The Growing Importance of the Non-Code Aspects of Cybersecurity

1 The Growing Importance of the Non-Code Aspects of Cybersecurity
Professor Peter Swire, Scheller College of Business
DePaul Hosier Lecture, February 7, 2019

2 The Challenge
- Cybersecurity management, law, and policy have a confusing, overwhelming jumble of issues to cover
- How can we teach that jumble? Is there a way to organize the material to bring clarity to the field?
- Can that lead to better responses to overall cybersecurity threats?
- "Real" cybersecurity, for computer scientists:
  - "Real" cybersecurity is about writing code and doing technical work
  - The "soft" issues have not been central to the task of "real" cybersecurity
  - Vague approval of "inter-disciplinary" studies for cybersecurity, but with a lower priority than "real" cybersecurity

3 Published 9/26/18

4 The Non-Code Aspects of Cybersecurity
- The CACM paper and this project propose a new conceptual framework
- Organizes numerous, important, non-technical cyber issues
- Presents the curriculum and issues in ways that make sense to both technical and non-technical audiences in cybersecurity

5 Theme of New Article: Growth in Non-Code Cybersecurity
“Real” cybersecurity today devotes enormous effort to non-code vulnerabilities and responses. The Cybersecurity Workforce Framework of the National Initiative for Cybersecurity Education lists 33 specialty areas for cybersecurity jobs. Ten of the specialty areas primarily involve code, but more than half primarily involve non-code work (15 areas, in my estimate) or are mixed (eight areas, per my assessment).

6 The Genesis of this Project
- MGMT/CoC/PubPol 4726/6726 "Information Security Strategies and Policy"
- I am now teaching this course for the sixth time
- Required for the Masters in Information Security
- How do all the pieces of this course fit together? Now, 3 parts of the course:
  - Corporate cybersecurity policies and governance, e.g., draft a ransomware policy for a hospital group
  - Government laws/regulations, e.g., proposed state legislation to require corporate cybersecurity minimums
  - Nation state and international, e.g., draft a National Security Council memo on cyberthreats from Russia and policy options to respond

7 (image slide; no transcript text)

8 Seven Layers of the OSI “Stack”
In my experience, these seven layers are well known to knowledgeable computer people who work on cybersecurity. Intuitively, they also know that cyber-attacks can happen at any of these 7 layers.

9 (image slide; no transcript text)

10 Layers 8, 9, and 10: Natural Language
Layer | Actor | Medium | Instrument
Layer 10 | International | Natural language | Diplomacy
Layer 9 | Governmental | Natural language | Law
Layer 8 | Organizational | Natural language | Contracts
Layers 1-7 | OSI stack | Computer code | Various protocols

11 Layer 8: Cyber within Organizations: Management & Business Schools
Examples of cyber law and policy at Layer 8, in three columns:
- 8A, Within the Organization: incident response plans and other internal policies; training; cyber hygiene; roles, such as CISO; users' precautions
- 8B, Relations with Other Actors: vendor and other contracts and their management; cyber-insurance; private-sector information sharing (ISACs)
- 8C, Other Limits on the Private Sector: PCI-DSS and other industry standards; technical standards such as IETF

12 Layer 9: Government Layer: Law Schools & Public Policy Schools
Examples of cyber law and policy at Layer 9, in three columns:
- 9A, Within the Organization (government regulation of business): HIPAA, GLBA, and other cyber rules (80+ countries); data breach laws spreading; rules limiting strong encryption; what counts as a computer hacking crime?
- 9B, Relations with Other Actors: public-private partnerships and information sharing
- 9C, Limits on Government: constitutional and statutory limits on what the state can do, such as illegal surveillance

13 Layer 10: International Layer: International Relations Schools
Examples of cyber law and policy at Layer 10, in three columns:
- 10A, Within the Nation: unilateral cyber actions, on a spectrum from war to "cyber-peace"; deterrence against aggressive cyberattacks
- 10B, Relations with Other Nations: formal treaties and less formal agreements, such as the US/China trade secrets agreement; cooperation with other nations on attacks and defense
- 10C, Other Limits on Nations: possible supra-national rules, such as by the UN or ITU (China and Russia favor this)

14 Where do Users fit?
- A user is not a government or an international actor
- I suggest part of Layer 8
- Private sector actors range from individual users/sole proprietorships to modest size to large organizations
- Users lack an IT department and a general counsel, and face lots of risks
- 8A: "Within the household": how the individual/family manages
- 8B: "Relations with other actors": terms of service, identity theft insurance, hiring the Geek Squad
- Users are likely a big concern at 9A (government regulation of business), such as HIPAA, GLBA, and consumer protection

15 Potential for the Cyber Curriculum
- Helps describe which topics are done in which course:
  - Mostly international relations and cyber norms: course covers 10A, 10B, and 10C, with some Layer 9
  - Mostly corporate governance for CISOs: lots of 8A and 8B, with a little bit of the others
- An overall curriculum could determine how full the coverage is of the 3x3 matrix
- Can also shift from a project course (reacting to new developments) to a lecture course or treatise/manual: a module on each cell of the 3x3 matrix, with typical vulnerability and governance issues for each cell
  - For instance, 9A: compare market approaches to HIPAA or GLBA; if governed badly, then sensitive data is breached

16 New definition of cybersecurity “policy”
- Computer scientist definition of "policy" = everything that is not code
- Public policy, business school, law and policy schools, international relations: multiple parts of the university, so the vague term "policy" does not match the intellectual disciplines that cybersecurity now requires
- Hopefully, bring a sense of order and understanding to the current jumble
- Which, in turn, would lead to better cybersecurity

17 Research agenda for cybersecurity
- Each cell in the 3x3 matrix has characteristic research questions
- 8B: uses and limits of cybersecurity insurance (contracts among companies)
- 9A: law and political science questions on the mix of markets and regulation to achieve cybersecurity
- 10C: role of supranational institutions

18 Practitioner implications
- The cybersecurity team is used to thinking about layers 1 to 7
- With the expanded OSI stack:
  - Spot the risks and mitigations for each part of layers 8 to 10
  - Define the skill sets needed for your team
  - Draw on the relevant expertise in organizational behavior, law, and international relations as needed

19 Conclusion: Contributions of the 10-layer stack
- A parsimonious structure to organize the jumble of issues now crowding into cyber law, policy, and business courses
- In my class, we discuss every issue in 3 charts
- For students, teachers, and practitioners, a way to keep the many issues straight
- Attacks can happen at layers 8, 9, and 10, if the company has bad policies, the nation has bad laws, or the international community does not prevent attacks
- Vulnerabilities at layers 8, 9, and 10 are thus fundamentally similar to vulnerabilities at layers 1 to 7
- Computing and business students, by the end of the course, agree that a large part of the current cyber threat is at these layers
- In short, we need this new theory of the non-code aspects of cybersecurity, to help students, teachers, researchers, practitioners, and policy-makers

