Managing Risk, Introducing Resilience and Securing Layer 8 in an Increasingly Volatile, Uncertain and Ambiguous Cyber Environment
Abstract
This paper traces the evolution of the modern computing landscape, exploring its historical developments and the concurrent rise of cyber security challenges. From its military origins in World War II to today’s interconnected digital era, the narrative highlights the enduring nature of cyber security issues, identified as early as the late 1960s.
The analysis spans decades, noting pivotal moments like the Trusted Computer Systems Evaluation Criteria (TCSEC) in the 1970s to the digital revolution of the 1990s, the Internet’s rise, and the current era dominated by cloud computing, digital transformation, A.I. and quantum computing.
Contemporary challenges, such as the digital-first approach, societal reliance on technology, physical security complications, and the volatile cyber landscape in a Volatile, Uncertain, Complex and Ambiguous (VUCA) world, are detailed. This paper scrutinises issues like data breaches, the limitations of security awareness training, and the evolving threat landscape.
The proposed solution builds on the approaches posited by Zimmermann and Renaud (2019) and Bauer and Patrick (2004) and places new emphasis on the role of the human as an integral part of the system as well as part of the cyber security infrastructure.
In conclusion, the paper acknowledges the complex nature of cyber security challenges and suggests forward-looking strategies that leverage human involvement, contributing to a more adaptive and resilient cyber security approach.
Introduction
“Because that is where the money is.” Willie Sutton
The modern computing environment has developed exponentially over the last few decades. It has been a transformative force of the last part of the 20th century and has an impact on all our lives to one degree or another. The benefits that this environment brings to society are significant and the critical and irreplaceable role that it plays is only becoming greater.
This paper will cover the following topics:
- How we arrived at where we are today. Taking a quick look backwards to see how the environment we are in today evolved.
- What is the environment. A review of today’s environment and elucidating the issues that we face.
- How this happened. Certainly, we started with the best of intentions along the way, but we still came to the problems of today.
- Change of approach: human in the system. It would be too much of a stretch to say that this paper presents a solution to the problems described, but it will highlight a seed of an idea which could be used to bring about positive change in what we have today.
How We Got Here
“The farther backward you can look, the farther forward you are likely to see.” Winston Churchill
Any development that has changed society is usually arrived at by a mixture of planning, accidents, events at the time and organic growth. The cyber environment we see today is no exception to this. Before we look at where we are today and the challenges that exist, a review of where we started from will provide a little bit of insight into these issues. The following paragraphs give an overview of the development of the environment that we see today. It is by no means complete but is included to illustrate broadly how we arrived at where we are today.
1940s
While the concept of a computing machine predates the 20th century, the beginning of the modern computing environment can be traced back to World War 2 and the need to automate calculations for navigation and ballistic firing solutions. This produced an automated calculating machine funded by the US Army Ordnance Ballistic Research Laboratory called ENIAC (Levy, 2013). An ocean away, the UK was working on similar machines, in the form of Colossus, designed to attack the German ENIGMA machines (Williams, 2018).
Modern computing was born into an adversarial and martial period of history to perform a very specific role. The environment that these machines existed in was highly classified with no networking capability, and physical security was the primary form of security used to protect these devices.
1950-1960s
The end of World War 2 saw the recognition that computing devices would provide utility in a civilian context. At this point in time, large mainframe devices such as the Univac 1 system, introduced in 1962 (Borgerson et al., 1978), were used in scientific research and for complex insurance calculations.
Computing was now used outside of a military context (although their military application still continued with the advent of the Cold War) and in the business and general academic community. The use of these machines was on a time-sharing and batch processing basis. Networking was either non-existent or minimal and internal to a single site. The use of physical security was still the primary method of protecting these machines.
