Exploring the New Era of Cybersecurity Governance

Eugen Petac
Faculty of Mathematics and Computer Science
“Ovidius” University of Constanța, Romania
epetac@univ-ovidius.ro
Petruț Duma
Faculty of Electronics, Telecommunications and Information Technology
Technical University “Gh. Asachi” of Iași, Romania
[anonimizat]

Abstract

In a digital world, cybersecurity has become very important for companies, government agencies or organizations, as well as for end-users. With its components, Data Governance (DG) and Information Technology Governance (ITG), Information Governance (IG) is a key element of Corporate Governance (CG). The characteristics and the relationships between them are analyzed in the first part of the paper. The subject of cybersecurity as part of Information Governance is addressed in the second part of the paper, discussing issues such as attack types, the relationship between attack sophistication and intruder technical knowledge, and a security framework for the identification and prevention of cyber-attacks. In the third part, the best practices for Cybersecurity Governance are synthesized. As cyber threats are scarcely diversifying and becoming more and more sophisticated, affecting an increasing number of users and organizations, the solution is a unified and coordinated approach at the organizational, regional and global level.

Key words: Cybersecurity, Information Governance, CIA triad, CSIRT.
J.E.L. classification: L8, M1, M3

1. Introduction

In a dynamic environment, Corporate Governance (CG) represents the area for achieving a company's goals, and in this sense it encompasses any management domain that can sustain the company's long-term success. “Corporate governance can be accepted as an art of management, which provides a well organized top-down communication between all abovementioned participants in a company [1].” Including the global policies and processes for optimizing and using the data, Information Governance (IG) is a core element of CG.
IG is defined by Gartner as “the specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals [2].” Data Governance (DG) and Information Technology Governance (ITG) constitute a global IG program. Establishing the frameworks and the best practices for achieving the desired business objectives based on information technology investments is the main focus of ITG. The DG approach to governance focuses on processes, methods, tools, and techniques to ensure that data is of high quality, reliable and unique. DG is the lowest level at which IG is implemented. Including elements of data quality, data management, IG policy development, business process improvement, and compliance and risk management, DG will be the core of Data Stewardship, considering topics such as metadata management, data security and authentication, the setting of Data Quality rules and policies, and data integration. In an analysis regarding Effective Data Governance, Infosys shows the following statistics regarding data [3]: “the size of global data will reach 40 zettabytes by 2020; structured data grows at a rate of 40% each year; the volume of structured and unstructured data grows at a constant rate of about 80% per year; machine-generated data will increase 15 times by 2020.” These statistics are meant to provide a new dimension for DG, as well as for Data Management (DM), as processes of creating, obtaining, transforming, sharing, protecting, documenting and preserving data.
The Information Management (IM) of an organization is completed by the IG with the integration of ITG and DG, creating a balance between the usage and the security of information. Data management is a subset of IM. The processes that enable organizations to systematise, manage and understand all types of data, including integration of IP device discovery, data sharing, infrastructure databases, events and alarms, third-party integration, automated patching, and applications, are attributes of Intelligent Information Management (IIM). The main objective of CG is an effective and secure business performance.
By incorporating it into IG, information security (IS) is an integral part of CG. But is IS not a relative term? Because IG includes “information security and protection, compliance, data governance, electronic discovery, risk management, privacy, data storage and archiving, knowledge management, business operations and management, audit, analytics, IT management, master data management, enterprise architecture, business intelligence, big data, data science, and finance [4]”, we consider the term cybersecurity to be more appropriate.
We will refer to the cyber environment and cybersecurity from the perspective provided by the International Telecommunication Union in the document ITU-T X.1205 [5]:
– “Cyber environment includes users, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.”
– “Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user's assets. Organization and user's assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user's assets against relevant security risks in the cyber environment. The general security objectives comprise the following: Availability, Integrity (which may include authenticity and non-repudiation) and Confidentiality.”
Defining risk posture, balancing global and local requirements, managing data, responding to change and applying relevant metrics are some of the reasons for which cybersecurity becomes an integral part of CG, and we can discuss a new era for CyberSecurity Governance (CSG).

