Cybersecurity As An Organizational Strategy An Ethical And Legal Perspective Research Paper

Cybersecurity as an Organizational Strategy: An Ethical and Legal Perspective

Cybersecurity as Organizational Strategy

Across the board -- in business, society, and government -- the promise of cyber capabilities is matched by potential peril. The cyber environment is never static, but it is perhaps most agile in response to the continual stream of emerging cyber threats and realized cyber attacks ("PCAST," 2007). Cybersecurity must be agile. The challenges that must be met in order to secure the cyber realm for all of its legitimate constituents are enormous. Cybersecurity issues are organic, adapting to an evolving environment with the sensitivity and responsiveness of an invading microorganism. Though not to abuse the parallel to medical science, the best defenses against invading cyber threats are information and preparation. As such, cybersecurity can be characterized as technology plus network security plus information assurance ("Booz Allen Hamilton," 2011).

Strategic integration of cybersecurity efforts is measured by the degree to which it is integrated into enterprise risk management (ERM), overall mission assurance activities, and any associated internal and external security strategies (Bodeau, et al., 2010). The level of integration is typically expressed as follows: (a) no integration, in which each business process or program articulates its own security strategy; (b) consistency, in which the cybersecurity authorities with oversight for different business units, missions, or risk domains work to ensure the implementation of cybersecurity strategy in their own arena and do not preclude implementation of cybersecurity strategy in any other arena; (c) coordination, in which the authorities who are responsible for different cybersecurity strategies collaborate to execute the planning in order to more effectively leverage the resources of the enterprise; and, (d) full integration, in which there is an overarching and enterprise-wide mission assurance strategy that includes every domain of the enterprise mission, and is also effective across the larger critical infrastructure in the sector of which the enterprise may be a part (Bodeau, et al., 2010). As such, strategic integration refers specifically to the degree to which an enterprise's cybersecurity strategy aligns with, is informed by, or otherwise relates to other risk management strategies in the organization (Bodeau, et al., 2010). Typically, these cybersecurity strategies address the following: acquisition management, architecture, business continuity, mission assurance, and program management (Bodeau, et al., 2010). In the section of this paper entitled "Practical recommendations for cybersecurity strategy," integration is recommended as a key factor in effective cybersecurity strategy (Bodeau, et al., 2010).

Cybersecurity as an organizational strategy. The execution of cybersecurity is complex and multi-dimensional -- and, for many enterprises today, it is key to competitive strategy ("PCAST," 2007). Organizational cybersecurity solutions must be multi-faceted, capable of enhancing enterprise readiness and response while maintaining a robust focus on risk mitigation ("PCAST," 2007). The literature on cybersecurity spans a wide array of organizational types, including those in civil and commercial sectors of finance, energy, health, and technology, the defense industry, and national security agencies ("PCAST," 2007). This discussion will primarily present information related to cybersecurity as an organizational strategy.

Legal, ethical, and technical cybersecurity considerations. The legal aspects of cybersecurity are complex, so complex, in fact, that there are multiple categories that must be coordinated and eventually harmonized into a functioning legal framework (Schjolberg & Hubbard, 2005; Spinello, 2011). These categories include several types of governmental action: legislative efforts, judicial efforts, and criminal enforcement efforts. Under the legislative considerations of cybersecurity, there are additional legal categories, including substantive, procedural, mutual legal assistance, and protection of individual rights (Schjolberg & Hubbard, 2005; Spinello, 2011). The federal government and individual states may also enact laws that address cybercrime (Spinello, 2011).

At an international level, a number of official stakeholders have directed efforts toward combating cybercrime through harmonizing and coordinating their efforts on a global scale (Schjolberg & Hubbard, 2005). The cybersecurity issue has become a focus for the following international organizations: United Nations (UN), International Telecommunications Union (ITU), Organization for Economic Co-operation and Development (OECD), European Union (EU) and Council of Europe (CoE) (Schjolberg & Hubbard, 2005).

Many professional organizations have codes of conduct for their members (Baase, 2008). ACM and IEEE-CS have developed the Software Engineering Code of Ethics (Baase, 2008). It is important to recognize that professional ethics are just part of the job (Baase, 2008). It is important to be honest when working with clients -- or when conducting professional duties -- about capabilities, safety, and limitations of software (Baase, 2008).

While the cybersecurity industry is itself subject to innumerable laws and ethical considerations, research...

...

In fact, the legal environment constrains cybersecurity research by enacting specific and outright prohibitions and also ambiguous uncertainties that make the entire prospect seem too costly and scientific sharing of outcomes risky (Schjolberg & Hubbard, 2005). The laws dealing with communications privacy have established social barriers and sanctions against violating data confidentiality (Schjolberg & Hubbard, 2005). The fit between social expectations and network privacy in practice is not a good one, a problem that underscores the need of many network providers to avoid granting access to researchers -- the potential legal risk, reputational risk, and overall expense appear prohibitive (Schjolberg & Hubbard, 2005).

