A Meta-Study on the Key Issues for Organisations to Implement Cyber

INSTITUTE OF SECURITY AND GLOBAL AFFAIRS
FACULTY OF GOVERNANCE AND GLOBAL AFFAIRS – LEIDEN UNIVERSITY
MASTER THESIS CRISIS AND SECURITY MANAGEMENT

Cyber resilience in organisations
A meta-study on the key issues for organisations to draft a cyber resilience policy

Program: Master Crisis and Security Management
Student: Meret Keeris
Student number: 2106183
Date of submission: 13 January 2019
Subject: Cyber resilience in organisations
Word count: 19954
Thesis Supervisor: Dr. E. de Busser
Second Reader: Dr.ir. V. Niculescu-Dinca

Cyber resilience in organisations – Master Thesis – Meret Keeris

Contents

1. Introduction (p. 3)
2. Context (p. 5)
   2.1 Current frameworks (p. 5)
   2.2 Need for research (p. 6)
3. Methods (p. 7)
   3.1 Literature review (p. 7)
   3.2 Case studies (p. 8)
4. Introduction to the topic (p. 10)
   4.1 Definitions and bordering concepts (p. 10)
   4.2 Cyber security versus cyber resilience (p. 11)
   4.3 The need for cyber resilience (p. 12)
   4.4 Cyber resilience of European organisations (p. 13)
5. Literature analysis (p. 17)
   5.1 Factor 1: Understanding the organisation (p. 17)
       5.1.1 Organisational identity: culture, awareness, behaviour (p. 17)
       5.1.2 Asset identification (p. 19)
   5.2 Factor 2: Effective management (p. 20)
       5.2.1 Risk assessments (p. 20)
       5.2.2 Financial resources (p. 21)
       5.2.3 Deciding on measures (p. 22)
       5.2.4 Roles and Responsibilities (p. 23)
       5.2.5 Response (p. 24)
   5.3 Factor 3: The cyber chain (p. 26)
       5.3.1 Interdependencies (p. 26)
       5.3.2 Cooperation (p. 27)
       5.3.3 Ecosystem (p. 28)
   5.4 Factor 4: Regulation (p. 29)
       5.4.1 Purpose of regulation (p. 29)
       5.4.2 Regulation on the protection of critical infrastructures (p. 30)
       5.4.3 Regulation on data protection (p. 32)
6. Case studies (p. 37)
   6.1 Case study 1: The DigiNotar incident (p. 37)
       6.1.1 The hack explained (p. 37)
       6.1.2 Technical security of DigiNotar's systems (p. 39)
       6.1.3 Awareness, assets and risks (p. 39)
       6.1.4 Roles and responsibilities (p. 40)
       6.1.5 Response (p. 41)
       6.1.6 The cyber chain (p. 41)
       6.1.7 Regulation (p. 42)
       6.1.8 Recommendations of the Dutch Safety Board (p. 42)
       6.1.9 Response of the Dutch governmental crisis structure (p. 44)
   6.2 Case study 2: The WannaCry attack at the NHS England (p. 45)
       6.2.1 The attack explained (p. 45)
       6.2.2 Technical security of NHS's systems (p. 46)
       6.2.3 Awareness, assets and risks (p. 46)
       6.2.4 Roles and responsibilities (p. 46)
       6.2.5 Response (p. 47)
       6.2.6 The cyber chain (p. 48)
       6.2.7 Recommendations of the NAO (p. 48)
7. Discussion and Conclusions (p. 49)
   7.1 Discussion of results (p. 49)
   7.2 Conclusions (p. 54)
   7.3 Limitations of the research (p. 55)
   7.4 Future research options (p. 55)
Bibliography (p. 57)

1. Introduction

Yearly, 1.5 million cyber-attacks translate to 4000 attacks every day, 170 per hour and almost three every minute (Deloitte, 2016), with an average cost of US$3.86 million for each successful attack that results in a breach, and an average time to identify a breach of 196 days (IBM, 2018). These numbers demonstrate the difficulty of securing cyberspace. High-pace developments in technology constantly throw up new challenges (Linkov, 2013). Organisations can therefore no longer deny the need for cyber security and are urged to implement security measures. However, the rising number and complexity of cyber-attacks make preventing cyber incidents a difficult – if not impossible – endeavour. Rather than aiming to prevent cyber incidents from happening, the focus has shifted towards cyber resilience, which helps organisations to bounce back, minimise the impact and ensure process continuity (Conklin, 2017). Furthermore, cyber resilience is not a merely technical issue, but encompasses organisational, business, financial and legal aspects (Van der Meulen, 2015). Technology is the accessory, and for organisations to improve cyber resilience there is a need for a comprehensive approach that considers the multiple dimensions and aspects of the issue. Current cyber resilience frameworks offer clear overviews of the five main steps in the process towards cyber resilience, but often lack the wider organisational context and a connection to practice (Bagheri, 2017; Knapp, 2009). This thesis presents a comprehensive overview of the issues that are currently left out, underexposed, or sprawled across the literature on cyber resilience. It adopts a helicopter view of the literature and combines strategic, organisational and legal perspectives to increase the understanding of organisations and academics of the non-technical aspects of cyber resilience.

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 66 pages