2. Cybersecurity as part of Information Governance

Multi-Protocol Label Switching (MPLS) ISO/IEC 17799 [6] treats information security through the prism of three important attributes, known as the CIA triad: Confidentiality – the information is only accessible to authorized persons; Integrity – ensuring the accuracy and completeness of the methods by which information is processed; and Availability – authorized users have access to information and associated assets at opportune times.
The Federal Information Security Management Act (FISMA) defines [7] the CIA triad objectives for information and information systems: CONFIDENTIALITY – “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542]. A loss of confidentiality is the unauthorized disclosure of information. INTEGRITY – “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542]. A loss of integrity is the unauthorized modification or destruction of information. AVAILABILITY – “Ensuring timely and reliable access to and use of information…” [44 U.S.C., Sec. 3542]. A loss of availability is the disruption of access to or use of information or an information system.
Confidentiality, integrity, availability, possession or control, authenticity and utility, also known as the Parkerian hexad [8], is another model designed to guide policies for information security within an organization.
As an in-depth analysis developed by the European Union Agency for Network and Information Security (ENISA), the study “Definition of Cybersecurity Gaps and overlaps in standardisation” [9] provides the essential context needed to understand the term cybersecurity and to use it in a variety of fields. According to this study, the different domains of cybersecurity are: communications security, operations security, information security, physical security, and public/national security. The CSG takes these domains into account. Organizing the activity of IG bodies only from the perspective of information security is not enough. The International Organization for Standardization (ISO), the International Telecommunication Union (ITU), the National Institute of Standards and Technology (NIST), the Committee on National Security Systems (CNSS), the National Cybersecurity and Communications Integration Center (NCCIC), NATO and ENISA are some of the organizations that have adopted the term cybersecurity.
In addition to technology, cybersecurity also refers to the fact that people have access to the data and processes involved. The access may be authorized or unauthorized. Cyber-attackers are individuals or groups who attempt to exploit vulnerabilities for personal or financial gain by performing malicious activities. Grouped into amateurs, hackers (white, gray, or black hats) and organized hackers (cyber criminals, hacktivists, terrorists, and state-sponsored hackers), depending on their destructive intentions, cyber-attackers target both large and small businesses and organisations. The threats can also come from within organizations, from privileged users or end-users. The main objectives of cyber-attackers are to manipulate, destroy, disrupt and steal. The estimated cyber-attack fallout cost to the global economy by 2020 is $3 trillion [10].
As shown in Figure 1, the amount of knowledge required by cyber-attackers is decreasing while the sophistication of cyber-attacks is increasing.

Figure no. 1. Attack Sophistication vs. Intruder technical knowledge

Source : [11]

Among the factors that contributed to this we can mention: corporate and social media security breaches, explosive growth of computer and mobile systems and Internet availability, increase in broadband availability, low priority of security for software developers, difficulty patching vulnerabilities on all systems, graphical user interface based tools that exploit known software vulnerabilities, tools that try to exploit multiple vulnerabilities, availability of malicious software authoring and editing tools, spear phishing (hackers target employees through emails that appear to be from colleagues within their own organizations, allowing cyber criminals to steal personal information), advanced employee training (which can form insider cyber-attackers), hacktivism, botnets (a number of computers set up to forward malicious information to other computers).
Developed by Lockheed Martin as a security framework for the identification and prevention of cyber-attacks, the Cyber Kill Chain [12] is an ordered list of the seven stages of an APT (Advanced Persistent Threat) attack that allows cybersecurity experts to understand the type of cyber-attack. The Cyber Kill Chain stages are: Reconnaissance – the attacker gathers information about the target; Weaponization – the attacker creates an exploit and malicious payload to send to the target; Delivery – the attacker sends the exploit and malicious payload to the target by email or another method; Exploitation – the exploit is executed; Installation – malware and backdoors are installed on the target; Command and Control – remote control of the target is gained through a command and control channel or server; Action – the attacker performs malicious actions like information theft, or executes additional attacks on other devices from within the network by working through the Cyber Kill Chain stages again. The purpose of this framework is to provide insight into an attack and a good understanding of the attacker's strategy, mechanisms, methods and procedures, in order to decrease the chances that the adversary accomplishes the desired outcome. But the Cyber Kill Chain is not infallible. Many attack strategies are changing and follow their own rules. This is the case with web application attacks, where the attacker's approach consists of taking advantage of a vulnerability in the application itself. The solution is the new security technology named Runtime Application Self-Protection (RASP) [13].