Late 1960s
The use of computers continued to expand both in private, public security and military applications. 1967 saw the publication of two seminal papers by the NSA and RAND which identified the need to secure these machines:
- In Security and Privacy in Computer Systems, Willis H. Ware started a discussion about the possibility that information in time-sharing systems could be leaked and exposed between different users (Ware, 1967)
- Bernard Peters, in his paper Security Considerations in a Multi-Programmed Computer System, outlined nine security principles that are still relevant today. In the introduction to his paper, he opens with a statement that is still relevant today: “Security cannot be attained in the absolute sense. Every security system seeks to attain a probability of loss which is commensurate with the value returned by the operation being secured” (Peters, 1967).
While the technology has moved on significantly from the time of both papers, anyone currently working within the cybersecurity industry will be able to acknowledge that these principles still underpin the work that we are trying to achieve. Cybersecurity is not a new problem.
1970s
Research commenced around the concept of high assurance systems and the development of a form of “evaluated system” where there is a level of assurance around the security of a computer system. This created the Trusted Computer Systems Evaluation Criteria (TCSEC) or “Orange Book” (Lipner, 2015) which ultimately led to the Evaluated Products List and Protection Profiles which we see today.
Late 1970s Early 1980s
The late 1970s and the early 1980s started to see the introduction of non-mainframe computing devices into offices, albeit still limited and prohibitively expensive except for the largest organisations. Around this period security controls were still very much reliant on physical security, but commercial computer security products did start to appear in the form of IBM’s Resource Access Control Facility (RACF) and SKK’s Access Control Facility 2 (ACF) (Yost, 2015).
1980s
The use of computers in offices started to become more common with the development of the Personal Computer. At this time, rudimentary networking capabilities started to be introduced and the first (of many) PC viruses was developed (Kaspersky Labs, 2020). Physical security was still key to protecting computers, but with the increase in users at all levels within the organisation, security awareness training started to appear.
1990s
Networking has become ubiquitous along with the PC. Computer skills have become a requirement for many jobs. The Internet, while technically developed in 1962 (Leiner et al., 1997), commenced large scale commercialisation as a result of the development of the World Wide Web (Cohen-Almagor, 2013), which made the Internet more accessible outside specialised academic and business fields.
2000s to Today
From the 2000s through to today we see the evolution of the environment that we currently exist in. This is identified by:
- Websites being standard for even the smallest of companies.
- Computing devices in many forms, not just the PC, have become universal.
- Connectivity is commonplace.
- Computer skills are mandatory for most occupations.
- Developed economies have become data driven.
- Businesses have developed that can only exist on the Internet.
- Cloud computing is common.
- Digital transformation is moving all aspects of business and organisations to a digital first approach (Schneider and Kokshagina, 2021).
Key Takeaways
From this brief overview of how we got to where we are today with the modern computing environment, there are a couple of observations that can be made.
- Computing was originally developed in a highly secure environment. It was born from an adversarial world and into an adversarial environment.
- Cyber security as the problem we see it today is not a new development. The fundamental problems we face were identified many decades ago.
- Computers started as a very technical and highly specialised field, and a degree of skill or literacy is now a requirement to interact with everyday society.
The final point is significant. If we look at the environment and measures that were put in place to protect computer systems during their developing years, security (for better or worse and as effective and ineffective as it may have been) was always a variable that was part of the equation of its use. While that is still the case to some degree, it could certainly be argued that the priority of utility, access and business function has changed this equation significantly to the detriment of securing systems and data.
What we have here
“There’s something happening here, but what it is ain’t exactly clear.” Buffalo Springfield
After taking a very quick history lesson of the development of the modern computer age, we can understand a little about how we got here. And now that we are here, these are some of the attributes of the environment we have created.
Digital First
Several initiatives over the last few years have seen greater emphasis placed upon a digital first strategy for businesses and governments. This is the realisation of the theory of the paperless office that was originally discussed in the mid-1970s (Appleyard, 2005) and saw some implementation in the 1980s (Milliken, 205), but was never able to see anything more than partial implementation until the development of sophisticated document management systems capable of supporting the needs of all organisations, which have only started to become universally available in the last 10-15 years.
