Similar literature
 20 similar documents found; search time 31 ms
1.
2.
《Business Horizons》2016,59(3):257-266
Data breaches are becoming more frequent and more damaging to the bottom line of many businesses. The Target data breach marked the beginning of increased scrutiny of cybersecurity practices. In the past, data breaches were seen as a cost of doing business, but Target's negligence and the scale of the data loss forced businesses and the courts to reevaluate current practices and regulatory frameworks. Businesses must make strategic use of their chief information officers, adopt cybersecurity best practices, and effectively train their employees to respond to growing security threats. They must also shape the cybersecurity narrative to influence regulatory responses to these threats.

3.
《Business Horizons》2016,59(6):585-591
Against a background of board-level concern for cybersecurity, organizations are seeking to ensure the protection of their information assets and minimize the risk of a cybersecurity attack. These objectives place two particular demands on organizations: to appoint a suitable official to head up their information security operations, a CISO; and to ensure that the executive and board are appropriately informed of the organization's security status. In exploring the challenges that confront organizations in selecting a CISO, we drew on data from the U.S., Canada, and New Zealand. Two main issues were addressed. First, the organization has to be very clear on what it wants in terms of the job the CISO is expected to perform and the corresponding attributes that such an incumbent would need to possess. The CISO is a senior-level executive and rather than being a specialized technical expert, the CISO should be an excellent communicator. This will help address the second issue, which is how effectively the CISO can communicate with the board. Some suggestions are provided that serve to aid both effectiveness and efficiency. However, organizations need to embrace their concern about cybersecurity and build it into their selection criteria for board members.

4.
ABSTRACT

A new way of thinking about cybersecurity is much needed to deal with the complex and dynamic cyber-ecosystem. In this paper, we introduce a systems thinking based approach for solving problems related to cybersecurity. We adapt the powerful safety-hazard analysis method, Systems Theoretic Process Analysis (STPA) based on systems theory to analyze the cybersecurity related features of India’s massive digital identity program, Aadhaar. Our findings produce important insights. On one hand, it helps identify the security gaps of the Aadhaar system, and on the other hand, it provides controls using systems thinking to overcome these gaps. We contribute to understanding the world of cybersecurity practices and develop risk mitigation strategies that can benefit the Aadhaar.

5.
《Business Horizons》2019,62(4):539-548
The U.S. healthcare sector is inadequately prepared to deal with the reality of cyber threats. The increasing use of smart medical equipment and mobile devices is making healthcare organizations more susceptible to ransomware and other types of malware. The size and complexity of operations, coupled with the presence of numerous legacy and incompatible systems, make it difficult to implement effective cybersecurity measures. The daunting nature of the problem often results in an if-it-ain’t-broke-don’t-fix-it stance among senior healthcare leaders. The preponderance of healthcare-related laws, compliance regulations, and security guidance frameworks serve to complicate the cybersecurity challenge further and too often results in senior leadership assuming a state of blissful ignorance. This study sheds light on the key factors contributing to the chaotic state of affairs and presents a roadmap to a more deliberate and proactive approach to cybersecurity risk management.

6.
Although cybersecurity is important for any organization, firms have little understanding of the ramifications of perceived cybersecurity risk and how marketers can avert its negative marketing outcomes. The inability of firms to prevent massive data breaches in the recent past has heightened cybersecurity risk perceptions of customers and cybersecurity-related marketing challenges and opportunities. This study links cybersecurity risk with firm risk through firm reputation by developing a conceptual framework grounded in perceived risk theory in conjunction with dynamic capabilities and social network theoretical perspectives. Our findings show that social media marketing capabilities enable firms in mitigating the adverse impact of cybersecurity risk in declining firm reputation and value. Thus, this study provides significant implications for marketing theory and practice.

7.
The continued use of information technology systems by small and medium enterprises (SMEs) in developing countries has the potential to bring significant benefits but, at the same time, expose them to online cybersecurity threats. Addressing these threats is, therefore, of paramount importance for developing countries, not only because SMEs are seen as the vehicle for employment and job creation, but because research on SMEs and cybersecurity in this context is limited. This study is a contribution toward addressing this gap.

The purpose of this study is, therefore, to explore SME cybersecurity practices and the challenges they face in developing countries. The goal is to sensitize practitioners and government institutions about the challenges and practices faced by SMEs, so that the various parties can work collaboratively in providing context-specific solutions to address these challenges and improve current cybersecurity practices. The study follows a qualitative enquiry approach to solicit information from three South African SMEs that had implemented cybersecurity practices. The findings show that an SME’s perception of cybersecurity is constrained by internal factors of budget, management support, and attitudes. Further findings show that SMEs’ cybersecurity practices are affected by the landscape of cybersecurity, as well as institutional pressures.


8.
《Business Horizons》2021,64(5):659-671
As organizations accelerate digital transformation with mobile devices, cloud services, social media, and Internet of Things services, cybersecurity has become a key priority in enterprise risk management. While improving cybersecurity leads to higher levels of customer trust and increased revenue opportunities, rapidly evolving data protection and privacy regulations have complicated cybersecurity management. Against the backdrop of rapidly rising cyberbreaches and the emergence of novel cybersecurity technologies such as machine learning and artificial intelligence, this article introduces a cyber risk management framework, discusses a cyber risk assessment process, and illustrates a continuous improvement of cybersecurity performance and cyberinvestment cost analysis with a real-world cybersecurity example.

9.
The Consumer Data Protection Act, a new bill introduced by Senator Ron Wyden, is proposing “jail time of up to 20 years for executives who knowingly sign off on incorrect or inaccurate annual certifications of their companies’ data-security practices.” The bill also recommends that companies be fined “up to 4 percent of their annual revenue.” While the critics consider the penalties too harsh and severe, the proposed legislation reflects two key realities – a) active involvement and commitment of senior management is essential to achieving a high level of cybersecurity preparedness; and b) legislation and fear of severe penalties (such as Sarbanes-Oxley Act of 2002 and European Union’s General Data Protection Regulation) is often necessary to motivate desired organizational behavior. In an increasingly digital ecosystem characterized by high levels of electronic connectivity, vulnerability to cyberattacks is growing. Organizations are in a perpetual state of breach with rapidly expanding attack surfaces and evolving threat vectors. Protecting confidential data and related digital assets is becoming critical to survival and success. Senior management must come to terms with this new business reality and give strategic priority to cybersecurity preparedness and investments. Research finds active involvement of top management in cyber risk mitigation initiatives to be a critical success factor and best practice. The onus is also on senior management to create a high-performance security culture founded on three key cornerstones – commitment, preparedness, and discipline. They also must lead the charge in establishing a cybersecurity governance structure characterized by joint ownership, responsibility, and accountability.

10.
《Business Horizons》2020,63(4):531-540
Small and medium-sized enterprises (SMEs) are among the least mature and most vulnerable in terms of their cybersecurity risk and resilience. In this article, we describe a methodology developed using the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) as a starting point. The NIST CSF does not meet all the needs of the SME IT leader, but it offers a solid foundation for a useful evaluation and recommendation methodology. We propose an SME cybersecurity evaluation tool (CET) that consists of a 35-question online survey to be completed by IT leaders to self-rate their maturity within the five NIST framework categories: identify, protect, detect, respond, and recover. We outline this approach to cybersecurity risk management before discussing its effectiveness and implications for practitioners.

11.
《Business Horizons》2021,64(6):729-734
Cybercrime and cybersecurity are like two sides of the same coin: They are opposites but cannot exist without each other. Their mutual relation generates a myriad of ethical issues, ranging from minor to vital. The rapid development of technology will surely involve even more ethical concerns, like the infamous example of a fitness tracking company allegedly paying $10 million worth of ransom. Every cybersecurity solution, tool, or practice has to be ethical by design if it is to protect people and their rights. To identify the ethical issues that cybersecurity/cybercrime might bring about in the future, we conducted the first broad and comprehensive horizon-scanning study since the COVID-19 pandemic arose. As we began this project, nobody had the slightest idea that the coming months would bring the COVID-19 pandemic, and that the reality we had known was about to change dramatically. As it soon became apparent, the deadly coronavirus brought completely new cybersecurity/cybercrime ethical dilemmas to light, and some of the ones known before were transformed or shifted. This article presents the results of our horizon-scanning study concerning the ethical dilemmas that emerged amid the COVID-19 pandemic.

12.
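Based on an analysis of how biofuel development affects China's food security risk, this paper proposes fiscal cost optimization measures to reduce that risk. The study finds that the price transmission link between grain and energy caused by biofuel development intensifies fluctuations in grain prices and output, and may increase food security risk. However, the development of domestic biofuels is conducive to optimizing the structure and efficiency of grain production, and may also become a stabilizing factor for food security. Therefore, by developing biofuels in moderation, China can promote the optimization of the fiscal cost of food security, improve the efficiency of the grain market and of grain production, and effectively reduce food security risk.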

13.
《Business Horizons》2016,59(5):539-548
Rarely does a day seem to go by without another front page story about a firm being breached by cyber-attackers. Even experts in the field are far from immune from the unsustainable status quo. For example, Jim Lewis of the Center for Strategic and International Studies has said: “We have a faith-based approach [to cybersecurity], in that we pray every night nothing bad will happen.” This is a difficult starting point to consider an appropriate end game. Still, it is something that firms must do since infinite investment cannot breed infinite security. This article takes lessons from the burgeoning field of cyber peace studies and applies them to private sector cyber risk mitigation strategies. With members of the C-suite on down to mailroom clerks worrying about the next attack and looking over their shoulder after a breach occurs, who wouldn’t welcome some peace of mind?

14.
刘浩华  陆慧 《财贸研究》2005,16(5):82-87
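With the globalization and integration of the world economy, the environment in which enterprises operate has become more uncertain, so that supply chains face more and more security risks in the course of their operation. Especially since the "9.11" events, terrorists' exploitation and disruption of global supply chains has become a new threat. This paper analyzes supply chain security risks and their causes and consequences, and proposes countermeasures for preventing them, with the aim of avoiding risks and reducing the losses they cause.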

15.
16.
王丹  李海婴 《商业研究》2005,(19):128-131
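The securities market is one of the most attractive areas of the economy, but alongside its rapid development there are also considerable risks. Once risks are not effectively controlled, they can easily set off a chain reaction, triggering an overall, systemic financial crisis that spreads to the whole of economic life and may even lead to disorder in the economy and political crisis. How to strengthen supervision and control risk is therefore of great theoretical and practical significance. Starting from the perspective of the securities regulatory system, and on the basis of a comparison of the three main securities regulatory systems in the world, the paper analyzes the evolution of China's securities regulatory system.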

17.
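The rapid development of wireless networks has made the evaluation of WLAN security risk increasingly important. This paper analyzes the security risk factors facing wireless LANs and constructs a WLAN security risk evaluation model. According to the differences among the security risks present in a WLAN, the model uses an information entropy algorithm and an algorithm combining information entropy with fuzzy comprehensive evaluation, respectively, to obtain the overall security risk status of the WLAN. Simulation results from a worked example show that the risk analysis algorithm proposed by the model can reflect the WLAN security risk status fairly objectively and impartially.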

18.
徐耀群  刘岩 《商业研究》2005,(14):79-81
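The emergence of online banking has brought profound changes to human society, and it has also brought many new problems. As the online banking industry develops, online information security risks follow, such as technology and product selection risk, system security risk, and technical support risk. Controlling and guarding against these risks must proceed from two aspects: overall management of the industry and the specific technical security of the enterprise.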

19.
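As the scale of China's social security funds expands, the moral hazard problems in their operation have become increasingly prominent, mainly in the form of a growing number of cases of government diversion and misappropriation, irregular operations by social security agencies, and fraudulent claiming of social security funds. To effectively guard against moral hazard in the operation of social security funds, the construction of an efficient risk-countering system, with self-governance at its core, supervision as the constraint, and the legal system as the guarantee, should be accelerated, so as to curb the emergence and spread of moral hazard in the operation of social security funds.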

20.
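China is in a period in which risks of all kinds occur frequently; their impact on social security keeps deepening, and the difficulty of government social security administration keeps growing. Instilling risk awareness, a sense of crisis, and awareness of sustainable development into the routine management of social security, and establishing core values for the management of social security fiscal crises, is the necessary path to leading social security administration toward rationality and a scientific footing. Taking China's national conditions as the research background, the paper discusses the functions of social security and the role of government in responding to various socio-economic risks and natural disasters, and, with long-term development in mind, studies the strategic development model of social security, in order to promote the healthy development of social security.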
