In recent years, information technology (IT) has grown from an enabling technology to an important technology we depend on in our everyday lives. For example, IT is required for the proper functioning of personal devices that store our personal information, but is also present in the on-board computers in pacemakers and systems controlling nuclear reactors. Next to the diversity in ways in which IT can be applied, interconnectivity of devices is also an important characteristic in the IT world. This is because interconnectivity between devices allows geographical distance to be immaterial for activities taking place in cyber space. The extent to which we have incorporated IT into our society is illustrated by events in which incidents damaging IT structures have led to serious consequences for individual, organisational or even international Internet users. Recent IT incidents like the Heartbleed bug illustrate how having the same Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocol vulnerability can result in serious consequences for these previously mentioned Internet users. Similarly, if incidents such as DigiNotar had become widespread, the use of eGovernment services would have been put to a stop. This would have been done in order to protect the public from hackers, who would have used this opportunity to obtain personal information. Thus, cyber security now extends beyond physical borders because of the important place IT holds in influencing today’s society and the direct interdependence between different kinds of users and IT. The after-effects of crimes and exploitations on the Internet harm individual users as well as government agencies, (non-)commercial industries and international institutions. Yet, because instances such as Stuxnet have not led to high-impact incidents, the importance of IT security may not be evident to many of us.
Although most incidents do not become widespread, protecting cyber space is still seen as a great challenge. This is mainly because the IT environment could be seen as a vital nervous system that has strong connections with the various IT components. Currently, there are several different types of approaches to ensure protection of cyber space. These can be categorized on an individual, organizational, industrial, national and international level in order to provide security. Examples of such approaches come from articles published by the media, but also from consultancy agencies who present this information in trend reports and security methods. Subsequently, the term “methods” used throughout this thesis is derived from these approaches in the form of international standards, best practices, and national security regulation in the form of strategies, industry guidelines, and company security models. While each of the different approaches and methods highlights the importance of proper protection against cyber threats, they focus on mitigating risks in the immediate environment of the respective stakeholder. Thus, each of these approaches only lends itself to proper protection of a single party, not cyber space in its entirety. Another limitation is that current methods originate from the field of information security, which is technology-driven and thus focuses on individual risks. This leads to an inability of the resulting models to address the challenges of socio-economic aspects of cyber space. Our problem analysis thus shows that there is a gap between what society expects and what technology delivers. This is highlighted by the lack of an overarching framework that attempts to address mitigation of systemic risk extending beyond the individual stakeholder’s area of interest. In order to overcome this gap, this thesis aims to give an outline of requirements for an analytical model that enables multi-actor cooperation to jointly secure cyber space.
To understand the complexity of the problem, the first step is to analyse which types of stakeholders are active in cyber space and how they secure themselves and their assets. This is analysed in Chapter 2. In Chapter 3, desired properties are provided which will deliver an outline for a model to support multi-actor cooperation. This is done by identifying the actors and methods from literature and practice to support various security approaches. Interviews with practitioners in turn help show which theories are still widely used and motivate method choices in Chapter 4. Ultimately, through these various analyses, this research provides an outline of a model that enables multiple actors to collaborate and coordinate security within the various domains of cyberspace. The result of our work is a collaboration model to bridge the gap, shown in detail in Chapter 5. It provides a new perspective of how various stakeholder groups could work within a network setting. Key features of this multi-actor cyber security collaboration model are: identifying roles and responsibilities of various stakeholders in cyber space, varying from individual users to global players; and combinations of interacting with external actors in order to jointly resolve an incident or crisis. The DigiNotar case study in Chapter 6 was used to conduct thought experiments that validated our model’s analytical perspective and provide key investigations for further research. Limitations of time and available sources meant that this thesis is just a starting point for analysing the possibilities of integrating the perspectives of various actors into one close entity. A complete analysis and integration will in the future enable us to coordinate efforts in jointly securing our cyber space. Because our designed model only briefly touches upon these complex subjects, further studies could look into initiatives within each level to find more details, e.g. roles and responsibilities, as well as actions that could help collaboration, and seek out the effectiveness of interaction within every level.