Login Signup
Verified Document

Cybersecurity As An Organizational Strategy An Ethical And Legal Perspective Research Paper

Related Topics:
Cyber Security Competitive Strategies Information Assurance Cyber Crime
Open Document Cite Document

Cybersecurity as an Organizational Strategy: An Ethical and Legal Perspective Cybersecurity as Organizational Strategy

Across the board -- in business, society, and government -- the promise of cyber capabilities are matched by potential peril. The cyber environment is never static, but it is perhaps most agile in response to the continual stream of emerging cyber threats and realized cyber attacks ("PCAST," 2007). Cybersecurity must be agile. The challenges that must be met in order to secure the cyber realm for all of its legitimate constituents are enormous. Cybersecurity issues are organic, adapting to an evolving environment with the sensitivity and responsiveness of an invading microorganism. Though not to abuse the parallel to medical science, the best defenses against invading cyber threats are information and preparation. As such, cybersecurity can be characterized as technology plus network security plus information assurance ("Booz Allen Hamilton," 2011).

Strategic integration of cybersecurity efforts is measured by the degree to which it is integrated into enterprise risk management (ERM), overall mission assurance activities, and any associated internal and external security strategies (Bodeau, et al., 2010). The level of integration is typically expressed as follows: (a) No integration, in which each business process or program articulates its own security strategy; (b) consistency, in which the cybersecurity authorities with oversight for a different business units, missions, or risk domains work to ensure the implementation of cybersecurity strategy in their own arena and do not preclude implementation of cybersecurity strategy in any other arena; ( c) coordination, in which the authorities who are responsible for different cybersecurity strategies collaborate to execute the planning in order to more effectively leverage the resources of the enterprise; and, (d) full integration, in which there is an overarching and enterprise-wide mission assurance strategy that includes every domain of the enterprise mission, and is also effective across the larger critical infrastructure in the sector of which the enterprise may be a part (Bodeau, et al., 2010). As such, strategic integration refers specifically to the degree with which an enterprise's cybersecurity strategy aligns with, is informed by, or otherwise relates to other risk management strategies in the organization (Bodeau, et al., 2010). Typically, these cybersecurity strategies address the following: acquisition management, architecture, business continuity, mission assurance, and program management (Bodeau, et al., 2010). In the section of this paper entitled "Practical recommendations for cybersecurity strategy," integration is recommended as a key factor in effective cybersecurity strategy (Bodeau, et al., 2010).

Cybersecurity as an organizational strategy. The execution of cybersecurity is complex and multi-dimensional -- and, for many enterprises today, it is key to competitive strategy ("PCAST," 2007). Organizational cybersecurity solutions must be multi-faceted, capable of enhancing enterprise readiness and response while maintaining a robust focus on risk mitigation ("PCAST," 2007). The literature on cybersecurity spans a wide array of organizational types, including those in civil and commercial sectors of finance, energy, health, and technology, the defense industry, and national security agencies ("PCAST," 2007). This discussion will primarily present information related to cybersecurity as an organizational strategy.

Legal, ethical, and technical cybersecurity considerations. The legal aspects of cybersecurity are complex, so complex, in fact, that there are multiple categories that must be coordinated and eventually harmonized into a functioning legal framework (Schjolberg & Hubbard, 2005; Spinello, 2011). These categories include several types of governmental action: legislative efforts, judicial efforts, and criminal enforcement efforts. Under the legislative considerations of cybersecurity, there are additional legal categories, including substantive, procedural, mutual legal assistance, and protection of individual rights (Schjolberg & Hubbard, 2005; Spinello, 2011). The federal government and individual states may also enact laws that address cybercrime (Spinello, 2011).

At an international level, a number of official stakeholders have directed efforts to combating cybercrime through harmonizing and coordinating their efforts on a global scale (Schjolberg & Hubbard, 2005). The cybersecurity issue has become a focus for the following international organizations: United Nations (UN), International Telecommunications Union (ITU), Organization for Economic Co-operation and Development (OECD), European Union (EU) and Council of Europe (CoE) (Schjolberg & Hubbard, 2005).

Many professional organizations have codes of conduct for their members (Baase, 2008). ACM and IEEE-CS have developed the Software Engineering Code of Ethics (Baase, 2008). It is important to recognize that professional ethics are just part of the job (Baase, 2008). It is important to be honest when working with client -- or when conducting professional duties -- about capabilities, safety, and limitations of software (Baase, 2008).

While the cybersecurity industry is itself subject to innumerable laws and ethical considerations, research...