3. Best practices for Cybersecurity Governance

Cybersecurity best practices and ways to protect data are found in the lists of professional organizations. Some of the best practices are: employ a risk-based approach to security; create a hierarchical cybersecurity policy; maintain security patches and updates; perform and test backups; use the principle of least privilege; use two-factor authentication; handle passwords securely; change the default passwords of IoT devices; apply physical security measures; apply human resource security measures; educate users; encrypt data; employ access controls; regularly test incident response; implement a network monitoring, analytics and management tool; implement network security devices; implement a comprehensive endpoint security solution.
In the CSG, setting the list of cybersecurity best practices is one of the objectives of a Computer Security Incident Response Team (CSIRT), especially one established at an organization level, such as a corporation, institution, educational or government network, region or country. The main objectives of a CSIRT are: define the incident response policies, procedures and services provided by identifying the risks; create an incident reporting capability; identify, contain and eradicate the incident; recover from the incident; investigate the incident; assist in the prevention of a reoccurrence of the incident; integrate lessons learned. CSIRT services are generally grouped into three categories: reactive (e.g. vulnerability alerts, incident handling); proactive (e.g. intrusion detection, auditing and information dissemination) and security quality management (e.g. risk analysis, disaster recovery planning, and education and training).

Figure no. 2 . CSIRTs relationships

Source : [ ]

The Forum of Incident Response and Security Teams (FIRST – www.first.org), as a global association of CSIRTs (421 teams in 86 different countries), enables incident response teams to respond more effectively to security incidents, both reactively and proactively, and brings together a variety of computer security incident response teams from government. With similar activities, the following organizations exist as regional associations of CSIRTs: ENISA – European Network and Information Security Agency (Regional Europe Union), TF-CSIRT – Task Force Collaboration of Computer Security Incident Response Teams in Europe, APCERT – Asia Pacific Computer Emergency Response Team (Regional Asia Pacific), OIC-CERT – Organization of Islamic Conference – Computer Emergency Response Team, ANSAC – ASEAN Network Security Action Council.
Originally used by Carnegie Mellon University (CMU), the term Computer Emergency Response Team (CERT) is also used [15] by some large organizations in place of CSIRT, as it has the same objectives and functions. The National Cybersecurity and Communications Integration Center (NCCIC – https://www.us-cert.gov) is the USA's flagship cyber defense, incident response, and operational integration center, with the mission to reduce the USA's risk of systemic cybersecurity and communications challenges. NCCIC shares information for industrial control systems owners, operators, and vendors (control system users), resources for information sharing and collaboration among government agencies (government users) and information for system administrators and technical users about the latest threats (home and business). The EU institutions have decided to set up a permanent Computer Emergency Response Team (CERT-EU – https://cert.europa.eu) for the EU institutions, agencies and bodies, which has good cooperation with other CERTs in the Member States and beyond, as well as with IT security companies and professionals.