These initiatives have had great benefits to organisations with advantages from simply being able to conveniently store all their essential business documents in a number of storage servers instead of rooms full of filing cabinets and compactus through to implementation of complex business intelligence systems that allow the integration of data at a scale that would not have been possible with paper-based systems.
One unintended consequence of these initiatives is that they have made these documents accessible from any location that can access the network storage. While this is also a benefit, it has introduced new threats that would not have existed if the documents were in a locked file cabinet in a storage room. The move to digitisation has produced an increase in the size of the attack surface.
A Requirement of Society
The ability to use and interact with information technology is considered a prerequisite of modern life (Selwyn, 2003). This has reached a point where a digital divide is starting to separate people, impacting the level of opportunity someone on the other side of the divide has to access societal benefits such as health, education, and economic prospects.
While it is still possible to a degree to function without technology (and there is a popular movement of “digital detox” for people to become involved in), long term absence will be difficult to manage and have significant impact on the capability of an individual to function.
Physical Security
As identified earlier in this paper, physical security was the primary security mechanism for most computing systems as they developed through the middle of the 20th century. Today physical security is still present; however, for several organisations and functions it is essentially outsourced to someone else. Traditionally, data existed on a machine that was fully controlled by the organisation that owned the data. Physical security could be managed, checked, and applied to the level that the organisation deemed appropriate. The use of Cloud Computing and the distributed nature of the information ecosystem, with different computer systems sharing and consuming data from multiple disparate sources, has made this protection far more complicated. Physical security is still present in this situation of course, but it is not fully under the control of the organisation that relies on the data being protected.
A Volatile, Uncertain, Complex and Ambiguous (VUCA) World
More and more society is becoming a VUCA world. The term Volatile, Uncertain, Complex and Ambiguous (VUCA) was a term developed by the US Army War College in the 1990s (Lawrence, 2013) to describe the political and economic impact that was taking place with the end of the Cold War.
Looking backwards at society and the world we have today, this concept appears to be more applicable than ever. It can also be applied to the technology environment that underpins the organisation of business, society, economies, and political structures. Given the societal dependence on information technology discussed above and the overall cyber security issues this paper is discussing, this is a significant area of volatility that can be exploited to great impact.
Reliance on Security Awareness Training
As we have discussed earlier in this paper, the usage of computer technology in an organisation was initially limited to specially trained personnel and the need for security was addressed through physical means as well as instruction to those specially trained personnel (Al-Daeef et al., 2017, Yost, 2015). This reliance is still a primary control that is deployed in most organisations to protect computer systems and is the primary approach used to address the human factors element of cyber security.
This type of training has developed over the years and can take a number of different forms that make innovative use of different training tools and technologies, such as the use of video games as a learning tool (Cone et al., 2007) and gamification of security awareness (Winkler and Manke, 2014). However, the efficacy of these approaches has yet to be formally examined, and the evidence available suggests that it may not solve the problem of the human factor in relation to cyber security. Recent surveys from different organisations on user cyber security identify several problems:
- 45% of UK workers never lock their smartphone (Proofpoint, 2020)
- 94% of organisations had a data breach resulting from inside user action (Egress, 2021)
- 58% of employers reported that employees ignore cyber security policy and guidelines (Netrix, 2020)
- Users are not selecting strong passwords to protect their systems, with ‘password’ identified as the most commonly used password (NordPass, 2022)
- 52% of users reuse the same password for multiple accounts with 13% of users reusing the same password on all accounts (Google and Harris Poll, 2019)
Data Breaches
Recent years have seen significant levels of data breaches both within Australia and overseas. The information economy trades on data and it is a commodity that is sought after by threat actors. The full extent of this problem is difficult to fully ascertain.
