Cybersecurity Governance Course CH1 V1-1c


See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/370631533

Introduction to Cybersecurity Governance for Business Technology Management


Chapter 1: Basic concepts of cybersecurity

Preprint · May 2023


DOI: 10.13140/RG.2.2.36109.41444

Citations: 0 · Reads: 207

1 author:

Marc-André Léger, Concordia University Montreal (12 publications, 0 citations)


All content following this page was uploaded by Marc-André Léger on 09 May 2023.



Introduction to Cybersecurity Governance for Business Technology Management

Chapter 1: Basic concepts of cybersecurity


This chapter presents an introduction to cybersecurity from a strategic, or business, point of view. It is geared towards future managers, to give them an outlook on some of the concepts of cybersecurity that they need to be aware of. Many of them will be non-IT practitioners, but they will obviously be involved in dealing with information technology and the security aspects related to it. As part of the new reality of the business landscape, managers need to understand the basic tenets of information security and cybersecurity, cybersecurity being information security applied to cyberspace, the connected world that all organizations live in.

Cybersecurity is a critical concern for organizations of all sizes across all industries. Fundamentally, it refers to the protection of information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Today, with the increasing use of information technology (IT) and the overwhelming reliance on the digital world, cybersecurity has become an essential component of modern business operations. From the personal information of employees and customers to financial data, trade secrets and critical infrastructure, organizations need to take proactive measures to safeguard their sensitive information, and the information systems that manipulate this information, from cyber threats.

Cybersecurity involves a combination of technologies, practices, and policies aimed at preventing, detecting, and responding to cyber-attacks. It requires organizations to stay informed about emerging cyber threats, implement robust security measures, and have a well-planned response in place in the event of a breach. By investing in cybersecurity at an appropriate level, considering their risk appetite but also the available human and financial resources, organizations can reduce the risk of financial loss, damage to their reputation, and the compromise of sensitive information. Organizations need to minimize, or ideally eliminate, unacceptable risks.

The CIA triangle

The first thing that organizations must define is their cybersecurity objectives. They must determine their requirements in relation to the assets that they are trying to protect. These assets can be data, also called information when it has structure and context, business technologies, business processes and other related assets. For this book, we prefer talking about business technologies, which we define as information technologies used in a business environment, combining business processes, the information used in those business processes, and software, hardware, and networks. Business technologies contribute to creating value for the organization, more today than ever before. But from a cybersecurity point of view, organizations measure this value in terms of the CIA triangle, presented in figure 1. The CIA triangle is a fundamental concept in the field of cybersecurity that refers to the three key aspects of information security: confidentiality, integrity, and availability.

• Confidentiality refers to the protection of sensitive information from unauthorized disclosure. It is concerned with ensuring that sensitive information is only accessible to authorized individuals in an authorized context. Should information that should be confidential be disclosed, its contribution to value creation could be significantly reduced. As well, it could lead to penalties, fines or other losses.
• Integrity refers to the protection of information from unauthorized or accidental modification or destruction. It is concerned with ensuring that information remains accurate and unaltered, whether it is in transit or stored on a system. Inaccurate information will most likely contribute less to value creation or could even result in a reduction of value.
• Availability refers to the ability of authorized individuals to access information when they need to. It is concerned with ensuring that information and systems are always accessible and functioning as intended so that they can contribute to value creation.

The CIA triangle is used as a framework for evaluating and prioritizing the security measures that
organizations need to implement. For example, organizations might need to prioritize the protection
of confidential information over the protection of information availability in some cases, while in
other cases they might need to prioritize the availability of information over its confidentiality. By
understanding and balancing the three aspects of the CIA triangle, organizations can create a
comprehensive and effective cybersecurity program that protects their information and systems
from cyber threats.

In an organizational setting, information has value because it is available at the opportune time to
authorized users to do their job to fulfill their role in the organization, which contributes to the
creation of value for customers and other stakeholders, perhaps by creating or maintaining a
competitive advantage. Users in organizations need data to be available at the appropriate time. But
data can be unavailable, destroyed, or even encrypted, maybe because of a ransomware attack,
therefore becoming unavailable. That unavailability is a problem in relation to security objectives.

Figure 1: the CIA triangle

Organizations need the data to stay confidential, because there is value in controlling who has access to the information. Maybe there are privacy issues that, contractually or legally, require an organization to keep the information confidential. If the private information is divulged without authorization, leaked to people who are not authorized to access it, or stolen by a cybercriminal, then a violation of confidentiality occurs because of the privacy requirement. Organizations also need data to stay the way it is in order to be usable: the information needs to be correct to be valuable. If there is an accidental or a voluntary alteration of this information or of the data, this is a violation of integrity. These are the three basic security objectives, from a cybersecurity point of view. Of course, there may be other sources of security objectives, depending on the context of a specific organization.

The fraud triangle

Another concept that organizations must be aware of in cybersecurity is the fraud triangle.
Cybersecurity decision makers need to understand why otherwise good people sometimes do bad
things. Why do people commit crimes? Why do people commit a fraud? The fraud triangle is a
theoretical model that explains the three key elements that are present in most frauds. The three
elements of the fraud triangle are: opportunity, rationalization, and need.

The fraud triangle is used in the field of forensic accounting and fraud examination and is a useful framework for understanding the motivations and circumstances that lead individuals to commit fraud. In cybersecurity this is important because, as we will discuss later, humans are a critical element. Individuals, such as our staff and our customers, as well as cybercriminals, are potentially our biggest cybersecurity problem. They are much more difficult to control than technology. Thus we need some tools to help us understand how they affect cybersecurity.

In looking at this model, keep in mind that fraud is something different from an accident. The main difference between a fraud and an accident or an incident is the criminal intent. Hence the importance of the concept of Mens Rea, Latin for criminal intent. If I make a mistake, that is not fraudulent, but if I purposely do a bad thing to cause damages or to unduly acquire money, there is criminal intent, and potentially there is fraud. Obviously, if I'm trying to steal your money, more specifically purposefully trying to steal your money, there is a clear criminal intent. Of course, as there should always be a presumption of innocence, proving the intent beyond a reasonable doubt will always be a challenge. For fraud to happen, there needs to be a combination of three elements, which brings us to another triangle that helps us understand fraud, presented in figure 2.

Figure 2: the fraud triangle

The first component of the fraud triangle is the opportunity. Opportunity refers to the presence of a
situation in which a person has access to valuable information or resources and the ability to use
that access for personal gain. This is about the opportunity to commit a crime, to commit a fraud,
which may be caused by a lack of control or lack of internal control, lack of surveillance, lack of
adequate security mechanisms or processes that are in place. There is this opportunity to do
something nefarious, and the eventual perpetrator is aware of this opportunity.

The second component is need or pressure. Pressure refers to the existence of some form of pressure, such as financial difficulties or job dissatisfaction, that drives a person to commit fraud. It concerns what makes it tempting to take advantage of the opportunity. Perhaps I owe people money, have a debt, or really hate this company and want to get my revenge on them. Maybe I have an addiction or other issues that push me towards criminal behaviour.

The third and final component of the fraud triangle is rationalization. Rationalization refers to the justification that a person uses to convince themselves that their actions are acceptable. This may involve minimizing the harm caused by their actions or convincing themselves that they are entitled to what they are taking. It is the idea that somehow, in my mind, I can find a morally acceptable justification for my actions. This makes it OK for me to commit this act, to do this thing. Maybe it is because I'm a cybercriminal, a criminal that uses computers to commit crimes. Then it is OK because this is how I make a living, how I feed my family. Maybe I just hate a particular company and consider that they are bad people. For me then it is OK to attack them or to steal from them.

The presence of all three elements of the fraud triangle is believed to be necessary for fraud to
occur. By reducing the opportunities for fraud, addressing the underlying pressures that drive fraud,
and challenging the rationalizations that individuals use to justify their actions, organizations can
reduce the risk of fraud.

Perhaps I'm a former employee and I know that I can take advantage of some of their weaknesses, or of something that they lack. I know how to do it, and I think it's OK. I've got a good reason, because they really didn't treat me very well and they didn't pay me what I deserved. Then, to me, it is OK to do it. Maybe it's family pressure, or maybe I owe somebody a favor or I owe somebody money. To pay them back they have me do something and I feel like I do not have a choice. There are just too many examples on different TV shows and movies where you can see this happening to mention them all. As a manager making cybersecurity decisions, understanding how normal individuals can become cybercriminals may help you make better decisions when considering cybersecurity risks and how to best manage them.

The risk triangle

The third triangle that is presented in this book is the risk triangle, shown in figure 3. This model can help you understand risk. To better understand risk, it must be put in context. In a general sense, security can be defined as the absence of unacceptable risks. This signifies that there is a relationship between security and risk. Basically, security is the opposite of risk: the more risk there is, the less security there is, and the more security there is, the less risk there is. This seems straightforward as a general principle. As mentioned, those two concepts of security and risk are closely related. As well, the fraud triangle and the CIA triangle, the security objectives that were mentioned previously, all connect to the risk triangle, as is described further in the next paragraphs.

The risk triangle can be used to help organizations identify, assess, and prioritize risks, and to make
informed decisions about how to manage those risks. By understanding the relationship between
likelihood, impact, and risk, organizations can allocate their resources to the areas that are most
important and have the greatest potential to reduce the overall level of risk. The risk triangle is often
used in combination with other risk management tools and techniques, such as SWOT analysis, root
cause analysis, and scenario planning, to provide a comprehensive understanding of risks facing an
organization.

Figure 3: the risk triangle

Let's look at the risk triangle. On one side of the triangle there is the presence of a potential threat. These are the hazards, accidents, attackers, viruses, cybercriminals, and other threat agents. These are the potentially bad things that might happen or bad people that may cause problems, such as cybercriminals seeking to attack your business technologies. This is also where you find the disgruntled employees who contribute to creating risk, as per what was presented in the fraud triangle. The fraud triangle helps us understand how a disgruntled employee can self-justify what they are able to do and become a threat.

On the other side of the risk triangle there is the vulnerability, or vulnerabilities, as it is often more than just one isolated thing. Vulnerabilities are weaknesses, such as bugs, configuration errors, and other things that may be found and eventually be exploited by a threat. In the fraud triangle, the knowledge that vulnerabilities are there contributes to creating an opportunity for the cybercriminal or the disgruntled employee.

Finally, on the third side of the risk triangle you will find risk exposure. This refers to how an
organization is exposed to a potential risk. It has to do with the potential impacts or potential
damages that could occur, should the risk materialize. The impacts are connected to the CIA triangle,
as the impacts relate to the security objectives, expressed in reference to confidentiality, integrity,
and availability. This is connected because the impact is basically a negation of these security
objectives. If information needs to stay confidential, then if it becomes known, there is an impact on
confidentiality. In the same manner, integrity and availability can be impacted. Of course, there's
another potential impact as well that often needs to be considered, the potential of financial loss
should the risk materialize.

The washing machine is shown in figure 3 to illustrate the connection between cybercrime, fraud, and money laundering. Once a fraud is done, the cybercriminal will want to extract money, or somehow convert what they have stolen into a form of fiat currency. The cybercriminal will then launder the funds and try to turn them into clean money, perhaps by using multiple transactions and cryptocurrency. For example, confidential data could be stolen and then resold on the dark web for bitcoin, which is how the cybercriminal makes their money in this example. The cybercriminal may then launder this bitcoin by transferring it around the globe to hide the true origin of the funds, before converting them back to legitimate fiat currency. These are all connected, and many organizations, particularly in the financial sector, should see this as a continuum. Managers must keep in mind that it is not always about money. It is often about money, but not always. Sometimes the link to money is a distant one. As an example, a disgruntled employee might want to get revenge and would want to create havoc, without a financial gain. The same can be said about hacktivists, terrorists, or state sponsored agents motivated by ideals that are legitimate to them. It may be an oversimplification to say that it's always money. It's not always money, but most of the time the goal is to steal money, or to steal something that can be converted into money.

As mentioned previously, risk happens through the exploitation of a vulnerability by a threat agent. This is where the threat exploits, or takes advantage of, a vulnerability, resulting in the potential risk exposure becoming an actual, materialized, negative outcome, such as financial losses or material damages. Risk is realized through this process of exploitation, where something bad happens. In cybercrime it is linked to the Mens Rea: the criminal intent must play a role in taking advantage of a vulnerability. When the exploitation of the vulnerability by the threat agent occurs, the result is risk.

When risk is being managed, what is being done is illustrated by the big red arrows in figure 4. In
managing cybersecurity risks, managers are fundamentally trying to do two things:

1. Reduce the probability that the threat will exploit the vulnerability, or

2. Reduce the impact, should the exploitation happen.

Figure 4: managing risk

Those are the two main areas that cybersecurity professionals and managers are going to be looking
into to manage risk. In later chapters, this book will present some of the tools, techniques, and
processes that organizations can use to help them manage risks.

Managers must always keep in mind that in many cases, about 71% of the time according to studies,
cybercrimes are motivated by money. It's not always money, as was discussed, but most of the time
cybercriminals attack technology and business technology in two different ways:

1. In some cases, technology is the target: threat agents are attacking an IT infrastructure or an organization's business technology. They're attacking an organization's hardware or software, and that's their principal objective. Maybe they want to stop the organization from doing business, but more often the criminals want to use the IT infrastructure as part of a larger tactical goal, such as a staging ground for a distributed denial of service or even for cryptocurrency mining.

2. In other cases, technology is an instrument that is used as part of a crime, for example in cyber bullying on social media. In this example, technology is the instrument, just another tool that criminals use to commit their crime. Another example is data theft. This use of technology in cybercrime is the most common of the two categories of cybercrime.

Cyber Kill Chain

Again, most cybercrime is about making money, but it may also have other motivations, such as affecting the reputation of an organization, which can also often be a secondary effect of the actual financial crime that is taking place. While this book about cybersecurity governance focuses more on fraud and cyber-related crimes than on other potential threats, understanding how cybercrimes occur is useful. Here a model called the cyber kill chain is used to help us. There are other excellent models out there, such as the MITRE ATT&CK model; the authors chose to use this model here, but other models are presented and used in other chapters.

The cyber kill chain is a seven-step model that describes the stages of a typical cyber-attack. Some
versions of this model may have a different number of steps. The model provides a framework for
understanding the different stages of a cyber-attack and helps organizations to identify and respond
to cyber threats more effectively. It is presented in figure 5 below.

Figure 5: cyber kill chain

The cyber kill chain model is an adaptation of something the military has been using, which is known as the kill chain. It serves as a reference model to help understand how an attack occurs in a military scenario. This military model was transposed to cybercrime by the defense industry firm Lockheed Martin. What the kill chain model shows is that a cybercriminal will start with the Recon phase, short for reconnaissance, or information gathering, when the future attacker gathers information about the target, such as its network topology, systems, and vulnerabilities. In this phase of an attack, a cybercriminal will go through social media, web sites and Google search to find out as much as they can about the target company. Going through online records, public filings, web hosting data, Internet domain name records, and any other information they can find will prove useful. This is done to get as much information as they can about a potential target. This will be gradually expanded to try to find information about the technical environment, servers, infrastructure, or forward-facing services. It is typically a pretty long process. It can be short, but it would typically be long, often the longest of the whole chain. Once this is done, cybercriminals and potential attackers should have identified potential weaknesses, vulnerabilities that they can take advantage of, or potential ways that they can get into the network. Then they are going to get ready to go to war. However, they may decide not to attack and move on to a more vulnerable target. This is mentioned to remind managers that, everything else being equal, if little information is available, their organizations will be less vulnerable, at least to external threat agents.

Preparing for battle is what the Weaponization phase is about. In this phase, the attacker creates a means of delivering the attack, such as a malware payload or an exploit. It could be a Trojan horse, a virus, an e-mail for a phishing attack, or social engineering through phone calls. Whatever is the most appropriate weapon that can be made, found online, stolen, or acquired is what would be used, based on what was identified in Recon. The next step is to deliver that payload to the target system, the Delivery phase. This is when the attacker delivers the weaponized attack to the target, such as by sending an email with a malicious attachment or by exploiting a vulnerability in a website. Once the weapon is delivered, the Exploitation phase may be triggered once an opportune time to start the actual attack has been reached. This is when the attacker leverages the weaponized attack to gain access to the target's systems or data.

Maybe somebody inside the target organization was convinced, or tricked, into clicking on an e-mail or an attachment, which allowed the attacker to install nefarious software, also called malware, inside the network, on the other side of the firewall. This is the Installation phase, when the attack payload gets ready to start doing its thing, installing what it needs to install: malware, backdoors, or other malicious software on the target's systems. Once this is done, the attacker can take control and execute the planned attack in the Command and control phase. In this phase, the attacker establishes a means of communicating with the malware or other malicious software that was installed on the target's systems. Once control has been established, the actual attack occurs, and the weapon does its thing. The attacker carries out their desired actions, such as stealing data, disrupting systems, or altering information. There are many possible scenarios here, such as taking control of the computer network, transferring confidential data, encrypting or destroying data, and many others. Once the mission is completed to an acceptable level of success, the last phase is Exfiltration, getting out or ending the attack. In many cases this would be done in a manner that would minimize any footprint of what was done, unless making a big splash is part of the tactical objectives.

As mentioned, the cyber kill chain is a tool that organizations can use to help them understand, in the case of an attack, how it is done and what the process is. Managers are going to want to understand this process and see what they can do to prevent attacks or minimize their impact.

By understanding the different stages of a cyber-attack and the methods that attackers use to carry
out each stage, organizations can identify potential threats and implement appropriate
countermeasures to mitigate the risk of a successful attack. For example, organizations can
implement network segmentation, access controls, and intrusion detection systems to prevent
attackers from moving laterally within their networks and can implement incident response
procedures to quickly detect and respond to successful attacks.

The cyber kill chain is a useful tool for organizations to understand the different stages of a cyber-
attack and to help them prioritize their security efforts. However, it is important to note that the
cyber kill chain is not a one-size-fits-all model, and that different types of attacks may have different
stages or proceed in a different order. Nevertheless, the cyber kill chain provides a useful starting
point for organizations to understand the different stages of a typical cyber-attack and to develop a
comprehensive security strategy to mitigate the risk of a successful attack.
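The phase-by-phase view above is also the basis for a simple detection check. The following Python script is an added example, not code from the chapter or its author: it groups per-host alerts against the seven phases exactly as the chapter names them, flags hosts where the chain reached Installation or later, and lists the defender-visible phases that went undetected on the way there. The alert labels, the log line format and the sample log are all constructed assumptions.

```python
import re
from collections import defaultdict

# The seven phases exactly as the chapter lists them, in chain order.
PHASES = ["Recon", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and control", "Exfiltration"]
PHASE_INDEX = {phase: i for i, phase in enumerate(PHASES)}

# Phases that leave traces on the defender's own systems. Recon mostly uses
# public sources and Weaponization happens on the attacker's side, so neither
# is expected to show up in internal logs.
DEFENDER_VISIBLE = PHASES[2:]

# Hypothetical alert labels (as a SIEM might emit them) mapped to the phase
# they evidence and whether the alert means a control stopped the chain there.
ALERT_PHASE = {
    "port_scan": ("Recon", False),
    "phishing_email_blocked": ("Delivery", True),
    "phishing_email_delivered": ("Delivery", False),
    "macro_execution": ("Exploitation", False),
    "new_persistence_key": ("Installation", False),
    "beacon_to_known_c2": ("Command and control", False),
    "large_outbound_transfer": ("Exfiltration", False),
}

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) alert=(?P<alert>\S+)$")


def parse_line(line):
    """Return (timestamp, host, alert) or None for a line that does not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    return match.group("ts"), match.group("host"), match.group("alert")


def build_timelines(lines):
    """Group mapped alerts per host, ordered by timestamp (ISO strings sort)."""
    timelines = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] not in ALERT_PHASE:
            continue  # malformed or unmapped alert: no evidence of any phase
        ts, host, alert = parsed
        phase, stopped = ALERT_PHASE[alert]
        timelines[host].append((ts, phase, stopped))
    for events in timelines.values():
        events.sort()
    return dict(timelines)


def assess_host(events):
    """Summarise how far along the chain the attack got on one host."""
    seen = {phase for _, phase, _ in events}
    furthest = max(seen, key=PHASE_INDEX.get)
    # A control stopped the chain if the furthest phase was only ever blocked.
    stopped = all(s for _, p, s in events if p == furthest)
    # Defender-visible phases the chain must have passed through unseen: each
    # one is a detection gap to close (assuming the chapter's linear order).
    missed = [p for p in DEFENDER_VISIBLE
              if PHASE_INDEX[p] < PHASE_INDEX[furthest] and p not in seen]
    # From Installation on, the payload is already inside the network, so the
    # host is treated as an incident rather than a blocked attempt.
    escalate = (not stopped
                and PHASE_INDEX[furthest] >= PHASE_INDEX["Installation"])
    return {"furthest": furthest, "stopped": stopped,
            "missed_phases": missed, "escalate": escalate}


def assess_all(lines):
    """Assess every host that appears in the given log lines."""
    return {host: assess_host(events)
            for host, events in build_timelines(lines).items()}


# Constructed sample log, not real telemetry. One malformed line and one
# unmapped alert are included to show that both are ignored.
SAMPLE_LOG = """\
2023-05-09T08:12:03 host=ws-17 alert=phishing_email_delivered
2023-05-09T08:14:47 host=ws-17 alert=new_persistence_key
2023-05-09T08:15:10 host=ws-17 alert=beacon_to_known_c2
2023-05-09T08:20:00 host=ws-17 alert=unknown_noise
2023-05-09T09:01:22 host=ws-04 alert=phishing_email_blocked
2023-05-09T09:30:00 host=perimeter alert=port_scan
2023-05-09T10:02:15 host=srv-db1 alert=large_outbound_transfer
this line is not a well-formed alert
"""

if __name__ == "__main__":
    for host, result in assess_all(SAMPLE_LOG.splitlines()).items():
        print(host, result)
```

The srv-db1 case is the one managers should notice: the only evidence is at the last phase, so every earlier defender-visible phase is a detection gap.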

The human factor

The human factor has a significant impact on cybersecurity. People are the weakest link in an
organization's security chain, both through intentional malicious acts and through unintentional
actions, such as mistakes. The following are some examples of how the human factor can influence
cybersecurity:

• Social engineering: Attackers can manipulate individuals into disclosing sensitive information or providing access to systems. For example, an attacker might send an email that appears to be from a trusted source, asking the recipient to enter their password or click on a link that leads to a malware-infected website.
• Phishing attacks: Phishing attacks rely on social engineering tactics to trick individuals into
disclosing sensitive information or installing malware. For example, an attacker might send
an email that appears to be from a legitimate company, asking the recipient to update their
account information.
• Poor security practices: Individuals can inadvertently put an organization's security at risk by
using weak passwords, leaving confidential information unsecured, or neglecting to follow
security policies and procedures.
• Insider threats: Insider threats can come from employees, contractors, or other individuals
who have access to an organization's systems and data. Insiders may act maliciously, such as
by stealing sensitive information or disrupting systems, or may act inadvertently, such as by
falling for a phishing attack or exposing sensitive information.
• Lack of training: Individuals who are not trained in cybersecurity best practices may be more
likely to make mistakes that put an organization's security at risk.

To mitigate the impact of the human factor on cybersecurity, organizations can implement
employee training programs that educate employees on the importance of cybersecurity and best
practices for keeping systems and data secure. Organizations can also implement technical controls,
such as multi-factor authentication and encryption, to reduce the risk of unauthorized access to
systems and data. Additionally, organizations can implement policies and procedures that outline
acceptable use of systems and data and establish clear guidelines for responding to security
incidents. By addressing the human factor in cybersecurity, organizations can reduce the risk of
successful attacks and ensure the security of their systems and data.

At a high level, when managers are looking to prevent attacks, there are really two areas that they
can investigate, the human factor and the technical arena. The first one, the human factor, is where
organizations need to start because it is most likely the bigger problem area of the two. Not to say
that technical challenges are simple, but in many aspects, managers are probably better at dealing
with it. The biggest weakness and the most difficult variable to control is the human factor. Not that
the technical issues are without challenges, but the more objective nature of technology makes it
less chaotic than human nature. How can organizations best deal with the human factor? Hopefully,
the next few pages can provide some general guidance and recommendations in this section of the
book that will be expanded on in later chapters.

1. Implementing human-centred security policies. Cybersecurity teams need to be writing and enforcing security policies that make sense to actual, living, intelligent people working in our organizations. Organizations want to put in place something that makes sense to their stakeholders. That is, a security policy that is usable at a human level, not a 100-page security policy full of legal mumbo-jumbo. What is needed is a short, well-written, easy to understand security policy that normal people can understand and abide by. A long, unintelligible policy will not be usable and will increase risks rather than help control them.

2. Making sure that key management is leading by example. Individuals at the top of the pyramid, the highest-level management of the organization, must take ownership and be seen actively taking ownership of cybersecurity. This includes the CEO, the CFO, and a role called the CISO or Chief Information Security Officer, who is the top cybersecurity executive.

3. Have a Chief Information Security Officer with real authority and powers. The CISO must
have real power and real influence in the organization, and this must be known and seen.
You don't want to have a puppet figure in that position, just because you need to have
somebody in charge of information security. It can't be the same person as your head of
Information Technology, because then you have the fox in charge of guarding the chicken
coop. You want to have separate responsibilities here. There is a technical side and a
business side to information technology, and this is also very true in cybersecurity. But you
don't want to have the technical IT people in control, at the top level of managing your
cybersecurity.

4. Operate a cybersecurity awareness program. This is a continuous, ongoing education and awareness program. You need to put in place a formal process throughout your organization that includes cybersecurity training activities from when people first get hired and throughout their whole passage in the organization, as well as when they leave.

5. Do phishing and penetration testing. Phishing, vishing (on the phone) and many other
techniques must be part of an actual program to test your cybersecurity actively and
continuously. It is much better to identify a potential weakness and have an opportunity to
better train our users or improve our risk mitigation portfolio than to have to deal with the
aftermath of an incident.

6. Have a zero-trust mindset. In all information system related activities, through your
business processes, access management and all other related activities, network segregation
and the boundaries of your organization's networks need to be guarded. The zero-trust
architecture or zero-trust mindset is about having gates and border controls in place, not
just from a technical point of view, but as a mindset, to become part of the overall IT culture.

7. Make sure that users have minimal privileges. Along the lines of the zero-trust mindset is
making sure that the access privileges you assign are just what people need to do their
legitimate job and nothing more. Also, duties must be segregated. You don't want
somebody to be able to print checks, sign them and handle your books, because when you
allow something like that you are creating an opportunity. Remember the fraud
triangle. You don't want to create that opportunity. If people know that they can do it,
then they might, if they develop a need which they can somehow rationalize.

8. Continuously increase the organizational cybersecurity maturity and create a culture of
security. The organization wants to create and nurture this culture of security in general,
including a strong culture of cybersecurity. They want to gradually improve the level of
understanding of the value of cybersecurity by all. This is done by raising the level of
maturity of all the different stakeholders of the organization in matters of cybersecurity.
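To make the segregation-of-duties point in item 7 concrete, here is an added example (not from the chapter) of the kind of check an identity or audit team can run over role assignments: it flags any user whose combined roles grant a toxic combination of permissions, such as printing and signing checks, and lists permissions that were granted but never used, for a least-privilege review. The role catalogue, user assignments and permission names are constructed for illustration.

```python
"""Segregation-of-duties (SoD) and least-privilege review over role assignments.
Added example; roles, permissions and users below are constructed, not real data."""

# Constructed role catalogue: the permissions each role grants.
ROLE_PERMISSIONS = {
    "ap_clerk": {"print_checks"},
    "ap_approver": {"sign_checks"},
    "bookkeeper": {"reconcile_ledger"},
    # An over-broad role: on its own it lets one person print, sign and keep the books.
    "finance_admin": {"print_checks", "sign_checks", "reconcile_ledger"},
}

# Toxic combinations: pairs of permissions that no single person should hold together.
# Order matters only for the order in which findings are reported.
TOXIC_COMBINATIONS = [
    frozenset({"print_checks", "sign_checks"}),
    frozenset({"sign_checks", "reconcile_ledger"}),
    frozenset({"print_checks", "reconcile_ledger"}),
]

# Constructed user-to-role assignments to review.
ASSIGNMENTS = {
    "alice": ["ap_clerk"],                   # prints checks only: fine
    "bob": ["ap_approver", "bookkeeper"],    # signs checks AND keeps the books: conflict
    "carol": ["finance_admin"],              # one role grants every toxic pair
}


def effective_permissions(roles, catalogue=ROLE_PERMISSIONS):
    """Union of the permissions granted by all of a user's roles."""
    perms = set()
    for role in roles:
        perms |= catalogue.get(role, set())
    return perms


def sod_violations(assignments, catalogue=ROLE_PERMISSIONS, toxic=TOXIC_COMBINATIONS):
    """Return {user: [sorted toxic pairs held]} for every user holding a toxic pair."""
    findings = {}
    for user, roles in assignments.items():
        perms = effective_permissions(roles, catalogue)
        hits = [sorted(combo) for combo in toxic if combo <= perms]
        if hits:
            findings[user] = hits
    return findings


def toxic_roles(catalogue=ROLE_PERMISSIONS, toxic=TOXIC_COMBINATIONS):
    """Roles that by themselves grant a toxic pair; these should be split up."""
    return sorted(r for r, perms in catalogue.items() if any(c <= perms for c in toxic))


def unused_permissions(roles, used, catalogue=ROLE_PERMISSIONS):
    """Least-privilege review: permissions granted but not exercised in the review period."""
    return effective_permissions(roles, catalogue) - set(used)


if __name__ == "__main__":
    for user, pairs in sod_violations(ASSIGNMENTS).items():
        print(f"SoD conflict for {user}: {pairs}")
    print("roles to split:", toxic_roles())
    print("carol never used:", sorted(unused_permissions(["finance_admin"], ["print_checks"])))
```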

Defense in depth

Although we insisted on the importance of the human aspects of cybersecurity, organizations must
not minimize the importance of the technical components; both are important and need to be
managed coherently. From the more technical point of view, one approach that works is to
implement something called defense in depth. Defense in depth is a security strategy that involves
implementing multiple layers of security controls to protect against cyber threats. The idea behind
defense in depth is to create a multilayered security architecture that provides multiple lines of
defense against cyber-attacks, reducing the risk of a successful breach. The following are some
examples of security controls that can be used as part of a defense in depth strategy:

• Firewalls: Firewalls are devices that control incoming and outgoing network traffic based on
predetermined security rules. Firewalls can be used to prevent unauthorized access to an
organization's systems and data, as well as to restrict the flow of sensitive data.
• Intrusion detection and prevention systems: Intrusion detection and prevention systems
(IDPS) monitor network traffic for signs of attack and can take automated actions to prevent
or block attacks.
• Access controls: Access controls are security measures that are used to regulate who has
access to specific systems, data, or applications, and what actions they can perform. Access
controls can be implemented through technologies such as passwords, biometrics, and
smart cards.
• Encryption: Encryption is the process of transforming sensitive data into a coded form to
prevent unauthorized access or tampering. Encryption can be used to protect data at rest, in
transit, and in use.
• Network segmentation: Network segmentation is the process of dividing an organization's
network into smaller, separate segments, each of which has different security requirements.
Network segmentation can be used to restrict the spread of malware, reduce the risk of
unauthorized access, and improve the overall security of an organization's network.

By implementing multiple layers of security controls, organizations can create a defense in depth
security architecture that provides multiple lines of defense against cyber-attacks. This approach can
help organizations to detect and respond to attacks more effectively, and to reduce the risk of a
successful breach. However, it is important to remember that no single security control can provide
complete protection against cyber threats, and that defense in depth should be used in conjunction
with other security strategies, such as incident response planning and employee training, to ensure
the overall security of an organization's systems and data.

This is a concept where basically we have multiple layers: a series of layers that an attacker would
need to get through to be able to get to our data and to our systems. This strategy makes use of
several layers of safeguards. These layers may vary in number and name, but we propose a list that
includes things like physical security verification, password controls, antivirus software, firewalls,
DMZ (demilitarized zones), intrusion detection systems, intrusion prevention systems, packet filters,
access control lists in the routers and switches, proxy servers segregating your networks, virtual
private networks, logging and auditing controls and many others.

Figure 6: defense-in-depth model

The general idea is to have, as illustrated in figure 6, multiple layers that the cybercriminals or the
people attempting to commit cybercrime would need to go through. A threat to your organization
would have to go through all these layers, just like in the movie Die Hard, when the criminals are
trying to drill through the eight different levels of protection before reaching the safe, as John
McClane is trying to stop them. Having all these layers gives you time to react and opportunities to
stop the attack. You have time to react and implement your incident management plan to prevent
the risk from materializing.

Framework to spur cybersecurity success.

A cybersecurity framework is needed to help organizations implement best practices for
cybersecurity management. What is proposed is to start by working on three elements, which are
described in this section:

1. Set your intent with a cybersecurity governance strategy.
2. Position your cybersecurity leadership to have real influence.
3. Get the right cybersecurity leader for your organization.

One of the tools that organizations can use to manage information security is cybersecurity
governance. From a strategic point of view, cybersecurity governance starts with setting the intent
and putting in place a reliable framework that can help them. Organizations need to create a
security mindset. It is really a big issue, relating the governance of cybersecurity to the overall
business goals of the organization. To this end, organizations need to make sure there is somebody
in charge who has the influence to positively effect change in the organization while maintaining
credibility and respect. What leaders are going to be talking about and what organizations are going
to be doing will have an impact on users. It is the individual actions of users that will affect the
quality of cybersecurity. An example is multi-factor authentication (MFA). While it is an excellent
solution, MFA is a big change to how users connect to information systems: it means that there is an
extra step to do their work, a few extra minutes of work that is required every time they want to log
in. It is pretty much assured that users are going to resist. If anything, they will resist just because
people resist. But if you have an influential leader who will influence the stakeholders to go along
with the proposed change, then real change can occur. Then organizations will be able to do things
or propose measures that will be implementable in your organization. This can be achieved by
looking at the mindset and prioritizing the mindset over the technical skills. It is not that the
technical component is not important, but the framework helps to frame the intent and the
governance. It supports how risk is assessed and then how cybersecurity decisions are made.

On the foundations that have been laid down, the technical side puts in place the mechanisms and
operates the technologies that are required to mitigate risks. The mitigation measures need to work
together with the business and governance. Governance, risk, and compliance (GRC) is about
providing direction to the technical cybersecurity teams so they can manage the real-world aspects
of security: configuring, operating, and supporting all the different technologies that are needed in
organizations. Perhaps this is oversimplifying things from the point of view of those in technical
roles, but here we are focusing on the strategic aspects of governance and risk, so the choice to put
more weight on this aspect is deliberate. Of course, one side is not more important than the other.
They are both equally important. It is just that the strategic side needs to happen first. That is why it
is prioritized here.

Very often, the level of maturity of organizations, how ready they are to do security, is much lower
than it should be and much lower than they think it is. Getting organizations ready to face
cybersecurity challenges must start with the business side. It must be driven by the business side.
Only then can cybersecurity teams execute the plan and put in place, manage, and operate the
technical solutions. Cybersecurity governance and technical solutions both need to work together.
However, one must happen before the other.

Threat hunters, vulnerability analysts, and penetration testers all have an important cybersecurity
role. But what about accountants and auditors? They may measure the impact of incidents, and the
impact affects the whole organization, which means it affects everyone. Typically, assessing the
impact falls to somebody who has the equivalent role of an actuary in insurance, somebody who
determines what the actual impacts are. Network and operations engineers and threat hunters are
there to identify threats, and pen testers mostly identify potential vulnerabilities. Impact, however,
is really more of a business aspect: the impact for the business. Identifying the potential impacts is
done through something like a risk assessment or a business impact assessment. That is really a
business activity, more of a business and management level discussion. Who will act? Everyone. But
the people acting may be in the IT department, in network operations, in physical security, or in
many other branches of the organization, not necessarily all connected to one branch; they will be
all over the place. With this in mind, we have some recommendations for you.

Final recommendations

As was already mentioned several times, leading by example, and making sure that security is
understood as being everyone's responsibility, are the top priorities of any cybersecurity manager. In
doing this, managers need to acknowledge, understand, and accept the fact that the organization's
biggest problem and biggest vulnerability is humans: all the people in the organization, but also
those outside it that we interact with during our activities. This said, there are additional
recommendations for cybersecurity managers from a governance point of view:

• Have a balanced approach.
• Manage risk appropriately.
• Develop metrics and scorecards and use them.
• Work towards increasing the organization's cybersecurity maturity.

Organizations don't want to do too much, often looking at the costs, and technical people are often
perceived as wanting to do too much. Organizations want to do just enough, and that is the whole
idea of balance. The goal is to try to find the sweet spot where we are allocating just enough
resources to cybersecurity. But to take a balanced approach, we need to develop metrics. We need
scorecards, we need measurements.

These measurements need to be objective, and that's a problem. Most of the ways that we measure
risk are subjective, not objective. That's an issue that I have been thinking about for about 30 years
now, for which there are no simple solutions. Organizations need to assess risk and need to use
recognized methodologies to do this. But sometimes they end up using an approach that a
consultant came up with in their garage, not something that came out of scientific inquiry that has
been validated by peers. Managers need to be very attentive to how metrics and scorecards are
selected and used in their organizations. If they select the wrong tools, then everything they build
afterwards will be based on a weak and unreliable foundation. This book will be expanding, in a later
section, on the requirements for risk assessment, but at this point, we propose to end the chapter
with one last thing: organizations need to figure out what their appetite for risk is. They need to
answer a simple question:

As an organization, how much risk are we willing to take?

It is a simple question that is a big deal. Managers need to know what the real answer to this is. The
answer to this question will set the tone for every cybersecurity decision that needs to be made. To
illustrate the importance of this point, we present a short story:

I need to get insurance for my car because I might get into an accident. Where I live, which is
downtown Montreal, there are a lot of bad drivers. This is most likely true of any large city. Of
course, I think I'm a pretty good driver, as most of us probably think of ourselves, even if it is
probably not true. If I'm going to drive around town every day, I am going to have an accident. It's
100%. It is sure I will eventually have an accident, it's only a matter of time. And I'm going to lose
my car. Worst case scenario, it might be a total loss. It could be even worse. I can accidentally kill
people and then get sued for millions of dollars. But let's say that I just damage my car. We
know a nice car can easily cost 50,000. At least one nice enough for a fancy professor like me. So
potentially am I willing to lose $50,000? I know that in my case the answer is NO. Because of this I'm
going to get insurance. But then, how much am I willing to pay for insurance, how much risk am I
willing to take? Let's say I want 100% insurance. I contact an insurance company that then looks at
my risk profile. They come back and they say OK, if you want to insure this car for total loss you will
have to pay a $10,000 a year insurance premium. In my case, I would refuse, it would be too much
for me compared to the value of the car. So here, I have some idea that I am willing to take some
risks, but how much? Another solution may be to get less insurance, or maybe just sell the car and get
another one. In my case, 3000$ per year with a 1000$ deductible and a 2M$ cap on damages would
be a number that I can live with. It is my answer. That's really the difference between what I think
my risk appetite is and what it is.

What we are concerned about in cybersecurity risk management is reality, not what people say.
People always say they're not willing to take any risk for their business or for their cybersecurity.
They say they are risk averse. But then when you come up with a price it is often a different story,
just like in the car insurance story. As cybersecurity managers, we want to minimize risk to an
acceptable level. But if we are going to need to spend 100 million dollars a year, well, most companies
are going to say that they are willing to take a little bit more risk. Eventually, we will be able to
identify a good balance between the risk we are willing to take and how much money, and other
resources, we are willing to allocate to this goal. There is no magic formula to figure out what the
answer to this is.

The amount a company should spend on cybersecurity depends on several factors, such as the size
of the company, the industry it operates in, the value of its assets, and the potential cost of a breach.
There is no one-size-fits-all answer, but as a rule of thumb, it is recommended that companies
allocate between 3% and 5% of their overall IT budget to cybersecurity. Industry best practices suggest
that organizations should be spending 4% to 12% of their IT budget, the median value being 7.8%.
What this tells us is that if we are willing to take a lot of risk, what is called risk-seeking
behavior, we will spend less: in this case, for us, maybe 6%, maybe less. If we are risk averse, then we
should be spending more, maybe 8% or 9%. Some experts suggest that companies should allocate an
amount proportional to the potential damage that could result from a successful attack. Ultimately,
the right amount to spend on cybersecurity is the amount that adequately protects the company's
assets and data. Organizations have an IT budget that can be used as a baseline to determine what a
good answer might be.

Thus, organizations must determine what their real risk appetite is. In the next chapters, we are going to
be looking at best practices, methodologies and frameworks that can help organizations to manage
risk. We will try to give managers tools to help them spend money wisely and prepare their
organizations. Keep in mind that if we want peace, we need to prepare for war. We will prepare for
worst-case scenarios, but we are going to hope things work out right.
