Implementing a value based framework for cyber security
Ole Andre Braten
Specialist in Work and Organizational Psychology | Academic Author | Innovator | Security Expert | Keynote Speaker I oleandrebraten.no/booking
In today's interconnected world, the importance of cyber security is undeniable. Organizations face numerous threats that can compromise their operations and reputation. A value-based framework for cyber security is an effective approach to ensure that security measures align with an organization’s core values and objectives. This article by Ole Andre Br?ten outlines how to implement such a framework, using the Cyber Security Kill Chain - developed by Lockheed Martin, as a foundation.
Why a Value-based framework?
A value-based framework in cyber security emphasizes aligning security initiatives with the organization’s values, norms, and operational perspectives. This approach focuses on the human and organizational aspects of security, ensuring that measures in place not only protect but also enhance the organization’s mission and culture. Key components include:
Implementing a value-based framework redefines security as a core business function alongside HR, HSE, and IT.
Simply defining a CSO does not build a culture.
The Cyber Security Kill Chain
Lockheed Martin, a global aerospace, defense, and security company, developed the Cyber Kill Chain as part of its cybersecurity framework. This model provides a structured approach to understanding and combating sophisticated cyber threats.
In the late 2000s, facing increasingly sophisticated and targeted cyber attacks, Lockheed Martin's cybersecurity professionals needed a systematic way to understand and effectively counter these attacks. The term "kill chain" originates from military terminology, describing the steps to identify, track, and engage targets in warfare. This concept was adapted to describe the stages of a cyber attack, providing a structured methodology for defenders to analyze and disrupt these attacks.
Lockheed Martin's experts identified a series of steps attackers typically follow, distilled into a seven-stage model known as the Cyber Kill Chain:
Integrating a value based framework
Providing value in cyber security is about building knowledge on top of the strategies applied by our adversities - so that we can increase our proactive approach.
1. Reconnaissance
- Awareness training: Educate employees on recognizing social engineering attempts and phishing schemes. Training programs can help staff identify suspicious activities and understand the importance of protecting sensitive information.
- Communication protocols: Establish clear communication channels and protocols for reporting suspicious activities. Encourage a culture of vigilance and proactive reporting.
2. Weaponization
- Scenario-based training: Use role-playing and scenario-based training to prepare employees for potential security breaches. This helps them understand their roles and responsibilities in preventing attacks.
- Stress management: Provide stress management resources to employees. Stress can make individuals more susceptible to manipulation, so it’s crucial to promote a healthy work-life balance. It is vital security programs do not increases stress - as role-stress (responsible for both security and my own assignments) might increase if we are afraid we might do something wrong.
领英推荐
3. Delivery
- Phishing simulations: Conduct regular phishing simulations to test and reinforce employees' ability to recognize and report phishing attempts. Provide feedback and additional training based on simulation results. Make sure simulations are targeted. Set up tests with Advanced Social Engineering.
- Cultural integration: Foster a culture where security is seen as a shared responsibility. Encourage employees to support one another in maintaining security practices.
4. Exploitation
- Incident response drills: Conduct regular drills to ensure employees know how to respond to security incidents. These drills can help identify weaknesses in response plans and improve overall readiness. It will also decrease stress.
- Support systems: Establish support systems for employees who may feel overwhelmed by security responsibilities. Providing resources and assistance can help them manage their roles effectively.
5. Installation
- Clear policies and procedures: Develop and communicate clear policies and procedures for handling security incidents. Ensure that all employees understand these guidelines and know how to implement them.
- Team building: Promote team-building activities that emphasize trust and collaboration. A strong, cohesive team is better equipped to handle security challenges. Psychological safety is a key component.
6. Command and control
- Leadership Involvement: Ensure that leadership is actively involved in promoting and supporting cyber security initiatives. Leaders should set an example and reinforce the importance of security practices.
- Empowerment: Empower employees to take initiative and act when they suspect a security issue. Encourage a proactive approach to identifying and addressing potential threats.
7. Actions on objectives
- Post-incident reviews: Conduct thorough reviews after any security incident. Analyze what happened, why it happened, and how to prevent it in the future. Use these reviews as learning opportunities. Apply psychological techniques for debriefing after incidents that are deemed serious.
- Continuous improvement: Promote a culture of continuous improvement. Encourage employees to provide feedback and suggest improvements to security practices. Focus on building security as a value in the organization.
Summary
Implementing a value-based framework for cyber security using the Cyber Security Kill Chain provides a holistic approach that integrates organizational psychology and non-technical interventions. By focusing on the human element and aligning security measures with organizational values, businesses can build a resilient security culture that supports their overall mission and objectives.