Preparing for Cyber Threats with Information Security ...

Preparing for Cyber Threats with Information Security Policies

Ilona Ilvonen, Pasi Virtanen, Tampere University of Technology

Special Edition of International Journal of Cyber Warfare and Terrorism (IJCWT), 3(4) 2014

Abstract

Contemporary organisations in any industry are increasingly dependent on information systems. Today most organisations are online all the time, and their internal systems are used in environments that are already or easily connected to the internet. The paper analyses cyber threats and their potential effect on the operations of different organisations with the use of scenario analysis. The scenarios are built based on a literature review. One outcome of the analysis is that to an organisation it is irrelevant where a cyber threat originates from and at whom it is targeted. Whether the threat is specifically targeted at the organisation or is collateral in nature is not important; preparing for the threat is important in both cases. The paper discusses the pressures that the cyber threats pose to information security policies, and what the role of the information security policy could be in preparing for the threats.

Keywords: security policy, cyber threats, organisations, information security policy, information security management tools

1. Introduction

Contemporary organisations in any industry are increasingly, and in most cases once and for all, dependent on information systems and connections between them. This dependence holds true both intra- and inter-organisationally. The information systems in use may have legacy elements, sometimes even dating back to the time when an internet connection was not a common feature in an organisation's repertoire. Today most organisations are online all the time, and their internal systems are used in environments that are already or easily connected to the internet. The internet population is estimated at over two billion individuals at the moment (James, 2012). The number of devices connected to the internet is approximated to grow fivefold by the end of the decade (Evans, 2012). Not all of these users are there with purely good intentions.
According to one definition, cyber threats are Internet-borne activities that may harm or have the potential to harm a computer or network and compromise the confidentiality, integrity, or availability of network data or systems (CCIP, 2013). In public, cyber threats are often discussed from the perspectives of national infrastructure and national safety. However, the operations of organisations do not always follow national borders even though their organisational infrastructures are subjected to one national infrastructure at a time. Organisations sometimes operate in a truly international or even global environment. Hence, the threats they face in their operations are not national, they are global. In national cyber strategies, however, it seems that the operation of, for example, companies is assumed to abide by national boundaries.

Organisations should use internally confirmed information security policies and procedures as tools to manage their information security. The policies usually address multiple threats that the information of the organisation is facing. Most of the threats addressed are direct threats. However, it is important to understand the complex nature of the cyber dimension and not to be short-sighted in this regard. The problem is to recognise also the possible indirect, second-hand, and collateral effects and to prepare for them as well.

“If it runs on computers and computer networks, it's a potential target” says the chairman of the U.S. government’s subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Patrick Meehan (2013). The paranoia-arousing question is: what does not run on computers? Organisations are increasingly reliant on computer systems for all their activities.

The purpose of this paper is to explore the cyber threats that businesses may face and how they can prepare for the risk in advance in their information security policies. The research question in this paper is ‘What challenges does the cyber dimension of threats present for organisations and their information security policies?’ The paper presents theoretical background on information security policies and the cyber threat phenomenon in section two. In section three the paper analyses the threats and their potential effect on the operations of organisations with the use of scenario analysis. In the last section the paper assesses the possibilities to take the cyber threats into account in information security policies.

2. Theoretical background on information security policy and cyber threats

2.1 Information security policy

Information security policy is a document that organisations use for preparing for and fighting against information security threats (Tipton & Krause, 2004; Peltier et al., 2005; von Solms & von Solms, 2004b). In literature the policy has been analysed from the perspective of how it should be written (Peltier et al., 2005; Barman, 2001; Höne & Eloff, 2002), how to get employees to comply with the policy (von Solms & von Solms, 2004b; Boss et al., 2009; Bulcuru et al., 2010; Herath & Rao, 2009) and how the policy affects the information security culture of an organisation (von Solms & von Solms, 2004b; Lacey, 2010; Van Niekerk & Von Solms, 2010).
The information security policy is considered an important tool for managing information security in organisations (Peltier et al., 2005; Ilvonen, 2009). The approach to documenting an information security policy can be technical or managerial (Baskerville & Siponen, 2002). The technical approach means that the information security policy is used for guiding the use of information systems, and the way the systems communicate securely with each other. The managerial approach to information security policy refers to the policy document being targeted to all employees, and the scope of the policy being not just on the use of information systems (Baskerville & Siponen, 2002; Lopes & Sá-Soares, 2012). The managerial approach entails also the behaviour and the procedures of the personnel’s actions whenever there is organisational data or information involved. People can be an effective, or on the other hand a lousy, firewall for the information of an organisation (von Solms & Warren, 2011). In this paper the policy has to cover both these two approaches, technical and managerial, as these approaches are seen as complementary, and one approach cannot be chosen over the other. The information security policy is considered a key document directing both the information systems security and the secure behaviour of employees.

