CHAPTER 5 SECURITY IMPLEMENTATION & PLANNING
Chapter 5
Introduction to Cyber Security
I. Introduction
The Committee on National Security Systems (CNSS-4009) defines cybersecurity as the
ability to protect or defend an enterprise’s use of cyberspace from an attack, conducted via
cyberspace, for the purpose of: disrupting, disabling, destroying, or maliciously controlling a
computing environment/infrastructure; or, destroying the integrity of the data or stealing
controlled information.
The National Institute of Standards and Technology defines cybersecurity as "the process of
protecting information by preventing, detecting, and responding to attacks." Similar to
financial and reputational risk, cybersecurity risk affects a company’s bottom line. It can drive
up costs and impact revenue. It can harm an organization’s ability to innovate and to gain and
maintain customers.
The International Organization for Standardization defines cybersecurity or cyberspace
security as the preservation of confidentiality, integrity and availability of information in the
Cyberspace. In turn, “the Cyberspace” is defined as “the complex environment resulting from
the interaction of people, software and services on the Internet by means of technology
devices and networks connected to it, which does not exist in any physical form.”
• At its core, cybersecurity seeks to protect your enterprise from those who wish to do harm to your business, steal your information or your money, or use your systems to target peers in the market.
What is Cyber Security?
One way to think about it:
• Cyber security = security of cyberspace
What is cyberspace?
• Information systems and networks.
One way to think about it:
• Cyber security = security of information systems and networks.
• Cyber security = security of information systems and networks with the goal of protecting operations and assets.
• Cyber security = security of information systems and networks in the face of attacks, accidents and failures with the goal of protecting operations and assets.
1 | COMPILED BY: DR. AZATH HUSSAIN
Cyber Security Conceptual Framework
The Framework provides a conceptual framework upon which to understand all aspects of
cybersecurity, including discussions, solutions, and services.
• The industry is guided by both Government Policies that shape cyber-defences, and the Regulatory Environment that sets standards for conduct.
• Business Requirements drive the specific cybersecurity elements that are necessary to achieve business objectives.
• Threat Intelligence gleaned from newspapers, governments, industry partners, security vendors, internal efforts, or a combination of all these sources, establishes the landscape that security measures must be ready to respond to, both today and in the future.
• Corporate Security activities related to cybersecurity, physical security, and personnel security, collectively provide the integrated elements of an effective protective solution.
• Finally, Cybersecurity Technology underpins but does not drive an effective cybersecurity policy. Too often, technology is viewed as the solution rather than merely a component of a broader strategy.
Impacts of cyber security
Case 1: Internet Under Siege
• February 7-9, 2000: the Yahoo!, Amazon, Buy.com, CNN.com, eBay, E*Trade and ZDNet websites were hit with massive denial-of-service (DoS) attacks.
• The attacks received the attention of President Clinton and Attorney General Janet Reno.
• "A 15-year-old kid could launch these attacks, it doesn't take a great deal of sophistication to do" – Ron Dick, Director NIPC, February 9.
• U.S. Federal Bureau of Investigation (FBI) officials have estimated the attacks caused $1.7 billion in damage.
Case 2: Slammer Worm
• January 2003: infected 90% of vulnerable computers within 10 minutes.
• Effects of the worm: interference with elections; cancelled airline flights; 911 emergency systems affected in Seattle; 13,000 Bank of America ATMs failed.
• Estimated ~$1 billion in productivity loss.
Case 3: WorldCom
• July 2002: WorldCom declares bankruptcy.
• Problem: WorldCom carries 13%-50% of global Internet traffic. About 40% of Internet traffic uses WorldCom's network at some point.
• October 2002: an outage affecting only 20% of WorldCom users snarls traffic around the globe.
Case 4: September 11
• Wireless tower on top of the Trade Center destroyed.
• Rescue efforts hampered.
Case 5: It's a Jungle Out There
• The Internet is highly, globally connected.
• Viruses and worms are legion on the Internet and continue to scan for vulnerable hosts.
• Hackers scan looking for easy targets to attack.
Case 6: WannaCry Ransomware
• May 2017: almost 200,000 people were victims.
• One of the most severe attacks in the world.
Cyber Security Policy
The cyber security policy is a developing mission that caters to the entire field of Information and Communication Technology (ICT) users and providers. It includes:
• Home users
• Small, medium, and large enterprises
• Government and non-government entities
It serves as an authority framework that defines and guides the activities associated with the security of cyberspace. It enables all sectors and organizations to design suitable cybersecurity policies that meet their requirements. The policy provides an outline for effectively protecting information, information systems and networks.
It gives insight into the Government's approach and strategy for the security of cyberspace in the country. It also sketches some pointers to enable collaborative working across the public and private sectors to safeguard information and information systems. Therefore, the aim of this policy is to create a cybersecurity framework that leads to detailed actions and programs to improve the security posture of cyberspace.
Organization Policy
A well-thought-out cyber security policy outlines which systems should be in place to guard critical data against attacks.
These systems, or the infrastructure, tell IT and other administrative staff how they will protect the company's data (which controls will be used) and who will be responsible for protecting it.
Your cyber security policy should include information on controls such as:
• Which security programs will be implemented (Example: In a layered security environment, endpoints will be protected with antivirus, firewall, anti-malware, and anti-exploit software.)
• How updates and patches will be applied in order to limit the attack surface and close application vulnerabilities (Example: Set the frequency for browser, OS, and other Internet-facing application updates.)
• How data will be backed up (Example: Automated backup to an encrypted cloud server with multi-factor authentication.)
In addition, your policy should clearly identify roles and responsibilities. That includes:
• Who issued the policy and who is responsible for its maintenance
• Who is responsible for enforcing the policy
• Who will train users on security awareness
• Who responds to and resolves security incidents and how
• Which users have which admin rights and controls
Employees Policy
The most critical step in establishing a successful cyber security policy is documenting and distributing the acceptable use conditions for employees.
Why? No matter how strong defenses are, users can introduce threats to your company's networks by falling for phishing scams, posting sensitive information on social media, or giving away credentials.
According to the 2014 IBM Cyber Security Intelligence Index, over 95% of all threat incidents investigated involved human error.
Your cyber security policy should clearly communicate best practices for users in order to limit the potential for attacks and reduce damage.
It should also allow employees the appropriate degree of freedom they need to be productive. Banning all Internet and social media usage, for example, would certainly help keep your company safe from online attacks but would (obviously) be counterproductive.
Acceptable use guidelines might include:
• How to detect social engineering tactics and other scams
• What is acceptable Internet usage
• How remote workers should access the network
• How social media use will be regulated
• What password management systems might be utilized
• How to report security incidents
In addition, the employee policy should also cover what happens when users fail to comply with guidelines. For example, an employee found to be responsible for a breach might be required to repeat training if it was due to negligence, or terminated if the breach was an inside job.
II. The Economics of Cyber Security
In this topic, we focus on decisions involved in allocating scarce financial resources to cybersecurity.
That is, as a practitioner, you must decide in what kinds of security controls to invest, based on need,
cost, and the tradeoffs with other investments (that may not be security related). For example, the
chief executive officer may announce that because the company has done well, there is a sum of
money to invest for the benefit of the company. She solicits proposals that describe not only the way in
which the money can be used but also the likely benefits to be received (and by whom) as a result.
You prepare a proposal that suggests installation of a firewall, a spam filter, an encryption scheme to
create a virtual private network, and the use of secure identification tokens for remote network access.
You describe the threats addressed by these products and the degree (in terms of cost and company
profit) to which the proposed actions will benefit the company. The choices, and the tradeoffs among
them, can be analyzed by understanding the economics of cybersecurity.
Once we have good data, we can build models and make projections. We examine several ways to
model the impact of a cybersecurity investment. Building and using a model involve understanding
key factors and relationships; we discuss examples of each. Finally, we explore the possibilities for
future research in this rich, interdisciplinary area.
III. Making an Economic case for security
Making a Business Case
There are many reasons why companies look carefully at their investments in cybersecurity. Table 1
shows the results of a series of in-depth interviews with organizations in the U.S. manufacturing
industry, health care companies, universities, Internet service providers, electric utilities, nonprofit
research institutions, and small businesses. It shows that various pressures, both internal and external,
drive organizations to scrutinize the amount and effectiveness of their cybersecurity practices and
products.
But how do companies decide how much to invest in cybersecurity, and in what ways? Typically,
they use some kind of benchmarking, in which they learn what other, similar companies are spending;
then they allocate similar amounts of resources. For example, if Mammoth Manufacturing is
assessing the sufficiency of its cybersecurity investments, it may determine (through surveys or
consultants) that other manufacturing companies usually spend x percent of their information
technology budgets on security. If Mammoth's investment is very different, then Mammoth's
executives may question what is different about Mammoth's needs, practices, or risk tolerance. It may
be that Mammoth has a more capable support staff, or simply that Mammoth has a higher tolerance for risk. Such analysis helps Mammoth executives to decide if investments should increase, decrease, or stay the same.
Requests for cybersecurity resources usually have to compete with other types of requests, and the
final decisions are made based on what is best for the business. Thus, there has always been keen
interest in how to make a convincing argument that security is good for business. When companies
have to balance investments in security with other business investments, it is difficult to find data to
support such decision-making. Because of the many demands on an organization's finite resources,
any request for those resources must be accompanied by a good business case. A business case for a
given expenditure is a proposal that justifies the use of resources.
It usually includes the following items:
• a description of the problem or need to be addressed by the expenditure
• a list of possible solutions
• constraints on solving the problem
• a list of underlying assumptions
• analysis of each alternative, including risks, costs, and benefits
• a summary of why the proposed investment is good for the organization
Determining Economic Value
Favaro and Pfleeger [FAV98] suggest that economic value can be a unifying principle in considering
any business opportunity. That is, we can look at each investment alternative in terms of its potential
economic value to the company or organization as a whole. In fact, maximizing economic value can
very well lead to increases in quality, customer satisfaction, and market leadership.
However, there are many different ways to capture economic value. For example, Gordon and Loeb
[GOR06a] present several ways of thinking about the economic benefit of cybersecurity, including
net present value, internal rate of return, and return on investment. We must decide which investment
analysis approach is most appropriate for security-related investment decision-making based on
economic value.
Net Present Value
Taking the perspective of a financial analyst, Favaro and Pfleeger [FAV98] look critically at the most
commonly used approaches: net present value, payback, average return on book value, internal rate of
return, and profitability index. Favaro and Pfleeger explain why net present value (NPV) makes the
most sense for evaluating software-related investments. For this reason, we explore NPV in some
detail here.
When proposing technology, you must be sure to consider all costs. For example, to invest in a new
security tool, a company may spend money for training and learning time, as well as for the tool
itself. The NPV calculation subtracts these initial investment costs from the projected benefits.
More formally, the net present value is the present value of the benefits minus the value of the initial
investment. That is, NPV compares the value of a dollar (or euro or yen) today to the value of that
same dollar (or euro or yen) in the future, taking into account the effects of inflation and returns on
investment. NPV expresses economic value in terms of total project life, regardless of scale or time
frame. Since investment planning involves spending money in the future, we can think of the present
value of an investment as the value today of a predicted future cash flow.
Suppose, for example, that the rationale for spending 100 units today on a proposed project suggests
that the project might yield a benefit (profit) of 200 units five years from now. To assess the overall
project benefit to the company, we must adjust the 200 units both for inflation and for the interest or
growth the firm would otherwise gain on the 100 units over five years if it were instead to invest the
money in a traditional financial vehicle, such as a bank account. Suppose 100 units invested
traditionally (and wisely) today might yield 170 units in five years. Then the present value of the
proposed project is only 30 units (200 - 170), although the 30 units of profit represent a net benefit for
the company.
Adjusting Future Earnings against Investment Income
As noted before, if a company has disposable or uncommitted money on hand today that it wants to
invest, it has several choices: it can spend it now or save it for the future. If the company decides to
save it, the earnings compound so that the value of that money in the future is greater than it is today
(not considering inflation). Suppose corporate savings generate a 5 percent annual return; then by
investing today's 100 units, the firm can expect to have almost 128 units in five years. Calculations of
this kind suggest a threshold that must be met if a proposed project is considered by the company to
be worthwhile. Thus, if a proposed cybersecurity (or any other) project requires an up-front
investment of 100 units, its profit by the fifth year has to be at least 128 units to be economically
viable. In this way, net present value calculations give companies a way to compare and contrast
several investment strategies and pick the most economically desirable one(s).
The formal equation for calculating NPV is
where Bt and Ct are the benefits and costs anticipated from the investment in each time period t. C0 is
the initial investment, the discount rate (expected rate of return on investment) is k, and n is the
number of time periods over which the investment's costs and benefits are considered.
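As an added worked example (not part of the notes), the following Python implements the standard discounted-cash-flow NPV formula with the symbols defined above, and reproduces the notes' figure that 100 units at 5 percent grows to about 128 in five years. The cash-flow scenario for a security tool is constructed for illustration.

```python
"""Net present value (NPV) of a security investment.

Added example, not from the lecture notes. It uses the standard
discounted-cash-flow NPV formula with the notes' symbols:
    B_t, C_t : benefits and costs in period t (t = 1..n)
    C_0      : the initial investment at t = 0
    k        : discount rate (expected rate of return)
    n        : number of periods
    NPV = -C_0 + sum_{t=1}^{n} (B_t - C_t) / (1 + k)^t
"""
from typing import Sequence


def future_value(amount: float, k: float, n: int) -> float:
    """Value of `amount` after n periods of compounding at rate k."""
    return amount * (1.0 + k) ** n


def npv(c0: float, benefits: Sequence[float], costs: Sequence[float], k: float) -> float:
    """NPV of an investment with initial outlay c0 and per-period B_t, C_t."""
    if len(benefits) != len(costs):
        raise ValueError("benefits and costs must cover the same periods")
    total = -c0
    for t, (b_t, c_t) in enumerate(zip(benefits, costs), start=1):
        total += (b_t - c_t) / (1.0 + k) ** t
    return total


def break_even_benefit(c0: float, k: float, n: int) -> float:
    """Smallest single payoff in period n that makes the project worthwhile:
    the amount c0 would have earned if invested at k instead (notes: ~128)."""
    return future_value(c0, k, n)


# Constructed scenario: a 100-unit security tool (licence plus training) that
# is expected to avoid a 45-unit loss each year for five years, with 5 units
# per year of ongoing cost (maintenance, staff time), at a 5% discount rate.
SCENARIO = {
    "c0": 100.0,
    "benefits": [45.0] * 5,
    "costs": [5.0] * 5,
    "k": 0.05,
}


def scenario_npv() -> float:
    """NPV of the constructed scenario; positive means economically viable."""
    return npv(**SCENARIO)


if __name__ == "__main__":
    print(f"100 units at 5% for 5 years grows to {future_value(100, 0.05, 5):.2f}")
    print(f"NPV of constructed scenario: {scenario_npv():.2f}")
```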
IV. Measuring and Quantifying Economic Value
Cybersecurity threats and risks are notoriously hard to quantify and estimate. Some vulnerabilities,
such as buffer overflows, are well understood, and we can scrutinize our systems to find and fix them.
But other vulnerabilities are less understood or not yet apparent. For example, how do you predict the
likelihood that a hacker will attack a network, and how do you know the precise value of the assets
the hacker will compromise? Even for events that have happened (such as widespread virus attacks)
estimates of the damage vary widely, so how can we be expected to estimate the costs of events that
have not happened? Unfortunately, quantification and estimation are exactly what security officers
must do to justify spending on security. Every security officer can describe a worst-case scenario
under which losses are horrific. But such arguments tend to have a diminishing impact: After
management has spent money to counter one possible serious threat that did not occur, it is reluctant
to spend again to cover another possible serious threat.
The Economic Impact of Cybersecurity
Understanding the economic impact of cybersecurity issues (prevention, detection, mitigation, and
recovery) requires models of economic relationships that support good decision-making. However,
realistic models must be based on data derived both from the realities of investment in cybersecurity
and consequences of actual attacks. In this section, we describe the nature of the data needed, the
actual data available for use by modelers and decision makers, and the gap between ideal and real.
For any organization, understanding the nature of the cybersecurity threat requires knowing at least
the following elements:
• number and types of assets needing protection
• number and types of vulnerabilities that exist in a system
• number and types of likely threats to a system
Data to Justify Security Action
Interest in society's reliance on information technology has spawned a related interest in cyber
security's ability to protect our information assets. However, we lack high quality descriptive data.
Data are needed to support cybersecurity decision-making at several levels.
• National and global data address national and international concerns by helping users assess how industry sectors interact within their country's economy and how cybersecurity affects the overall economy.
• Enterprise data enable us to examine how firms and enterprises apply security technologies to prevent attacks and to deal with the effects of security breaches. In particular, the data capture information about how enterprises balance their security costs with other economic demands.
• Technology data describe threats against core infrastructure technologies, enabling modelers to develop a set of least-cost responses.
Data to support economic decision-making must have the following characteristics:
Accuracy. Data are accurate when reported values are equal or acceptably close to actual
values. For example, if a company reports that it has experienced 100 attempted intrusions per
month, then the actual number of attempted intrusions should equal or be very close to 100.
Consistency. Consistent reporting requires that the same counting rules be used by all
reporting organizations and that the data be gathered under the same conditions. For example,
the counting rules should specify what is meant by an "intrusion" and whether multiple
intrusion attempts by a single malicious actor should be reported once per actor or each time
an attempt is made. Similarly, if a system consists of 50 computers and an intrusion is
attempted simultaneously by the same actor in the same way, the counting rules should
indicate whether the intrusion is counted once or 50 times.
Timeliness. Reported data should be current enough to reflect an existing situation. Some
surveys indicate that the nature of attacks has been changing over time. For instance,
Symantec's periodic threat reports [SYM06] indicate that attack behavior at the companies it
surveys has changed from mischievous hacking to serious criminal behavior. Reliance on old
data might lead security personnel to be solving yesterday's problem.
Reliability. Reliable data come from credible sources with a common understanding of
terminology. Good data sources define terms consistently, so data collected in one year are
comparable with data collected in other years.
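The Consistency point above is easy to underestimate, so here is an added example (not from the notes) that applies three different counting rules to one constructed set of detections: a single actor sweeping 50 hosts at once, another actor retrying one host, and a third unrelated actor. The rule names and the event fields are assumptions for illustration.

```python
"""Counting rules for intrusion reporting.

Added example, not from the lecture notes. The same detections produce very
different "intrusion" figures depending on the counting rule, which is why
figures from different organizations are not comparable without one. All
events below are constructed.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "when actor host technique")

# Constructed detections: actor-A hits all 50 hosts simultaneously with one
# technique; actor-B tries the same host three times over 90 minutes;
# actor-C is a single unrelated attempt later in the day.
HOSTS = [f"srv{i:02d}" for i in range(1, 51)]
T0 = datetime(2024, 1, 15, 9, 0)
EVENTS = (
    [Event(T0, "actor-A", h, "ssh-bruteforce") for h in HOSTS]
    + [Event(T0 + timedelta(minutes=m), "actor-B", "srv07", "sqli") for m in (0, 20, 90)]
    + [Event(T0 + timedelta(hours=5), "actor-C", "srv12", "phishing")]
)


def count_per_attempt(events):
    """Rule 1: every detection is one intrusion attempt."""
    return len(events)


def count_per_actor(events):
    """Rule 2: one intrusion per distinct actor, however many attempts."""
    return len({e.actor for e in events})


def count_per_campaign(events, window=timedelta(hours=1)):
    """Rule 3: attempts by the same actor with the same technique that begin
    within `window` of the campaign's first attempt count once, whatever the
    number of hosts touched (the notes' 50-computer case)."""
    campaigns = 0
    started = {}  # (actor, technique) -> start time of the current campaign
    for e in sorted(events, key=lambda ev: ev.when):
        key = (e.actor, e.technique)
        start = started.get(key)
        if start is None or e.when - start > window:
            campaigns += 1
            started[key] = e.when
    return campaigns


def report(events):
    """The three figures a survey could receive for the same month of data."""
    return {
        "per_attempt": count_per_attempt(events),
        "per_actor": count_per_actor(events),
        "per_campaign": count_per_campaign(events),
    }


if __name__ == "__main__":
    for rule, n in report(EVENTS).items():
        print(f"{rule:13s}: {n}")
```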
Comparability of Categories
There are no standards in defining, tracking, and reporting security incidents and attacks. For example, information is solicited about:
• "electronic attacks" (Australian Computer Crime and Security Survey)
• "total number of electronic crimes or network, system, or data intrusions" and "unauthorized use of computer systems" (CSI/FBI)
• "security incidents," "accidental security incidents," "malicious security incidents," and "serious security incidents" (Information Security Breaches Survey)
• "any form of security breach" (Deloitte Global Security Survey)
• "incidents that resulted in an unexpected or unscheduled outage of critical business systems" (Ernst and Young Global Information Security Survey)
Sources of Attack
Even the sources of attack are problematic. The Australian survey notes that the rate of insider attacks
has remained constant, but the Deloitte survey suggests that the rate is rising within its population of
financial institutions. There is some convergence of findings, however. Viruses, Trojan horses,
worms, and malicious code pose consistent and serious threats, and most business sectors fear insider
attacks and abuse of access. Most studies indicate that phishing is a new and growing threat.
V. Modeling the Economics of Cybersecurity
Cybersecurity economics is a nascent field, bringing together elements of cybersecurity and
economics to help decision-makers understand how people and organizations invest constrained
resources in protecting their computer systems, networks, and data. Among the many questions to ask
about cybersecurity investments are these:
• How much should an organization invest in cybersecurity to protect assets of a given value?
• What is the likely impact of a security breach?
• What are the costs and benefits of sharing information?
The Role of Organizational Culture
Trust and interpersonal relations are solidly linked to economic behavior. Because interpersonal
interactions are usually embedded in the organizations in which we work and live, it is instructive to
examine the variation in organizational cultures to see how they may affect economic decision-
making, particularly about investments in cybersecurity.
We can tell that two cultures are different because they exhibit different characteristics:
symbols, heroes, rituals, and values.
Symbols are the words, gestures, pictures and objects that carry specific meanings for a group
of people using them to communicate [HOF05]. For example, a corporate security group's
culture may be manifested in jargon about PKI, IPSEC, and cryptographic algorithms.
Heroes of a culture are those people whose behaviors are highly prized, serving as role models for the
others in the group. We often laud our heroes as ACM or IEEE Fellows, as recipients of medals or
prizes, or as honored speakers at conferences and workshops.
Rituals are activities performed by all the group's members that are socially essential but not
necessary to the business. For example, group meetings to introduce new members are often
ways of teaching the language and symbols to newcomers but are not always essential for
getting work done.
Process versus results. An organization that is process oriented reflects the value that if good
practices are enacted properly, the desired results will follow. That is, the means will lead to
acceptable ends. However, others insist that the proof of the pudding is in the eating; even if
you follow a good recipe, you still have to evaluate the result directly to verify its quality.
Security organizations that emphasize process are often focused on "best practices," training
members to develop, evaluate, and use software in prescribed ways. On the other hand,
organizations that emphasize results are focused on testing and evaluation, to ensure that
products work as advertised.
Employee versus job. An organization that values its employees is concerned about employee
satisfaction and job motivation. At the other extreme, an organization focused on the job
usually uses measures such as milestones toward completion to determine if progress is being
made.
Parochial versus professional. A parochial organization rewards its employees for meeting
goals set internally, by the organization, division, or company. A professional organization
looks outside the company to professional awards and certification authorities for ways of
rewarding its employees. For example, a professional organization would value CISSP
certification, while a parochial organization prefers in-house rewards, such as promotion.
Open versus closed. When an organization is open, it welcomes new talent from outside,
having no qualms about investing in training to help newcomers understand the symbols,
heroes, and rituals. A closed organization prefers to hire from within so that cultural values
and practices are preserved and reinforced.
Loose versus tight control. A loosely controlled organization usually allows teams to form by
themselves; employees have some flexibility in deciding with whom they want to work, and
there are few reporting requirements. In a tightly controlled organization, the managers create
the teams and impose significant reporting requirements to ensure that project progress is
being made.
Normative versus pragmatic. Normative organizations are usually focused on best practices.
They often have a standard or recommended life-cycle methodology that is imposed on all
development and maintenance projects, with supporting measures and reviews to ensure that
the methodology is being applied. By contrast, pragmatic organizations are more job-driven,
doing what it takes to get the job done, even if that means using unorthodox or untested
approaches to solving the problem. Pragmatic organizations are usually the ones that use
small groups applying "agile methods."