If a third-order theme network were to have a graph density of 0, each of the definitions could contain a single third-order theme that was unique to each definition, that is, no shared understanding. The percentage of interview participants' definitions that contained each vocabulary term was calculated for cyber security (N = 25) and cyber security risk (N = 27) and compared against the frequency of occurrence (represented as a percentage; N = 9) calculated by Oltramari and Kott (2018). 6 and sector-parsed: Figs. If a third-order theme network were to have a graph density of 1, all of the definitions would have contained all of the identified third-order themes. In effect, the result is a notional definition that is grounded in objectivity (e.g., an intrusion-detection system) versus supposition (e.g., the intentions of a hacker). The Stemmed Vocabulary Terms Are the Stem (i.e., Base) Form of the Word without Any Adjective. We also wish to thank the participants in the multidisciplinary group for their informed engagement. Boulder, CO: Lynne Rienner Publishers. However, the definition's focus on "human intentional actions" was viewed as being overly restrictive. To expand the discussion and create additional scholarly dialogue, we posited an original "seed" definition for discussion and further refinement during two three-hour engagements with a multidisciplinary group of cybersecurity practitioners, academics, industry experts from the VENUS Cybersecurity Institute, and graduate students in the Technology Innovation Management (TIM) program at Carleton University in Ottawa, Canada. Third-order themes from responses to "What is your definition of cyber security risk?". Network analysis and visualization examines the relationship (e.g., coexistence) between entities (e.g., interviewees' definition themes). Overview of Cybersecurity.
A number of terms used in ontologies to describe cyber security risk were not included in the definitions of cyber security and cyber security risk generated during the expert elicitation (Table VI); however, both groups focused on attack as a key term. (2006). Also, the number of edges in the academic cyber security risk network is 68, which is nearly twice that of the ARL cyber security risk network with 35 edges. The results of the expert elicitation were analyzed using data-driven thematic analysis and content analysis, and the results were compared to current national and international standards and best practices. 9) visualizes the cross-tabulation of interviewees per discipline per cyber security (left) and cyber security risk (right) third-order theme. Framework for improving critical infrastructure cybersecurity, Expert knowledge elicitation: Subjective but scientific, Towards a reconceptualisation of cyber risk: An empirical and ontological study. The more inclusive, unifying definition presented in this article aims to facilitate interdisciplinary approaches to cybersecurity. She has served as Parliamentary Advisor to Members of Parliament and held an Order-in-Council appointment to the Province of Ontario's Advocacy Commission. She is also an adjunct faculty member in the Department of Computer Science and Engineering at North Carolina State University in the United States. The two entries for interviewee B illustrate how multiple codes and themes can be identified in a single definition. This article examines the definitions of cyber security and cyber security risk, as defined by principal investigators, researchers, and practitioners who are a part of the Army Research Laboratory funded Cyber Security Collaborative Research Alliance (CSec CRA).
5, themes A, C, and D are all green because they were expressed together in the same or multiple definitions, while B (purple) was only expressed with A in one definition, and E (gray) is an isolated node and represents a definition with one theme. Each discipline, each disciplinary language, has inherently unique biases and assumptions. The results of this analysis suggest ontology developers and cyber experts (researchers and practitioners) do not use the same terms to operationalize cyber security risk. 2, Table SVI), the interviewees' composite definition of cyber security risk. The fact of going on or being carried on, as an action or series of actions; progress, course. in (the) process of (doing something): in the course of; in the act of carrying out (a particular task, etc.). Eckmaier, R. The thematic butterfly diagrams (Figs. Supporting inclusiveness demonstrated through the relationship to the five dominant cybersecurity themes and mapping to previous definitions. (2015). The output of the thematic analysis was visualized using butterfly diagrams and network analysis. Second-order themes from responses to "What is your definition of cyber security risk?", Table SVI. However, when the expert elicitations were evaluated for the non-adjectival stem forms of the vocabulary term, the top terms for cyber security were network, attack (stemmed from cyber attack), and identi (stemmed from risk identification); the top terms for cyber security risk were risk, attack (stemmed from cyber attack), and vulnerab (stemmed from cyber vulnerability) (Table V). The content analysis comparison determines whether the expert elicitation participants used the same language as cyber ontology developers when defining cyber security and cyber security risk. Stolfo, S. Oxford Online Dictionary. Cybersecurity is the state in which power over the execution of computers (sensu lato) and over information in the control of computers is where it should be. Stallard, K.
