CYBER SECURITY AND PRIVACY

Prof. Saji K Mathew

Department of Computer Science and Engineering
IIT Madras
 INDEX

[Link] TOPICS [Link]

Week 1
1 Introduction - Part 01 4
2 Introduction - Part 02 10
3 Introduction - Part 03 16
4 Foundations - Part 01 26
Week 2
5 Foundations - Part 02 34
6 Foundations - Part 03 44
7 Security management, GRC - Part 01 - Prof. Saji K Mathew 51
Week 3
8 Security management, GRC - Part 02 - Prof. Saji K Mathew 60
9 Security management, GRC - Part 03 - Prof. Saji K Mathew 65
10 Contingency planning - Part 01 - Prof. Saji K Mathew 78
Week 4
11 Contingency Planning - Part 02 - Prof. Saji K Mathew 87
12 Contingency Planning - Part 03 - Prof. Saji k Mathew 97
13 Cybersecurity policy - Part 01 - [Link] K Mathew 109
Week 5
14 Cybersecurity policy - Part 02 - Prof. Saji K Mathew 116
15 Cybersecurity policy - Part 03 - Prof. Saji K Mathew 126
16 Risk Management - Part 01 - [Link] K Mathew 135
Week 6
17 Risk Management - Part 02 - [Link] K Mathew 145
18 Risk Management - Part 03 - Prof. Saji K Mathew 152

1
19 Cybersecurity: Industry perspective - Part 01 - Prof. Saji K Mathew 158
Week 7
20 Cybersecurity: Industry perspective - Part 02 - Prof. Saji K Mathew 169
21 Cybersecurity: Industry perspective - Part 03 - Prof. Saji K Mathew 178
22 Cyber security technologies - Part 01- Prof. Saji K Mathew 192
Week 8
23 Cyber security technologies - Part 02 - Prof. Saji K Mathew 199
24 Cyber security technologies - Part 03 - Prof. Saji K Mathew 213
25 Foundations of privacy - Part 01 - Prof. Saji K Mathew 218
Week 9
26 Foundations of privacy - Part 02 - Prof. Saji K Mathew 229
27 Foundations of privacy - Part 03 - Prof. Saji K Mathew 236
28 Privacy regulation - Part 01 - Prof. Saji K Mathew 248
Week 10
29 Privacy regulation - Part 02 - Prof. Saji K Mathew 256
30 Privacy regulation - Part 03 - Prof. Saji K Mathew 264
31 Privacy regulation in Europe - Part 01- Prof. Saji K. Mathew 279
Week 11
32 Privacy regulation in Europe - Part 02 - Prof. Saji K. Mathew 289
33 Privacy regulation in Europe - Part 03 - Prof. Saji K. Mathew 298
34 Privacy: The Indian Way - Part 01 - Prof. Saji K. Mathew 306
35 Privacy: The Indian Way - Part 02 - Prof. Saji K. Mathew 316
36 Privacy: The Indian Way - Part 03 - Prof. Saji K. Mathew 324
Information privacy: Economics and strategy - Part 01 - Prof. Saji K.
37 Mathew 334
Week 12
Information privacy: Economics and strategy - Part 02 - Prof. Saji K.
38 Mathew 344
Information privacy: Economics and strategy - Part 03 - Prof. Saji
39 [Link] 355

2
40 Privacy: Strategy and safety - Part 01 - Prof. Saji K. Mathew 362
41 Privacy: Strategy and safety - Part 02 - Prof. Saji K Mathew 375
42 Privacy: Strategy and safety - Part 03 - Prof. Saji K. Mathew 383

3
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 01
Lecture: 01

Good morning and welcome to this course - Cybersecurity and Privacy. I want to
welcome you and I thank you for signing in for the course Cybersecurity and Privacy.
Today is the day of introduction and therefore we will be breaking the ice and also get to
know what the course would contain, in terms of contents of what I would deliver from
this course and what I expect you to do as part of this course or the coursework. These
are the two main things that we will discuss but I will also try to motivate you about the
topic. So that is very important when we start- Is this topic important? Is cybersecurity an
important topic? And should it really bother or should it really be a matter of concern for
practising managers, irrespective of what you manage? Should managers be concerned
about cybersecurity? And if so, why? That is something that we would try to address in
the first session so that you have a clarity of why one should credit a course or why one
should actually spend so much time going through a six credit course to do, to understand
cybersecurity and privacy. So the title is Cybersecurity and Privacy.

I just want to know what is your understanding about cybersecurity? So you can just talk
about, what do you mean when you hear this term cybersecurity? There are two terms-
cybersecurity and privacy. So it is an "and" there. So feel free to talk about it. As to what
is your understanding? So, cybersecurity is more about vulnerability management of the
computers and the network system, so that the data whatever is there that gets protected
and you know unauthorized use of the data without the knowledge of the owner.

Okay good. So you have three keywords. One is data, other is about vulnerability, third
is about unauthorized access. So these are certain key terms that is associated with
cybersecurity .Anything else? Any other thoughts on cybersecurity? Okay, what do you
think about privacy? That is the second term.

See, the title is actually consisting of two key terms- cybersecurity and privacy. Okay
good. So we talked about two things one is privacy,is about me and my data which I choose
to disclose, I choose not to disclose and other is the security layer which exists at some
level, some system level. Alright, so there are two things cyber security and privacy and
the interface or the intersection between the two is also important. So, how is cybersecurity
and privacy related? So that is another aspect of the course.

4
 Okay, let me actually give you some more background information as we go, to get a
motivation to understand- Is cybersecurity and privacy a current topic? Is it an important
topic? And is it relevant to managers? So, here is an email I received some time back from
the director of IIT Madras and when you receive an email in your official emailbox and
it is from the top boss,you pay attention to it. So his name is written and it is a request and
there is content of course to meet him and of course it ends well, best regards, name and
designation, right. So what should I do to this email? And I know Professor Ramamurthy
,he does contact people when he wants to give some specific roles or administrative roles
particularly ,he did have this habit of calling up people or writing personal emails and
doing like this. So this is an instance of that kind. So what should be my response? I
should check the email id.

Why should I do that? Because you know ,we do not check the sender id when you get
an email from your colleague or from your area head or department head .We just have a
lot of communications going on. No. How, why should I doubt this mail? Sir, there is no
need to be suspicious according to me because it does not demand anything like sensitive
information from you, just asking you to drop an email. But I must tell you, I did check
who sent this mail.

I got suspicious. Can you imagine, what is the source of suspicion? This is? Well, that
is okay. It is an internal mail, so this is fine. The signature part is fine, the address,
everything is fine. Okay, it looks informal.

The pattern is different from the other way of getting the same. Okay, yeah, I agree with
you there is a slight change in the pattern, this is written like a very personal mail, you
know, there can be some personal element when people write you professionally. But
more than so but it is very personal. Can I have a quick, that is also fine,moment please.
So this does not sound professional ,as you sensed, I also sense you know I do not expect
him to say-" Can I have a quick moment with you?", right.

So I became suspicious at that particular content. This cannot be from the director, okay
or this may not be from the director because this is not the choice of words when you
typically write to a colleague or in a professional setting. So and then, of course, as you
suggested I decide who is sending this email, of course that is the first check all of us can
do when we have a doubt,okay. And I found this email coming from a Gmail, not from
the IITM domain and therefore this is obviously suspicious and we call this kind of mails
as phishing mails. We typically call it phishing mails, but it is not just a phishing mail.

Phishing mail, all of us get every day, in fact a lot of junk mail comes asking for our bank
details or other kinds of personal information. We know that this is obviously phishing

5
mail but here it takes time to resolve this because it is a colleague or it is a director and his
address is given at the end. And the sender also knows that, well, I am a faculty member
of IIT Madras and Professor Bhaskar Ramamurthy is the director, of course, the former
director. So someone knows, who is who, in an organization okay. Somebody has actually
collected background information, okay.

We call it typically social engineering okay. So, this is social engineering based phishing
mails, where the chance of one responding to this is much higher, okay. So not just a
phishing mail someone from Africa writing ,I have a lot of funds to transfer why do not
you share your bank account details. We obviously know, I do not have, I do not know
anyone out there but this is from a non-circle based on social engineering and this is
called spear phishing ,okay. Spear phishing is very specific ,based on social engineering
where people or the hacker or the hands behind this, have done background study, okay.

So then subsequently of course, Professor Ramamurthy sent a follow-up mail to all the
colleagues because he knew that this phishing mail was circulating in the institute ,okay.
So, this is sometime back and this is very recent, okay. So ,couple of weeks back, the head
of our department wrote, again a similar mail- "Can you do something for me?" right.
And here,again you see, the professor, you know, the proper title of the faculty member,
the name and the signature, you say it is full signature. So, you usually tend to reply
immediately, okay.

So, what I essentially want to say here is that, we face this kind of problems or this kind
of threats in the world of internet, in the world of so called, cyber world often and it is all
part of our experience or it has become part of our day to day experience. What I am trying
to do is to sample, to sample some instances which I came across either individually or
from newspapers and to give you a sense of what is going on in the environment in the
current times, okay. This is a text message I received,you know, in fact two weeks back
and the text message asked me to do a verification of my PAN card, okay and it gives a
link to the SBI site and I am sure all of you have,most of us have our account in the State
Bank of India,okay. And of course, since this is request from a bank, you tend to respond
to it ,right and it led me to this site, you know SBI and this login page looks exactly the
same, okay, the bank logo and whatever fields you generally fill in, in the same font, in
the same format is given and then you have to enter the captcha code and looks like I
should be entering this data and signing in, to do whatever formality is required to keep
my account on. But is there a problem here, I think by now all of us or most of us are
familiar, so when you get a message to sign in somewhere, you go and the first thing that
you look is what is the what is the website, is it giving the right address or it is giving a
fake address In this case, we know that this is not SBI website from where we sign in, it
is online SBI, but it is something else.

6
 So, as soon as ,even when I sign into a bank account on a regular basis, I of course check
the address because sometimes a wrong address may pop in and we may be signing in and
the signing in data including your username, password may be going elsewhere. So, yeah,
let me continue this so, I just show you some things I faced as an individual, okay as an
individual or of course this phishing mail is something that went to everyone so as a group
or as an organization, we do come across instances of cyber security or cyber security
related issues and these are clips from leading newspapers of India where it recently
reported increasing number of cyber attacks, okay. And the last piece is about ransomware
attacks, have you heard of ransomware attacks? okay but denial of service attack is
different from ransomware, we will be we will be discussing a case on denial of service
but ransomware is a, is another kind of a security threat where the one who attacks, so the
hacker, takes control of your machine and encrypts, in fact encrypts your machine and ask
you for money to release it. It is like when you lock your house and go away and when
you come back you find that your house is, there is another layer of a lock on your house
and you cannot enter the house because somebody else has locked and the hacker is quite
fair, well, I will give you the key to enter but give me some money, okay ,and let us not
make let us not make it complicated, just give me some money, the key is with me- take
the money, take the key, unlock and go in, okay. So it is ransom, you know the word
ransom is, about you know, it is about paying to release someone ,okay ,so ransom
redemption etc related words, so you have to pay a ransom to release your machine from
someone else's control,okay, ransomware infact ransomware is one of the most frequent
attacks, in terms of threat intelligence in today's world,ransomware has become very
common and this is something about which the world,as a whole is concerned about, okay.

Here is a report ,again from newspapers, as I said, this is another sample which happened
predominantly in the western world, where the POS machines, you know, the POS
machines are typically in a retail store, when you buy something and when you check out
,there is a POS point of sale machine, where you actually do the checkout process and
make the payment and then take your items and come out, but if suppose in a very busy
day on a retail store if the POS machine stops working, okay, then you know the kind of
chaos and also you know the operations just stop there because companies which are
automated, they would not have a manual process to continue business, okay. So your
shops just close down and this did happen in 2021 when retail stores which used the POS
software built by Kaseya,okay, Kaseya is an IT company which provided POS solutions
and several retail stores in the west stopped because there was a ransomware attack, you
see, what is the ransomware attack- the hacker just want 70 million dollars to restore the
machine and the most of the times, the hacker is very is a good thief, you know you call it
good thieves, you pay the money and it is done, you know, the machine is released but if
you do not pay the money it is, it is very very difficult, okay, to become operational and

7
generally in my reading, I found that companies just pay the money and restart the business
okay. The only exception I came across is in Chennai, okay, so Chennai corporation’s
PC’s were attacked by hackers and it was a ransomware attack, okay and Chennai
corporation refused to pay the money, okay, because they found that the machines were
very outdated ,okay, so they were running on windows 8 and it is very easy to take control
of machines which are not updated with the operating systems and they said ,okay, let it
be locked forever so they did not pay but for critical business operations when ransomware
attack happened ,okay, so it is huge loss, okay, so per hour loss will be very huge as
compared to the ransom that the hacker is asking for ,okay. So and that has become a
serious nuisance in today's world and here is more report so I am not exactly following a
chronological order in actually presenting to you the different cyber attacks that happened
in the recent times but this is November-December 2022, you must have read this in
newspapers about All India Institute of Medical Sciences. So, five servers were hacked by
the cyber criminals and they took control and you know the biggest concern when a
hospital's data center gets, comes under attack, okay, this is a different type of data, this is
healthcare data,okay, and someone takes control or someone gets access, you know, you
said unauthorized access, okay, somebody gets unauthorized access to my personal health
data, okay, in India we may not be so concerned about health data but health data when it
goes into the wrong hands has huge implications ,can you imagine why,so much so that in
the US, there is a act called HIPAA, okay ,so that relates to healthcare it is a regulation for
healthcare data alone, why is the world so concerned about healthcare data protection, can
you can you just imagine and give me some quick answers, once you have a health
condition.

So health care data is super sensitive because the the person whose health data is leaked
the the person actually faces huge embarrassment ,okay and it the person also can face
losses in an organization or it may have higher consequence and that is why the top hospital
of the country when their servers were attacked or came under cyber threat, it became a
huge concern, huge national concern. So we see cyber attack happening in all spheres,
you know, all domains, it is not just, we just saw Kirloskar, you know ,it is a manufacturing
company, we saw AIIMS healthcare, these are all very recent news, so you just open the
newspaper, everyday newspaper this is what I see , there is some piece of information or
some, something that is covered about cyber security, almost everyday, okay. So we all
talk about digital world,digitization, digital India and so on, so you see a very bright side
of how digital technologies are actually enabling the growth of the economy or enabling
the country to actually progress, be in the line of progress, we also see alongside a dark
side,there is a bright side- very bright side of digital and there is also a dark side or the
dark world that develops alongside and that is the concern of cyber security okay, so the
world consist of good people and bad people, okay. So there are bad people in the world
,who understands the weaknesses or as you use the word vulnerabilities and can exploit

8
those vulnerabilities very, very well and damage, cause damage and losses the impact of
such actions can be very high ,okay, to the extent that the recent, I think this is E&Y report,
which is summarized in the newspaper, which shows 91 percent of the organizations
reported at least one instance of cyber incidence in an year, at least one incident. So think
about that 91 percent of organizations do actually face at least one incident an year, okay
and it goes on to report how cyber security is becoming a top priority for CEOs or leaders
of the organizations.

So this is, the this piece is of grave concern to me, okay, so you know the changes that is
happening in transportation.

9
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 01
Lecture: 02

The matter of concern is this, suppose you are riding a digital car and you are going at
high speed, and you know that the even the speed is controlled by computer. And today,
you have internet connected cars , you know, how does the car get updates? It is through
the Internet . So, Tesla says when you wake up in the morning and when you enter the
car, the car may be updated, as compared to what it was in the previous day. So, the car
becomes newer and newer every day- good, great, very exciting that is what the digital
world is. But suppose, somebody gets access to your car, who is a bad guy or who you
may term as hacker and if a hacker takes control of your car, when you are running at a
high speed, just imagine, not just one car but the whole traffic. And these are potential
scenarios for the future in transportation and that is where actually this report shows the
International Centre for Automative Technology, which actually test cars before they are
released.

Now, the test of cyber security has become much more stringent. So and that is what this
particular report says, every car is tested for cyber security and that is because of the
potential damage of very, very serious nature which can cause damage to not just the car
but damage to human life. So digital world can actually enable human life, it can also
destroy human life today. It is not just about a computer attack where you lost some data
from a computer but beyond that, it can actually bring systems to a halt and also damage
people.

Look at that, so this is September 16, 2019- this became a talk of the town, I remember
when I was having my evening walk, faculty members particularly working in cyber
security or in computer science were stopping and talking about this particular attack that
happened on Ramco refinery in Saudi Arabia and this happened at 4 am in the morning
and the company was going public and suddenly the news breaks that the refinery got
shut down on this particular day, it got shut down not because it was short of raw materials,
not because the workers did not report, not because there was a power failure, not because
there was anything that is commonly understood as the course of shutdown, but it was a
cyber attack. It was a cyber attack, there was a cyber attack and a refinery was halted on
one fine morning, okay, and you see the tool used by the hackers, they used drones, okay,
they use drones, okay they use drones to shut down a refinery, you understand the
seriousness of this condition okay, of course nothing can stop IIT Madras, okay, so even

10
if power goes off or even if every digital support system goes off , I can still continue to
teach but you know that by and large several segments of the industry and government,
are overly dependent on computers to function, okay, for day to day operations, the
operational dependency of organizations especially with ERP systems, okay. You know,
Citibank, long ago said we are a branchless bank ,okay, what that means is we do not have
we do not need branch, you know, it runs on computers, it runs on network computers
and ERP systems okay and if therefore the software stops functioning or the computer
network stops functioning, the bank stops functioning, okay, even if people are present
they cannot do anything, okay. So the criticality of information systems to run several
organizations is very very high in the modern world, not just computer systems but the
need to have internet to run organizations, to have connectivity to run organizations has
become very high and very critical today and that is what you see in the Saudi oil refinery
and today we have a development known as smart connected devices, smart connected
devices. IOT is a example- Internet of Things,okay and you know in Internet of Things,
there are devices other than, you know, the personal computers or the laptops which you
use, of course they are computers but IOTs are like computers with processing units which
can actually connect to the internet and transmit data ,okay.

So for example, a sensor in a refinery, a temperature sensor, okay, in a refinery which is

nothing but a device which may not have any display but it is a sensor, it may be cable
connected or it may be cable less but it is actually sensing and transmitting data about
temperature okay and since it is internet connected, today experts say any device that is
connected to internet is not safe ,that is the basic principle, any device, any system that is
internet connected is not safe, okay. So if an IOT is connected to internet and it is sensing
a very important parameter for process control and if it comes under the control or if it is
hacked or some unauthorized access happens, you can imagine what happens, okay, if
temperature is, say 500 degree centigrade and the hacker makes it say 5 degree centigrade,
you know the controls that comes into picture you know ,it actually can totally damage
the system, okay, in terms of because of the wrong signal. So, IOTs can do a lot of good
- Manufacturing 4.0,okay,it is based on, you know,this high end devices or smart
connected devices, okay, and you see a lot of hype in literature or trade magazines that
4.0, you know we are going to the new generation of digital technologies and
manufacturing with digital technologies but that is a bright side, okay, this can do a lot of
good things.

When I used to work in manufacturing, 10 years in process control and we did not have
much of digital technologies, it was mostly analog technologies and of course computers
were used in control but if there is a sensor ,the sensor is connected by wire to a controller
okay, so there is a signal that actually, standard signal that transmit between the sensor
and the controller, okay and therefore there is no way somebody can access that and

11
manipulate that etc. But the same sensor when it becomes digital and digital plus internet
connected, okay, so the potential for unauthorized access becomes high because it is
internet connected and when the whole world relies on digital technologies connected to
internet, instances like this actually becomes eye openers. So, it brings in the severity of
the potential dark world that can actually make all this extremely vulnerable, you know,
the world is vulnerable and look at this, of course there was politics in this after the attack
happened and the US said Iraq Iran is behind the Saudi attacks and then you see what
happened to Iran a few months later. A US drone strike on Baghdad airport which killed
Qasem Soleimani who was actually a dear citizen or the commander and highly respected
name for people of Iran, okay so that is a country to which he belonged, of course a
different country can look at the same person from a different perspective but to that
country he was a great hero and he was killed and who killed him? That’s the important
question, it is not a soldier who killed him ,okay, it is not a gunshot but what killed him
was a drone, it was a drone that was used by the United States to kill a military leader.
So drones have come, drones have come into the picture of the cyber world and that is the
important point I want to bring to your notice, when as we start this course on cyber
security, okay, cyber security used to be called as information security or there are two
courses or two topics information security and cyber security, okay.

So cyber security is a more recent term that is used to describe security of computer
systems in the modern world but generally people believed what is most important in
computer systems is the data, because in information systems you must have learned,
what is the purpose of information systems? Basically information, they are information
systems, okay ,they create data, they store data,they transmit data, they process data, okay
and they present data, okay, data to information, to knowledge and so on, okay ,in addition
to process automation. So that is what computer systems do or that is what information
systems do but you see the scope widening in recent times from security to information
versus security to infrastructure, security to people , what has become more insecure is not
just machines, not just data but also people, the potential to cause damage to people has
become real, it is not imaginary, it is not like a scientific fiction , okay, it is not more a
fiction, this is as actually happened and here is more from my collection of questions of
course, you must have heard about Air India's data breach few years ago and how it
actually caused huge embarassment to the company and here is another technology
company, which some of you may be members of and which is very much in the news,
the Twitter, okay A technology company coming under cyber attack, okay and you do not
expect that to happen right, they we generally expect them to be much smarter than the
hackers but the Twitter handles of celebrities like Bill Gates or the contestant for American
elections was hacked by hackers and that was a huge embarrassment to Twitter at some
point in time and they had to explain ,why it happened and what actions they are taking,
they had to come in public and give an explanation ,okay, and this is something that you

12
can imagine when you are a reputed organization or you are working for a technology
organization, okay ,suppose you are working for TCS ,the Indian company, okay, you
know that TCS website was hacked some years ago and that was a joke because every
newspaper reported it in as a highlight, okay or as a headline, because it is a fun reporting
it, okay, an IT company's website hacked, okay and that is all they know about technology
, you can actually make fun of them okay and TCS had to explain that, well, we do not
maintain our own website, it is outsourced, okay. Alright, so here is the summary, so I
am not going to teach cyber incidents and why it happened and get into politics or get
into popular media much but the purpose was to give you an overview of cyber security
in the current world, okay and the first thing I want to summarize is cyber security is a
current and serious problem ,okay, it is happening okay, more digital would invite more
cyber security problems, okay, when digital computers were less or computerization as
we called it was less, we did not have much news about cyber attack in the newspapers.
If you read newspapers of the 60s or the 50s, nobody talks about cyber attack, nobody
about talks about information security, you know, probably there was no course like that,
okay but with more adoption of technology , we have the growing concern about protecting
this technology, okay, against the evil ,okay, against the dark world, okay and popular
media suggest to us this and the second reason as i said, is the pervasiveness of digital
technologies and all of us today use digital technology on a daily basis, what is the
frequency of you looking at your phone? how many times you look at your phone? you
need frequent updates right, you keeps running in you, I am actually missing my phone ,
I have kept it from me because I want to focus on you but the phone is there this is
something that you want to take you know, so some scholars say frequent information is
a need for people. So when you are getting it you know ,you use it does not mean it is
addiction, does not necessarily mean it is negative.

Although elders may scold you that you are closer to the phone than to us or to me etc
but that is norm of the day ,okay and I do not see it changing okay, I do not see the world
walking back or turning the clock back to the 50s or 60s, we are going to go forward ,
okay, but what that essentially means is that we have to manage, we have to learn to
manage the cyber threats with which we live, okay The cars can run into accidents. So,
solution one -stop using cars, right and solution two- increase safety -focus on safety so I
think route two is sensible,right , we cannot stop using digital technologies we cannot
throw away our phones and today live, okay or we cannot stop using the internet, okay,
some people do, okay, there I, I know people, IT professionals are, not IT professionals,
IT faculty who do not use instant messaging like whatsapp they just do not want to use,
okay. So, you can keep away, there there are people who do not use televisions at home ,
there are people who do not have any social media account, so that is one way of protecting
yourself, of course, to protect yourself you lose something, right, to gain something ,you
lose something so it depends on what you want to gain but generally we see people are

13
not willing to lose the privileges of the digital world, okay, the the better life that it gives
us or it promises us, okay. Autonomous cars may be great future of transportation when
, when transportation becomes much more efficient , okay and also it becomes
personalized all that is huge potential for future , but we should also be aware that it all
comes at a cost and safety is something that should not be compromised. So, essentially
it only tells us that attention- attention due attention should be paid to the the threats or
the cyber security at different levels.

The second point I highlight there is , cyber security affects different units okay, it affects
individuals, okay, you can recall some of the instances I reported which is an individual
level attack, you may not, it is not because you are an employee that you are getting
attacked, it is not an organizational infrastructure assets that is being attacked but it's
attack is on you, okay, your bank account or your individual data. So individuals,
organizations,society and government are all vulnerable, okay, these are all different units
,so all these units have cyber challenges or cyber security challenges ,okay so the the
landscape is wide , it affects different domains, it affects different types of organizations,
we talked about healthcare versus manufacturing, All these have different implications So
it is not restricted to certain domain alone, it is it is quite open to different domains, okay
and government should also be concerned about cyber security in two ways number one,
government systems can be attacked, government data can be leaked, okay, government
possesses a lot of data, you agree with it, with Aadhaar which will be one of our case
studies , as we proceed in the course, okay, it is a load of personal data that government
collects and stores and once it goes out to the wrong hands, okay, it is people's data or
people's privacy, that is compromised, okay, so there is a cost to it. So government should
be concerned about cyber security and also government's role is to ensure the safety of
citizens, the welfare of citizens, essentially the welfare from that point of view its
government's role also to formulate policies and regulations, regulate the cyber world in
such a way, that it actually, the the country is safe and the country progress and the
country does tap into the digital technologies without compromising security, okay, so
that is a big order, okay and that is the challenge every government is facing,okay. No
government wants to discontinue digital technologies, particularly India, you know so the
government is tech savvy ,which is good ,okay, but at the same time there are huge
challenges that are related to privacy and data protection, okay, privacy issues and data
protection issues which is a close cousin of cyber security, okay, so both are interrelated
,okay , it is getting national attention, okay and when we explore the regulation across
the globe on data protection, we will see , of course the developed countries and also a
developing country like India, okay,what is happening in data protection world in India,
okay and of course this is related to technology, this is related to privacy and it is also
related to politics and I must preempt potential biases that you may see in me when I
discuss politics ,okay, so because each of us can have an opinion in politics, okay , but I

14
would try to remain as government political party neutral as much as possible but different
governments face different challenges,okay and they change their taunts when they move
from opposition to ruling party but privacy is an important issue of the day, okay. And
the fourth point as a background and motivation for the course I want to stress is the role
of technology in cyber security .

I would articulate that technology has a triple role, okay, technology plays three roles in
cyber security, technology can be source of threat ,okay, so somebody talked about denial
of service attack okay,denial of service attack is actually an attack on a network or a
computer using another computer It is a script that runs on one computer to sort of stall
another computer, so it is a technology that is used for cyber attack, okay, so technology
itself is a source of threat. That is one role of technology, okay and there are scripts
available in public , if you want to actually try out denial of service attack, okay. Second,
it is also an asset to be protected, it can be a source of threat, it is also the asset that
organizations need to protect, okay. When your data center, your databases, okay or your
important devices like your computer - in ransomware your computer is the asset that
actually gets attacked .That is the asset that you need to protect, okay, so technology is a
threat, technology is an asset and technology can also be used as a defense weapon, okay,
so how do you defend your technology? So protection mechanisms which we will discuss
in one of the sessions, predominantly uses technology it deploys technology, the firewall
technology for example, is a technology to defend or protect your assets okay and
therefore my my articulation that technology is triple , okay, it is not, it is not just one it
can be a source of threat, it can be a weapon and it is also the asset that needs protection
So when we use the term technology in cyber security, keep in mind what are you referring
to okay, and that clear understanding is important.

Generally we may think that, well cyber security technologies mean technologies that you
use to protect your assets, no not necessary, okay ,not necessarily you need to understand
the nuances.

15
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 01
Lecture: 03

Okay, let me actually ask this question openly. What do you mean by security? Leave
cyber security. So the course deals with security. Protection from threats, protect whatever
is important to you. Okay, Is there anything general? When do you feel secure? The
general meaning of the word secure. Okay, okay, let us talk about general physical
security.

Let us also include not just information security, but physical security. Feeling safe,
feeling safe. What is that feeling? So the point is security is a psychological sense as well
in the general sense. Information security has also a emotional dimension but as you
pointed out, it is a quality or state.

In a general sense, security is a state, a state of being safe or state of feeling secure. Well,
everything is fine. There are no miscreants, there are no people who are trying to, you
know, attack or intrude and cause damage to your property, your assets, your information
or yourself, you are safe. So these are the constant concerns we have for our survival. So
when we change the unit from individual, so I asked you a personal question, in fact but
when you go or change the unit from individual to organizations, organizations also have
assets to protect.

For us as individuals, we are the asset, my body or my life is the most important asset
and then my information or what I carry in my mind, you know, that is the next asset that
I have as a individual, but it is a whole. And for organizations, they have plenty of assets,
physical assets and informational assets and that used to be the scope of cyber security or
information security in the past. And that is why I said when cyber security is referred to,
the general understanding was it is about securing information. It is about securing
computers. It is about securing computer networks.

And that is the scope, nothing beyond that. But today, the scope is also about securing
what is added to. So yeah, we are coming to the definition of cyber security versus
information security. In information security, as I said, you protect information as an asset,
data and information. For example, your databases, like in AIMS servers, you know,

16
people got access to AIMS database servers, that should not happen.

It is a breach of data. So and therefore, it is related to information security. So can you

imagine what would be the added dimension in cyber security? Information security is a
part of cyber security. But when you refer to cyber, there is a little more or in fact, there
is much more. There are different aspects of security when it comes to the organizations.

When you discuss organizational security, there is physical security of various

infrastructure elements of an organization, then there is personal security, operations,
communications, network, information and so on. So that is security in general. For
example, before you enter the institute, IIT Madras, there is a gate. There is a gate and
what is the purpose of the gate? And there are security personnel deployed there. So, the
institute has invested in creating a gate, we call it a security gate.

And we have security people deployed there , 24 by 7, essentially to ensure security of

all that is mentioned here. It is about the assets of the organization. But how are they
ensuring the security or what is the role of that security? So, that is where the discussion
of how security is ensured or what does a cyber security do? So, one word is definitely,
you use the word verifying, you said authorized access, etc. So, we will discuss that more
systematically, what does cyber security do? But essentially, a security system ensures
that people who enter the campus are authorized to enter the campus. Those who have
the right to enter, only enter and others do not enter.

Or conversely, those who have the right to enter should be able to enter. They should
not be denied entry. And those who do not have the right to enter, should be denied entry.
So, you can also see false positives and false negatives can happen there,in security system.
But their role is to ensure that.

But if that has to be done, then they need to know who is who, Who is trying to access,
whether they have the authority or not. So that is a verification. We will get into the details
of how cyber security is ensured. But there are some confusing terms here like cyber
security versus information security That is one. Otherwise , of course, let us look at, you
know, the words,you know, we should be very clear about the basic terms that are used,
the dictionary meanings in fact.

So, there are two words cyber and security. What do you think- which is correct? There
are three ways in which you can write cyber security, cyber security with a space in
between, cyber security with a hyphen in between, or cyber and security together, which
is correct? Hm? All are correct. Okay, good. Okay. So you probably you say all are
correct, because you may be reading so, in in different articles of papers.

17
 Is that so? Okay, let me see how I wrote this in the title. I gave a space in between, cyber
and security are two words. Is that okay? Okay. A is more common in reading.

A is more common. Okay. Well, you are right. All the three are correct. But only one,
only one condition. If you use one convention, like you write cyber and security
separately, follow that consistently.

In the same paper, you should not use different forms. If you choose cyber security as
two words, which is the norm in in Europe, typically in Europe, they use the two words
differently. And then follow the European convention. The last one is the US convention,
cyber security is written as one word. And if you follow that, then you follow that
consistently, it can be written as one word.

So therefore, if when you read journals or articles, which originate from the US, you will
always see it is a one word. But if it is European, you will see these are two words. So
you can follow any, so there and in India, we reach a compromise, the compromise is B,
you put a hyphen, because you do not want to displease anyone. So, that is also fine, in
some literature people do so. But adding a hyphen, instead of that you can add a space or
whatever you you think you like you can, there is no problem, but follow one consistently.

Now the word cyber security - cyber. So and the word cyber, we need to understand that
correctly. Cyber is a word that became associated with computers or the networked
computers, or predominantly the internet and the world of internet, I would say from 90s
onwards, the cyber world, we use that word cyber. It is a prefix to many words. Today
we have cyberspace, cyber coolie, cyber world, cyber cyber.

So this cyber, well, I do not know who did this, because the word comes from cybernetics.
Cybernetics is a Greek word. And cybernetics actually means somebody who is steering
a ship or a vehicle, the steerman, someone who is in control of that. So cybernetics means
control. So that is one word, you know, in Greek it is one word.

So somebody pulled cyber out and used it to represent the internet. So internet connected
world or internet connected systems is generally referred to as cyber systems or the cyber
world. Just keep that in mind. It is a new, it is a new terminology. And cyber security in
that sense, since it connects to the computer systems or networked world, it denotes the
security of the networked world, the computer networked world.

So, that is the connotation in terms of word meaning - cyber security, cyber denoting the
internet world. And cyber in terms of netics, it is cyber security means security of the

18
world of internet. And that is where actually we differentiate cyber security from
information security and for your information, International Telecommunication Union,
which is a global body for telecommunications, digital technologies, old body. They have
in 2008 given a definition to cyber security, which I have reproduced here.

It is not from a textbook. But it is a kilometer long. So, they are trying to include every
aspect of the sphere of computing, every element and every aspect of sphere of computing,
which includes tools, policies, security concepts, security safeguards, guidelines, risk
management approaches, actions, training, best practices, assurance, technologies, all that
is related. So therefore, you know, many of them are correlated. So the definitional clarity
is, is an issue, but cyber security is all inclusive, the security of everything that is under
the cyber world. And therefore, cyber security would also involve users or human beings.

Do you think that is a concern? It is not just the information, but you as a user or you as
a user, having an account in a social network like the Facebook. One thing is, your profile
should be safe and no unauthorized access should happen. Well, that is an information
security concern. But there are other concerns about security, which is your own security
in the cyber world. You know, there are cyber attacks on individuals.

There are movies today, right? People have been bullied or the so called cyber crimes.
Our TA is Binod, so Binod's research is related to cyber crimes. So there are criminals in
the cyber world, who can actually cause physical damage to you through these channels.
The security of individuals from cyber crimes is a concern or it is a part of cyber security.
It may not be information security it is a bigger scope.

So, in definition, I would say, cyber security is information security plus individuals. For
example, if there is a drone attack, well, the drone has surveyed your premises and there
is of course, leak of information, they have done intelligence, but it is going to attack me,
it can kill me. So, my safety through technology, through the use of technology or
information technology is also under the purview or under the scope of cyber security.
So cyber security covers everything, users and systems. Information security is more
about the systems and their security.

Now, since it is an emerging phenomenon, we will borrow a lot of concepts from

information security because the concepts have been developed well in the literature of
information security. And I am going to introduce the course outline to you now. And
you will see that your textbook is titled information security, okay, information security
So,it is predominantly the textbook deals with information security and other aspects of
cyber security will be covered through extra reading materials, which I am going to give
you. So, we will be covering both the aspects of information security and security in the

19
cyber world. And as I outlined, the cyber security seeks to ensure three aspects or security
can be understood in three elements, confidentiality, integrity and availability or it is
generally known as CIA, CIA triangle.

There are three dimensions of security - information security. And I will be dwelling on
these three concepts in the next class. We will try to parse out and get into the details of
what is confidentiality, what is integrity and what is availability. And these pertain to
information, confidentiality of information, confidentiality, sorry, integrity of information
and availability of information. That is the purpose of information security management.

Yeah, so the protection of information and its critical elements, including the systems
and hardware that use, store and transmit that information. This is a definition of
information security. Information security definition as given by Whitman and Mattord.
And this you have the 2018 book, which is your textbook by Whitman and Mattord , one
of the leading textbooks in the field of information security management. I must caution
you about the expectations from the course, as I take you through the course outline.

Information security can be taught as a technology course, from the computer science
perspective. Information security can also be understood from a managerial perspective,
management and governance perspective, where technology is one aspect. Technology
does exist. And we need to understand the role of technology in cyber security
management.

But it is not a study of technology. Cyber security is much more than cyber security
technologies. So, this course as outlined in this textbook 2018 covers the management
and governance aspects of cyber security management or what managers should know
about security of information assets and security of other assets like including people in
an organization will be the predominant focus of this course. So for example,
cryptography. A CS course may dwell on cryptography for several sessions because that
is an underlying technology to ensure confidentiality. When information is transmitted
from point A to point B, node A to node B, the node A sends that information to node B,
to be read by someone.

And the purpose of cyber security is to ensure that only person who to whom it is
addressed, to whom it is intended, should read that information and nobody else. And
that is confidentiality. And the role of cryptography is basically to ensure that nobody else
reads it, even if somebody accesses it. You cannot sometimes prevent access. You know,
I am talking to you and all of you understand.

I hope most of you. Is my English okay? I guess in India, my English is okay. Well, we

20
have some different pronunciations in different states but by and large I am, okay. Why
do you understand me? Same medium of communication or same language. We see
language X is based on a shared understanding of the words and the structure of words is
the grammar. So, you and I understand most of the words I use in a similar sense.

And you also know, when the words are connected what they mean. So, we have a
shared understanding. and therefore the communication happens. But if I use a language,
say I use Greek, which nobody understands in this class, I may be teaching the same thing.

You are here, you have access. You are very much listening to me. But do you get what
I am saying? You do not understand the thing. Maybe from the body language you get
something but in the world of computer transmission there is no face expression. It is
only the text or it is only the information. You do not get anything out of it because it is
another language.

You call it deep encryption. Because it is encrypted even if you gain access, you cannot
understand. So, it is a very important technology from the technological perspective. But
when we look at, I am just giving an example. When we look at encryption, we try to
understand what are the different types of encryption and how they are used? But we will
take the application perspective. What does encryption do, than how encryption
algorithms work? That is the technology domain.

So, we look more from the applications of technologies in cyber security management.
And I will have a case study in the next class, which would actually help you understand
clearly. Is cyber security a technology problem or is cyber security an administrative
problem? But if I raise that question now, what would be your quick thoughts? It is both.
It is more an administrative problem. What makes you think so? Because it is a technology
that is attacked most of the times and it is the technology that is used to attack.

So, therefore the focus should be on technology. Technology as a tool and administration
as the framework or administration as something overarching which deploys techies. So,
that is actually a view which techies may not appreciate because they say , they say today,
we are moving towards zero trust systems. Zero trust means no trust in human beings,
trust none. I have some articles on that. So, you have to develop and deploy technology
such that you do not have to be dependent on anyone's credibility.

So which is actually an approach where humans are less important or the technology
takes you know, gets a higher importance in managing cyber security. That is a good
debate and we will see as we go. So these are actually opinions that you have in your
mind about what cyber security is whether the management is more important or

21
technology is more important. But some of you argue, both are important. So let us
examine certain important cases of data breach that happened in the recent past and that
will be an important ingredient of this course.

We analyze cases to understand what went wrong and what action was taken
subsequently. And then you will understand cyber security as a more complex problem
and data breach of big organizations has not only technology issues but huge
administrative issues. And you will also see that has regulatory implications. Government
wakes up, when they actually see instances of data breach. So, it is not just technology
problem, well, it exists at some stage.

It is an administrative problem at the organizational level. And it is also a regulatory

issue, in when data protection is not regulated. There is no one to question you. So, why
should some company invest so much in cyber security or in data protection. So, the law
of the land also becomes important. And you must be aware our country is today debating
a personal data protection, as a law, as a bill.

Of course, there is politics in it but you can see the criticality of the issue today within
the digital world. And have you heard of GDPR? Very good. So, you can see that it has
gone beyond administration to policy and regulation at national levels. So therefore seeing
cyber security as a narrow firewalls in putting up intrusion detection systems or firewalls
or whatever protection mechanisms at the technology level, well, it is a important element.
But there also need to be administrative and government systems and standards.

Standards to manage cyber security and also policies and regulation to govern at a
country level these issues. So that is what cyber security and privacy today are. So, in this
course let me actually take you through the contents of the course. Maybe what I will do
today our time is almost up. In the next five minutes, I will just give you a very brief
overview about the course.

And maybe the course expectations as to what you are supposed to do in the course. I
will explain to you maybe a little more, in the next class. So, the philosophy of the course
is what is outlined here. And I have posted the course outline and the course extra reading
materials in Moodle already.

So, you can gain access to it. So, there are mandatory reading materials which are related
to the course. And there are also supplementary readings, which are research papers or
articles and even videos that actually would help you develop understanding about cyber
security, which is posted or referred to in the course outline. So, let me end with the course
learning objectives. Course learning objectives are fourfold.

22
 There are four objectives from this course. Number one , to recognize cyber security
from technological and administrative perspectives. So you must see that it is both. It is
not just one. And in this course, I am not going to sort of ignore technology.

And just make it a management talk. But we would definitely look at technology as
threat and technology as asset and technology for protection. So all the three aspects of
technology would be covered in the course. As I said, it has a threefold role in cyber
security. And I must also say that I am not the expert in cyber security technology
especially from the protection mechanism point of view.

So, that requires a lot of technical knowledge and experience. People are do exist in the
domain who are experienced in cyber security technologies. So, as part of this course, I
will be bringing in someone who can talk about cyber technologies from experience and
involvement much more. And that is a part of the course, a part of the pedagogy. So, you
will have a guest talk from industry and all your doubts, you should actually ask him not
me. In the sense, this is more like a sort of interaction with a cyber security practitioner.

That is the understanding. And so, how is this CL01 the course learning objective
covered in the course. I will just take you to the session plan. You can see, I am covering
foundations of cyber security, information security and related concepts with the help of
your textbook and also research articles, principles of information security management,
confidentiality, integrity, availability, etc. What do these concepts really mean? That will
be covered in the next session. So, this is about cyber security fundamental concepts and
you will have a case study of Target corporation.

One of the defining instances of cyber security breach was in 2016 alongside the same
time I think it was 2014 when Sony Corporation faced another huge data breach. These
two together actually shook up the world not just these companies, not just industry but
government as well. Because cyber security has become much bigger or in terms of size
and impact. So, that is why I have selected a representative case of the Target corporation
and we will analyze that case.

Security management, governance, risk and compliance. So GRC generally there are
frameworks. There is an ISO standard, there is GRC framework, which can be
implemented by organizations for overall management of cyber security. So, instead of
looking at it bits and pieces, buying some updates on a new technology, how do you
actually implement cyber security as a practice, as a management framework in an
organization and becomes compliant with certain standards. So what are those standards?
That will be one discussion in the course. And then, let me actually put it in your mind

23
right away from a cyber security management perspective.

Management is about planning, management is about managing resources at a

fundamental level. So there are two types of planning. One is called contingency planning.
Contingency planning is to manage contingencies where the basic premise is despite all
the steps that you have taken to protect your systems, things can go wrong.

Contingencies can come. Planning is done by human brains, who cannot predict the
future completely. You can have some prediction but predictions can go wrong. Then
what do you do? That is contingency. So, contingency planning is one dimension of cyber
security management.

The other dimension is the risk management. In risk management, there is no assumption
that something has gone wrong. But the assumption is something can, what are the things
that can go wrong? And how do you actually protect your systems against that? So, one
is about proactive or you know sort of preventive. Risk management planning is about
preventive. You prevent your systems from all potential disasters that can happen.

Contingency is about reactive. Suppose something go wrong, how do you do the

firefighting? How do you fight the fire, that is broken up? And then things restore the
systems to normal operation. So fundamentally I would say cyber security management
deals with these two aspects, contingencies and risk management. So, these are the two
important aspects we will be covering from a management perspective in this course. And
then there is cyber security policy which is a reference top, reference document for
understanding priority for cyber security and resources for cyber security, etc. So, as I
said, we will, I will take you through the foundations, fundamental concepts and also, we
also look at the technologies for cyber security.

So as I said, there will be a guest lecture, security technology, cryptography and security
I have dedicated one session to outline. So, I will be doing that from a confidentiality
point of view. And there is also something known as passive defense versus active defense
today. A lot of technologies are actually deployed for passive defense,to protect.

So, you also have heard offense is the best defense. Can you offend the hackers? Can
you attack them, instead of they attacking you? That is just a thought, but active defense,
you go beyond being, you know, building walls, you go beyond that, you tried shooting.
So that is the, so but what are the legal sides? I know you must be very aware. It is not a,
it is not a trivial thing. And then you can see the course slowly moves from topics related
to cyber security to privacy, Information privacy, and its landscape and one of the
important things this course does is to familiarize you with the landscape of regulation,

24
privacy regulation in different parts of the globe.

So that is, and including India, North America, Europe and India. And so, there are
several cases that I will use to illustrate this and help you understand the concepts clearly.
So that is what the course is. So I will thank you very much. Have a good day. Thank
you, sir.

25
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 02
Lecture: 04

Hello and welcome to the second session of cybersecurity and privacy course. So, in
the last class we had a brief introduction about cybersecurity and privacy, actually we
were trying to understand what the title means. So, it is like laying the foundation for
foundation and today is the foundation for cybersecurity. So, we will dwell on certain
fundamental aspects of cybersecurity, predominantly cybersecurity and privacy as a
topic, we will do after a few sessions on cybersecurity gets over and you will get to
appreciate what is, what are the connections between data privacy and cybersecurity
through, of course, through several sessions that follow. So, essentially cybersecurity as
an administrative issue, is what this course is focusing on. So, in administration you
need to administrate, you need to manage several resources.

So,you have to as managers , you manage human resources, you manage technological
resources you manage tangible and intangible resources of a organization. So
essentially, we do not look at cyber security as a technological issue alone but we also
look at it as a broad or much bigger issue concerning governance and management of
organizations. So what are the frameworks that are available what are the standards that
are available for cyber security management in practice is a part of this course as I
outlined in the previous session. And we would also be looking at technology in a three
dimensional perspective, as I explained in the last class, as technology as a source of
threat, technology as an asset to be protected and technology also as a tool or as a
firewall for protecting your cyber assets.

So there are three aspects to technology in this course. And the cyber security
challenges are emerging, we have seen that in the last class. So, I am going to bring
certain diagrams that actually help you understand the concept of cyber security or
information security in a holistic way, understanding what are the different dimensions
of it. So one such diagram is this and of course the title is information security, As I
explained to you in the last class, cyber security and information security are closely
related. Information security is a part of cyber security and it is a most important part of
cyber security I would say and therefore you can understand it from multiple
dimensions.

You can see, there are three major dimensions - information security as the main

26
concept or the main central concept, the main concept and then you can see there are
three concentric circles, which constitute three dimensions or three constituents of
information security which are network security,computer and data security and
management of information security. And in the intersection, you see the intersection, a
shaded intersection which actually emerges from the management perspective in terms
of color, you can see that but which is central, you know, which is common to all the
three. So, in other words, you can see that policy guides, policy is the reference for
security related practice, security related decisions, for example, how much should an
organization invest in cyber security? We are going to discuss a case today where there
is an organization which is invested as much as Pentagon, invests in security. So huge
focus on cybersecurity, that may not be the case with all organizations. So the policies
would differ from organization to organization, depending on the criticality of the cyber
assets and other considerations, that organization choose, chooses.

So, they make choices on cybersecurity investments. So the policy is the intersection
and policy guides decisions as I said, then you see network security and computer and
data security. Other way to think about it is, well, this is about in data and information.
So in data and information, there are three aspects, one is data storage, other is data
transmission and the third is data processing. So these are the computing elements- data
storage devices, data transmission and data processing.

So, security pertains to these three aspects of computing. You can see computer and
data security involves data, databases and computer means processing. So the
applications that process the data. So that is one aspect, storage and processing and the
third aspect is data transmission. You can see network security when data or information
is transmitted from node A to node B, there is a chance of data breach or you know
unauthorized access to the data and therefore that is another aspect or another aspect of
computer security or information security.

So data storage, data transmission and data processing - three aspects of computing
needs protection and should be secured and that is what is represented in this diagram.
And, well, in order to do that, you need management practices and management policies
. There should be human resources, there should be technology for protecting these
assets and there should be decisions on ,how much to protect and how much to leave,
how much to leave - that is also a decision management actually, may not over invest in
security, we will see that. So all these are pertaining to the administrative dimension of
cyber security. So you can see cyber security is not one - cyber security involves all the
three and there is a need for understanding and also practicing it, as an integrated effort
to protect cyber assets.

27
 Now, this is a very important aspect of cyber security as a course, any course in cyber
security you do, be it a technology course, be it a management course, you will have
these three concepts which will be a common fundamental set of three concepts -
Confidentiality, Integrity and Availability. So, this is often called the CIA triangle, CIA
triangle. So, what is CIA triangle means one way to understand it is, CIA is the purpose
of cyber security,what does cyber security do? Cyber security ensures that
confidentiality, integrity and availability of information is secured. So it is like the
purpose, what is cyber security’s aim to achieve, it aims to achieve confidentiality,
integrity and availability of information,information in the cyber world. Well, that is the
most dominant or most important concept, the concept, set of concepts that pertain to
cyber security.

Of course,the cyber world goes beyond information today , so those aspects we will
slowly integrate into the lessons that are coming up but at a fundamental level, if you
look at the purpose of information security,it is to ensure these three aspects which are
important for computing for it which are important for secured storage processing and
transmission of information. So there may be other aspects, other concepts also related
to cyber security, for example accountability. So those are related concepts, we will
discuss them one by one. So let us try to understand what each of these concepts are,in
some more detail as we go. So I will get into each of these concepts in the coming slides
but let us have a holistic understanding of cyber security or information security, I am
using it, these two terms synonymously now.

So, here is an NSTI SSC security model, also known as McCumber cube or John
McCumber is the person, who proposed this cube which makes understanding about
cyber security holistic, very holistic and if you look at it closely and if you are in the
practice of cyber security, this cube ensures that you do not miss anything. do not miss
anything, you do not miss any aspect of cyber security. There are three dimensions that
McCumber cube actually represents in a cubical form, the first dimension is the
computing dimension which we discussed, storage processing transmission these are the
three roles of computer systems and that is where your information and data reside. So
those are the assets and those are the devices which actually are involved in the storage
processing and transmission of data. The second dimension is the objective or the
purpose of cyber security which is availability integrity and, sorry, confidentiality,
integrity and availability.

So when computer systems store, process and transmit data,they should be secure,
what does security means - security means confidentiality, integrity and availability. So
these three dimensions of computing should be protected with respect to confidentiality
integrity and availability. Now how do you do that? How do you actually protect?

28
There are three methods to ensure cyber security, they are number one, policy, number
two, education and number three, technology. These are methods to ensure cyber
security in terms of confidentiality, integrity and availability for data and information
storage, processing and transmission. So it is very intuitive, the important lesson here
is, suppose you look at one cell of this cube, it does not miss,it looks at all the three
dimensions for example, there is an application so that is for data processing, look at the
center dimension.

So this is for this particular cell, you will look at it from three dimensions. So for
example, this is for data processing and integrity of data processing has to be ensured
and this integrity has to be ensured with respect to policy, education and technology. So
this, the number of cells of course, you can, you know say, so three into three into three,
so each cell is holistic and when as my practicing managers, you can actually ask these
questions, you know, are all these cells considered in cyber security? Due attention has
been paid to all the three dimensions across all the cells. So that is the, that is another
fundamental concept or a fundamental framework to understand cyber security - the
McCumber cube. Now, let me also take you through the CIA triangle which we
discussed, which I propose as the three objectives or the purpose of cyber security.

The first concept is confidentiality. What is confidentiality? Confidential information.

So I have heard in administrative circles, if you want to make something public and
make a gossip out of something, put some document is so called, you know you want to
actually leak it out, put it into an envelope, close this and put a heading - confidential
and give it to a clerk, that will be the talk of the town the next day. So the moment you
say confidential, you become curious. So people are curious to listen to conversations or
tap data which is not theirs.

There is a human tendency, sometimes it is out of many reasons. So I can't tell you all
the reasons why people want to access others information. There can be malice, there
can be evil intentions, there can be fun, there can be, it could be by mistake also. So
there could be human errors but it can happen due to several reasons. The purpose of
cyber security is to ensure that if person A sends an information to person B and person
A wants this to be read only by person B and not by any C, system has to ensure that,
this transmission of data from A to B is confidential, that is it is read, only by B and not
by C.

And three scholars, of course, they are not scholars, they are also entrepreneurs, you
must have heard about this name Rivest, Shamir and Adleman, they actually, we will
refer to them later on in encryption techniques, when we discuss in a later class. So they
published a paper in 1978 in IBM systems journal where they actually represented

29
confidentiality using the diagram that is given here. Alice is sending a confidential letter
or a message to Bob and then there is the evil Eve, actually wanting to intersect or
wanting to know what is going on. So that is where, the aspect of confidentiality comes.
A data which is confidential should be read by only the intended recipient not by
anybody else and that is what confidentiality is.

And you can think of the application of this concept in so many situations or so many
contexts in business and in society. For example, who accesses your private
information, who has access to your credits or your academic performance. So, the
institute can give access to those who can access it and those who should not access it,
as those who are not supposed to access it, should not do it. So the data has to be
protected against unauthorized access unauthorized access. And see for example, best
example is our Aadhaar database.

Aadhaar database is biometric and it is your personal identity. And it is the

responsibility of the country to ensure that this is not accessed by people or anyone. It is
my data. So, that is where the privacy aspect comes in. And when I shared it with
someone, it should be used by that entity or the data processor only with those for whom
I have given permission, I have given consent to share the data.

There is always a consent between the data collector or the data processor and the data
subject. And therefore that contract should be maintained and that is what
confidentiality is. Confidentiality is the responsibility of the data collector to ensure that
data is shared only with the intended recipients and not with unintended recipients. So
how do we actually ensure this? So, in order to ensure confidentiality, there is need for
information classification. For example, in an organization there is personal data and
there is data about your salaries for example, in a company when you work, And the HR
department has to ensure that your salary data is known, can be accessed by maybe
certain superiors but not by your peers or your subordinates.

There is a policy. So the policy has to be implemented in the database access.

Essentially you are ensuring confidentiality as to who can access and who cannot access.
So therefore information need to be classified. We will discuss information classification
later, as to what is confidential and what is not confidential or what is top secret as in
the US military. And then documents have to be secured in terms of storage and the
security policies has to be applied and people need to be trained and so on.

That is the confidentiality aspect of information. So you will see in systems that ensure
confidentiality, when an information passes from Alice to Bob, the jealous Eve may be
able to access that data. You may be able to intersect and even if you intersect you

30
cannot actually make out what it is. Caesar cipher, you know, Caesar used to
communicate with his commanders through someone. But if someone on the way reads
that you do not understand anything.

So that is encryption. We will come to that. The second aspect of cyber security is
integrity. What do you mean by integrity when you hear this word what comes to your
mind? Completeness. Yeah, integrity means purity, completeness.

Okay. No compromise on the quality. Yeah it talks about quality. It talks about
completeness. It talks about purity. Is that the word you use? Okay.

Alright. Okay. So we refer to people, you know, the so and so person does not have
integrity and so and so person high integrity. So integration, integrity means whole, the
full. So if part is missing, somebody is really good in doing job but somebody gets into
malpractices. So we say, integrity is questionable. Some aspect is fine but some aspect
is missing.

Integrity is that. There is an information that is transmitted from A to B. That is the

whole information. At A, it is the whole information but when it reaches B, part of it is
missing. For example, you are giving your CV. You are sharing your CV with
placement and you have your complete CV.

But somebody is jealous about your CV and removes your work experience. Then, I
hope it does not happen, but then information is passed. CV is passed but integrity is the
problem. Part of the data is stolen or missing or somebody actually changes your work
experience. Say, you said, 10 years and somebody makes it 2 years.

You alter the data. So you also manipulate it. All that is about the integrity of the data.
So when data passes from A to B, the data should reach B intact. We call it intact,
without any damage, without any manipulation, without any change and it should be as
it is.

That is the integrity aspect of data. And in practical scenarios, for example if you share
your data in with your employer and employer does not give you access to your
personal data or your professional or your bio data. And suppose you did a certificate
program or you updated your, you want to update your CV. But as an employee, they
do not give you access to your data. Then again, it is a matter of integrity.

You are not able to update your data. And today, by regulation it is required that when
a data, a subject shares the data with a data controller or a data collector, the subject

31
should have access to that data wherever it is stored. I should be able to make changes to
that data. It is my data and I should have access to it. It is one of the privacy rights.

It is also about the integrity of the data. The data is incomplete. And suppose, it can
also happen when somebody entered that data into a database, your date of birth is
entered wrong. And date of birth matters in employment. Suppose you are born in year
2000, suppose it is entered as 2010, there is a big problem out there. Even one year
change can actually affect your promotions and so many things.

So it affects you and you are the affected party, others may not mind. So it is
somebody else's problem but user must have access. So it is a problem of data integrity,
essentially. So it reflects in so many aspects in organizations, in government and in so
many other settings. So integrity is therefore a very fundamental aspect of information
security.

Confidentiality and then integrity. Who has access to your data and protecting your
data without damage. That is the second aspect. And the third dimension of cyber
security is availability. Well, availability is the other side of confidentiality.

Data should not be available to unintended audience. But data should be available,
when it is required by the intended party. When you are in need of information, it
should be accessible and available. So it is the other side. It should not be accessed by
someone who does not have access rights but it should be accessible and always
accessible as per contract, based on the contract. And therefore availability is very
critical in certain business context.

Availability of databases. Suppose you are trying to book a ticket, an airline ticket or
train ticket in IRCTC. And you try to log in, you log in and you are about to reserve but
the database is not available, it is down. And maybe you want to browse and see your
past reservations some information you want but the database is not accessible. You
have signed in and therefore you have the privilege to access your data.

It’s your data, you are not accessing somebody else's. You are within confidentiality
but the system should allow you to access your information when you are in need of it.
And this is the time for you to make a reservation and the data is not available. It is a
problem of availability. So, in order for computing systems to ensure availability, they
need to make provisions for that. Cyber security management requires to ensure data is
available to those who are intended recipients of the data.

And availability is related to reliability. If systems are reliable, they will be available.

32
So therefore, reliability engineering, especially in computer systems, ensures the
availability of data or databases or access to computing resources using a method known
as redundancy. Redundancy is the word. So,how much of redundancy, if one system is
down, the processing or access should not stop, should be available from other systems.

So availability by redundancy. So I am just giving a clue as to how technologically you

will ensure availability and availability is also a function of how much. There is a
99.9999 so the number of nines after the decimal point. So, that is a sort of contract also
when it comes to B2B in terms of IT contracts, in terms of availability. So when critical
systems run on IT, availability is critical and therefore by contract, by service level
agreements, there will be contractual arrangement between parties to ensure availability
of systems.

And therefore if a client is asking for more availability, you can imagine the service
provider has to invest more in redundancy. And therefore, the cost will be higher. So
therefore, you can always ask for 100 percent availability but 100 percent comes at a,
sometimes an infinite cost. So, these are concepts that are related to cyber security -
confidentiality, integrity and availability and these three terms, even if you forget
everything else, should be by heart to you, as students of cyber security. Even if you
have woken up in the middle of the night, what is cyber security doing? confidentiality,
integrity and availability.

So there should be straight recall of these three concepts. Let me illustrate it with an
example. So there is an image of course, what does it take you to, this image, biometric,
the yeah, the retinal. So somebody is taking a biometric scan of the eye. It can be
different aspects of the eye, we will see that later.

33
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 02
Lecture: 05

So, there should be straight recall of these three concepts. Let me illustrate it with an
example. So, there is an image of course, what does it take you to, this image?
Biometric the, yeah, the retinal. So somebody is taking a biometric scan of the eye. It
can be different aspects of the eye, we will see that later. But you all have an Aadhaar
card.

So you all went for Aadhaar identification, that was the stage of identification. So, the
first concept related to cyber security is confidentiality. And in order to ensure
confidentiality, one of the first steps is identification. I gave the example of the security
gate.

Security gate, if people come to the security gate to enter our institute, the security
actually decides whether someone can enter or not. But how do we, how will they
decide whether you can enter or not? You cannot simply look at the face of people and
decide. You cannot just look at if somebody is smiling or somebody is well dressed or
not well dressed, you know, these are not ways. There has to be some credible
mechanism by which people can be identified. Without identity, you cannot ensure
confidentiality.

Who is who? Whether somebody is given the right to access or not, is based on
identification. So you can see that in all data collection efforts, be it by government or
by organizations, the first step is to create identity. As soon as you join IIT Madras in
your initial enrollment process, there is an identity creation process. You provide your
data and you provide supporting documents and based on that, the administration
actually agrees or they have those processes to identify you. And based on the
supporting documents you have given, you are given finally an identity card.

So how will you enter IIT Madras if somebody stops you at the gate? Here is my
identity. And that identity card identifies each of you as a student,as a student of IIT
Madras. But if somebody stops me, I also have an identity card and I show that identity
card and I am identified in a different role. I am not identified as a student, I am

34
identified as a faculty. You have your ID card in front of you.

So a student of IIT Madras. Well, a student can enter. Of course, the dates are also
important, not an old card. So they check that and that they let you in. But if there is no
identity card, they cannot actually make a decision, it becomes very difficult.

So the first step in confidentiality is identification. Identification is the process of

creating credible identity for individuals who can access computing resources. You can
imagine the effort done by the government in creating an Aadhaar ID for you. The most
difficult stage is the identification process. Because government had to use vendors,
existing vendors and the government verified their credibilities and outsourced this job
to vendors to create identities or to collect identity information and finally assign an
identification number, which is called Aadhaar number to every individual.

That was the identification process. Identification process, creating an employee ID or

a role number or an Aadhaar number, an account number, all these are actually part of
identification process. So the first step in security is identification. Who is who? And
the second step in confidentiality or in cyber security in general, it pertains
predominantly, to confidentiality. So that is why I am saying it is linked to
confidentiality.

So, after identification comes authentication. Or in other words, only if you have valid
identities, authentication will work. Now, suppose you go for your passport or suppose
you go for getting a SIM card for your mobile services, you want to have a new SIM
card, you go to Airtel. So there is any service provider not Airtel, it could be Jio,
anyone. So they have a need by government regulations to identify you as to who you
are.

So there is an identification process. So there in Airtel, you cannot produce your IIT ID
card. That is not a valid ID . A valid ID is to prove that you are a citizen of India. And
you have a unique ID, identification ID or number provided by the government of India.

That is the sort of identification they require to give you a telecom service. And
therefore, you may go and claim in a telecommunication service provider's office that I
am Saji, please give me a SIM card. And so and so are my credentials. Well, you claim
to be Saji, you claim to be a citizen of India, we want to verify that. We want to
authenticate, who you claim to be.

We want to verify. So authentication is nothing but verification. So you come to the

IIT gate and say I am a student of IIT Madras. Well, give evidence. So your ID card

35
serve us a source of your authentication.

It is already created, identification is done, you have the ID card. For authentication,
you produce your ID card. In a passport office or in telecom service and related
services, they ask you to place your fingerprints. There is a fingerprint reading device
where they ask you to place your fingers. What are they doing? They are doing
authentication.

Because in my Aadhaar ID, I have shared my biometric data. Biometric data is stored
in the Aadhaar database. And when I claim that I am X, let us check whether you are X.
X's credentials is what actually is already stored. So as X, I am giving my credentials.

If the credentials of my biometric matches with the credentials which are stored against
X in the Aadhaar database, your authentication is done. You are, you claim to be X and
you are actually X, we verified. Authentication is nothing but the verification of
ensuring a person is who he or she claims to be. That authentication is the entry, the
gateway or the entry into a computing system or an organization. Once authentication is
done, you are allowed, you are inside.

You get the point, you showed your ID card, you are in. But you have to create the ID
card, that is identification. Authentication is, well, verification. Whenever there is a
need to access resources, you need to show that identity and then there is an
authentication process. You try to access your Gmail or your Yahoo mail or your IIT
mail.

What do you do basically? There are two fields there. One is, you write your user ID.
What is that? Saji@iitm.

[Link]. That is my email ID. Well, fine. That is what I claim to be myself. But it could
be you tomorrow, want to see my emails, what is going on, between someone or
somebody, you know, you have something in the email which you want to see. You can
claim to be me. So therefore, there is authentication.

Well, you claim to be Saji, fine. So, tell me your password. So, password is, you can
say another, biometric is one, you can say, password is one of the long standing
methods of authentication. You basically disclose something which only I am supposed
to know. This is something I know, you know, biometric is something I have, password
is something I know and only I am supposed to know.

That is the secrecy of password. When I enter my password, the system will cross

36
check whether the password is correct and then you are authenticated. Essentially,
password is also a method for authentication, whether you are me or you are somebody
else. And if of course, my password has leaked, of course, you can become me. So that
is, that is a weakness and therefore, you have multi factor authentication today, We will
discuss that later. So, authentication based on the criticality of services that you are
actually signing into, is a very, very important step in cybersecurity - identification, then
authentication.

And the third important word is authorization. All these three are together key concepts,
for particularly, for confidentiality - identification, authentication and then comes
authorization. Authorization is about defining the level of access, what you can access
and what you cannot access. Suppose you enter IIT campus as a student, as a student,
you have certain privileges. For example, you are allotted a hostel room, you can
straight away go to your hostel room and enter the hostel room, you are allowed, but you
cannot enter a faculty room, that is not allowed.

So, therefore, there are certain privileges, when it comes to databases, or say Moodle,
look at Moodle, which we use for our course management. There is a student login, there
is a faculty login. So the authority, level of authority to access information is limited for
different roles. And that is known as authorization. So a system based on your, after
your authentication, provides access to resources based on your access rights.

And if authorization is to be done effectively, then the access rights have also need to
be defined properly. So who is who, what are the different roles and what are their rights
to access etc, need to be predefined. So in summary, you can imagine two aspects of
cybersecurity or management or information security management. One is to classify
information, information need to be classified and people also need to be classified.
And then there has to be a mapping between people and information.

So, that actually decides the level of authority. So we will understand these concepts a
little more in the upcoming sessions as to how to do an information classification, what
are some of the standard practices available, say in industry, in military, and so on. And
also how people are classified, in terms of their roles. We will get into those details
later, but at a fundamental level, these are three key concepts. Do you have any
questions here? Otherwise I move on to explain a couple of items more and maybe you
will be able to relate to these concepts in the case that we are going to discuss.

What went wrong? When we look at certain instances, you can see where was the
problem, was it with identification, authentication, authorization, or was it with
accountability? So accountability is related to incidents. For example, suppose there is

37
an incident in the campus, someone entered the campus who is not supposed to enter the
campus and created a problem or someone entered the ladies hostel in the night, who is
not a student, who is not a faculty, who is not a staff, then that person had no authority
at all. There is a problem of authentication. The person who is not supposed to enter,
entered or got access to systems. Now, what action to take? There comes the problem of
accountability.

If something goes wrong, who is to be held responsible? Who was, for example, in our
general security scenario, who was the person in the security, in the security post? Was
that person sleeping? Or how did that person get in? So therefore, who is responsible for
cyber security breaches or incidents need to be ascertained for taking actions, simply for
taking actions in the case of incidents. That is known as accountability. That is where
any data breach, who accessed and how that person got access, should get assigned to
someone, some role. Again, we will illustrate that using case studies, as to how this
accountability can be fixed. If nobody takes responsibility, then it will happen again.

And you do not know. And what was the vulnerability? And that is something which a
administration should take action upon. And therefore, sign in and log data, which are
to be maintained strictly in organization is based on the principle of accountability.
Keeping logs and keeping complete history of who signed in and who signed out into
systems need to be maintained, for the purpose of accountability. What we do now in
the next 15 to 20 minutes, we will actually discuss the case that was shared with you
reading R3, which pertains to a major incident in the world of cyber security.

Okay. I would say this is major, because this particular incident had implications for
industry and government, because government is also responsible for welfare of people.
And when major incidents happen, that affects large number of people, it could be due
to absence of or not having proper regulations, proper laws and law enforcement in the
country. So therefore, government also comes into picture and this is one such incident,
which was discussed world over. So, we will look at this case of Target corporation.
And we will ask three questions, which are given here.

One is to start with, identify technological and managerial vulnerabilities that led to
data breach at Target. This was reading R4 earlier, that is why the slide is showing it,
but it is actually R3, Okay. Yeah, so, first question, so who wants to answer the
question? So, I would leave it to you, you can, somebody can actually give introduction
to the case, just summarize the case as a whole without, you know, giving any solutions
or without doing a why why analysis or why this happened, but what happened is
something that we can start with. And then we can look at why.

38
 So anyone can actually answer. So what is this case about, what happened actually?
We can see that Target has to, for maintaining their payment systems on the day of, we
can say, the period of Thanksgiving 2013. The problem occurred when Target
outsourced or we can say, gave the responsibility to a third party, like a Faisal
Mechanical Services, which are supposed to control their climate services but due to
some, it made hackers, it gave access to the payment systems, which leaked the
customers information, payment information, such as credit card information and various
information to the hackers, which they commoditized. So what do you know about
Target corporation? Where is this company based and what do they do? Target? It's a
retail chain based out of the US. This is the retail chain based out of the US. Target and
Walmart are close competitors in the North America and they are into retail.

So and retail is a great business in the US, great experience and that's where people go.
And what is the season, when this incident occurs? Christmas and Thanksgiving. So,
looks like this is pre planned, right? Some hacker has pre planned to really hurt and
harm the company, when the company is actually looking forward to a huge sale during
the Christmas time. You want to add something to the case? Yeah. Just want to add sir,
actually implementing , in a data protection system is a different aspect and actually
following and actually knowing about that data protection system is another aspect.

Like, they had all the multiple firewalls and all the data protection system and all the
other safety measures like automatic, you know, deletion of the malware and malicious.
But then that function was off in this particular case and the employees were not trained
or not aware about that thing. Okay. So, invest, you are saying, in other words, investing
in cyber security technologies is one, but practicing is something different.

Okay. That is what you are actually trying to say. So yeah, so the case in point Target
corporation, United States, Thanksgiving, Christmas period and when sales is at peak,
there comes major report or a report a headline in the newspapers that, data breach. And
that puts the company into a sort of big embarrassment and major crisis, a major crisis at
peak time of sale. Now that is the incident, that is what happened. And this happened, of
course, I think 2016 is, 2013- 2013 is the year when it happened. And you can see there
are several case studies written on this, not just the article I shared with you because it
is very important dominant data breach.

So let us look at the first question. We say vulnerabilities. Every hacker exploit
vulnerabilities. These terms, exploit and vulnerabilities are technical terms related to
cybersecurity. For example, we are conducting this class in this room.

And this class is meant for participants of this course. And the room is not locked. The

39
room is not locked. That is a vulnerability. That is a vulnerability.

But not everyone outside is interested to come in. And suppose somebody wants to
disrupt the class, somebody can come in. But when somebody passes through the
outside, one notices that the door is closed and one may not enter in. But if somebody
knows the door is not locked, the hacker is exploiting that particular vulnerability.
Somebody who knows what is the vulnerability, exploit it.

So that is called an exploit. The exploit here, not all vulnerabilities may not be
exploited. But there is, there are certain exploits here in this particular case. So, I am
asking you to identify the technological as well as the managerial vulnerabilities. Can
you think of, can you classify them into two? Yeah. So in this case, the information on
the credit card data was stored at the POS terminal.

But even captured in that. Even the data transmission to the centralized systems of the
company was encrypted. But the terminal itself stored data without encryption and it
was accessible to anyone. So that was a technology vulnerability point. And at the same
time, the managerial part of it was that the IT system had disabled some of the security
measures or ignored the warnings that the system was supposed to do.

So you have gone to the managerial issue. So if you stay on to the technical part, one
vulnerability was data that is POS data captured, including the credit card information
within the POS system or the computer, where the billing is done. In the RAM, in the
memory of that computer, it is not encrypted. When it is transmitted from the computer
to a server, transmission is encrypted, but within the system, it is not encrypted. That is
a technological vulnerability.

Is there any other, that is very good point. Is there any other technical vulnerability?
The team has shut down the, like they turned off the malware detection software.
Malware detection software, they turned it off. So they could not detect anything with it.
Malware detection software was turned off because they wanted to receive emails and
other internet access.

So they have turned it off. So what kind of malware detection software they had? Was
there updated or was there really up to date or it was like, They were used to do that -
internal and external assessment. So it was up to date, but they, because it was turned
off, they could not know whether it was injected or not. Yeah. So, but you have entered
the second aspect.

If somebody turned off, then it is a human failure. One more technological aspect,

40
which is there is that, they allowed the third party vendors to their payment system or
they should have limited the access towards it and that is what caused the vulnerability.
So that is actually a problem of access. The vendor had access to the POS and what
vendor, what was vendor's role or the third party's role here? It was a vendor for
actually infrastructure maintenance or climate control, basically doing infrastructure
maintenance and that vendor should not have access to POS data. So,there was actually
a problem with the configuration, which is a technical error again, which is a technical
problem, but is it a technical problem or managerial problem? It is a problem with
configuration.

It is difficult to put it into one bucket. It is a technical problem. It is also a oversight or

somebody did not pay attention there. So it could be an error. It may not be by
deliberate action, but it is an error. It is a technical issue, but a management issue as
well, a configuration issue. So where does this fall? Is it identification issue? Is it
authentication issue or is it authorization issue? It is an authorization issue.

It is an authorization issue. That vendor had no authority to access that. So

authorization was not clearly configured. So then we are getting into both. So I asked
you to identify technological issues, but then you see that both are sort of so much tied
together. You know, it is difficult to say it is a technical issue alone when human actors
or human roles are involved.

So therefore there is interplay between the two. But purely from an administrative
perspective, what would you articulate as the reasons for the breach? Pure
administrative failure. They have, did they have audit, audit processes? What does the
case say? They had multiple systems like we had multiple firewalls and intrusion
detection and more detection practices. They had intrusion detection systems. They have
malware detection and reporting, not just detection alone, but reporting as well. But
they due to many false positives like in the various emails, they have received hundreds
of emails per day.

So like, there was also provision of deleting the malware as soon as the system
detected it, but they turned it off, citing many false positives. Well, that is a very
interesting point. What are false positives in malware detection? And what is its role in
the configuration of malware? You just found that somebody turned off the malware
detection software. There is some reason, simply people do not do these things.

There is some reason why people do this. And the reason is what he is trying to
articulate. Can someone explain it more, further as to what is false positive in alarms?
In every alarm and detection, there can be false positives and false negatives also. And

41
yes, you understand. The objective of the malware is to identify malicious software or
installation, but sometimes it may highlight something which is genuine, which is
correct information as incorrect.

That is true positive. That is true positive and it may hamper. That is the role of the
system. That may hamper the day to day operations. False negative would be that
someone who is not authorized access of software, which is not authorized access, is
given access to the information and carry out some malicious activity. So that would be
a case of false negative. So because, but false positives impact the day to day operations
in some way, the tendency is to switch them off, if it is highlighting too many things as
malicious.

False negative is very dangerous because somebody is actually a miscreant, but

identified as not a miscreant. So that is a problem. But if you do not have malware
protection, so everyone is in.

So that is a problem. So there are you can see there are multiple levels of protection.
One is by configuration, you assign authority. And if in authorization there is a problem,
then the malware detection sort of monitoring systems must be able to report that. But
here multiple failures, a series of failures. One is authorization issue.

Second is, the next layer also did not work because you simply switched it off. And
you switched it off because of false positives, meaning that someone who is someone or
something which is not actually a problem, but doubted as a problem, is highlighted.
And suppose these reports come every hour or there is an alarm that is happening every
hour and many of those alarms are actually false alarms. Actually there was no issue.

There was only a doubt. Then, what happens is the efficiency of operations get
affected. You, this smooth operation becomes a problem. So every time there is a likely
malware that is reported and the system is stalled, then you know, people are standing
in the queue. So you can imagine someone who is operating the POS, you know, the
system stops because of malware, imagine. Then it is affecting the smooth operation of
the, of the retail outlet.

So the complaint goes to the IT department. The IT department will say, well, there is
no problem, we are clearing it. But this, if this becomes frequent during operations, it
affects the efficiency. So one conflict here is, the conflict between efficiency and
security. When you implement very tight security, there may be a trade-off with
efficiency.

42
 And that trade-off is something that needs to be understood. There are other instances
of trade-off which we will discuss later. But cyber security systems may affect the
efficient operations. And there the easy shortcut is,well, switch it off. Just keep going.

So bypassing is immediate step that sometimes engineers tend to do in planned

operations as well. Yeah. So like this false posting and false entries are just actually
like the type 1 and type 2 errors. And actually no system can be 100 percent reliable or
100 percent, you know, precise.

And just bypassing is just like removing the filter. Then, that filter is not there. So filter
has to serve its purpose actually. So that actually, we will talk about solutions later.
What should have been done or what should the company do is an important thing. But
people in order to address the loss of efficiency tend to bypass security or safety
measures.

We can relate security with safety. Bypassing it is the easiest. And you see that was
actually done. And what do you think about the log, the login, sorry, the log files. Was
there complete logging done or logging was not complete. Is there any mention in this
case, about it? So that is another thing which engineers try to do because if there is
complete logging of processes, system can again become inefficient. So they try to do
that. So these are some of the bypass that managers tend to do or engineers or technical
people try to do to address the problem of efficiency.

So there are technical issues. There are managerial issues. It is a combination of both
which led to this particular incident.

43
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 02
Lecture: 06

Let us come to the second question, I will give you a summary in the next few slides.
The second question is about the impact, what happens? Well, there is an incident, despite
all the investments of the company in cyber security, a major incident happened, but what,
how do you actually assess the impact of it? Can impact itself look at tangible or
measurable or quantifiable impact? You want to answer? Yeah. Yes, as in this case we
can see that it has various impacts such as monetary impacts with various stakeholders
such as banks, credit unions and people and businesses . Credit may not be credit unions,
but credit card companies. Credit card companies, payment providers. Credit unions are
different, we will discuss later.

And as well as the government institutions as to. Which ones? Government.

Government. As compliance policies and it was a watershed moment in the cyber security.

All got affected, but are there some measures of how much was the impact? how much
was the loss? So in total, net total it was around 100 million US dollars. Okay, 100 million
dollars and where did the company have to spend this money on, where did, how did this
go out? Like, it went partially to banks and 10 million to people and it was from insurance
companies, it was a pay out of 90 millions and for like credit payment providers like Visa
and it was settled for around 20 million dollars and for banks. So there were individual
customers who sued Target, they were also banks and credit card companies which
actually went to the court. So actually you can imagine this company which is doing very
well, Target, beautiful when you go out, very spacious retail outlet. So people love to go
there and shop and you must, some of you may have shopping experience, but all of a
sudden what happens to the image about the companies? Well I lost my, lost my credit
card information and that credit card or my bank account details has now become
vulnerable.

And therefore some customers can go to court and that is what happened and then of
course there has to be settlement of that in the court where the company pays fine. So
that amounted to a good sum which is 100 million US dollars. So that is a tangible. What
do you think about the intangible aspect? Along with tangible loss, there is also intangible

44
cost. Like sir, as far as this intangible is concerned, like the trust of the customers you
know that has suffered, the reputation of the company that has suffered and also the
opportunity cost is there.

That business what the company has lost actually. In accounting you have a word,
goodwill. Goodwill loss is a major loss. Customers may go to Walmart now, not to Target.
So I, you know I, once your fingers are burned, then you would not actually try that again
even if they take a lot of positive steps at least for quite some years, you may not go there.

So that does happen. So all of you have experiences stopping business with certain
businesses because of bad experiences and then you do not go back. And for this company,
goodwill is very important because retail space is very competitive and you have equally
good shopping experience in other places in similar locations. So why should someone
go to Target? So they very much care about it. So the goodwill loss is a major impact.

So let me actually take you through my slides and these were your answers and you have
attempted well. So let us together understand and wrap up this case of Target Corporation
which gives us, is there anything that you want to add? Yeah sure. The previous slide.
The previous slide. Questions.

Okay. So another intangible impact from my point of view was that it also affected the,
it also made the government to rethink about how they were framing their policy
regulations because a paragraph was mentioned in the article saying that, they already
had few policy regulations in place but they were not properly framed saying that in this
case Target had also had to repay customers whose data was not actually damaged. They
were breached but they were not damaged it seems. So in such cases, it also affected the
stakeholder's reputation from customers point of view as well as from government's point
of view and they found that there is more need because a significant proportion of their
population, obviously, their data is located in such retail chains as well. So they found
that, in such case of a breach, they had to redefine their policy framing regulations in
order to take care of such losses in the future as well. So that was another intangible
impact post which, there are a lot of policy regulations that came into play.

Okay, so how to address data breach instances and who is responsible and how much
you pay as fine. Okay, so all these are actually matters of regulation as well. If there is
no law against privacy or data breach, then companies can continue to do what they do
but unless the law requires them to act responsibly, there will not be redressal of these
issues. Also sir, we have to see the role of chief technological officer or the CIO, chief
information officer and how they have to act in a strategic measure you know, to conduct
the training and the awareness of the employees. Okay, towards the cyber security

45
measures.

Okay, this is about government policy, this is about company policy. Yes, internal.
Okay, so you know this is in terms of action taken or in terms of reflection of what went
wrong and what needs to be done further. So that was actually the effect of this incident
on, you know, some stakeholders like the government, like the top management and so
on. So let me actually summarize this case with the help of slides so that you know there
is clear understanding of what happened and what could have been done to prevent and
what was done actually to prevent subsequently and what are some of the open questions
now.

So, as we saw in 2013 this happened during the Christmas Thanksgiving season and
Target has 1797 US stores, it is a large corporation and Target was actually
technologically very updated, you know as we saw that in the beginning. The company
had huge investments- 1.6 million malware detection, dollar 1.6 million malware
detection tool was installed six months back. So why should they actually face such a
problem despite having this investments.

Okay, so it used the same security system as the CIA, not the CIA triangle which we
discussed but the CIA, the intelligence agency of the United States. So it is like, they are
they were very updated in terms of protection mechanisms like the, like the government.
So they had multiple layers of protection, we have seen all this and they also had periodic
audits like the external validation , benchmarking assessments, all that was done. So
people and processes were also in place for Target Corporation and they complied with
data security standards in the credit card industry, everything is being done. So that is the
case often times, you do whatever is required for regular compliance but incidents happen
still and you can say, they are still happening, you hear about data breaches in recent
times as well.

Despite this happening in 2013, organizations still have data breach issues. What really
went wrong as we said, hackers gained access to Target systems through a vendor's access
which was not defined correctly. And of course, it failed to segment its network to ensure
that third parties do not get access to the POS system, that was a failure. Can we can call
it techno managerial failure? and that is what hackers exploited, as I said in the beginning.
And so they actually used this connection to upload malware into Target's systems and
what happens, that is the exploit.

So the malware used by hackers was programmed to steal Target's customer data from
the point of sale. And the real vulnerability, the technical vulnerability, was the problem
of encryption you know which was exploited using RAM scrapers, which is the particular

46
software they installed in the POS system, to tap data from the POS system, RAM
scrapers. And we discussed the impact. Customers and banks have filed more than 90
lawsuits as the case suggests and in numbers, Target's profit for the 2013 holiday shopping
period, fell 46 percent. So there was an immediate impact, financial impact which is the
loss of revenues during the peak period of shopping and in sentiment or in goodwill, they
lost the goodwill of customers, investors and lenders.

Now, let us look at it from the administrative point of view. So this is like the Titanic.
So you are running a ship, you are the captain of a ship and for a captain, of course, taking
you to point A to point B is the objective and taking you safely is the real objective. But
so therefore, safety is critically important to the leadership of cyber security, cyber security
management. So you can see that in such a context, for such a reputed organization
somebody switched off the malware reporting system, which is actually safety.

So somebody compromised on the safety. Have you watched the Titanic? and you know
the Titanic, this is Titanic is historical, right. What went wrong with Titanic? There is
research done on this, on Titanic. The movie is, of course very nice. What was Captain
Smith's error? You can take a while to recall.

You know, it was Captain Smith's last ride, he was going to retire. And he had a smooth
sail. The sea looked very calm outside, you know the blue sea people are having fun, they
are having good time, enjoying the time enjoying the ride ,sea is calm, his last ride,
everything looks fine. And then he started getting warning. Warning from nearby ships
that there is a iceberg and Captain Smith apparently looked outside and how can there be
an iceberg? Everything looks fine, the sea is calm.

So you cannot believe when this riding is smooth you tend, sorry for making it dramatic,
it may not be exactly what happened but everything looked safe outside, apparently
everything looked safe outside. You know from history that he did not act on that warning.
He ignored the warning and went for a cocktail, that is the story. So if a captain ignores
safety warning, what could happen is the historical example of Titanic. So here is it from
literature, as to what happened.

He was over confident for too big to fail. Yeah, good point. He was over confident, the
weather was calm and clear and it gave no perceptible reasons, you know, mind can be
very deceptive. So everything looks fine, like I look at the class, everyone seemed to be
fine and enjoying, but do I know if you are learning. I need to actually conduct an
examination or actually make it a little more objective or scientific to rely on what I
perceive.

47
 Perceptions can be good, perceptions can be deceptive as well and it appears that wrong
perception, played a role in this Titanic incident. And that is a warning for actually
managers. So, since it is a beginning of the course and this gives a management direction
for future practicing managers who are related to cyber security management, attitude
does matter. As managers you are responsible and any safety warning, any warning that
is related to safety, should not be ignored. We all fly aircrafts, we all travel in surface
transport, be it trains, be it buses and systems have been put in place, to ensure that your
journey is safe.

Well, what do you think is the most safe transport mechanism- is it road transport, is it
train or is it flight? Is flying more safe or buses more safe or train more safe? You have
read about it or it is your, you want to imagine. Statistically. Your answer is correct,
actually flying is the most safe. Based on data. So you can imagine the extent of effort
and there are very strict protocols and they follow the protocols and nobody would, unless
someone goes out of mind, you have some incidents like that, you know a pilot flying a
aircraft to, you know, into some mountain and killing everyone.

So there are rare incidents but otherwise these are all safe thanks to the protocols and
thanks to the safety mechanisms built in and if you bypass that you are actually, you are
the captain of Titanic. If you are actually bypassing safety. I strongly suggest Andrew
Grove's book, Only The Paranoid Survive, for managers. This is an old book but you, in
management talks, you actually come across several terms that he coined in the book -
Inflection point, 10x force, he modified Porters five forces and said if one force is 10
times others, what should the manager do, you know, very insightful thoughts. And the
key point in the book is, you know, be a paranoid, doubt everything.

You tend to think that everything is going fine and you want to believe that everything
is good. Because the managers just do not do it. You worry about everything. He said, I
worry about plants, I worry about people, I worry about market, I worry, you know,
paranoid is a negative word, you know, that it is very negative but it is a sort of the attitude
that he tried to build, when the competition was very high and it took decisions which
actually led or show correct directions for Intel particularly, signing out of the memory
chip business and so on. The book is very, very useful for managers.

