ISACA Journal - 2012 Volume 6

Stewart Hayes has been involved in risk management and security practices for more than 25 years, providing specialist consultancy services in the Americas, Asia Pacific, Europe and the Middle East. Hayes can be reached at stewart.hayes@jakeman. com.au.

The Changing Face of Cybersecurity

Malcolm Shore has an extensive IT background with more than 20 years of experience in security and risk management. He can be reached at malcolm.shore@ stratsec.com.au.

Miles Jakeman, Ph.D., is a business management specialist. As the Citadel Group Limited’s managing director, Jakeman has advised senior business leaders and government officials on a number of occasions, including representing countries in ministerial forums.

Do you have something to say about this article?

Visit the Journal pages of the ISACA web site ( www.isaca. org/journal), find the article, and choose the Comments tab to share your thoughts.

Go directly to the article:

In today’s environment, it is commonplace for business transactions—everything from home shopping to multibillion-dollar deals—to take place over the Internet. But, while the Internet has developed rapidly as a channel for business, security on the Internet has lagged. The Internet has a well-earned reputation as a hostile environment, and the growth of organised cybercrime is evidence that there is not enough being done to manage the risk. In 2004, Butler Lampson noted:

After thirty years of work on computer security, why are almost all the systems in service today extremely vulnerable to attack? The main reason is that security is expensive to set up and a nuisance to run, so people judge from experience how little of it they can get away with. Since there’s been little damage, people decide that they don’t need much security. In addition, setting it up is so complicated that it’s hardly ever done right. While we await a catastrophe, simpler setup is the most important step toward better security.

In a distributed system with no central management like the Internet, security requires a clear story about who is trusted for each step in establishing it, and why. The basic tool for telling this story is the ‘speaks for’ relation between principals that describes how authority is delegated, that is, who trusts whom. The idea is simple, and it explains what’s going on in any system I know. The many different ways of encoding this relation often make it hard to see the underlying order. 1

Over the last 20 years, there has been immense
growth in the number of computing and network
services, enabling transactions to be undertaken by
the smallest businesses across a global marketplace.
At the same time, there has been a growing
community of individuals who have sought to
exploit the vulnerabilities of network devices,
computer systems and applications.