Rees, L. P., Deane, J. K., Rakes, T. R., &Baker, W. H. (2011). Decision support for Cybersecurity risk planning. Decision Support Systems, 51(3), 493-505. doi:10.1016/j.dss.2011.02.013 [full text in ScienceDirect database]
“Security countermeasures help ensure the confidentiality, availability, and integrity of information systems by preventing or mitigating asset losses from Cybersecurity attacks. Due to uncertainty, the financial impact of threats attacking assets is often difficult to measure quantitatively, and thus it is difficult to prescribe which countermeasures to employ. In this research, we describe a decision support system for calculating the uncertain risk faced by an organization under cyber attack as a function of uncertain threat rates, countermeasure costs, and impacts on its assets. The system uses a genetic algorithm to search for the best combination of countermeasures, allowing the user to determine the preferred tradeoff between the cost of the portfolio and resulting risk. Data collected from manufacturing firms provide an example of results under realistic input conditions.”
United States. Department of Commerce. Internet Policy Task Force. (2011, June). Cybersecurity, innovation and Internet economy. Retrieved from
http://www.nist.gov/itl/upload/Cybersecurity_Green-Paper_FinalVersion.pdf
“The following report – or green paper – recommends consideration of a new framework for addressing internet security issues for companies outside the orbit of critical infrastructure or key resources. While securing energy, financial, health and other resources remain vital, the future of the innovation and the economy will depend on the success of Internet companies and ensuring that these companies are trusted and secure is essential. This is the area of our focus.”
United States. Department of Commerce. National Institute of Standards and Technology. (2011, July). Security and privacy controls for federal information systems and organizations: Draft Appendix J (Special Publication 800-53). Retrieved from http://csrc.nist.gov/publications/drafts/800-53-Appdendix-J/IPDraft_800-53-privacy-appendix-J.pdf
“The National Institute of Standards and Technology (NIST) announces the initial public draft of Special Publication 800-53, Appendix J, Privacy Control Catalog. With the increasing dependency on information systems, dramatic advances in information technologies, and significant growth in new applications of those technologies in such areas as cloud computing, smart grid, and mobile computing, information security and privacy are taking on new levels of importance in the public and private sectors. Privacy, with respect to personally identifiable information, is a core value that can be achieved only with appropriate legislation, policies, and associated controls to ensure compliance with requirements….Appendix J, Privacy Control Catalog, is a new addition to NIST’s family of standards and guidelines that will be incorporated into the 2011 update to Special Publication 800-53, Revision 4, projected for release in December 2011. Due to the importance and special nature of the material in this Appendix, it is being publicly vetted separately from the other changes to the publication which will be released later this year. The objectives of the Privacy Appendix are fourfold:
• Provide a structured set of privacy controls, based on international standards and best practices, that help organizations enforce requirements deriving from federal privacy legislation, policies, regulations, directives, standards, and guidance;
• Establish a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements which may overlap in concept and in implementation within federal information systems, programs, and organizations;
• Demonstrate the applicability of the NIST Risk Management Framework in the selection, implementation, assessment, and monitoring of privacy controls deployed in federal information systems, programs, and organizations; and
• Promote closer cooperation between privacy and security officials within the federal government to help achieve the objectives of senior leaders/executives in enforcing the requirements in federal privacy legislation, policies, regulations, directives, standards, and guidance.
The public comment period for NIST Special Publication 800-53, Appendix J, is July 19 through September 2, 2011.Please send comments to sec-cert@nist.gov.”
United States. Department of Defense. (2011, July). Department of Defense strategy for operating in cyberspace. Retrieved from http://www.defense.gov/news/d20110714cyber.pdf
“The Department and the nation have vulnerabilities in cyberspace. Our reliance on cyberspace stands in stark contrast to the inadequacy of our cybersecurity – the security of the technologies that we use each day. Moreover, the continuing growth of networked systems, devices, and platforms means that cyberspace is embedded into an increasing number of capabilities upon which DoD relies to complete its mission. Today, many foreign nations are working to exploit DoD unclassified and classified networks, and some foreign intelligence organizations have already acquired the capacity to disrupt elements of DoD’s information infrastructure. Moreover, non-state actors increasingly threaten to penetrate and disrupt DoD networks and systems. We recognize that there may be malicious activities on DoD networks and systems that we have not yet detected.”