In fact, the legal environment constrains cybersecurity research by enacting specific and outright prohibitions and also ambiguous uncertainties that make the entire prospect seem too costly and scientific sharing of outcomes risky (Schjolberg & Hubbard, 2005). The laws dealing with communications privacy have established social barriers and sanctions against violating data confidentiality (Schjolberg & Hubbard, 2005). The fit between social expectations and network privacy in practice is not a good one, a problem that underscores the need of many network providers to avoid granting access to researchers -- the potential legal risk, reputational risk, and overall expense appear prohibitive (Schjolberg & Hubbard, 2005).
IT, cybersecurity, and organizational performance. Government agencies are not the only entities threatened by adversaries determined to disrupt operations or steal military intelligence. Business enterprises are also targets of competitors that seek to steal intellectual property, penetrate financial databases, and breakdown competitive advantage ("PCAST," 2007). The economic viability of business enterprises strongly depends on the ability to look beyond communications and information technology management and assume a broader view that, pointedly, indicates an ability to move beyond reacting to cyber attacks and effectively anticipate new threats ("Lynch, 2011). An effective cybersecurity effort will be characterized by the following: (a) Establishment of layered defense against threats; (b) Fostering a complete recognition of the enterprise's vulnerabilities; ( c) react to, constrain, and cripple cyber attacks that do get through; (d) evolve in response to compliance requirements; and (e) establish quick, deep learning from experience ("PCAST," 2007). The role of IT can be as essential as providing the support for an operational surge or providing the flexibility to rapidly deploy new technology (Lynch, 2011).

As with any continuous improvement initiative an enterprise might adopt, enterprises must prepare to evolve their learning through experience, but preferably through the best available intelligence in the industry. An enterprise must be positioned to effectively protect its assets, its competitiveness, its financial viability, and its competitiveness (Lowell, 2011). Enterprise stewardship requires the discipline to prioritize expenditures and investments, of which, cybersecurity must be carefully positioned in the list of considerations due to the enormity of its potential impact on the organization ("PCAST," 2007). Increasing dependence on communications and information technology (CIT) for ordinary enterprise activity points to a greater reliance on enterprise cybersecurity defenses. Certainly a degree of resources must be diverted from direct revenue production when an enterprise determines to invest in mature cyber diagnostics and to strengthen the organization's cybersecurity position and posture (Gordon, 2010). Yet, a proactive stance that enables anticipating and preparing for cyber events can avoid more costly and damaging post-cyber attack recovery (Gordon, 2010). The costs of insufficient preparation for inevitable cyber events and/or a lack of investment in cybersecurity can be devastating to an enterprise (Gordon, 2010). The impact of successful cyber attacks will vary depending largely on an organization's dependence on technology (Gordon, 2010). Essentially, this means that not all organizations will commit to the same degree of cybersecurity investment (Lowell, 2011). Nevertheless, an enterprise must determine how to integrate the elements of their cybersecurity initiative in order to: (a) Identify vulnerabilities; (b) provide quick and effective responses to mitigate cyber events; ( c) utilize cyber diagnostics that help to generate risk insights; (d) develop a cybersecurity plan that results in an evolved and enhanced organizational cybersecurity posture; and, (e) provide for the opportunity of evolutionary remediation strategies (Gordon, 2010).

It is essential for enterprises to think about cybersecurity spending in much the same manner that they assess other costs and benefits (Gordon, 2010). It is entirely appropriate to apply an economic framework to cybersecurity expenditures so that enterprises may arrive at spending levels that are within budget. To take this tack will essentially force business to consider and prioritize resource allocation for the greatest possible impact and efficiency (Gordon, 2010). It is unfortunate that most organizations do not take an economic tack to cybersecurity expenditures, driven as they are by the exigencies of the environment and marketing rhetoric (Gordon, 2010). It is difficult for enterprises to recognize that cybersecurity is not necessarily a special category and that normal economic principles do apply to cybersecurity decision making (Gordon, 2010). Businesses mistakenly assume that the benefits and drawbacks associated with cybersecurity expenditures cannot be quantified or monetized (Gordon, 2010). Gordon asserts that, "[w]hen it comes to national security, this 'nonquantifiable benefits argument' is especially deafening -- and flat-out wrong" and that while it is arguably "difficult to quantify the benefits…

Continue Reading...
Sources used in this document:
References

Baase, S. (2008) . Gift of fire: Social, legal, and ethical issues for computing and the Internet, (3rd ed.). Upper Saddle River, NY: Pearson / Prentice Hall.