As highlighted in Figure 1, since the beginning of this century a direction is emerging (Center for Strategic & International Studies, 2023). Looking at a graph of significant cyber security incidents worldwide (Figure 1), as compiled by the Center for Strategic & International Studies, there is a small increase in incidents from 2009 with a larger increase occurring from 2016 onwards. This trend of increases in incidents over this time is also reflected in other indicators identified in different reports from the same period. This includes:
- An increase in the average cost of a data breach by 10% since 2014 (IBM Corporation, 2020)
- An increase in average cost of a data breach by 23% in 2017 (Kaspersky Labs, 2018)
- An increase in the average cost of a data breach by 15.3% in 2023 compared to 2020 (IBM Corporation, 2023)
While each of these reports points towards a similar increasing direction, it is not possible to establish that this direction is empirical. There is no consistent methodology underpinning these reports, and each report is influenced by the corporations that sponsor the research.
Figure 1 Graph of significant cyber events from 2003 to 2022. (Center for Strategic & International Studies, 2023).
It can be observed that the data represented by Figure 1 shows that a sharp increase in growth of these incidents started to occur around 2014. This correlates to the development of the trend of “consumerisation of IT” into organisations (Stagliano et al., 2013), which represents a change in the role of both the organisation and user in regards to the use and selection of information technology. A level of control and management of user computing devices was initially ceded to the user with the introduction of Bring Your Own Devices (BYOD) and ubiquitous computing platforms that expanded beyond the desktop to the tablet, phone, and Internet of Things (IoT) devices. This required groups and organisations to go beyond the existing models of security and introduce additional measures to address this introduction (Eslahi et al., 2014).
The exact cause of a number of these incidents will not be immediately known outside of the organisation impacted due to a number of different factors including legal, human resources, and business process sensitivities (Davidson, 2023). However, once the extent of these incidents is known and resolved, analysis of the causes, outcomes and methods of mitigation is undertaken and published by security researchers and journalists and made available to the cyber security community for review.
An example of this can be seen with the following examination of major cyber incidents such as:
- The RSA supply chain attack that took place in 2011. In this example, personnel involved internally were bound by 10 year Non-Disclosure Agreements (NDAs) (Greenberg, 2021) and have only in the last 2 years been able to talk about the cause of the attack which was a user clicking on a malicious email attachment titled “2011 Recruitment Plan” (Greenberg, 2021).
- The breach of data from the US retailer Target in 2013. This resulted in the loss of 110 million customer records containing personal data and credit card information (Kassner, 2015). Analysis was conducted and released by the US Government Committee on Commerce, Science, and Transportation in 2014, which identified in the Majority Staff Report for Chairman Rockefeller that the cause of the breach was a HVAC contractor with access to the Target network being attacked (Committee on Commerce Science and Transportation, 2014). Later analysis further expanded on this to reveal Target did maintain a secure network that utilised sophisticated cyber security protection involving both technology from FireEye and monitoring 24/7 by a team of security specialists (Hartzog and Solove, 2022). This protection was bypassed by the attack on the third-party HVAC contractor (identified as Fazio Mechanical). Fazio Mechanical had legitimate access to the Target network as part of their contract. The attack on Fazio Mechanical consisted of a phishing email sent to one of their employees which contained the Citadel Trojan Horse. With this access to Fazio Mechanical networks the attacker was able to gain access to the Target network credentials and was able to perform the attack (Hartzog and Solove, 2022).
Both the statistics identified in the report above and the detailed review of the cyber incidents experienced by RSA and Target indicate that the problem of data breaches is here, does not have a current resolution and is getting worse.
The Solution
“It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change” Charles Darwin
So far, we have discussed how we got to where we are today and now that we are here, what we are seeing. Several complex problems have developed into the environment. Efforts have been made to address those problems, but it does appear that this effort might not be enough.
Cybersecurity has the following strong and well matured controls that protect it:
- Technology. There has been constant development in security technology since the 1970s through to today (Fidler, 2017, Warner, 2012, Yost, 2015) in an attempt to address the fundamental lack of security that was built into the underlying TCP/IP protocol layers of the Internet (Bellovin, 2004).
- Process. Cyber security policy and procedures that govern all aspects related to the protection of systems and their data (Mishra et al., 2022), as well as robust security frameworks that have been adopted by different organisations both private and public (Brenner, 2007, Australian Government, 2023).
