**2. Guarding our information**

Most businesses today would recognize the need to follow the most economical path to maximum profit. Frequently an organization's profit margins form the primary indicators as to their success. Even government agencies must admit to being somewhat cost-driven. With the recent economic downturn and increased competition to stay one foot ahead, businesses may be tempted to consider security as an afterthought, rather than an integral part of their business models and practices. In this Chapter we will look at some of the devastating implications of this error and why every genre of organization must place security at the forefront of business planning and practice.

Consider the owner of an expensive luxury vehicle who, each day outside his workplace, leaves his doors unlocked, with the keys in the ignition. The foolhardiness of the owner is apparent, and some readers may go so far as to suggest he would deserve to have his vehicle stolen. Yet in our modern information-driven organizations, corporations and agencies that depend on their information and data in their day-to-day operations often omit security entirely from consideration. At best it is an afterthought, akin to putting a 'do not steal' sign on the aforementioned vehicle and hoping this will deter all potential criminals.

In 2010, for the first time, the worldwide cost of information and electronic data theft (excluding piracy) rose 9.3% from 2009 to surpass all other theft (Kroll, 2010). In the UK alone, cyber-crime cost businesses, individuals and government \$43 billion US dollars (2010). In the 2011 series of cyber-attacks against Sony, some analysts believe the long-term costs to be in excess of \$24 billion (Sebastien, 2011). Staggering as these figures are, the truth remains that most of these breaches could have been prevented had security been integrated into the victim's plans and policies.

It may be hard to understand why cyber-attack costs can reach such staggering figures. It can often come as a surprise to a victim that the true cost of an attack can far exceed the cost of hardware technology assets, or an annual IT budget. Indeed, the failure to comprehend the true risk of attacks and associated costs is in part what has led to such a prevalence of successful breaches. To be secure requires more than a retrofitted firewall installed merely as an afterthought. Organizations must understand the true cost, impact and consequences of cyber-attacks in order to identify what steps should be taken to protect their most valuable assets.

The balance between usability and security is a fundamental concept that encourages security professionals to be mindful of user needs. Even so, the visualization of social interactions using technology presents a new challenge for those responsible for cybersecurity planning. Understanding the possible motivations and means behind a cyber-attack can better equip enterprises to prepare for and respond to an attack. Research has shown that on average, the cost of cyber-crime is reduced by 38% by companies which implement Governance, Risk Management and Compliance (GRC) measures across their enterprise (Ponemon Institute, 2011).

The mistake of assuming security is someone else's problem often comes with tragic consequences. It is not the responsibility of engineers, consultants, IT professionals or even management to undertake alone, but is the responsibility of every user. Granted, there are many specific roles required in security planning, but if the plan does not include each and every user as a member of the security team, it will be doomed before it has even been implemented.

The domain of cyber-security is highly subject to external pressures. These definitional forces include the following (Agresti, 2010): 1) *rebranding exercise* – the former term "information assurance and security" is being replaced by "cyber-security", as the term "cyber" creeps further into many technologies of our era; 2) *organizational imperative* – the Internet has become essential for most modern companies; 3) *cyberspace domain* – this portion of our lives is now ubiquitous and pervasive and must be understood from that perspective; and 4) *national defense priority* – our potential vulnerability to cyber-attacks is of increasing importance.

Focusing further on the last of these definitional forces – *national defense priority* – Agresti states:

"Progress in cybersecurity depends on attaining a richer, more quantitative, and more visually rendered understanding of cyberspace's size, scope, contours, composition, architecture, properties, traffic patterns, oversight, end points, and – ultimately – its vulnerabilities to malicious activities.

"The national defense sector faces the entire spectrum of security challenges: defects and malicious code in software on individual workstations, insider threats, vulnerabilities in networks, malicious intent, and attribution." (Agresti, p. 103)

In 2010, the US government received on average 60 million attempted cyber-attacks per day. This problem is not limited to government; Facebook recently announced that it receives over 600,000 attempted cyber-attacks per day (Enzer, 2011), although this is small compared to their one billion daily logins. Staggering as these numbers are, they show the volume of attacks that companies and even individuals now face while connected to the Internet. Managers, IT professionals, and IT security professionals must take a holistic view of security in their planning. This is crucial if a company is to survive amidst today's onslaught of cyber-attacks.

**4. The cyber-security arena**

The cyber-security arena has expanded dramatically. Cyber-security now includes mobile phones, embedded computers (widely employed in our infrastructure), cloud computing,