Of course, it is a bit dated but for cyber security, I would say paranoid mindset is a very
important mindset. Look specifically, at the case of Target corporation. I just want to
bring to your notice some important takeaways. Number one, lesson on employees ability
to circumvent security. So one key learning from this incident was that despite huge
investment in cyber security, if managerial processes are not foolproof, there is no point.

48
 All that investment do not make sense, if there are vulnerabilities in management. So
importance of management in cyber security got more highlighted after this incident. We
have security systems or security technologies like the CIA but what happened. So that is
because of administrative failure. Number two, as the case says it was a watershed moment
for cyber security regulation.

So there are several laws in the US. We will be exploring the regulation or regulatory
landscape in different regions in the course But despite that, there were lack of clarity in
terms of what needs to be done when there is a breach, how it should be reported , what
kind of redressal mechanisms should be followed etc. So there is no one comprehensive
regulation for cyber security and privacy in the United States. European Union has it, but
it is still evolving in US, even today. Number two, we looked at the tangible laws and
we found it is 100 million and look at the size of the company - a 72 billion, that is the
revenues and you lose 100 million from that, it is like a pickpocket, you know, somebody
stole 100 rupees from your pocket, How does it matter? So one advice ,we will see in
cyber security management, there are different positions a management can take in cyber
security. You can ignore this altogether and we will face this in the court.

We do not want to make huge investment in cyber security. If there are incidents, we
will see in the court. So when a 100 million loss, it does not matter. So one industry
observer said that is a quote I have given, as long as the fines are not putting business into
bankruptcy or even serious financial parole for that matter. Executives and boards are free
to decide they are better off investing the bare minimum in a security, in security and
saving the rest for possible breach cost and fines.

So ignore the warning, is another management position. What do you think about it? Is
it a good stand? Can companies choose to invest bare minimum in security and face it in
the court? So government as a regulator or government as a body which wrecks the interest
of people this may not be right but companies can make a choice in the absence of
regulation. Well, they will comply with the law if there are incidents. For example, you
lost some money, I will compensate, I will pay fines, that is fine but we do not want to
create such large system for cyber security. So it may also be influenced by the extent of
competition in the industry because if some players put in more security, customers will
have more trust in those and automatically everyone else will sort of be forced to enhance
security.

Yeah, that is a valid point perhaps the intention of Target, in making huge investment in
cyber security was also to signal to the market, well, your data is safe with us and we
have invested so much in cyber security, you are safe. But despite that, of course the
incident did happen but your point is, if you do not do that, if you do not invest and signal,

49
it may affect your reputation in the market and it may become a disadvantage in the market
which is correct. You can see that, that is why probably the company has made that
investment. So shying away from that, may not be the right choice in competitive
environment.

Good point. So we will see when we discuss risk management, cyber security risk
management what are the options available to decision makers in cyber security and how
those options can be exercised ? Okay, it is like some of you decide, oh well , I do not
write the examination or I will repeat the course. So it is like you know I do not, I am
busy now but I am making an informed decision, well, I have a plan. It is not that you
are just closing your eyes against safety hazards but you have a plan, if it goes wrong, I
have a plan, well, I will write it later. So that kind of an informed step is potentially
possible and that is being done also. So we will take that up as a separate discussion in
risk management later.

Any questions? We are done for this session but if you have questions, we can discuss or
we can close. Okay good, so we have an introduction to cyber security at a fundamental
level, the CIA - confidentiality, integrity and availability and mechanisms to ensure them
and we also discussed a case where you see, how security breach, data breach did happen,
despite efforts by the company to secure the cyber assets. And we are learning certain
lessons and we will refer to this case again when we discuss, more concepts in the coming
days. I will see you in the next class. Thank you very much.

50
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 03
Lecture: 07

Hello and good morning, welcome back to this course, Cyber security and Privacy - third
session. So today's topic is Governance, Risk and Compliance or in short, this is known
as GRC. GRC is a common terminology in cybersecurity circles. So we will get introduced
to this broad framework, this broad management and governance framework. As we saw
in the previous sessions, this course is about cyber security management, not cyber
security technology. So technology is a constituent, but we are looking at how
organizations can manage cyber assets effectively.

So it is a, we are looking at it as a management issue. And when it comes to management,

you are already aware, most of you are students of management, we know that we talk
about standards and frameworks and, you know, more systematic way or more efficient
way of addressing issues in manage, management or management is about managing
resources or cyber assets are resources to be managed by organizations. So as we go, we
look at what these concepts really mean, like what is Governance, what is Risk and what
is Compliance? So of course, the item in the middle, that is risk, is something that we are
going to elaborate further in the subsequent sessions because cyber security is a source of
risk or cyber threats are sources of risk for organizations and they need to be managed.
So we need to develop much clearer understanding about risk management in the context
of cyber assets.

So that is our plan for today. We will discuss broad frameworks, we are not going to get
into the details of how, what they constitute and how, for example, how they can be
assessed or measured and how they can be controlled etc, which will come in the
subsequent sessions. Alright, starting where we stopped in the previous sessions, we
already are aware that the world is digital today or a lot of things that we do today is
related to or through digital technologies. We have a bright side and also we have a dark
side, which is the cyber threats. So good people and bad people are the positive views
and the negative views of technology.

And we can see organizations have been victims of cyber attacks in the past. And we
may think that with advancement of technology, cyber threats would cease to exist, but
unfortunately that is not the case. So the volume, the cyber incidents in terms of volume
and in terms of impact, in terms of impact are growing. So you can see the most recent

51
data breach, which I have shown in this graph is of Marriott. So this was in 2019
December, there are incidents after that, but this is what I am showing.

So you can see the number of people affected, it is 500 million. So 500 million data
records were compromised in the sense, unauthorized access by hackers or external
people who are not supposed to access that, could access the private data stored in the
database of the Marriott hotel chain. Who knows, if you stayed in Westin and you actually
shared your credit card details or you booked online, it may be out in the dark world for
sale. So that is the sort of vulnerability that you feel, you know, Air India's data breach,
you immediately fear, well, you have booked airplanes online and using your credit card
and who knows whether you saved it or not, you may have forgotten or your credit card
details, it is fine, but for efficient online activities, you generally save your credit card,
you may have your credit card details saved in Amazon. I am not threatening you, if
Amazon's data breach happens, you know, all of us will be in a soup including me.

So that is the world. So it is, it has not stopped, but it is only going up. And therefore,
we discussed Target stores data breach, which is also shown here is much smaller in terms
of its extent but you can see this is growing. And therefore, organizations, these are major
attacks on organizations. It is like thieves entering the premises of an organization and
stealing away assets.

So and therefore, just like there is physical security, there has to be cyber security to
protect your cyber assets. So that is the premise. Well, you can wish everything well and
live on, but the future will be bright and future will be good and there is God above
watching over everything. So all that is good thinking, to calm down your mind. But you
know that as managers, you will always wish for the best, but prepare for the worst.

That is what we say. So, fortune favors the prepared mind, is a very famous quote by
Louis Pasteur. And you know what it means, you can leave things to chance, but because
oftentimes future is unpredictable, you can not actually predict, but how prepared are you
for an unpredictable future? So have you thought through, what could go wrong? Have
you accepted that things could go wrong and how prepared are you ? So one thing is to
say that nothing is predictable and you know, so whatever we do, still things can go wrong
etc. and take a stance, well, do nothing. The other is well, things can go wrong, but we
may not be able to do.

So that is Louis Pasteur, be prepared, be prepared and be prepared. So that is the message.
So broadly, there are three approaches to cyber security management. From a higher level,
I would say if you look at cyber security management from a broad perspective or you
stand in front of an organization and then think in broader terms, what are the different

52
approaches that one could take to manage cyber assets? Then, I would figure three
approaches. These are not given exactly in your textbook as it is, but I am actually
referring to multiple sources to build these three categories.

So the first approach is the GRC approach, which we are actually dealing with today,
which is very popular, which is the framework based approach. So in this, you can actually
think of the, in the first method, which is GRC, you are looking at cyber security and
cyber security management as one among the many risk management initiatives, you need
to have in an organization or cyber security is a part of the risk management framework
of an organization. There are other risks that an organization needs to manage and the
cyber is one. For example, there is operations risk, there is market risk and so many other
risks that constantly affect organizations. Therefore you function in an environment and
therefore, there are internal and external threats and organization faces.

One category is the cyber related risk. But when it comes to risk management, you do
not look at cyber security alone, you make it a part of a overall enterprise risk management
framework or also known as ERM, we will come to it in the next slides. So cyber security
as a part of the overall governance, risk management and compliance with law,
compliance with regulations, compliance with internal and external standards. That is one
broad approach to, I would say, the broadest approach to cyber security management, you
do not look at it as an independent constituent, but you actually manage it as a part of
something else, a bigger initiative. The second approach is the standards driven approach.

Standards driven approach looks at cyber security as a separate issue or a separate

category and it is distinct from other risk that an organization faces maybe or you may
actually be, it may also depend on the size of the organization and the nature of the
organization etc. For example, a small organization, a medium sized organization may not
have GRC framework or larger frameworks in place, but they would still need to address
cyber security. So one way of addressing cyber security in a standard way is to implement
a cyber security standard, which is defined by standard bodies like the ISO or the NIST.
NIST is an American standard body and ISO is European. So they have defined standards
for managing cyber security.

So when you implement the standard with the help of a consultant, you actually are
implementing certain practices or certain practices that would ensure that your cyber
assets are protected. So that is, I would look at the standards driven approach as a distinct
approach or different from the GRC approach because you are focusing on cyber security
alone. But there could be cases where a standard is adopted as part of the GRC framework
as well, that can also happen. If you know depending on, I said the size of the organization
or how big you are and what, how much of cyber assets you have etc. would determine

53
how you go, but these can exist independently, this can exist together as well.

That is the point I am making. And the third approach, I would call it the textbook
approach. And that is what you are going to learn. So if you actually go by GRC, ISO etc.
you should go for training.

Because standard training is available in the market to get trained say on ISO, IEC 27001
or some of the standards in GRC, which we are going to see, there are standard training
modules available. So that actually helps you to do things in an organization. But our
approach here in this course, this is education or training. And therefore, to help you
understand various concepts related to cyber security management. So in your textbook,
you would see there is an organizational planning approach which they have suggested.

So many of the practices that are under GRC or under the ISO are covered actually in a,
in the textbook, but not necessarily complying with any of the standard frameworks or
standards that exist. So in the organizational planning approach, cyber security is
presented as something that should be prioritized in the strategic planning of organization.
So there should be a priority at a strategic level, at a higher level. So cyber security is not
just something that should be considered at the operational level, but it should be at the
strategic level. And contingency planning is a constituent of the organizational planning
approach.

So there is strategic planning, there is also contingency planning. And so both this put
together actually addresses cyber risk. So that is the perspective or the view that in an
academic course that we take. And this could be implemented as standards or frameworks
differently. You might be aware that there was a major cyber attack on banking
institutions some years ago in India.

I guess 2016, when credit cards, sorry, debit cards became vulnerable. And following
that the Reserve Bank of India made cyber security as a strategic initiative mandatory for
banks. So this has to exist separate from the IT management. So there used to be IT
department, IT head and so on in all banks. But RBI has made cyber security management
a strategic part of banks today with that incident.

Of course all of us today have the chip based cards. That is another thing that RBI made
mandatory for all banks. So, there are structures that regulatory bodies would insist on
certain domains of business. And then you have no option that you have to treat cyber
security as a priority. But that may not be the case, say with certain other domains like
education.

54
 There is no mandate that we should have a CSO and also a chief security officer or chief
information security officer. We do not have one because there is no regulatory body
insisting that. So this could vary from organization to organization as to how much you
invest in compliance or how much you invest in cyber security. GRC may be a mandatory
requirement, compliance may be a mandatory requirement. Then you, your business is
global and you have to work with organizations which insist or partners, business partners
who insist on such kind of frameworks.

So now, coming to the next level to understand GRC approach that is governance, risk
and compliance approach. There are again three broad approaches. But before that, let me
ask you this question what is, what do you mean by governance? You hear these terms
governance and management. So here the word is governance and not management. So
there is a government for a country.

And then of course, there is central government and there are federal governments and
there are local governments and there is a government within the organization or within
the subgroup where we belong to - functional aspects of rules and regulations that are.
Rules and regulations. Yeah, emergency response. So that is very much specific to cyber
security. But governance as a term, is a higher order term than management.

So generally, we know that there is a governing body for organizations. There is a board
for organizations. So the governing body's role is to institute a management or
management structures, management procedures and also monitor them. So there is a
governing body means a governing body is an overarching body. There is a higher body
which is continuously monitoring the health of an organization.

They have placed management systems in place. So for example, the CEO is actually
chosen or selected by the governing board. So they place management in place. So
governance is the higher body which is responsible for the overall organization. And of
course, then of course , you have the C level executives and other management structures
which actually makes the organization function and go in the direction it should go, set
by the strategic priorities of the organization.

So governance when you actually bring the word governance to cyber security you are
actually looking at cyber security as a strategy. So at a very higher level and it is having
the highest priority as far as an organization is concerned. So that is the meaning or that
is the implication, when you link cyber security with governance. So there were standards
that were developed for governance of organizations in the 90s. Again, this is a topic we
will touch upon later.

55
 The Sarbanes Oxley Act or SOX as it is known as an accounting standard in the United
States, was developed post major scandals that happened in the United States. Accounting
scandals that happened in the United States. And such scandals can completely bankrupt
an organization and a large organization like the Enron, if you have read about, could go
bankrupt in a short time because of scandals. And that is a result of absence of governance.
There is no body that is monitoring whether this organization is functioning healthy or
not.

And if you do not have that supervision or that guardianship I would say, then the
organization exists today but may just get vanished because of major scandals or major
fraud as we call it. So and subsequently there was, of course compliance for accounting,
compliance for managing its IT. So one of the jobs that was created for IT industry post
the scandals, thanks to the scandals, is implementation of standards, particularly
accounting standards and control standards for organizations because IT became a system
that can actually help implement compliance in organization because you cannot manually
monitor, manually check or manually report. These are actually very huge tasks and
therefore IT systems came in place to implement control and compliance of standards like
accounting standards in organization. So there are standards that were built by information
systems community.

COBIT is an example. COBIT is a specification or is it a, it is a standard for GRC

specified by ISACA, Information Systems Audit and Control Association. ISACA is a
global body and if you want to get trained, I talked about GRC training or standards
training, if you want to get trained on security, ISACA is one body and there is a local
chapter always, Chennai has an ISACA local chapter. You can actually visit their sites
and see what activities they do. So ISACA is the body which framed the COBIT standard
control objectives of information related technology and COBIT framework provides for
managing cyber security and it also provides for managing other aspects of risk in an
organization or compliance in an organization. So this is Information Systems Audit and
Control Organization.

So basically from an accounting perspective also, COBIT enables monitoring and

control. So it puts in place control systems in one sense. So this is IT based control of
organization.

So IT gets the priority here. So that is the root. The next framework is the COSO
framework which is expanded as Committee of Sponsoring Organizations or COSO.
COSO has a framework for GRC, framework for Enterprise Internal Controls. So it
stresses on controls. The key term there is control, not risk. So I will show what are the
areas where this COSO framework focuses on in terms of monitoring and control.

56
 So it is a framework initiated by American Accounting Association or AAA. So this is
a framework that is specified by an accounting body not an IT body. So COBIT is from
an IT community, COSO is from accounting community. So there are, these are two basic
frameworks and COSO got expanded as Enterprise Risk Management Framework or
ERM. ERM is standard term in large organizations, ERM framework.

So you know, you talk to large international organizations they will talk about their ERM
framework or ERM initiatives as to what they do. So bringing all risk under, as a risk
that organization has to manage and cyber risk is one of them, as I pointed out in the
beginning. So what ERM has done is, it has added certain specific clauses or specific
elements to COSO. So it expanded COSO to make it a ERM framework, Enterprise Risk
Management Framework. So from accounting and internal controls, COSO expanded to
the larger enterprise, risk management of the larger enterprise and that is COSO ERM.

So this is risk based approach. So there are three broad frameworks when we look at
GRC standard frameworks. So which are available in the industry for any organization to
adopt one is COBIT, second is COSO and third is COSO ERM. So these are GRC
frameworks that are available and there are actually industry bodies associated with each
of them. So this is at the enterprise level not at a specific cyber security standard level
like the ISO or NIST, wherein cyber security is a constituent of this framework. Now, we
refer to internal controls, we said the COSO focuses on internal controls.

So what does this term internal control mean? So that is what I list here, for the purpose
of understanding. And then of course, you can go to the next leveL, then you will see
more details for each of this. But what does it try to control? So what are the control
systems that are put in place in the form of processes and processes that needs to be
controlled? So there are processes for safeguarding assets, processes for maintaining
sufficient records, provide accurate and reliable information, prepare financial reports
according to established criteria, promote and improve operational efficiency, encourage
adherence with management policies, comply with laws and regulations. These are
different aspects of controls.

So the control systems focuses on these areas. So this of course, breaks down into further
details when it comes to implementation of the processes in the form of standards. So the
internal controls work in three aspects. And again this is very intuitive. There are
preventive controls which deter problems from occurring.

So it is futuristic or it is preventive in nature. There are detective controls. It is like you

identify or you detect and then of course, do the firefighting. Those are known as detective

57
controls. And corrective controls, post detection how you actually do the course
correction.

That is the corrective controls. You know, just like in any maintenance activity, you have
similar terms like you have preventive maintenance, breakdown maintenance and
corrective maintenance. So this is very similar to that. But essentially internal controls
work in three aspects and what they try to control is what I showed in the previous slide.
That is for a broad understanding of what is the role of control in organization.

You can look at it from the perspective of accounting controls. So that there is no fraud,
there is no thing or there is nothing that can actually lead the organization to bankruptcy
etc. So these are three aspects of the controls that organizations put in place for
governance purpose. Now we come to the COBIT framework, the specific COBIT
framework. What is prevalent today is COBIT version 5.

So you can go to COBIT site and explore further. This COBIT implementation is usually
a project done by IT organization because COBIT is implemented through information
systems. So they have the, so what is COBIT? So it is based on the few principles that is
mentioned here. Again stakeholder needs, covering the enterprise end to end, applying a
single integrated framework, enabling holistic approach and so on. So these are actually
ways to understand COBIT.

So COBIT essentially looks at the entire enterprise. This is something to keep in mind.
So when they say end to end, it is not looking at cyber security alone, but it is looking at
the health of the organization end to end and put in place standards through information
systems or IT systems to manage them, to monitor them, to control them. So controls will
have specific elements as we discussed already, but this is a system for safeguarding the
health of an organization end to end, health of an enterprise. So COBIT 5, when you look
at it broadly, you can see it separates governance and management.

So we just discussed what is governance and what is management. So this is drawn from
the COBIT standard, the introduction. So you can see what is the role of governance and
what is the role of management. So governance is above management. Governance put in
place the management and it directs, it evaluates and it is monitored. And so therefore, a
governance framework should have constant feedback from the management systems and
they should also be able to inform the management systems.

You can see that. And so the COBIT framework particularly functions based on four
steps that is shown here - Plan, Build, Run, Monitor. And there are similar strategies in
other standards also which you can relate to. So plan and for planning it has a separate

58
set of processes known as APO, build they have standard set of processes, run and
monitor. So these are abstractions.

So it breaks down into us, more details as we go down. I am not getting into that. But
the idea is to give you a sense of what are these frameworks. These frameworks manage
health of an organization or manage risk of an organization at a higher level for the entire
organization. And it is done through certain standard processes. So they actually
implement this using certain processes and structures, which is depicted here.

So that is what we mean by COBIT standard. And you can appreciate that COBIT would
contain cyber security or cyber assets as part of the assets to be managed. Then let me
also give you an overview of COSO and COSO ERM. As I said earlier, COSO is a
standard that has emerged from the accounting community. And initially it was only meant
for internal controls.

And then it expanded to enterprise risk management or ERM, COSO ERM. COSO is a
accounting body. It is a committee which actually developed this framework. And COSO
ERM further expanded for enterprise risk management. And as I said before, they added
three more elements to COSO to make it COSO ERM.

And there you can see that in original COSO, there was risk assessment. And in COSO
ERM there is also risk response. So therefore, it actually became a closed loop. So you
not only monitor the risk, but how you respond to risk. We will discuss this part in more
detail when we discuss risk management from the cyber security perspective. What are
the different options available for management to respond to cyber risk? We will see that
there are five different ways.

But COSO also, your textbook also talks about it. So responding to cyber risk, when you
actually do a detailed risk assessment activity, then you will find that certain assets are
more vulnerable than others. So how do you actually prioritize and put in place systems
to respond to cyber, potential cyber risk? Okay, so then there are actually objective setting.
Objective setting here in COSO ERM would mean objectives for the entire organization,
not just for risk management. What is the overall objective or management objective that
the organization needs to attain and how your assets are actually protected or enabled to
reach the overall objectives of the organization? So, assets are procured or assets are
invested in, for reaching certain objectives. So therefore, from that perspective, are assets
available or ready for supporting the organization and its objectives? So even the
identification is the third item that is added to COSO to make it enterprise risk
management framework.

59
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 03
Lecture: 08

Now, as I said in the beginning, there are three different approaches to GRC -
Governance, Risk and Compliance, GRC. One approach is to follow frameworks like the
COSO, COSO ERM or COBIT, which are fairly large and very detailed frameworks, I
would say for large organizations. If you have a startup in IIT Madras Research Park, you
do not have to think of COSO ERM. So you are a small organization or even if your
organization is a mid sized organization, the ERM may not be the approach. But if you
are, say into e-commerce or your business is online business and your customers actually
reach you through the online mode and if you are not concerned about security, then there
is an issue. You may not have to worry about a large enterprise framework for risk
management.

Your governing body may already be doing it. They may be aware of it, but they may
not have invested in big standards or audits of that kind, because those are all investments.
But cyber security definitely is something that you need to manage because of the assets.
And so sometimes for technology organizations, the major category of assets is the cyber
assets.

And therefore, think of in my MIS course, I asked students to compare Madras Cements
versus Infosys, compare the assets. It is not the equipment, manufacturing equipment that
form the assets of IT or a technology organization. It is basically the cyber assets
including people. And therefore, it is different in terms of the strategy to protect them or
safeguard the assets. So that is where the standards that are specific to cyber assets become
important.

Standards which are specific to cyber assets. And that is what the ISO / IEC standards
are about. So these are standards developed specifically for cyber security management,
very specifically for cyber security management. It began with the ISO 1700 standards or
sorry, it is not ISO 1700, BS 7799. It began with BS 7799 meaning it is a British Standard,
which was developed for cyber security management.

And ISO adopted this and it became an ISO standard later. So I will show you different
variants or different types of ISO standards specifically for cyber security management.
So BS standard is the fundamental standard where the ISO standard originated for cyber

60
security. And ISO / IEC 17799 : 2005 has 133 possible controls. So it is like a large
standard and it was renamed as ISO 27000 series starting with ISO 27001 which is the
basic standard in the PDCA format.

Have you heard of PDCA ? If you worked in industry, particularly manufacturing

industry, which I did. PDCA is a common term. Plan Do Check Act. Plan Do Check
Act. We saw a similar set of processes for COBIT But essentially plan before you do,
plan and do, then check whether what you did is correct and then act on it.

So PDCA is very intuitive. So you do for especially, for activities for process
improvement in manufacturing and in of course, whenever you have technology, you need
to improve continually and PDCA is such a framework. So it followed, ISO 27001
basically is a standard to ensure that your cyber security systems are active and is in the
improvement cycle. So you have today, what in the industry or in the standards body
there is a set of standards known as ISO 27000 series of standards. ISO 27000, whenever
you hear keep in mind that it refers to cyber security management standards provided by
ISO.

And if you go to the ISO website , you will see that these standards run into several, more
than 50 and each of them addresses a very specific cyber security management
requirement. For example, infrastructure management, there are separate ISO 27000 series
for infrastructure. So which standard you need to implement ? It could be, if you talk to
ISO consultants they would say no, not just one, you need this, you need that, they will
try to sell as many standards as possible. You know that we are an ISO certified
organization, IIT administration not academics. So as an example, I want to show you the
46th standard of ISO 27000 series.

ISO 27799 is a standard information security management in health, using ISO / IEC
27002 guides. So the fundamental standard is a 27002 but it has been customized or it
has been specified particularly for certain horizontals and verticals I would say. Healthcare
is a vertical where there is a specific ISO 9000 standard. Infrastructure management is a
horizontal but it may have a specific standard. So they have developed specific standards
for various verticals and horizontals of IT.

This is one way to abstract it, what is ISO? What does ISO standards do? They have
different standards that you can adopt depending on the nature of use of IT and the nature
of your business. If your healthcare is your business then they will offer one and if within
healthcare depending on the nature of IT application, they will actually offer a set of
standards. So for example there is a standard for network security. So it actually works
in, across different dimensions as I said, vertical and horizontal. Now you need to

61
appreciate that the standards are developed by certain bodies and there is politics also.

So as managers you should not be very naive, you should also know well what is going
on because consulting organizations would approach you as managers, well, why do not
you go for ISO. And keep in mind that all of these are investments and you need them
but there is competition as well in the industry for standards. So as I showed to you there
are GRC approach, there is ISO approach and then you will also see, there is a competing
body known as NIST. So ISO standards have been criticized, if you actually read literature
and in particular ISO is not something that is very acceptable in the United States.
Although today's US organizations also go for ISO but their preferred cyber security
standard would be the NIST.

Because it is developed in the United States, particularly for US military and such kind
of sensitive applications of cyber or IT. ISO is European and well, that actually informs
you about what politics you can accept in terms of interest. So each regions and regional
politics will have its own interest. So there are criticisms, I am not making a very informed
statement on politics because some of those allegations may be correct as well but I am
only providing you what is available in the public domain, in terms of claims and
criticisms of different standards. So NIST, I think it is expanded as National Institute of
Standards and Technology.

This is actually a US standard setting body not just for cyber security but for generally
for technology. So if you have to understand say about cloud computing technology
standards etc. you can again go to NIST and look at that. So it is a generally standard
setting body for technology. So NIST has worked intensely and intensely on cyber security
and developed several standards.

But a distinction of NIST standards is that unlike ISO, they are accessible, accessible
openly. These are open standards. We call them open standards. These are not
proprietary standards. If you have to get an ISO 27001 series of standards and even for
understanding how is the documentation done, what are the different courses of different
standards, in 27001 series.

It is not available in a open domain. If you search for it you do not get it. But if you want
to access NIST SP 812 - computer security handbook, go and download it. It is openly
available.

NIST standards are open. ISO standards are not. You have to pay for it. But one is to
have the standards available open for developing understanding. But implementing a
standard, may require more knowledge. So you have open source software and

62
proprietary software.

And all the world should be implementing open source solutions because they are free
and they are open. But that is not what you see in the world. There is Microsoft. There
is Oracle. And all these technology companies which sell software and make their money,
they used to make their money through selling standard, sorry selling licenses so far.

Of course, the mode is changing to cloud. But in any case, they make their money out
of the software that they build. But at the same time you also see similar software,
database. There are open source databases.

But the world is a mix of both. If you look at in terms of adoption I would say, the
proprietary software are used more than the open source software. Why so? Here again
the debate between ISO and NIST is open versus proprietary. So the whole world should
be NIST while ISO is still prevailing. Just think and respond, give one or two possible
reasons. Maybe Sir, at times the open source is also not entirely free.

If something like premium, some version, the initial version that is free and the upgrade
version that is costly. That is true in the case of software I agree. There is a basic version
like you know, you may be working with R, R studio, for example. The basic version is
free but if you have to develop applications using R, studio etc.

Then you have to pay premium. So this one way of attracting people onto that platform.
In platform based business basically you need participants, you need people to start using
it. So that is another approach basically to sell something at the end. But there are software
which there is no interest to sell anything at all. It is for consumption by a community
without commercial interest, that also exists.

So your first answer is that support. Something is available free but who will implement
this and who will continue to support us when it is implemented? So that is a important
question. So the service part. Product is available but service. So and essentially today's
scholars would argue that it is service that you consume.

It is not the product. Product is basically to provide you certain services. So the service
fulfillment is the most important thing. Not buying the product. So therefore that is a
missing element and if a proprietor like Microsoft sells, its operating system, it comes
with both.

So therefore that is a challenge. The second is reputation. I think you are referring to
reputation. So having a standard like ISO which has certain reputation in the market

63
versus having something which does not have equal reputation. Well, is NIST reputed?
Yes, it is reputed. But it is only a standard in an abstract form but implementation requires
expertise or specific expertise and knowledge.

And there, of course you may need consultants. Is there anyone in the class who have
worked on NIST standard? Anyone from industry? No. ISO, ISO 27001. Depends on
the class size when I teach executives, of course they come out openly with what they did
and what their experiences are.

So that is fine. It depends on how much of practice you are familiar with. This is
perfectly fine. So, there are guides and standard specifications by NIST which you can
access and then get more familiar with. So soon I will be giving you an assignment.

Do not worry. That will help you familiarize with NIST. And NIST's website is
something that all students should visit to get a sense of what these standards are. And
then in order to work on one assignment, you will require one or more NIST standards.
For example, how do you do contingency planning systematically? So there is NIST
standard available for that.

So you do not have to imagine many things. You do not have to develop this aspects
from the scratch. This is already specified. Of course, you have to think through your
problem or your context and customize it but you have to have a broad framework
available for different activities pertaining to cyber security management. So, are there
any questions at the end? So the purpose was to familiarize you with the frameworks and
standards for cyber security at a practice level or at the industry level. If you have
comments and questions, you can put it straight away or else we would actually discuss
a case for the day.

So let us have the first case discussion by the student groups. So the first group is going
to discuss the case of iPremier. So iPremier is a case that is shared with you and iPremier
has three versions A, B and C. Today we are going to discuss the first, A.

Sounds like a detective story. So let us actually get into the details. And this is a case I
think, how our business school documented in the 2000s. When I started teaching MIS, I
came across this case and they have updated it around here, you can see there is a 2018
version of it, which is what we are going to discuss in the class. Alright friends, please
come over and take charge. Next 30 minutes is yours.

64
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 03
Lecture: 09

So, good morning everyone. Today we will be presenting a case, the iPremier company
case. It is on distributed denial of service attack. So first, we will start with a small
introduction to the company. So iPremier company is in the e-commerce business and
their product which they sell are luxury, rare and vintage goods. So the prices of the
products range from hundreds to tens of thousands of dollars.

Their clientele is basically a high-end clientele. So their customer trust with the products
which the company is selling as well as the services offered by the company is going to
be very crucial for the success of this company. And in 2017, they have over 1 million
regular customers in their database. Regarding the competition that the company faces,
iPremier is already one of the top two websites in that field.

Their main competitor is Market Top and though the product is the main good which
they are selling here, they feel that the competitive edge which iPremier enjoys is actually
the user experience enjoyed by the customer. So basically on attractive websites, the after-
sales service, the seamless service for the customer while purchasing and using the goods.
Coming into the management culture of the company, so the company basically comprises
of younger long-term employees who have been there with the company for long and
experienced lateral hires. So the salaries are above average salaries and mostly the above
average part comes as stock options for the employees and the compensation is linked to
the performance. So the entire atmosphere is very very intense and with quarterly reviews
and removal of unsuccessful managers.

So basically the characters in this case study are Bob Turley who is the Chief Information
Officer and he has just recently joined the company. Next we have the CEO, Jack
Samuelson. Bob Turley feels that he enjoys the confidence of the CEO, even though he
has just joined really recently, because right now, he is in New York with a high profile
assignment. Tim Mandel is the CTO, Chief Technical Officer and one of the co-founders
of the company. Bob Turley has a good working relationship with Tim Mandel.

Next character is Warren Spangler who is the Vice President of Business Development
and then we have Peter Stewart who is the legal counsel for the company and who is
providing the legal perspective to the various incidents in this case. Joanne Ripley is the

65
Operations Team Leader who is taking care of the cyber security operations for this
company and Leon Ledbetter is another employee in the Operations Team. We have
developed a storyboard kind of presentation, explaining what is happening in the case and
we hope you enjoy it. So the events in this case begin at early 4.30 am in the morning.

So Bob Turley gets a call from Leon Ledbetter from the Operations Team. So, " Why
are you calling me at 4.30 in the morning, Leon?" " Mr. Turley, we are facing trouble
accessing our website and we have just been receiving mails which says - Ha Ha Ha. I
am new to the organisation and have no idea what I am supposed to do.

" At this moment Bob Turley decides to directly call Joanne Ripley who is the Team
Leader for the operations. " Okay hi Joanne, can you say what is going on actually?" "
Bob, right now I am not sure what is happening but it actually does not look like a simple
DDoS attack." So while this conversation was going on, Bob Turley is interrupted by
another phone call. This time it is from Warren Spangler, the Vice President of Business
Development. " Hi Bob, I hear something is happening and I am sure stock is going to
take a hit tomorrow but you just don't have to worry about it" I will handle the PR.

" " Okay thanks Warren and we are also working from our side to achieve the best solution
that is possible. Thanks for your input." After that interruption Bob Turley goes back
with his conversation with Joanne Ripley. " So Joanne, can you tell me now, do you have
any emergency procedure since the attack has happened or do you have any incident
response team or crisis management procedure which we can follow now?" " Bob, actually
we have got a BCP but it's not been updated and we actually haven't practiced incident
response." Bob Turley had actually expected a company like iPremier to have an updated
disaster response plan and an incident response plan but he was surprised that they didn't
have all that but he also realized that it was his responsibility as a CIO to have looked
into these issues.

So now he has gone back discussing other options with Joanne Ripley. " So Joanne, so
what is next? What are your options and are they stealing our data?" " I can't give you an
answer right now. I am not sure what's happening. Let me first go to Qdata where our
server is and access the web server to see what's going on." So Qdata is the data server
for the website and they have been a long time service provider for iPremier.

However iPremier knows that they are not actually a very competent service and the
only reason they chose Qdata is because the proximity to the office. Now Bob Turley
decides he needs to call Tim Mandel, the CTO with whom he has a working relationship
and to get some advice on how to proceed. " Hi Tim, hope it's a very exciting morning.
So it seems like we are being under attack and so should we proceed by cutting the

66
connections?" " Cutting the connection, I would not recommend it but we might because
we might need some evidence but it is highly unlikely that we can preserve the log data."
The log data detailing feature had been removed as a part of a measure to increase the
customer experience by 20% because that will delay the interactions.

So that feature has been removed and now perhaps they might be rethinking about that."
This time, another interruption and this time it is Peter Stewart, the legal counsel. " Hey
Bob, it is Peter Stewart from the legal counsel. I would recommend you to completely
cut the connection because it will risk our customer's personal information." " Okay, I
understand your perspective, Peter.

So thanks for the input and I will see what I can do." And now Bob returns back to his
call to Joanne. So, " Hi Joanne, what is in, any update?" " Bob, they are not letting me into
the building. Can you please escalate this issue? It's very urgent you know what it is.
Now I think, it is an attack on our firewall.

" So this time, at 5.27 Jack gets the call which he had been hoping he would not get. This
is from the CEO. Bob gets a call from the CEO. " Bob, this talk is probably going to be
impacted and we will have to put a solid PR phase on this but that is not your concern
right now.

You should focus on getting us back and running. Understand Bob?" "Yeah, sure Jack
and though everything is not going according to our plan but still we are working our plan
and we will try to get the best solution. Thanks for having my back." " So hi Joanne what's
the situation now?" " Bob as expected, it is a DDoS attack. It looks like a SYN flood from
multiple sites has been directed on the router that runs our firewall.

" " So what can we do right now? Is the customer data safe at least? Are we sure of it?" "
I can not cut the traffic in as they are spawning the zombies. There is nothing that makes
a DDoS attack and intrusion mutually exclusive. So I am not sure if they are stealing
away our customer data." Okay, at 5.26 the entire attack suddenly stopped and Joanne
now calls Bob again to give an update on this new development.

"Hey Bob, the attack just stopped. It just stopped. I did not do anything. " Oh my god
really? So I mean, what are we supposed to do now? To just cut the connections or can
we resume the business as usual?" " The website is perfectly running. We can resume the
business as usual but I recommend we shut down and let us search what the issue is.

" " Okay I will consider." So at the end of all these events, Bob now has to make a decision
and he knows that his advice is the one which the company is going to follow. So basically

67
he has four perspectives from four different people starting with the CEO who wants to
get the business back up and running. At the same time he wants to ensure that the
customer data is protected and there are no legal backlashes to whatever action the
company is going to take. At the same time he is looking at his Ops team leader, Joanne
Ripley, who has recommended that they shut down everything and get expert cyber
security consultants to go over the entire system and check if there are any time, ticking
time bombs or any customer data breaches which they have not actually known about right
now. On the other hand we have the senior management from the business development
side who is represented by Warren Spangler who has already mentioned that he wanted
to, he has a personal motive in this because he wanted to encash his stock options so he
wants to get the business back up and running because the stock prices will take a hit for
a long time.

And finally we have the legal advice, legal perspective provided by Peter Stewart who
has called for, had asked to cut the connection and to protect the personal information
and avoid any legal consequences. Based on these four inputs and perspectives, the
decision will have to be taken by Bob Turley Okay, so now coming back to the case and
the presentation. So we've been hearing DDoS attack, DDoS attack in the whole
presentation, that is what the iPremier had faced. So let's just deep dive into what DDoS
actually is. So DDoS stands for distributed denial of service and is often used as a network
attack and these attacks are a subset of denial of service attack.

So what are denial of service attacks? So these are attacks where the attacker attempts to,
you know, overwhelm an internet connected asset with the aim of making it unavailable
to the legitimate user. So an analogy for this can be like, if you have been someone who
has been travelling in the public transport, always every time, especially in the Mumbai
local, if you have travelled, the doors will be always crowded with passengers. So the
legitimate user who needs to step out in the station, might not be actually able to do that.
So this is what actually denial of service attack actually does to victim's, you know, server.
Now that we understand what denial of service attack is, let us understand how is DDoS
different from DoS attacks.

So in DoS attacks, it just uses a single source device and then creates fake traffic and
exhausts the server resources. And this usually occurs in a very smaller scale. And in
attacker's point of view, it is actually very easy to identify the attacker in this case. But
then DDoS is a higher level of DoS attacks. And as you, it uses multiple systems to send
real time traffic in order to overwhelm the victim's server.

So let's just have a quick look on how DDoS work. So the attacker actually infects a set
of devices using a malware. This malware can be sent using any uniphishing mails or

68
messages. And once the attacker attacks all the devices, these are in control of the attacker.
So these systems are commonly in cyber world is known as botnets and the network
connecting all of this network consisting all of this botnets is commonly referred to as the
zombie network.

So the zombie network is the network that the attacker controls to flood a targeted
website or server with traffic. And this is how the attacker is able to crash or disconnect
the victim's server from the internet by flooding a lot of traffic into the system. Now let's
talk about the DDoS attackers motivates. So a motivation, so it can be either hack activism.
So in hack activism, it is a form of activism, which we normally see in our scenario.

But in this case, say for example, this is our e-commerce giant. So there is somebody
who has a bad feeling about the site, just wants to shut down the site in form of an activism
can do this. It can be cyber vandalism, it can be a cyber warfare. It can also be an extortion
in order to get money from the company or it can also be rivalries as we have already
seen, this is a highly competitive e-commerce platform and it has also have high
competition. So in this case, we are not sure what was the motive but these are some of
the motives, we have identified.

Next, coming to the analysis, what do you all think that actually went wrong? You can
answer this based on today's, in the light of today's class, that we had. So you can answer
it based on the managerial perspective or the technical perspective. Actually, based on the
case study, iPremium, they were lucky and fortunate that it was just a failed attack or
attempt. The website was not actually hacked but they were actually in the business of,
you know, catering to all the premium customers and all the credit card information and
all. So I think based on the options, that four options you were mentioning, they should
shut down their services and do some introspection and they should really invest to
upgrade these cyber security measures and all.

This is not like a failed attack. They did attack. It is a DDoS attack. But yeah, we will
be considering the options in the later. The hacker was actually not that successful to
hack the website.

So that damage was not there. We are actually not sure of what exactly happened. We
will be dealing with it right further. So right now in case, given the incident What actually
went wrong? Like the managerial side. So I will talk about the technical side. So they
had given the entire technical management to QData, which was actually not investing in
advanced technologies.

That was one of the main reasons. And also one of the founders of this iPremier company,

69
had a personal relation with QData. So it was not also ready to go for other companies.
That is an answer. Another one aspect which is highlighted in the case studies is that they
had an emergency response plan, but it was not updated with respect to time and most of
the contacts and all were not updated. So that is one aspect which they need to update
all the emergency plans from time to time.

From a management perspective, firstly, it is described that there was a very intense
working culture and variable pay of the specially senior managers, managers was entirely
based on stock options. So the senior management's focus was on driving the stock price
up. And that led to various steps like they should be very intense, trying to get sales,
trying to have the website up and running all the time without so much focusing on
consolidating what they had already achieved as their customer base, looking at the risk
part of especially cyber security. So there was never, I mean, like he mentioned, the
business continuity plan was outdated because there was never a focus on it.

There was no disaster recovery plan. There was no incident response plan. So there were
a series of effects from a management side because of the entire focus on driving the stock
price up. With technical perspective, they were not storing the log data. They made a
compromise in storing the log data. which will lead them to not able to investigate the
case in the future and identify what was the cause and found out who did it.

So thank you all for the response. You were all correct. And in light of today's class, if
we are to tell a verdict, the thing is that the company, iPremier did not consider cyber
security as one of their strategies. They didn't give priority and has been rightly pointed
out by Sir. It was the stocks or it was the profits that keep them driving.

So they lack security and risk expert. And as we studied in today's class, actually being
an e-commerce company, a top e-commerce company, they should actually follow some
sort of a framework or at least take into consideration the ISO standards or any other
standards. But they failed to do that and they did not also have a contingency plan as
well. So now as Sir already told in the class, thanks that this attack actually happened.
Now that iPremier will be more into the cyber security and might take this as a strategy.
Now handing over to Nithish, to check what all can they do forward.

So now again back to you guys. Let's now consider for a moment that you are Bob and
we will let us continue with the case because now the case ended at Joanne calling Bob
and saying that the attack has stopped. And now Bob is in the position of making a
decision because Joanne said that the attack has stopped and the websites are up. So they
can either continue to resume their business as usual or they can shut down the systems,
I mean the servers and then collect the data to identify what type of attack was it, from

70
where it originated to understand more about the nature of the attack. So considering that
you are Bob, can you guys throw a light or what should be best, should be done? Should
they shut down the systems or should they be resuming the business as usual? Any idea?
Yeah, over to you. I feel that they should shut down the system because rather than going
by the personal interests of the people in the company, they should not be exposed to any
other attack by any hackers here after.

So it's better to shut down the company, I mean shut down the system. Okay, good. So
first of all, it was the even we are suggesting the same thing. Our immediate course of
action should be to shut down the server systems to collect whatever data is actually
present and you know even in the short term long term to conduct a thorough forensic
audit. And the major reasons as already mentioned would be to understand more about
the nature of the attack and as Sir, as rightly mentioned in the previous class, hackers try
to exploit the vulnerabilities present in our system.

So we should be able to be in the correct position to identify the vulnerabilities present

in the system. This will also help us to safeguard from the future attacks. And now what
will be the second immediate course of action? So considering or take it up more as a
follow up question. So consider that you are now shutting down the servers. What should
you be saying to the PR? Should you be saying that it is a regular server maintenance
issue which we are trying to solve or do you want to disclose that a cyber attack actually
happened and we are in the process of rectifying it? So what would be your opinion on
that? Yeah, I think that they should disclose that it was a cyber attack.

Because if there is any ethical problem in the future as a good governance and ethical
structure that a company has to follow, I think that they should disclose because that
would improve their trust among the stakeholders that they have actually disclosed the
vulnerability that they had. So I think in the future perspective, it is better to disclose.
Yeah, so you are right. Because first they should dealing with the PR team and maybe
they can issue a press statement or at least a tweet which has been done recently saying
that there was a temporary, unusual, irregular attack that has happened on our systems
and they can say that they are trying to give more importance to the customer's privacy
and hence they are trying to resolve the issue ASAP. And the main reason for this is that
first of all from the company's perspective, they are responsible for what had happened
because they did not have a proper crisis management team or even an incident response
team.

So first of all, they are responsible and it is better to disclose it. And moreover from the
legal perspective, tomorrow if any customer comes up saying that my data has been stolen
and even if they try to sue the company in such cases if the company has already hid the

71
fact then, it will be a major damage for the company. So considering the future actions as
well, it is better to disclose and that is what even major corporations like LinkedIn, Gmail,
they do. Whenever they face an attack, they openly try to admit what has happened.

So this would be the immediate course of action. And well, now let us also consider long
term alternatives. Considering this happened, we have also tried to come up with long
term suggestions which the company can follow and we have also listed them in the
descending order of preference, our team's discussions preference. So, the first one would
be to replace Qdata that is, to outsource or contract a new service rating company for
proper security reasons because we already saw that Qdata security management was
outdated and they also had a problem in retaining the staff. And the second alternative
would be to develop an internal IT system, that is insourcing their own cyber security
management and setting up their own teams and the servers and get them back up running.
And the third alternative would be to recreate the whole architecture which is by staying
with Qdata but updating their own mechanisms whatever they have, so that their long
term commitment also still continues while updating their procedures.

And to be a bit more elaborative, we have also come up with the pros and cons of each
alternative so that it will give us a better understanding, while in the descending order of
preference as already mentioned and I will quickly go through these. So the main pro of
replacing Qdata is that they will be dealing with, they will be outsourcing to a major,
either the top market player or major market player so that they will be obviously having
the state of the art infrastructure and they will be having improved defence mechanism
with constant updates and patches, which unlike how Qdata was obsolete. And they
obviously, post the attack if they are switching to a major player it will also have a positive
attraction over the public and leading to increased customer trust. And the three major
disadvantages would be that now if they are switching they have to work from the scratch
because obviously and this will also lead to increased spend on financial resources. And
it will also be time consuming process because they have to migrate the data from the old
server to the new company's servers and there will obviously be a lot of switching cost as
well as time consuming process and moreover third point as mentioned, it affects the
personal commitment with the owner of the Qdata but again at the end of the day, we
have to do what serves the company best and that is why we have we are, we consider
this to be the best alternative.

The second would be to develop the internal IT system because as mentioned in the
article, it has already been mentioned that insourcing their own cyber security
management team has been in their cards or in their bucket list for a long time but they
have been prioritizing their sales as what one of our fellow mate mentioned because of
the stock options and other incentives. So a good time would be now to refocus their

72
priorities and the main advantage of this would be that, they will be having full control
over the database system as well as cyber security team and since that has been insourced
they will be quickly able resolve the issues, whenever they detect. So and moreover it
will also be cost effective in the long run but not in the short term, but definitely it will
be cost effective and might even save a lot of, you know, billions of dollars of revenue
for them in the long run and again the major disadvantage would be, it will be costly
however they have to install the servers they have to hire a new team, maybe a lot of
team cyber security teams you know crisis management teams and everything obviously
it will again be time consuming and outcome is not guaranteed because you know, when
new types of attacks start coming up daily cropping up daily, so they will have to be
constantly updating, so they might not be as effective as the new market player but still
this can be considered worthwhile. And now, the third alternative would be to retain their
relationship with Qdata while recreating the architecture but again the advantage would
be that it helps avert the switching cost to a new market player for iPremier, it helps them
save time in returning to normalcy, compared to switching and migrating their data and
moreover the long term relationship is restored but the con is that if we never know
because already Qdata is performing bad and we never know how ready they are to accept
to modify their terms as well as to their technology and this updating process might again
take a significant amount of time that is why we consider it to be the last option in our
data.

So we consider this was and hope insightful and enriching session. If you have any
questions, you can follow. Excellent presentation but I disagree with you. So your
suggestion is that the company shuts down and does forensics, examines intensely whether
customer data has been stolen and put in place cyber security systems and then restart
their business and what is the guarantee that when you do all this and restart your business,
customers will come to you because it is a very competitive market. There is Market Top
which is the major competitor and this is niche product or high end products that they sell
online and it is online, the moment the customer feels that my data is not secure and it is
not secure to do business with iPremier I may not come back, you shut down, you did a
lot of things, that is fine. I have competitors to go to, so you may be actually shutting down
your business itself you may be closing your business, if you shut down and go for IT
maintenance for a long time.

So what do you think about it? Sir, if you are not following this procedure as well, we
believe that the company might shut down because again, we are not sure what has, who
caused the attack and what has been stolen. So if we try to resume the business as usual
it might go okay, fine, for a shorter period of time but we should also remember that the
person who are targeted also had the audacity to send a Ha Ha email messages. So it
means that it was a proper targeted attack and it is, we can be 75 percentage sure that there

73
was some data that has been stolen or they might have even installed some bots that might
be transferring data internally, without us noticing it. So considering these security risks,
if we try to resume it as usual business might go but later on people, this hack, some other
external party Business is gone.

No, if you're hiding the fact, if you're hiding the fact. See the issues of customer trust
so if you hide that information that this attack has happened, then this information gets
revealed later by whoever has done the attack, it might be the competitor himself is doing
this attack on us and he reveals it, then the loss of customer trust later when customers
find out that, high level clientele find out this company has been hiding information from
me, it will be greater than what will happen now, right now we can take ownership of the
situation and try to reassure our customers that we are working on it, there will be loss of
customers. So this is about shutting down your business or closing your business versus
what potentially can happen in future which, if there is a way to manage that, you may
still be able to run your business. The other aspect which you are not considering is about
job security. So this is Bob and Bob is in the stock market I think he is in New York,
taking care of company's stocks or publicity but the company is attacked and at the
bottom, right and it may not exist tomorrow, so won't some people be trying to safeguard
their jobs because this is a company which easily fires people and you know somebody
has to take ownership, you know that they are also trying to pass bucks or you can see
they are trying to safeguard their jobs also. If you read it carefully, so if Bob does not
have job tomorrow, how would the behaviour change? Well, actually the point is during
the case itself Bob develops a new reason , he says, " I have been there only for three
months, how will you expect me to handle such a big crisis ?" So he has already developed
that excuse which he is going to say, however the CEO calls him he gives him a very
professional answer, like you take care of this problem you get the business back up and
running, which is your job.

and he doesn't tell, he doesn't do any reprimand of Bob or no blaming of anybody he

wants that in process business to continue, so since the CEO is so focused and more
professional in that manner, we can Bob can hope that he might still have his job and at
the same time what Bob says is correct, he is only been there for three months and perhaps
he has been he has overlooked the fact that this company, new company does not get
updated its business continuity plan binder as well as the incident response plan. So those
things are things which he is going to be working on after this and Joanne Ripley, in the
final part of the case also mentions when she accesses the data center, she talks about the
firewall and she just makes the statement that the firewall is so bad, we should actually
work on this, so she has been there for a long time. So with regards to job securities since
the company has not focused on it or made cybersecurity a strategic priority which is a
high level decision which the CEO is also going to be involved in making such a decision

74
So job security is not going to be much of a issue right now and moreover the blame is
partially on each of the senior managers right from not having an updated binder, so
everything from having not checking the proper firewall, not checking the contracts and
Qdata and everything, so partially everyone is responsible, so we have to come to that and
make a decision yeah, yeah, so we are discussing what is internal now, but essentially
your decision will have an implication for survival of the company and on the market so
if you are going by shutting down, then what is your PR strategy? Because what do you
communicate to people, we are shut down because we are under cyber attack may not
work, the PR strategy is, as Nithish had mentioned, would be like we would send an
immediate tweet or notice that such an incident as high level and high level of traffic has
been observed in our data which is not as part of the usual behavior and therefore we are
shutting down this website to do some routine maintenance and check for any
vulnerabilities We saw that most of the big players like Google or YouTube, they have
also faced similar situations and Amazon whatever so everybody has faced similar
situation and what they actually did is, they have told the public this is what is going on,
so it is always better to let the public know exactly what happened and I also suggest that
not let the public know exactly what happened but we can say that we are suspicious of
some irregularities, irregular traffic in the system, so we can maybe play with the words
because when we did some secondary research on what the major corporations did,
actually the proper forensic data audit takes months or even years to come up with a proper
report so maybe initially what happens is the major corporations release a statement
saying something has happened then they are trying to get it back and even after some
few business days, four to five, the business comes back usual and starts running but the
final report of what exactly happened there is some corporations released years after. For
example, in the case of LinkedIn it was after three years, they later came up and said that
these many number of accounts have been lost or they are in the jeopardy of losing their
information. So the aftereffect might be even be a bit later, but right now, shutting down
for a few business days is a better option is what we consider and we can let that know
to the PR team as well.

So choosing among the which is the lesser evil that is what you are actually but I think
the most important thing to consider is the fact that this is a company which is in high
competition, it is online and it has to continue its business, any option that leads to
bankruptcy or closing of business, although it may be technically correct but it is not
correct for business, so that is the tension that we have here. So there is, these are all
risky options but you have to choose among them. So therefore that is why he asked what
is the PR strategy ? If you are going by this then there is a public statement one has to
make why the business is shared and that is a very very important statement and in one
of the cases that come up, that itself was a discussion and you can see how they made a
public statement, maybe the PR becomes the most critical aspect of your decision. On the

75
other hand you already evaluated if you go by, well business as usual it is much more
risky I would say If you know the reason, as to why the attack happened, you know there
was a failure and while the failure happened is very clear to the organization or to the
technical people, then you are fine you have actually addressed it, now you can go forward
confidently if you have taken corrective action and preventive action, then you can go
forward but in this case the attack just stopped, the attacker stopped .

They were at the mercy of the attackers. They just stopped. So somebody is having fun
and you have not really diagnosed what was the problem, so you can do what prevents
the attacker from doing it again and therefore there is no option but they have to actually
find out, so that can further strengthen as to why the attack stopped they do not know. If
they run the business again another day, it can happen in the same way so therefore it is
important that they stop there and diagnose correct and then move forward okay, so that
can be a strong recommendation, okay so let us wait for the B and C. Is there any other
comment ? Regarding the recommendation right, the second point what you have said
regarding the exposure to the public with the PR announcement, during the incident the
management also concerned about the stock market which may affect their business and
if you see about the instance timing it was a DDoS attack which has happened in the
early morning around 4 or 5 which is a non business service in perspective of a business
but it is since the e-commerce most of the customers would not be able to use that same
and moreover maybe 90 - 95 percent of the customers do not even know that the attack is
even happened or not, so is it correct for the PR team to make an announcement which
may affect their mark market or stock market when most of the customer did not know
about this attack ? So whether it is good for the PR team to make it such an announcement.
Say , for example in future they come to know, the public, that this attack has already
happened and the PR is just issuing a statement without mentioning the attack but it is
server maintenance and in the future if someone from the public says that, okay, my
personal data has been stolen, then again this PR only will have to face the public.

So it is always better to reach out to the public and say what is happening. That yeah,
my concern is you know shut down for how much time? what do you visualize how long
it is going to take to implement all those safety measures and upgradation of the system,
normally normally how much it takes ? Yeah, so it depends on the scale of data and
normally when we did our research like in two weeks or sometimes even business days
might take the data how much is the attack? So in our case, we really do not know the
scale of the attack but like when we did our secondary research what we came to know
that it depends maybe just days, one or two days or it might also extend till weeks Yeah,
this is the CEO's question, that is the CEO's question, you want to shut down for how
long? So that is the first question anyone would ask and you don't know actually
sometimes, right and that answer is not acceptable, you know this is the sort of real-life

76
scenario that you will come across, they want you to tell the time but you do not know,
you know so uncertainty is not acceptable. So but you are thrown into a situation like
that, you know at this moment and that is a dilemma in the case and you know the other
thing that one of the participants suggested that, that is that is normative, they should have
had a parallel system You know, so they should have a hot site or a warm site or a cold
site, some thing to switch to, when an incident of this happens but actually it is not there,
they did not have, they did not have any strategy cyber security strategy they had to build
all those, so you can just be wishful this should have been there ,that should have been
there, in this case and should be should not take much time, you know tell me how much
time, nobody is in a position to say anything and that is a sort of attack that is depicted
in the case. That is the sentence you know so it is an eye-opener for the organization this
organization can die or can go forward, we do not know so the case actually presents a
real-life situation where if you are not prepared and you are online, you can go out of
business, if you do not have cyber security measures so we will wait for cases B and C
with the sequels of this cases to understand more about what happens next, okay, in the
next class. All right, thank you very much.

77
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 04
Lecture: 10

Hello and welcome to Cybersecurity and Privacy course and today's topic is Contingency
Planning. So we are building foundations for cybersecurity management, so we are trying
to understand fundamental concepts and we are also looking at cases as part of this course
to also understand what is going on in the environment and to connect of course, principles
and practice together, that is the effort in this course. So we will discuss the different
aspects of planning as a whole in cybersecurity management and understand a wholesome
aspect of planning first and then specifically go into contingency planning in today's
session. There is another aspect of planning, which is for risk management which will be
in another session. So both have different objectives and I think I highlighted this already,
one is preventive, other is reactive. So today we look at reactive, okay, incident happens
then what you do, okay, that is what contingency planning is, the other is incident should
not happen, so you try to protect, so that is a separate path.

So we already discussed in detail the case of iPremier company in the last session and
we understood how a company which is very ambitious in terms of future prospects, very
professionally managed company actually got into a great shock, you know it is not just
an incident of low degree but something of a huge shock in the early morning hours,
okay. So incident happened at 4.30am, if I recall correctly. So I think we also discussed,
a drone attack in Saudi Arabia on a refinery which also happened almost at the same time,
4.

15 or 4.30. So in India we call it Saraswati Yamam, right the morning, the time when we
actually sleep or it can also be a time when you can have very high productivity mentally.
But essentially that is the time when the world is sleeping mostly and that is the time, the
hackers choose to shock organizations. So and we also saw how the company was ill
prepared or not prepared at all to face something of this kind and then you saw, since there
is no plan to follow in the event of an incident, nobody knew what to do, Everyone was
actually asking the other or suggesting the other and worse, try to protect one's own jobs
or one's own roles.

So that is what happens when there is no plan and we do not have clarity on things,
okay. So contingency planning is essentially to address that aspect of what to do if things
go wrong. We wish and plan such that, things do not go wrong, but despite that things can

78
go wrong then what course you take, that is the essence of contingency planning and the
case teaches us that this contingency planning is very important. There can be several
scenarios like Target Corporation despite having invested a lot, invested a lot in cyber
security, still breach happened and here is iPremier company, which did not care about
it and it happened. So it can happen and it can happen and therefore the point is, there
should be a clear plan that actually, in case of fire, for example, you know what to do.

So there are oftentimes you know the fire or the safety department actually gives context
drills, you must have seen that you know, they create fake incidents and try to sort of
alert people so that they ensure that the protocols are followed in the case of an incident
and they are able to restore the organization to normalcy, okay. So that is the purpose of
contingency planning. So let us move on. Yeah, so it actually, Gilbert very well explains
what happens if there is no contingency planning, right, like the iPremier company. Yeah,
so you just have to yell or in theory, they call it emotion focused to coping.

You do not know how to cope, you cannot use your, mind does not work because there
is no clarity, then you actually become emotional. And then you call for help or yell or
runaway or wish that there is nothing wrong etc. So these are our, tricks that our emotions
play and we have to be very careful. As managers your responsibility is to protect the
assets of your organization, number one. Number two, also if an incident happens to bring
back the operations to normalcy at the earliest.

So these are very important as far as cyber security management is concerned. I just add
a small insight from another case again, published by Harvard Business School. The case
actually discusses about a company called IVK, something like iPremier and IVK is an
established company and there is an IT department there. And there is a newly joined IT
director, who after assessing the preparedness of the organization for cyber security
challenges, suggests that we should, the company should invest more in cyber security.
And apparently, the director of IT made a proposal to invest in a Intrusion Detection
System or called IDS.

In yesterday's case we saw that there was an incident happened but they do not know
there was an intrusion or not because there is no intrusion detection system for reporting
it. In the case of Target Corporation you know, that there was an IDS but it was not,
actually it was turned off. So but there is no IDS at all. So IVK's director wants the
company to invest in something. So you know, in corporations you can, as managers
you can propose capital budget projects, new projects, revenue budget and capital projects,
capital budget.

In capital budget you make proposals for new systems and when you do that it goes to

79
the corporate office for evaluation. So then there will be a steering committee or a high
level committee who actually looks at project proposals that has come from different
departments or different functions and then prioritize them. So evaluation and
prioritization of projects is a corporate task. And what happened to IVK's IT department's
proposal was, the proposal was dropped two years, consequently two years. And the
steering committee said, " No, we do not want this project, we do not want to invest in
this project.

" So the reason, reason is given by the finance department or the you can imagine the
CFO. What is the return on investment? If you invest in an IDS or a latest firewall, how
does that money come back? Suppose you invest 100 rupees, for a finance guy, the 100
rupees should come back, say in 3 years or 5 years, as 150 or 200. So you have you
should get more money than what you invested then only it makes investment sense okay,
business sense. But in the case of security systems does it give any return and then why
should a company invest in it? So you can quickly share your thoughts. Sir, it does give
a return but then there is no definitive period or time frame when the returns will come,
the return will come in the form of intrusion getting detected, your data being safe, so that
you are able to take evasive measures at that point of time to safeguard your data or critical
information which can be in the form of credit card information, financial, banking
information such thing which will cause larger impact in the long run if that information
got out into the domain.

Well you may be right that is the same argument the IT director must have given, if we
do not invest in it, we may have this loss, that loss, goodwill loss and so on. But the
finance guy will ask well, tell me how much money you get back ? Show me the ROI. So
the message is, you quantify it. So they can say IDS costs this much, say, 5 lakh rupees
or say 25 lakh, whatever. So, 25 lakh given, what is the return ? Give us money.

They want 25 lakh as 30 lakh, How it will flow back ? it should be quantified over a
period of time. How will you do that? Sir, in this case, in case we want to quantify, what
is the return which we will get ? Is it, will be in the terms of, say, suppose the information
gets leaked, then what kind of that legal ramifications would be there, how much that
would cost the company as in the case of iPremier, the legal advisor was advising that we
are likely to go into lawsuit. So that cost is there, then secondly in the event of some
critical information getting leaked, some patent information or something, what is the cost
of that, the company which has already spent on it, that will be the cost factor which
somebody else will not need to spend. So if we want to categorize it, so this is how which
somebody else will not need to return. Okay, okay, okay, okay, I think you are thinking
in the right direction.

80
 Is there any other answer, just to add on to that yeah, take the mic, We could present
it as 2 scenarios, if we do not make this investment, what the, what this kind of an event
can lead to negative sales impact over a period of time versus if we make this investment,
the sales impact and the legal cost taken together would be much lower. So this will have
a lower negative ROI compared to doing nothing. This is what you are suggesting right,
there is a cost to the company if no investment is done. How do you estimate it ? This
has to be estimated, this has to become numbers at the end. So that is consultant's job,
right, you have to, in order to convince the management, you actually have to collect
data, you have to sample, there has to be some sort of sample data that you use to arrive
at this figures, potential cost involved if cyber security systems are not in place .

yeah you are saying something, yeah. Like they can estimate the number of incidents and
how long will it take to fix and what will be the cost to fix those incidents. Okay. Okay.
So similar company, how much, what is the probability of it being attacked and how long
will it take to recover.

Yeah. How long will it take loss of revenue because during the period, you know
website is down, all these can be added up to give a number. Yeah. Yeah. Yeah. So I
will say there is a difference between these two, right and what do you think which will
be higher, which cost will be higher ? Yeah.

So I will say there is a difference between these two, right Yeah. Yeah. Yeah. So I will
say there is a difference between these two, right and what do you think So you are
actually trying to minimize cost here, okay because there is no revenue, no revenue that
you are generating by investing in an IDS or in security system but you are trying to
reduce cost. So which cost should be higher ? Ideally if there is no investment, the cost
will be higher okay, so this will be plus plus, this will be plus okay.

So what you are trying to rationalize is, how much cost will be less if you invest in a
system or in a upgraded security system and that reduction in cost should be much higher
than the investment that is required. That is the rational for any investment right, You
save more than what you invest, then the finance guy will be convinced but where you
know where the director went wrong is that, you know, he got disappointed because the
company is not willing, despite me giving all the reasons. So still qualitative compulsions
or arguments do not really sell for finance department they actually require quantitative,
proper quantitative rational yeah. Again Sir, the question is how much to invest because
it is not one time investment.

Yeah. It has to be you know every time upgraded, so it is something like dynamic cost.
Yeah, yeah, so yeah, this is dynamic absolutely. You can see as the environment becomes

81
more fluid in terms of cyber security it becomes increasingly difficult to make this
assessments. So we are going to discuss this topic in more detail in risk management
because that is essentially at the end of risk assessment, a company has to determine how
much to invest and that should be proportional to the risk okay and that exact assessment
of risk is the highest challenge. And you can see the difficulty in this estimation, in the
absence of cyber insurance in our country.

It is very difficult to get cyber insurance done for cyber security risk and that is a field
still emerging and if you read literature on cyber insurance which one of my students is
working on a project on cyber insurance. So we find that this is an area which is of very
high importance but very difficult, due to difficulty in exact assessment. So you are right,
this should be the way theoretically to do this but making this estimates accurately would
be a challenge. So these are, this is related to the environment but doing nothing is not
an option, you need to have reasonable safeguards and the senior management should be
educated to understand what is this cyber security and why it is important to invest in it,
basically to save costs not for new revenues. So that is an understanding finance guys
need to have , you know it is not like it will attract more customers or things like that or
you know, more sales, nothing of that sort is not going to happen there is no new revenues
stream that is generated but it protects.

So you can see that the two cases both iPremier as well as IVK points out that the cyber
security was a low priority for the company and that low priority by the senior
management actually resulted in the situation that we saw and in the IVK's case it was
the inability of the IT department to articulate the savings from cyber security investment
and from the senior management's perspective, it is their lack of understanding about what
cyber security challenges are and that also requires more understanding. So again, I think
this is again Gilbert so this is well illustrated if you do not invest in cyber security what
people resort to because technical people knows what can go wrong and they will be very
disappointed, you can see we have more cases coming up in today's cases you know, how
they are actually worried because they know, and they try to do something, to protect the
organization. Managers or non IT managers may not be able to appreciate that. That
brings us to the topic, so we are going to discuss contingency planning. So before that,
what is planning? Planning is the integral part of management, what is a manager's role?
Basically to manage resources and how does a manager manage resources? Planning,
proper planning, so proper planning is fundamental aspect of any management.

So if the planning particularly in the context of cyber security is to align with the goals
of the organization. So essentially organization wants to go somewhere, the iPremier
wants to go somewhere in terms of its market competitors and future, but if he has to
go somewhere, it also needs to have cyber security to protect its cyber assets so that it is

82
able to attain its goals. So the purpose of cyber security planning is to enable an
organization to achieve its goals, its business goals. So the cyber security planning is very
much related to the goals of the organization in that sense and you also know from theory
already that if you plan, it helps you reduce losses or optimize your resources and it also
enables you to coordinate and that coordination will require proper structures within the
organization. So all that is a part of planning, and you know this great person or one of
the founding fathers of the United States, who said " If you fail to plan, you are planning
to fail.

" Who is this? Yeah, Franklin Turbolton, you know there is an investment banking
company so they are all sharp finance minds who also said time is money, right. So it
was Benjamin Franklin and it brings us in abstract terms how important planning is and
again in abstract level also, let me actually put this as to how when you make high level
plans for an organization or a mission, you also keeps gives importance to safety or
security. You must have heard about moon mission, right who actually charted the moon
mission somebody gave a talk in 1961 in a university, before this decade ends that is the
1960s, America should send a person to moon and getting back safely. It is not about you
send him out there, does not matter what happens, okay bring him back to earth safely,
okay. So you can see how well documented or well thought out is this mission .

Safety is given paramount importance in that statement. It is not about showing a, you
know, running a victory flag in moon and ending there. So this is essentially what
planning at a higher level means, the consideration for security should be embedded within
the goals of the organization, okay and this was Kennedy, John F Kennedy, and when
did this really realize? This was 61 and when did man land in moon? 69 okay, July 69.
So did this happen, it did happen well, that is separate project it is a good case for project
management. So information security planning - there are two types of planning as I said
already, contingency planning and organizational planning.

Let us look at the right side first, organizational planning consists of three categories
Operational planning, Tactical planning and Strategy planning. This you must have
already studied in management lessons, basic management lessons the order is not put
correctly in the textbook. So I have just copied it as it is, but it should be operational,
strategic planning, tactical planning and operational planning in terms of range, time range.
So the organizational planning for business objectives is one aspect. So there has to be
cybersecurity plans alongside these different types of plans.

So for example there should be a strategic plan for cybersecurity, there should be tactical
plans and there should be also operational plan which is day to day activities. Day to day
monitoring versus say medium term plans which are tactical plans and long term plans,

83
typically 3 to 5 years which are strategic plans. So cybersecurity planning should align
with those plans, that is one aspect of planning and it is in that planning you take care of
the risk that is faced by different assets of the organization and make your planning to
protect and prevent. Essentially this kind of organizational planning is to protect and
prevent potential incidents. Your it is basically to safeguard yourselves but when you
come to the left side, the objective is different.

The objective of contingency planning is essentially to restore systems, restore the

operations of an organization to normalcy in the minimum time, meaning that it assumes
that an incident has happened, and if it happens, what do you do such that the operations
are restored with minimum impact. That is objective of contingency plan. So contingency
planning are, is of 3 types - incidents response planning, disaster recovery planning and
business continuity planning. In short they are called IRP, DRP and BCP. In the iPremier
case you must have read somebody was saying we have a BCP binder but we do not know
where it is.

So BCP is a type of planning in contingency planning and let me summarize you,

summarize this for you here. What is the basis for deciding whether one should follow an
IRP, DRP or BCP? The basis is the impact, okay. How much impact a particular incident
has ? So there can be low impact incidents in the systems of a organization. For example,
somebody detect detected a potential virus in a one localized PC. So one PC is not
working or something is not running.

It is an incident we should, the the technical team must be alerted but operations are
going on. So it is called an incident and how you respond to that incidence is the IRP.
Low impact incidents. The next level is the disaster recovery. Disaster recovery incidents,
they are also incidents but they are of higher impact.

For example, some operations are shut . E-commerce operations is not running, and
therefore it is impacting the organization's business or transactions. But it may not require
the organization to shift its operations to another site. There are incidents of that severity
where you cannot continue in the same site at all which is known as business continuity
planning. In you know you are all familiar with the Chennai floods . Every IT company
was moving out of Chennai, and there was a big planning that was required at the
organizational level, at the leadership level.

So the extent of impact in a BCP is the highest, and that is a call an organization takes.
We cannot function here anymore. It could be technology reasons. It could be otherwise
. BCP is a generic term where organization has to shift its location.

84
 Disaster is high severity but you do not have to move out from here. You can restore to
normal operations after some time. So incident is minor. There is an incidence but
operations are going on. So this obviously shows that there has to be a management effort
to determine the impact of incidents and to classify them based on that impact assessment
and then move to appropriate action.

For example if you take iPremier's case, there should be some basis to decide whether it
is a incident or a disaster or a BCP or a business continuity situation. What is the case
and then follow that guidelines immediately . So yeah, so this is my own diagram. This
is not from the textbook to illustrate the various aspects of cyber security incidents.

We are talking about incident. What is an incident? An incident is a attack, a particular

thing that really happened and why incidents happen? Incidents happen through certain
vulnerabilities . If you look here, an organization has assets. In cyber security, they have
cyber assets.

It could be your data center. It could be even your people. But that is what is targeted,
by the external world. There are hackers or the negative world and they are looking for
opportunities to enter and distract or destroy your systems. And they enter through these
gaps . There are many gaps. There are potentially many gaps in the firewall that you
have set up or in the walls that you have built around your data center, physical or virtual
.

But these are all gaps are called vulnerabilities. And a hacker may use a particular exploit
. Hacker exploits a particular gap, and intrudes into your system . Once the intrusion
happens, it is a incident. Sorry, this become an incident.

And an incident can be of three types. One is low, medium, high. That is what we saw
as impact of incidents. So the extent of damage, that is caused. And therefore based on
the impact of the incident, some action needs to be taken. Once this kind of an incident
happens.

So that is the purpose of contingency planning. And so what is illustrated in the picture
is, somebody is walking And you can see the sole of the shoe, right. There are knurls on
the shoe. So it gives grip on the road. So that is sort of protection. Somebody has taken
precautions, even if there is a banana peel on the road, you may not fall.

But it depends on the extent of slipperiness Because there was a rain also, you know,
you may fall actually despite all the protection that you have taken. So this is a picture
that you can keep in mind in my own way of illustrating, what is a cyber security incident.

85
You have protection but despite that there are vulnerabilities and hackers can exploit that
and then there is an incident. And if an incident happens you need to respond .

This is the contingency planning . Deals with the incidents. It deals with the incidents.

86
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 04
Lecture: 11

So, generally planning requires a certain abstract statements and those abstract statements
are done by those who are part of the strategic team or senior management team of an
organization. So, the senior management or the board and the senior management
develops value statements, vision statements and mission statements for an organization.
These are some sort of the samples I have drawn here. Values means what you will stick
to, in conducting a business, vision means where you want to reach in a given period of
time and mission means what activities will you do, will you choose to do that aligns
with your mission, sorry your vision. So, that is what a mission statement is. These are
examples of companies you actually probably adore or like.

Now strategic planning is always top down , of course, there will be inputs from the
bottom but planning actually implies that well, it is an activity that is led by the top . So,
organizational strategy planning, I do not have to repeat these lessons because you have
familiarity with this. Now I am translating this into the cyber security world, into the
world of cyber security well this may already exist. The purpose of a proper cyber security
management planning is to ensure that alongside this, the organization is able to plan the
security organization is able to plan for cyber security management in line with the
priorities, strategic priorities of the organization.

And you can see that you also need to have a structure for cyber security as a sub
organization you can see cyber security as a sub unit or a sub organization of a large
organization and it should have its own structure. For example, you can see that there is
a role here. What is that role? CISO , that stands for security, top security officer . So, in
cyber security apart from the IT, there should be a separate CISO or a C level executive,
who reports to the CIO . CIO may be the head of the whole information or IT but there
is an immediate role of CISO, who report to a CIO and the role of CIO is to understand
both business and technology and cyber security and build policies.

Tomorrow next class is going to be on cyber security policy . The policy is something
that is initiated by a CISO keeping in mind the strategic priorities of the organization and
therefore, in order to draft a policy and in order to operationalize a policy and in order to
build a structure and then sustain that structure, you need a top role for cyber security .
And I hope in today's case, you will see that the organization you discuss did not have a

87
role called CISO. So then, once an major incident happens then they then they see that
well, we do not have this kind of structures we need to have them, we do not have a
policy, we do not have contingency planning. So, there has to be someone who leads
these initiatives at a strategic level at a top level, particularly when your organization is
large and your cyber assets are large and you are critically dependent on IT systems to
run your business.

And you also know in India, RBI mandates that every banking institution should have a
top role like a CISO role in addition to a CIO There should be a security top executive
whatever you call it director of security or CISO or whatever there has to be a separate top
role for cyber security alone. So, the job description of the CISO, chief information
security officer does not involve that cyber security term, it is CI standing for information
CISO's job description is to create strategic information security plan or the policy and
plans in accordance with the policy and also prepare budgets, prepare plans, tactical and
operational and monitor, comply with law, there are a lot of nuances when you actually
implement cyber security in a informed way in an organization. And you will also see that
when an incident happens the role of CISO becomes extremely critical as to what to do
and what to communicate to the public etc. Now that is one part of planning, I stop there
on the organizational planning which is alongside the strategic planning and building
structures, processes etc and we will continue that path in the risk management when we
discuss risk management a couple of sessions from here. But now, we switch to the other
part of planning which is contingency planning.

Contingency is, you know it is an unpredicted unaccounted for incident which can
happen. Unaccounted in the sense, despite all your preparation, things go wrong and those
contingencies you need to have, you know in accounting we say, contingencies it is a
accounting head you know, which are not planned but still can happen, contingent
situation. So, as shown in this slide, the main goal of contingency planning is restoration
to normal modes of operation with minimum cost, that is a goal of contingency plan. So,
that is what the team, the CPMT as they are the team is shortly called Contingency Plan
Management Committee. In large organizations there will be a separate CPMT team, a
team which actually plans contingencies and prepares the policies and documents which
we will see in a short while for contingencies .

So, CPMT team is an oversight team which typically oversees contingency planning
process there will be subcommittees within, instituted by CPMT for various activities but
CPMT is like a higher level team for contingency planning alone . Now what does
contingency planning involve ? We have seen this incident response, disaster recovery,
business continuity, this is in terms of impact . How severe an impact is in terms of
money ? So, as far as possible everything should be quantified and converted to values

88
which are measurable in currency units , then it becomes easy in other than, qualitative
descriptions. So, contingency planning essentially helps you classify incidents into one of
the three and contingency planning is monitored by CPMT we also already have seen that.
But what is missing in this diagram which is again drawn from your textbook is an activity
known as business impact analysis.

It is assumed that BIA is contained within contingency planning, that is why that block
is not separately shown but it is important to understand this . The Business Impact
Analysis or BIA is the most important assessment a contingency planning committee or
a CPMT initiates . That requires the committee to look at the severity of various attacks
and if that happens, what would be the business impact on various business processes .
Now when we analyze risk management, the other planning, basically protective, you will
see that the unit of analysis will be, unit of analysis will be assets. You start with assets
and if an asset is attacked, what will be the impact that is how you do the evaluation
process.

Whereas in contingency planning your unit is business process you analyze at the level
of business process. For example if the order fulfillment system does not work or it is
hacked, what is the loss? So that is a process which is attacked or a process which is
stalled So that is a process which is attacked or a process which is stalled and there is an
impact for that. So you, the unit that you choose to analyze in the case of contingency
planning is the business processes and the impact of incidents on business processes is
what you analyze. And I will give some examples and this is available in your textbook
also. Now we will come to more specifics here, the business processes and recovery
criticality.

So I said contingency planning specifically looks at business processes and then they
try to estimate impact in terms of time. Time is money right, the time for which if a
business process goes down or there is a downtime, what is the financial impact, that is
what they look at. Now in order to do that, they arrive at certain timelines and there are
four standard time related parameters in BIA process business impact analysis. They are
maximum tolerable downtime or MTD, recovery time objective or RTO third, work
recovery time or WRT and fourth is recovery point objective or RPO. I will try to put this
into a diagram so that you will better understand this but here I have given you definitions
of that .

So, maximum tolerable downtime, it is a tolerance of a manager, of a process manager.

Suppose there is an order fulfillment system which is an application and suppose that
application stops to function , well, you ask the manager who is the process owner,
somebody is responsible for that particular process , not a technical guy who operates that

89
business. And that person has to tell us or tell the BIA team how much time is tolerable,
how much downtime is tolerable without having substantial impact on business . Well
somebody would say well, one hour downtime is fine, we can manage. Of course, the
process guy is the person who understands business, there is some reason why, there is
some rational.

But ideally you would expect if you ask that question, if you are a BIA committee
member and you go to a process owner and ask, how much you would allow your process
to be down, If you ask me the question, the answer is, no downtime, we are working with
critical system I know what our customers will switch to competitors, we cannot allow
any downtime zero downtime that should be the MTD. And what alternate question would
the BIA guy would ask, we can expect to ask. Zero can be the ideal and that is what you
should say, but there is a problem with zero. How do you make the process guy think?
Yeah so we will come to that, you are thinking , so you have to think and articulate. So
the process guy has not given enough thought to cost.

There is a cost of downtime, there is another cost also which we will see in the subsequent
slide. So MTD could be ideally zero but cannot be zero. So there has to be a recent time
which the process accepts as downtime that is MTD, that is like a reference. Once MTD
is established the BIA can now work on two timelines which is the recovery time
objective and work recovery time. Recovery time objective is if the manager says, process
owner says one hour downtime is fine, then the technique the BIA team has to say in one
hour time, I have two things to do one is to restore the server or whichever system is not
running to operation, it should start running it becomes functional.

The other is the operations restore, system is ready does not mean that the operation is
ready, you know you have to do a lot more preparation to start working on that . So there
is a work recovery time and there is a recovery time objective, RTO is, well, server is now
ready for use, then the operational employees come and then sign in and then do their
formalities, do the checks that is required that is another time which is called work
recovery time. And then you find that you know your operations cannot be, cannot be
starting from the instance it went down because we do not have a backup . So it it may
take more time actually to come back to normal operations depending on some of these
aspects. So therefore the fourth timeline is coming which is recovery point objective.

RPO is nothing, but the point in time to which a system can go back, this is purely
dependent on the backup policy. If you are backing up the system every hour so maximum
one hour data may be lost so your RPO is one hour, you can go back to one hour maximum
. But if your recovery policy or your backup policy is for everyday one backup then you
may not have that much privilege. So, RPO depends on the criticality and these are

90
timelines set by the management to manage contingencies. So, BIA team's responsibility
is to ensure that these timelines are set if they do no exist.

And then based on say an MTD which is the overall acceptable downtime, determine a
rational RTO and WRT and also establish an RPO, a backup policy. Once these things
are done, then you can go forward. So, this diagram actually illustrates the four time
related parameters we discussed MTD is the sum of RTO and WRT. RTO is the time
taken to bring the system live, the system goes live here and it becomes operational here.
So, RTO and WRT together is MTD and MTD is a time accepted by the process owner,
not the technical team.

And RTO and WRT are times that are worked out by the technical team based on how
much time is allowed to go down . And RPO is again the recovery point objective is a
backup policy and also depends on criticality of the business . Now this is again an
illustration of the concepts we discussed. We already saw that BIA, business impact
analysis uses business process as a unit . So, one should first identify which are the
business processes in the organization which are automated by applications.

Business processes are what get automated by applications. So, a invoice process is
automated, you know it is using applications. Suppose the invoicing goes down, it has an
impact on business, then you pressurize the process guy to specify what is the MTD .
How to pressurize, we will see in the next slide . He cannot, he or she cannot give 0 hours
and some rationale is worked out , 72 hours is what you can tolerate maximum.

There will be losses but this can be tolerated maximum. And then you can see that they
work out subsequently the recovery time objective is 36 hours which is less than, the RTO
will be less than the MTD obviously because WRT is also involved. You can see it is 36
which is half the time . So, half the time is allotted for work recovery. So, so but this need
to be worked out for each business process.

So, you can see the role of a BIA team in contingency planning is to analyze business
processes which are automated and arrive at this timelines and then work on further
processes which we will see. And here in this particular illustration you can also see that
they use FIPS 199 which you are also going to use in your incident analysis in your
assignment. So one could also determine the severity in terms of confidentiality, integrity
and availability as low, medium or high . So, that gets documented in a process like this.
Based on this concepts let us go to the next item which is about the cost balancing.

So, by now we are clear that contingency planning involves business processes and
contingency planning involves time which is downtime. And downtime means cost, but

91
here in this chart we are saying downtime is not the only cost, recovery also is a cost. If
you have to restore business processes which is disrupted back to operations, again the
cost of recovery is a function of time. If you say 1 hour is what you can tolerate, BIA team
can say yes 1 hour, but the cost of recovery can be very high, you may have to have a
hot site always ready or a warm site ready . There has to be a parallel system for which
investment has to be made.

We call it redundancy, to make the system available you need to have redundancy.
Redundancy is a cost. So, you can see there is a optimum time that has to be worked out
to balance the cost of recovery and the cost of disruption . So, length of disruption time is
the x axis and cost is the y axis. So, when length of disruption time is made low say a
region like this , disruption time is made as low as possible by ensuring redundancies and
you can switch over to a new system immediately etc, very good.

But your cost of recovery in terms of systems that you have to keep ready for fast
recovery goes up. So, the cost is borne by the organization right. The process owner can
always say it should be here or here . Then somebody has to show this graph, well Boss
fine, I am fine, but we have to see if the organization is willing to invest so much to
reduce the cost of recovery. So, therefore you can see the trade-off between cost of
recovery and cost of disruption which will be the typical scenario and therefore you know
the optimum point is the point of intersection between the two graphs.

So, this concept should be clear in the mind of managers because ultimately it is a
negotiation for time. Contingency planning is basically a negotiation for time. In how
much time you objective is to bring back the system back to normalcy, minimum time at
the earliest. That earliest is the objective given by the management, that earliest depends
on these two aspects, cost of recovery and cost of disruption and how much you are
willing to invest. So, contingency planning cannot be done without the involvement of
management and their willingness to invest in redundancies, to ensure restoration of
systems based on priority .

Now this so, rest of the contingency planning in terms of what you do can be understood
using this diagram or this particular block diagram very well. You can see that there is a
switching from IRP to DRP and DRP to BCP depending on the impact of the incident .
What is the impact of the incident on business processes determines, what action is
triggered? An IRP is triggered if the impact is low. It switches to disaster recovery, if it
is next level and it switches to BCP business continuity planning, if you cannot continue
business in the same location. So, I would say this will be led by, it also depends on who
leads the initiative or who leads this particular activity or task.

92
 This will be typically the CEO, because you are shifting, you are moving from one
place to the other . This can be by the CIO, there is a major incident, but your contingency
planning says that this can restore to normalcy within a few hours. So, you have an
estimate of that, it is not that you have to switch to another place . And this can be done
by tech, this is a small incident. So, the impact determines whether it is an incident or a
disaster or a BCP.

So, there actually there is a difficulty in the articulation because the terminologies
whoever gave it, is not well done . Distortion and disaster, well, these are two you know,
it characterizes the incident, but BCP is the process. So, you can only say business
continuity is a total disaster sort of thing, highest disaster. Yeah, you can also say the
restoration is in the same site, in the disaster recovery. It is in the primary site, you do not
change or switch the site.

Now rest of the activities involved in the planning are descriptive and they are described
in your textbook. I will take you through these slides which describes them, but they are
easy to understand, self-explanatory most of them as to what you do before, what you do
during and what you do post etc. So, for familiarity, I would take you through these slides
and what is incidence response plan and what is incidence response, as to what you do
and how you do is the plan. And we have already seen that it is a reactive measure, fine.
And IRP has three phases as I said - before the incident during the incident and after the
incident.

For example, during the incident what is the protocol, post incident, you need to
document the incident as to what happened and there has to be a structured documentation
of any incident that happens. So, these in a organization which follows the CP should
follow these protocols or these rules in cyber security management. So, all this should be
available, the plan should be available prior, if the IRP has to be implemented. And
during the incident of course, you have a procedure, for example , if it is identified as
something that requires shifting the site, the BCP comes into picture and the BCP follows
a process. And that is the BCP documentation or BCP binder and who should be contacted
etc are all well described in that document.

And after the incident of course, you document and then move on having restored the
system. And there is also the question of how do you actually detect incidents. Intrusion
detection or intrusion detection systems do exist technologically and therefore, the system
should be active and you should have active logs and active reporting systems. And
conceptually Pipkin and others identifies three categories of indicators for incidence. They
call it possible indicators, probable indicators and definite indicators.

93
 May be the incident that we are discussing in iPremier is throwing some light as to some
things can be an indication of a higher disaster that is going to happen . So, they are
probably indicating something worse, the future can be worse than what it is now. So,
there are indicators of these categories which requires expertise and experience to use .
And some of them are actually described here . Change to logs for example, is a definite
indicator of something is going wrong.

Yeah, threat intelligence so, well incident means something that has happened. Threat is
something that is, that could happen. So, both are different. So, here we are talking about
well, something has happened and even after happenings if you do not have systems, you
may not know .