There is certainly no suggestion that these measures are to be removed or changed in any significant manner. They provide a vital baseline of protection that we have today. The one area that is to be addressed and will see new development as well as some modification to the existing controls is the integration of human factors into the protection of cyber security systems beyond simply the use of security awareness training.
This approach is proposed in two different forms:
- Integrate the role of the human in the system
- Development of the Human as a Solution mindset
Integrating the Human into the System
Although sounding a little dystopian and cyberpunk, integration of the human into the system is simply a methodology that treats the human as part of the system rather than just a user. As all levels of system design have controls and attributes that need to be addressed, looking at addressing those attributes specifically for the human will introduce changes into the design.
The OSI Model
The Open System Interconnection (OSI) Framework model was developed by the International Organization for Standardization as a way of standardising the description and specifications of networking protocols at a time when there were a number of diverse standards in use (Kumar et al., 2014).

| Layer Number | Layer Name | Cyber Attack | Mitigation |
| --- | --- | --- | --- |
| 7 | Application | Exploit | Secure coding practices |
| 6 | Presentation | Phishing | SPF/DMARC/Spam Filtering |
| 5 | Session | Hijacking | Encryption |
| 4 | Transport | Reconnaissance/DoS | Encryption/DoS Protection |
| 3 | Network | Man-in-the-Middle | Encryption/Digital signing |
| 2 | Data-Link | Spoofing | Encryption/Port locking |
| 1 | Physical | Sniffing | Encryption/Steel conduit |

Table 1 The OSI Model including cyber attacks and mitigations relevant at each layer
While network protocols have long been standardised, the model is still relevant today particularly for troubleshooting network issues as well as aiding in analysis of cyber attacks that can occur at the different layers (see Table 1 for a simple example).
The HCI Extension to the OSI Model
The OSI model speaks solidly about the implementation of technology. The Human Computer Interaction (HCI) Extension to the model (Bauer and Patrick, 2004) proposes additional layers that incorporate the human factors into the system. The additional layers are:
- Layer 10 – Human Needs
- Layer 9 – Human Performance
- Layer 8 – Display
These layers acknowledge the importance of the user in protecting the system more than just as a user but as a part of the system which enables the system to achieve its objectives. This extension looks to aspects of the human factor and how it can help protect the system and involves a cross-discipline approach to implementation taking in aspects of organisational behaviour and psychology.
Layer 10 – Human Needs
At this layer the focus is on addressing the human need provided by the system. The system is used to achieve a particular need of the human and by extension the organisation the human works for. Identifying the need of the human such as communication, education, acquisition, security, accessibility, or entertainment, will allow this need to be integrated into the system.
Layer 9 – Human Performance
Layer 9 looks to how the human user will interact with the system and takes into consideration attributes such as perception, cognition, memory, motor control and social factors.
Layer 8 – Display
This layer is the interchange layer between the HCI and OSI models and considers how information is displayed and entered by the human user. Aspects of this layer include input devices, GUI/CLI design, printing and other feedback mechanisms that the system employs to communicate and obtain input from the user.
Implementing the HCI
Unlike the OSI model, the implementation of the HCI is a little less standardised. How each of these layers is addressed will depend upon several factors, some of which will exist outside of the technical system implementation. Considerations for implementation can include:
- Environment the system operates in. Considerations for Layer 8 will have a dependency upon where the system operates. Considerations for display for example will differ if the system is designed to operate within a secure office environment versus in a publicly accessible area.
- The people using the system. A key aspect of consideration for Layer 10 will be the human need that the system meets. The needs of the user for a communication system will differ from a system designed to provide entertainment or security.
- Feedback to and from the system. The amount of information that needs to enter the system or be produced by the system needs to be appropriate for the capabilities of the user and ensure that the Layer 9 design provides adequate comprehension.
As with the OSI model in Table 1, Table 2 presents a simplified view of cyber attacks and mitigations that exist at each layer.

