From Cyber War to Cyber Peace
The encompassing trend of digitalisation and the widespread dependence on IT systems also trigger adjustments in military forces. Besides necessary enhancements of IT security and defensive measures for cyberspace, a growing number of states are establishing offensive military capabilities for this domain. Looking at historical developments and transformations due to advancements in military technologies, the chapter discusses the political progress made and the tools developed since. Both of these have contributed to handling challenges and confining threats to international security. With this background, the text assesses a possible application of these efforts to developments concerning cyberspace, as well as the obstacles that need to be tackled for it to be successful. The chapter points out political advancements already in progress, the role of social initiatives, such as the cyber peace campaign of the Forum of Computer Scientists for Peace and Societal Responsibility (FIfF), as well as the potential consequences of the rising probability of cyber war as opposed to the prospects of cyber peace.
- Research Article
32
- 10.1007/s40685-018-0071-5
- Aug 25, 2018
- Business Research
Emerging smart manufacturing technologies combine physical production networks with digital IT systems, resulting in complex smart factory networks, which are especially vulnerable to IT security risks, such as IT component non-availabilities. Companies must employ extensive IT security measures to secure their production facilities. However, complex network structures and inherent dependencies of smart factory networks complicate corresponding investment decisions and increase the need for appropriate decision support. We develop a risk assessment model that supports companies in the investment decision-making process regarding IT security measures by identifying and evaluating the most critical areas of the information network while considering the underlying production network. For this purpose, IT availability risks are quantified by means of graph theory, matrix notation, and value-at-risk. Our model provides a structured approach and considers network structures and interdependencies. The insights gained by our model present a profound economic basis for investment decisions on IT security measures. By applying our model in an exemplary real-world setting, we analyze various IT security measures and their risk reduction effect.
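The abstract above only names its three ingredients (graph theory, matrix notation, value-at-risk); the following is an added illustration of how those ingredients fit together for IT availability risk, not the authors' model or code. The network, the per-period failure probabilities of the IT components, the loss figures per production node and the "SCADA redundancy" measure are all constructed for the example. Edges point in the direction an outage propagates, the transitive closure of the adjacency matrix gives the production nodes each IT component can take down, and the loss distribution is computed exactly by enumerating all failure combinations, so VaR needs no sampling.

```python
"""Availability risk of a smart factory network: dependency graph, closure matrix, VaR.

Constructed example (not from the paper). An edge (u, v) means: if u is
unavailable, v becomes unavailable too.
"""
from itertools import product

# --- constructed network ------------------------------------------------------
IT_COMPONENTS = ["ERP", "MES", "SCADA", "PLC-A", "PLC-B"]
PRODUCTION = ["Press", "Weld", "Paint", "Assembly"]
NODES = IT_COMPONENTS + PRODUCTION

EDGES = [
    ("ERP", "MES"), ("MES", "SCADA"),
    ("SCADA", "PLC-A"), ("SCADA", "PLC-B"),
    ("PLC-A", "Press"), ("PLC-A", "Weld"), ("PLC-B", "Paint"),
    ("Press", "Assembly"), ("Weld", "Assembly"), ("Paint", "Assembly"),
]

# Constructed loss (say, kEUR) if a production node is down for the period.
LOSS = {"Press": 10, "Weld": 8, "Paint": 6, "Assembly": 20}

# Constructed per-period failure probability of each IT component.
BASE_FAILURE_PROB = {"ERP": 0.02, "MES": 0.03, "SCADA": 0.05,
                     "PLC-A": 0.08, "PLC-B": 0.08}


def adjacency_matrix(nodes, edges):
    idx = {n: i for i, n in enumerate(nodes)}
    a = [[0] * len(nodes) for _ in nodes]
    for u, v in edges:
        a[idx[u]][idx[v]] = 1
    return a


def transitive_closure(a):
    """Warshall's algorithm: r[i][j] == 1 iff node j is reachable from node i."""
    n = len(a)
    r = [row[:] for row in a]
    for k in range(n):
        for i in range(n):
            if r[i][k]:
                for j in range(n):
                    if r[k][j]:
                        r[i][j] = 1
    return r


def reachable_production(component, nodes=NODES, edges=EDGES):
    """Production nodes that become unavailable when `component` fails."""
    r = transitive_closure(adjacency_matrix(nodes, edges))
    i = nodes.index(component)
    return {nodes[j] for j in range(len(nodes)) if r[i][j] and nodes[j] in LOSS}


def criticality(component):
    """Loss caused by an outage of this single IT component (ranking criterion)."""
    return sum(LOSS[p] for p in reachable_production(component))


def loss_distribution(failure_prob, components=IT_COMPONENTS):
    """Exact loss distribution: enumerate all 2^n independent failure combinations."""
    impact = {c: reachable_production(c) for c in components}
    dist = {}
    for states in product([False, True], repeat=len(components)):
        prob, down = 1.0, set()
        for c, failed in zip(components, states):
            p = failure_prob[c]
            prob *= p if failed else 1 - p
            if failed:
                down |= impact[c]
        loss = sum(LOSS[p] for p in down)
        dist[loss] = dist.get(loss, 0.0) + prob
    return dist


def value_at_risk(dist, alpha):
    """Smallest loss L with P(loss <= L) >= alpha."""
    cumulative = 0.0
    for loss in sorted(dist):
        cumulative += dist[loss]
        if cumulative >= alpha:
            return loss
    return max(dist)


def expected_loss(dist):
    return sum(l * p for l, p in dist.items())


def evaluate_measure(changed_probs, alpha=0.90):
    """VaR and expected loss before/after a measure that lowers failure probabilities."""
    after = {**BASE_FAILURE_PROB, **changed_probs}
    before_dist, after_dist = loss_distribution(BASE_FAILURE_PROB), loss_distribution(after)
    return {
        "var_before": value_at_risk(before_dist, alpha),
        "var_after": value_at_risk(after_dist, alpha),
        "expected_before": expected_loss(before_dist),
        "expected_after": expected_loss(after_dist),
    }


if __name__ == "__main__":
    for c in sorted(IT_COMPONENTS, key=criticality, reverse=True):
        print(f"{c:6s} single-outage loss = {criticality(c)}")
    # Hypothetical measure: redundant SCADA server, failure probability 0.05 -> 0.01
    print(evaluate_measure({"SCADA": 0.01}, alpha=0.90))
    print(evaluate_measure({"SCADA": 0.01}, alpha=0.95))
```

Two things worth noticing when running it: the closure matrix ranks ERP, MES and SCADA equally (each can take the whole plant down) even though they sit at different depths, so structure rather than position drives criticality; and the SCADA measure lowers the 90% VaR but leaves the 95% VaR unchanged, because the tail is dominated by any one of the three upstream components failing. The confidence level chosen for VaR therefore decides which measures look worthwhile, which is exactly the kind of sensitivity a decision model of this sort has to expose.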
- Book Chapter
5
- 10.1007/978-3-658-25652-4_1
- Jan 1, 2019
Technological and scientific progress, especially the rapid development in information technology (IT), plays a crucial role regarding questions of peace and security. This textbook addresses the significance, potentials and challenges of IT for peace and security. For this purpose, the book offers an introduction to peace, conflict, and security research, thereby focusing on natural science, technical and computer science perspectives. It then sheds light on fundamentals (e.g. IT in peace, conflict and security, natural-science/technical peace research), cyber conflicts and war (e.g. information warfare, cyber espionage, cyber defence, Darknet), cyber peace (e.g. dual-use, technology assessment, confidence and security building measures), cyber arms control (e.g. arms control in cyberspace, unmanned systems, verification), cyber attribution and infrastructures (e.g. attribution of cyber attacks, resilient infrastructures, secure critical information infrastructures), and culture and interaction (e.g. safety and security, cultural violence, social media), before an outlook is given. This chapter provides an overview of all chapters in this book.
- Book Chapter
1
- 10.1007/978-3-642-38244-4_3
- Oct 4, 2013
Information Technology (IT) security is an issue which cannot be wished away by organizations and particularly by Small and Medium Enterprises (SMEs). SMEs should embrace IT security in order to realize the benefits of IT without compromising their IT security status. Much like any other business asset, information is an asset that needs to be strategically managed and protected. It is therefore imperative that SMEs understand the value of the information contained within their business systems and have a framework for assessing and implementing IT security. To address challenges faced by SMEs, especially in Kenya, this research establishes an Information Technology (IT) framework that can allow Kenyan SMEs to implement cost-effective security measures. In particular, this work considers IT security requirements and appropriate metrics. There is evidence from the research to suggest that, despite having some IT security measures in place, Kenyan SMEs still face serious IT security challenges. In the light of the challenges faced by Kenyan SMEs, this work recommends a framework which is supposed, among other things, to provide metrics for evaluating the effectiveness of implemented security measures. The framework is likely to assist SME stakeholders in measuring the effectiveness of their security enhancing mechanisms.
- Research Article
4
- 10.4236/jis.2017.83010
- Jan 1, 2017
- Journal of Information Security
This paper presents an innovative Soft Design Science Methodology for improving information systems security using a multi-layered security approach. The study applied Soft Design Science Methodology to address the problematic situation of how information systems security can be improved. In addition, Soft Design Science Methodology was combined with a mixed research methodology. This holistic approach enabled research methodology triangulation. The study assessed security requirements and developed a framework for improving information systems security. The study carried out a maturity level assessment to determine the security status quo in the education sector in Tanzania. The study identified the security requirements gap (IT security controls, IT security measures) using ISO/IEC 21827: Systems Security Engineering - Capability Maturity Model (SSE-CMM) with a rating scale of 0 - 5. The results of this study show that the maturity level across security domains is 0.44 out of 5. The findings show that the implementation of IT security controls and security measures for ensuring security goals is lacking or conducted ad hoc. Thus, for improving the security of information systems, organisations should implement security controls and security measures in each security domain (multi-layer security). This research provides a framework for enhancing information systems security during the capturing, processing, storage and transmission of information. This research has several practical contributions. Firstly, it contributes to the body of knowledge of information systems security by providing a set of security requirements for ensuring information systems security. Secondly, it contributes empirical evidence on how information systems security can be improved. Thirdly, it contributes to the applicability of Soft Design Science Methodology in addressing the problematic situation in information systems security.
The research findings can be used by decision makers and lawmakers to improve existing cyber security laws, and enact laws for data privacy and sharing of open data.
- Research Article
1
- 10.37419/jpl.v5.i1.2
- Oct 1, 2018
- Texas A&M Journal of Property Law
Exports of technology and items containing technical information are regulated by the United States government. United States export control regulations exist to help protect national security, economic, and political interests. United States defense industry companies manufacture products and develop technologies and information that the United States has a particular interest in protecting. Therefore, defense industry companies must comply with United States export control regulations when exporting items and information to their international partners and customers. An “export” not only includes shipments of hardware or other tangible assets to foreign end-users but also includes the sharing of certain types of information with foreign recipients in the form of phone conversations, emails, meetings, conferences, presentations, and so on. Many employees of defense industry companies travel internationally with company issued laptops and cellphones containing company information that could be viewed by foreign persons. All of these activities are considered exports and may require prior authorization from the United States government under export control regulations. Failure to follow export regulations could result in a violation requiring a report to the United States government that may result in civil penalties or criminal charges. Additionally, intentional as well as unintentional releases of information to certain foreign persons could be detrimental to a defense industry company’s business and reputation and may even result in security concerns for the United States. Although the government has an interest in regulating defense industry companies’ technology and information, critics argue that strong export control regulations may result in invasions of privacy, violations of free speech, and a displacement of the United States as a leader in a world of technological advancement. 
However, despite current regulations, defense industry information is still at risk of cyberattacks and inadvertent data releases, creating potential threats to national security and the security of company technology and information. In an effort to secure company and sensitive information while exporting, defense industry companies utilize encryption and other cybersecurity measures. Advancing technologies in cybersecurity can help the government and defense industry companies by bolstering the security of their information. These same advancements can also aid attackers in breaking through cybersecurity defenses. Some advances in technology are even preventing law enforcement from gathering necessary information to conduct investigations when cyber-attacks occur, making it difficult to identify criminal actors and seek justice. The United States government faces challenges in creating and updating regulations to keep up with consistently advancing technology. Likewise, defense industry companies must adhere to government regulations by creating robust compliance programs, but they should also implement security and compliance measures above and beyond what the government requires to ensure more effective security for their technology and information. This Article discusses the effect of advancing cyber technology; United States export regulations; reporting requirements related to the export of encrypted items; and encryption technology in the defense industry. First, the Article defines encryption and encrypted items. Second, the Article explains United States regulations of exports and specifically, regulations related to encryption and encrypted items. Third, the Article explains the need for defense industry companies to export and to use encrypted items. Fourth, the Article analyzes criticisms of export regulations and the differing views on United States controls.
Fifth, the Article will discuss the complexities of complying with export regulations and defense industry compliance programs. Sixth, the Article examines the outlook for encryption technology, the future of regulations related to cybersecurity, and the outlook for defense industry security measures and compliance with regulations. The United States government is beginning to recognize the need for more advanced security measures to protect domestically produced technology and information, especially information that puts national security at risk. Specifically, the technology and information produced by United States defense industry companies should be protected from getting into the hands of our foreign adversaries at all costs. In response to the growing need for security measures, the United States government has implemented new programs, commissions, agencies, and projects to create more robust security systems and regulations. The United States should employ the most talented and experienced cybersecurity professionals to innovate and produce security systems that protect our nation's most sensitive information. The government should then provide these systems to its defense industry companies at minimal cost and should require companies to use the best technology in their security measures. With or without the government's assistance, defense industry companies within the United States must also implement their own measures of protection. Current policies offer little protection of sensitive and export controlled information including encrypted items and information. In addition, the government should also provide the defense industry companies better guidance and access to resources in order to assist them in protecting the important information and encrypted items. For example, any new systems or software purchased by the United States should be made available to defense industry companies as the standard.
If the government truly wishes to protect its most important technology and information, it should provide the new systems at minimal cost to the defense industry. Advancements in security programs should be shared with defense industry companies as soon as they are available and ready for use. Nevertheless, the government may not want to provide defense industry companies with the best security technology because, in the event that the government needs to conduct an investigation, a company utilizing strong cybersecurity and encryption software is much more difficult to investigate. Alternatively, the United States could update current regulations to require that defense industry companies utilize specific security measures or face a penalty for failing to do so. Such regulation could require defense companies to implement more robust security programs with updated security software. This is a less effective solution, as the advancement in cyberattack technology increases so rapidly that reformed regulations will likely be outdated as soon as they are implemented. It makes more sense to require that defense companies implement the most updated software and programs determined by government security experts and cyber-security experts. Also, by allowing defense companies to decide which security companies they will work with, the defense companies obtain the option to shop for the best and most expensive program, or the company could choose the cheapest option, resulting in less efficient security. Cybersecurity regulations that are too specific run the risk of being outdated quickly, whereas broad requirements leave the option for companies to implement the lowest of security measures. Even if the government declines these suggested measures, defense industry companies should make the protection of their sensitive information and encrypted items a top priority.
This method would require complete buy-in from the senior management within the company and a thorough flow-down of cultural beliefs among its employees. A change in norms must be implemented, and defense industry personnel should be inundated with reminders on the importance of information security. Companies should provide employees with easy access to guidance, training, and assistance in handling, sharing, protecting, and exporting sensitive and export controlled information. Changing company culture takes time, and failure to change personnel beliefs will result in a lack of understanding and potential violations of export control regulations. In the worst cases, data spills and cyberattacks could result in the loss of sensitive or even classified information that could jeopardize national security. Huge unauthorized data releases of sensitive information will negatively affect a company's reputation, thus affecting its ability to generate revenue. The risks in using and exporting encryption technology and sensitive information should be a major concern for defense industry companies. This concern should motivate the government to invest significant resources into compliance programs. Resources such as dedicated and qualified personnel can create policy and procedure to ensure compliance with United States government regulations, and the procedures will provide guidance and training to all employees. In addition, companies should employ IT security, data security, and counterintelligence personnel to work with the compliance team in innovating preventive measures and in addressing any potential data releases and export violations. Immediate actions and counter measures should be prioritized not just among the compliance and security teams but should be a known, expected response from all employees. In other words, cybersecurity norms should be instilled company-wide and thoroughly policed from within the company.
How a company chooses to implement such measures remains discretionary, but a better resourced compliance department dedicated to implementing effective policies and responding quickly to potential issues will prevent export control violations and data releases of important information. Defense industry companies transfer export controlle
- Conference Article
3
- 10.1109/hicss.2016.701
- Jan 1, 2016
Although cost-benefit analyses are an important aspect of information technology (IT) security (ITS) management, previous research focuses largely on the customer perspective and neglects the supplier side. However, since ensuring a high level of ITS in modern IT products is typically associated with a large investment, customers' willingness to pay is essential for decision making in the context of IT product development. We draw on Kano's theory of attractive quality to analyze how customers generally evaluate implemented ITS safeguards. Based on expert interviews and a large-scale empirical study involving customer company decision makers, this paper demonstrates that different customer evaluations of ITS safeguards are associated with different levels of willingness to pay. Therefore, our results will enable IT suppliers not only to understand their customers' ITS needs but also to derive optimal ITS strategies, which may provide both economic and competitive advantages. Further theoretical and practical implications are also discussed.
- Conference Article
4
- 10.1109/issa.2015.7335053
- Aug 1, 2015
Information technology (IT) security, which is concerned with protecting the confidentiality, integrity and availability of information technology assets, inherently carries a significant amount of risk, some known and some unknown. IT security risk management has gained considerable attention over the past decade due to the collapse of some large organisations in the world. Previous investigative research in the field of IT security has indicated that, despite the efforts that organisations employ to reduce IT security risks, the trend of IT security attacks is still increasing. One of the contributing factors to poor management of IT security risk is that IT security risk management is often left to technical security technologists who do not necessarily employ formal risk management tools and reasoning. For this reason, organisations find themselves in a position where they do not have the correct approach to identify, assess and treat IT security risks. Employing a formal risk-based approach in managing IT security risk assists in ensuring that the risks that matter to an organisation are accounted for and, as a result, receive the correct level of attention. Defining an approach for how IT security risk is managed should be seen as a fundamental task, which is the basis of this research. The objective of this paper is to propose an approach for identifying, assessing and treating IT security risk which incorporates a robust risk analysis and assessment process. The risk analysis process aims to make use of a comprehensive IT security risk universe which caters for the complex and dynamic nature of IT security. The research will contribute to the field of IT security by using a consolidated approach that utilises coherent characteristics of the available qualitative risk management frameworks to provide a stronger approach that will enable organisations to treat IT security risk better.
- Book Chapter
6
- 10.1016/b978-044451608-4/50024-9
- Jan 1, 2007
- The History of Information Security
23 - IT security and IT auditing between 1960 and 2000
- Research Article
29
- 10.1016/j.segan.2022.100821
- Jun 23, 2022
- Sustainable Energy, Grids and Networks
On using contextual correlation to detect multi-stage cyber attacks in smart grids
- Research Article
17
- 10.2196/11211
- Mar 25, 2019
- JMIR Medical Informatics
Background: Traditionally, health information has been mainly kept in paper-based records. This has deeply changed throughout approximately the last three decades with the widespread use of multiple health information technologies. The digitization of health care systems contributes to improving health care delivery. However, it also exposes health records to security and privacy breaches inherently related to information technology (IT). Thus, health care organizations willing to leverage IT for improved health care delivery need to put in place IT security and privacy measures consistent with their use of IT resources. Objective: In this study, 2 main objectives are pursued: (1) to assess the state of the implementation of IT security and privacy practices in European hospitals and (2) to assess to what extent these hospitals enhance their IT security and privacy practices as they move from paper-based systems toward fully electronic-based systems. Methods: Drawing on data from the European Commission electronic health survey, we performed a cluster analysis based on IT security and privacy practices implemented in 1723 European hospitals. We also developed an IT security index, a compounded measure of implemented IT security and privacy practices, and compared it with the hospitals' level in their transition from a paper-based system toward a fully electronic-based system. Results: A total of 3 clearly distinct patterns of health IT-related security and privacy practices were unveiled.
These patterns, as well as the IT security index, indicate that most of the sampled hospitals (70.2%) failed to implement basic security and privacy measures consistent with their digitization level. Conclusions: Even though, on average, the most electronically advanced hospitals display a higher IT security index than hospitals where the paper system still dominates, surprisingly, it appears that the enhancement of IT security and privacy practices as health information digitization advances in European hospitals is neither systematic nor strong enough regarding the IT security requirements. This study will contribute to raising awareness among hospital managers as to the importance of enhancing their IT security and privacy measures so that they can keep up with the security threats inherently related to the digitization of health care organizations.
- Research Article
- 10.29210/020244896
- Dec 13, 2024
- JPPI (Jurnal Penelitian Pendidikan Indonesia)
The study aims to explore and analyze the reliability and security of information technology (IT) in local government financial reporting in Indonesia. IT reliability and security are important factors in financial management, as reliable and secure information supports decision-making, attracts investment and builds public trust. However, threats to IT reliability and security can lead to negative consequences, such as data inaccuracies or the risk of information leakage. This research uses a qualitative approach with case studies on two local governments that have adopted IT in the financial reporting process. Data were obtained through in-depth interviews, observations and document reviews. The analysis focused on the impact of IT reliability and security on financial administration performance. The results show that improving IT reliability and security has a significant positive impact on local government financial management. Concrete impacts include increased public trust, operational efficiency and financial accountability. IT system reliability enables fast and accurate data processing, while IT security protects sensitive information from cyber threats. This research makes an important contribution by supporting previous research and expanding the discussion on the relationship between IT security and public trust, which has previously been less explored. The practical implications include recommendations for strengthening regulations and budget allocations for better IT infrastructure, as well as guidance on effective IT implementation strategies. The findings confirm that IT reliability and security are key elements in building a transparent and efficient local government administration system.
- Supplementary Content
1
- 10.26083/tuprints-00018901
- Jan 1, 2021
- Publications of Darmstadt Technical University, Institute for Business Studies (BWL)
Digital transformation has established itself as an omnipresent term in the new millennium. Often considered synonymous with the so-called Fourth Industrial Revolution, the term describes the convergence of information technology and the ubiquity of data in private life as well as in business and social lives. Inherent to the term "revolution" is radical change and the upheaval of existing processes and relationships. Translated into a business context, revolution leads to the transformation of business models and established work processes as well as the increasing dependence on data and new technologies. In times of digital transformation, managers and organizational decision-makers are faced with constant, potentially business-critical, decisions regarding these new technologies and the maintenance of information and data security. The analysis of management decisions, therefore, plays a crucial role in comprehending and researching digital transformation. This dissertation, therefore, seeks to improve our understanding of decision-making processes regarding the adoption of cloud computing solutions and data protection measures as well as investments in information technology (IT) security in primarily small and medium-sized enterprises. Article A examines the influence of status quo bias and reference dependency in the decision to adopt cloud computing solutions. Based on the tenets of prospect theory, findings suggest that rather inexperienced decision-makers are taking their evaluation of the existing technology more into account when assessing a cloud-based replacement technology. As a consequence, status quo thinking leads to a more negative assessment of the new technology, which hinders its potentially beneficial introduction to the organizational IT service architecture. Article B investigates decision-making processes related to end-user data protection measures and the impact of psychological ownership on the motivation to protect data. 
In a questionnaire study and based on the protection motivation theory, the influence of psychological ownership on the decision-making behavior of individuals in both private and work contexts is analyzed. The results demonstrate that psychological ownership exerts a stronger impact on the protection motivation of participants in a private context. The analysis further indicates that employees partly relinquish their responsibility regarding security responses to protect data in their work context. Fostering feelings of psychological ownership could possibly counteract such detrimental effects and improve the adoption of data protection measures in a work context. In Article C, the previously demonstrated cognitive and behavioral aspects of decision-making are contextualized into a holistic conceptual framework. Based on a comprehensive literature analysis and an interview study, this study finds that decisions regarding IT security in companies are influenced by organizational, economic, environmental, cognitive, and behavioral aspects. The literature analysis further demonstrates that existing research still emphasizes economic aspects based on the assumption of purely rational decision-makers. Studies that shed light on IT security decisions from a behavioral, environmental or organizational perspective are significantly less frequent, although the analysis of the expert interviews emphasizes the influence of these aspects. Article D validates that decision-makers in companies are influenced by a variety of aspects when making investment decisions in IT security. The studies of both Article D and Article E aim at decision-makers from small and medium-sized enterprises (SMEs), since an in-depth literature review of existing research in the area of organizational IT security indicates that organizational IT security in SMEs has been largely neglected. 
The analysis of expert interviews conducted with SME decision-makers, however, indicates that the implications of existing research can be transferred only to a limited extent due to unique constraints and their influence on decisions in the SME context. The studies, therefore, investigate and validate the impact of these SME-specific constraints on IT security decisions. The findings imply that investment decisions with regard to organizational IT security are strongly influenced by SME-specific characteristics such as insufficient IT budget planning, undocumented processes, or multiple roles due to lack of resources. Consequently, this dissertation provides valuable insights for both practice and research regarding typical and frequent decision-making processes in the context of digital transformation. In particular, its examination of the influence of biases and non-rational aspects in the decision-making process regarding new technologies or measures to ensure their security, as well as of the effects of SME-specific constraints, demonstrates and emphasizes the need for further behavioral research in technology adoption and IT security.
- Research Article
32
- 10.1108/ics-02-2016-0013
- Jul 10, 2017
- Information & Computer Security
Purpose: The aim of this study is to advance research on the position of the CISO by investigating the role that CISOs play before and after an IT security breach. There is a dearth of academic research literature on the role of a chief information security officer (CISO) in the management of Information Technology (IT) security. The limited research literature exists despite the increasing number and complexity of IT security breaches that lead to significant erosions in business value. Design/methodology/approach: The study makes use of content analysis and agency theory to explore a sample of US firms that experienced IT security breaches between 2009 and 2015 and how these firms reacted to the IT security breaches. Findings: The results indicate that following the IT security breaches, a number of the impacted firms adopted a reactive plan that entailed a re-organization of the existing IT security strategy and the hiring of a CISO. Also, there is no consensus on the CISO reporting structure, since most of the firms that hired a CISO for the first time had the CISO report either to the Chief Executive Officer or the Chief Information Officer. Research limitations/implications: The findings will inform researchers, IT educators and industry practitioners on the roles of CISOs as well as advance research on how to mitigate IT security vulnerabilities. Originality/value: The need for research that advances an understanding of how to effectively manage the security of IT resources is timely and is driven by the growing frequency and sophistication of IT security breaches as well as the significant direct and indirect costs incurred by both the affected firms and their stakeholders.
- Research Article
24
- 10.1007/s10796-017-9807-6
- Oct 30, 2017
- Information Systems Frontiers
Firms have increasingly invested in information technology (IT) security to protect their information resources. Nevertheless, deciding when to invest in IT security is rather difficult for executives because of the irreversibility of spending and the uncertainty of IT security investment performance. A review of the literature on IT security investments reveals that previous studies largely neglected the strategy and timing of investments. Based on real options theory, this research examines IT security investments for the commercial exploitation strategy versus the IT security improvement strategy in terms of proactive and reactive investments. An event methodology is used to estimate the effect of IT security investment timing on the stock performance of the investments. Our results show that reactive investments for IT security improvement and proactive investments for commercial exploitation earn positive abnormal returns. Moreover, the market reacts more positively to aligned than to misaligned IT security investments. The implications of the research findings are presented and discussed.
- Book Chapter
- 10.1007/3-540-28428-1_15
- Jan 1, 2006
The introduction of new, innovative business models for in-vehicle m-commerce requires the application of advanced IT security measures and has strong economic implications. In this article, the authors analyze the most important IT security and economic implications using the practical example of an innovative business system for navigation systems and location-based services. This in-vehicle m-commerce business system has been introduced by one of the leading suppliers of aftermarket navigation systems. The analysis shows that when innovative in-vehicle services are introduced, revenue generation may shift from hardware devices to service revenues, and new competitors become relevant. They offer, for example, user-centric services with the help of mobile devices. A basic requirement of the sketched developments is the application of advanced IT security measures such as Digital Rights Management systems.