But what indicates incidents is what is described here. So, we are talking about threat
intelligence which is about what potentially can happen . Incident response, well described
here as to how you respond and you should have people, process, technology essentially
to respond to situations like the alert rooster, alert message and so on, how you
communicate it to people once an incident happens etc. And an incident should be
documented in a structured format and that should cover what, when, where, why and
how. So, there should be structured templates or documents which are available when
you actually implement standards for cyber security. Well, here is a example of a
incidence response plan by Carnegie Mellon.

And the idea here is to help you appreciate how detailed it is. An IRP document can be
very detailed getting into definitions of course, intro definitions, roles and responsibilities,
methodologies, different phases in incident response and guidelines for the incident
response processes. So, these activities are documented in a very detailed way in leading
organizations. Also there should be clear documentation as to when an incident becomes
a disaster and when a disaster becomes a , BCP category. And there should be, if these
are all management processes , there should be after action review as to does it improve
or does it become worse.

So, and this point is very important . We come to this important point which is law
enforcement involvement. In the case that we discussed in the last class, there was again
lack of clarity as to should it be informed to the government or can we contain this within
the organization. And that clarity should be there with the organization or how to decide.
And when we discuss regulations particularly of the kind GDPR which is prevalent in
the EU countries, by regulation it is required that an incident be reported, it should be
reported to the government.

You cannot hide it under the carpet, it is against law. So you do not have a choice, but

94
you can make a case by suggesting that this was not known or why it was not disclosed,
there has to be a clear case. Otherwise the law requires that, GDPR requires in 72 hours,
a cyber incident should be reported or 3 days, in 3 days the report should be given. So
therefore, there has to be sufficient knowledge for a cyber security management
organization to determine reporting to government and reporting to public . And law
would require that , so that aspect is also important. And disaster recovery as the name
indicates is based on the severity and this is major incident.

So you can think of the iPremier case which is a major disaster, business is down, right.
And they do not have a BCP of course, they have to manage within the site and that
discussion is on. Let me actually leave these slides for you to read and these are taken
from your textbook, I do not want to spend time. Unless there is something that I need to
describe you in a lot more detail, BCP and DRP we have already defined what they are.
And in BCP there can be many strategies, you can have a hot site, you can have a warm
site, you can have a cold site.

Hot site means there are say, 2 sites running parallely, if one is down the other is ready
to run. So you are very, you are ready to restore your business processes, may be certain
business processes which are most critical immediately, there is now a very, very low
down time. That is known as the hot site strategy, warm site is well, not immediately
ready but can be made ready within defined timelines. Cold site is the lowest but there is
a site possibly you can actually bring into operation within a longer period of time. And
then there are other options in cyber security management parlance today to use sites
which are time shared, lot of options which requires expertise and knowledge of the
domain to determine.

So what it means is BCP is a separate strategy for which you need to know the market,
you know you need to know what are the possible options and then that knowledge should
be available within the organization , within the region where you function. Alright, these
are self-explanatory, I move on . For the benefit of time I would leave this for you to read.
Yeah, let me come to this point and close the lecture here and then we will discuss the
case. Testing contingency plans, so are we ready if an incident happens ? So this is again
the role of the security organization to keep the organization alert and ensure that they are
ready if an incident happens.

So there should be periodic checks , sometimes mocks, to test the preparedness of the
organization. And I have given you a link here which you can go and explore to
understand practically how some of these tests are done in organization. You must have
heard about red teams, blue teams and purple teams . Red teams in an organization plans
a simulated attack, blue teams defend, purple teams moderate . So how the attack could

95
have been better or how the defence could have been better, so they learn lessons from it
and then go further on.

So this is a sort of testing process through emulating potential incidents. And I had a
practicing cyber security manager who came and did a drill like this for the students. We
will see if that is possible this time. So these are the practical ways of continuing to ensure
that contingency planning is done and it is active and healthy to face up an attack or an
incident if it happens. Do you have any questions? Or for at this time I would suggest
we switch to the case.

So I would have the next team to come and present and discuss the case, iPremiere B
and C. Thank you.

96
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 04
Lecture: 12

Good afternoon everyone and welcome to the part 2 of the case which is iPremier
Company's part 2, distributed denial of service attack part B and C. The group members
are Lokesh, Sanjana and myself Subisha. So, let us go through a quick recap of part A,
which the previous team had already discussed and these are the main people involved
and Bob Turley who had recently joined as the CIO is faced with a very grievous challenge
that is a DDOS attack for which they had not been prepared enough. So, these are the
people, Jack Samuelson is the CEO and he had already warned Bob Turley about the
operating procedures deficit which is there in the company which he had to tackle, but
this was in the back of Bob Turley's head and there is Joanne Ripley, who is the
operations team head who is running behind the hosting data company and the iPremier
and there is the CTO Tim Mandel, there is a legal counsel Peter Stewart and Warren
Spangler who is the VP of business development who is right now very much thinking
about the stock prices rather than the security measures. So, the story till now is that
iPremier is one of the top two retail chains that are existing right now and most of these
customers used credit card information that is why they are very much worried about
whether the customer data has been leaked or not. So, this company had an intense work
culture in which only talented people only the younger people were retained mostly and
the technical architecture, they were not giving that much importance and they had given
it to a hosting company, a third party Qdata, which had outdated architecture and the
staff attrition rate was very high in Qdata as well.

So, the attack which was a DDoS attack and this complicated the system because there
was no detailed logging as such which was there in the iPremier company and they had
not invested in good firewalls to defend such a attack of bigger scale and there was as we
have seen all these contingency measures like BCP, IRP, DRP, nothing was implemented
and in place. So, so the end of the attack was automatic and basically iPremier had no role
on it and they were unsure in part A whether the firewall was breached or not and they
were also unsure whether the customer data was leaked or not. So, there there are only
two options either to shut down and rebuild completely or disconnect temporarily from
the internet or continue as usual. So, basically these are the reasons that went wrong, that
is why iPremier has come to this situation, the technical issue is that there has not been
any detailed logs till now.

97
 So, the recovery part is very difficult as of now and there are many DDoS protection
softwares that are existing in the market, but none of them have been used by iPremier
or Qdata. So, the firewall was outdated and was not able to handle this amount of traffic
and the service also lacked the capacity to handle this much traffic and also they were
thinking of moving to an internal IT team which has not formalized yet and the managerial
problems are that, it was much of a young workforce, who had lesser experience and the
Qdata should have been replaced a long ago, but it was standing still due to personal
interest and a greater investment was required in security which was not invested and as
I already said there are no emergency firefighting plans and there was no simulation attack
or routine checks of security infrastructure which were in place and even they had not
even thought about a PR strategy to tackle such similar attacks. So, and also Bob had not
taken the advice of Jack seriously which was about the deficit in operating procedures.
Now, we will move on to part B and C to know what has happened. Okay.

So, I will be discussing part B of the case. So, previously as she recapped the company
is not sure whether they should disclose publicly about the attack. So, what iPremier
actually does is a few hours after the attack they actually disclose publicly that they have
been a victim of the DDOS attack and the attack lasted for a period of 75 minutes around
midnight and post this they actually implemented new security measures and this is
actually more reactive rather than proactive as we saw in today's class. So, I will be
discussing about the security measures in the following slides and one important thing to
be noted here is that they were not sure if the firewall is breached or not. So, they tried
to gather evidence whether the firewall was breached or not.

So, how did they do that? So, they examined files on every production computer and it
was examined on the basis of the identity and the size, that is probably the name of the
file that is to check the identity and the size of the file but they did not check whether the
contents of the file were altered or replaced and they did not have a mechanism to check
that. So, now Ripley who is the operations team lead had to make a decision in such an
uncertain situation and he recommended that all the production computers had to be shut
down and they should be disconnected from the internet and they had to rebuild the
software system using the developmental files. So, these development files were less
likely to be tampered. So, they were used to rebuild. So, let us see what they actually do.

So, first the security measures instituted were, they restarted all the production computer
equipments. So, these were done in a phased manner because if all were done at the same
time, it would cause inconvenience to the customers. Next they conducted a file to file
examination. So, this was done to ensure whether all the files were actually existing in
the computer, I mean, in the system or not. Then they had a study on the technology
solutions.

98
 This was done to see whether the files, all the files were present and whether the content
was altered or not. They also had a project to move to a more modern hosting facility.
They modernized the computing infrastructure to build a more sophisticated firewall.
They brought additional disk space and enabled high levels of logging. So, as she
mentioned earlier they had actually disabled detail logging and this was done because this
would cause a performance penalty of 20 percent.

So, the company actually wanted to focus on performance and they did not pay much
attention to the security measures which was again a mistake that the company did. And
last the next they also trained more staff in monitoring software. So, training the staff is
extremely crucial because they should be aware whether the attack has happened, what
type of attack it is and how they should react to the attack. They created an incidence
response team and practiced a simulated attack. So, they actually had talks about an
incident response team to be instituted earlier, but they did not implement that, which
was now implemented.

They retained a cyber security consulting firm and they instituted third party security
audits. So, now as I mentioned, Ripley's recommendation was to disconnect all the
production computers from the internet, rebuild the software systems from scratch and
this would actually take a time period of about 24 to 36 hours to completely rebuild. So,
obviously this had lot of confrontation from others and there were other recommendations
such that one was building a new site from a new facility from the developmental files
and later once the new site is ready, the old site can be switched off. So, now it is a time
that we need to take a decision whether to go for Ripley's recommendation or whether to
go for the resistance. So, now I want to ask you guys which you think should be the option
that they should go for? Can I have like a raise of hands of those who think option 1 is
better, for option 2 ? Okay.

So, can we have reasoning why you think option 1 or option 2 is better? If you go with
option 1, there will be a shutdown of minimum 24 hours to 36 hours of the business, but
with option 2, even though building a new site is an option, the existing site will be up
and running, so the business continues. So, when we shift to the offshore new site also,
there may be slight delay in the business, but it may be up and running with the new site.
Okay. But again it is not a question of just the time you want to see the technical viability
and the cost.

Okay. Yeah. Okay. So, one consideration is time, the other is cost. Anyone has any
other comments to make? Just to add to the cost perspective, with option 1, for the time
duration which it is shut down, there will be no sales coming in. And that timeline could

99
also extend based on how it is being implemented. Option 2, there will be additional cost
where we will have more visibility, but at the same time sales will continue to come for
that duration.

So, from a financial perspective, option 2 seems better. Right. Maybe we can have, I
would suggest maybe we can have a moderated option to saying that we will know,
because with every passing minute, if we keep the old site running up, we will be
obviously facing some secret issues which we are unaware of as of now. So, what we
can do is we can start building the new site and later when we have a kind of certain
visibility that this site might lack some "t" hours and at that time after getting that
visibility, we can switch off this later site. I mean, I am not saying that we need to switch
off the old site only when the new site is built, but maybe sometime in the transition, in
the middle so that we can ward off the risk from the old site.

Okay. So, yes. So, we weighed the pros and cons of both the options. So, with respect
to option 1, the advantages is that it is less time consuming and the process is well
documented, though there would be some expected time lag and it provides guarantees
with respect to the files. However, the disadvantage is that it degrades customer
satisfaction and when it is in very stiff competition, it is one of the top two players. This
is the time when they actually want to gain profits and grow and at such a crucial time,
they will be losing on customer sales and getting into increased competition. So, with
respect to option 2, the advantage is that there will be no loss of sales and the new site
will be free of all vulnerabilities because it is being rebuilt.

The disadvantage is that it is going to be extremely costly to obtain space in a hosting

facility and in new equipment and keeping the old system live can actually have, can still
be prone to other attacks which they are not sure of and building a new facility and new
equipment will actually be more time consuming. That is what we feel and it is mentioned
in the case that to come to normalcy, it would take about 3 weeks. So we feel that we are
going for an option which is not exactly option 1 and 2, a middle ground, where we are
suggesting that the server, a parallel server should be running and until the issue is being
fixed in the original server. So when today's class we also saw that there should always
be a parallel server which he mentioned that as hot site. So this parallel server can be
turned on, if there is any issue with the original server.

So this should be done and one important thing is so far they have never taken any steps
to diagnose the source of the issue. So this also has to be implemented. So moving on.
Can I ask a question? Yes. So your solutions, your options you created are quite fine
because that is a debate that is there in the organization.

100
 So some are opposing this shutdown for one to one and a half days and instead suggesting
that well, build a separate site but run the business as usual. So that is of course
advantageous because nobody knows, business got disrupted. But the concern is coming
from the technical person. You can see Ripley is just not satisfied because you don't know.
And I think the specific problem here is that they examine the files and all files are there.

For example, file names are correct. That is checked. But they are not sure if the file
contents have changed. Yes, exactly. So in that case again they are not sure there was
intrusion.

There was actually new files installed or old files, existing files, tampered. They do not
know. They only know that all the files with the same names exist. And since they do not
know and since the attacks stopped on its own, the technical person feels that it is still
unsafe. And then you say that we will build a parallel site say in a few months time.

We do not know how long it is going to take. Till that time what happens? Another
attack can come in and it can be much bigger embarrassment for the company. So this is
the scenario. So the moment you say that I am going by option 1, sorry option 2, you are
saying that we are just ignoring what happened. We will just build a new site and keep it
ready whenever a future attack happens.

But what is the guarantee that an attack will not happen tomorrow? See the hackers are
smarter than the CIO. See the hackers are smarter than the CIO. Actually we have those
recommendations at the end of these presentations. After the case. No, no when you
stand at this point in time.

See the thing is that with more information you can do more things. But when you stand
at the end of this case, all that you know is well what has happened and this is what you
have in terms of systems and what you should do further is based on the information at
this point. And a technical person would say well, if it attack happened yesterday morning
it can happen tomorrow or anytime. And somebody stopped it on one's own.

So you are not sure. And that is why they insist on the recommendation, shut it down,
do a thorough examination. That is why we also mentioned here that they should diagnose
the source of the issue by conducting forensic audit etc. So this would actually bring them
to a better situation. But that requires shutdown. That requires shutdown which the other
side is opposing saying that well, let us not do that because you lose customers.

That is the, you are between the what you call the sea and the devil, right. It is a catch
22 situation, very difficult situation. Okay, you are going with one option. So moving on

101
part C would be taken over by Lokesh. So again now in part C we will see the sequence
of events.

So first thing the senior management has decided not to shut down the business for a
comprehensive rebuild of all the production platforms. And then the second step what
they do is they have accelerated building the new site with whatever the available
resources and instruments is currently at the site which is not affected. After 2 weeks there
is an incident, there is a call from an FBI agent saying that the iPremier is attacking their
competitors. And the source is from one of the, one of the systems which is inside the
iPremier company, it is in the production site. So what happens is only then they go and
check the file and they kill the file.

So they say that that is when they recognize that the firewall has been penetrated. And
they also assume that the hackers have misdirected their attention saying that since it was
in suspiciously it was stopped, the attack was stopped and they did not receive any further
requests. So they thought that the attack is over but they did not expect this type of attack
to be done. So it is the attacker, so the hacker, it is called as the suppressing the fire during
the retreat. So now we see the after these issues when it has gone to an catastrophic level,
so there is 3 issues the company is facing.

One is to implement the Ripley's recommendation. So if you go by that, if you initiate at

this stage, it will be an, it is a source of an illegal attack. So if you start rebuilding it then
FBI will be obviously suspicious and you will be almost destroying the evidence or
whatever or you might, the evidence of, although you are not attacked it will still be shown
that you are the attacker. So if you do that this is one of the issues. And then the second
issue is how to handle the situation between the iPremier and the Market Top.

So definitely Market Top, the company is going to file a lawsuit against the iPremier.
And here the question is how the iPremier will approach and what they are going to say
to the Market Top to convince them or to get them on the like, on the same tracks of
understanding. And also there is another issue on what they have to say publicly. Their
database server has been compromised and also they could not identify any potential or
significant individual customer who have been affected and in either they are not sure
whether the data cards numbers or the credit card numbers are stolen or not. They are still
in the dilemma and they are also perplexed whether this could have been happened or
not.

So that is the other issue. And if they, if the credit card data is stolen then also again
there will be an lawsuit filed for the violation of the credit card processing agreement. So
now coming to the Ripley's recommendation, so do you, any of you have any suggestions

102
on what you should do further, or what to do with the options available? How the issue
can be solved? It is theoretical. So run the services from a parallel Qdata server. Since
they are the, they are the third party services which they have provided, so we can suggest
them to give us in separate server and which could be fixed immediately by all the
development files we have and keep the site running. And during that development site
we, since it is an e-commerce website, so we can allow the customers to surf and not
make any credit card payments until the issue is fixed.

And if the product is really needed at any emergency like within 2 or 3 days, they can
go for a cash on delivery. So that is more safer rather than not giving the credit card
details. And then how to handle the situation between the iPremier and the Market Top?
So here is the question of an, the trust between the iPremier and the Market Top. So we
can request the FBI to conduct a diagnosis at the iPremier our at the iPremier company
and share the report with Market Top. So that will create a sense of trust and also evidently
that iPremier is not the source of the attack, although the attack is coming from another
site, the zombies which they call.

And they can collaborate with the Market Top and also they can build an security, ensure
the security for their businesses like both of them, they both of them could be benefited
if they come together. If not, they will be filing a lawsuit and both of them will be in the
like, they would create an public attention and both of them would give an negative
impression from the customers and both of them would lose their market shares. And
what to say publicly? We say that, publish the incident report and the countermeasures
taken. So what has happened from the start of the event to the end of the event and how
they have tackled it and published their current incidents report whatever they have done.
And then on the site we can, since we are not allowing them to make any credit card
payments immediately, we can flash a message saying that the services are under
maintenance and take a time to fix the issue.

So this is the one of the solutions we are providing. So any of them have any concerns
with this or any countermeasures from your side? Thank you that was very enlightening.
Sir apart from what they have told, so even if you start off with a parallel server, there is
no guarantee as the same attack will not happen on that server and that server will not be
able to prevent the same. So the question comes that how do you prevent it? So there
has to be, anything which is connected back to the internet and it goes down, it will go
down the same way. They don't have an answer for this, they could understand the impact
also and it is likely to be the same in the next scenario also. So how do we do that? In
this thing, the only probably the critical part was the credit card information and banking
information, so the aim is to separate that from that particular server and I think the
solution lies in that that the financial information which is there needs to be segregated

103
and should not have a direct access with the digital platform basically.

So there in comes that maybe it requires a more analogous method of keeping record
and there has to be some kind of human interface, which has to intervene over here. So
that even if the next system gets breached or any other system you can connect in any
number of systems, you can have any amount of firewalls in this thing. If it is connected
to this digital platform, it is likely to get affected. So human interface and more analogous
means maybe the answer to protecting this.

So before going to like I can answer that but after. No, it is not a question. After two
slides, we will provide you more detailed recommendations. So before going to that, we
have two incidents, recent incidents which is taken currently. So one is the Microsoft
services which has been affected now in the last two days previously. So they, what
Microsoft immediately they did is they report, they went publicly and on the Twitter
handle, they published that they are facing this incident and we are going to fix it and also
they are given an updates on each time what is happening.

So that creates a sense of trust among all the business and almost all the business are
dependent on the Microsoft teams and the Microsoft services and here there is a report
saying that the major affected services is the Outlook and their website and then the Excel
and the locations are highlighted probably it is not visible, I guess. Those are Bangalore,
Chennai, Hyderabad, India, Nagpur, Mumbai and Delhi. So these are the locations which
are majorly affected and now the businesses, it has to keep running on. So what they do
is they go for this, they are told that they have isolated the problem to network
configuration issues and we are analysing the best mitigation strategy to address this
without causing the additional impact and within two hours, they were able to fix this
issue and the services were on.

and the business were back. Now here in the next slide we will see how the businesses
and the employees have been reacted. So here one of the maybe,the employees so they
took a vacation. So they say that Microsoft teams has stopped working which means that
work has stopped. So it is a kind of break for them but they did not like, what you say
they did not have any other issues, they just needed a break so this two years gap, it was
a break to him. And then there are few other responses, for privacy we have blanked it
out.

So it says, come on it is up now why did you fix it so soon ? The days when exchange
was on prem were better at least the outage used to be for few hours but they fixed it
within 6 to 9 minutes. So they were very well advanced and they had a good protections
and the firewall updated and since because of that they were easily able to fix the issue

104
and there is another response which says that thank you for the service down, spent all
the day solving the issues for the full box, inbox and enterprise plan and here you see he
is ready to move to Google for an one TB plan. So Google is also one of the email
services, Google and Microsoft they provide and it is still a competitor. So they are ready
to move to other plans if the issue is not fixed in a quicker time and also you can see that
the stock at the time when the incident was reported, the Microsoft stock has dipped for
almost 20 USD dollars. So this is the kind of impact a business can have when such
incidents it occur in the real scenarios.

And next we see one of the major cyber attack, the DDoS attack which Google has faced.
So on it was in the last year on June 1st, 2022 the cloud armor customer was targeted
within series of HTTPS attacks which peaked at 46 million response request per second.
So how they tackled this, they had a tool called as cloud armor adaptive protection, it was
able to detect and analyze the traffic early in the attack life cycle and it blocked the attack
ensuring the customer service stayed online and continued the servicing their end users.
So they did not shut down their businesses they let the customers, their businesses and the
other customers to be online and they did not affect their usage. So there were, as our
widgets are told there should be some functions which should be like segregated, so here
one of the function is they allow them to stay online and use these certain services but
the back end they were fixing it.

So how the attack was stopped - one is the rate limiting capability to throttle the attack.
So here the rate limiting, they had an protection and they had an rate limit saying that their
server could accept only 1 million request per second but here there were 46 million
request per second that is how they detected there is an breach and they controlled it. So
by, they were already aware of this attacks which is happening and they controlled it. So
what happens is, here the layer you can see, the 7 layers which is mentioned. So the third
and fourth layer is the where the infrastructure layer is getting affected and the sixth and
the seventh layer is the application layer based attack.

So here the Google were facing an infrastructure layered attack so which is on the third
and the fourth layers and then they had an depth in depth defence in depth strategy. So
which means they had to control, they had a different controls for each of the layers so
they did not have an as a package, they did not go on single for each for a like one layer
there was a protection and that is how the hackers were able to attack the third and fourth
but not the other layers. So here they also had the threat modelling that is practicing the
attack and as we saw that red, blue and the purple strategies. So they practice the threat
modelling and that is how they come, they build their own practices So here they had an
proactive and like they had a two options proactive and reactive strategies but they were
not reactive in this case it was a proactive strategy which they have used. So this is the

105
case we have gone through and now we go on for the recommendations.

So before that any questions? Yeah, this is a really good current insights you have
brought to the analysis especially about Microsoft and Google and how they are really
transparent and competent professionally competent to face cyber attacks and which is
evidenced in public but the only small issue is you are jumping out of context. So here
are two technology companies, that also world's top technology companies who are
competent, technically competent and then comparing it with a non technology we cannot
say non technology company but their primary business is retail. But they have IT assets
which is managed by a third party Qdata and Qdata's competence is questionable, that is
what we discussed in the last class. So in fact for cyber security they are dependent on
Qdata whose data center is not equipped with the state of the art cyber security
technologies. So even if they build another site, the primary requirement as somebody
suggested from the audience is they should have updated firewall, they should have
updated intrusion detection systems and only then they should migrate, otherwise there is
no point because you know, they are again vulnerable.

So that is again another investment and another decision that the company has to take.
So these are basically, it is like comparing apples and oranges but fine, it gives some
updated information as to how, what is the professional practice today versus what the
company is actually struggling with, no strategy for cyber attacks at all. So we have
recommendations. Yeah so, for there are so many mitigation techniques, this can be
preventive, detective or reactive and mostly these are technical mitigation techniques that
we are suggesting and first one is to reduce the attack surface area that is by limiting the
option for attackers. As Sir had discussed today, there will be vulnerabilities no matter
how much protection you give.

So to reduce that is the first option and there are content delivery networks or CDNs
which what happens is when a huge number of packets come in and there is unusual
traffic, these CDNs will distribute this across many multiple servers that are lodged in
the internet and this will reduce the, you know, server traffic at one point of time. So
these CDNs are used by almost all the leading companies, e-commerce websites like
Amazon etc because they are constantly attacked by DDoS and these CDNs will help
reduce the traffic at one point of time and second point is knowing what is normal and
what is abnormal. In iPremier company what had happened was abnormal amount of
traffic during non-business hours, that is when everybody was sleeping. So that had to
be, you know raised as an abnormal activity which was not done by the Qdata as a
architecture and next is plan for scale and their servers were not capacitated enough to
entertain that much amount of traffic. So we have to have load balances and shift loads
when such amount of traffic happens.

106
 So usually what leading companies do is they have DDoS protection services. In 2018,
when GitHub was attacked by a malicious DDoS attack, what it had is a Akamai Prolexic
which is its DDoS protection software and this effectively, you know, tackle that DDoS
attack. So they can also follow that suit and they have to deploy firewalls for sophisticated
application attacks. There are different kind of firewall and it depends on the cost that
you invest, the protection the firewall will give. So there are packet firewalls, there are
MAC filtering firewalls and there are hybrid firewalls. So as we go more advance, it will
give protection against all the vulnerabilities.

So they have to go into firefighting mode and invest in these kind of firewalls to you
know, see if there has been change in the content of the files or there is any potential for
future attacks. So they have to invest in this. So these are basically management side
reactive measures. So they have to invest in this.

So these are basically management side reactive measures. So once an attack happens,
what they have to do? So this CIA is the basis of cyber security, in this the A that is
availability was not even there in the first place. For example, Ripley did not have access
to the Qdata server and they were not letting her in, when the attack happened. So that
should not be the case and our suggestion is that they move to internal IT team, so that
these kinds of incident do not happen. Then there has to be DRP, IRP and BCP which
was not in the first place.

So IRP is something that they do during the course of the adverse incident. DRP is the
disaster recovery. So after the disaster has happened, what are the recovery steps that
needed to be done and BCP is as we have said, run the process in a parallel website. So
that was not there and that has to be implemented and the hardware and software needs
to be updated. For example, there are so many DDoS protection softwares that are existing
and being used by all the companies like there is unified threat management devices,
UTMs then there is express data paths. So all these can be implemented by them as well
and the roles and responsibilities had to be adhered.

For example, when this attack happened nobody knew whom to contact. They were not
even in a position to go for a conference call and have all the options being considered
at one point of time. So they were confused as to what to do. So as NIST suggests, there
is a 7 step contingency management plan that is mentioned in the textbook as well. So
there is a contingency management committee, management team which is CPMT and
there is a champion, there is a project manager and there are members. So this CPMT
team has to be formed in the first place who will be the first responsible if such an attack
happens.

107
 So as Sanjana said, the first thing is to be identifying the source of the attack and
immediately forensic report has to be recorded and maintained and finally they can also
go for a parallel server in which they can keep the business running if this stops. Thank
you. Okay, thank you. Thank you.

108
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 05
Lecture: 13

Good morning and welcome back to this course on Cybersecurity and Privacy. We have
already seen certain fundamental concepts related to cyber security. We have not been
under the domain of privacy, information privacy yet. But cyber security as a management
and governance issue is what we have been discussing and trying to understand both from
a conceptual as well as from a practical point of view. So, we have seen how organizations,
unless they have a management approach and management planning built in, as part of the
organizational process, how the business can be struck down or the business can be shaken
and sometimes go bankrupt, if cyber security is not given due importance. And therefore,
this topic becomes extremely important to go forward.

So in the last session, we discussed planning, planning that is required for managing
things. So we know that that is fundamental, to manage anything, you need planning, you
can do things without planning and you know how inefficient it is. So particularly in cyber
security, when the environment is extremely fluid and changing and increasingly
threatening, especially if you have a large number of cyber assets in your organization,
then it becomes a critical topic. So cyber security requires planning and any planning
requires some sort of reference to start with.

How do you prioritize cyber security? How important it is? If I do all the planning, is
the organization committed to it? Would they be willing to provide resources for cyber
security? We have seen one small incident yesterday, the case of a company called IVK,
which did not approve investment in cyber security technology, because it appeared that
it is not a priority for the organization. So it is important for managers to know, how
important cyber security is as a priority area and do the people in the top management
recognize cyber security and its importance ? What is the position? Is it really informed
position or is it some sort of arbitrary positions that the organizational top management
has taken? So all these are important questions, when we come to cyber security
management. So therefore, that brings us to the topic of policy. Policy is actually a
document in the case of cyber security, which acts as a reference. Now, let me actually
put this question to the audience.

When you hear this term policy, what comes to your mind? What is your thought, when
you think of policy, in a very general sense? Use three terms - Rules, Regulation and

109
Norms. So these three are different, particularly rule is a generic term, but regulation and
norms are different. There is something called social norm. For example, come well
dressed, come dressed at least. So that is a norm, you can actually decide to dress the way
you want or dress or not, it is all up to the individual.

But why do you come, why do you try to come well dressed in the class? There is no
rule written anywhere, there is no regulation as such. Nobody can take you to court if you
well, dress in whichever way. There is no such thing as regulation, but it is a norm, it is a
social norm. What is an acceptable norm? So that is one aspect by which the society
functions, you know, largely the society functions based on norms, social norms, you do
things because there are others. And that is, there are expectations from the society.

The other thing is the law, law is, regulation is something that is legally enforceable.
Somebody violates that particular rule, which is part of a regulation, somebody can take
you to court. So that is the point. So, is a policy a regulation? If it is legally enforceable,
then it is a regulation, otherwise not. When I shared the course outline with you, did you
notice a term called policies? If you read it thoroughly, there is a section called policies.

So policy is something which shows you, what will be the position of the instructor on
certain important topics related to the course. For example, plagiarism or examination,
examinations. So malpractices, there are strict positions the institute has taken and it is a
reflection of what is the institute's position on the conduct of, the code of conduct of
students. That is a policy, meaning a policy applies to everyone. A policy is to ensure
something collectively, not for specific individual, It is in the collective interest.

For example, if somebody copies, it is and it is okay, if I say okay, you can copy or you
cannot copy. I am not fair, I am not being fair, it is about the fairness. So and therefore,
you form policies in such a way that certain objectives of the course is met and it gives
some sort of balance or equity in the process of delivering the course. So a policy is such
a document which an organization develops to ensure that the organization is able to
attain its objectives. While ensuring that people are not affected or their personal space is
preserved and it does not sort of affect others or it is not imbalanced or unjust etc.

You have to actually take into consideration many aspects, we will go about that. So
policy, we all agree that it is a binding document for everyone to follow and it has certain
objectives. Now what is the objective of a policy? Policy can either enable, policy can
also disable. If a policy is not formed well, it can also disable an organization. As you
have already seen in the case of cyber security, there is an organization which does not
have a policy at all.

110
 There is no document to refer to as to why should it be a priority, who has said it. Well,
there is no document, there is no such thing as something that the organization has
accepted and communicated well, down to the members of the organization or in the
hierarchy. So let us move on. Well, these are just introductory motivational slides like
policy influences progress. So you know there is something called IT industry in India,
which did not grow for several decades after independence.

And when did the growth actually start? It started with certain basic policies. There was,
you know, policy on computer software export, which actually discouraged foreign
investments in IT in the country. And therefore, you know, we thought we can actually
develop our own technology indigenously, etc. So there were many models that
governments tried out, not blaming them because that was a different time period in
history. So then you can see certain landmark regulations like software technology parks,
and economic liberalization, etc.

, are broad country level policies, which encouraged an industry. In the absence of that
policy, the industry may not have grown. See post, you can see, when did actually India's
IT industry start growing? You can see that major change happening from during this
period. That is, when there was new economic policy and foreign investments in IT, IT
industry, IT exports, IT services exports, all became possible because the policy allowed
it. So and then we are very proud of an industry today.

It has come into being, because of a change in policy. So policy influences progress,
that is at a bigger scale or a higher level, at a country level. Policy can also influence
behavior of organizations. Policy can also influence behavior of individuals. There are
several studies on employees' compliance with organizational policies or cybersecurity
policies.

Organization may formulate some cyber security policy. But sometimes the policy can
be so, policy can make your day to day functioning very difficult. For example, you are
not given an internet access in the organization. And then, if you do not access the
internet, maybe it is for the purpose of security, but you find it very inefficient doing
certain activities, getting certain search done, or you know, referring to certain important
websites, you cannot do that. And sometimes the timelines, deadlines given by the boss
may be very tight, but you do not have access to resources.

And it is seen that people violate policies. So policy violation and policy compliance is
a function of many things. And therefore, if the policy is not well framed, taking into
consideration the objectives of the organization. If it hampers the objectives and make it
very restrictive, then also, it is not good for the organization. So, one thing is to protect,

111
other thing is to progress.

And this is the trade off that we discussed already that when you make your intuition
detection very active, then it affects your efficiency or if the logging is turned on, it is
good from a safety point of view, but inefficient from a functional point of view. So I will
show you the term of reference given by government of India to Justice Sri Krishna
Commission, who first framed our data protection, but your personal data protection bill.
So the government said, protect the privacy of people without inhibiting the potential of
digital technologies. So digital technology should be used, but at the same time, privacy
should not be compromised. You know, these are like two parallel lines.

So the purpose of regulation is to bring a balance between these two. Whenever there
are two parallel things or conflicting things, you need regulation to bring a balance. So
that is the, so policy is embedded, of course within regulation because regulation is legally
enforceable. Policy need not be depending on the context, but regulation is basically a
policy. It actually directs how a particular domain or a particular issue should be
addressed or conducted.

So therefore, if a policy is well framed, it can motivate people and invite the right
behavior. If it is ill framed, it can actually make people rather violate the policy. So if it
induces fear, for example, a policy can induce fear, if you violate, this will be the
consequences, there will be huge penalties, punishments, etc. people may comply and
keep in mind when people comply, they are complying for the sake of the regulation, it
will be at the cost of work output or efficiency etc. So therefore, it is a very important
topic, how you bring the balance between efficiency and safety, in the context of cyber
security policy.

Now, with that introduction of policy as a document that is developed and implemented
for ensuring the objectives of the organization, ensuring safety and security of assets, it is
an essential foundation for effective cyber security programs. Without a policy, when you
have doubts or crisis, there is nothing to refer to. Suppose there is no constitution for
India, then what happens, you can imagine, there is nothing, why, how can an institution
like IIT Madras function unless there is a constitutional provision for it, everyone can set
up their own shops and make all sorts of claim because there is no reference. So, you
need these fundamental documents to ensure what we want to achieve and to prevent what
is not expected. So, you see the next point in the slide indicates certain important
principles in cyber security policy formation.

In all policies these apply, but we can look at it from the specific context of cyber security
policy. The number one, is a policy should never conflict with the law. A policy is

112
formulated in our setting for an organization, a cyber security policy is formulated for an
organization. And certain sectors by regulation, it requires that there should be a cyber
security policy, Banking institutions is an example, RBI requires every bank should have
a cyber security policy, defining structures, defining processes. Now when you formulate
it, it should be in line with, compliance with, regulations and the law of the land.

An important case in point which is referred to in your textbook is that of Enron

Corporation and Arthur Anderson. Have you read about that scandal - Enron scandal in
90s? I was working in industry that time, it was an event that shook the whole world
because major accounting fraud by Enron. The company was going bankrupt and they
had an auditor and that was Arthur Anderson. So audit means, you know you audit and
say the company is very healthy. So audit is going on and audit reports are produced and
the company's work is going on, but actually the company is going through major fraud
and scandal and it was not detected or reported.

And that is when the government woke up, not only in the US but all over the world.
Because a company can go bankrupt if there are no regulations or standards which are
publicly available for people to scrutinize. So mandatory reportings, compliance with
certain accounting standards, Sarbanes Oxley Act, all got the regulation, got stricter post
that event. But during the incident, something happened.

So of course, this went to court. So Enron and Arthur Anderson actually had to give
their response to what happened. So Arthur Anderson wanted to wash their hands and say
we are not responsible. Something happened whenever we, when we audited everything
was fine. But what happened after that, you can always say, you know, we found
everything fine.

It must have happened afterwards. So what Arthur Anderson did was, it destroyed all
documents of evidence which was related to the audit. For example, emails and
documents. So then they framed a policy known as shredding policy. Shredding policy
is, at what frequency you destroy your documents. Our, I think our institute has a
shredding policy.

The examination answer scripts need to be retained for four years, I believe. And after
that it can be destroyed. So they periodically come to collect the answer scripts from us
and that is the shredding policy or retention policy. So Arthur Anderson framed an
interesting policy known as any document need to be retained, to the time till it is relevant.
So that is a very, not an year, not a number, till it is, who decide, whether it is relevant or
not.

113
 Once you make a qualitative statement, then it is subject to interpretation, who interprets
it. So one can say, well, it is no more relevant, the audit is over, everything is fine. So we
just, so actually they destroyed all evidence pertaining to the audit by framing a policy
that a document can be shredded or destroyed after it is found not relevant. Now the point
was, it was seen as a destruction of evidence because it was seen as a policy that is in
conflict with the law. And today you see, there are strict regulatory requirements to retain
evidence say in telecom and in several sectors, not qualitatively but specifically in terms
of numbers, which are measurable and which are without dispute.

So when you form policies, it should be in compliance with the law. This is one example.
I am citing another example which is at the bottom of the slide. That is, I think all over
the world, child pornography is illegal by law, in any country. Now suppose, you have
access to internet in your organization and someone say is addicted, you know this is
personality disorder, somebody is addicted to some form of pornography and these sites
are accessed from the organization.

Who is responsible? Is the employee responsible or the organization responsible?

Organization, employee is not responsible. Both are responsible. Individual is responsible
understandably. But why should the organization be responsible? It is the individual who,
say internet connectivity is provided for accessing sites that are required for work. If
somebody did something wrong, then that individual should be responsible, why
organization should be responsible.

Yeah, but organization can say in the code that we have to let employees access internet
for work. And if we stop that, work cannot be done. And if an employee accessed a site
which is illegal, that is the employee is responsible. We have to give internet access
because that is required for work. Any different opinion? Is organization liable or not
liable? That is, why should they block because anyway it is understood it is against law
and you are you know, even otherwise individually we are not supposed to access such
sites.

You know the National Law actually, IT Act actually prevents to the best of my
knowledge. So why should the organization care about it? It is at your individual risk you
are doing it. Yeah, that is true but the organization should take an effort from its side to
block the sites. Yeah, so the point is, the organization can make a claim in the code that
it is individual's fault, if there is a policy. Based on what are you saying? Well, it is
understood, it is there in the law.

No, do you have a policy which clearly suggests that the access to internet is for work
and employees are not allowed to access any site which is prevented by law ? That is a

114
policy. There should be clear policy statement, then say well, here is our policy and this
individual has violated the policy. Then it becomes a stronger argument plus policy
implementation. One is to frame policy, other is policy should also be implemented. And
the organization also has to take due care in implementing the policy.

That is where your argument becomes valid. Well, block the sites which are not supposed
to be accessed by law, Then your argument becomes more strong by saying that well, we
have done due diligence in our firewalls, these sites cannot be accessed. But the problem
is, there can still be sites which come up every day you may not be updated that some
sites can still be bad sites which people access but then you have policy. It becomes policy
violation. So therefore, a policy, a cyber security policy should be in line with the law of
the land and it should have provision to, if you give internet resources or cyber resources
to employees, the policy should ensure that it is used in accordance with the law of the
land.

That is organization's responsibility. That is one thing to keep in mind. Are we following
the law? Have we, do we have all the clauses to ensure that laws are not contradicted or
confounded as in the case of Enron, where they had a very convenient policy, which is
not acceptable. So, it should be able to stand up in court, that is the consideration. So,
you may work tomorrow on policy, on you know it may not be cyber security, any policy.
A key principle is do not contradict the law and it should stand up in the court tomorrow.

So, you should be aware of providing laws and regulations related to the topic. And it
should be properly supported and administered as we said, you know the firewall should
actually not allow access to those sites. And policy should encourage, this is the negative
side and policy should actually encourage success of the organization or in attaining the
objectives of the organization. So one thing can be to block access to internet, then how
do you work? So you have to give access or you have to tap the potential of digital
technologies as the government said, at the same time without compromising privacy,
You know, that is a big call. So that is why we see you know that it is a never ending
debate to form policies on privacy.

And involve end users of information systems in policy formulation. Well, this gives a
picture of where policies and you can see that in this, a policy is in the outer side circle,
meaning that policy is referred in all the cyber asset related activities of the organization
right from networks, individual systems and then specific applications. So, policy is a
binding document.

115
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 05
Lecture: 14

And to understand related concepts, concepts that are related to policy. For example,
there is policy and then there is procedure. And policy and procedure are different. So
that is what this slide illustrates, policy, standards, procedures and guidelines. I would say
standards and procedures are the next level of policy. Policy is broader.

Policy is abstract. Policy relates to the strategic purpose of the organization and also
ensures that the organization achieves its objectives without compromising on law and
freedom of individuals etc. So, it is a very broader philosophical level statement, where,
in standards actually provide you more details of how the policy would be enacted or
implemented. It is the next level.

And it will always refer to the policy. It will can be very strict on cyber security. It can
be moderately strict, based on how the policy is formed. I can give an example. Today,
we will be uploading certain policies of, cyber security policies of certain organization
from different domains on your module.

We do not have time to present different policies, but refer to those documents. It will
give you a picture of how policies are different, say in healthcare and education. The
priorities would be very different. So, that also depends on the sensitivity of information
and data that needs to be protected. But in India, I can say the cyber security policy of an
academic institution may not be as strict as that of a healthcare organization.

But if you go to the West, say I showed you the document related to Carnegie Mellon
yesterday, how detailed it is, because privacy concerns differ across cultures and
countries. And therefore, the law is also different. So therefore, it may get stricter in future
in all domains, but it differs across domains. Standards are the next level of documents.
I deviated a bit.

And procedures and guidelines are documents that implement the standards, drawn from
policies. And as we saw previously, policy is a document that needs to be implemented
at the end, as management guidelines and technical implementations. So at the granular
level, if you say that the employees should be able to access legitimate sites, but they
should not be accessing sites which are prohibited by law, that is a policy statement. Now

116
at the procedural level, firewall configuration rules. That is a procedure.

How your firewall is configured. That is the technical procedure. So you can see policy
has laid down importance on some aspects. The procedure becomes something that
implements that particular aspect of policy. So that is how you differentiate between
policy standards, procedures and guidelines.

And it also requires that policy is disseminated or policy is communicated to the

employees of the organization. Policy is not something that you frame and keep in a
master document in the corporate office. And employees have no clue about it. That is
not policy. Policy documents should be disseminated or policy should be made known to
the individuals.

And you know, so when you join any organization, of course you read, you get a
document on the code of conduct. Some organizations do, some organizations do not do.
If you join a TATA, any TATA company, there is something called TATA code of
conduct, which is framed by TATAs and organizations, you know, in the beginning. So
if you join TCS for example, there is a code of conduct. And it is mandatory for you to
actually know, what is the code of conduct.

But in certain other organizations, there is no such document as code of conduct which
is drawn from the policy. Let me not mention which are those organizations, but it can
happen. So policy dissemination is the responsibility of the top management. And
particularly in the domain of cyber security, there is something known as SETA, S E T A.
S E T A stands for Security Education Training and Awareness.

You may come across this terminology in cyber security related documents. SETA is
Security Education Training and Awareness. What you are going through now is the E,
Security Education. It is a full course that you are doing on cyber security. You are
learning fundamental concepts.

You are going through certain theoretical concepts, I would say. But we see what you
learn in the course is much more than how to do things, which is what training does. So
it immediately prepares you, prepares you for certain practice. But there should also be
long term education imparted on people, especially employees and also awareness. So
that is where the drills, the mock-ups and so many things periodically is done to make
people aware, particularly about new developments.

So if you are in an organization and if there is no security awareness programs, you and
if you have a lot of cyber assets and if you are in a particularly in a new organization, like

117
the iPremier, keep in mind it is your responsibility also to ask for it. What are the cyber
assets we have and what are the policies here and do we know everything. There should
be periodic training and awareness programs initiated by the organization. If not, at some
point you may also be running for your job. Because in a place where there is no clear
policy and practice of cyber security when things go wrong, you know, it can shake up
the whole organization.

So I think we are going to the next level in understanding what is policy, what is standard
and what are cyber security practices, which is the implementation aspect. So policy, by
nature is a long term document. You do not change a policy every day. It is not an
operational document.

It is not a procedure. It is a reference document. It is a master document and it should

not be changing frequently. There are other documents that can change. For example, if
you, if some aspect of regulation is updated, for example, if our personal data protection
act becomes a law and it suggests that a cyber incident should be reported within 24 hours.

GDPR says it is 72 hours. It changes to 24 hours. You do not have to change the policy.
You have to change, well, the standard related to compliance. Because policy will say,
state that the organization should comply with the law of the land.

It is a broad statement. How you comply, is a specific detail which will come in the
standard and procedures. So therefore what I am saying is, compliance to law is insisted
in the policy. That does not have to change. Details can change, in terms of the subsequent
documents. Now policy is having three dimensions or I would say it is a, you can see it
as a hierarchy.

The first, the top document is the Enterprise Information Security Program Policy known
as EISP. Now the second level is the Issue Specific Information Security Policies known
as ISSP. And System Specific Information Security Policy or SysSP is the last level. At
a higher level, at the enterprise level, the organization says employees will be provided
electronic mail communication facility. And it should be used in accordance, with the
procedures and guidelines.

That is a policy statement. At the next level, at the issue specific information security
policies there should be a detailed policy on email, email use. What are the policies at
the next level, pertaining to the issue of email communication ? For example, how much
storage space you get. And what kind of emails you can send and receive in a, in a
organizational email account. Generally you are not supposed to use it for personal
communications. It is for professional communication.

118
 So these are actually guidelines that comes at the issue level, the next level. And the
third level is System Specific Information Security Policies. This is the implementation
stage. The institute says you can have up till 5 GB storage. Well, at the time of
configuration, the server it will be configured as 5 GB and you cannot exceed 5 GB.

That is the third level of issue, system specific information security policies which
becomes the rules, which are configured technically and for which guidelines are given.
So policy operates at three levels, at the enterprise level which is the highest level, which
is related to the organization strategy, mission and vision. Issue specific is about, you
know, it takes into account the various technologies that the organization has and issues
related to that. So the second can also be called the technology philosophy of the
organization. It could be about electronic communications, it could be about, it could be
about file storage, it could be about cloud, it could be about various other aspects of
technology that the organization uses.

So it is at the technology level. And third is it at the configuration level. So this is a broad
purview of policy. Now I have already explained this. So EISP or Enterprise Information
Security Policy or EISP sets strategic direction, scope, tone, tone is also important, the
choice of words. How important something is, how light something is, depends on the
choice of words.

Most important or critical, you know, if you use those words, you have to keep in mind
that well, it is a very critical thing. Or if somebody says our organization gives due
importance, that is a bit subject to interpretation, what is due? It is a bit subjective and
that is where actually you bring in words and English vocabulary is so wide. So you can
actually choose words in such a way that it communicates what is the priority that you
gave to certain areas and what is the less priority possibly you may give to certain other
areas. And you have already seen that if you give top priority to something, you are
committing resources, you are committing money, you are willing to pay the cost that is
required to implement it. Assigns responsibilities for various areas of information security
and guides development, implementation and management requirements for information
security program.

So policy is a document, but policy is also a plan or it is a basis to plan the subsequent
activities, choice of technologies and implementation of technologies. So if you ask the
question, what is the TOC, Table of Content of a EISP, broadly it will have the sections -
statement of purpose. What is your purpose? When you read a policy probably this is
the first thing come, what are you trying to achieve through this? And that is what is
connected to the objective of the organization. And what do you mean by information

119
security? Are you covering only data information or is it a broader level like cyber
security? What is in scope? Does it involve people or it is only about databases? So you
have to actually make the inclusion, exclusion statement very clearly in terms of
definitions because it is a reference document. You will see that detailed definitions of
terms in the EISP because that is where you clearly say, what do you mean and what is
the scope etc.

And of course, need for cyber security as to why this due attention is paid and who, what
are the roles related to it? For example, do you have a CISP, Chief Information Security
Officer, CISO, sorry. Is there a post of CISO? Keep in mind hiring a CISO is a, it is a
costly position, there is salary involved. So hiring such expertise is a cost to the
organization and then there should be a subsequent organization, a sub organization. So
that is a investment in people resources. Is the company committed to that? If not, you
do not mention that in the policy document.

You may look at the, you may search for a policy document of IIT Madras. Is there a
CISO job or not? Possibly you will not find, at the moment. We have not realized the
need for it. But go to Apollo Tyres, sorry Apollo hospitals and see what is the cyber
security structure they have. They have a CIO, CISO, they have everything which is
required to professionally manage the cyber security of that organization.

Refer to some of the policy documents which we are going to upload. You will find this.
And reference information technology standards and guidelines. For example, if you are
going to follow an NIST or ISO standard, then you can actually give a reference to that
in the EISP, but not the details. Then comes the next level, which is the issue specific
security policy or ISSP.

Keep in mind EISP, ISSP, SysSP. SP standing for security policy. These are standard
terminologies, conceptually standard terminologies. A textbook for example or research
papers may all use these terms. But there could be variations in terms of these roles and
their labeling in organizations. So, somebody may call the top person in cyber security, a
Director - Cyber Security.

Somebody is not well informed for example, but you need someone to head this. They
have not gone through security training. The top management has not got cyber security
training. So they may give more other terms.

So there is Director - IT, in several organizations. So that may not be the right thing,
which is generally accepted. It is a CIO. So you may, my point is, these documents may
be titled differently, but in a more generic sense or conceptually correct sense, it is the

120
next level of cyber security policy is the issue specific security policy, which provides
detailed targeted guidance to instruct organization, to secure use of technology systems.
So as I said, ISSP is the technology level. EISP is more into the organization and the cyber
assets.

Here you do not refer to the organizational priorities etc, in the ISSP. Well, email use or
cloud use etc. It refers to technologies and lay down clear guidance on the use of
technologies. That is what issue specific cyber security is. And also it gives guidance on
how these systems are controlled, monitored etc.

For example, malware detection and if there is an, if somebody accesses a site which is
not legal, the firewall can actually detect that and it can also detect from which machine
the accesses happened etc. So there is monitoring involved, which the employee should
know in a document. And the third aspect is what I have highlighted. It serves to indemnify
the organization against liability.

So Indemnification is a legal term. Are you familiar with this term "Indemnify"? What
do you mean by indemnification? Protect yourself from what? Indemnify would mean to
absolve someone of the responsibility - absolve someone of responsibility. So, do you
think in an IT industry, in an IT organization, should the organization indemnify
employees by policy? For example, if someone makes illegal access to a site, should the
employee be indemnified? Depends on the intention. Okay. Intention of whom? The
employee. Can you elaborate that? But what intention would be right and what would
be wrong? Intention actually, with what intention he was trying to do that.

Okay. Whether that was wrong or in the right sense. Okay. Part of the duty. I can give
an example, you validated. Suppose an employee accesses a illegal site, by mistake. For
example, there is a spam mail, where you get a lot of junk and out of curiosity you just
clicked on something and it took you to a site which is illegal. It is actually a, it is not by
intention that employee went there, but it is by mistake.

But of course, there should be evidence for that, but you can always. So in such cases an
employee should be indemnified. Like it also depends whether that was a normal
negligence or a gross negligence because now gross negligence will obviously. Yeah,
yeah. That is something which is repeatedly happening or it is a standalone incident.

Yeah, so there can be events where employees need to be protected. But here it is talking
about indemnifying the organization. The policy should be such that it protects the
organization. Tomorrow, an employee does something wrong and the court should not be
drawn to the court.

121
 The employee should defend oneself. That is actually a problem, sometimes. See in
certain professions, IT we can actually debate because it is employee's fault and so on.
But in certain professions, if an employee is not indemnified, people will not go for that
job. Because there can be more frequent legal issues in certain professions. And certain
professions by nature, you may take risk and do certain things.

A good example is the medical profession. In medical profession, doctors treat patients
and the patient's status would be very different. Some have come with prior serious
medical problems and the doctors sometimes have to try out different medicines because
something is not working. Of course, they take consent of relatives before doing such
critical things. But in certain cases, despite in normal course of treatment also, it may not
be doctor's negligence but patients can actually respond and die. And see in such cases, if
the doctor has to go to court, then the profession becomes very uninteresting.

So that is why in medical practice, the doctors are indemnified. It is the hospital that
fights for the cases. So indemnification from such consequences is important for
employees, not for organizations in such cases. The healthcare system protects its doctors.
But in certain other cases, the organization would indemnify itself.

That is what we see here. Because the patients, sorry, it is not the patients but the
employees can actually misuse or abuse resources and that is the more likely thing to
happen. So issue specific security policy also have indemnifying clauses. That is where
it helps you in the legal fight, often times. So examples of ISSP issues and topics here
for you to develop better understanding. It is a statement on the organization's position on
an issue and the issues and topics could be like the emails, worldwide web, the policy on
worms and viruses, hacking, testing of organization on security, to what extent you can
go and you should not go.

And now a policy that is still evolving is work from home. Post pandemic, there is the
work from home arrangement and also bring your own device. Using your own devices,
sitting at your home, you will be accessing the resources of the organization. And
generally it is reported that, when employee is not in the, within the walls of the
organization, when you are the there is, when you are elsewhere in your own place of
comfort, there is some sort of absence of a perception of a guardian, you know, the place
of work serves as a sort of there is some guardian out there, somebody is watching, you
know. So in the absence of that, the likelihood of commission of non-compliance is
potentially high.

So these policies are still evolving. So one is you have to allow work from home, bring

122
your own device. At the same time, it should not work against the interest of the
organization. So this is actually a policy situation, policy reframing situation. So
components of the ISSP again, there will be statement of purpose. And as I said, this will
be more based on different technologies, different issues.

It gets into that details, for example, prohibited use, systems of management, monitoring,
physical security, encryption, all these will be detailed in the ISSP. Issue specific systems,
sorry, issue specific security policy, violations of policy, policy review and modification
and limitations of liability, indemnification, etc. So it is a very detailed legal document
because this is also a document that you use, to defend the organization in case of
violations. And the third is the stage, when you come to the implementation stage.

And that is known as system specific policy. Policy should be stated, policy education
should be given or should be disseminated and policy should also be implemented. Or
you have to create enabling situations. You cannot tell in the court that we have stated in
the policy clearly that an employee should not do this or do that or access this or access
that, but your firewall is allowing everything to go in. That actually becomes problematic.

So therefore, there should be two aspects to SysSP. One is the management guidance,
other is the technical specification. Management guidance is like a procedure document.
How you configure your firewall ? For example, that is a guidance document or a
procedural document. And what is the configuration document actually, that is the
physical or technical configuration. And management guidance document basically is
generated to ensure the CIA, confidentiality, integrity and availability within the purview
of the policy and law.

And for example, who accesses. So there is something called access control list or ACL,
which is implemented at the technical level in computers, say in Windows or in your iOS
machines, the access control list is something that is configured. So different levels of
access and privileges. So the technical specs basically operates in two levels, broadly as
ACL or access control list and configuration rules. I will just give you some screenshots
as examples of this because this is the detail of technical spec. So access control list is
nothing, but certain roles and what documents that role can access.

So it is a detailed mapping of roles and access privileges. For example, who can access
a particular file. So there is a file which falls into a particular category and then each user
belongs to a particular category. So that category mapping on, between resources and
people is the ACL broadly. ACL actually in detail lays down who can access the system,
what otherwise the users can access.

123
 So we discussed this earlier when we discussed CIA. When they can access , you can
set timelines also. When access is prohibited. For example, in some institutions you
cannot access internet in the night. And in IIT there is no restriction, I believe. Where
otherwise users can access the system, is it from the organization or outside, whether it
is a LAN or open anywhere.

How the access can be done and so, for example, biometric versus password access as a
simple example and what are those resources. And what are the access privileges, can
you read only or can you write, can you create, for example, can you create a new table
in a database or can you just write a query, modify, delete, compare, copy etc. So this is
all part of the ACL and ACL is very detailed in terms of its implementation. This is the
windows XP ACLs, just as a small example. On the left side you see different roles, from
administrators to backup operators, guest network configuration group, power users and
so on and what are their privileges.

Configuration rules - One is the ACL, other is the configuration rule. Configuration rules
actually finally implements the rules, that are stipulated in the ISSP and in the
management guidance that we have seen. Here is an example. The firewall configuration
rule. Simple thing, which are the sites which can access the internal resources of IIT
Madras that is and which sites cannot or which are the sites a user from the institute can
access, outside. All this traffic flows through the firewall and once you set this rule -
accessible, not accessible, those sites will be blocked.

The rule is embedded within our firewall, within our system. So we control the flow of
information through specific configuration rules like this. Some of you may be familiar
with this, you may have actually seen firewall configuration. This is a technical job.

I do not claim expertise here. This is basically awareness as to what they do. Doing this
is a more detailed activity. IDS configuration rules. Intrusion detection systems are
systems that prevent intrusion and keep in mind, IDS and firewall are two technologies
that actually are deployed to control access. A firewall is something that can prevent
access to and from, the system.

You cannot access outside, others cannot access inside. Both the rules can be
implemented. So it prevents, it is preventive , it is protective. An IDS is only detection.
It is a detection system.

It is an alarming system. Some access has happened, it does not prevent. So that is the
level at which these systems work generally. So both are different.

124
 One is for detection, other is for prevention. All right. So that is about my class. Do
you have any questions on policy? So we have traversed from policy at a top level to a
ground level. We touched the tyre in terms of firewall configuration or IDS configuration
as sort of examples to understand how policy is formulated and translated into issues and
then finally implemented at system level, at procedural level etc. So now we will discuss
an article which was published as a series in Harvard Business Review.

So the first in the series is about Internet security and Internet insecurity. Good. It is not
about security but it is about insecurity. So let us listen to the third group who is going to
present this. Thank you.

125
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 05
Lecture: 15

Good afternoon all. Today we, members of group 3 are going to present an article that
was published on HBR, which is based on internet insecurity. This article basically
discusses a new approach apart from the traditional approach, a new approach how we can
prevent cyber attacks, a new approach of cyber defence apart from spending on cyber
intensive resources. So we will first present our key statistics that says that there has been
a growing trend of increasing cyber attack over the years. It shows that in many areas like
USA, North America, Latin America as compared to 2021 there has been a certain jump
in cyber attacks in 2022 and the most attacked industries in 2022 has been government
sectors, healthcare sector, education sector and specifically critical infrastructures. The
global volume of cyber attacks in Q4 in the year 2022 has been an average, on an average
basis, weekly it has been 1168, which is really a staggering figure.

So the question that the article asks is whether investing in latest cyber defence guarantee
a success in preventing malware attacks and it argues that no amount of spending on
defences will actually, can actually protect us or guarantees that it will shield us from
cyber attacks and so it introduces to us a new approach and over the, over our presentation
over the course of our presentation, we will see what will be the new approach. So as we
see that over the years starting from 2021 there has been an increase in global cyber
security spending. By 2025, it is projected to touch 460 billion dollars and over the years
it has been increasing at an average rate of 15%. This research was done by Kasper Sky,
which revealed that in the year 2022 the expenditure on cyber resources is going to exceed
the 300 billion dollar mark and the cumulative spending from 2021 to 2025 is going to
touch 1.

5 trillion dollar. So now let us focus, what are critical infrastructures, what are the sectors
that come under critical infrastructures and how they are becoming more and more
complex over the years. Now the energy sector, the power generating plants, the
telecommunication sector, some manufacturing sector which are critical, apart from the
transportation sector, water treatments, all these come under critical infrastructures. Now
let us see why the complexity is growing. Earlier all these sectors were decoupled, they
were not dependent upon each other but due to over dependence on power, maybe even
in the transportation sector we have battery driven, so for charging these battery driven
vehicles we need charging stations which are connected to the grid as an example.

126
 Even the telecommunication sector is being related, being connected with the energy
generating units, smart grids and all. So this has been, this all this critical infrastructure
like generation distribution is becoming more complex because they are now a network
of connected device, They are forming a grid. So even if one of the critical infrastructure
fails that can lead to a devastating chain reaction and the entire system can fail. Some of
the news articles that we found, like regarding the cyber attacks that has happened over
the years on critical infrastructure specifically in Saudi on Saudi Aramco, then some
nuclear attacks on South Korean nuclear plant. Again the Chinese are targeting our Indian
power grid, they are developing some malware named as RedEcho, Ukrainian power grid
was also attacked.

So we will see some of them. An example can be Saudi Aramco, which is one of the
largest oil generating companies in Saudi Arabia and from 2012 itself there has been
multiple attacks, like in 2012 there has been one phenomena, one virus name as Shamoon
that stole all the passwords that attacked specifically more than 35000 systems, wiped
entire data, stole passwords and even they prevented the computers from rebooting. There
was a lot of outage in the system and even the system took 2 to 3 weeks to restart. So
there was a lot of financial impact. Apart from that even in the 2017, a malicious software
attack happened which targeted the safety controller system.

The safety system was compromised and it stopped working so it led to an entire
shutdown of the system. Again in the 2021, in July what happened that again, it fell victim
to an extortionist attempt where the data, sensitive data of the company got leaked by one
of their third party contractors and the hackers demanded a whopping 50 million dollar to
get the data deleted. Now apart from this refineries and all, we see that the power grids
that are also facing some cyber attacks, sophisticated cyber attacks. Recently, on April
2022, when the Russia Ukraine war was going on, the Ukrainian government said that it
just had a narrow escape from the cyber attack which was led by the Russian agencies,
Russian spy agencies where they targeted some of the largest energy generating companies
of Ukraine and they tried to trigger a blackout by stopping the grids and it was done, it
was the effort was done or the intention was to, you know, if you induce a blackout, the
invasion would have been softer and easier. So obviously they were lucky to escape.

So now coming to the fact that there is a tradeoff of capability versus vulnerability when
the digital transformation is considered. As we have seen that in the industrial control
system there is a rapid digitalization application of IOT, AI-ML, Cloud technologies have
made the decision making entirely very fast and efficient and in the age of high end
companies it has become really indispensable all these technologies and nowadays the
industries are also dealing with terabytes of data on a regular basis, so this is making the

127
entire system very fragile. As we know data is a new one, so all the decision making
everything is being driven by the data and that is why there are many vulnerabilities that
we need to address. Now the next part will be addressed by my friend where the growing
vulnerabilities and the techniques that we need to devise to deal with those things, will
be discussed by my friend Lokesh. Thank you, Sir.

Now the thing is, does fast pace of digital transformation requires increased security ?
Why now, the question comes? Because nowadays the use of digital transformation and
their growth is more. There could be many reasons and COVID is also one of the reason
and that digital transformation is happening at a faster pace. Whatever may be the
company, whether it is an organization or industry they are moving towards more, towards
digital aspects so that they could remain in the competition, so that they could get better
and effective decisions and employees need modern tools to be effective. The things
means we could see automation, IoT, cloud computing they are using, organizations are
using extensive, but the thing is, so we are moving more towards digital aspects. So does
it requires, the question is does it requires more increased cyber security or will the
reliance on cyber security got reduced? Now the question is.

But when we got into facts, it gives the result that as we are go as the digital
transformation is happening at a faster pace, vulnerabilities are also growing. For example,
we are using a complex hardware, you know the technologies are coming so that complex
hardware and software tools are using. So in order to enhance the capabilities in the same
way, vulnerabilities are also increasing at the same rate. For example, vendors even also
do not know what they are, means what are the vulnerabilities associated with the design
of new hardware and software tools. When they are exploited means, when they are
attacked by some threats they are getting, you know, for example information systems of
the US companies they even, they are using some advanced information systems, so in
order to detect the threat itself, they are taking more than 200 day, 200 days on an average.

In some of the cases, they are being notified by some third parties. Here the issue is,
every company or organization looking for fast and better solutions, reduction of human
errors and reducing the cost. But the thing is they are welcoming the other end of risk,
like cyber risk means they are investing in new technologies, reducing the cost of
employees, labor cost, everything dependence on the human and everything. But again
they are investing in returns in cyber security means again they are driving up the cost.
This is happening with the invention of, means with the fast growing of digital
transformation.

So what else could be done, means when there are any problems, we will implement
some checks some proper checks in order to handle such situations. One is hygiene.

128
Hygiene means generally we suppose people , some people used to go to doctor in order
to regularly check their health and during COVID times we used to sanitize very
frequently. All these things we used to do in order to protect ourselves from the disease.
In the same way we have a concept called cyber hygiene where the organizations or the
companies use in order to check the security of data, users, networks, everything.

But these are some benefits but the, how it is assessed means there is an advanced
performance monitoring solution that can scan the entire IT environment of a company.
So it will scan means what are the assets available, what are the vulnerabilities associated
with that assets, and it will provide a performance scorecard whether it is critical or low,
medium or high. Why we are doing these things is, just to keep the bar against the hacker
or the threat so that they could not peep into the company's network or the organisation
network Some of the regular approaches of cyber hygiene is deploying the latest software
and hardware tools, regularly training the employees in order to avoid and inspect the
issues and also separating the important information systems from the other networks.
Some of the practices at the organization level, from an IT perspective if we means
generally we have to change the passwords every month and it should be very complex
and means we cannot use the password in a simple manner, it should contain special
characters, like that, if we talk with respect to the passwords and installing new security
patches periodically and if we, there are zones everything means, we cannot get access to
entire means, every aspect in an organization. It got limited to only some of the users but
doing so means investing millions of rupees but millions of amount, it does not solve the
problem because nowadays hackers are more, they are more conscious and a targeted we
cannot escape from a targeted attack that is one of the reason.

Another reason is we cannot create comprehensive inventory of the company's hardware

and software assets, in case of asset intensive industries such as a transportation, energy
etc. And one more limitation is, if there are suppose, if we consider a large power station
there are more substations, they are widely dispersed, in such cases if we are rolling down
any upgrades in one system, suppose if there is a, if the hacker got into, entered into that
network then it as said by Sayan, entire grid can be collapsed at a time, that that could
also be a possibility. So after seeing all these limitations, we can see that how much you
invest in technology or in resources everything, we cannot avoid the attacks. So the only
means, one of the solution that, that is available is reducing the dependency on digital
aspects, means moving away from digital aspects to some other means, some sensitive
systems we can completely reduce the reliance on the digital aspects, that that can be
explained in the next slides by Vijay. So we get back to the article in question and this
article, HBR article was written by actually Andrew Bochman and basically from the
headline of the title itself it goes in a different direction it says that it is not cyber security,
it is cyber insecurity.

129
 So as previously explained by Sayan and Lokesh that the aim is that, ultimately that you
have to reduce your dependence upon the digital platforms and anything which is
connected to the internet. So in, towards this idea now this gentleman Andrew Bochman
or in short he is called Andy, now this guy works in the Idaho National Laboratory and
at the Idaho National Laboratory came up with a novel concept and they have been
working on it for a few years now and this different approach was that they said that firstly
you identify the most essential, the critical functions as which is likely to jeopardize the
entire operation of whichever sector one is in. You reduce and eliminate the digital
pathways which any attacker or any threat which is there, so you reduce those pathways,
you can not totally eliminate them but you reduce as much as possible and you shift away
from full reliance on the digital connectivity and keep contingency plans or build
redundancy in that, so that you the critical function continue, even if there is a attack. So
now this was the Idaho National Labs stepwise concept approach they basically devised
two basically frameworks the first framework they called as Consequence Driven Cyber
Informed Engineering or CCE in short and the other was a companion framework which
was developed which is called the Cyber Informed Engineering. So the difference was,
the Consequence Driven and the other was Cyber Informed Engineering.

Now though broadly, they are both the same but the level that which they have been
perceived to that they will deal, is different, which I shall be explain in subsequent slides
and as you can see on the view file that Andrew Bochman has been working in the INL
laboratories in here he is a senior grid strategist and they published a number of books
and this particular article refers to the book which is being shown on the view file. He is,
he has been providing guidance to not only US government but other governments and
industry leaders also. He is a ex-Airforce personnel and he was working in IBM and other
known companies also. So moving on, so just a short definition about the Cyber Informed
Engineering and the Consequence Driven Cyber Informed Engineering. So the
Consequence Driven Cyber Informed Engineering developed by the Idaho laboratories
the basic objective was that they wanted that the hierarchy should have a change in the
perception as they view cyber threat, not as a cyber security but rather see it as a cyber
insecurity.

No system which is connected to the digital platform is secure, no matter how many
firewalls we build, no matter what our protection detection system. So the aim was to
build in redundancy that even if there is an attack if your critical functions continue to
function in the way they are supposed to. So how do we do that? So we will come to that,
the next framework associated with that at a slightly lower level is the Cyber Informed
Engineering. So the difference being the Consequence Driven and this was a companion
framework developed by the same laboratories, as I said it is similar to the Consequence

130
Driven Informed Engineering in many respects. The objective over here was that when a
system is being designed especially in the industrial digital platforms, the cyber risk
mitigation factors or aspects should be integrated right from the conceptual stage itself.

Now we design a boiler or a big platform thereafter it is connected to the digital grade
controlling system thereafter we think about securing it with various cyber assets. But the
CCE says, as an engineer, when we think, when we conceptualize something is required
some problem needs solving, try to figure the cyber aspect beforehand only in the concept
in the design phase and in the production phase itself. So that it saves a lot of time and it
is much better secured and the redundancy is built in when it is brought online in any
domain. So from the engineers perspective, this was a challenge because you have to
understand the impact of cyber attacks across the entire product or the program life cycle
of whatever you are building. And as the cyber threats, they keep on evolving, they impact
the design, the development, deployment or the program life cycle of whatever and
operational phases of all stages of a system it can affect at any stage.

So wherever you find the loop, the cyber threat might manifest itself. So the CCE and
the CIE processes basically teach to heed and incorporate the cyber security aspect right
from the beginning itself. It basically says that you start incorporating the cyber aspect
from the engineering perspective right at the conceptual stage itself and that no system is
safe. It is not saying that you do away with automation, it says that you build in
redundancies you take care of the threat aspect well before and have contingency planning
or continuity planning or redundancy so that your critical functions continue to move on.
Now this, the implementation as suggested by the INL laboratories as given in the article
was that initially they were thinking that the CCE master plan they will be implemented
by the INL personnel and thereafter subsequently by INL trained personnel across,
through various service firms and the corporate hierarchy, it was aimed at the corporate
hierarchy basically, the those who are responsible for the regulatory compliance litigation
CEOs and CFOs and basically those critical supervisors or those people who are actually
overseeing the critical operational functionalities in any industrial sector, the safety
systems expert the operator, those who are going to be the first responders to any kind of
malfunction or any issue which is there in the plant.

So the process was basically, the first process was a four step process as shown on the
view file- the phase one was, as we said the critical word over here is the consequence
driven. So the consequence driven is what is the ultimate the greatest loss or most critical
function in my domain or my responsibility which is likely to jeopardize the entire setup
or the entire business or the entire goal of my firm. So that basically that would be the
consequence and that would be the priority in a CCE This should be targeted, that this
should not shut down in the event of a cyber attack. So that becomes your consequence

131
prioritization. Now in order to do that, you carry out a system wide analysis.

In that system wide analysis, you are basically looking at what are the pathways which
are coming to this, which may result in this particular consequence and from that you
carry out, that okay, these are the pathways and how these pathways will be targeted,
through what all means and through what all people, where would they be located. So
you carry out analysis like that and finally once you have carried out an appraisal from
the first step to the third step, you come to the final step that having based, that this is my
consequence, these are the key system, key pathways from where they are going to attack
and these are the kind of people or the targets which they would like to attack and they
will be likely located over here they will be looking for this thing, you come to, then you
come to the mitigation and the protection measures, which you would like to implement
and that basically says that, get back to or at least incorporate some kind of analog or
disconnect from the digitalization, not totally but as far as possible, so that you critical
functions continue to move on. So as shown in the article the same processes, identify
the Crown Jewel, that is the main function, you map the digital terrain through which the
people are likely to approach you or carry out their threat and then you eliminate the
likely attack paths through to reach that consequence by the cyber adversary and you
generate the options or mitigation measures to thwart those actions. So these are the
recommendations which are given in the article and the article suggests that firstly you
need to learn to think from the adversaries point of view. So you have to take a very
neutral view and think from the cyber attacker's point of view as to where they would
like to attack your institution or firm or whichever domain you are in.

So for that, you have to wargame that scenario, you have to sit across the critical people,
the people responsible for risk mitigation, the expert the supervisors and then you have to
take an opinion from each one of them what do you think is the most critical in your
domain, what do you think is the most critical and there it will lead you to a one main
critical factor or few critical factors which are likely to jeopardize your company and
there one you will get your consequence, your prioritization, you will get. So not
withstandingly constantly high levels of cyber hygiene as was mentioned by Lokesh you
can have all levels of cyber hygiene but when a determined attacker is there, as given in
the article, no matter of what sort of security we take, it is only going to prevent those
10-15% of the attacks and a dedicated attacker who has got the resources will eventually
get through your system, that is how the digital platforms work, there is vulnerability and
there is also help also or the facility also but vulnerability also exists. So employees need
to be aware, a cyber safety culture has to be there, and so that you are able to recognize
whenever such a threat has started manifesting itself, which can manifest itself in any
manner like a small glitch, a small trip somewhere, so that particular person who will be
the first responder has to know okay, now it has started if you, if you do not do that, you

132
will reach that it will finally affect your critical system, then it might be too late and that
is why this CCE is designed that even once that thing has happened you can go back to,
you can go back to activating your redundancy or contingency which you had built in the
system. So what kind of contingency planning, you have to support your critical
functioning you have to war game and go on to what is my critical functions you have to
maintain that continuity as we discussed as far as possible maintain a air gap network,
especially from the internet and your redundant system, it should not happen that again is
connected to the digital platform or to the internet. So you, one system has been attacked
and your redundancy platforms are also being attacked so your contingency plan will fail
over there only, so this aspect has to be looked at and thereafter the article says that, what
is the requirement of this, basically because traditionally, when the engineering goes from
the conceptual stage nobody pays much attention, the curriculum does not include the
cyber aspects and the cyber aspects is an afterthought as we discussed before that people
think about it at a later stage once everything has been installed okay, we will put a
firewall, we will put an intrusion detection now that the thing has been connected, we
will do, take all these things and now it will be secure but it does not work like that and
engineers it says, that engineers know their job very well, they know that we are an
engineer we have to weed out all these problems so that is there in the systems which
they design, conceptualize design and produce but the cyber aspect also needs to be known
by the engineers and when they are designing anything they should be made aware to
incorporate this aspect also, as far as possible and why this is there is, because therefore
there is as far as definition is concerned of this that the awareness of the security
challenges in the operating digital and non-digital industries is very less and the INL says
that this is a philosophy and not some kind of step by step process, so it is a philosophy
that everyone must imbibe, that this cyber aspects have to be taken care of well at the
conceptual stage itself and their objective they say that is the promulgation of a strategy
to learn and view cyber like any other modes of failure it is also a mode of failure which
an engineer, while designing the system should say, there are many other modes of failure
but he should also figure that cyber attack is also or can also be one of the modes of failure
and I should figure it in my plans well in advance.

So this initially as I was telling that, the main difference between the consequence driven
and the cyber informed engineering, if you see the second part they are both the same so
what makes it different, what makes it different is, if you see to the left top of the slide,
the consequence driven basically is carried out at a very higher level, that is the national
security level events by a well organized state sponsored or person people with lot of
resources and all, at a lower stage, cyber physical attacks or targeted IS attacks is what
the cyber informed engineering says that it will deal with at a higher level, at a more
broader level it is the Consequence Driven Cyber Informed Engineering which says that
it has been designed to take care of those kind of threats. So to conclude, as the article

133
says that these are the things which we must keep in mind, cyber attack vulnerability, all
organizations which are dependent on digital technologies are vulnerable to an attack and
can be attacked, may be attacked and cyber adversaries are highly skilled and it is a field
or it is a domain wherein they are keeping, they are more updating themselves rapidly. So
you need to catch up. The strategy is, as far as this article and INL says as brought out in
the video also, they are saying that take a step backward, we are not saying that completely
shut down, take a step backward and backward in the sense, incorporate analog technology
so that you are away from what has affected you, that is the digital platform as far as
possible Continuity and survivability should be the goal of the firm and that is how we
should look at it, when we talk about Cyber Informed Engineering. Yes, cost wise an
analysis should be there and management has to be there and as brought out over there,
higher cost initially but the potentially devastating price of business as usual, it can lead
to disastrous consequences and for a penny, a pound might be lost, so well in advance
all these concepts, these thought processes should be incorporated by the people
responsible or looking after the respective domains.

That is all from our group over here. Thank you for the presentation. So it gives us an
introduction to the cyber security concerns in the modern era where the author said that
any system that is connected to the internet is not secure. So this is a very disturbing
statement and we have a case which is a sequel to what is discussed. So in that context
we will take this idea forward. Protecting the shader, that is the next case which is a
sequel to this so we will look at it from a more practical point of view and that is in the
next class. Thank you very much.

134
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 06
Lecture: 16

Good morning and welcome back to the sixth session of Cybersecurity and Privacy
course and today we are going to cover Risk Management. So the risk management as a
title looks like a very generic topic but in this session we are going to cover risk
management pertaining to cyber assets or its cyber risk management that we are going
to cover. So the management part of cybersecurity is the focus of this course and we
saw that when we have to manage assets efficiently we need planning. So planning is
the heart of management and we saw planning falls into two categories as far as
cybersecurity is concerned. One is the contingency planning, which we discussed
already and we also saw if there is no contingency planning procedures and structures in
place what happens to organizations, they are struck and they have a shock and they are
not prepared and there is huge losses and loss of reputation, loss of revenues and so on.
And that actually calls for contingency planning as to how you respond to incidents.

So it is a reactive aspect of cybersecurity management. The other aspect of planning is

planning to prevent occurrences of incidents. How do we prevent cybersecurity
incidents? It is not about reacting to incidents but it is about preventing. So protecting
the assets of the organization.

We also saw that in contingency planning, the analysis or the focus is business
processes. Business processes get affected, when there are cybersecurity attacks. So the
focus or the unit is actually business process. And today you will see that for the
purpose of risk management the unit is going to be, not business processes but assets. It
is assets that you need to protect.

So these are subtle differences between contingency planning and planning for risk
management, risk management. All right. So let us move on I think. So yeah, so to
introduce what is risk at a philosophical level we look at Sun Tzu. Sun Tzu is, of course,
the military philosopher of China who lived 500 years before Christ and who continues
to be a great influence not only for China but for strategy, military strategy.

And see the three classic statements that he makes. If you know the enemy and know
yourself, you need not fear the result of a hundred battles. Well, there is a difference
between what battle and war. If you know yourself but not the enemy, for every victory

135
gained you will also suffer a defeat. And if you know neither the enemy nor yourself,
you will succumb in every battle.

So there are two things that are highlighted here, know the enemy. So who is going,
who is, could be external, could be internal but in the case of cybersecurity. But there is
an enemy, there is an enemy, okay and know yourself. So these are the two aspects,
basically we are going to cover in risk management. Risk management is about what is
the nature of threats that you have from the environment, internal and external.

And what is it that you have to protect yourself from this, the protect yourself from the
enemy. Okay, so the word enemy actually makes a lot of sense. Somebody who is
aiming to hurt you or to sort of create losses for your business and so on in the case of
cybersecurity. So what is risk management? As I said it consists of two aspects,
knowing yourself and knowing yourself is in the specific case of cybersecurity is
knowing your assets. And knowing your preparation, your assets and your current
preparedness to protect against the enemy.

That is the knowing yourself part. And knowing the enemy is the intelligence about
the external threats that are potentially existing and could actually become an attack in
future. So the threat versus internal assets and your preparation. So that is what actually
we are going to cover in risk management. Essentially, risk management covers these
two aspects.

So risk management is the process of identifying, assessing and reducing risk facing an
organization. So there are three steps in risk management. First step is to identify. What
do you identify? Basically in risk management you identify, what are your assets that
needs to be protected. And you not only identify your assets, you also identify what are
the threats.

The threats and the assets. And then how well prepared you are. So that is the
assessment part. Identify them and then assess your preparedness or your assets
protection mechanism, current protection mechanism. And then you will find as a result
of this assessment process, you will find some gaps.

And how you close those gaps. And then there is a management decision as to how
much you want to invest, what are the options available etc. That is about reducing risk.
Look at the word used, it is about reducing risk. Sometimes you use the word
mitigation.

There is a difference between reducing and mitigating. So these are nuanced

136
differences, we will see that. But the purpose of risk management is not to eliminate
risk but to reduce risk. You have already told us in the world of internet, there is no 100
percent security. So if you use internet connected devices, there is no guarantee for
tomorrow.

Alright, so that is what we are trying to do. Identifying, assessing and reducing risk. I
think I used this diagram already to tell you threats, external as well as internal. And
what is an attack? An attack is an incident that happens through some residual or some
leftover vulnerability in the organization. And that is exploited and then it becomes an
incident.

And therefore the chance of that happening is actually your risk or a proper assessment
of what is the chance that a threat can become an attack and if that attack happens what
is the impact. So a risk is an overall assessment of that. So we will see that in the
coming discussion using different slides. Now today there is this term, attack surface
which may figure in some literature, not in your textbook. So attack surface is a good
visualization of threats and assets.

Threats and assets. If you see that there are two dimensions to an attack surface
sometimes also known as attack vector. They use the term vector also, attack vector,
attack surface also. So in talks, you can see people just keep using this kind of terms,
sometimes without meaning what it means. Whenever you hear the term vector, you
have to keep in mind that it is about a construct, something that consists of more than
one item. You know the difference between a scalar and a vector.

Speed is a scalar because it is only about speed. It does not talk about direction but
when you add direction, it becomes a vector because it is two dimensional. So in a
similar way you can see in attack surface, you do not just talk about threat alone. Threat
along with assets. It becomes more useful information.

So it becomes a vector. It has multiple dimensions to it. So the y axis is about the
different types of threats that exist and the x axis or the horizontal axis is about the
assets that your organization has. So every attack actually aims at some asset or some
asset gets affected and as a result of the asset gets , getting affected certain business
processes will get affected. So that is how this happens. So an attack vector, sorry an
attack surface actually enables a manager to visualize what threats did materialize or did
happen and what were the assets that were affected and in what sequence.

You can see the breach at Equifax is a case that we are going to discuss in a, after a few
sessions. So you will understand how severe and how varied the attacks were in terms

137
of the different hacks that were used and which actually resulted in data breach not one
or two, hundreds of millions of records of a credit bureau. Equifax is a credit bureau
which actually stores the credit card and a lot of credentials of individuals which were
stolen and that happened in 2017, not in 2000s when IT was evolving, a very recent, not
very old case. So that shock, that is another big shocking incident in the cyber world
and somebody has charted that attack surface in terms of the specific threats that
happened with unpatched vulnerability, misconfiguration, these were issues but which
were the assets that were affected correspondingly, that is what is shown here. Storage
was affected or probably routers was affected.

So you can see what was the sort of target that the hackers used. So it actually plots it
two dimensionally, known as attack surface. There is also the concept of residual risk
before we go to risk management, we should be clear about what is risk and what is
residual risk. Actually the purpose of risk management is to assess residual risk not
actually risk because every organization, any sensible organization will have some
mechanisms to protect its assets, at least there will be a security post, so that thieves do
not come in. So there will be certain built-in mechanisms to protect or safeguard your
assets.

So you can see in this bar graph, the bottom part is about amount of asset value
protected by safeguards. So there is some basic protection that is available to every asset
owned by a national or any organization which functions rationally. Look at Windows,
as an example. So many of you may be Windows operating system users. So Windows
operating systems come with certain basic protection.

There are built-in protection against vulnerabilities or against threats in a basic

operating system. Even if you do not install a firewall or antivirus software you still
have protection, built-in protection, that is the base. There is a base protection available
and in addition to that you know, there so, threats are that are very dynamic in nature.
So therefore in order to have more protection for your cyber assets you may choose to
install an antivirus software or a firewall etc. So that is the second level, amount of
threat reduced by safeguards additional safeguards that you put in.

That is your choice, how much you have invested in that. The third aspect that you can
see in this diagram is amount of vulnerability. So after protecting your system using the
basic base level protection and also additional protection that you give, there could still
be gaps. Those gaps are known as vulnerabilities. So vulnerabilities is something that in
cyber risk management, you act on.

That is for example, if you have not installed latest updates, Windows updates or

138
patches, you are vulnerable. That is a vulnerability, you can see that in many recent
attacks the patches were not installed, particularly in Windows and that is the
vulnerability that was exploited by hackers. So that is, but if you are updated, if you
actually update your system regularly and consistently with security patches, then you
are actually further reducing your risk. And even after these three levels of protection
that you put in place there is still this much of risk and this is known as residual risk.

Residue means leftover. So there is some risk that is leftover, which is the residual risk.
So the purpose of risk management, the first two stages, identifying and assessing risk
essentially is about assessing residual risk. You have assets, you have certain protection
mechanisms but what is the risk that is still existing, what is the residual risk ? That is
what you try to assess in a systematic manner in risk management process.

All right. Now about risk management. So this diagram illustrates the different steps
and phases, different phases and steps involved in risk management. So there are three
phases one, two and three. Three phases in risk management. The first phase is risk
identification. The second phase is risk assessment and third phase is risk control.

This is very logical -Identify, Assess and Manage or Control. So you cannot control
unless you know, you cannot manage unless you measure. So that is a management
principle. So therefore, the first phase in risk management is risk identification and
what are the steps involved in risk identification. This diagram gives you a sense of that
and that you can look at when you look at the different steps, you can see the first steps
corresponds to assets, what do you have.

So that is about your assets, know what you have. So that is about your assets and also,
you also look at threats and vulnerabilities. Identifying assets, identifying threats and
vulnerabilities. So that is the specific exercise in risk identification. You identify each
asset, cyber asset and identify the different threats that can actually impact the assets and
also look at current protection mechanisms and have, so based on that identify
vulnerabilities, identify existing vulnerabilities.

Risk assessment is the next phase and in that phase, you actually assess two important
measures and those are very important in the calculation of residual risk. One is called
loss frequency. The second is known as loss magnitude. Loss frequency and loss
magnitude. Once you are able to measure and compute them or estimate them I do not
say compute, you are able to estimate them, then you can calculate risk, here it is
essentially, it is residual risk, calculate risk.

So in our discussion we are referring to residual risk as risk. So you will see that the

139
formula for risk has two components in it, loss frequency and loss magnitude. The
effort in risk assessment process is to finally arrive at these two measures so that you
can have a quantitative assessment. A quantitative assessment of residual risk using
these two measures and you will see that loss frequency is related to probability. There
are n threats in the world, does not mean that all the threats would materialize or all the
threats are equally likely.

There is, there are probability scores associated with different risk. And also you have
your own protection mechanism. So a threat has to occur by passing through our
existing protection mechanism. So there is a likelihood of success also. So you can
imagine that there are, it is probability driven.

The threat is something that is driven by probability that is what you look at here,
when it comes to loss frequency. Loss magnitude is related to impact. Suppose an asset
gets attacked, then what is the loss involved? What is the loss magnitude? And there
are, so that loss magnitude can differ from asset to asset. There are certain assets which
are high valued and there are certain assets which are low value. And therefore say,
think of a e-commerce server, your company is purely running on running online and
the e-commerce server, suppose it is hacked or by some reason, there is a cyber attack
on it, your entire business stops.

