Introduction

In cybersecurity, incidents occur from time to time. Some are consciously accepted according to risk proportionality, and some happen against one’s wishes  – among which a few examples were briefly discussed in the previous blog post. Incident management is therefore a required capability. However, being prepared for incident handling is not enough. Having the proper security control set is expected as there are preventive, detective, corrective, deterrent, and compensating security controls. If one focuses only on working with reactive controls, there can easily be unforeseen additional resource expenditure. In this post, these capabilities, strategies, and a few useful security control frameworks will briefly be reviewed.

Any organization will determine its cybersecurity goals, strategy, the portfolio that implements the strategy, and design security controls in an integrated fashion, based on business goals. Planning one’s security strategy is an unavoidable part of building a cybersecurity management system, which must reflect the attainment of the external and the internal requirements that have been set. According to Alfred D Chandler [1], a corporate strategy means defining long-term goals, the allocation of resources, and the directions of action to achieve the goals.

Nevertheless, to achieve such a set of goals according to the defined mission and objectives, one must clarify the current operational capabilities and circumstances. SWOT analysis is one of the essential tools for this, whereby both internal and external factors are examined. Internal factors are the parameters that an entity may influence, among which both Strengths and Weaknesses are distinguished. However, an entity cannot directly influence the external factors. This group comprises Opportunities and Threats.

The Balanced Scorecard (BSC) framework [2] of Kaplan and Norton is meanwhile a crucial tool for developing and monitoring the implementation of the strategy by means of a defined set of indicators, regardless of the strategic management theory that is applied [3]. The BSC guides the strategy’s development, covering the Financial Perspective, the Customer Perspective, Internal Business Processes, and Learning and Growth. As it may be applied iteratively, the framework can also be utilized in connection with other fields, such as IT BSC and IT and cybersecurity BSC. IT BSC [4] and security BSC [5] can both be compared to the Balanced Scorecard structure as originally conceived; however, the perspectives that they apply carry different names.

Yahoo!’s case study

Using the Yahoo! case study from the previous blog post, we will now attempt to recreate the company’s SWOT analysis for years 2015 and 2016 - a time when some significant cybersecurity incidents attracted public attention - and reproduce the company’s strategy, if there was any.

At that time, Yahoo!’s revenue was derived from ads. However, in addition to facing Google’s dominance, Yahoo! had steadily lost its market share, which was 5.91 per cent back in January 2009, compared to 2.96 per cent in December 2015. This tendency continued in 2016 as well, resulting in lower revenues. Consequently, in 2015 Yahoo!’s annual revenue was $4,968.301 million, while its total operating expenses were $9,716.795 million, resulting in a tremendous loss. The two cybersecurity incidents resulted in additional costs, amplified effects for market share loss, a reduced acquisition offer and shared responsibility with the seller for subsequent investigations and penalties [6].

The SWOT and strategy analysis focuses on the years of 2015 and 2016 as at that time, Yahoo! recognised the incidents, they notified the public, and stakeholders reacted to the information they got. Based on the obtained information, negative characteristics dominate the SWOT analysis.

‍

The following figure shows Yahoo!’s business strategy for the year 2015 and 2016, based on the relevant strategic objectives described in the annual report for Form-10K 2015 [8] and 2016 [9]. It is noticeable that already in 2016, Yahoo! deeply focused on the acquisition and did not emphasize achieving safe operation despite users’ mass involvement in the incidents. Hence, the company did not change its processes in order to decrease any cybersecurity risk.

What can we do?

Unfortunately, Yahoo!’s case is not unique. Still, many organizations view cybersecurity as unnecessary functionality that is imposed on them by legislators. As evidence of this, in 2019, Ernst & Young conducted a survey between August and October [10]. The respondents (N≈1300) were information security managers or had an equivalent position; of these,  only 36 per cent said that cybersecurity was part of the management-level decision-making process from the very beginning in the organization they represent.

However, such a lack of involvement, at least to a partial extent, in management-level decisions makes the tasks of cybersecurity functions much harder and their goals may be scarcely achievable. This is so because, according to the balanced operational constraints, security controls that hinder or even prevent achieving business goals are not acceptable [11]. On the other hand, the administrative, physical, and logical security controls must be well-designed and well-maintained according to the principles of defense in depth and diversity of defense, and the concept of Principles of Least Privilege and Separation of Duties. The appropriate combination of the deterrent, preventive, corrective, recovery, detective, and compensating controls should be used to manage the risks complying with internal standards. Properly implemented, these controls serve the confidentiality, integrity and availability of the data stored in the systems.

ISO/IEC 27001 and ISO/IEC 27002 standards

The ISO/IEC 27000 family of standards is a series of information security standards from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) that can be combined to provide a framework supporting best practice in information security management. The ISO/IEC 27001:2013 standard [12] is probably the best well-known example, which provides requirements for an information security management system (ISMS), although it is currently undergoing revision. 

Annex A of ISO27001:2013 provides the following categories for controls that may be used for high-level categorization: A5 Security Policy, A6 Organization of information Security, A7 Asset Management, A8 Human Resources, A9 Physical and environmental security, A10 Communications and operations management, A11 Access Control, A12 Information systems acquisition, development and maintenance, A13 Information security incident management, A14 Business continuity management, and A15 Compliance.

