A Fresh Re-assessment of Cyber Security Expectations
ABSTRACT
There is no accepted unified theory of Cyber Security. Consequently, there is no Cyber safe harbor. As a result, an organization with data and information it cannot afford to lose should not put it on the Internet. Empirical evidence is revealed in a Cyber Insurance industry with escalating premiums and a mounting backlog of litigation. Without an accepted unified theory of Cyber Security, there can be no actuarial soundness to the Cyber Security marketplace. Without an accepted unified theory of Cyber Security, vendors resort to selling the problem, not the solution.
EXPLORING STAKEHOLDER EXPECTATIONS FOR SHARED VISION, OPPORTUNITY VALUE PROPOSITION, REQUIREMENTS, AND ARCHITECTURE
As the twig is bent so grows the tree. So, to get your project off on the right foot, Cyber Security expectations should be set and evidence should be sought on the following expectations, assertions, and principles associated with stakeholder shared vision, opportunity value proposition, requirements, and architecture.
1. Stakeholders are in agreement and share a vision for the project.
-- There is no unified theory of Cyber Security.
-- Without a unified theory there can be no experts, no predictability, and no certainty.
2. An opportunity value proposition has been established, and there is stakeholder shared vision for achieving it.
-- Without an accepted unified theory of Cyber Security, there can be no actuarial soundness to the Cyber Security insurance marketplace.
-- The Cyber risk mitigation insurance market is threatened by Cyber Insurance premium increases.
-- For example, there was a 32% jump in Cyber Security premiums in the health care industry in 2015.
-- The Cyber risk mitigation insurance market is faced with an expected increase in lawsuits to collect Cyber damages.
-- For example, with no unified theory of Cyber Security, there is a lack of standard data for statistical analysis.
-- The lack of standard data for statistical analysis will fuel Cyber Security insurance litigation.
-- Indemnifying industry partners is necessary to ensure information sharing.
3. Requirements or user stories are coherent and acceptable, and there is stakeholder shared vision for them.
-- The state of Cyber Security is dire.
-- Cyber Security is a problem without a solution.
-- Cyber Security cannot be approached as business as usual.
-- Hope is not a strategy in using the Internet.
-- There is no safe harbor in using the Internet.
-- In Cyber Security, the only safe harbor lies in not using the Internet.
-- In Cyber Security, selling the problem has become the preferred approach because there is no convincing Cyber solution to sell.
4. The software system architecture is selected and comprises a domain specific architecture to guide software system implementation, and the software system implementation is made ready and operational with no technical debt.
-- Don’t use the Internet for data and information you cannot afford to lose.
-- In using the Internet, the prescription for use is three-factor authentication and encryption.
-- On three-factor authentication, consider what you are (fingerprint or iris), what you know (password or question), and what you have (badge).
-- There is a cost for each factor, one that must be paid each time a user is being authenticated.
-- Expect to add a margin of effectiveness assurance for each factor, for example, 50%, 75%, and 90%.
-- In constructing a Cyber Security risk cause and effect chain, unauthorized access is a predicate for loss of data and tampering with data.
-- Neglecting authorized access delivers a clear threat to privacy.
-- The cost of strengthening authorized access is offset by avoiding costs associated with loss of data and tampering with data.
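The cost-versus-avoided-loss argument in item 4 can be worked through as a small model. The following is an added example, not part of the original paper; the per-factor effectiveness and cost figures, the attempt and authentication counts, and the assumption that the three factors fail independently are all constructed for illustration.

```python
from itertools import combinations

# Constructed per-factor parameters (assumptions, not from the paper).
# effectiveness: fraction of unauthorized-access attempts the factor alone stops.
# cost: price paid every time a user is authenticated with that factor.
FACTORS = {
    "what you are (fingerprint/iris)": {"effectiveness": 0.90, "cost": 0.30},
    "what you know (password)":        {"effectiveness": 0.50, "cost": 0.05},
    "what you have (badge)":           {"effectiveness": 0.75, "cost": 0.15},
}

def residual_access_probability(factor_names):
    """Probability that one unauthorized attempt defeats every selected factor.
    Assumes factor failures are independent (a modelling simplification)."""
    p = 1.0
    for name in factor_names:
        p *= 1.0 - FACTORS[name]["effectiveness"]
    return p

def net_benefit(factor_names, attempts, authentications, loss_per_breach):
    """Avoided loss (data loss / tampering prevented) minus the per-authentication
    cost of the selected factors, i.e. the offset described in item 4."""
    baseline_loss = attempts * loss_per_breach
    residual_loss = attempts * residual_access_probability(factor_names) * loss_per_breach
    auth_cost = authentications * sum(FACTORS[n]["cost"] for n in factor_names)
    return (baseline_loss - residual_loss) - auth_cost

def best_configuration(attempts, authentications, loss_per_breach):
    """Enumerate every non-empty subset of factors and return the one with the
    highest net benefit as (factor_names, net_benefit)."""
    names = list(FACTORS)
    best = None
    for k in range(1, len(names) + 1):
        for combo in combinations(names, k):
            nb = net_benefit(combo, attempts, authentications, loss_per_breach)
            if best is None or nb > best[1]:
                best = (combo, nb)
    return best

if __name__ == "__main__":
    # Constructed scenario: 100 unauthorized attempts, 10,000 authentications,
    # and a loss of 1,000 per successful breach.
    combo, nb = best_configuration(100, 10_000, 1_000)
    print("all three factors residual probability:",
          residual_access_probability(list(FACTORS)))
    print("best configuration:", combo, "net benefit:", nb)
```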
Consistent with the "Keep It Real" message, the Trump Cyber Executive Order describes the state of Cyber Security as follows: "The executive department and agencies tasked with protecting civilian government networks and critical infrastructure are not currently organized to act collectively/collaboratively, tasked, or resourced, or provided with legal authority adequate to succeed in their missions."