So that value of that asset, it is not just about the cost of buying that asset but the value
of that asset for business is very high. So as compared to maybe some office PC which
is used for, you know, for much smaller scope of work, that its asset value need not, may
not be very high or it may be low to medium. So therefore loss magnitude is also a
function of the value of the asset. And then you can once you have these two parameters
estimated, you can actually calculate risk and risk acceptability. How the organization
wants to respond to this risk, residual risk is an organization's decision.

So therefore then, comes the risk control, select what are the options available how do
you justify the selection of a particular option and in organization, there has to be
financial justification. And how you do that and then, once you select a particular option
then monitor it, monitor and continue to do the assessment. This is a dynamic process
risk management is not something that stops at some point, it is not like strategic
planning which you do for five years and then close it, this is a very dynamic process.
And how dynamically it is being done, you know, you have to get feedback from
different industry types. You have a guest talk from industry, so you may shoot many of
these questions related to practice, to the person who is going to come in the next
session and do not reserve any questions for me.

140
 The first step is risk identification. Let us go through these steps and take some
example to understand how you can actually quantitatively, assess risk, cyber risk. So
risk identification is essentially knowing yourself in the, in terms of war strategy. What
do you know about yourself? Basically your assets. So any sensible organization which
is preparing to protect itself from cyber attacks should know what are the assets, the
organization has. And if you have worked in professional organization, you know that
every asset has a tag or a identifier.

Look at any asset. So I do not see any tag ID written on this but there will be an ID for
every asset, not in educational institutions necessarily. But our department DOMS has
asset tags and basically a tag is an identifier and along with that identifier, you will
have the complete descriptive information about that particular asset. So identification is
about knowing, what are the things that you have which needs to be protected. So you
can identify them, give an ID and also have a database, that is the best way to keep
asset information. And what are the different types of assets an organization can have,
in the context of cyber assets ? That is what is shown in this particular table.

You can see that the assets fall into six categories. Are people assets? People are
assets. Cyber bullying, Binod's research topic, probably evolving is actually an attack on
an individual. So an individual is an asset, if an individual in an organization is attacked
or bullied or if her or his information is stolen etc, this is nothing but a cyber attack on
an individual. So people are assets, procedures are assets, your policy is an asset and
your data, databases, they are assets. So organization should know what are the
different databases you have.

Software, hardware, networking components, all of them are actually assets, asset
categories. You can see these are asset categories and the table also describes what do
they do, what do they, what is the functional aspect of each of these categories typically.
So once, if you are doing this for the first time and if you are a small organization and
you want to do cyber security management first effort is well, these are the categories,
you have identify each asset and characterize them. So you can actually also gather
descriptive information about your hardware, software and network assets, the hard and
soft constituents of your IT system. And this depends also on the maturity of the IT,
maturity of the organization.

And as I said every asset will have certain asset characteristics or attributes. So when
you add an ID you know it is an you can imagine a database, so ID is like a primary key.
So you look at a say a software, so a software, an operating system has an ID and then
you can have different attributes of that particular asset stored in a database like the
name, IP address if it is applicable, MAC address as a type, serial number,

141
manufacturer so on and so forth. These are typical characteristics of IT assets. So
essentially we are talking about an asset database, asset identified, asset stored, asset
information stored in a database in a structured way.

So physical hardware and software assets, it is intuitive but you also need to identify
people procedures and data assets, people of course, the HR database, you have
employee ID or a roll number etc. There are procedures which also need to be
numbered, you know typically in a standard based system like the ISO, you have every
procedure, will have a ID. So and, so that enables an organization to keep its assets
systematically. Now yeah, so there are different types of assets for different asset
categories that is what this slide illustrates. People will have different attributes, for
example security clearance level, you know this is military language, what that means is
what is the level of access or what is the authority, we talked about authorization, you
know authentication and then authorization, what is the access level an individual has,
okay.

Has an individual, for example in military setting access to confidential documents or

secret documents or top secret documents, so this all is defined in the people asset
identification stage. So therefore when you access a particular individual you know
what is the level at which individual can access information, information assets. And
you can see alongside people you also see data, so data is one asset which people access
and therefore data also needs to be actually stored, data assets need to be stored with
respect to its different characteristics, like who is the owner, creator and what is the size
and where is it stored, is it online or offline and so on and so forth. And then like
procedures, who is, what does the procedure do and what is the intended purpose, where
is it stored and attributes like that. Now, here is an example of data classification
because we are predominantly looking at cyber security from information security
perspective, okay.

So in information security, data classification is a very important aspect, just like people
are classified in terms of their authority, data is also classified in terms of its sensitivity.
So data classification can be done differently for different types of organizations, okay.
If it is a business organization, you may actually classify data as public for official use,
sensitive, classified, this is an example, okay, four levels. And then of course, the
clearance level is defined in terms of these four categories. We saw in people's case,
they have a security clearance level, which is the level at which a person can operate, is
in terms of these four classes.

And of course, US military has the most meticulous way of organizing data and you
can see there is unclassified data, which anyone can access about military, sensitive but

142
unclassified data, someone from military should tell me what that means, but it is
unclassified means it is accessible, yeah. Restricted, that is confidential data. Basically
we have one which is we have security classification, unclassified data, there is a base
classification. That is right. Then comes the restricted part which is basically restricted
to few personal, yeah, few personal or limited people, then you come to the confidential,
then the secret and then the top secret.

Yeah, so unclassified and sensitive are different in the sense, you restrict it to some
extent, that is what they are saying. Confidential means it is confidential and access
levels are very clearly defined. And secret data, it is about the number of people who
can access, right and you know people at what level can access. Top secret of course,
you know military has its own methods for defining and giving this kind of access,
maybe the president or the prime minister or the commander in chief, so those are the
type of people who have access to top secret in the military setting.

So people classification, asset classification is what we are looking at. There are
different types of assets, right from hardware, software, people and data and they need
to be classified, they need to be described in different terms. And the next important step
as far as risk assessment is concerned, now you can see the term has changed from
identification to assessing, okay. We are now trying to assess the value of each asset,
okay. Because some assets may be very important or critical to run the business and
some assets may not be critical, but important. So, as I said the assessment of an asset
value is not based on the purchase value of it, but its impact on business.

So you can see generally for assessing value of asset, an instrument or a questionnaire
is used. We can actually get expert information on what is the asset value. So typical
questions in a, when you use an instrument for asset value assessment, is like, which
information asset is the most critical to the success of the organization, which generates
most revenue, which brings highest profitability, which is the most expensive to replace,
which is the most expensive to protect, which will cause the highest liability, so on and
so forth. So you can see, you can think of a scale, of say 1 to 5 in terms of the each item
in this questionnaire, okay.

So that is what, how the asset value assessment is done. So here is an example, this is
just taken from your textbook. So there are different assets which are already identified
and classified and tagged. So one is this is, this pertains to a bit old generation, so they
are talking about electronic data interchange, used in e-commerce. So EDI document
set 1, EDI document set 2, you can see they are using three criteria for assessing the
value of an asset. The three criteria are impact on revenue, impact on profitability,
impact on public image.

143
 That is what this organization does, okay. There are different questions you can ask,
but based on these criteria, they actually arrive at a score, arrive at a score, a score
between 1 and 100 for every asset. And each of these criteria has a weight. So it is a
weighted score that you actually use to arrive at the value of an asset, okay. And you can
see that there is one asset which is, whose value is 100 here, right, customer order via
SSL. So that is the asset which hits a value of 100 because if customers cannot place
order, your business stops there. Thank you.

144
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 06
Lecture: 17

Alright, so now we have, we have looked at assets, we also have looked at the way to
assess the value of assets. Now we are looking at the other category which is threats. So
threats also need to be identified and threats also need to be assessed, okay,
identification and assessment of threats. So how many cyber threats are there today?
You can say many, okay, that may be better, a qualitative term there are many, okay. So
but actually hundreds, okay. So I am not going to spend any time discussing each of the
hundreds of threats that exist.

But there is something known as threat intelligence, okay. Threat intelligence actually
is very informed information about what are the current threats, cyber threats and what
is the criticality of each threat, which is the most likely threat, okay, which is the most
frequent threat and which are the threats which have high impact etc. So this
intelligence is something that is available, not with me, not in the textbook because it is
dynamic but with professional bodies. So you talk to a practicing manager on cyber
security, you will see, they have subscription to threat intelligence.

And the bodies which do this sort of analysis and data aggregation analysis and CERT,
C-E-R-T to some extent is a body which provides this kind of information. But for more
information, you need to have subscriptions or you need to have network with cyber
intelligence bodies. And therefore that is the terrain we are entering now, as to what are
the threats that exist and against which you need to protect your assets, you know, your
textbook may talk about a few threats. But what I have done is, I have a more
comprehensive list of cyber threats and their descriptions, to give you awareness about
what are the different types of threats and which I will be posting in the module. So you
go through them and some of the threats which are prevalent today, anyway we are
discussing in along with case studies.

So you get to know about them more, okay. Alright, I think each of this would be
discussed in some detail in the cases to follow. So I do not spend time on describing
each threat at an item level or individual level. But threat, like asset are also classified.
See when you have too many things, what you do? You classify, alright.

A manager needs to manage things efficiently. So you classify. Why there is product

145
segmentation in marketing or why there is customer segmentation? So you know, you
cannot actually create product for each individual. You create generally product for
customer segments. So therefore segmentation is the way to deal with complexity, or
classification is the way to deal with complexity.

And here you can see again, threats can fall into say, 12 categories, 12 classes. So they
are acts of human error or failure, compromises to intellectual property, deliberate acts
of espionage or trespasses. What is espionage? Mike, Mike, okay. Espionage is an act
by someone who is working from within inside the organization, against the
organization. Yeah, yeah.

So this is basically someone who is or was a part of the organization or a country,

actually betray the country or the organization by leaking out information. You have
several cases of espionage related to US military. So we will touch upon that as we go.
So espionage is a serious but higher level issue. So that is one category.

Information extortion where you actually try to threaten people and extort or get
money or assets from people, that is another category. You can also see in this
classification, the last one is technological obsolescence. Is that a threat? Technological
obsolescence is classified as a threat category. If your machine is not updated, if you are
having a Windows 8 and you are running your critical business on Windows 8 and you
do not want to invest in software or hardware, you are running a high risk of cyber with
respect to cyber security. And you have cases after cases where machines became
vulnerable as they are not updated.

So that is a threat category. So you can see that threats fall into categories. So that is
the way to understand. So when you look at each item or each threat, try to imagine
which category of threat that is because that numbers are limited. And this is again
drawn from a paper communications of the ACM where some scholars published
information on threat severity or they try to rank the threats.

And you can see for ranking the threats, they have used a mean value that could be
with respect to occurrence and their weight, the mean and the weight it is not clearly
described here but you can see, there are aspects to the threat in terms of how severe it is
going to be and what is the sort of likelihood or what is the frequency with which that
particular threat is happening. And there is of course, a standard deviation which is
calculated there. But to assess the weighted rank of a threat, they multiply the mean
with the weight, the mean with the weight. We do not know how these weights are
assigned but the mean value calculation is from data. So essentially this particular table
tells us that in cyber intelligence for threat or in threat intelligence, you quantitatively

146
assess the threat.

There is a assessment, there is a value, there is a score that is given to each threat. And
therefore, threats can be ranked or threats can be sorted based on the weighted rank of
each threat. Some threats are not likely or they are not having any impact and therefore
they get low value and some threats are highly likely and highly impactful and they get
high scores So this score of threats are with intelligence bodies which needs to be
available for cyber security management, particularly for the assessment of threat. This
is not something that you can do internally. When we looked at assets and asset
identification and valuation, this is something that you can do internally.

This is, assets are internal to your organization and its valuation is also internal. You
can run a questionnaire survey and finally arrive at the valuation of assets. But threat
intelligence, you do not have the data. This is external data. And therefore for threat
intelligence, you will be dependent on external bodies.

So once you have assets and threats, you can now imagine there is one axis of assets
and and another axis of threats, okay, threats and assets. And then there is a threat-asset
combination. For each threat and asset, there is a combination. And that is where you
ask this question, what is the vulnerability, as far as this threat and this asset is
concerned. Now we have gotten into the micro detail of risk assessment at a threat asset
level or asset threat level.

So vulnerability is something that you assess at each combination of asset and threat.
When you consider these two together, what is the vulnerability. That is something that
has to come from experts. Or that is something that has come from judgment. Are we
fully protected? Is this asset protected from 1 to n threats and to what extent? Are there
some leftover vulnerabilities or are we 100 percent?, okay.

So that is called vulnerability assessment. So you can see that between asset and threat,
you know, it is shown in the diagram. Between an asset and threat, lies the vulnerability.
A vulnerability is with respect to a given asset and a given threat. Now you will see
how, this is an example, vulnerability assessment of a DMZ router, okay, but well this is
a technical term, essentially a proxy system.

Now you have a real server, you have a proxy server. Proxy server just act as a shadow
or a, you know, a copy of the real server. So that kind of a system, so they are taking a
router from that zone and then assessing the potential vulnerabilities. So you can see
that you took one particular asset and then you are going through each threat and
describing what are the potential vulnerabilities. You get the point? Take one router

147
and all the threats, and then describe, what potential vulnerabilities exist.

That is the process of assessment of vulnerability. For every threat, this is done for
every asset. Now I will take you to this important spreadsheet, which is used in risk
assessment. So you can imagine this is a, this requires a spreadsheet, because this
pertains to cell. There is a cell which pertains to two dimensions.

So each cell will actually chart the vulnerabilities. So threat vulnerability asset
worksheet or so known as TVA worksheet, is the final tool. I will show you an example.
And this is in your mind already, I believe. You have one axis which is for threats, you
have the other axis which is for assets.

So as we said, so the DMZ router, so that is one asset. So you can see that assessment
of the vulnerability is done for each threat. So the first column would list the different
vulnerabilities for asset 1, with respect to different threats. So the TVA spreadsheet is a
tool or an instrument used to assess vulnerabilities in a detailed way, for all threats and
all assets. Once you have this in place, you have a fairly good assessment of what are
the vulnerabilities, the organization has.

And you also know that you can rank order the assets and rank order the threats here,
because you have the asset valuation done. So therefore you can rank order them. The
threat intelligence you have and therefore you can rank order them. So therefore the top
ones or the first diagonal can be the most critical in terms of the vulnerabilities, okay.
So that also helps you to look at threats, the vulnerabilities in terms of their criticalities,
alright.

So that is the TVA spreadsheet. And in the world of practice, TVA spreadsheet is a
very important instrument for vulnerability assessment, okay. So when you hear the
word vulnerability in cyber security, always keep in mind it is with respect to a
particular threat and a particular asset or a vulnerability. What is vulnerable? We say I
am vulnerable, right. Because you feel very vulnerable. So I have an asset, as an asset I
am vulnerable with respect to 1, 2, 3, 4, N threats.

So therefore keep that perspective in mind. Now having done or having prepared your
TVA worksheet, you are inching towards the next step of quantitatively assessing risk or
doing the risk assessment in numbers. So there are two terms as we saw in the beginning,
loss frequency and loss magnitude. These are the two terms that are used to calculate
risk. So what is loss frequency? Loss frequency is an assessment of the likelihood of an
attack combined with expected probability of success.

148
 So there are two probabilities here in a sense. One is how likely an attack can happen,
okay. A DDOA versus a phishing attack, which is more likely today, that is an external
intelligence. So what is the probability of that attack versus if that attack happens,
what is the chance of success, okay. An attack can happen but you are fully prepared,
with your malware protection or with your firewalls updated.

So if you do not have a firewall or if you do not have updated security systems, your
vulnerability or your chance is high, okay. So that is what you do during the
vulnerability assessment. So these two probabilities together, well you can imagine to
get this, you need to have those probability values, somebody need to tell us, okay. You
need to have this data. Otherwise it becomes qualitative assessment.

So in quantitative assessment, you need to have access to data to arrive at these two
probabilities, likelihood of attack and likelihood of success. These two together defines
loss frequency. It is, it assigns a numeric value. Use external references of values, of
course we discussed this already. So it is a probability which combines attack likelihood
and success probability.

The second is the loss magnitude, loss frequency and loss magnitude, standard terms
in risk assessment, risk computation. Loss magnitude sometimes is referred to as asset
exposure. This term exposure is sometimes used, right. Exposure is well, you have an
asset and there is a particular attack possible. But the asset may not be completely
exposed, okay.

Part of the asset may get exposed. So if it is 100 percent exposed then it is the loss
magnitude is high but if it is not, then it is proportionate to the exposure. So what is this
particular value? It combines the value of information asset with the percentage of asset
lost in the event of a successful attack. So if an attack happens, what percentage of that
asset is stalled or impacted is the basis, for measuring loss magnitude. So there is a asset
value multiplied by the percentage of asset affected during an attack.

So the product is the loss magnitude. We will take an example as we go and then you
will understand this a little better. Well, here is the magical formula for calculating
residual risk. Residual risk, okay, I have not used Greek letters, it is actually more
textually described so that you very well understand what it is. Loss frequency times or
loss frequency into loss magnitude minus So loss frequency into loss magnitude minus
the percentage of risk mitigated by current controls plus measurement uncertainty. There
are 4 constituents in the calculation of residual risk.

Loss frequency into loss magnitude. Typically you will think that this is risk but it does

149
not stop there. So probability into impact, usually risk is described as that, what is the
probability of something going wrong into what is the impact. Usually you describe
risk as that but you can see, this is a more detailed formula that is one aspect of risk, loss
frequency into loss magnitude or probability into impact minus the percentage of risk
mitigated by current controls . There are certain current controls in place that is
mitigating some of those risks, so you minus that.

But then you add a measurement uncertainty. So we have to keep in mind that the loss
frequency and loss magnitude are estimates. These are not objective, this is not
objective assessment, this is often subjective assessment and therefore there can be
errors and that is called measurement uncertainty. So you add that and uncertainty as a
value is added, you know, so that you know you are looking at risk, so you always be
prepared for the worst, okay. So we are actually adding a worst case to the risk that is
calculated using loss frequency, loss magnitude and the current controls. Alright, I think
you just keep this formula in mind and then let me give you a problem and try to
calculate the residual risk, this is the question, okay.

Well, I give you 3 minutes, just try to work out the, calculate the residual risk. An
e-commerce database has 10% chance of an attack this year based on industry reports,
that is one attack in 10 years. InfoSec department reports if the infrastructure is attacked
there is a 50% chance of success, based on current asset vulnerabilities. So they have
calculated vulnerabilities quantitatively. So if that particular attack happens, there is a
50% chance of success.

So you got the two probabilities there and the asset is valued at 50, that is a scale, in a
scale of 0 to 100 and InfoSec informs that 80% asset will be compromised by a
successful attack. So you have the exposure there. So these are 75% accurate, estimate
risk.

You forgot the formula. You can note it down. LF into LM minus current controls
plus measurement uncertainty. So basically you have to calculate loss frequency, loss
magnitude, current controls and measurement uncertainty. These are the 4 values you
need to calculate residual risk. What is loss frequency? Loss frequency is a product of
chance of attack into probability of success. So therefore chance of an attack is 10%
means in probability terms, this is 0.

1, correct. And what is, yeah, so chance of success is 0.5, right, 50% at that. Anyone
got the final value? No? Okay, this is 0.05, agreed, okay, we will go. Loss magnitude is
the exposure, right. So the asset is valued at 50, okay, 50 is the value of the asset into
what percentage of it is exposed, 80%, okay.

150
 So therefore 0.8 is equal to, correct, 40, 40, exposure is 40. Now current controls, is it
mentioned? It is not mentioned in the question, okay. So therefore we just do not add
any value there. So then measurement uncertainty, there is an uncertainty of
measurement. So yeah, so you have to, you are going to calculate risk as probability to
impact LF into LM, right.

So LF into LM, LM is equal to 0.05 into 40 means how much? 2. Now there is no
current control. So essentially this particular estimate of 2, has a uncertainty. What is
that uncertainty? It is only 75% accurate, meaning it is 25%, there is 25% error, okay.

So the 2 has a chance of 25% error. So error is equal to 25%. So measurement

uncertainty is that error into the value which is estimated, right, which is equal to,
measurement uncertainty. Measurement uncertainty is 0.25 into 2, that makes it 0.

5. Therefore residual risk is equal to 2 plus 0.5, is equal to 2.5, okay. This is a textbook
problem solving. LF into LM is 2, loss magnitude into loss frequency is one aspect of
risk. That is what you estimate based on asset value, threat, estimate, etc.

Each of these are prone to error, these estimates are prone to error. So when I
calculated this value 2, it is an approximation, it is an estimate and that has some error
which also they have actually, you know, this is a textbook problem, okay. So they have
some assessment of it. So I am calculating measurement uncertainty as a worst case.
Because of this inaccurate assessment of LF and LM, my value of 2 may be
underrepresented.

So I want to actually add that 0.5 as measurement uncertainty to increase the value of
risk, essentially saying it is not just 2, I am a bit uncertain about this 2, okay. So 0.5 is
added by calculating error into that value 2. Yeah. Okay, so I will stop here because we
need to have the case discussion and I have overshot a bit.

And here it is worked out and this problem is of course, very simplistic and actual
estimation of these value quantitatively would be a challenge and you can see in real
world, you can ask the practitioner next week as to how they do the TVA sheet, to what
extent are they able to objectively assess these values and calculate risk quantitatively.
Often times, we can see this is done qualitatively than quantitatively because of the
difficulty of getting the exact quantitative estimates, okay. The risk mitigation or the risk
management, now having got these values and for different assets, what action the
organization should take in terms of controls and monitoring is the next step, okay, the
third phase which we will discuss in the next class.

151
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 06
Lecture: 18

Good morning everyone. So moving ahead with the last group presentation that was
basically on internet insecurity. So today our group number four, comprising of myself,
Colonel Jagvir, Prasad Deshmukh and Sanjay Prasanna, we are going to present the case
study that is, Protecting the Cheddar. So the case study is all about a company,
Newhouse Cheese Company. It all started way back in 1811 when Cole Newhouse, he
immigrated from the Wales and established the cheese making company. It got very
popular, yeah in between they faced a great depression, economic depression but they
innovated their business, they tied up with the supermarkets and they had a tagline-"
From Wales with love.

" Later on in early 2000, the fifth generation, Chadwick Newhouse, he took over and the
company invested lot of, lot of amount in the digitalization of the precision control
monitors and devices. So basically, there are six characters in this case study. There is
CEO, Chadwick Robert Newhouse also with the nickname, Chad and then CISO, Frank
Armen, the CEO, Bruce Boyle the CFO, Jenny Cruickshank and deputy to CEO, Sara
and a cyber security consultant Jack Parem. So basically the case study, it starts with a
scenario where the Chad, the CEO of the company, he had just wired $ 49,999 to a
someone, unknown person because the company has, is a victim of a ransomware attack
and the hackers, they have actually gained access to the company's system and they
have demonstrated the shutdown of one of the temperature control critical device and
they also claim that they have accessed to certain sensitive recipe files of the
organization and on the advice of his legal lawyer, the CEO has paid the ransomware to
the attackers.

Now the case, this the current scenario is about a meeting which is taking place
between the top executives and the CEO, Chad is really in a very angry mood and all the
top executives, they are not able to make eye contact with him. " So what do we do?" ,"
Yes Mr. Chad I have been seeing some new intrusion monitoring systems on the market,
I suggest we increase the budget for them and also we have to review our incident
response protocol because SCC will come knocking to see our plans and procedures." So
how much we have already spent on the system?" " About 6 million dollars." " 6 million
dollars and still the breaches have increased.

152
" So now there is an uncomfortable silence in the meeting room and then you know, all
of a sudden a lady voice that comes from the back of the room and she is actually Sara,
the deputy to the CEO. " So why are our system even online? Shouldn't family recipes
just be locked up on a paper? Why do we need them digitally and the pasteurization
equipment and all?" So Sara briefed all the meeting heads about a new risk management
process that she had read. It stated that the overly complicated software system are
making organization more vulnerable to such attacks and it is not only the software
system but also the anywhere and anytime access to the critical system of the
organization. Many consultants recommend that the organization should put the humans
back into the process and reduce the digitization. Now again this scene actually, shifts
three weeks after that prior crisis meeting and on a workstation, the CEO and Frank the
CISO and Sara, they are on the workstation and there is a fourth guy, the cyber security
consultant, Jack Parem.

" Mr. Jack as you can see, the sensors in our tank send us real time data about
everything. It tells us about our impurities, our temperature and bacteria, bacteria
content. It saved us millions of dollars." "And the system is networked?" " Of course,
otherwise we have to be in person monitoring the systems always.

So if anything goes out of order, we will get alerts. So this is very crucial to our cost
savings." " And who has the access to the system?" " Basically it is anyone with a login.
We usually give it to two or three people. Mostly it is me.

Last time I even logged into the system from my hotel." So the process continued for
three weeks. In the process, the tech guy revisited all the processes of the factories and
understood how the processes work. He mostly followed a four step plan. The first step
was identifying the most critical information and the processes.

He visited each process, talked to the stakeholders and understood how the process
exactly works. The second step was mapping the digital terrain in which those processes
rested. It consisted of understanding the hardware and software part of the system. Also
how the network is structured. And not only about the technology, it also involved
understanding how humans are interacting in the system, understanding the supply chain
and everything.

Third step, it was the most important step. In this step, the inputs from the first step and
the second step were used and the most critical, likely part of the attack was identified
based on the criticality and the openness of the system. In the fourth step, they
generated, the options, about the attack based on the criticality, the attack which is most
likely to happen and how critical it is. And during the steps of the evaluation, we can see

153
that Jack and every senior executive have undergone various intensive process of
understanding the system. So, they were already exhausted and the kind of, they got an
insight, like how they were really into digitization, that like, how much deep they have
invested into the digital networks.

So, from the consultant's perspective, he found three points of failure. And he, he
briefly sorted out into three categories, three are outcomes. In the first one is he found
four pathways into the network and a hacker access industrial control systems. And the
third one is one system was compromised by bot. And further his recommendations was
that, first one he evaluated the thermization process which he advised the them, to take
it completely offline and completely offline.

And then the second process was he advised them to remove the, the network controls,
network temperature controls and automatic automated temperature adjustments or the
other option was to keep them or and backstop them with human manual controls. And
the third one, he found that during the penetration testing done by himself, he found that
he was able to take control of the access control, he was taken control of the control
systems and was also able to access all all of their recipes which was a huge eye
opener to Chad. He was especially very shocked to know about, that his recipes could
be accessible which could really hit this bottom line. So, we see that in the meeting a
very heated discussion and debate takes place on the various suggestion offered by the
cyber security consultant. "So whole point of going digital was to save money, going
offline would kill the bottom line.

" " Look Mr. Bruce, the goal is not to take back to your stone age, it just to reduce your
digital pathways. The most likely vectors that any attack could possibly happen. So,
even so, even though there is very likelihood of attacks. So, I would really suggest to
you to look back, look at the situation here and and make corrections." "So, you want
us to roll back the business 20 years, for a one in a million chance.

" " Look Frank, I came here because you were attacked by a ransomware, but frankly
ransomware does not scare me, listeria does. If you check recent health hazards created
by companies, you can really see the consequences of a major catastrophe. So, it could
really affect every company." So, just to give an idea about a ransomware and how it
works, basically the hacker or the bad guy, either he creates the ransomware himself or
he can buy atleast from the cyber criminals. In fact you will be surprised now a days
there is something called as RAS, ransomware as a service, they are business models
and they are creating and selling all these ransomware software to the criminals.

And after that the cyber criminals basically exploit the social engineering skills and all

154
and then he enters the access to the system and he encrypts the IT system and the data
whatever possible. And basically the main intention is to you know, ask for the money,
ransom and at times they ask in a cryptocurrency form also. So the audience, we would
like to know your opinion - Should Chad implement consultant's recommendation? The
consultant's input is that we take most critical parts of the value chain off the digital
environment for protection and we do not essentially move back 20 years, that we
remove all of digitalization or digitization which has been built in. So, this the, this is an
in between solution which will ensure that some form of optimization is obtained
through the digitization process but at the same time, the critical assets are protected.
So, it could be in my opinion good to move in that direction, identify which are the
most critical assets and move them offline.

Anyone, any other suggestions? They should go ahead with that and we had already
covered regarding this, we had there was a presentation also that was that Cyber
Informed Engineering which basically says that your critical systems should have a
contingency plan already mapped out and so that anytime such a thing happens, you can
always as far as possible, try to keep them out of the digital connectivity loop. so that
nobody can attack them. So, yes definitely that particular concept works out very well
and will continue to work out well in the near future also. Yeah, even I would suggest
an in between solution because going completely offline might not be that useful
because for example, the sensors might be tracking the temperature and all and we
might need the help of IoT to track those changes and you know for the predictive
maintenance of the machine that are being employed, it will help in increasing the
efficiency of the system in the long term. So, completely moving offline just for the
cyber security risk sake might not be a fruitful option in the long term.

So, but just as sir mentioned we can identify the critical aspects of the business and then
just move them alone offline or just restrict the access within the local environment or
something like that can be pursued. Okay, I have a question, If you go back or roll back
the system to manual controls, can there still be manual errors because when human
beings control temperature or monitor temperature, you are trusting human beings and
that is why you go for automation because human beings, human errors are quite
possible. So, you go for automation and in automation you have other problems created
by humans. So, do you see the solution as going back or something else because human
errors can still happen. Yes Sir, you are right Sir, in fact the errors can be there, in fact
the earlier when the company was, had not digitalized, they were facing lot of problems,
there were lot of wastages were there because the human error and all and that was the
purpose they went for digitalization and just for the sake of that actually we have
displayed some of the pros and cons.

155
 So, in case the company goes for a mix, you know, system of manual and combination
of the digital. So, certain pros are there actually. Yeah, obviously like the first one in
case of pros, obviously there will be isolation and prevention of the critical system. So
that there is a least damage. So, we have something called as you know, theory of least
privileges.

So, in case someone access to that so he is not able to access the in totality or the
complete system or so that he access only the compartmentalization is there. Again, in
case the second point what we have displayed here that the production, in case someone
accesses, the attacker. So, the complete production may not be hindered some of the
manual system may still be as a backup or as a parallel system, they still will be working.
And thirdly the sensitive data that is more secured in offline mode because we might be
having trustful and faithful employees, obviously that can be debatable again as you said
Sir. And fourthly there might be less chances of unauthorized access, that will obviously
be there but yeah, that chances can be reduced.

Again coming on to the some of the cons. Since firstly the company has done lot of
investment in terms of money in the automation and digitalization. So now again
reverting back to the manual mode. So, it is all on the cost of that automation and
money spent, it is something like a sunken cost, that money has already been spent. And
secondly yeah, the investors once they will come to know about this thing that might
affect the reputation of the company and the trust you know, in the mind of investors
and public.

And thirdly, obviously the raised cost might be there because they have to hire faithful
employees and train them and this skill enhancement that is required. And fourthly
during the initial stage actually, this setting up of the parallel system, there might be
some hindrance to the operations, that will obviously be there. Yeah. So, this case as
you presented illustrates the cyber security challenges to the industry, particularly
industrial automation when it is going towards IoT devices industry 4.

0. There are lot of pluses as you showed and there are also risk and major risk which
can create financial loss but also, as you pointed out, loss to lives you know listeria,
where it is about changing the composition of a food product. You know if you consume
that product which is actually got produced not following the standards, then you are
eating something which is, you do not know you can die, if you eat that product. So, the
kind of consequence that if industrial controls are affected by cyber attackers is very,
very high and severe. And also, you see this case highlights the ransomware attack. So,
already there have been major ransomware attacks like the WannaCry, NotPetya which
happened at the country level.

156
 It is like you know, the WannaCry was possibly done by North Korea and NotPetya by
Russia. So, this is also part of cyber attacks at a national level. I did not know for sure
but these are actually observations in reports. So, they say NotPetya case, they actually
encrypted your machines and they asked for ransom but even if you pay the ransom,
they did not release the machines. So, in this case it says, you have to pay $49,999 and
your machine is released.

And if that happens it is fine, you can go on but if as in the case of NotPetya, if they do
not release the machine even after making the payment, it is like killing your systems.
So, the consequence of ransomware which is very much highlighted in this case, is very
high at the moment and in terms of threat intelligence, that is a very high threat in
today's world particularly in industrial controls. And solutions are still evolving you
showed some of them and let us move on with risk management in the next session also.
And in the next session of course, you have someone from industry coming in, perhaps
you get more insights.

157
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 07
Lecture: 19

The topic that I was given is about Cybersecurity Threats, Solutions and Challenges.
There is a structure to the presentation that I have prepared, but I do not mind varying
away from the structure, so that we can have a lively interaction. After all, this is supposed
to be an industry exposure to you, ok. We look at realistic problems, realistic problems
with realistic solutions. So, and I also gathered that not all of you have technical
background. So, I try to cover some of things without much technical things.

So, I added some concepts and other things which you would require to know. Now, let
us start with cybersecurity. Why do everybody think cybersecurity is important? Why do
not you just read this quote? The only system which is truly secure is the one which is
switched off and unplugged, locked in a titanium safe, buried in a concrete bunker and is
surrounded by nerve gas and very highly paid armed guards. Even then I would not stake
my life on it.

Think about this. So, why would a person who has spent a lot of time studying cyberspace
make a statement like this? There are certain fundamental issues about cyberspace. The
first fundamental issue is, what we call as cyberspace means anything that is connected
and can interact with each other, over the airwaves or the other type of waves, is
fundamentally designed to be cooperative in nature. So, cyberspace is built on
cooperation, coordination, trust. So, if you say I am sending you a packet, you are most
welcome to receive it.

Look at any of the protocols that you have studied TCP, IP anything. There is nothing
in the protocol which says, no I want to first talk to my computer, my OS, I want to
receive it or not. It was not designed like that. It was designed to be a very friendly space
where everybody can interact with everybody. Even now most of the protocols do not
validate.

Some of you must know about the BGP routes. The biggest cyber attacks happen by
BGP routes. BGP servers are the big servers in internet which decide how the internet
packets move between big networks. Like I am sending a packet from India to let us say,
another company in America, we cross multiple BGP routes. So, the route says I know
how to go to America, everybody believes, yeah he knows.

158
 Nobody is going to question, how do you know ? So, this is the type of trust that is
embedded in cyberspace. Now when you have built a space which is, where trust is at
the heart of it, how do you implement security? This is the route of all the challenges in
cyberspace. So, you have created a space where trust is at the root of everything,
Everybody is nice, everybody is good, how do you catch rogues in that space? Ok. With
this thought let us go through briefly. So, before we start the standard part, let us go
through the definition of cyber security.

It is nothing but a body of technologies, processes and practices involved in protecting

individuals, organizations from cyber crime originally, now cyber warfare. So far so good.
And so now you when you say, it is designed to protect, what is it designed to protect?
We have to be more specific than being, you know. So, a definition does not illuminate
unless until it is specific. So, usually they talk about 5 principles out of which 3 are
considered as generally a triad.

So, the first one is confidentiality, integrity, availability and then there is also
accountability and auditability, correct. These are the 5 principles that we are supposed
to maintain. When you say I have a cyber security system in place, you are able to say
that my data is secure, it is given access to people who have rightful access to it, my data
cannot be tampered with, which is integrity component. So, if you tamper with it, I will
know and when I want to access my data, I will always have access to it, which is
availability. Accountability means I can always identify who has made changes to my
data, correct.

Auditability means it cannot be tampered, whatever changes you make. I should be in a

position to say, " No, you did it at that time and you cannot deny it, no repudiation and a
more academic jargon, fair enough. Now, let us look at the scope of cyber security. This
is a projection roughly in 2021, I am sure all of you must have gone through statistics like
this. And I will tell you from my experience in industry, probably these statistics are based
on 20 to 30 percent of the crimes which are actually reported.

A large number of crimes or attacks are not reported for obvious reasons, correct. So,
the statistics that are built based on 20 to 30 percent itself is so staggering, Shocking isn't
it, why is this happening? Because almost all the businesses are moving digital and not
many businesses have thought about security in digital. Like I told you when you build a
house, you first build a compound wall right, you do not build house and then think of a
compound wall. In digital space is exact opposite, you first build a house and then you
think of a compound wall. See, these are the challenges that we have, which is why cyber
security continues to be a big issue and will continue to be a big issue.

159
 So I do not want to go over these statistics here, I am sure you guys can read it. Now let
me ask you, when do you think the first cyber attack would have happened? Let us put a
date to it, a year, make a guess. Come on 10 seconds, 20 seconds. 70s, 80s okay, good
answer. Just spend a moment looking at it, can you guys read it? It is too small.

Let me see if I can zoom it little bit. Can you guys read it now? There was an attack on
a Soviet era pipeline. The story on how it was done, is what we can now call as a logic
bomb. The Soviet could manage to build pipelines but they could not manage to build
software to control the pipelines. The software they had to source from a Canadian
company.

This is the peak of cold war. So the Americans have reached out to the Canadian
company, planted their own programmer and inserted a logic bomb, which triggered and
destroyed the pipeline which was built at a huge cost and had a very, very significant
economic impact on the Russia or that time, Soviet Russia. Yeah, it is now, it is now
accepted by the Americans too. So this is the time it started. So what I, what I am trying
to highlight here is cyberspace, right from the beginning was never a space of peace.

So today we have a concept in warfare largely called as, no conflict no peace stage. So
you have peace, you have conflict, right. Now there is something between both of them.
It is called no war, no peace. So you are not really at war but you are not at peace either.

There is constant conflict going on. So this is what accurately describes the cyberspace
today and cyberspace has always been like that. So that is what I am asking you to start
thinking as, correct. So before we go further into a technical concepts, I thought you
should have some clarity about the key concepts because without which your
understanding of the whole class will be significantly impeded. So let us look at couple
of concepts.

So I will try to cover broadly two important things about you know, general concept of
cryptography, operating systems and networking concepts, security concepts like triad
and we will also look at couple of other things. What is an operating system? If all of you
know, please say that Sir we know it, I will move on to the next slide. What is an operating
system? What does it do? In simple terms, it provides an interface between the human
element that is sitting there and the hardware that we need to operate on. So it can be
anything, it could be starting from a small raspberry pi to your own laptop so.

Correct. So it is an interface between the human and the input output and compute - three
things. Correct. There is a compute infrastructure, there are input devices, there are output

160
devices. The human interacts with the input devices, the compute connects to other
devices, performs the work and displays from the output devices. This task is made super
easy by operating system, which means when you say I have switched on my machine,
so you interact with the operating system.

Operating system tells you," Okay my Boss, all the devices are ready to listen to your
commands. Please tell me what I should do next." Play the song. Okay boss I will play.

Fetch the file. Application " Okay, here is the file." Application says, can you process
this, processed. Can you send this to the speakers? Send. You see operating system is
the one which runs behind. It is everywhere but yet not felt.

You think it is intuitive, just double click. Correct. So this is the heart of the cyberspace.
All battles are fought in the applications and the operating system space.

Nowhere else. Correct. Now we look at another thing called as rings. This is extremely
important concept. It is a hardware concept. Now when you are trying to fight for control
over the devices, like for example, I want to find out what your location is. I want to be
able to destroy your hard drive data.

I want to be able to steal your personal information which means, I have to have full
control over your system. How do I do that? So there are two, three approaches. One
approach is at the operating system level. So multiple layers of defense. Operating system
creates this is kernel which means the secret room, nobody should enter.

There is user space. You are free to play inside this. You try to cross this and get to
kernel space. No, I won't let you do that. But all hackers want to do that.

Correct. Because if you become the watchman, can anyone notice you as a thief? So
every thief wants to immediately down the police cap and say I am a watchman now, I
am watching over everything. Correct. So all thieves, which means all the hackers when
they enter the computer system, they always want to abuse the operating system powers
and hide in the plain sight pretending to be part of the operating system. So there are
inherent defenses built in the operating system and there are also inherent defenses built
even in the hardware level. But not all operating systems use them effectively.

Even now, the latest version of Windows does not use most of the hardware protections.
It is important to know that this space is not attended to, even today. So when you say,
you are operating at ring 0, the hardware fully listens to you. The processor fully executes
all the commands you send. Ring 1, ring 2, ring 3 are restricted levels where you have

161
limited access, limited access.

So the kernel or the operating system largely operates in ring 1 or ring 0. These are the
hardware level. Clear? Now I will also touch about couple of concepts on cryptography.
How many of you know what is cryptography? Cryptography is like the basic term if you
understand like encrypting the message so that someone from the middle does not
understand it and the targeted audience reads it, using the key or whatever.

Brilliant. So cryptography means ensuring the CIA of the message that you are sending
me. It reaches me very safely, confidentiality is maintained, integrity is maintained and
it is available to me. Correct? Now how do we achieve this? There are multiple ways.
How do we do it in home? You and your sister will keep fighting, pretending to be
fighting, shared passwords. But the challenge is let us say, we both are separated by a
common distance.

How do we share the password? If you figure out a way to share the password, we can
use the same platform to send the message to, right. So how do you operate when you
both are separated? There is not so reliable environment between you both. Let us say, I
am talking to you, we both want to exchange a message. There are so many other ears
listening, how can I whisper to you, without crossing them? Maybe they may not be
paying attention but can I take a risk? I will not.

So I will consider this space as compromised. I cannot. So this is why the shared
symmetric encryption algorithms won't work. Now second problem, this is called
symmetric encryption. Basically we both use the same key. Now another challenge is let
us say, we kept on exchanging messages.

Obviously you also know the messages now will look gibberish. Let us say you are
copying all the messages sitting in the middle. Today you do not know, you do not know
him and you do not know me. Later one day you know. You caught hold of me, slapped
me thrice, took my password.

You will be able to decrypt all the messages. Correct? Complete compromise. Another
risk in this. So these are the challenges that people experienced during World War I and
World War II and with the proliferation of communication technology like radio waves.
Radio waves are open for all.

So this challenge became extremely critical. I am sure all of you must have known about
Enigma, cracking. This is exactly what it was. And I am sure you guys understand Enigma
is a single reason why the allies have won the war.

162
 It made a huge difference. Don't forget that. And they kept it a very good secret. That
is also equally responsible. Correct? Now to overcome this challenge, people came up
with a very interesting algorithms. Algorithms like for example, public private key
encryption.

Now imagine it like this. You have a door. In the first example we both shared the same
key. Correct? I lock, you unlock. Same key. What if I have two keys, one key to lock,
one key to unlock? Same way you have. So I take a simple trunk, put my message in it,
lock it with your key, send it to you.

You only have the secret key to unlock it. Now your key is known to everyone, public
to lock. Let us say, I am trying to send a message to you. I know with what key I should
encrypt it for you. I have no idea, how you are going to decrypt it. Everybody clear on
this? So everyone let us say, we all are sending our keys.

Everyone will announce their public key. This is my public key. You want to send me
a message, please encrypt it with this. If you encrypt it with this, I can guarantee you that
no one else would read it, except me. Same way you want to send a message back to me,
here is my public key, please encrypt that message with this and send back to me. Clear?
When I receive your message, I use my private key to decrypt it and my private key is
safe and secret with me. Clear? Now how do we generate these private keys? We use
something called as hash functions.

What does hash functions do? Hash functions take any random block of information and
convert it to a sequence of random alphanumerics. Those functions are mathematically
verified, to be one way. Like, I give you a big block of data, it generates one unique
number. You modify one small bit, one bit in this data, the whole number changes, Point
number 1. Point number 2, If you just know this number, you can never reconstruct this
data back.

Clear? So today what we have is MD5 or other type of hash functions. You pass 700
MB file, it still generates 128 characters or 5 MB file, still 128 characters. Clear? Now
in this example you see the cat, the image of the cat, in the image below, one whisker is
missing. You could barely notice it, but look at the hash function output. So even if one
bit changes, everything is changed, which is why hash functions have a great value in
forensics too.

I have got a data from, I have got a file from you. Did anyone tamper it in the way? I
compute hash value to check. Matching? Okay, Nobody tampered this. Which is when

163
you try to download anything on the internet, below the download link there is always
MD5 hash value. After you download, check it. Is it matching or not? If it is not matching,
while you are downloading, somebody tampered it.

Clear? So it is a one-sided computation, highly efficient, quickly you can do. So this
has like multiple applications. Clear? Yeah. So it looks so simple, now you can see how
it actually looks. It is a pretty pretty complicated stuff and requires lot of compute and lot
of effort.

Nowadays, we have hardware also for it. Yeah. Now let us look at networking concepts.
When we are communicating on the network, how many of you realize how many
different different types of work happen? Let us say we are talking on WhatsApp. I made
a call, let us say, if not I sent you a message you on WhatsApp. Just understand how many
layers of packaging happens in the data.

Just imagine let us say, we are two computers. I have sent a packet to you. Now when I
say computer, who is receiving the packets? The operating system is receiving. Operating
system says ok, network device give me this packet. Now operating system first question
will be yeah, am I supposed to receive it or is it for someone else? Because there are so
many machines on the network, you know. How do we know? So it first says ok, my
MAC ID is matching with this MAC ID.

So probably my packet. How many applications are running on my platform? I may have
2, 3 LAN cards. Which LAN card should go to? Which network should it get to? I open
up further and see IP. Ok, IP is matching with this. So probably this part of my network.

Then opens up one more packet and says ok, now I got this. Whom should I give it to?
So it looks at port now. Port is nothing but a unique identifier for a process which is having
network connection. Is it browser? Windows update? It can be 1000 other things. Just
ok, this looks like a Windows update packet.

So I will give this packet to Windows update. Now Windows update is also wondering
ok, is this for which user? About which file? How would I know? The further layering,
presentation, application. You see each layer helps you further resolve, resolve, resolve.
So that the packet that is received or sent, accurately reaches its destination. We do not
understand all of this, it looks so magical but a lot of packaging happens. So the message
that you send is this small, it gets wrapped, wrapped, wrapped, wrapped, wrapped,
wrapped multiple times and then gets sent on the network.

So this is a mature model which came out of years of experience. We call it OSI model.

164
Clear? It has 7 layers, you all can see it. Usually when we call IP, TCP IP right. So here
the IP is, layer is called the network layer.

MAC IDs, you know MAC IDs which are unique to a LAN card, they are the data link.
And the ports and other thing come under the transport layer, TCP. TCP is control protocol
basically, yeah. Clear? Just look at how the packets look wrapped up.

Now you can clearly see, the data is only here. This is the only data. Now see how much
about, how much amount of Jing bang happens. So that you actually get the packet. Same
with TCP, data is here. In TCP and UDP, there is a difference.

Now I am sending you a movie, I just want to say hello. Are they same? They are not
same because movies are such a big file, I can't send you in one go. I have to send you in
a sequence of packets. What if you miss one packet? Everything is gone, it is useless. So
I pay extra attention to ensure that you receive the packets in the same sequence I sent
you.

So I wait for you. Correct? Let me give an example. I have sent a packet to let us say
Vinod. I have sent, I am waiting Vinod, acknowledge please. It may happen that Vinod
has acknowledged, but that packet is lost.

So I don't know. What should I do? I send the same packet, but he doesn't know. So he
will have the same packet two times. Will the file open? It won't. So there is a lot of
coordination that is inbuilt into the protocol. In that situation, he will not accept my packet
also, he will wait.

Let us say, he sent a response. Now he doesn't know whether I got it or not. What if I
have not got it? Now I also have to say again, yes you sent me the acknowledgement, I
got the acknowledgement. Then the loop is complete. I send okay, I have sent you packet
one.

He says, I received packet one. Then I say okay, I understand that you received packet
one. You say it's a three way thing. Only then we move to the second packet. So by
design it is slow, but it is very reliable. Which is why, it is not used for video conferencing,
audio conferencing, streaming movies.

Because the streaming movies if you lose one packet, there will be one blurred pixel.
How does it matter? You can still see. If you are looking at audio packet, there will be
one small 'keee' sound.

165
 Doesn't matter. So there we use UDP packet. I keep sending 1, 2, 3, 4, 5. You will
receive 1, 5, 7, 8, 9. Still fine. You can still hear, okay. So that's the difference between
UDP and TCP and the regular TCP packets.

Another concept that you need to know is access controls. These also can be
implemented at the network layer, also can be implemented in the hardware layer. Okay.
There are multiple protocols. What is access control? You are on my network.

Who are you? How do I know? Do you have access to my network resources or not? I
have a printer. I am sure even in IIT, you guys have printers. Can you randomly connect
your laptop to the cable and then print? You have to authenticate yourself. So that process
is done with this. LDAP, Kerberos, Radius, these are the ways to identify every person
on the network uniquely.

Because if I don't identify you uniquely, I don't know who you are. Correct? Now the
next problem that you all have to learn is firewalls. What's a firewall? It is a security
guard waiting at the network entry and network exit.

His rule is very simple. Saab ne bola hai, ID card nahi hai tho bahar jao. Andar nahi aane
dunga. Correct? ID card hai but aap [Link] class mein ja rahe ho, aap [Link] ho toh nahi
jane dunga.

Correct? Class nau baje shuru hogi,aap aath baje aaye ho,bahar jao,nahi aane dunga. So
we frame rules. Those rules are implemented very strictly. Ab dekhiye,same securitywala
kaam army wala bhi karte hai, securityguard bhi karta hai, class ke bahar wala bhi karta
hai,correct. Kaam me difference hai, koi jyaada dimaag lagayaga, koi kam dimaag
lagayega, koi bahut carefully dekhega,koi bahut paranoid hoke dekhega, koi bahut
cheezem sambhalega aapse se like, bahut cheez batao, id card dikhao, yeh dikhao, correct,
so the layer of data that you consume to verify is different at every level. So depending
upon this, there are multiple layers of firewall.

If I am verifying your access at a lower level, I am a layer 2 firewall. At a higher level,

which means IP level, I am a layer 3 firewall. I am even able to see, yaar aapka whatsapp
toh chal nahi raha yahan pe aapka packet kaise aa gaya yahan par. Toh, I am at
application layer. So at each layer, you add more, more intelligence, more, more data,
which means more processing and more expensive.

Toh first level firewall, bahut basic kaam karti hai. Jo security check karte hai, woh aise
aise kaam karta hai Koi kuch karta nahi hai, toh us type ke firewall hai. Uparwala ekdum
serious aur, CISF jaisa, ID dikhao, photo match nahi ho raha aadhar se, jao , aane nahi

166
dunga So that level firewalls, Clear? So these are like the different layers. So I will try to
cover quickly because most of the cyber security things happen because firewalls slip up.
Correct? Agar firewall sahi hoga toh koi andar aayega hi nahi,correct? So, which is why
it is generally important to have a rough idea about how the firewalls work.

So it is a packet filtering firewall. Woh har packet ke upar naam dikhti hai kaun hai ye,
kahan se aaya, TCP IP sessions hai kya recognised IP hai kya, IP ranges match ho raha
hai kya, andar aane diya, woh split karti hai, trusted network ka packet bahar nai jana
chahiye, untrusted network yahan nahi aana chahiye, toh simple again basic rules
implement karti hai yeh. And this is how most of the regular corporate networks look. Ek
baar dhyan se dekho usko, So, router routes packet between different networks. Kaise
karte hai yahan pe? Ek demilitarised zone hai, which is safe zone , wahan pe apna asset
kisset daal do, koi ko koi farak nahi padta,no monitoring nothing there, aapko jo karna
hai ,karlo.

So you have controlled access from outside, unfettered access through the inside, via a
simple proxy. Proxy bus itna record rakhti hai ki, kaun ho aap ,correct hai, multiple
networks ko connect karne ke liye, alag se separate separate routers aati hai yeh internal
hai, yeh external hai, inki configurations alag, sab alag. This is how actually a, genuinely
a company looks like. ab aap socho As a hacker, if someone wants to breach, what should
they breach first? And if you let us say you breach something, where will you hide first?
aap kahan se aa rahe ho, yahan se aa rahe ho, ya yahan se aa rahe ho, kahan se aayenge
hacker, koi shakk abhi tak, no doubt na, so everybody comfortable in hindi, Who is not?
Okay, I will switch out English only. So hacker will come from this side.

Fair enough so far? Let us say he broke this, where will he go next? Hide there, wait for
an opportunity, then get him. Now we understand why this is very important. So any
unpatch sorry, any unpatched vulnerabilities in the routers, firewalls are the cracks in your
wall. Keep hitting there, it will fall. Once you get in, comfortably stay here, nobody will
notice you, then get out.

I am sure all of you must have seen that movie Dhoom. If you want to catch A, you
should think like A. Correct? Please. So there is one more thing called cyber espionage.
If you go back to the previous diagram, so you said okay, there is one way we can take
route through the routers, the networks and everything. But in terms of cyber espionage,
if you really want to get into the inner workings of how the per people dynamics are
working within the organization, so that in a way, you could attack the entire system rather
than taking down the information assets that is there within the organization. Now you
monitor the activities, how things are going on and then you do things.

167
 So that is a different route from the other side, attacking people from the personal level,
then going through the entire. Correct. See, so in that case what you have effectively
done is you have directly reached here without going through the struggle because you
fooled an individual employee. So through social engineering or whatever you call it,
okay then you can reach directly.

So it is an easy way out but it can also be easily caught. What if you pick the wrong guy?
The whole operation is gone. Correct? Cyber espionage is finished. You are totally
exposed now. So there are risks and advantages. So but what we are looking at is the
traditional way of looking at cyber espionage.

Now espionage or cyber warfare is just a difference of motive. You are a thief. You can
also do murder, right. So you have sneaked in, got inside, you can do whatever you like.
So it is just a difference of motivation but here we are looking at skill. The skill is same
or is it not same.

We look at that too in the next slides, okay. Now you see how usually people connect
from outside. LDAP or Kerberos, any one authentication server directly identify yourself,
then you are connected to the network. So these are the gateways to enter the networks
and I am telling you honestly not many people understand how they function. This
explains why, despite the billions and billions of budgets that are spent, people screw up
on basic things. Clear?

168
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 07
Lecture: 20

Another concept called VPN. Now, let us say we talked about a company with 5 branches,
4 branches. So, do you think they will have copies of same data, same servers everywhere?
That does not make sense, right? So, they will create a central repository of information,
central repository of everything. Now, how do other locations connect to it? So, this is the
beginning of a concept called as a private network. This 5 organizations which are parent
wise one organization or to be on a one private network. But can that private network be
real? Can they lay lines directly from Hyderabad to let us say, Chennai or Mumbai? It is
very expensive, right? So, they use internet, but create a tunnel between themselves, a
private encrypted tunnel.

So, this whole process is called creating a virtual private network. So, this is the internet.
So, there is a node, this is called a VPN server or VPS, virtual private server. So, you
identify yourself to the VPS, then VPS will assign you a private IP and make you virtually
part of your office network.

So, this office network could be in Delhi, you will be sitting in Chennai. This VPS will
assign you a IP as if you are in Delhi. So, you can access all the resources in Delhi, clear?
So, now a Chennai office member can participate, deal, access resources in Delhi through
the process of VPN. Now, think about from the point of view, hackers perspective. What
is VPN to him? Key to the kingdom.

If I can fool the VPN or a VPS server, I am in, nobody will even know, clear? Now,
you see how it actually looks like in real life. Correct? The multiple VPN servers
connecting each other, this is how all big companies, all big organizations actually look
like in cyberspace, correct? The group is as strong as the weakest one in the group. Now,
you guys can visualize, where things will be bad, fair enough, clear? Yeah. Now, let us
look at the common things. I am sure you guys have seen CIA triad.

So, I would not spend much time on it. Let us quickly look at how a cyber attacker
actually attacks, what are the steps involved ? This is no different from a regular
commando ride that you see in movies. How many of you have seen Uri? Most of you
almost, I think I would expect most of you. Whatever preparations they do, think about
this. Have they done enough reconnaissance? You have seen the bird flying all over the

169
place, that small bird goes and comes.

How much of effort they put in to identify the tunnels, satellite imagery, connecting the
dots, that is called? Ok. Then after reconnaissance, they have identified that the best way
to get in would be in the night. So, that changes lot of things, correct? They get air dropped
in a helicopter which makes very little noise. They do not want to wake them up. So, they
get dropped away from the field.

Have you seen the movie? All of you have seen the movie, right? Correct. So, that means,
picking right weapons for the fight, which in cyber language means, once you have done
your homework, you have identified the cyber assets that are available. So, like in the last
example, it could be a VPN, it could be a server, it could be any damn thing. Now, you
have to pick a weapon that will be effective against it, correct? Prepare. Then next part,
go and shoot.

Works, there is a crack. Now, you got inside, exploit. Now, you have access to the
operating system. What will you do now? Will you come back? You want to remain there,
do your work. Maybe you come to steal information or maybe you come to destroy the
server, whatever it is, you have to deliver your payload and retain access, that is called?
Because all these steps are happening from delivery to installation, is happening without
your visibility.

You cannot see it as a hacker. They are all happening. Once all this is happened, you get
an alert. "Yes Boss, it is done", to the command center. We will see with one more
example.

So, that is much more clearer to you. Then you do whatever you want to do. Keep it as
a botnet, try to copy the data, try to destroy the server, whatever you feel like. So, broadly
they are all called as kill chain, cyber kill chain, clear? Now, we talked about how people
generally prepare hacking. So, like we said you know in the initial discussion about
ransomware and others, see how people usually try.

This is how most of the cyber hackers do. They randomly pick huge number of email
addresses and keep sending payloads, with a hope that some of them will compromise.
Then from them what they do? They collect more data from that system because that
system is mostly inside a network or could be an email address, you get more leads, then
you spread again. You keep spreading. So, over a period of time you will have a large list
of vulnerable machines at your command, correct? This is totally unplanned random,
probably looks like a spam mail, clear? So, here usually let us say you are looking at a
cyber security situation.

170
 Nobody has specifically targeted your company or your organization. It is just going in
the flow, you could be one unfortunate victim and I am telling you in my experience lot
of big, big companies fall victim to such operations. And then there is a specialized
operations. This is cyber espionage. They are hell bent on targeting you and you only,
correct? Now here they very focused, launch attack, collect details from one victim first,
then expand, expand, expand.

They do not launch operations against everyone. They are fully focused only on those.
Now here the weapons are different, tools are different, everything is different. Because
in this earlier model, you have a risk of getting exposed. What if you targeted a cyber
security researcher? Everything is gone, it simply published two page report.

We will see one report also like that, correct? So, this is more expensive, dangerous and
tough also, clear? Of course, these principles we have already discussed. So, what does it
mean and all that, yeah. And these are the common terminologies that I am sure you should
know. But if anybody wants to clarify anything, please feel free to ask. How many of you
know difference between a Trojan and Malware? I am just kidding.

What is the difference between Trojan and Malware? Malware is a general term, if Trojan
would be particularly specific. Correct. Takes a payload within a payload. This is a
question to ensure how many of you are not sleeping.

Yeah. So, Trojans are one type of malwares. Their primary objective is to give a back
door to the attacker, correct? Ransomware and Trojan. Can a Trojan become a
ransomware? Yes, it can. Yes, that is the point.

Yes, you should understand. Phishing and spear phishing, what is the difference? Spear
phishing is more targeted. Absolutely, phishing is random emails, not really targeted effort,
not really focused effort. Imagine someone does lot of research and finds out that I have
a daughter who is studying in Doon school, writes an email to me, tries to phish me out,
that is spear phishing, which means what do you conclude, Number 1? Attacker is
motivated, he only wants you. It is an important input or not? Correct? So, in cyber jargon
people do not talk about command and control, they use a very loose word called C2,
alright C2.

It is basically C and C. There is also another terminology called C and C, command and
control. So, if your machine is compromised, the machine is managed through a command
and control. It is again another machine, whose job is to keep taking pings. It keeps asking
are you alive? Are you alive? Are you alive? Yes, I am alive. Say this is a command for

171
you, do this.

Fetch me all the images, fetch me all the files, send huge packets to this computer. So,
all that type of stuff. How many of you understand, what is the DOS? Denial of service
attack? Please. So, denial of service attack is basically some server is providing some kind
of service, the person who is attacking or the hacker who is attacking basically wants that,
that service should be denied to all the clients or the customers and this is done by
overwhelming that server.

Correct, very true, very true. What is distributed in it? When does it become a distributed
attack? The same thing is done from multiple. Very true. So, basically see these are
volumetric attacks. So, what happens is whenever you are on a network, you have a limited
bandwidth available. When you are running a computer, you can only handle so many
connections at a time.

Now the objective is to overwhelm it, so that you are not able to serve your legitimate
customers. So, how many have you, have you ever seen this type of attacks before in your
lifetime? Yes, the website is simply not responding, that is how you would see it as. So,
what is actually happening is the website is serving customers who do not care about it.
Correct, this is a very common form of cyber warfare or very simple crude way of settling
accounts on the cyberspace, ok. Now you will hear another very common set of concepts
like this vulnerability, exploit and payload.

If you do not understand this, you do not understand cyber security effectively. So, it is
important that you guys understand these things. So, just look at the example for a
moment. This is a bunker buster bomb. Can you see it clearly? See it clearly and who can
explain me what is vulnerability, exploit and payload? I need three people to explain.

Anyone else? What is a vulnerability? Here, here, Binod here. Usko pata hai.
Vulnerability can be said as a weak link in the security which can be. Absolutely, in this
example, what is a weak link? Show me what is example. The thinnest part where the
bunker buster is launched, the thinnest part, again the weakness.

Correct. Now does that mean that you are able to exploit always? You need a material
with sufficient strength to break through that. That is called exploit. Now that you have
gone inside, you need to be able to deliver something which will do your job. I will come
with a clear example. How many of you know Microsoft word document exploits?
Microsoft word has lot of vulnerabilities.

So, it can allow any hacker to execute arbitrary commands, ok. So, that is a vulnerability.

172
Someone exploited it. Basically, it can run any command that you say. Someone exploited
it to run his own commands which are loaded from an internet server.

Then it became a exploit. What does a command do? Download a Remote Administration
Tool and install it. This is the payload. Clear? So, in that, in this example the hacker
identified a vulnerability in Microsoft office, weaponized it to create an exploit, so that
when you double click it or run it, it downloads the code from a computer that he controls
which will install a payload on your machine. Which is the deadliest part in all of this?
The payload. Most of the anti viruses try to identify payloads, not the exploits.

Some of them these days also look for signatures of exploit. It is a different matter. But
it is a rapidly changing thing. Clear so far? Everybody understands the concepts? Now,
like I said payloads, how do they look like? They are pretty simple lower level software.

They give you very good control of the machine. They can be bought for 15, 20 dollars
on dark web. There are many people who sell it. If your victim is not really cyber aware,
you can make him install it randomly. Simply say, it is a flash update, new app to install,
get bonus, Amazon is giving 200 rupees extra, Flipkart has giving 50 percent sale. I am
sure all of you have received all those messages.

Those are all prompts to make you install Rats. We did Rat, means a remote
administration tool. There was a genuine use of Rats like for example, Team viewer,
Ammy admin. These are all genuine tools. People have inspired take inspiration from
them and built their own tools.

So, that nobody can detect them. Correct? So, there are many open source tools also like
Puppy Rat, Qrat. There are like huge markets where they sell access to a Rat, which cannot
be detected by anti viruses. That market is dark web market. So, DarkComet, Atom
Logger, all of them. They are sold license because anti virus is also changing every day.

So, the person who is making this Rat has to constantly update, so that it does not, which
is why they charge you annual subscription. As long as you keep the annual subscription,
your Rat will continue to be alive. Otherwise it will get caught. See the business model?
Post Covid use of key loggers sky rockets.

I am sure this is the extent that we all expect, right. Nothing wrong about it. Suddenly
lot of people who do not understand how to operate in cyberspace, have access to
cyberspace. So, they all most of them, fell victims to this game. There is a huge market
in India also.

173
 Just have a look at how a command control panel looks. I will zoom it. Good, good, good.
So, this is a special type of a Trojan or malware called a Stealer. It's job is to steal
passwords.

Just see it briefly on the screen. So, the stealer name is Vidar, correct. So, what is it
stealing? Passwords that you use to log into sites. So, who are the victims? Two victims
on the screen. The first victim is from Brazil and second victim is from Lucknow. Based
on the IPS, I mean based on the IP, it looks like the Reliance Jio customer probably.

Maybe a mobile guy or a desktop or a broadband guy, we do not know. So, what are the
details that the stealer stole? Redbus.

in, [Link], [Link], [Link], [Link] domains are stolen. How did
they steal it? Through which application they delivered it? Winrar archive.

zip data. How big is the file? 0.13 MB data, correct. Oh yeah, I am sorry, I just drive it
little bit this side, yes. Yes, you can see it the date and time, command control information.
You are selling it for who? All those details are here. These are the command control looks
like, clear. Yeah, why the hundreds of supply sources like this on the dark web, hundreds,
hundreds, hundreds.

Because like I said, it is a easy business, you make once, you can sell as many as you like
and people will happily pay you on bitcoins and all that whatever type you like. So, there
is a thriving business, it is a huge business on the dark web. If you traverse in the dark
web, there are hundreds of forums where people try to sell this to you, cheaper price and
all that, all that and you do not know you may be running it, you may become victim, that
is also there, correct. And adding to this is constant updates of vulnerabilities which are
discovered every day. Every day something or another is discovered and not everything
is patched, correct.

Now let us look at one Trojan, so that you guys get a complete idea of how it looks like.
So this is a Trojan called Qbot. Qbot basically is part of a first phase random emails, you
know they send random emails hope for a target, collect it, put them into a botnet. Then
think about how do you monetize the botnet, ok.

See the way it operates. Clearly see it. I will zoom in, zoom in, zoom in, zoom in, zoom
in, I will zoom in. This is a phase 1. So, this uses what platform? Ok, I can call it ok. So,
it uses an attachment with a zip file.

Why zip file? So, that the email scanners cannot scan. So, you download, you unzip the

174
file. So, the file that you have scanned which is a zip file and the file that you are running
now on your machine are two different things. See the ingenuity, smartness, correct. So,
when you open what happens there is a malicious XLSM file, which is in it.

When you open it, what happens? It will execute Macros. Here the vulnerabilities are
Macros. Macros are designed by Microsoft to make your life easier, to automate lot of
tasks. Now the attacker is exploiting it to do his tasks, on your machine. Clear? What
happens to it next? It downloads the malicious DLL file separately, binary separately,
there is first stage payload and from the first stage payload it loads the actual Trojan.

After that the, see the stages. Can you see the first level download, second level download,
persistence? Now here ransomware and trojans, it depends on how the bot manager wants
it to be. Collect some random documents, random emails and then sends it to the master,
which is your command control. Now command control looks at sample documents that
it received and realizes, oh my god this guy looks like a guy with lot of money.

Let us ransom him. I will place like a random fellow who does not have anything. Let
him buy my botnet. I will make him just click random ads, get some advertisement money.
You guys can see clearly now, how it all operates. I will show you some emails.

There is a real thing which we, compromised email address, real email. Hello please read
this and confirm regards. See the zip file. Now if you receive an email like this from your
boss what will you do? Yes sir, I will do sir. Correct? That is what they count on.

Now read this one, another trick, another trick. Please familiar yourself with the attached
file and reply here, if you have any questions. Do not call me. Reply here only because if
you call me, I will tell you I did not tell you.

Correct? This is how this world operates. Same document again here too. Yeah, now if
you look at the malware you can see lot of things are hidden here. Can you see hidden,
hidden, hidden, hidden, hidden, hidden? So there are many sheets in the excel, in the
excel file which you cannot see. When you open the file it looks like this, enable content,
what does it say here, Macros have been disabled. It will force you to enable it.

So it is a clever use of exploit plus social engineering. Background you can see. Sir it is
a data pro that you are using. Data pro form.

Yes it is. It is not data pro you do not need data pro for this actually. Ok. But yeah data
pro is this one. Yeah. This is data pro. Data pro is a debugger so that you can look at the
source code to understand the malicious component more easily.

175
 There are many other tools like Ghidra. Ghidra data pro. Ghidra is released by US
intelligence, NSA. It is a good tool but nobody trusts it, but then it is a good tool. Yeah,
now we have seen roughly some idea, So far any questions? Nothing now? Clear,
everything is clear, super duper? Yeah now, let us look at we have talked about small,
small actors. How do you define a cyber attack? Now we look at the serious players in
this game.

The serious players are called APTs. APTs are people who run this as a serious business.
They have their own motives. They could be government trying to compromise other
governments or it could be a group of hackers who are in it to make a lot of money.
Because building these softwares, finding bugs, exploiting, weaponizing, targeting is a
very, very expensive business. It is not as cheap as it appears to people, correct. So it is
basically an attempt to gain unauthorized access to a computer or a system or a network
with intent to cause damage.

So broad difference APTs have, some other higher motives which is why they are called,
they are advanced and they are persistent, they are after you, they are not going to give up
so easily. They do not give up at all and they continue to be a threat. A regular hacker
leaves you behind, goes after something else, but APTs do not go. So the most dangerous
threats that we look at are advanced persistent threats like another one example of APT
group is where India was developing vaccines during corona, all our healthcare companies
were relentlessly targeted, to copy the vaccine source code, to copy the vaccine mixtures,
formulations and all that. So that is an advanced attack and it is a persistent attack, they
did not give up till they get what they want, clear.

Of course, lot of people have lot of motives, we will talk about some of them. The first
motive steal data, this is also called as cyber espionage. Second one disrupt and third is
destroy. So usually technically we look at cyber attacks in 3 Ds.

The first one is called disrupt. You basically irritate the functioning of any system. Next
you degrade, I used to manage 100 customers simultaneously, I can only do 50 because
you destroyed two of my servers or you are just doing worse on me, my bandwidth is
getting wasted at you. Last one is, so these are the 3 Ds, correct. One recent example we
had was the power grid of Mumbai, the Tata power's power grid suddenly came down,
nobody had any idea why, I leave it to you to imagine, correct.

Just keep that thought with you. Let us broadly look at what type of attacks that we
usually see. These are the types of attacks that we usually see, the top 15 attacks, I am
sure all of you will understand something about these attacks, if you don't please ask me.

176
I have sorry, sorry. Distribution of malware, web based attacks, phishing attacks, web
application attacks, spam, denial of service, identity theft, data breaches, insider threats
botnets, physical manipulation, damage, theft and loss. How does that happen? Take a
USB drive and put it, I will explain in couple of examples also, ransomware, espionage,
crypto jacking. What is crypto jacking? Crypto jacking is when you take over other PCs
or something to basically start mining for cryptocurrencies.

That is crypto mining, crypto jacking could also mean taking over your wallet directly,
clear. These attacks everybody understands now, fair enough. Let us also look at one
sample APT group to continue our discussion going back. So, SideCopy is an APT group
which probably is affiliated with Pakistan. So, nowadays we see it with lot of Chinese
help, naturally expected. So, their malware modules are constantly under development,
continuously they evolve, but the code remains are very same, the actors are keeping track
of detection, you know you can see that efforts they are trying to change their source code.

So, that no longer this antivirus detects that antivirus detects and they are also smart
enough to fool others by trying to copy another probably Indian APT group, by copying
that group's tools you want to mislead others. So, this also happens, now this is an
application which Government of India developed to prevent people from accessing
illegally email accounts of government officials. So, this group started a campaign
distributing a malicious version of that application, by saying you seem to be hacked.

So, please download this application and use it henceforth. I will just put a screen on
this. So, this is the actual application. So, they started using this similar copy of this
application, correct. How do they do it? Here you see this one, I will go back.

Now you have seen this application, mail hyphen gov dot in, how many will notice it.
Happily distributed this. So, this was an operation which they worked also.

177
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 07
Lecture: 21

These are the most popular groups that you see today, largely I try to not include any
state actors, these are organized to cyber groups which are basically hackers for hire or
their own enterprises, they make lot of money on their own, I will try to cover couple of
them, so one of them is like a very very famous one which I am sure you will also read
about it henceforth when you notice it now, it is called Lapsus$. So Microsoft found it
first, so they gave it name called DEV-0537, they are like they have their own Telegram
channels, you can also follow them on Telegram, they declare happily what they are doing
and how many have got hacked, how many, how much money they have lot of things and
they even invite others by saying, ok your company is not treating you well, this is the
payload, please run it inside your network, we will ransomware them and we will split
the profits with you. So this is the type of thing they have done and they continue to be
active even today and they also try to create hype by saying we are a very simple, very
simple hackers, we do not know much tech, we are not heavy tech, so which is why we
are like you, we can share profits with you, I mean the different type of marketing, a
different type of marketing approach Lapsus$ and of course, we can also look at couple
of activities that happened in the Russian Ukraine war. The Russian Ukraine war is
specifically unique because the activities that you see during the war are fought by
organized cyber groups which are not known to have any affiliations with the respective
governments, so the borderline fall under cyber activism, so some of the cyber groups of
Russia started targeting Ukrainian and the western assets, same as some of the cyber
groups of Ukraine and the west started targeting Russian interests without any
provocation. What say they just started doing it on, it is like they are waging their own
civilian war between them. So this was another very very important thing like lot of
DDoS attacks happened continuously, independent hacker groups, anonymous have
started targeting Russia and similarly Russian groups have targeted, so this type of things
and there are some groups where both of them were there, they split and they fought, they
shared their source code, there is a group called Conti, the group source code was dumped
saying we will no longer work with Russians, so all sorts of things you know happen in
the cyber space.

Now there is a huge spike in attacks because of the cyber war between them, so this is
like, for example you see Quad9 is one thing which was like heavily targeting the Russian
and the Poland and other the Ukrainian and the Russian countries by Russian hackers, so

178
there is a huge amount of activity increase from them, clear? Yeah, so far so good? Yeah,
now we will little bit talk about, now we have seen the attacks, attackers and all that, now
let us talk about how do we defend, how do you even know that you are under attack is
the first question that I would always ask, look at these two news stories, this is about the
attack that I talked about, the Bombay attack, can you guys read it? No, cannot read now
I will just rezoom it, let me put it, this one, let us read this one first. This attack happened
in the peak of Indochina conflict, oh sorry not this one, but yeah think about this, clear?
Let us look at the other one too, it is even more interesting. Clear? So the first part of the
article, the first one that I have shown you was not so clear, there is a chemical accident
randomly happening, there is similar accident happened in the Neyveli Lignite
Corporation also during the peak, so that probably it is connected, yeah but that being said
the second article is more or less clear, is not it? What did the government of India name
them? They did not name, why? This is another characteristic of the cyberspace,
attribution is very very tough. Just because the server is in China, can you say that Chinese
have attacked us ? Just because server is in Russia, can you say that Russians have attacked
us ? It would be anyone you see, so this is the challenge that you have inbuilt in the
cyberspace.

Now that being said think about it, now we care about protecting our assets, which assets
we should protect most, can you protect everything? So how do you prioritize? Any
thoughts? So in ISO 27000 guidelines, there is one classification called categorization of
information assets. Now based on the relevance of information that is being stored within
the, I am talking about the information assets only, so based on the relevance of the
information that is being stored and processed within the organization, organization
should take measures to categorize this information. To simply put, what you basically
mean is organization has to identify what is critical to it. What do you do with the country
then, how can a country, country pick what is it, but can the country defend everything?
Now see the Indian Army got all our borders, what do we do in cyber, where are our
borders, do we have borders? If you guys just call me on WhatsApp, mostly our traffic is
going by Singapore, where is the border? We are here, I am here, how do we got the
border? So we can not protect all that much is clear, right. So what do we protect is what
we call as critical information infrastructure.

So we protect primarily what is known as critical information infrastructure. How is it

defined? It is defined as those facilities, systems or functions whose incapacity or
destruction would cause a debilitating negative impact, very strongly negative impact on
national security, governance, economy and social well being of a nation. So it is a very
loose definition, but still gets you some idea of what will be considered as important,
clear. So under this, this is a part of the Information Technology Act, section 70A of the
Information Technology Act. Now under this government of India has notified an

179
organization called NCIIPC, I will cover that, the organization has notified these as the
critical sectors that it would want to protect first.

So we are talking about protection here which means you are not hacked yet, this is before
the hack. What are the sectors? Power and energy, banking financial services, telecom,
transport, government organizations and strategic and public enterprises. So the
enterprises which manufacture are essential medicines, which manufacture railway
wagons, ships, defence equipment, nuclear power corporation, they are all covered under
this enterprise. But honestly tell me, are all equal in this list? Let us look at the
relationships that they have with each other, I will zoom it a bit. Now you will understand
the challenge of cyber sector.

Let us say if power goes down, what will happen next? A power grid is compromised
by a cyber group, what will happen next? Can hospitals run? Can government run? What
will you do if you keep all the banks everything up, no power then what? It is over? Power
obviously comes first, you have power, internet is not working, what will you do next?
So telecommunications, ok internet is working, neither you can pay nor you can buy nor
you can move, transport is not working, what do you do? You see the internal linkages
between these sectors are very very delicate. Just imagine this thing, during the COVID
lockdown period I would say Zomato, Grofers, they are critical infrastructure because if
they go down, half of the people will die of starvation. You have money, you have
everything but then what? Think about it, we are transporting vaccines for that bit, for
that stretch of the railway line it is critical to me because of that there is an accident in
that railway stretch or inside a tunnel, I am gone. So that is again critical to me. So the
concept of criticality is very, very fluid and very very tough.

This is the reason why governments find it very difficult to respond to the challenges, so
does industries. Now as an industry you think about it, how will you define what is
critical? How will you identify this is critical to me? You simply say it is profits, what
about intellectual property? Access to it, employees, accidents, compliance how many
things exist? How can you prioritize them and say a circle around it? So these are the
complex challenges. Let us look at some of the attacks that we have endured in the last 2
years, last 2-3 years, just observe them. These are all attacks targeting India and see
possible motives that the fellows would have. You guys can see it.

There are more. How many critical organizations have we covered so far? How many
sectors have we covered so far? If you simply sit and make a list, you will realize all your
critical sectors are being attacked one way or another and largely lot of our data is already
gone out. What next? Power grid attack, correct? So we can create a taxonomy to
understand the attacks also. I will elaborate this later but just for now hang on with this

180
one and see. It is a power grid attack, most likely a nation state.

India is to sabotage our functioning or to affect our reputation. Think about it, how would
your countrymen feel or rather how would we feel? The peak of a war, one of our enemy
communicates that in the right in the heart of your country I can make the lights go off.
What is the message? Cyber physical, it is not just a pure cyber attack, there is physical
consequences. Which means there is something that has to do with this world too, power
was gone. Software hardware communication supply chain we do not know yet how they
breached it.

What they have done manipulated system resource and injected unexpected items so that
it crashed effectively. It is an active attack not silently ignored it is actively triggered and
run. What was compromised? The integrity of the system is compromised. It was not
supposed to fail. See it now, at the end of the day similar type network how many we have
here? If this is susceptible, most likely they are too.

Now what is the message to us? Look at my reach, what I can do for you. So to protect
this type of institution, government has created an organization called NCIIPC. It is a
National Critical Information Infrastructure Protection Center. It is a long tongue twister,
but if you understand the word critical information infrastructure, it is easy. It is a nodal
agency established under section 70A.

So it designates and issues lists of critical sectors and issues guidelines on how those
sectors must be maintained. So it sets standards. You are an oil sector, you are power
sector, so you should follow these guidelines and if you have any incident or any
suspicion, please report that to us. We keep monitoring the cyberspace, whenever I find
something, I will tell you. When I tell you, you better do it because it is not about your
business it is about the whole country now.

Clear? So these are the sectors, we have already seen this part. The challenge in India
always continues to be [Link] are so many agencies. Even now, we have seen, we
have not talked about a very important agency called CERT-in. So far we have not talked
about it now because CERT-in role immediately begins, when there is a breach.

CERT-in literally means computer emergency response team. So it is an emergency

response. Emergency response is after an accident, in this example after an attack. The
job is to come and immediately put bandaid, bones, skins everything and say okay, okay
now you are up and alive again. Correct? Now where does the role between the NCIIPC
and CERT-in come? The logically probably it means the NCIIPC job is before the
protection, CERT-in is after the protection.

181
 But is it easy to split it like this? CERT-in also, as they have listed on their website, they
also provide audits based services, so companies should audit their organization. So also
there is one more thing, there are different organizations that follow along NIST, ISO and
other guidelines as well. So how many in today's scenario, the Indian organizations, what
do they follow exactly? Are they following these audit, what are the audit guidelines if
they want to, in this realm of cybersecurity? See, basically CERT-in is an agency which
regulates the cybersecurity industry in India. How do they do it? By saying that I am
empaneling this list of companies to give you a certificate that what you are doing is safe,
something called the 'Safe to Host' certificate, correct. Now government of India, unless
and until it is exceptionally critical system they do not expect you to follow any standards.

But the companies follow for their own benefit, international standards like ISO 27001.
Like you said, this is something that everybody would like to follow, to give assurance to
to their customers that okay, your data is safe with me, to the investors proprietary
technology is safe with me, nobody can copy it. And to get a certificate of ISO 27001, it
is recommended that you follow certain empanelled guides only. Because now there is
an independent agency CERT-in has nothing in, nothing for itself right. It wets and says
these 10 companies can give you that certificate because I know they are good, tick, tick,
tick, tick done.

So only then you take certificate from them, which way most of the banks let's say I am
regulator like bank, like RBI, I am asking you as a bank are you safe in cyber ? How can
you answer that question ? I have given you a framework, how do I know that you
followed everything? So the easy way for you to tell me, " Sir dekho, this is a, this is a
certain empanelled organization, they have audited me and they gave me a certificate
saying that I comply with all the regulation that you want me to follow. That is an
independent proof, correct. Now let us say, I am an international bank with a national
branch, Indian branch, now I will also follow European guidelines or I will definitely
follow international guidelines like ISO 27001 or NIST framework of USA, NIST
frameworks, ok. It is largely left to us, there is no guarantee as such, but if you are a
critical infrastructure NCIIPC issues separate guidelines, you have to follow them and
they are to be read with your regulator guidelines, your regulator is also issuing one, they
are also issuing one. So, you have to harmoniously read both and in case you are breached,
CERT-in also issues one and when there is a breach, do you really think people will stop
without stealing money or destroying something, something like that would happen.

So, cyber crime also has their own list, the cyber crime police branch will come and say,
"Ok, what happened, you tell us everything. " You see that way, we have like huge number
of organization which deal with this. Now your regulator is also worried let us say, you

182
are a bank, RBI is worried "Yaar you lost the money, now how do I answer to all the
depositors ?" Now you see how many people are playing an active role in this space. This
is a big challenge in India, honestly if you ask me, I hope the, this clarity comes up then
everything will be much better for everyone, yeah. So, this is a taxonomy which I have
just given you as an example, you seen in the Seibel grid act, right.

So, this is a general taxonomy which some academicians have brilliantly made and
unfortunately I am not able to remember the paper. So, this is a brilliant way to understand
attacks, I can run you through couple of examples so that you can get an idea, but before
you do that, just remember the key points. Who is the source of threat? What is attacker
motivation, scope of the attack, domain, which part of the world? Is it the information
technology or the, my machinery which is called OT ? So, regular computers in the office
are called IT, my machinery in the factory is called OT. The difference is this, it is called
operational technology, I should include this in the concepts only, this is information
technology. I am sitting in the headquarters compiling reports, sending emails, receiving
emails I become part of information technology, I am running a machine which generates
outputs, measures values, packages and all that, this is OT.

So, every organization will have both of them IT or OT, OT leads to more dangerous
outcomes. It is a chemical factory, blow up, nuclear power factory, leakage, we will see
couple of examples. So, this gap always exists in theory, the hackers always enter from
here and want to go here. So far clear? Yeah, there are like attacks on every sector, let us
quickly run through couple of them. Daimler Chrysler lost their intellectual property rights
for a car and obviously, one of our friendly, one of our not so friendly countries, have built
a car which exactly looks like that couple of years later.

How many billions of dollars lost? I will leave it to you. This is a very funny thing. So,
an employee was very upset with the management for firing him. So, he mixed drinking
water with sewage by manipulating the control system with a simple radio, running
around the sewage plant. So, just travelling around in a car, kept on broadcasting message
open the gate, open the gate, open the gate, clear.

So, he held very old attack a similar type like that, is the ransomware I think yeah,
sabotage this is pretty decent one, but 2016. Crypto mining I am sure you all know, but
this time it is on SCADA machines not on the IT infrastructure which means what you
can remember, most of the sensitive machinery inside factories are openly connected to
internet and they are so insecurely connected that a hacker could comfortably use them
to mine cryptocurrencies. Understand? This is a regular, is a regular financial group one,
it is energy group Riviera Beach group Ransomware, regular one. This one, I am sure all
of you will remember, Ukrainian power grid was brought down by the Russians, as a

183
message before the war, follow my line or I will bring you down. It is a debatable issue
how effective cyber weapons are, but then there was an attack on this too.

Another similar attack 2013, now this attacker could have practically blown up, but he
did not blow up, for whatever god known reasons, thank God. Stuxnet the most famous
of all, how many of you know Stuxnet? Anybody else, anybody else? Ok. So, let us ask
him, he has not spoken so far. What is Stuxnet, Babu? Stuxnet was allegedly a US based
attack, it was done to like, the Iran was trying to develop nuclear weapons. So, to prevent
that, this is a type of APT, they installed it via SCADA networks to to, they altered the
centrifuge speed to over shoot its limitation, to so to break the centrifuge and delay their
development in the nuclear.

Very correct, how many of you understood clearly? Anybody has any doubts? I will
quickly summarize it, nevertheless. So this was a first attack which had a very tangible
clear outcome. The outcome that the attacker expected was to slow down the Iranian
nuclear refinement process. So, they cleverly calculated the way to do it would be by
destroying the centrifuges which are used in the enrichment of uranium. Now how do
you destroy the centrifuges? They cleverly crafted a malicious application which was
deployed on to the centrifuges.

How they did it is a different story, I am sure you guys will go back and read about it, it
is definitely worth a read. What does that malicious application do? Let us say, you are a
control engineer in the plant, you are looking at the centrifuge screen the common the
HCI, the human computer interface screen. It says centrifuge is spinning at 20000 rpm.
Happy, very happy, you go for have a cup of coffee and watch. But what in reality was
happening is this malicious application was kept on showing 20000, 20000, 20000 on the
screen.

In reality what it was doing, it spins the centrifuge to 40000, suddenly slows it down to
5000. 40000 slows down to 5000. So what happens? Rapid wear and tear. So by the
time the plant operators realized, all the centrifuges are destroyed beyond compare.
Understand, clear? So by the time they awoke, they have to rebuild the centrifuges again,
it is all gone.

This happened in 2009, do not forget that. Of course, this we do not know is it an attack
or attack probably it is an environmental disaster but it also had a cyber implications.
Control systems are gone. Now once the 2009 attack happened, now the Iranians also
understood, oh we can also do this and they happily returned the favour by launching
attack on the Saudi Arabia Oil company called Aramco. But a much simpler attack unlike
the so sophisticated attack that probably US and Israel jointly did because they seem to

184
get, same attack triton, similar type. See after the Stuxnet, the attack infrastructure moved
away from your laptop, my laptop, to your factories and my factories or your sensitive
installation, to our sensitive installations.

Steel mills, hydro power plant, you name it, I mean tell me a sector that is not covered
in these attacks. This is a very funny attack, the publicly visible billboards on the roads
someone hacked it, saying Godzilla is attacking us. People actually panicked in US.
Another similar portal attack, this is also an OT attack in 2012, correct. Now let us look
at how do you secure by collecting threat intelligence.

How does country secure themselves against foreign attacks? By building a good
intelligence framework. What does it mean? You collect information about your enemy's
operations, inside the area of interest. Now for you the area of interest is outside your
organization and also lot of things inside your organization. So let me quickly go to
another slide.