| Layer Number | Layer Name | Cyber Attack | Mitigation |
| --- | --- | --- | --- |
| 10 | Human Needs | Phishing/Social Engineering/Influence | Authenticity/integrity checks |
| 9 | Human Performance | Deep Fakes/Dark Patterns/DoS (limitation of service) | Authenticity/integrity checks; Redundancy |
| 8 | Display | DoS/Disruption of hardware | Redundancy |

Table 2 The HCI Model including cyber attacks and mitigations relevant at each layer
Human as a Solution Mindset
Anyone who has worked within the information technology industry for any time will at least be able to relate (in whole or in part) to the following: “managing this system would be great if we didn’t have users”. This is often seen as particularly relevant to the cyber security industry where, despite best efforts and intentions, user actions are generally the major cause of breaches.
While we have discussed incorporating the human factor into system design, a second approach is to flip the script and look at how the human factor can be modified to participate as a solution to the problem rather than the cause.
The Current Cyber Security Model
At a very high level, cyber security is implemented in most organisations with the following fundamental principles:
- Prevent Errors. Errors in the system, either accidental or deliberate, must be prevented with considerable resources being allocated for this task.
- Exclude, Train, Control & Constrain. The environment is such that we need to stop access to resources, train users how to use resources (although indoctrination is a more accurate description in reality) and provide constraints around usage to ensure security.
- Policy Adequacy. Control of the environment is exercised by strong policy, procedure, and effective governance.
- Resistance Stance. The environment must be set up with the view to ensuring resistance to attack and misuse is the primary focus.
All these principles work together as the basis of how cyber security is managed today. Based upon how we arrived at this environment as discussed earlier in this paper, these principles do seem rational and appropriate.
However, as also identified in this paper, this approach was developed from the adversarial environment that computer technology was born into. Evidence does suggest that this approach, while still playing a vital role, is no longer providing the effective results that it once did.
A New Approach
A new approach proposed is to look at these principles differently (Zimmermann and Renaud, 2019) and attempt to use the role that the human user plays in the system as a positive cyber security attribute:
- Human as a Solution. The user is the part of the system that facilitates access and enables the system to undertake its function. As with any other component of the system, the user must be used to help facilitate the cyber security of the system.
- Focus on Successes. A common activity at the end of any data breach or other cyber security event is to undertake an After Action Report in an attempt to provide lessons learned from the event which can then be fed back into the incident procedures to improve them. While this is an important activity, it does lack the focus on successes. We are only looking at part of the equation with this activity. Benefit could be obtained by analysis of activities that worked and prevented cyber security incidents or data breaches. Looking at this information would provide the opportunity to enhance and strengthen activities that have proven to be effective.
- Collaborate and Communicate. If we are integrating the human into the system, there will be some activities that the human will do better than the system and some activities that the system will always do better than the human. This approach examines the concept of HABA-MABA (Humans are Better At – Machines are Better At). Modern systems require automation for several tasks, but an examination of the most appropriate tasks to automate versus those that require a human in the loop needs to be undertaken.
- Balance Resistance and Resilience. In a world defined by a VUCA environment, cyber security threats are a constant and their form and nature will continue to be irregular and continually adapting to defences. The attributes of resistance that are in the traditional model are still vital, but these need to be balanced against resilience attributes that include the ability to anticipate, monitor, respond and learn.
- Defer to Expertise. Monitoring the environment and the system is a vital tool to provide protection to systems. Cyber security professionals are (and always will be) the necessary expertise to provide this level of oversight. Traditional approaches do tend to ignore the expertise that the system user will potentially bring to this process. The system user has a level of expertise in the use of the system that the cyber security professional does not possess. Appropriately educated in what to look for, the user could provide valuable insight into indications that problems, potentially linked to cyber security incidents, are occurring.
- Encourage Learning. Users do, and always will, make mistakes which will have the potential to lead to cyber security incidents. The nature of integrating the human into the system will always produce this result. While measures will always need to be in place to prevent this where possible, when it does occur it should provide opportunities for improvement and further education. A system user will want to achieve the goals of their role and use the system to the best of their abilities (putting aside the issue of malicious insiders of course). When this doesn’t occur, it will generally be a result of lack of understanding in some form. Developing an environment of risk-free reporting when this occurs will provide additional information that can be further incorporated into lessons learned and analysis activities.
