71 research outputs found

    Towards risk-aware communications networking


    Improving resilience to cyber-attacks by analysing system output impacts and costs

    Cyber-attacks cost businesses millions of dollars every year, a key component of which is the cost of business disruption from system downtime. As cyber-attacks cannot all be prevented, there is a need to consider the cyber resilience of systems, i.e. the ability to withstand cyber-attacks and recover from them. Previous works discussing system cyber resilience typically either offer generic high-level guidance on best practices, provide limited attack modelling, or apply only to systems with special characteristics. There is a lack of an approach to system cyber resilience evaluation that is generally applicable yet gives detailed consideration to the system-level impacts of cyber-attacks and defences. We propose a methodology for evaluating the effectiveness of actions intended to improve resilience to cyber-attacks, considering their impacts on system output performance and their monetary costs. It is intended for analysing attacks that can disrupt the system function, and involves modelling attack progression, system output production, response to attacks, and costs arising from cyber-attacks and defensive actions. Studies of three use cases demonstrate the implementation and usefulness of our methodology. First, in our redundancy planning study, we considered the effect of redundancy additions on mitigating the impacts of cyber-attacks on system output performance. We found that redundancy with diversity can be effective in increasing resilience, although the reduction in attack-related costs must be balanced against added maintenance costs. Second, our work on attack countermeasure selection shows that by considering system output impacts across the duration of an attack, one can find more cost-effective attack responses than without such considerations. Third, we propose an approach to mission viability analysis for multi-UAV deployments facing cyber-attacks, which can aid resource planning and determine whether the mission can conclude successfully despite an attack. We provide different implementations of our model components, based on use case requirements.

    Information Security Requirements for B2B SaaS Providers

    To gain a competitive advantage, companies are increasingly willing to collaborate with other companies and share information between them (Karlsson et al. 2015). Outsourcing is a viable option for many companies, offering cost savings and improved efficiency; however, it does not come without risks to information security (Khidzir et al. 2010). Due to the current business environment of interorganisational collaboration, new threats are emerging in the space of information security. Collaborating with other companies introduces new threats by creating possibilities for non-compliant behaviour, intrusion, and exposure (Goodman and Ramer 2014). Therefore, organisations must now rely on partners to ensure information security is upheld on an interorganisational level (Karlsson et al. 2015). Within the field of information technology, cloud computing has grown to become one of the most dominant computing paradigms in recent years. According to some estimations, by 2024 more than 45 percent of companies' IT spending will consist of cloud computing solutions (Gartner 2019). The reason for cloud computing's rapid increase in popularity is its promise of bringing down costs while delivering the same, and potentially more, functionality as traditional information technology (Marston et al. 2011). However, information security concerns can be seen as one of the biggest challenges that the cloud computing paradigm must overcome for it to reach its full potential (Tipton et al. 2012). Therefore, in this increasingly connected and digital business environment, a fundamental challenge for companies is to meet information security requirements (Gordon et al. 2010). Organisations must adhere to both standard and organisation-specific information security guidelines to meet these requirements (Thalmann et al. 2012). Managing security in companies both providing and consuming services is no longer limited to internal services, systems, and infrastructure. Furthermore, companies providing services to other parties must also consider the requirements of their customers (Currie et al. 2001). I am conducting this research for a SaaS company, SoftCo, which operates in the enterprise software industry. The aim of this research was to understand what the most common information security requirements are for SaaS companies by analysing the customer questionnaires regarding information security of the subject organisation SoftCo. These findings are gathered into an artifact which includes the most important information security themes and questions from the analysed companies. This study was conducted as a qualitative study using document analysis to gather the data for identifying the information security themes. Additionally, I have evaluated the produced artifact according to the design science research method process by Peffers et al. (2007), where I compared the information security themes with the ISO/IEC 27001 standard for information security management. In this study I was able to determine 24 different information security themes that were important to customers of SoftCo and also show which of these themes were of most importance according to the questionnaires. Based on these themes, I identified three areas of information security which were highlighted in the questionnaires: the shift of administrative control from the customer to the service provider, ensuring business continuity and protection against external threats, and concerns regarding auditability and compliance of the service provided.

    Information Technology Service Continuity Practices in Disadvantaged Business Enterprises

    Disadvantaged business enterprises (DBEs) not using cloud solutions to ensure information technology (IT) service continuity may not withstand the impacts of IT disruption caused by human-made and natural disasters. The loss of critical IT resources leads to business closure and a resource loss for the community, employees, and families. Grounded in the technology acceptance model, the purpose of this qualitative multiple case study was to explore strategies IT leaders in DBEs use to implement cloud solutions to minimize IT disruption. Participants included 16 IT leaders in DBEs in the U.S. state of Maryland. Data were generated through semi-structured interviews and reviews of 10 organizational documents. Data were analyzed using inductive analysis, and three themes were identified: alignment with business requirements, sustaining business growth, and trust in cloud services. One recommendation is for IT leaders in DBEs to ensure cloud-based IT service continuity practices are built into all aspects of small business operation. The implications for positive social change include the potential for economic stability for families and environments that rely on the DBEs for continuing business and employment.

