8,226 research outputs found

    The CISO Role: a Mediator between Cybersecurity and Top Management

    As organizations increasingly rely on digital solutions, they also become more exposed to cybersecurity threats. Thus, cybersecurity is becoming a strategic concern for the organizations rather than merely a technological issue. However, many organizations are still not sufficiently aware of the cybersecurity risks and their mitigation. This article studies how to engage the top management more in cybersecurity in order to mitigate the risk of cybersecurity threats. In particular, we focus on the role of the Chief Information Security Officer (CISO) as part of the organization’s cybersecurity strategy. We conducted qualitative interviews with nine cybersecurity professionals, including four CISOs, two CEOs, one information security leader and two information security experts. Our study shows that the CISO role is acknowledged as important for facilitating communication between the technical staff and the top management, and for making top management understand the importance of their involvement in cybersecurity. In this sense, the CISO may serve the role as a mediator related to security aspects of the organization. Further, our findings support previous research on the importance for top management to engage actively in cybersecurity matters, including operational risk management, identifying critical assets and data, and defining necessary cybersecurity controls (physical, technical and administrative).

    Cybersecurity Maturity in the Pacific Islands – Informing a Regional CERT Framework

    Cybersecurity acts as a strong influence on national governments’ security, economic, physical and social interests. A common policy goal of governments is to protect their respective interests by supporting cybersecurity threat and attack response capabilities. Contemporary research addresses the use of multi-national CERT frameworks to improve national cybersecurity capability maturity and resilience; however, little research has been conducted into the efficacy of such frameworks with Pacific Island nations. This research employs a qualitative interview technique to develop an inductive model for a regional Pacific Islands CERT framework. The research proposes a Pacific Islands regional model based on a network of affiliated national CERTs that operate independently and reflect their respective national interests, while collaborating on matters of shared interest, supported by regional partners providing targeted assistance to build national and regional cybersecurity capability maturity and resilience.

    Cyber maturity in the Asia-Pacific Region 2014

    Summary: To make considered, evidence-based cyber policy judgements in the Asia-Pacific there’s a need for better tools to assess the existing ‘cyber maturity’ of nations in the region. Over the past twelve months the Australian Strategic Policy Institute’s International Cyber Policy Centre has developed a Maturity Metric which provides an assessment of the regional cyber landscape. This measurement encompasses an evaluation of whole-of-government policy and legislative structures, military organisation, business and digital economic strength and levels of cyber social awareness. This information is distilled into an accessible format, using metrics to provide a snapshot by which government, business, and the public alike can garner an understanding of the cyber profile of regional actors

    News – European Union


    Insecure


    Task Force Report on Streamlining and Consolidating Congressional Oversight of the U.S. Department of Homeland Security

    Nearly a decade after the 9/11 Commission issued its report on the greatest act of terrorism on U.S. soil, one of its most significant recommendations has not been acted upon. The call for consolidated Congressional oversight of the U.S. Department of Homeland Security (DHS) is, in the words of Commission co-chair Thomas H. Kean, "maybe the toughest recommendation" because Congress does not usually reform itself. To underscore the importance of this reform, The Annenberg Foundation Trust at Sunnylands and the Aspen Institute's Justice and Society Program convened a task force in April 2013, including 9/11 Commission co-chairs Kean and Lee H. Hamilton, former DHS officials under Presidents Barack Obama and George W. Bush, and members of Congress (Appendix). While the failure to reform DHS oversight may be invisible to the public, it is not without consequence or risk. Fragmented jurisdiction impedes DHS' ability to deal with three major vulnerabilities: the threats posed by small aircraft and boats; cyberattacks; and biological weapons. "I think we've been distinctly less secure from a biological or chemical attack than we would have been had we had a more rational and targeted program of identifying the most serious threats," said former Sen. Bob Graham (D., Fla.). As the 9/11 Commission Report noted: "So long as oversight is governed by current Congressional rules and resolutions, we believe that the American people will not get the security they want and need." Earlier work by policy groups such as the Heritage Foundation and Brookings Institution attests to the consensus that consolidated oversight of DHS is needed. Among the concerns: More than 100 Congressional committees and subcommittees claim jurisdiction over it. In 2009, the department spent the equivalent of 66 work years responding to Congressional inquiries. Moreover, the messages regarding homeland security that come out of Congress sometimes appear to conflict or are drowned out altogether. As former DHS Secretary Michael Chertoff noted, "When many voices speak, it's like no voice speaks." The task force recommends that: DHS should have an oversight structure that resembles the one governing other critical departments, such as Defense and Justice. Committees claiming jurisdiction over DHS should have overlapping membership. Since a new committee structure cannot be implemented until the 114th Congress is seated in 2015, the task force also recommends these interim steps toward more focused oversight: Time-limiting subcommittee referrals to expedite matters of national security. Passing, for the first time since formation of the department in 2002, an authorization bill for DHS, giving the department clear direction from Congress.

    Technological Change in the Retirement Transition and the Implications for Cybersecurity Vulnerability in Older Adults

    Retirement is a major life transition, which leads to substantial changes across almost all aspects of day-to-day life. Although this transition has previously been seen as the normative marker for entry into older adulthood, its influence on later life has remained relatively unstudied in terms of technology use and cybersecurity behaviours. This is problematic as older adults are at particular risk of becoming victims of cyber-crime. This study aimed to investigate which factors associated with the retirement transition were likely to increase vulnerability to cyber-attack in a sample of 12 United Kingdom based older adults, all of whom had retired within the past 5 years. Semi-structured, one to one interviews were conducted and subsequently analysed using thematic analysis. Six themes were identified referring to areas of loss in: social interaction, finances, day-to-day routine, feelings of competence, sense of purpose, and technology support structures. We discuss the implications of these losses for building cyber-resilience in retirees, with suggestions for future research

    Mobile Privacy and Business-to-Platform Dependencies: An Analysis of SEC Disclosures

    This Article systematically examines the dependence of mobile apps on mobile platforms for the collection and use of personal information through an analysis of Securities and Exchange Commission (SEC) filings of mobile app companies. The Article uses these disclosures to find systematic evidence of how app business models are shaped by the governance of user data by mobile platforms, in order to reflect on the role of platforms in privacy regulation more generally. The analysis of SEC filings documented in the Article produces new and unique insights into the data practices and data-related aspects of the business models of popular mobile apps and shows the value of SEC filings for privacy law and policy research more generally. The discussion of SEC filings and privacy builds on regulatory developments in SEC disclosures and cybersecurity of the last decade. The Article also connects to recent regulatory developments in the U.S. and Europe, including the General Data Protection Regulation, the proposals for a new ePrivacy Regulation and a Regulation of fairness in business-to-platform relations