Now you see this. So this is your area of operations. Your hackers must be talking about
you in social media. Are yaar, their firewall is weak now, their firewall module is outdated.
Would you not be interested? We have got 5 emails of their top management
professionals.

Their passwords are leaked now. Why do not we try hacking them? Do not you want to
know? People are talking about you? Point 1. Point 2, in deep web, you may be running
one random server distributing information from your product for your testing teams.
Someone has figured it out, oh, this is running here. Must be on a random IP address. No
domain name, nothing, but they figure out it belongs to you.

That is an end point, correct. Same conversation could be happening in dark web.
Someone is trying to buy access to your servers or must have figured out a way to secretly
pick up source code keys from GitHub. All this is happening everywhere, correct. So this
is also source of threat intel that you're collecting by constantly watching, what is
happening about me. And also collecting huge amount of data from your own devices.

You have 3 machines where there is continuous failure of login and that happened at
2.30 in the midnight and then one success. Do not you want to know? How do you know?
By collecting logs from all the devices. Then what do you do with it? Fuse it into a
platform called SIEM, SIEM, Security Information and Event Management systems. They
basically automatically compile all the logs, do some analytics on it and tells you what
you should be caring about.

185
 They are called SIEMs which is what I roughly captured here as SIEMs, correct. They
are the ones who will tell you. So this is why you have something called as SOC, Security
Operation Center. What does Security Operation Center do? They constantly evaluate
feedback coming from the SIEM. Now SIEM says, oh, there are like 7 - 8 break-ins inside
your network which means you are screwed really, right.

So what would you do? You elevate it to level 2, level 3, level 4 and analyst with amazing
amount of experience will quickly look at and say, " Sir, I think we have a ransomware
attack, rapidly spreading inside our network." Ok. This is how people today fight. They
collect threat feeds from these networks, fuse it with your own data, run some analytics
and try to hunt for threats inside their network. You found a threat, then what you do?
These are the 3 approaches that people follow.

EDR, Deploy Endpoint Detection which basically a simple way of putting anti-virus
which is connected to cloud, correct. Second is called MDR. Use this information, SOC
information and the endpoint information, deploy a third party outsider to come and fix it
or deploy a more advanced software inside your network to do all these jobs. It is extended
detection and response. So far so good? Yeah, but broadly speaking this is how people
generally study.

Because of a management background, so you should definitely know this much.

Guidelines, processes and all this, it flows from top to bottom like this. You have to first
frame a good policy, then you have to adhere to good standards because framing because
framing a policy should not be silly. We will be cyber resilient ok great, but what is cyber
resilience? We will protect our critical infrastructure, what is critical? Now when you say
protect, according to what standards? According to ISO standards, applicable government
standards.

Now how do you implement the standards? Guidelines, correct. Now when you come
down to the guidelines, your employees have to make sense of the guidelines. Then you
have SOPs, standard operating procedures. Now if you are, this paperwork is solid and
you are able to explain all this to your respective hierarchies, trust me 99 percent of your
work is done. This is where lot of slips between the lips and the cup.

You have good policies, no understanding of standards. Policies and standards, no

guidelines so that your employees have no idea. Boss is thinking we have ISO 27001,
none of the employees understand it, its value. So they keep doing what they usually do,
which is very very risky. So these are the challenges that you face.

So generally speaking, my advice will be like this, ok. Broadly if you are looking at as

186
a big company, probably you will be worried about you being a CIP threat, you are being
a critical infrastructure and you have threat. So you should look at issues like vendor
security. You may be safe, but your vendor is not, then what? Your vendor has access to
your network. Otherwise how would you know? He is filing bills, he is collecting data,
he is delivering inventory, collecting trunk boxes, everything right.

So it is not enough that you are safe, your vendors also should be safe. And factories,
not to be totally ignored, smart monitoring. Now what do you mean by smart monitoring?
Anomaly detection. How is anomaly detection done? ML models. Because like we said
you know, if everybody understands guidelines and standards, 99 percent of the work is
done. Can you trust everybody to understand? Can you create a ML model to verify this?
Yes today.

I will give you a simple example. An employee regular coming hours are 9 to 6. Log in
after 9 o clock. Very easy, you know something is definitely wrong with this. And there
is a log in without corresponding log in from the access card. So person did not come, but
there is a log in on the server, how? So these are multiple patterns that you can generate,
best by identifying anomalies.

To study all this, you do not even need to do anything special, just keep looking at what
is normal by observing the data network for more than 2 months, 3 months. Then observe
all benchmarks which are beyond this, it is over. Make sense? This is where extensive
use of ML is going to come. And ML is going to come in analysis of malware.

Now malware writers are also using ML to obfuscate what they want to do. So to fight
a malware writer who is using ML, you need ML to analyse, that is another trick that is
happening. So, and of course, but that being all said, this standard principles will continue
to be of great value. These are basics. So, you are denying an attacker space to operate.

You are making it tough for him to operate. That is the best you can do, know, apart
from everything else. Yeah. So, I want you to leave with these thoughts. When you are
working for an organization, always start with these questions. Who is my attacker? Is he
going to be internal or external? You should know the answers.

Keep searching all the time. What is his skill level? Script kiddie means he does not
understand much of cyber. So, he will only pick easy fruits. You can convert easy fruits
into traps. You create one server, which nobody else knows, nobody else visits.

Anybody who visits it, is a hacker because no regular employee will ever visit that.
Unknown guy is inside the network, na? Those are traps, you can build them. Semi skilled

187
guy, you can still catch him with good EDR, XDR, these type of networks. Highly skilled
guy, very tough. You need to deploy a separate team.

You need to have, you need to be very paranoid about your core assets. If you are a
national enterprise, this is one something that you will be worried about, correct. Now,
next now you found an attacker, why is he attacking you? Espionage or maybe to just
demoralize you. Let us imagine you are working on a very sensitive project which will
transform your company. Someone leaks your source code, dumps it on internet. A better
connect, you are releasing a super hot movie, someone dumps it on Torrents tomorrow.

Go on. This is the motive. What is the motive? You should understand the motive, very
important because capabilities are easy in cyber. Motives are very tough to gauge. Now,
inside the network, who is the target? Then you will understand, focused or unfocused
company. Make sense? Any other questions, boys? Sir, what are the, these ethical
hackers? Ethical hackers are hackers who have breached, but do not want to retain control.

They just want to alert you, which is why if you look at my old slides. The payload wala
slide, is basically it also had a slide on ethical hacking. This one. This is what ethical
hackers do. They identify everything, except short of exploiting the situation and then
leave it there. So, instead of running a malicious payload they run calculator, just to prove
the point to you.

You get the message, na? They will come and tell you, you have a problem. Obviously
99 percent, nobody agrees. Then say look at your computer, the calculator will come in 5
minutes.

Ting. You know it works now. Correct? This is the sample information. It is available
on the web page. It is vulnerable. Please patch it. So, guy with a motivation not to exploit,
but to alert.

These are called ethical hackers, white hats, all this. A guy with the evil mind is called
a black hat. And usually generally speaking, puritanically speaking, hacker is a good word.
It means a guy who is interested in understanding internal workings and one who is so
curious that he want to improve it by even destroying it or playing with it.

So in our times, Cracker used to be the guy who is a negative guy. Now people do not
differentiate. Ya, but when I was studying in the college. So, if you have your guy cracker
when probably you are not a good guy. A hacker is a good term which means you are
curious, you want to understand the intricacies of every system and then do what you do
not expect the person to do. Like you have a username password, type in Tamil.

188
 Is a programmer expecting you to type in Tamil? Let us see what happens. So, that is
the curiosity of a hacker. Yes sir, with the evolving of the cyber crimes, what are the,
some of the you know gaps in the cyber security policy of India. See the like we covered
in the presentation, the biggest gap in the cyber security policy is there is no clarity on
whose role is what. There are many agencies which are trying to do their bits, like you
look at this one.

There is a massive list of agencies which are trying to operate inside the cyber space. It
is really tough. There is a brilliant article by Ken. Look at this, the title of the article is
what? Too many cooks. Look at the agencies, how many are there which are operating on
cyber space.

And first of all we do not have a good cyber security policy at all. We have cyber security
policy from 2013. It is old and outdated. So, there was a lot of news about coming up
with a cyber security strategy by the current national cyber security coordinator who
works in the PMO. Somehow it is not come out yet. We need to solve lot of issues, like
India is only country where protection and response are two different entities.

Like we have NCIIPC and CERT-in. Usually they both are under one organization
everywhere, like in UK we have national cyber coordination center NCHQ, comes under
the NCHQ. We also have NCCC.

We also have CERT-in. We also have lot of other organizations. Huge proliferation in
India. Everybody is trying to do something, something, something, something. There is
some lack of cohesion and coordination at the national level here. But I think they will do
something about it, I am sure because this is, cyber security has been a great priority area
for the government, at least for the last 3-4 years, I am personally I am watching it. I am
sure maybe that cyber security strategy will come up soon.

Lot of people are you know, anxiously waiting to read it. Sir what kind of, there is open
source intelligence techniques that are there. So do you employ open source intelligence
techniques to real world applications also because from my observations in the darknet
forums that are there, for example, you have lot of data breach that is out there. You can
actually go and download it, for example if you go look at Zomato, Dunzo, you can get
the GPS coordinates as well of what the last login was. So how do you use this information
if you get and what other methods that you employ currently, that you can protect and
defend the different organization, also for consulting the different organizations that are
consulting you, how do you approach them, Sir ? See the information that you access
from the dark web is strictly not a information that you can rely upon because you do not

189
know if that is actual term which came from Zomato or not.

I am being purely clear. Second part, you have no right to user information, it is not your
information, let us say if it is true too because the hacker is saying it is my information
that I stole from Zomato. How do you know ? Point number 1. Point number 2, Point
number 2, you have right to user information, you do not have the right to user information.
So if you do not have right to user information, can you capitalize on it ? Cannot.

But there is open source intelligence relays on. See the idea, see the definition is that you
have to look at the definition of the open source. Open source is anything that is public
and you have right to use. So this information you cannot use for actually building but
then people, see this is about the people who want to follow the law. But we are here in
cyberspace, cyberspace people usually you know there are many hackers who do not want
to follow the law.

So they have access to all the information. Now some hacker has dumped on the forum
saying this is Zomato data. So people randomly pick 4, 5 and see yeah this is. But how
can we assure that that information is actually accurate. We do not know who dropped
the data.

We do not know what his motivate is. Maybe it is 50 percent accurate, 50 percent not
accurate. Maybe it is a plan, we do not know all that. See that is a challenge in dark web.
You have no authenticity or veracity of the data. Now you go and ask the companies,
mostly they say I do not know, this is not my data. Now under those circumstances, how
do you give a qualified advice to a customer that this is, this is the data that is leaked out
and according to our information, this and from this data is valid.

You are under threat. So but that being said, you can always advise him, probably this
could be true. Please take precautions. So you stop there. You do not cross that line.
Separate questions from question from this. So for example, if there is a consulting
company, comes to you and we need to identify our vulnerable spots within the
organization.

So what kind of approach do you follow while, I mean working with the consulting
companies. So basically this engagement is called a red teaming engagement. So in the,
in the market, we call this as a red teaming engagement. So what does the red team do?
Help you understand how vulnerable you are by showing you where your defenses are
weak.

This is very similar to ethical hacking. So ethical hacker actually hacks. Red team comes

190
till the point of hacking. They do not. They just point it to you and they do it in a
consultative manner. They tell you I am going to test this system, only to the top leadership
of the organization.

Nobody else should know. Then there is no point now. Everybody will cover up
immediately. So it is called a red teaming engagement. As a part of red teaming
engagement, you do vulnerability analysis, you do penetration testing, then you come up
with a report, then you also depending upon the organization and the mandate they give
you, you look at, okay what type of standards that I am supposed to follow, how many am
I really following, what are my gaps, then you do a gap analysis, then you help them
understand how to plug those gaps, again as a consulting engagement. Correct? While
this, in this process, you look at everything like the way a hacker would look at it. Like a
hacker would start by identifying vulnerable usernames and passwords leaked in the dark
web or just doing a quick analysis of your web pages, quick analysis of your data on
Github, quick analysis of your data on lot of other places, correct. Maybe he can target
your vendors, maybe you can simply call up your employees and say, okay I am CEO
speaking, so I do not have access to my phone, can you please tell me your OTP ? All
those things.

So, the red teaming engagement objective is to test you really, are you ready for a cyber
attack ? Correct. In some cases, you also do stress testing, you DDoS it and see, but that
again as said, this is a consultative exercise. You may get a red teaming engagement, you
do not act unilaterally, you consult then slowly, slowly grow, clear.

191
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 08
Lecture: 22

Hello and good morning, welcome back to Cybersecurity and Privacy course, we have
been discussing a risk management, cybersecurity as a risk to be addressed for
appropriate solutions, that is what we discussed in my previous session, I know you had
a session with Mr. Sai last week and I am hopeful that you could get lot of insights from
experience, from practical experience in handling cybersecurity issues. So that is one
aspect that complements the theoretical, conceptual inputs on cybersecurity
management. So today, I plan to summarize what we discussed in risk management
and then close that topic and then move on to cybersecurity technologies. So the topic
for today is to give an overview of technologies that are used, particularly for protection.
So we have seen different roles of technology but we would intently look at the
protection role of cybersecurity technologies and then of course, we will discuss a case
on defense, especially we are looking at technology today from the defense point of
view, How can you deploy technology for defense against attack? So risk management,
so in risk management we saw that risk management is basically a preventive measure,
we try to identify assets because assets are that which are attacked or become the target
of enemies.

So therefore we found that for risk management, there are three stages, the three stages
are one, you identify. You identify yourself and you identify your enemies. So
essentially you identify your assets and you also identify the threats, potential threats
and then the next stage is a assessment. So assessment mean, it is all at a quantitative
level, you try to measure you try to bring some sort of precision to each of these
categories.

So you have identified your assets but how do you value them ? So if they are affected,
what is the impact, what is the financial impact and therefore there has to be some
valuation of these assets. So that is one aspect and then you also look at threat
intelligence, what is the probability that particular threat would materialize and you
know, threat would occur and if that occurs what is the chance that it will be successful,
given your existing defense systems? So we actually finally discussed two important
measures that are used in assessing risk. The loss frequency and loss magnitude, loss
frequency and loss magnitude and we found loss frequency as a product of probability
of an attack into probability of successful attack, success in the sense, it actually

192
happening in your system. So that is loss frequency and loss magnitude is the exposure
of a asset. So asset value multiplied by how much, what percentage of that asset will be
exposed.

So these are actually measures that one need to have and once these measures are
developed, you can actually arrive at the final measures for calculating risk. So we also
found that risk is an overall measure or we call it residual risk, the risk that is left after
implementing certain protection mechanisms, that is the residual risk. Residual risk is
the product of loss frequency and loss magnitude minus the protection from existing
systems plus a measurement error, a measurement uncertainty, not just error, you can
actually calculate measurement uncertainty from the error. So that is the residual risk in
a very detailed level of quantitative measurement. So assume that you have assessed
risk for each asset.

So we, the unit is asset, so you go by asset, so each asset has vulnerability, each asset
has a value, so you know, you actually arrive at the vulnerability by mapping each asset
to a threat and then you assess the vulnerability of each asset. So we have a TVA
worksheet and finally you also calculate the risk pertaining to each asset. Now this is
actually placed before management. So the management is given the information, well
you have so and so assets and these are the risk under which they run. So the
management has to take decisions on risk management.

Finally risk is something that needs to be managed, you have made an effort to
quantitatively estimate risk for each asset and you say, your so and so asset, asset X is
having this risk in a relative scale. Now, so what, what do you do? Action has to come
from the management, you are informing the management you are running at so and so
risk, some have low risk, some have very high risk, some have medium risk and so on.
So what are the options in front of the management to manage the risk? So there are five
options for risk management, that is what is depicted in this slide. You can see, the first
option is defence, second is transfer, third is mitigation, fourth is acceptance and fifth is
termination. So it is not just one option, defense is not the only option, often times we
think that cyber security is to develop defense systems.

But you can see in management literature, defense is one of the options and that is not
the only option. A management when it is informed about the assets and risk and a
comparative scale for all the assets, it could take a call in any direction and that has to
be, of course justified as to why are you taking a particular path. So a justified path has
to be taken for managing risk. So defence is essentially, well you find a risk, your e-
commerce server has a high risk and you just do not want to leave it as it is. So you
immediately want to step in and put in place safeguards.

193
 So you decide to invest more in cyber security technologies, you decide to recruit a
CSIO, so you may invest in people, you may invest in technologies because your
decision is to defend. So if an attack occurs tomorrow, we want to be fully prepared or
as prepared as possible. So that is basically an effort to reduce the risk. So when you
increase your defense, you are basically reducing your exposure or reducing the chance
of success of a attack and therefore you are actually building a defense against potential
attack, option one, that is an investment decision. Transferal, can you imagine what is
transferal? This is another management option and it is a very smart option and this is
what many non IT companies would do about their cyber assets and that is essentially
to transfer risk from the owner of the asset to a third party.

Outsourcing, essentially outsourcing, in outsourcing the management of your IT assets

is transferred to a third party vendor, a service provider. So look at say, TCS providing
IT services to a US client. So it takes responsibility for the running of the systems and
there are service level agreements. So what the client want is that the system should be
available at say 99.99 percent and so on.

So that is the responsibility of the service provider to ensure that the system is
available. So cyber attack is something that the vendor needs to manage or the risk of
the owner is passed on to the service provider. So that is one way. What do you think
about cloud computing? Today's storage has moved to cloud. He is talking more of
transferring this entire data management and everything to cloud computing wherein
that would be actually a third party vendor.

Because if we see, transferral itself becomes a superimposing topic which includes all
these defense, mitigation, acceptance, termination itself and because it is a very broad
based when you transfer some, the entire risk management to someone, as a transferal,
like TCS or so, then they start taking care of all these aspects from defense, mitigation,
acceptance and termination. They may, but each of them are separate strategies, you
may still own. So a company can transfer, it can also choose to own. So then the
mitigation is actually the responsibility of the client. So it depends on what choice.

Once the risk is transferred, the vendor may try each of these options again because
they have to manage the risk. So that is right. But yeah, that is but the client can
continue to own the assets and take one of these options, option other than transfer. Can
we say that transferal basically means, more towards this cloud computing? Cloud is
one option. There is something called managed services in IT.

You are from the IT industry. What is managed services? Say Wipro or TCS, manage

194
the IT services for a third party. What that means is that the assets may still be owned by
the client, in terms of the material ownership but the services are managed. It is for the
service provider to ensure that the system is available. So cybersecurity management of
the asset of the client becomes a responsibility of the service provider.

So that is another model that is called managed services. So there are different options
available for managing cybersecurity or transferring the risk to a third party and then we
sort of you know, we do away with handling it yourself because oftentimes you do not
have the expertise, internal expertise to manage cybersecurity. So you give it to a
professional who can do that. You have a point. In this transferal model, actually then,
still you know, we might be unstable to the customers, we might have transferred.

Yeah. As I have mentioned. Yeah. You recall a case right which we discussed, which
is the case of iPremier. In the case of iPremier, the company had transferred the risk to a
third party but the third party was unprofessional. They were actually not updated.

They were even worse than the client's knowledge about managing cybersecurity. So
therefore it has to be professional management, of course. So let us move on, the third
possibility is mitigation. Oftentimes we use the term mitigation and risk management
synonymously with defense. Defence and mitigation are two different strategies.

Defense is where you build defense against attack. You build a firewall against possible
attack, that is defense. But what is mitigation? Mitigation assumes that attack has
already happened, as in contingency management or contingency planning. So in
mitigation, having an incident happened, how do you minimize the impact? How do you
actually minimize the impact of an attack? That is the effort towards mitigation. So risk
mitigation means you are not building defense systems but you are trying to minimize
the impact of potential attacks.

So for example, if you invest in contingency planning, you actually create a team for
contingency planning, you invest on a hot site. Are you defending? It is not an
investment in defense. It is an investment in reducing the impact and therefore it is a
mitigation strategy. So you have to look at it from two aspects, you know in terms of
managing risk by the client, of course. One is to invest in defense technologies, other is
to invest in mitigation.

Mitigation means how do you reduce the impact . So those, you know, so separating
resources or allotting resources for contingency planning and having contingency
planning in place, is in itself, is an investment on mitigation or it is a mitigation strategy.
So that is the third option. So defense and mitigation are different, keep that in mind.

195
Oftentimes it is used, I have heard people using it synonymously but it is not correct.

Mitigation is reducing impact and the fourth option is acceptance. So you can recall
discussion of some of our cases like Target corporation. So some experts suggested,
why bother so much you know, you are say 70 billion company and you lost 500
millions. That is a small tip and does not matter. So do not over invest, do not do
anything about defense or mitigation, do not invest further on cyber security.

We will face or we will cross the bridge when we come to it. So but keep in mind,
these are all informed management decisions. Therefore, if your choice is acceptance,
you should know the economic implications. So how much is the loss and how much is
the gain and there has to be a economic justification for opting that path. So you know,
so you can imagine conditions under which an organization may just be ready to accept.

So I think to a large extent, academic institutions like ours, have chosen the acceptance
path, in the sense, we are not too much worried about cyber security, cyber attacks and
if something happens tomorrow, your data is leaked or hacked, well we will face it. So it
is not such a critical thing. So we just will accept it. We will see when this happens
because we do not have so much of investment in cyber security. So it is an acceptance
strategy based on, sometimes based on the criticality of data, criticality of applications
etc.

And the fifth one is termination. Termination means, well the investment in cyber
security has to be so much that it does not make any economic sense to have that
business unit or have that business. So the cash flows or the revenues versus the cost,
does not justify in having that business itself, you may terminate the business. You may
stop having or you may do away with those IT assets. You may actually sell it off. That
is also an option, based on economic justification.

So five options before management and an informed management, a rational

management should take decision based on economic justification. So what is the
economics of it? So let me go ahead and conclude this. So risk management strategies
aside, as I showed it you from the textbook, using the textbook language but there are
different standards which use, may use a different terminologies for the same thing. For
example, a standard for documenting risk given by NIST is SP 830, that is one.

So they use a slightly different language. You can see the equivalent language there.
ISO uses a slightly different language. So this table summarizes them. So essentially the
generic concepts are drawn from the textbook, you can see it in the first column and
then standard specific nomenclature could be different. And you may also note that

196
there are standard ways of documenting risk, once you actually assess them.

So as I just said, controls is something that needs to be justified, essentially economic

justification of cost and benefits of each option. So as students of management, you
must always, already be familiar with cost benefit analysis. For any investment decision
by a management, you actually look at cost and benefits and the simple argument is that
the benefit should be more than the cost and how much it should be more than the cost,
actually is often used to, you know, to give a go ahead to a project or no go ahead to a
project. So gains should outweigh the cost and that is the basic principle in justifying
cyber security risk management options as well. So when you take a particular decision,
say investment in defense or investment in mitigation mechanism, it is a actually an
economic, economics is involved, you are putting money into it to build certain systems,
to protect or to reduce impact etc.

So you need to actually arrive at a cost benefit sheet for that each option that you have
and one of the form, one way of doing that is shown in this slide, you can see you can
note that you first use a, you first arrive at a term called annualized loss expectancy,
Annualized loss expectancy, in the next slide I will show you, how to use this measure
to calculate the cost and benefits. So annualized loss expectancy is the annualized loss
magnitude, SLE is nothing SLE, single loss expectancy is nothing but the loss
magnitude, that is asset value into exposure factor, this we have already seen, this is loss
magnitude. So essentially loss magnitude into, you annualize it based on number of
occurrences in an year, you actually have an estimate of what is the loss magnitude over
an year that is, that is what ALE is, annualized loss and once you have this figure,
annualized loss expectancy, then you use that to calculate the cost benefit analysis or to
do the cost benefit analysis. How do you do cost benefit analysis or overall gain or loss
would be given by this formula, overall gain or loss, it can be a positive number, it can
be a negative number. So you have seen what is the annualized loss expectancy so that
you take, say an asset and know the loss magnitude and you annualize it and now you
look at the current now, prior is before taking an action, so risk management experts
have done already the risk assessment and there is currently a annualized loss expectancy
and then the risk management guys propose that you invest in certain technologies, is
the protection or mitigation or whatever.

So then post that investment, you expect a different ALE because now you have better
protection or better systems in place. So annualized loss expectancy post investment,
that is ALE post, this is ALE prior, this is ALE post. Now when you invest in a new
system to improve your cyber security, you also incur a cost, that cost is annualized
ACS. ACS is the cost for implementing the control, annualized cost of the safeguard,
ACS. So what do you expect, which would be a higher term, ALE prior or ALE post,

197
whose value would be higher or should be higher? ALE post would be higher? It is
about loss right, your, when your system is vulnerable, the losses are likely to be more.

So the current losses, expected losses are more because you are more vulnerable, your
asset is more vulnerable. But now you invest ACS, you invest ACS to better safeguard
your system and therefore you expect that the ALE, the loss will go down. Now the loss
expected loss will be going down but you can see the trade-off that is coming in, in this
part, ALE post plus ACS. So what justifies the investment in a technology for reducing
the risk is ALE post plus ACS. This term should be less than ALE prior, then you have a
gain, then it is a positive cash flow, then it is a gain, that is easy to understand right, this
is nothing but cost benefit analysis.

So this term, so if what happens if ACS is very high, then actually it does not justify
the control at all because your gain actually goes down. So reasonable investment in
cybersecurity to improve your risk would justify that investment, if not it does not but
you can see that all this economic analysis requires quantification and also monetize,
expressing these terms in monetary values, okay and that is a separate effort but
conceptually your investment should reduce the losses sufficiently to justify that
investment, okay that is the rationale in this formula. And now we have seen risk
assessment, then taking a particular control strategy, risk management strategy and then
having, well gone ahead with the particular decision, it is important for the organization
to continuously monitor because what you have at the time of an investment is an
estimate of gains or losses, okay but actual can be very different. So the management
also has to see that your investment is delivering the expected gains. So therefore,
monitoring of the risk control strategies that you have put in place is the next effort.

198
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 08
Lecture: 23

Which is cyber security technologies, so we are seeing that as part of cyber security
management, you can actually choose to defend or make your defense stronger or invest
in mitigation mechanisms. So what are those mechanisms, what are those technologies
that exist in cyber security to provide you better security or reduce your cyber risk and
well, feel more safe with the new safeguards? So that is the discussion today. So this, let
me put an disclaimer, this is an overview, so each of these cyber security technologies are
topics, distinct topics in the field of engineering and technologies. So I am not getting into
the details, particularly the detail of design but from a managerial perspective for
awareness, for having a decent awareness of what do cyber security technologies do and
where are they used and probably some functional aspect as to how they work, for
example, Cryptography, how does it work ? So that is the sort of plan for this session.
Well, I encourage you to watch some movies related to cyber security, I know you watch
a lot of science fiction, well I am just presenting two of them which I have watched and
it was you know, these are not recent movies when you have so many cyber security
incidents. In particular 1984 is a book, of course written by George Orwell in 1949.

So he wrote the book in 1949 predicting what would be a potential scenario in 1984 and
it is a classic, of course. George Orwell is someone who is highly respected, especially in
political philosophy, I would say he has a book Animal Farm, I recommend that book for
you to understand what is politics. And his book 1984 is about surveillance, so how
surveillance or surveillance technologies would become a very powerful tool for
governments to enter into the private space of individuals and then, you know the
government would decide what citizen would do, you know that kind of a situation is
what is depicted in 1984. It does not mean that that is the world we live in but we also
understand potential abuse of surveillance technologies by agencies who have power.

So it is a power asymmetry essentially, that plays out here, you know you are vulnerable
you do not have much say in what government should do and should not do. So the other
is, Minority Report of course, you like Tom Cruise, I am sure so Steven Spielberg, famous
movie which was released in 2002, Minority Report. So you can see the retinal detection
for access to systems. So that is a important topic in the movie. So access control is a
mechanism for ensuring cyber security.

199
 So this concept we have already discussed, access control and we know the CIA triangle,
coming back to the fundamental aspect of security - confidentiality, integrity and
availability are the objectives of cyber security and a mechanism for ensuring
confidentiality, integrity and availability would involve four steps. This also we have
discussed or covered in one of the sessions - identification, authentication, authorization
and accountability. Now in this session, we are going to see how technology can be used
for this access control mechanism. We have discussed what access control do but briefly
we will try to see how access control technology serve to effect the function of CIA or
how access control is enabled by technology. So identification, we have discussed this
already, it is about getting your ID okay, each one who wants to access a system or a
cyber asset or a cyber service should have a ID.

So creating ID is the first step, we have seen this already and now there are different
types of IDs. So the ID card is the classical one. An identifier is something that uniquely
identifies a user. You know in British era or for governance in particular, you need to
identify citizens and you did not have all the current technologies. In those days, during
the colonial days but they used to identify individuals.

When I was in school, there was no ID card but I was identified uniquely, do you know
how you were, what was the system in schools and colleges to identify people ? Not
biometrics. Not even your photograph. There will be certain unique marks in your body,
okay a black mole on the right cheek. So I recall that being recorded every time when
they talk about my ID. So permanent body marks, seeming that these marks are permanent
and the particular spot where that mark exist in your body may be very unique to you.

So but you can see it is it, whether it is very unique or not, you can always question but
that those were the methods or rudimentary methods that existed for identification. But
today you have advanced techniques and the second step is, of course authentication. Once
you have the ID and that ID is stored somewhere, okay when you present yourself for a
service, then whatever you present is compared with what is stored, okay so that
comparison is known as authentication, whether you are the person whom you claim to
be, okay. You say I am X, I need to verify that you are X, so authentication is the process
of establishing you are whom you claim to be and how is the authentication done? There
are different methods, some of the methods are shown here. It could be using something
you know.

Password is a method for authentication. Password is something that is unique, only you
know, okay and it is stored and you have stored your password and then you give your
password because only you know this and it is compared. Passphrase is, I think getting
some importance today because password can be sort of cracked. So passphrase is a longer

200
expression, it is a phrase, not a word. Okay, so that is another method.

Password I think, was developed in MIT many decades ago, passphrase is under
discussion today and you also know the one-time password today, okay. We live in the
era of multi-factor authentication. I think one of the groups referred to multi-factor
authentication, okay authentication can be done using one factor like the password or
passphrase. Authentication can also be done using multiple factors. For example, you log
in, if you, if you today log in to say, State Bank of India for accessing your bank account,
I first say what is my username.

That is my ID, that is what I claim to be, okay that is the first step. You say who you are,
okay we want to verify who you are. Give your password, okay. I give my password.
They compare my password with what is stored, that is first factor authentication.

The first factor is the password, okay. Then are you a man or an animal, okay? So you
have the CAPTCHA code. So that actually as a second step, ensures that you are a human
being, not a script. Then you are allowed entry into the next level. In the next level, there
is a OTP, OTP actually goes to a different device, okay.

So password is in your mind, it is stored somewhere, okay. In the multi-factor

authentication, the second factor comes from a different device, okay. You have to read
that from something you own, okay something which is yours, okay and that is your
phone. You know in India, of course because of our tele density touching close to 100%,
that has become a mechanism for multi-factor authentication. So the one time password
is the second factor, I would say, the second factor in authentication.

So there are three factor authentication and so on which Apple uses. So basically to be
very very very sure that it is you and not anybody else, okay. So it increases the level of
access control, when you have multi-factor authentication. So the other methods are, you
know you have smart cards, you have fingerprints, retina and iris scans, okay. These are
properties of the eyes which are unique to an individual.

For example, the blood veins or the vessels in your retina, the patterns are very unique
to each individual, just like your fingerprints or the iris scans which is actually the pattern
around your pupil, pupil of the eye. So these are actually parts of your body which are
unique to you, okay and that, when it is captured using camera and stored becomes a ID,
becomes an ID of you. That is your identity, okay so which can be used for authentication
and the fourth type of authentication could be using what you produce- your voice, your
signature etc. You know that is something that you produce. So you can see the different
methods of authentication using different types of IDs or a combination of them, which

201
is called multi-factor authentication and this can be biometric.

That is a part of your body or it can be, you know non biometric. So both can be used in
combination. Now since biometric devices are widely used in cybersecurity, particularly
for access control. From a technology point of view, one must be aware of certain
limitations of biometrics. So this graph depicts the limitations while using biometric
devices.

In India, I have read the cases of implementing e-governance services particularly for
rations, okay, so one of the challenges India faces while deploying digital technologies is
the problem of digital inclusion. So in urban settings, we are all privileged to be very
aware and updated about technology and we use technology. You can go to a retail store
and use any payment methods today which you want. You can use a UPI, you can use a
credit card or a debit card, you can pay in cash but if you go to a rural area in a, farmer
does not have a credit card and may not be even aware. So they are excluded from the
benefits of digital technology.

So what the government in several states try to do is to make it easy for them and include
them also into the benefits of digital technology. So they developed fingerprint based
authentication for providing ration. So in Krishna district of Andhra Pradesh, where I
actually met the IAS officer who was implementing this project, it came for a competition,
a national level competition and I was one of the judges and they made a good presentation
on how the system was implemented. So a farmer could actually come to the ration shop
and may not be having a wallet or cash but still can get her or his ration by just showing
the fingerprints. So the fingerprint biometrics is already taken from these users and stored
in the system and the, there is a Adhar and Adhar linked bank account.

So the bank account is also linked to the ration system, the distribution system. So when
you actually want a ration, say 2 kg of rice and then you show that I want the payment to
be done from my bank account directly. So you authenticate, do that, so then you show
your fingerprint with that the payment will be completed. So this is like acting as your
credit card. So in credit card you swipe, Hey, take my fingerprint, it is very good thinking
but they face problems while implementing this solution because the ridges, the ridges in
the finger, they get worn out, especially if you are doing manual labour.

So the system was not able to sense it and that was a technology challenge they faced in
implementing this solution. Then they came out with not just one fingerprint but make a
combination, do a combination of all the five fingers, so that the probability of
identification or correct identification improves and with that the system was
implemented. So that is the case study. So what I am actually suggesting is in using

202
biometrics, there is the false positives and false negatives and you know that there is a
trade-off between false positive and false negative. It is like controlling the entry into a
system.

Suppose you know, many of you entered for an MBA program into DOMS through CAT
score. CAT score is an important score for admission. Suppose the Institute decides or the
department decides, we are going to make it very strict, we do not want bad students here
at any cost, we only want good students. So 99.99 is the CAT score for entry into DOMS.

You see what happens, you are actually trying to ensure that the students who enter are
really good. So you are trying to prevent, what do you call false positives. There should
not be any bad students. So that is your major concern. There should not be any false
positive.

So then what happens? CAT of course is a questionable, it is a, at the end of the day it
is a measurement and there can be measurement error. You know somebody who could
not do well on that day for the CAT examination but is actually a really good student,
because the score is you know, not exactly matching. What about someone who has 99.8
? That student may be better than somebody with 99.

9. These are all you know, you know not very actual measures of someone's aptitude for
management and therefore it results in false negatives. False positives is strictly controlled
but then it actually increases. False positive goes down, false negative goes up. Suppose
you relax it, okay.

So this is not good. So you actually relax it, you say 80% is fine for admission, okay.
Basically your false negatives will now go down. You will not have students rejected.
You are actually, control the rejection. It is like type 1 and type 2, you know in hypothesis
testing.

So the false negatives goes down but the false positives go up, so you can see that trade-
off. That is what is compared here, FAR and FRR. They stand for false acceptance rate
and false rejection rate. When you increase FAR, your FRR actually is low; when FRR
goes up, FAR goes down. So the optimal point is known as Crossover Error Rate, CER.

CER is the optimal point and that is what is specified. A CER is typically specified in
biometric devices and one should be able to check what is that CER and is it a desirable
CER ? Is it sufficiently low, is something needs to be checked and it has an implication
for FAR or false positive and false negative and of course, you think through the problem
in hand and decide whether this is an acceptable biometric device or not. So that is a brief

203
about evaluating biometrics and the property of biometrics, in terms of acceptance and
rejection and the trade-off between the two and the concept of crossover error rate, which
is the optimal point. The widely used biometrics today are the fingerprints, the retina,
blood vessel pattern and iris. Iris is the random patterns of freckles, pits, striations,
vasculature and coronas.

These are different attributes of iris. The iris has multiple attributes, this is a, combination
of this becomes unique to an individual, okay. Watch the movie which I suggested, you
will see the use and abuse of these biometrics. Well, we move from access control to
firewalls, okay. So we are broadly discussing what are the technologies for cybersecurity
from a protection point of view, for protection mechanism. So one is you know, you
strictly control access, who can access the system, okay and make it really impossible for
unauthorized users to access the system.

So biometrics actually increases that protection and other, which are widely, the other
system which is widely used and which today, all of us are aware is the firewalls, basically
to prevent unauthorized access to your data center or your servers, okay. So it is about,
like building a fire, a wall which is burning around the classroom and you know, the
enemy cannot actually enter in here, that is the metaphor here. But essentially what a
firewall does is it provides access based on identity. For example, if someone from a
particular IP address is trying to access a database server, okay. The firewall can decide
whether that person can access the database server or not.

So the rules is built into or configured in the firewall, who can, which IP address cannot
access a given system and if someone uses that IP address and try to access, the access
will not be granted. So that is what a firewall does. It actually specifies who cannot, who
can access or who cannot access, okay and who can access is all other than who cannot
access configured in the firewall typically and there is also the concept of and this
particular diagram illustrates what a DMZ, DMZ means. So in this particular diagram you
can see there is a terminology known as trusted network. What is a trusted network? And
then there is untrusted network, here.

A trusted network in firewall literature or in cybersecurity literature means your network,

okay. That is your network, your internal assets, cyber assets, okay. This is internal or this
is your data center. Typically you take it as your data center, okay consisting of different
servers and applications that is running services for your organization, okay.

That is the trusted network. What is the untrusted network ? Any network that is external
to the organization is untrusted, okay. Because it is external, you do not know, okay. So
always go by you know, we do not trust it unless we know. So this is external. Now since

204
the external world is varied and you know there could be good and bad and ugly in the
external world, you need to have some mechanisms in place to provide access to your
trusted network and one method of that is to avoid direct access, okay.

You do not want any external agent to directly access your trusted network, to directly
get into your trusted network. Suppose they want certain resource, certain data from your
trusted network, that is not directly provided. A copy of your resource is available in a
dematerialized, demilitarized zone, okay. Sorry it is not dematerialized - demilitarized,
okay. I am sorry for the mispronunciation, demilitarized zone, DMZ.

So the DMZ is a replica of the trusted network. So the external agent is given access to
the DMZ, not to the trusted network. So it actually builds a sort of proxy, okay. It is a
proxy system that is a mediator between the external world or external systems and your
trusted network, okay. So you are aware of proxy servers which we also use in our data
center, essentially to insulate your trusted network from the external world.

That is what a proxy server do and this is another mechanism. Firewall is, of course an
application where you configure who cannot access your system using firewall rules,
okay. So it prevents access, okay. Now the third category of technologies used for
protection, okay to ensure confidentiality, integrity and availability of your cyber resources
is cryptography and cryptography is a technology basically to ensure that data or
information is not accessed, is not used, not accessed okay. Here the access control is not,
the access is not controlled, someone despite all the firewalls or all the biometric systems
and all that you have put in place, somebody can still gain access to your system when
data is moving from source to destination, okay. There is a flow of data, data in
transmission, while data is being transmitted someone who is not supposed to access, okay
the imposter or the evil, okay can still gain access.

Assume that somebody gains access, how can you still prevent that information is not
leaked to that person? That technology is known as cryptography, okay. So in
cryptography you do not control access .In cryptography you assume that somebody has
access but still, well you made all the efforts but you do not understand what you got,
okay. So that kind of a strategy is used in cryptography. So essentially in this, there is a
person Bob and I would call Alice, who is his girlfriend possibly.

So Bob sends a secret message or confidential message, he want, he does not want
anybody else to receive that message, right. Only Alice, probably Valentine's Day
message. So but somebody is very curious. There is someone who is very jealous there,
right. Yeah in this setting, there is a jealous guy, okay so who wants to actually see what,
what Bob is sending to Alice and that is a problem.

205
 That is something that should not happen, okay. So in cryptography, what you use, do is
you encrypt. You encrypt the message or there is a message and there is an encrypted
version of that message which, the encrypted version is not something that is legible or
not something that can be understood, okay because it is different, you cannot see the
message in it. You can only see some characters there but it does not make any sense to
someone who accesses it, okay that is krypt, kryptos. Actually I think it is creek, means
hidden writing, okay. So encryption is the process of hiding the information by encrypting
it.

So cryptography there, of course evolved over several years in the world of cybersecurity
and of course during the World War there was, you know the Germans used cryptography
and it was broken by the British scientists, you know, you can. You have popular movies
on that today. But this is something that is actually employed in the, in cybersecurity. All
of us uses Whatsapp right, and we all feel confident to use Whatsapp to send a message.
Bob to send a message to Alice because as soon as you start texting, there is a message
from Whatsapp to you saying that all Whatsapp messages are end to end encrypted, end
to end has a meaning, okay.

End to end means from the sender to the receiver. There is no one in between, it is
encrypted, not even Whatsapp can read your message. That is what end to end. So there
is no any, there is no other system as of now. We do not know what government will do
in future. That is where the problem of power of technology or a symmetry of power of
technology actually comes but as of now there are those messaging applications which
provide end to end encryption.

So basically, there is a plain text or message, that is the original message and it is sent as
a bit stream over a communication channel and the bit are grouped into blocks. It could be
blocks of 8 bits or 16 bits and so on and each block is what gets encrypted. The blocks are
encrypted and we will see some of the mechanisms or methods for encryption as we go.
Cipher is the transformation of the individual components, the characters, bytes or bits of
the plain text into an encrypted component so and the cipher text or cryptogram is that
unintelligible encrypted message or encoded message.

To decipher means to decrypt. So you have an encrypted message but for someone at the
other end, Whatsapp encrypts your message. When you send "Hi" and send it to someone,
Whatsapp encrypts it but at the receiving end, the receiver should be able to read it as Hi,
not as a, not as something else, not as an encrypted message. So it has to be deciphered
or therefore there has to be decryption and you will see that decryption always involves
use of a key. Key is the key to encryption, some of it is locked and someone should be

206
able to unlock it and you know decipher the message. So key is a very important concept
in encryption and what I am discussing here or trying to present to you must be known to
many of you.

because these are sort of common, this is common information that is available in any
textbook on cybersecurity or information security. So there are two types of, broadly there
are two types of encryption methods, the symmetric key encryption and the asymmetric
key encryption. Symmetric key encryption and Asymmetric key encryption. So there are
two ways to manage the key, you see that there is a key, a message is encrypted, so it is
encrypted using a key. It is like locking your message and you put your message into a
locker and hand it over to the recipient, it goes as something that is locked.

So the recipient should have a key to unlock it and then you see the message. So that is
concept here. So now you can see symmetric key, in symmetric key encryption there is
only one key, there is only one key, the key that you use to encrypt and the key that you
use to decrypt, it is the same. The same key is used for encryption and the same key is
used for reading. Now obviously you can see the trade-off, the plus side is, that makes it
simple.

You have only one key to manage, there is no multiple key. But how do you manage that
? If Bob wants to send his message to Alice, he encrypted it but how will you inform
Alice who is in some other place that this is the key I have used? The key has to be passed
to the recipient. But if you assume that the network is unsecure, anybody can access the
network, access cannot be completely controlled, that is assumption in encryption and if
you send your key to the same unsecure network, the key can also be accessed and that
makes the whole arrangement little, you know vulnerable and therefore key management
is a challenge. You can see the key again passes through the same network and therefore
that is a limitation of symmetric key encryption. And that is overcome in the asymmetric
key encryption which is depicted in this diagram. In asymmetric key encryption, the
asymmetry is in the key, the key that is used for encryption is different from the key that
is used for decryption or for reading.

There are two keys here and typically known as public key and private key. There is a
private key and public key. How do I illustrate this ? Here is Alice and what Alice does
is, what Alice want Bob to often send messages to her. So Alice actually generates two
keys. One is, Alice gives a key to Bob which is her public key, okay When you send your
messages use this key to lock. When Bob uses Alice's public key, when Bob uses Alice's
public key to lock the message or to encrypt the message, the message is encrypted and it
goes to Alice.

207
 Alice does not use the public key to open it. Public key cannot be used to open a encrypted
message. You need another key which again resides with Alice. Alice has two keys, one
is private key, other is public key. So Alice can use her private key to open that message.
See here the advantage is the public key may go to the sender over the, you know unsecure
network, that key is used for encryption, but public key cannot be used for decryption.

You cannot read the message using public key. The private key resides or stays with
Alice and that makes the system secure, okay because you use two keys, public key for
encryption, private key for decryption and that method is known as asymmetric key
encryption. So it is like Alice has a master key you know, in when you travel by airplanes,
you are supposed to lock your suitcases with a particular lock which can be opened by
TSA, right. The TSA I get it is marked TSA so the master key is with the airport
authorities, they can actually if they want open that, so it is like Alice has the master key.
So in one sense and the public key can be used only for locking, not for unlocking that is
the approach. It is not exactly the same, what I am giving as an example but it is a sort of
two different type of keys that is used for encryption and decryption and on a lighter note,
you can see Alice has distributed her public key, not only to Bob but to many others, okay.

So now we come to the third aspect of key management, which is the digital signature
and certificates which are commonly used in in networks when messages are passed from
one node to the other, for one sender to receivers. You often come across this term digital
signature and digital certificates, okay. So what is the digital signature? Sometimes you
see that, you know your system, your browser wants you, you know, this is not a secure
site or this does not have a updated certificate. So this also pertain to the domain of
encryption but here the asymmetric process is reversed. You see that in previous example,
the sender has the public key and the recipient has the private key.

When you change that, the sender sends a message with his or her private key and the
public key is used to open. That is the method used in digital signature and digital
certificate. The purpose here is basically to prevent non, to ensure non repudiation,
something called non repudiation. This is an important concept, especially in blockchains
as well.

Somebody should not refuse that I send the message. There are certain contexts where
this particular role is very important. Non repudiation is very important, okay. Suppose
in a look at banks, suppose you sign a cheque, okay and give to someone for getting it
monetized from a bank branch, you signed it. That person files a case saying that it is a
signed document, it is a signed cheque and the, you refuse to accept that you signed it, that
is repudiation.

208
 So in banking systems, you know, this is something that blockchains ensure. You cannot
refuse, if you have actually signed something. So non repudiation in business transactions
is an important requirement, non repudiation. Indian government implemented certain e-
governance projects very successfully, e-governance projects like the passport seva is one
example and also another project that is implemented by the government is for mandatory
filings by companies. Companies need to file certain documents like the annual reports.

All listed companies or all registered companies need to file that with the government.
Now this if it is done manually, it is very inefficient. So Government of India decided to
automate the system. So TCS was the IT company which developed the system for
automatic filing of mandatory reports and then there was this problem of non repudiation.
Suppose your company X and you are filing your mandatory documents to government
and how can the government ensure that it is you who sent it and tomorrow you should
not be denying that you sent it, and suppose you want to correct it or manipulate it etc,
there should not be any provision once you send it.

It is you who send it and you cannot refuse, non repudiation. So that was actually done
through another project of digital signature where each company was given a key to sign
the document before it is sent to the government. So that digital signature project was
actually implemented by many IT companies. Basically one of my students did a project
on this with Satyam computers those days and Satyam was distributing the private keys
through a dongle which actually they obtained from the government. So this third party
or the IT vendor acted as a key manager for the government.

So the key implementation was done by the third party. Essentially the purpose you can
see here is more than security of the information, along with the security of the information
that is passed, the non repudiation. Someone should not refuse ownership of the document
that is filed also was important. So that is a different context and you can see the other
context, where the digital certificates are important. When you actually type the address
of a particular site, you want to visit, say IIT Madras. The browser needs to ensure that
you are actually accessing IIT Madras and not something else and all genuine, you know
the organizations would try to have a digital certificate to, for your browser to verify that
it is IIT Madras.

So they verify IIT Madras's digital certificate. So you can imagine that digital certificates
are like signatures, signed by the company, managed by a third party. So your browser
will access your digital set, the digital certificate of the site you are trying to access with
that resource and verify. Well you are fine, there is a certificate stored somewhere which
authenticates that site, that is known as digital certificate. So I will quickly take you
through some of the common methods or some of the broad techniques for encryption

209
and then close this session, may be in another, less than 10 minutes, so that we have time
to discuss the article.

Encryption technically in a generic sense have, can be implemented by three methods.

Substitution, Transposition and XOR. This is technical. Some of you may be familiar with
what is an XOR gate in digital circuits, Exclusive OR .

That is one type. Transposition is another type. Substitution cipher is a third type.
Substitution, transposition and XOR are three methods used in encryption. This is
described in your textbook as well. And talking about substitution, there can be mono
alphabetic substitution, there can be poly alphabetic substitution. To illustrate that, the
encryption methods, particularly using substitution is very old and it was used by Caesar
in his communications with his commander and that is widely cited, when we talk about
encryption.

If Caesar has to send a very secret message to a command, commander, you know there
is no other channel. There is no digital channel. Those days you have to send a message
to through someone, through a messenger. So the messenger should not be able to read
that So Caesar would not write the message in, in a Latin or in a language that is commonly
in circulation.

Then he would change it to something else. He will encrypt the message. So can you read
what was said, What is Caesar communicating to his commander ? This is the message
that Caesar would send to his commander. If it is written in English, well you have one
minute, say when your letter is A instead of A, you will say B,C,D, instead of A, you will
make it D. So you advance it by a number and that is known as Caesar's cipher. Meet me
after the toga party, that is what that, that encrypted message actually communicates.

Now you can see the formula for that, right. It is p plus k and k is the number that you
add. So here what is the value of k? m m n o p, so you add 3. So and then substitute your
character with character after three positions, that is why it is called substitution. You
substitute each character with a character in the alphabetical series based on a constant
number, which is k. It is p plus k, of course you have a situation when the alphabetical
series ends, then it actually routes back to the first number or the beginning.

So that is the, that is the use of mod 26, meaning it actually goes back to the first position.
So this is Mono Alphabetic Substitution, in the sense it is the same rule that applies for all
alphabets. The same rule that applies to all alphabets. You can have Poly Alphabetic
Substitution, where for each alphabet, there can be a different rule. Then, so the key here
is, well the key here is k, right.

210
 Here there is a key for encryption which is k, once that key is known, Caesar is gone,
right. If you, if the messenger knows the key, then he or she can read the message. This
is Poly Alphabetic Substitution where for each character, there is a different substitution
method. When it is A, which letter is to be substituted is determined by a key, there can
be a key.

So here is a problem for you. Use IITM as the key, DOMS need to be encrypted, using
poly alphabetic substitution. So what you do is as I said, for each letter there is a different
rule, There is a different rule. So I go to D, D is to be encrypted. So where do I, what do I
use? I yeah, so D becomes L. So instead of going through each of this I will, sorry you
use the key to determine the substitutes.

That is known as a poly alphabetic substitution. Read your textbook more. They have
more examples. Transposition is, you know that bit streams are transmitted in blocks, here
it is blocks of 8, 8 bits and again substitution is by transposition. For each bit in the block,
there is a different rule. So it is block wise transposition and each bit having a different
rule for encryption. So that is known as transposition and therefore when you apply this
particular rule or particular key to each block, the plain text gets transformed into the
cipher text.

For each position you have to apply the rule or the key, the key is nothing but the rule
for changing the positions. This is known as transposition. ' Exclusive OR' some of you
may know the truth table of Exclusive OR, if you have learned, this in engineering.

Otherwise do not worry. Exclusive OR is represented like this. You have two inputs, X1
and X2 and this is your Y, whatever. So the X1 X2 Y. Y is the output. When both the
values are the same, the output will be 0.

When they are different, the output becomes 1. When it is 1 0 again 1. When it becomes
1 1 again 0, that is Exclusive OR. Now you can see, how the encryption is done using
Exclusive OR. A message blocks are this, for each bit you apply a key. So you can see
that when it is 1 and 1 it becomes 0; 0 and 0 it is 0, 1 1 0, whenever there is a difference
it becomes 1.

So that is the Exclusive OR. in encryption. So I am just outlining three broad techniques.
It does not mean that encryption is so simple as what I am describing but to give you basic
principles of encryption and maybe I would summarize this particular topic and some of
the encryption standards in the next class and with that summary I will, so I will recall

211
today's discussion and summarize and close this in the next class. So I will close it here
and we will listen to the presentation on active defense today.

212
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 08
Lecture: 24

Hi everyone, Good morning. So, we the members of group 5, myself Mano and Bhuvan
Dubey, we are here to present and discuss about the topic, about the article, 'Active
Defence and Hacking Back'. by Scott Benito. He opens up with an article with a tagline
where if we don't want, if you want to stop the bad guys from internet, we should need to
fight them back. This is a tagline of this article where he starts with, and in this article,
he interviews the primer, two primers, one is Dorothy and other person, Robert M. Lee,
where he takes their perspective about active defence and hacking back strategies and
explains why whether we need to go with active defence or not, with this justifications.

So, with the introduction from Dorothy, Dorothy Denning is a professor from Naval
Postgraduate. He is a professor of Naval Postgraduate and also a fellow membership from
the computer missionary and he was co-authored many articles and books and specifically
one topic he discussed about active defence is that, when properly understood active
defence is neither offensive or necessarily dangerous, where we describe about active
defence. Second to move on with the next person, that is Robert M. Lee, he was the co-
founder of an IT security firm Dragos, where the company works with US government
on many particular project.

In specific to mention about the company Dragos, the security firm into October 2017
identified a malware which was specifically targeted to work on the industrial system,
which may destroy or damage the industrial system products, which may cause damage to
the people. Later in August, this malware was identified foot forth and then attacked with
the Saudi Arabia country, but the attack however has been failed. So, this was a quick
introduction from both the primers. So, from Sun Tzu, he says that security against
defence implies defensive tactics; ability to defeat the enemy means taking the offensive.
And also one of the other famous quote that Mao Zedong says the only real defence is
active defence.

So, why active defence? To protect the most valuable information, something more than
deployment of security software and network monitoring processes is required. Second,
even high amount of spending on technology defences can secure the critical systems and
help keep pace with the hackers. The main point of active defence, active defence in a
sense, it comes after the attack or intrusion happens. Once an attack is happen or intrusion

213
is detected, what kind of an active defence mechanism a company and organisation takes
in order to rectify it or else in order to fight back for the intrusion. Yes, a direct defensive
action taken to destroy, nullify or reduce the effectiveness of a cyber threat against the
asset.

This is the quote by Dorothy Denning. With an example mentioned in an article where
Dorothy Denning explains an event, a hackers event happened for the Georgian
government, where in Russian hacker tries to take sensitive information from Georgian
government through the malicious code in one of their Georgian government systems.
where he uses a malware, gets into the system and try to use the keyword USA and NATO
to search for the documents. This incidence was identified by the Georgian government.
In order to, instead of stopping the attack, they wanted to identify the attacker in the same
way he was able to attack the, he was able to intrude into their system.

So, the Georgian government instead of stopping the attack or isolating the system, they
prepared a spyware and install and inserted into the systems with the keyword NATO
Georgian with wth the keyword, NATO Georgian document. So, since the you have hacker
was searching with the keyword USA and NATO this documents spyware, which the
document is consisted as spyware were identified by the hacker and it has been taken back
to the control system of the hacker where the spyware on downloaded into the control
system, opened up the camera, webcam of the hacker, take a snapshot of the hacker and
send back to the Georgian government. This example, Dorothy Denning specifically
mentions that the activity the Georgian government took, maybe some people may say it
is an illegal activity because instead of isolating or protecting their government, they
specifically created one more malware, is basically a spyware to identify, but in the
perspective of Georgian government, it under their legal constraint, they wanted to
identify the hacker and also to know what are the data's which the hacker has taken back
and also they want to legally take action against the hacker. So, this was the active defense
tactic which the Georgian government has taken back and with this the other examples
are the monitor of intuition and if detected, response by blocking further network
connections from the source or identify a shutdown, a botnet used to connect a DOS
attempt. If need to be shut down we can or else we can also go with the active defense
tactic which is followed by a Georgian government.

With this should hacking back be accounted, this is a question for to be discussed. So,
in order to protect ourselves, we should also hack back if an organization is going to
attack, from an intrusion or any bad actor. So, do you have any inputs on it ? Should
hacking be accounted? An organization tries to, whether they should try to protect their
system or else they should try to hack back the attacker, in order to get more details about
the attack and also to get back the data. You mean to say it is kind of counter attacks

214
strategy but then it should be identified that who is actually hacking us. Yes, it is also a
counter strike attack where it has two perspective, either you the organization tries to
attack a hacker to identify and also take a legal action attack it seems.

More important is get back the data whichever is stolen in, in cases. With this in expert
opinion why we do an active defense, that is hacking back? This is to gather intelligence
about the source of intrusion. When an intrusion error did happens, we should gather more
in some to help us to gather more intelligence sources from the intrusion and determine
what data is stolen. When an attack happens we may think this, what is the specific
sensitive information taken ? But the attacker may have also taken other information
which we may not insights to. Then identify the attacker for law enforcement, to bring
charges.

This is the important point where the company wants to identify the attacker and bring
in force for the law enforcement support. We also have a con support where, why not do
it? Again this could be illegal. If an attack, if an bad actor tries to attack an organization,
if the organization tries to attack back an individual person, that is again comes as an
illegal activity which is hacking. And the second is, no evidence that attacking, the
attacker works. Some it is again we have to try the multiple ways to identify the
vulnerabilities, to attack the, to find the ways to reach the attacker but sometimes it may
not also work.

Next could compromise government operations. This may involve with the organization
how sensitive data they are dealing with? The expert advice is hacking back without legal
authentication is unethical. Targets are too evasive and networks are too complex,
transversing in a system. So this is what the opinion on active defense.

Next. Thank you Manu. So we have seen why active defense is needed. Companies
have been trying many different strategies. Spending has been going up but it is very
tough to keep pace with hackers and what it is, we have seen the active defense which
there are different strategies. We will look at some more details but often hacking back is
confused with it.

We saw that hacking back is probably classified as something unethical, while active
defense is something which is actively pursued by various organizations but often lines
get blurred and the example which Manu gave about the Russian hacker, hacking the
Georgian government systems and Georgian government using a sort of a deception to
get more information on the hacker. Now do you think was that ethical or was it
something which should not be pursued or not? Open for discussion. In such situation, in
such situations actually the government tried to protect its people. So it is not about being

215
ethical or not. It is about securing your systems and infrastructure, mitigating the damage.

So I guess, it will be ethical to do it, to prevent further attacks from the intrusions. That's
a good point. Any other inputs? Even in case of, you know legal terms at times there's
something called as self-defense. At times in case of self-defense, you have to attack the
other person and that is justified. Anyone else would like to give input? Also in this case,
like we can see that it was due to the hacker's presence of inserting malware into the
Georgian system.

So due to his attack, he got the malware like the government didn't exclusively try to
hack back into the attacker system, but instead placed within one of their systems. So it
got uploaded in the hacker system. So it was within their jurisdiction of, you know
government's operations in securing the systems. They did not exclusively transfers to,
transfers to the attacker's systems. So it was ethical from a opinion.

So I think most of the points are covered, that why it can be considered ethical. The
Georgian government is taking an action for its national security. It did not go out of its
network or out of its system to install anything. It was the hacker's own code that led to
sharing of information about the hacker. But at the same time, there have been experts
who have raised counterpoints, that the assumption is that the spyware will go back to the
hacker system but the hacker may be using a lot of intermediate system from innocent
people, where the spyware may get installed or worse, that attacker could be using a
network computer which would then end up impacting a lot of other computers in that
network - could be university, could be hospital, could be energy facility etc.

So we can see that, you know there are arguments on both sides. Now in this case it was
a government taking an action. So probably it will tilt towards ethical in the interest of
national security but a similar action by an organization will probably be in the grey area,
right. So what, now the question is what is ethical active defense strategy and if you draw
parallel from combat in the field, monitoring from the size that are coming in, is passive
monitoring, but shooting them down, once it is inside your own airspace, that is active
defense and there are some examples we have seen earlier, some more like thwarting a
DDoS attack and creating a log, sharing of information, cooperating with law and law
enforcement agencies. These are all different grades of active defense strategies and, and
in fact the US homeland security show, calls it a gray zone.

On one end there is passive strategy of installing antivirus of building firewalls and on
the other end there is an offensive cyber, right outright attacking the hacker and in between
there are a range of options starting just from information sharing to intelligence gathering
from the dark web or even going up to having a ransomware of your own, white hat

216
ransomware going on rescue missions. So you can see increasingly if you go towards the
right it becomes greyer, risks are higher but also impact is higher. So how as managers,
can we take ethical considerations while planning active defense for an organization? The
writer of this article has published another paper which looks at some considerations for
ethical and legal principles for cyber defense. Looking at authority that the organization
should have authority to take whatever action, usually within the internal system, It is fine
but once the strategy involves going outside, it would require authority from the
government or the courts or the law enforcement agencies. Similarly third party immunity,
there should not be any intentional harm to the third parties.

It should be deployed only to mitigate the threat. For example, if you are accessing a
computer to shut down a botnet, it should not harm any other files or it should not,
disabling a computer would not be needed, essentially. Another point is proportionality,
that the cost that will be incurred should be proportional to the benefits that are expected
out of certain actions. Something we saw into this class as well and human involvement
is something which the writer highlights because ultimately even the automated defenses,
they will have to be settings or thresholds to be defined by the human. Accountability will
be to someone in the organization and hence even for automated system, some degree of
human involvement should be there and last point, civil liberties, the right to privacy and
free speech, even for a hacker should not be breached upon.

For example, personal information should not be shared. So these are inputs from the.

217
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 9
Lecture: 25

Welcome back to Cybersecurity and Privacy course. So we discussed technologies in the

last session and the session before that, of course, you had a industry perspective or a
practising manager's perspective on cybersecurity technologies and I noticed that a lot of
technologies were covered which from multiple perspectives and you also had an
overview of what is current and what is currently, current focus of cybersecurity
technologies and intelligence. So and I, some of the topics I discussed was again
reaffirming or again, re-informing what you already covered in the session before that. I
would conclude the session on cybersecurity technologies. So you have already seen there
are technologies for controlling access, access control. You can access an information
stored in a, stored or transmitted in a computer network and that of course, we have seen
current technologies for identification, authentication, authorization.

So all these are based on technologies. Then you also found that access, even when it is
controlled in the best way, still unauthorized access can happen and then the next step is
when data is being transmitted from point A to point B or node A to node B, then you
encrypt the message that even if someone gains unauthorized access, that intruder does
not understand what is being transmitted. So encryption technologies is something that
we looked at and encryption is a technology that is very important and very critical for
cybersecurity systems to function and I would say it is at the heart of the matter, it is the
heart of the matter when it comes to technology. If there is no encryption, there is no e-
commerce, just think about it.

You cannot actually send your credit card information on a public network, when there
is no security. It just would not be trustworthy. So the trust in computerized financial
transactions is thanks to cybersecurity using encryption technologies. And you are also
aware and it is also covered in the industry talk, about blockchains. Blockchains as a
current and evolving technology and blockchain technically as a linked list.

One block is linked to the other in a system and we can also articulate that in terms of
security, it ensures confidentiality through encryption, unauthorized access, unauthorized
reading of information is prevented through encryption and encryption also ensures non-

218
repudiation. I think we discussed that concept. Once somebody makes a transaction, you
know there is a private key that is used to transmit that information and one cannot deny
that, that you made a transaction and that is transmitted with a private key of that
individual and therefore it cannot be repudiated, it cannot be denied. So that is another
feature of the blockchains, non-repudiation, confidentiality and also integrity. Or in
blockchain terminology, it is called mutability.

Once a transaction is made, it cannot change. So there is a hash function, which I see that
you have already discussed. A hash function once it is generated for a block, you cannot
change that hash value which is generated. And therefore if you try to make a change in
the original block which cannot be done, then the hash, you know with the hash value
changes or the hash is permanent and therefore any change is not possible because a hash
function generates a hash value for the block forever, it is immutable. And I saw a very
nice slide illustrating that as to how hash functions actually ensures immutability of
blockchains.

So the industry standards that exists for encryption, you could note that an initiative to
have a open standard, data encryption standard DES ,was developed by IBM. It was a 64
block size with a 56-bit key and here is Rivest, Shamir and Aldeman who actually
employed people and cracked that code. And therefore DES was no more secure and that
they became very popular and RSA key or the RSA was developed by these three
gentlemen, I think one of them from Israel. And so the standards have to change and
become more unbreakable. So you have triple DES standard today.

219
 And the other one, most widely used is the Advanced Encryption Standard, AES which
pertains both to NIST and ISO; and RSA standard, another competing standard developed
by Rivest, Shamir and Aldeman. These are the encryption standards that exist in the
industry and key length could be either 128, 192 or 256. And depending on the number
of bits in the key, the key becomes more complex, in terms of the ability to break the key.
So well, I have just taken this from your textbook, there is some research on the difficulty
in breaking a key in encryption. You can see how many years it may take to break a 128-
bit encrypted message.

So you can count the number of years, if you can. So essentially what it says is once an
encryption is done, say using a 128-bit encryption or 64-bit encryption etc., it is virtually
impossible to break the key and read the message. And to the best of my knowledge, I
have not read about an incident where an encrypted message was decrypted by a hacker
and read. That is something which I have not come across.

If you know, you can share with me. So once a message is encrypted using a standard
encryption, encryption standard, it is virtually impossible. So that is the assurance or
guarantee that encryption technologies provide. So but there are other ways of actually
hacking, but it is extremely difficult, extremely, extremely difficult to break the key. So
we will close with that note.

So technologies for cyber security is something that we try to cover. And today let me
actually take you to another scenario which is related. The second topic in your course,
which is Privacy. What is Privacy and what is its linkage with security, cyber security?
And why this linkage is important etc, is going to be covered in the subsequent session.
So we also look at what is currently happening in the domain of Privacy and in particular,
Information Privacy.

So our focus would be more on Information Privacy. And we will come to that as we go.
So we will try to find the difference between Privacy and Information Privacy and the
connection between Cyber Security and Information Privacy. So today is an introductory
class and we will also have a case discussion towards the end to understand the
implications of privacy for individuals and organizations. Well, this is something you
must have, if you are actually watching popular media like TV, this is something I am
sure a few years ago you watched.

220
 WhatsApp claims that messages are encrypted end to end. So I was watching this news
and I saw a WhatsApp message between two individuals, Two celebrities of course, you
know them by face. That was shown in the TV screen. That was appearing in the TV
screen. If I do not know if you recall what was the conversation that was shown in the TV
screen, it was about substance abuse or weeds.

So you know, popular media actually had a lot of interest in actually watching and
commenting and digesting and talking about it for quite some, after some months. But
the important thing is, well, here is an encrypted text which is available in public domain,
number one. And number two, even if somebody got access by cracking the encryption,
you know, which I just said is impossible, then how can a TV channel publicly transmit
a private conversation? So it is a conversation between two individuals. I may talk to you
something which is very private to me or I may talk to my wife or someone, some private
message or I may send a text which is very private. How can a TV channel, first of all
gain access, that is question one and second, make it public? Do you have comments?
Question one, how was it cracked? Was encryption, is encryption vulnerable? I am not
sure of this case but I think the one possibility of, because WhatsApp has a feature of
backing up the chats to Google Ray which was initially unencrypted.

So the law enforcement could have access to their Google or the leakage of credentials
of Google accounts. So from further that, they could have gained access to WhatsApp
chats in plain text. So you are saying it is not the encrypted message that was accessed
but it is the backup. So it looks like you have tracked the story. Actually how, you know
the government agency which actually had a crackdown on this was the Narcotics Bureau

221
of India, Narcotics Board of India, Narcotics Control Board, NCB.

So, so here is the government. So government if they want, can access information for
governance. And that is one aspect of it but it is not the government, this message is not
in the custody of government, it has gone public. So you are saying, so both of you are
saying it is not the problem with encryption. If a message, a WhatsApp message is backed
up in some drive, then that is not encrypted.

WhatsApp does not guarantee that the backup, backed up message would be encrypted
or it is not readable. So there is no encryption or guarantee for message that is stored or
backed up, which is true. That is what happened in this case. How, that is how they got
access. The they meaning the government agency for investigation purpose.

But this is public. What justifies that? So that there is another dimension to it. That is a
dimension of privacy. Can a private conversation be made public by a TV channel? No?
Then, I think TV channel is still operating, right? They have shown everything that was
going on between two individuals. I think I expanded it wrongly. The National Narcotics
Control Bureau's NCB, they were probing this incident because it became public.

And but it, but during the investigation, whatever information or text messages they
gathered also became public. And of course, we do not doubt the encryption. So I want to
reaffirm that, WhatsApp gives us end to end encryption. And its encryption standard is
open and public. I have given a reference to WhatsApp security.

There is a white paper which is given in public and where they have described the
complex process of encryption they follow. For example, there is a distinct key for every
message that is transmitted. So it is very secure and it is not the encrypted message that
was cracked. But it was the backed up message. So that is, that actually answers the first
question I have asked.

And the second question is not answered. How can private chat messages be displayed
in public? Channels defend themselves. These individuals can of course, file a defamation
case. You know, this is actually my private information. Some years ago, you know, of
course, maybe 6 or 7 years ago, there was a similar case when Ratan Tata's conversation
with Niira Radia was leaked.

It was available in YouTube for you to listen to. And Ratan Tata filed a case in the
Supreme Court against that leakage to the public. So it is an intrusion into the private
space of an individual. But what would the government or what would the TV channel
would say? This is just showing what is WhatsApp message about backup. Media and

222
messages you backup are not protected by WhatsApp end to end encryption while in
cloud.

So they have a disclaimer there. So this is actually a very complex topic. I am touching
on a topic which is legal, political and it is not easy to resolve. There is something called
public interest. The media say, well, this is in the public interest. The public interest or
national security, which is government's argument, which is provided for even by the
court, that government for the purpose of national security can access private information.

That is a caveat. When we make tall claims about privacy as a fundamental right and so
on in the country, it is not an absolute right. This is something we would see in detail as
we go and touch on regulation. But we know that there is no 100 percent guarantee for
privacy, although there are secure technologies. And politics means, you know, so there
is a ruling party and opposition in democracy. The ruling party would like to have control
because they have to govern and the opposition would always question that.

And when the opposition comes to the ruling party, they will actually change their stance.
So my take on this is a political party while in power will stress on national security and
while in opposition will advocate privacy rights. You can observe this as power changes
hands. So there is, there is grey area in privacy, which we all would see as we go and we
also discuss cases. You must be familiar with this term, the big brother.

Big brother was coined by George Orwell and I referred you to 1984. And it is in the
book 1984 that he coined this term, big brother as the government or the one in power.
So there is a huge power asymmetry between the government or the power centre and the
governed people. And that gives certain benefits to the government because they can
know and they can use technology for security and welfare, they can also abuse
technology for political gains.

Both are hard fights. I am not criticizing any political party or individual or any particular
entity. These are possibilities. These are actually, you know, these are all human systems.
So you see, in India we have an Indian Telegraph Act, which was enacted by the British
in 1885. That is the act which gave access for government to communication between
individuals.

Government was able to actually, if they wanted they could actually tap the mails or
letters sent by individuals, one individual to the other individual. There are so many cases
in history where government actually took or tapped mails between private individuals.
So you can call it a draconian act. But has any government changed this? We have two,
you know, two political parties at the moment. So has any government changed this? So

223
this is convenient for governance.

So you need actually, you need access to information to make decisions. But the
downside of it is that it could be misused. This could be misused. So we live with that
reality. So these concepts at a philosophical level, Michael Foucault, the French
philosopher was the first one to write about technology and power and the asymmetry of
power and of course, George Orwell, 1984.

So how many of you would agree if IIT Madras installs a CCD camera in your room?
IIT would say that well, we want to ensure that girls are secure. Say there is some incident,
some, there was some theft in some room and somebody got into a girl's room. So after
that the institute decides we will keep a camera in each room. Would this be okay with
you? No? Uncomfortable.

Uncomfortable, okay. But it is for your security. Then you are saying two things, one is
that we want to be secure in the campus, other is that we also want privacy. Let the girls
speak. Actually this is the real case. Some years ago, the institute initiated this CCD
camera installation in girls hostels, in all hostels, even in our apartments in each floor
there is a camera now. So they came with this camera to the girls hostel corridor and the
girls went on Dharna, "No CCD camera here.

" And what happened? Do you have a camera now in the hostels? You have, right? They
won and you lost. So but don't you see it as an intrusion into your private space? No, this
is called panopticon. The term is panopticon. There is one point sitting where you can
actually have control over the entire infrastructure. You know for this system, surveillance
system there is one point where all this information is displayed.

You know this is called panopticon or being observed while the subject does not know.
You do not really recognize. So privacy advocates actually at least have brought this topic
to the point that if there is a CCD camera, it should be written and it should be known to
people that you are under surveillance. It is mandatory.

It is informed to you that you are under surveillance. So it is up to you whether you
want to be there or not. So that is sort of compromise but administration has the rights to
monitor its space, without really getting into your rooms. If you, if it gets into your room
then actually it becomes a private space. The corridor is not a private space, it is a public
space.

That is the argument. Which is difficult to get through when it comes to students. There
was a hard time of negotiation. I think one of my colleagues was involved in it. Now the

224
other side of privacy. Is not privacy as a topic just a talk? Who cares? Have you used a
postcard for sending messages? That was our communication in the 80s.

You might have. Yeah, we have used. Yeah. So in postcard we used to write every story.
Probably the postman of the location would know everything about everyone. Right? And
there are movies on this. So Marykutty delivered. That is a typical message that will go
from one family to the other when there is a delivery or when there is a function.

So you write almost everything personally. But then the writer was aware that it is in his
own liability actually. Yeah, yeah. You know in our society we function in a particular
way. Till the time somebody came to us and made us conscious, this is privacy.

You are an individual. You have a private space. This is your life. And nobody should
get into or intrude into your private space. We have become more and more, we have
been made conscious of privacy.

This is my observation. So there is an era. So I belong to Gen X. So 70s and 80s, privacy
is not something, we do not talk about privacy. What? You know, you talk about
everything in groups. And so as our connection to the western world increased, where a
society which is very individualistic and researchers would say that we are a collectivist
society. So we have joint families, we have communities, religious communities
particularly, where sharing of information is like, you know, information is a public
property.

225
 Everyone knows everything about the other, you know. So same with, you know, social
scientists argue that we were not very caste conscious in India. So Indian society
functioned by [Link] all belong to a caste.

I do not know what is my caste. But we have caste based on work. What kind of work
you do. So just like all the engineers or IT professionals get into one group, because they
have common things to share, you know, common, most of your day you spend on your
work. So they became communities, you know, this is my observation again. So these
are natural group formation. So natural affinities, you know, people form into groups,
which per se is not wrong.

But when caste became a hierarchy, there is abuse and there are so many other evil effects
of it. But just to say that everything about caste is wrong, may not be very appropriate.
But that is again the Western school of thinking. Look at our society through the lens of
the Western theory or Western concepts.

So we became caste conscious, we became privacy conscious of late. Now when did,
what is the origin of it? When did this discussion on privacy became, become very
prominent? If you read literature, particularly management literature and law, you will
find that it traces back to 1890. Somebody defined what is privacy. Till that time, well,
there may be situations when privacy matters or somebody got into someone's home or
private space, etc. But it became an important issue for, for, at a national level, I would
say. In the 1890s, when two scholars, Samuel Warren and Louis Brandies published a
paper titled 'The Right to Privacy' in Harvard Law Review.

That was 1890. 1890 has something to do with technology. That is the same decade
when a company, a company which functioned for successfully 400 years and now of late
in the digital era closed down. That company began in the 1890s. And it was an outcome
of the product that that company produced, their privacy was intruded. And it was a, it
was a dominant player all throughout 400 years.

But in the digital era, they could not survive. No. It is a product. Not Nokia. Nokia, I
do not think it is that old. Cell phones. So let me give you more clues.

So what happened is one of them, you know, they were entrepreneurs also. So one of
them actually went for a evening party, a party. And it was actually a private party. So
where, you know, it is the United States, so they were again celebrities and one of them
sat close to a woman.

And that appeared in an evening newspaper next day. And this guy was shocked. Well,

226
I had a private time or a private chat with someone. And here is my picture, Photography.
So camera, photography camera, Eastman Kodak began as a company in the 1890s and
photography became possible. And not only photography, photographs could be, could
appear in newspapers, where it goes public. That is the point in time, the power of
technology to intrude into private space became very, very clear.

So that is when they started thinking, well, this can happen again, this can happen to
anyone. Photography is something that captures a moment. We, today, you know, the
social media is, you know, flooded with pictures which we want to transmit, but the
moment it affects us negatively, we are all concerned about privacy. So technology or the
era of technology, computer technology and photography and so on, actually brought in
this issue of privacy. And that is when there was a paper and these people defined privacy
as the right to be let alone.

And that continues to be a classical definition for privacy. Every individual has a right,
that is a right to privacy. Essentially, if you actually look at it through the lens of social
science or an individual as an entity, there is something called freedom. An individual
has a freedom and every constitution, every democratic constitution ensures that
individuals have freedom. And that freedom is a part of an individual's autonomy. That
is basically the question or the matter at stake in privacy is autonomy of the individual.

Autonomy is something that you want and a constitution grants to individual. Because
at any cost, even if I do not have food for one time, I would still like to have control on
where I go, what I do, whom I talk to. I need to have that decision right with myself, it
should not be taken away by somebody else. So when I have a private conversation, it is
my private conversation. And nobody, including government has any right to get into that
space. See a quote from William Pitt in 1763, even if the poorest of poor is sleeping in
his hut, no government has the right to get in there.

And of course unless by warrant, that is a legal aspect. You simply cannot enter into
someone's private space. That is intrusion into privacy. So privacy, your privacy in a
general sense as you see here is about an individual's right to autonomy or individual's
right to freedom. So the overarching concept is freedom. And some scholars say therefore,
why talk about privacy separate from freedom, it is already embedded in freedom.

So they say, there is no distinct concept, but others say it is called coherent delism. So if
you read literature, so there is a coherent concept called privacy distinct from freedom,
you know, that is the other argument. And this public versus private debate, of course it
is the Greeks who thought a lot about everything. So it is Aristotle who articulated that
there is a public space called poilis and there is a private space called oikos, you know the

227
Greek words. So these two distinct words, public space versus private space was actually
given to us by the Greek scholars. And ever since the idea is to separate these two spaces
and give an individual the freedom to conduct oneself the way one wants in the private
space, but in public space, since it is not just you, but there are others.

So there is need for governance, there are, there are need for rules and regulations and
all that. Therefore you cannot say I will do whatever I want to do on the street or in a
classroom. It does not work because it is a private, public space. So this is what I said
Reductionism versus Coherentism, meaning that there is a distinct concept versus there is
no distinct concept debate. Let us leave that there.

228
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 9
Lecture: 26

There is an economic view of privacy. When economists look at privacy, they do not
care much as Posner in 1975 said, Privacy is not important so long as there is no economic
consequence. Does privacy have economic consequence? Any quick answer? Yes sir,
means if there is any data leakage or personal information of a particular organization,
then it will impact the entire organization. Absolutely right. So organizations collect and
store a lot of personal information. The leakage of that actually incurs liability, therefore
there is economic consequence there.

Identity theft is, may have economic consequence. So there is economic consequence of
privacy and we have one session dedicated to this, the economics of privacy in as we go.
So you have pointers already. Then there is post after economic view, there is a feminist
view, I am actually referring to Stanford Encyclopedia of Philosophy and their discussion
on privacy to give you an overview.

So feminist would see this private space not very positively. Their argument is that
defining, say family as a very private space where nobody else can enter, no mediator can
enter or nobody can listen or overhear etc, actually is in the favour of man but not women
because in many communities women are very vulnerable and there is lot of women abuse.
And if there is no guardian, there is no guardian, sort of third person it can lead to violence
and abuse of women and therefore strict private boundary for privacy is not in favor of
females. That is one argument. Now let us actually move slowly from Privacy, the concept
of Privacy to Information Privacy which is our focus area.

So Alan Westin is often known as the father of Privacy, father of Information Privacy.
Till that time he consistently studied the topic of privacy and wrote several books and
published several papers on Privacy. So Alan Westin is a name you cannot miss if you
study Privacy. So his definition of privacy is the claim of individuals, groups or
institutions to determine for themselves when, how and to what extent information about
them is communicated to others. So in other words, this is the definition of Information
Privacy.

Information Privacy is an individual's control over one's information. I will decide what
I disclose. I should have that right or I should have that autonomy. So Privacy,

229
Information Privacy as control over one's information is a fundamental definition of
Information Privacy. Just like in the case of Privacy, we saw the definition is the right to
be let alone.

So that involve your physical, your body also, your whole. As a whole what is privacy?
The right to be let alone. But what is Information Privacy? The ability to decide for
yourself, what you share or what you do not share. So that is the difference between
Information Privacy and Privacy. Now the topic of Information Privacy became extremely
important with the rise of technology.

So it started with photography or cameras and it became very complex when

organizations including government and other organization, business organization started
collecting and storing and analyzing individual's data in databases. And then there was
increasing awareness about individual's information or employee's information and
citizen's information to the extent that in the computer era, the US government actually
instituted a committee, US Secretary's Advisory Committee on Automated Personal Data
Systems. In 1973 they actually produced a report but this committee was constituted by
the US government because they found time has come to make some sort of guiding
principles or law about privacy because data is stored in the databases and there is a
concern for privacy. This particular report provided five principles known as Fair
Information Practice Principles, FIPP, FIPP it is called FIPP, Fair Information Practice
Principles. It is known as the most fundamental foundation for Information Privacy
because we will be reviewing various regulations of privacy, security and privacy in
different regions of the world, Europe, India and maybe North America.

230
And we will see that FIPP actually is sort of a guiding principle for all these regulations.
So what does FIPP say? It said there must be no personal data record keeping systems
whose very existence is secret. No company including government can collect and keep
data about an individual in secret. If any agency collects my data and stores it, I should
know. It cannot be secret.

That is principle one. Principle two, there must be a way for a person to find out what
information about the person is in record and how it is used. I must, if my data is stored,
collected and stored, I should have the right to access that information. Can you change,
make changes in your Adhaar data? Can you access your Adhaar data? You can, you can.
There is a procedure for making changes as well and correcting errors etc.

So this is principle two. There must be a way for a person to prevent information about
the person that was obtained for one purpose from being used or made available for other
purposes, without the person's concept. So if [Link] collects or you provide your
information to Shaadi or a matrimonial site for the purpose of finding a partner or for
marriage in our country, then it is a lot of private information that you actually share there.
Now Shaadi has that in your database, in their database.

What do you think? Do they share that data with other agencies? You should read their
privacy policy and decide whether you should go for these sites or not. They have,
sometimes these companies have got perpetual rights to transmit your data anywhere. So
we will go, that is why regulation is becoming stricter and stricter today. So if an agency
is sharing the data that is collected about you to some other agency, it should be with your
consent. That is the third principle.

There must be a way for a person to correct or ammend a record of identifiable

information about the person. If I want to correct some things, there is an error, I should
be able to do this. Nandan Nilekani when he developed the Adhaar idea, so he several
times, I have listened to him saying that we collect only most basic data that is required,
nothing more. So the basic principle is collect only that data which you need, nothing
beyond. So and it has a purpose and the data should be used only for that purpose.

If you collect anything extra, the purpose should be clear. Just for the sake of it, you
cannot collect data and store. It should be purpose driven. Fifth principle, any
organization creating, maintaining, using or disseminating records of identifiable personal
data must assure the reliability of the data for their intended use and must take precautions
to prevent misuse of the data. So now here the onus or the responsibility of securing
private data is on the data collector.

231
 A agency which collects data should be able to secure the data or data breach is a breach
of law, is a breach of the privacy principle. So it is a company's responsibility to invest
in security by going by this FIPP's principle which became regulation in many countries
already. So these are the basic underlying principles of Information Privacy which first
got outlined in the Fair Information Practice Principles. And in the domain of Information
Privacy, you would often come across these three entities, reference to these three entities.
This is very much there in GDPR, when you actually have an overview of GDPR in
Europe.

Data Subject, Data Controller, Data Processor, there are three entities. Data subject is a
person or an individual whose data is collected. That is the Data Subject. Data Controller
is the agency which collects data. It also takes decisions about the data.

The Data Controller can process the data that is collected, can store the data, can also
share that data with another entity, which is a Data Processor. Or the Data Processor and
the Data Controller can be one entity also. So if say, ICICI bank has your banking data
and it shares the data with an analytics company, Fractal Analytics. So the data is passing
hands from Controller to Processor. So it becomes a third entity which has access to the
private data of the Data Subject.

So we need to visualize these three entities across which private data actually gets
transmitted, stored and processed. We have Personal Data Protection Act, which of
course, got dropped in recently and it is, government is reworking this Act. But in the
original document, they had similar concepts like Data Subject is called Data Principal,
Data Controller is called Data Fiduciary and Data Processor is called Data Processor.
Fiduciary is someone whom you entrust your data with. So before I hand over the session
for the case, there is in research, in research literature there is a concept called Concern
for Information Privacy.

So privacy can be a talk, you know you can keep talking about my right, your right,
regulation, this and that. But In research, particularly in consumer research and also in
economic analysis of privacy, you need to have measurable concepts. You should be able
to measure what is the privacy or what is the concern for privacy. So that is where scholars
developed a scale or a measure of privacy. And if you look at closely these measures
which can be measured using a scale, a Likert scale or whatever.

So they look at four dimensions. You can see there are four dimensions to Information
Privacy. One is concern on collection, second is concern on unauthorized access, third is
concern on errors and fourth is concern on secondary use. These are quite intuitive. When
you talk about your privacy, actually what are the concerns, what is, you know, where all

232
you have concern.

One is about collection. Why are they collecting?, What is the purpose?, etc. You know
something that is related to the collection of, collection itself. Second is unauthorized
access, having collected would someone else, who is accessing my data, my health data,
my, you know my family data and so on. So that is unauthorized access as a concern.
Errors, you know I was in GATE examination the previous week and one student was not
able to log in for giving the, taking the GATE exam.

And we found that the reason is the password is linked to the date of birth and the student
has entered a wrong date of birth in the GATE database. So the GATE created a database
based on the wrong date of birth, which we could see what is the date of birth in the
system. But the student is trying with the actual date of birth. Then of course we checked
it with the, you know ID card and all.

So it was only an error. But in this case, we allowed the student to write the exam because
it is an error. But the student's concern now is I need to correct that error. So concern to
correct errors pertaining to private data. And secondary use, will the entity pass my data
to somebody else? And then what happens? This is an important concern in the
Information Privacy space. So keep those four dimensions, which can be measured using
scales, but that is what you mean when you talk about Information Privacy or concern for
Information Privacy.

233
 Collection, unauthorized acces, errors and secondary use. This is to give some sort of
historic milestones about evolution of Information Privacy from the 60s to 2005 and
beyond. So as I said, Alan Westin did not live in the social media era, but you know the
privacy concerns are growing and growing where you can see countries are regulating the
flow of information. And Supreme Court had to intervene in our country and say, privacy
is a fundamental right. So you see the discussion on privacy is, has become a public
debate.