Despite the aforementioned challenges of qualitative data and thematic analysis, the present research is the first known effort to determine a cross-disciplinary working definition of cyber security and cyber security risk. The absence of a concise, broadly acceptable definition that captures the multidimensionality of cybersecurity potentially impedes technological and scientific advances by reinforcing the predominantly technical view of cybersecurity while separating disciplines that should be acting in concert to resolve complex cybersecurity challenges. A review of cyber security risk assessment methods for SCADA systems. Publicly traded securities are listed on stock exchanges. An abbreviation for the organization and combination of resources, processes, and structures. The outermost themes (far left for ARL and far right for academia) are first-order themes. The author's perception of national security is in a subjective mode as an evolutionary concept that has time to shape into an objective of national governance in The potential benefits associated with standardizing terminology (in this case cyber-related vocabulary) include effective laws and policies; repeatable, mutually intelligible, comparable, and interdisciplinary research; and improved data management that facilitates searchability and usability of cyber-related research (Ramirez, 2017). It has become increasingly apparent that cybersecurity is interdisciplinary. Our engagement with the multidisciplinary group primarily consisted of providing selected readings from the literature, an initial presentation and discussion of our own work to date, followed by a syndicate activity related to distinguishing aspects and defining cybersecurity. 2014. The author evaluates the claims of rival theories: realism, neorealism, liberal institutionalism, classical economic. Security is a complex and contested notion heavily laden with emotion and deeply held values.
The themes identified and refined from the academic expert elicitations suggest defenders are able to mitigate risks associated with system functionality; the themes derived from the ARL expert elicitations suggest cyber security is dependent on the human factor as an attacker, but the defender is not specifically addressed as a risk mitigator. Disagreements based on undefined and unspoken vocabulary meanings can result from otherwise unclarified underlying disciplinary assumptions. Therefore, a more state-of-the-art definition would expand security objectives beyond CIA to include time control. D. Nicholson. Characterizing and measuring maliciousness for cybersecurity risk assessment, Li, X. The results of the refined thematic butterfly diagrams are useful in distilling and relating commonly held perceptions of cyber security and cyber security risk across diverse issues and stakeholder groups. The content analysis compared the cyber security and cyber security risk terms used by CSec CRA expert elicitation participants (from this study) versus the cyber security and cyber security risk terms used in cyber ontologies (Oltramari & Kott, 2018). So, in addition to the critical traditional fields of computer science, electrical engineering, and mathematics, perspectives from other fields are needed. This shift in the field has left several of the classic texts with a strongly dated feel. The 80 first-order themes were refined into 36 second-order themes, which were further refined into 26 third-order themes (Fig. The terms/concepts that appear in cyber security risk ontologies but were not found in the expert elicitation are listed in Table VI. Fewer themes were identified within any given ARL definition as compared to the multiple themes identified within a majority of the academic definitions.
