Introduction
The benefits of embedding Information and Communications Technologies (ICT), also known as “cyberspace”, into core business processes are well understood as a means to increase operational efficiency, improve decision quality, and reduce costs. As a consequence, cyber security continues to grow in importance within the military community as modern military operations have become more dependent upon ICT. Given the enormous challenges facing cyber security, it has been considered that a more focused problem is to secure computing resources in the context of the missions that they support rather than just treating them as a collection of disjoint, system-focused security objectives (Hale, 2010). Within the military community, there has been a disconnect between the personnel who are responsible for securing the ICT and the personnel who are responsible for performing mission activities (Grimaila, 2008). Personnel on the mission side of operations are rarely aware of how cyber resources contribute to the success of their mission activities, and people on the ICT side rarely understand which cyber resources support which missions or mission activities (Hale et al., 2010).
One of the fundamental goals of any organization is to assure the success of its mission objectives. Organizations typically address this risk through enterprise-wide risk management activities that focus on the explicit identification of risks so that control measures can be selected to mitigate mission risk to an acceptable level given budgetary constraints (ISO 31000, 2009; Whitman & Mattord, 2010). This type of focused planning is most successful in static business process environments, when all stakeholders participate, resources critical to the success of the organizational operations can be enumerated, and the projected scenarios are representative of the possible futures experienced by the organization. In contrast, military missions often involve dynamically changing, time-sensitive, complex, cooperative, and coordinated ventures between multiple organizations (e.g., units, services, agencies, coalition partners) that may not share a complete view of their role within the overall mission (Alberts & Hayes, 2006). Since each participating organizational unit is resourced and managed as a separate entity, the enterprise-wide approach to assuring the mission is significantly more complex.
Recently, there has been an intense focus on formalizing the concept of “Mission Assurance” (MA) within the United States (US) Department of Defense (DoD). Surprisingly, very little research has focused on the fundamental problem of how to describe and relate military mission requirements to cyber dependencies. Existing MA analyses rely on implicit assumptions that relate cyber and mission (i.e., it is usually safe to say that more resilient, less vulnerable cyber resources will tend to lead to more resilient mission systems). However, decision-quality MA analysis requires a more formal, explicit description of missions, systems, resources, and dependencies. In this paper, we examine the concept of Mission Assurance and present the challenges of attaining it in military environments.