**3. Visualizing the cyber-landscape**

Consider the owner of an expensive luxury vehicle who, each day outside his workplace, leaves his doors unlocked with the keys in the ignition. The foolhardiness of the owner is apparent, and some readers may go so far as to suggest he would deserve to have his vehicle stolen. Yet in our modern information-driven world, organizations, corporations and agencies that depend on their information and data for their day-to-day operations often omit security entirely from consideration. At best it is an afterthought, akin to putting a 'do not steal' sign on the aforementioned vehicle and hoping this will deter all potential criminals.

In 2010, for the first time, the worldwide cost of information and electronic data theft (excluding piracy) rose 9.3% from 2009 to surpass all other theft (Kroll, 2010). In the UK alone, cyber-crime cost businesses, individuals and government an estimated US\$43 billion (2010). In the 2011 series of cyber-attacks against Sony, some analysts believe the long-term costs to be in excess of \$24 billion (Sebastien, 2011). Staggering as these figures are, the truth remains that most of these breaches could have been prevented had security been integrated into the victim's plans and policies.

It may be hard to understand why cyber-attack costs can reach such staggering figures. It often comes as a surprise to a victim that the true cost of an attack can far exceed the cost of its hardware and technology assets, or even an annual IT budget. Indeed, the failure to comprehend the true risk of attacks and their associated costs is in part what has led to such a prevalence of successful breaches. Being secure requires more than a retrofitted firewall installed as an afterthought. Organizations must understand the true cost, impact and consequences of cyber-attacks in order to identify what steps should be taken to protect their most valuable assets.

The first step in better understanding cyber-attacks is to become aware of how intricately interconnected information systems and technology have become. A system should not be thought of as a series of devices connected by wires, but rather as a combination of people, technology and networks that function within defined parameters to achieve a specified objective. As organizations begin to view their systems from this perspective, it becomes obvious why a handful of technical measures, however expensive and state-of-the-art, may be ineffective in protecting them from a cyber-attack.

Some academics have claimed that cyberspace is defined more by social interactions than by technical implementation. Morningstar and Farmer argue that the computational medium in cyberspace is an augmentation of the communications channel between real people (Morningstar & Farmer, 2003). This concept of a socially interconnected system of systems was further visualized in an IBM video published on YouTube in 2010 ("Smarter Leaders vPanel: Tackling Urban Traffic with Social Computing", YouTube, 2010; http://www.youtube.com/watch?v=-thvI-IjwgY). These interconnections between social computing and cyber-security are perhaps the most overlooked aspects of providing effective security. From a defensive standpoint, we should treat cyberspace as the nexus that allows for the potential, and very real, connections among international organized crime, terrorists, hackers, foreign intelligence agencies, military and civilians.

The balance between usability and security is a fundamental concept that encourages security professionals to be mindful of user needs. Even so, the visualization of social interactions using technology presents a new challenge for those responsible for cyber-security planning. Understanding the possible motivations and means behind a cyber-attack can better equip enterprises to prepare for and respond to an attack. Research has shown that, on average, companies that implement Governance, Risk Management and Compliance (GRC) measures across their enterprise reduce the cost of cyber-crime by 38% (Ponemon Institute, 2011).

The mistake of assuming security is someone else's problem often comes with tragic consequences. Security is not the responsibility of engineers, consultants, IT professionals or even management alone; it is the responsibility of every user. Granted, there are many specialized roles required in security planning, but if the plan does not include each and every user as a member of the security team, it will be doomed before it has even been implemented.

The domain of cyber-security is highly subject to external pressures. These definitional forces include the following (Agresti, 2010): 1) *Rebranding exercise* – the former term "information assurance and security" is being replaced by "cyber-security", as the term "cyber" creeps further into many technologies of our era; 2) *Organizational imperative* – the Internet has become essential for most modern companies; 3) *Cyberspace domain* – this portion of our lives is now ubiquitous and pervasive and must be understood from that perspective; and 4) *National defense priority* – our potential vulnerability to cyber-attacks is of increasing importance.

Focusing further on the last of these definitional forces – *national defense priority*, Agresti states:

"Progress in cybersecurity depends on attaining a richer, more quantitative, and more visually rendered understanding of cyberspace's size, scope, contours, composition, architecture, properties, traffic patterns, oversight, end points, and – ultimately – its vulnerabilities to malicious activities.

"The national defense sector faces the entire spectrum of security challenges: defects and malicious code in software on individual workstations, insider threats, vulnerabilities in networks, malicious intent, and attribution." (Agresti, p. 103)