Conclusion
“The only truly secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined room with armed guards – and even then I have my doubts.” – Gene Spafford
The problems that we are facing in the field of cyber security are many and varied and have become worse over recent years. This paper proposes two different approaches, the Human Computer Interaction Model and Cyber Security Differently, that could be applied to the current environment to make better use of the human elements that are part of the system. Both methods are at a theoretical level of development and need to be adapted to the environment into which they are to be implemented. They also need to be looked at as complementary to existing system development methodologies and cyber security practices and procedures rather than as a replacement.
These two approaches look to maximise the use of the resources that exist within all organisations and systems and take advantage of the system user to enhance the cyber security approach.
References:
AL-DAEEF, M. M., BASIR, N. & SAUDI, M. M. 2017. Security awareness training: A review. Lecture Notes in Engineering and Computer Science.
APPLEYARD, R. 2005. Whatever happened to the paperless office? Available from: https://idm.net.au/blog/002622whatever-happened-paperless-office [Accessed 2 December 2023].
AUSTRALIAN GOVERNMENT. 2023. Protective Security Policy Framework [Online]. Australian Government. Available: https://www.protectivesecurity.gov.au/ [Accessed 7 May 2023].
BAUER, B. & PATRICK, A. S. 2004. A human factors extension to the seven-layer OSI reference model [Online]. 6 January 2004. Available: https://www.andrewpatrick.ca/OSI/10layer.html [Accessed 15 July 2023].
BELLOVIN, S. M. A look back at “Security problems in the TCP/IP protocol suite”. 20th Annual Computer Security Applications Conference, 2004. IEEE, 229-249.
BORGERSON, B. R., HANSON, M. L. & HARTLEY, P. 1978. The evolution of the Sperry Univac 1100 series: a history, analysis, and projection. Communications of the ACM, 21, 25-43.
BRENNER, J. 2007. ISO 27001 risk management and compliance. Risk management, 54, 24-29.
CENTER FOR STRATEGIC & INTERNATIONAL STUDIES. 2023. Significant Cyber Incidents [Online]. CSIS Center for Strategic & International Studies. Available: https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents [Accessed 29 May 2023].
COHEN-ALMAGOR, R. 2013. Internet history. Moral, ethical, and social dilemmas in the age of technology: Theories and practice. IGI Global.
COMMITTEE ON COMMERCE SCIENCE AND TRANSPORTATION 2014. A “Kill Chain” Analysis of the 2013 Target Data Breach. In: SENATE, U. S. (ed.).
CONE, B. D., IRVINE, C. E., THOMPSON, M. F. & NGUYEN, T. D. 2007. A video game for cyber security training and awareness. Computers and Security, 26, 63-72.
DAVIDSON, J. 2023. Inside Optus’s secret cyberattack briefings. Financial Review, 5/09/2023.
EGRESS 2021. Insider Data Breach Survey 2021.
ESLAHI, M., NASERI, M. V., HASHIM, H., TAHIR, N. & SAAD, E. H. M. BYOD: Current state and security challenges. 2014 IEEE Symposium on Computer Applications and Industrial Electronics (ISCAIE), 2014. IEEE, 189-192.
FIDLER, B. 2017. Cybersecurity governance: A prehistory and its implications. Digital Policy, Regulation and Governance.
GOOGLE & HARRIS POLL 2019. Online Security Survey Google/Harris Poll.
GREENBERG, A. 2021. The Full Story of the Stunning RSA Hack Can Finally Be Told. Wired. Conde Nast.
HARTZOG, W. & SOLOVE, D. J. 2022. We Still Haven’t Learned the Major Lesson of the 2013 Target Hack [Online]. Slate. Available: https://slate.com/technology/2022/04/breached-excerpt-hartzog-solove-target.html [Accessed 16 September 2023].
