Discussion
Cyber Resilience can be understood as the ability of an organization to continue its business normally despite cyber incidents. This involves the concepts of information security and organizational continuity. Here cyber incidents are those incidents that adversely affect the integrity, availability and confidentiality of information and networked information technology systems, and they can be intentional or unintentional (Rodriguez et al. 2015). The objective of cyber resilience is to ensure that an organization is able to continue its normal order of work even after cyber security incidents, through the restoration of the normal IT mechanisms from backup or contingent systems. Cyber resilience is different from Cyber Security, which deals with the security of the information system, data and IT infrastructure (Björck et al. 2015). Cyber Security ensures availability, integrity and confidentiality of digital information and the IT infrastructure (such as networked computers, routing systems and servers). Good Cyber Security helps to protect against adverse cyber incidents and is therefore high on the agenda in all business and organizational sectors (Harrop and Matteson 2015).
Since the engagement of the World Economic Forum in cyber security, two main ideas have emerged: that Cyber Resilience is an issue of leadership, and that organizations must go beyond cyber security to develop a more robust and effective cyber security and cyber resilience policy (Hathaway 2013; Johnson 2015; weforum.org 2017).
Several considerations have been outlined by the World Economic Forum that can support Cyber Resilience in an organization; these include the Principles of Cyber Resilience, the Cyber Principles Toolkit, the Board Cyber Risk Framework and Board Insights on Emerging Technology Risks. This information can help to develop policies and practices that build cyber resilience and cyber security in an organization (weforum.org 2017). Discussed below are these considerations and how they can be used to develop best practices to initiate a Cyber Resilience Policy at the Corporate Board level:
The main principles that should be considered by the Corporate Board include: responsibility for cyber security and resilience, knowledge of cyber resilience, accountability, integration, risk tolerance, risk assessment and reports, planning, collaboration, reviews and effectiveness. These principles dictate the responsibilities of the corporate board to ensure cyber security and cyber resilience (Ormrod and Turnbull 2018; weforum.org 2017). Discussed next is how such principles can influence the cyber resilience policies:
The principles identified above can be used to develop a cyber resilience policy with the following implications:
1) The entire board should hold the apex responsibility for overseeing cyber security and cyber resilience in the organization, and may delegate some of the tasks to a risk committee or cyber resilience committee.
2) Orientation programs should be developed for the board to keep members up to date on trends and risks in cyber security and cyber resilience, thereby enhancing their knowledge and understanding of the subject.
3) An officer should be appointed who is accountable for monitoring and reporting cyber incidents and for assessing the ability of the organization to manage its protocols and implement its cyber resilience goals.
4) Cyber resilience policies and practices should be integrated into the business plan, including the organizational risk management practice and the budgeting and allocation of resources.
5) The board should develop an understanding of the extent to which the organization can handle or tolerate adverse cyber events, both for current and for future risks. This helps to set a benchmark for the organization.
6) The board can delegate the tasks of assessing and reporting cyber security and resilience incidents, which can then be discussed with management in board meetings.
7) A cyber resilience plan should be developed with the support of management, with the cyber security officer developing, implementing and testing cyber security protocols and practices to improve cyber resilience.
8) The board should also collaborate with stakeholders to systematize the cyber resilience process and incorporate their perspectives and expectations into it.
9) An independent system for reviewing the cyber resilience of the organization should be involved; this review can be conducted every year.
10) The board also has the responsibility to review its own performance in implementing cyber security and cyber resilience practices, and to seek advice from independent bodies as and when required to ensure continuous development of those practices (weforum.org 2017; George 2017; Wardekker et al. 2017).
Principles of the Board to ensure Cyber Resilience
The cyber principles toolkit is important in helping board members to implement better monitoring and oversight of their cyber resilience responsibilities, and in supporting a more effective implementation of those practices. The toolkit is developed on the basis of the 10 principles of resilience that can be adopted by the corporate board (Linkov and Kott 2018). Discussed below is how the toolkit can be associated with each of the principles discussed above to monitor and manage the cyber resilience of the organization:
1) To ensure responsibility for cyber resilience, the scope of the responsibilities should be discussed in detail during board meetings. This can help to determine whether the board should take complete responsibility for cyber resilience or whether it needs to be delegated to a specific committee.
2) Board members should go through an orientation program for cyber resilience when they join the organization, and should have a good knowledge of cyber security and its oversight practices. The orientation should focus on the risk perspectives of cyber security. Independent assessments can also be carried out to provide a benchmark for the organization.
3) To ensure accountability for cyber resilience, the roles and responsibilities of the cyber resilience practice should be clearly outlined, and the officer accountable for cyber resilience should be given significant influence and authority as well as adequate resources to support their work. Cyber resilience awareness and a review of resilience strategies should also be implemented.
