© The Author(s) 2019

Ganna Pogrebna and Mark SkiltonNavigating New Cyber Riskshttps://doi.org/10.1007/978-3-030-13527-0_11

11. The Next-Generation Cybersecurity

Ganna Pogrebna^{1, 2}   and Mark Skilton³  

(1)

University of Birmingham, Birmingham, UK

(2)

The Alan Turing Institute, London, UK

(3)

Warwick Business School, University of Warwick, Coventry, UK

 

 

Ganna Pogrebna (Corresponding author)

Email: g.pogrebna@bham.ac.uk

Email: gpogrebna@turing.ac.uk

 

Mark Skilton

Email: mark.skilton@wbs.ac.uk

Dealing with Uncertainty

Uncertainty is the most difficult problem when we think about cybersecurity of the future. The fact that we often do not have historical data about various types of threats, vulnerabilities, and risks puts us in a situation of having to design measures without knowing much about the type and nature of the cybersecurity risks we are facing. In many ways, considering the level of uncertainty, this situation is similar to the VIP security problem. Imagine that you are a celebrity or a VIP facing various risks, from being caught in an unguarded moment by the paparazzi to being assassinated. How can you deal with all these risks?

First of all, you understand that the risk of being photographed by the paparazzi is higher than, say, the risk of being shot. However, paparazzi are easier to deal with than assassins. To address the paparazzi problem, it is probably enough to build a high fence in front of your property and make your estate a no-flight zone to avoid being caught on camera from a helicopter or a drone. However, no matter how high your fence is, it is unlikely to stop a highly motivated assassin. So what do you do in this case? It is clear that no technical solution will help here. Therefore, you will seek a human-centered solution—i.e., you will recruit a security detail and train your staff to be on the lookout for strangers and things which seem out of the ordinary. There is, of course, no guarantee that an attempt on your life will be discouraged by these measures. However, a combination of fences, bodyguards, and trained staff is probably the best you can do to decrease the risk of assassination.

Likewise, cybersecurity of the future should combine technical and human solutions. Technological solutions will help your business in stopping highly probable but relatively minor threats, while humans will be able to tackle the more sophisticated and high-impact threats, which are not easily detectable by algorithms.

The Samurai Approach

It is believed that Alexander the Great once said: “Conquer your fear and you will conquer death”. By this he meant that if you are not afraid of a particular negative event or consequence, you will be more effective in avoiding it or in making sure that it does not happen to you. You may wonder how could this be done? In this regard, the Japanese culture offers us many useful references. Specifically, the code of samurai implies that the samurai is always prepared to die because he conquers his fear of death through training and, importantly, considers the consequences of his death prior to undertaking a risky activity. Notice, it does not mean that the samurai wants to die—on the contrary, life is very valuable to a samurai warrior. Yet, he understands that his life, as a life of any human being, is short and uncertain. It can end at any point in time. So, the important thing is to be prepared for death by considering it consequences. Many pragmatic VIPs and celebrities have put in place contingency plans for various types of unexpected risks by considering the consequences of adverse effects. They consider the consequences of the publication of compromising materials or photos, and, equally, think of what will happen to their family, business, or community if there is an unsuccessful or successful attempt on their life.

Similarly, in order to tackle cybersecurity risks, it is useful to apply the Samurai approach to risk assessment and think through all the possible (even catastrophic) consequences which may result from adversarial actions. If your business holds large amounts of customer personal data, what is the worst-case scenario of this data being stolen? It is important not to jump into the fatalist mode when conducting this exercise and stay pragmatic while considering such scenarios. For these purposes, business canvas methodology provides a good template. In practice, understanding how business canvas is related to cybersecurity issues is very important as it allows you to map how cybersecurity fits your business model, where it saves you money and where it generates revenue. One approach was proposed by Boris Taratine in 2015 [1]. Taratine proposed, that cybersecurity should not be considered as an organizational fixed cost, but needs to be understood within the context of the entire organizational operations. Extending this approach, we have overlaid cybersecurity risk considerations with a business canvas to create a tool which will provide you with a starting point for thinking about the various risks in cyberspace.

