Towards a cyber approach for large organisations

Title: Towards a cyber approach for large organisations
Author: Verkerke, A.T.
Contributors: Van Den Berg, J. (mentor); Hulstijn, J. (mentor); Van Gelder, P.H.A.J.M. (mentor); Bulder, E. (mentor)
Faculty: Technology, Policy and Management
Department: Information and Communication Technology
Programme: Systems Engineering, Policy Analysis & Management (SEPAM)
Date: 2015-12-15

Abstract:

Participation in cyberspace is of key importance for large organisations (and for the functioning of our society), but to participate responsibly a comprehensive cyber approach is needed. Cyberspace is a dynamic and complex environment because of its hyper-connectedness, and such an approach should therefore aim for cyber resilience to cope with this complexity. Standards can be a good source of inspiration for creating a cyber approach. However, because of the differences between traditional information security and cyber security, the standards do not cover the cyber domain completely. At this moment there is a knowledge gap on (1) which elements a cyber approach for large organisations should cover and (2) what role standards can play in such an approach. Furthermore, aiming at resilience is not (yet) common practice. The main goal of this research is therefore: to design a cyber framework that helps large organisations to develop a cyber approach. An analysis of the cyber security landscape has shown that a diverse set of actors create, in a garbage can-like model, a diverse set of standards with different aims and scopes. Six standards are analysed further, resulting in the elements of standards that are important for a cyber approach (a requirement for the cyber framework). The analysis further shows that the main standards are still mostly based on traditional information security and do not yet (all) cover the main aspects of cyber and/or resilience.

Semi-structured interviews have resulted in the identification of five issues that need to be dealt with in cyber security: (1) parties in cyberspace are highly dependent on each other, (2) the dynamics of cyber are larger than those of traditional information security, (3) the assets to protect are constantly becoming more diverse, (4) incidents in cyberspace can have huge consequences in the physical world and (5) the general level of cyber resilience is rather low. These issues form requirements for the cyber framework. Based on literature research, the analysis of the standards landscape and the conducted interviews, design principles for a cyber approach are formulated. The design principles have two roles: (1) they serve as input for designing a cyber approach, helping to deal with design dilemmas, and (2) they are requirements for the cyber framework, which needs to be compatible with these design principles. Based on the requirements, a cyber framework has been designed using Hevner's design science methodology. The framework covers three dimensions: (1) cyber governance, providing the goal/mission of the organisation, the boundary conditions for the other dimensions and their evaluation, and (2) risk management, covering the long-term risk balance with a cycle of assessing the risk, control and monitoring. These two are completed by (3) situational awareness, providing incident detection (monitoring), short-term response and recovery, complemented by the monitoring of (strategic) developments in the environment. With the addition of situational awareness, the framework provides the element needed to participate in cyberspace responsibly. The framework serves (1) as a tool to gain insight into the elements needed in a cyber approach and their relations and (2) as a 'check-list' for a designer when designing an approach.

Because of the important role of situational awareness in the framework, it helps to develop a cyber approach that results in better cyber resilience of the organisation. These results have been evaluated with six of the respondents from the earlier interviews, based on a questionnaire and a case based on DigiNotar. Besides these contributions, the most interesting conclusion of this research is the changed role of standards: because of the complexity of (the risks of) participating in cyberspace, a 'silver bullet' solution cannot be made. Standards therefore remain useful for high-level requirements and for technical implementation, but for the layer in between a more tailor-made approach is needed. Standards will still play a key role in cyber security, because part of the way to deal with the complexity of cyber is to cooperate with partners, and standards can help partners communicate with each other. The results of this research could be evaluated further with expert workshops on specific cases. Further research could be done to test the developed principles and the framework in practice, to develop a decision support framework that helps large organisations select specific elements of standards, and to measure cyber resilience.

Subject: cyber security; standards; cyber resilience; cyber governance; risk management; situational awareness
To reference this document use: http://resolver.tudelft.nl/uuid:31a67615-89c6-40d5-9f48-d73c0a7e832e
Part of collection: Student theses
Document type: master thesis
Rights: (c) 2015 Verkerke, A.T.
Files: Thesis_Verkerke_Final_Public.pdf (PDF, 3.25 MB); Scientific_article_Verker ... _Final.pdf (PDF, 411.23 KB)