unmentioned is the existence of Advanced Persistent Threats (APTs), mentioned for example by respondent X3. This is a category of threats that have in common that they use advanced methods, are persistent in reaching their goal and often have a lot of time and resources available to reach that goal¹⁰. Respondent X3 sees this as a big risk for data leakage and unauthorised use of systems.

With the design and implementation of the cyber approach, it is important that the end users are

⁹ The NCSC is the part of the Dutch central government involved in cyber and is part of the Ministry of Justice. They work together with actors from both the academic and the business world [98].
¹⁰ Virvilis and Gritzalis wrote an interesting comparison of the four biggest APTs publicly known so far [99].

not lost out of sight, as respondent X4 stated. The security measures should increase security, not hinder the users. Furthermore, the users are both the weakest point and the strongest defence in one, as respondent X6 stated; they can (accidentally or on purpose) cause a lot of damage to a system, but their professional view can also filter out suspicious things and prevent incidents. Investing in the users of the system can therefore be an interesting investment. On a higher organisational level, respondent X6 also stated that the input of the different organisational layers about security should be heard and used when the cyber approach is evolving.

An interesting observation was made by respondent X8: the gap between the (knowledge about) technologies a lot of organisations use and their dependence on them is quite large at the moment. In other words, the technical knowledge behind the services organisations depend on is often not available internally. This makes the organisation vulnerable when incidents occur and can therefore harm the resilience and possibly the functioning of an organisation. Solutions could be (1) to gather that knowledge internally by hiring skilled employees, or (2) to set up partnerships with external (trusted) parties to be able to quickly access specific knowledge if needed.

A final example shows how the cyber and physical worlds are connected. Respondent X9 told that in the outside world there have not been that many major incidents, although last year an incident at a German steel producer was reported. The damage was so severe that the plant had to be amortised¹¹. This is almost the worst-case scenario (no people were harmed). Respondent X9 thinks only the attack on Iranian nuclear facilities is of a similar scale/impact. These incidents show the connectedness between cyberspace and the physical world.

4.6.1. Cyber resilience findings

All respondents were asked to give their opinion about the cyber resilience of their organisation. The answers ranged from ‘the only official answer can be yes, we are resilient’ to ‘we are on the way, but we are not sure if we could handle big incidents’. Interestingly, the more a respondent seemed to know about cyber security and was aware of the challenges ahead, the less ‘resilient’ they would call their organisation. Respondent X8 describes it as ‘if a threat breaks through the resilience it can manifest itself and hurt the assets and interest of an organisation’. As the incident with the German steel producer shows, or better said the uniqueness of that incident so far, only in extraordinary situations can the true resilience of an organisation be shown.

The respondents identified several factors that are important for cyber security in their view. Respondent X6 noticed that the creation of a security culture is very important. This relates also to the user/human aspect. Furthermore, respondent X6 stated that management involvement and commitment are very important; only with their support can an organisation truly evolve into a resilient organisation¹². Respondent X9 formulated the role of standards in cyber resilience; he thinks that, because of the interdependencies between actors in cyberspace, collaboration is needed. A complicating factor for collaboration, according to respondent X9, is that the overall level of cyber resilience is not very high at the moment. While collaborating with others, their cyber resilience might not be very high, potentially influencing the resilience of the own organisation. Standards could help to solve this issue partly; for effective and efficient collaboration, standards are needed, because they can make communication smoother and can help to establish a minimum level of trust. Therefore respondent X9 thinks the development of new, more cyber-related standards and the evolution of existing standards are both very important to reach a better resilience level for all kinds of organisations.

4.7. Cyber issues identified

In the interviews the experiences with dealing with cyberspace have been discussed. Five main issues were distilled from the interviews; they are key aspects of a cyber approach and they make cyber security different from information security. The five issues are discussed below. The numbering of the issues is for reference purposes only, not to define levels of importance.

Issue 1: Parties in cyberspace are highly dependent on each other (Network dependencies)

As noted by several respondents, every organisation operating in cyberspace is to a certain

¹¹ See for example this BBC news item [100] about the incident.
¹² Respondent X6 did not know PAS 555, but note that these two factors are also mentioned in that standard.


extent dependent on others. This issue is also recognised by the World Economic Forum [34]. The consequence of the dependencies is that only looking at the own organisation is not enough. Looking at outside developments and trends is the least that should be included in a cyber approach. Furthermore, partnering with other organisations is essential for creating cyber resilience; as Clark et al. state in their paper, organisations need to participate together in order to reach a sufficient resilience level [101].

Issue 2: Dynamics of cyber are larger compared to traditional information security

The environment of organisations in cyberspace changes constantly, and much faster than with traditional information security. This is partly because the connectedness is so high (related to issue 1), but also because technological developments are quite swift. A very diverse set of threat sources (for example identified in [5, pp. 9, table 1]) and the asymmetric aspect of protecting assets versus attacking them make it even more dynamic. Because the dynamics of the environment are so high, time aspects of an approach become even more important: can there be a quick reaction? How long does it take to be running as usual again? Is our risk analysis efficient enough? Do we process our threat intelligence fast enough? These are all questions that arise due to the dynamics of cyber.

Issue 3: Assets to protect are constantly getting more diverse

Cyber security covers more than only information; the assets that need protection with cyber security have broadened to also cover services and communication channels. Furthermore, the societal impact of cyber incidents is changing and the soft side (the humans behind the cyber world) is influenced as well. For the day-to-day operations, a lot of services, communications and processes are IT related; for example, even if no information is stolen, but the (internal) communication is down due to a cyber incident, it has huge consequences for an organisation and potentially also for the functioning of society. This makes the need to also include these in the protection vital for the success of an approach. A consequence of this issue is therefore that in risk management the asset definition needs to be broader, the monitoring should also cover these assets and new developments need to be watched closely.

Issue 4: Incidents in cyberspace can have huge consequences in the physical world

As the incident with the German steel producer and the Stuxnet case show, cyberspace is connected to the physical world, and actions in cyberspace can have physical consequences. Especially given the geopolitical challenges identified earlier in this chapter, this issue has a huge impact on the cyber approach of any organisation. The possible links between cyberspace and the physical world need to be included in the risk management and the situational awareness (both the monitoring and the reacting and recovering).

Issue 5: The general level of cyber resilience is rather low

Often cyber resilience is not at a desired level, if there is even (enough) attention to the subject. This is an important issue, because it influences how actors in cyberspace can (and will) interact with each other without unnecessarily harming their own cyber resilience. A consequence of this issue is therefore that interaction with others in cyberspace should be done with great care.

4.8. Summary

In this chapter the interviews conducted with several cyber practitioners (experts from the field) are described. These interviews have resulted in the identification of five issues that need to be dealt with when dealing with cyber security: (1) parties in cyberspace are highly dependent on each other (network dependencies), (2) the dynamics of cyber are larger compared to traditional information security, (3) the assets to protect are constantly getting more diverse, (4) incidents in cyberspace can have huge consequences in the physical world and (5) the general level of cyber resilience is rather low. These issues influence what a cyber approach should cover and therefore serve as requirements for the cyber framework, which will be designed in the next chapter.


5 Designing a cyber framework

In this chapter, a cyber framework will be designed and further elaborated upon. This will be done based on a short wrap-up of the design challenge in section 5.1 and a discussion of the requirements based on chapter 2 (principles), chapter 3 (elements of standards) and chapter 4 (cyber issues) in section 5.2. Next, the cyber framework itself is presented and described in section 5.3. Finally, the importance of cyber resilience is argued for, and a suggestion to measure cyber resilience and use it as an indicator for the performance of an implementation of the cyber framework is presented in section 5.4.

5.1. The design challenge wrap-up

Cyber security is fundamentally different from information security because of the hyper-connectedness in cyberspace, as Helbing [42] and the World Economic Forum [34] call it. The hyper-connectedness causes three fundamental properties of cyber security that make it different from traditional information security, which are summarised in table 5.1.

Table 5.1: Cyber security versus traditional information security

| # | Cyber security | Traditional information security |
|---|----------------|----------------------------------|
| 1 | Highly dynamic environment | More stable environment |
| 2 | Link with physical domain | No direct link with physical domain |
| 3 | More diverse assets (and continuously changing) | ‘Only’ information |

Due to this hyper-connectedness and the resulting properties in which cyber security differs from information security, the complexity (of the risks) of participating in cyberspace is huge. There is no absolutely risk-free participation in cyberspace, but the key to success can be to implement an approach such that those risks can be managed. The ‘classic’ risk management from traditional information security cannot deal with all risks due to the complexity of the environment.

Furthermore, the role of standards in an approach is interesting because (1) they can provide useful elements of a cyber approach and (2) the role standards play in a cyber approach is different than in traditional information security. Brooks [102] argued that there are no ‘silver bullets’ in software development because software development is inherently a complex issue. A parallel can be drawn to a cyber approach; because a cyber approach should help organisations participate in the (complex!) cyberspace in a responsible way, it is inherently a complex issue with therefore no ‘silver bullet’ solutions. This changes the role of standards in cyber security compared to traditional information security. Also, a framework supporting the development of a specific cyber approach can therefore not be a blueprint, but has more the role of a guideline for (1) understanding the elements an approach should cover and (2) making sure all important aspects are covered.

Measuring the success of a cyber approach is also different compared to information security due to the described differences. Where prevention has the main focus in traditional information security,

in cyber the importance of detection and response grows. These relate strongly to the (cyber) resilience of an organisation: can we detect and respond well enough to keep functioning as an organisation? To be able to measure the performance of a cyber approach, some factors related to cyber resilience should be adopted as key performance indicators (KPIs).

So, a cyber framework for large organisations that aims at reducing the complexity and reaching cyber resilience, that gives standards a (new) role and that guides an organisation in the development of their (specific) cyber approach can help to participate in cyberspace in a responsible way. In addition, a suggestion on how to measure resilience can help to measure the performance of a specific cyber approach.

5.2. Requirements

To come up with a cyber framework, requirements for such a framework have been gathered through the research described in the previous chapters. The requirements set the boundaries and contents for a cyber framework. The requirements are discussed per chapter on which they are (mainly) based.

5.2.1. Design principles from chapter 2

Based on Helbing [6, 42]¹, two principles for designing a cyber approach are presented. Based on the literature research done in chapters 2 and 3 and the interviews described in chapter 4, three additional principles are added. These principles serve as requirements for the cyber framework, because the framework should be compatible with the principles (otherwise the framework cannot aim properly at cyber resilience). Furthermore, the principles can be used when designing a cyber approach for a specific organisation; in that case they can serve as guidelines for the designer to deal with the trade-offs that pop up while making a design. The principles therefore serve two roles: (1) as requirements for a cyber framework and (2) as guidelines when designing a specific cyber approach. The five suggested principles are briefly discussed in this section. In appendix C a presentation of the principles in the format suggested by The Open Group [103] is provided.

Principle 1 - Use modularisation

A cyber approach will inevitably consist of a system of systems. This principle aims at making the sub-systems as simple as possible (also in line with the KISS principle²), while not oversimplifying. Helbing [6] describes as the main advantage that this helps resilience because it makes it easier to disconnect a sub-system (temporarily); it reduces the connections with other (sub-)systems and therefore makes the complexity more manageable.

Principle 2 - Use local autonomy

Helbing [6] describes three closely related principles: the use of self-organisation, the use of distributed control and the stimulation of diversity; they are merged here as ‘use local autonomy’. This principle can help resilience, because (organisational) structures that evolved ‘naturally’ tend to be resilient against disruptions, because they “reconfigure themselves according to ‘their nature’ ” [6, pp. 3]. Related to this, the responsibility (control) should also be local. Helbing states that local autonomy can improve adaptation, to fit local needs. Furthermore, it enables quick reactions in case of an incident. By giving freedom to smaller sections of the organisation, diversity is also stimulated. Due to diversity some parts keep functioning during a certain disruption. Or, formulated differently, if a bug is found in one (sub-)system, it is more likely that the other (sub-)systems do not face the same problem. Furthermore, stimulation of diversity improves collective intelligence and innovation according to Helbing³.

Principle 3 - Include security from the start

As mentioned by several respondents, security is (still) too often only included at the end of a design. Similar to principle 6 of the ‘privacy by design’ principles [106], security should be included (‘embedded’) from the start of a design and not added later as an add-on. This principle helps resilience, because

¹ The principles were obtained from [6], but are (indirectly) already described in [42].
² KISS stands for ‘Keep it simple, stupid’, which originated as a design principle from the US Navy in 1960 according to [104, pp. 596] and is now used in many different fields, for example software engineering [105].
³ Note that the guidelines from higher in the organisation should find a balance in the trade-off between interoperability and central control versus the described advantages of the first two principles, in order to ensure interoperability between sub-systems. More on the balance between the first two principles can be found in section 5.2.1.

with all new sub-systems security is thought of from the beginning. Furthermore, it can also be applied when a (sub-)system needs an update; from the beginning of the update process, security should be included in the requirements/list of business demands.

Principle 4 - Design with the (end-)user in mind The (end-)users are essential for the resilience of an organisation. As stated by COBIT (cyber principle 2 [80]) and two independent respondents, the end-users are an essential part of the cyber approach of the organisation. By keeping the (end-)users in mind while designing, they can be stimulated to spot and report any anomalies in a system. Using both ‘use-cases’ and ‘abuse-cases’⁴ during the design makes sure that security enables users instead of hindering them in their work, while security is kept at an acceptable level.

Principle 5 - Partner up As, for example, the World Economic Forum [34], ISF [108], (employees of the) NCSC [101] and many others state, establishing partnerships with others is an essential part of participating in cyberspace responsibly; by combining forces the dynamics can be dealt with better and experiences can be shared, benefiting all actors in the network. Furthermore, internal collaboration helps to deal with all relevant aspects of cyber and helps to reduce the impact of incidents. This also helps to ensure an up-to-date information position, which is essential for a cyber approach. Therefore this fifth principle, partner up, is included as an essential ingredient for becoming more resilient.⁵

De-central versus central coordination in the principles Principles 1 and 2 seem at first sight to conflict with each other; modularisation means some kind of central coordination on what properties a system should have, while local autonomy means that responsibility and organisational choices should be made (as) locally (as possible). However, they can both be followed if they are used in a balanced way. For the more technical (hard) side of systems it can be most efficient to use modularisation (obliged from higher in the hierarchy of an organisation), while the more social (soft) side of systems is better suited to local autonomy. To get the best of both worlds, a balance should be found that can differ per organisation. When designing with the principles, this balance should be found based on the characteristics of the organisation, the experience of the organisation (more cyber maturity means that more local autonomy can responsibly be argued for) and the insight of the designer(s).

5.2.2. Elements of standards from chapter 3 In chapter 3 six different standards are discussed. As described, the elements from these standards can serve as inspiration for a cyber approach. As a requirement, the elements of the standards should be covered by and/or be compatible with the developed cyber framework in order for it to be complete. Standards can deliver elements of the cyber approach, specific controls and insights. Per standard, it is briefly discussed what is important as a requirement. In section 5.3.1 the coverage/compatibility of the different standard elements and the cyber framework is discussed.

COBIT 5 sets the stakeholder value as the most important goal. The cyber framework should be compatible with the principles from COBIT 5 to realise the stakeholder value with the help of information.

IRM Cyber risk resources for practitioners is a high-level inspiration for risk management practitioners. The self-assessment questions from the summary give good input for the cyber framework. The separate chapters could be used as inspiration when designing a specific part of a cyber approach.

The main message from ISO 22301 is to take business continuity into account, with the help of the PDCA cycle. The cyber framework should therefore cover the important aspects of the PDCA cycle⁶.

⁴ This phenomenon is for example described by [107] in software development.
⁵ Note that in practice it can be hard to share information with others, especially in highly competitive markets. Furthermore, the fifth issue (level of cyber resilience) also complicates partnering up with others. However, to be able to deal with the dynamic environment of cyberspace, working together with others is essential, so this principle serves to make sure that this is covered. A starting point could be to intensify the contacts between existing business partners, verify that they can be trusted and to slowly expand this collaboration. An independent (governmental) party could help sharing information between competitors, like the NCSC is doing with the ISACs [98].
⁶ Note that business continuity is of key importance for the recovery (and with that the resilience) part of an approach.


ISO 27001 is a collection of diverse security controls. Not all of them are on the same abstraction level as a cyber framework would be, so not all of them can be included in a cyber framework. An example is control area 10 about cryptography; this can be an important element of a specific cyber approach, but what a responsible encryption policy would entail differs too much per organisation. The cyber framework should therefore not necessarily cover all control areas, but they should be compatible with an approach set up with the framework.

The functions from the NIST framework for cyber security should be fully covered, because they are on the same abstraction level as a cyber framework and reflect the newest insights in cyber security.

The clauses from PAS 555 are also important to cover (at least indirectly), because they represent the newest insights on how to deal with cyber and this standard covers the resilience part best of all standards.

5.2.3. Issues from practitioners from chapter 4 Based on the interviews, five cyber issues have been identified as problems that occur when dealing with cyber security in practice. The cyber issues should be covered by the approach, so the cyber framework must enable coverage of the issues identified. The implications (requirements) for the cyber framework are shown in table 5.2.

Table 5.2: Implication of cyber issues for cyber framework

1. Cyber issue: parties in cyberspace are highly dependent on each other (network dependencies). Implication for cyber framework: the cyber framework must enable monitoring of dependencies & assurance and enable collaboration with other parties.
2. Cyber issue: dynamics of cyber are larger compared to traditional information security. Implication for cyber framework: the cyber framework must enable flexibility with respect to monitoring and reacting to threats from cyberspace.
3. Cyber issue: assets to protect are constantly getting more diverse. Implication for cyber framework: asset management and monitoring should be complemented with services in the cyber framework and new developments must be watched closely.
4. Cyber issue: incidents in cyberspace can have huge consequences in the physical world. Implication for cyber framework: both in monitoring and the risk management, the physical aspects and impacts of the link between cyberspace and the physical world must be included.
5. Cyber issue: the general level of cyber resilience is rather low. Implication for cyber framework: working together with others in cyberspace should always be done based on verified trust (verified by own or independent experts).

5.3. Cyber framework As concluded in the design challenge wrap-up, the hyper-connectedness of cyber changes the risk management needed in a cyber approach compared to information security. To be able to notice incidents and developments in the environment faster, situational awareness can be added. This means splitting the ‘traditional’ risk analysis in roughly a preparation part and a detection and response part. Because in cyberspace the environment changes so fast, a specific protection for each individual possible incident is not realisable; instead, the focus on quick detection, response and recovery can make sure that the goals/mission of the organisation are not endangered. This does not mean that protection and prevention are not important any more; these are the basics, but for even better security the detection and response need more attention. The exact response for each specific incident can also not be trained, but the crisis management needed from management can be trained⁷. With a smooth and quick response, a fast recovery can be enabled.

To realise this, a risk management cycle can be used in which the assets (selected broadly) are identified, protection is set in place (control measures) and response and recovery for an incident are prepared. This can be supplemented with a situational awareness cycle that covers the detection of anomalies in the systems related to assets that need protection, and response and recovery after an incident is detected, extended with the gathering & analysis of intelligence both internal and external to the organisation. Some information/boundary conditions from outside of these cycles are needed to properly set them up. The mission/goal of an organisation is important, because that influences what (kind of) assets are important to protect. Furthermore the boundary conditions, both the different (kinds of) resources needed and (properties of) the organisational structure, are important to enable these cycles. Feedback about the performance of the risk management and situational awareness cycles is needed in order to monitor whether the cyber approach still functions in accordance with the set mission/goal of the organisation. Finally, for a complete cyber approach the cultural values and risk appetite of an organisation are important to let the risk management and situational awareness cycles function. These things together form the cyber governance dimension. The above has resulted in the design of a cyber framework, shown in figure 5.1.

Based on the governance definition of [40], the governance elements are split in three main blocks: (1) mission/goal, (2) boundary conditions and (3) oversight and monitoring long term. The mission/goal element covers the main mission/goals of the organisation; what does it want to achieve? What kind of service does it want to deliver? Etc.
Related to the mission is how to achieve it; what kind of activities are deployed to reach the goal, how much risk do we accept with these activities and what are the core values of the organisation? This is like the DNA of the organisation. To realise the mission/goal of the organisation, the mission/goal should be translated into the boundary conditions for risk management and situational awareness. The boundary conditions consist of the allocation of the financial, human, social and technological resources and the decisions on the organisational structure (what are the (demands for the) procedures and processes and who gets what responsibilities). To check whether the boundary conditions are still sufficient for the proper functioning of the risk management and situational awareness, there should be oversight, evaluation and monitoring of the long term results. This can be done with auditing (both internal and external). As part of the monitoring, the balance between central steering and creativity of the (sub-)systems should be watched and adjusted if necessary. The results from the oversight should be included in the revision of the mission/goal of the organisation every 3-5 years. In accordance with the oversight results and (minor) changes to the mission/goal, the boundary conditions should change as well. From the governance dimension, partnerships with other organisations/actors can be initiated, resulting in collaboration in all three dimensions: governance, risk management and situational awareness.

The risk management cycle consists of assessing the risk, control and monitoring, completed with the risk acceptance and the asset repository. In the risk assessment, the risks should be assessed based on the monitoring, the goals of the organisation (from governance), the risk acceptance (based on the risk appetite) and the gathered and analysed intelligence (from situational awareness). Based on this assessment and the asset repository, control measures can be taken.
This can be (1) to accept a risk, (2) to take measures to bring the risk back to an acceptable level, (3) to transfer the risk to an external party (for example an insurance company) or (4) to avoid the risk (for example by stopping the involved activity). Control also entails the preparation of response and recovery plans in order to deal quickly with incidents when they occur (input for the situational awareness cycle and the mission/goal block of cyber governance). Control is monitored, and the monitoring results and lessons learned from incidents are input for the risk assessment. The function of the risk assessment is to watch the long term risks and make sure that they stay under control.

The situational awareness cycle consists of monitoring, respond and recover, completed with the gathering and analysis of intelligence (both internal and external). The monitoring of the situational awareness is a combination of incident detection and the monitoring of developments in the environment that could influence the functioning of the organisation. This monitoring is based on intelligence and the assets that need protection. If an incident is discovered, the response starts. With a focus on crisis management from the management and the involved technical team, the incident can be stopped. When the incident is under control, the recovery starts. Recovering as fast as possible with as few resources as possible is the goal, because then the organisation can keep realising its mission/goal. After an incident, the lessons learned are input for the risk management cycle, in order to check whether something in the preparation needs to change. The mission/goal of the organisation should be kept in mind during the response and recovery, because that determines the priorities. The gathering and analysis of intelligence is essential for effective monitoring, because this gives the information which can help early discovery of an incident. For the gathering of intelligence, it is important to know the social and technical dependencies on other parties, because these could be weak points of the protection. The external intelligence can be gained from partners and from public sources.

⁷ For example with the help of serious gaming as described by [109] and others.

5.3.1. Check cyber framework with requirements As discussed in section 5.2, three categories of requirements were identified: five principles, different elements of standards and five cyber issues from practitioners. Per category it is checked whether the requirements are fulfilled by the cyber framework.

First the principles. The five principles are all compatible with the cyber framework. Principles 1 to 4 are not covered directly, but when working out a specific cyber approach they should be used to fill in the details of that approach. Principle 5 is directly covered in the cyber framework with the link between ‘governance’ and ‘environment’ (‘participating in the cyber community’) and indirectly with the ‘gathering of internal intelligence’ (because collaboration internally is needed for that).

Next the elements of standards. In appendix D the coverage/compatibility of all elements of standards is shown per element of the six discussed standards. Not all elements of standards are a strict requirement; they do not have to be directly covered by the cyber framework: as long as the framework can be used to construct a cyber approach that is compatible with these elements, the framework can be a help when designing a specific approach. From the check with all elements of the compared standards it can be concluded that the cyber framework fulfils those.

Third and last the cyber issues. The five implications as presented in table 5.2 are covered: issue 1 directly with the link between the environment and participating in the cyber community (and the link with situational awareness), issue 5 can be included by creating these links responsibly and issues 2, 3 and 4 can be included when designing a specific cyber approach in the situational awareness cycle (2 and 3) and the risk management cycle (3 and 4). With the coverage of the identified requirements from these three areas the cyber framework fulfils the requirements.

5.3.2. Role of standards in a cyber approach The role of standards in a cyber approach differs from the one they had in information security. Due to the hyper-connectedness and the dynamics, prescribing exactly how an approach should look has become even less feasible than with information security. The added value of standards can be to prescribe on a high level what aspects should be covered. This, completed with best practices (for example cyber approaches from peers), the cyber framework and the design principles, can support the design of a cyber approach for an organisation. Formulated differently, the high-level standards and the technical standards (on the lowest implementation level) will be the most important standards. The layer in between requires a more tailor-made approach, which can be created based on standards and the developed design principles and cyber framework. However, the most important role for standards will be for communication purposes; with the need to further cooperate with other organisations, standards can help to ‘speak the same language’ and share knowledge and intelligence more effectively. The technical standards STIX and TAXII are interesting examples of standards for exchanging threat intelligence [78].

The practical use of the framework is further discussed in the evaluation based on a small case study in chapter 6.

5.4. Measuring of cyber resilience When a cyber approach based on the suggested design principles and the cyber framework is in place, how can the success of the approach be measured? A commonly used method is a scorecard with different key performance indicators (KPIs). This is where resilience could play a key role. As concluded earlier, due to the hyper-connectedness in cyber, the focus in cyber security should shift from (only) protective to also reactive (or from (only) the left side of the bowtie of figure 2.3 to also the right side). The number of incidents (alone) is therefore not a good KPI for an approach, especially because it does not take the reactive part of a cyber approach into account. And the reactive part is more important, especially because in cyber preventing all possible incidents from occurring is near impossible due to the hyper-connectedness. Therefore it is interesting to also include factors that describe the cyber resilience of the organisation. Before zooming in on the measuring of cyber resilience, a small addition to section 2.2 about cyber resilience and why to pursue it. In multiple security/safety areas resilience is used as a goal instead of preventing all incidents from happening. A great example can be found in water management; in a report from TNO [110], a literature review about resilience in water management is conducted. In their historical context part about resilience they state that:

“The motto is: learn to manage by change, rather than simply react to it and try to resist change. Uncertainty and surprise are part of the game and we have to learn to live with it.”[110, pp. 6].

Although water management is a completely different area of safety/security, this quote could have been written about cyber security as well; the reason to aim at resilience is because it is a way to deal with the high uncertainty and surprises that are also part of cyberspace. This illustrates why multiple aspects of resilience should be part of the measuring and that aiming at resilience fits in a movement occurring in multiple safety/security areas.

For the measuring of cyber resilience, different aspects will be taken into account. Folke [111] describes three resilience concepts from different backgrounds: engineering resilience, focussing on effectiveness and control; ecosystem resilience, focussing on persistence and robustness; and social-ecological resilience, focussing on the adaptive capacity, transformability, learning and innovation. To measure cyber resilience as completely as possible, the focus will be on the engineering aspects, completed with ecosystem and social-ecological resilience aspects. Based on a technical report from ENISA [112], the effectiveness of a cyber approach is illustrated in figure 5.2. In this figure the service level of a (part of a) system is shown and how it could develop after an incident. As soon as the incident begins, the service level can drop. The time till the incident is discovered and the service impact till discovery together form the effectiveness of the monitoring. Note that the impact an incident can have before it is discovered is strongly influenced by the control measures taken in the risk management cycle of the approach. The next phase is the response phase. The service impact till the incident is ‘under control’⁸ combined with the time to get there is the respond effectiveness. Next is the recovery phase. The time needed to return to the original service level or another acceptable service level combined with the service impact to recover from is the recover effectiveness. Note that the service level line in figure 5.2 does not describe the ‘standard course’ of an incident; the line could go up or down in different phases at different angles. In a specific incident, the service level decrease could also stop as soon as the incident is discovered. A measure for the service level should be chosen based on the service; measurements from service level agreements can serve as inspiration for that.
To be complete, these effectiveness measures are complemented with three additional factors: (1) resources needed (based on [38]), (2) adaptive capacity and (3) robustness (based on [111]). The resources needed are added because in the effectiveness measures only the factor time is taken into account, while the financial, human and social resources used are also important for the efficiency of an approach. The robustness can be measured by the amount of service impact that can be endured without losing the ability to evolve to an acceptable service level again. The adaptive capacity is harder to measure, but it could be measured based on the time needed to respond to changes as noted in the analysis of intelligence in the situational awareness. Dependent on the specific mission/goal and characteristics of an organisation, the resilience can be measured in a scorecard-like method with different weights for the different components of cyber resilience. Note that this is a first suggestion, based on a short literature review, on how to include cyber resilience related KPIs in the (long term) monitoring, and more research is needed to develop these further. However, because resilience is so important for responsible participation in cyberspace, this measuring suggestion can help to take the first steps in including this in the monitoring. A visual summary of the measuring suggestion of cyber resilience is shown in figure 5.3.

⁸ Different organisations can use different definitions of ‘under control’. For this figure, the point where the service level no longer decreases has been chosen. An alternative could be to set the ‘under control’ point at a minimum accepted service level.
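As an added worked example (not part of the thesis), the effectiveness measures of figure 5.2 and the scorecard suggested above, computed in Go over a constructed service-level curve. The incident timeline, the baseline of 1.0, the targets, the weights and the values for the three extra factors are all assumed for the example; the service impact of each phase is taken as the area between the nominal service level and the measured level, and a component scores 1 when it meets its target and proportionally less otherwise.

```go
package main

import (
	"fmt"
	"math"
)

// Sample is one observation of the service level (1.0 = nominal) at time T (hours).
type Sample struct{ T, Level float64 }

// Phases: the four moments of figure 5.2 (under control = level no longer decreasing, footnote 8).
type Phases struct{ Incident, Discovered, UnderControl, Recovered float64 }

// Effectiveness holds the time/impact pairs of figure 5.2 (lower is better for all).
type Effectiveness struct {
	DiscoverTime, ImpactTillDiscovery   float64 // (1) monitoring effectiveness
	ControlTime, ImpactTillUnderControl float64 // (2) respond effectiveness
	RecoverTime, TotalImpact            float64 // (3) recover effectiveness
}

// levelAt interpolates linearly between samples; t must lie within the sampled range.
func levelAt(s []Sample, t float64) float64 {
	for i := 1; i < len(s); i++ {
		if t <= s[i].T {
			a, b := s[i-1], s[i]
			return a.Level + (t-a.T)/(b.T-a.T)*(b.Level-a.Level)
		}
	}
	return s[len(s)-1].Level
}

// impact integrates the shortfall (baseline - level) over [from, to]: the "service
// impact" areas of figure 5.2. The trapezoid rule is exact for this piecewise-linear curve.
func impact(s []Sample, baseline, from, to float64) float64 {
	ts := []float64{from}
	for _, p := range s {
		if p.T > from && p.T < to {
			ts = append(ts, p.T)
		}
	}
	ts = append(ts, to)
	total := 0.0
	for i := 1; i < len(ts); i++ {
		l0, l1 := baseline-levelAt(s, ts[i-1]), baseline-levelAt(s, ts[i])
		total += (l0 + l1) / 2 * (ts[i] - ts[i-1])
	}
	return total
}

// Measure derives the three effectiveness pairs from a service-level curve.
func Measure(s []Sample, p Phases, baseline float64) Effectiveness {
	return Effectiveness{
		DiscoverTime: p.Discovered - p.Incident, ImpactTillDiscovery: impact(s, baseline, p.Incident, p.Discovered),
		ControlTime: p.UnderControl - p.Discovered, ImpactTillUnderControl: impact(s, baseline, p.Discovered, p.UnderControl),
		RecoverTime: p.Recovered - p.UnderControl, TotalImpact: impact(s, baseline, p.Incident, p.Recovered),
	}
}

// Component is one scorecard entry; Target is the level the organisation wants to reach.
type Component struct {
	Name                   string
	Weight, Actual, Target float64
	HigherIsBetter         bool
}

// Scorecard returns the weighted average score in [0, 1]: meeting the target scores 1.
func Scorecard(cs []Component) float64 {
	var sum, wsum float64
	for _, c := range cs {
		r := c.Target / c.Actual
		if c.HigherIsBetter {
			r = c.Actual / c.Target
		}
		sum += c.Weight * math.Min(1, r)
		wsum += c.Weight
	}
	return sum / wsum
}

// Constructed incident (assumed data): level falls to 0.6 before discovery at t=6h,
// to 0.5 before control at t=8h and is back to nominal at t=14h.
var ExampleIncident = []Sample{{0, 1.0}, {2, 1.0}, {6, 0.6}, {8, 0.5}, {14, 1.0}}
var ExamplePhases = Phases{Incident: 2, Discovered: 6, UnderControl: 8, Recovered: 14}

// ExampleScorecard combines the measured effectiveness with the three extra factors of
// section 5.4; weights, targets and the extra-factor values are assumed for the example.
func ExampleScorecard() float64 {
	e := Measure(ExampleIncident, ExamplePhases, 1.0)
	return Scorecard([]Component{
		{"monitoring: discover time (h)", 2, e.DiscoverTime, 2, false},
		{"respond: time until under control (h)", 2, e.ControlTime, 2, false},
		{"recover: recover time (h)", 2, e.RecoverTime, 8, false},
		{"resources needed for recovery (person-hours)", 1, 40, 20, false},
		{"adaptive capacity: days to act on new intelligence", 1, 10, 5, false},
		{"robustness: endurable impact (service-level hours)", 1, 2, 4, true},
	})
}

func main() {
	fmt.Printf("%+v\nresilience score: %.3f\n", Measure(ExampleIncident, ExamplePhases, 1.0), ExampleScorecard())
}
```

For the constructed curve the monitoring phase costs 4 hours and 0.8 service-level hours of impact, the response phase 2 hours and 0.9, and the total impact to recover from is 3.2; the assumed weights give an overall score of about 0.72. The impact is the quantity a scorecard should carry next to the bare time, since a fast discovery of an incident that already halved the service level is not the same as a fast discovery of one that barely touched it.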

5.5. Summary In this chapter five design principles for a cyber approach are formulated based on literature research, the analysis of the standards landscape and the conducted interviews. The design principles have two roles: (1) they serve as input when designing a cyber approach, to help dealing with design dilemmas, and (2) they are a requirement for a cyber framework, because that needs to be compatible with these design principles. Based on the research done and the requirements from the design principles, the elements of standards and the cyber issues, a cyber framework covering the elements of cyber governance, risk management and situational awareness has been created. Finally, as an extra addition, a first suggestion on how to measure cyber resilience has been made. These results and the issues identified in chapter 4 are evaluated in the next chapter.

Figure 5.1: Cyber framework (diagram). Blocks and labels recoverable from the figure: Environment (external and internal social and technical dependencies; external intelligence; participating in the cyber community); Cyber governance (Mission/goal: core values of organisation, risk appetite, organise oversight; Boundary conditions: resource allocation (financial, human, social, technological), organisational structure (legal aspects, policies, procedures, processes, responsibilities), translate goal to boundary conditions; Oversight, evaluation and monitoring long term: auditing, oversight results, performance of risk management and situational awareness, balance steering vs. creativity); Risk management (assets to protect, asset repository, risk acceptance, long term risk & control, response and recovery plan, lessons from incidents); Situational awareness (gather & analyse intelligence (internal and external), short term respond and recover).


Figure 5.2: Effectiveness of cyber approach (based on [112, pp. 33]) (diagram of the service level over time; labels: Incident, Time till incident, Discover time, Service impact till discovery (1), Time until incident under control, Service impact till incident under control (2), Recover time, Service impact to recover from (3) (= total service impact); triangles link to figure 5.3).

Figure 5.3: Measuring of cyber resilience (diagram; cyber resilience is composed of monitoring effectiveness (1), respond effectiveness (2), recover effectiveness (3), resources needed for recovery, adaptive capacity and robustness; triangles link to figure 5.2).

6 Evaluating the cyber framework

To check whether the issues based on the interviews and the developed design principles and cyber framework can be useful for large organisations, an evaluation of those has been conducted. In this chapter the methods used, the evaluation results and options to further evaluate are discussed.

6.1. Methods used - interview based on questionnaire and case study To check whether the results of this research are valid and can be valuable for large organisations, the respondents of the formal interviews (which resulted in the issues) have been asked to evaluate the results based on a questionnaire. The questionnaire and a summary of the results were sent to the respondents approximately three weeks before the (teleconferencing) interviews. The questionnaire can be found in appendix E¹. The form of an interview based on a questionnaire was chosen to give the respondents the opportunity to reflect on the results in a way that is as time-efficient for them as possible. In this way, the cooperation of most respondents was ensured. Six respondents were able to discuss the questionnaire in a (teleconferencing) interview of approximately 30 minutes each.

As an additional method to evaluate the framework, a case based on DigiNotar has been worked out. The goal of using this method was to show the usability of the framework.

6.2. Results of evaluation interviews During the interviews all respondents recognised the issues as identified in chapter 4. Based on the feedback of the respondents, the fifth issue was added. Different respondents further emphasised the special importance of one or more issues. Together the respondents named all issues at least once; an indicator that these are the main issues occurring when dealing with cyber in practice.

The design principles seemed complete and useful to the respondents. Two respondents suggested to shrink the number of principles from seven to a maximum of five. Furthermore, the relation between the first principle (use modularisation) and the next three was unclear; these three have been put together in the current second principle (use local autonomy) and an additional section to explain the balance between de-central and central coordination has been added (section 5.2.1). Based on these comments, the principles have been reformulated and further explained. Overall the respondents agreed with the principles and all respondents thought they could be useful in practice (after minor changes).

The respondents thought the cyber framework also covered the most important aspects, although some minor additions were suggested. One respondent suggested to include a place in the framework where legal aspects can be included. Furthermore, besides procedures, policies are also thought to be important. Therefore those two aspects have been added to the framework. Furthermore, one respondent suggested that the analysis on a more tactical level that is now part of the situational awareness should be part of governance instead. In his view, the situational awareness cycle and these analyses are not on the same level. However, based on the MITRE vision on situational awareness [50], the intelligence gathering and analysis is kept in the situational awareness. In this way the provision of boundary conditions and evaluation is also kept more separated from the actual security processes. So they might not (yet) be on exactly the same abstraction level, but because it is important that these aspects work closely together, they are left in the situational awareness block. All respondents thought the framework served its two goals: (1) it provides insight in the elements needed for an approach and their relations and (2) the respondents thought the cyber framework could be helpful when designing a cyber approach. Note that the changes described are already processed in this version; to prevent confusion only the final results are described in this thesis.

Reflecting on this method and how it was applied, making it as efficient as possible for all respondents had the advantage that most of them were able to cooperate with these evaluation interviews. The downside was that not all of them had time to extensively prepare the interviews, making detailed comments on the end result hard to expect. Therefore, further evaluation with experts in a setting in which all details of the results can be discussed would probably give additional insights.

¹ Note that because, based on the evaluation interviews, some (small) changes were made to the end results, there are differences between the questionnaire and the final results.

6.3. Results of case study As an additional evaluation of the designed framework, a case is worked out for a certification authority based on the DigiNotar case. In this section the case will be introduced and the framework will be used to sketch the properties of a cyber approach for an organisation like DigiNotar was.

DISCLAIMER: The DigiNotar case is used because of the extensive reports available [20–22] and is used only to demonstrate the use of the framework. This analysis is not meant to better understand what went wrong with DigiNotar or to do any special recommendations for that specific case.

6.3.1. The DigiNotar case DigiNotar B.V. was a company which provided digital certificate services. It was founded in 1997 as a collaboration of different notaries. In 2011 they were hosting a number of Certificate Authorities (CAs). These certificates included ‘PKIoverheid’ certificates, which were used to secure communication between citizens and several Dutch government departments. “The certificates of DigiNotar were used worldwide to secure digital communication on the basis of a Public Key Infrastructure”[21, pp. 3]. A CA plays a key role in a PKI; this is a framework in which the identity of other parties on the internet is verified. Shortly explained with the traditional Alice and Bob example²: when Alice wants to send a private message to Bob, she first requests Bob’s certificate including his public key. Alice can verify this certificate at the CA that has checked Bob’s identity earlier. If the CA confirms Bob’s certificate, Alice can send Bob a message encrypted with the public key of Bob, so only Bob can read it by decrypting it with his private key. However, when a hacker has access to the internal side of the CA, the identity of Bob is no longer certain for Alice, since the hacker could create a fake certificate and claim to be Bob, deceiving Alice. In their investigation Fox-IT concluded that (a) hacker(s) gained access to the internal part of DigiNotar and a rogue wild-card certificate for the ‘google.com’ domain was created, which was used for man-in-the-middle attacks on over 300,000 users, situated mostly in the Islamic Republic of Iran [21]. Because the integrity of the other CAs hosted by DigiNotar (including the CA related to the Dutch Government) could no longer be trusted, several parties lost their confidence in DigiNotar as CA and as a result DigiNotar went bankrupt on 20 September 2011 [115]. DigiNotar started as a notary acting online as a third party, but their role had evolved towards a key player in the trust of communication on the internet.
To show the usefulness of the designed framework, they are applied to DigiNotar in the next section.

6.3.2. Applying the framework to DigiNotar

The framework is applied to a copy of DigiNotar just before the hack. To prevent confusion with the real DigiNotar, it will be addressed as ‘the organisation’. As CA, the goal/mission of the organisation (as part of ‘cyber governance’ in the framework) could be something like: “Creating trust online”, since its core business was providing certificates and digital signatures. For the core values of the organisation, this means that stimulating an open culture in which the security approach is regularly and critically reviewed, both internally and externally, is of key importance. The risk appetite should be quite low, because the organisation practically sells trust. This trust should not be endangered by (unnecessary) incidents; 100% security is not a realistic goal, but the more essential a technical or organisational part of the organisation is for the creation of that trust, the less risk should be accepted for it.

2 These names originate from [113, p. 10] and are commonly used to explain cryptography principles. The example is based on [114].

In the risk cycle (as part of ‘risk management’ in the framework), the assessment of the risks should therefore be made with a low acceptance rate in mind. Based on the risk assessment, control measures need to be taken to protect the important assets. The most important assets are in this case the servers creating and validating certificates. The control measures need to be preventive (network architecture with different segments, access management and, related to this, physical security) but also reactive: what to do when an incident occurs? The long term risk and control should be monitored by an evaluation once every period (this could be a year, but given the key function of the organisation in the PKI and the societal impact of a breach, this can be intensified to once per quarter or once a month).

The response and recovery plans form an important bridge between the long term risks (dealt with in ‘risk management’ in the framework) and the short term response and recovery (dealt with in ‘situational awareness’ in the framework). To create an effective response plan and recovery plan, it is of key importance to practise incidents with all involved parts of the organisation. This means that one of the control measures should be a yearly (or, based on the threat level, even more frequent) large-scale exercise of an incident involving the whole organisation. What should management do? Who will take care of public communication? What measures will be taken? And so on. By exercising a major incident, the actual reaction when it happens is much easier, and flaws in both the response and the recovery plan can be identified in a non-critical phase for the organisation. From the response plan it should become clear what the main priorities are, who is responsible for what, and how to react. After an incident with a certificate (server), it should be clear which other certificates are affected once the response plan has been executed. The compromised certificates should be revoked and all external parties should be informed. Furthermore, the forensics should be ready to use for internal and external investigation. The logs of the servers should be stored separately in order to make alteration harder and the investigation smoother. The recovery plan should make clear how to get back to the desired service level. This means that after the recovery plan has been used, the customers of affected certificates should be able to rely on their (replaced) certificates. Note that if an incident can be handled successfully it can even enlarge the trust in the organisation, although this is hard to achieve.

To know when an incident has occurred, the monitoring (part of ‘situational awareness’ in the framework) is essential. Detection methods can include intrusion detection/prevention systems (IDPS) (see footnote 3) and network monitoring, but other indicators can be checked as well (physical inspection, log checks, etc.). Furthermore, when there is (concrete) information about attack attempts, monitoring can be intensified on the potential targets. Such information can come from the intelligence gathered and analysed. As a key player in the PKI environment on the internet, it is essential to keep up to date with the latest developments. This varies from knowing which software has weaknesses to knowing which kinds of attacks are often performed (on peers). Exchanging information with other CAs, to know what they are facing and to share what you are dealing with yourself, helps to make the whole PKI framework more secure. Furthermore, internal developments are also important to watch. Knowing when which server is updated, when a new firewall is installed, when an organisational change takes place, etc. can help to spot potential weak points or critical phases and can be a reason to take measures to mitigate those risks. Especially developments related to the core activities (creation and checking of certificates) should be noted and included in the risk analysis to prevent unnecessarily high risks. Another important aspect to include in the intelligence analysis is dependencies; the less dependent the (core) services are the better, but if there are dependencies these should be included in the monitoring and risk assessment. Separation of responsibilities and segregation in the (physical) network should be the key aspects of the approach of the organisation.

3 Note that DigiNotar actually had an advanced IDPS, but because it was not used optimally (it was placed in front of the firewall and the default configuration was used) it produced a lot of false positives, making it harder to spot intruders [21].
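The point of the footnote, that a sensor placed in front of the firewall alerts on traffic the firewall drops anyway, can be shown on log lines. The Go program below is an added example, not code from the thesis or from the DigiNotar investigation. It works on constructed firewall deny lines and IDS alert lines in a simple key=value format (an assumption; real products log differently) and suppresses every alert whose source, destination and port match a flow the firewall already dropped, leaving only alerts about traffic that actually reached the internal network:

```go
package main

import (
	"fmt"
	"strings"
)

// Flow identifies a connection attempt the way both the firewall and the IDS log it.
type Flow struct{ Src, Dst, Port string }

// FirewallDenies is a constructed sample of perimeter firewall drop lines (not real logs).
const FirewallDenies = `
DENY src=203.0.113.7 dst=192.0.2.10 dport=22
DENY src=198.51.100.9 dst=192.0.2.10 dport=3389
DENY src=203.0.113.7 dst=192.0.2.11 dport=445
`

// IDSAlerts is a constructed sample from a sensor placed in front of that firewall.
// The first three alerts concern traffic the firewall dropped anyway; only the last
// one describes something that reached the internal network.
const IDSAlerts = `
ALERT sig=ssh-bruteforce src=203.0.113.7 dst=192.0.2.10 dport=22
ALERT sig=rdp-scan src=198.51.100.9 dst=192.0.2.10 dport=3389
ALERT sig=smb-probe src=203.0.113.7 dst=192.0.2.11 dport=445
ALERT sig=unusual-admin-login src=192.0.2.25 dst=192.0.2.12 dport=443
`

// parseKV turns "TAG k=v k=v ..." into a map; the leading tag (DENY/ALERT) is ignored.
func parseKV(line string) map[string]string {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	return kv
}

// flowOf extracts the (src, dst, dport) triple shared by both log formats.
func flowOf(kv map[string]string) Flow { return Flow{kv["src"], kv["dst"], kv["dport"]} }

// nonEmptyLines splits a log blob into its non-blank lines.
func nonEmptyLines(blob string) []string {
	var out []string
	for _, l := range strings.Split(blob, "\n") {
		if l = strings.TrimSpace(l); l != "" {
			out = append(out, l)
		}
	}
	return out
}

// Triage suppresses IDS alerts for flows the firewall already dropped and returns the
// signature names of the alerts that still deserve an analyst's attention.
func Triage(denyLog, alertLog string) (kept []string, suppressed int) {
	blocked := map[Flow]bool{}
	for _, l := range nonEmptyLines(denyLog) {
		blocked[flowOf(parseKV(l))] = true
	}
	for _, l := range nonEmptyLines(alertLog) {
		kv := parseKV(l)
		if blocked[flowOf(kv)] {
			suppressed++ // never reached the protected network: noise for the analyst
			continue
		}
		kept = append(kept, kv["sig"])
	}
	return kept, suppressed
}

func main() {
	kept, suppressed := Triage(FirewallDenies, IDSAlerts)
	fmt.Printf("suppressed %d alert(s) on blocked traffic; remaining: %v\n", suppressed, kept)
}
```

Of the four constructed alerts, three are suppressed and only unusual-admin-login remains. This is the log-side equivalent of the architectural fix of placing the sensor behind the firewall; a production version would also bound the match in time and keep the suppressed alerts for trend reporting rather than discarding them.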


The boundary conditions for setting up the risk management and situational awareness need to match the goal of the organisation (part of ‘cyber governance’ in the framework). In the allocation of resources, the most secure choices should be implemented as cost-efficiently as possible (and not the other way round: security should not be chosen on the basis of cost efficiency!). This means that, for example, resources for the separation of responsibilities and the segregation of the network should be made available. Different choices for the organisational structure are acceptable, as long as the key aspects of the approach mentioned above, like separation of responsibilities and external and internal oversight, are covered.

The oversight, evaluation and monitoring of the performance of risk management and situational awareness is of key importance (from the ‘cyber governance’ part of the framework); to enlarge the trust in the organisation, third-party inspections that confirm that decent processes and structures are in place should be conducted. The scope of each audit should not be too small, and together all external audits should cover the important aspects of the cyber approach. This means that both the preventive and the reactive side of the protection should be audited. Furthermore, penetration tests by rotating external parties should be included in order to spot weaknesses that remained in the approach even after the organisation’s own risk analyses. As mentioned before, active participation in the cyber community is key for the organisation; not only in sharing. This can be done by participating in one or more of the ISACs of the NCSC, participating in conferences, advising customers, and so on.

6.3.3. Added value of the framework

In the previous paragraphs the developed framework has been applied to the DigiNotar case; starting with the goal of the organisation in cyber governance, moving through risk management and situational awareness and back to cyber governance, the case has been described. Due to the time limitations of this research, no detailed network architecture (see footnote 4), organisational structure diagram (see footnote 5) or set of cyber related processes and protocols (see footnote 6) has been created; however, the key aspects of those, and the improvements compared to the original DigiNotar situation, are (implicitly) described. The added value of the framework is that it helps to coherently describe the cyber approach of DigiNotar over the three dimensions risk management, situational awareness and governance. It helps to quickly understand what is needed for a coherent cyber approach for the organisation and, due to the important role of the response to incidents, the resilience of the organisation could have been improved with the help of this framework.

6.4. Further evaluation

As concluded at the end of section 6.2, further evaluation can be done. A way to further evaluate the results is to organise an expert workshop. The goal of such research would be to gain insights into the practical use of the framework. Such a workshop could be organised in three phases. In phase 1 the opinions of experts on the use of standards and the properties of a cyber framework can be explored. In phase 2 the results of this research can be introduced and worked on further in smaller groups based on a case (for example the DigiNotar case). Finally, in phase 3 the results of working with the case can be presented to each other and experiences on how to use the framework and the principles can be shared. Such a setting could provide detailed feedback from experts on the usability and completeness of the results of this research.

As a preparation for the workshop, or as a stand-alone additional evaluation, the DigiNotar case can be worked out in more detail. A detailed technical architecture can be drawn, an organisational structure can be given, response and recovery plans could be outlined and a (setup) description of processes and protocols can be provided. These can serve (1) as extra feedback on how useful the framework (and principles) are and (2) as the needed input for a workshop with experts.

4 Note that the placement of the IPS behind a firewall, the separation of different CAs on different servers and an update process for all software are three of the improvements to the architecture, compared to what DigiNotar had, that could have been made (with hindsight after the incident) based on the framework and [21].
5 Splitting of responsibilities and the scope of audits are two of the improvements to the organisational structure, compared to what DigiNotar had, that could have been made (with hindsight after the incident) based on the framework and [21].
6 Worked-out response and recovery plans and frequent exercises with the whole organisation are two of the improvements/additions to the processes and protocols, compared to what DigiNotar had, that could have been made (with hindsight after the incident) based on the framework and [21].

6.5. Summary

The issues identified from practitioners, the design principles and the cyber framework have been evaluated in interviews with the respondents of the semi-structured interviews. The respondents recognised and agreed with the results; some additions and changes were made to complete the end results. As an extra exploration, the option to include factors covering cyber resilience has been discussed with the respondents. They agreed that some factors about cyber resilience should become part of measuring the performance, but how exactly to measure these factors still needs more research. Additionally, the DigiNotar case has been explored with the use of the framework, showing that it can help to quickly describe a case coherently, covering all relevant aspects, and give direction for improvements. Further evaluation could be done by performing an expert workshop to use the developed principles and cyber framework in practice.


7 Conclusions and recommendations

This chapter presents the main conclusions and contributions, recommendations, the research limitations, a discussion and possibilities for future research.

7.1. Main contributions and conclusions

This research was centred around the main research goal:

To design a cyber framework that helps large organisations to develop a cyber approach.

Together with the construction of the cyber framework, some additional contributions are created. The main contributions of this research are:

1. Identification of issues when dealing with cyber in practice

→ give insight into the

2. Five design principles

→ to support designing a cyber approach aiming at cyber resilience

3. Cyber framework

→ to make clear how the three dimensions cyber governance, risk management and situational awareness together form the core of a cyber approach

→ to support the designing of a cyber approach aiming at cyber resilience

4. First suggestion on operationalisation of cyber resilience

→ to measure the performance of a cyber approach

7.1.1. Issues when dealing with cyber in practice

Based on the interviews, five cyber issues have been identified as problems that occur when dealing with cyber security in practice. A cyber approach should cover these issues and therefore a cyber framework should (indirectly) cover these issues as well.

Issue 1 Parties in cyberspace are highly dependent on each other (Network dependencies)

Every organisation operating in cyberspace is to a certain extent dependent on others. The consequence of these dependencies is that only looking at the own organisation is not enough. Looking at outside developments and trends is the least that should be included in a cyber approach. Furthermore, partnering with other organisations is essential for creating cyber resilience; organisations need to participate together in order to reach a sufficient resilience level.


Issue 2 Dynamics of cyber are larger compared to traditional information security

The environment of organisations in cyberspace changes constantly, and much faster than with traditional information security. This is partly because the connectedness is so high (related to issue 1), but also because technological developments are quite swift. Furthermore, a very diverse set of threat sources and the asymmetry between protecting assets and attacking them make it even more dynamic. Because the dynamics of the environment are so high, time aspects of an approach become even more important.

Issue 3 Assets to protect are constantly getting more diverse

Cyber security covers more than only information; the assets that need protection with cyber security have broadened to also cover services and communication channels. Furthermore, the societal impact of cyber incidents is changing and the soft side (the humans behind the cyber world) is influenced as well. For the day-to-day operations, a lot of services, communications and processes are IT related; for example, even if no information is stolen but the (internal) communication is down due to a cyber incident, this has huge consequences for an organisation. This makes it vital for the success of an approach to also include these in the protection. A consequence of this issue is therefore that in risk management the asset definition needs to be broader, the monitoring should also cover these assets and new developments need to be watched closely.

Issue 4 Incidents in cyberspace can have huge consequences in the physical world

As the incident with the German steel producer in the winter of 2014 and the Stuxnet case show, cyberspace is connected to the physical world and actions in cyberspace can have physical consequences. The possible links between cyberspace and the physical world need to be included in the risk management and situational awareness (both the monitoring and the reacting and recovering).

Issue 5 The general level of cyber resilience is rather low

Often cyber resilience is not at a desired level, if there is even (enough) attention for the subject. This is an important issue, because it influences how actors in cyberspace can (and will) interact with each other without unnecessarily harming their own cyber resilience. A consequence of this issue is therefore that interaction with others in cyberspace should be done with great care.

7.1.2. Design principles

Based on Helbing [6, 42], five principles have been developed. The principles serve two roles: (1) as requirements for a cyber framework (a cyber framework should be compatible with these principles) and (2) as guidelines when designing a specific cyber approach (to support the designer when dealing with trade-offs). Note that the modularisation principle can best be used in the more technical parts of systems, while the local autonomy principle can best be used in the softer parts of a system. A rule of thumb for the second principle: the higher the cyber maturity, the more benefits using local autonomy can offer.

Principle 1 - Use modularisation

A cyber approach will inevitably consist of a system of systems. This principle aims at making the sub-systems as simple as possible, while not oversimplifying. Helbing [6] describes as the main advantage that this helps resilience because it makes it easier to disconnect a sub-system (temporarily), it reduces the connections with other (sub-)systems and therefore makes the complexity more manageable.

Principle 2 - Use local autonomy

Helbing [6] describes three principles which are very closely related: the use of self-organisation, the use of distributed control and the stimulation of diversity, here merged as ‘use local autonomy’. This principle can help resilience, because (organisational) structures that have evolved ‘naturally’ tend to be resilient against disruptions, because they “reconfigure themselves according to ‘their nature’” [6, p. 3]. Related to this, the responsibility (control) should also be local. Helbing states that local autonomy can improve adaptation, to fit local needs. By giving freedom to smaller sections of the organisation, diversity is also stimulated. Due to diversity, some parts keep functioning during a certain disruption. Furthermore, stimulation of diversity improves collective intelligence and innovation, according to Helbing. Of course, guidelines from higher up in the organisation can be made to make sure that the different sub-systems keep operating together.


Principle 3 - Include security from the start

As mentioned by several respondents, security is (still) too often only included at the end of a design. Similar to principle 6 of the ‘privacy by design’ principles [106], security should be included (‘embedded’) from the start of a design and not added later as an add-on. This principle helps resilience, because with all new sub-systems security is thought of from the beginning. Furthermore, it can also be used when a (sub-)system needs an update; from the beginning of the update process, security should be included in the requirements/list of business demands.

Principle 4 - Design with the (end-)user in mind

The (end-)users are essential for the resilience of an organisation. As stated by COBIT (cyber principle 2 [80]) and two independent respondents, the end-users are an essential part of the cyber approach of the organisation. By keeping the (end-)users in mind while designing, they can be stimulated to spot and report any anomalies in a system. Using both ‘use-cases’ and ‘abuse-cases’ (see footnote 1) during the design makes sure that security enables users rather than hindering them in their work, while security is kept at an acceptable level.

Principle 5 - Partner up with others

As, for example, the World Economic Forum [34], the ISF [108], (employees of the) NCSC [101] and many others state, establishing partnerships with others is an essential part of participating in cyberspace responsibly; by combining forces the dynamics can be dealt with better and experiences can be shared, benefiting all actors in the network. Furthermore, internal collaboration helps to deal with all relevant aspects of cyber and helps to reduce the impact of incidents. This also helps to ensure an up-to-date information position, which is essential for a cyber approach. Therefore this fifth principle, partner up, is included as an essential ingredient for becoming more resilient.

7.1.3. Cyber framework

Based on the developed design principles, the elements of standards from the comparison of six major standards and the issues identified from practitioners, a cyber framework has been designed with Hevner’s design science methodology. The framework covers three dimensions: (1) cyber governance, providing the goal/mission of the organisation and the boundary conditions for and the evaluation of the other dimensions, and (2) risk management, covering the long term risk balance with a cycle of assessing the risk, control and monitoring. These two are completed with (3) situational awareness, providing the incident detection (monitoring) and the short term response and recovery, completed with the monitoring of (strategic) developments in the environment. With the addition of situational awareness the framework provides the needed addition to deal with the hyper-connectedness (and its consequences) of cyber. The framework serves (1) as a tool to gain insight into the elements needed in a cyber approach and their relations and (2) as a tool for a designer when designing an approach, to make sure all important elements are included. Due to the important role of situational awareness in the framework, it helps to develop a cyber approach that results in a better cyber resilience of the organisation. The framework is shown in figure 5.1.

7.1.4. Suggestion on measuring cyber resilience

Because of the importance of cyber resilience as an indicator for the performance of a cyber approach (based on the developed principles and framework), a first suggestion on how to measure cyber resilience is made. Six factors based on literature have been formulated:

1. Monitoring effectiveness: could be measured as the average time to discover an incident

2. Response effectiveness: could be measured as the average time it takes to stop further impact on the service level

3. Recovery effectiveness: could be measured as the average time it takes to get back to the desired service level

4. Resources needed for recovery: could be composed of financial, human and social aspects

5. Adaptive capacity: hardest to measure, but could be based on the time needed to respond to changes in the environment

6. Robustness: could be measured as the maximum amount of service impact from which the desired service level can still be restored

1 This phenomenon is for example described by [107] in software development.

These factors need further research in order to become useful, especially on the exact units to measure them on, but they can serve as a good starting point for further research.

7.1.5. Evaluation

The main contributions (end results) have been evaluated with the respondents of the semi-structured interviews. These evaluation interviews have resulted in some additions and changes to the end results of this research. Overall, the respondents considered these artefacts complete and potentially useful when designing a cyber approach. Additionally, the cyber framework has been used to describe the DigiNotar case. This has shown the ability of the framework to support a quick and comprehensive analysis of a case and to help identify improvements to a cyber approach. Further evaluation can be done by expanding the DigiNotar case and by conducting a workshop with experts working together on a case.

7.1.6. Additional insight

This research has shown that participation in cyberspace is important for large organisations, but that to participate responsibly a comprehensive cyber approach is needed. Such an approach should cover the dimensions cyber governance, risk management and situational awareness. Such an approach aims at creating cyber resilience, through which it can help to cope with the complexity of the cyber environment that is created by the hyper-connectedness of cyberspace. Standards can play a key role in the creation of a cyber approach; from the study of the implications of the differences between information security and cyber security and the analysis of different standards, it can be concluded that standards will remain of vital importance for a good cyber approach. However, their role is changing; because of the complexity of (the risks of) participating in cyberspace, a ‘silver bullet’ solution cannot be made. Therefore standards are still useful for high-over requirements and technical implementation, but for the layer in between a more tailor-made approach is needed (which can be constructed with the help of the developed design principles and cyber framework). Standards will still play a key role in cyber security, because part of the way to deal with the complexity of cyber is to cooperate with partners, and standards can help to communicate between partners.

7.2. Research limitations

This is a highly explorative research. Due to the practical limitations of this research, only a limited number of respondents were interviewed, covering only a limited number of disciplines. Especially because this is a fast developing area, not all (new) developments and visions could be incorporated in this research. The fact that this research is aimed at large organisations in general is a limitation in itself; only general conclusions are drawn, which are likely to also hold for a diverse set of disciplines. However, each discipline has its own specific characteristics. To do justice to these individual characteristics, additions to the research contributions can be made for specific disciplines. Still, by conducting a broad literature research including several sources, among them new and state-of-the-art standards, and by making sure the cultural backgrounds of the respondents were diverse, a good overall picture of the field was created in this research. To validate that the framework and design principles can also be used in a diverse set of disciplines, more research is needed, in which more respondents from different areas could be interviewed.

7.3. Discussion

In this section, some thoughts about developments/dilemmas in the cyber security field are provided.


7.3.1. Default door open or door closed?

During the interviews an interesting dilemma came up: should the ‘door’ by default be open or closed? One respondent talked about the hack at a German steel producer at the end of 2014 that caused a factory to close [100]. For safety reasons, the default setting was door open; in that way, during an incident employees could get out safely and people able to solve the incident could get in. This door-open policy is more common in safety related cases (see footnote 2). However, in more security related cases the default setting is door closed; with a safe you want the default setting to be closed. For example, you do not want a safe to open when the power is cut off, because the protection would then fail precisely in the case of a power outage. With cyber, both kinds of goals get intertwined; both safety aspects and security aspects play a role. You do not want intruders to gain free access when a system fails, but in case of an emergency you also want to be able to access systems as fast as possible in order to fix them, especially when physical damage and/or human lives are at stake. Being aware of these conflicting stakes is essential to be able to properly weigh them and to make a choice for the default setting of a specific system.

7.3.2. Partnering up, but with whom?

Related to the fifth principle, partner up, comes a dilemma: to gain more resilience, working together with others (internal and external) is of key importance; however, due to the lack of cyber resilience in the field (issue 5), the own resilience can be harmed by working together with others. So partnering up sounds great, but with whom? And how to make sure that trust is built? Furthermore, sharing intelligence about threats with competing organisations might not be in the direct interest of an organisation. This is one of the great challenges in improving the general level of resilience in the field. A start can be made by setting up an own network of partners with whom the organisation already works together in other fields. This can then slowly be expanded to others. A minimum level of cyber resilience could be required to join, which could be verified by independent experts. However, on what criteria such ‘audits’ should be based is not yet agreed upon in the field. The framework might be able to help in this process, but this needs to be verified in practice. Another possibility is that an independent party, like a government, organises a network in which information can be shared. More on the role of governments is given in the next section.

7.3.3. The role of governments in the dynamic cyber environment

Governments have a special role in the cyber domain. Because cyberspace has become so crucial for the functioning of our society (for example, critical infrastructure like the electricity network is now connected to the cyber domain in a lot of countries), governments have a national safety responsibility to make sure the IT-enabled activities keep functioning. However, the internet has emerged bottom-up, while a government has more of a top-down structure/approach. Like with all new technologies, governments need to find a balance between letting the bottom-up structure of the internet provide the environment for new innovations, while meanwhile making sure that key functions/critical infrastructure are not needlessly endangered. Doing nothing could endanger the functioning of society in the long term, but intervening heavily endangers the advantages cyberspace could offer. A balance should be found in the approach of governments towards cyberspace. Governments can help other actors to create more cyber resilience; as an independent party they can help to connect parties and help to build a bond of trust. On what scale or on what level such bridging should happen is not yet clear; one respondent suggested the creation of a European agency (comparable to the Dutch NCSC) to provide organisations with threat information. However, such an organisation would be at a much greater distance from all organisations than such an agency organised at the national level. On a national level it is easier to build the trust needed for setting up networks to improve resilience. How this will develop is still uncertain; a major incident could set the political mindset for the creation of such a European agency, but otherwise the national networks might turn out to be more efficient due to the trust they are able to generate.

2 For example, with scuba diving the regulator providing air from the tank provides air by default; a mechanism (membrane) is installed to ‘regulate’ the air supply. In this way, when something is broken, in most cases air is still provided, giving the diver the opportunity to keep breathing while reaching the surface safely [116, p. 30].


7.4. Future research possibilities

A lot of research related to cyber approaches and standards can be done. Three possible research topics are discussed further in this section.

7.4.1. Further evaluation of results with an expert workshop

A way to further evaluate the results is to organise (an) expert workshop(s). The goal of such research would be to gain insights into the practical use of the framework. Such a workshop could be organised in three phases. In phase 1 the opinions of experts on the use of standards and the properties of a cyber framework can be explored. In phase 2 the results of this research can be introduced and worked on further in smaller groups based on a case (for example the DigiNotar case). Finally, in phase 3 the results of working with the case can be presented to each other and experiences on how to use the framework and the principles can be shared. Such a setting could provide detailed feedback from experts on the usability and completeness of the results of this research. As a preparation for the workshop, or as a stand-alone additional evaluation, the DigiNotar case, as discussed in chapter 6, or some other cases could be worked out in more detail. A detailed technical architecture can be drawn, an organisational structure can be given, response and recovery plans could be outlined and a (setup) description of processes and protocols can be provided. These can serve (1) as extra feedback on how useful the framework (and principles) are and (2) as the needed input for a workshop with experts.

7.4.2. Measuring cyber resilience and its role in managing an approach

At the end of chapter 5 a first suggestion is made on how to measure cyber resilience. These factors could be the starting point of further research on this topic. This is an important topic, because factors that can measure cyber resilience can support the management of a cyber approach that aims at resilience. This research could be focused on three areas: (1) what are the factors that define cyber resilience, (2) how should they be measured and (3) how can an approach be managed based on these factors? Such a study could consist of a literature study and expert interviews to identify the factors, and a case study (both on paper and in practice) to observe whether these are indeed the correct factors and to see how such a cyber approach can be managed based on these factors.

7.4.3. Develop a decision support framework to select elements of standards

As concluded in this chapter, the role of standards is changing. High-over standards, detailed technical standards and standards that enhance communication are likely to play a major role in the cyber security standards field. However, for a specific cyber approach, elements of standards can still be an important input, either as inspiration or as elements to incorporate fully in the approach. However, as shown in chapter 3, the standards landscape is quite complex; how should elements be chosen from all the standards available, and based on what criteria? Research resulting in the development of a decision support framework to select elements of standards to include in an approach for a specific organisation can help organisations to develop a more ‘tailor-made’ approach to fill the layer between the high-over standards and the technical standards. Such research could start by interviewing practitioners on how their cyber approach was created, what kind of (elements of) standards they used and why.

Bibliography

[1] PayPal Inc., Welcome to the PayPal information centre, (2014), last accessed 2015-05-08.

[2] Consumer Reports, Big brother is watching, (2009), last accessed 2015-05-08.

[3] R. Schürmann, Helft Nederlanders heeft DigiD, (2009), last accessed 2015-05-08.

[4] D. Wall, Cybercrime: The transformation of crime in the information age, Vol. 4 (Polity, 2007).

[5] Nationaal Cyber Security Centrum, Cybersecuritybeeld Nederland 4, (2014), last accessed 2015-09-23.

[6] D. Helbing, Responding to complexity in socio-economic systems: How to build a smart and resilient society? SSRN Electronic Journal (2015), 10.2139/ssrn.2583391.

[7] M. Whitman and H. Mattord, Principles of Information Security (Cengage Learning, 2011).

[8] R. von Solms and J. van Niekerk, From information security to cyber security, Computers & Security 38, 97 (2013), Cybercrime in the Digital Economy.

[9] T. Caldwell, Setting the gold standard, Computer Fraud & Security 2013, 15 (2013).

[10] E. Humphreys, Information security management standards: Compliance, governance and risk management, Information Security Technical Report 13, 247 (2008).

[11] A. R. Hevner, S. T. March, J. Park, and S. Ram, Design science in information systems research, MIS Quarterly 28, 75 (2004).

[12] P. Offermann, S. Blom, M. Schönherr, and U. Bub, Artifact types in information systems design science – a literature review, in Global Perspectives on Design Science Research, Lecture Notes in Computer Science, Vol. 6105, edited by R. Winter, J. Zhao, and S. Aier (Springer Berlin Heidelberg, 2010) pp. 77–92.

[13] Springer, SpringerLink, (2015), last accessed 2015-09-02.

[14] IEEE, IEEE Xplore Digital Library, (2015), last accessed 2015-09-02.

[15] Elsevier, Scopus, (2015), last accessed 2015-09-02.

[16] Elsevier, ScienceDirect, (2015), last accessed 2015-09-02.

[17] SAGE Publications, SAGE Journals, (2015), last accessed 2015-09-02.

[18] John Wiley & Sons, Inc., Wiley Online Library, (2015), last accessed 2015-09-02.

[19] R. Yin, Qualitative research from start to finish, first edition (Guilford Publications, 2011) Chap. 6, pp. 129–154.

[20] R. Prins, Interim Report DigiNotar Certificate Authority breach, Tech. Rep. (Fox-IT BV, 2011).

[21] H. Hoogstraaten, R. Prins, D. Niggebrugge, D. Heppener, F. Groenewegen, J. Wettinck, K. Strooy, P. Arends, P. Pols, R. Kouprie, S. Moorrees, X. V. Pelt, and Y. Z. Hu, Black Tulip, Tech. Rep. (Fox-IT BV, 2012).

[22] T. Joustra, A. Brouwer-Korf, F. Mertens, E. Muller, and J. Visser, Het DigiNotarincident, Tech. Rep. (Onderzoeksraad voor de Veiligheid, 2012).


[23] M. Castells, The network society: From knowledge to policy, (Center for Transatlantic Relations, Paul H. Nitze School of Advanced International Studies, Johns Hopkins University, Washington, D.C., 2005) Chap. 1, pp. 3–21.

[24] H. Zhuge, Cyber-physical society – the science and engineering for future society, Future Generation Computer Systems 32, 180 (2014), Special Section: The Management of Cloud Systems, Special Section: Cyber-Physical Society and Special Section: Special Issue on Exploiting Semantic Technologies with Particularization on Linked Data over Grid and Cloud Architectures.

[25] M. Conti, S. K. Das, C. Bisdikian, M. Kumar, L. M. Ni, A. Passarella, G. Roussos, G. Tröster, G. Tsudik, and F. Zambonelli, Looking ahead in pervasive computing: Challenges and opportunities in the era of cyber–physical convergence, Pervasive and Mobile Computing 8, 2 (2012).

[26] H. M. Salim, Cyber safety: a systems thinking and systems theory approach to managing cyber security risks, Ph.D. thesis, Massachusetts Institute of Technology (2014).

[27] Capgemini Consulting & MIT Sloan Management, The digital advantage: How digital leaders outperform their peers in every industry, (2012), last accessed 2015-09-03.

[28] R. Tadeusiewicz, Threats in cyberspace, NAUKA 4, 31 (2010).

[29] P. Singer and A. Friedman, Cybersecurity and Cyberwar: What everyone needs to know (Oxford University Press, 2014).

[30] J. van den Berg, J. van Zoggel, M. Snels, M. van Leeuwen, S. Boeke, L. van de Koppen, J. van der Lubbe, B. van den Berg, and T. de Bos, On (the emergence of) cyber security science and its challenges for cyber security education, in Proceedings of the NATO STO/IST-122 symposium in Tallinn, October 13-14 2014 (Cyber Security Academy and LDE Center Safety & Security, 2014).

[31] D. Craigen, N. Diakun-Thibault, and R. Purse, Defining cybersecurity, Technology Innovation Management Review 4, 13 (2014).

[32] ISACA, Cybersecurity fundamentals (ISACA, 2014).

[33] M. Cavelty, Cyber-Security and Threat Politics: US Efforts to Secure the Information Age, CSS Studies in Security and International Relations (Taylor & Francis, 2007).

[34] World Economic Forum, Partnering for cyber resilience, (2012), last accessed 2015-08-06.

[35] E. Perkins, Top security trends for 2015-2016, (2015).

[36] M. Simonsson and P. Johnson, Defining IT governance – a consolidation of literature, in The 18th Conference on Advanced Information Systems Engineering, Vol. 6 (2006).

[37] ISACA, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, COBIT® 5 (ISACA, 2012).

[38] Y. Y. Haimes, On the definition of resilience in systems, Risk Analysis 29, 498 (2009).

[39] Oxford Dictionaries, Strategy, (2015), last accessed 2015-09-14.

[40] Independent Evaluation Group World Bank, Governance and management, (World Bank, 2007) Chap. 12, pp. 71–82.

[41] OECD, OECD principles of corporate governance, (2004), last accessed 2014-09-15.

[42] D. Helbing, Globally networked risks and how to respond, Nature 497, 51 (2013).

[43] SANS Institute, Reading room, security trends, (2015), last accessed 2015-09-14.

[44] Sophos Ltd., Security threat trends in 2015, (2014), last accessed 2015-09-14.

[45] M. R. Endsley, Toward a theory of situation awareness in dynamic systems, Human Factors: The Journal of the Human Factors and Ergonomics Society 37, 32 (1995), http://hfs.sagepub.com/content/37/1/32.full.pdf+html.


[46] G. P. Tadda and J. S. Salerno, Cyber situational awareness, (Springer US, 2010) Chap. 2, pp. 15–35.

[47] F. Heintz, J. Kvarnström, and P. Doherty, Bridging the sense-reasoning gap: DyKnow – stream-based middleware for knowledge processing, Advanced Engineering Informatics 24, 14 (2010), Informatics for cognitive robots.

[48] K. Smith and P. A. Hancock, Situation awareness is adaptive, externally directed consciousness, Human Factors: The Journal of the Human Factors and Ergonomics Society 37, 137 (1995), http://hfs.sagepub.com/content/37/1/137.full.pdf+html.

[49] A. A. Nofi, Defining and measuring shared situational awareness, Tech. Rep. (DTIC Document, 2000).

[50] MITRE, Situation awareness, (2015), last accessed 2015-09-14.

[51] S. Russell and P. Norvig, Artificial Intelligence: A Modern Approach (3rd Edition) (Pearson, 2009).

[52] J. Backhouse, C. Hsu, J. C. Tseng, and J. Baptista, A question of trust, Commun. ACM 48, 87 (2005).

[53] J. Mehan, Cyberwar, Cyberterror, Cybercrime: A Guide to the Role of Standards in an Environment of Change and Danger (IT Governance Ltd, 2009).

[54] K.-K. R. Choo, The cyber threat landscape: Challenges and future research directions, Computers & Security 30, 719 (2011).

[55] W. Kleinwachter, From self-governance to public-private partnership: the changing role of governments in the management of the internet’s core resources, Loy. LAL Rev. 36, 1103 (2002).

[56] S. Purser, Standards for cyber security, Best Practices in Computer Network Defense: Incident Detection and Response 35, 97 (2014).

[57] M. Power, The Audit Society: Rituals of Verification (OUP Oxford, 1997).

[58] J. van Praat and H. Suerink, Inleiding ICT-auditing, (Sdu Uitgevers, Den Haag, 2013) Chap. 1, pp. 1–5.

[59] H. Mintzberg, Structure in Fives: Designing Effective Organizations (Prentice Hall PTR, 1983).

[60] L. Teck-Heang and A. M. Ali, The evolution of auditing: An analysis of the historical development, Journal of Modern Accounting and Auditing 4, 1 (2008).

[61] U. Pagallo, Responsibility, jurisdiction, and the future of “privacy by design”, in Investigating Cyber Law and Cyber Ethics: Issues, Impacts and Practices, 1 (2011).

[62] K. Alshitri and A. Abanumy, Exploring the reasons behind the low ISO 27001 adoption in public organizations in Saudi Arabia, in 2014 International Conference on Information Science and Applications (ICISA) (2014) pp. 1–4.

[63] S. Donaldson, S. Siegel, C. Williams, and A. Aslam, Cybersecurity frameworks, in Enterprise Cybersecurity (Apress, 2015) pp. 297–309.

[64] R. Ali, Technological neutrality, Lex Electronica 14 n°2, 2 (2009).

[65] International Organization for Standardization, The ISO story, (2015), last accessed 2015-08-10.

[66] ANSI, Homepage, (2015), last accessed 2015-09-16.

[67] NEN, Homepage, (2015), last accessed 2015-09-16.

[68] ISACA, About ISACA, (2015), last accessed 2015-10-08.

[69] The Institute of Risk Management, Cyber risk and risk management, (2015), last accessed 2015-08-10.


[70] Information Security Forum, About us, (2015), last accessed 2015-09-17.

[71] ETSI, Homepage, (2015), last accessed 2015-09-16.

[72] MITRE, Corporate overview, (2015), last accessed 2015-09-16.

[73] SANS, About SANS, (2015), last accessed 2015-09-16.

[74] ENISA, European Union Agency for Network and Information Security, (2015), last accessed 2015-09-16.

[75] NIST, About NIST, (2015), last accessed 2015-08-12.

[76] M. D. Cohen, J. G. March, and J. P. Olsen, A garbage can model of organizational choice, Administrative Science Quarterly 17, 1 (1972).

[77] MITRE, Cybersecurity standards, (2015), last accessed 2015-09-16.

[78] A. Miller and B. Emslie, UK Cyber Security Standards, Tech. Rep. (Department for Business, Innovation & Skills (conducted by PwC), 2013).

[79] ISACA, What is COBIT 5? (2015), last accessed 2015-08-10.

[80] ISACA, Transforming Cybersecurity: Using COBIT 5 (ISACA, 2013).

[81] R. E. Stroud, Introduction to COBIT 5, (2012), last accessed 2015-08-11.

[82] Cyber risk resources for practitioners, (2014).

[83] International Organization for Standardization, ISO 22301:2012 Societal security – Business continuity management systems – Requirements, (2012), last accessed 2015-09-16.

[84] S. T. . D. Austin, Business continuity – ISO 22301 when things go seriously wrong, (2012), last accessed 2015-09-17.

[85] International Organization for Standardization, ISO 22301:2012 Societal security – Business continuity management systems – Requirements, (2015), last accessed 2015-09-16.

[86] International Organization for Standardization, ISO/IEC 27001 – Information security management, (2015), last accessed 2015-08-10.

[87] M. Kaur and A. Jones, Security metrics – a critical analysis of current methods, in Proceedings of the 9th Australian Information Warfare and Security Conference, Edith Cowan University, Perth Western Australia, 1st December, 2008 (School of Computer and Information Science, Edith Cowan University, Perth, Western Australia, 2008).

[88] Wikipedia, ISO/IEC 27000-series, (2015), last accessed 2015-08-10.

[89] Deloitte, ISO 27032 – Guidelines for cyber security. Deloitte point of view on analysing and implementing the guidelines, (2012), last accessed 2015-08-10.

[90] M. E. Hathaway and A. Klimburg, Cyber security framework manual, (NATO Cooperative Cyber Defence Centre of Excellence, 2012) Chap. 1, pp. 1–43.

[91] National Institute of Standards and Technology, NIST releases Cybersecurity Framework version 1.0, (2014), last accessed 2015-08-10.

[92] The White House, Office of the Press Secretary, Executive order – Improving critical infrastructure cybersecurity, (2013), last accessed 2015-08-13.

[93] PA Consulting Inc., Setting the standard for cyber security – introducing PAS 555, (2015), last accessed 2015-08-07.

[94] PAS 555:2013 Cyber security risk – Governance and management – Specification, (2013).


[95] consultancy.nl, Cyber Security Raad adviseert PAS 555 standaard, (2014), last accessed 2015-09-17.

[96] J. Sherwood, A. Clark, and D. Lynas, SABSA enterprise security architecture, (2009), last accessed 2015-09-21.

[97] International Federation of Accountants, Staff overview – International Standard on Assurance Engagements (ISAE) 3402, Assurance reports on controls at a service organization, (2009), last accessed 2015-09-21.

[98] Nationaal Cyber Security Centrum, ISACs, (2015), last accessed 2015-09-21.

[99] N. Virvilis and D. Gritzalis, The big four – what we did wrong in advanced persistent threat detection? in 2013 Eighth International Conference on Availability, Reliability and Security (ARES) (2013) pp. 248–254.

[100] BBC News, Hack attack causes ’massive damage’ at steel works, (2014), last accessed 2015-08-03.

[101] K. Clark, D. Stikvoort, E. Stofbergen, and E. van den Heuvel, A Dutch approach to cybersecurity through participation, IEEE Security & Privacy 12, 27 (2014).

[102] F. Brooks, No silver bullet: essence and accidents of software engineering, Computer 20, 10 (1987).

[103] The Open Group, Architecture principles, (2006), last accessed 2015-09-03.

[104] T. Dalzell, ed., The Routledge Dictionary of Modern American Slang and Unconventional English (Routledge, 2009).

[105] F. Hanink, The KISS principle, a developer’s must, (unknown date), last accessed 2015-10-10.

[106] A. Cavoukian et al., Privacy by design: The 7 foundational principles, Information and Privacy Commissioner of Ontario, Canada (2009).

[107] P. Hope, G. McGraw, and A. Anton, Misuse and abuse cases: getting past the positive, IEEE Security & Privacy 2, 90 (2004).

[108] R. Stevenson, M. Clement, and J. Creasey, Cyber security strategies: achieving cyber resilience, Tech. Rep. (Information Security Forum, 2011).

[109] T. Susi, M. Johannesson, and P. Backlund, Serious Games: An Overview, Tech. Rep. HS-IKI-TR-07-001 (University of Skövde, School of Humanities and Informatics, 2007).

[110] S. Jansen, I. Immink, A. Slob, and J. Brils, Resilience and water management: a literature review, Tech. Rep. (TNO, 2007).

[111] C. Folke, Resilience: The emergence of a perspective for social–ecological systems analyses, Global Environmental Change 16, 253 (2006).

[112] P. Trimintzios, Measurement Frameworks and Metrics for Resilient Networks and Services: Technical report, Tech. Rep. (ENISA, 2011).

[113] D. Newton, Encyclopedia of Cryptography (Instructional Horizons Inc., Santa Barbara, California, 1997).

[114] Mount Knowledge IT Consultancy, Strong authentication for 2012, (2012), last accessed 2015-11-26.

[115] DigiNotar B.V., 2012-09-18, (2012), last accessed 2015-11-26.

[116] D. Orr and E. Douglas, Scuba Diving Safety (Human Kinetics, 2007).

[117] R. Wieringa, Design science as nested problem solving, in Proceedings of the 4th International Conference on Design Science Research in Information Systems and Technology, DESRIST ’09 (ACM, New York, NY, USA, 2009) pp. 8:1–8:12.


[118] J. Turner and R. Müller, On the nature of the project as a temporary organization, International Journal of Project Management 21, 1 (2003).

[119] Microsoft Inc., Understanding digital certificates, (2015), last accessed 2015-11-29.

[120] T. Viljoen, Deloitte. Cyber security. Empowering the CIO, (2014), last accessed 2015-05-21.

[121] G. B. White, The community cyber security maturity model, in 2011 IEEE International Conference on Technologies for Homeland Security (HST) (2011) pp. 173–178.

[122] RAND Corporation, Cyber warfare, (2015), last accessed 2015-08-13.

[123] M. Rouse, DMZ (demilitarized zone), (2015), last accessed 2015-08-14.

[124] D. Fischer, What is a man-in-the-middle attack? (2013), last accessed 2015-11-29.

[125] J. R. Boyd, The essence of winning and losing, Unpublished lecture notes (1996).

[126] R. Basu, Implementing Quality: A Practical Guide to Tools and Techniques (Cengage Learning EMEA, 2004).

[127] R. Bidou, Security operation center concepts & implementation, (2005), last accessed 2015-08-14.

Appendices

A Design science research method

In this appendix the design-science methodology is discussed further. After the research goal and the sub-questions as presented in chapter 1 are repeated for the overview, a short introduction to the methodology and why it is useful for this research is given. Then the design-science research framework is discussed in relation to this research. Finally, the design guidelines from [11, pp. 83] are discussed for the designed artefact.

A.1. Research goal and sub-questions

For the overview, the research goal and sub-questions as presented in chapter 1 are also shown here:

Research goal: To design a cyber framework that helps large organisations to develop a cyber approach.

Sub-questions:
1. What is the importance of a cyber approach?
2. What are the relevant cyber security standards for large organisations and how can they support a cyber approach?
3. What are the issues organisations need to deal with in a cyber approach in practice, especially regarding standards?
4. Given the answers to the previous questions, what would a cyber framework for large organisations look like?
5. Is the designed framework useful for large organisations?

A.2. Introduction to design science research method

The design science methodology is a scientific way to design something practical that produces new scientific knowledge as well. As Wieringa argues, design-science research connects practical problems and knowledge problems and deals with the mutual nesting between the two [117]. While practical problems seek to influence the world so “it can better agree with some stakeholder goals” [117, pp. 1], knowledge problems do not seek to change or influence the world, but to understand it better. Both are valid research, but they require different methods because they have different end goals. The mutual nesting requires design-science research to use a specific set of research methods, resulting in a contribution to both (a) knowledge problems and (b) practical problems. In his fundamental work for design science, Hevner et al. [11] linked the business need for the development of artefacts and the scientific value of developing theories about these artefacts, which can be added to the shared knowledge base of design scientists. Note that for artefacts to be designed in such a way that they can influence the world as desired by some actors’ goals, (some) scientific knowledge about the world is essential; so the business environment and the scientific knowledge base need each other. Hevner et al. provided this methodological context with the help of a framework which shows the interface between design science, the (social) environment and the scientific knowledge base. Wieringa made some additions to this framework in order to better include the mutual nesting of knowledge and practical problems. To place this research in a scientific context, the frameworks of Wieringa and Hevner et al. have been combined, as shown in figure A.1.

This research deals with both practical problems and knowledge problems. Practical problems arise when organisations need to think about their cyber approach: What is needed for a (complete) cyber approach? Who should be responsible for what? How can standards help our approach? These are examples of practical questions. However, there are also related knowledge questions: What makes cyber security different from information security? How do the different dimensions of a cyber approach relate to each other? Both categories need sufficient answers in order to deal with the practical and the theoretical side of the cyber approaches of large organisations. In the next section, the relation between each element of figure A.1 and this research is discussed.

A.3. Design science research framework

The framework of Hevner et al. and Wieringa basically consists of four elements and the relations between them. First of all there is the environment, consisting of people, organisations, technology and regulations. For this research, the environment is heavily influenced by the standards available. Furthermore, technological developments shape the environment because they determine both the threats and the opportunities of participating in cyberspace. From the environment, the business needs have been distilled; by combining the principles from chapter 2, the elements of standards from chapter 3 and the issues from practitioners from chapter 4, the high-over demands for a cyber framework have been identified. The (practical) relevance of this research is that it helps organisations to set up a cyber approach in order to deal with the dynamics of cyberspace. The practical problems relate strongly to the environment. As already stated in the questions above, the practical problems tackled in this research relate to organisations’ approach towards cyberspace. These are captured in sub-questions 4 and 5 of this research.

On the right side of the figure are the knowledge problems. The knowledge problems relate strongly to the practical problems; the need to solve them comes from the practical urge for them, and to gain that knowledge, input from practice is needed. Sub-questions 1, 2 and 3 relate to the knowledge problems discussed in this research. The knowledge base consists of theories, frameworks, models etc. related to cyber security. This knowledge comes from experience, theoretical research, etc. The development of standards, and the knowledge that can be abstracted from them, is also an important factor. The rigor of this research lies in describing the need for and the relations between the three dimensions cyber governance, risk management and situational awareness.

The designed artefact contributes to the environment, because it can be applied by large organisations, and it contributes to the knowledge base because of the aspects and dimensions of cyber security that are researched in order to design the artefact. The interviews contributed to specifying the needs for the artefact from the environment and the practical use of standards, while the literature research provided answers to the knowledge questions relevant for a cyber approach. The expert validation and the case study made sure that the designed artefact is indeed useful for the stakeholders’ needs; in this case the cyber approach of large organisations can be better designed with the help of the designed artefact.


Figure A.1 shows the design-science research framework derived from Wieringa and Hevner et al., including the positioning of the sub-questions.

[Figure A.1 (diagram): Design-science research, with Relevance on the left and Rigor on the right. Environment (People, Organisations, Technology, Regulations) → Business needs → Practical problems (Q4+Q5) ↔ Mutual nesting ↔ Knowledge problems (Q1+Q2+Q3) ← Applicable knowledge ← Knowledge base (Theories, frameworks, models, etc.). Below: Application in the appropriate environment (left) and Additions to the knowledge base (right).]

Figure A.1: Design-science research framework (based on [11, pp. 80, figure 2] and [117, pp. 10, figure 5])

A.4. Design science research guidelines

Table A.1 shows the research guidelines as described by Hevner et al. [11], complemented with how the guidelines are used in this research.


Table A.1: Design-science research guidelines (obtained from [11, pp. 83, table 1])

Guideline 1: Design as an Artefact
Description from Hevner et al.: Design-science research must produce a viable artefact in the form of a construct, a model, a method, or an instantiation.
In this research: A framework has been created as a viable artefact. It is presented in figure 5.1.

Guideline 2: Problem Relevance
Description from Hevner et al.: The objective of design-science research is to develop technology-based solutions to important and relevant business problems.
In this research: The objective is to design a cyber framework. This approach combines technological elements and it aims to help handle the relevant business problem of keeping an organisation secure while participating in cyberspace. See also section A.1 or 1.2 for the complete objective.

Guideline 3: Design Evaluation
Description from Hevner et al.: The utility, quality, and efficacy of a design artefact must be rigorously demonstrated via well-executed evaluation methods.
In this research: Evaluation with the help of an expert evaluation and a small case study is done in order to demonstrate the utility, quality and efficacy of the designed models.

Guideline 4: Research Contributions
Description from Hevner et al.: Effective design-science research must provide clear and verifiable contributions in the areas of the design artefact, design foundations, and/or design methodologies.
In this research: The contribution to the area of the designed artefact is that the mutual relation between the three dimensions (cyber governance, risk management and situational awareness) and cyber resilience is shown coherently.

Guideline 5: Research Rigor
Description from Hevner et al.: Design-science research relies upon the application of rigorous methods in both the construction and evaluation of the design artefact.
In this research: The methods used, literature research and semi-structured interviews for the (preparation of the) construction and expert interviews and a case study for the evaluation, are rigorous methods.

Guideline 6: Design as a Search Process
Description from Hevner et al.: The search for an effective artefact requires utilizing available means to reach desired ends while satisfying laws in the problem environment.
In this research: With multiple iterations, the cyber framework is created. For the overview only the final version is presented.

Guideline 7: Communication of Research
Description from Hevner et al.: Design-science research must be presented effectively both to technology-oriented as well as management-oriented audiences.
In this research: Because the artefact is especially organisationally oriented, the presentation is more focused on the management-oriented audience. However, the technology-oriented audience can easily connect technological details (from standards, or their own architectures) within the approach, so the technology-oriented audience is also served by the presentation of the designed artefact.

B Interview outline and questions

In this appendix the general outline of the expert interviews is presented, with a time estimate per part.

Introduction (~ 5’)
• About myself
• About my thesis project
  – Goals of the project
  – Explain different phases and role of this interview
• Discuss length of interview
• Discuss themes of the interview
  → (1) Best practices and standards, (2) cyber governance, (3) risk management, (4) situational awareness, and (5) general cyber experiences
• Discuss agreements
  – about anonymity and secrecy
  – recording of the interview
  – sending the transcript
  – sending the final thesis (public version)

Main interview (~ 60’)

0 Function of respondent within his/her organisation (~ 5’)
• What is your function?
• What is your background?
• What are your responsibilities?
• …

1 Best practices and standards (~ 15’)
• How would you describe your cyber approach?
  → What are the elements of your cyber approach?
• Are you satisfied with your current cyber approach?
• How did your organisation come up with this cyber approach?
• How flexible is your approach?
• How do you keep your cyber approach up-to-date? (OODA or PDCA, or …)
• Have you used best practices to come up with your current cyber approach? Which?
• What standards do you use?
  → And what others do you know?
  → And why not use those?
• What are you missing in the standards currently available?
• What do you need to make better decisions about standards?
• …

2 Cyber governance (~ 10’)
• What organisational structure do you have to govern your activities in the cyber domain?
• How do you report (internally) about your cyber approach?
• Could you describe your cyber governance (process)?
• What are you currently missing in your cyber governance? Or what issues occur in practice?
• …

3 Risk management (~ 10’)
• How would you describe/define risk management?
• How do you estimate the risks for your organisation?
• How do you decide which amount of risk is acceptable?
• Where could your risk management be improved?
• …

4 Situational awareness (~ 10’)
• How do you monitor possible threats?
• How would you describe/define situational awareness?
• Do you use real-time monitoring?
• How do you make sure you keep monitoring the right things?
• …

5 General experiences with cyber security (incidents) (~ 10’)
• What are, according to you, the biggest issues currently in cyber security?
• What are the biggest challenges for your organisation?
• Would you call your organisation ‘cyber resilient’?
• Did you have a cyber incident recently?
  → Were you happy with the response?
• To what extent do you work together with other companies/government organisations for your cyber security? (National Cyber Security Centre (NCSC), other PPPs or commercial partners?)
• What achievements in/elements from your cyber approach make you really proud?
• …

Concluding (~ 5’)
• Shortly summarise
• Check if all relevant issues have been discussed
• Repeat agreements made
• Ask what the respondent thought of the interview
• Thank the respondent

Total time ~ 70’


C Elaboration on the seven suggested design principles for cyber

In this appendix the five suggested design principles for cyber from chapter 5 are presented in the format recommended by The Open Group [103].

Principle 1 - Use modularisation

Table C.1: Design principle 1 - Use modularisation

Name: Design principle 1 - Use modularisation
Statement: Make sub-systems of a cyber approach as simple as possible, without oversimplifying.
Rationale: By making the interaction of sub-systems as simple as possible, the complexity between those systems is minimised and isolation of sub-systems is made easier, which both improve the resilience of the system as a whole.
Implications:
→ Fewer interactions between systems, so complexity is easier to manage
→ Also easier to (temporarily) ‘cut off’ a (sub-)system if necessary


Principle 2 - Use local autonomy

Table C.2: Design principle 2 - Use local autonomy

Name: Design principle 2 - Use local autonomy
Statement: Let sub-parts of the organisation decide their own organisational structure, let them be responsible and stimulate diversity (within some boundaries from the main organisation)
Rationale: Organisational structures of ‘naturally evolved’ organisations tend to be resilient against disruptions, because they “reconfigure themselves according to ‘their nature’ ” [6, pp. 3]. Furthermore, local autonomy can improve adaptation to fit local needs and diversity can make the system of systems less vulnerable to a single disruption at one of the (sub-)systems.
Implications:
→ More resilience due to local optimisation
→ More efficient cyber approach due to ‘forces within the system’ instead of ‘forcing the system’
→ Enables quick reactions to incidents
→ Improves collective intelligence and innovation
→ Interoperability should be guarded though!

Principle 3 - Include security from the start

Table C.3: Design principle 3 - Include security from the start

Name: Design principle 3 - Include security from the start
Statement: Include security from the beginning of the development or update of a (sub-)system (embedded security)
Rationale: When security is included from the start of development/update it will not be forgotten and can function as optimally as possible
Implications:
→ Ensures adoption of security in the design
→ Ensures efficient implementation of security


Principle 4 - Design with the end-user in mind

Table C.4: Design principle 4 - Design with the end-user in mind

Name: Design principle 4 - Design with the end-user in mind
Statement: Keep the implications for and role of the (end-)users in mind during the design of a cyber approach
Rationale: The end-users can be the most important asset for the protection and also the greatest weak spot; when security enables users, they can contribute to the security
Implications:
→ End-users should be stimulated to develop awareness and knowledge
→ The end-users should be involved in the development process as soon as possible
→ The use- and abuse-cases can ensure an optimal form of enabling users in a secure way

Principle 5 - Partner up

Table C.5: Design Principle 5 - Partner up

Name: Design principle 5 - Partner up
Statement: Work together with other actors on your cyber approach (both externally and internally)
Rationale: By combining forces the dynamics can be better dealt with and experiences can be shared among each other, benefiting all actors in the network
Implications:
→ Standards for communication purposes will play a key role
→ Investing in relationships will become more important
→ Improves the information position to know what to protect


D Coverage/compatibleness of elements of standards in cyber framework

In this appendix the coverage/compatibleness of elements of the six standards that are compared in chapter 3 is shown.

Standard | Table number
COBIT 5 | Tables D.1 and D.2
IRM Cyber risk resources for practitioners | Table D.3
ISO 22301 | Table D.4
ISO 27001 | Table D.5
NIST framework for cyber security | Table D.6
PAS 555 | Table D.7

Table D.1: Coverage of COBIT 5 in cyber framework (Part I)

Element of standard | Coverage/compatibleness
Principle 1 - Meeting stakeholders needs | Embedded in the goal/mission of the organisation (governance)
Principle 2 - Covering the enterprise end-to-end | A cyber approach can cover the enterprise end-to-end, due to the use of the three dimensions
Principle 3 - Applying a single integrated framework | Cyber approach can serve as a basis for a single integrated framework
Principle 4 - Enabling a holistic approach | A cyber approach set up with the framework can be that holistic approach
Principle 5 - Separating governance from management | With governance as a separate dimension, the management mainly takes place at the organisational parts where the risk management and situational awareness is managed and is therefore separated


Table D.2: Coverage of COBIT 5 in cyber framework (Part II)

Element of standard | Coverage/compatibleness
Cyber principle 1 - Know the potential impact of cyber crime and cyber warfare | This is covered in the risk management cycle and the analysis of intelligence in situational awareness
Cyber principle 2 - Understand end users, their cultural values and their behaviour patterns | This is not directly covered in the cyber framework, but is covered by the suggested principle 5 (see table C.5)
Cyber principle 3 - Clearly state the business case for cyber security, and the risk appetite of the enterprise | The business case is covered in the ‘Oversight, evaluation and monitoring long term’ block of governance and the risk appetite is covered in governance and risk management (as risk acceptance)
Cyber principle 4 - Establish cyber security governance | This is covered by the dimension cyber governance
Cyber principle 5 - Manage cyber security using principles and enablers | This is not directly covered by the cyber framework, but is compatible with this framework
Cyber principle 6 - Know the cyber security assurance universe and objectives | This is covered in the risk management and dependencies (analysis) in situational awareness
Cyber principle 7 - Provide reasonable assurance over cyber security | This is covered by the risk management cycle
Cyber principle 8 - Establish and evolve systemic cyber security | By using the cyber framework a systematic cyber security is established
Process area 1 - Evaluate, direct and monitor | This is covered by the ‘Oversight, evaluation and monitoring long term’ part of governance
Process area 2 - Align, plan and organise | Alignment is covered by the different flows between the dimensions
Process area 3 - Build, acquire and implement | This is not directly covered by the cyber framework, but is compatible with this framework
Process area 4 - Deliver, service and support | This is not directly covered by the cyber framework, but is compatible with this framework
Process area 5 - Monitor, evaluate and assess | This is covered in each dimension


Table D.3: Coverage of IRM Cyber risk resources for practitioners in cyber framework

Element of standard | Coverage/compatibleness
‘Governance and assurance’ questions - effectiveness and integration, responsibilities, risk appetite, agility, investments, culture and auditing | The questions in this category are covered by the blocks from cyber governance
‘Understanding the risk’ questions - identification of different kinds of assets, impact, and 3rd party dependencies | These questions are mainly covered by the risk management cycle, completed with the dependencies block from situational awareness
‘Incident response’ questions - detection, response, business continuity and accountability | The questions in this category are covered by the situational awareness cycle from the cyber framework
‘Training’ questions | These questions are not directly covered in the cyber approach. However, principle 5 (C.5) strongly relates to the development of users as well, so the cyber framework is compatible with the training questions

Table D.4: Coverage of ISO 22301 in cyber framework

Element of standard | Coverage/compatibleness
Establish (Plan) | This is not directly covered by the cyber framework, but is compatible with this framework. The plans are made in the governance dimension and are related to the monitoring of the performance and the mission/goal of the organisation
Implement and operate (Do) | This is not directly covered by the cyber framework, but is compatible with this framework. The implementation takes place at the dimensions risk management and situational awareness
Monitor and review (Check) | This is part of the monitoring of the performance as part of governance
Maintain and improve (Act) | This is not directly covered by the cyber framework, but is compatible with this framework. Maintain and improve are initiated in the governance though


Table D.5: Coverage of ISO 27001 in cyber framework

Element of standard | Coverage/compatibleness
Control area 5 - Information security policies | This is covered in the ‘Organisational structure’ block of governance
Control area 6 - Organisation of information security | This is covered in the ‘Organisational structure’ block of governance
Control area 7 - Human resources security | This is not directly covered by the cyber framework, but is compatible with this framework
Control area 8 - Asset management | This is covered by the ‘Asset repository’ and ‘control’ block of the risk management
Control area 9 - Access control | This is not directly covered by the cyber framework, but is compatible with this framework
Control area 10 - Cryptography | This is not directly covered by the cyber framework, but is compatible with this framework
Control area 11 - Physical and environmental security | This is outside of the scope of this framework, so this is not (directly) covered
Control area 12 - Operations security | This is not directly covered, but an important aspect of the implementation of a specific cyber approach
Control area 13 - Communications security | This is not directly covered, but an important aspect of the implementation of a specific cyber approach
Control area 14 - System acquisition, development and maintenance | This is not directly covered, but an important aspect of the implementation of a specific cyber approach
Control area 15 - Supplier relationships | This is not directly covered, but related to the dependencies with external parties from the situational awareness
Control area 16 - Information security incident management | Incident management is covered in the situational awareness cycle
Control area 17 - Information security aspects of business continuity management | This is not directly covered in the cyber framework, but business continuity management is strongly related to the creation of resilience, so indirectly this is covered
Control area 18 - Compliance | This is not directly covered by the cyber framework, but is compatible with this framework


Table D.6: Coverage of NIST framework for cyber security in cyber framework

Element of standard | Coverage/compatibleness
Function 1 - Identify | This function is covered by the risk management cycle, specifically the ‘assess the risk’ block
Function 2 - Protect | This function is covered by the risk management cycle, specifically the ‘control’ block
Function 3 - Detect | This function is covered by the ‘monitor’ block of the situational awareness cycle
Function 4 - Respond | This function is covered by the ‘Respond’ block of the situational awareness cycle
Function 5 - Recover | This function is covered by the ‘Recover’ block of the situational awareness cycle

Table D.7: Coverage of PAS 555 in cyber framework

Element of standard | Coverage/compatibleness
Security leadership and governance clauses | These clauses are covered by the governance block, some indirectly (clause 6 business architecture strategy, clause 7 capability development strategy and clause 11 compliance with legislation and other standards), the others directly
Risk assessment | This clause is covered by the risk management cycle, specifically the blocks ‘assess the risk’ and ‘asset repository’
Protection and mitigation | This clause is covered by the risk management cycle, specifically the blocks ‘control’ and the response and recover plan. Note that physical security is only indirectly part of the scope of this framework; the part that is linked to cyberspace is part of the physical security, the other aspects are not (although this framework is compatible with that)
Direction and response | This clause is covered by the situational awareness cycle, specifically the internal and external monitoring and the ‘respond’ block
Recovery | This clause is covered by the ‘recover’ block of the situational awareness cycle of the cyber framework
Compliance analysis and continual improvement | This clause is only covered indirectly through the ‘Oversight, evaluation and monitoring long term’ block of governance


E Questionnaire for validation of results

In this appendix the questionnaire as sent by e-mail to the respondents is provided.

Thanks again for participating in this research. Your input has been of great importance for the end results of this research. If you could answer the questions below with a few sentences, I can validate the end results of my research. This questionnaire is about the summary of the results of my research, which can be found as an attachment to this e-mail. Your answers will stay confidential and anonymity is guaranteed.

1 Cyber issues identified

Based on the several interviews, I have filtered out four main issues that professionals working in cyber security (you) have to deal with. These are discussed on page 1 and 2 of the ‘Summary of end results for validation’ document.

1. Parties in cyberspace are highly dependent on each other (Network dependencies)
2. Dynamics of cyber are larger than with information security
3. Assets to protect are broader (including services & communication)
4. Cyberspace is linked with the physical world

Questions:

1.1 Do you recognise the issues identified? Please explain.

1.2 Do you miss anything in the cyber issues?

1.3 Would you like to add an issue or issues? Why?

2 Design principles for a cyber approach

Based on literature research and the input from the interviews, seven cyber principles are suggested to use when designing a new cyber approach. The principles are discussed on page 2 and 3 of the ‘Summary of end results for validation’ document. Principles:


1. Use modularisation
2. Use self-organisation
3. Use distributed control
4. Stimulate diversity
5. Design with the (end-)users in mind
6. Frequently (re-)consider the assets to protect
7. Partner up with others

Questions:

4 What would you add to the principles? Why?

5 What principles would you change or leave out at all? Why?

6 Do you think these principles could be useful when designing a cyber approach?

3 Cyber approach framework

Based on literature research, the input from the interviews and a comparison of several standards, a cyber approach framework has been designed. This framework shows the basic elements a cyber approach should have and how they relate to each other. The framework is discussed on page 3 and shown on page 5 of the ‘Summary of end results for validation’ document. Questions:

7 Do you think the cyber approach framework is complete? What would you add or leave out?

8 Do you think this cyber approach framework could be useful when designing or evaluating a cyber approach?

4 Operationalisation of cyber resilience

In order to measure the performance of a cyber approach, an operationalisation of cyber resilience is suggested. The operationalisation consists of the following elements:

• Monitoring efficiency
• Respond efficiency
• Recover efficiency
• Resources needed for recovery
• Adaptive capacity
• Robustness

The operationalisation of cyber resilience is discussed on page 3 & 4 and further illustrated with two figures on page 6 of the ‘Summary of end results for validation’ document. Questions:


9 Do you think all components of cyber resilience are covered in the definition? What would you add or leave out?

10 Do you think this operationalisation of cyber resilience is useful in practice? If applicable, what would you change to make it useful?

5 Final remarks

Do you have anything to add? Please fill in your remarks below. Questions:

11 Do you want to add something about the summary of the results or this questionnaire? Please fill them in here.

Thanks again for participating!


Acronyms

APT ...... Advanced Persistent Threat

CA ...... Certificate Authority, see also Certificate Authority
CGEIT ...... Certified in the Governance of Enterprise IT
CIA ...... Confidentiality, Integrity and Availability
CISA ...... Certified Information Systems Auditor
CISM ...... Certified Information Security Manager
CISO ...... Chief Information Security Officer
CSA ...... Cyber Security Academy

DMZ ...... Demilitarised zone. See also Demilitarised zone

ENISA ...... European Union Agency for Information and Network Security

HR ...... Human Resources

ICT ...... Information and Communication Technology
IDPS ...... Intrusion Detection/Prevention System
IFAC ...... International Federation of Accountants
ISAC ...... Information Sharing and Analysis Centre
ISACA ...... originally ‘Information Systems Audit and Control Association’, however now only used as an acronym [68]. See also ISACA
ISMF ...... Information Security Management Framework
ISO ...... International Organisation for Standardisation

KISS ...... Keep it simple stupid, see also KISS-principle
KPI ...... Key Performance Indicator

MITM ...... Man-in-the-Middle attack, see also Man-in-the-middle-attack

NCSC ...... National Cyber Security Centre. See also NCSC
NIST ...... National Institute for Standards and Technology

OODA ...... Observe, Orient, Decide, Act. See also OODA

PDCA ...... Plan, Do, Check, Act/Adjust. See also PDCA
PKI ...... Public Key Infrastructure, see also PKI
PPP ...... Public Private Partnership


SABSA ...... Sherwood Applied Business Security Architecture, see also SABSA

SCADA ...... Supervisory Control and Data Acquisition
SOC ...... Security Operations Centre. See also SOC

TNO ...... Dutch Organisation for applied scientific research

WEF ...... World Economic Forum

Glossary

Certificate Authority A Certificate Authority (CA) is an organisation playing a key part in a PKI (see PKI); they provide the certificates which users can check to verify identities online [119].

CIA principle The CIA principle is the principle from information security that stands for confidentiality, integrity and availability. Confidentiality means that the information is only seen by the persons who need to see it, integrity means that the information that is shown is accurate and consistent and availability means that the information is available when needed.

Cyber approach Cyber approach is the way an organisation approaches cyberspace with all its direct and indirect IT-enabled activities both in technical and socio-technical aspects, especially in the dimensions cyber governance, risk management and situational awareness.

Cyber governance Cyber governance is the preparation for, making of, and implementation of decisions regarding goals, processes, people and technology related to cyber activities on tactical and strategic level. Based on [36].

Cyber maturity Cyber maturity is a way to describe how far an organisation is with organising its cyber security. Maturity levels are for example defined by Blue Coat, Deloitte [120] and “The community cyber security maturity model” [121].

Cyber resilience Cyber resilience is the ability of an organisation to withstand a (major) disruption (with prevention, repression and mitigation) and to recover within an acceptable time and composite costs and risk. Based on [38].

Cyber security Cyber security is the organization and collection of resources, processes, and structures used to protect specific assets in cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights. Obtained from [31, pp. 13].

Cyber warfare Cyber warfare involves the actions by a nation-state or international organization to attack and attempt to damage another nation’s computers or information networks through, for example, computer viruses or denial-of-service attacks. Obtained from [122].

Cyberspace Cyberspace is the realm of computer networks (and the users behind them) in which information is stored, shared, and communicated on-line. Obtained from [29, pp. 13].

Demilitarised zone A demilitarised zone is a physical or logical sub-network that separates an internal local area network (LAN) from other untrusted networks, usually the internet [123]. The DMZ connects the untrusted network to the trusted network, but it exists in its own independent space to limit access and availability of resources. The key benefits of this system are that an intruder must penetrate three separate devices, private network addresses are not disclosed to the Internet, and internal systems do not have direct access to the Internet [32, pp. 45].


ISACA ISACA is an independent non-profit developer of knowledge and practices for information systems. It was founded in 1969 and has an information auditing background. Now the focus is more on a broad range of IT governance [79].

KISS-principle The KISS-principle (Keep it simple stupid) is a design principle which originates from the US Navy from 1960 according to [104, pp. 596] and is now used in many different fields like for example software engineering [105].

Man-in-the-middle-attack A Man-in-the-middle-attack is an attack where “the attacker [places] himself, or his malicious tools, between the victim and a valuable resource, such as a banking Website or email account.” [124].

NCSC The National Cyber Security Centre (NCSC) is the Dutch part of the central government that has as mission to help increase the resilience of Dutch society in the digital domain and, by doing so, help to create a safe, open and stable information society [5].

OODA The OODA loop refers to the decision cycle of observe, orient, decide, and act, developed by John Boyd [125].

PDCA PDCA stands for the Plan, Do, Check and Act cycle [126], also used in ISO 22301 [83].

PKI Public Key Infrastructure (PKI) is a framework in which online authentication is made possible. With the use of public keys (known to everyone), private keys (kept secret) and verification from a trusted third party (often a Certificate Authority), messages can be sent online while making sure only the intended receiver can read them [119].

Risk management Risk management is managing the risks related to cyber activities both from the technical and the socio-technical layer of cyberspace. Obtained from [30].

SABSA Sherwood Applied Business Security Architecture (SABSA) “is a methodology for developing risk-driven enterprise information security and information assurance architectures and for delivering security infrastructure solutions that support critical business initiatives” [96, pp. 1].

Situational awareness Situation[al] awareness is the perception of the elements of the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future. Obtained from [45, pp. 36].

SOC A Security Operations Centre (SOC) is a generic term describing part or all of a platform whose purpose is to provide detection and reaction services to security incidents. According to this definition Bidou distinguishes five operations to be performed by a SOC: security event generation, collection, storage, analysis and reaction [127, pp. 1].