Information security policy is defined in different ways by various authors (e.g. Ilvonen, 2009). In this context information security policy is considered a document that follows the guidelines introduced by international standards (Höne & Eloff, 2002), and thus it:

• defines the scope and objective of information security in the organisation
• states the purpose of the policy itself
• communicates management commitment and approval
• states the information security principles
• communicates the roles and responsibilities of employees regarding information security
• states how information security is monitored and reviewed
• is directly connected with other policies, procedures and strategies of the organisation.

This list presented by Höne and Eloff (2002) is an exhaustive set of requirements for the policy document. Other requirements for the content of the policy are that it must be based on a risk analysis conducted in the organisation (von Solms & von Solms, 2004a) and that it is written in a short and clear manner (Barman, 2001). It is worth noting that the various definitions comprise a certain level of case-specific freedom of movement and free will in determining the scope and the affected parties of the policy itself. The information security policy should thus most importantly be designed to suit the purposes of the organisation it is written for.

Identification of various threats and risks, including the cyber threats, and the assessment of the probabilities of their realisation are important features to include in the preparation of an information security policy. Information security, as presented above, should by definition be based on identified risks. Identifying threats is the first step of risk analysis (Peltier et al., 2005). Although many cyber threats are unknown until they are realised, there are many threats that have already been identified and that can be used as a basis for formulating the policy.

2.2 Cyber threats

According to one definition, cyber threats are Internet-borne activities that may harm or have the potential to harm a computer or network and compromise the confidentiality, integrity, or availability of network data or systems (CCIP, 2013). According to another definition, “Cyber threats to a control system refer to persons who attempt unauthorized access to a control system device and/or network using a data communications pathway.” (ICS-CERT, 2013). Again, some leeway is seen as appropriate in the definitions. However, the use of electronic media of some sort is the overarching factor. The realisation of the threats proceeds through electronic channels to the target (van Heerden et al., 2012).
The threat is not necessarily just harm done upon a computer or a network. It may also be harm introduced through the computers and networks to other kinds of infrastructure. For example, self-extracting malware may come from the internet or via a physically inserted USB stick and contaminate pre-existing software, and further cause physical malfunctions in a power plant or water supply, with further effects on another type of infrastructure. Some sort of access to the target’s network is required in order for the intrusion to take place. This paper argues that the threats need not be internet-borne. The term cyber threat may include features that are pre-programmed and introduced to a system from external physical media, thus not necessitating the use of the internet. Still, they are characterised by originating from and having their effect in information and communications technology (ICT). However, a network on some level is needed for the malware to take full effect. It needs a way to its goal. Thus, cyber threat in this paper refers to activity affecting computer system(s), or disseminating itself via computer systems to other systems, in order to do harm to another party.

The actual activities that are regarded as cyber threats include a large variety of operations. Their unifying factor is their medium: the ICT. Weapons are there to inflict harm or damage (MOT Oxford Dictionary of English, 2013). According to this definition all the threats fall under this category, at least indirectly. However, in literature the cyber dimension is further divided into cyber weapons and non-weapons (Rid & McBurney, 2012). The weapon-like approach is defined to mean the situation in which the means, computer code, is used or designed to be used to cause “physical, functional, or mental harm to structures, systems or living beings” (ibid.) or used to threaten to do so. A counterpart for the weaponized class of cyber threats is logically the non-weapons. These are not used to cause direct harm or damage but most often to gather information, to spy (Choo, 2011; Malgeri, 2009; Rid and McBurney, 2012). This means that their effects are less severe and thus, in many cases, less punishable. The legislation in many countries is having a hard time coping with this phenomenon (Foggetti, 2008; Jahankhani, 2007; Jie-miao, 2008; Marion, 2010). Drawing the line separating the weapons and non-weapons might prove to be extremely difficult. However, both weapons and non-weapons are to be dealt with in one’s information security policy as their methods of operation resemble one another. The true functionality and significance of the malware cannot be fathomed before it takes action. According to a senior researcher at the information security company Kaspersky, one of the upcoming cyber threats is malicious software introduced to mobile appliances (Emm in Waters, 2012). What these malicious programs aim at remains unknown. They may be just data gathering or they may be pure malice with some kind of earning logic attached to them (Choo, 2011; Dunham, 2009; Hypponen, 2006).
Obviously the previously mentioned features apply in this context as well: the ultimate and real goals of the malware are known only to its creator. Whether the actual effects of the realisation of the risk, or indeed the actions caused by the mere discovery of the malware, are in accordance with the thoughts and plans of the malefactor is impossible to judge.

