Cyber Security
Sacisoft
Cyber Security Initiative in the United Kingdom
Introduction (Brief Summary)
The cyber threat is diverse and evolving, and it continues to grow rapidly. Threats can come from various players, including hostile states, state-sponsored organizations, organized crime groups and activists inspired to hack. Because these threats are growing rapidly, various states are improving their defenses against cyber-attacks. In this regard, the United Kingdom’s government produced a report detailing its progress in creating a national cyber security program. To date the government continues to make good progress in implementing the program. The program is meant to mitigate risk, change attitudes and take advantage of growth opportunities for the economy (National Audit Office, 2014).
According to research published by the National Audit Office, the national cyber security program has an 860 million euros budget and is organized around four objectives (National Audit Office, 2014):
1. Stopping, inhibiting or tackling cyber crime and making the United Kingdom a secure hub for businesses all over the world.
2. Creating resilience to cyber attacks in the United Kingdom and protecting the country’s interests in cyber space.
3. Assisting in the creation of an open and stable cyber space which can be used by the nation publicly and safely to support open societies.
4. Further enhancing and building the United Kingdom’s cross-cutting knowledge and ability to tackle all the country’s security objectives.
The initiative, as the research further details, is managed by a team in the Office of Cyber Security and Information Assurance in the Cabinet Office. This team reports directly to the deputy national security adviser.
The United Kingdom’s initiative has been hailed as a purposeful initiative meant to bring safety and cyber security to the entire nation. However, the initiative has various problems. The main problem is obviously the pace of the initiative in comparison to the rapidly growing cyber threat level being experienced in the world.
Table describing attacks between 2014 and 2015 worldwide (Johansson, 2018)
The following graph shows the number of major cyber-attacks recorded and publicized all over the world in 2014 and 2015. This data was presented by Gaurav Pendse, a senior product development analyst at Nasdaq global information service, in a report asking what is driving the growth of cyber security initiatives. It shows clearly that cyber security needs to grow rapidly to counter the rapid growth in cyber threats being recorded each day.
In this regard it is accurate to state that the United Kingdom’s pace in countering cyber attacks, though objective, is not rapid enough to counter the ever-increasing and looming threat of major cyber attacks. It is important to note that the cyber program has been detailed and very transparent in describing the cyber threats experienced, in a bid to show the average taxpayer value for their money, but the fact remains that the nation has not evolved fully to handle the ever-increasing threat of cyber-attacks (Johansson, 2018).
Rich Picture Analysis
The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre dedicated to research on efficient cybersecurity capacity building in various nations. The Centre also promotes an increase in the scale, speed, quality and impact of cyber security capacity building all over the world. Following an invitation by the United Kingdom government, the GCSCC set out to review cybersecurity capacity in the UK. The review was meant to enable the UK to determine areas of capacity that the government can strategically fund so that the nation experiences more cyber security. The following pie chart was presented by the GCSCC (Toft, et al., 2016).
The GCSCC categorizes cyber security in five distinct stages based on its review and research on a nation’s cyber security capacity. The stages are used to describe areas of industry or of national importance and significance. These areas are rated against the stages so that a country can note which of its areas lack adequate cyber security capacity and which are well developed in terms of cyber security initiatives. The five stages are (Toft, et al., 2016):
1. Start-up: this means that an area has no cybersecurity maturity. Cybersecurity is at its very initial stages and no concrete actions have been taken to create considerable cyber security capacity. It also means that an area has no observable evidence of a cyber security initiative.
2. Formative: Cyber security initiatives and capacity building have been initiated but are disorganized or ad hoc and poorly defined.
3. Established: Elements of cyber security initiatives and capacity building are in place and working; however, little thought has been given to resource allocation for such initiatives. There has been little decision making regarding relative investment in cyber security.
4. Strategic: Here a cyber security initiative has identified and streamlined important areas and has also factored out less important areas for a nation.
5. Dynamic: In this stage a cyber security initiative has already been established and is highly dynamic, allowing a change of strategy depending on prevalent circumstances that may affect a nation. This implies a highly advanced cyber security initiative which has components of rapid decision making, resource re-allocation and responsiveness to changing environments.
Based on these stages, the GCSCC rated various areas of the country, as shown in the diagram below.
