
European Cybersecurity Implementation: Overview

Cybersecurity is emerging within the fields of information security and traditional security to address sharp increases in cybercrime and, in some instances, evidence of cyberwarfare. Three major factors are contributing to the need for improved cybersecurity on a global basis: ubiquitous broadband, IT-centric business and society, and social stratification of IT skills. To address cybercrime and societal changes, many governments and institutions launched cybersecurity initiatives, ranging from guidance, through standardisation, to comprehensive legislation and regulation. ISACA has released the European Cybersecurity Implementation Series primarily to provide practical implementation guidance that is aligned with European requirements and good practice. This paper provides a high-level overview of implementing cybersecurity in line with existing laws, standards and other guidance. This overview paper is complemented by three detailed papers that focus on risk guidance, resilience and assurance in cybersecurity.

www.isaca.org/cyber


About ISACA®
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.

3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org

Provide feedback: www.isaca.org/EU-cyber-implementation
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

Disclaimer
ISACA has designed and created European Cybersecurity Implementation: Overview white paper (the ‘Work’) primarily as an educational resource for assurance, governance, risk and security professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, assurance, governance, risk and security professionals should apply their own professional judgement to the specific circumstances presented by the particular systems or information technology environment.

© 2014 ISACA. All Rights Reserved.

ACKNOWLEDGEMENTS

Development Team
Rolf M. von Roessing, CISA, CISM, CGEIT, CISSP, FBCI, Forfa AG, Switzerland, Lead Developer
Vilius Benetis, Ph.D., CISA, CRISC, NRDCS, Lithuania
Ivo Ivanovs, CISA, CISM, MCSE, Ernst & Young Baltic SIA, Latvia
Samuel Linares, CISA, CISM, CGEIT, CRISC, CISSP, GICSP, Industrial Cybersecurity Center (CCI), Spain
Charlie McMurdie, PricewaterhouseCoopers, UK
Andreas Teuscher, CISA, CGEIT, CRISC, Sick AG, Germany

Expert Reviewers
Jesper Hansen, CISM, CRISC, CISSP, ESL, PFA Pension, Denmark
Martins Kalkis, CISM, Latvian Mobile Telephone, Latvia
Aare Reintam, CISA, Estonian Information System Authority, Estonia
Andrea Rigoni, Intellium Ltd., UK
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium

ISACA Board of Directors
Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Adaptive Computing, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, CIPP/US, CIPP/E, CISSP, FBCS, ACA, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, ISO 27001 LA, CISSP, DHL Global Forwarding & Freight, Germany
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece

Cybersecurity Task Force
Eddie Schwartz, CISA, CISM, CISSP, MCSE, PMP, USA, Chairman
Manuel Aceves, CISA, CISM, CGEIT, CRISC, CISSP, FCITSM, Cerberian Consulting, SA de CV, Mexico
Sanjay Bahl, CISM, CIPP, India
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Brent Conran, CISA, CISM, CISSP, USA
Derek Grocke, HAMBS, Australia
Samuel Linares, CISA, CISM, CGEIT, CRISC, CISSP, GICSP, Industrial Cybersecurity Center (CCI), Spain
Marc Sachs, Verizon, USA


Introduction to the ISACA European Cybersecurity Implementation Series

Cybersecurity is emerging within the fields of information security and traditional security to address sharp increases in cybercrime and, in some instances, evidence of cyberwarfare. Cybersecurity includes the protection of information assets by addressing threats to information that is processed, stored and transported by internetworked information systems. Figure 1 shows the three major factors that are contributing to the need for improved cybersecurity on a global basis.

Figure 1: Factors Impacting the Need for Improved Cybersecurity. The three factors are Ubiquitous Broadband (Always On), IT-centric Business and Society, and Social Stratification of In-depth IT Skills. Source: Transforming Cybersecurity, ISACA, USA, 2013, figure 6

Ubiquitous broadband, IT-centric business and society, and social stratification of IT skills are changing the traditional centrally controlled and managed IT environment towards an open world in which everyone uses multiple devices and boundaries are blurred between business and private domains. At the same time, many business transactions no longer have a non-digital (paper or face-to-face) alternative. This change is accompanied by the entry of a new generation of device users into the global marketplace. The new generation has a vastly different perspective on security and predominant trust and sharing ideas that have been manifested in a multitude of social networks, sharing platforms and innovative service offerings.

To address cybercrime and societal changes, many governments and institutions launched cybersecurity initiatives, ranging from guidance, through standardisation, to comprehensive legislation and regulation.


This paper is the overview of the ISACA European Cybersecurity Implementation Series of papers that addresses cybersecurity implementation from a European perspective, including the European Union (EU)[1] and its associated countries.[2] European Cybersecurity Implementation: Overview provides a high-level overview of implementing cybersecurity good practice in line with existing laws, standards and other guidance. This overview paper is complemented by three detailed papers that focus on risk guidance, resilience and assurance in cybersecurity. The series Assurance paper also is complemented by a separate generic Audit Programme paper. Figure 2 shows the structure of the series within the context of the ISACA security publications.

Figure 2: European Cybersecurity Implementation Series in Context. ISACA Security Publications: COBIT® 5 for Information Security; Securing Mobile Devices; Transforming Cybersecurity; Responding to Targeted Cyberattacks; Creating a Culture of Security; Advanced Persistent Threats: How to Manage the Risk to Your Business; and the European Cybersecurity Implementation Series, comprising European Cybersecurity Implementation: Overview, European Cybersecurity Implementation: Risk Guidance, European Cybersecurity Implementation: Resilience, European Cybersecurity Implementation: Assurance and European Cybersecurity Implementation: Audit Programme.

[1] The European Union (EU) includes the 28 member states, e.g., France, The Netherlands and Spain, and any of their territories outside of Europe.
[2] Associated countries are linked to the EU by treaties or other agreements. Therefore, part of their cybersecurity policy and strategy may be aligned with EU guidance. Examples of associated countries include the British Channel Islands, Liechtenstein and Switzerland.


PURPOSE

The European Cybersecurity Implementation Series is designed primarily to provide practical implementation guidance that is aligned with European requirements and good practice.

TARGET AUDIENCES

The European Cybersecurity Implementation Series is organised to provide targeted insights to the various enterprise stakeholders. For example, senior managers in a business-related function may benefit from reading this Overview paper. Cybersecurity experts may want to read the more detailed papers in the series and follow up on their references. Auditors and reviewers should include this Overview and the Assurance paper in their reading and use the information in the Audit Programme paper to indicate their plans within the enterprise. Figure 3 shows the series publications and suggested target audiences.

Figure 3: Target Audiences of European Cybersecurity Implementation Series. The figure maps each of the series papers (Overview, Risk Guidance, Resilience, Assurance, Audit Programme) to its suggested target audiences: CxO/Senior Management (Business), Chief Information Officer (CIO)/IT Management, Information/Cybersecurity Practitioner, and Auditor/Reviewer.

The European cybersecurity laws and regulations are usually more stringent for industry sectors that are regulated
or classified as critical infrastructure than for unregulated industries. However, the presence of legal provisions or
regulations is not the only cybersecurity driver. Some industry sectors have experienced a higher rate of cybercrime,
cyberwarfare or industrial espionage than others.


Figure 4 shows some of the industry sectors that can benefit particularly from specific papers in the
European Cybersecurity Implementation Series. This list is by no means exhaustive, but provides
suggestions for recommended reading.

Figure 4: Industry Sectors and Target Audiences. The figure maps industry sectors (Public; Telecommunications; Finance and Insurance[5]; Health care; Critical Infrastructures; Automotive; IT service providers[6]; Audit; Consulting) to the European Cybersecurity Implementation Series publications recommended for them: Overview, Risk Guidance/Resilience/Assurance[3] and Audit Programme[4].

[3] Use this guidance in collaboration with national institutions and their individual guidance on cybersecurity.
[4] The Audit Programme paper is for practitioners or specialists tasked with performing reviews or audits.
[5] Financial institutions and insurers should also refer to their specific industry sector regulation, e.g., Basel III.
[6] IT service providers should review their client base for any inherited regulatory requirements. For the risk, resilience and assurance requirements and potential audits, these providers should also refer to ISAE 3402 and national implementations, respectively.


The European Cybersecurity Landscape

In recent years, traditional information security has been challenged by the emergence of cybercrime and cyberwarfare, which are growing rapidly. Security breaches have evolved from opportunistic attacks by individual perpetrators to targeted attacks that are often attributed to organised crime or hostile acts between nation states. The EU and its member states have launched wide-ranging programmes and initiatives to strengthen cybersecurity, responding to the challenge with a range of cybersecurity initiatives, including the following:

• The European Network and Information Security Agency (ENISA) was formed in 2004 to provide guidance and recommendations for information security. Since then, ENISA broadened its area of activity to cover cybersecurity issues.[7]
• The European Commission issued a Cybersecurity Strategy[8] that has been mirrored by a number of national strategies.[9]
• A wide range of cybersecurity-related activities in research and development, regulation and governance are occurring in the EU and member states. Following are some of these activities:
  - Directive on Network and Information Security
  - Horizon 2020 Research and Development Programme
  - Inter-organisational and international co-operation in politics and law enforcement
  - Digital Agenda for Europe 14 cybersecurity actions (see Appendix A)

To analyse, co-ordinate and apply all of these sources of valuable information, enterprises need practical implementation guidance for cybersecurity in the European context. The European Cybersecurity Implementation Series of papers uses recognised frameworks and standards to provide targeted insight about implementing cybersecurity.

CYBERSECURITY DEFINITIONS

The term ‘cybersecurity’ addresses the governance, management and assurance that go beyond standard information security. Cybersecurity focuses on specific, highly sophisticated forms of attack and covers the technical and social aspects of the attack. Many definitions exist for cybersecurity, and the term is often misunderstood. The official EU definition follows:

Cyber-security commonly refers to the safeguards and actions that can be used to protect the cyber domain, both in the civilian and military fields, from those threats that are associated with or that may harm its interdependent networks and information infrastructure. Cyber-security strives to preserve the availability and integrity of the networks and infrastructure and the confidentiality of the information contained therein.[10]

ISACA defines cybersecurity as follows:

The protection of information assets by addressing threats to information that is processed, stored and transported by internetworked information systems.[11]

In its Transforming Cybersecurity publication, ISACA further describes cybersecurity as follows:

Cybersecurity encompasses all that protects enterprises and individuals from intentional attacks, breaches and incidents as well as the consequences. In practice, cybersecurity addresses primarily those types of attack, breach or incident that are targeted, sophisticated and difficult to detect or manage. … the focus of cybersecurity is on what has become known as advanced persistent threats (APTs), cyberwarfare and their impact on enterprises and individuals.[12]

[7] See http://www.enisa.europa.eu for details.
[8] Available at http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=1667.
[9] ENISA provides an overview of national strategies at https://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/national-cyber-security-strategies-in-the-world.
[10] European Commission, “Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions—Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace,” Brussels, 2 July 2013, p. 3, http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=1667
[11] ISACA, “Cybersecurity Glossary,” 2014, http://www.isaca.org/Knowledge-Center/Documents/Glossary/Cybersecurity_Fundamentals_glossary.pdf
[12] ISACA, Transforming Cybersecurity, USA, 2013, p. 11, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Transforming-Cybersecurity-Using-COBIT-5.aspx


Enterprises should distinguish between standard (lower-level) information security and cybersecurity; the difference is in
the scope, motive, opportunity and method of the attack (see figure 5). Cybersecurity should focus on APTs to enable a
clear and targeted set of cybersecurity measures and actions. This is shown in figure 5.

Figure 5: Cyberattack Taxonomy[13]

Unsophisticated Attackers (Script Kiddies): You are attacked because you are on the Internet and have a vulnerability.
Sophisticated Attackers (Hackers): You are attacked because you are on the Internet and have information of value.
Corporate Espionage (insiders): Your current or former employee seeks financial gain from selling your IP.
State-sponsored Attacks, Advanced Persistent Threat (APT): You are targeted because of who you are, what you do, or the value of your IP.

The figure plots Risk against Attacker Resources/Sophistication, rising from Script Kiddies (Amusement/Experimentation/Nuisance) through Hackers (Money) and Insiders (Personal Gain) to State-sponsored APT (Espionage and Weaponization). The APT Life Cycle is shown as a cycle of Intelligence Gathering, Initial Exploitation, Command and Control, Privilege Escalation and Data Exfiltration. A timeline from the 1980s/1990s to 2012 lists representative attacks: BrainBoot/Morris Worm, Polymorphic Viruses, Michelangelo, Concept Macro Virus, Melissa, “I Love You”, Anna Kournikova, Sircam, Code Red and Nimda, SQL Slammer, Blaster, Sobig, MyDoom, Netsky, Sasser, Storm botnet, Koobface, Conficker, Aurora, Mariposa, Stuxnet, WikiLeaks, Anonymous, LulzSec, SpyEye/Zeus, Duqu, Flame.

Source: Responding to Targeted Cyberattacks, ISACA, USA, 2013, figure 2

For the ISACA European Cybersecurity Implementation Series, the EU and ISACA cybersecurity definitions are used jointly, to integrate all relevant aspects of cybersecurity. Adding a multi-dimensional view, such as PESTLE[14], is useful to better understand the potential impacts of cyber threats and risk. Figure 6 shows the difference between the areas covered by cybersecurity and the areas covered by traditional information security.

Figure 6: Information Security and Cybersecurity Focus (PESTLE). A radar chart over the PESTLE dimensions (Political, Economic, Social, Technical, Legal, Environmental), graded from level 1 to level 5, contrasts the area covered by Low to Medium Level Attacks (Infosec) with the wider area covered by APT Attacks (Cybersec).

[13] ISACA, Responding to Targeted Cyberattacks, USA, 2013, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Responding-to-Targeted-Cyberattacks.aspx
[14] PESTLE analysis is a detailed view of an enterprise’s Political, Economic, Social, Technical, Legal and Environmental environment. For more information, see www.pestleanalysis.com.


In addition to the cybersecurity scope that is described in the definitions and its focus on certain kinds of threats, risk and attacks, cybersecurity should be placed within the internationally agreed-upon threat levels that are declared by nation states or supranational bodies. Figure 7 shows these threat levels and the types of cyberattacks, based on their required effort and sophistication. The red rectangle denotes the type of attack and threat level usually covered by cybersecurity, whereas the remaining area is covered by information security.

Regardless of any agreed-upon definition of cybersecurity, the task remains unchanged: organisations should delineate the boundaries between standard information security and cybersecurity. The former is often subject to budget and resource restrictions; the latter faces highly intelligent attackers with motive, opportunity and often formidable skills. These facts should be taken into consideration when adopting an enterprise definition of cybersecurity.

Figure 7: Attacks and Threat Levels[15]. The vertical axis is Effort/Sophistication (LOW to HIGH); the horizontal axis is the threat level (LOW, GUARDED, ELEVATED, HIGH, SEVERE). Attack types are placed from low to high effort and sophistication: Opportunistic probes and attacks; Simple malware attacks; Complex malware attacks; Zero-day/complex exploits; Spear phishing; Directed APT; Cyberwarfare. The red rectangle in the upper-right region marks the cybersecurity scope; the remaining area is the information security scope. Source: Transforming Cybersecurity, ISACA, USA, 2013, figure 10

[15] Op cit ISACA, Transforming Cybersecurity


GOAL AND OBJECTIVES

From a European perspective, cybersecurity requires common definitions, frameworks and a sense of direction throughout all member states and associated states. Cybercrime and, in some instances, cyberwarfare have grown to the level that requires both short-term and long-term action. The EU cybersecurity strategy addresses this required action by formulating several goals and objectives and inviting industry and the private sector to contribute, as follows:[16]

• Goal: Take the lead in investing in a high level of cybersecurity and develop best practices and information sharing at the sector level and with public authorities, to ensure strong and effective protection of assets and individuals, particularly through public-private partnerships like the European Public-Private Partnership for Resilience (EP3R) and Trust in Digital Life (TDL).
• The Commission invites enterprises to: Promote cybersecurity awareness at all levels, both in business practices and in the interface with customers. In particular, enterprises should reflect on ways to make chief executive officers (CEOs) and boards of directors more accountable for ensuring cybersecurity.
• The Commission invites public and private stakeholders to: Stimulate the development and adoption of industry-led security standards, technical norms and security-by-design and privacy-by-design principles by information and communications technologies (ICT) product manufacturers and service providers, including cloud providers. New generations of software and hardware should be equipped with stronger, embedded and user-friendly security features.
• Develop industry-led standards for enterprise performance on cybersecurity, and improve the information that is available to the public by developing security labels or kite marks to help the consumer navigate the market.
• The mandate of ENISA should make it possible to increase ENISA’s links with EUROPOL and to reinforce ENISA’s links with industry stakeholders.

At the national level, many European countries have implemented the EU strategy and its consequences by formulating their own national strategies. These strategies are adapted to the national situation and needs and offer an additional sense of direction for enterprises in each member state.

Many enterprises, regardless of size and location, are still largely unaware of the threats and risk that exist in cybercrime and cyberwarfare.[17] Therefore, one of the primary issues in European cybersecurity is to create awareness among business and not-for-profit enterprises. Recent cybercrime cases have shown that the size, type of business and location of an enterprise do not influence susceptibility to attack; where cybercrime does take place, automated attack methods and a ‘dragnet’ approach often yield incidental results. In other words, even small- and medium-sized enterprises (SMEs) may become the victim of a cyberattack, regardless of being ‘uninteresting’ at first sight.

Enterprises should no longer consider themselves ‘uninteresting’, because new automated attack methods will perform global and indiscriminate ‘dragnet’ sweeps for weaknesses and vulnerabilities.

[16] Op cit European Commission
[17] For more information, see ISACA’s Advanced Persistent Threat Awareness Study Results (2014) at www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Advanced-Persistent-Threats-Awareness-Study-Results.aspx.


Although cybercrime is a known fact, many European countries are only now beginning to undertake national threat and risk assessments. Similarly, the potential for cyberwarfare that is directed at nation states in Europe has been recognised but rarely quantified. At this point in time, much of the intelligence available in the public domain has been contributed by industry[18] or independent associations and groupings.[19] Although European law enforcement has collected data and information on crime and criminal acts, co-ordinated efforts will take more time to reach the planned level.

CONSEQUENCES FOR CYBERSECURITY

To adequately address the risk and threats of cybercrime, enterprises need to embed cybersecurity, as an integral part, into their overall governance, risk management and compliance (GRC) frameworks. Embedding cybersecurity into GRC frameworks includes, but is not limited to, the following:

• Good governance that is in line with existing principles of corporate governance
• Comprehensive management of cybercrime and cyberwarfare risk and threats that is aligned with existing enterprise risk management (ERM) systems
• Compliance with existing or planned EU-level and national laws and regulations
• Resilience for organisational infrastructures and personnel
• Assurance for information, processes and related controls

An important starting point is the realisation that statements about cyberattacks should begin with ‘when’ rather than ‘if’. The very real threats cannot be ignored, nor can they be accepted, given the growing body of knowledge and planned regulation. Enterprises should work to integrate cybersecurity as a cross-functional discipline that integrates with the following:

• Information security
• Traditional corporate security, including physical
• ERM
• IT service continuity management (ITSCM) and business continuity management (BCM)
• Organisational resilience
• Information assurance

Cybersecurity should also define and maintain appropriate interfaces with related disciplines, such as:

• Critical infrastructure protection
• National emergency management
• Public incident management and disaster management

In Europe, many scenarios involve multiple actors from these disciplines. An example is conducting national emergency exercises.[20] Cyberattacks target the parts of national infrastructures that are most vulnerable. APT mitigation, therefore, addresses more than just information or IT, because many critical infrastructures are directly or indirectly accessible through control systems.

[18] See information security, cybercrime and cybersecurity surveys that are published by international consulting firms and vendors, such as the following:
• “Special Eurobarometer 390 Cyber Security Report,” July 2012, at http://ec.europa.eu/public_opinion/archives/ebs/ebs_390_en.pdf
• “Special Eurobarometer 404 Cyber Security Report,” November 2013, at http://ec.europa.eu/public_opinion/archives/ebs/ebs_404_en.pdf
• “2013 Information Security Breaches Survey Technical Report,” Department for Business Innovation & Skills, at www.gov.uk/government/uploads/system/uploads/attachment_data/file/200455/bis-13-p184-2013-information-security-breaches-survey-technical-report.pdf
• Symantec, “2013 Cost of Data Breach Study: Global Analysis,” May 2013, conducted by Ponemon Institute LLC, www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf
• CERT Division of the Software Engineering Institute (SEI) studies at www.cert.org/cybersecurity-engineering/publications/index.cfm
[19] Examples include ISACA and other industry associations.
[20] For example, see the LÜKEX exercise in Germany, which was the scenario of a widespread cyberattack on selected critical infrastructures, www.bbk.bund.de/SharedDocs/Pressemitteilungen/BBK/DE/2011/PM_Luekex_2011_IT_Sicherheit_auf_Pruefstand.html (in German).


Preparing the Business Case for Cybersecurity Implementation

Cybersecurity requires business decisions, planning and strategic guidance for implementation. Enterprises should
develop a comprehensive business case that outlines risk and rewards, cost and benefit, and the long-term perspective
on maintaining cybersecurity as a concept and process. The following subsections provide practical guidance on defining
and presenting this business case.

TRANSLATING EUROPEAN CYBERSECURITY REQUIREMENTS

In the European context, legislative and regulatory requirements for cybersecurity apply to many enterprises. These requirements need to be included in the compliance framework by applying a goals cascade in a top-down manner, as shown in figure 8. The top level—stakeholder drivers—includes strategic imperatives, such as those expressed in the Digital Agenda for Europe 14 cybersecurity actions, and any subsequent legislation or regulation. Enterprises need to adopt these rules and translate them into elements of the business case.

European requirements further influence the enterprise by addressing one of the three dimensions depicted in the goals cascade: benefits realisation, risk optimisation or resource optimisation. In practice, cybersecurity most often addresses risk. However, many cybersecurity requirements have a value dimension (e.g., reputation) and a resource implication (e.g., skills and specialisations).

For example, the implementation of a national cybersecurity law may appear to be a purely compliance-driven exercise at first sight. When analysing the enterprise, senior management will likely realise the benefits of implementing the new requirements in terms of customer confidence, reputation and—most importantly—a more favourable position with regard to cyberattacks and threats.

Enterprises translate stakeholder-driven requirements into enterprise goals, and then drill down into the corresponding IT goals. The Enabler Goals in figure 8 refer to the seven categories of enablers, which are the practical tool set provided in the COBIT 5® framework and broadly defined as anything that can help to achieve the objectives of the enterprise.

Typically, external requirements address the compliance and risk dimensions of the GRC triad. They invariably represent ‘must have’ items on the senior management agenda and provide a compelling business case.

Figure 8. Goals Cascade21 (Source: COBIT 5, ISACA, USA, 2012, figure 4). Stakeholder Drivers (Environment, Technology Evolution, ...) influence Stakeholder Needs (Benefits Realisation, Risk Optimisation, Resource Optimisation), which cascade to Enterprise Goals, then to IT-related Goals, then to Enabler Goals.

21 The goals cascade is from COBIT® 5, an internationally recognised framework for governance, risk management and compliance (GRC) in IT and related technologies. It is freely available at www.isaca.org/cobit.

© 2014 ISACA. All Rights Reserved. Personal Copy of: Mr. Ivan Pajovic, CISM 13

At the lower levels of the goals cascade, demonstrating the business case often requires additional tools. At these levels, technical interpretation and implementation of enterprise goals is an important task that supports the business case, and many enterprises choose to adopt and implement recognised standards.22 In most instances, these standards tend to be harmonised and aligned with the overarching goals and objectives that are presented by national and international strategies.

EMPIRICAL DATA

The business case for cybersecurity should be based on available data, particularly if the national situation has not been formally assessed or analysed. Enterprises should refer to official sources and academic and industry surveys that provide relevant data. Examples include the following:
• Eurobarometer23
• EUROPOL24
• United Nations cybercrime statistics25
• National statistics offices or agencies
• Incidental information drawn from various sources26
• Industry surveys conducted by commercial firms27

Most of the extant information emphasises the fact that cyberattacks are becoming more frequent and tend to have a more significant and protracted impact on enterprises. Further empirical data are often available in incidental newspaper articles that report on individual cyberattacks or cybersecurity failures.

In practice, the business case requires data about the business impact of successful (or attempted) cyberattacks. Enterprises can leverage many publicly available sources to provide a well-founded picture, sometimes by sector or size, including the following:
• Ponemon Cost of Data Breach Study28 (annual)
• Commercial information security breaches studies29 (annual to infrequent)
• Commercial information security surveys (usually annual)
• CERT studies30

Although recent survey results for Europe indicate that the costs of single incidents have decreased, the number of incidents with very high impact is rising. The average cost of cyberattacks may be less, but the risk of experiencing a ‘big one’ is becoming higher at the same time. Therefore, enterprises should carefully consider how to define their business case regarding a major cybersecurity incident that has wide-ranging media coverage and a prolonged reputational impact.

European sources indicate that cybercrime and cyberwarfare are increasing to a level where any organisation—regardless of size or type of business—can be affected. Obscurity is no longer protection, and even SMEs can be the target of an incidental or casual attack. In contrast to other world regions, the relative diversity of European laws and jurisdictions further contributes to the active threats that exist today. Therefore, empirical data deliver a comparatively strong case for cybersecurity as an indispensable defence.

Official sources and industry reporting strongly suggest that cybercrime and related attacks are on the rise. This information coincides with more frequent media coverage of major cyberattacks.

22 An example standard is ISO 27032, which provides informal guidance on cybersecurity. Likewise, the lead standards ISO 27001 and ISO 22301 provide specifications on information security management systems and business continuity management systems, respectively.
23 For examples, see “Special Eurobarometer 390 Cyber Security Report,” July 2012, at http://ec.europa.eu/public_opinion/archives/ebs/ebs_390_en.pdf, and “Special Eurobarometer 404 Cyber Security Report,” November 2013, at http://ec.europa.eu/public_opinion/archives/ebs/ebs_404_en.pdf.
24 For information about the EUROPOL European Cybercrime Centre, see https://www.europol.europa.eu/ec3.
25 For an example, see “UNODC Comprehensive Study on Cybercrime,” February 2013, at www.unodc.org/documents/organized-crime/UNODC_CCPCJ_EG.4_2013/CYBERCRIME_STUDY_210213.pdf.
26 For an example, see “Cyber Crime Originates in Europe: Statistics and Trend Report,” 4 August 2013, at http://www.pymnts.com/uncategorized/2013/cyber-crime-originates-in-europe-statistics-and-trends-report/.
27 Some of these surveys are commissioned by government agencies. For an example, see “2013 Information Security Breaches Survey Technical Report,” Department for Business Innovation & Skills, at www.gov.uk/government/uploads/system/uploads/attachment_data/file/200455/bis-13-p184-2013-information-security-breaches-survey-technical-report.pdf.
28 Symantec, “2013 Cost of Data Breach Study: Global Analysis,” May 2013, conducted by Ponemon Institute LLC, at www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf.
29 For an example, see “2013 Information Security Breaches Survey Executive Summary,” Department for Business Innovation & Skills, at www.pwc.co.uk/assets/pdf/cyber-security-2013-exec-summary.pdf.
30 Many CERT studies are available at www.cert.org/cybersecurity-engineering/publications/index.cfm.


COST-BENEFIT CONSIDERATIONS

The cost of cybersecurity can appear high when compared to standard information security. For many years, budgets—both capital expenditure and operational expenditure—have been under pressure. The cost of information security is featured almost always in surveys as a limiting factor to achieving innovation or higher levels of protection.

Much of this has changed in line with the current risk and threat landscape. The business case now addresses a changed scenario, in which targeted attacks are directed against the enterprise by well-organised individuals or groups. Therefore, security is no longer a cost item with an uncertain return. It is a necessary precaution to prevent or mitigate clearly foreseeable events. Enterprises should regard cyberattacks as a certainty rather than a probability.

When formulating the business case for cybersecurity, enterprises should include all dimensions of cost (particularly the cost of shortcomings or accepting too much risk) and benefits, such as preserving corporate reputation and integrity, including the following:
• Single cyberattack impact (maximum, high-profile incident),31 as opposed to average (low-profile incident) impact
• Non-financial implications of cyberattacks, such as reputational damage, adverse media coverage or loss of market share/stock exchange value32
• Direct and indirect liability, particularly for directors and officers of the enterprise
• Insurance premiums and other costs that are indirectly associated with cybersecurity breaches
• Post-incident cost and investment items, for example, those for recovery, specialised technical/consulting services and working the backlog

Protecting the enterprise is a legally binding part of directors’ and officers’ fiduciary duties. In the European context, good stewardship and the early recognition of risk that can endanger the enterprise are often set down as statutory or regulatory requirements, which, in turn, influence the view on business-driven benefits and the level of risk tolerated by senior management. In Europe, cybersecurity is a part of directors’ and officers’ fiduciary duties, and should be treated as such.

Historically, a large part of the security context has been based on traditional information security, which can distort the view on cybersecurity. Budgets and operating costs for information security have always been under pressure, and the return on security investment has been an ongoing issue of debate. The business case for cybersecurity should be seen from a different perspective because cyberattacks are a certainty rather than a potential occurrence.

While preparing the business case, enterprises should be aware that cybersecurity is as much of a management exercise as it is technology. The key success factors usually include enterprise measures (e.g., appropriate governance and risk management) and analysing and steering behaviour patterns. Technology supports cybersecurity, but it is a tool set that should not be an end in itself.

PRESENTING THE BUSINESS CASE

The cybersecurity business case requires translation into business language to have the necessary degree of credibility and plausibility. Presenting the business case means bridging the gap between technical language (which is often used to explain instances of cybercrime and attacks) and managerial interpretation. Bridging this gap can be a major issue, particularly where complex attack patterns and audit trails must be simplified to be accessible for non-IT management.

Cybersecurity should always focus on outcomes that are a function of the direct investment and subsequent running cost. As shown in figure 8, the benefits of good cybersecurity are often expressed as risk optimisation and resource optimisation. Therefore, the case for strengthening security is the avoidance of (otherwise inevitable) damage and impact and the fact that spending beforehand is less expensive than reactively investing after an attack or criminal act.

31 As examples, consider the Zurich Insurance Group (2011) and Swisscom (2013) incidents, which both relate to lost or stolen backup tapes containing sensitive data.
32 As an example, consider the Snapchat vulnerability (2013), which was discovered on iPhones, and the subsequent drop in market value that Snapchat experienced.


The COBIT 5 framework offers useful insights on substantiating and demonstrating business value as part of good
governance and management, and enterprises can use the goals cascade to demonstrate the benefits of cybersecurity.
Other frameworks33 and standards provide additional guidance on how to demonstrate the business value of
cybersecurity. When presenting the business case, experts and cybersecurity practitioners should ensure that they
address all aspects of the GRC triad and the goals cascade and possibly include the consequences for having the
balanced scorecard (BSC) and other measurement instruments in place.
It should further be noted that cybersecurity is not just about defending the enterprise and its information assets. In many
cases, restructuring parts or all of an enterprise IT environment in the course of strengthening cybersecurity is also an
opportunity for streamlining and optimising IT.

Cybersecurity Governance

Governance over cybersecurity has a much wider scope than governance over information security, due to the multiple facets of cybercrime and cyberwarfare. The cybersecurity governance framework covers enterprise security, social elements and technology.

Enterprises should first assess and review their existing governance arrangements, starting from the top of the enterprise, i.e., corporate governance, and moving through IT and related technologies to any existing governance arrangements in security. This step often reveals that a significant part of the enterprise is already regulated by binding provisions in legal, regulatory or compliance requirements. In many European states, governance is subject to binding external requirements in a number of areas, for example:
• Data protection and privacy
• Financial controls and the related internal control system, including financial reporting
• Government or state provisions on sensitive information (e.g., official secrets)
• Data custody and third-party processing

Enterprises that are aligning their cybersecurity governance with national and international arrangements should also mirror the following three-pillar approach34 that is being implemented across Europe:
• First pillar—Definition and categorisation of critical infrastructures, and critical infrastructure protection plans and measures
• Second pillar—Digital Agenda for Europe and associated initiatives, including legislation and regulation
• Third pillar—European cybercrime centre, similar national institutions, and support for enterprises

DETERMINE THE BUSINESS IMPACT

The potential financial and non-financial impact and consequences of cybercrime and cyberwarfare should be the basis for cybersecurity governance provisions and arrangements. This impact determines the objectives and the extent of governance that is needed for the enterprise. In practice, larger enterprises are more likely to establish fairly detailed governance, whereas SMEs might choose to be more informal in defining and describing governance.

In most European countries, cybersecurity is closely related to BCM35 and ITSCM.36 Both of these disciplines are named in official sources37 as being associated with good cybersecurity. Practitioners should adopt these disciplines to ensure alignment with emerging political and market trends.

Analysing and substantiating the potential business impact is dependent on tried and tested practical methods and techniques, which are described in more detail in the Managing Cybersecurity Risk section in this paper.
33 Many organisations in Europe use ITIL® (IT Infrastructure Library) V3 to design, maintain and control their IT service management processes, including those relating to security. If ITIL, COBIT 5 or both are used, further details are available in the Val IT framework, a legacy ISACA product now included in the overall COBIT series.
34 For an example outline of this approach, see Houdart, Jean-Baptiste, “EU Cybersecurity Policy: A Model for Global Governance,” atlantic-community.org, 6 February 2013, http://www.atlantic-community.org/-/eu-cybersecurity-policy-a-model-for-global-governance.
35 Formally described in ISO 22301 and ISO 22313 standards, with informal guidance in the Business Continuity Institute Good Practice Guidelines 2013 Global Edition: A Guide to Global Good Practice in Business Continuity.
36 Formally described in ISO 27031 and ISO 24762 standards (for disaster recovery service providers).
37 The concepts of continuity, resilience and related standards are integrated in many EU-level and national recommendations or draft statutes.


ANALYSE THREATS AND VULNERABILITIES

After the potential impact of cybersecurity-related incidents is known, enterprises need to identify the threats and vulnerabilities that may require generic or targeted governance provisions. In Europe, many of these governance provisions are stipulated as laws or regulations that cover a wide range of detail across industries and countries.

For good governance, all threats and incidents (including those deemed only remotely likely) should be identified and analysed. Cybersecurity governance arrangements should reflect the likely possibility that cybercriminals will avoid the most obvious attack angle and will look for the ‘less likely’ or weakest link in the chain rather than the most likely point of entry.

More details on analysing threats and vulnerabilities are given in the Managing Cybersecurity Risk section in this paper.

ESTABLISH TARGET-STATE CONSEQUENCES AND IMPROVEMENTS

After the enterprise determines the business impact and the existing threats and vulnerabilities, it should establish and formulate a target state for cybersecurity governance that includes consequences and improvements. The target state should adequately reflect the overarching enterprise goals and any binding external or internal requirements, in line with the business case submitted beforehand.

In the European context, most of the consequences and improvements that form the target state of governance are comparatively formal. Typically, additional policies, guidelines and key operating procedures are in place to describe, govern and control cybersecurity. Many enterprises use software-based tools to administer the multiple guiding documents and procedures that are in force. Governance that is based on principles and enablers, on the other hand, is a fairly recent development that is likely to change the approach towards cybersecurity.

IMPLEMENT PRINCIPLE- AND ENABLER-BASED GOVERNANCE

Practical cybersecurity governance should be subdivided into its objectives and the organisational functions that are affected by each objective. As a cross-functional discipline, cybersecurity always requires a co-operative approach that breaks down the silos of the business and IT. A useful starting point for linking this co-operative approach to existing frameworks and standards is provided through the enabler model in the COBIT 5 framework,38 shown in figure 9.

Figure 9. COBIT 5 Enablers (Source: COBIT® 5, ISACA, USA, 2012, figure 12). The seven enablers are: 1. Principles, Policies and Frameworks; 2. Processes; 3. Organisational Structures; 4. Culture, Ethics and Behaviour; 5. Information; 6. Services, Infrastructure and Applications; 7. People, Skills and Competencies. Enablers 5 to 7 are grouped as Resources.

The seven enablers represent all aspects of cybersecurity; the enabler model integrates the technical, social and structural components of cybersecurity governance. As an example, the Principles, Policies and Frameworks enabler represents EU and national requirements that need to be included in any practical cybersecurity governance. Likewise, the Culture, Ethics and Behaviour enabler represents human resources good practices, end-user behaviour patterns and the use of social interaction in cybersecurity.

38 More detail about how to implement cybersecurity governance based on the enabler model is given in ISACA’s Transforming Cybersecurity (2013) publication.


The other enablers can help enterprises in implementing practical governance steps rather than just providing written
guidance, which still needs to be reflected in daily business. Using the enabler-based approach ensures that the
underlying ideas and objectives of good cybersecurity governance are fully implemented and that no disconnect exists
between senior management thinking and the day-to-day business.
In enabler-based governance, enterprises should look for the potential manifestations of cybersecurity risk—whether it is
through events, near misses or unusual systems behaviour—before implementing a solution. Existing security solutions
should be systematically analysed and categorised to determine their effectiveness and value.

Managing Cybersecurity Risk

Within the GRC triad, risk management forms an important part of good practice in cybersecurity. The ISACA European Cybersecurity Implementation Series includes a paper about managing risk. A high-level overview of the Risk Guidance paper, including the cybersecurity risk management steps, is provided here.

Summary publications39 and the ENISA comprehensive glossary on risk40 contain many European concepts and terms that are related to the risk-based approach and risk management. In broad terms, the EU cybersecurity guidance concentrates on a risk-based review and analysis of cybersecurity risk that is targeted at critical infrastructures and other sectors. Specific emphasis is placed on national risk assessments that should provide the framework and context for assessing and determining actual cybercrime and cyberwarfare risk. The European perspective on risk in cybersecurity implies four steps that enterprises should perform when implementing cybersecurity steps and measures:
1. Analyse impact (with a view to business impacts and other, non-financial impacts).
2. Identify and analyse risk.42
3. Determine risk treatment.
4. Determine cybersecurity strategy options based on risk profile.

Practical guidance and tools for analysing risk in this manner are available from a number of recognised standards and frameworks, e.g., ISACA COBIT® 5 for Risk and BCI Good Practice Guidelines.43

Assess all risk that affects the critical assets, prioritise risk according to its impact and calculate the probability of being realised.41

39 See the ENISA guidebook on national cybersecurity strategies: European Network and Information Security Agency (ENISA), National Cyber Security Strategies Practical Guide on Development and Execution, Greece, December 2012.
40 See http://www.enisa.europa.eu/activities/risk-management/current-risk/risk-management-inventory/glossary.
41 See European Network and Information Security Agency (ENISA), National Cyber Security Strategies Practical Guide on Development and Execution, Greece, December 2012.
42 An overview from a European point of view is given in the “ENISA Threat Landscape 2013,” at http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape-2013-overview-of-current-and-emerging-cyber-threats.
43 Business Continuity Institute, Good Practice Guidelines 2013 Global Edition: A Guide to Global Good Practice in Business Continuity, England, 2013, www.thebci.org/index.php/resources/the-good-practice-guidelines.


ANALYSE BUSINESS IMPACT

Analysing the business, people and operational impact of cybercrime and cyberwarfare is an important prerequisite to identifying, analysing and treating risk. In Europe, various national approaches towards impact analysis exist. Enterprises should base their impact analysis on tested methodologies and techniques that have been developed at the international level.44

Enterprises should also include and consider the national context(s) in which they are conducting business. Impacts may vary widely across member states of the EU, which is reflected in the national cybersecurity strategies.

ASSESS RISK

The risk that is associated with various kinds of cybercrime and cyberwarfare is often seen as an extension of general information security risk. Practical implementation steps include risk identification, in-depth analysis and an assessment of the potential impact. In Europe, scenario-based approaches are sometimes preferred over ‘pure’ risk catalogues. However, most EU governments begin with an all-hazards approach and provide specific scenarios for the most likely types of attack or acts of war.

In terms of practical cybersecurity implementation, this means that enterprises should adapt their own risk identification and analysis process to the national approach, including the all-hazards assessment (if available) and the specific scenarios provided by each government.

RISK TREATMENT

All cybersecurity-related risk that was identified in the previous step should be categorised by possible risk treatment, which includes prevention, partial or full transfer, mitigation or formal risk acceptance. In many instances, cybersecurity will need to be event-driven, i.e., based on mitigation rather than full prevention.

Risk treatment is further dependent on the local context in EU jurisdictions. If operational risk or security risk is subject to direct or indirect legal or regulatory requirements, typical risk treatment options, such as formal acceptance, might not be available. Therefore, enterprises should examine the wider risk management context for potential indirect influences that mandate certain cybersecurity measures.

For practical implementation purposes, further detail is provided in the European Cybersecurity Implementation: Risk Guidance paper in this series and in additional recognised sources.45

DETERMINE CYBERSECURITY STRATEGY OPTIONS

Based on the risk profile and available treatment options, the residual risk should be assessed for financial and non-financial consequences of cybercrime and cyberwarfare. Enterprises should include the business case and available information on the investment and operational expenditure that is associated with various options in a cybersecurity strategy. Typically, this information will lead to a number of available options that vary in cost, complexity and residual risk:
• Minimalist—Reduce cybersecurity actions and investment to a minimum while tolerating a comparatively high level of residual risk.
• Balanced—Opt for a more comprehensive cybersecurity investment and a moderate level of residual risk.
• Conservative—Aim for a precautionary, comparatively high, cybersecurity investment with little or no tolerance for residual risk.

In most European states, several areas of risk are governed by law or by regulation, for example, data privacy, specific protection of mail traffic (traditional and electronic), and data/identity theft. Enterprises that are implementing cybersecurity in the European context should be conscious of the fact that risk relating to these and other regulated areas should not be accepted as part of residual risk.

44 Specifically, the business impact analysis (BIA) approach recommended in ISO 22301 and ISO 22313. Details on practical BIA implementation are available through secondary literature (see the Risk Guidance paper in this series).
45 For examples, see COBIT® 5 for Risk, ISO 31000 on generic risk management and ISO 27005 on information security risk assessment.


Managing Cybersecurity Resilience


Establishing and maintaining cybersecurity arrangements is an ongoing process containing governance, management
and assurance components. As cybercrime and cyberwarfare evolve, existing security arrangements require
continuous adjustment and improvement, often more than once a year.
The concept of resilience is a central element of the European view on cybersecurity. Resilience and critical
information infrastructure protection (CIIP) form the background and context for all cybersecurity initiatives.46 In the
traditional sense, ‘resilience’ means the ability of a material to revert to its original shape after it has been deformed.
In cybersecurity (and in business continuity), resilience describes the ability of an enterprise to recover and absorb
external shocks or events and their internal impacts.
Achieving cybersecurity resilience is described in more detail in the European Cybersecurity Implementation:
Resilience paper that is part of this series. In broad terms, resilience consists of a strategic and a systemic aspect.
Enterprises should consider their long-term strategy and a systemic security model to establish resilient cybersecurity.
This ensures that both the strategic ideas and the ability to change are embedded in enterprise cybersecurity thinking
and action.

SETTING CYBERSECURITY STRATEGY

The cybersecurity strategy that is adopted by an enterprise should include the work products and outcomes of previous phases of the security life cycle and any national and European input that is available through public sources, including, but not limited to, the following:
• Results of business impact analysis (BIA) and risk assessment—clustered (aggregated) risk, potential impacts and strategic options (with residual risk)
• National cybersecurity strategy context—specific risk, specific scenarios, threats and vulnerabilities analysis, etc.
• Key technologies—cloud,47 network interconnections, supervisory control and data acquisition (SCADA) and other industrial control systems,48 etc.
• Incident reporting—policies, reporting lines, authorities, etc.
• Participation in/integration with exercises—national and transnational cybersecurity exercises in Europe are conducted annually

Enterprises should further define the level of cybersecurity that is to be achieved by the strategy with an explicit reference to the level of tolerance and acceptance of potential cybersecurity incidents. In practice, some enterprises opt for a zero-tolerance approach while others favour a fatalist view (‘it will happen anyway’).49 Both extremes are unlikely to be feasible or permitted in a real-life situation. Cybersecurity strategies acknowledge and address the presence of cybercrime and cyberattacks, achieving a balance between zero tolerance and fatalist acceptance.

The cybersecurity strategy should always leverage the existing or emerging public structures50 that support cybersecurity in the private sector and/or law enforcement. In Europe, the institutional framework for cybersecurity has grown considerably over the past few years, forming an integrated and co-operative network across member states and associated countries. Enterprises should make use of these links, because many are designed as public services.51

46 For example, see the ENISA portal on CIIP and resilience at http://www.enisa.europa.eu/activities/Resilience-and-CIIP.
47 A vast amount of publicly available information from a European perspective is available. See, for example, www.enisa.europa.eu/activities/Resilience-and-CIIP/networks-and-services-resilience/cloud-computing and http://en.wikipedia.org/wiki/Cloud_Security_Alliance.
48 See the portal at www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/scada-industrial-control-systems. Further information is available from ISACA at www.isaca.org.
49 See ISACA’s Transforming Cybersecurity publication for an in-depth discussion on management views and motivations, at www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Transforming-Cybersecurity-Using-COBIT-5.aspx.
50 See, for example, Baud et al. (2014), at www.lexology.com/library/detail.aspx?g=1f872876-3d23-44e7-a8f1-92a9be8d080b, for an overview of selected EU member states.


ESTABLISHING SYSTEMIC SECURITY


Systemic security is an important concept that enterprises should apply to support their cybersecurity strategy. Any
strategy is by definition static because it projects management objectives into the near future. In practice, more agile
instruments are needed to constantly adapt and evolve cybersecurity, particularly due to rapidly emerging threats and new
types of cybercrime.
The word ‘systemic’ implies a dynamic and flexible model52 that provides adequate information about the existing level of
security and indicators of improvements and evolution. Figure 10 shows the typical system dynamics of cyberattacks. The
key factor in adapting and fine-tuning cybersecurity is the attractiveness of the target, which is in itself a result of many
influencing factors.
Whether a cybersecurity strategy works is often a direct result of system dynamics and systemic thinking: cybercrime
and cyberwarfare exploit the weakest link in the chain, so the entire chain requires constant examination. A static
strategy cannot achieve this—the strategy needs to be strengthened by monitoring and assessing the influence factors
that determine target attractiveness, and, ultimately, the probability of an attack.

Figure 10: Cybersecurity System Dynamics. System dynamics diagram with the nodes Total Employees, Number of Internal Attackers, Identified Vulnerability, Exploit Availability, Increased Attractiveness, Decreased Attractiveness, Total Change in Attractiveness, Attractiveness of Target, Attack Probability, Attacks and Detected Attacks.
Source: The Business Model for Information Security, ISACA, USA, 2010, figure 37
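The loop in figure 10 can be made concrete with a small stock-and-flow simulation. The following Python is an added illustration written for this overview, not ISACA's model and not code from the BMIS: the node names follow the figure, but the update rule, the coefficients K_UP, K_DOWN and ATTACKER_POOL, the sample Influences values and the two detection policies are all assumptions constructed for the example. It shows the point the text makes about static versus systemic strategies: with a fixed detection rate, attractiveness settles at a level set by the ratio of the reinforcing pressure (exploits, vulnerabilities, insiders) to the balancing pressure (detected attacks), whereas a policy that raises detection effort in response to what it observes drives attractiveness, and with it attack probability, down.

```python
"""Toy system-dynamics model of the loop sketched in figure 10.

Added illustration only: the node names follow the figure, but the update
rule, every coefficient and the sample values are assumptions made for the
example, not ISACA's or the BMIS's model.
"""
from dataclasses import dataclass, field
from typing import Callable, List

# Assumed gains of the two sides of the loop and the size of the attacker
# population (attack attempts per period if attractiveness were 1.0).
K_UP = 0.15
K_DOWN = 0.6
ATTACKER_POOL = 10.0


@dataclass(frozen=True)
class Influences:
    """The 'increased attractiveness' drivers from the figure (assumed 0..1 scales)."""
    exploit_availability: float      # public exploits for software in use
    identified_vulnerability: float  # known, unmitigated weaknesses
    internal_attackers: int          # malicious insiders
    total_employees: int

    def pressure(self) -> float:
        """Mean of the three drivers; the insider share stands in for the
        'Number of Internal Attackers' / 'Total Employees' pair."""
        insider_share = self.internal_attackers / self.total_employees
        return (self.exploit_availability
                + self.identified_vulnerability
                + insider_share) / 3.0


@dataclass
class State:
    attractiveness: float            # 'Attractiveness of Target', kept in 0..1
    detection_rate: float = 0.0      # share of attacks that become 'Detected Attacks'
    total_attacks: float = 0.0
    total_detected: float = 0.0
    history: List[float] = field(default_factory=list)


# A policy maps the current state to the detection rate for the next period.
Policy = Callable[[State], float]


def static_policy(rate: float) -> Policy:
    """A strategy fixed in advance: the same detection effort every period."""
    return lambda _state: rate


def adaptive_policy(start: float, gain: float, cap: float) -> Policy:
    """A systemic strategy: detection effort grows with what has been detected."""
    return lambda state: min(cap, start + gain * state.total_detected)


def step(state: State, inf: Influences) -> State:
    """One period: attractiveness -> attack probability -> attacks -> detected
    attacks -> decreased attractiveness, while the exogenous drivers feed
    increased attractiveness.  Attack probability is taken as attractiveness itself."""
    a = state.attractiveness
    attacks = a * ATTACKER_POOL
    detected = attacks * state.detection_rate
    increase = K_UP * inf.pressure() * (1.0 - a)        # reinforcing side
    decrease = K_DOWN * detected / ATTACKER_POOL        # balancing side (= K_DOWN * a * rate)
    state.attractiveness = min(1.0, max(0.0, a + increase - decrease))
    state.total_attacks += attacks
    state.total_detected += detected
    state.history.append(state.attractiveness)
    return state


def simulate(inf: Influences, policy: Policy, periods: int = 50,
             start: float = 0.2) -> State:
    """Run the loop for `periods` steps under a detection policy."""
    state = State(attractiveness=start)
    for _ in range(periods):
        state.detection_rate = policy(state)
        step(state, inf)
    return state


def equilibrium_attractiveness(inf: Influences, detection_rate: float) -> float:
    """Fixed point of the static loop, K_UP*p*(1-A) == K_DOWN*A*d, solved for A:
    attractiveness settles at the share of reinforcing pressure in total pressure."""
    up = K_UP * inf.pressure()
    return up / (up + K_DOWN * detection_rate)


# Constructed sample input, not data from the paper.
SAMPLE = Influences(exploit_availability=0.6, identified_vulnerability=0.5,
                    internal_attackers=2, total_employees=200)

if __name__ == "__main__":
    static = simulate(SAMPLE, static_policy(0.2))
    adaptive = simulate(SAMPLE, adaptive_policy(start=0.2, gain=0.05, cap=0.9))
    print(f"static:   final attractiveness {static.attractiveness:.3f}, "
          f"attacks {static.total_attacks:.1f}, "
          f"equilibrium {equilibrium_attractiveness(SAMPLE, 0.2):.3f}")
    print(f"adaptive: final attractiveness {adaptive.attractiveness:.3f}, "
          f"attacks {adaptive.total_attacks:.1f}, "
          f"final detection rate {adaptive.detection_rate:.2f}")
```

The closed-form fixed point in equilibrium_attractiveness is what makes the model useful as an indicator: under a static strategy the simulation converges to it, so the only levers that move the target's attractiveness are the drivers in Influences and the detection rate, which is exactly the set of influence factors the text says a strategy needs to monitor.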

In Europe, systemic concepts in cybersecurity are often found in management systems or life cycle concepts. Examples
include the traditional plan-do-check-act (PDCA) cycle53 and the life cycle around BCM and ITSCM. Enterprises that are
implementing cybersecurity should embed their related programmes into existing management systems. It is particularly
important to align the cybersecurity system of processes, actions and controls with the surrounding (or underlying)
information security management system (ISMS).

52
The underlying thoughts are outlined in ISACA’s Business Model for Information Security (BMIS) at www.isaca.org/bmis. Enterprises should note that the legacy BMIS has been incorporated into COBIT 5.
53
The plan-do-check-act (PDCA) (or Deming) cycle is present in most major standards and series of standards, such as ISO 27000 and ISO 22301. The business continuity and IT service continuity


Cybersecurity Assurance
Enterprises should establish and maintain reasonable assurance over their cybersecurity activities and initiatives for
GRC. Providing cybersecurity assurance involves the system of enterprise internal controls and the organisational and
logical structures that support the functioning of these controls. Enterprises should implement the following three pillars
of assurance for cybersecurity:
• Organise and structure cybersecurity assurance along three lines of defence
• Define and evolve the cybersecurity control system
• Provide assessments, audits and forensic/investigative capabilities
Further details are given in the European Cybersecurity Implementation: Assurance paper in this series.

THREE LINES OF DEFENCE


The first step for implementing cybersecurity assurance is to determine and define cybersecurity activities and
controls through the three lines of defence that are common to most European and global concepts of control
systems. Figure 11 shows an overview of these three lines and their assurance contribution.
In cybersecurity, the first line of defence—management—is often extended to include customers, business partners,
the general public and the media. The second line—risk management—is usually distributed across various ERM
functions, covering non-IT aspects of cybersecurity and technology. Within the third line—internal audit—investigative
and forensic activities are often extended to include external experts or law enforcement.
In the European context, the concept of three lines of defence is well established and implemented in most national
and EU-level concepts of cybersecurity.

Figure 11: Assurance - Three Lines of Defence
Third line—Internal Audit
• Internal controls testing
• Cybersecurity compliance
• Formal risk acceptances
• Investigation/forensics
Second line—Risk Management
• Threats, vulnerabilities, risk
• Formal risk evaluation
• Business impact analysis (BIA)
• Emerging risk
First line—Management
• Control self-assessments (CSAs)
• Attack/breach penetration testing
• Functional/technical testing
• Social/behavioral testing
• Regular management review
Source: Transforming Cybersecurity, ISACA, USA, 2013, figure 45


CYBERSECURITY CONTROL SYSTEM ASSESSMENT, AUDIT AND FORENSICS


The internal control system supporting cybersecurity assurance should be designed and implemented in a top-down
manner, mirroring the enterprise’s overall approach towards GRC. Existing information security controls should be
integrated with, and delineated from, specific cybersecurity controls to avoid duplication or contradictory control sets.
Typical cybersecurity control systems address the various assurance aspects, including the following:
• Principles, policies, frameworks54
• Processes and procedures
• Risk-related controls and indicators
• Organisational readiness
• Organisational and technical assessment
• Reporting, approvals and awareness
The architecture of any controls should follow a uniform model, such as the control model used in COBIT 5.55
As part of all levels and functions within cybersecurity, reviews and assessments form an important component in
establishing the facts and measuring the current level of protection against the desired (or prescribed) level of
cybersecurity. Enterprises should adopt an approach that is aligned with the lines of defence and specifically includes:
• Management control self-assessments (CSAs) and informal reviews
• Independent internal control reviews (ICR)—often performed by a different function or risk management
• Integration of cybersecurity assurance with the internal audit programme56
• Investigative and forensic capability
From a European perspective, external influences should be taken into account when addressing investigative or
forensic work. In many cases, national laws or regulations stipulate that law enforcement or supervisory authorities
should be involved57 in any forensic work following acts of cybercrime.

54
Principles, policies and frameworks link directly to the first enabler in the COBIT 5 assurance model. See figure 9.
55
See COBIT® 5 for Assurance for details on control architecture and control design.
56
An example of a cybersecurity audit programme is provided in the European Cybersecurity Implementation: Audit Programme paper in this series, which can be found at www.isaca.org/EU-cyber-implementation
57
There is an ongoing debate on mandatory incident reporting and intervention by public authorities in many European countries.


Appendix A—European Union 14 Cybersecurity Actions
The European Union (EU) has defined a set of 14 actions to strengthen cybersecurity across the member states.58 These
have been implemented or are being implemented at the time of publishing this paper. The actions are part of a larger
overall programme that is titled Digital Agenda for Europe.59

• Action 28: Reinforced Network and Information Security Policy
• Action 29: Combat cyber-attacks against information systems
• Action 30: Establish a European cybercrime platform
• Action 31: Analyse the usefulness of creating a European cybercrime centre
• Action 32: Strengthen the fight against cybercrime and cyber-attacks at international level
• Action 33: Support EU-wide cyber-security preparedness
• Action 34: Explore the extension of security breach notification provisions
• Action 35: Guidance on implementation of Telecoms rules on privacy
• Action 36: Support reporting of illegal content online and awareness campaigns on online safety for children
• Action 37: Foster self-regulation in the use of online services
• Action 38: Member States to establish pan-European Computer Emergency Response Teams
• Action 39: Member States to carry out cyber-attack simulations
• Action 40: Member States to implement harmful content alert hotlines
• Action 41: Member States to set up national alert platforms
• Action 123: Proposal for Directive on network and information security
• Action 124: EU Cyber-security strategy
• Action 125: Expand the Global Alliance against Child Sexual Abuse Online

58
Details for each of these actions can be found at http://ec.europa.eu/digital-agenda/en/pillar-iii-trust-security/ or by following the link attached to each listed action.
59
Digital Agenda for Europe is at http://ec.europa.eu/digital-agenda/en/


Appendix B—References for Additional Reading
Business Continuity Institute, Good Practice Guidelines 2013, Global Edition: A Guide to Global Good Practice in Business Continuity, England, 2013, www.thebci.org/index.php/resources/the-good-practice-guidelines

European Commission, “Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions—Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace,” Brussels, 2 July 2013, http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=1667

European Network and Information Security Agency (ENISA), National Cyber Security Strategies Practical Guide on Development and Execution, Greece, December 2012

ENISA, “Threat Landscape 2013—Overview of current and emerging cyber-threats,” Greece, 11 December 2013, www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape-2013-overview-of-current-and-emerging-cyber-threats

International Auditing and Assurance Standards Board, ISAE 3402 Standard for Reporting on Controls at Service Organizations

International Organisation for Standardisation (ISO), ISO/IEC 20000-2:2012 Information technology—Service management—Part 2: Guidance on the application of service management systems

ISO, ISO/IEC 22301:2012 Societal security—Business continuity management systems—Requirements

ISO, ISO/IEC 22313:2012 Societal security—Business continuity management systems—Guidance

ISO, ISO/IEC 24762:2008 Information technology—Security techniques—Guidelines for information and communications technology disaster recovery services

ISO, ISO/IEC 27001:2013 Information technology—Security techniques—Information security management systems—Requirements

ISO, ISO/IEC 27005:2011 Information technology—Security techniques—Information security risk management

ISO, ISO/IEC 27031:2011 Information technology—Security techniques—Guidelines for information and communication technology readiness for business continuity


ISO, ISO/IEC 27032:2012 Information technology—Security techniques—Guidelines for cybersecurity

ISO, ISO/IEC 31000:2009 Risk management—Principles and guidelines

ISACA, Advanced Persistent Threat Awareness Study Results, USA, 2014, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Advanced-Persistent-Threats-Awareness-Study-Results.aspx

ISACA, COBIT® 5, USA, 2012, www.isaca.org/COBIT/Pages/COBIT-5-Framework-product-page.aspx

ISACA, COBIT® 5 for Assurance, USA, 2013, www.isaca.org/COBIT/Pages/Assurance-product-page.aspx

ISACA, COBIT® 5 for Information Security, USA, 2013, www.isaca.org/COBIT/Pages/Information-Security-Product-Page.aspx

ISACA, COBIT® 5 for Risk, USA, 2013, www.isaca.org/COBIT/Pages/Risk-product-page.aspx

ISACA, European Cybersecurity Implementation: Assurance, USA, 2014

ISACA, European Cybersecurity Implementation: Audit Programme, USA, 2014

ISACA, European Cybersecurity Implementation: Resilience, USA, 2014

ISACA, European Cybersecurity Implementation: Risk Guidance, USA, 2014

ISACA, Responding to Targeted Cyberattacks, USA, 2013, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Responding-to-Targeted-Cyberattacks.aspx

ISACA, Transforming Cybersecurity, USA, 2013, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Transforming-Cybersecurity-Using-COBIT-5.aspx