However, the control set has been already revised, based on ISO/IEC 27002:2022, which provides guidance on how to apply the controls listed in Annex A of ISO/IEC 27001. At a high level, ISO 27002:2013 lists 114 security controls. Meanwhile, ISO/IEC 27002:2022 contains 93 controls. This indicates that some controls have been removed or merged, but there are a few entirely new controls, such as Threat intelligence, or Information security for use of cloud services. These controls are grouped according to 4 ‘themes’: People (8 controls), Organizational (37 controls), Technological (34 controls), and Physical (14 controls), and have altogether five attributes: 

• Control type (preventive, detective, corrective)

• Information security properties (confidentiality, integrity, availability)

• Cybersecurity concepts (identify, protect, detect, respond, recover)

• Operational capabilities (such as governance, asset management)

• Security domains (governance and ecosystem, protection, defense, resilience) 

NIST SP 800-53

US NIST SP 800-53 is the collection of security and privacy controls for Federal Organizations in the USA which must be applied to their information systems, from which currently Rev. 5 is the actual version [13], providing the basis for other requirement specifications in other nations or any company-level entities. For example, the security controls specified by Decree 41/2015 of the Ministry of the Interior implementing the Act on the Electronic Information Security of Central and Local Government Agencies (Act L of 2013/Information Security Act) [14], in Hungary, comply with NIST SP 800-53.

NIST SP 800-53 provides a set of controls that may be applied - as it were - in parallel with ISO/IEC 27002:2022. Previously, the security controls of Revision 4 [15] were organized into eighteen families with a unique two-character identifier. Each family contains security controls related to the main topic: (AC) Access Control, (MP) Media Protection, (AT) Awareness and Training, (PE) Physical and Environmental Protection, (AU) Audit and Accountability, (PL) Planning, (CA) Security Assessment and Authorization, (PS) Personnel Security, (CM) Configuration Management, (RA) Risk Assessment, (CP) Contingency Planning, (SA) System and Services Acquisition, (IA) Identification and Authentication, (SC) System and Communications Protection, (IR) Incident Response, (SI) System and Information Integrity, (MA) Maintenance, and (PM) Program Management.

However, Revision 5 (1) consolidates the security control catalog by integrating security and privacy controls, (2) provides a new supply chain risk management control family, (3) incorporates new controls that support resiliency, secure design, and governance based on threat intelligence and attack data, and (4) separates the control selection process from the controls.

Continuing this thread, the next blog post will discuss some essential frameworks and security controls for application security.

‍

References

[1] A. D. Chandler, “Strategy and Structure: Chapters in the History of the American,” MIT Press. 1962.

[2] R. S. Kaplan and D. P. Norton, “Norton (1992),The Balanced Scorecard--Measures That Drive Performance,” Harvard Business Review, 1992.

[3] M. A. Omalaja, O. A. Eruola, and I. College, “Strategic Management Theory : Concepts , Analysis and Critiques in Relation to Corporate Competitive Advantage from the Resource ‐ based Philosophy,” Economic Analysis, 2011.

[4] W. Van Grembergen, “The balanced scorecard and IT governance,” ISACA Journal, 2000.

[5] T. Herath, H. Herath, and W. G. Bremser, “Balanced Scorecard Implementation of Security Strategies: A Framework for IT Security Performance Management,” Information Systems Management, vol. 27, no. 1, pp. 72–81, 2010, doi: 10.1080/10580530903455247.

[6] Techcrunch, “Verizon buys Yahoo for $4.83 billion,” Jul. 25, 2016.

[7] Z. Bederna, Z. Rajnai, and T. Szadeczky, “Further Strategy Analysis of Cybersecurity Incidents,” Land Forces Academy Review, vol. 26, no. 3, pp. 251–260, Sep. 2021, doi: 10.2478/raft-2021-0032.

[8] Yahoo!, “Form 10-K 2015,” 2016. http://www.sec.gov/edgar.shtml (accessed Jan. 07, 2021).

[9] Yahoo!, “Form 10-K 2016,” 2017. http://www.sec.gov/edgar.shtml (accessed Jan. 07, 2021).

[10] Ernst&Young, “How does security evolve from bolted on to built-in?,” 2020. https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/advisory/ey-global-information-security-survey-2020-report-single-pages.pdf (accessed Sep. 26, 2020).

[11] E. Wheeler, Security Risk Management. Syngress, 2011.

[12] ISO/IEC, “ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements,” 2013.

[13] National Institute of Standards and Technology, “NIST Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations,” Gaithersburg, MD, Sep. 2020. doi: 10.6028/NIST.SP.800-53r5.

[14] K. G. Horváth, “Leveraging Information Security Standards to Comply with Hungarian L Act 2013,” NATIONAL SECURITY REVIEW, vol. 1, pp. 55–65, 2016.

[15] NIST, “NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations,” NIST SP-800-53 Ar4, 2013, doi: 10.6028/NIST.SP.800-53Ar4.