4. Conclusions

The compromise of information security may affect the ability of an organization to provide services, and may lead to fraud or destruction of data, non-contractual clauses, disclosure of confidential information, impairment of credibility, etc. The cyber threats are scarcely diversifying and becoming more and more sophisticated, affecting an increasing number of users and organizations. A coordinated approach at the organizational, regional and global level allows the prevention of cyber risks and threats. Our work provides a comprehensive overview of existing definitions for cybersecurity. Communication security, operation security, information security, physical security, and public/national security are the areas identified by ENISA [9] for cybersecurity. Any security system must ensure the confidentiality, integrity and availability of information. Changes in paradigm and technology evolution have brought new concepts such as: security without frontiers, cloud computing, fog computing, big data, mobile computing, etc. The information is perishable, volatile and often uncertified by multiple sources, which is why the processing power for filtering and analyzing large volumes of data is steadily increasing. Cybersecurity becomes an integral part of corporate governance and we are discussing a new era for cybersecurity governance.
The structure of cyber-attacks is analyzed in the current work through the intrusion framework Cyber Kill Chain [12]. The framework provides insight into the attack and allows a very good understanding of the attacker's strategy, mechanisms, methods and procedures, in order to reduce the attacker's chances. Proper prevention and security against cyber-attacks is no longer an option but a necessity. The consequences of computer security incidents can be disastrous, but they can be avoided. The paper mentions best practices that provide protection against most security threats.
Established at an organization level, such as a corporation, institution, educational or government network, region or country, or as national authorities, CSIRTs provide consistent support to end users, companies, government agencies or organizations in the fight against cyber enemies. CSIRTs stand out through efficiency and competence. The weaknesses of not having a CSIRT structure within an organization are obvious. The incapacity to contain an incident can lead to repeated incidents, in a continuous cycle that can only lead to disaster. The protection of critical national infrastructures in finance, banking, transport, medicine, education, energy, eGovernment and intelligent public administration, education and a cybersecurity culture are some of the cybersecurity governance challenges.

5. References

[1] Melih Sonmez, Suat Yildırım, A Theoretical Aspect on Corporate Governance and Its Fundamental Problems: Is It a Cure or Another Problem in the Financial Markets?, Journal of Business Law and Ethics, June – December 2015, Vol. 3, No. 1 & 2, pp. 20-35, http://jblenet.com/journals/jble/Vol_3_No_1_June_2015/2.pdf, [Accessed 28 April 2018].
[2] Diogo Proença, Ricardo Vieira, José Borbinha, A maturity model for information governance, International Conference on Theory and Practice of Digital Libraries, Springer, Cham, 2016, pp. 15-26.
[3] Effective Data Governance, https://www.infosys.com/data-analytics/insights/Documents/effective-data-governance.pdf, [Accessed 28 April 2018].
[4] IGI Publishes 2014 Annual Report – Information Governance Initiative, http://iginitiative.com/igi-publishes-2014-annual-report/, [Accessed 28 April 2018].
[5] Overview of cybersecurity, ITU-T X.1205 (04/2008), https://www.itu.int/rec/T-REC-X.1205-200804-I/en, [Accessed 28 April 2018].
[6] Information technology – Security techniques – Code of practice for information security management, ISO/IEC 17799:2005, https://www.iso.org/standard/39612.html, [Accessed 28 April 2018].
[7] Laura P. Taylor, FISMA Compliance Handbook: Second Edition, Elsevier, 2013.
[8] Parker, Donn B., Fighting Computer Crime. New York, NY: John Wiley & Sons, 1998.
[9] ENISA, Definition of Cybersecurity Gaps and overlaps in standardization V1.0, December 2015, https://www.enisa.europa.eu/publications/definition-of-cybersecurity, [Accessed 28 April 2018].
[10] David Chinn, James Kaplan, and Allen Weinberg, Risk and responsibility in a hyperconnected world: Implications for enterprises, Report – January 2014, https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/risk-and-responsibility-in-a-hyperconnected-world-implications-for-enterprises, [Accessed 28 April 2018].
[11] T. Takebe, “Trends in Industrial Standards and International Standards for Industrial Automation Control System Security,” Yokogawa Technical Report English Edition Vol. 57 No. 2, 2014.
[12] Lockheed Martin, the Cyber Kill Chain® framework, https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html, [Accessed 28 April 2018].
[13] Gartner IT Glossary, Runtime Application Self-Protection (RASP), https://www.gartner.com/it-glossary/runtime-application-self-protection-rasp, [Accessed 28 April 2018].
[14] K. Clark, D. Stikvoort, E. Stofbergen and E. van den Heuvel, “A Dutch Approach to Cybersecurity through Participation,” in IEEE Security & Privacy, vol. 12, no. 5, pp. 27-34, 2014.
[15] Carnegie Mellon University, The CERT Division, https://www.sei.cmu.edu/about/divisions/cert/index.cfm, [Accessed 28 April 2018].