Cybersecurity is a collection of interacting processes intended to protect cyberspace and cyberspace-enabled systems (collectively, resources) from intentional actions designed to misalign actual resource property rights from the resource owner's perceived property rights. Fig. In this article, we propose a resulting new definition: "Cybersecurity is the organization and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights." INTRODUCTION The newly emerging situation in Eu While each state has its own securities laws and regulations, there are differences in those regulations, and some states are more aggressive than others in enforcement. 2009. European options can be exercised any time before the expiration date of the option, but only on the expiration date or the exercise date. 7 and 8) have one main cohesive network structure (i.e., component), with the exception of two isolated nodes in the ARL cyber security risk network (Fig. Consider a spherical cow: A course in environmental problem solving. The thematic analysis suggests that although both ARL and academia experts consider the scope and context of cyber security risk, they approach cyber security risk in a different manner. Often used before another noun. Braun, V. Researchers have also investigated the process of identifying specific risks for various systems. (Eds.), Quigley, K. Cybersecurity. Organization and user's assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Liberation vs. Control: The Future of Cyberspace. MW, 2020: Merriam-Webster Dictionary; FISMA: United States Federal Information Security Modernization Act of 2014 (U.S.
Congress); ISO, 2012: International Organization for Standardization; ITU: International Telecommunication Union, 2008, 2011; NICCS, 2020: National Initiative for Cybersecurity Careers and Studies; NIST, 2018: United States National Institute of Standards and Technology; CNSS, 2015: United States Committee on National Security Systems; WEF, 2012: World Economic Forum. Other top terms used by ontology developers to describe cyber security risk include vulnerability and target. Other top terms used by expert elicitation interviewees include network and threat. The results from the final analysis indicate that there is reason to believe that experts in different disciplines and sectors, each working in some aspect of cyber security, focus on different aspects of the complex cyber risk universe or use different terms to describe similar concepts (Stemler, 2001). The definition is important, because if the instrument is a security, then the federal and state securities laws apply to the purchase and sale of that instrument. Blumenthal-Barby, J. S. For this comparison, the interview participants were not separated into ARL and academia subgroups. (2016). Fair, J. M. (Ed.). Hybrid securities, as the name suggests, combine some of the characteristics of both debt and equity securities. Cherdantseva, Y. Friedman, A. In order to communicate in a true cross-disciplinary way, the team members have to get out of their own heads and away from their hard-built disciplinary heuristics (cf. This analysis helps to demonstrate that our new definition is inclusive of key components from a sample of extant and participant definitions. Developing Expertise for Network Intrusion Detection. Information Technology & People, 22(2): 92-108. http://dx.doi.org/10.1108/09593840910962186, ITU.
The data-driven method of thematic analysis draws on the practice of developing theory from trends arising from the data via systematic investigation, while the theory-driven method examines the data for predetermined trends or theories (Clarke & Braun, 2014). We must insure our national security. Probability of outcomes is the most influential node in the cyber security risk ARL network with nine connections. The latter includes cyber-physical systems and control systems. Information technology Security techniques Guidelines for cybersecurity: 4 terms and definitions. Purse, R. Eighty-two first-order cyber security themes were identified across the 25 cyber security definitions provided by the CSec CRA expert elicitation participants. Cognitive biases also create ineffective risk communication. The edge color denotes the interviewee's sector, Academia (gold; left network) and U.S. Army Research Laboratory (ARL; blue, right network). (2008). Examples of cybersecurity definitions and related analysis of the proposed definition, Analysis (Key Terms Corresponding Terms in Proposed Definition), "The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this." His research interests include the human dimensions of security and collective and transformative learning in the workplace. Cyber Risk Vocabulary Terms and Concepts from Semantic Analysis of Ontologies (Oltramari & Kott, 2018) Not Used by Expert Elicitation Participants to Define Cyber Security or Cyber Security Risk. The first-order themes were then compared to the interviewees' original definition answers to ensure the theme was representative of the response. O'Rourke et al., 2013). De Maeyer, P. Sha, Y. establish a state of security (as a positive act). Dan Craigen is a Science Advisor at the Communications Security Establishment in Canada.
