A Framework for Cybersecurity Strategy Formation

A Framework for Cybersecurity Strategy Formation

Jim Q. Chen (DoD National Defense University, Washington, DC, USA)
Copyright: © 2014 |Pages: 10
DOI: 10.4018/ijcwt.2014070101
OnDemand PDF Download:
$30.00
List Price: $37.50

Abstract

A good cybersecurity strategy consists of the most effective and the most optimal course of actions available at the moment of operation in order to ensure the success of a cyber operation. How to form such a strategy is always a challenge. The current literature does not have much discussion about this topic. This paper intends to explore this process, which supports decision-makers in the cyber domain. It applies the Cybersecurity Formation Framework proposed in Chen and Duvall (2014), and shows how it can integrate varied actions into a systematic and consolidated course of actions to guarantee the success in a mission. This paper also suggests areas for future studies.
Article Preview

Introduction

Cyber is a new domain added into the list of the traditional four domains: land, sea, air, and space. Unlike the other four domains, the cyber domain was created by humans, not by nature. It is built on the information and communications technology (ICT). It is mainly used for computation and human communications. Various applications have been developed to support education, research, critical infrastructure, business, industry, agriculture, medical science, military operations, social activities, entertainment, and other fields of human society. From this perspective, cyber is an extension of human society. In this domain, there are two major components: (1) humans and (2) computer and telecommunications systems, including software and information on these systems. However, these two major components are not compatible with each other. Computer and telecommunications systems are not action-initiators as they perform actions based on instructions provided by humans. They are discrete in nature so that they are not good at dealing with anything ambiguous or fuzzy. However, humans are action-initiators as they provide computer and telecommunications systems with instructions. Humans are relative in nature as they always use heuristic approaches, or simply shortcuts and intuition. Hacking is an activity that is initiated by humans and that exploits and takes advantage of vulnerabilities in computer and telecommunications systems as well as software running on these systems. In a more complex environment, it also takes advantages of people, as evidenced by social engineering attacks.

Ideally, integrated solutions should exist that address both vulnerabilities in computing and telecommunications systems and vulnerabilities in humans at strategic, operational, and tactical levels. The reality is that although grand strategic plans and policies exist at high levels, such an integrated approach does not exist now.

Following Howard (1979), Hooker (2014) states that “grand strategy can be understood simply as the use of power to secure the state”. He further argues that “it exists at a level above particular strategies intended to secure particular ends and above the use of military power alone to achieve political objectives”, and it is reflected via “long-term state behavior as defined by enduring, core security interests and how the state secures and advances them over time”. From this perspective, it “shows great persistence over time”. Gray (2013) expresses the similar view in a discussion about the general theory of strategy by stating that strategy is “the permanent structure and functioning of the whole of its subject”.

Complete Article List

Search this Journal:
Reset
Open Access Articles: Forthcoming
Volume 7: 4 Issues (2017)
Volume 6: 4 Issues (2016)
Volume 5: 4 Issues (2015)
Volume 4: 4 Issues (2014)
Volume 3: 4 Issues (2013)
Volume 2: 4 Issues (2012)
Volume 1: 4 Issues (2011)
View Complete Journal Contents Listing