The Changing Face of Cybersecurity

Stewart Hayes has been involved in risk management and security practices for more than 25 years, providing specialist consultancy services in the Americas, Asia Pacific, Europe and the Middle East. Hayes can be reached at

Malcolm Shore has an extensive IT background with more than 20 years of experience in security and risk management. He can be reached at malcolm.shore@

Miles Jakeman, Ph.D., is a business management specialist. As the Citadel Group Limited’s managing director, Jakeman has advised senior business leaders and government officials on a number of occasions, including representing countries in

In today’s environment, it is commonplace for business transactions—everything from home shopping to multibillion-dollar deals—to take place over the Internet. But, while the Internet has developed rapidly as a channel for business, security on the Internet has lagged. The Internet has a well-earned reputation as a hostile environment, and the growth of organised cybercrime is evidence that there is not enough being done to manage the risk. In 2004, Butler

After thirty years of work on computer security, why are almost all the systems in service today extremely vulnerable to attack? The main reason is that security is expensive to set up and a nuisance to run, so people judge from experience how little of it they can get away with. Since there’s been little damage, people decide that they don’t need much security. In addition, setting it up is so complicated that it’s hardly ever done right. While we await a catastrophe, simpler setup is the most important step toward better security.

In a distributed system with no central management like the Internet, security requires a clear story about who is trusted for each step in establishing it, and why. The basic tool for telling this story is the ‘speaks for’ relation between principals that describes how authority is delegated, that is, who trusts whom. The idea is simple, and it explains what’s going on in any system I know. The many different ways of encoding this relation often make it hard to see the underlying order.¹

Over the last 20 years, there has been immense growth in the number of computing and network services, enabling transactions to be undertaken by the smallest businesses across a global marketplace. At the same time, there has been a growing community of individuals who have sought to exploit the vulnerabilities of network devices, computer systems and applications.