The theme refining process in thematic analysis is visualized in the thematic butterfly diagrams below (Figs. The price is set by the market at the time the option is written. Thematic map of first-, second-, and third-order themes from thematic analysis of the answers to "What is your definition of cyber security risk?" Green themes were expressed by both sectors (U.S. Army Research Laboratory [ARL] and academia), blue themes were expressed by only one sector, and yellow themes represent differing first- or second-order themes that consolidate into the same second- and third-order themes, respectively. Three syndicates were formed from the group and they were asked to develop their own definitions. (2018). The thickness of the edge connecting a representative discipline and third-order theme is proportional to the number of interviewees from the discipline whose definitions contain the connected theme. While similarities can be drawn between the composite definitions above and the National Initiative for Cybersecurity Careers and Studies definitions (DHS, 2020) for cyber security and risk, visual analysis of the thematic maps (see Figs. Gigerenzer, G. This definitional process included: a review of the literature, the identification of dominant themes and distinguishing aspects, and the development of a working definition. Nadia Diakun-Thibault is Senior Science and Analytics Advisor at the Communications Security Establishment in Canada. This article addresses the challenges of cybersecurity and ultimately the provision of a stable and resilient information-technology infrastructure for Canada and, more broadly, the world. Her research interests include neurophilosophy, semiotics, linguistics, and public policy. The most influential node is the node connected to the most nodes, that is, the third-order theme that was identified within the most definitions and definitions from which more than one third-order theme was identified.
Several cyber risk vocabulary terms and concepts were modified by the adjectives cyber or risk and consequently, the full term, for example cyber attack, rarely, if ever, appeared in the expert elicitations. Impacts of CIA vulnerabilities is the most influential node in the cyber security risk corpus and academia network with 28 and 23 connections, respectively. The third-order themes used to build the composite definitions of cyber security (CS) and cyber security risk (CSR) were compared against a selection of national and international standards and best practices (Table VII). Interpreting sector-based networks: The nodes (i.e., circles) are the representative third-order themes derived from interviewees' respective definitions, and the size of the node corresponds to the number of degrees (i.e., connections) to other nodes. Heard, N. A. Network analysis was used to understand the relationship between the identified themes and across the two sectors (e.g., academia and government-military) and the interviewee disciplines. Bashroush, R. O'Neill School of Public and Environmental Affairs. The various definitions of cyber security and the lack of explicit definitions of cyber security risk demonstrate that these key terms are not standardized, although two research teams have recently presented integrated definitions (Craigen et al., 2014; Ramirez & Choucri, 2016). Buzan, B., Wæver, O., & De Wilde, J. Thematic analysis is qualitative and vulnerable to analyst subjectivity (Usher & Strachan. Minimum and Maximum Number of Degrees, with Respective Node (i.e., Third-Order Theme) for Each Parent Network and Parsed Sector Networks. For example, the new definition and associated perspectives could lead to changes in public policy and inform legislative actions. Network analysis was performed to understand the relationships between the definition-derived third-order themes analyzed by interviewee sector and discipline. (2013).
The study consisted of a rhetorical analysis on 10 writing samples to determine how cyber security-related topics are portrayed by management gurus, which consisted of journalists as well as professionals in academia and consulting fields. The Cyber Security Expert Elicitation (CS EE; N = 25) and Cyber Security Risk Expert Elicitation (CSR EE; N = 27) Columns Are the Percentage of Experts Who Used the Term Within Their Definition of Cyber Security and Cyber Security Risk, Respectively. (2013). Burns, C. However, human factors contribute to many cyber risks via the creation and deployment of malicious-acting software, increased attacker use of social engineering, and the lack of protective behaviors, such as password encryption or the use of antivirus software. Baldwin, D. A. The number of edges in the academic cyber security network is 94, more than twice that of the ARL cyber security network with 42 edges. Isolated nodes represent definitions that contained one third-order theme that was not identified in any other interviewee definition. Humans play a role in the creation, exacerbation, propagation, and mitigation of cyber security risk as users, defenders, and attackers (Henshel, Cains, Hoffman, & Kelley, 2015; Henshel, Sample, Cains, & Hoffman, 2016; King et al., 2018). The gap analysis evaluated the use and definition, or lack thereof, of cyber security as defined by the Oxford dictionary, the Merriam-Webster dictionary, European Telecommunications Standards Institute (ETSI), ISO, ITU, NIST, North Atlantic Treaty Organization (NATO), and CNSS. To build the composite cyber security and cyber security risk definitions, the identified third-order themes were reexamined within the context of the interviewees' stated definitions from the interviews and the greater context of the CSec CRA mission.