Accordingly, areas such as national infrastructure and resilience and the cyber security marketplace were ranked lowest, in the initial stages, while other areas such as cyber education and training and cyber security legal frameworks were ranked among the highest. This leads back to the problem acknowledged earlier: the United Kingdom is increasing its effort in cyber security, but the country’s pace is wanting. The reason for such a low rating in the cyber security marketplace is the country’s delayed cyber marketing strategy. This means the cyber security program is failing in its business objective and therefore creating a problem.
Analysis Based on Case Study
There have been a couple of analyses conducted on the United Kingdom cyber security program to map out the country’s cyber security industry, prompted by a poor understanding of the industry, as evidenced by a survey conducted by Pierre Audoin Consultants for the Department for Business, Innovation and Skills. According to Pierre Audoin there are three main threats of cyber attack which affect the cyber security industry. As such, the cyber security initiative should be built to handle these three main threats, namely:
1. Criminal behavior: attempts at fraud and general criminal behavior.
2. Hacktivism: the act of defacing online content with the aim of disrupting corporate or government activities.
3. Espionage: gathering intelligence illegally with the aim of gaining competitive advantage among nations or companies (Pendse, 2017).
Furthermore, Pierre Audoin details that the cyber security industry is composed of four submarkets or sectors. The first is defense and intelligence, a submarket focused on making sure the nation’s secrets are secured; here we have the security and intelligence agencies. Another subsector is the government, which incorporates all government-funded cyber security tasks and includes health security, education data security, crime and criminal justice information and all essential governmental operations. The market also consists of enterprises, meaning large commercial enterprises that need their day-to-day business secured. Finally, we have the SMEs and customers, who also have cyber security needs, though these are less in sophistication and scale than those of the other sectors of the cyber security market (Pendse, 2017).
Pierre Audoin analyses the UK’s cyber security industry in comparison to other countries in the international market for competition analysis. According to Audoin consultants’ extensive research data, the UK is among the international leaders in the cyber security industry. Based on an analysis conducted on eighteen countries, there is no breakaway leader but rather a group of leading countries with similar strengths and weaknesses in their cyber security initiatives. The research concludes that the United Kingdom’s cyber security market is growing and is quite sizeable. However, the growth is not uniform in all sectors; in some areas growth is more attractive than in others. Suppliers are many, but actual players are just a handful.
In conclusion, the United Kingdom is an acknowledged world leader in cyber security in terms of technical aspects. However, its administration of various certification schemes lacks a general commercial focus. Many small and medium organizations lack access to governmental contracts, and this presents a problem in the procurement sector of the government. The biggest growth opportunity for the United Kingdom’s cyber security market lies with its SMEs. Here the market is largely untapped, and the cyber security initiative would do well to direct more funds into this subsector of the cyber security market.
If we look at the root definitions of the problem facing the United Kingdom’s cyber security initiatives, we can identify a basis that explains how to approach solving the problem. We can use the CATWOE methodology to explain this approach. The cyber security market is a broad spectrum with various subsectors, so such an analysis will help narrow down the cyber security market, give a better understanding of the threats and problems affecting the initiative, and help in seeing a way forward for it.
CATWOE Analysis
Customers
The customers affected by the problem are the various sectors of the cyber security market. These include the government, the defense sector, large enterprises, and the SMEs and individual customers. In the instance of an attack all these parties would suffer various losses. The government and large enterprises would suffer from rivals’ increased competitive advantage due to information leaked through espionage. Defacing of corporations online would also probably lead to huge losses of consumers. If the defense subsector is breached, the defense sector would be adversely affected and the nation left vulnerable to attack. SMEs and individuals are the least likely to be attacked, since major attacks are normally targeted at stealing data and/or defacing organizations with the intent of gaining funds, i.e. ransomware (Pendse, 2017).
Actors
The most likely actors are the government and private sector companies. According to research conducted by Pierre Audoin consultants, there is a problem with the United Kingdom’s procurement process, where most of the smaller private companies are not easily chosen for government contracts, mainly those involving cyber security. This is a weakness, since private sector companies and large enterprises should work together to carry the cyber security initiative and ensure its success. In this light it is also important to mention the government as a large actor with a huge role in the cyber security initiative. The government provides most of the funding for the cyber security initiative. As suggested by research, it would be wise for the government to direct some funds into the SME and individual consumer sector to improve cyber security from there all the way up (Pendse, 2017).
