ECE 738 Cognitive Risk Control for Physical Systems – Assignment 1 1

An account of cybersecurity failures over the last 20 years.

Shkelzen Goxhaj

McMaster University

1. How companies worldwide are failing at cybersecurity, and some inherent human difficulties.

Based on a survey by Thycotic, a provider of privileged account management (PAM), more than half of companies (58%) failed to evaluate their efforts to measure their cybersecurity investments and performance against best practices. This means that companies and governments worldwide are investing blindly in cybersecurity defenses, while total spending exceeds $100 billion a year.

After about 20 years and billions of dollars invested, organizations are still struggling with cybersecurity, and the problem is deteriorating instead of improving. The issues are not only technical. Other challenges stem from our difficulty in understanding cyberspace, which is quite different from our physical world and makes this field very counterintuitive. Since cyberspace is made of nodes and light-speed communication, concepts like distance, proximity and borders mean something very different there. It is difficult to define which entity is in charge of the security of a given part of the network. In our physical world, border security is maintained by the federal government, but this approach will not work in cyberspace. The routes that businesses use to communicate internally and with their customers are also used by attackers to steal or invade digital business property. The government cannot get in the way of the latter without getting in the way of the former. Generally speaking, using our physical world as a model for cyberspace is a recipe for failure.

Furthermore, cybersecurity policies, laws and practices are not fully developed. From this perspective, the realm is fairly young, considering that the internet has existed only for the last 25 years and is changing frequently. Therefore, we have not yet been able to develop the framework we need.

Here are some questions which we do not yet know how to answer clearly:

• What is the right division of responsibility between governments and the private sector in terms of defense?

• What standard of care should we expect companies to exercise in handling our data?

• How should regulators approach cybersecurity in their industries?

• What actions are acceptable for governments, companies, and individuals to take, and which actions are not?

• Who is responsible for software flaws?

• How do we hold individuals and organizations accountable across international boundaries?

When we have a better understanding of these questions, we will be able to develop the proper laws and framework to face cyber-attacks.

2. Other challenges

A common approach used to ensure cybersecurity is chasing the hackers, which has become a never-ending arms race in which organizations are rushing to catch up. This approach requires enormous resources and does not ensure 100% success.

A promising technology such as AI has been seen as a weapon that can be used against cyber-attacks; however, the rise of AI will also enable cyber-attacks and is expected to cause an explosion of network breaches. It is very likely to lead to an AI arms race, not very different from what we have today with traditional technologies.

Moreover, there is a human aspect to this war to ensure cyber safety. A lost laptop or an opened phishing email is something we cannot prevent; however, this is not as harmful as when criminals break into an organization's network. For example, when a criminal is involved, the cost of a breach is typically $170.00 per capita per breach, compared to about $140.00 per breach for human error. Beyond the most obvious mistakes that employees make, such as falling for phishing emails or exposing their passwords, there are other mistakes such as uploading information to third-party and collaborative platforms without taking the necessary protective measures.

3. Overview

Today's reality is that no matter how careful we are, no matter how well we design our strategies or how well we educate employees and users, we are never 100% safe against a cyber-attack. Organizations' best defense remains staying extra cautious and putting strategies in place for when attacks occur, to reduce the costs of a war which is already lost.