As a response to international differences, the Russian-US bilateral working group of the EastWest Institute and Lomonosov Moscow State University created a terminology framework in which they defined cyber security as a property of cyber space that is an ability to resist intentional and unintentional threats and respond and recover (ISI, 2014). (2014). It is also a field that has changed in the last decade from a largely theory-based discipline to an experience-based discipline. ), Risk as an interdisciplinary research area, http://creativecommons.org/licenses/by-nc-nd/4.0/, ITU: International Telecommunication Union, 2008, https://www.aaai.org/ocs/index.php/ICWSM/09/paper/view/154/1009, https://github.com/gephi/gephi/wiki/Graph-Density, https://ieeexplore.ieee.org/document/6107876, https://www.enisa.europa.eu/publications/definition-of-cybersecurity, https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=91013, https://rmf.org/wp-content/uploads/2017/10/CNSSI-4009.pdf, https://www.ibm.com/downloads/cas/ZBZLY7KL?_ga=2.147493559.1631301142.1592590885-1159380929.1592590885, https://www.files.ethz.ch/isn/178418/terminology2.pdf, https://www.iso.org/obp/ui/#iso:sTd:iSo-iec:27032:eD-1:v1:en, https://www.itu.int/rec/T-REC-X.1205-200804-I, https://www.itu.int/ITU-D/cyb/cybersecurity/docs/ITUNationalCybersecurityStrategyGuide.pdf, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5807417/#B26, https://www.merriam-webster.com/dictionary/cybersecurity, https://www.aaai.org/ocs/index.php/SSS/SSS15/paper/view/10248/10054, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf, http://ceur-ws.org/Vol-1523/STIDS_2015_T04_Oltramari_etal.pdf, http://cip.management.dal.ca/wp-content/uploads/2013/04/Quigley-Burns-Stallard-Cyber-Security-Paper-Final-1.pdf, https://www.arl.army.mil/www/default.cfm?page=1417, https://www.congress.gov/113/plaws/publ283/PLAW113publ283.pdf,
https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf, http://www3.weforum.org/docs/WEF_IT_PartneringCyberResilience_Guidelines_2012.pdf, Security Monitoring and Intrusion Detection, "To me, it is the humans that are the biggest risk.", Uncertainties introduced by human factors, "humans will be hard such as insider threat.", "attackers don't follow rules in reality", "Risk in terms of machine may be easier to quantify.", machine risk is easier to quantify than human, Accurate intrusion detection; Comprehensive system awareness; Resource management; Systemic solutions, Goal dependent; Multiple realms of threats; Sociotechnical exploitation, Absolute and relative resource valuation; Scope of risk perception. Derivatives are complex products, and can in some instances have a high degree of risk. Hershey, PA: IGI Global. http://dx.doi.org/10.4018/978-1-4666-4707-7.ch003, Cavelty, M. D. 2008. (2014). Bastian, M. Grimm, N. B. Cyber-Terror: Looming Threat or Phantom Menace? This article aims to investigate the conceptual and scientific demarcation of security in contrast to safety, and discuss the status of security as an independent science. However, audio recording was not permitted in Army Research Laboratory buildings, so the interviews were transcribed in situ by the same scribe for all interviews. ITU national cybersecurity strategy guide. Table II presents verbatim excerpts from three interviewees (marked A, B, and C).