Bodeau, D., Boyle, S., Fabius-Greene, J., and Graubart-R. (2010, September). Cyber security governance: A component of MITRE's Cyber Prep Methodology. MITRE Technical Report. The MITRE Corporation. {Paper presented at the ITS Montreal 2008.

Burstein, A.J. (2008, April). Conducting cybersecurity research legally and ethically. Berkeley School of Law, 18, 42. [Post]. University of California, Berkeley, CA. Retreived http://static.usenix.org/event/leet08/tech/full_papers/burstein/burstein_html/

Goodman, M. (2011, November). What business can learn from organized crime. Harvard Business Review, [Web page]. Cambridge, MA: Harvard Business Review. Retrieved http://hbr.org/2011/11/what-business-can-learn-from-organized-crime/ar/1
Gordon, L.A. (2010, December 3) Cybersecurity: How much is too much? Retrieved http://www.bizjournals.com/washington/print-edition/2010/12/03/cybersecurity-how-much-is-too-much.html?page=all
Lynch, J. (2012, October). Hogan Lovells hosts Law Review's cybersecurity symposium in Washington, D.C. [Post]. Chronicle of Data Protection. Washington, D.C.: Hogan Lovells. Retreived http://www.hldataprotection.com/2012/10/
____. (2007, August) PCAST Report, Leadership Under Challenge: Information Technology R&D in a Competitive World. Retrieved http://search.whitehouse.gov/search?affiliate=wh&query=cybersecurity++literature&submit.x=41&submit.y=13&form_id=usasearch_box
Cite this Document:
Copy Bibliography Citation

Related Documents

Essay
Security Privacy and Ethics in the Surveillance State
Words: 6863 Length: 23 Document Type: Research Paper

Physical Security in Public AreasAbstract/SummaryThis paper examines the effectiveness of physical security measures in public areas, by looking at spaces such as schools, airports, stadiums, and malls. It discusses current strategies, including surveillance cameras, metal detectors, and access control systems. It also examines the need customized approaches since all spaces are different. Schools require security that balances safety with an open, welcoming environment, whereas airports can use stricter, more invasive

Read More
Essay
How Public Sector Information Managers Respond to Threats and Challenges...
Words: 2117 Length: 7 Document Type: Research Paper

CHALLENGES AND BIBLICAL PRINCIPLES IN MANAGING INFORMATIONToday, public sector information managers are responsible for the collection, organization, maintenance, and dissemination of information by their respective government agencies and other public organizations. This role has assumed new importance and relevance in recent years as the flow of information continues to intensify. The purpose of this paper is to provide a review of the scholarly literature concerning the ethical and legal issues

Read More
Essay
How Isps Code Has Impacted Maritime Security
Words: 2170 Length: 8 Document Type: Essay

ISPS Code on Maritime Security Shipping is a business that has experienced rapid development in the past five decades as reflected in its increase by more than 450% during this period. The increase in shipping activities implies that nearly 90% of the global trade volumes are carried out by sea since a huge number of ships have to transport cargo between different ports. The increased use of ships to transport

Read More
Essay
Small Business Taking a Small Clothing Store
Words: 1339 Length: 4 Document Type: SWOT

Small Business Taking a small clothing store to the online world is a bold proposition. There are a few strengths that this store can draw upon to help it succeed. The first is the name recognition of the Jersey Shore -- people actually know where it is now and that will help the store by putting it into some context. (We will assume that the context is good, at least for

Read More
Essay
Cyber-Citizen, USA Cyber-Citizen USA the
Words: 5130 Length: 20 Document Type: Research Paper

The fact that industrial control systems may be vulnerable to infiltration by other citizens, or international parties puts laws pertaining to intersection of systems transmission at the forefront of priorities for us all. At present, telecommunications interference of private citizens holds an up to a five-year prison sentence by U.S. federal law. How cyberterrorism is addressed, when the stakes are heightened, leaves a whole host of opportunities for citizens, and

Read More
Essay
Cyber Espionage
Words: 4895 Length: 16 Document Type: Case Study

Abstract Cyber espionage has become a critical component of modern cyber warfare as nation-states increasingly rely on cyberspace. However, cyber espionage had generated concerns regarding its acceptability given its potential threats to national security. This qualitative case study research explores the proposition that cyber security should be deemed an acceptable state behavior while cyber attack is unacceptable. This study seeks to answer the question, “How is cyber espionage an acceptable state

Read More

Sign Up for Unlimited Study Help

Our semester plans gives you unlimited, unrestricted access to our entire library of resources —writing tools, guides, example essays, tutorials, class notes, and more.

Get Started Now