Another type of cyber threat that the experts expect to emerge is accessing large data repositories and stealing data from these for various purposes (Schneider and Levin in Waters, 2012). The increasing number of offshoring offers in this regard is also responsible for new risks (Kshetri, 2010). There are numerous applications using cloud services for data storage, but also the more traditional databases (such as medical records) are high-risk areas in the sense of being a possible target for cybercrime (Armbrust et al., 2010; Pearson and Benameur, 2010; Pearson, 2009). Also the number of more targeted cyber threats is expected to grow (Kshetri, 2005). This may be partly due to the openness of organisations and the ease of finding information on the possible targets, and partly to the grown capability of the aggressors (Ottis, 2008).

A newer angle to mischief is ‘datnapping’. The data thefts are used for demanding ransom payments for returning the data (Keizer, 2011). It is done either by encrypting the data or locking the computer, both ways making the data inaccessible for the rightful user. Both obstacles are to be removed against payment, a ransom.

One of the main features of a cyber threat is that the actual perpetrator, or the pursued effects, cannot be guaranteed to be successfully identified. The intruder or the actual objectives of the intrusion or attempts of intrusion remain more or less blurred. The parties involved as listed by the U.S. homeland security (ICS-CERT, 2013) include:

• hackers
• hacktivists
• industrial spies
• organised crime groups
• terrorists
• national governments

When the possible actions of these groups are considered, one may intuitively come to the conclusion that their objectives vary greatly from one another (see e.g. van Heerden et al. 2012).

Hackers are thought to be intruding into unauthorized domains almost for the fun of it. The mischief may even be left on the level of gaining access. They may break into networks for the thrill of the challenge and boast to their peers about their skills for doing so. Tools and advice for prospective hackers are readily available on the internet.

Hacktivists as a category appeared first in 2008. They have some sort of political or social agenda in their hacker actions (Waters, 2012). The agenda may be directed against a government, its policies, a public sector operator or equivalent, or a private enterprise. A hacktivist’s goal may also be just to draw attention to a point they are trying to make. The activity of hacktivists is estimated to grow with time (Waters, 2012).

Industrial spies and organised crime groups operate with profit-based objectives. Their function is based on making money by using illegal activities of some sort (intrusion related information and knowledge gathering and theft, extortion related to the previous, etc.). Their secondary objectives may include aggressions against the target organisation’s infrastructure to make profit for competitors or other groups listed here.

However odd it may seem, national governments and terrorists form a group of their own based on their motivation and interests. National governments aim to further their political agenda and support their nation state against, and in comparison to, its neighbours and other nations competing with it in some way. Thus the motivation is different by nature, somewhat more elevated to a certain audience if one will. Terrorists are individuals or groups that carry a deep-rooted grudge against their target.
Terrorism means by definition the “unofficial or unauthorized use of violence and intimidation in the pursuit of political aims” (MOT Oxford Dictionary of English, 2013). Terrorists may be supported by national governments hostile towards the target, and with objectives similar to those of the terrorists. The goals of their actions (from espionage to cyber-attacks) may be to gain technological advances from the target, or to disrupt the functions of the infrastructure of the target in order to attack the economy and everyday life, thus creating disturbance.

3. Cyber threat scenarios

In the previous section different kinds of threats and threat sources are mentioned as causing cyber threats. In this section three more specific scenarios are built based on the abovementioned theoretical perspectives. The point in introducing these scenarios is to analyse what kind of challenges they pose for the information security policy, and how organisations could prepare for these kinds of threat scenarios with their information security policies.

