Cybersecurity Concerns Research Articles

Cybersecurity Concerns and Medical Devices

Cybersecurity Concerns and Medical Devices

The emerging role of the CISO

Against a background of board-level concern for cybersecurity, organizations are seeking to ensure the protection of their information assets and minimize the risk of a cybersecurity attack. These objectives place two particular demands on organizations: to appoint a suitable official to head up their information security operations, a CISO; and to ensure that the executive and board are appropriately informed of the organization's security status. In exploring the challenges that confront organizations in selecting a CISO, we drew on data from the U.S., Canada, and New Zealand. Two main issues were addressed. First, the organization has to be very clear on what it wants in terms of the job the CISO is expected to perform and the corresponding attributes that such an incumbent would need to possess. The CISO is a senior-level executive and rather than being a specialized technical expert, the CISO should be an excellent communicator. This will help address the second issue, which is how effectively the CISO can communicate with the board. Some suggestions are provided that serve to aid both effectiveness and efficiency. However, organizations need to embrace their concern about cybersecurity and build it into their selection criteria for board members.

Physical security and IT convergence: Managing the cyber-related risks

The convergence of physical security devices into the corporate network is increasing, due to the perceived economic benefits and efficiencies gained from using one enterprise network. Bringing these two networks together is not without risk. Physical devices like closed circuit television cameras (CCTV), card access readers, and heating, ventilation and air conditioning controllers (HVAC) are typically not secured to the standards we expect for corporate computer networks. These devices can pose significant risks to the corporate network by creating new avenues to exploit vulnerabilities in less-than-secure implementations of physical systems. The ASIS Information Technology Security Council (ITSC) developed a white paper describing steps organisations can take to reduce the risks this convergence can pose, and presented these concepts at the 2015 ASIS/ISC2 Congress in Anaheim, California.1 This paper expands upon the six characteristics described by ITSC, and provides business continuity planners with information on how to apply these recommendations to physical security devices that use the corporate network. 1Thayer, R., Martin, R., D’Agostino, S. and McCreight, T. Information Technology Security Council Series: Addressing Cyber Security Concerns in Physical Security, ASIS/ISC2 Annual Seminar and Congress, Anaheim California, Session 3209, 29 September 2015.

Game theoretic modeling of security and trust relationship in cyberspace

SummaryToday, online network services have evolved as the highest‐emergent medium, enabling various online activities to be lucrative. However, these lucrative activities also bring new forms of privacy threats to the community. In a reliable e‐business service, users should be able to trust the providers of the service to protect their customers' privacy. The service providers should not risk the personal and private information about their customers in cyberspace. There is an economic gain for a business provider when users trust the service provider. Despite those benefits, cyber security concern is the main reason some large organization may go bankrupted. Unfortunately, attackers may attempt to breach a provider's database and expose customers' private information. Therefore, in this paper, we propose a game theoretic framework for security and trust relationship in cyberspace for users, service providers, and attackers. Mathematical proofs and evaluations support our model. Service providers may use the model to see how important and dissuasive against attackers is when investing in cybersecurity. Copyright © 2016 John Wiley & Sons, Ltd.

Securing the Information and Communications Technology Global Supply Chain from Exploitation: Developing a Strategy for Education, Training, and Awareness

Introduction critical chains of government and industry are no longer simple and visible sets of links from raw materials to manufacturers to acquirers immune to outside threats. Supply chains for information and communications technologies (ICT)-enabled components, like other critical chains, have become more complex and dynamic, making it imperative to assure that the products delivered for the component, system, and mission do what they are intended to do, and nothing else. U.S. Department of Defense (DoD) and others in the federal government view this growing threat to the critical ICT as an emerging national security issue that deserves more attention across the enterprise. Global ICT risk is a new aspect of cybersecurity identified as a priority in the Comprehensive National Cybersecurity Initiative (2009) as Initiative 11: Develop a multi-pronged approach to global risk management. Additionally, Initiative 8: Expand cyber education led to the creation of the National Initiative for Cybersecurity Education (NICE) (2009) and its National Cybersecurity Workforce Framework (2012) that defines specialty areas; knowledges, skills, and abilities (KSAs); and competencies. Global ICT risk cuts across many of the framework's specialty areas and the workforce requirements for ICT risk are found in the tasks, KSAs, and competencies of each specialty area. This paper frames the key elements of global ICT security and its importance to government as well as private sector companies. It also discusses the foundations of an education, training, and awareness (ETA) effort for the DoD workforce, where none currently exist. A is defined as the set of suppliers that contribute to the content of a product or system (both hardware and software) or that have the opportunity to modify its content (Ellison & Woody, 2010). Supply risk is the process for managing risk by identifying critical systems, processes, and components; vulnerabilities; and threats throughout the chain, and developing mitigation strategies to combat those threats. According to the U.S. National Strategy for Global Supply Chain Security (January 2012), global systems rely upon an interconnected web of transportation infrastructure and pathways, information technology, and cyber and energy networks (p. 2). The is now recognized as a major cyber threat affecting development and operation of computer systems and not just a threat to the transportation of material and goods from supplier to purchaser (Filsinger, Fast, Wolf, Payne, & Anderson, 2012, p. 9). Private sector companies are increasingly concerned about malicious tampering of software and hardware and counterfeits that lead to loss of their intellectual property, interfere with the successful performance of their products, and potentially damage their brands and reputations. term supply risk management was selected by policy makers to describe this new aspect of cybersecurity; however, the term has different meanings in other communities. term commonly applies to the efficiency and logistical aspects of the chain, not the integrity of ICT or the risks associated with its exploitation. For this new national cyber security concern, the ETA effort, and this paper, the topic is managing the taking of risks associated with global ICT exploitation with a focus on product integrity and its significance to the design, systems engineering, and sustainment phases of the system life cycle. Statement of the Problem: Responding to the Global ICT Supply Chain Security Threats Federal IT systems are increasingly at risk of both intentional and unintentional compromise due to the growing sophistication of information and communications technologies (ICT) and the growing speed and scale of a complex, distributed global chain (Boyens, Paulsen, Bartol, Moorthy, & Shankles, 2012, p. …