Our Cybersecurity Business Canvas Risk Assessment Tool is presented on Fig. 11.1. The tool outlines a set of questions which should be asked to understand how various cybersecurity issues affect your business model. Following the business canvas methodology, the questions are split into 11 major business model categories: Key Partners, Key Activities, Key Resources, Value Proposition, Customer Relationships (Distribution and Impact) Channels, Customer Segmentation, Cost Structure, Revenue Streams, as well as Reputational, Social, and Environmental Costs and Benefits.

Fig. 11.1

Cybersecurity business canvas risk assessment tool

Whereas our tool provides a nice starting point for risk assessment and allows you to map major cybersecurity risks important for your business model, it offers little guidance on what to do next. For this, the Cybersecurity Risk Navigation Matrix could be used.

Navigating New Cybersecurity Risks: Cost Versus Measures Considerations

As humans, we are constantly trying to decrease uncertainty [2–6]. However, it might not always be possible [5]. Under these circumstances, the following navigation matrix approach might be useful. The Cybersecurity Business Canvas approach (described above) will provide an organization with a list of possible risks so that, for each risk, you will be able to identify a potential threat as well as assess what amount of information you have about this threat. In other words, by using the Cybersecurity Business Canvas Risk Assessment Tool you will map a set of potential threats and you will have a good idea about the amount of data you have to diagnoze and approximate the risk for each of these threats. For example, for some potential threats (such as e.g., phishing) you might have a lot of data as your organization is likely to face phishing threats on a regular basis; whereas for other potential threats (such as zero-day) you will have no data at all. In general, all threats which your business might be facing could be roughly divided into four types (see Fig. 11.2).

Fig. 11.2

Cybersecurity risk navigation matrix

• Those of which you know and have data (Mitigation threats).

• Those of which you know and do not have data (State of Fear threats).

• Those of which you don’t know and have no data (Blissful Ignorance threats).

• Those of which you don’t know but have data (Under Your Nose threats).

Now all these threats relate to the corresponding risks, where: Mitigation threats relate to risks which you can manage using a set of traditional quantitative risk assessment and risk management tools; State of Fear threats refer to risks which you can insure against (i.e., you can purchase insurance if you know of those risks but it is hard or impossible to understand how big or grave those risks are); there is not much you can do about risks related to Blissful Ignorance threats apart from discovering them and, equally, about risks related to Under Your Nose threats apart from detecting them.

Nevertheless, the goal is to translate all types of risks into those which you can manage. This can be achieved in the following way. In order to turn Insurable risks into Manageable risks, you simply need to collect more data about them (via organizational communication or information sharing). Risks which are Discoverable need to be better understood to become Insurable and then translated into Manageable. Risks which are Detectable could be assessed using available data to become Manageable.

In order to decrease this underlying uncertainty about cybersecurity risks, planning, building, and managing techniques are useful. In what follows, we provide a set of principles which will help you navigate new cybersecurity risks through planning, building, and managing safe and secure digital spaces.

References

1. 1.
   Taratine, B. (2015). Cybersecurity and business canvas: How to put cybersecurity risk into business models. Limited audience talk materials.
2. 2.
   Loomes, G., & Pogrebna, G. (2017). Do preference reversals disappear when we allow for probabilistic choice? Management Science, 63(1), 166–184.Crossref
3. 3.
   Loomes, G., & Pogrebna, G. (2014). Testing for independence while allowing for probabilistic choice. Journal of Risk and Uncertainty, 49(3), 189–211.Crossref
4. 4.
   Loomes, G., & Pogrebna, G. (2014). Measuring individual risk attitudes when preferences are imprecise. Economic Journal, 124(576), 569–593.Crossref
5. 5.
   Blavatskyy, P., & Pogrebna, G. (2010). Models of stochastic choice and decision theories: Why both are important for analyzing decisions. Journal of Applied Econometrics, 25(6), 963–986.Crossref
6. 6.
   Li, Z., Loomes, G., & Pogrebna, G. (2017). Attitudes to uncertainty in a strategic setting. Economic Journal, 127(601), 809–826.Crossref