IT, cybersecurity, and organizational performance. Government agencies are not the only entities threatened by adversaries determined to disrupt operations or steal military intelligence. Business enterprises are also targets of competitors that seek to steal intellectual property, penetrate financial databases, and break down competitive advantage ("PCAST," 2007). The economic viability of business enterprises strongly depends on the ability to look beyond communications and information technology management and assume a broader view that, pointedly, indicates an ability to move beyond reacting to cyber attacks and effectively anticipate new threats (Lynch, 2011). An effective cybersecurity effort will be characterized by the following: (a) establishing a layered defense against threats; (b) fostering a complete recognition of the enterprise's vulnerabilities; (c) reacting to, constraining, and crippling cyber attacks that do get through; (d) evolving in response to compliance requirements; and (e) establishing quick, deep learning from experience ("PCAST," 2007). The role of IT can be as essential as providing the support for an operational surge or providing the flexibility to rapidly deploy new technology (Lynch, 2011).

As with any continuous improvement initiative an enterprise might adopt, enterprises must prepare to evolve their learning through experience, but preferably through the best available intelligence in the industry. An enterprise must be positioned to effectively protect its assets, its financial viability, and its competitiveness (Lowell, 2011). Enterprise stewardship requires the discipline to prioritize expenditures and investments, among which cybersecurity must be carefully positioned due to the enormity of its potential impact on the organization ("PCAST," 2007). Increasing dependence on communications and information technology (CIT) for ordinary enterprise activity points to a greater reliance on enterprise cybersecurity defenses. Certainly a degree of resources must be diverted from direct revenue production when an enterprise determines to invest in mature cyber diagnostics and to strengthen the organization's cybersecurity position and posture (Gordon, 2010). Yet, a proactive stance that enables anticipating and preparing for cyber events can avoid more costly and damaging post-cyber attack recovery (Gordon, 2010). The costs of insufficient preparation for inevitable cyber events and/or a lack of investment in cybersecurity can be devastating to an enterprise (Gordon, 2010). The impact of successful cyber attacks will vary depending largely on an organization's dependence on technology (Gordon, 2010). Essentially, this means that not all organizations will commit to the same degree of cybersecurity investment (Lowell, 2011).

Nevertheless, an enterprise must determine how to integrate the elements of its cybersecurity initiative in order to: (a) identify vulnerabilities; (b) provide quick and effective responses to mitigate cyber events; (c) utilize cyber diagnostics that help to generate risk insights; (d) develop a cybersecurity plan that results in an evolved and enhanced organizational cybersecurity posture; and, (e) provide for the opportunity of evolutionary remediation strategies (Gordon, 2010).

It is essential for enterprises to think about cybersecurity spending in much the same manner that they assess other costs and benefits (Gordon, 2010). It is entirely appropriate to apply an economic framework to cybersecurity expenditures so that enterprises may arrive at spending levels that are within budget. To take this tack will essentially force business to consider and prioritize resource allocation for the greatest possible impact and efficiency (Gordon, 2010). It is unfortunate that most organizations do not take an economic tack to cybersecurity expenditures, driven as they are by the exigencies of the environment and marketing rhetoric (Gordon, 2010). It is difficult for enterprises to recognize that cybersecurity is not necessarily a special category and that normal economic principles do apply to cybersecurity decision making (Gordon, 2010). Businesses mistakenly assume that the benefits and drawbacks associated with cybersecurity expenditures cannot be quantified or monetized (Gordon, 2010). Gordon asserts that, "[w]hen it comes to national security, this 'nonquantifiable benefits argument' is especially deafening -- and flat-out wrong" and that while it is arguably "difficult to quantify the benefits…


References

Baase, S. (2008). Gift of fire: Social, legal, and ethical issues for computing and the Internet, (3rd ed.). Upper Saddle River, NY: Pearson / Prentice Hall.

Bodeau, D., Boyle, S., Fabius-Greene, J., and Graubart, R. (2010, September). Cyber security governance: A component of MITRE's Cyber Prep Methodology. MITRE Technical Report. The MITRE Corporation. Paper presented at the ITS Montreal 2008.

Burstein, A.J. (2008, April). Conducting cybersecurity research legally and ethically. Berkeley School of Law, 18, 42. [Post]. University of California, Berkeley, CA. Retrieved http://static.usenix.org/event/leet08/tech/full_papers/burstein/burstein_html/

Goodman, M. (2011, November). What business can learn from organized crime. Harvard Business Review, [Web page]. Cambridge, MA: Harvard Business Review. Retrieved http://hbr.org/2011/11/what-business-can-learn-from-organized-crime/ar/1

Gordon, L.A. (2010, December 3). Cybersecurity: How much is too much? Retrieved http://www.bizjournals.com/washington/print-edition/2010/12/03/cybersecurity-how-much-is-too-much.html?page=all

Lynch, J. (2012, October). Hogan Lovells hosts Law Review's cybersecurity symposium in Washington, D.C. [Post]. Chronicle of Data Protection. Washington, D.C.: Hogan Lovells. Retrieved http://www.hldataprotection.com/2012/10/

____. (2007, August). PCAST Report, Leadership Under Challenge: Information Technology R&D in a Competitive World. Retrieved http://search.whitehouse.gov/search?affiliate=wh&query=cybersecurity++literature&submit.x=41&submit.y=13&form_id=usasearch_box


Cite this Document:

"Cybersecurity As An Organizational Strategy An Ethical And Legal Perspective" (2012, November 19) Retrieved April 25, 2024, from
https://www.paperdue.com/essay/cybersecurity-as-an-organizational-strategy-106962