And the primary reason for this to happen in our times is, there is, we call it information
era, we live in the information era. The biggest change that has happened in the last few
decades in the human evolution is the Information Revolution. And that is a very positive
effect. You know the digital technologies has made life much convenient, much easier.
And we flow today, but the dark side of that is that information about you is flowing.

So and that is a huge concern, misuse of information. Information is, you know, plenty
and is available and can be stored efficiently, can be transmitted efficiently but that also
has a dark side. Why should organizations worry? You look at the several cases of data
breach and the liabilities that have happened in the recent past. Tomorrow in the next
class, we have a discussion of a data breach of 2017.

And that is not very far in history. So you see that this is a major concern for
organizations. And therefore, Information Privacy should really be taken seriously by
organizations or the leadership of organizations. And you see that change happening, in
addition to a CISO's post, you now have, you now have a information, there is an office
of, a special office for Information Privacy. You will see those changes when we discuss
certain specific cases. Why should individuals worry? Organizations should worry
because they have liability.

Individuals should worry because it is my private data, I can be harmed. And I can be
embarrassed. Embarrassment is a pain, it is actually a pain. And therefore, that can harm
you, that can harm your career, that can harm your personal life, your family life, your
existence

234
 So this affects individuals. So when I joined research, PhD program, this is one book I
read and there was not much focus on privacy in those days. But I enjoyed reading
Database Nations, Simson Garfinkel's Database Nations, where in the United States the
individual's information was available to credit bureaus. Credit bureaus collect and
process and give information about individuals, their spending habits, their preferences,
etc to merchants or online merchants or you know. So this is something, profiling of
individuals is something that is happening. But at the same time, well this is positive for
merchants, but this can harm individuals.

So Simson highlighted several cases where individual's privacy was affected. But when
it, when they went to court, the decision was in favor of the business, not in favor of the
individuals. Why so? So that is something that we should enquire. You know of course,
there is something called privacy, terms and conditions of privacy, which we all generally
agree. And once you agree, there is no legal remedy, you agree.

So beware of matrimonial sites. So let us discuss a very interesting case today. So before
that, yeah, so I belong to this generation. So the best thing is that we shared a lot, but
nobody knows. But if you guys put it, everybody knows. There is a record about what
you do in the digital space.

And many of those social media organization, of course, now regulation is changing, do
not actually delete your information, they retire you, but they do not delete. But we do not
have to worry. So, so we have the case on We Google You, right, so which pertains to the
case of privacy, which includes an organization and individuals. So let us try understand
with this, with this case, the issue of privacy in more detail.

235
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 9
Lecture: 27

Good afternoon everyone. We are group one comprising of Shriraam, Nithish and myself,
Anna and we meet again for another case discussion. So starting off with the presentation.
So privacy is power. What people don't know, they can't ruin. But in this modern digital
world, we all know that has been discussed in the class.

This power is something that we cannot fully exercise. In this age of social media, any
individual can access a wealth of information about a particular person just with few
clicks. With social media sites like Instagram, Twitter, LinkedIn and whatnot, the
individuals are allowed to share his or her personal information as well as private
information on the net. And anybody who has access to internet can access them, including
data of what they achieved, what they did, and everything including what you buy, what
you watch, where you go, etc.

There are many benefits for social media as well as internet, but it also has potential loss

236
for your privacy. There can be many threats including social engineering, spear phishing,
etc. that we had discussed. Additionally, nowadays, companies are using all this additional
information that are available to assess an individual to know what his or her personality
is and to judge whether this person is potential candidate for the job. And this is where
we are coming to.

As for every interview, we say that the first impression is everything. But with internet
and social media screening, more impressions are assumed of a candidate by the
companies, way before their interview. So according to a survey that was conducted in
2020 by Harris Paul, it says that 71% of the companies do agree that a social profile is an
effective way to screen candidates. And amongst them, 55% have admitted that they have
found some content about a candidate that caused them not to hire that applicant. Also, a
study which was conducted again in 2020, found that social media has become a cost
effective as well as less time consuming tool for the hiring processes.

As you know, social media, it's like free of cost and you get a ton lot of information about
an individual way beyond the resume. But as you all know, too much of anything might
not be that good. So invasive background check is collecting an individual's data that is
far more required to just check the qualification of a particular individual for a job. It can
be any personal information like your relationship status or the credit score which reveals
your financial status or it can be your medical history that can be used to embarrass you
or any ailment that can disclose your potentiality or it can also be the information
regarding your race or ethnicity, all which can invade your privacy. And also when

237
looking at the hiring process, it can also bring in bias or discrimination.

So keeping all this in mind, let's start with our case for today. So the case, We Googled
You. So it is about a company, Hathaway Jones which is a luxury apparel retailer with
sales of over 5 billion. So the current situation as of this case is that the Hathaway Jones
is facing a declining sales situation and one of the reasons is that the customer's taste is
actually changing and the younger people whom the company had targeted earlier, they
are now searching for much more affordable clothing with flair which the Hathaway Jones
is not able to provide at the moment. So their strategy is, the CEO strategy as of now, is
to tap into the Chinese dream and so they want to be successful in China where there is
apparently a huge market for luxury apparel and as you can see there is a queue outside
luxury stores and this is, they are aiming to tap into this in order to turn around their
company.

So we will just look at the various characters of this case study. First we have Fred
Westen, who is the CEO and the person in charge of this transition to China and so he is
an experienced person working with various luxury brands before and he is bidding on
the Chinese market and so his personality is that he is, he doesn't care that much for rules
and procedures, he just wants to hire the best people for the job and get the best possible
team to ensure that they can do a successful job in the field. Now we come to the second
character which is Virginia Flanders, who is the Vice President of HR and she has been,
she has served in the company for all her life and she is considered to be part of the old
guard by Fred Weston who is new to the company and therefore she is not part of Fred's

238
inner circle. She is a stickler for rules and she also believes that Fred Weston is not
treating the internal talent right, by getting new people to come, outsiders to come into
the company and run the business of the company. At the same time she is also very
methodical, very diligent and she is very analytical, she pursues proper background checks
and goes an extra mile to ensure that the right people are indeed entering the company.

And now we come to the candidate, Mimi Brewster who is the main person in this case.
She is a very talented person, she has good credentials. She studied in the top colleges all
over USA and she is very ambitious and driven and she is an expat from China and she is
fluent in Chinese, which is one of the most essential skills as far as this company is
concerned for its transition to China and she has displayed good leadership capabilities
and good leadership capabilities in her previous company, where she has done product
launches and as we can see, as we will be seeing that she has also has some streak of
activist tendencies and she has also led this in these activities, activist activities. So we
will go through the sequence of events how this case goes. So as mentioned before,Fred
has planned to get Hathaway Jones into the Chinese market by entering in three cities
Beijing, Guangzhou and Shanghai and he's assembling a winning team.

So just to get the point he wants a winning team for this and he is in search of a manager
who can get this delivered. At the same time his friend, John Brewster suggests that his
daughter Mimi Brewster is looking for a job and asks for Fred to give her a chance and
an interview which Fred agrees and in his very first impression of Mimi Brewster, he is
extremely impressed and he is already decided, made up his mind that he is going to hire
this person and he feels that this girl is the right person for the job and he does not want
to lose her. At the same time, when he recommends this, forwards a name to the HR, who
is more diligent in this case and she runs a Google search for her name and she searches
for nine pages. Most of us don't even search for more than three but she searches for nine
pages and the ninth page she finds that Mimi has been involved in some activist activities
which may not look favorably on the company, one of which is that she led a protest
march against the World Trade Organization and another incident protests against the
Chinese authorities for the death of a dissident journalist. Now she brings this to the notice
of Fred and Fred himself acknowledges that in today's world if we search deep enough
you can actually get dirt on anybody and he also like, in his mind he remembers that he
had been much more glad about the town, so when he was young and all this could also
be part of that and at the same time he also realizes that leadership involves taking some
risks and taking some, such activities are what actually define a leader and now, if you
are going to show that in a negative light that might be a problem for any, the person he
is searching for.

At the same time, so he now decides to give Mimi Brewster another chance and asks for

239
her to come back and give a second interview and at this time, the Virginia, the HR VP
points out that Google searching might not actually be entirely legal at that moment and
ask for company lawyers to be present to figure out the legalities of that interview. So at
the end of this case, we are left with two questions, whether the company was actually
right to dig deep on the internet and scan for Mimi, by going through Google searches?
Is it a violation of her privacy? And the other question is whether the company should
actually hire Mimi and their argument for both cases. Now we will just discuss the
business impact of this case before proceeding on to the discussion about the questions.
Thanks Shriraam. Now let us take a step back and analyze the case of whatever has
happened, now that you guys have understood the case to some extent.

Well, we already saw that Fred wants to make a winning team for their Chinese expansion
strategy. Now let us just consider the two possibilities for the second question, which he
discussed earlier. If in case they hire Mimi, then few years down the line there is a
possibility of their competitors attacking or you know or getting the information regarding
her past involvement in such protests or other activities and then using that to attack this
American firm, Hathaway Jones and do remember that Hathaway Jones is an American
firm and now they are planning to enter into China and they want to succeed in that as
well and as I think that you guys should be aware that, aware of the economic and no
trade war that is happening between US and China and all other conflicting interests
between these two countries and you know these should be a possible very good
information, to attack on the company and this will, this might actually affect their loyal
reputation of the company and image if they and you are opening inside China and now
moreover, consider that the damage has been done, more this might also increase their
customer acquisition cost as well as the customer retention because Chinese people, they
are from high context culture and you know what, they give more preference to, you know
loyalty and they are more traditionally oriented and that's what even Mimi refers to her as
one liner or pointer during her conversation or during her interview with Fred. So she
mentions how they are culturally oriented and how they like things related to
Confucianism as well as the business point of view. So in case if it gets leaked and the
Chinese people get to know that one of her, one person from their kind is looking for an
American firm and was also involved in previous protest which was against the Chinese
government because where in a second protest she actually was against a dissident
journalist, who was actually protesting against the government.

So if they get to know all this stuff, obviously it might affect not just the image but also
the impact they might have on the customers over, maybe buying and again the cost of
undoing this damage might also be very high and stakeholders, we are not still assured of
and then Chinese government might come up with their own regulatory issues of some
policies of that sort, which we might not be sure of and now consider the other part of it.

240
If in case, the organization that is the Hathaway Jones does not hire the candidate Mimi,
there is a possibility that obviously her being an excellent candidate, she might come to
be aware of the fact that she was actually rejected based on the previous involvement in
protests and other such activities and this is actually wrong because you know, candidates
they have the right to sue their employers or even the organizations under civil law and
even some other privacy law stating that, because they have been biased or prejudiced on
the basis of discrimination, racism, ideology, opinions or beliefs and favouritism during
the recruitment process. So she has her own legal standpoint because based on which she
can even sue the company and you know protect her interest and this might also be
challenging for the company as well, going down the line. So let us see how we can deal
with this case. I am coming to the same question of, same coming to the same questions,
actually if you analyze this case, this case has two aspects to it.

The first question will actually deal with this privacy aspect of it, information privacy
and individuals privacy aspect of it, while the second is actually more of an human
resource management type of question. So let us see and how we can deal with the first
question and now it is actually, I am opening it to the audience. Do you guys think was
the company right to dig deep on the internet to scan Mimi or is it a violation of her
privacy? Coming on to the first question, actually is it cannot be called as a violation of
her privacy because it is already there on the public domain, okay and no one is hiding
that and she's also not hiding that. Sure, and secondly coming on to whether the company
was right to dig deep on the internet, yeah that the company can always do because it is
giving us some kind of general view about the social profile of the candidate, that is there.

241
Yeah and any other opinions? I also agree with the view that all the information is publicly
available and whatever activities that Mimi had engaged in, she would already know that
there is press coverage for those events and it may be shared, probably she herself knows
that this information is available on the internet, if there was any objection that would
have come towards the press which published this information.

So the company looking at that information which is available is, I don't think a violation
of her privacy and from a company standpoint, before it hires any candidate, it does some
kind of a background check. Before internet they would do it physically, they would talk
to reference or sometimes talk to people who are related. This is another additional step
or could be a substitute step that the company is trying to follow to background, to do
background check about the candidate. So I do not think the company has violated any
law in terms of privacy. Cool and also another point which we not forgot but which we
would like to stress upon again is that, this incident actually, these protests actually
happened some a decade earlier, I guess before the interview, so there was a long period
of time gap between the protests as well as the interview that is currently happening right
now.

So that is why she could not actually remember the fact that she was involved in protest
and the know, her digital presence of such protests in which she was involved in and yeah.
Any other opinion? Final call. So let me proceed with the case and as you guys already
said you guys both of you are right actually because the general takeaway from the whole
thing is that companies from their standpoint, they have their own right to do their
background screening as well internet screening policies based on which they can screen
their candidates and their social media presence as well as what all publicly available
information are present, based on them but the extent to do which they use their power to
collect such information is what, is what where the know the lines blur and moreover the,
there are two things to be considered, the extent to which they go for collecting the
information as well the second aspect would be on what rational or premise they know,
hire or reject a candidate because it should be only based on the professional reasons
based on which they are substantiating their argument. It should not be on the basis of any
personal reasons or her own ideology or belief based on which they are rejecting a
candidate. So these are the two main key aspects which any organization should be aware
of and coming to this case especially, you guys were right, the company was completely
right in their aspect to do that internet scan but when Fred asked Virginia, HR girl to
confront again, call upon Mimi, she actually hesitates and her actual words were, " We are
still studying the legal and privacy implications of internet searching practices in an
attempt to define an appropriate position for the company.

It's a bit risky letting her know that we are considering not hiring her because we Googled

242
her". Now you guys told me that it's completely okay for the organization to do a basic
Google searching but why do you guys think she's afraid or she hesitates to say that saying
that it's a bit risky, Any idea? These are, these are her exact words from the case It is kind
of a discrimination actually by the company, in case the company reject her solely on the
basis of her that Google log back ten years back, in fact a decade back but still it is publicly
available, right because personality is again dynamic and she may not be following that
thing. Yeah but I mean, the company is also writing a standard saying that if in case down
the line it gets publicized it will definitely affect their company reputation, so actually
another possibility which it suggests have you read the case is that, well it actually
suggests possibly that they don't have a well defined framework for background checking
and screening policy based on which to the extent to which they should go and how they
should use the information to reject or select a candidate. So then our main suggestion
would be to draft a proper check line or guide list because she does not refer to that
checklist but she just openly comes and conference Fred are saying all these details, so
we are just, will be coming or going over with suggestions of how a company should you
know, frame their background screening and internet screening profile and policies based
on which they can go forward confidently without consulting their lawyers and stuff. So
a well drafted background screening and internet profile screening policy should always
comply with multiple layers of Information Privacy where the first one would include
data protection regulations that are specific to that one country as well as in general,
Information Privacy and some individuals privacy right that are specific to the own state
or country and that complies with the Constitution, whatever the rights they grant and also
the local privacy laws based on jurisdiction in which the company lies.

So there are multiple layers to the Information Privacy and organization should also
ensure that they complete all the layers of this Information Privacy and since this is an
Western company, we also thought of covering the some of the major Acts, yeah yeah.
Does it is mandatory for the committee to reveal the reason of the rejection? We will be
discussing that later, that will be the second question actually. So some of the major
policies which the company or organization, organizations should comply with or which
are kind of infamous are provided below where the FCR is the Foreign Credit Rule Act,
where it comes under Constitution as well as an act which guidelines how the
organizations should use the consumer information as well as the customer information as
well as any individual or candidates information based on which they, how they assess
their credit history as well as the criminal records and how they should not be biased
towards which they're using their information for and infamous GDPR as you all know is
a general data protection and regulation act and the key point to be observed here is that,
any organization that is using the information of European Union citizens alone, should
get their explicit concern from them before doing their background check and information
policy that is, they should let the individual or make them aware that they would be doing

243
a background check on them, which does not, so we can understand the extent to which
EU goes to protect their information privacy of their own citizens and EEOC is the Equal
Employment Opportunity Act based on which you know the organization should not
discriminate on basis of any particular attribute as such and NLRI is another such
important act which is National Labor Relations Act based on which it actually protects
the employees in an organization to conduct their own protests and you know to take part
in such activities related to workers unions or any other such protests and the organization
should not cite such activities and you know, reject or you know, have fire a candidate.
So this has some sort of relevance but this is more in the western region and HIPAA act
is another important Act which actually protects the personal health care information and
it actually guidelines and it actually prevents the organizations from you know, collecting
health, personal health care information data of their employees or individuals or even
customers and you know, what there have been many cases of instances where you know
organizations have used, breached the HIPAA Act and where they have collected the
information of such candidates and customers and based on which they fired the
candidates. Because in some cases, there have been some candidates with serious ailments
and but which did not matter at that point of time but down the years down the line, that
might affect the productivity and in turn might affect the organization based on which
they know rejected such candidates and after the candidate got to know that he actually
sued the organization where it went into some very serious legal proceedings.

So it is such Act where the company should be aware of and should comply with and
other state and law which you need to be aware of and some other key suggestions would
include the organization should limit their internet search to publicly available information
as you already mentioned and should avoid candidate's private spaces, like you know,
they are stalking their you know their social media accounts like Facebook or Instagram
to a deeper extent, especially when it was, if it is in private profile and the information
should be always relevant to the opening position. Where whatever information they are
collecting and moreover they should also be transparent about their process and a good
suggestion would be to let them know the candidates that they will be obviously doing a
background check as well as an inform internet screening policy based on which they
would be scrutinizing their social media presence and all such stuff. So the company needs
to ensure a proper screening policy which they will have based on which they can confront
Mimi and ask. And now the second question would be, I will just quickly go through this
HR question. Do you think Mimi be hired or not? And these are the possible options
which you can see in the suggest screen and which option do you think will be suitable in
this case? She should be hired in case she deserves it.

Yeah but what if in case of any problem or how the company should deal with, how
many? I guess irrespective of her political ideology she should be judged based on her

244
expertise for the job and if she has the qualities for which are required for the expansion,
then she should be hired. So which option would you ideally suggest? One, two or three?
You can just say loudly. Okay, hands up vote for three. So ideally we came up with option
three, where they can confront Mimi because they obviously want to hear their side of the
story as well. And another information to be noted is that not everything in the internet is
true.

So there is a chance of it being falsified or you know, it being fake and it being
manipulated. So it is always right from the organization point of view to hear the other
side of story and you know confront Mimi and then take a decision of know, how to
proceed with her. So yeah, now I hand over to Anna. Now that we have seen the company's
perspective being the employers of organization, of future employers of an organization,
let's see what we should be prepared of in this digital era. So after hearing this case and
being aware of what the companies do, you're almost sure that almost hundred percent of
the companies do background check of our digital, you know social presence.

So if there is something that is embarrassing or negative about you, that you would post
it say, ten years back after listening to this, you don't just go delete your account because
erasing your profile, we found that in a survey one out of five employees suggest that
while searching for an individual if they are not able to get anything related to that
individual online, they think that the individual has something seriously to hide from
them. Hence there is much, less likely to hire that particular candidate. So the best thing
is to clean and have a good presence in the digital world. So use social media to your
benefit, since that you know they will be doing background check, make sure that you
post relevant data and also your achievements about you, about a professional life in a
much cleaner way in the social media and next as the case suggests, We Googled You,
make the mantra you Google yourself at least frequently, say after a few, like in a few
months duration, just Google yourself to know what is there, something bad that has been
written about you on the internet. Also professionals suggests that you keep an Google alert
of on yourself, so that if by chance anything is written about you, anything pops up, you
will be one of the first one to be aware of.

And also the present strategy that we see is that many employees create multiple or
separate social media account, one is for the professional setting which is public and other
is like the private locked one which is just, which just has friends which are very close
and your relatives. And lastly, most important thing, be mindful of what you post, say
anything that is being online is, will remain there forever, even if you are deleting it. So
be mindful of what you're posting and hence with this we conclude. Hope this was an
insightful presentation and made yourself aware of your social presence, digital presence
on internet.

245
 With this we conclude. Thank you .Yeah, very good job of presenting the case, bringing
all the facts that is related to decision making and you gave three options and you chose
the third option. But I am a bit concerned as to, even if you confront Mimi, it's going to
be one or the other, right. She says well, I was an activist when I was studying in Stanford
or wherever, I did all that and that's what I believe. But her credential standards, you also
find she is one of the most suitable candidates to lead a new business in China.

She knows Chinese language. She is an MBA from Stanford, she has similar work
experience, she Is a female you know, it's all positive. And as you said if she's not hired,
competitors would hire her and she would definitely contribute to the competitors. So
that is plus side but I don't think you are seeing the other side completely. As to, if you
decide to hire her after doing all the credentialing, it is there in the public domain that she
has done anti China activism. Yeah, so in the third point Google yourself and I was
checking, there are companies that can actually help you to erase whatever is there on net
and to bring up a good image about yourself.

So the company is actually willing to hire her based on a performance and credentials.
But there is actually inner party, inner organizational politics here. The HR manager and
CEO are not in good terms. So HR manager is trying to, because it is Fred's person you
know, Fred is trying to bring his person in, which the HR manager doesn't want. So she
would be negative about anything that, if she will not allow that to happen.

Where are you raising? Yeah, yeah, yeah there is. Organization is a complex entity you
know. So it's not very smooth. Even we wanted to discuss the possibility of, branches of,
for that particular solution, which is to confront Mimi and take a decision. Where the first
branch would be, as she told we can either try to remove such post wherever there to know
directly, since it was mentioned it was some news article and some Facebook post, we
can directly either ask the channel to either remove or edit the post or something of that
sort or we can try to again build up a positive image over the social media presence by
writing good about the Chinese government or how in general, by taking diplomatic
standpoint and making that more visible, compared to the old, earlier her involvement in
protest and other activities and the second branch or second suggest suggested alternative
would be to, not let go of her, but keep not at the same time, not permitted to go to China,
by keeping her in US and let her handle the overseas operations of taking some strategic
decisions of how the store should open, how she, how they should relate to the culture,
local culture and everything.

So basically they may, the organization can keep her in US, under Fredo in the same
organization where she will oversee the operations of how they are expanding into China

246
and then you know, years down the line, of seeing how the climatic standpoint of, how
liberal or communist the Chinese government is, they can plan to you know, push her
down that side. Yeah but that may defeat the purpose because she is being hired for China.
It is not doing anything because the local culture is what she is familiar [Link]'s where
I felt that, we felt that we need to reach a middle one because we can never say that, yeah
we can take we cannot take a leap of faith by just hiring her even though she has some
bad influence in the internet digital profile. So we can just confront her and just negotiate
or reach a middle ground saying that, you do have a lot of opportunities inside, let and
she's an expatriate, though she does want to work there but still she's an expatriate.

So she might be okay with you know, working overseas and then going there to deal
with, that's what we came up with. But you must also keep in mind that governments are
very very very, what do you say, I mean, you can put it as a hyperbole, in the sense they
are very negative about individuals particularly Chinese government, who question their
authority, it is an authoritarian government. It is not democracy, you know the Tiananmen
Square event, do you do you, so they just crack down and kill students who protested
against the government, that's it. So there is no place for protest in China. The government
decides and it is authoritarian and anyone who questions their authority is not welcome
there.

Just like Indian government is how, you know how difficult it is for a Pakistani citizen to
come to India? They, currently we are holding a conference and there is a Pakistani born
German citizen, the German scholar but parents live in Pakistan. You cannot come to
India. Government has made it almost impossible for such a person. If you have origins
in Pakistan, even if you are the citizen of another country, it has to be informed to the
government and then government works with the German government and delays and
almost denies.

So this is how governments function. So one is the credentials, as you are suggesting. If
the candidate is good, you should select. You know that is very straightforward but the
other is the political side of it. So both you know, you call it legitimacy of organizing, for
an organization to function legitimately in a place, one has to look into both.

That's what, that's the complexity in the case. So you are actually exploring via media
options, hire and try for some time, train her you know, put her on probation. So these are
possibly options I can think of, all right. Thank you.

247
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 10
Lecture: 28

So, good afternoon and welcome back to Cybersecurity and Privacy course. So we have
slowly moved from the cybersecurity space to information privacy space and well, we as
we go we will observe that a lot of concepts are common but privacy seems to be a
concern, right. Privacy is a concern as I presented yesterday, particularly information
privacy concerns. Individuals and groups and organizations are concerned about their
personal privacy as well as their information privacy. So how do you address that privacy
concern? So a focus of cybersecurity is to address privacy concern. So how you address,
how well you address, how badly you address, all that is part of the information privacy
domain and therefore both are closely related and today as part of this, today's session we
have a case for discussion and that case will show us how cybersecurity and information
privacy are closely related.

And what should organizations do and what they should not do and that will highlight
and also teach us lessons that as future managers, you should learn about cybersecurity

248
and privacy. So today's topic, with today I want to start discussion on the need for
regulation, okay. So privacy exists at the individual level and it, when it becomes
collective it becomes groups or organizations or industry, industry domains and then
country, okay. So certain instances of breaches will teach lessons to government as to, if
certain breaches can affect millions of people, okay then the government should be
concerned.

it is not one individual who is affected but there is a pervasive effect of privacy breaches
on individuals. So it also brings to light the fact that organizations are storing citizens data
and role of government is the welfare of citizens . So therefore if the industry is not
regulated then people's welfare will be affected. So that is the aspect that we will see in
today's session as well as in today's case. So let us move on.

I hope we start with the old country song, Eagles fan here, in the of course, this is a song
of the 70s and it got Grammy Award and in my college days, this used to be very popular.
So when you walk through the rooms, you hear the song playing and it is sort of you know,
it is a lovely song and it is a lovely, it talks about a lovely place called Hotel California,
it is a lovely place. So you see the, how the lyrics end, you can check out anytime you
like but you can never leave. In business or in management literature, we call this lock-
in, right. There is something called lock-in, you lock into something, you enter there and
once you enter, you cannot leave.

So you know many products and services are like that. So lock-in is a part of digital
products management. You see, why you go to Amazon all the time or why you have your
preferred bank, why you have your preferred mobile service provider. Because you are
locked into it, you know. There is a switching cost, when you actually try to move from
that service or that product to another, right.

So the switching cost is inhibitive or prohibits us from moving on and so is the world,
the world, the world of the web or particularly the social media you are actually locked in
there and even the social media platforms also do not want to actually let you go, okay.
They will not let you go because your connections are so strong there. So oftentimes we
are in Hotel California when we are in the, when we are in the digital world. Okay, we
thought we could sign out anytime but we are not able to sign out . So lock-in is built into
the business strategy of platforms, large number of participants and participation is a
important part of building any digital platform.

You look at Facebook or you look at any of, not just social media, even operating systems.
Okay, you find it difficult to change from one OS to the other, it is a lock-in strategy. So
therefore certain information that you have disclosed about yourself and certain

249
connections that you have made, it is forever. So there is a, so you can choose not to go
there, you can choose to be anonymous. I know I have friends particularly in Germany
who do not use any social media.

One of my colleagues in Information Systems with whom I collaborate, does not have a
WhatsApp, does not have any of the social media use at all or accounts at all, that is one
choice that you make. You do not want these services, you can opt out of email as a whole.
You do not need to have your cell phones also. You can still be alive and live, right. We
have lived that life also, you know for several decades.

So all these are actually necessities that is, you know created for you and you actually
get in there, choice is yours, okay. Whether you want to share your data to get a service,
whether you want to give your search key to Google or not, is your choice. Once you
give your search key, Google knows what you are searching for and it is linked to you,
what you are actually looking for, and that is your choice. So what you search for, is a
part of your profile. So therefore disclosure is left to the individual as this cartoon shows.

I like privacy but it makes it difficult to enjoy life, right. We can still be alive but we
cannot have a life, right. That is what, that is how businesses define life for us or very
shrewd entrepreneurs have thought through what your needs are and created systems for
that and created exchanges for that purpose. Well, yesterday I talked about one of the
matrimonial sites, okay that is where you share a lot of personal data and have you ever
read this fine print of a privacy clause, the clauses in the privacy statement which you
clicked. I agree you have to, of course press that radio button and it is a long statement,
okay.

So if you read the fine print, it will read like this, With respect to content you submit or
make available for inclusion on publicly accessible areas of the site including but not
limited to your contact details, you hereby unconditionally and irrevocably grant to Shaadi,
the license to use, distribute, reproduce, modify, adapt, publicly perform and publicly
display such content on the site and [Link] center members from time to time. This
is sort of perpetual agreement with them that you clicked, I agree you did not pay them
anything, right. What you give them is what, it is a exchange, where you give your data
and they give you service. Gmail is free but in business you learn there is nothing free.

There is no free lunch, somebody pays. So sometimes these exchanges are not monetary,
right this is you know, non-monetary exchanges is a part of digital platforms. So that is
why we saw yesterday that it is difficult to challenge or difficult to win a case of data
exchange with corporations in the court because you have agreed. Legally you have agreed
to the clauses and they have evidence for it. But the other side of it is, you know it is like,

250
well they have made all that statement in a long privacy legal document which you do not
have the time to read, one because you have some need to gratify, you know economists
call it immediate gratification, you know, you are looking for some service and you are
in a hurry.

You want to connect with someone, you want to, you know my friend has it. I also need
to have it. Who cares, what is privacy statement ? Click, then you went on. So nobody
has time, immediate gratification and that is something that is exploited by platforms.
They know that you will agree and a study by Luca and Bazerman, both are faculty in
Harvard Business School and they recently brought out a book on online experiments
which I read.

So I came across this facts which they present, takes 76 working days to read and
understand, a typical privacy policy. So you may read some of it but you will not
understand because it is legal language and you are not a legal expert. So there it is a
technical language which is difficult. And number one and therefore you have no choice.
If you want the service you just agree.

It is by design like this. This is an issue which is one sided, you know privacy agreements
are sort of one sided documents. Regulation is trying to accept it because it is not a fair
play. A user has to agree without understanding what it means. And of course, that is a
need but it is not fair, there is a issue of fairness here.

That is why somewhere there is a need for regulation and when we discuss GDPR as we
go, we will say GDPR actually tries to address this issue of, you know unfair exchange of
information. And these scholars also found that they report a number of online
experiments platforms too. When you actually sign into your Facebook account, you are
a participant in their experiments almost every day. They are actually testing out, which
where you go, which profiles you spend time on or which advertisements you respond to
etc. They are constantly observing but actually in experiments or in any research which
involve human subjects, they are supposed to take your consent to participate in an
experiment or a survey.

It should be an informed consent process but they do not. And again there are legal
safeguards in their favour, for example in experiments if you actually tell you, it is an
experiment then the purpose of experiment can be defeated. Now this is one side of
privacy and the legal safeguards for privacy etc. But on the user side okay, you see there
is absence of regulation or regulation is still evolving and you also see that it is in favour
of corporations to actually exploit certain, certain needs or desires of individuals which
they can actually exploit using these platforms. So there is a question of fairness there but

251
on the other side very few people, very few people want to be let alone.

Privacy is the right to be let alone but actually you do not want to be let alone, you want
others to know about us. You know that is the sort of, yeah that says that is a social need,
the need to socialize and that social life is moved from physical to virtual, you know that
is what we see but the need to socialize is basically human need. And they, so human
beings also want to make selective disclosure. What is your Facebook profile, what is my
Facebook profile, do people know about what I am really, do I disclose that, you know
you have a selective disclosure, and that is to make an impression or a statement about
yourself, you want, what you want to be, right. And so the platforms have to be designed
in such a way that it fulfill your need to define yourself in a way that you want to do it
and in that need, in that sort of strong desire, you actually end up disclosing a lot of
information about yourself.

So the another scenario is you know, you when you go for buying things, be it online or
be physical stores, there are loyalty programs. So today you do not need a loyalty card,
you just need to give your cell phone number, That is your primary key, you know against
which, you know they insist often that you share your phone number with the retailer but
is it mandatory? I do not. I stop sharing. I said No, I do not have a phone number. So then
you still can buy but sharing that number is up to you.

The moment you share that number, next time when you go they are actually keeping
track of what you buy. So buyer's behaviour, your preferences, all that constitute your
profile. Now if you have a loyalty card or a, you are a member of a loyalty program, say
of Titan, for example where I am a member. So they actually accumulate certain loyalty
points for you and then you get some discount or you know you get some money back and
so you have signed in, wherein you have disclosed your information. Sometimes Adhar
number, sometimes phone number and some basic descriptive data about yourself.

But who compels you. There is no compulsion. Can you, it is a request. You sign in,
Why you sign in? Because you get some benefits and all benefits, some comes at a cost.
The cost is, they are actually monitoring what you buy. So there is data about you that is
involved in any loyalty program.

You get bribed to share your data, the discounts that they gave or the benefits that you
get is a small remuneration for letting them know you. One is they are able to offer you
services in a targeted way. In the sense, they understand your preferences and recommend
products for you. The other is, data has a monetary value and they can actually sell your
data. So many retailers in the United States, I have read, make more money from data
than from their products.

252
 So we agree because we need service. They use your data, make money out of it but when
you get to see that, in the moment you are affected by the trade of data, then you raise
privacy concerns. Otherwise you do not have a concern. So this is known as privacy
paradox. People want both. You want both, you want to experience service, you want the
best email experience from Gmail and they you want them to give it free to you which
obviously cannot happen.

They want to share what you write with advertisers. They want to make their money. So
an individual may not be reading your emails but the text is scanned to understand what
you are actually writing, you know. A lot of analysis is possible with emails.

So they make their money with your data. You want service. So it is a, it is designed an
exchange and therefore there is a paradox. It is conflicting to claim privacy when you are
actually getting something using your data from a service provider. So to sum up, personal
experience and privacy, these are conflicting needs. You want the best personal experience
in online services.

At the same time, you also want privacy which is not possible, okay. If you have to take
something from the top, you raise your hand, something falls off, right. So this is known
as privacy paradox. Now can this paradox be resolved? No, that is a difficult question.
So you give your, share your identity and you get certain privileges and it is your choice.

It is your decision whether you want the service or not. But what is worse is when it
comes to government, when you are citizen of a country there are certain mandatory
disclosures that government will require and government's point of view will be that in
order to secure you in a country, we need to know you, and therefore you cannot
completely hide yourself anywhere in the world. And that is what Derek Smith, CEO of
Choice Point said when his company, today we are going to discuss another case which
is similar to Choice Point, a credit bureau whose data breach happened in 2005. Today's
case is about 2017. This was way back in 2005 which actually again brought the issue of
privacy into public debate and into policy making, into regulation, everything.

So Derek Smith was under fire that time and he said and many people started criticizing
the industry itself. This credit bureau or organizations which collect, process, profile and
sell information about individuals, which corporations need for credentialing and many
other purposes but the industry itself is fake or not fake industry itself is illegitimate
because they are storing individuals information and they are not able to protect it. And
so individual identities should be kept anonymous was a argument and to which Derek
Smith responded, you have a right to privacy but in this society we can have a right to

253
anonymity. Right to privacy and right to anonymity are two different things. You have a
right to privacy but you cannot be anonymous in a planet.

You have to belong to some country, right. That is how we have defined our territory.
We have defined territories. In the colonial era, the British try to make most of the world
theirs. But still, then it is you belong to one of the colonies. So you have some identity,
you identify with some territory and that is how, that is how humanity exists in the world
and therefore you cannot be anonymous anywhere.

For yourself to be affiliated and to enjoy the privileges of being a part of a country, right
. You enjoy a lot of privileges when you belong to a country, when you belong to an
organization but if you have to get that, you have to say who you are and some basic
information needs to be with the government. So that is, that that is the other side.

We fail to see that sometimes. Now Right to Anonymity. So what is anonymity? So we

need to have clear clarity about some of these concepts. What is privacy and what is
anonymity, okay? So okay, let me not put that question to you. So before going into
defining or understanding these concepts of privacy and anonymity and secrecy and so
on, let us also understand what is personal data and personally identifiable data, okay or
personally identifiable information? PII, often it is called. Personal data is any data that is
related to you which is yours. Okay, your name, your age, your place of birth, your
address, your cell phone, all this is personal data.

254
 Okay and personally identifiable data is data that is able to uniquely identify, okay. You
must have discussed this in databases, right. There are certain attributes that uniquely
identify, right not all attributes. Like your name is not a unique identifier, but your name,
when you actually combine certain attributes, it can become a unique identifier. So such
identifiers which are not uniquely identifiable are sometimes called quasi identifiers.

Your name is a quasi identifier but you give your age, give your address, okay when you
link all this, it can you know, almost distinctly, almost, not may not be 100 percent,
distinctly identify you. So there are algorithms to identify people from whatever data is
disclosed, you know by linking. So identifiable data, so email, cell phone etc are very
much identifiable data we have seen this right. So the data points or the attributes that has
the potential to uniquely identify you or partly identify you, they are identifiable data. So
some of the concepts regarding PII, we will discuss when we discuss GDPR as a regulatory
document.

255
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 10
Lecture: 29

Now there are some related concepts as I said - Anonymity, Secrecy, Confidentiality,
Security. These are sort of confused sometimes, so I have taken these concepts from my
research paper. So, anonymity is the ability to conceal a person's identity, individuals can
choose to be totally anonymous, pseudo anonymous or identifiable. Recently there was
a discussion about sharing Adhaar number with business entities and since if you share
your Adhaar number directly, business can actually misuse it or use it as your
identification. For example, go for a telephone, a cell phone service, you give yourself
Adhaar number, they can actually use it for, you know profiling you. So, to prevent that
Aadhaar came up with the idea that they can actually create a pseudo identifier or a number
which is not same as the Aadhaar number, but it should be issued by Aadhaar.

Aadhaar can link that number to your number, but a business entity cannot or somebody
else cannot. So that is pseudo anonymity, but pseudo anonymity is not pure anonymity
because an agency can reconstruct your identity. But in any case when you hide your
personally identifiable information and then that is called anonymization or anonymity.
For example, you are a student and I want to analyse how well the class is doing, in terms

256
of your academic performance.

Now the class says no. Suppose I am not the faculty, somebody else wants to do that. So,
you say no, I do not want to disclose my identity, you want to see how the course is doing
or how academics is doing, you can just look at the grades, but do not link it to the
individual. So, what I, somebody ask for with your permission I will say, I can give the
marks of all the students to you, but I will number it as 1 2 3 4 5, I will not give your
name, roll number, email id, anything that is personally identified, I just give the specific
data or the attribute that is of interest, ok. Your grade is not a personally identifiable data.

It is a fact you know, it is a measure or a fact you know. We discuss fact table measures,
right. Measure is something that you know organization wants to analyze and that is not
identifiable data. So, I can give the measure. I can anonymize you.

And now you can imagine how data mining or analytics, this concept is important, you
know a company needs to share individual data. It is important to anonymize individuals
to protect individuals identity, ok. So, there is, there are actually anonymization
techniques. I will discuss that in the next few slides. Secrecy is intentional concealment of
information, where you not only want to be anonymous, you do not want to disclose
anything to someone and you also can mislead people, ok.

Then there is confidentiality and security. In the next slide where I have a, I have a four
quadrants a 2 by 2, the x axis being accuracy of personal information and the y axis is
about amount of personal information externalized or shared, ok. So, based on that you
can understand this four concepts of secrecy, transparency, anonymity and confidentiality.
So, the fourth quadrant is the quadrant which is high on accuracy of personal information
and amount of personal information, ok. That is your 100 percent transparent, ok.

So, so we say public institutions should be transparent, there should be nothing concealed.
So, you share almost full information accurately, that is transparency. The opposite of that
is secrecy. You do not want to share like countries . So, they may actually share
information which is not correct or miss, it could be misleading also.

In order to protect your actual information and you do not share any extent or any volume.
So that is secrecy, ok. So, secret is a, is a problematic method or a status. We have personal
secrets. So, we may hide that somehow from others or we may try to mislead others as
well.

Anonymity you can see is the first quadrant where accuracy of personal information is
low, but you may share a lot of information. Like in data mining, it cannot be accurately

257
linked to you. You may be sharing all the information, all the facts about what is going
on like your grades, but personal information is very limited, it is not personally linked to
anyone. That is the anonymity part. The confidentiality is the other way.

You do not share. Certain information is confidential, ok. Therefore, you make the extent
of sharing limited, but when you share, you share the complete information with, you
know identity. That is one way of understanding these concepts. Confidentiality, secrecy,
anonymity and transparency, but keep in mind that confidentiality is typically used in the
organizational context.

Privacy is typically used at the individual level, generally in literature. So, let us
understand anonymity. There are some browsers which offers anonymity, you know in
browsing, incognito browsing. Each, each browser has its own terminology. Private
browsing, incognito etc.

But what is that mean actually? Does it ensure anonymity? Service provider knows ok,
but who does not know? Yeah, yeah, yeah, yeah, yeah the local machine that you use to
browse. If you do anonymous browsing, it does not keep a history. It does not keep the
passwords, it does not track the history. When you actually exit from that browsing, there
is no record in the machine, but as he rightly said, the service provider knows the sites
that you accessed, ok alright. So, it is sort of providing anonymity to some extent ok,
when some users want it.

So, as we said there is also privacy preserving data mining, which is an important topic
when it comes to analytics, data analytics. Because companies collect and store large
amount of personal information and this personal data, if it is shared with an external
entity or if when you outsource analytics ok, it is going to a data processor. And in order
to protect individuals, it is important to hide identity of individuals from external service
providers. When the data, the data collector or the data owner is conscious of the issue of
privacy. So, therefore, one needs to anonymize the data, ok.

So, there could be total totally anonymous data sharing, there could be pseudo
anonymous, we talked about it or identifiable, where you share the full information. So,
in privacy preserving data mining, there are four, three methods broadly. One is
randomization, second is anonymization and third is encryption. There are three main
techniques for privacy preserving data mining. Randomization is rather easy to
understand, ok.

So, the data provider or the one, the data collector, the one who is the, has collected and
stored the data, when it is shared with a external agency or data analyst or a data processor,

258
you, before you send the data to the data processor, you randomize the data. So, as given
in the last paragraph, if xi is the value of a sensitive attribute, you add a random term ei,
ok. So, what the data processor receive is not the same data, ok. It adds a random value
to that data, where ei is a random noise drawn from some distribution, ok. So, maybe the
data processor receives a distributional property of that data, but not the exact data.

That is randomization. So, randomization is one technique where data processor does not
receive the same data, but a randomized data with some pattern, ok. But what is more
interesting for us to see is anonymization, ok. Anonymization, I have taken this from a
research paper by Sweeney published, Sweeney is from Harvard Business School and this
paper discusses a concept called k-anonymity, ok. Just like you have k means clustering,
in cluster analysis, there is a k-anonymity and look carefully at the definition of k-
anonymity. K-anonymity is defined as each release of data must be such that every
combination of values of quasi identifiers can be indistinctly matched to at least k
individuals.

So, essentially saying that k has a value, ok. Suppose I ask you your name and your, your
roll number, give me your roll number, you are uniquely identified. That is distinct. You
are distinctly identified, but I do not ask your roll number. I ask you where is your place
of birth? Where is your place of birth? Maharashtra.

Maharashtra, he just said Maharashtra, Maharashtra. Which year you are born? 99. 99
sorry, ok. So, are there any people from Maharashtra here, any other person from
Maharashtra or no? You are uniquely identified and with 1991. Suppose there is one more,

259
one more person from Maharashtra here, who was also born in 99.

Since I am not distinctly identifying you, I have some quasi identifiers, but the problem
is with these two quasi identifiers, there are two people, ok. The k becomes 2. These two,
these two attributes together can be mapped to more than one person which is 2, k becomes
2. Suppose I make it even more blurred, then it may map to three people I just say where
are you born ? Maharashtra. There are, say it is a large class, there are eight people from
Maharashtra.

There is some identification still, but it has anonymized you to k extent. So, that k is the
extent of anonymization. Look at these two tables. They actually illustrate this concept.
In anonymization or in k anonymization there are two techniques.

First technique is called suppression, the second technique is called generalization,

suppression and generalization. So, compare table 1 and table 2. Can you figure out what
is suppression? Table 2 is the anonymized table, table 1 is the original table. So, it has
employed two techniques. Table 2 employs two techniques, suppression.

Suppression and generalization, can you figure out these two? Suppression, a column is
completely removed, right. You do not find the name column in table 2 at all. So,
suppression means completely removing a column.

It is suppressed. It is removed. Some, it has the potential to identify a person uniquely or

you know closely. Therefore, that column is removed, but it also applies generalization.
Can you compare the birth column in table 1 and the birth column in table 2? Yeah, yeah,
yeah, yeah, it has generalized the date of birth. It has removed the date and month it only
gives the year ok. So, it is an attempt towards anonymization, not complete
anonymization, but anonymization.

You also have to run this idea in mind well analytics, for analytics to be effective, you
need some characteristics of individual. So, it is trying to share, well this person was born
in this year, but we do not say the date of birth. That may actually lead to identifying the
person. So, it is trying to strike a balance between what value you can generate out of
analytics, at the same time it does not become identifiable. So, generalization is an effort
towards that, year is disclosed, but date and month are not disclosed.

That is generalization. You can see that in zip code also, right. Basically it is generalizing.
It may give a sense of which area one belong to or which county, I do not know, but the
last digit is removed, right. So, two techniques are used in separation and sorry two
techniques, separation and generalization for anonymizing.

260
 Now look at the first record in table 1. It pertains to an individual called Alice. Alice of
course, race is not disclosed, date of birth is given, sex is given, zip code is given. These
identifiers together makes a unique, there is a unique record for this person. And this
person's fact or measure is that the person has a disease called flu, ok.

So, person is sick and the sickness is flu. That is a sensitive data, but it can be identified
with the rest of the identifiable data, ok. Now when it comes to table 2, you see there are
two people. Blank the first two records. You know blank 1965 M 0214, blank 1965 M
0214, the identifiable data is the same. So, therefore it is, you will say who has flu, it can
be record 1 or record 2, ok.

The sickness flu can be attributed to two people. You look at the definition of k
anonymity. It can be indistinctly mapped to two people. k equals 2. Actually this table
anonymizes and it and makes it possibly linked to two people, not one person, ok You
can give the same interpretation to other records also.

So, the purpose of anonymization is to remove that unique identification of certain fact
with an individual and it tries to anonymize using anonymization techniques, suppression
and generalization. And in practice you see that, right. In anonymization is something that
you come across in your Aadhaar number, if you have a wallet, the last 4 digit, ok and
your credit card information 6709, ok. There are more data. Is it what type of
anonymization is this- is it generalization or suppression? When you remove, when you
show only 4 digits of an Aadhaar number or a credit card number, then you did not get it
right.

In suppression you remove a column as it is. You completely remove it. You look at the
zip code, ok. That zip code is generalization, you disclose it, but you remove part of it .
Or the date of birth, only the year in a similar way.

This is generalization This is generalization. You remove a part of it and disclose, only
a small part. But these techniques have limitations. When you have certain quasi
identifiers, you can also collect more data about those records and link multiple records
and create make you uniquely identified. That is known as linking and that is what
analytics does in many cases and there are algorithms for linking which can very
effectively create identities for individuals, especially in several context like medical or
for government. So linking is a, is a particular algorithm in data mining for reverse
tracking the identity of individual, when identity is anonymized.

From anonymity you can actually link more data and create identity and that is known

261
as linking. The last slide, risk versus the last, but one slide, risk versus utility of data,
known as R U maps . Risk and utility is a trade off. Privacy is a risk, there is a privacy
risk. When you disclose complete information, there is a disclosure risk and that risk is
very low when your disclosure is less, ok.

When you completely disclose, your risk goes up. But when your risk goes up, you can
see when you move towards this part of the graph you look the you can see, you can see
here the risk is going up here, ok or privacy is very low. But the utility from the data is
very high or analytics insights are very high ok, but if you actually anonymize data, you
move towards here , what suffers is the value of analytics. Especially you cannot profile
customers and you cannot recommend products because you do not know who the
customer is, at an individual personalization is not possible, ok. So there is a trade off
between risk and data utility and that is where you saw the generalization where it
generalizes to some extent, but it does not completely remove your identity. So you need
to act somewhere, operate somewhere here, so that the value of analytics is not completely
compromised or diluted.

At the same time, privacy is protected, ok. So this trade off is illustrated in this graph,
risk versus utility of data. Yeah, so our aim today is to understand given individuals and
organizations and concern for privacy and organizations need to deliver services
effectively, how this sort of need to balance two aspect, need to be done at the country
level at at the governance level and that is known as regulation, ok. So there are privacy
regulations that is still emerging in different parts of the [Link] OECD regulations
came, the FIPPS was the first. We discussed that yesterday in the United States, these
were guiding principles.

262
 This was not a regulation. These are principles, Fair Information Practice Principles, ok.
In a similar way, even in European Union there was no regulation till 2018. It was only a
directive, EU data protection directive, not a law, not a regulation. Regulation means it is
enforceable by law, but in 2018 it, the directive D got replaced by R, it became a
regulation, that is 2018. So you can note that the world is changing in terms of regulating
data, regulating data because of the, you know the huge digital data storage and flow that
is happening, it has become a necessity.

So in the United States as you will appreciate, there is no one regulation that is binding
or that is overarching for all exchanges of personal data, but they have domain specific
regulations, like the HIPAA for healthcare data, ok. So for several domains, you will find
different guidelines and regulations and this also vary from state to state. US is having,
the states have the right to have laws to their own state laws and that also brings an another
dimension of complexity, in the US. So, so you will, you will see this landscape is very
different but there are certain common attributes. Maybe GDPR would be a very broad,
very broad based and this is something most countries are trying to emulate, including
our country and some states in the United States also.

So we will actually focus on this in the next two sessions. Tomorrow, next discussion
will be on GDPR and subsequently we will look at the Indian context of privacy and
security and we will get more insights, along with certain case studies. So today we have
a case study which is from the US because we are focussing on America in today's class,
ok. So along with the case, you also see some of the limitations. because there is no
country wide regulation, alright.

So I will close here. Any questions? Ok. So I will hand over the session to the next group
to present the case and discuss the case. Of course, it is a fairly detailed case and it is
very challenging, but I am sure you are prepared, alright. Thank you.

263
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 10
Lecture: 30

So, a very good afternoon to one and all present here. So, we group two, are here to
present about the data breach at Equifax. So, Equifax is basically a credit reporting
company and it has all the information that we discussed today, has personal data collected
from customers. So, let us see how such a big company faced a data breach. So, brief
about the company, the company was founded in 1899. So, the business is basically credit
reporting.

It is located in the United States, but serves customers across the world. So, basically
like any credit reporting company, it collects customer data which includes their income,
information about their income, employment, etc and processes it and also gives results
regarding the credit worthiness and credit rating of the person or the institution. So, we
have heard about CIBIL, we have CIBIL scores. So, this is very similar to that and the
company goes by the slogan that 'Powering the world with knowledge', through the data
that it has.

264
 So, the company has a gross margin of about 90 percent and serves about 820 million
customers and 91 million businesses. So, the company is divided into three basic business
segments. One is the US information services. So, this segment is basically concerned
with collecting the customer data. So, it has online information services, mortgage
services, mortgage solutions and the revenue that is earned is through the sale of the
customer and credit reports of commercials.

The next segment is the workforce solution segment and this segment gets data from the
first segment that I mentioned, which is the US information services. So, the customer
data which is sold to organization, so they generate individual employment and income
history and they also provide other services such as handling unemployment claims,
employment tax credits, etc. The third segment is the global consumer solution segment
which provides credit monitoring and identity threat protection. Moving on. So, we know
that this company is like an information extensive company and it has personal data of
consumers.

So, it is very crucial for them to have a cyber security system in place. So, the company
has invested millions of dollars in cyber security measures right from 2005 and over 1
percent of their operating revenue is spent solely on cyber security measures, each year
from 2014 to 2017. Apart from this, they also had a cyber security expert as the CSO, the
chief security officer and he basically works to modernize the cyber security practices in
the company such as the cyber defenses and they also have a special squad. So, they have
a crisis management squad which they keep running, in rehearsing in case of any breaches.
So, with respect to the chain of command, they basically have two groups.

265
 One is the legal or the security group and the other is the technology group. The first
group that is the security group is headed by the chief legal officer and he supervises the
CSO, who is the chief security officer and under him there are about 180 to 190 employees
and the other group is headed by the CIO, that is the chief information officer and he
directly reports to the CEO. So, what is the relation between these two groups? So,
security group basically defines what has to be done and the technology group is
concerned with deploying the technology that the security team asks for and the security
group also has a security engineering function and they provide ability to configure the
software. So, apart from this, they have multiple teams which are specifically working for
cyber security. So, one is the GTVM which is the global threat and vulnerability
management team.

So, this team is concerned with tracking the threats in the IT system and they have
monthly meetings where they are notified with respect to any possible cyber threat that is
there. The second team is VAT which is the vulnerability assessment team and they
basically run scans with respect to the vulnerability in the IT system. The third is the
countermeasures. So, this team is with respect to implementation. So, they deploy the
code designed to obstruct the exploitation with the ongoing vulnerabilities which is
identified by the GTVM and the VAT team.

So, we have seen that the company has extensive cyber security measures in place, but
still they were exposed to a huge data breach. So, let us see what are the vulnerabilities
that they had. Moving on, Subisha will continue. So, we have till now seen how much
they have invested for cyber security and how many teams they have deployed for cyber
security measures. But still we have come across a breach in 2017, which was one of the
world's most massive breach that we have seen.

So, I have a question for you. If credit bureau's customer data is leaked, what is the
privacy risk as an individual you can face or what are the impact as an individual you can
face? Like what can be the motive behind the attack? There can be various uses of a
personal data that a hacker can use it for. It can be just to put someone into a ransom kind
of situation or it could be used for tracking purposes, it could be used, if it is health related
data, health expenses or credit related expenses. It can be used to bring certain kinds of
threats from a financial standpoint, from an insurance standpoint, from the banking
services standpoint. So, it is a variety of ways in which the personal data can be used.

You are absolutely right. So, you have... It can actually be used for, like identity theft.

So, if a person has a good credit score, another person can use the same details to take a
loan in the other person's name and then not repay the loan, commit loan fraud. So, the

266
original person will now get the indebted. You are right. And apart from the reasons
mentioned, it can also be directed for targeted ads because almost all your financial data
would be leaked if such a breach happens because when you go to Experian or Equifax
or TransUnion civil page, you go and enter all the data. For example, in Indian context,
you would be entering Aadhaar, passport, driving license, everything.

So, it poses such a grave risk. So, basically what happened is they had so many security
issues and vulnerabilities. For example, it didn't start in 2017. It started from 2013 when
many hackers could access the credit report data from Equifax. Then 2015, there was a
technical error which was caused by some software modifications which publicly exposed
so many consumer information.

And in 2016, almost like 4,31,000 employees salary and tax data was publicly exposed
and this was even brought out by independent researchers. So, in 2017, before this breach
happened, there was something called Equifax work solutions in which the employee tax
documents were being freely downloaded by the attackers. So, all this security
vulnerability was not brought into notice. It was known to them. Because there was a
cyber security firm called Mandiant which warned Equifax about its, how its systems were
unpatched and misconfigured.

And it had also hired Deloitte, to credit, to conduct a security audit which also said about
the several issues about its unpatched systems. Even cyber security firm called Cyence
also quantified the probability of Equifax encountering a breach which was about 50
percent. Another group called FICO that is Fair Isaac group also analyzed the corporate
cyber risk to be 550 out of 3 which was a range from 300 to 850. And BigSight
Technologies, it gave F grade, that is the worst for application security and D grade for
software patching. So, MSCI's research team also gave 0 for privacy and basically lower,
almost lowest rating of triple C for privacy and data security.

So, we will go into what caused the data breach of 2017. So, there was, this was caused
by Apache Struts vulnerability and basically Apache Struts is an open source software
which was used to build Java applications. It was widely used across banks and financial
institutions and it was access and Apache, they got to know that there was a publicly
available exploit in their system. So, once they got to know, they warned everybody who
were using this application. So, in this exploit, the attackers could add their own code to
the web pages, even disable firewalls, install malwares and even access servers etc.

So, about patching the vulnerability, since this was a grave issue and so many, so many
companies were using using this Apache Struts vulnerability, CERT of US department
had alerted all these vulnerable parties and one of them was Equifax. So, immediately

267
this GVTM team also got the message, but most of the monthly meetings were not even
attended by the senior officials or even the cyber security members of the Equifax itself.
So, they did not take this seriously and even the countermeasures team at Equifax delayed
their steps so much as we can see in this diagram, that is March 7th Apache Struts is you
know, telling about this vulnerability and it is having 5 months to take, it is taking 5
months to take corrective action by Equifax because that is when they come to know about
this breach. So, now we will look at the timeline of the data breach of from when it started.
So, it started on the March 8th.

So, that is when the other Cisco systems and other parties, they alert that there is a
vulnerability in the Apache Struts software, but in the March 29th, the very next day they
failed to patch the vulnerability on it is a system. And then in March 11th, that is when
the hackers they gain access to their systems and then again when they get to know then
the Equifax they failed to identify the vulnerability which is unpatched. So, that lead to
an major data leak and the hackers were able to collect the personally identified,
personally identifiable information of all the customer data. And then on July 31st, that is
when the chief information officer, he was informed about the data breach which is
currently happened. And before that, prior to that when they were able to shut down this
like, they were able to track the IP addresses from where the traffic was coming, but they
were not able to they blocked one, but they were not able to block the multiple thing.

So, they went to shut down the system and then they contact their law firm and the FBI
and they ask them to conduct an investigation into these issues. That is when they know
that they have been able to access the number of systems within the Equifax. Then the
Smith, he notified all the team members through their phone call and they would ask them

268
for an board meeting. So, when it comes then, that is when they come to an list, they say
that it is about 143 million consumers have been affected. So, all their personal data have
been stolen and it has been in the hands of the hackers and then they announce it publicly.

And that is when the Equifax, after these issues the CSO and the CIO, both resigned and
even the CEO also resigns after that. And then after, apart from this 143 million data, there
is an additional 2.5 million data also has been stolen, which they did not confirm it at the
earlier stage. And then the Smith, the CEO, he testifies before on the US government
committees and the last, the what about 10 million in the data driver license and is stolen
and about 7 million, about 7 lakh UK customers are being affected. And they had a
contract with Equifax, the IRs so it got suspended due to these issues.

So, now we will see at the breach, like what was the actual and how it has happened. So,
the hackers, that they created when they gained access to an Apache, through the Apache
Struts app software, they created an 30 backdoors using the web shells which nobody, the
Equifax failed to notice it. So, by doing so, they gained an increasing difficulty of finding
for the Equifax to identify where the breach or the door was open to it. And SSL security
certificate, that is the, it needs to be renewed between every 12 to 39 months, but the
Equifax they had always the expired, it was expired across the network. So, that is why
they were easily able to gain the access.

And then the ACIS reactivated, that is they blocked the IP address which caused the
traffic, but again and they gave the portal was open, the patch was unable to fix it. So,
again the hackers from the China they were able to gain access and that is when they went
on to shut down for the 11 days. And then the web, so he is the CEO of the Equifax. So,
he did not make clear that the PIE data has been breached at the earlier, it was around in
the month of May or earlier, like 2 years prior to that. And then that is when the Equifax
and the mandatory investigation, it happens.

So, they get to know that they have accessed the data table containing the large amount
of the consumer data. So, what kind of the information has been stolen? It is the names,
social security numbers, birth dates, addresses, email id, driver license, credit card
number, passport number, your tax identification number and the credit card dispute
documents. So, now we will see the sources of the vulnerability inside the Equifax which
lead to this data breach. First one is the internal controls and the patch management
process. The roles and the responsibilities in the patch management committee, the policy
were ambiguous.

So, the business owner, the software owner and the system owner were not uncertain,
about their roles and what each has to do in this kind of activities. And in the 2015 audit,

269
so which was conducted by the Deloitte and the other professionals, so it was said that
around 8500 unpatched vulnerabilities were there and until 2017 they were not able, it
was not a resolved or neither the systems were patched. And due to this lack of systems,
that is the comprehensive inventory of the IT systems which lead to it. So, Payne, he is a
CSO and the secretary were unaware that the ACS ran the Apache Struts. So, they were
not aware about their internal systems and the process which was happening at the
Equifax.

And in 2015 the patching was taken as an reactive measure rather than an proactive. So,
only when a system is gone down, so that is when they update the systems and make it,
like usable. So, it is more like, what is only on the request basis. So, it was not taken as
an a priority of measures. And the employees, they gave the reasons for the weakness at
the Equifax.

So, one is the technology systems were not well integrated. So, it has difficulty in
updating. So, they were, since there are lot of the systems, around 8500 unpatched
systems, they were finding it difficult to find the right patch, for the vulnerabilities for
that. And then they antiquated systems. So, update themselves, so which lead to an
operational risk.

For example, we will see that our Windows, it gets updated like, it goes for an automatic
update and your work has to be like shut down for some time until your system is back
on the screen. And they also, they did not have a personnel necessary to implement the
technologies and a process to meet the internal security goals. So, that again, it leads to
the accountability gap in the organization structure. So in, until 2005, the reporting
structure was that a CSO reports to the CIO and to the CEO. But due to an interpersonal
conflict at the, at the duration of 2005, the CSO and the CIO were independently reporting
to the CEO.

And then there was no clear communication between both the teams. Then the IT and
the security team were, there was no communication. So, it was an ineffective and
inconsistent communication between them. And that is when the Payne, he testified that
there are key vulnerabilities, but they have been not resolved until and also they did not
take any action to like, unload the Apache Struts software. And the only interaction
between the IT and the security were during the monthly meetings and the senior
leadership meeting.

270
 But those failed because they failed to identify their clear lines of accountability for
developing the IT policies and executing the policies. And the security concerns were
presented by the CLO that is the chief legal officer and none of the CSO or neither the
CIO, he has the, like authority to present all those. And the CLO, he had neither experience
nor the training in terms of the cyber security or the information security. And the third
barrier that is the technological barrier to an effective oversight. So, when the breach
happened they failed to identify and address the potentially malicious activity on the
servers.

So, they had an old, which is about 1970s that is an the only security they had, ACIS
which was in 1970s and they had not updated their systems to the current 20000s or 2015.
So, they lacked the, the ACIS system and lacked the file integrity monitoring process that
is for, it cannot scan for an unauthorization access and neither it can scan for the foreign
suspicious events which has happened in the systems and the configurations. And they
did not according to the NIST documents, the Equifax should have an log data for about
3 months, but they used to clear their log data within 30 days and they were not able to
track or analyze any of their breaches which could have happened in the past and so that
they could have taken an a priority measures. And neither they did not have a process for
an ensuring an SSL certificate were upto date throughout the organization. So, as we have
mentioned, so it was an outdated system and in January 2017, the internal audit addressed
that the concerns of the SSL devices were missing, but the problem went unaddressed and
then that is when there were 324 expired SSL certificates are on the organization and then
79 in the critical business domain.

So, all of these certificates were grouped together and the business segmentation was

271
not there within the organization. So, all were put into the same domain and that is when
the hackers got access to the systems. Now, we will look at the breach announcement
and the response. So, till now we have seen how many security vulnerabilities they had
before the breach. So, after the breach did they tackle correctly? That is what we are
going to see.

So, the PR announcement was that, was came in September 2017, but the breach started
in March itself. So, they announced the data breach publicly that 143 million American
data, people's data had been exposed and they also put out a website to help the customers
determine if they were actually attacked or not and they engaged many cyber security
firms like Mandiant to assess the risk. So, basically the steps they had taken is, they had
credit file monitoring, Equifax credit lock, identity theft insurance, then also dark web
scanning for one year. All these were provided free for one year after which, but they
these customers had to sign a controversial clause saying that they will not sue Equifax
for their data breach. So, their impact on stock prices was that it fell from 143 dollars to
93 dollars in a week which declined by 35 percent and other impacts were, as we have
already seen like driver license data, customer data etc and passport details were
compromised.

And in this the, there were some missteps, actually this controversial clause angered the
customers because they could not sue the company. Then they started charging customer
for credit freezes, then all these identity threat protection was only for one year after which
they had to start paying and the breach time was announced very delayed. And even the
Equifax twitter handle, it directed the customers to a fake website with somebody else
had started. So, even they were not very, you know did not take safety measures regarding
that. So, basically the, they had 11 member board of directors with 9.

3 year tenure and this was the only credit reporting company which had a separate
technology committee consisting of 5 members, even then this breach happened. This
technology company reviewed the company's technology investments and including all
these policies related to information security etc. So, having seen how severe the impact
has been, let us see what the fallout was. So, as mentioned earlier there was a steep decline
in the stock price of about 35 percent and the key executives- the CSO, the CIO and the
CEO as well as the chairman, they resigned from the company and lost their jobs. So,
there was also a consideration of clawing back of the compensation of two of the
employees and one of whose was the CEO himself.

So, they also had plans to bring in a new director, McGregor. So, he was a person who
was experienced in cyber security, information security and had extensive experience.
So, as we have seen in many other cases earlier, one of the key consequences of a data

272
breach is the legal implication. So, there were lawsuits and government inquiries by the
New York state attorneys as well as the Federal Trade Commission and all of them
conducted formal investigation which led to bad image of the company and apart from
this, they also had a act which was enacted, Freedom from Equifax Exploitation Act. So,
the purpose of this was to enhance the fraud alert procedures and providing free access to
credit freezes.

So, Subisha mentioned what credit freezes was. So, apart from this, there was a
investment group called Change to Win and so this was basically an investment advisor
and shareholder activism group and they provided six proposals to Equifax. So, they said
that if these proposals were not followed, then there would not be a re-election of the new
director, McGregor as I mentioned. So, what were the six proposals? So, the first one was
improving the governance and holding executives accountable. So, we have seen how
important governance and compliance is and the executives did not have proper
communication and this was one of the main reasons for the breach. The second was
removal of the chairman of audit and technology committees.

So, though they had a technology committee, they did not perform their duties diligently.
The next one was permanently separating the CEO and the chairman positions and last
one was considering legal settlements when you are creating the compensation for
executives. So, basically this committee, they threatened that if these six proposals were
not followed then they would not go about electing the new director. So, coming to the
disclosure. So, as she mentioned earlier, there was a huge gap about six weeks between
the discovery of the breach and the disclosure of the breach to the public.

So, actually US did not have a proper regulation in place for disclosure. So, one said that
it was 45 days and few others said, did not have any guidelines at all. So, what they did
was, there was a proposal of bill where they had a unified 30 day time frame for alerting
the consumers in case a data breach happened. And they also, the New York attorney also
held Equifax very strict disclosure requirements. So, they had to alert within 72 hours to
the state regulators in case a breach has happened.

So, now let us see what we learnt from this case which is one of the largest data breaches
after Enron. So, moving on to Subisha. So, moving on to the last part. So, how big is the
Equifax hack, that you can see from this diagram. So, it had compromised almost 143
million records, while in 2017 the adult population in US was 254 million.

So, almost half. So, and they had severe impact, that is profit fell by 27 percent, 90
million dollars breach related cost, 240 customer lawsuits and separate investigation by
many organizations. So, was Equifax alone while tackling this breach? Did other

273
company also face similar breaches? In 2017 alone, 3785 corporate companies had fallen
as a victim of cyber attack in the US and Cisco found that 55 percent of the surveyed
companies had a data breach in 2017. So, it was not Equifax alone and many large cap
corporations lost almost 500 million in the market capitalization for major cyber attacks
that happened on an average in this year. So, it is a question for you to ponder whether
Equifax was just negligent or just plain unlucky. Based on the details you pointed out, I
guess it was pure negligence from the Equifax too because as there were many security
lapses, like they were using outdated services and lots of even their Twitter handle was
not, it was directing to a different site.

So, I guess it was a negligence from such a big corporation and which is handling such
a sensitive data. You are absolutely correct. No technology system is 100 percent secure
that we know for sure, but there are certain basic measures which each company needs to
take to the extent possible to safeguard its data and especially if it is a company like
Equifax, which is dealing with highly confidential data, it needs to go the extra mile. But
there were gaps, like patches in the system were not put in place, security certificates had
expired, which could not detect the data packets which the hackers was taking out of the
system. From a governance and from the organizational structure standpoint, there were
various red flags that security issues were not even reaching the senior management, the
CEO had no clue because the reporting structure was such that the legal officer did not
have a background in that and the security came under the legal officer.

In 2013, there were many exits, the CSO had exited. There were a lot of exits in the
security department which was again a red flag, but no one really looked into it. So, there
were a series of issues which the organization did not address which would be classified
as negligence. Those measures should have been taken, but even then the attack would
have been there, but various measures on this front segmenting of database etc could have
helped minimize the impact. You are absolutely right. There were so many red flags, like
CERT had pointed out what the vulnerability was and they had to patch it within 48 hours,
but they had not taken any impact, any measure and also the meetings who had attended,
who had not attended, even they did not have a log of that.

Yeah, but I have a different view. See as you pointed out, Equifax was not the only
company which went through cyber attack. The point is we are doing this analysis post
hoc. Having all this happened, we have a lot of information, but when a company is on
its business, keep in mind that Equifax is not a technology company. Its main business is
data. Actually customers are the suppliers and also customers, in a business like this.

So customers bring the data and customers are given information. So that is their business
and you also see that they had several acquisitions and when you acquire companies, you

274
acquire their technology which may not well integrate with your system and some of them
may be outdated. So these are all problems that commonly organizations face and it is not
that you will upgrade all systems in one go and make it updated. So you all work with this
reality that there will be old and new systems and upgradation may take time and that may
be the case with other organizations too and that is how business function. So and they
had an organizational structure where there was a well defined CSO's role and then there
was a CIO role and they have put in place some structure.

Of course it was not perfectly functioning. So why do you find so much fault with Equifax
just because the case got documented and you have a lot of information, but that is all
post hoc. You can always find fault with the government after some decision goes wrong,
but when they are taking the decision, we have nothing to say. So I think that I would just
side with Equifax, well they were unlucky. But they could have updated the systems or
at least for smaller batches, so they could have reduced their risk. Apart from this, there
was one important reason which was regulations and after this breach, each one had
different regulations which were followed amongst credit reporting agencies as well.

So after this breach, they had unified credit reporting regulations which were imposed.
So I think the regulations which are not in place cost was one of the reasons why so many
breaches happened at that time. Also to address Sir's point, Equifax is not an ordinary
organization. It is obviously going to be a very valuable target for all attackers because it
hosts half the population of USA's information. Because it has likelihood of being attacked
is much higher, therefore the responsibility of defending it from such attacks is also higher.

They should have been more proactive in that sense. Cyber attacks happen to one
organization almost every day, but since it is not an ordinary organization, it should have
been more proactive in that sense. They cannot escape on the fact that it is a statistical
possibility that they will get attacked. And also before the breach itself, many firms had
pointed out that there are many security vulnerabilities and they had not taken so many
initiatives on that as well. We can see from 2013 to 2016, before the major attack of 2017,
they did face a lot of attacks based on the timeline. But still they were negligent from their
standpoint, I believe, in order to not update their regulations as well as the cyber security
system.

And being a credit bureau organization, I believe that they should have taken such
necessary standards. Even if they were late to the party, they should have been a forefront
in having such systems in their hands, I believe. Should we have been more like, it should
be classified as a critical infrastructure, like what we have in India, CIA designated
organization has to have high level of cyber security protection. So this is one of those
organizations. And also maybe out of the 3,785 organizations, like none of them might

275
not have this amount of data.

Maybe that business operations might have been different. So considering that maybe
the Equifax should have been more addressed, they should have addressed it at an earlier
stage, when the patch went unnoticed. So any other questions? Should we adapt this is
based on trust and faith of the customers? And in fact, once they came to know that the
breaches happened, then also they were not showing any kind of, you know, sincereness
or sincerity in their approach, delaying disclosure and all and again charging fees for their
freezing and all those things. So we cannot say that they are unlucky.

They were in fact to gross negligence after the incident also. Yes. So okay, assuming
that you win and you say that, well, they could have conducted their business better. So
if overall, if you look at it, well, there are many failures, but whom would you attribute
this to? Where lies the major problem? You see that the case talks about issues right from
regulation at the country level to board level to CEO level and to managers level, okay,
employees level. But where would you actually find a major issue? One or two things
which really caused this problem. Majorly the governance issues becomes so clear. So
they were, when they restructured it, they were not clearly mentioned about who the roles
and responsibilities were not clearly mentioned.

So they appointed a CLO, so who is supposed to give the reports of information security,
but he is an, neither he had any experience nor training in the information security. So
somebody listening to an inexperienced person, they might not take an immediate actions.
So they might just consider it as like an incident or like okay, it has happened, so it can
be handled later. The effect, the critical of the issue might have been not addressed very
well within the organization. Okay, so there is a structure in place which is two command
centers for IT and security and it is coordinated, of course at the CEO level and that is
how they structured it, but it was not functioning effectively.

But a board may not be getting into the day to day running of the organization. But if
you have to find fault with the board, did board have any information that they should
have acted on? I think in 2015 audit when they conducted, so they told that the system,
the eight key facts, all the systems went unpatched. So even after addressing, after two
years when the breach happened, still the patch was not fixed, neither there was not any
measures taken to update it. Okay. So that audit report was widely shared within the, like
board members. And also this vulnerability was very grievous that the US Department of
Homeland Security intervened and told all the vulnerable parties to immediately address
it.

So even after that, there was delay and among the employees of the Equifax, who were

276
had not updated the patch, there was not even a counter checking whether they had
updated or not. And in March this happened, in April meeting, April GTVM meeting they
did not even address this issue again. They did not ensure if the March breach was
addressed or not. So there was no proper implementation even though they had invested
so much for all these measures. So this case has become a case of corporate governance
basically, right, or enterprise risk management.

So as you say there was inputs from the government and also independent agencies which
rated the cyber security level of Equifax as very low, right, ACCC for cyber security. And
that is a publicly available document. So what is the role of independent directors?
Basically in a board meeting, our role is to ask questions to the management. Why is the
security rating so low? That is, of course a governance issue.

Governance, you need to monitor how systems are performing and ask questions. So
there is at least two things that I see as very striking as governance failure. One is that the
directors or the board did not even react, proactive, they did not even react to the scores,
the security scores that came after studying their security systems. And also the
management was not functioning effectively. So there is obviously a problem there which
is related to governance, corporate governance issue. So you can see for large
organizations like this, cyber security should be a important thing for the board to monitor
and be aware of.

That is one thing this case or this incident has taught corporations. And therefore when
you deploy technology, the failure of technology can actually lead to massive loss and

277
loss of reputation in the market. And not only financial loss, to make up for the, of course
you see how the stock prices fell. So it is huge impact and that is basically a governance
issue which ultimately if you analyze this case. So if the structures are not in place, so
then the system will respond accordingly.

So that is a very important point. Is there anything else? Alright, so we will conclude this
case. We see that cyber security is not a technical, it is not just a technical issue but it is
a corporate governance issue as well. So that is the way it escalates or you can see it
becomes for large organizations. And it also touches on need for regulation. For example
in how many days it should have been reported.

So if it is reported early as an individual, I can stop my cards. If my credit card

information has gone out, I can say, well I can inform the bank, I can take proactive action.
But if it is not informed to me, it is loss for me. So there should be a clear regulation from
the government. So that is what we see how different is GDPR in terms of making this as
part of regulation, making it mandatory for all countries in the EU.

278
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 11
Lecture: 31

Good morning, so we are starting the eleventh session of Cybersecurity and Privacy
course and we have been exploring the landscape of data protection regulations and we
generally looked at what is the need for regulation and we found that data privacy or
individual's need to protect one's private data from exploitation is a basic need. We also
saw that it is not just the individual and individual's data but there are other stakeholders
involved in the process of collecting, storing and processing individual data. And therefore
there are multiple interests, multiple stakeholders and multiple interests. For example,
data collectors want to use personal data for certain objectives. So it could be for business,
it could be for governments but they need your data. At the same time individuals have a
concern for their private data, concern for information privacy.

So this seems to be conflicting objectives and therefore there is a need for regulation to
balance, to bring a fair balance among the interest of multiple stakeholders. And in the
absence of regulation it can actually move towards the interest of certain dominant players
and we know that what, that is what happens in industry and that is where the and that is
where the government needs to come in. And cases after cases which we discussed showed
the need for tightening regulation in the, in the domain of data privacy and we also noticed

279
that data privacy and security are very much related. It is for organization, it is the
responsibility of organizations to ensure data is protected from breaches or unauthorized
access.

So therefore need for security, given the value of these data or the privacy associated
with this data. Today there is a separate virtual world that is coming up, you must be
aware of the Meta, the world of the Meta. So one interesting fact about the Meta is that
if you go to Meta, any of the Meta sites there are many, you do not need a real world
identity there. One of my PhD students did a short project on the Meta and in particular
about information privacy in the Meta. So what we found was that in the Meta, number
one you do not need a real world identity.

What that means is that, it is a separate world, it is a separate planet, it is like going to a
altogether different space where nothing in this world you have to carry there. So not your
name, not your email id, not your cell phone number, not your date of birth, it is like
whatever you want to be, you want, you aspire to be or whatever your aspirations are, you
can create that you, there in the Meta world. So there actually people hang around, you
create, you call your name whatever you want to call yourself and then you can hang
around the Meta world and meet with people, play games, have fun, engage in trade and
so many activities. Well, we just found that that world is not regulated yet. There is no
regulation, you can do anything there.

So it is still coming up, it is in the stage of early evolution, we have to watch and wait

280
what problems it may create in future. But we are concerned about data privacy in the real
world because there are real persons and real world identities, your data is associated with
a self, an individual, a human being. So the value of the self and autonomy of the self etc
are at the core when it comes to data privacy. If that does not matter in a virtual world it
is fine, we see that it is, you know, it is just open. But as of today in the real world we see
data protection is a real issue.

So, what we have done so far is we have discussed a few cases which actually took place
in the United States, for example the Target Corporation, We Googled You and Equifax
in the previous session. This all pertains to North America, in particular to the United
States and these cases showed at the end when a data breach happened, the law did not
have the teeth to deal with some of the specific issues. After a breach happens, there are
guidelines or there are laws, state wide laws and also nationwide laws as to how companies
should collect, store and process data. So those guidelines like the Federal Trade
Commission, FTC guidelines and for healthcare data you showed that there is something
called HIPAA which is basically to protect healthcare data and for children, you know, to
prevent child abuse there are specific regulations that pertains to children and their data.
So for different categories there are data protection laws in the United States but there is
no overarching regulation that actually provides for protection and safeguard from end to
end, not just for prevention but also post event, you know, what should be done.

For example, what is the duration within which a data breach should be reported? We
found that that was an issue because there was no specific rule regarding that. And what
should be the penalty on data collectors or data processors who would actually collect and
process your data? There is no specific guideline on what should be the penalty. So that
is what I said, the laws lack the teeth or law enforcement oftentimes is difficult and it also
varies between states. So that is the situation in the United States when we actually look
at data privacy regulation. So now, subsequently today we are going to see what is the
state of affairs in the European Union, predominantly in Europe, excepting of course UK.

And so we will explore the new, fairly new regulation which came into existence in May
2018 and till that time that was a directive or a guideline, just like the FIPS guideline,
Fair Information Practices guideline in the United States. There was a guideline in the
European Union but it became a law in 2018 and that is a landmark, that is a big change
in the world of data privacy. And all over the world there is an increasing concern about
the need for protecting private data and that is actually the theme of GDPR. Actually I
started this course also around the same time when privacy was becoming a global issue,
so in many parts of the world. So Cybersecurity and Privacy.

So it is in that context, so we will focus intently on GDPR today and subsequently I will

281
give a background and an introduction to a data protection initiative in our country, India
and that we will discuss in the next class in more detail. So I hand over the session to the
next group to present about GDPR and then we will take it from there. So good morning
everyone present, today we group 3, shall be giving an overview of the General Data
Protection Regulation which is a more stricter privacy law that has been implemented in
EU recently. So as we see that statistics as of January 2023 reveals that 4.76 billion global
users has been using social media, like it is 59.

4% of the entire global population and as we see that since 2016 it has been increasing at
a rampant rate. While in 2016 it was 2.31 billion, in 2021 it has reached 4.2 billion and
by the projection it is supposed to reach approximately 6 billion by 2027. So now why a
data privacy law like GDPR in this context becomes essential? It is because a rapid growth
of internet users all across the world, even in India we see that internet penetration has
been increasing at a rapid rate since 2020.

Now these digital media that the people are using, are processing a large amount of
sensitive personal data and also in the context of globalization, we see that the personal
data that is being collected or being shared across nation state. Also with the evolution
of digital marketing like email marketing, social media marketing and other variants of
marketing, we see that the firms are looking after, spending more and more bucks for
getting this personal data. So now what is GDPR? GDPR basically stands for General
Data Protection Regulation. Now earlier it was DPD that is which was implemented in
the year 1995, it was basically a directive, not a law. What used to happen that EU member
states could individually just refer this document and could individually implement their
own laws.

It was not uniformly enforced but what happened with the advent of digital media and
social media, with the advent of digitalization, it was felt that a comprehensive law was
necessary to be implemented. So in the year 2016 this data privacy law named GDPR
was implemented and it was enforced in the year 2018. Now where is GDPR applicable?
GDPR is applicable for all EU member states and all the establishments which are there
in EU member states or it is applicable to any organization which is processing data of
individuals who are residing in EU. Now GDPR is basically concerned with the storage,
processing and sharing of personal data. Personal data means any data which can identify
an individual on its own or in conjunction with other.

So apart from this name, physical address, email id which are simple data that can identify
an individual, apart from that indirect data like employee information, database, biometric
data, retina scan, fingerprint. These indirect kind of data also in conjunction with other
data can identify an individual so they also come under the purview of personal data.

282
Now the question is whether GDPR applied to organization who are indirectly processing
the data. As we will see later that there are two kind of organization, one is controller
which directly owns the personal data and another is processor who are not directly
owning but controllers are handing over that particular data for processing purpose.
Earlier under DPD, the controllers were only held responsible but now controllers and
processors are both responsible for the security of the data.

There are six underlying principles for GDPR. First comes lawfulness, fairness and
transparency. So the organizations which are coming under the purview of GDPR should
maintain the fairness and transparency while they are processing the data. So the
individuals must have a very clear idea how their data is being used. Purpose limitation,
so the data must be used for specified explicit and legitimate purpose, the purpose must
be limited and that should be known to the individual.

Minimizing the collection of personal data means only store that data which is adequate
and relevant for the processing purpose, not excess data. Then data accuracy, so the
organization has to maintain accurate data of the individuals. If it is not accurate then data
subjects have the right to get it modified, corrected or may be completely erased and if
that does not happen, the data subjects have right to restrict the processing of the data.
Limiting the data storage, so when the purpose is served, you do not need to store the data
anymore, you can delete it, you do not need to retain that anymore. Then again
confidentiality, security and integrity, it is basically the CIA compliance that we already
studied in our previous classes, maintaining the confidentiality of the data, security and

283
integrity.

Now I will hand over to Boya for other aspects of GDPR we discussed. Generally there
will be non-compliance of GDPR, sometimes it happens intentionally, sometimes it
happens unintentional. Means organization may not be knowing the clear policies of
GDPR means, how it is going, what are the requirements, still there are some of the
organization who does not know the clear policies of GDPR and sometimes it is due to the
external cyber threats. Whatever may be the reasons, there will be strict consequences for
the non-compliance of GDPR. If you see there is a fine of a maximum of 20 million euros
or 4 percent of total global annual revenue, so whichever is higher, they could go with
that.

And sometimes it will empower consumers to initiate a civil litigation against the
organization that breaches the GDPR. Here are some of the examples. Amazon was fined
around 780 million dollars for using the user's data without their consent and this is the
largest fine till date. And in case of WhatsApp, it is fine for unclear privacy policies and
Google, because Google here it is a means they did not provide the easy way of refusing
the cookies, so it was fine for that. And in case of British Airways, it is not because of
the, means they did not do intentionally, but due to some cyber attack, there is a breach
of around 4 lakhs of customer data.

Due to these reasons, British Airways was fined for that. And transparency, means
previously before the implementation of GDPR, organization used to process the data as
if they want it. But after the implementation of GDPR, they cannot do it. They have to
disclose the purpose of why they are processing such data of the users. And they need to
tell the users how long it will be stored and with whom it will be shared.

So, after the implementation of GDPR, transparency came into picture. And there is a
legal basis for processing the personal data. Means they cannot process the data because
they want it. There is some legal basis. For example, if you see there are six legal basis
for processing the personal data.

First one is consent. Means user has to provide the approval. For example, a user enters
into an online website and he will enable some check box to receive some management
notifications or marketing mails. Here the user is providing the approval for that particular
website in order to use their personal data to receive that mail notifications or marketing
mails, anything. And vital interest. Suppose if a car accident happens and this person has
been taken to the hospital.

284
 In that case, the doctors can use his personal medical records in order to save his life. This
is related to vital interest. And contract. Suppose if a user enters online and purchase
some goods and he enters a contract with the organization that these goods has to be
delivered to that particular place. So, in this context, the organization is a, means has the
legal right to process the personal data in order to deliver that particular goods to the user.

And next is public interest. Suppose if a crime happens and the user has witnessed that
particular crime, then the investigator authority can use that particular individual who has
witnessed the crime, his personal details for further investigation. And legal obligations.
Generally financial institutions like banks, any other institution used to perform KYC
verification for the anti-money laundering compliance. So in this case, they used to process
means, process the client data for the AML complaints. In such a case, processing of
client's data is not illegal.

It is totally legal. And legitimate interest. Suppose if a person wants to apply for a job
and he has uploaded a resume on a particular website and a recruitment agency used that
resume to send it to the clients. Means that this person is capable of doing this job. So, in
this context, it is legal for processing the user's data. And these are some of the key terms
with respect to GDPR.

First one is controller. Controller means it is a person or authority who will determine
the means and purposes of processing personal data. And the next one is processor, who
will act on behalf of the controller. And personal data is, as we already discussed, it is

285
totally related to a identified or identifiable person like name, age, gender, whatever may
be the details of a particular person. And processing. Processing means the kind of
operation that we perform on a user data.

And pseudonymization means, instead of using the original data, it is replaced with a
artificial data. This is nothing but pseudonymization. And security. With respect to
security, GDPR does not formulate any measures that have to be taken in order to protect
the data. It is up to the organization that they can use based on their severity of the data.

These are some of the security controls like identity and access management. Generally
in usual organizations, earlier it used to be like that all the people may be having access
to the important information systems. But as there is a lot of data breach, now they are
limiting that access to only particular users who require that job function to be done. And
data loss prevention. These are the measures that has been taken in order to prevent the
loss of data.

If there is any non-compliance, then the processor or controller will be held liable for that
non-compliance. Incident response plan means, it is a step by step processor for reporting
and mitigating data breaches. And security access service edge means, nowadays before
the pandemic, during the pandemic, usually we have completely shifted to work from
home option. During that time security, there is a more threat to security or a data breach.
In that case, handling this, complying to the GDPR is bit complex.

And after the pandemic also, now we are moving to the hybrid mode, means some days
we are working from home, some days we are going to office. In that case, meeting the
compliance of GDPR is bit hectic. So, during that situation we could employ these service
access, secure access service edge will deploy security protocols to the remote location.
And these are some of the requirements as we discussed that data subject rights, means,
user can ask for the correction or any changes into the data. Coming to limitations of
purpose, data and storage is, he could ask the organization to delete particular aspects of
data and consent is nothing but approval.