4) Cyber resilience policies can be integrated into business practice by identifying strategies to manage and evaluate cyber risks, governing those risks, and determining the extent to which the board needs to be involved in reviewing and approving resilience strategies.
5) Risk appetite can be analyzed by measuring the costs or impact of cyber security incidents, and by considering how these values differ between organizations. Risk tolerance can also be benchmarked by measuring the extent of disruption that would occur for different types of cyber incidents.
6) Assessment and reporting of risks can be done for both current and possible future situations. Moreover, the culture of cyber security should be assessed, and communication strategies developed to inform about the damage caused to the organization by cyber incidents.
7) To develop resilience plans, the organization needs to include business continuity practice, disaster recovery strategies and response plans for cyber incidents. KPIs can be used to assess the current practices, and the board needs to ensure that the practices are adopted at every level of the organization.
8) Collaboration can be ensured by engaging with different entities (internal or external), identifying their responsibilities towards cyber resilience, developing strategies for collaboration, and understanding how the collaboration can benefit the organization as well as the potential liabilities arising from it.
9) For reviewing the cyber resilience systems, the board needs to decide how the independent reviewer will be selected, ensure the review is properly scoped, and check the independent reviewer's process plan before implementation.
10) The effectiveness of the cyber resilience plan can be assessed through periodic review, delegation of responsibilities and following a timeline for the review process. Ensuring the quality of information in the review can also enhance its effectiveness (weforum.org 2017; George 2017; Tanque and Foxwell 2018).
Toolkits for Cyber Resilience
The cyber risk framework helps the board to understand the extent to which an adverse cyber incident can affect the organization in terms of its cyber resilience (Young et al. 2016). Some components of the framework are discussed below:
The risk portfolio helps to identify the common cyber security risks an organization can face, thereby helping the board to understand how each of these risks can arise and how it can adversely affect the organization and its processes. The portfolio can also include the costs associated with each of the identified adverse security incidents, which should be updated on a regular basis. This portfolio can also be used to develop a residual portfolio of incidents that may still occur beyond the ones identified, the cost of which is incorporated into the normal expenses of the company (Malhotra 2017; Feng et al. 2015).
Common standards that can be implemented by the organization to ensure cyber resilience include: ISO/IEC 27k, the NIST Special Publication (SP) 800 Series, OCTAVE Allegro, the Federal Information Processing Standards (FIPS) by NIST, and the standards of the Payment Card Industry Security Standards Council (PCI SSC). These standards provide a system for monitoring and managing cyber security and cyber resilience within an organization (Sani et al. 2018; weforum.org 2018).
A risk assessment strategy helps to assess the risks of cyber incidents in the organization, classifying the risks according to their probability of occurrence. This can help the board to distinguish incidents which are high risk from incidents which are medium or low risk (Ross et al. 2018; Mukhopadhyay et al. 2017).
Self-assessment questionnaires are also useful for board members, as they can help to identify action priorities and develop future objectives and action plans for continuous development. Self-assessment also helps to assess the current performance and future performance requirements of the board members (weforum.org 2018; George 2017).
Several emerging trends and risks can be identified in the domain of cyber security and cyber resilience. These factors influence the success of the cyber resilience of the organization. It is therefore important for any organization to address these factors to enhance its cyber security and cyber resilience (Reetz et al. 2018). Discussed below are the key recommendations that can be used to that effect:
1) Increasing awareness of emerging risks in information technology.
2) Implementing resilience in the design of the IT infrastructure.
3) Determining an acceptable level of security to be implemented, based on the benchmarks of risk tolerance and risk appetite.
4) Developing vendor partnerships and using external technologies for the management of security risks in the organization, enabling independent and neutral reviews.
5) Developing a lifecycle for cyber security practices and new technologies, covering the design, implementation, operation, maintenance and end of life of the system, as well as its supply chain and support systems.
6) Ensuring the privacy of data.
7) Developing strategies for continuous improvement of cyber security control measures.
8) Following ethical guidelines and public policies on data security.
9) Increasing adaptability to changing needs and technologies while maintaining the level of cyber resilience (weforum.org 2018; George 2017).
It is important not only to implement cyber security successfully to ensure cyber resilience, but also to have strategies for evaluating the performance of the system and implementing continuous development to cope with emerging threats and challenges in cyber security, in order to maintain a resilient system in the organization. The important considerations are discussed next:
Continuous improvement tools help to ensure that the security framework is continually improved, which allows it to address the constantly changing and evolving nature of cyber risks and threats, preventing both existing and new types of incidents. This strategy helps to identify scope for further development in a system, implement plans to address that scope, and then review those upgrades to see if they are working properly (Rodriguez et al. 2015).
Partnerships with other organizations as well as independent bodies can help to develop a collaborative effort in building a robust and resilient system. This also ensures a greater allocation of resources and an independent system for monitoring the existing system, thus helping to ensure its efficiency and efficacy (Björck et al. 2015).