    Cloud technology options towards Free Flow of Data

    This whitepaper collects the technology solutions that the projects in the Data Protection, Security and Privacy Cluster propose to address the challenges raised by the working areas of the Free Flow of Data initiative. The document describes the technologies, methodologies, models, and tools researched and developed by the clustered projects, mapped to the ten areas of work of the Free Flow of Data initiative. The aim is to facilitate the identification of the state of the art of technology options for solving the data security and privacy challenges posed by the Free Flow of Data initiative in Europe. The document gives references to the Cluster, the individual projects, and the technologies produced by them.

    A cloud business intelligence security evaluation framework for small and medium enterprises

    Cloud business intelligence has practical importance in data management and decision-making, but its adoption and use among South African small and medium enterprises remain relatively low compared to large business enterprises. The low uptake persists irrespective of the awareness and acceptance of the benefits of Cloud business intelligence in the business domain. Cloud business intelligence depends on the cloud computing paradigm, which is susceptible to security threats and risks that decision-makers must consider when selecting which applications to use. The major objective of this study was to propose a security evaluation framework for Cloud business intelligence suitable for use by small and medium enterprises in small South African towns. The study utilised the exploratory sequential mixed-method research methodology with decision-makers from five towns in the Limpopo Province. Both qualitative and quantitative methods were used to analyse the data. The findings show that the level of adoption of Cloud business intelligence in the five selected towns was lower than reported in the literature, and that decision-makers were eager to adopt and use safe Cloud business intelligence, but were hindered by their inability to evaluate security in these applications. Factors preventing the adoption of Cloud business intelligence were decision-makers' limited knowledge of the applications and of security evaluation, the inability to use industry security frameworks and standards due to their complexity, mistrust of cloud service providers in meeting their obligations when providing agreed services, and lack of security specialists to assist in the evaluation process. Small and medium enterprises used unapproved security evaluation methods, such as relying on friends who were not information technology security specialists. A security evaluation framework and checklists were proposed based on the findings of the study and the best practices of the existing industry frameworks and standards. The proposed security evaluation framework was validated for relevance by information technology security specialists and for acceptance by small and medium enterprise decision-makers. The study concluded that the adoption and use of Cloud business intelligence were hindered by the lack of a user-friendly security evaluation framework and limited security evaluation knowledge among decision-makers. Furthermore, the study concluded that the proposed framework and checklists were a relevant solution, as they were accepted as useful for assisting decision-makers in selecting appropriate Cloud business intelligence for their enterprises. The main contribution of this study is the proposed security evaluation framework and the checklists for Cloud business intelligence, for use by decision-makers in small and medium enterprises in small South African towns in the Limpopo Province.
    School of Computing, Ph. D. (Information Systems)

    An investigation into Business Continuity Plan (BCP) failure during a disaster event

    Magister Commercii (Information Management) - MCom(IM)
    This thesis examines what a Business Continuity Plan (BCP) should comprise, the difference between a BCP and a Disaster Recovery Plan (DRP), the key elements of an effective BCP, and the different types of disasters. It also investigates why companies that have a BCP in place and conduct testing of their plan on a regular basis, either quarterly or bi-annually, still experience prolonged downtime during a disaster, resulting in Service Level Agreements (SLAs) not being met or major financial losses. It also inspects accepted processes within a BCP to determine whether there are ways of improving these processes to prevent companies from experiencing prolonged downtime. The objective of this research is to determine and understand: why organisations within the Western Cape experience prolonged downtimes during a disaster event, and the potential deficiencies in a BCP and how they can be amended. A case study of four companies based in the Western Cape was conducted. These companies were chosen because each of them has a BCP in place and each has experienced prolonged downtime during a disaster. Qualitative interviews with the aid of an open-ended questionnaire were used to interview the BCP or Risk Manager of each company. The data was analysed to determine what the causes of their prolonged downtime were during a disaster. In the analysis and findings, each company is presented as a separate case study. The intention of this research study is to add an additional concept to the Common BCP Process that was identified within this study and that formed the basis for the Conceptual Framework, thereby reducing the downtime during a disaster for the companies that formed part of the research.

    Forced Migration Review: Latin America and the Caribbean: building on a tradition of protection

    Forced Migration Review (FMR) provides a forum for the regular exchange of practical experience, information and ideas between researchers, refugees and internally displaced people, and those who work with them. It is published in English, Arabic, Spanish and French by the Refugee Studies Centre of the Oxford Department of International Development, University of Oxford.

    Data Privacy and Trust in Cloud Computing

    This open access book brings together perspectives from multiple disciplines, including psychology, law, information systems, and computer science, on data privacy and trust in the cloud. Cloud technology has fuelled rapid, dramatic technological change, enabling a level of connectivity never seen before in human history. However, this brave new world comes with problems. Several high-profile cases over the last few years have demonstrated cloud computing's uneasy relationship with data security and trust. This volume explores the numerous technological, process and regulatory solutions presented in the academic literature as mechanisms for building trust in the cloud, including the GDPR in Europe. The massive acceleration of digital adoption resulting from the COVID-19 pandemic is introducing new and significant security and privacy threats and concerns. Against this backdrop, this book provides a timely reference and organising framework for considering how we will assure privacy and build trust in such a hyper-connected, digitally dependent world. The book presents a framework for assurance and accountability in the cloud and reviews the literature on trust, data privacy and protection, and ethics in cloud computing.