The Latest from A Holistic Approach to Cybersecurity Risk Management

Jan 11, 2019 | Charles Harry

As Americans increasingly buy and install smart devices in their homes, all those cheap interconnected devices create new security problems for individuals and society as a whole. The problem is compounded by businesses radically expanding the number of sensors and remote monitors they use to manage overhead lights in corporate offices and detailed manufacturing processes in factories. Governments, too, are getting into the act – cities, especially, want to use new technologies to improve energy efficiency, reduce traffic congestion and...

Dec 17, 2018 | Nancy Gallagher, Charles Harry

An earlier version of this paper was published as a CISSM Working Paper.
Immature classification methods for cyber events prevent technical staff, organisational leaders, and policy makers from engaging in meaningful and nuanced conversations about the threats they face. This paper provides a new taxonomy of cyber effects that is used to analyse over 2,431 publicised cyber events from 2014 to 2016. Industry sectors vary in the scale of events they are subjected to, the distribution between...

Mar 31, 2018 | Nancy Gallagher, Theresa Hitchens

As use of the Internet has become critical to global economic development and international security, there is near-unanimous agreement on the need for more international cooperation to increase stability and security in cyberspace. Several multilateral initiatives over the last five years have begun to spell out cooperative measures, norms of behavior, and transparency and confidence-building measures (TCBMs) that could help improve mutual cybersecurity.

These efforts have been painstakingly slow, and some have stalled due to competing interests. Nonetheless, a United...

Feb 28, 2018 | Nancy Gallagher, Charles Harry

Publicity surrounding the threat of cyber-attacks continues to grow, yet immature classification methods for these events prevent technical staff, organizational leaders, and policy makers from engaging in meaningful and nuanced conversations about the risk to their organizations or critical infrastructure. This paper provides a taxonomy of cyber events that is used to analyze over 2,431 publicized cyber events from 2014-2016 by industrial sector. Industrial sectors vary in the scale of events they are subjected to, the distribution between exploitive and...

Oct 20, 2017 | Nilsu Goren, Theresa Hitchens

Cybersecurity transcends national boundaries in many ways: The internet’s technical infrastructure is global in scope; threat actors based in one country can disguise their identities by taking control of computers in other countries; global businesses sell software, hardware, and security services that may introduce or combat vulnerabilities; and the consequences from a disruptive attack can spread far beyond the initial victim. Even the most cyber-savvy country cannot protect itself completely unless it wants to disconnect from the global internet and...

Aug 10, 2017 | Charles Harry

The Mirai botnet attack on the DYN network in October 2016 highlighted to many policymakers the potential problems associated with IoT devices. The compromise and concerted use of thousands of webcams and DVRs to disrupt key Internet services focused attention on the poor implementation of security controls on millions of devices newly connected to the Internet.

The introduction of the IoT Cybersecurity Improvement Act of 2017 by a bipartisan group of US senators seeks to address the inherent threat IoT...

Jul 3, 2017 | David Mussington

Bill C-59 – the National Security Act 2017 – outlines a new vision for Canadian national security. Reading between the lines of this “anti-terror” bill, there is a clear attempt here to comprehensively rework decision-making mechanisms to enhance oversight and ministerial control over counter terrorism, surveillance and cyberspace operations.

While its new measures demonstrate a clarity of vision as to where this administration would like its counter-terror efforts to go, the document reveals something else that is much more interesting....

Apr 11, 2017 | Nancy Gallagher, Charles Harry

Faced with a rapidly growing volume and range of cyber attacks, policymakers and organizational leaders have had difficulty setting priorities, allocating resources, and responding effectively without a standard way to categorize cyber events and estimate their consequences. Presidential Policy Directive 41 laid out the Obama administration’s principles for executive branch responses to significant cyber incidents in the public or private sector. But it neither drew important distinctions between different types of cyber incidents, nor gave a standard way to determine...

Jan 10, 2017 | David Mussington

January is typically the month of new beginnings. However, the first portion of 2017 has offered everything but a break from the tumultuous wreckage seen in the past year. This past week the U.S. intelligence community released its first public assessment of Russian interference in the US elections.

The results of this assessment leave the United States and Western nations with a choice on how they will respond to Russian actions designed to disrupt and undermine the integrity of democratic...

Aug 4, 2015 | Charles Harry

While significant media attention has been given to the volume and range of cyber attacks, the inability to measure and categorize disruptive events has complicated efforts of policy makers to push comprehensive responses that address the range of cyber activity. While organizations and public officials have spent significant time and resources attempting to grapple with the complex nature of these threats, a systematic and comprehensive approach to categorize and measure disruptive attacks remains elusive. This paper addresses this issue by...