
What is cyber resilience? Aaron Clark-Ginsberg - PowerPoint PPT Presentation



  1. What is cyber resilience? Aaron Clark-Ginsberg, Center for International Security and Cooperation, Stanford University. 2017 Frontiers in Resilience Symposium. Word cloud created from texts analyzed for this study. This material is based upon work supported by the U.S. Department of Homeland Security. The views and conclusions contained in this material are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security. The author would like to thank the U.S. Department of Homeland Security for its support.

  2. Resilience is everywhere

  3. Is resilience “the organizing principle in contemporary political life”? (Brassett et al., 2013) • Resilience has been described as: • A useful method for managing risk in the face of complexity • A buzzword • A disastrous technique that normalizes insecurity and state withdrawal • Instead of a priori praising, damning, or dismissing resilience, we need to empirically examine how resilience - like other forms of risk management - is practiced (Cutter, 2016; Douglas and Wildavsky, 1983) http://www.noladefender.com/content/dont-call-me-resilient

  4. Case study: cyber resilience • Cybersecurity is crucial for society: • Critical infrastructure (2003 Northeast blackout, 2015/16 Ukraine blackouts) • Economy (2014 Sony hacks) • Democracy (2016/17 US, France, Germany election hacks) • …and resilience is crucial for cybersecurity (Vugrin and Turgeon, 2014) • Thus, the cyber resilience turn is potentially a major shift in how we conceptualize and govern society • Research objective: systematically review how cyber resilience is understood

  5. Methods • Documentary and survey data: • 157 documents from Google Scholar (50), Web of Science (57), Google (50) • Semi-structured survey modified from Kelly and Kelly (2017) • Link: www.aaroncg.me/current-projects/ • Coding: origin, definitions, rationale, methods • Current progress: finalized initial analysis of documentary data, gathering survey responses

  6. Is it cybersecurity or cyber resilience?
  How are cyber systems conceptualized? Cyber security: siloed and static technical component of a broader system. Cyber resilience: dynamic sociotechnical processes embedded within a system.
  Who is responsible for managing cyber risks? Cyber security: IT department. Cyber resilience: everyone.
  How do you manage cyber threats? Cyber security: prevention, harden systems using new technologies. Cyber resilience: improve governance structures to align incentives.

  7. Cyber resilience: it’s the network. Source: Clark-Ginsberg, A. (2017). Participatory risk network analysis: A tool for disaster reduction practitioners. International Journal of Disaster Risk Reduction, 21, 430-437.

  8. Origins of cyber resilience • Cyber resilience originated after 2010, primarily in practitioner circles: • 154 of 157 surveyed documents were written after 2010 • World Economic Forum’s 2012 Cyber Resilience Initiative • Hurricane Katrina, September 11th, Foot and Mouth Disease • Holling (1973). Minimal academic engagement (Bjorck et al., 2015) • Similar time scale to resilience in other fields including: • Sustainable development and environmental policy (Evans and Reid, 2014) • International disaster management (Hilhorst, 2003; Manyena, 2006) • Security and civil protection (Bourcart, 2015).

  9. What’s in a definition? Definition: the ability of systems and organizations to withstand cyber events. What’s in it: • Who cyber resilience refers to • Cyber resilience threats • How to determine/achieve cyber resilience

  10. [the ability] to recover and resume operations within acceptable levels of service

  11. a cyber system’s ability to function properly and securely despite disruptions to that system

  12. a holistic view of cyber risk, which looks at culture, people and processes, as well as technology

  13. A system’s ability to withstand cyber attacks or failures and then quickly reestablish itself

  14. ability of systems and organizations to withstand cyber events

  15. ability to withstand and recover quickly from unknown and known threats

  16. an organization’s ability to respond to and recover from a cybersecurity incident

  17. Cyber resilience = cyber security + business resilience

  18. the persistence of service delivery that can justifiably be trusted, when facing changes, and mainly regarded as fault tolerance

  19. maintaining the system’s critical functionality by preparing for adverse events, absorbing stress, recovering the critical functionality, and adapting to future threats

  20. the ability of a system that is dependent on cyberspace in some manner to return to its original [or desired] state after being disturbed

  21. the ability of systems and organizations to withstand cyber events

  22. Similarities in definitions • Focus on managing rather than preventing threats, mainly because complexity and change made prevention impossible • Traditional security measures are “failing” and “less realistic” (Symantec, 2014) than cyber resilience, an approach that goes beyond the traditional security/insecurity “binary” (World Economic Forum, 2012) • Cyber systems framed as central to organizations and to society

  23. Differences in the threats • Cyber and non-cyber threats (24) or cyber-specific threats (13) • ‘Cyber’ is foundational to cyber resilience, so generic definitions may be overly broad • Cyber attacks and incidents (29) or cyber attacks only (11) • Cyber attacks require different forms of risk management than cyber incidents (non-probabilistic vs. probabilistic) but have some commonalities. Limited definitions may be too narrow

  24. Differences in who cyber resilience refers to • Organizations (9), systems (8), businesses (4), nation (1), business process (1), substance or object (1), mission (1), not specified (19) • Cyber resilience is multi-sector and multi-stakeholder • Identifying a sector or stakeholder provides specificity • Focus on organizations and businesses

  25. Differences in core components required for resilience • Identify/anticipate (6), prepare (4), withstand (15), respond (4), recover (20), adapt (7) • Suggests different system views • Adaptive ecological (sociotechnical system) • Static engineering (technical system)

  26. Cyber resilience as a sociotechnical problem • Risk and risk management are considered a product of interactions between multiple stakeholders and systems • Staff as “the greatest asset” and “the greatest liability” (Symantec, 2014). Executives are key • Beyond organizations: cyber breaches affect everyone, and risks must be managed jointly • Responsibility is uncertain. [Figure: word tree of sentences using the phrase ‘work together’. Source: author, created with NVivo]

  27. Responsibility and cyber risk • Responsibility structures are not well established. Instead of regulations there is “an acute awareness that technological innovation and market potential should not be stifled” (de Goede, 2015) • Voluntary frameworks like NIST CSF and CERT RMM are promoted • Cyber resilience is a choice that requires executive support • Competing inter- and intra-organizational interests potentially stifle cyber resilience • Lack of regulations and changing technologies make responsibility difficult to assign • New role of the private sector and individuals in managing national security. Pragmatic necessity or governmental responsibility shirking?

  28. Industry: technical and organizational dimensions. Sources: World Economic Forum 2012, ‘Risk and Responsibility in a Hyperconnected World’; https://www.mimecast.com/content/cyber-resilience/

  29. Academia: primarily technically oriented • Problematic given the novel and debated organizational and institutional configurations cyber resilience presents

  30. Organizing for cyber resilience: what works?

  31. Analysis and conclusions • Cyber resilience conceptualizes the world as inherently insecure, and provides a new organizational orientation for managing insecurity • Cyber resilience makes managing cyber risks central to society • We lack knowledge on how to organize for cyber resilience • Some define cyber resilience from an engineering, not ecosystem, perspective

  32. Redefining cyber resilience • Current common definition: the ability to withstand and recover from threats • Proposed common definition: the ability to anticipate, withstand, prepare for, respond to, recover from, and adapt to cyber incidents and attacks

  33. Reorienting cyber resilience • Practice: • Engage with the adaptive elements of cyber resilience • Articulate cyber risk and resilience from a societal, not individual or organizational, risk perspective • Focus on organizing for resilience • Research: • Empirical studies on organizational and transboundary dimensions of risk management

  34. Questions/comments? Email: aaroncg@stanford.edu Cyber resilience survey: www.aaroncg.me/current-projects/