Transformation Process
The transformation process of increasing the government’s pace in dealing with cyber threats lies in the defense and SME subsectors. The government should first improve its defense budget. This should be a result of identifying the areas which are more important than others. Large enterprises are backed by their financial base, and on their own they can easily invest large amounts of funding in ensuring and insuring themselves against cyber-attacks. The government’s defense against cyber-attacks lies mainly in its defense and intelligence industry (Pendse, 2017).
In this regard the subsector would be improved with a view to making it more focused on cyber security counteractive measures and intrusion preventive measures.
The SME and individual consumer subsector affects the cyber security market the least of all the sectors. However, it is also the largest subsector and, according to numerous research, lies untapped, so improving it has the potential to bring the government large benefits in terms of opportunities and newly developed ways to improve its cyber security initiative. This stems from the understanding that a team is only as strong as its weakest link. If the SME sector remains unfunded and untapped, it will continue to be a thorn in the side of the United Kingdom’s cyber security initiative.
World View
The big picture currently in the world is that there is a huge need for an increase in cyber security initiatives. Most countries are therefore looking for ways of improving their own cyber space. This is due to the increasing influx of technology into previously non-technological practices. There is increasing automation of services, and the world is moving in the same direction in seeking to revolutionize normal tasks that were previously analog. Alongside this there is rapid growth in hacktivism and in criminal activity centered in the dark web. A cyber security initiative is therefore the right way; however, it must be enabled and funded so that it can reach a dynamic stage where it can react to the changing cyber security marketplace and the evolving hacker activities currently emerging all over the world (National Audit Office, 2014).
Owners
The owners of this problem are the government and the four sectors or institutions that make up the cyber security marketplace in general, since anything that affects the cyber security marketplace affects these sectors directly. The government, however, is the breakaway owner due to its responsibility as a fund distributor to each of these sectors, making sure that the cyber security initiative is maintained and kept perfectly. Thus, in this view the government is the ultimate owner due to its leadership position and its enormous direct contribution to the cyber security initiative.
Environmental Analysis
In the final analysis we look at the standpoint of environmental constraints. The government is bound to experience varying pressure due to the competitive nature of the cyber security marketplace which basically is affected by inventions and innovation that enhance cyber security among the countries of the world that occupy the helm of international technological leaders. This can lead the government to succumb to pressure rather than engaging in practices that enable the country to develop preventive and counteractive cyber security measures.
Purposeful activity models
International organizations such as the ITU have brought into the limelight the fact that the security of information and technology is a priority for international relations. From a general point of view, cyber security is in the public’s best interest, and the only way to ensure a reduced index of cyber-related crime is through eminent collaboration between all parties. These cyber threats and attacks are a global issue and must hence be treated as a priority. Below is a detailed account of measures that contribute to the comprehension of the United Kingdom’s cyber security initiatives.
Economic Class
The economic impact of the cyber security menace falls into two categories. The technological advances being experienced in the ICT stations in the United Kingdom make it more susceptible to cyber-attacks through their interconnectivity. From a different angle of view, the higher the technology development index, the higher the chance of being able to fight cyberattacks.
National Culture
Research by scholars such as Silvius has produced a detailed account of the cultural aspects of the nation. This is reflected in the non-compliance behavior and attitude of employees (Silvius A.J., 2010).
Legal Measures
Employing detailed legislation that governs the misconduct and misuse of technology for criminal gain will help in ensuring that cybercrime is reduced. The United Kingdom government
Secure infrastructure
The United Kingdom government should ensure that the public, including giant organizations, update their ICT infrastructure to more secure models so that attacks can be easily managed.
Institutional Measures
Government and non-governmental organizations are overdependent on global networks to maximize their market reach. To ensure that their relations and connections are secure, a need arises for the government to coordinate the institutions nationally.
Human Development
This revolves around government and non-governmental campaigns educating the public on the cyber security threat and how to avoid information infringement. This can be done through ensuring their credit details are secure.