Scenario analysis is a method not uncommon in the information security field. Especially in business continuity planning (BCP) this method is used to find out the possible effects a realization of a threat has for the business of an organisation (Lam, 2002). Within the length limitations of this paper we will conduct a small-scale typical-scenario analysis. In an organisational context the analysis should include discussions on how to react to the threat scenarios and the actual recovery plans from the realization of the threat (the BCP). In the scope of this paper we concentrate on introducing the threats and the consequences of them to the operations of an organisation. We then discuss in the last section how the organisations could use their information security policies to prepare for the threats.

The scenarios could be built from the perspective of origin, or from the perspective of end result. In this paper the scenarios are described from the perspective of the end result, i.e. what the cause or the threat is to the organisation. Two of the scenarios are caused by malware. Malware can penetrate the network of an organisation either through downloads from a malicious source by an unaware employee, or by the careless use of portable storage media. Thus scenarios 2 and 3 can be caused by different ways of malware entering the internal systems of the organisation.

Scenario 1: Unavailability of web services

The denial of service (DoS) attack has been used lately as one way to harm the operations of not only organisations, but entire nations (Czosseck et al., 2011). The logic of the attack is simple: the webservers of the target are flooded with traffic, and consequently they crash. The DoS attack may be a way to seek access to the systems of an organisation, or a way to simply cause harm. From the point of view of the organisation, however, the reason for the attack is not important. Countering the attack and recovering from the situation quickly is.

The reason why DoS attacks, or more generally the threat of losing availability of the web services of an organisation, can be devastating is that many organisations rely on their webpages for business operations. One case is that the services of the organisation are directly distributed via the internet, such as in media companies or companies that sell products directly from their web-stores. If the web services are not available, customers cannot buy the products of the company, and thus revenue is stopped. This halt in revenue can also be caused indirectly if revenue is reliant on the amount of page loads, i.e. the amount of viewers for advertisements.

Along with the short-term consequences of directly lost revenue, the crash of web services can also have a long-term impact on the reputation of the organisation as a reliable service provider. If the customer does not know the reason for the crash, they may blame the organisation for it, and choose to buy from somewhere else in the future. On the other hand, even if the customer knows that the crash was caused by malicious activity, falling prey to such an attack may cause the customer to not trust the ability of the organisation to provide a secure and reliable service in the future. Also the mere fact that an organisation is a target for someone may act as a deterrent for a customer.
Even if the operation of the organisation is not directly reliant on the web services it offers, it may rely on the web services for internal communications and operations. If the web domain of an organisation is crashed due to excess inbound traffic, the outbound traffic is often also interrupted. Disruption of internal communications may sound trivial at first thought, but when given some deeper thought, it may prove to be a substantial threat. Many organisations rely almost solely on email and web-based applications for internal communications. If these are down, the operations can grind to a halt or at least substantially slow down very quickly. At the very least it will cause distress and uncertainty among the employees.

To recover from the crash of web services the excess traffic has to be stopped somehow, and the web service re-launched as soon as possible. For this, technical knowledge is of course needed, in order to actually block the attack and recover from it. Good planning for recovery, however, is needed, so that the technical staff can concentrate on doing their job, and count on somebody else telling all stakeholders in an organised manner that the situation is under control, and the service will be restored as quickly as possible.

The information security policy states the roles and responsibilities of different groups of employees. In this scenario the main purpose of the policy is to clarify what each employee is to do in a situation that disrupts operations. Flooding the telephone lines of the helpdesk and the information security manager will not help them in recovering from the attack. Thus the policy helps by establishing a communications plan on how to communicate about disruptions, and whose responsibility this communication is.

Scenario 2: “Datnapping”

In the case of malware “datnapping” the data of the organisation, the harm for the organisation is caused by making access to the data, or possibly the use of ICT tools altogether, impossible. Recovery from the situation in the worst case requires both time and money, if the organisation cannot survive the situation without outside help. In a better case it requires just time and effort to reinstall computers and databases from backups. The logic of datnapping data and computers is that the alternative solution to recover the data can be so time-consuming that the victim may choose to pay the “ransom” to the datnapper, since it may be cheaper than taking the effort of recovery. Sometimes full recovery would not be possible due to bad management of backups, and thus paying the ransom is the only way to get the data back.