Data protection officer means, whenever now it is mandatory to employ data protection
officer in order to meet the compliance and take care of everything related to the GDPR,
awareness and training. There are some sessions usually organization conduct in order to
train and train the employees with respect to the requirements of the GDPR. And these
are the individual rights, apart from asking that organizations providing why they are
using their personal data, individuals also has certain rights that they could ask the
organization to delete their personal data or to stop browsing their personal data or to edit

286
the personal data. And they could also ask the organization to port the data to the some
other places, like that they individuals has some particular rights with respect to GDPR.

Next will be continued by Sam. Yeah, so, rights and requirements are already discussed,
but still like, we need to say what are the, we need to discuss what are the differences
between GDPR and the earlier law, that was earlier directive that was there. So what are
the key changes? First, the personal data has been redefined. Earlier personal data was
defined only those data which could directly identify that particular person, like name,
physical address, phone number, email, but now the scope has been broadened not only
like the direct data that identifies a particular person. If there is any data, that in
conjunction with another data can individual, can identify that particular individual, that
also comes under personal data. Now IP address, mobile device identifier, geolocation
data, fingerprints, they cannot directly identify a person, but if some other data is available
in conjunction with that, it can also identify that particular person.

So now under GDPR, these data also come under personal data. Earlier this, rights of
like opt-in and consent was not enforced in that way in DPD, but under GDPR, the
organizations are required to provide explanation of why they are using this data and also
by virtue of it, they are supposed to secure the opt-in and consent for the processing of
the personal data. And since GDPR empowers the individual, they have given some rights,
like right to access the data, right to know how the data is being used, right to get the data
erased and right to restrict the processing also. Earlier under DPD only the data controllers
organization that is directly, you know, accountable for the data, was held responsible if

287
data security breach used to happen, but now under GDPR the processor and controller,
actually this point we have already discussed. Now, the controller and processor are jointly
responsible and for this purpose the processors are now supposed to enter into a contract
with the data controllers where their responsibility pertaining to the data security will be
discussed and will be held, I mean, will be mentioned in the contract.

GDPR also mandates that you have to appoint a data protection officer. It can be an
independent, you know, executive or maybe the executive of a particular firm, will be
serving as a central point of contact, regarding, you know, regarding the implementation
and whether compliance of the personal data regarding security and all these are
maintained or not. This kind of contact will be, through this particular person, data
protection officer. Now, the data protection impact assessment or DPIA assessment has
been made mandatory for high risk project. Earlier it was not mandatory under DPD, but
under GDPR when you are taking up high risk project where you are working with
sensitive personal data or you are handling data on a large scale or you are trying to profile
a vulnerable section or vulnerable person.

So, in that case, this protection impact, data protection impact assessment has been made
mandatory. So, by DPIA we identify the probable risks and their mitigation plan. DPIA,
basically a project specific assessment. It is not an organization, it is not a generic
evaluation of an organization and basically it ensures that GDPR compliance is
maintained as well as data protection, data privacy by design is also implemented into the
new projects. Now the penalties and the data breach protocols has been more uniformly
implemented as compared to DPD in GDPR.

Earlier what used to happen, EU member countries, because it was a directive not an,
not a law, so it was not enforced properly and EU member countries were allowed to
adopt different protocols in case of data breach. But now, under GDPR all the member
countries are supposed to notify the data subjects that yes, a data breach has happened
and that has to be notified within a span of 72 hours. Also the fines have become more
heftier and, like you have to pay, a figure of 20 million euros or 4 percent of the global
turnover which is, whichever is higher. Now, the next, part will be explained by Vijay.

288
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 11
Lecture: 32

So, up till now we had a introduction to GDPR and perspectives and comparative
analysis. Now, I shall cover few other aspects of GDPR which will also touch upon what
was given in the article that is from Microsoft's perspective. So firstly, we should know
that who exactly started off with this GDPR. So this lady over there is Ann Cavoukian
and she was the former information and privacy commissioner for the Canadian province
of Ontario and she is the one who actually laid the foundation for GDPR and as she says
that privacy knows no borders, we have to protect privacy globally or we protect it
nowhere. She gave seven principles of, based on which the entire GDPR was laid with
the foundation. So which says that, the first principle says that it should have full
functionality.

Now there is no positive sum or net zero sum, there should be a positive sum and not net
zero sum. You can not say that we will take some or we will leave some. It should be
either, full privacy should be accorded and it should not be that we will not give full
privacy, we will give and take a little bit here and there. So it should have full
functionality, it should give the option to the individual user or he should have full control

289
over his data.

Then end to end security that is full from the beginning itself, from the starting from
where the technology or the software or the application starts off towards the full lifecycle
of that software or that application and end to end security should be given to the consumer.
There should be absolute visibility and transparency in that the customer or the person
who is any individual person, he should know what is being taken from. He should not be
in ambiguity. He should, there should be clear visibility and transparency from the
business, from the company, from the application to the person who is using it and he
should be fully aware of what is being taken from him, what is required from him and he
should be in control over it. And open respect for user privacy, keep it user centric.

So as previously brought out, the privacy of the user needs to be respected and as Boya
had brought out that there are few situations, legitimate, legal, these sort of situations are
there wherein this data can be accessed, but then it has to be kept user centric and exact,
exactly what is required. So you should not delve right or left of it or you should not move
away from your ambit or whatever authority is given and the centricity of the user has to
be kept in mind. Whenever anything wrong happens as it was mentioned, like when the
COVID thing happened, it was previously mentioned, when the COVID was going on,
the businesses actually suffered a lot of cyber attacks. Why? Because majorly they moved
on to a hybrid mode, a home working mode. So when that happened, a lot of cyber attacks
happened, a lot of data got siphoned off or a lot of user data was jeopardized.

So in that manner, whenever that thing happens, we should not have a reactive approach
or rather we should have a proactive approach. Proactive means we should take adequate
security measures, antivirus or malware or reporting of the incident, it should be a
proactive measure. And rather than going for a remedial, once the action has already
happened, we should go for a preventative measure right from the inception stage of the
technology or the application or the software or the system which is there. It should
already, these preventative measures should be incorporated over it. These were the last
two points, privacy embedded into design and privacy default settings also brought up by,
as one of which form the basis of the GDPR.

And she says in that privacy should be by design and privacy should be the default setting
or should be by default, which basically says or summarizes the entire thing that when a
system is being mooted or conceptualized and when it moves, when you finally make it,
this privacy aspect should not be an afterthought. And what we, in one of the previous
projects also, we said that engineering aspect wherein critical systems need to be isolated
and that should, thing should be thought about by the engineers right at the conceptual
stage itself. The cyber preventive measure should be thought about in the conceptual

290
stage, not as an afterthought when the system has been brought online, but before that
only, it has to be incorporated right at the design stage. So, the same thing says that this
privacy protection aspect should be embedded right at the design stage as a default setting.
Henceforth, whatever is being made should cater to this privacy aspect wherein the
privacy of the person, the user is protected at all times.

So privacy by design and as a default. So this is what the Microsoft article also starts off
and this is the first point which they give is that there is a requirement as per GDPR to
have privacy by design and default. Every stage of the development and right from the
design services in the process, the system should be compliant or privacy enhancing. It
has to be embedded right at the beginning itself and this encompasses IT systems, business
practices, the physical design, the network architecture and whatever the strength, how
do we decide on the strength of those privacy measures and that will be decided by or
rather it should be commensurate to how sensitive your data is. Your data is really
sensitive, your medical data, your other data or your legal data or this thing.

So it should be commensurate with the sensitivity of the data whatever protection

measures you are incorporating right at the design stage itself. The objective would be
that privacy and personal control should be there over one's data by the individual user.
Record keeping requirements, that is the second requirement that Microsoft says as per
GDPR and we have touched upon this before also that organizations need to maintain a
very accurate and up to date record of their processing activities. They just can not be
casual about it after the GDPR comes into force and the record should give what is the
purpose of the processing, what are the categories of the data which is being processed
and the details of the third party who are likely to use it or access that data of the individual
person or the business. The organizations to keep records of the data breaches and
responses and it is not that you will just leave it at that.

You should also keep a record of any breaches or any attacks and what is the impact of
that. That also record has to be kept. Need and practice of data protection impact
assessment. This was touched upon before also. So DPI is basically an impact assessment
exercise.

Any new processing activity which is incorporated into the business practice will entail
a risk and the data protection impact assessment needs to be carried out whenever a new
practice or new processing activity is being introduced. So this is what it says. It basically
covers when that new activity is there, what is its nature, what is its concept, what is the
purpose of the processing which is being mooted right now and what is the likelihood and
severity of any potential harm, the threat perception has to be done. And what after a data
breach, so what should be as it was touched upon that once any data breach occurs they

291
are supposed to keep a record of it. But to go a little bit more in data, you have to identify
the authorities within 72 hours.

You have to inform the affected individuals also that your data has been compromised
and you can't just hide it from the person and adequate technical and organizational
measures should be there. They should be incorporated to detect, report and investigate
such personal breaches on the personal data. So that is what is action which is supposed
to be carried out in GDPR post data breach. And once this data, now EU is not isolated, it
is part of the overall global forum in business activities and other things also. And so data
transfer prerequisites outside the EU.

So if this data is being transmitted outside for any purpose, for business or industry any
activities or travel whichever way for medical. So for countries outside the EU, the
recipient country should provide or rather GDPR lays down that it should provide
protection in accordance with the GDPR. So lot of people, like last time also we
discussed, the outsourcing industry which is there and functioning from India. They do
have give lot of heat to the GDPR protocols and the GDPR requirement. And whenever
you transfer data to countries that do not provide adequate protection, so they might not
have that kind of privacy law, they might not be technologically that ahead.

So what should be done? They should implement appropriate safeguards such as

standard contractual clauses, binding corporate rules and all, in order to give at least some
semblance of or at par security. Things to know if business vendor processes personal
data. So as mentioned in the article and we have already touched upon this the personal,
what is an owner or the controller and who is the vendor becomes a processor in this case
there is always should be a written agreement and this written agreement should set out
the obligations, the responsibilities, what is to be done, what is not to be done and it should
comply with the GDPR and the data protection measures and that is what the article says
and that Microsoft says that it offers. So in the end Microsoft says that we are perfect for
GDPR and basically as far as service is concerned, we give the tools for data protection
impact assessment, data mapping, data protection is by design and by default which is the
foundation stone of this particular GDPR and they also give cloud data services which
have got data encryption and access control and basically goes on to say that they meet
all the requirements of GDPR. So once that part was concerned, let us now look at a little
bit ahead or outside of the purview of the GDPR.

So what impact basically will GDPR have on an organization? What will impact? So as
far as the GDPR is concerned, when we talk about the data protection through
technologies, one of the articles, it says that it should be as the foundation principle of
GDPR, that it should be as a standard approach as a default, like what was brought out,

292
pseudo-anonymizing the processing of personal data, basically it encrypts your personal
data, so that need to know basis the person or the business process of practice which is
using it only they should know what is their relevant data, they should be able to see, not
the everyone else who can access the data in case of a data breach or anything. So that
anonymization should be carried out. Heightened accountability should be there as per
one of their articles which basically is true that they should ensure and demonstrate
adherence to the regulations of GDPR and something like through a certification, that yes,
we are there to it. So this is, these are the requirements which will have to be complied
with by an organization. How it makes and how it manifests in an organization or a
business organization, how the GDPR will manifest, what will they have to do, so they
will also have to immediate notification requirement which we covered that within 72
hours they have to inform, not only that they have been breached but also that the
individual, you have been breached.

So that is one of the requirements Data protection officer has to be nominated, who will
basically be responsible for advising awareness training of the employees and monitoring
that all compliance is being monitored. So this particular officer has to be there in an
organization. This is one of the requirements as GDPR manifests itself in an organization
and DPIA, the impact assessment, any new thing which is being introduced into the
organization, any new process and impact assessment has to be carried out and this will
be under the purview of the data protection officer. He has to carry out and check it that

293
the impact of this, what all safeguards are there, is it is the design and default clause
already incorporated or not. Penalties and fines, has brought out very severe fines, more
severe fines and penalties are designed to deter companies and there are other profit like
other penalties like seizure of profits injunctions.

So it can do substantial harm which the company needs to be alive to or the organization
needs to be alive to. So as it was mentioned that Amazon had the largest penalty which
was there and Google had it and British Airways, as he brought out, so at that point of
time when GDPR came into force now I think it is 3 years, to in 2018, yeah, so once when
that thing came into force by 2020 when the figures which was given was that the
minimum penalty was 2000 euros and 306 fines were levied in 2020 which as the figure
shows in euros amounted to and about by the time it was 2021, it amounted to 429 and
the money as you can see, that it was substantial it was a seven fold increase. So this rise
in regulatory penalties linked to data protection due to COVID-19 was basically because
people were switching from, the organizations were not prepared to go into that hybrid
working mode. They and when they, when the people switched over to working from
home and the hybrid mode, so it was not the organization's fault also. It was the people's
fault also because when they started working from home, the home environment did not
have that kind of safeguards or data protection safeguards already there and that is where
number of breaches occurred because it was the time when there was substantial cyber
attacks which were also being carried out.

And naturally if you're working from home and that kind of data protection safeguards

294
are not there in your personal PC or personal computer or even in the public network when
you are using, so you're likely to have a lot of cyber attacks in which because it is business
there is a lot of business intelligence and counter intelligence and people want to siphon
of information. So that is how it happened. Now conclusions, about way forward for
GDPR. Now we know that, we should know that this privacy aspect, the people are going
very very sentimental and very concerned about it and it is here to stay. So privacy was
not the norm but going forward privacy is going to be the new normal.

Customers will expect it. Authorities will check it and finally the corporates will do it.
They are already at it. There will be more automation, the automation part is not going to
reduce. It is likely to grow only, the only thing is, what the aspect which we talked about
is, by that is privacy by design, privacy by default and not as an afterthought. For
organizations, they are likely, they will definitely mature and they are still in the early
stages or the initial stages or nascent stages of this regulation compliance and more and
more regulations are similarly privacy laws are likely to or already there almost hundred
and twenty countries have enacted their own privacy laws and it is likely to increase, the
severity is likely to increase, the penalties are likely to increase.

The privacy will actually become a brand differentiator and in terms of winning more
clients and as one of the study shows that 82% of organizations view privacy certifications
and privacy shield as a buying factor. People are concerned about that. People will go for
any product or any service, anything based on this privacy thing. It is going to be a one
of the key factors to corner a market in the days to come. In short like it or not, GDPR
such like and privacy laws are here to stay and we can keep debating that this is not there
and whether it is not fair, whether the penalties are not fair or hybrid home working but it
is better to take a more practical approach and comply and have a more long term
perspective on privacy laws.

Just to touch upon what I had told, almost hundred and twenty countries, I could not put
all the countries, some of the countries which are put. So Australia the privacy amendment
bill which was an amendment to the Australia Privacy Act came into effect February 2018
and if we look at Brazil, that also has this LGPD, which is modelled on GDPR with lesser,
less penalties the penalty degree is lesser but it is already there and definitely it will get
modified. Canada has also implemented a digital charter implementation act. The People's
Republic of China has passed a personal information protection law. India, our country
has already introduced this bill which is the personal data protection bill and companies
all over India, already they are starting gearing up to, they have started preparing for it.

Israel has a Japan's act on protection of personal information was amended and now
applies to both foreign and domestic companies and which process the data of Japanese

295
citizens. Companies located outside of Japan will also now be subject to strict guidelines
and other countries like Nigeria which are part of the African Union, they adopted a
resolution in 2014 and most of the African Union countries are going by that resolution
and they already started enacting their privacy law. So even in countries where their
technology is still at the nascent or a little bit more mature than nascent state, they are
also going in for this privacy laws and the reference for this data is already given down
below and with this we come to the end of our presentation. Actually all these rules,
regulation, directions, they are very good and very comprehensive and in detail but where
we are failing actually, that is the implementation part.

That is the real challenge. On one side, you know we have this, our rights and we take it
as absolute rights and no one actually speaks of the responsibilities. So again in the
implementation part, what are the real gaps at the organization level or the national level,
international level or the individual levels and how we do this uniformity and
standardization especially at the global level ? So like as different India also Sir, mentioned
that they are, you know they are preparing one law which is, you know which will take
care of these data security approaches. Israel, Japan all these nations are forming them. So
after that I feel that, yes it will take some time. But if these laws are being very strict and
you know they are imposing fine, heavy fine safety penalties.

So I guess it will be gradually implemented, like if these are very strict and all then the
organization have to be compliant with all of this. So Sir, actually that is a good question,
though slightly out of GDPR aspect but yes, it is a relevant question, in coming, in today's
day. What we have to focus on is that all countries are not the same, culture is not the
same, population is not the same, infrastructure is not the same. So what you, when we
say that the GDPR is based on two founding principles that is privacy by design and
privacy by default, to have such a thing you need to have that manufacturing capability
with you. If something is being manufacturing outside and you are just importing it, you
can't have your say on it.

So yes, stricter penalties and all those things, like we are also doing that. In fact we don't
have a 4% penalty, our penalty has been moved to almost 5% of the global turnover, that
is what is being moved. But you have to understand just like US, in which each state has
its own laws and they work independently or more or less independently from the federal
government, each state has been enacting laws over there also. So how it is implemented
will depend upon the demography, the culture of the country. For a country like, for a
player for some something, like EU where in number of countries are there, the population
is very less, the infrastructure is already developed, it is easy to or rather more or less
comparatively easy, to implement all these things and when majority of your exports are
going to EU, they have the say.

296
 Do this, do this, don't do this, but if you are a net importer of things you don't have that
kind of leverage on people. So it has got broad ramifications. It has got lot of other linkages
which has to be done. One thing which can be done to actually have a good private look.
In our country also, rampant use of Facebook and all that, how many people are actually
worried about cookies and all ? You just press okay, majority of us, at least the site will
open.

Now only these laws and things are coming into force and now only the younger
generation are getting more alive to these sort of things, malware, cyber attacks and all.
These people are now thinking about their private information going off. Now cyber
attacks are targeting the Indian personal data and all. So as you, as we continue to grow
to that level, once this rational, once this knowledge or enlightenment comes that privacy
laws are important, right from the school education stage and the younger generation,
naturally more the laws which are, which have been made will have more acceptability,
will have actually, will actually achieve what they are meant to and once I as I said, that
number, post this GDPR, number of countries have enacted this laws. Once all the
countries have some kind of law, every country will have different law but more or less
somewhere that common ground will be found and that would basically form the bulwark
of what, as what said how will be plug in the gaps.

So that would form the bulwark and of course, continued education and awareness of the
people who are actually the people, the main characters in this entire privacy laws and
this ignition game is, are the people who are, who will plug these loopholes, not
organization or businesses it is the people, an aware person.

297
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 11
Lecture: 33

Okay, so that was an excellent overview of GDPR. And of course, you refer to the basic
document of GDPR and gave us awareness about GDPR and its legal basis and its
implications for organizations based in EU and based outside of EU. And so GDPR was
implemented, keeping in mind the interest of individuals predominantly. And post GDPR,
you also showed some figures as to what is the impact of GDPR on particularly
organizations. And you have repeatedly showed how American firms have been fined.
And Europe has been making money by penalty from American companies who actually
use data.

So you highlighted Google, Facebook, Amazon, and even Microsoft, whose commentary
you presented have been repeatedly fined in EU post GDPR, although they claim they are
all set to go etc. So let us also look at the downside of GDPR. So is it bringing a regime
where it is against the business interest or business models of certain companies who do
business in Europe? Does it sort of affect or adversely affect the value of business that is
based on data? So for example, if you look at Google or Facebook, they are top companies
of the world today, technology companies, and their business model is based on data.

298
And if you have a very strict regulatory regime where collection, storage, processing and
transfer of data is strictly regulated, is it possible for them to function at all? Because they
all depend on advertising industry for their revenues.

And if advertisers do not get information about what people need, that is what they do.
That is a value they create for advertisers and that is the source of their revenue. Isn't it
going against the business model of certain companies? Isn't it actually against
entrepreneurship and innovation? That's my question against GDPR, if you actually make
the law so strict. Interestingly I would tell you, in GDPR there are certain countries to
which organizations in EU can freely transfer data. They call it expressly permitted
countries.

Interestingly, United States is not one of them. You expect USA to be there. USA is not
one country where they have said, you have express permission to transfer data. Even
India is not there in the list. So countries where there is strict data protection regulation,
they allow that.

So the point is, is it skewed towards certain or is it against certain business models? No
Sir, because generally a business means they could do in ' n' number of ways, not only
using the data, they could promote their business. It means they can not use the personal
data and make a call that do you need this product, do you need this service and
undermining the privacy of the individual. That can not be done to satisfy the business
needs. So that we… But that's a very simplistic argument, I believe. I agree to what your

299
point is there and yes, to some extent regulations and as they go stricter, they do stifle
business.

But then the counterpoint or the counter argument to that is, in case I will just give an
example, say there is a mining permit and environmental clearances which are given. If
you give it in a blanket manner that everyone has that, you have seen a particular case,
one sees a particular, okay here this is not like the lithium has been discovered. So if you
give environmental, I have been to that area and all, it is a totally forested area and all
those things and now you give that clearance, it will lead to whatever environmental effect
which is there. But if you give it a blanket sanction that everyone, anywhere in the country
can do the thing, what will it basically lead to? So that is the effect. When you give a
blanket sanction, what the GDPR is saying that you have to adhere to these regulations
and this should become a norm in the greater good.

Now what the businesses have to do is, they have to adapt to these regulations in the
greater good. Yes, it will be stifling to those organizations who don't want to adapt to it
or But the negative side of that is what we saw, the recent controversies which are going
on, the Facebook controversy. They were called in their own country, the Twitter
controversy which is going on, their own officials, those are the negative aspects to it
because in the absence of regulation, there will be blatant, there can be or there is likely
to be blatant misuse of your… Okay good, I take your argument. So in the Equifax case
we discussed, we found at the end, the major issue was accountability. So actually GDPR
brings some sort of accountability for the firms, not only those who collect data but also
who process data.

It is not that, you know, there is no clarity about what will happen if something goes
wrong and what is the penalty, when it has to be reported. Since there is no clear law,
people can play around and who is accountable. So there has to be accountability within
firms and that has to be established, etc. So in that sense, GDPR brings sort of
accountability for individual's data. The other extreme is also not good that it should also
encourage business and data privacy as we saw and as we are going to see also, is not an
absolute concept and therefore it has to be seen from both sides.

People are willing to share their data, at the same time they don't want data to be abused.
So both sides are there. My last point regarding GDPR is that it has certain innovative
aspects like privacy by design, privacy by default, suggesting that if you are signing into
an account, by default the radio button should be I disagree, not I agree. So if I agree,
you know, these are actually called nudges, these are called nudges, you know, so Richard
Taylor's idea of nudge. If you say I agree, you tend to agree with that.

300
 So if by default it is I disagree, then you know, it gives you a point to think whether I
should agree or not. So it serves as a nudge for, in the interest of the user, that is the point.
And by design of course, privacy has to be thought of prior, it should not be an
afterthought. So these are actually very innovative ideas in GDPR.

Excellent. But my one point is to comply with GDPR. So firms actually safeguard
themselves. Ever since 2018, I see this consent business. So any website particularly
associated with Europe, if you go, they immediately bring up the cookie policy. So this is
a recent phenomenon since GDPR.

So we use cookies. Can we, you agree with using all cookies or you decline? This is a
consent every time you have to give. Almost three options. What do you do actually with
them? You agree or you don't agree? Majority agree. You give manage also.

Over here, we are all agreed to because as I said, it is aware, we don't know. Actually
again, the difficulty is if you have to go to your settings and change cookies, you don't
have all that time. Right. When you are, again, it goes against the human need and gratify.
So you're trying to gratify some immediate need and we don't have the time.

So that I agree, again or use all cookies is not serving any purpose. It is only sort of
annoyance for individuals. And this topic was discussed in a conference on privacy also
in recent, recently. So it is not serving a purpose because consent at the end, we may say
every company should take consent from me before they act on my data. And if they start,
if so, if so many firms taking, start taking consent by, in this format, you don't have time
actually, to read the clauses and agree or disagree.

It doesn't practically work. The consent actually doesn't practically work. Actually Sir,
I remember there was a message which was floating in WhatsApp in which one person is
complaining to IRCTC. He has put it in their feedback and grievance that whenever I log
into your site, it starts showing me a lot of illegal site pictures and all those things. So
IRCTC actually replied, "Sorry sir.

" It depends upon which sites you have been constantly visiting and those sites are only
being, their ads are being displayed. So it has nothing to do with us. It is everything to
do with your surfing habits. So no, it basically brought out that whenever you are visiting
all these sites and all, earlier what used to happen was, it used to just take all your
information, your browsing habits and everything. Now it has started showing the cookies
or no cookies or manage cookies.

This is a difference which has come in. Okay. Yeah. Any other questions? GDPR is

301
something which has been rolled out for the whole of EU, which comprises various
countries, right? And each country may have a different, slightly different interpretation.
Some may be biased towards being strict while others may take a more lenient
interpretation of same law or wherever there is uncertainty in GDPR.

So how is, how is there an effort to harmonize some of that? GDPR is already
harmonized. Like earlier it was not harmonized, earlier like under DPD, the EU member
countries could individually interpret it and can have their own laws, could have their own
laws. It was only a directive. It was not enforced. But under GDPR it has to be complied.

Like it's uniformly applied across all member states. Unlike DPD which is earlier there,
where like member states can have different protocols. In case of breach, they can handle,
they can impose penalties in a different way. They can have their own implementation of
these things. But now it's uniform across all member states.

Like GDPR only mentions that. It's highly extensive and yeah, unanimously designed.
But some companies have a preference to go to Irish regulator than to a Dutch regulator
for the same GDPR. Sorry, come again. Some companies have a preference to go to an
Irish regulator than to a Dutch regulator for the same GDPR, to clarify interpretation or
to ensure that they are compliant. So there must, there would be some difference still there
which exists which would be leading to this.

But mostly like after Brexit what happened, UK formulated their own law. But that is
more or less compliant with the main existing thing. I mean the DPD or maybe the GDPR.
That is derived from mostly the earlier laws that were there. Like GDPR is also derived
from mostly DPD and other countries who are like, suppose I am telling about, like UK
after Brexit, they implemented their own law which is more or less, you know pretty
much similar to what is there in GDPR only.

So like, if countries independently formulate their own law, they have to comply with
certain principles. They have to be, you know, they have to resort to certain principles by
which they can maintain these privacy and all these things. And like Irish, I didn't like
research in detail about that whether there is any different laws in other countries. But as
far as UK is concerned, I checked their law. It is more or less similar to like GDPR only.

So that's very common knowledge. Anything else? Is your question about, does GDPR
discriminate against certain countries or is it more favourable towards some countries? Is
it for data transfer? Is it? It is applied to all member states. GDPR uniformly applies to
all member states. But they might be, we did not come across anything of this sort. It has
been unanimously adopted and all EU members are, it is not left to countries to decide

302
now. What is the laid regulations, they are laid? Yes.

There might be cases wherein Ireland might be specifically dealing in some specific
service with some specific company outside, that company might also be dealing in the
balance of EU countries. So how they are doing if such a case is there, we did not come
across that. And how they will, then as you were saying that they will have a slightly more
accepting view of breaches or infringement of these privacy laws, then how the Irish or
the government or their people are going to reply to, because it is not, when we say Irish
firms or this thing, they are ultimately the dealings, we are talking about digital traffic and
the regulations pertaining to that, not of manufacturing or thing, basically the digital part
of it. And that can be monitored from any point and there would be some central agency
or you would have GDPR compliance, that as I mentioned it, they are liable to have a data
protection officer in every firm and that is there, mandatory for Ireland also, unless they
do not keep such an officer who actually checks it. Then the company is actually taking a
very big risk if, even if Ireland is not reporting it.

Some of the other person because it is the European Union, somebody will report it,
somebody will bring out these things, It will be slightly far fledged in saying that that the
people are all in it and the government is also in it. So be it, let them be. But the company,
somebody will report it and they will go in for a very big penalty if such a thing will
happen. and actually that people are becoming more and more compliant, organisations.
What I heard was initially what this Amazon and all these things happened in the initial
time was only because there was a state of flux.

People were, you know traversing that path, wherein people were new to the hybrid mode
of working and at that point of time, it was not, Amazon did not do it deliberate, or either
Google did not do it deliberately. Before that they did not have such things. it was a open
market, open field and when these things came and then people started shifting, work had
to be done from home also, from the same people which actually bordered or went into
the domain or the realm of privacy of that individual as well as him working for a firm
and it was over a public network. So that time they did not have a choice. All these fines
and all it did not happen because of a deliberate thing, it was the way it is.

During the COVID pandemic time because that is when this GDPR came into being, into
effect. So now I think people are becoming more and more compliant if there are some
cases probably, they have already break down. I did not come across any case in our
research, any thing like this. In fact GDPR has become the basis or the precursor for many
countries, they say 120 countries have already enacted some kind of law and it has
become a precursor or the basis for many other countries to form their own regulations.
Even countries which are still, you know developing or rising from, as I told Nigeria,

303
African Union, those countries actually.

So you can take your chances initially with them but maybe once it is fully implemented,
I do not think so. So GDPR actually also mentions about third countries. So if you go to
the GDPR site and they have specific, you may see it as sort of discriminatory in one sense.
So 14 countries they have identified as secure countries to trade data with and other, so
these countries seemingly have strict data protection laws. So they have express
permission as I said earlier and other countries do not have and therefore it requires for
corporations to have contracts, specific contracts which will enable the third country
organisations to comply with GDPR.

So that is how this is implemented. So we are a third country in GDPR and we are not in
the list of 14, India. So last question, should IIT, Madras in any sense worry about GDPR?
The organisation I belong to. Of course you belong to now.

Privacy ? GDPR. That much of information regarding . Anyone can answer. Does it affect
us in any department? That's my question. Is there any rules already in place to protect?
If it is processing on behalf of any organization, then you come under the purview of
GDPR. But if that's not the case, then the pre-existing law that's there in India applies.
Unless you are handling data of new individuals or processing data on the other side.

So do we process, do we use or do we process data of individuals from the EU nations?

Exchange processes. That's the only thing you are trying to do. Maybe in the research
part, there would be collaborators now. What about the speakers who come over here?
Yeah, there are start-ups and more importantly, we have joint degree programs with
German universities. We have a huge inflow of students from Europe as exchange students
who study in IIT Madras say for six months, sometimes one year in joint doctoral
programs.

So we do collect, we do store and we do process data of EU citizens or citizens of EU

countries. And so, therefore, since we have that data, we should be aware of what GDPR
is. So GDPR is basically protect data of its citizens. Now, since we are a third country,
we are bound by memorandum of understanding. When we actually have a relationship
with another university, we have something called a contract and that contract is called
MOU.

So I have read MOUs where we don't have any specific clauses on the protection of
private data. So I would say at the moment our awareness is very low. So the point is so
long as there is no breach or there is no complaint, things are fine. So the day there is a
breach and somebody complains, then all this and somebody goes to court.

304
 How do we know, Sir? There has never been a breach. How do we know? Does it mean
that there will not be a breach? Sir, but, so does it mean that we have not had a breach of
till now? No, we should be aware. That's the only point I make. Have we had a breach?
Have we had a breach? I am not aware. A breach, breaches may have happened, but
formal breach, in the sense it became public and it was declared as a breach. As when we
were studying regarding the ransomware attack, one piece of information was that all IITs
have been breached once or somewhere.

Yeah, yeah, yeah. In the sense many of these databases are actually accessible by
students. You know, during our festival, students have access to Dean's students database.
I am saying it informally, I am not. So this does happen and we function differently.

But not so the case with Europeans. You know, when I go to teach there, I take a picture
with the class in the University of Passau. I have been teaching there for 12 years. I have
seen the change in their behaviour. Today, when I take a picture, I have to ask them, can
I upload this picture to the website? Only with consent.

If a student says you cannot, I cannot upload. So for, in universities in Germany, they
take the consent of every student before their picture goes to the website. These students
who are coming, sir, they would have given their consent. But whether we take explicit
consent and record it, I do not know. We are not familiar with those practices.

That is what I am trying to emphasise. It may come soon because of the PDP also. India
is going for a similar regulation. So we will discuss that in the next class. But we are
actually flipping in the sense. We want it to be very strict and when you become too strict,
we find that we are losing opportunities.

So, you know, yeah. We will discuss that in the next session. Today we are short of time.
So, but we got an awareness of what GDPR does and we will move on to the Indian
context in the next class. Thank you very much. .

305
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 12
Lecture: 34

Okay, good afternoon and welcome back. So we have started discussing regulation,
regulatory frameworks that prevail in different parts of the world. So that is something
that we are exploring along with case studies which actually give us a sense of what are
the issues in different parts of the world and how are they being addressed. So, we can
now appreciate that data privacy is something that operates in multiple levels or there are
different stakeholders when it comes to data. It is not you alone or it is not government
alone, but there are many layers of, many layers through which data passes or there are
many actors who are interested in data and particularly personal data and whenever
personal data or personally identifiable data is involved, there is a data privacy issue and
we discussed what is privacy and what are the concerns in privacy and why organizations
should worry, why countries should worry or government should worry and so on. So we
have seen that.

So today we move on and we land in India, to see how, what is the state of affairs in our
country and since we are part of the Indian society and in the Indian culture, I believe all
of you, we do not have foreign students in the class, otherwise we get to compare. So we
have a sense of our own understanding of what is privacy and that has been evolving. It
is not, it is quite dynamic and as the digital world has exploded, not just incrementally
expanded but it has sort of exploded in the last 20 to 30 years and you can see its
implications in the country and we can also see our administrative systems at different
levels including the country level are sort of responding to that changes. That is the most
interesting point that we will see, that we are not sleeping, We have to tap into the potential
of digital world but we also need to take care of the concerns of privacy and we can see
government is acting on it.

So let us move on, the first plan is to give you a summary of data privacy or a historical
perspective of data privacy or privacy in the Indian context and then we would get into
more details of how this has actually become an issue in the recent times. So maybe for
several decades post-independence the government did not have to worry much, but
currently it has become a national issue. So we will focus more on the current times after
giving a perspective, so that is how we are going to go. So first things first, we belong to
India. So when you live in India, India is sort of, you know the reference document what

306
defines India is the constitution, we have a constitution and that is binding for all states
of India, all states and union territories.

So it applies and touches upon each of us and see what the constitution assures us or in
more glorified language, this is enshrined, what is enshrined in the constitution of India,
is a right to freedom. No person in the country may be deprived of his, sorry about the
gender bias, his or her or her or his life or personal liberty except according to procedure
established by law. So nobody, no individual, no institution, no government can deprive
an individual of personal liberty. So, but there is an except or there is an exception even
in article 21, except according to procedure established by law. So that is what article 21
is, but we must read the whole of article 21, just do not read the first part and leave the
second part.

So the constitution is a well drafted or carefully drafted document that addresses the
concerns of all stakeholders. So let us move on, so freedom, personal freedom is assured
in the constitution. So now let us look, let us go back a bit in time and let us also advance
or go forward from the time the constitution became effective, we all know that the
Republic Day or 1950. So let us look at India before that, let us look India after that. So
one of the landmark legislations in the, in the ancient India or India before independence
goes back to 1885 and you must have read about this in newspapers in recent times also
because we often refer to this legislation, enacted by the British in 1885 and that is known
as the Indian Telegraph Act.

307
 So telegraph was used by institutions particularly the British government for, for
communication in the, in the 19th century. So in, particularly after British got established
in India, you know the Plassey war in 1775 I believe, though they sort of, you know they
actually conquered the land and they actually established their own systems and laws and
so on and they found it essential to have a telegraph act because there was this so called
mutiny or the first independence war, in between 1857 and 59 and the British government
extensively used telegraph or tapped telegraph and they found it essential to have
interceptive powers. So this is, particular act gives powers to intercept telegraph
communication of any communication that happens in the country. So it gives access or
interceptive right to government to rule the country. That is the, that is the essential
message in the telegraph act.

Government can intercept messages and that is a right by law from 1885 onwards. And
post-independence this law did not change but what Indian government did was, it brought
the post and telegraph, the P&T department as some of you may be aware, you know. We
used to go often to the post office in our, in my early life but no more but the P&T is, was
like Indian Railways, was part of our, you know regular life and it was under, it has always
been under government's control because government could actually have control on
communications. So essentially that is the message. So it remains a department under the
control of the government.

So what we can see is, article 21 we have already seen, it gives right to freedom and we
also see telegraph act. So both this, both this, both these references or both these facts
work together in our country. They go together. Government has certain rights. At the

308
same time, you also have your personal right.

And essentially what we can conclude here is, you know these are, this may be, you
know sometimes in conflict. So let us move on and telegraph act got amended in 1972.
Let me not name any individuals but there was a government in power in the 70s and it is
a bit notorious in the history of India because it is known for, sort of government taking
control on individuals freedom, particularly the emergency period and that is when this
law was further amended to make it, to make wiretapping possible, especially on to what
opposition leaders were talking to each other. The government could gain access and it
was made legal. That is what you see in 72.

But the landmark judgment or the declaration came in 2018. There are events before,
between that but in 2018 Supreme Court of India, the judiciary okay. So of course, you
see the legislative and the executive, it is one government. So part of the same government.
So they make laws for their convenience to rule but the Supreme Court actually intervenes
and declared privacy as a fundamental right and I am sure all of you are aware of this and
that was a landmark judgment.

And before that itself in certain judgments, I think in Madras High Court, there was a
judgment which the judge almost said the article 21 in fact assures that privacy is a
fundamental right, although it does not say it explicitly. So in 2018, the Supreme Court
explicitly said privacy is a fundamental right and it also was in the context of the Aadhaar
Act and the deployment of Aadhaar extensively in the country. So government was going
extensively or almost exhaustively to collect biomedical data of citizens and store that
personal data, personally identifiable data in a database in a digital form. So that is when
this concern for privacy came up at a national level. So government actually became a
data controller, a major data fiduciary of the country today is not organizations, but the
government.

Having in its custody digital data pertaining to about 1.3 billion people, the largest
database in the world. So that is the context in which the Supreme Court made this
declaration, well you are in possession of individual data but it is somebody's fundamental
right. It is the fundamental right of citizens that you are actually becoming a guardian of.
So that is actually a very critical responsibility for the government.

So then subsequently you can see that when a GDPR was enacted in the European Union
in 2018, you presented that already. You can see the Indian government has been very
responsive, very positive thing that you can see is in 2016 if you read the background, in
2016 itself when GDPR was actually being discussed and was an open draft, Government
of India also started working on a similar regulation for data privacy. And in 2016, 2014

309
I guess, if I am sorry a bit confused about when Justice Srikrishna Commission got the
project from the Government of India to draft a regulation, a draft, a bill for a regulation
in the country for data privacy. So Justice Srikrishna Commission, actually it is a
commission. So it made extensive consultations with different stakeholders and of course,
it also was very much aware of the GDPR development in the European Union.

So it actually presented its final draft in 2018, that is known as the Personal Data
Protection bill, PDP. But of course what happens is when an independent committee
works on a bill, you know it of course it is like a conceptual document, you know so it
goes to the government and then the bill is prepared by the government. The particular
draft was developed by the Justice Srikrishna Commission but the bill was, it was
converted into a bill and of course, government made certain changes in the draft. And
that is why it went for a long time in the parliament and it was not approved by the
parliament. It was referred to a parliamentary committee and of course, a committee
consists of people from opposition and the ruling party and they never agreed.

Finally the government dropped this PDP bill and it actually now has proposed something
called DPDT, digital data protection, digital PDP. DPDP, sorry I have written it, there is
a spelling error there DPDP, Digital Personal Data Protection, DPDP, it is called DPDP.
DPDP 22 is a bill now and we have to watch it, keep watching and waiting what happens
to it next. So that is a broad historical overview of the privacy journey of the country and
we can see that of late we are very very responsive to what is happening around the world
and we have a very, you may disagree with specific clauses of the bill, you know that that
is where the debate is but we can be very proud that we are very much at par with the
developed countries to have a separate bill or a separate law for personal data protection,
PDP. Now let us move on, let me give you some more insights from recent times.

Are you familiar with this person? K.S. Puttaswamy, nobody may actually care such an
old man he is, I guess he must be 97 now, and he is a retired High Court Judge of
Karnataka and in 2012 he filed a public interest litigation in Supreme Court and that is
when the Aadhaar debate was very active, okay and actually if you have to remember a
single person for data privacy, as a father of data privacy in India, I will call Justice
Puttaswamy because it is against his, against his writ petition that the Supreme Court
judged privacy as a fundamental right, you know it just Supreme Court just does not make
a statement but it is actually Puttaswamy's writ petition that actually Supreme Court
considered and finally in 2018 made the landmark judgment that privacy is a fundamental
right. So Puttaswamy was concerned when he looked at what Aadhaar is doing. So every
individual needs to go to a data collection center, provide the biomedical identities, you
know including your iris, your retina, your all your fingerprints, you know everything
about you is taken by government and as someone who is privacy aware looked at it, well

310
government is getting too much powers and what the government would do tomorrow
with this kind of data is a matter of concern.

So and also the other important aspect is that, making governments, for getting
government services, making Aadhaar mandatory, was another concern. For example, if
I am concerned about my privacy, I do not trust government. I do not want to give away
all my personally identifiable data to the government. Then what happens is, I am deprived
of a lot of government services, including the PDP, my ration or my right to vote. So a lot
of services became possible only if you have an Aadhaar card.

That is what he challenged. This is not fair because it is my private data. I do not want to
give this much, this extent of private data to the government, okay and so that is when,
sorry so I said probably 2018. So I was wrong. The Supreme Court in, on August 24, 2017
said the right to privacy is a fundamental right, you know. This particular judgment is
there in the open, you can read the whole long judgment but the essentially, the key part
of the judgment is the right to privacy is a fundamental right.

It is a right which protects the inner sphere of an individual from interference from both
state and non-state actors and allows the individuals to make autonomous life choices. So
autonomy, we discussed this. So Supreme Court upheld the right to be autonomous, the
right to be oneself, the right to decide, the right to choose for oneself where one can be
or you know, with whom to share data, with whom not to share data etc. okay. So the
point is, if privacy is a fundamental right, then how can the government ask you or me to
share my biometric data to receive government, to government benefits or government

311
services? I want my privacy to be protected.

So government is intruding into my private space by asking for personal data, particularly
biometric data. So what do you think about it? Isn't it a sort of conflict, if I choose not to
disclose my data? It says I am autonomous. Now I say don't disclose this data. If
fundamental if privacy is fundamental right, government should not deny services to me.

That Is my choice, correct. Should not deny? P3 odd cases, in case you don't want to do
anything about it, like absolute privacy, no benefits also required, there are people like
that also. I know that is a point. If you are, if the government says for getting benefits you
should share data, all your data, then that is not fair. That Is the question because on the
one hand I have the right to decide whether to share my data or not, I am autonomous, on
the other hand government says that, that is fine you have a fundamental right but you
will not get the services if you actually exercise your fundamental right. You cannot vote,
you cannot get your ration and so on.

Some kind of balance will have to be maintained. So you see the need for, somewhere
there has to be, it is a grey area. Okay, okay, okay, that's a different topic. Celebrities
actually don't want privacy, okay, yeah.

Okay, okay. Information should be classified and protected. One thing is like why is the
government asking for the biometric data? What is the end use of the data should also be
seen. For example, the Aadhaar. So after implementation of the Aadhaar system, a lot of
fraudulent data was removed from the system, lot of, where especially for rationing of
ration goods. So a lot of fraudulent entries were there, which lot of people were siphoning
off Instead of the benefits reaching the actual beneficiaries, it was siphoned off and only
by using the Aadhaar data where was the government able to identify that this is a
fraudulent data and this is the actual beneficiary.

So especially in Assam, there is a huge case where over 22000 crores of corruption was
unearthed by using the Aadhaar which is in two years of implementation. So the end use
should also be seen. So and it is not as if in though, we are implementing it now such
social security systems based on a unique identifier already there in the West. So there of
course, the citizens are more active and force their governments to protect their data much
more but so for this particular question the right, the end use should also be seen, that's
what I am saying. So essentially we are reaching the point that government.

Yeah I just want to answer is the government taking any ultimate guarantee that the data
will not be compromised. There is no guarantee from the government. Well, that is what
the PDP is trying to do. That is what the regulation, that is why we see this conflict or you

312
know, really conflict. You know two parallel lines and that is where you need regulation
you know, to protect the both the interests, to ensure that it does not skew towards one but
bring some sort of balance.

That is what always regulation does So it is quite obvious that the country requires a
regulation when these parallel lines exist. But there is one important aspect. Yeah. Where
is the concern of the upwardly mobile and the educated only, the lesser educated are not
so much bothered and that is what the majority of the country in our, in our country is,
that the majority.

Yeah that has been the case for several. They want the benefits. Yeah. They said privacy
you can keep. We talked about it that is a privacy paradox and you know unaware of
privacy etc. But what you see is the migration towards the urban and education growing,
western access growing so people are becoming more and more aware.

Otherwise this debate was not there in our country, we talked about it. So currently with
digital, in the digital space when people are increasingly becoming privacy conscious,
upholding privacy as a fundamental right was very important. So you can see in article
21 itself, we just saw that statement, no person in the country may be deprived of his life
or personal liberty except according to the procedure established by law. So an invasion
of privacy or personal liberty must meet threefold requirements. So it is very clearly
specified that if the government, for example has to access or intercept private
communication, there should be three requirements- legality which postulates the
existence of law, need defined in terms of legitimate state aim and proportionality which
ensures a rational extent of data collection.

313
 So for example, in India if any government agency including the Income Tax, I think
Income Tax is exempt, but see the Narcotics Control Bureau. We discussed a small piece
of case in one session. So they were able to access the private communication between
two individuals. But for any agency to do that in the country, there is an agency called
Enforcement Directorate. So the ED's permission is generally required, I think Income
Tax is exempted from that, that is what you know, it is not confirmed but that is what I
believe.

But many agencies, about ten agencies can actually tap into private communication based
on the 1885 British law. Government has actually the right to access that in the Indian
Telegraph Act. So what you see here is privacy is a fundamental right but it is not a
absolute right. Privacy is not a absolute right. You cannot say, always in all conditions
your privacy should be protected.

Suppose you are a criminal, so you commit a crime and then you say, I will not disclose
who I am, it is just not possible. So it depends on the context but I am just including a
clip, not the detailed judgment. That is very recent. It also, a Supreme Court judge also
said, no absolute power for state to snoop into sacred private space of individuals. You
can see that even for the state to snoop or to intercept there are conditions.

That is what is given in the second clause, legality, need and proportionality. So there is
no absolute power for government as well. So privacy is not an absolute right and
government also does not have absolute power to intercept. So there are many grey areas

314
there in terms of interpretation, that is where actually the whole debate comes. What, in
what situation, what context can government tap, wiretap and to what extent and can that
be made public etc. are still grey areas.

315
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 12
Lecture: 35

So, one thing that we should discuss is, no person in the country may be deprived of his
life for personal liberty except according to procedure established by law. So, Aadhaar as
a government initiative, as a government established entity, you need Unique
Identification Authority of India, right. That is the particular entity, government agency
which is in charge of the Aadhaar database or Aadhaar data collection and Aadhaar
database. So is it according to the procedure established by the law? The answer is yes,
we do not have to debate because there was an Aadhaar Act before Aadhaar actually came
into existence, government actually had to pass an act in the parliament called Aadhaar
Act. So, it is actually legal, government can collect this data. So now as you said what
is the context in which government actually, so government's role is to govern and
government's role is welfare of people.

Government is the guardian of the assets of the country and therefore government needs
to do its job and at the same time it has to protect privacy also. So in India, as India was
becoming increasingly digital or e-government initiatives began, so it actually, whether it
was the current government or government ruled by another political party, it does not
matter. All governments actually started exploring the potential of information
technology. You can see the IRCTC today, right, the making the railways, railway
reservation online was a major initiative by the Indian Government.

So from government to government, the government tapped into the potential of digital
technologies and that benefited people and a huge reduction in information asymmetry
and corruption. Often corruption stems from asymmetry of information between two
agents. The information that you have, if you go to a clerk, you know whether there is a
seat available or not, we are just dependent on what the clerk says because we cannot
access that information. There is an asymmetry of information, that is what actually digital
technologies actually address, you know it removes the asymmetry between actors. So
because of that, so in almost in line with that, there is an identity problem and corruption
was prevalent in India because an Indian citizen could have multiple identities and there
is no unique identity.

And therefore since you can actually get these identities, multiple identities in different
places, for example you can have a ration card potentially in Tamil Nadu, one in Kerala

316
and one in Uttar Pradesh or Bihar. So it is, today it may not be possible as unique
identification actually is referred to but if you go back to, say 15 years ago, it is quite
possible. Similarly voter IDs. So that actually was identified or assessed as a major issue.
So to the extent that if government gives 1 rupee, only 70 paise was reaching the actual
targeted recipient, intended recipient and that is called leakage by economists.

So government wanted to address this problem by creating a unique ID which is a very

valid, very rational approach to addressing this problem. So the country is facing a major
issue in terms of corruption, in terms of not able to deliver its services effectively and
efficiently. Both effectiveness as well as efficiency comes into picture here and therefore,
the Aadhaar initiative from government to government. So we do not have to say it is the
idea of one government, one political party or the other but country as a whole understood
that there is a need for this. So you know who actually headed this initiative.

This is actually headed by the, one of the well-known IT gurus of our country, Nandan
Nilekani who came from Infosys and was given the charge of leading the Aadhaar
initiative and he has written two books on this. I read one of the books and I am just
giving some excerpts from this book and it is a really good collection of experiences
leading a mega project, a big project like Aadhaar in our country. And one has to function
cutting across political parties, across the ruling party and the opposition to get something
of this scale done and at the same time, technology has to be very robust and very reliable
to collect and store data pertaining to more than a billion people. Amidst the oppositions
and concerns and privacy as a fundamental right and all this but the Aadhaar project had

317
to move on. So you all know that the 12 digit Aadhaar is a unique identification for every
individual and it is world's largest ID system and it makes every Aadhaar record unique
because it, if you go second time to get one more Aadhaar, you know it is simply not
possible because of the, because of the way the application is built and the comparisons
it makes before it accepts a ID and it is built as a platform you know.

So if you read the book, you will understand the concept of platform here. So it is
basically a database and it is so, this is a database on which applications could be built or
other participants could actually connect and build more. So the concept of platform, you
know you call Facebook a platform because it is not just one player, it is not just one
category of participants, there are multiple categories of participants. So platform is a base
on which different types of people can connect and give inputs and also take benefits. So
like the Google, right, the advertisers and the users and the Google as a platform provider.

So their interests are very different but the platform unites them. So Aadhaar is a database,
is a platform which unite the interest or which synchronizes or orchestrates in other word,
in the language of music. So he would assert that minimum data should be collected, not
the demographic data of individuals, only the basic identification data that is required. So
at the collection itself, it is following a very minimalist approach. Yeah, just I referred
Machiavellian, I am sure some of you have read, The Prince.

I suggest this book for all managers because to appreciate the complexity of politics, the
real world. So there are good kings and bad kings but all are kings. So you rule based on
whatever principles you follow. And then ultimately if you have to survive and be a king,
you have to follow certain rational guidelines in political science. So Machiavellian is
one, of course we are more familiar with Chanakya of our country.

But it is a small book. You can actually read when you are traveling, The Prince. So I
was giving the context of Aadhaar because it is very much tied to our privacy. So why
privacy became an issue? Because government needed to collect data, personal data of
citizens and store it in a single database. And that is required by the government.

Now the questions are, can it be made mandatory for government services? Well, that is
where actually the Aadhaar was challenged in the court and the debate was public and
finally Supreme Court actually restricted where Aadhaar can be used and where Aadhaar
should not be made mandatory. I do not have that list with me but you can see that certain
fundamental services you do not need to have Aadhaar, you can provide other identities
as well. Taking into consideration, well nothing should be made so absolute to get basic
services of the government. But if you have to get a cell phone or the wireless service
today, you need an Aadhaar. So that is, sort of you know, a service if you need, you can

318
provide your data if you do not need, you can sit at home.

And similarly for many services, private services like banking, insurance, in so many
areas, Aadhaar actually becomes a unique identifier and as soon as you share your Aadhaar
ID as privacy aware people, we also know that we are sharing a unique ID with them. So
potential for misuse does exist. And so the other debate which engaged our country over
the past few years, I would say from 2015 and it is still going on because it has the PDP
has not, DPDP has not become a law yet. So if the debate is still on how safe or how
secure is the Aadhar database? What is the guarantee that the data will not pass or data
will not be leaked in the system or in the architecture that is built for Aadhaar database?
So when this question was asked to Gulshan Rai, India's Cybersecurity Chief, he sometime
back answered that Aadhaar biometric data is 100 percent secure and there is a 10 foot
wall. I think the data center is in Haryana, that is what I read.

So in terms of the infrastructure, it is very well secured, that was the claim made by the
government or the government agency. But is that okay? The 10 foot wall will protect
the data. That looks like a little trivial but there should be some reason why he made that
statement. He is a techie, he is a technical person. Yeah, it is about building a 11 foot
ladder, good answer, yeah.

But that is not the, that is not the real point but it was so, he made a statement about the
physical security. And this is a cartoon that subsequently appeared in the Hindu, Keshav's
cartoon. So it is very secure from the front but seems to be, the back door seems to be
open. So you have heard that saying - No chain is stronger than its weakest link. No chain
is stronger than its weakest link.

319
 So a chain, if there are 100 chains, 99 maybe very strong but one weak link is enough to
break the chain. So that is why I shared that paper, research paper written by, I guess three
scholars from IIT Delhi, Computer Science department. So they published this paper and
I was very heartened to see that Justice Sri Krishna commission referred this research
paper in the draft bill. If I am a researcher I will, that will be one of the finest moments
for me because a policy, a policy refers my research. So my research had policy
implications.

So you can see that paper in the footnotes. When I was reading the document, I found
this paper. So that is why it is giving, given us a reading reference. So it, they actually
discusses the the weaknesses in the Aadhar system. But I am not sure if Aadhar data ever
got leaked from the database.

But the architecture is like this. You can see how it is depicted in the paper, Aadhar data
architecture. So you can actually see there are, it basically has three constituents. So this
is the central identities data repository or the Aadhar database.

Aadhar data resides here. This is the data center around which there is a 10 foot wall.
So that is the database in a data center. But how can access be made? Even if you jump
into the data center, you cannot actually collect anything and go because it is digital. So
that makes, the whole thing does not make any sense. But the point is, there are, the access
to this database is through a layered architecture.

So there are multiple layers. You can see that there is an ASA layer which is called
authentication service agency. The second layer below the database is the AUA layer
which is the authentication user agency. And then comes the authentication devices. It
could be the fingerprint readers or any device that is used to sort of collect data about the
user. Finally it is a user here who actually wants a service.

Suppose you go for your passport renewal or you go for a new SIM card. So you are the
user here. Whom you go to? You go to and you go to a service provider. It could be a Jio
or a Airtel or Idea service center that you go.

And then you want a service. So the service center possesses, of course the authentication
device. So what they want is that, they want to authenticate. We discussed what is
authentication. You claim that you are someone. And what is that claim? How you make
that claim? Of course, you have to disclose your ID.

In the case of Aadhaar identification, the ID is your 12 digit number. The 3 into 4, 12

320
digit number. You have to disclose, then you claim this is my ID. You have made a claim
and they have to authenticate you are the one whom you claim to be.

So place your fingertip, fingerprints. So that is the authentication device. And in this
case the telecom service provider is the AUA, authentication user agency. So using the
device, using the fingerprint reader this device can access the Aadhaar database through
another layer called ASA repository. ASA repository is having the direct link, digital link.
It could be through a wired link with the database.

So this particular agent actually is between the AUA, the service provider, the user
service provider, be it a bank, be it a telecom service provider or passport service. That
is where the service actually gets provided to the user. But if the access is made through
an ASA repository which is actually at the technical part of it. So there are ASA vendors
also with, which are enlisted with, enlisted and approved. If you claim to be someone with
an ASA expertise, being able to connect data access services then you have to actually
provide your credentials and get enlisted with UIDAI.

And the UIDAI or the Aadhaar has disclosed in public domain who are the ASA
providers. All telecom service providers are also ASA providers. They have the network
to connect with the, with the Aadhaar database. BSNL is of course one and NIC is one.
So they are all approved service providers for providing connectivity to the Aadhaar
database.

And then the core database. That is how the architecture of Aadhaar is. Now looking at
this architecture, this is of course 10 feet, huge infrastructure and maybe they have the
secured database, very secured database. We discussed security, security by encryption.
So it is maybe very difficult to actually tap into this database by interception. But what
would you think are the weak links in the chain, seeing it as a chain? Who? Some rogue
or malicious service entity.

But where would they get access to the data? All that you do, the biometric data is in
the custody of the Aadhaar, the UIDAI. They are the custodians of that data. You provide
your fingerprints, they do the authentication service. But you cannot get that data of the
individual.

The device, service delivery point. They get to know your Aadhaar number because you
disclose your ID. To that extent fine. So now there is a debate on where you should
disclose your, you should not give your Aadhaar card, you should give your pseudo
number. That is one aspect of the challenge or the issue, security issue.

321
 Your Aadhaar number gets known. In the weak links, we can say that the authentication
device, like he said, they can only collect the data of those people who are authenticating.
But accessing the internal data like UIDs, it will be very difficult because they are just
giving yes no response, they are not releasing the data. So the weak point will be very
difficult to find here. It will be only regarding the authentication device, they will collect
the data of those who are authenticating. But you may have read newspaper reports about
Aadhaar data open in public.

So where did it get leaked? So how did it reach there? There have been particularly
enquiries into this. Like many organizations collect Aadhaar numbers. So maybe that is
how they reach the open internet. They did not fetch it from the UIDs data but from the
websites and organization.

Let me summarize the criticisms of Aadhaar. There are several limitations and
weaknesses of the Aadhaar system that was highlighted in the news in recent times. I
actually collected all that but I am giving a summary of it. One is actually the agencies
which collect Aadhaar as an ID and they can aggregate it and then actually link. There is
something called linking, we discussed this, you know, link other data with the ID or a
unique ID and then use that to profile the customer. So that is one potential leakage which
now they, the Aadhaar actually provides you a pseudo ID if you want.

So this can be prevented. So this is one way of preventing. So you decide whether you
want to give your Aadhaar card or not and you should be very careful because there is a
potential that somebody is getting your ID. So that is one point. The other is, who actually
creates this database.

322
 One is that once database is created it is safe. We believe that it is safe. Nobody can tap
in there. But who actually collects the data? Is it Nandan Nilekani who comes and who
is very credible and reliable, who comes directly and collect the data? When you went to
a particular center for giving your ID details, it was an agency which did this exercise.
So actually Aadhaar enlisted thousands of vendors, thousands of vendors across India for
Aadhaar data collection. And there was an inquiry, a journalistic inquiry into the Aadhaar
data leakages and which was published and in a short time Aadhaar, actually the UIDAI
fired about thousand vendors.

There is a, this actually happened. So if there was no case of Aadhaar data leakage, why
this vendor should be fired? So there was, it appears that actually lot of leakages of
Aadhaar data happened through the vendors. And vendors, the government is finally
dependent on a vendor to collect this data. And vendors are people. So it was quite possible
for data to leak through those agencies at the time of collection. And then there are many
pitfalls but over a period of time government became aware and it has been correcting its
course.

323
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 12
Lecture: 36

Okay and now we come to the important discussion which is about the need for privacy
and the need for unique identity. So both are actually important and therefore there is a
need for regulation and as I said government initiated this well in time and a bill was
available by 2017 and they did excellent job I would say, in drafting the first data
protection bill, personal data protection bill of India. And the terms of reference, if you
read what the government asked the Justice Sri Krishna Commission to do, you know it
is a very difficult order, to unlock the data economy while keeping data of citizens secure
and protected. You see what comes first, to unlock the data economy. So for digital India
being digital is important, do not ask to stop being digital or as we discussed in some of
the cases, go back to the manual controls and do not give internet connectivity or protect
the privacy of people and then nothing more. That is not what the government did.

So you should not actually deter or destroy business models or businesses that run
successfully on data and create a lot of value for citizens. And so by the time this, this
TOR was given, Facebook is already in India, Uber is in India. What does Uber work on?
Is it on anything, any assets? Just data, purely data. So data based business actually has
became huge success across the world.

So Google is right there and they are making car. So that is a new economy and do not
destroy it but at the same time take care of citizens' privacy. That is the order. So
government recognizes, recognize the transformative potential of the digital economy to
improve lives of Indian citizens. At the same time upholding the privacy of individuals
was also important and therefore there comes this regulatory, initiative for regulation.

Government recognize the need. And of course, this PDP was presented by the Union
Cabinet in the parliament in December 2019. And but, of course there was opposition
because what happened was that the PDP as drafted by Justice Srikrishna Commission
was not presented as it is. Government made amendments to it. The amendment was
basically to give more power to the government or government's right to access personal
data.

And particularly there is a clause which actually provided this, you can call it undue
powers but government sees that certain powers they need to access, to have access to

324
personal data. So this amendment made by the government was not acceptable and
therefore it did not conclude and government finally dropped this in the last year and then
they said they will go for an alternate bill. So if you look at the PDP which is the base
document, the current DPDP is building on it or it is making it more concise and it is
making it, I would say more inclusive. We will come to that. So you can draw the parallel
between the GDPR and the PDP by looking at this sketch.

So there are three actors or three major stakeholders in data. One is the data subject. So
in PDP and DPDP the data subject is termed as data principle. Data principle is you and
me, the individuals, persons whose data is collected. So that is a data principle and data
controller is called data fiduciary in the PDP language or in our bill, the data controller.

Data controller could consist of multiple entities but essentially the best example is
Aadhaar. Aadhaar is a data controller. What are the functions of the data controller? It
will collect data, it will store data and it will also take decisions about the data. For
example, with whom that data will be shared or what kind of analysis or processing will
be done on the data, who will do that processing, would this be by the controller itself or
by an external entity. So there are lot of decisions that actually is vested with the controller.

So therefore GDPR calls that entity a controller and in our language, it is a data fiduciary,
the one who actually is the guardian, fiduciary in the sense who is a sort of someone who
can be trusted with data. And the third entity is the data processor. So same in GDPR as
well as in PDP. So GDPR, sorry a data processor only processes data that is shared by the
data controller. So if you outsource analytics, so the processing agency is the analytics

325
company.

But analytics company is not the data controller, the data is collected and decided on by
a data controller. And when we discussed GDPR, we saw that since data passes hands
and the data principle loses control on with whose custody my data is and who is analyzing
my data. The GDPR made data controllers responsible for their contracts with the data
processors. There has to be clear contract between data processor and data controller and
penalties would apply to data processors as well in the GDPR. Before GDPR that was not
the case, the data processors are not liable.

In certain company, in certain contracts there may be liability clause, in certain contracts
it may not be there. But GDPR made this domain aware that there has to be clear contracts
and financial implications. Well, I will move on, this is a bit political. When government
actually brought the PDP to the parliament, Justice Sri Krishna said this is not the draft I
drafted. This will result in an Orwellian state, George Orwell, we referred before.

So, because government actually amended it and more sort of, so brought more controls
on it. So I am not politicizing this, so it is about the government, it is not about a party
because government needs, feels that it needs more control for governance. We saw the
history of privacy in India, so it cut across political parties. So now we are actually
discussing a bill called the DPDP bill. Data sorry, Digital Personal Data Protection, PDP
with the digital added.

Personal Data Protection, it has changed to Digital Personal Data Protection bill, DPDP
in short. So this is under discussion and it is open for public comments. You can just go
DPDP bill, you will actually get this in public. It is a document that is available in public
domain. And one interesting point here is this DPDP 2022 has 22 clauses and experts
notes.

So lot of things that I am going to present now is based on expert views. I am not a expert
in law, I am a teacher of information systems. So interpreting these bills also require legal
expertise. So I am not getting into that domain, so I am making some general observations
and also referring to opinion pieces that came in business newspapers. So that is my
reference here because there is no journal article or there is no very highly sort of unbiased
opinion available.

So it depends on which newspaper you read also, you get two sides of it, so that also
exists. So the one point is the, out of the 22 clauses, the central government has been
provided with rule making power in around 14 clauses. What does this imply? Is this
okay? Government can actually make rules about 14 clauses in the regulation. So a

326
regulatory body is supposed to be independent, free from the influence of government.
RBI is supposed to be an independent institution and it should take decisions for that
particular domain not dictated by, even by government, that is the point.

So you see what is called conflict of interest. I am not suggesting that any government
would just let data go without a control on it because then it will actually lose ability to
do its function of knowing people or investigating about people etc. So government has a
legitimate need but there is also a conflict of interest here. That government itself is the
fiduciary or the data controller in several cases. Look at Aadhaar and today you have
GST, of course GST does not come under personal data but government is in possession
of huge amount of public data and then government also becomes a decision maker or
government can decide on the regulation.

So it is like, I make the law and I execute it, so both are not correct. An independent
judiciary, now we say the judiciary should be independent of the legislative and the
executive, that is to make this, the estates independent. So that there is no conflict of
interest. So there is a arguably a conflict of interest situation here but that is not a final
opinion, it is an opinion by an expert.

I am just quoting it. So if you make a comparison which I tried based on expert opinions
available in public who are lawyers of course. So this is sort of tertiary data. So I am
actually compiling what is said by somebody else. So the first point is my observation,
PDP is very detailed, there are 14 chapters, it is publicly available and 56 pages and the
DPDP is 6 chapters and 24 pages. So it is made very concise, it is half in size, very very
concise.

327
 And DPDP addresses only personally identifiable data, it does not deal with all kinds of
data where PDP was trying to regulate data as a whole. So the purview is slightly different
and there are some minor issues like the Right to be Forgotten was a clause in PDP but
now it is brought under the Right to Erase, it is called the Right to Erasure, but both may
not be the same, that is what the legal opinion. Right to be Forgotten also would apply to
data sharing among entities but the right to be, try to erase data may not ensure that, this
is one minor issue. And penalties are much higher in DPDP, the new bill has higher
penalties for breaches. It is capped at 500 crore, that is the maximum that would be
chargeable for data breaches.

And interestingly in DPDP penalty applies to data principals also, that is if you actually
make a wrong claim, you may actually end up in paying penalty, which was not the case
with PDP. So you can see there is a bit more influence of the other stakeholders, not just
the individual's perspective, it also actually looks at the regulation from the corporations
point of view or the business entities point of view. So they do not want this irritation of
complaints all the time coming. So this will actually probably reduce the number of
complaints. But the last point is very critical point, so we will close with that.

In PDP there was a three-tier classification of data, the PDP classified data as personal
data, critical personal data and sensitive personal data. So let us go from the other end,
sensitive personal data or SPD means data that is very sensitive, it could be your financial
data, it could be your, data about your what you call, personal preferences like your
matrimonial data. So a lot of data that is very much linked to your individual space and it

328
is very also sensitive. Passwords, that is SPD, health data, that health data, financial data,
passwords, all these are highly sensitive and PDP brought this under a category called
SPD, sensitive personal data. Then it had the second classification which is critical
personal data and it is not defined in PDP but it gave the rights to the government to decide
what could be critical personal data for the country and government did not define it.

But if government wants to tell organizations, well this data, this category of individuals
data should reside within the country and you know, other data can be passed or stored
elsewhere etc. Government had that control possible. The rest which was not critical or
sensitive is personal data. But in DPDP there is no such three-tier classification of personal
data. It only says personally identifiable data.

So this classification is done with. But in PDP, so that is where actually the politics or
the debate actually comes in. In PDP the last two categories, critical personal data and
sensitive personal data, PDP recommended it should be stored within the country. Cross-
border transfer of SPD and CPD was not allowed. And that is called data localization. So
you must have heard about this issue of data localization.

Data localization is proposed in GDPR. You can see cross-border transfer of data is
expressly permitted with only a few countries. And for rest of the countries, it has to be
based on contract. So therefore this particular aspect of data transfer when it was
considered in the regulation in India, they made data localization a clause. But data
localization also known as data residency, data sovereignty in some literature basically
requires that citizens data, citizens that belong to a country, their data should be stored in
data records or archival within the country.

It should not go outside of the country. And you can see that after PDP, government
started arm wrestling with WhatsApp, Facebook, Google, payment banks, all of them.
Citizens data should be within the country. Now, is it good or bad? What do you think
about? Data localization is a highly debated topic. So on one side government which is or
a regulation which is trying to protect personal data wants data to be stored within the
country. But what is wrong with it? That is the, that is data sovereignty.

DPDP amends that. But what is the problem here? So one issue is that the data actually
has value. So we can analyze the data to get some, identify business patterns and so forth.
So if in case there is no data localization, multinational companies could take this data to
their home countries, analyze the data and develop products for the Indian market from
abroad. So potential source of jobs in our country will be lost. Like you can, they can
build customized solutions, say customized apps on the Play Store from the US using
data which was acquired from India.

329
 So you want data trade or data to be taken out of country for analysis. That is what you
are saying. For analytics, analytics. An analytics could happen in India and the results of
analytics could be used to develop apps and other digital services within this country. So
that value is being transferred, being taken out of this country through, without data
localization.

That is what I think. But don't, foreign corporations actually outsource analytics to India.
We are actually a place where we have the competence to do data analytics in the country.
So in one sense the country is saying that, well do analytics within India. It is actually a
boost to the Indian analytics as well.

Don't transfer the data outside of the country. But you are talking about scenarios which
we do not know where data analysis in other country would bring more insights. Okay.
Any other reason? Mostly it is related to technical trade. When data is stored in other
countries, if any, as per law, if the data is stored in US data center, if the law forces them
to the company, for example, Azure or anyone, to share the data, it is their liability to
share it. So if the data is stored inside India, the government has protection over it and it
is not liable to share with any other countries, until it is the concern of India.

Okay. So essentially you are saying if Indian citizens data go to a country X. So it comes
under the jurisdiction of that country X. And if data sharing is permitted within that
country, like many countries, if a data trade is free, so this data which is residing in their
jurisdiction can be shared because it is no more within the jurisdiction of India. So

330
basically the PDP or any data regulation to be effective, data has to be within the country.
Once it goes out, it is in another location, the same laws cannot apply.

So that is a valid point. So data localization is essentially trying to ensure citizens data
are protected within the law of the country. Agreed. But this is like skewed, this is over
protecting individuals. Why corporations should worry? So there are multiple
stakeholders, there are data subject is one but then there are data controllers, they are
collecting data for some purpose. What is their concern? One is potentially if they are
analyzing data elsewhere in another country, so they have to actually change the contract.

So there could be complications, so that is one. But is there any other major issue? This
actually if you look at DPDP, this clause has changed, data localization is diluted. So post
PDP government actually was trying to have complete control and suggested data
localization but now it is not. DPDP does not have a strong clause for data localization.
That is actually by corporate power. But what could be other concerns that corporations
have in data localization? Actually this may be right or wrong but I remember reading
few years back that security is a major concern where if the data warehouses, like multiple,
some MNCs data warehouse when their data centers present in India are not that secure
and whereas there are some specialized data sources in some islands or something where
the data can be secured more safer or something but they belong to some multinational
organizations.

So they are willing to come forward but if in case we are, like the Indian government is
in, to go to, like you know if they are to go in for contract with those organizations they
will be obviously losing some control over the data. So I remember reading that it was,
you know the trade off between security and control. Security and control. So what are
you arguing? Suppose data goes outside of the country.

We will have, the data might be more secure. It might be, I have read somewhere, I am
not too sure of the context but yeah. It might be more secure because of the data center.
Depending on which country. Not which country but organization I remember. Some
specific organization had its data center in some island and they were about to, some talks
are going to exchange data with that particular organization but again control was some
issue which they were discussing about.

Okay. So let me write down. So plus side is government's control, the minus side is
corporations losing potential value. Are there any other pluses and minuses you can think
of? What is the, what is a major loss because corporations actually arm twisted the
government to change the law.

331
 You see. There could be other potential reason. Okay. So let me give you clues. What do
you think about the data center economics? One potential negative is like it will increase
the costs of operations. So earlier they used to have clouds where the actual warehouse is
not actually within the home country. It will be in some other country. Now they have to
build dedicated data centers within each country.

Yeah. Yeah. That is a major issue because all corporations or large corporations like the
Google you search for where are the data centers of Google located. They have actually
rationalized that across the world and they have, particularly Google has built their data
centers close to hydroelectric projects basically for saving costs, saving on energy. So this
is something they have already invested in. So data localization will require these
companies to build data centers within India. So on the plus side, a data center business,
data center and analytics business will prosper within the country, the plus side.

But cost of data center or cost of data storage would definitely go up. They do not have
the scale and they enjoy scale advantages when they actually store data within certain
premises, within certain areas. And that is something they have rationalized. The cost
goes up for them, if they have to build domestic data centers.

For India, this becomes a new business. It becomes new prospects for the IT industry
because data center business comes to India. So government has that rationale but not
corporations. And you can see the corporate interest actually, because if corporations
become non competitive then they would not like to do business or it is not possible. So
therefore you can see this particular balance. It was actually skewed towards the
government or privacy but now with the DPDP, government is also permitting cross-
border transfer of data.

The sensitive personal data, critical personal data, this kind of classification was also
dropped because if that exists, the argument becomes strong but now there is only
personally identifiable data and data localization is not now very strict in the DPDP,
thanks to corporate interest. But we should not see this as a, you know as simply negative.
It does not make economic sense for corporations. But if you talk to consultants, they will
also say that well, is data center a huge business potential for India? Many disagree
because data centers do not create many jobs but they use up a lot of domestic resources.
For example, if Amazon, actually there was a negotiation with Amazon in Hyderabad to
set up a data center.

So Amazon's conditions were that they want, say 100 acres of land and they want full
security given by the government around that particular infrastructure and they want no
taxes. So it should be all favourable for them to establish a data center here free and they

332
may employ, say 50 to 100 people from India. So this is one insight I got. So it shows
that data center as such, IT services is different but just having a storage facility does not
really create a large number of jobs but it actually take away our resources. So probably
these are reasons why government also relax this sort of strict condition on data
localization.

Okay. That is about Indian regulation. So it is on debate, so you can continue to watch
this. Any questions? Yeah, so beware of newspaper articles if you have to balance between
news, expert opinions because they can only look at certain, some overly would be critical
of government or very much in favour of government but there are pluses and minuses
and government has to balance these different forces. Corporate interests are also
important, you know, you cannot just neglect that but at the same time, privacy is also
important. So let us see where it reaches and that is it for today. So next class we will
discuss the economics of privacy because we touched on that today, There are different
players or stakeholders in data and therefore we cannot neglect any stakeholder from this.

And we also say that data is the new oil. If oil becomes very expensive then you cannot
do business with data. Manufacturing business will not be competitive, oil is very
expensive and so is many corporations. If the privacy laws becomes very tight and data
becomes very expensive then those businesses cannot survive or be profitable. So we
have to look at that side, data is the oil. So it has to be protected but at the same time
should not become very expensive to do business with. Okay, we will meet in the next
class.

333
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 13
Lecture: 37

Good morning, welcome back to Cybersecurity and Privacy course. So today's topic is
Information Privacy, the Economics and Strategy of Information Privacy. So, is there an
economic value to privacy and if so, is it important and where it is important? And
subsequently, we will explore the strategic value of Information Privacy, if not today but
this will move to the session tomorrow where you will appreciate that privacy or
Information Privacy is at the core of business models of some organizations. So how you
use it strategically or to differentiate your business etc. So that is the topic of discussion
today and tomorrow, economics and strategy related to Information Privacy. So from a
business perspective, these two are very important.

If privacy does not have economic implication, or strategic implication, it is not worth
spending much time because business is about these aspects. So let us move on. So you
know there are platforms that are built on data or individual's data and we enjoy being
there because this is our social life and social presence and this gives us lot of happiness.
It can also take away our happiness.

It can actually bring a lot of pain in different forms. So valuation of privacy, so when it
comes to privacy as an economic good, so there has to be some value assigned to it. Only
then we can, say speak in economic terms. So the value of privacy is practically important
because in contracts between organizations which we explored is mandatory in the
regulated world. When a data controller and a data processor, they actually exchange data
and information, it is important to have a contract between them.

For example, GDPR insists that there be specific contract and also there be penalties or
in the case of breaches, the losses be shared between the two partners. So therefore it is
important to have a contract and in contract if you have to have a clause on what is the
penalty if in case there is a breach. So how do you ascertain that value? So that becomes
a topic that is related to the value of privacy because it is about private data. It is the asset
or the good that is exchanged or shared here in this case, is the database. So how do you
actually attribute a value to a database which is about personally identifiable data of
individuals? So this becomes a very important topic.

Although it is an important topic, is there a method, well established method for valuation

334
of privacy, still remains a question or an open topic for researchers to jump in. So I see
some publications coming in that line but valuation of privacy is by and large an open
topic for research. So in contracts, particularly involving cloud contracts, although
regulation requires firms to have contracts, writing these contracts is not easy. The first
difficulty is in ascertaining the value of privacy. So since this topic is important but
research is very limited, one of my MS scholars worked on this topic, on the valuation of
privacy and we did an exploratory study to understand how organizations in different
domains are actually managing their contracts.

So what does their contract document say? What is the value of privacy or how they do
it? So we interviewed CIOs of certain leading organizations into this research. I do not
mention the name but say, one example is where I was also present because I was curious
to know. So this was a leading healthcare provider in our country and the CIO said, well
we do store healthcare data in the cloud and the cloud service is provided by an IT service
provider and then that data is actually healthcare data in Indian, of Indian customers. Then
we asked how do you determine or how do you specify the clauses on data breach. He
said, of course there are standard legal terms related to data breach but ascertaining the
value is not easy, we do not do any valuation.

The typical clause is 5 percent, the penalty is 5 percent of the contract value. So that is
like a thumb rule, so there is no actual valuation done if they go by a thumb rule and actual
cost can be much more than the 5 percent, it could be less than the 5 percent but at the
moment they agreed that there is no model available to determine what should be the

335
value and then actually contract based on that specific model, there is not clear model. So
in the absence of that, they go by thumb rules. That is how the industry is working now.
So 5 percent of the contract value.

So you can see that this can actually lead to major losses for a client or service provider
if the valuation of privacy or the actual losses due to the data breach is very high and you
can also see that what the DPDP or GDPR does is to give certain specific guidelines as
to, you know you just saw that in DPDP which is proposed now in India, the cap for
penalty is 500 crores. So you know there is a specific number out there based on which
you can actually take a decision. So in the absence of a model, there are certain guidelines
available. So that is the latest that we see post regulation but these are all related to the
data privacy issue. Now when, if as a researcher you start exploring this field, well I am
going to develop a model to determine the value of a database and suppose the database
has, say a million records and I am going to determine how much this is worth, what
privacy is worth as economists ask.

Then you will actually see difficulties because the issue of privacy is not very
straightforward. If you ask an individual about how much an individual values one's
privacy, that is a question I am going to ask you now. But so, you will find that it is not
a very straightforward question to answer because say privacy scholars have seen or have
written is context specific, it depends on context. So what do you feel today about privacy
in a particular setting may not be what you feel about privacy in a different context. So I
have a small quiz for you.

So and this is a small number, so if I will get the right response, I do not know, that is a
disclaimer. But nevertheless we will do that. So you have to take your cell phones, get
your cell phones and be ready to take the quiz. Now, so you can see there is a code, you
have to go to [Link] and the code is 33966832.

33966832, 3396 yeah, now I am going to present it, not presented yet. So let me actually
give you the background. All of you know that, all of you use emails, it is there on the
board the top one, 33966832, yeah it is on the top. Do not respond now. Let me actually
give you the background.

See all of us use or most of us use Gmail or an email online and you do not pay for it,
you do not pay for a Gmail account. There is no subscription there, right. It is free. And
you also know that your Gmail's are read, your emails are read, Google says that it is not
read by a human being but it is read by a software and they use it for advertising and that
is their revenue model and we accept that. Now we are, as users we are also concerned
about our privacy.

336
 So our emails are read by someone. Sometimes it can be humans too. Google admins
that. So it is a matter of concern for us as far as we as individuals are concerned. So here
is a proposal.

Suppose this is a hypothetical proposal from Google. Google announces that if you are
willing to pay a price per month, then not even software will scan your Gmail. How much
will you be willing to pay per month for availing this service? This is a premium service.
The first question, this is the first question you are getting.

Really? No, no, no. This is the question that, you did not get this question yet? Are all
of you getting the same question? Yes. Are you getting this question now? Yes. Now I
have gone to the same. All of you get the same question? Yes.

Okay thank you. Just respond to this question. Yeah, yeah all of you. Hello, so you can
sign into menti and the code is 33966832. Okay, I think most responses have come. So
now I am changing the question.

So what does it show? So I would say you are going one side, so you have seen. Let us
move to the next question. Now Google makes an order. Next announcement,
announcement is that if you let humans read your Gmail, they will pay you. How much
will you be willing to accept? Say Google says, well we want to scan your mail and since
we are scanning your private mail, we will give you some money per month.

They are willing to pay you. How much will you be willing to accept? To scan. No but

337
you give, no, no. These are the options out of which you have to choose. So I was a bit
concerned if the class will follow this expected pattern but you have, you have followed
that pattern.

Yeah, yeah. So this is known as privacy paradox. What do you have actually, your
response is what privacy paradox is. We all talk about privacy and we want to protect our
privacy. We are, you know, so we are advocates of privacy but when it comes to
protecting your privacy, how much you are willing to pay? You see 100 rupees or you
want a 0 option, probably it is not there.

Right, right. Yeah, yeah and if you are going to get some money out of it, you want to
get the maximum money. The maximum that you can make out of your privacy, you want
to make but if you have to protect it, how much are you willing to pay? Sorry there is no
0 option. Correct. So this dichotomy or this difference between what you know, what you
call the willingness to pay and the willingness to accept in economic literature, WTA and
WTP. This is nothing but willingness to pay.

How much are you willing to pay to protect privacy? It tends towards the lowest value.
If you take the average, the average of WTA is lower than the average of WTP. How
much, sorry WTA, this is willingness to accept. I am sorry, maybe I said it differently.

This is WTA, willingness to accept. The willingness to accept is higher than the
willingness to pay or willingness to pay is lower than the willingness to accept. That is
human behavior. So this claim for a very high value of privacy and you will protect it any
cost etc is actually a talk but when it comes to the economic man in you, you are actually
differentiating between the willingness to pay and the willingness to accept. And there is
a sort of paradox there, among humans which is quite obvious. Even in a small sample
you can see that is reflected and there has been several experiments conducted by
economists to study the privacy behavior of individuals.

I just designed this experiment and this has been working. So now the important question
is, what explains this? What is the theory that explains this? See when behaviour is
explained by certain theories, can you imagine why are you not attaching a very high
value to protection but when it comes to acceptance you are asking for higher value? There
is no other choice. Actually you are just going for the best choice. No. Why that
preference? What explains that preference? In the first context if you see it all depends
upon how much value you are assigning to that particular medium.

You spoke specifically about Gmail. Now Gmail or email communication in the context
of our country, in the context of the domain we are in, might be totally different from, in

338
the context of say somewhere in, where we are in our country. No, no, no. As an
individual, the question is to you as an individual. What explains your behaviour, that is
the point. Sir, as an individual only I am saying, if Gmail would have been my primary
mode of communication, whatever my work or all my things, what I have assigned would,
I have assigned even 100 rupees I would have said this is nothing is acceptable, I do not
want to share it.

It is just that I am willing to take that gamble because probably I do not assign that much
of priority to it. Value to the privacy and. If I assigned it, I would have said 500 rupees I
will give. Nothing should scan my this thing because I have that kind of, I assign that
kind of value. Yeah, but Gmail is for private communications and there is private
information there but when it comes to paying for it, you do not actually feel like it is
worth that much.

Right. Yeah. Sir, actually it depends as an individual how much priority I am giving to
you know my cyber digital privacy and it also depends on the kind of data, whether that
is email or normal chat or of a confidential something and it also depends on culture to
culture. Yeah, of course, of course. Depending on the awareness. Yeah, yeah, the question
is yeah, culture to culture definitely but here the question is about individual behavior and
of course we live in a particular culture which is sort of homogeneous for all of us. So
within that culture yeah, yeah, yeah, yeah, yeah, yeah.

So yeah, actually theoretically this behaviour is a bit of irrational behavior, okay.

Because in economic man is considered to be very rational, you know maximizing profit,
okay. And so also not carried away by emotions but here actually emotions play a role.
So which shows that it does not go with the neoclassical economics and it falls under the
purview of behavioural economics. And behavioral economics would say that economic
man is not very rational and decisions are also carried away by whether there is a pain or
a loss and human beings are loss averse, okay.

Or the pain gets a higher priority than gain, okay. For a same decision if there are, there
is an option of both pain and gain, the focus will be on gain, sorry on pain. You do not
want a pain, okay. So if you read Daniel Kahneman and others, you will get more
understanding about these concepts. So in privacy calculus or the calculus that runs in
your mind, when you take decisions about privacy, you apply certain principles or certain
things are running in your mind.

339
 So which can be drawn as two concepts here, one is loss aversion and the second is
endowment effect. Both are actually from behavioural economics. And the loss aversion
is something that you can understand from the graph. How much, how the loss is more
significant than gain? So a typical example they gave in their literature is 100 percent
chance to gain a 450 dollars, 50 percent chance to gain 1000 dollars, which one would
you, which one would you opt for? So, the expected value is higher for the second option,
right. But it is a gamble, right, it is a chance but there is a definite or there is certainty in
the first one.

So people prefer typically that. I am not putting it as a experiment but people prefer
where there is certainty. Because there is a chance of loss in the other one which you want
to avoid, although the expected value is higher. And that is known as loss aversion. So
we are very averse towards loss because loss is a pain, essentially it is psychology. It
involves a pain, embarrassment is a pain as I used to assert.

So we always try to avoid that. And that is known as loss aversion in prospect theory.
The next is endowment effect. Endowment effect is a subtle idea that we all carry. Let
me give a different example, this is Google example which I have given on the slide.
Suppose you have a trophy which you got for some performance when we are in the fourth
standard.

It is a small trophy and it is kept in your living room and you often see it. And somebody
comes and says, well that may be made of steel or silver or a mixed some alloy. Somebody

340
says I like this trophy, how much do you want for this? So he will try to weigh, so suppose
it is an akri guy, so he comes and weighs it. So this is say 300 grams, so I pay you 500
rupees. So are you willing to take a money proportional to the cost of that metal? No, it
is not a metal, it is not a metal, there is something else in it and that is the endowment.

This is your trophy. Even if you give instead of 500 rupees you get 50,000, you may not
sometimes part with it. So there is a parting pain. The parting pain is a part of many
products and services or it is created like that. And then it is not, the price is not the cost
of the material or cost of production or margin, that is not the way to determine the price
of certain products and services because endowment effect is built in. So when something
is yours, that is what is shown in the slide and you have to part with it, there is a parting
pain and there is a cost to it and that cost is difficult to assert.

Now in the small experiment that we did now, both the effects are involved in to some
extent. For example, if you are a Gmail user, if you are a Gmail user and take my case, I
have been using Gmail say for the last 15 years, a lot of my information and I do enjoy
certain amount of, say certain service, certain benefit from it. And if you are taking that
away from me or I do expect that my privacy is protected to some extent and if you take
away that privacy from me, you know, it is like something I enjoyed and you are taking
it away. So I feel a pain and that pain is what is involved in the willingness to accept sort
of a thing. So you want a higher price because you are taking away something which I
already own and there is a loss involved in it because it is your private data.

