Cybersecurity Governance:
How can we measure it?
Rossouw DE BRUIN, SH von SOLMS
University of Johannesburg, Johannesburg, 2109, South Africa
Tel: +27 72 455 7161, Email: debruin.rossouw@gmail.com; basievs@uj.ac.za
Abstract: Any Corporate Governance aspect involves numerous steps when it
comes to determining how efficient and effective an organization’s governance
implementations are, and Cybersecurity Governance is not much different in this regard.
As Cybersecurity Governance is a relatively new and very important concept, how to
assess the efficacy of Cybersecurity and Cybersecurity Governance implementations
is still highly debated and researched. In this article, we discuss adaptations to a
Cybersecurity Governance Maturity Model, and we also discuss a second and important
aspect related to the Cybersecurity Governance Maturity assessment: reporting. We
discuss how the maturity model can be used to create descriptive and understandable
reports for the various roles within the Board of Directors and Executive Management.
Keywords: Information Security, Information Security Governance, Cyber Security,
Cyber Security Governance, Information Technology, Maturity Model, Cyber
Security Maturity Model, Reporting Tool, ISO/IEC 27032:2012.
1. Introduction
“Cyber war has already begun. In anticipation of hostilities, nations are already preparing
the battlefield. They are hacking into each other’s networks and infrastructures, laying in
trapdoor and logic bombs—now, during peacetime. This ongoing nature of cyber war, the
blurring of peace and war, adds a dangerous new dimension of instability.” - Richard A.
Clarke and Robert K. Knake [1]
In recent times the concept of Cyberspace [2, 3] increased the interest in – and
importance of – Cybersecurity.
Cyberspace introduced numerous new threats; threats related to the inter-connectivity of
systems. These new threats stressed the importance of Cybersecurity Governance.
Numerous attempts have been made to define Cybersecurity Governance and to
understand it [4, 5, 6, 7], but the concept is probably not yet established widely
enough to help corporates in particular to safeguard their Internet-facing electronic
assets.
Boards of Directors and Executive Management have however started to realise the
importance of Cybersecurity and Cybersecurity Governance, both because of the threats
posed to their companies, as well as the demands made by Corporate Governance [8, 9].
These governance requirements have demanded models and sets of management,
measurement and monitoring tools to aid boards in understanding the efficacy of their
Cybersecurity efforts – however, these tools are yet to be properly developed.
In this paper, we propose one such model to help to improve Cybersecurity
Governance.
It is important to note that this paper is not a reflection of what Boards of Directors and
Executive Management have already done with regards to Cybersecurity Governance, nor
is it a report of Cybersecurity Governance. Rather, this paper introduces and discusses a
6. Conclusion
Cybersecurity is a consequence of the expansion of the Internet that we could have
anticipated much sooner. That expansion brought with it much-needed technological
improvements, but also security risks and security threats.
Fortunately, we have standards that place an expectation on our shoulders for the
creation of tools to assess our cybersecurity implementations. These standards, however,
do not always clearly depict how the tools should be created, nor do they define what the
tools should cater for.
This caused organisations to be confused about how Cybersecurity and Cybersecurity
Governance should be handled – and the confusion is not helped by the reports available.
In this article, we have discussed what Cybersecurity and Cybersecurity Governance are
and how they relate to Information Security.
We have also discussed the risks and threats introduced by Cybersecurity and how some
of these risks and threats have evolved from Information Security.
We have adapted a Cybersecurity Governance Maturity Model to focus on additional
organisational aspects to be measured and we have discussed the importance of a reporting
tool that can be interpreted by non-technical board members as well as by technical board
members.
There are numerous steps that should be taken when the proposed Cybersecurity
Governance Maturity Model is used and we will conclude this paper by introducing these
steps:
- Step 1: Assess the Model scope
The design purpose of the proposed model is that it is dynamic, in the sense that
organizations can remove sections, parts or components that do not fit their
organization. They can also add sections, parts or components that are missing from
the model but are needed for their organization.
- Step 2: Use the model as part of an audit session
When the organization is satisfied with the scope of the model, they should use the
model as part of their auditing sessions. If the organization does not have auditing
sessions, the model is descriptive and detailed enough to act as an auditing session
in its own right.
- Step 3: Evaluate results
Once the auditing sessions have been completed and the model has been filled in, the
head of the auditing session or the person that conducted the audit should finalize the
model by creating a dashboard for the model as discussed in [12].
- Step 4: Create Reports
Once the dashboard has been created, reports as discussed in section 5 should be
created. These reports should make use of any recommendations made by the Maturity
Model for steps that need improvement.
- Step 5: Present and Reassess
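The five steps above describe a workflow rather than a specific scoring scheme. The following Python script is an added illustration of that workflow and is not code from the paper or from the authors' model: it builds a small sections/components model, adjusts its scope (Step 1), records audit findings (Step 2), derives a dashboard (Step 3) and lists recommendations for the report (Step 4). The section and component names, the 0 to 5 maturity scale, the per-section mean and the target levels are all assumptions made for this example; the paper does not fix any of them.

```python
"""Illustrative maturity-model workflow: scope, audit fill-in, dashboard, recommendations.

Assumptions (not from the paper): components are scored on a 0-5 scale, a section's
maturity is the mean of its scored components, and any component below its target
level contributes a recommendation to the report.
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Optional

MAX_LEVEL = 5  # assumed scale; the paper does not specify one


@dataclass
class Component:
    name: str
    target: int                   # level the organisation wants to reach (assumed)
    level: Optional[int] = None   # filled in during the audit session
    recommendation: str = ""      # guidance attached to this component


@dataclass
class Section:
    name: str
    components: List[Component] = field(default_factory=list)


def build_model() -> List[Section]:
    """Constructed sample model; section and component names are illustrative only."""
    return [
        Section("Board oversight", [
            Component("Cyber risk on board agenda", target=4,
                      recommendation="Schedule regular cyber-risk briefings for the board."),
            Component("Accountable executive named", target=5,
                      recommendation="Assign and document executive ownership of cybersecurity."),
        ]),
        Section("Internet-facing assets", [
            Component("Asset inventory maintained", target=4,
                      recommendation="Establish a maintained register of Internet-facing assets."),
            Component("Patch status reviewed", target=3,
                      recommendation="Report patch status to the board periodically."),
        ]),
    ]


def remove_component(model: List[Section], section_name: str, component_name: str) -> bool:
    """Step 1: drop a component that does not fit the organisation. Returns True if removed."""
    for section in model:
        if section.name == section_name:
            before = len(section.components)
            section.components = [c for c in section.components if c.name != component_name]
            return len(section.components) < before
    return False


def add_component(model: List[Section], section_name: str, component: Component) -> None:
    """Step 1: add a missing component, creating the section if it does not exist yet."""
    for section in model:
        if section.name == section_name:
            section.components.append(component)
            return
    model.append(Section(section_name, [component]))


def record_audit(model: List[Section], findings: Dict[str, int]) -> List[str]:
    """Step 2: fill in levels from audit findings keyed by component name.
    Returns the names of components the audit left unscored, so gaps are visible."""
    missing = []
    for section in model:
        for comp in section.components:
            if comp.name in findings:
                level = findings[comp.name]
                if not 0 <= level <= MAX_LEVEL:
                    raise ValueError(f"{comp.name}: level {level} outside 0..{MAX_LEVEL}")
                comp.level = level
            else:
                missing.append(comp.name)
    return missing


def dashboard(model: List[Section]) -> Dict[str, float]:
    """Step 3: per-section maturity (mean of scored components) plus an overall mean.
    Sections with no scored components are omitted rather than reported as zero."""
    result: Dict[str, float] = {}
    scored_all: List[int] = []
    for section in model:
        scored = [c.level for c in section.components if c.level is not None]
        if scored:
            result[section.name] = round(mean(scored), 2)
            scored_all.extend(scored)
    result["overall"] = round(mean(scored_all), 2) if scored_all else 0.0
    return result


def recommendations(model: List[Section]) -> List[str]:
    """Step 4: one report line for every scored component below its target level."""
    lines = []
    for section in model:
        for c in section.components:
            if c.level is not None and c.level < c.target:
                lines.append(f"{section.name} / {c.name}: level {c.level} of target "
                             f"{c.target}. {c.recommendation}")
    return lines


if __name__ == "__main__":
    m = build_model()
    remove_component(m, "Internet-facing assets", "Patch status reviewed")
    record_audit(m, {"Cyber risk on board agenda": 2, "Accountable executive named": 5,
                     "Asset inventory maintained": 3})
    print(dashboard(m))
    for line in recommendations(m):
        print(line)
```

The unscored-component list returned by `record_audit` is the part worth keeping in practice: a dashboard that silently averages only what was scored can look healthier than the audit actually was, so the report should state which components were not assessed.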
References
[1] Clarke RA, Knake RK. Cyber War: The Next Threat to National Security and What to Do About It. New York; 2010.
[2] Importance of Cyber Security; 2012. Available from: http://worldjusticeproject.org/blog/importance-cyber-security.
[3] Cyberspace: What is it, where is it and who cares?; 2014. Available from: http://www.armedforcesjournal.com/cyberspace-what-is-it-where-is-it-and-who-cares/.
[4] Explore Terms: A Glossary of Common Cybersecurity Terminology; n.d. Available from: https://niccs.us-cert.gov/glossary#letter_c.
[5] Cybersecurity; n.d. Available from: http://www.merriam-webster.com/dictionary/cybersecurity.
[6] Definition of cybersecurity; n.d. Available from: http://www.itu.int/en/ITU-T/studygroups/com17/Pages/cybersecurity.aspx.
[7] A brief introduction to cyber security for students who are new to the field; n.d. Available from: http://www.umuc.edu/cybersecurity/about/cybersecurity-basics.cfm.
[8] Board and cybersecurity, a story of dangerous liaisons!; 2015. Available from: https://business-digital-security.com/.
[9] 4 Steps to Integrate IT and Corporate Governance; 2014. Available from: http://www.isaca.org/Knowledge-Center/Research/Documents/COBIT-Focus-4-Steps-to-Integrate-IT-and-Corporate-Governance_nlt_Eng_1214.pdf.
[10] Introduction to National Response Center for Cyber Crime; n.d. Available from: http://www.fia.gov.pk/en/NR3C.php.
[11] Consultant’s Tool: What is a maturity model?; 2012. Available from: http://consultantsmind.com/2012/07/01/maturity-model/.
[12] de Bruin R, von Solms SH. Modelling Cyber Security Governance Maturity. 2015 IEEE International Symposium on Technology in Society (ISTAS); IEEE; 2015.
[13] One Big Threat to Cyber Security: IT Geeks Can’t Talk to Management; 2104. Available from: http://www.tripwire.com/state-of-security/featured/one-big-threat-to-cyber-security-it-geeks-cant-talk-to-management/.
[14] Do boards of directors actually care about cybersecurity?; 2015. Available from: http://www.csoonline.com/article/2978020/security-leadership/do-boards-of-directors-actually-care-about-cybersecurity.html.
[15] Cybersecurity: legal trends for a major business concern; 2014. Available from: http://www.financierworldwide.com/cybersecurity-legal-trends-for-a-major-business-concern/#.VlgvknYrJhE.
[16] Who is really accountable for Cyber Security? CISO? Think again...; 2015. Available from: https://www.linkedin.com/pulse/who-really-accountable-cyber-security-ciso-think-umesh.
[17] The sad stats on state of cybersecurity: 70% attack go unchecked; 2015. Available from: http://www.welivesecurity.com/2015/09/09/cybercrime-growing-concern-americans/.
[18] Cybersecurity Threats a Growing Concern for Small Business; n.d. Available from: http://informationassurance.regis.edu/ia-programs/resources/ia-update/cybersecurity-threats-a-growing-concern-for-small-business.
[19] SABS. ISO/IEC 27032:2012, Information Technology - Security techniques - Guidelines for cybersecurity. 2015.