An indirect harm of datnapping is the distress it may cause in the organisation. It disrupts normal operations in any case, and will cause a lot of speculation among employees on what needs to be done and what should be done. Uncertainty and blame are not on the wishlist of any manager that needs to have their staff ready to face a problem and quickly resume normal operations.
Good planning, clear documentation of responsibilities and roles, and routinised backup will be valuable in recovering from datnapping. The information security policy in this scenario serves the role of communicating the responsibilities of employees. First of all, if everyone follows the policy, the probability of falling victim to datnapping will be reduced. If, however, this happens, the policy clarifies the people that are responsible for recovery, and establishes a communication scheme about the situation.

Scenario 3: Information leaks

In the case that malware works, for example, by keylogging or by otherwise sending confidential information outside the organisation, the harm for the organisation can be both direct and indirect. Immediate harm may be caused by the information leaking outside the organisation, and the organisation suffering from reputation damage. If the organisation loses the trust of customers, this may prove very costly. Indirectly the loss of information may harm the operations of the organisation by loss of competitive advantage, if its competitors are able to close the gap between them and the organisation. Loss of sensitive research and development information may reveal the plans of a new product to a competitor early, which could turn out devastating for the launch of that product.

Sometimes malware may be introduced into an organisation without anyone noticing, and without any damage. The Stuxnet virus is one example of this kind of malware that was widely spread, but it only did damage to a limited number of targets (Rid & McBurney, 2012). This kind of malware may wait for a long time to activate, but if it is targeted at the operations of an organisation, it may potentially do physical damage in addition to intangible damage. This is why computer systems that are used for overseeing physical processes should be very carefully isolated; one carelessly used, innocent-looking USB memory stick may be all it takes to destroy the vital physical equipment of an organisation.

Information leaks can thus happen in both directions: inside and outside the organisation. In both cases the impact is not only the immediate results of the leak described above. Another result may be the unrest and uncertainty of employees, which affects productivity in both the short and long term.

Information security policy works in this scenario first of all in countering the threat of information leaks. When employees are aware of the threat of information leaks and how these leaks are accomplished, they can prevent those leaks from happening with alert behaviour. Following all security instructions is the beginning of prevention of these threats. Again, if the threat is realised even though the policy is followed, the policy helps in recovery, and establishes a scheme of communication about the situation.

4. Discussion and conclusions

The described scenarios are of a general nature, but we can argue that they also are typical. Organisations have announced that they have fallen victim to such scenarios (Waters 2012), and intuitively we may assume that many more have experienced the same but failed to report the events. In the future even more of this kind of mischief is bound to happen (Waters 2012). How can the scenarios then be avoided, and what challenges do they pose for the information security policy? The information security policy should define the roles and responsibilities of people, which helps the organisation in scenario 1.
The unavailability of web services may cause havoc inside and outside the organisation, and in such a situation it is vital that everyone knows their role and responsibility in the event. Technical information security policies should be in place to limit the consequences of a DoS attack or a similar event, so that recovery from it is achieved fast, if the event cannot be avoided altogether. The role of a policy here is thus to prepare the organisation to face the cyber threat and react to it in an organised manner. A concrete example of the counter measures, or rather the damage control, is to plan ahead a communication ring to form a chain of command to ensure communications in the case of network breakdown.

In scenarios 2 and 3 the directions given in the information security policy are the key to avoiding the events. If all employees

• avoid opening untrusted links
• scan their email for viruses
• refrain from using alien and/or unauthorised USB devices
• do not use USB storage devices for moving files between computers unless absolutely necessary and under strict precautions

i.e. comply with information security regulations, the scenarios can be avoided to a large extent. With wider and wider use of ICT tools for both work and leisure this becomes difficult: links are not always what they seem to be, and a seemingly innocuous file may turn out to be something else entirely (e.g. Hypponen 2006). Also the fact that work and leisure converge increasingly in today’s organisations when it comes to using ICT (e.g. the work e-mail is used for personal matters) does not make the policy-makers’ and overseers’ task any easier.

The training of employees so that they are aware of the threats is thus as important as instructing them with the information security policy. The scenarios may prove to be helpful as eye-openers for management: they induce the identification of various threats as well as their origins. The policy and training, however, need to be in line with each other (Bulcuru et al., 2010). Of course, there is only so much that the policy can do: some studies have shown that the policy does not help at all in reducing information security incidents (Doherty & Fulford, 2005). We argue that by using realistic examples, scenarios, in the training the motivation to abide by the set rules and regulations increases as the threat becomes more tangible and thus understandable.