So all these are playing up and it is also could be opportunism in this case, I did not know
because it is a small sample, you are going to get some money, get the maximum money.
But subtle elements could be, if you are enjoying certain benefit from something and if it
has to be parted with, then always the endowment effect comes in and if there is loss
involved and potential, loss in the form of potential embarrassment or potential social cost
etc, loss of face in front of society etc, these are pains. And when you imagine that, you
know, your, the perception of cost or the perception of value would go up. So what I try
to outline here is that privacy is a very personal product.

It is a very personal, personal area. So anything that is related to such a, it is not a physical
tangible product. It is about you and what you feel about yourself, what you feel about
your data. So since it is closely tied to yourself and that is where the behavioural aspect
and pricing based on the behavioural aspect comes in. So therefore valuing such goods,
private goods or a private data becomes a challenge because WTA and WTP itself will be
good. So you will actually assign different values to it depending on what is the question,
whether you want to protect it or whether you want to sell it.

341
 So how do you actually value it ultimately? So valuation is, therefore that makes it hard
for assigning one value to privacy at all times independent of context. So privacy is context
specific. Nevertheless there has been attempts in literature or by scholars to determine the
value of privacy in terms of WTA and WTP and using other method, that you know some
people use survey but all this may be subject to variations depending on the context. So
that is the end of the discussion on economics of privacy because economics is an
economic value of privacy, particularly databases and that is important and its valuation
is also important and models are still evolving but some fundamental concepts or theories
that can guide this valuation is the behavioural economics theories, particularly concepts
like WTA and WTP which we just explored. And yeah, the point I did not touched is the
stated preferences versus revealed preferences.

Economists use a tool known as contingent evaluation technique for privacy and related
evaluations. So there are two concepts there. One is stated preference and the other is
revealed preference. Stated preference is what you would state in public. So if you, if I
ask a general question in a survey, like I administer a survey and the question is, how
important is privacy to you? It is 1 to 5.

Answer is 5, right. It is very important. That is your stated preference. Then when it
comes to revealed preference, you cannot actually administer a survey and get it. You
actually try to observe or you change the questions and give games like this and find out
how you actually really value privacy and then you find that although the 1 to 5 option
was available, you went for option 1 instead of opting for 5, that is the revealed preference.
So there is a difference between stated preference and revealed preference or actually what
people think and what people actually behave are different when it comes to privacy and
privacy evaluation.

342
 So with that I close. So we take up the next case for discussion which is related to
Information Privacy, but the discussion is at the organizational level, at the aggregate
level and we will see what are the factors that influence the trade of private data.

343
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 13
Lecture: 38

Hi everyone, good morning. We are from group 5, Manu and Bhuvan here to present on
the article, The Dark Side of Custom Analytics, by Thomas Davenport and Jeanne Harries.
This article, to give you an overview discuss about the privacy matter of how supermarket
deals with their customer data which is collected to a loyalty program in a business, in a
business perspective while they are trying to share this data or trying to deal with a
business, with an insurance company. And we will just give, we will see over the expert
opinion on how this discussion, how this business between the supermarket and an
insurance company data sharing is available. Yes, so to the 2 companies here we are
considered in HRB case studies. One is a ShopSense, which is a Dallas based supermarket
retail chain in USA which has a more number of customers who just avail their loyalty
program where they collect certain personal information and in certain cases also related
medical information where they can suggest a products for them and provide discounts
for the customers based on their preferences.

344
 And they, they also have a in house analytics through which they collect the data and
with the data they are collected through the loyalty program, they also have a pattern
based approach to issue coupons. For example, if a customer is specifically buying some
milk based products or any health related products, they were able to create a pattern
through their data analysis or the purchases they made and able to issue coupons
specifically for that to attract more, to attract them more to purchase. And as I mentioned,
it is they basically collect this data through the loyalty program. The second company is
a IFA insurance company which is founded in 1972 and it is one of the largest life and
health insurance company in USA.

They are based among the industry where they also collect data's related to customers
from multiple agencies or multiple points and they able to have an analysis to set the
premium level for the customers. If for a, they specifically collect an data space with
respect to health related issues. For example, if a customer is purchasing meat or relate a
more of an alcohol, they were able to come to an conclusion and have an analysis that the
chances of him having the health issues related to cholesterol or BP is higher. So, they
wanted to charge more premium for it. So, this is where the purpose of collecting the data
was helpful to the insurance company.

So, the four experts opinion who were given on the topic of how this companies leverage
the customer data responsibly was to start with, George Ljones who is the president and
CEO of Borders Groups, Michigan. The second person is Katherine Lemon who is
associate professor at Boston College of Management and David Norton who is the vice
president of Relationship Marketing from Harrah's Entertaining, Las Vegas and the last
person is Michael McCallister is a president and CEO of Humana which is a benefit based
company from Louisville. To introduce with this article, this is a discussion and also
between two companies where they were a primary point of contact from IFA personnel
is Laura Brickman who projects, showcase a scenario of how the customer data while you
are performing a shopping. We will just come to it during the second slide. So, the persons
involved or the characters involved in this article for, from the IFA perspective is Laura
Brickman who is a Regional Manager for West Coast operations, Archie Stetter which is
a senior analyst, Geneva Hendrickson who is a senior vice president of ethics and
corporate responsibilities, O.

[Link] who is a general counsel and the CEO who is Jason Walter. From shop clues
management personnel's involved in this discussion are Steve Worthington which is a
chief analyst and Alan Atkins who is a Chief Operating Officer, Denise Baldwin who is
a head of human resource and Donna Greer who is a Chief Executive Officer. The scenario
happens where, when Laura Brickman who is a regional manager of IFA performs a
shopping and thinks about the accusation happened 14 months earlier where IFA and

345
Shop Clues come to, comes into an agreement for sharing the data. He thinks about how
the customer data's are collected while making an shopping and she also goes to the
receipts and coupons. For example, when he goes to a, once he comes to the checkout he
was, he was thinking about whether we need to have, buy sunscreen or not and it was also
a sunny time.

So, when she goes for a checkout, when she gets a receipt, at the back of a receipt, there
was a benefit mentioned about the you, sunscreen diseases and also just given an discount,
also coupon code. So, she thinks about that due to the scenarios or depends on the climate
or the current scenario, they were able to analyze, the supermarket were able to analyze
and bring out a receipt, bring a receipt coupon where they bring a print at the end of the,
back of the receipt and give it to the customer. So, that they will come to know, this is the
product and this is required right now and they meant used to the coupon also. And they
and Laura thinks that so, with this customer data he were able to identify which customers
are buying how many products for their household related to food materials and also
related to the health issues. So, that she thinks if this data would be useful for a insurance
company to assign the premium for the customers.

So, she thinks to, she flies away to discuss with Steve and tries to collect the data and
also they get the data, where 10 years worth of data from Shop Clues from, it is specific
to the people of Michigan. The discussion happens in such way, when with IFA
management view and then ShopSense management view. When IFA management view
Laura Brickman explains that, during the discussion points out that it is worth that we get

346
a health related or customer related data from the loyalty program of ShopSense. So, the
Archie Stetter who is also on senior analytics posted, give a additional support that
ShopSense information could be rich source of insight where we can collect the data's,
household information whoever is purchasing more house product and other details which
is useful for them to identify which will be the upcoming diseases or to reduce the impact
of a premium. With this also the senior analyst, Rusty Ware explains that apart from
ShopSense, IFA is also collecting multiple credits informations, financial information
also from other multiple sources which also deals with drugs and products.

Where the [Link] positions that if IFA can get more information developed using
ShopSense, he asked whether if customers pay higher premium, that is may lead to a legal
problem with perspective of a ShopSense. He also asked a question whereas, the Jason
Walter who is a CEO disclosed that if IFA comes up with a proprietary health indicators,
that will be a huge hurdle for competing with, the competing with the other insurance
companies. And moving on with the ShopSense management view, Steve Worthington
who is an analyst and who had a discussion with Laura, tells our management that if we
can share the data with IFA and we can gain more in economical output or economic
output for which there was some discussion between them and this is how it goes, where
the Alan Atkins he spells out that who is a senior analyst, spells out that if customer finds
out we are just selling the data to the insurance company, they may start using the loyalty
card program which will stop the ShopSense from collecting the information.

And also who is a CFO states that company is currently making more money out of
selling the data, instead of selling more meat. Where he makes an statement that this is
what the current scenario is also and the Denise Baldwin who is an HR, he said that if
IFA use the data will it identify individual customers as employees for particular
companies also. He from a human resource and privacy standpoint, he also requested how
IFA will use the data. And finally, with the shop management Donna Greer states that
should we be charging more for the data which is they are sharing with the IFA because
selling the information may dilute the customer relationship, what ShopSense has and
also insurance premium can get priced more accurately depends on the data what they
have with, what these ShopSense are collected with. And this is the discussion which has
been going on and also ShopSense has however, shared 10 years worth of data to IFA for
the specific state of Michigan and this is about the article and as I mentioned that there
were 4 expert opinion on it.

So, let us go on to move in. Thank you Manu. So, sorry let us go back. So, we have seen
that this is a proposed deal. The ShopSense is a, is a supermarket retail chain which has
been collecting a lot of data, has made a lot of investments into developing its analytical
ability and in the past it has been using it to, to personalize the marketing campaign or the

347
coupons or the discounts that they offer.

And they have also been sharing some of the scanner information without the knowledge
of the customers and that is what the CFO refers to, that they have been getting more
revenue from it. And similarly on the IFA side, it is an insurance company which is
looking for more data to try and do the risk analysis of the customers or potential
customers who take the insurance products. So that they are able to price and arrive at a
premium more accurately. So, now let us look at the situation, look at this deal from both
companies perspective. From ShopSense perspective which, which as I mentioned is a
supermarket retail chain.

It has this excellent database of customers. It has made a lot of investments. It can
monetize it by selling it to different companies. Should it go ahead with this deal? What
is the, what is your opinion? It is the revenue generating model for them, but without
customer knowledge they should not, otherwise you know, they can land in obviously
legal and obviously ethical problems. Ethical issues and legal issues will be there.

Ok, any other point to add to that? So, if we look at look at it from the ShopSense
perspective, of course you know the pros, some of which also have been mentioned. It is,
it is an absolutely legal deal in all the states where the company is operating. It can lead
to 1 billion dollar of additional annual profit because there is no cost involved in getting
this. They basically share the data and they get 1 billion dollar additional revenue and
profit. And the data which they share could also be used by the insurance company to
develop some of the wellness programs by personalizing the offerings that the insurance
may have.

So, that is also approved. It is the company management is considering as well, but on
the con side as you mentioned that there could be customer relationships which are
harmed. All of this is being done without the knowledge of the customers and they may
even opt out of the loyalty program. So that basically stops the inflow of data and inhibits
its own ability to customize the products. So, the expert opinion also has been that it is a
high risk, probably a short sighted approach which the company seems to be taking.

It is not keeping customers at the core of the decision making, customer may lose trust.
So, transparency is very important and also that the company in this case would lose
control of how the data is being used. So, one suggestion also is that they can have a
combined program along with transparency and then this may be taken forward. Yeah, so
this is difficult to understand. You say there is no legal problem, right in sharing the data,
but then you are saying there is a customer trust problem or customer relationship problem.

348
 So how is that possible? If legally they are safe or it is legal to share customer data in
the United States by law and if they are complying, you know legally they are safe. Then
why should there be a problem with the customers because they are not doing anything
illegal. The deal would be legal. There is no law which would stop them from doing this,
but they are thinking of doing this without informing the customers or from a customer
standpoint, once they share the data, there is an inherent trust that the data would be used
only for the purposes of how the company is providing various discounts or different
schemes. Now if it is being shared with an external customer, especially with an insurance
company where the customer may be buying the product from and that is being done
without the knowledge of the customer.

So it becomes more of an ethical issue though it is legal, but it is more of a breaking trust
which may lead to bad publicity for the company and the customer, the trust which is the
basis of in this industry would get lost. Again legally your data, I doubt because you are
just looking at the two parties. The first party and the second party, but obviously the third
party itself that is, you know customers, they are the third party and how can they be
neglected because data actually belongs to them. Yes. So legally also it can be challenged
always.

Yes. So from a legal perspective why we say that they stand good in the sense, even
though it is a ShopSense supermarket before, while the customers enrolled to a loyalty
program, there is always an acknowledgement which is given by the customer. So, whether
they, where the privacy point is started, where they were given, a consent is that, every

349
loyalty program collects the data and they give a consent that this is used for an analytic
purposes. So, they do understand and they give an acknowledgement there while enrolling
to an loyalty program, for which they get an additional discount. This gives a ShopSense
an legal perspective of sharing the data with the legal entities whom, it is not ShopSense
is sharing the data with everyone. They have a contractual agreement with IFA where the
specific datas related to the financials, what IFA required is alone shared.

So this from a legal perspective. Where we point out the con, that customer relationship
may be harmed is that, when we share this with an insurance company, when for example,
if the customer is specifically buying health related issue. For example, if he is buying
products, if he have cholesterol and if you buy more meat products, this receipts data may
affect the premium of it. When the customer comes to know that there is a high in
premium, he may enquire IFA and he may try comes to know that the purchase if, what I
have made with the supermarket may affect the premium. So this may give him, even
though he will is to pay the life insurance premium, but it may gives a harm to perspective
that the purchase if what he has made may affect the premium, with even though you are
given a consent for analytics which has been done, but the increase in premium
economically affect him which gives a hard relationship, so that he may choose not to go
for this company or go for another shop.

So that is a con we come up. So is there like the deal is legal in United States or something
when we walk into any kind of supermarket or store like that, there is no agreement or
anything we sign, the mode of payment is our own choice, whether we pay in cash or card
or loyalty card or whichever way that is. So firstly is there something, some legally
binding thing existing and how does it come into effect because nobody knows what is
your mode of payment, Google pay or online payment. That is the first question. The
second question would be as I make out ShopSense would be some kind of a super mart
or a supermarket kind of a store. So what is the customer segment they would be targeting?
And how far would they be and how much would they be concerned about the privacy
aspects because all these shops and supermarkets, they are running on the cost leadership
kind of concept, daily low prices, discounts, coupons.

As in US the coupon system is quite prevalent. So would that have a more overbearing
effect on this overall privacy thing? Or would privacy assume a more superior position
vis-a-vis those discounts and the cost leadership aspect. As to your first question on how
they are getting the data, right from. The question is, is it legally binding, are we, as a
customer when we go into any retail shop for that matter here also, you sign some
agreement. When we take up a loyalty program, that signing up for the loyalty program
comes with certain terms and conditions which clearly states that everything is ok.

350
 Which would state that is what my point is, there is no legally binding thing with, I am
asking is there over and above, other than loyalty program, as you go into any kind of mart
or anywhere, in this case also, is there anything like, top from the government side or
something, is there anything that is legally binding? So the terms and conditions will be
legally binding themselves. So before I share from the company side, so there is nothing
overall. US has state wise regulations. So the states in which, for example California has
stricter privacy law where it would restrict from sharing with anyone. But some of the
other states, like where it is operating, it's data space, there the, laws governing
supermarket, stores, retail stores, all organisations whoever is collecting personal data has
to abide by certain laws.

So that is governed by the state laws. Also at the time of writing the case you can read that
none of the states that IFA did business in, had laws prohibiting the sort of data exchange
ShopSense and the insurer were proposing. So if you read the case carefully it says there
is no legal issue in the sharing of data or data trade in the United States. It is very specific.
It is very clear they will not face, should not be facing any issue but, so what you are
highlighting is what is legal need not be ethical.

That is what you are saying. Yes, you could be legal but you may not be ethical, okay.
So the consequence of data sharing is what you are highlighting. So data sharing is legal
but when data is shared with an insurance company because my individual data is with
the insurance company, not with ShopSense and insurance company can charge me more
premium, if I consume certain food items which they are actually monitoring, what you
are eating. So your insurance premium depends on what you are eating and drinking which
is monitored by a insurance company through a grocery retail.

That is a ethical problem. This is a new model they are trying. The case also refers to
another insurance company in the automobile sector, The Progressive. Progressive already
has it. So when i was in the US long back, Progressive used to advertise, if you drive safe,
you get money back.

That is the advertisement. The model is different. You drive safe and get money back.
So everyone pays the same premium and what Progressive does is, in your car they will
put a data logger, a sensor which constantly monitors how well you drive, in terms of how
much you accelerate and what is your speed over a period of time and from that data they
can make out whether you are a safe driver or a rash driver. If you are a safe driver, your
premium is low because your risk is less. So basically money back means they charge less
premium for safe driving and they charge higher for rash driving.

So it is about differentiated premium or what you call personalised insurance. This is

351
personalised insurance. With individual data you are able to actually offer a product for
everyone individually. That is the idea that Laura is pursuing here, create personalised
insurance products. It came to my mind that this Googlepay and phonepay and paytm
which we are doing Sir, they do not charge us anything.

So how are they basically making the, what about the data what we are buying, are they
sharing this? See if you do not pay, data is what they actually use. Absolutely, so what
this case highlights is how they make money through data which we do not know as
customers. We do not know. This case brings or throws light on this particular issue of
data trade and how it can affect [Link] can be so many different contexts where
our data is shared and we may be paying for it or we may be adversely affected sometimes
which we do not know.

So from a Shop Sense perspective, we are seeing that because it is in a retail segment,
the business runs on customer relationships. So, if that gets harmed, there may be a big
risk to the company. But what about from insurance perspective, from IFA perspective?
Insurance companies are known to try and collect data from various sources to do the risk
assessment. Do you think from their perspective it is a good deal? What is your view?
From their perspective, it is a very good deal actually.

That kind of data is so valuable. Sir also brought out that just by virtue of your habits or
what are you buying and that data itself can be used to determine your premium and what
kind of insurance policy or risk factor the company can determine very quickly and they
can also determine what is required in the market, what should be trending, what are the
new products. Lot of things will depend on it. Definitely it is beneficial for them.
Obviously they will be too happy to get this data because actually it is very very valuable
to them and they can customize the products also whatever they are offering, products
and services.

Okay. Any other view? So the points that you mentioned are absolutely valid that these
data points could provide very valuable insights for each customer and they would be able
to personalize the premium calculations. As we discussed, the deal is legal and the public
also understands that an insurance company has to do some kind of analysis to arrive at
the premium and it could, some management personnel also mentioned that there could
be a positive spin to it that further wellness programs or discounts or like Sir mentioned
based on the driving data how certain discounts are given, that can be done by the insurance
company. But at the same time there are some cons also to consider, that accuracy of data
may not be very high. Especially when a person goes to a supermarket, person may be
buying for other people also or for example a father in the family would be buying for
children as well, may not be consuming himself but does that mean that if the person is

352
buying a lot of let's say sweet or carbohydrates based products should the premium for
the person go up? That Is a question to ask. The other factor could be that there could be
a battered customer syndrome.

That is once you are able to profile different customers there would be top 10-15% where
the company would focus and automatically that means that the remaining 85 or 90%,
they are not being given the same kind of service and then it becomes a question how long
they would stick with the company. In that also, you know we can have a model like
bundleization of services for a family like insurance for the family. Yeah, obviously
insurance for the individuals can be there but for a family also in case, you know you said
that errors might be there. Yeah, that's a good point. So the expert opinion on the point is
also that it could be a good deal for the customer but there are certain points to take into
consideration.

One is, of course if as much as possible the transparency with the customer should be
there. It should be drafted as a win-win product for the customer whose data is being taken
because even for an insurance company, the customer might think that if this insurance
company is trying to get my data from different sources and I am not even aware of it. I
would be a little inhibited in going and taking more products from them. So there could
be risk of their public backlash and one point that has been highlighted by the experts of
both of these companies is that management is trying to think of what will be disclosed
to the, to the customer and this take decisions based on that. So that is also a point which
needs to be changed, more ethical behaviour needs to be inculcated across the organization
and irrespective of the industry, that could have a major bearing on how decisions are

353
made going forward as well.

I have a point here, from justifying this deal, you know of course, IFA is going to pay
ShopSense to get data. So this has to be justified, economically justified. So one
homework that Laura and, Laura has done along with the analytics team in ShopSense is
that they ran a pilot program. So they, before formalizing the deal they tested whether this
is something that is going to work and the pilot program was successful. Isn't it? For
example, they found a correlation between consumption or purchase.

We do not know consumption. Purchase of certain products like the trans fat products,
food products with trans fats and insurance claims, there is a correlation. So that is already
established from data. So there may be, as you said, there may be issues in terms of not
buying for myself but somebody else. So there will be outliers in the data or data can have
noise but these patterns nevertheless exist in the data, despite the noise.

So there is evidence. This proposal is evidence based. It is not just hypothetical. So that
is one strong argument they can have. We have already demonstrated that this is useful.
That is one argument in favor of the deal. The other, I think from IFA's perspective is the
potential for building a competitive strategy.

I think that is a very important point in the case that we are also discussing data for
business strategy. See this is something that can differentiate their business. They are
offering products which competitors are not able to because of data. Personalized
insurance is a new product, personalized health insurance is a new product in the market,
which they are, they will be able to roll out in the market first time.

So it gives them a competitive advantage. I think it is coming up subtle, in a subtle way

in the case discussion. But it is a, it is a, it is also a competitive strategy with a data partner.
Here is a new product which competitors do not have. So data is also for strategy, that is
a point I wanted to add.

ShopSense is ready to sell the data which is available. If IFA did not buy it, if it may be
anyone competitors can buy it. Because ShopSense is ready to make a economical profit
out of the data which they readily have. So if IFA is not able to purchase, any competitors
would have. In fact the CEO of IFA mentions that point also, that if they get an exclusive
right to this data set, it will be a hurdle which will be difficult for all the competitors to
get over.

So that is an important consideration from the IFA perspective as well. Thank you.

354
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 13
Lecture: 39

So, if we look at how the perception of different industries is from a privacy perspective
and this is a survey done by McKinsey in 2019. You see that healthcare and financial
services. So where IFA in the financial services sector tend to have a better image of how
they handle the data compared to all the other sector. Especially if you look at the
consumer package goods and automotive, public sector government. They have as low as
10 percent respondents saying that they have confidence on the retailer which is handling
the data. So if, so that is where the trust with the customer becomes even more important.

If a retail company is able to establish that trust with the customer that the data will be
handled responsibly that can become a competitive advantage from a strategy perspective
for the retail company as well. So some pointers on how ethics can be brought into the
decision making from management perspective. GDPR is one set of law which talks in
detail about this and places high standards and same is being copied or sort of
implemented in different countries as well. So the three pointers that may help us in
making decisions on how we handle data in an organization.

355
 would be that the purpose limitation should be there, that the personal data may be
processed only for the purpose for which it is collected and the purpose is disclosed to the
customer. There is transparency and the customers can be given a say on whether they
want to, want their data to be shared with an external partner or not. And the last point is
the data minimization that especially in this age of big data, only what is necessary for
the requirement, could be for personalizing the marketing programs or offering coupons
or discounts. Only relevant data is collected and it is stored in such a way that it can be,
also in future if an option is to be given for the customer to delete this data it is possible
for the organization to have one place from where it can be deleted. So with these
principles we can ensure that from an organization perspective we take a responsible
approach to managing customer data and also thereby build trust with them.

Actually we just discussed about this transparency requirement, that is you mentioned
about this disclosure but I don't think it is a full and you know, transparent 100% transfer
disclosure. It is more of a selective disclosure which is suiting the organization. They you
know, they are just carrying out the selective disclosure. And yes, that is a practice that
we have seen with a lot of organizations and I think that is what plays into the survey that
we just saw. People have low confidence on companies because they are selectively
disclosing what they are using it for or how they are using the data and how they are
sharing.

If you know, there can be more strictness around it, I think the confidence level will also
go up. Any other points or comments? Also in case of purpose limitation, the customers
do not have any control over how the data will be processed or where will it be used. So
that is also one point to consider. Yeah, absolutely. So right now, probably when we sign
up for a loyalty program, we may either assume that it is being used for a specific purpose
or we may not fully understand how all the data is being shared.

So if an organization were to disclose that to me, that would increase my trust as a user
as well. So that is where this point becomes even more important. The case also refers to
Amazon indirectly, did you notice that? In loyalty programs, In the past they had to. It
just refers to it as, a company but actually the company that is referred is Amazon, wherein
Amazon charges customers differently or their prices are differentiated among customers.
For the same product, the price that is offered to you and me can be different.

[Link], the products which, so in our country Amazon is more a marketplace.

Who pays more? They actually charge loyal customers more. Loyal customers typically
may be paying more than new customers and that is why they were sued in the court.
Loyalty program. If you are a loyal customer, perhaps Amazon knows that you are locked
in.

356
 You would come back again. So they can actually charge more. Very opportunistic. So
you can see that in the, because you are not going to leave.

No. It is at some point in time they did that and they were sued in the court. So what is
important, note here is that how companies can be opportunistic in actually making you
loyal and then sign in for loyalty program and track you for some time and then see that
you always come back. That is an opportunity to charge you more. They have all the data
about you. I think Bezos says we do not throw away any data.

That is a classic statement. So the data trade can be very good or profitable for the
organizations but it can hurt individuals directly and indirectly. So this case highlights
how one can end up paying more premium or one can pay more prices for the same
product, if your data is shared. So the customer can be a victim and customer can actually
agree for data sharing without knowing the consequences and perhaps that is why GDPR
or regulation like this has come where all these agreements or legal, law is protecting the
data trade but not the customers. So that is why new law or new regulation is coming in
this form and that is very, you have highlighted it very correctly.

So for example limiting the purpose of data. So you collect the data for some purpose, it
should be used only for that purpose, not for determining the insurance premiums but for
giving me products and services more effectively. I have one more point here. From a
strategy point of view. Because in the next class we are going to discuss privacy as a
strategy and this case is also moving towards that, from the economics to the strategy.

357
 So for a company like IFA, so ability to offer new product based on analytics can be a
differentiation strategy. That is what you see here. But are there any flaws or any
challenges the company may face in this new strategy as they go? Or is it a good idea to
develop a business strategy based on analytics using customer's data? What could be
potential future challenges? Future challenges, one I can think of is new regulations and
laws just like GDPR, it affected many marketing agencies. So if there are any new
regulations that might come, the companies might face challenges. Some of the challenges
like the government, surveillance agencies, authorities and all, they can affect, especially
we will be seeing in the next case, actually that Snowden case, you know how that
revelation affected the entire industry, not only in USA but in other countries also.

There is also an issue with dependence. This is a strategy based on a certain resource.
You must have studied Resource Based View in business strategy as a lesson. So here the
strategy is based on a resource. A resource is the data.

But how much control they have on the data? You know valuable, rare and inimitable
resources we say. So data is a valuable resource. Data is a rare resource. They are building
a strategy.

But data is not there. Is the data always in their control? IFA's control? Data is not their
own. Data is bought from somebody else. They are dependent on another entity for data.
And in future, if ShopSense finds that IFA is having a very successful business strategy
based on their data. You can always charge more.

Dependence. This is called dependence and opportunism in business. Every company

can become opportunistic. So opportunism can actually set in here because they are going
with a strategy, a new strategy to differentiate, to bring out a differentiated product in the
market. So competitors do not have and ShopSense has. That is the case of the VRA, the
resource based view of competitive strategy.

But the resource is not in their control. Where an Amazon could actually build strategy
based recommender systems based on data and differentiate themselves is because they
have the historical data, complete control on a resource which is very rare and valuable
and inimitable because somebody else do not have the historical data, they have it. That
aspect is also questionable. Tomorrow ShopSense says IFA is not willing to pay enough
or there is somebody else in the market who will pay more, they may actually sell the data
to that insurance company or to the competitor of IFA. So in terms of sustaining the
strategy they are dependent on a third party or a data vendor.

358
 So that makes it a difficult proposition or the future challenges would exist in this case
because the resource is not owned by them. They do not possess a resource. They have to
actually buy it from outside. Sir, actually financial institutions already have your spend
analysis. For example, what kind of products you buy, they have.

So if they develop the insurance products, then they can become more successful than
this because they own the resources. Banks giving out insurance products. Yeah, that is
true but are you looking at this particular thing? No, I am just telling it generally. Yeah,
those who have access to data, as far as this case is concerned. Sir, you actually mentioned
about this RBV, Resource Based View and data is a resource and it has got all that vital
characteristics but again that is not owned you said.

But again what I actually had to carry, the other view that is KBV, Knowledge Based
View versus the RBV. So in knowledge based view also, this data that is not owned but
again that is upgraded to knowledge and knowledge is maybe owned by the company. So
that can also be a good business model. Yeah, absolutely but in this case if you have to
continue this, in your actual knowledge is used from the insights from the other side. But
for that the raw material is the data for which the dependence is used.

But the broader question is, in the first slide you highlighted, see it is customer's data that
is exchanged and customer is the affected party but customer is not in the scene. So that
is an ethical problem. It is my data but two parties are actually selling me, you and me,
the two of you are standing there and selling me and making money out of it or creating
strategy out of it but I am not involved. That is an ethical problem. And if, so of course
GDPR, you are highlighting all that, but if these companies have to address, recognize it
as a problem and address the problem, what is a better solution that tomorrow if customers
come to know about it and you have, at the time of writing this case the social media is
not so prevalent but this can actually become public and it can affect the image of, say
ShopSense because ShopSense shared the data.

So what is a method or way in which both the companies can get what they want?
ShopSense gets money, IFA brings out new products or build new strategy and customer
is also not affected. So can we have some sort of solution where all these are taken into
consideration? Let us say, there could be an option given to the customers as in what
product or benefits that will come, if they share the data and then they are given an option
to opt for that program or not. So if they opt for sharing their data, then both the companies
can work out a program such that based on the pattern of purchase, insurance, either they
get a lower premium or they get discounts on that. So by highlighting the benefits, they
can be given an option to go for it or not. Just to add Sir actually, what you just mentioned
actually, in case you compare with that example once you go for the car insurance, annual

359
insurance you know, the first party insurance is not mandatory, the second party insurance
is also not mandatory but the third party insurance is mandatory.

But here in this case, this data it is actually opposite, the third party is actually the affected
party and their concerns are not being highlighted. So what you suggested is take the
consent of customer again, to opt in for the and draft it as a program. For what? For the
product? For the joint product between the retail company and the insurance. So what
you are proposing is let not IFA offer the product but let it be a joint product. So where it
is clear that both the companies are jointly offering a product, wherein it is fine.

Then it becomes sort of you know, it is a joint product, so you can actually expect that
they will share resources or they will, yeah. But then that requires both the companies to
agree on this. So that is actually a major decision. So the ShopSense, since it is a loyalty
program, as I mentioned they are the loyal customers, it is their responsibility also to make
sure that they are avail, they should also inform that there is an IFA insurance company
where the data has been shared with and they should give a positive approach also. Even
though it is economical, they can give a positive approach that you may be getting better
benefits from the insurance company through this data sharing.

And they make sure that ShopSense inform the customers that they are aware that data
has been shared. So then you are suggesting, so there are two things here, one is to inform
the customers that their data would be shared with an insurance company. But if consent
is taken, how many will give consent? Consent in the sense, during the loyalty program.
Taking consent is also difficult. People actually do not have time to give consent to all.

It is not working anyway. Yes, from the loyalty program initially they get a consent for
collecting the data. But they should be informed that, they should be getting notified
whether this data has been shared. Some, out of 100 people, not everyone wishes to opt
out. Maybe 10 persons who are not willing to share the data that has been shared with the
insurance company may opt out. So they should be notified that there has been a data
sharing and whether it is a profit or benefit from the customer side, they will be notified
and they should be given an option to opt out if they are not willing to do.

Yes, the challenge with that proposal is companies are already doing it. They have taken
consent for data sharing, there is no legal issue. And giving notice is difficult because if
notice is made mandatory, we are already seeing that so many notices come and we do
not pay attention. Especially from a grocer or any such retail company, notices come, we
do not pay attention. So actually the deals must be happening and although we are given
notice since we do not pay attention, there is a problem of attention.

360
 This again actually is not effective. Legally right, but ethical issues continue because of
these issues. So that is where probably the proposal of a joint product, saying that it is not
IFA product, but it is an IFA ShopSense insurance product, is a clear communication. It
is one entity as far as this product is concerned. So then you do not question data sharing
there. Maybe a better, smarter solution if it works out between them.

So otherwise the issue of ethics continues, legally right, ethically wrong. Okay, any other
thoughts?

361
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 14
Lecture: 40

Good morning and welcome back. Today is our last day and we had a long journey
through Cyber Security and Privacy. We looked at fundamental concepts related to Cyber
Security and Privacy, starting from the CIA triangle and what are management frameworks
and standards available for cyber security management and also cyber security governance
and we looked at some of the recent examples of managing cyber security and data
protection, we found could also be a problem of governance or corporate governance. So
since the extent of use, storage and processing of data is growing in the digital universe,
it is all the more important to have systems to manage this dynamic complex challenge
that organization face. So cyber security is not a static topic, the challenges are ever
increasing and that is critical to run business. So these are some of the basic things we
understood and as we move to privacy, we looked at privacy at different levels, privacy at
an individual level, individuals concern for privacy and we also looked at it, not as a
concern but also from an economic perspective.

What is the value of privacy for individuals and we found that valuation is difficult
because it is context specific and people behave differently in different context. We

362
advocate privacy sometimes but we are not willing to pay much for it. So we seem to be
having a very contradictory or paradoxical behavior with regard to privacy and that makes
it difficult to assess privacy value in economic terms or quantify it. So we saw that there
are concepts from behavioural economics that can be used to analyze individuals' privacy
behaviour.

For example, if you are used to privacy, if you enjoy certain amount of privacy and then
if there is a proposal to remove that privacy, then you have a higher degree of pain, loss
aversion and also we saw the concept of endowment effect, the difficulty to part with
privacy because somebody is asking we will stop giving you this privacy but you have
to pay for it but you will be rewarded. So you see that you ask for a higher reward to part
with privacy. So we also saw behaviour and economics are related and it is also linked to
emotion. It is not just a rational behaviour because the pain and gain are not just rational
but it is emotional also. We can be very irrational when we ask for money, when we are
in pain.

So those are the aspects we saw with respect to economic behaviour, with respect to
privacy at individual level. We also looked at how trading of data is common at aggregate
level, you know how organizations actually value or not value privacy but try to do free
trade of private data for strategic benefits, for profiling and for positioning of products,
data pertaining to individuals. So private data is very valuable but at the same time we
also saw the ethical challenges there when private data is traded but the individuals to
which the data belong are not actually in the negotiation or in the picture and therefore
that raises different set of challenges. So that we see the topic of privacy is pervasive. It
cuts across individuals and organizations, it has personal concerns, it has economic and
strategic value and today as we conclude we see a case that is like a capstone, it actually
summarizes the entire concept of privacy and security and it is also linked to safety,
privacy versus safety is the topic that we see.

So we see many complex ideas or concepts there, as to organizations, business models

which are related to privacy and government as an entity which thinks that they must have
full control on privacy and no laws should actually prevent them from access to data or
intercepting data and so on and so we see major incidents in the decade that you live in
when there was espionage charges when the kind of data that government collected and it
became public. So government as an entity which is the big brother, that image of the big
brother is something that we can actually see because no laws applies to government. They
can do anything to get data, aggregate it, analyze it and profile individuals. So we see it is
a complex phenomenon and the elements of this, that is what we are going to see in today's
two cases. So I am sure you are ready with the cases, there is lot of background information
and it pertains basically to Apple which, a company which has risen to the top in terms of

363
market valuation and market capitalization.

You see the company has grown phenomenally during these days and you see, we also
get to analyze what is the company's business strategy and what drives certain positions
that a company takes etc. So we look like the company is all out to protect your privacy
like God or like what government should be doing, the company seems to be doing but the
government seems to be taking the opposite view, you know privacy is not very important.
So very interesting arguments and our role is to analyze as to why certain positions are
being taken. So good, so I leave it to you. So my role is over.

So I invite the team to come, present the case and lead the discussion, case A and case B.
Thank you. Good morning everyone, today our group number 4 comprising of myself
Colonel Jagvir, Prasad Deshmukh and Sanjay, we are going to present the case study
Apple - Privacy versus Safety, part A and then its sequential part B. So we all know about
Apple. It is the largest multinational company of America with the headquarter located in
California.

It was founded on 1st of April 1976 by three person Steve Jobs, Steve Wozniak and
Ronald Wayne. And then Apple they offer various kind of products right from iPad,
iPhone, Apple watches, ear pods and many cloud based services. So this case is actually
all about, on one side we have right to privacy and we know that is a fundamental right,
although that is not absolute right and on the other side we know all the surveillance
government agencies and they look for SS basically on the name of national security and
they look for front door entry and back door entry and we also know and we have studied
that is the privacy paradox, we also look for privacy and on the other side we also want
to share our information on the social media post and all. Then we have also studied the
prospect theory and the endowment effect and the willingness to pay and the willingness
to accept, that is all part of our individual behaviour characteristics. So as we can see
actually this man is the Tim Cook, the CEO of Apple and on 9th of September 2015 he is
addressing the media, that is public and Apple they have actually launched a newmodel
iPhone 6S which is a upgraded version of iPhone 6 and it is having the enhanced security
features the default encryption system and on the top we can see the statement by the CEO
Tim Cook and that reflect the concern that, that is having about the fundamental right to
privacy for the customers and the users and the down below actually we have got a
statement by Cyrus who is a district attorney, the law enforcement agency and again he
shows the concern about, you know the national security and bringing justice to the victim
and their families and the concern for all these national security agencies and all.

So that is there. So again the question arises actually, why this debate? What was the
reason for this and why was the reason for upgrading this default encryption system in

364
the new model? So the reason was actually we can see on the right side this man, he is
contractor Edward Snowden. He was one of the contractor in National Security Agency,
NSA and on actually on 5th June 2013, he revealed and leaked in the media about one of
the clandestine US surveillance program by the name of PRISM. So he revealed in the
media how this NSA, they were collecting all types of information data about the customer,
about the users from the companies whether they were emails or the chats or other social
media posts and the phone tapping. So obviously it led to all the customers, users and the
company they were in a mood of, you know shocked, really shocked and at the same time
many foreign leaders, they were outraged that how their phones were being tapped without
their knowledge and their email, chats and official as well as personal data.

But again on the other side all these government agencies, they defended and justified
this surveillance program. They said it is basically a key weapon in a fight against crime
and that has to be done. So again on the down below we can see this man, director of FBI,
Federal Bureau of Investigation, James Comey. So he gave a statement. He said basically
all these companies, the internet companies and the telecom companies, they take it as a
business strategic advantage to protect their users and the customers on the, for their
privacy and security.

So that is there. But again he said that when these encryption models are there, it is
equivalent of a closet that can not be opened or safe that can not be cracked and he says
at what cost. So here we can discuss actually a hypothetical situation. Suppose there is a
victim of a crime, say murder and that victim dies and the government agency, they knows
they can crack the case and all the proof and evidence there lies in the emails or in the
mobile but again that can not be opened because it is encrypted. So how to give justice to

365
their family? So that is actually just one of a very general hypothetical situation.

So coming on to this case that is Operating System 9, the new version, model that was
launched, it had actually two factor authentication. The upgraded encryption feature and
the length of passcode. That was also increased from the earlier four digit to six digits.
Again all these surveillance agencies they were obviously not happy. They were very very
displeased because they are making it more difficult to crack and open the system that
was there and they are concerned about the national security.

Now as a CEO, actually Tim Cook, he had three issues that we can see here. Firstly both
the agency, that is the customers, users they had a right to privacy and on the other side
all these law enforcement agencies they look for, you know the national security and
cracking the cases. So how to find a balance midway so that both the requirements can be
justified and both the requirement can be met because both are actually right. And
secondly, the second issue was basically in case they give limited access to the US
authorities. So obviously similar requests are going to come from other governments.

So how to handle that and especially the request from the notorious governments having
records of the human rights violations, that is the second issue. And thirdly, in case the
Apple, they works with the law enforcement agency, they cooperate with them, then
would that mean that the company is going to lose the customer trust and faith and that
may result in the, you know decline or market share falling down. So just to ponder about
it, think about it. Anyone having any comments or views about it? See one thing regarding
the second issue which you have pointed. So if Apple, I mean obviously if Apple provides

366
the access to one country, let us not say US, one country and then does not give the same
access to other countries then means Apple is now deciding which country is a good
country.

So a company is now deciding, is playing moral judge here. So that will not be acceptable.
Yeah, basically because they are having business globally all over, all the countries, so
obviously they cannot discriminate and then they will have to agree the comply with the
demands of the other countries also. For that issue I would say that they would have to
have only one policy for all countries. What about the third issue? But I think although
Tim Cook is highlighting Apple's privacy policy and showing himself as an evangelist,
as a great ideal that the company is trying to protect.

It looks like an ideological statement. But didn't the same company let Chinese
government do audit on its data center which concerned with the data of Chinese
individuals? So it had a, when Chinese government wanted access to the data apparently
they have given access to it. So how can they say in the US, we will not allow backdoor
because they have already done it in China. What do you think about it? Yes Sir, you have
rightly in fact pointed out they cannot have different, you know policies for themselves
and for the others, rightly brought out. So we will be going all three actually these issues
as we progress the case.

So what happened actually this Edward Snowden, he was one of the contractor in NSA
and on 5th of June 2013, he revealed all the government, revealed all the files and the
secret files and how this government, NSA they were carrying out this, you know data
collection on the name of national security and this program PRISM that was there. So
NSA was collecting all sort of data records whether that was phone calls or data
transmission not only within USA but also USA and other countries and all the telecom
providers such as AT&T and Verizon and all and they also, you know compelled internet
companies, in fact nine companies to share the data legally that was there. Then after that
actually Yahoo and many other companies they went to court and they challenged NSA
and the government agencies and not only NSA, in fact they had a joint operation with
UK also by the name of MUSCULAR and they were sharing and carrying out a joint
operation and we can see that all sorts of data was collected and then what happened
actually there was mixed reaction from the public and from other agencies. Snowden, he
was you know hailed as a hero by some fighting for their right to privacy and some called
him and labeled him as a traitor also.

So that was there. Again the US government, they filed criminal charges against Snowden
for the theft of the government property, the secret files and sharing them and also he was
booked under the Espionage Act. That was there, that is spying against the government.

367
And then this guy Snowden, he actually tried with many countries and finally he was
successful and none other than Russia. They provided him temporary asylum and actually
today latest he has got actually the permanent residency from Russia as of now, that is
there. So what happened after this Snowden effect, obviously the industry and the
response.

They were all affected. The Cisco, they you know, they witnessed a lot of, you know
drop in their customers in the sale in China, the Qualcomm and the HP, their sales declined
and the Chinese media and the government, they actually accused Apple of sharing all
their secret data with the US agencies, that was there. Brazil, they carried out some kind
of localization of data that we studied in the class. So they shifted from Microsoft Outlook
to a domestic company for their email and similar things. And again the American cloud
company, cloud based company, they suffered a lot of losses because most of the other
companies, they shifted from that. And then we are actually surprised that some of the
non-US companies, they exploited the situation and it was a, you know business
opportunity for them, as they offered to its customer the NSA resistant services and they
also claimed that they will not be sharing data with other companies or the government.

Some of the survey results. Some of the surveys which were carried out in 2015 that
reflects and shows that majority of the Americans, they were actually not confident about
the security, about regarding their communication or landline or cell phones or the emails,
that was there. And 25 percent of the respondents, they said that after this incident they
had changed their technology, either mobiles or the other services and all. Then 74 percent
believed that obviously they give more priority to their privacy and freedom in exchange
for the national safety. And only the 55 percent of the users, they were actually happy lot.
They were still satisfied with the security features and the safety features of their mobiles
and emails and other things.

And again as we have already, you know discussed in the class also, the prospect theory
and the endowment effect and willingness to pay and willingness to accept. So you know,
we were actually, some of the people, they were too willingly to disclose all their data for
the financial rewards or better improved services but they were still concerned how the
government and that companies, they can exploit their data. And again there was, you
know many differences between the behaviour pattern in Asian countries versus some of
the European countries or even Canada. The Asian countries, they were too willing to
trade their data for the improved services or the financial rewards whereas the German
and Canadian, they were not that willing. So these are some of the graphical representation
of the survey.

So we can see that basically, here we can see the dark shade that pertains to slightly or

368
not private and the latter is moderately or very private. So here is USA then European,
China, India and Brazil and on this we can see various aspect financial, children health,
call history, location, web visits, purchases, social network, name, age or sex and brand
preferences. So under financial we can see basically, you know very very less percentage,
they consider slightly or not private, where majority of them in USA, they consider it as
moderately or very private. But similarly in case we compare it with India then the
percentage of people, you know which are considered as slightly or not private is more as
compared to USA. Similarly in case we see, you know the age or sex, like this age or sex
in USA majority of them, you know they consider it slightly or not private whereas in
India or the other country it varies.

Similarly the case of the web visits, there is a different kind of pattern among USA,
China, India and Brazil, that is there. The other kind of survey that was basically how
much do you care that only you and whosoever you authorize, should have access to this
kind of information. Again we see the pictorial graphical representation. It basically have
three classes.

That is very important. The darker shade and the middle one is somewhat important and
the lighter is not too important. So in case of content of your email, basically the 68%,
they think that it is very important whereas only 13%, they think it is somewhat important
and 15% are, they think that it is not too important. Whereas once we come to, like this
place you are located when you use internet, then only 54% are there which considered it
a very important aspect and 16% are there, they think that it is somewhat lesser important
and 26%, they think that is not too important, that is there. Again in case we comes to
this, like something called a times of day, in the down times of day you are online, then
only 33% are there, which they think it is very important, it should only be visible to
yourself or whosoever is having that authorization to see and not to others, whereas 45%
think that it is not that important. So what happened actually is still 50% of the respondent,
they actually claimed they have been a victim of data breach at some point of time in their
life.

But it was again surprising that most of the, you know respondent they think that it is
only the responsibility of the government or the companies to basically ensure the safety
and security of their data, that was there. And surprisingly 62% were still who never
change, who did not change their password that regularly and 39% were there who did not
use a password at all to protect their mobile devices. That was just some of the results of
the survey. And down below also we can see actually this, you know some of this.

We summarize all these things. So what happened after that in December 2013, the
senior executives of the many of the telecom companies and the internet companies, they

369
had a meeting with the then US President Barack Obama and they discussed with the
consequences of this NSA surveillance program. And after that actually all these internet
companies they started to invest more in their privacy controls and encryption models and
all. And then Google, they planned to encrypt the traffic exchange between their data
centers. IBM, they announced for building data center outside USA, shifting outside USA,
so that the US government cannot carry out this monitoring and surveillance. And then
Apple, they also planned to go out of USA, in Europe.

And many companies, you know they started sharing with the users, with the customer
how the government and when the government is asking for the data and when they are
sharing data, that disclosure and all. Now we will see the technical details about what
Apple as a company did for encryption. So we already know that recent this websites we
visit often are secured now. But in the previous days we just used HTTP, which was an
unsecured protocol. So which means that anyone who can intercept in between can snoop
through the data.

So after the encryption, we already know the symmetric encryption which is also not
very secure in the, not very secure. So next came the public and private encryption which
is basically, here we use two sets of keys to encrypt the data. We use a the public key to
lock the data and the data gets transferred. So which means that nobody in between can
decrypt the data and see it. So for decryption of data we use private key to decrypt which
will be in the possession of the recipient.

So Apple is the one of the few companies that initially developed both encrypted
hardware and software services. So as we can see beginning with iOS 3 and iPhone 3GS,
they have implemented full disk encryption, short form is FDE, from all the way back in
2009. But the problem with this early encryption tools were if hackers or some adversaries
or even government agencies can break, if they get physical access to the device. And
also what Apple did was the, before iOS 8 it was not default like the user has to intervene
and choose this option.

Also it was as we see, it was easily breakable. So from iOS 8 which was compatible with
iOS iPhone 4S or later, it was made default. So all the users can enjoy, even non techie
people can enjoy the privileges of full disk encryption, in case the data leaks. So after that
Apple made a very drastic change in regards to encryption. It made end to end encryption
in the form of 5 messages. It made Apple very popular due to its nature of the data not
being visible to, even to Apple or any other third party in between.

370
 So in this encryption scheme, what it does is the keys were generated and stored on both
is end user of devices which is the sender and the recipient. So even the Apple cannot
have the master key. So even if Apple, if Apple wants to decrypt it, it cannot do so by
technical means. So these are the things I just said and the master, like the internal
encryption what it does is, when the user creates pass code what it does is the pass code
is combined with a unique key. So it will be, so it will be made unique to each user and
each device.

So it would not be common, like Apple cannot have a master key which will unlock any
iPhone model. So the like, we can say this is as a not a problem, but this is a inherent
feature like the hacker could attempt to find a bug in the encryption algorithm, but the
encryption algorithms are already, you know very robust and very reliable and secure. So
what it essentially made is, it absolved Apple of its liability in the, like if government
agencies wanted Apple to, even if somehow government agencies force Apple to do, like
decrypt the device it cannot do so, because they do not have any means of decrypting the
device which was explained by Tim Cook. So these are the data's which Apple and iPhone
as, and operating system can see. As we can see, the iPhone can access email, calendars
or contacts from outside providers and it also sees, like health data and usage access which
will be health data and what the next category, we can see the categories of data which is,
which Apple can see, but it is made anonymous.

So it will be more private, so that people would not worry of searching sensitive or
personal things and the next thing we can see that similar to, like the revenue generating

371
streams like iTunes or Apple music which will increase the personalization and
recommendations which will generate their revenue. The last one, it is although, it is
technically Apple can read it, but it promises not to read which are, which are emails,
calendars, contacts, photos, bookmarks and passwords and backups and after Apple's
introduction of internal encryptions and default privacy protections, Google made the
decision of encrypting their Gmail services in 2010 and it is email service and in 2011
even it extended to Google searches and in 2013 it also extended to cloud storage and it
also made the introduction of FDE in Android 2 with the start of Android Lollipop, but
the problem with Google's implementation was, generally Android is, Android's consist
of various demography categories of devices which include low hard, low capability
hardware. So which made the penalty, like it impacted, the low performance, impacted
the devices with low performance hardware. So Google what it did, it added the encryption
feature in its operating system by default, but it gave the user a choice.

It did, it did not make it as a default, like default option. The users have to enable them
by their own choice. So in general even though encryption tools exist, and various methods
available, it is in, you know in general public, like very few people are aware of encryption
tools and they, even if they want to use them, it is generally, like reserved for techie
people, like who those who know how it works or what its limitations are. So it is not
user friendly as one would expect them to be and also as I said using this on low
commodity devices which will have a performance penalty. So it is generally avoided by
most people. So in the case of government looking for backdoors, we can see as already
discussed by Sir, many countries all around the world have reason with tech, big tech
companies to have some sort of back door access, to enable them to solve criminal

372
investigation or other terrorism, to prevent counter terrorism activities.

So in US they, what they wanted was they wanted a technology that was embedded in
the product itself which would enable them to get back door access anytime. So due to
that people were, you know people were very reluctant and very private about their data
but what government did, government argued was that they had previous laws which
already set a precedence which they argued that it was already existing why cannot be
amended, why cannot we have a back door instead which is a CALEA Act, it was enacted
in 1994. It is a communication assistance for law enforcement which basically granted
them powers to intercept or wire tap any communication between any people and also
recently it has been amended to such that it also includes the VOIP, voice over internet
protocol calls too. And UK, they are similar in stance, like the PM David Cameron said
that if we are using in extreme situations like in case of any terrorist attacks, we are already
using means to access or intercept communication. So why cannot we do that and also,
like what is the need for full privacy when there is lives involved.

So in China they made, they mandated back door access in 2015 to see, like combat
counter terrorism but then in contrast all these countries we can observe that EU block
countries have different stance of, on encryption or looking for back door access. In case,
in this case we, they have even promoted and supported the use of companies or firms and
they in even in their government services to, for to use encryption and to use encryption.
So government, there is, like these are the types of encryption and back door access like
the first, the first two columns you see that these are the types of encryption currently in
use. So, in one case we cannot, like we have an option of using no encryption at all but
the problem with that is, anyone can access the data, from bad guys like even we can
deliberately accidentally leak our own data's.

So, it is not protected by default. So it is, even if government agencies or any firms or
users can access we can see that all the three stakeholders can access the data. So, in the
case of end encryption we just saw, like if Apple encrypts with a single key, the issue is
that the other, the third parties other than the users are locked out of it. So only the user
have access to the data's which they possess. So it does not align with the views of the
government which they, which they argue that it protects the criminals. So, in case of
back door access what governments wanted was that they wanted encryption in the form
of two techniques.

373
 The first one is called key escrow. So what they are doing is that, they are essentially
creating a set of multiple keys. So, one key is held by them. So whenever they want access,
they can use that key to unlock or decrypt the data. But the problem with this usage is,
like you still have to secure that key somehow because if the key gets stolen or leaked,
the entire data, entire data that were encrypted by the key will be compromised. And in
this case we can see that since the Apple is providing the key to them like Apple is also
locked out and it is used by generally the hostile government agencies now defaultly user
has access to it.

And the second option was encryption using split keys or secret sharing. In this case we
are, what you are doing is essentially creating a lock which has multiple keys, multiple
keys, but the issue is that we have to use both the keys to unlock the device. So, the
presence of multiple keys to sequentially unlock, sequentially unlock the lock. So this
provides a greater degree of protection. So that even if one key leaks the, still the data is
somewhat secure, but the issue with this creating this with collaboration of various
government entities, firms and various devices it will be a problem or a challenge. So this
is Star Wars reference, you are able to understand.

374
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 14
Lecture: 41

And, and the reason for government mandating this back door access, we can why where
you know why is government so forceful or why they are in such hurry or. So as we see
in the criminal investigation they have, like in the modern times we can already know that
compared to previous era, like we store data which, in which we store data in form of
letters or hot copies in cabinet, cabinets, closets or if you want to protect it, we would
have secret place in somewhere else. Like in this modern era of explosion of devices we
are storing each and every day of our life in a digital device. So what in, like recently
what they as you can, as you can see on screen like in the period of October 2014 to June
2015, the Manhattan district attorney's office could not access potential evidence from 74
of the 92 cases involved iPhone iOS 8 in which we just saw. It was the first iOS which
had a default, a full disk encryption. So which it essentially prevented law enforcement
officials to prevent, essentially carry out investigations.

So as we can see from the below, this is a quote said by former director Comey. So they
had essentially argued that it hinders law enforcement's ability to solve or enforce, solve
the problems. So which they argued that it is shielding criminals from getting convicted.
It is, it is the one way of convicting or letting them go, like it the only way the digital
device was the only key evidence in difference between conviction and letting them go.

375
 So this is a question, like the politicians have argued that you know technology
preventing the government access to information should not exist. So what they are
seeking is essentially that the company should, whatever innovation or software, like they
are providing, like they are asking for a default solution such that the back door, a back
door should exist. So do you agree with this limit on personal privacy, why or why not?
So my take on this would be that here actually there is also one another point of innovation.
So once you say for example, if the company says, in the government says that this should
be a you should give me the encryption keys or should give me on back door. So that will
actually stifle innovation because as innovation happens the nature of back door might
also change, but the government will not be able to.

So there is a mismatch between the government's capability of keeping up with the

technology and these companies pursuing innovation. This might actually stifle
innovation then. Yes, as you rightly said there are multiple stakeholders in generating or
creating technology which was, which is used by all people. So it is difficult to coordinate
in, coordinate the developments or the technical analysis of how the back door should be
implemented. So it is difficult for the government as well as tech companies to follow this
method.

I feel that they actually, if you see this access thing what Sir had also brought out, this
Apple, this has been going on for a very long time. Whatever I have read about it Sir, there
is hardly any system or technology which has not got back doors incorporated into because
such is the world of geopolitics. And if US is leading and it uses, frequently uses all these
companies because one of the major revelations of the Edward Snowden case was that
the US organizations which they have got branches of their NSA which actively involves
itself in actual cyber warfare across states. They had infiltrated Huawei servers, they had
deliberately done that, it was the only thing was he brought out all these things in the open
that they have been doing it. Now, now it is a misnomer, personal privacy is a fallacy for
the public, for us to fight it out on it.

I will give this, yes to some extent in the open domain, in the corporate domain we can
live in that, under that assumption that we have some, you know privacy and at least in
the open domain within the companies and the corporate it should not be shared. But in
all other things, there is nothing which is and it every country does it including ours. Any
person for, the moment he comes into media, the IB starts off its file dossier on it. So, it
is a misnomer this privacy. So the only thing is for a normal day to day lives, how can we
limit our information not spreading in, for that purpose yes, there should be some degree.

Otherwise geopolitics will always demand that privacy or, you know government access
to information will always be there. And all these companies whatever they are saying in
back door, they have to stay in that country in their country, they have to cooperate and
in this thing, there is one particular thing where this, in this Snowden episode was the,
there is an organization called the 5 I. The foundation was did in 1941. So, there are 5
country which are signatories to it and they are supposed to cooperate on all signals
intelligence. That is why UK is part of it US and New Zealand, Australia, and Canada and
they have been doing it for a long time.

376
 The Stuxnet virus, which once Sir had also mentioned, in Iran, was actually developed
by this TAO. It is part of NSA, Tailored Access Organization which indulges in deliberate
cyber espionage. It has also done the same in our country also, but these are all hush -
hush things. It is, the internet itself was developed from the defence, from the CIA side
only and frequently in the dark web, they deliberately placed what Sir was mentioning
one day was RAS, ransomware as a service. They deliberately placed those programs over
there, the malware then all that.

So that it goes into each and every system of ours, whether it is One Plus or iPhone and
all this. So it is a misnomer, but yes for the public perception, for normal day to day use
like the supermarket case, which we were discussing yesterday in, at least in to some
degree some semblance of security needs to be there, medical records and all, but
otherwise in the larger world of the government. So believes that in the larger interest of
the geopolitics of their particular interest countries, their personal privacy needs
limitations. So that is their perspective and our perspective will have to live with it, that
yes, we want at least to some degree in the day to day life. Yeah, actually rightly brought
out by Colonel Vijay, now a days actually we can say that 100 percent privacy is a that
cannot be ensured whether you can say right to privacy is a fundamental right or whatever
and again most of these countries actually, they are those countries, they exploit this as a,
you know warfare tool actually, which is more actually damage causing actually to the
other country, but again the question and the main aspect is the users and the customer.

They should be made actually aware that these things are happening and they should not
be kept in the dark. That is the main thing actually. I think there are two sides to it, one is
in response to an incident, if government wants to or FBI wants to conduct an investigation
and so key information is in a phone and what they argued is if a militant or a criminal
died, so the password has died with that person, so password does not exist. So in that
specific case, if law enforcement agency is not given access, say by Apple to decrypt the
message, they are actually not able to do justice because they are protecting criminals in
that case or you know this incident can happen again, so from a safety point of view, you
know most of the safety argument for national safety or individual safety, it is also
important to have access to the information in the phone, but what you are actually now
showing is a very different phenomenon. It is not in response to an incident or it is not for
investigation, but for monitoring.

Government seems to be continuously monitoring individual's personal data and

collecting that data extensively from within the country and outside the country and
profiling people. So that is not for criminal investigation, but it is for monitoring, in which
case a backdoor is continuously opened, the government in that case is saying we need
backdoor not for investigation but for monitoring. That actually makes the case very
different in the sense, privacy should be there, but government should be completely
watching what you see and when you say or use the term government, it looks like God
or it is some extraterrestrial agent, but we also have to know that government consists of
people, individuals and they belong to political parties. So there are interests that can
actually be guided by individual interest or political interest and so on. So, we are entering

377
a territory which is very sensitive in that sense.

So as a continuation of that, like since Apple did not give access or you know comply
with the law enforcement, what they argue is that, you know you can have data's, various
data's already, which already you have within various organizations like telecom
companies. We just saw like AT&T, Verizon, like they had the access, like they had
collected various meta data's related to phones or backup computers on the cloud. So as
Sir just mentioned, so in serious threatening cases or you know, the only key like the
evidence, smoking gun evidence. So what happens when a victim dies, like it essentially,
it is unsolvable case, like there is no further justice or investigation possible. So in US
what makes this difference is that, you know in US law enforcement cannot make a person
witness to himself, like they cannot force a person to self-incriminate him.

So there are also key disclosure laws like, it cannot come force a person to disclose their
password voluntarily. So only if they are voluntary, they can do so. Also this is only
present in US, if you compare to other countries like UK, Australia they could legally
comply, legally force a person to divulge with their password or encryption key. Similarly,
in India if we look at section 69 or of IT Act 2000, it was amended in 2008. So it included
a clause such that if you do not provide or comply with law enforcement officials, to
decrypt your device, you could be sentenced up to 7 years in prison.

So the other argument was regarding national security. So as we just saw, like in major
significant evidences now reside in a phone or any digital device. So as I mentioned
before, it is the difference between an offender getting convicted or acquitted. So also
since the inception of internet, encryption of Apple and its technology, like various
terrorist organizations are using this to essentially hide themselves between, hide
themselves behind the technology. So what they are, like here in this case, they have
recruited and people so, it was in enabling them to kill people.

378
 So in this case, like due to end to end encryption, it was not possible even for governments
or any method to intercept the data so, to prevent any attacks. So next we will see an
implication of a backdoor. So if Apple or any other tech company, this you know, it
designs a backdoor from the start by design. So what it essentially makes it, it just now it
is not only providing a backdoor for the government. So as we saw Sir just mentioned
before mentioned, like there are repressive regimes which will use that power to monitor
citizens or monitor dissidents.

So who they, who will not agree with their ideologies. So it may use them to prosecute
them and do harm. So we have to understand, also there is a presence of hackers. So they
will also try so, if they are, if they have knowledge about presence of backdoor they will
obviously, try to gain access or exploit that backdoor to gain their financial or any other
active intention. So another argument for the government in relation to backdoor is
regarding cyber security.

So even though Apple as a company or any company which develops its own product, it
does, it is not significant, not say not, significant like. It has, it would not be difficult to
create a backdoor, but as previously mentioned protecting that key, this, it will be very
difficult. It will have a higher cost, it will have various risk factors or threat vectors. So
as you can see, like if we have some sort of master key, like it has to be stored very safe,
like it has, like it has to be transferred, it has to be stored and it has to be accessed. So it
has various threat vectors within, from which we have to protect.

Also this comes at a very high cost and if you are continuing this for a long time, you
would have amassed such a huge data, like one incident is enough to leak all the data. So
the stakes are also very high. So the concern is, if any of the, like we said, if any of the
private escrowing keys are ever compromised, then all the data which were created by
that key is permanently compromised. Also this was an incident, it was lawful interception
of backdoor in Greece's national switches, telephone switches that let someone, they did
not actually find it, but they, what they did is, they listened to the Greek parliament and

379
to the prime minister's conversation during a sensitive part of the Olympic bid. So you
can understand the impact of creating a intentional backbone even to the governments.

So from the business perspective it is, you know difficult to, for technology companies
to coordinate with themselves and create a standard use. So even if, like in the case it
mentions that after the incident of Snowden, like companies have even had the choice of
creating a, like alternate products which one had a deliberate backbone and other another
thing, it was catered to without a backbone. So as a business perspective it also made,
even if they complied it, even if they complied it would made decisions in the companies
very difficult to coordinate these activities and it will obviously raise cost. So as we
mentioned previously, it will, like the foreign customers will obviously not want to use
their services or try to go for alternate services which will advertise their features as
privacy protected. So also in case of terrorist attack where there is a victim or it causes a,
whether chaos in the country, it also could been, like the Apple could be sued in court.

So that it, even though after repeated warnings, it did not comply. So it makes them a lie,
makes them and makes them reason through which the terrorist attack happened. So in
July 2015, the US senator proposed that the crime victims should be able to sue a company,
if the encrypted devices allowed the user to commit a crime. So next we will see the
various incidents and the rules and regarding what Apple did in relation to privacy. So
hello everyone, we just now saw how many incidents have unfolded which created a trend
among of privacy, among the tech giants and Apple as you can see, it is one of the
advertisement of Apple and they have used privacy as one of the USP and they have used
it for their marketing purpose as well.

380
 Apple received, there were many incidents which showed why Apple is focusing on
privacy. One of the reason, some positive factors were there at Apple received top rating
in 2015 by an independent organization which fights for digital privacy and it is a very
surprising fact that only 9 tech giants were received these ratings out of 24. And also
there were, many experts said that the reason why Apple is more focused on privacy or
less data tracking is that their business models. Apple in previous case yesterday, we saw
that how ShopSense uses data by customer to earn the money or how their profits were
there most from the customer data. Apple does not rely on customer data for its profit.

We will understand their business model also. That is, we will also compare how Google
and Apple differ in the privacy, customer data and business models. So if you look at the
business model of Apple, the major revenue is come, comes from the iPhones

381
manufacturing and selling them and rest were from services and other devices like iPads
and Macs and another thing is that, it is a, it has a global audience and global customers,
like it is spread across America, Europe, Greater China and rest of the Asia. And as you
can see none of here, none of the revenue is generated from data analytics or user, by
selling the user data or it does not rely on the user data, but does that mean that Apple
does not store any data. For example, there are around 400 millions iTunes accounts which
means that the iTunes accounts are used for all the purchases on the app stores.

So it also means that Apple has a credit card data of around 400 millions customer and
with that it also, while registering for the Apple id you also have to give your name or the
demographic info. So Apple does have user data, but it does not use it for generating of
the revenue. Contrary to it, we look at the Google or Alphabets business model. If you
look over here, that then major of the chunk of the revenue comes from marketing and
same for the Youtube ads and all the other networks. So we can see that how Google is
reliable, reliant on the user data it generates.

So that is why companies like Apple do not need to, do not track their data or user data
and that is why it received top ratings from all these firms. Moving on to next case here,
Apple as we saw it is a, it has a global customer base and in 2014, it had more sale in
China than its US counterparts and that is the reason due to many lawsuits and regulations,
Apple had to store, create or store their user data of Chinese citizens in the, in the China
itself. They agreed to store the data in third largest data center in China. The reason was
that Chinese government did not allow Apple to transfer its citizens data outside of the
China. In 2015, China accused Apple that it might be using backdoors and not, it might
be your tracking its citizens, by your US government.

So China, so Chinese government asked a security audit from the Apple. Initially Apple
was very, Apple did not agree for it, since they, the officials might also seek a backdoor
from it but some, many people have said that in the end Apple did agree to China for the
audit and they might have also shared the code, it create a lot of criticism for Apple but
in the end, Tim Cook released a press release and said that we have never compromised
with the privacy and have never allowed for backdoor entry for any government. So there
are many instances, not only with China it and with also the US government where privacy
was compromised for safety or for law and regulations.

382
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 14
Lecture: 42

So it created a very big position of responsibility for Apple whether and the citizens of
US were divided in their opinion. Many people who were concerned of their privacy said
that, supported Apple in its stance that they should never compromise the user's data and
privacy with the government. But there were also many people that, they wanted Apple
to comply with the government for their own safety. Their point was that Apple should,
they wanted their safety or their family's safety more than the privacy. So this raises a
question, like does Apple have a moral, not only Apple does any organization have a
moral obligation to help the government or to protect its customer privacy. So what will
be your opinion, like any organization or with the devices you use will you be comfortable,
like sharing the data with your government for the safety or will you value privacy more
than safety? So for this point it is, there is a lot of the cultural aspect which comes into
play and there are certain cultures which put more emphasis on the collective good than
the individual good and that tend to be more okay with sharing data versus an
individualistic society which tends to, which focuses on prioritizing personal data privacy
even if it comes at a certain cost.

383
 So that is why we are seeing that in, for an organization like Apple which functions in
different countries, that taking an extreme position and holding on to it becomes tough
especially when it is using it as a strategic motive that it wants to highlight the company
as somewhat, a company which holds privacy as a top priority irrespective of the countries
but when it goes to China, there are certain things which the company gives away on the
same aspect. So it is basically looking at it from, Apple is looking at it from a business
perspective and it is trying to differentiate itself but at the same time in China when it
sees that profits can get take a hit, it modifies its strategy a little bit. So whether a company
has a moral obligation to help the government, it is you consider a lot driven by the law
of the land itself and the law would be driven, is influenced by the culture, right. So, so
that is where an absolute answer to this question may be tough.

Yes, you are correct even my batchmate also explained how different, using the previous
survey how different countries have different view about privacy of data. So that is a
point to be noted, how culture, if culture has a influence on this, such questions. There
has to be a trade-off between privacy and security. For example, government continuously
snooping on all the people whether they have any links to terrorists or you know
continuous snooping just mere to, mere for data collection would not be the way forward.
Instead if there is any terrorist link or in the previous case video that you showed, there
Apple should have a way to share the information.

For that the three key methods that you showed, like they are having shared keys, Apple
and government, that could be a way forward and for that Apple will have to bear the cost.
I would feel that first of all, Apple has a moral obligation to its customer and it has to
protect the customer's safety and one part of safety is privacy, other part of safety is bodily
harm. So, since Apple cannot protect a person from harm, it needs to help the government
which in turn will protect the person from harm. So tomorrow if a bomb goes off in an
Apple store by a terrorist, who used an Apple phone, so it has lost more customers in
order to save one customer. So keeping this in mind, Apple should perhaps help the
government in doing what it cannot, it is out of scope for Apple to do.

So, that is my. Yes. So in this, is the same point which I saw in many forums, like online
debates that helping the government is a, indirectly you are helping your customers, that
is one point. I think what Apple says here is that we manufacture a locker and the locker
has keys and we sell the locker with the keys to the customer. Now the keys is, key is
with the customer, we do not hold the key because the locker belongs to the customer.

So if the government comes and ask Apple for what is stored in the locker, Apple says,
no, we do not have the keys. We already sold it to the customer. So ask the user, that is
the position, but the, I think the weakness of that argument is in instances where a person

384
dies and the password as a key is not existent in which case, there should be a way to
enter the locker, open the locker. That is I think, that is a, in my opinion, that is a fair
argument for national safety, security. Otherwise how do you actually catch criminals and
bring them to, you know ensure justice to the country? So that is one aspect, but the other
is to say that, well you have a house or you have a locker and there should be a separate
key which is created for government and the government should always be keeping that
key and it can come and open your locker anytime.

And that is the permanent back door which actually governments want, anytime access
to locker or phones owned by citizens. I think these two aspects are mixed in the case as
you go, the what kind of access is what government is looking for, FBI is looking for, is
it case to case or is it continuous? So it is about creating a back door permanently. So,
which is a matter of concern. So moving to a similar case, here in the previous case we
saw how it was all about national security, but there is a recent case. It is about tracking
the data for safety of the, to counter such a major pandemic.

So you all must have used Aarogya Setu. It was a, it was a encouraged by Government
of India to track the users for the health adversary, but there was a similar app developed
by Google and Apple together. It was same. It was a used for contact tracing. So let us
look at some technical details how it was.

Okay. Battling COVID-19 is an unprecedented global challenge. To get communities

around the world back up and running as quickly and safely as possible, public health
authorities are building smart phone apps to help with contact tracing. Contact tracing is
one of the best ways to stop a virus from spreading. It can take thousands of disease
investigators to alert everyone who's been in contact with people who've tested positive.
But even if disease investigators do their jobs perfectly, alerting the people a COVID
patient does not know or can not remember is incredibly difficult.

Smart phone apps that the public health authorities built can help people at risk of
infection get notified much more quickly. But a contact tracing app works best when
more people download it. And being asked to download an app without knowing how it
will handle your personal information might cause people to worry about their privacy
and they may not feel safe participating. That is why engineers at Apple and Google have
been working together to make public health technology that protects individual privacy,
so that people never have to choose between their privacy and the health and safety of
their community. You are probably wondering what that means and how that all works.

And we are going to walk you through it in a second. But first, let us be really clear
about a couple things. First, apps using this system cannot track your location. And

385
second, this system does not share your identity with Google, Apple, or other users. Here
is how that works.

For every phone that is opted in, our technology disguises your identity by generating a
random sequence of numbers that change every few minutes. Then using Bluetooth, any
time your phone detects another phone close by that is also opted in, the two exchange
those random numbers. If in the future someone is positive for COVID-19, they can report
that positive result in our app. Any phones that had exchanged random numbers in the
last 14 days will receive a notification that they may have been exposed to COVID-19
without revealing their identity. Public health authorities can then help anyone at risk get
testing and treatment.

But it is up to all of us to help with contact tracing. Do your part and look through your
public health authority app that uses this exposure notification system. The more people
who participate, the sooner we can beat COVID-19 and get our communities back on their
feet. Okay, so this was the solution proposed by Apple and Google together to counter
the COVID-19 and worked as a contact tracing solution. But there were, just like the
previous case study, there were many controversies surrounding it with government and
with the people.

So first controversy was the government wanted more control as you can, as you have
seen in the video that no user data and location was tracked by the both Apple and Google.
So government wanted a more controlled app or a more controlled solution, like they can
track the user who have been contacted and also their locations. But Apple and Google
refused for it. There was a major backlash from the French government and even the
health minister quoted that the companies like Apple who have never been in a good
situation of economy are not helping the government to counter the crisis. Instead they
developed their own app, Stop COVID just like Aarogya Setu in India.

But there are also other countries like Germany, Italy and Saudi Arabia who use this
model. So the major issue was with the data collection and tracking. Apple and Google
wanted to keep the efforts private that they were not focused on the location and other
data. They wanted it to be more private to the user itself. But the government and other
health organization were more focused on getting, understanding the locations of the
contacted patients.

And also there were many loopholes with the proposed model is that the first one was
that in the, in search app the user has to notify to the app that I am, I have been

386
contracted with the virus. But there were many reports of fake reporting also and which
might cause chaos among the people and imagine a group of people, they just to cause
chaos in the country, they do it for together and cause a chaos among the people of the
contracting of the COVID. So that was a big debate in the contact testing, how data needs
to be handled in such situation. So as a result of all these incidents of privacy, also safety
there were also one incidents where the companies which are dependent on the
organization like Google and Apple, who collect the data, they and the Facebook
organization is reliable on the Apple and Google for collecting the data, they face many
problem due to change of regulation and policy by Apple. One such incidents was when
in iOS 11, in iOS 14 Apple change its policies in iOS 14 the user had access to what an
app, a particular app is tracking what kind of data and it also had a option to simply opt
out of the tracking which was heavily criticized by the Facebook because it, as you can
see it suffered around 10 billions of revenue hit because of this feature and not only, it
was not only Facebook but there were around 16 marketing agencies that wrote to the
Apple for the displeasure for this feature.

But there was also positive impact. This, such incidents of hailing privacy over other
aspects created a trend among other companies too. Similarly Android, Google also gives
similar feature in Android OS 11 and it was followed by other organization too, like Zoom
also gave into an encryption for their video calling and there were also many organization
that emerged which considers security as their main criteria or their main feature, similar
there is a similar organization will have a comparison is like a DuckDuckGo which is a
privacy focused search engine as opposed to the Google. They promise the user that there
would not be any tracking or any data collection from their side which is a, which is what

387
Google does to give a better user experience and apart from DuckDuckGo there are also
many other apps like Signal, Brave browser which are more focused on user privacy. So
it gives a, it brings us to a question, like such developments or such incidents have
increased valuation of privacy among the user.

So I would like to ask the same question to you, like are you more focused on the privacy
rather than services, like are you using such apps like DuckDuckGo, Brave browser or
Apple devices just for the privacy? Anyone of you? Are you using any DuckDuckGo,
Brave browser or Signal? You are using so. I am using DuckDuckGo, Tor on Android as
well as laptops. So is privacy your main concern for using it? Yes, especially transactional
this thing but there is a problem with Tor when it comes to commercial or like financial
transaction issue because even all apps, even banking apps they need access to your
locations and all. So does not work very well but yes to gain information and all, yes that
is a, it is a good idea, it works with that. Anyone else? Okay so to shed more light on this
question, we will look at a recent survey which said that, like these days around 89% care
more about their data privacy and 40% were willing to spend time and money to protect
the data and also 29% people switched their apps or services that were, that they were
using just because of privacy concern, just like in the recent incident, was that WhatsApp
had updated their privacy policy after acquisition by Facebook and like, they were going
to use the user data for marketing and many people had, not many, small fraction of people
had migrated to Signal messenger for the same reason and there are also 90% of
consumers are somewhat too very concerned about the privacy.

So it shows that such incident which have happened in past have given a more concern,
have increased the concerns of privacy among the users. So I will just hand over to Sanjay.
And now we will see a very recent development of Apple in relation to privacy. So as
you can see, this is basically called CSAM detection. It is, abbreviation is Child Sexual

388
Abuse Materials.

It essentially what it does is, people have, generally have photos in the phone, like before
uploading the phones to either go, like drives or any cloud storage, like here what Apple
wanted to do is to find a middle ground in maintaining privacy as well as protecting the
threats. So what it does is essentially it scans for CSAM content in the respective iPhones
but without compromising their user's privacy. So what it essentially, how it works is, like
it initially generates a neural hash. So what is this, hash is like, it creates a, it is called a
neural hashing algorithm what it creates, it creates a hash which is very context specific.
It is not similar to the file hashing we do on computers which, even if we change one bit
of data, the hash value changes.

So here it is context specific, what so? So if you see, so if you see these images, the first
two images are, so as humans can see it, these images are basically same without the
colour. So if you, if you take the very file hashing, so what computer thinks, it, these two
are very different files. So in neural hashing what it does is, it creates a hashing but as we
can observe it creates the same hash for both these images but if you see, compare it to
the last one, it is entirely completely different image. So it creates a different hash for
different images but if it is very similar as observed by humans, it creates the same hash.
So CSAM detection provides these privacy and security assurances to users.

So before uploading also, we have to note that this neural hashing occurs in device itself,
not, it does not happen in the servers of Apple. So what they do is they create the hash in
the device. So if the hash values, like the CSAM, they the government or NCMEC, it is
the National Center for Missing and Exploited Children database. Also there are other
independent data services which provide these CSAM contents from various location, like
dark web, like they provide the database. So when a photo is being uploaded to the iCloud
it, like it compares the hashes to the hashes of the existing database.

So it is powered by two technologies, the one is called private set intersection. So what
it does is, it essentially matches it is, essentially checks whether the images are matching
with the database. So here Apple what to prevent the, to protect the privacy, it prevent, it
created such created a technology such that it is encrypted double. So it protects the
privacy of the people. So it also assured that the meta data is, you know if it, you know in
case it detects one like CSAM content, it is does not immediately report to the law
enforcement.

So it has a certain threshold before it is being reported. Now also, even if it finds after
the threshold, it is manually reviewed before reporting it to the law enforcement officials.
Also for, like there would be multiple photos of random contents, so it does not, like if it

389
does not find any CSAM content it is, like the Apple would not learn anything from it,
like also does not report the entire usage, entire data to the Apple or either governments.
So this is how it works. So first it essentially creates a image hash, then it, like it, the it,
like it is as I mentioned it is in the device, so it creates a safety voucher.

So then it uploads these pictures to iCloud. So as I mentioned before, so the private

intersection, private set intersection what it does, it essentially compares if there is a match.
So if there is a match, so it will decrypt. So also I said, like Apple does not you know
violate the privacy of the person. So there is a second encryption which is done by
technology called threshold secret sharing.

So there is a threshold, like if it has one, so it does not report. It has a certain threshold,
like it has to flag this, like certain number of CSAM content to flag this, flag the alarm.
So only if both of these matches, so both layers are decrypted and then only there is images
being revealed and then also it, then also after the collection of data, it is the manual
process of reviewing is undergone before reporting it to the law enforcement officials. So
there are multiple checks and steps to prevent, to protect the privacy of individuals. But
as we can see in this news clipping, it is the, this is the case of Google using a similar kind
of technology, like but in this case as we can see it, it falsely triggered an alarm for
genuine case.

So father took his picture of his younger toddler son. So what it does, it detected as a
CSAM content and it reported to the law enforcement directly, without any checks or
manual review process. So it caused major embarrassment on the consequences for him
but finally, but the police did not file any charges due to its legitimate case. But it caused,

390
it also caused him huge embarrassment and cost in a society. So also what Google did is,
they did not, they locked the account and did not restore it back.

So the entire history and collection of photos and all were destroyed. Okay just to, sorry
to interrupt you here, to bring the discussion back to the case because we need to be within
the scope of the case. So there may be recent developments which are related, before as
the time is ending, so I just want to give couple of observations. One is in the case A
which you discussed, there is a specific culmination of this case which is the San
Bernardino incident where militants actually killed 14 people and the FBI was doing the
investigation and that is the point when Apple refused to create a back door for FBI and
that actually blew, that incident blew up because government and government agencies
believed that Apple is not cooperating with an investigation which is having national
safety implications and FBI also blamed that encryption is being used as a marketing pitch
by Apple. So there are several indications in the case that it is not genuinely in the interest
of people's privacy that, Apple is taking that position but it is for the marketing purpose.

To position their product as highly privacy preserving and in order to protect that position
or in order to strengthen that position they were taking a stance. Although if you take a
larger view anyone would say that in that particular case, you know a company should
cooperate with the investigation. Only for that case. It is not that you create a permanent
back door but the case was very serious. Do you know what happened further because the
FBI, government has to do investigation they have to actually, they will go out anywhere
to get information and track down the criminals.

If you read what actually happened in that case. They cracked it. FBI cracked it. They
went to Israel and they were able to crack it. Although Apple did not disclose. What do
you think about that condition? How it would have affected Apple? Plus see, whatever
Apple claimed that their products are very secure and you know nobody can actually
access, Israeli hackers actually proved it wrong.

If they want, they can actually crack even Apple.. So, yeah, so there is a lot of evidence
that Apple is actually doing. So that also made the vulnerability of Apple devices open.
So it became rather an embarrassment for the company claiming that nobody can, not
even the government can but actually a hacker can. So I think that ending of the incident
was not very much in the favour of Apple and therefore this particular hard stance of
privacy versus safety, when it comes to extreme cases like this, perhaps was not justified.

This is what I think. That is one take away from the first case and we also clearly see
there is, it is a marketing pitch. Apple versus, Apple which, whose revenues, as you rightly
showed comes from selling high end products, not from databases or online advertising.

391
So there are other companies like Google and Facebook, whose revenues actually majorly
come from online advertising. And advertising industry requires data. So that is a business
model and if it is privacy completely protect, no access to personal data then that industry
cannot exist.

So that is a hard reality. So it is also sales pitch or marketing pitch that is going on in all
these cases which is quite visible. And the second case that you discussed as you are
wrapping it up, of course, you are going to other developments. But again the case writers
are bringing a situation where it was about health of people. Pandemic, it was a pandemic
condition and so there were solutions developed by individual governments for contact
tracing.

For example, Indian government developed Aarogya Setu. But Aarogya Setu you must
have read, it was not very successful. And immediately the opposition actually brought
out the government is doing surveillance and the government is collecting this data but it
may be solved, it may be abused and so on. So that is what opposition will do. But
somewhere if you check the government stance also, there was actually a workshop on
this in IIM, Bangalore on Aarogya Setu's transparency. Government finally said well,
Aarogya Setu is built on open source platform.

So the user end is open, the code is open. But the server side code was not open. So once
the data goes to the server that part of the whole software that they built was not made on
open source. So that again brought some sort of lack of clarity or transparency for users
to share data. So in these cases the real debate is between governments outright back door
access to all devices for the purpose of governance and citizens concerns that their private
data can be abused by government.

That is an issue which is difficult to resolve. Continuous monitoring versus case to case
investigation and back door entry as a permanent need for governments. So that is an
ongoing debate and we have to watch and wait what is going to happen in this sphere.
And there are companies which thrive on privacy as a business strategy and they would
like these cases to be highlighted in public or in media and that actually of course, brings
lot of publicity or marketing or it is in the favour of those companies like Apple. Okay,
latest what do you think that particular incident, you know Apple changed its policy in
2017. I guess, you know they actually gave an option to the iPhone user called ATT, App
Tracking Transparency.

I think app tracking transparency, in the sense other apps in your iPhone can track, one
app in your iPhone can track your activity with the other apps, perhaps what pages you
browse etc. So that access of apps to other apps is a feature that the user can decide now

392
in iPhone. You can switch it off which actually affects the advertising potential of
companies. And that is what you showed, the advertising revenues of Facebook and
Google substantially got affected. But what is Apple trying to do through this? They want
to bring more transparency to the user, what is happening on their phone.

Okay, so it seems to be advocating privacy and used to be protecting the privacy concerns
of individuals but it is hugely affecting the other businesses revenues. But is there a
competition between Apple and Google? Because Google is basically, its most revenues
comes from advertising.

Advertising. That is their revenue. Apple sells products. So they are not competitors per
se. So how should, why should Apple create a feature that will kill a company which is
not a direct competitor? Which is not a direct competitor, because one is selling, one's
business model is based on advertising, other's is based on selling products.

That is operating system, that is open. Okay. Okay. So how do you? So it is iOS versus
Android. Okay. What about Facebook? There is no competition on operating system. That
is my question. Why Apple should actually hurt, why should Apple hurt Facebook's
revenues? Yeah, they showed 10 billion loss of revenues after Apple changed its policy.

The ATT, user can divide, decide. But there have been reports that, no, that is possible.
We could be the millennials now, Sir. As iPhone user, one may be using apps from
Facebook or Google Chrome etc. So in that sense if Google or Facebook has more
bargaining power than Apple, then it becomes a disadvantageous position for the company.
So it would try to increase its own bargaining power by trying to limit Facebook or this.

What is the Apple versus Facebook experience? For that ATT policy, it is not about only
the ATT policy, even though the iPhone is created in an operating system level and secure,
the apps which is created by the other users and it has been downloaded by the user who
is willing to download and use it, the apps may be malicious also. So the ATT policy is
created, so that there are some, even in India, the government has banned some more apps
which is not to be used in Android. So the people may be aware of that, whether the app
is tracking it or not. So Apple gave a chance to know that if you are not willing to use an
app, you can make sure what it has been tracking or not. There were a lot of cases where
the Apple users were using apps and were testing it for their platform and their Android
apps are not protected.

So the app which iOS has specifically developed for their platform, who will be able to
work on this ATT? Where are they collecting it and now if you do it, they will not collect
it. Do we have some information to that? What is the ratio of Android users to Apple

393
users? Which will be, you know, Android and Apple users being in the platform. Yeah,
I think they may not have data because this is instantly coming but the point is, Apple is
also into advertising. So it is trying to kill its advertising competitors.

Because with ATT, Apple advertises differently. So the digital advertising market has
grown. If you look at the advertising trend, you know, so in recent times the online
advertisements or the digital advertisements exceeded the traditional advertisements. So
therefore the advertising industry is moving largely towards digital advertising and Apple
wants to have its share there. So when it introduced ATT, Apple is actually encouraging
advertisements through apps, not through search engine or Facebook platforms, through
apps, Apple apps which is in the iPhone. So basically by hurting Facebook and Google,
it is actually trying to increase its share of advertising revenues.

So you see how smartly these policies can be communicated. One is we are trying to
protect your privacy. The other is we are actually trying to increase our advertising
revenues. So this is actually the smart positioning this tech giants do. So for users it
sounds like, you know, they are our Gods.

They are so much interested in our welfare. But these are carefully crafted business
strategies. Recently we have to pay, use only through Apple Pay. Earlier it was card and
other payment option was there.

Now it has been disconnected, only through Apple Pay. People may think it is privacy.
But for every transaction, the other banks has to pay a commission to make a transaction.

394
 THIS BOOK
IS NOT FOR
SALE
NOR COMMERCIAL USE

(044) 2257 5905/08

[Link]
[Link]