from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide: (A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; (B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; (C) availability, which means ensuring timely and reliable access to and use of information. The Framing of the US Cyber-Threat Debate. Journal of Information Technology & Politics, 4(1): 19-36. http://dx.doi.org/10.1300/J516v04n01_03. October 1, 2014: http://www.oxforddictionaries.com/definition/english/Cybersecurity. The 82 first-order themes were refined into 33 second-order themes, which were further refined into 19 third-order themes (Fig. Cognitive biases can be exacerbated in multidisciplinary work as different disciplines have different approaches to risk management (Zinn, 2006). A new, condensed delineation of contemporary security is presented by the author. While some researchers have investigated trends within the current definitions and uses of risk within cyber security, few have presented formalized definitions of cyber security risk. It is an inwardly looking definition, providing a shell of protection around information assets, but does not include reference to attackers or any form of malware or bad actors, human or not. Charles Leslie Stevenson (1908–1979), analytic philosopher. Technological, sociological, and organizational challenges associated with risk communication are due to the unfamiliar nature and severity of crises (Kellens, Terpstra, & De Maeyer, 2012; Slovic, Fischhoff, & Lichtenstein, 1982) and the lack of established, mutually agreed upon terms, which diminishes the ability for information to be efficiently and effectively disseminated (Manoj & Baker, 2007).
Exercising the option means utilizing the right to buy or sell the underlying security. The researchers then coded the responses to the definition questions to identify the core concepts of each answer (e.g., Table II: Code column). Oxford: Oxford University Press. 5: BACDA). The thematic butterfly diagrams below provide a comparison of the first-, second-, and third-order cyber security and cyber security risk themes identified from interviews across the disciplines of ARL practice and academic research. C. Wang. 1; Tables SI–SIII). Furthermore, three of the dominant themes (technological solutions; strategies, processes, and methods; and human engagement) are all refinements of the "organization and collection of resources, processes, and structures used to protect" component of our definition. The NICCS cyber security definition was the most complete definition of the nine definitions analyzed. New York: Oxford University Press. An isolated node has no connections to another node, versus a network component that is connected by at least one path of edges (e.g., Fig. At the start of the interview, the interviewer described the need for the interview and how it fit into the overall risk assessment process. 2023 ISSN: 1927-0321. Jones, K. Image best viewed in color and enlarged via online journal. ARL [Army Research Laboratory] envisions the alliance bringing together government, industry and academia through this basic research program to develop and advance the state of the art of Cyber Security. Content Analysis of Expert Elicitation for Cyber Risk Vocabulary Without Adjectives and Using Stem Form of Vocabulary Terms. McPhillips et al. We deconstruct this definition as follows: As discussed earlier, our definition should engender greater interdisciplinary and collaborative efforts on cybersecurity.
Cyber experts from different sectors across multiple disciplines and research areas were asked via expert elicitation to define cyber security and cyber security risk. (2015). Ramirez and Choucri (2016) argue that a standardized cyber security vocabulary starts with increased research efforts focusing on identifying trends in terminology standards. Tangible and intangible assets [firms] use to conceive of and implement [their] strategies (Kozlenkova et al., 2013). In our literature review, we identified five dominant themes of cybersecurity: i) technological solutions; ii) events; iii) strategies, processes, and methods; iv) human engagement; and v) referent objects (of security). For example, Public Safety Canada (2010) defines cyberspace as the electronic world created by interconnected networks of information technology and the information on those networks. The sector-based network analysis resulted in two undirected parent networks, one for cyber security third-order themes and one for cyber security risk third-order themes (see Fig. (2014). The Degree Is the Number of Edges (i.e., Connections) Connecting to Other Nodes. The graph density of the cyber security sector-parsed network is 0.4 for ARL and 0.614 for academia; the cyber security risk sector-parsed network is 0.435 for ARL and 0.294 for academia. Third-order themes from responses to "What is your definition of cyber security?", Table SIV. Of the 45 cyber risk vocabulary terms and concepts identified by Oltramari and Kott, only 19 terms/concepts were used during the expert elicitation to define cyber security and cyber security risk.