Preparing for Cyber Threats with Information Security Policies

Ilona Ilvonen (Tampere University of Technology, Tampere, Finland) and Pasi Virtanen (Tampere University of Technology, Tampere, Finland)
Copyright: © 2013 | Pages: 10
DOI: 10.4018/ijcwt.2013100103

Abstract

Contemporary organisations in any industry are increasingly dependent on information systems. Today most organisations are online all the time, and their internal systems are used in environments that are already or easily connected to the internet. The paper analyses cyber threats and their potential effect on the operations of different organisations with the use of scenario analysis. The scenarios are built based on a literature review. One outcome of the analysis is that, to an organisation, it is irrelevant where a cyber threat originates and at whom it is targeted. Whether the threat is specifically targeted at the organisation or is collateral in nature is not important; preparing for the threat is important in both cases. The paper discusses the pressures that cyber threats place on information security policies, and what the role of the information security policy could be in preparing for the threats.
Article Preview

1. Introduction

Contemporary organisations in any industry are increasingly, and in most cases once and for all, dependent on information systems and the connections between them. This dependence holds true both intra- and inter-organisationally. The information systems in use may have legacy elements, sometimes even dating back to the time when an internet connection was not a common feature in organisations' repertoire. Today most organisations are online all the time, and their internal systems are used in environments that are already or easily connected to the internet. The internet population is currently estimated at over two billion individuals (James, 2012). The number of devices connected to the internet is approximated to grow fivefold by the end of the decade (Evans, 2012). Some of these users are there with no good intentions.

According to one definition, cyber threats are Internet-borne activities that may harm or have the potential to harm a computer or network and compromise the confidentiality, integrity, or availability of network data or systems (CCIP, 2013). In public, cyber threats are often discussed from the perspectives of national infrastructure and national safety. However, the operations of organisations do not always follow national borders, even though their organisational infrastructures are subject to one national infrastructure at a time. Organisations sometimes operate in a truly international or even global environment. Hence, the threats they face in their operations are not national; they are global. In the national cyber strategies, however, it seems that the operation of, for example, companies is assumed to abide by national boundaries.

Organisations should use internally confirmed information security policies and procedures as tools to manage their information security. The policies usually address multiple threats that the information of the organisation is facing. Most of the threats addressed are direct threats. However, it is important to understand the complex nature of the cyber dimension and not to be short-sighted in this regard. The problem is also to recognise the possible indirect, second-hand, and collateral effects and to prepare for them as well. “If it runs on computers and computer networks, it's a potential target” says the chairman of the U.S. government’s subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Patrick Meehan (2013). The paranoia-arousing question is: what does not run on computers? Organisations are increasingly reliant on computer systems for all their activities.

The purpose of this paper is to explore the cyber threats that businesses may face and how they can prepare for the risk in advance in their information security policies. The research question in this paper is ‘What challenges does the cyber dimension of threats present for organisations and their information security policies?’ The paper presents theoretical background on information security policies and the cyber threat phenomenon in section two. In section three the paper analyses the threats and their potential effect on the operations of organisations with the use of scenario analysis. In the last section the paper assesses the possibilities to take the cyber threats into account in information security policies.