The challenge with all the threats is the global nature of many organisations. Although different countries have different legislation, the organisations that operate across borders should both comply with the legislation and protect their information at the same time. If they can track excessive logs of their network communications in one country and not do the same in another country, they have a dilemma: the policy should be the same across the organisation, but the legislative grounds for implementing the policy are different. A threat that could be tackled in one country may be left unaddressed in another, for example because the organisation cannot log and monitor email communications. Building the kind of scenarios presented in the previous section may help an organisation find these challenges, which is the first step toward solving them. The scenarios may also be used to perform a risk analysis on the threats thinkable and plausible at a given time.
The cyber threat perspective to information security policy raises a question that could be asked about information security policies in general: Are the policies addressing identified threats? And most importantly, are the employees of organisations aware of the threats that the information security policy is supposed to address? Today the challenges to information security are changing fast, and the information security processes of an organisation should answer to this change. Approaching the policy from the point of view of threats and scenarios might help organisation to reconceptualise their information security policy, and formulate the policies from a threat perspective. This way they could more effectively be used in managing the information security of the organisation. References Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., and Stoica, I. (2010) A view of cloud computing, Communications of the ACM, Vol. 53, No. 4, pp. 50–58. Barman, S. (2001) Writing Information Security Policies. New Riders, Indianapolis. 216 p. Baskerville, R. & Siponen, M. (2002) An information security meta-policy for emergent organizations. Logistics Information Management. Vol. 15, No. 5. pp. 337-346. Boss, S.R., Kirsch, L.J., Angermeier, I., Shingler, R.A. & Boss, R.W. (2009) If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security. European Journal of Information Systems. Vol. 18, No. 2 Special Issue: Behavioral and Policy Issues in Information. pp. 151-164. Bulcuru, B., Cavusoglu, H. & Benbasat, I. (2010) Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs An Information Security Awareness. MIS Quarterly. Vol. 34, No. 3. pp. 523-548.

Czosseck, C., Ottis, R. & Talihärm, A. (2011) Estonia after the 2007 Cyber Attacks: Legal, Strategic and Organisational Changes in Cyber Security. International Journal of Cyber Warfare and Terrorism (IJCWT). Vol. 1, No. 1. pp. 24-34.

Choo, K.-K. R. (2011) Cyber threat landscape faced by financial and insurance industry. Australian Institute of Criminology.

Doherty, N.F. & Fulford, H. (2005) Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis. IGI Global.

Dunham, K. (2009) Mobile malware attacks and defense. Syngress Publishing.

Foggetti, N. (2008) Transnational Cyber Crime, Differences between National Laws and Development of European Legislation: By Repression. Masaryk UJL & Tech. Vol. 2. pp. 31.

Evans, B. (2012) Big Data Set to Explode as 40 billion New Devices Connect to the Internet. [http://www.forbes.com/sites/oracle/2012/11/06/big-data-set-to-explode-as-40-billion-newdevices-connect-to-internet/] Accessed 20.12.2012

Herath, T. & Rao, H.R. (2009) Protection motivation and deterrence: a framework for security policy compliance in organisations. European Journal of Information Systems. Vol. 18, No. 2 Special Issue: Behavioral and Policy Issues in Information. pp. 106-125.

Hypponen, M. (2006) Malware goes mobile. Scientific American. Vol. 295. pp. 70–77.

Höne, K. & Eloff, J.H.P. (2002) Information security policy — what do international information security standards say? Computers & Security. Vol. 21, No. 5. pp. 402-409.

Ilvonen, I. (2009) Information security policies in small Finnish companies. Proceedings of the 8th European Conference on Information Warfare and Security, Lisbon, Portugal, 6-7 July 2009.

Information Services and Technology (IST) (2013) Viruses, Spyware, and Malware. Massachusetts Institute of Technology. [http://ist.mit.edu/security/malware] Accessed 20.02.2013

Jahankhani, H. (2007) Evaluation of cyber legislations: trading in the global cyber village. International Journal of Electronic Security and Digital Forensics. Vol. 1, No. 1. pp. 1–11.

James, J. (2012) How much data is created every minute? A DOMO infographic. [http://www.domo.com/blog/2012/06/how-much-data-is-created-every-minute/?dkw=socf3] Accessed 20.12.2012

Jie-miao, C. (2008) China’s Legislation on Criminal Jurisdiction over Cyber Crimes. Modern Law Science. Vol. 3. pp. 012.