ISSUE CATALOGUE
Interventions
From the failures of the British government’s National Cyber Security Program discussed above, it is apparent that interventions are needed to ensure that the program is successful. According to the findings above, there are three failures in the project. The first failure is the slow pace at which the government implements change in some areas that require faster intervention. Secondly, the program has failed to encourage trade and exports in cyber products, an area of poor performance. Lastly, the Cabinet Office is managing the programme effectively but cannot yet demonstrate a clear link between the large number of individual outputs being delivered and an overall picture of benefits achieved. However, this challenge must be set against the inherent difficulty of measuring how safe the United Kingdom is in cyberspace.
It is vital to understand that the National Cyber Security Program was not a total failure; it had its successes in a number of things. For instance, the UK cyber security program boasts a very superior system of legal measures against cyber-crime. In this paper, three interventions are proposed to deal with the failures of the project. The interventions are centered on dealing with the weak points of the program (Ross, 2009).
In institutions and organizations of all sizes, the possibilities for security gaps and blips are endless; teaching employees about the risks and how to do their jobs safely is the only real way to limit the chance of a breach. Each group, from executive management to engineers to general workers, has its own understanding of security, and it is critical to address each on its level. The following looks at some of the best ways to build cybersecurity awareness among the different groups in business institutions (Hales and Chouinard 2011). The interventions are: increased public awareness of the importance of dealing with cyber-crime, advocating for public behavior change, and an increased pace by the government in dealing with new threats and changes in the field of cybersecurity.
Cybersecurity awareness needs to begin at the top of the pyramid. The C-suite should be knowledgeable about threats to the business institution overall, and also educated on how they can put the institution at risk if they are not careful themselves. Executives are among the most sought-after potential victims of hackers, due mainly to their closeness to sensitive information that can be stolen or held over their heads for a ransom.
In addition, management teams have the greatest influence over the rest of the business institution, and their endorsement is essential to the success of any initiative, including a cybersecurity awareness program. A SANS Foundation survey found that the greatest barrier to implementing cybersecurity awareness programs was a lack of management funding and buy-in. Clearly there is a disconnect between security teams and management, and a cybersecurity awareness program needs to clear that hurdle in order to be successful.
Security is a business driver when done right, and a huge business risk with potentially significant impact when it fails: it is up to the security team to ensure that management is both aware of the risks and supportive of its efforts. Therefore, the government, as an administrative unit, should increase its pace in reacting to changes and implementing required changes, as the field of cybersecurity changes constantly; it is common knowledge that a solution to a given cybersecurity problem at one moment is not necessarily a solution to the same problem at another.
Another intervention to make the National Cyber Security Program more successful is advocating behavior change. The users of a system determine the success of any given policy or program. When users are made aware of the importance of a given program, there is also a need to come up with behavior change strategies. Many cyber-crime cases are a result of the poor habits of users. The National Cyber Security Program has described various behavior changes that are required to deal with the bad user behaviors that risk the occurrence of cyber-attacks (Damenu and Beaumont 2017). As discussed above, the intervention of an institution’s management in dealing with the behavioral change of its staff plays a great role in ensuring that personnel adhere to changes.
References
Cyber-attacks one of the biggest threats to the world in 2018 says WEF
CYBERSECURITY: INDUSTRY REPORT & INVESTMENT CASE
Dols, T. and Silvius, A.J., 2010. Exploring the influence of national cultures on non-compliance behavior. Communications of the IIMA, 10(3), p.2.
Ericsson, G.N., 2010. Cyber security and power system communication—essential parts of a smart grid infrastructure. IEEE Transactions on Power Delivery, 25(3), pp.1501-1507.
Global Cyber Security Capacity centre
Hildick-Smith, A., 2005. Security for critical infrastructure scada systems. SANS Reading Room, GSEC Practical Assignment, Version, 1, pp.498-506.
Ross, R.S., 2009. Recommended Security Controls for Federal Information Systems and Organizations [includes updates through 9/14/2009] (No. Special Publication (NIST SP)-800-53 Rev 3).
Damenu, T.K. and Beaumont, C., 2017. Analysing information security in a bank using soft systems methodology. Information & Computer Security, 25(3), pp.240-258.
Hales, D. and Chouinard, P., 2011. Implementing Capability Based Planning within the Public Safety and Security Sector: Lessons from the Defence Experience (No. DRDC-CSS-TM-2011-26). DEFENCE RESEARCH AND DEVELOPMENT CANADA OTTAWA (ONTARIO) CENTRE FOR SECURITY SCIENCE.
National Audit Office