Leadership is another important aspect that needs to be considered by the board, since through effective leadership proper cyber resilience can be maintained. The board can act as the organization's leaders, leading by example so that others can follow in their work to ensure a secure and safe system (Harrop and Matteson 2015).
Conclusion:
Cyber Resilience can thus be understood as the organization's ability to continue its work even after an adverse incident has taken place. A resilient system ensures that the organization is able to recover from the adverse cyber incident and prevent any major or significant losses. However, cyber resilience is significantly dependent on cyber security, which ensures the integrity, accountability and availability of all data and IT systems in the organization. Thus, in order to ensure a resilient cyber system, effective cyber security must exist. The Board can play a pivotal role in ensuring the organization has a resilient cyber system. Cyber resilience policies can be developed around 10 key principles that can be used to develop tools and protocols for cyber resilience. These principles are also important for developing frameworks for cyber security and implementing strategies to meet not only the current but also the future cyber security needs of the organization, thus developing a robust and resilient cyber system. These aspects therefore need to be implemented in the security and resilience policy of the organization.
References:
Björck, F., Henkel, M., Stirna, J. and Zdravkovic, J., 2015. Cyber resilience–fundamentals for a definition. In New Contributions in Information Systems and Technologies (pp. 311-316). Springer, Cham.
Feng, M., Wächter, A. and Staum, J., 2015. Practical algorithms for value-at-risk portfolio optimization problems. Quantitative Finance Letters, 3(1), pp.1-9.
George, T., 2017. How to use the world economic forum’s cybersecurity principles. Risk Management, 64(6), p.33.
Harrop, W. and Matteson, A., 2015. Cyber resilience: A review of critical national infrastructure and cyber-security protection measures applied in the UK and USA. In Current and Emerging Trends in Cyber Operations (pp. 149-166). Palgrave Macmillan, London.
Hathaway, M., 2013. Cyber readiness index 1.0. Great Falls, VA: Hathaway Global Strategies LLC.
Johnson, T.A. ed., 2015. Cybersecurity: Protecting critical infrastructures from cyber attack and cyber warfare. CRC Press.
Linkov, I. and Kott, A., 2018. Fundamental Concepts of Cyber Resilience: Introduction and Overview. In Cyber Resilience of Systems and Networks (pp. 1-25). Springer, Cham.
Malhotra, Y., 2017. Advancing Cyber Risk Insurance Underwriting Model Risk Management beyond VaR to Pre-Empt and Prevent the Forthcoming Global Cyber Insurance Crisis.
Mukhopadhyay, A., Chatterjee, S., Bagchi, K.K., Kirs, P.J. and Shukla, G.K., 2017. Cyber Risk Assessment and Mitigation (CRAM) Framework Using Logit and Probit Models for Cyber Insurance. Information Systems Frontiers, pp.1-22.
Ormrod, D. and Turnbull, B., 2018, June. Cyber Resilience as an Information Operations Action to Assure the Mission. In ECCWS 2018 17th European Conference on Cyber Warfare and Security (p. 343). Academic Conferences and Publishing Limited.
Reetz, M.A., Prunty, L.B., Mantych, G.S. and Hommel, D.J., 2018. Cyber Risks: Evolving Threats, Emerging Coverages, and Ensuing Case Law. Penn State Law Review, 122(3).
Rodriguez, L., Curtis, D., Choudhury, S., Oler, K., Nordquist, P., Chen, P.Y. and Ray, I., 2015, October. Action Recommendation for Cyber Resilience. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (pp. 1620-1622). ACM.
Ross, D.M. and Edwards, C., Gemini Cyber Inc, 2018. Cyber risk assessment and management system and method. U.S. Patent Application 15/794,313.
Sani, A.S., Yuan, D., Jin, J., Gao, L., Yu, S. and Dong, Z.Y., 2018. Cyber security framework for Internet of Things-based Energy Internet. Future Generation Computer Systems.
Tanque, M. and Foxwell, H.J., 2018. Cyber Resilience for the Internet of Things. In Handbook of Research on Information and Cyber Security in the Fourth Industrial Revolution (pp. 304-335). IGI Global.
Wardekker, J.A., Wilk, B. and Brown, V., 2017. Assessing urban resilience in Rotterdam using resilience principles: Workshop report.
weforum.org, 2017. Future of Digital Economy and Society System Initiative, Advancing Cyber Resilience Principles and Tools for Boards. [online] www3.weforum.org. Available at: https://www3.weforum.org/docs/IP/2017/Adv_Cyber_Resilience_Principles-Tools.pdf [Accessed 6 Sep. 2018].
Young, D., Lopez Jr, J., Rice, M., Ramsey, B. and McTasney, R., 2016. A framework for incorporating insurance in critical infrastructure cyber risk strategies. International Journal of Critical Infrastructure Protection, 14, pp.43-57.