Keizer, G. (2011) Ransomware squeezes users with bogus Windows activation demand. But F-Secure sniffed out unlock code to stymie extortion scheme. ComputerWorld. Apr 11th, 2011. [http://www.computerworld.com/s/article/9215711/Ransomware_squeezes_users_with_bogus_Windows_activation_demand] Accessed 20.02.2013

Kshetri, N. (2005) Pattern of global cyber war and crime: A conceptual framework. Journal of International Management. Vol. 11, No. 4. pp. 541–562.

Kshetri, N. (2010) Cloud computing in developing economies. Computer. Vol. 43, No. 10. pp. 47–55.

Lacey, D. (2010) Understanding and transforming organizational security culture. Information Management & Computer Security. Vol. 18, No. 1. pp. 4-13.

Lam, W. (2002) Ensuring business continuity. IT Professional. Vol. 4, No. 3. pp. 19-25.

Lopes, I. & Sá-Soares, F. (2012) Information security policies: a content analysis. PACIS The Pacific Asia Conference on Information Systems. Hochiminh, Vietnam.

Malgeri, J. (2009) Cyber security: a national effort to improve. In 2009 Information Security Curriculum Development Conference. pp. 107–113.

Marion, N. E. (2010) The council of Europe’s cyber crime treaty: An exercise in symbolic legislation. International Journal of Cyber Criminology. Vol. 4, No. 1&2.

Meehan, P. (2013) Cyber threats hit close to home. Philly.com, the Inquirer, Feb. 4th, 2013. [http://www.philly.com/philly/opinion/inquirer/20130204_Cyber_threats_hit_close_to_home.html] Accessed 06.02.2013

MOT Oxford Dictionary of English (2013).

Ottis, R. (2008) Analysis of the 2007 cyber attacks against Estonia from the information warfare perspective. In Proceedings of the 7th European Conference on Information Warfare and Security.

Pearson, S. (2009) Taking account of privacy when designing cloud computing services. In Software Engineering Challenges of Cloud Computing, 2009. CLOUD’09. ICSE Workshop on. pp. 44–52.

Pearson, S. & Benameur, A. (2010) Privacy, security and trust issues arising from cloud computing. In Cloud Computing Technology and Science (CloudCom), 2010 IEEE Second International Conference on. pp. 693–702.

Peltier, T.R., Peltier, J. & Blackley, J. (2005) Information security fundamentals. Auerbach Publications, Boca Raton, Fla.

Rid, T. & McBurney, P. (2012) Cyber-Weapons. The RUSI Journal. Vol. 157, No. 1. pp. 6–13.

The Centre for Critical Infrastructure Protection (CCIP) (2013) What Are the Cyber Threats? New Zealand’s Government Communications Security Bureau (GCSB). [http://www.ccip.govt.nz/] Accessed 20.02.2013

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) (2013) Cyber Threat Source Descriptions. Department of Homeland Security. [http://icscert.us-cert.gov/csthreats.html] Accessed 20.02.2013

Tipton, H. & Krause, M. (eds) (2004) Information security management handbook, 5th edn. CRC Press, Boca Raton.

van Heerden, R. P., Irwin, B., Burke, I. D. & Leenen, L. (2012) A Computer Network Attack Taxonomy and Ontology. International Journal of Cyber Warfare and Terrorism (IJCWT). Vol. 2, No. 3. pp. 12-25.

Van Niekerk, J.F. & Von Solms, R. (2010) Information security culture: A management perspective. Computers & Security. Vol. 29, No. 4. pp. 476-486.

von Solms, B. & von Solms, R. (2004a) The 10 deadly sins of information security management. Computers & Security. Vol. 23, No. 5. pp. 371-376.

von Solms, R. & von Solms, B. (2004b) From policies to culture. Computers & Security. Vol. 23, No. 4. pp. 275-279.

von Solms, R. & Warren, M. (2011) Towards the Human Information Security Firewall. International Journal of Cyber Warfare and Terrorism (IJCWT). Vol. 1, No. 2. pp. 10-17.

Waters, J. (2012) The New Year's Biggest Cyberthreats. The Wall Street Journal, Europe Edition, Dec. 29th 2012. [http://online.wsj.com/article/SB10001424127887323277504578193833434470690.html] Accessed 20.02.2013