A Multistage Methodology for Ensuring Appropriate Security Culture and Governance

Solange GHERNOUTI-HÉLIE, David SIMMS, Igli TASHI
Faculty of Business and Economics - University of Lausanne, Lausanne, Switzerland

2010 International Conference on Availability, Reliability and Security
978-0-7695-3965-2/10 $26.00 © 2010 IEEE
DOI 10.1109/ARES.2010.118

Abstract—The assessment of the adequacy and appropriateness of the security infrastructure in place within an organization poses a significant challenge to those responsible for security management, those responsible for corporate compliance, and senior management who seek a reasonable balance between robust security and ease of use for legitimate users. The process of assessment, validation and improvement is continuous and follows a number of clearly defined steps, each of which builds on the comfort obtained from the previous one and which confirms the consistency of the measures in place with the overall strategy and policies, all the while referring to the specific context and requirements of the organization. This paper describes a framework for the assessment of security governance that can be applied to organizations in the public and private sectors with differing security cultures, discusses the methods of implementing, tailoring the methodology and evaluating the results of the analysis, details a number of critical success factors, and concludes with a case study from the manufacturing sector.

Index Terms — information security governance, governance criteria, assessment methodology, organizational culture, security awareness, risk management, legal conformity, user compliance

I. SECURITY CULTURE AND GOVERNANCE – AN INTRODUCTION

The proposed assessment model aims to draw up an ICT security assessment frame of reference, based on a holistic and multidisciplinary view of ICT security [1], by considering the complex environment and the need for a certain level of assurance to be provided by such an assessment process. The proposed model tries to fix the invariant features to be considered when assessing the ICT security posture of a given public or private sector organization. The proposed methodology aims to assist private and public organizations in drawing their attention to the most important elements to be considered when evaluating their current ICT security status. The final expected output of such a methodology is a security strategy resulting from a pragmatic approach, in order to reduce the potential gap between the current state and the future one according to the specific needs of the organization. Conceptually it should involve:

1. The identification of their own requirements to enhance ICT security and to evaluate the protection level;

2. The elaboration of cybersecurity policies, procedures, norms to address the cybersecurity challenge;

3. The definition and the design of an organizational ICT security response plan to be implemented, in order to achieve security objectives specific to every organization's needs.

A. The Culture of Security

ITU, in its GCA Report [2], recognizes the importance of the culture of cybersecurity by considering it “the best guarantee” for cybersecurity itself. According to the Report, cybersecurity is about the norms and behaviors that users follow voluntarily. In this direction the cybersecurity culture becomes the essential purpose to be established and assessed by organizations, independently of whether they are private or public. There are two groups of elements which allow a reliable culture of cybersecurity to be reached. These two groups are:

• The constitutive elements of an overall cybersecurity effort, in order to enhance the protection level;

• The related activities to promote such a culture.

Regarding the constitutive elements of such a cybersecurity culture, international organizations such as the UN, the OECD and the ITU have previously defined nine elements governing the cybersecurity culture. These nine elements can be placed into three principal groups according to their concern.

• The first group is concerned with the weakest link of the security chain, which is the human being, and proposes activities like awareness raising and responsibility delineation.

• The second group is mostly operational-centric, specifying baseline activities to be tackled in order to ensure that a protection level can be provided.


• The third group concerns conformance issues and is motivated by the evidence that security efforts should be run within some acceptable limits driven by fundamental ethical and democratic values.

Figure 1: A multi-stage ICT security effort

Schematically presented, reaching a security culture means to provide a holistic security strategy, which goes through certain stages and addresses certain topics, as presented in Figure 1.

B. Cybersecurity Protection Processes

The ICT security processes presented in Figure 2 take a quick look at the different elements to be addressed when considering the establishment of an organization-wide security strategy, in order to reach the central objective, which is the development and promotion of the culture of security.

Figure 2: ICT Security Components and Relationships: a conceptual view

In order to be effective, a security strategy should include a number of processes and activities to be undertaken by following a logical path, generally associating a given concern with an expected result. The concern and the expected result constitute the basis and the reference point for the assessment. Based on the schema proposed in Figure 2, the protection effort starts from the identification of the so-called “Protection Targets”, including organizational strategic values requiring particular attention, and ends with a “Protection Level” that characterizes the secure state of the valuable asset. From this follows the identification of three main areas providing the safety conditions on the one hand and the attainability of the objectives on the other.

The first block of processes concerns the environment wherein the valuable assets operate, along with the dangers they could face. This includes the upper part of Figure 2 and concerns the risk assessment activities as well as the identification and prioritization of the protection targets, based on categorization features like “critical”, “sensitive” or “key assets”. To each protection target, or group of them, some security objectives are assigned describing the prevalent characteristics to be protected or the state of safety the assets should be placed under.

The second block of processes concerns the decision-making activities to govern and manage the security efforts. Within this block, and based on the conclusions arising from the first one, security policies are drawn up giving a general overview of the security objectives to be reached and of the security requirements to be met. This is a crucial phase of cybersecurity that will determine the direction and the posture the cybersecurity efforts will take.

The third block of processes concerns the functional activities wherein safeguards, processes and procedures are harmoniously integrated into the overall cybersecurity program, with the objective of implementing them effectively and efficiently. The cybersecurity program will be the tool in the participants' hands to decrease the likelihood that a risk will harm a valuable asset or, in the worst case, to reduce as much as possible the extent of the losses. For this, the cybersecurity program should include and develop activities capable of providing all four stages of protection, that is to say, deterrence, prevention, detection and reaction [3].

C. The Assurance Level of the Assessment Process

The assurance level will depend on the security-related properties and functionalities, as well as the operational and administrative procedures governing them. The assurance objective could be reached by using well-known standards, norms and best practices already used by multiple actors in the cybersecurity domain, for example the Common Criteria regarding the technical solutions [4, 5], the ISO 27000 family regarding managerial and governance-related solutions [6, 7], and the Convention on Cybercrime for the legal dimension [8].

In order to provide an assurance level regarding the result such an assessment process provides, particular attention should be paid to the following elements:

• The existence and documentation of the necessary and mandatory security processes and procedures;

• Conformance between the processes and procedures in place and the established security objectives;

• Monitoring and tests, in order to evaluate the security mechanisms, and the analysis of their results.

II. THE ASSESSMENT METHODOLOGY

The assessment methodology is based on:

• The assessment criteria against which each cybersecurity element will be evaluated.

• The assessment structure, composed of three main assessment axes specifying the cybersecurity elements to be assessed, whose structure allows an assurance level to be gained regarding the assessment outputs.

A. Assessment Criteria

As defined hereinbefore, the culture of cybersecurity comes in the form of the ultimate stage to be reached, and consequently it should be the central aspect to be assessed from a high-level perspective. By considering the conceptual protection framework discussed in the previous section, the assessment methodology should look at three assessment criteria, as presented in Figure 3.

Figure 3: The Assessment Criteria

These assessment criteria will consider cybersecurity from different points of view, as specified below. ICT security has to be considered as a reliable construction, for which completeness will be the focal assessment criterion. By completeness it has to be understood that the cybersecurity system in place, or the system to be designed, has certain baseline components that interact with each other in a coherent manner. The absence of such an element is an important shortcoming concerning the dependability of the cybersecurity system. ICT security has to be considered as an ensemble of useful services, for which effectiveness will be the focal assessment criterion. In fact, the effort to be undertaken and the resources to be employed within the cybersecurity program should obligatorily respond to some well-identified goals resulting from an in-depth analysis of the security needs. Last but not least, ICT security has to be considered as an ensemble of processes, for which excellence will be the main assessment criterion. By excellence is understood the managerial capacity of the process owner to ensure a certain quality level regarding the process itself.

B. The Assessment Process

In order to evaluate the achievement of the assessment criteria, the assessment methodology dissects the structure of the cybersecurity system along three assessment axes, namely:

1. Inputs;

2. Functional Activities;

3. Outputs.

Each one of these axes embodies an assessment target and is composed of some cybersecurity activities to be tackled. In addition, each axis determines a resultant to be delivered, linking the different axes and thus materializing the holistic concept of the cybersecurity culture (see Figure 4).

Figure 4: A holistic ICT Security Assessment Framework

The first axis, called “Inputs”, is about the prerequisite activities concerning the “Needs assessment”. Those activities strive to identify the inherent security variables, namely risk, protection targets and security measures, in order to determine what is at stake regarding the safety of the valuable organizational assets. Through this phase the security needs, according to the risk situation, are identified. This allows private or public organizations to define an ICT security policy at the highest hierarchical levels. The second axis, called “Functional activities”, is about the operational activities ensuring that an appropriate protection level is provided. This axis constitutes the building blocks of the organizational security posture. Through this phase a security program is established, according to the security needs and security objectives specified within the first axis. The third axis concerns the assessment of the cybersecurity processes side and strives to constitute three “Preparedness levels” of the current security situation based on three stages: “Exploited”, “Managed” and “Well-contained”.

As aforementioned, ICT security is generally a shared responsibility of participants coming from various backgrounds: the government, business, other organizations, and individual users who develop, own, provide, manage, service and use these information systems and networks. If the full range of security responsibilities is to be addressed, all participants must have a common understanding of the problem, and each participant must have an appropriate understanding of the actions to undertake corresponding to the cybersecurity challenges.

1) Preparedness Level Assessment

This section will consider the cybersecurity system under assessment as the resultant of a number of processes running inside the system and making use of the aforementioned processes to provide the required level of protection. The output of such an assessment phase, called “The Preparedness Assessment”, will be the degree of excellence of the processes running inside the cybersecurity infrastructure. Finally, a “Preparedness Level” can be determined, called the “assessment value”, representing the current state of process quality. First of all, the “Preparedness” concept articulates the idea of a threshold of profitability that a government, or any other stakeholder interested in the assessment's results, can reach by using a given item of a given structural activity. Figure 5 illustrates the assessment approach to be adopted in order to determine the Preparedness Level and the assessment value.

Figure 5: The Assessment approach of the Cybersecurity Preparedness Level (adapted from [9])

As can be noticed, the preparedness assessment approach takes as its input the two previous blocks of cybersecurity activities and assesses them by focusing on three assessment criteria, namely:

• The protection resources, implying that the resources or the capacities needed to undertake the activity are or could be available within the organization or the country. The notion of resources here concerns not only the tangible resources (like financial or technical resources) but also the intangible ones (like administrative or expertise resources). In addition, it implies that the functional activities described in Section II.B are effectively performed.

• The reviewing and improvement activities are about the dedicated efforts made by the top management (in the case of private sector organizations), the government (in the case of public organizations) or interested stakeholders (in both situations) to continually remain up to date regarding:

  o The current status of ICT security;

  o The gap analysis between the current status and the required status according to the strategy and the policy;

  o The initiatives to be undertaken in order to fill the gap, by the identification of corrective and preventive actions.

For that purpose, executive levels, governments or interested stakeholders should plan reviewing activities at regular intervals, such as audits, feedback reporting or other activities providing updated information.

• The related metrics, which represent the formal interpretation of the results to be obtained regarding the protection level, by the introduction of a given functional activity or security measure.

These assessment criteria lead to a preparedness level that constitutes the basis of the continual improvement efforts. All the cybersecurity issues regarding the Capacities and Preparedness Assessment discussed in Section II lead to the “Capacities and Preparedness Assessment Path” as presented in Section IV.

III. CASE STUDY – PRIVATE SECTOR

A large manufacturing group with operations in more than twenty countries found itself obliged to restructure and formalise its cybersecurity strategy and policies in order to comply more easily and consistently with regulatory requirements. Successive reports by both internal and external auditors at the head office and at affiliates had highlighted the absence of a consistent approach to cybersecurity, and changes in the regulatory environment, together with a general change in corporate culture towards greater consistency and transparency, provided the impetus needed to address the issue in an effective and efficient manner. The exercise was managed as a formal internal project with a board-level sponsor, an experienced and technically-aware project manager, and a project team consisting of members of the key business units, IT, internal audit, and the corporate legal and compliance function. Although the area of cybersecurity is commonly seen in business circles as primarily concerning IT, the group recognised that an effective strategy involved all areas of the business and so treated the project as a standard, business-wide initiative with IT input.

Following the methodology outlined above, the group commenced with the Needs Assessment. The first stage of this was the identification of the assets to be protected, a task made more difficult by the presence within the group of a large number of independent, locally managed applications, data stores and infrastructure elements. The project manager used a semi-automated surveying tool to send a questionnaire (the means of evaluation) to the manager of each group entity and each business unit at headquarters and to recover and process the responses: the questionnaire required each manager to document the systems, infrastructure and data stores in place and to evaluate their strategic importance, sensitivity and criticality to the business, according to a framework developed by the project team. This phase took longer than had been anticipated, partly because of the effort involved in identifying and classifying all the relevant systems, and also because there were more exchanges of communication between the project team and remote sites than expected in order to clarify issues and provide specific guidance.

For each group entity and each system identified, the stakeholders were then identified. This was a straightforward exercise as the management of each entity were able to leverage a similar exercise that had been performed in the context of the statutory financial audit, in which the key users of, and staff responsible for, each system had been defined, as well as the flow of information between systems. The central team then worked with local management to identify which systems were of sufficient importance to need to be included in the global security framework. This exercise was based on a fixed set of criteria: systems which were considered as primary points of capture of data necessary for financial reporting or significant operational activities were included by default, while systems of particular significance to the business such as payroll and human resource applications, manufacturing control applications and legal and compliance databases were also included without further discussion. An interesting point arose around a number of automated and semi-automated interfaces used to transfer data between applications: effectively these were critical to the business and required careful management because of the potential impact of errors in operation or of modifications to data made before or during transfer, but in many cases these had not been systematically identified during the identification phase nor been historically well managed.

Once this information gathering and assessment phase had been completed, the project team began the second phase of the project, which concentrated on the existing security infrastructure and management environment. In a similar way to the first phase, the central functions and local entities submitted information on the security structures they already had in place, the resources that existed to implement and manage security and to identify and respond to issues, the workflows and chains of responsibility in place to handle issues or changing requirements, and any specific legal or technical constraints in place around their systems or operating environment. Again, the results were reviewed by the project team and comparisons made between entities and regions in respect of their structures, procedures, organisations and resources. As a result of this analysis, it became clear that some entities placed far greater importance on effective cybersecurity than others and that there were significant differences in the amount of resources directed towards questions of security. Overall it was noted that there were few examples of a systematic approach to security management: in particular, security procedures tended to have grown organically as the entities had developed, without reference to a standard approach, leaving entities with a range of ad hoc policies and procedures at a system level but no consistency across platforms. The bulk of controls in place were preventive (before the event) rather than detective (after the event) and as a consequence there were many operational weaknesses in the framework of controls: one common example was related to the maintenance of user accounts, where reasonable controls were often in place over the creation of user profiles and access rights but there was no subsequent periodic review of the continued validity of these rights. Generally it was noted that there was an absence of a systematic approach for identifying and handling issues: most entities relied upon ad hoc procedures to deal with concerns once problems had been brought to their attention.

After the completion of this phase, the project team was able to perform the final phase, which was to assess the preparedness of each entity and establish a framework for the establishment and implementation of a group-wide cybersecurity plan. This drew upon the requirements identified by the entities and by core functions, upon the requirements and best practices specified by the relevant items of legislation and business and security standards, and upon the opportunities identified during the assessment process for effective collaboration between units across the group. In particular, three regional IT security functions were created with the resources, authority and expertise to monitor activities at entities in their region, advise and provide solutions. Other outputs from the process included a standard awareness training programme that was tied into human resource policies and professional development programmes for staff, clearly specified timeframes and detailed requirements for entity management to bring their IT environments into compliance with the group standards, with fixed objectives relating to this documented in the relevant managers' development plans and overall performance objectives, and a structured security policy describing parameters and control activities for each system or group of systems.
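The case study's most common operational weakness was a preventive control at account creation with no detective control afterwards: nobody periodically re-validated whether granted access rights were still justified. The following is an added example of such a periodic access-rights review, not code from the paper or from the group it describes; the entities, users, systems, the HR fields and the 180-day review interval are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed group-wide policy: a right must be re-validated at least this often.
# This value is an assumption for the example, not taken from the paper.
REVIEW_INTERVAL_DAYS = 180


@dataclass(frozen=True)
class AccessRight:
    entity: str                    # group entity that operates the system
    user: str
    system: str
    role_at_grant: str             # job role approved at creation (preventive control)
    granted: date
    last_reviewed: Optional[date]  # None: never re-validated since the grant


@dataclass(frozen=True)
class HrRecord:
    user: str
    active: bool                   # False: the person has left the organization
    current_role: str


Finding = Tuple[AccessRight, str]


def review_findings(rights: List[AccessRight], hr: List[HrRecord], today: date,
                    interval_days: int = REVIEW_INTERVAL_DAYS) -> List[Finding]:
    """Detective control: return every right that needs revalidation, with a reason.

    Reasons: 'leaver' (no active HR record), 'role-changed' (approved for a role the
    user no longer holds), 'never-reviewed' / 'review-overdue' (the last validation,
    i.e. the grant itself or the last review, is older than the policy interval).
    """
    hr_by_user = {h.user: h for h in hr}
    cutoff = today - timedelta(days=interval_days)
    findings: List[Finding] = []
    for r in rights:
        h = hr_by_user.get(r.user)
        if h is None or not h.active:
            findings.append((r, "leaver"))
        elif h.current_role != r.role_at_grant:
            findings.append((r, "role-changed"))
        else:
            last_validated = r.last_reviewed or r.granted
            if last_validated < cutoff:
                reason = "never-reviewed" if r.last_reviewed is None else "review-overdue"
                findings.append((r, reason))
    return findings


def findings_by_entity(findings: List[Finding]) -> Dict[str, int]:
    """Roll the findings up per entity, the comparison the central project team made."""
    counts: Dict[str, int] = {}
    for r, _ in findings:
        counts[r.entity] = counts.get(r.entity, 0) + 1
    return counts


# Constructed sample data: entities, users and systems are invented for the example.
SAMPLE_TODAY = date(2010, 6, 30)
SAMPLE_RIGHTS = [
    AccessRight("CH", "alice", "ERP", "accountant", date(2009, 1, 10), date(2010, 5, 1)),
    AccessRight("CH", "bob", "ERP", "accountant", date(2008, 3, 3), None),
    AccessRight("DE", "carol", "Payroll", "hr-clerk", date(2009, 9, 9), date(2009, 10, 1)),
    AccessRight("DE", "dave", "MES", "operator", date(2007, 1, 1), date(2010, 3, 1)),
    AccessRight("DE", "erin", "LegalDB", "paralegal", date(2009, 5, 5), date(2010, 4, 4)),
    AccessRight("FR", "frank", "ERP", "buyer", date(2010, 2, 2), None),
]
SAMPLE_HR = [
    HrRecord("alice", True, "accountant"),
    HrRecord("bob", True, "accountant"),
    HrRecord("carol", True, "hr-clerk"),
    HrRecord("dave", False, "operator"),
    HrRecord("erin", True, "sales"),
    HrRecord("frank", True, "buyer"),
]


def run_sample() -> List[Finding]:
    """Run the review over the constructed data as of SAMPLE_TODAY."""
    return review_findings(SAMPLE_RIGHTS, SAMPLE_HR, SAMPLE_TODAY)


if __name__ == "__main__":
    results = run_sample()
    for right, reason in results:
        print(f"{right.entity} {right.user:6} {right.system:8} -> {reason}")
    print("per entity:", findings_by_entity(results))
```

A right granted within the interval and not yet reviewed (frank) is not flagged; a right whose last validation, grant or review, predates the cutoff is.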

IV. THE CASE FOR A NATIONAL CYBERSECURITY STRATEGY

The conceptual view presented in Figure 2 takes into account the protection framework resulting from ITU's Global Cybersecurity Agenda Report [6], which defines cybersecurity as a multidisciplinary domain based on five pillars (see Figure 6).

Figure 6: The five pillars of the ITU's Global Cybersecurity Agenda

Based on this multidisciplinary view of cybersecurity as shown in Figure 6, as well as on the assessment model presented above, the implementation of the model with a specific focus on the public sector and on national cybersecurity issues will be discussed. The three assessment axes previously discussed are the subject of the next sections. Each one of them leads to an “Assessment Path” and is composed of:

• The place and the role it takes in the overall national cybersecurity effort;

• Constitutive elements and respective requirements;

• The expected result and added value to the overall national cybersecurity effort.

A. Axis of Inputs – Needs Assessment

Role: Identification of national specific needs and conditions to devise an effective and efficient national cybersecurity program.

Constitutive elements: Protection target identification, Stakeholder identification, Problem framing.

Expected result: A cybersecurity policy specifying the cybersecurity objectives, goals, procedures and resources to protect the national strategic informational values.

1) Needs Assessment Path

Assessment objectives:

• Provide a realistic panorama of the current risk and cybersecurity situation

• Provide an effective protection framework commensurate with risk and protection needs (problem framing)

Assessment Procedure:

1. Valuation of national assets and establishment of interdependencies between them
   a. Prioritization approach
   b. Prioritization criteria

2. Identification of stakeholders and participants in cybersecurity
   a. Governmental ministries or agencies
   b. Asset owners or parties concerned
   c. Other participants (industry, civil society, academia, etc.)
   d. The national point of contact

3. Risk scenarios, threat and vulnerability identification, risk mitigation strategies
   a. Threat agents
   b. Vulnerability sources
   c. Exposure level
   d. Protection resources

4. Security vision, objectives setting and security practices selection

Assessment output: A National Cybersecurity Policy

• Goals and general rules

• Requirements

• Implementation issues

• Communication and information means

• Policy endorsement

• Relationship to regional and international activities

B. Axis of the Functional Activities – Capacities Assessment

Role: Implementation of the cybersecurity measures, safeguards and procedures to reduce the risk to acceptable levels.

Constitutive elements: Operational infrastructure, Legal infrastructure, Incident Management, Accountability raising, Collaborative efforts.

Expected result: A national cybersecurity program capable of protecting the national strategic informational values, based on the national policy's requirements and objectives.

1) Capacities and Preparedness Level Assessment Path

Assessment objectives:

• Provide a snapshot of the available functional activities enhancing cybersecurity

• Devise or evaluate the cybersecurity program in place

Assessment Procedure:

Assessment Procedure:
1. Operational Infrastructure Assessment
   a. Organizational Structure: Designate a lead government agency and identify the representatives and their roles within such a structure. Establish a governance system specifying the activities to be undertaken in terms of control, evaluation, validation and optimization, as well as the respective actors.
   b. Technical Capacities: Assessment of technological resources and managerial skills. Establish a systemic approach specifying the chain of cause and effect between the security threats and risks on one side and the tools, mechanisms and procedures to mitigate them on the other.
2. Legal Infrastructure Assessment
   a. Legal infrastructure: enacting and promulgating laws related to cyberspace concerns, comprising three domains, namely Criminal, Procedural, and Civil Law.
   b. Identify requirements regarding the legal operational activities that determine the impact of the legal infrastructure, such as investigation, prosecution and law enforcement capacities.
3. Accountability Raising Assessment
   a. Awareness-Raising: identify target groups and objectives, identify awareness activities (news, discussion activities, internal incident reports) and continually assess the added value as well as the return on investment of the awareness processes.
   b. Capacity-building: ensure that national knowledge and response capacities are up to date, provide the necessary resources by identifying and prioritizing them, and identify the level of action.
4. Incident Management Assessment
   a. Identify the agency that provides the incident management capability function for watch, warning, response and recovery; the cooperating government agencies and points of contact for each; the cooperating participants (industry, CII, and civil society partners) and points of contact for each; the arrangements for cooperation and information sharing between the incident management capability and its cooperating partners; and the international cooperating partners, their points of contact and the arrangements for cooperation.
   b. Ensure availability of CIRT services by identifying available and/or contracting with existing CIRTs, or by establishing a CIRT with national responsibility.
   c. Develop tools and procedures for the protection of the cyber resources of government entities as well as for the dissemination of incident management information.
   d. Develop an integrated risk management process for identifying and prioritizing protective efforts regarding cybersecurity/CIIP.
   e. Assess and periodically reassess the current state of cybersecurity/CIIP efforts and develop program priorities.
   f. Assess the way the incident management capability and the cybersecurity/CIIP effort are funded and staffed.
5. Collaboration Efforts Assessment
   a. National collaborative effort: identify objectives and structures for government/private sector collaboration; identify the national partners and their points of contact.
   b. International collaborative effort: identify the international collaborative structure (a focal point to be designated); identify a structure of topics to be discussed at the international level; specify the granularity of the international collaborative effort.
6. Preparedness Level Assessment
   a. Assessment of the availability of the protection resources
   b. Assessment of the supervising activities
   c. Assessment of the measurement systems used to measure the effectiveness and efficiency of the cybersecurity program components

Assessment output: An assessment value, which is a function of:
• The structural design of the cybersecurity program
• The way the cybersecurity program is managed