IBM CORPORATION 2020. Cost of a Data Breach Report. Ponemon Institute.
IBM CORPORATION 2023. Cost of a Data Breach Report 2023. Ponemon Institute.
KASPERSKY LABS. 2018. Kaspersky Lab Report: The Cost of a Data Breach Continues to Grow Worldwide [Online]. Available: https://usa.kaspersky.com/about/press-releases/2018_kaspersky-lab-report-the-cost-of-a-data-breach-continues-to-grow-worldwide [Accessed 10 September 2023].
KASPERSKY LABS. 2020. A Brief History of Computer Viruses & What the Future Holds [Online]. Available: https://www.kaspersky.com/resource-center/threats/a-brief-history-of-computer-viruses-and-what-the-future-holds [Accessed 1 December 2023].
KASSNER, M. 2015. Anatomy of the Target data breach: Missed opportunities and lessons learned [Online]. ZDNET. Available: https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/ [Accessed 16 September 2023].
KUMAR, S., DALAL, S. & DIXIT, V. 2014. The OSI model: Overview on the seven layers of computer networks. International Journal of Computer Science and Information Technology Research, 2, 461-466.
LAWRENCE, K. 2013. Developing leaders in a VUCA environment. UNC Executive Development, 2013, 1-15.
LEINER, B. M., CERF, V. G., CLARK, D. D., KAHN, R. E., KLEINROCK, L., LYNCH, D. C., POSTEL, J., ROBERTS, L. G. & WOLFF, S. S. 1997. The past and future history of the Internet. Communications of the ACM, 40, 102-108.
LEVY, S. 2013. The Brief History of the ENIAC Computer [Online]. Smithsonian Magazine. Available: https://www.smithsonianmag.com/history/the-brief-history-of-the-eniac-computer-3889120/ [Accessed 30 November 2023].
LIPNER, S. B. 2015. The birth and death of the orange book. IEEE Annals of the History of Computing, 37, 19-31.
MILLIKEN, G. 205. The Paperless Office: 30-Year Old Pipe-Dream? Wired.
MISHRA, A., ALZOUBI, Y. I., GILL, A. Q. & ANWAR, M. J. 2022. Cybersecurity enterprises policies: a Comparative study. Sensors, 22, 538.
NETRIX 2020. 2020 Cyber Threats Report.
NORDPASS. 2022. Top 200 most common passwords [Online]. Available: https://nordpass.com/most-common-passwords-list/ [Accessed 19 September 2023].
PETERS, B. Security considerations in a multi-programmed computer system. Proceedings of the April 18-20, 1967, spring joint computer conference, 1967. 283-286.
PROOFPOINT 2020. 2020 User Risk Report.
SCHNEIDER, S. & KOKSHAGINA, O. 2021. Digital transformation: What we have learned (thus far) and what is next. Creativity and innovation management, 30, 384-411.
SELWYN, N. 2003. Apart from technology: understanding people’s non-use of information and communication technologies in everyday life. Technology in society, 25, 99-116.
STAGLIANO, T., DIPOALO, A. & COONELLY, P. 2013. Consumerization of IT.
WARE, W. H. Security and privacy in computer systems. Proceedings of the April 18-20, 1967, spring joint computer conference, 1967. 279-282.
WARNER, M. 2012. Cybersecurity: A Pre-History. Intelligence and National Security, 27, 781-799.
WILLIAMS, M. 2018. The First Public Discussion of the Secret Colossus Project. IEEE Annals of the History of Computing, 40, 84-87.
WINKLER, I. & MANKE, S. 2014. Gamifying Security Awareness. RSA Conference 2014. Moscone Centre, San Francisco.
YOST, J. R. 2015. The Origin and Early History of the Computer Security Software Products Industry. IEEE Annals of the History of Computing, 15, 1058-6180.
ZIMMERMANN, V. & RENAUD, K. 2019. Moving from a ‘human-as-problem’ to a ‘human-as-solution’ cybersecurity mindset. International Journal of Human-Computer Studies, 131, 169-187.