
European Cybersecurity Implementation: Overview

Cybersecurity is emerging within the fields of information security and traditional security to address sharp increases in cybercrime and, in some instances, evidence of cyberwarfare. Three major factors are contributing to the need for improved cybersecurity on a global basis: ubiquitous broadband, IT-centric business and society, and social stratification of IT skills. To address cybercrime and societal changes, many governments and institutions launched cybersecurity initiatives, ranging from guidance, through standardisation, to comprehensive legislation and regulation. ISACA has released the European Cybersecurity Implementation Series primarily to provide practical implementation guidance that is aligned with European requirements and good practice. This paper provides a high-level overview of implementing cybersecurity in line with existing laws, standards and other guidance. This overview paper is complemented by three detailed papers that focus on risk guidance, resilience and assurance in cybersecurity.

www.isaca.org/cyber

3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org

Provide feedback: www.isaca.org/EU-cyber-implementation
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

About ISACA
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus, a comprehensive set of resources for cybersecurity professionals, and COBIT, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) credentials. The association has more than 200 chapters worldwide.

© 2014 ISACA. All Rights Reserved.

Disclaimer
ISACA has designed and created European Cybersecurity Implementation: Overview white paper (the Work) primarily
as an educational resource for assurance, governance, risk and security professionals. ISACA makes no claim that use of
any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information,
procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining
the same results. In determining the propriety of any specific information, procedure or test, assurance, governance, risk
and security professionals should apply their own professional judgement to the specific circumstances presented by the
particular systems or information technology environment.


ACKNOWLEDGEMENTS

Development Team
Rolf M. von Roessing, CISA, CISM, CGEIT, CISSP, FBCI, Forfa AG, Switzerland, Lead Developer
Vilius Benetis, Ph.D., CISA, CRISC, NRDCS, Lithuania
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece
Ivo Ivanovs, CISA, CISM, MCSE, Ernst & Young Baltic SIA, Latvia
Samuel Linares, CISA, CISM, CGEIT, CRISC, CISSP, GICSP, Industrial Cybersecurity Center (CCI), Spain
Charlie McMurdie, PricewaterhouseCoopers, UK
Andreas Teuscher, CISA, CGEIT, CRISC, Sick AG, Germany

Expert Reviewers
Jesper Hansen, CISM, CRISC, CISSP, ESL, PFA Pension, Denmark
Martins Kalkis, CISM, Latvian Mobile Telephone, Latvia
Aare Reintam, CISA, Estonian Information System Authority, Estonia
Andrea Rigoni, Intellium Ltd., UK
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium

ISACA Board of Directors
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
CISA, CISM, ISO 27001 LA, CISSP, DHL Global Forwarding & Freight, Germany

Cybersecurity Task Force
Eddie Schwartz, CISA, CISM, CISSP, MCSE, PMP, USA, Chairman
Manuel Aceves, CISA, CISM, CGEIT, CRISC, CISSP, FCITSM, Cerberian Consulting, SA de CV, Mexico
Sanjay Bahl, CISM, CIPP, India
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Brent Conran, CISA, CISM, CISSP, USA
Derek Grocke, HAMBS, Australia
Samuel Linares, CISA, CISM, CGEIT, CRISC, CISSP, GICSP, Industrial Cybersecurity Center (CCI), Spain
Marc Sachs, Verizon, USA
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, CIPP/US, CIPP/E, CISSP, FBCS, ACA, Amgen Inc., USA
Steven A. Babb
Phil J. Lageschulte
Garry J. Barnes
Anthony P. Noble
CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Ivan Sanchez Lopez
CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Sushil Chatterji
CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Rosemary M. Amato
Robert E Stroud
CGEIT, CRISC, CA, USA, International President
Jamie Pasfield
CGEIT, Edutech Enterprises, Singapore
CGEIT, CPA, KPMG LLP, USA
CISA, Viacom, USA
Robert A. Clyde, CISM, Adaptive Computing, USA, Vice President


Introduction to the ISACA European Cybersecurity Implementation Series

Cybersecurity is emerging within the fields of information security and traditional security to address sharp increases in cybercrime and, in some instances, evidence of cyberwarfare. Cybersecurity includes the protection of information assets by addressing threats to information that is processed, stored and transported by internetworked information systems. Figure 1 shows the three major factors that are contributing to the need for improved cybersecurity on a global basis.

Figure 1: Factors Impacting the Need for Improved Cybersecurity (figure residue; the original shows three overlapping factors)
- Ubiquitous Broadband (Always On)
- IT-centric Business and Society
- Social Stratification of In-depth IT Skills
Source: Transforming Cybersecurity, ISACA, USA, 2013, figure 6

Ubiquitous broadband, IT-centric business and society, and social stratification of IT skills are changing the traditional centrally controlled and managed IT environment towards an open world in which everyone uses multiple devices and boundaries are blurred between business and private domains. At the same time, many business transactions no longer have a non-digital (paper or face-to-face) alternative. This change is accompanied by the entry of a new generation of device users into the global marketplace. The new generation has a vastly different perspective on security and predominant trust and sharing ideas that have been manifested in a multitude of social networks, sharing platforms and innovative service offerings.

To address cybercrime and societal changes, many governments and institutions launched cybersecurity initiatives, ranging from guidance, through standardisation, to comprehensive legislation and regulation.


This paper is the overview of the ISACA European Cybersecurity Implementation Series of papers that addresses cybersecurity implementation from a European perspective, including the European Union (EU)1 and its associated countries.2 European Cybersecurity Implementation: Overview provides a high-level overview of implementing cybersecurity good practice in line with existing laws, standards and other guidance. This overview paper is complemented by three detailed papers that focus on risk guidance, resilience and assurance in cybersecurity. The series Assurance paper also is complemented by a separate generic Audit Programme paper. Figure 2 shows the structure of the series within the context of the ISACA security publications.

Figure 2: European Cybersecurity Implementation Series in Context (figure residue)
ISACA Security Publications: COBIT 5 for Information Security; Securing Mobile Devices; Creating a Culture of Security; Advanced Persistent Threats: How to Manage the Risk to Your Business; Transforming Cybersecurity; Responding to Targeted Cyberattacks
European Cybersecurity Implementation Series: European Cybersecurity Implementation: Overview; European Cybersecurity Implementation: Risk Guidance; European Cybersecurity Implementation: Resilience; European Cybersecurity Implementation: Assurance; European Cybersecurity Implementation: Audit Programme

1 The European Union (EU) includes the 28 member states, e.g., France, The Netherlands and Spain, and any of their territories outside of Europe.
2 Associated countries are linked to the EU by treaties or other agreements. Therefore, part of their cybersecurity policy and strategy may be aligned with EU guidance. Examples of associated countries include the British Channel Islands, Liechtenstein and Switzerland.


PURPOSE
The European Cybersecurity Implementation Series is designed primarily to provide practical implementation guidance that is aligned with European requirements and good practice.

TARGET AUDIENCES
The European Cybersecurity Implementation Series is organised to provide targeted insights to the various enterprise stakeholders. For example, senior managers in a business-related function may benefit from reading this Overview paper. Cybersecurity experts may want to read the more detailed papers in the series and follow up on their references. Auditors and reviewers should include this Overview and the Assurance paper in their reading and use the information in the Audit Programme paper to indicate their plans within the enterprise. Figure 3 shows the series publications and suggested target audiences.

Figure 3: Target Audiences of European Cybersecurity Implementation Series (table residue; the markings showing which audience each paper targets are not recoverable)
Rows (European Cybersecurity Implementation Series Papers): Overview; Risk Guidance; Resilience; Assurance; Audit Programme
Columns (Target Audience): CxO/Senior Management (Business); Chief Information Officer (CIO)/IT Management; Information/Cybersecurity Practitioner; Auditor/Reviewer

The European cybersecurity laws and regulations are usually more stringent for industry sectors that are regulated
or classified as critical infrastructure than for unregulated industries. However, the presence of legal provisions or
regulations is not the only cybersecurity driver. Some industry sectors have experienced a higher rate of cybercrime,
cyberwarfare or industrial espionage than others.


Figure 4 shows some of the industry sectors that can benefit particularly from specific papers in the
European Cybersecurity Implementation Series. This list is by no means exhaustive, but provides
suggestions for recommended reading.

Figure 4: Industry Sectors and Target Audiences (table residue; the markings showing which publication each sector should read are not recoverable)
Columns (European Cybersecurity Implementation Series Publication): Overview; Risk Guidance/Resilience/Assurance3; Audit Programme4
Rows (Industry Sector): Public; Telecommunications; Finance and Insurance; Health care; Critical Infrastructures; Automotive; IT service providers; Audit; Consulting

3 Use this guidance in collaboration with national institutions and their individual guidance on cybersecurity.
4 The Audit Programme paper is for practitioners or specialists tasked with performing reviews or audits.
5 Financial institutions and insurers should also refer to their specific industry sector regulation, e.g., Basel III.
6 IT service providers should review their client base for any inherited regulatory requirements. For the risk, resilience and assurance requirements and potential audits, these providers should also refer to ISAE 3402 and national implementations, respectively.


The European Cybersecurity Landscape

In recent years, traditional information security has been challenged by the emergence of cybercrime and cyberwarfare, which are growing rapidly. Security breaches have evolved from opportunistic attacks by individual perpetrators to targeted attacks that are often attributed to organised crime or hostile acts between nation states. The EU and its member states have launched wide-ranging programmes and initiatives to strengthen cybersecurity, responding to the challenge with a defence of cybersecurity initiatives, including the following:

- The European Network and Information Security Agency (ENISA) was formed in 2004 to provide guidance and recommendations for information security. Since then, ENISA broadened its area of activity to cover cybersecurity issues.7
- The European Commission issued a Cybersecurity Strategy8 that has been mirrored by a number of national strategies.9
- A wide range of cybersecurity-related activities in research and development, regulation and governance are occurring in the EU and member states. Following are some of these activities:
  - Directive on Network and Information Security
  - Horizon 2020 Research and Development Programme
  - Inter-organisational and international cooperation in politics and law enforcement
  - Digital Agenda for Europe 14 cybersecurity actions (see Appendix A)

To analyse, co-ordinate and apply all of these sources of valuable information, enterprises need practical implementation guidance for cybersecurity in the European context. The European Cybersecurity Implementation Series of papers uses recognised frameworks and standards to provide targeted insight about implementing cybersecurity.

CYBERSECURITY DEFINITIONS
The term cybersecurity addresses the governance, management and assurance that go beyond standard information security. Cybersecurity focuses on specific, highly sophisticated forms of attack and covers the technical and social aspects of the attack. Many definitions exist for cybersecurity, and the term is often misunderstood. The official EU definition follows:

"Cyber-security commonly refers to the safeguards and actions that can be used to protect the cyber domain, both in the civilian and military fields, from those threats that are associated with or that may harm its interdependent networks and information infrastructure. Cyber-security strives to preserve the availability and integrity of the networks and infrastructure and the confidentiality of the information contained therein."10

ISACA defines cybersecurity as follows:

"The protection of information assets by addressing threats to information that is processed, stored and transported by internetworked information systems."11

In its Transforming Cybersecurity publication, ISACA further describes cybersecurity as follows:

"Cybersecurity encompasses all that protects enterprises and individuals from intentional attacks, breaches and incidents as well as the consequences. In practice, cybersecurity addresses primarily those types of attack, breach or incident that are targeted, sophisticated and difficult to detect or manage. The focus of cybersecurity is on what has become known as advanced persistent threats (APTs), cyberwarfare and their impact on enterprises and individuals."12

7 See http://www.enisa.europa.eu for details.
8 Available at http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=1667.
9 ENISA provides an overview of national strategies at https://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/national-cyber-security-strategies-in-the-world.
10 European Commission, Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, "Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace", Brussels, 2 July 2013, p. 3, http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=1667
11 ISACA, Cybersecurity Glossary, 2014, http://www.isaca.org/Knowledge-Center/Documents/Glossary/Cybersecurity_Fundamentals_glossary.pdf
12 ISACA, Transforming Cybersecurity, USA, 2013, p. 11, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Transforming-Cybersecurity-Using-COBIT-5.aspx


Enterprises should distinguish between standard (lower-level) information security and cybersecurity; the difference is in
the scope, motive, opportunity and method of the attack (see figure 5). Cybersecurity should focus on APTs to enable a
clear and targeted set of cybersecurity measures and actions. This is shown in figure 5.
Figure 5: Cyberattack Taxonomy13 (figure residue; the original chart plots Risk against Attacker Resources/Sophistication)
Attacker categories and why they attack:
- Unsophisticated Attackers (Script Kiddies): You are attacked because you are on the Internet and have a vulnerability.
- Corporate Espionage (insiders): Your current or former employee seeks financial gain from selling your IP.
- Sophisticated Attackers (Hackers): You are attacked because you are on the Internet and have information of value.
- State-sponsored Attacks, Advanced Persistent Threat (APT): You are targeted because of who you are, what you do, or the value of your IP.
Motives shown: Amusement/Experimentation/Nuisance; Personal Gain; Money; Intelligence Gathering; State-sponsored Espionage and Weaponization.
APT Life Cycle: Initial Exploitation; Privilege Escalation; Command and Control; Data Exfiltration.
Timeline along the sophistication axis, 1980s/1990s to 2012: Brain Boot/Morris Worm, Polymorphic Viruses, Michelangelo, Concept Macro Virus, Melissa, I Love You, Anna Kournikova, Sircam, Code Red and Nimda, SQL Slammer, Blaster, Sobig, MyDoom, Netsky, Sasser, Storm botnet, Koobface, Conficker, Aurora, Mariposa, Stuxnet, WikiLeaks, Anonymous, LulzSec, SpyEye/Zeus, Duqu, Flame.
Source: Responding to Targeted Cyberattacks, ISACA, USA, 2013, figure 2

For the ISACA European Cybersecurity Implementation Series, the EU and ISACA cybersecurity definitions are used jointly, to integrate all relevant aspects of cybersecurity. Adding a multi-dimensional view, such as PESTLE14, is useful to better understand the potential impacts of cyber threats and risk. Figure 6 shows the difference between the areas covered by cybersecurity and the areas covered by traditional information security.

Figure 6: Information Security and Cybersecurity Focus (PESTLE) (figure residue)
Dimensions: Political; Economic; Social; Technical; Legal; Environmental.
Areas: Low to Medium Level Attacks (Infosec); APT Attacks (Cybersec).

13 ISACA, Responding to Targeted Cyberattacks, USA, 2013, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Responding-to-Targeted-Cyberattacks.aspx
14 PESTLE analysis is a detailed view of an enterprise's Political, Economic, Social, Technical, Legal and Environmental environment. For more information, see www.pestleanalysis.com.


In addition to the cybersecurity scope that is described in the definitions and its focus on certain kinds of threats, risk and attacks, cybersecurity should be placed within the internationally agreed-upon threat levels that are declared by nation states or supranational bodies. Figure 7 shows these threat levels and the types of cyberattacks, based on their required effort and sophistication. The red rectangle denotes the type of attack and threat level usually covered by cybersecurity, whereas the remaining area is covered by information security.

Regardless of any agreed-upon definition of cybersecurity, the task remains unchanged: organisations should delineate the boundaries between standard information security and cybersecurity. The former is often subject to budget and resource restrictions; the latter faces highly intelligent attackers with motive, opportunity and often formidable skills. These facts should be taken into consideration when adopting an enterprise definition of cybersecurity.

Figure 7: Attacks and Threat Levels15 (figure residue)
Vertical axis: Effort/Sophistication, from LOW to HIGH. Horizontal axis: threat level, LOW, GUARDED, ELEVATED, HIGH, SEVERE.
Attack types plotted, from opportunistic probes and attacks at the low end to cyberwarfare at the high end, with simple malware attacks, complex malware attacks, spear phishing, zero-day/complex exploits and directed APT in between.
Regions: Information security scope (lower part); Cybersecurity scope (red rectangle, upper part).
Source: Transforming Cybersecurity, ISACA, USA, 2013, figure 10

15 Op. cit., ISACA, Transforming Cybersecurity.


GOAL AND OBJECTIVES

From a European perspective, cybersecurity requires common definitions, frameworks and a sense of direction throughout all member states and associated states. Cybercrime and, in some instances, cyberwarfare have grown to the level that requires both short-term and long-term action. The EU cybersecurity strategy addresses this required action by formulating several goals and objectives and inviting industry and the private sector to contribute, as follows:16

- Goal: Take the lead in investing in a high level of cybersecurity and develop best practices and information sharing at the sector level and with public authorities, to ensure strong and effective protection of assets and individuals, particularly through public-private partnerships like the European Public-Private Partnership for Resilience (EP3R) and Trust in Digital Life (TDL).
- The Commission invites enterprises to: Promote cybersecurity awareness at all levels, both in business practices and in the interface with customers. In particular, enterprises should reflect on ways to make chief executive officers (CEOs) and boards of directors more accountable for ensuring cybersecurity.
- The Commission invites public and private stakeholders to: Stimulate the development and adoption of industry-led security standards, technical norms and security-by-design and privacy-by-design principles by information and communications technologies (ICT) product manufacturers and service providers, including cloud providers. New generations of software and hardware should be equipped with stronger, embedded and user-friendly security features.
- Develop industry-led standards for enterprise performance on cybersecurity, and improve the information that is available to the public by developing security labels or kite marks to help the consumer navigate the market.
- The mandate of ENISA should make it possible to increase ENISA's links with EUROPOL and to reinforce ENISA's links with industry stakeholders.

At the national level, many European countries have implemented the EU strategy and its consequences by formulating their own national strategies. These strategies are adapted to the national situation and needs and offer an additional sense of direction for enterprises in each member state.

Many enterprises, regardless of size and location, are still largely unaware of the threats and risk that exist in cybercrime and cyberwarfare.17 Therefore, one of the primary issues in European cybersecurity is to create awareness among business and not-for-profit enterprises. Recent cybercrime cases have shown that the size, type of business and location of an enterprise do not influence susceptibility to attack; where cybercrime does take place, automated attack methods and a dragnet approach often yield incidental results. In other words, even small- and medium-sized enterprises (SMEs) may become the victim of a cyberattack, regardless of being uninteresting at first sight.

"Enterprises should no longer consider themselves uninteresting, because new automated attack methods will perform global and indiscriminate dragnet sweeps for weaknesses and vulnerabilities."

16 Op. cit., European Commission.
17 For more information, see ISACA's Advanced Persistent Threat Awareness Study Results (2014) at www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Advanced-PersistentThreats-Awareness-Study-Results.aspx.


Cybercrime is a known fact, yet many European countries are only now beginning to undertake national threat and risk assessments. Similarly, the potential for cyberwarfare that is directed at nation states in Europe has been recognised but rarely quantified. At this point in time, much of the intelligence available in the public domain has been contributed by industry18 or independent associations and groupings.19 Although European law enforcement has collected data and information on crime and criminal acts, co-ordinated efforts will take more time to reach the planned level.
CONSEQUENCES FOR CYBERSECURITY
To adequately address the risk and threats of cybercrime, enterprises need to embed cybersecurity, as an integral part, into their overall governance, risk management and compliance (GRC) frameworks. Embedding cybersecurity into GRC frameworks includes, but is not limited to, the following:

- Good governance that is in line with existing principles of corporate governance
- Comprehensive management of cybercrime and cyberwarfare risk and threats that is aligned with existing enterprise risk management (ERM) systems
- Compliance with existing or planned EU-level and national laws and regulations
- Resilience for organisational infrastructures and personnel
- Assurance for information, processes and related controls

An important starting point is the realisation that statements about cyberattacks should begin with "when" rather than "if". The very real threats cannot be ignored, nor can they be accepted, given the growing body of knowledge and planned regulation. Enterprises should work to integrate cybersecurity as a cross-functional discipline that integrates with the following:

- Information security
- Traditional corporate security, including physical security
- ERM
- IT service continuity management (ITSCM) and business continuity management (BCM)
- Organisational resilience
- Information assurance

Cybersecurity should also define and maintain appropriate interfaces with related disciplines, such as:

- Critical infrastructure protection
- National emergency management
- Public incident management and disaster management

In Europe, many scenarios involve multiple actors from these disciplines. An example is conducting national emergency exercises.20 Cyberattacks target the parts of national infrastructures that are most vulnerable. APT mitigation, therefore, addresses more than just information or IT, because many critical infrastructures are directly or indirectly accessible through control systems.

18 See information security, cybercrime and cybersecurity surveys that are published by international consulting firms and vendors, such as the following:
- Special Eurobarometer 390 Cyber Security Report, July 2012, at http://ec.europa.eu/public_opinion/archives/ebs/ebs_390_en.pdf
- Special Eurobarometer 404 Cyber Security Report, November 2013, at http://ec.europa.eu/public_opinion/archives/ebs/ebs_404_en.pdf
- 2013 Information Security Breaches Survey Technical Report, Department for Business Innovation & Skills, at www.gov.uk/government/uploads/system/uploads/attachment_data/file/200455/bis-13-p184-2013-information-security-breaches-survey-technical-report.pdf
- Symantec, 2013 Cost of Data Breach Study: Global Analysis, May 2013, conducted by Ponemon Institute LLC, www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf
- CERT Division of the Software Engineering Institute (SEI) studies at www.cert.org/cybersecurity-engineering/publications/index.cfm
19 Examples include ISACA and other industry associations.
20 For example, see the LÜKEX exercise in Germany, which was the scenario of a widespread cyberattack on selected critical infrastructures, www.bbk.bund.de/SharedDocs/Pressemitteilungen/BBK/DE/2011/PM_Luekex_2011_IT_Sicherheit_auf_Pruefstand.html (in German).


Preparing the Business Case for Cybersecurity Implementation

Cybersecurity requires business decisions, planning and strategic guidance for implementation. Enterprises should develop a comprehensive business case that outlines risk and rewards, cost and benefit, and the long-term perspective on maintaining cybersecurity as a concept and process. The following subsections provide practical guidance on defining and presenting this business case.

TRANSLATING EUROPEAN CYBERSECURITY REQUIREMENTS
In the European context, legislative and regulatory requirements for cybersecurity apply to many enterprises. These requirements need to be included in the compliance framework by applying a goals cascade in a top-down manner, as shown in figure 8. The top level, stakeholder drivers, includes strategic imperatives, such as those expressed in the Digital Agenda for Europe 14 cybersecurity actions, and any subsequent legislation or regulation. Enterprises need to adopt these rules and translate them into elements of the business case.

European requirements further influence the enterprise by addressing one of the three dimensions depicted in the goals cascade: benefits realisation, risk optimisation or resource optimisation. In practice, cybersecurity most often addresses risk. However, many cybersecurity requirements have a value dimension (e.g., reputation) and a resource implication (e.g., skills and specialisations).

For example, the implementation of a national cybersecurity law may appear to be a purely compliance-driven exercise at first sight. When analysing the enterprise, senior management will likely realise the benefits of implementing the new requirements in terms of customer confidence, reputation and, most importantly, a more favourable position with regard to cyberattacks and threats.

Enterprises translate stakeholder-driven requirements into enterprise goals, and then drill down into the corresponding IT goals. The Enabler Goals in figure 8 refer to the seven categories of enablers, which are the practical tool set provided in the COBIT 5 framework and broadly defined as anything that can help to achieve the objectives of the enterprise.

21

FIGURE

Goals Cascade21

Stakeholders Drivers
(Environment, Technology Evolution, ...)
Influence
Stakeholders Needs
Benefits
Realisation

Risk
Optimisation

Resource
Optimisation
Cascade to

Enterprise Goals
Cascade to

IT-related Goals
Cascade to

Enablers Goals
Source: COBIT 5, ISACA, USA, 2012, figure 4

Typically, external requirements address the compliance and risk dimensions of the GRC triad. They invariably represent must-have items on the senior management agenda and provide a compelling business case.

21 The goals cascade is from COBIT 5, an internationally recognised framework for governance, risk management and compliance (GRC) in IT and related technologies. It is freely available at www.isaca.org/cobit.

2014 ISACA. All Rights Reserved.


At the lower levels of the goals cascade, demonstrating the business case often requires additional tools. At these levels, technical interpretation and implementation of enterprise goals is an important task that supports the business case, and many enterprises choose to adopt and implement recognised standards.22 In most instances, these standards tend to be harmonised and aligned with the overarching goals and objectives that are presented by national and international strategies.
EMPIRICAL DATA
The business case for cybersecurity should be based on available data, particularly if the national situation has not been formally assessed or analysed. Enterprises should refer to official sources and academic and industry surveys that provide relevant data. Examples include the following:
Eurobarometer23
EUROPOL24
United Nations cybercrime statistics25
National statistics offices or agencies
Incidental information drawn from various sources26
Industry surveys conducted by commercial firms27
Most of the extant information emphasises the fact that
cyberattacks are becoming more frequent and tend to have
a more significant and protracted impact on enterprises.
Further empirical data are often available in incidental
newspaper articles that report on individual cyberattacks or
cybersecurity failures.
In practice, the business case requires data about the business impact of successful (or attempted) cyberattacks. Enterprises can leverage many publicly available sources to provide a well-founded picture, sometimes by sector or size, including the following:
Ponemon Cost of Data Breach Study28 (annual)
Commercial information security breaches studies29 (annual to infrequent)
Commercial information security surveys (usually annual)
CERT studies30
Although recent survey results for Europe indicate that the
costs of single incidents have decreased, the number of
incidents with very high impact is rising. The average cost
of cyberattacks may be less, but the risk of experiencing a
big one is becoming higher at the same time. Therefore,
enterprises should carefully consider how to define their
business case regarding a major cybersecurity incident
that has wide-ranging media coverage and a prolonged
reputational impact.
European sources indicate that cybercrime and cyberwarfare are increasing to a level where any organisation, regardless of size or type of business, can be affected. Obscurity is no longer protection, and even SMEs can be the target of an incidental or casual attack. In contrast to other world regions, the relative diversity of European laws and jurisdictions further contributes to the active threats that exist today. Therefore, empirical data deliver a comparatively strong case for cybersecurity as an indispensable defence.

Official sources and industry reporting strongly suggest that cybercrime and related attacks are on the rise. This information coincides with more frequent media coverage of major cyberattacks.

22 An example standard is ISO 27032, which provides informal guidance on cybersecurity. Likewise, the lead standards ISO 27001 and ISO 22301 provide specifications on information security management systems and business continuity management systems, respectively.
23 For examples, see Special Eurobarometer 390 Cyber Security Report, July 2012, at http://ec.europa.eu/public_opinion/archives/ebs/ebs_390_en.pdf, and Special Eurobarometer 404 Cyber Security Report, November 2013, at http://ec.europa.eu/public_opinion/archives/ebs/ebs_404_en.pdf.
24 For information about the EUROPOL European Cybercrime Centre, see https://www.europol.europa.eu/ec3.
25 For an example, see UNODC Comprehensive Study on Cybercrime, February 2013, at www.unodc.org/documents/organized-crime/UNODC_CCPCJ_EG.4_2013/CYBERCRIME_STUDY_210213.pdf.
26 For an example, see Cyber Crime Originates in Europe: Statistics and Trend Report, 4 August 2013, at http://www.pymnts.com/uncategorized/2013/cyber-crime-originates-in-europe-statistics-and-trends-report/.
27 Some of these surveys are commissioned by government agencies. For an example, see 2013 Information Security Breaches Survey Technical Report, Department for Business Innovation & Skills, at www.gov.uk/government/uploads/system/uploads/attachment_data/file/200455/bis-13-p184-2013-information-security-breaches-survey-technical-report.pdf.
28 Symantec, 2013 Cost of Data Breach Study: Global Analysis, May 2013, conducted by Ponemon Institute LLC, at www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf.
29 For an example, see 2013 Information Security Breaches Survey Executive Summary, Department for Business Innovation & Skills, at www.pwc.co.uk/assets/pdf/cyber-security-2013-exec-summary.pdf.
30 Many CERT studies are available at www.cert.org/cybersecurity-engineering/publications/index.cfm.


COST-BENEFIT CONSIDERATIONS
The cost of cybersecurity can appear high when compared to standard information security. For many years, budgets, both capital expenditure and operational expenditure, have been under pressure. The cost of information security almost always features in surveys as a limiting factor to achieving innovation or higher levels of protection.
Much of this has changed in line with the current risk and threat landscape. The business case now addresses a changed scenario, in which targeted attacks are directed against the enterprise by well-organised individuals or groups. Therefore, security is no longer a cost item with an uncertain return. It is a necessary precaution to prevent or mitigate clearly foreseeable events. Enterprises should regard cyberattacks as a certainty rather than a probability.
When formulating the business case for cybersecurity, enterprises should include all dimensions of cost (particularly the cost of shortcomings or accepting too much risk) and benefits, such as preserving corporate reputation and integrity, including the following:
Single cyberattack impact (maximum, high-profile incident),31 as opposed to average (low-profile incident) impact
Non-financial implications of cyberattacks, such as reputational damage, adverse media coverage or loss of market share/stock exchange value32
Direct and indirect liability, particularly for directors and officers of the enterprise
Insurance premiums and other costs that are indirectly associated with cybersecurity breaches
Post-incident cost and investment items, for example, those for recovery, specialised technical/consulting services and working the backlog
Protecting the enterprise is a legally binding part of directors' and officers' fiduciary duties. In the European context, good stewardship and the early recognition of risk that can endanger the enterprise are often set down as statutory or regulatory requirements, which, in turn, influence the view on business-driven benefits and the level of risk tolerated by senior management. In Europe, cybersecurity is a part of directors' and officers' fiduciary duties, and should be treated as such.
Historically, a large part of the security context has been
based on traditional information security, which can
distort the view on cybersecurity. Budgets and operating
costs for information security have always been under
pressure, and the return on security investment has
been an ongoing issue of debate. The business case for
cybersecurity should be seen from a different perspective
because cyberattacks are a certainty rather than a potential
occurrence.
While preparing the business case, enterprises should be aware that cybersecurity is as much a management exercise as a technology exercise. The key success factors usually include enterprise measures (e.g., appropriate governance and risk management) and analysing and steering behaviour patterns. Technology supports cybersecurity, but it is a tool set that should not be an end in itself.
PRESENTING THE BUSINESS CASE
The cybersecurity business case requires translation
into business language to have the necessary degree of
credibility and plausibility. Presenting the business case
means bridging the gap between technical language
(which is often used to explain instances of cybercrime and
attacks) and managerial interpretation. Bridging this gap
can be a major issue, particularly where complex attack
patterns and audit trails must be simplified to be accessible
for non-IT management.
Cybersecurity should always focus on outcomes that
are a function of the direct investment and subsequent
running cost. As shown in figure 8, the benefits of good
cybersecurity are often expressed as risk optimisation
and resource optimisation. Therefore, the case for
strengthening security is the avoidance of (otherwise
inevitable) damage and impact and the fact that spending
beforehand is less expensive than reactively investing after
an attack or criminal act.

31 As examples, consider the Zurich Insurance Group (2011) and Swisscom (2013) incidents, which both relate to lost or stolen backup tapes containing sensitive data.
32 As an example, consider the Snapchat vulnerability (2013), which was discovered on iPhones, and the subsequent drop in market value that Snapchat experienced.


The COBIT 5 framework offers useful insights on substantiating and demonstrating business value as part of good
governance and management, and enterprises can use the goals cascade to demonstrate the benefits of cybersecurity.
Other frameworks33 and standards provide additional guidance on how to demonstrate the business value of
cybersecurity. When presenting the business case, experts and cybersecurity practitioners should ensure that they
address all aspects of the GRC triad and the goals cascade and possibly include the consequences for having the
balanced scorecard (BSC) and other measurement instruments in place.
It should further be noted that cybersecurity is not just about defending the enterprise and its information assets. In many
cases, restructuring parts or all of an enterprise IT environment in the course of strengthening cybersecurity is also an
opportunity for streamlining and optimising IT.

Cybersecurity Governance
Governance over cybersecurity has a much wider scope
than governance over information security, due to the
multiple facets of cybercrime and cyberwarfare. The
cybersecurity governance framework covers enterprise
security, social elements and technology.

Enterprises should first assess and review their existing governance arrangements, starting from the top of the enterprise, i.e., corporate governance, and moving through IT and related technologies to any existing governance arrangements in security. This step often reveals that a significant part of the enterprise is already regulated by binding provisions in legal, regulatory or compliance requirements. In many European states, governance is subject to binding external requirements in a number of areas, for example:
Data protection and privacy
Financial controls and the related internal control system, including financial reporting
Government or state provisions on sensitive information (e.g., official secrets)
Data custody and third-party processing

Enterprises that are aligning their cybersecurity governance with national and international arrangements should also mirror the following three-pillar approach34 that is being implemented across Europe:
First pillar: Definition and categorisation of critical infrastructures, and critical infrastructure protection plans and measures
Second pillar: Digital Agenda for Europe and associated initiatives, including legislation and regulation
Third pillar: European cybercrime centre, similar national institutions, and support for enterprises

DETERMINE THE BUSINESS IMPACT


The potential financial and non-financial impact and
consequences of cybercrime and cyberwarfare should
be the basis for cybersecurity governance provisions and
arrangements. This impact determines the objectives and
the extent of governance that is needed for the enterprise.
In practice, larger enterprises are more likely to establish
fairly detailed governance, whereas SMEs might choose to
be more informal in defining and describing governance.
In most European countries, cybersecurity is closely related
to BCM35 and ITSCM.36 Both of these disciplines are
named in official sources37 as being associated with good
cybersecurity. Practitioners should adopt these disciplines
to ensure alignment with emerging political and market
trends.
Analysing and substantiating the potential business impact
is dependent on tried and tested practical methods and
techniques, which are described in more detail in the
Managing Cybersecurity Risk section in this paper.

33 Many organisations in Europe use ITIL (IT Infrastructure Library) V3 to design, maintain and control their IT service management processes, including those relating to security. If ITIL, COBIT 5 or both are used, further details are available in the Val IT framework, a legacy ISACA product now included in the overall COBIT series.
34 For an example outline of this approach, see Houdart, Jean-Baptiste, EU Cybersecurity Policy: A Model for Global Governance, atlantic-community.org, 6 February 2013, http://www.atlanticcommunity.org/-/eu-cybersecurity-policy-a-model-for-global-governance.
35 Formally described in ISO 22301 and ISO 22313 standards, with informal guidance in the Business Continuity Institute Good Practice Guidelines 2013 Global Edition: A Guide to Global Good Practice in Business Continuity.
36 Formally described in ISO 27031 and ISO 24762 standards (for disaster recovery service providers).
37 The concepts of continuity, resilience and related standards are integrated in many EU-level and national recommendations or draft statutes.


ANALYSE THREATS AND VULNERABILITIES


After the potential impact of cybersecurity-related
incidents is known, enterprises need to identify the
threats and vulnerabilities that may require generic or
targeted governance provisions. In Europe, many of
these governance provisions are stipulated as laws or
regulations that cover a wide range of detail across
industries and countries.
For good governance, all threats and incidents (including
those deemed only remotely likely) should be identified
and analysed. Cybersecurity governance arrangements
should reflect the likely possibility that cybercriminals
will avoid the most obvious attack angle and will look for
the less likely or weakest link in the chain rather than
the most likely point of entry.
More details on analysing threats and vulnerabilities are
given in the Managing Cybersecurity Risk section in this
paper.
ESTABLISH TARGET-STATE CONSEQUENCES AND
IMPROVEMENTS
After the enterprise determines the business impact
and the existing threats and vulnerabilities, it should
establish and formulate a target state for cybersecurity
governance that includes consequences and
improvements. The target state should adequately
reflect the overarching enterprise goals and any binding
external or internal requirements, in line with the
business case submitted beforehand.
In the European context, most of the consequences and
improvements that form the target state of governance
are comparatively formal. Typically, additional policies,
guidelines and key operating procedures are in place
to describe, govern and control cybersecurity. Many
enterprises use software-based tools to administer
the multiple guiding documents and procedures that
are in force. Governance that is based on principles
and enablers, on the other hand, is a fairly recent
development that is likely to change the approach
towards cybersecurity.

IMPLEMENT PRINCIPLE- AND ENABLER-BASED GOVERNANCE
Practical cybersecurity governance should be subdivided
into its objectives and the organisational functions that
are affected by each objective. As a cross-functional
discipline, cybersecurity always requires a co-operative
approach that breaks down the silos of the business and
IT. A useful starting point for linking this co-operative
approach to existing frameworks and standards is
provided through the enabler model in the COBIT 5
framework,38 shown in figure 9.

Figure 9. COBIT 5 Enablers
1. Principles, Policies and Frameworks; 2. Processes; 3. Organisational Structures; 4. Culture, Ethics and Behaviour; 5. Information; 6. Services, Infrastructure and Applications; 7. People, Skills and Competencies. Enablers 5 to 7 are also resources.
Source: COBIT 5, ISACA, USA, 2012, figure 12

The seven enablers represent all aspects of cybersecurity; the enabler model integrates the technical, social and structural components of cybersecurity governance. As an example, the Principles, Policies and Frameworks enabler represents EU and national requirements that need to be included in any practical cybersecurity governance. Likewise, the Culture, Ethics and Behaviour enabler represents human resources good practices, end-user behaviour patterns and the use of social interaction in cybersecurity.

38 More detail about how to implement cybersecurity governance based on the enabler model is given in ISACA's Transforming Cybersecurity (2013) publication.


The other enablers can help enterprises in implementing practical governance steps rather than just providing written guidance, which still needs to be reflected in daily business. Using the enabler-based approach ensures that the underlying ideas and objectives of good cybersecurity governance are fully implemented and that no disconnect exists between senior management thinking and the day-to-day business.
In enabler-based governance, enterprises should look for the potential manifestations of cybersecurity risk, whether through events, near misses or unusual system behaviour, before implementing a solution. Existing security solutions should be systematically analysed and categorised to determine their effectiveness and value.

Managing Cybersecurity Risk


Within the GRC triad, risk management forms an important part of
good practice in cybersecurity. The ISACA European Cybersecurity
Implementation Series includes a paper about managing risk. A high-level
overview of the Risk Guidance paper, including the cybersecurity risk
management steps, is provided here.
Summary publications39 and the ENISA comprehensive glossary on
risk40 contain many European concepts and terms that are related to
the risk-based approach and risk management. In broad terms, the EU
cybersecurity guidance concentrates on a risk-based review and analysis
of cybersecurity risk that is targeted at critical infrastructures and other
sectors. Specific emphasis is placed on national risk assessments that
should provide the framework and context for assessing and determining
actual cybercrime and cyberwarfare risk. The European perspective on risk
in cybersecurity implies four steps that enterprises should perform when
implementing cybersecurity steps and measures:

1. Analyse impact (with a view to business impacts and other, non-financial impacts).
2. Identify and analyse risk.42
3. Determine risk treatment.
4. Determine cybersecurity strategy options based on risk profile.

Assess all risk that affects the critical assets, prioritise risk according to its impact and calculate the probability of being realised.41

Practical guidance and tools for analysing risk in this manner are available
from a number of recognised standards and frameworks, e.g., ISACA
COBIT 5 for Risk and BCI Good Practice Guidelines.43

39 See the ENISA guidebook on national cybersecurity strategies: European Network and Information Security Agency (ENISA), National Cyber Security Strategies: Practical Guide on Development and Execution, Greece, December 2012.
40 See http://www.enisa.europa.eu/activities/risk-management/current-risk/risk-management-inventory/glossary.
41 See European Network and Information Security Agency (ENISA), National Cyber Security Strategies: Practical Guide on Development and Execution, Greece, December 2012.
42 An overview from a European point of view is given in the ENISA Threat Landscape 2013, at http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threatlandscape-2013-overview-of-current-and-emerging-cyber-threats.
43 Business Continuity Institute, Good Practice Guidelines 2013 Global Edition: A Guide to Global Good Practice in Business Continuity, England, 2013, www.thebci.org/index.php/resources/thegood-practice-guidelines.


ANALYSE BUSINESS IMPACT
Analysing the business, people and operational impact of cybercrime and cyberwarfare is an important prerequisite to identifying, analysing and treating risk. In Europe, various national approaches towards impact analysis exist. Enterprises should base their impact analysis on tested methodologies and techniques that have been developed at the international level.44
Enterprises should also include and consider the national context(s) in which they are conducting business. Impacts may vary widely across member states of the EU, which is reflected in the national cybersecurity strategies.
For practical implementation purposes, further detail is provided in the European Cybersecurity Implementation: Risk Guidance paper in this series and in additional recognised sources.45

ASSESS RISK
The risk that is associated with various kinds of cybercrime and cyberwarfare is often seen as an extension of general information security risk. Practical implementation steps include risk identification, in-depth analysis and an assessment of the potential impact. In Europe, scenario-based approaches are sometimes preferred over pure risk catalogues. However, most EU governments begin with an all-hazards approach and provide specific scenarios for the most likely types of attack or acts of war.
In terms of practical cybersecurity implementation, this means that enterprises should adapt their own risk identification and analysis process to the national approach, including the all-hazards assessment (if available) and the specific scenarios provided by each government.

RISK TREATMENT
All cybersecurity-related risk that was identified in the previous step should be categorised by possible risk treatment, which includes prevention, partial or full transfer, mitigation or formal risk acceptance. In many instances, cybersecurity will need to be event-driven, i.e., based on mitigation rather than full prevention.
Risk treatment is further dependent on the local context in EU jurisdictions. If operational risk or security risk is subject to direct or indirect legal or regulatory requirements, typical risk treatment options, such as formal acceptance, might not be available. Therefore, enterprises should examine the wider risk management context for potential indirect influences that mandate certain cybersecurity measures.
In most European states, several areas of risk are governed by law or by regulation, for example, data privacy, specific protection of mail traffic (traditional and electronic), and data/identity theft. Enterprises that are implementing cybersecurity in the European context should be conscious of the fact that risk relating to these and other regulated areas should not be accepted as part of residual risk.

DETERMINE CYBERSECURITY STRATEGY OPTIONS
Based on the risk profile and available treatment options, the residual risk should be assessed for financial and non-financial consequences of cybercrime and cyberwarfare. Enterprises should include the business case and available information on the investment and operational expenditure that is associated with various options in a cybersecurity strategy. Typically, this information will lead to a number of available options that vary in cost, complexity and residual risk:
Minimalist: Reduce cybersecurity actions and investment to a minimum while tolerating a comparatively high level of residual risk.
Balanced: Opt for a more comprehensive cybersecurity investment and a moderate level of residual risk.
Conservative: Aim for a precautionary, comparatively high, cybersecurity investment with little or no tolerance for residual risk.
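The risk treatment step and the caveat on regulated risk lend themselves to a mechanical check before a register is signed off. The following is an added example written for this overview, not ISACA's code nor the code of any tool the paper names: a small Python risk register that prioritises entries by impact and probability (step 2 of the process above), categorises them by the four treatment options named in the text (step 3), and flags an entry whose treatment is formal acceptance although the risk falls under a regulated area. The 1 to 5 impact scale, the probability figures, the treatment keywords and every risk in SAMPLE_REGISTER are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Treatment categories named in the text: prevention, transfer, mitigation, acceptance.
TREATMENTS = ("prevent", "transfer", "mitigate", "accept")


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int                          # assumed 1..5 scale from the business impact analysis
    probability: float                   # assumed 0.0..1.0 likelihood of being realised
    treatment: str                       # one of TREATMENTS
    regulated_area: Optional[str] = None  # e.g. "data privacy"; None if not regulated

    def exposure(self) -> float:
        """Impact weighted by probability; the ordering key for prioritisation."""
        return self.impact * self.probability


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest exposure first; on equal exposure the higher raw impact ranks first,
    because the text asks to prioritise according to impact."""
    return sorted(register, key=lambda r: (r.exposure(), r.impact), reverse=True)


def validate_treatments(register: List[Risk]) -> List[str]:
    """Findings for treatment choices the register must not contain.
    An empty list means every treatment choice is allowed."""
    findings = []
    for r in register:
        if r.treatment not in TREATMENTS:
            findings.append(f"{r.name}: unknown treatment '{r.treatment}'")
        elif r.treatment == "accept" and r.regulated_area is not None:
            # The European caveat: regulated risk cannot be carried as residual risk.
            findings.append(
                f"{r.name}: formal acceptance not available, "
                f"risk falls under regulated area '{r.regulated_area}'"
            )
    return findings


def exposure_by_treatment(register: List[Risk]) -> Dict[str, float]:
    """Total exposure assigned to each treatment category. The 'accept' bucket is
    the exposure the enterprise knowingly retains as residual risk."""
    totals = {t: 0.0 for t in TREATMENTS}
    for r in register:
        totals[r.treatment] = totals.get(r.treatment, 0.0) + r.exposure()
    return totals


# Constructed sample register: hypothetical risks, scores and treatment choices.
SAMPLE_REGISTER = [
    Risk("Ransomware on file servers", impact=5, probability=0.4, treatment="mitigate"),
    Risk("Customer database exfiltration", impact=5, probability=0.2, treatment="accept",
         regulated_area="data privacy"),
    Risk("DDoS on public web site", impact=3, probability=0.6, treatment="transfer"),
    Risk("Phishing of finance staff", impact=4, probability=0.5, treatment="prevent"),
    Risk("Defaced marketing microsite", impact=1, probability=0.5, treatment="accept"),
]


def triage(register: List[Risk]) -> Dict[str, object]:
    """Run steps 2 and 3 over a register: rank, check treatments, total exposure."""
    return {
        "ranked": [r.name for r in prioritise(register)],
        "findings": validate_treatments(register),
        "exposure_by_treatment": exposure_by_treatment(register),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REGISTER)
    for name in result["ranked"]:
        print("  ", name)
    for finding in result["findings"]:
        print("FINDING:", finding)
    print(result["exposure_by_treatment"])
```

Run stand-alone, the block ranks the two highest-exposure risks first and reports one finding: the data-privacy risk has been marked as accepted, which the text says is not an available treatment in a regulated area. The "accept" total from exposure_by_treatment is the residual risk figure that feeds the comparison of minimalist, balanced and conservative strategy options; a non-empty findings list means the register cannot be signed off as it stands.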

44 Specifically, the business impact analysis (BIA) approach recommended in ISO 22301 and ISO 22313. Details on practical BIA implementation are available through secondary literature (see the Risk Guidance paper in this series).
45 For examples, see COBIT 5 for Risk, ISO 31000 on generic risk management and ISO 27005 on information security risk assessment.


Managing Cybersecurity Resilience


Establishing and maintaining cybersecurity arrangements is an ongoing process containing governance, management
and assurance components. As cybercrime and cyberwarfare evolve, existing security arrangements require
continuous adjustment and improvement, often more than once a year.
The concept of resilience is a central element of the European view on cybersecurity. Resilience and critical
information infrastructure protection (CIIP) form the background and context for all cybersecurity initiatives.46 In the
traditional sense, resilience means the ability of a material to revert to its original shape after it has been deformed.
In cybersecurity (and in business continuity), resilience describes the ability of an enterprise to recover and absorb
external shocks or events and their internal impacts.
Achieving cybersecurity resilience is described in more detail in the European Cybersecurity Implementation:
Resilience paper that is part of this series. In broad terms, resilience consists of a strategic and a systemic aspect.
Enterprises should consider their long-term strategy and a systemic security model to establish resilient cybersecurity.
This ensures that both the strategic ideas and the ability to change are embedded in enterprise cybersecurity thinking
and action.
SETTING CYBERSECURITY STRATEGY
The cybersecurity strategy that is adopted by an enterprise should include the work products and outcomes of previous phases of the security life cycle and any national and European input that is available through public sources, including, but not limited to, the following:
Results of business impact analysis (BIA) and risk assessment: clustered (aggregated) risk, potential impacts and strategic options (with residual risk)
National cybersecurity strategy context: specific risk, specific scenarios, threats and vulnerabilities analysis, etc.
Key technologies: cloud, network interconnections, supervisory control and data acquisition (SCADA) and other industrial control systems,48 etc.
Incident reporting: policies, reporting lines, authorities, etc.
Participation in/integration with exercises: national and transnational cybersecurity exercises in Europe are conducted annually47

Enterprises should further define the level of cybersecurity that is to be achieved by the strategy with an explicit reference to the level of tolerance and acceptance of potential cybersecurity incidents. In practice, some enterprises opt for a zero-tolerance approach while others favour a fatalist view (it will happen anyway).49 Both extremes are unlikely to be feasible or permitted in a real-life situation. Cybersecurity strategies acknowledge and address the presence of cybercrime and cyberattacks, achieving a balance between zero tolerance and fatalist acceptance.
The cybersecurity strategy should always leverage the existing or emerging public structures50 that support cybersecurity in the private sector and/or law enforcement. In Europe, the institutional framework for cybersecurity has grown considerably over the past few years, forming an integrated and co-operative network across member states and associated countries. Enterprises should make use of these links, because many are designed as public services.51

46 For example, see the ENISA portal on CIIP and resilience at http://www.enisa.europa.eu/activities/Resilience-and-CIIP.
47 A vast amount of publicly available information from a European perspective is available. See, for example, www.enisa.europa.eu/activities/Resilience-and-CIIP/networks-and-services-resilience/cloud-computing and http://en.wikipedia.org/wiki/Cloud_Security_Alliance.
48 See the portal at www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/scada-industrial-control-systems. Further information is available from ISACA at www.isaca.org.
49 See ISACA's Transforming Cybersecurity publication for an in-depth discussion on management views and motivations, at www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Transforming-Cybersecurity-Using-COBIT-5.aspx.
50 See, for example, Baud et al. (2014), at www.lexology.com/library/detail.aspx?g=1f872876-3d23-44e7-a8f1-92a9be8d080b, for an overview of selected EU member states.


ESTABLISHING SYSTEMIC SECURITY


Systemic security is an important concept that enterprises should apply to support their cybersecurity strategy. Any
strategy is by definition static because it projects management objectives into the near future. In practice, more agile
instruments are needed to constantly adapt and evolve cybersecurity, particularly due to rapidly emerging threats and new
types of cybercrime.
The word systemic implies a dynamic and flexible model52 that provides adequate information about the existing level of
security and indicators of improvements and evolution. Figure 10 shows the typical system dynamics of cyberattacks. The
key factor in adapting and fine-tuning cybersecurity is the attractiveness of the target, which is in itself a result of many
influencing factors.
Whether a cybersecurity strategy works is often a direct result of system dynamics and systemic thinking: cybercrime and cyberwarfare exploit the weakest link in the chain, so the entire chain requires constant examination. A static strategy cannot achieve this; the strategy needs to be strengthened by monitoring and assessing the influence factors that determine target attractiveness and, ultimately, the probability of an attack.
Figure 10. Cybersecurity System Dynamics
Elements of the diagram: exploit availability, total employees, number of internal attackers, identified vulnerability, attack probability, attractiveness of target (with increased and decreased attractiveness as feedback), total attacks, change in attractiveness, detected attacks.
Source: The Business Model for Information Security, ISACA, USA, 2010, figure 37

In Europe, systemic concepts in cybersecurity are often found in management systems or life cycle concepts. Examples
include the traditional plan-do-check-act (PDCA) cycle53 and the life cycle around BCM and ITSCM. Enterprises that are
implementing cybersecurity should embed their related programmes into existing management systems. It is particularly
important to align the cybersecurity system of processes, actions and controls with the surrounding (or underlying)
information security management system (ISMS).
52 The underlying thoughts are outlined in ISACA's Business Model for Information Security (BMIS) at www.isaca.org/bmis. Enterprises should note that the legacy BMIS has been incorporated into COBIT 5.
53 The plan-do-check-act (PDCA) (or Deming) cycle is present in most major standards and series of standards, such as ISO 27000 and ISO 22301. The business continuity and IT service continuity
2014 ISACA. All Rights Reserved.

European Cybersecurity Implementation: Overview

Cybersecurity Assurance
Enterprises should establish and maintain reasonable assurance over their cybersecurity activities and initiatives as part of
governance, risk management and compliance (GRC). Providing cybersecurity assurance involves the system of enterprise internal controls and the organisational and
logical structures that support the functioning of these controls. Enterprises should implement the following three pillars
of assurance for cybersecurity:
• Organise and structure cybersecurity assurance along three lines of defence
• Define and evolve the cybersecurity control system
• Provide assessments, audits and forensic/investigative capabilities
Further details are given in the European Cybersecurity Implementation: Assurance paper in this series.
THREE LINES OF DEFENCE
The first step in implementing cybersecurity assurance is to determine and define cybersecurity activities and controls through the three lines of defence that are common to most European and global concepts of control systems. Figure 11 shows an overview of these three lines and their assurance contribution.
In cybersecurity, the first line of defence (management) is often extended to include customers, business partners, the general public and the media. The second line (risk management) is usually distributed across various enterprise risk management (ERM) functions, covering non-IT aspects of cybersecurity and technology. Within the third line (internal audit), investigative and forensic activities are often extended to include external experts or law enforcement.
In the European context, the concept of three lines of defence is well established and implemented in most national and EU-level concepts of cybersecurity.

Figure 11: Assurance - Three Lines of Defence
First line (Management): control self-assessments (CSAs); attack/breach penetration testing; functional/technical testing; social/behavioural testing; regular management review
Second line (Risk Management): threats, vulnerabilities, risk; formal risk evaluation; business impact analysis (BIA); emerging risk
Third line (Internal Audit): internal controls testing; cybersecurity compliance; formal risk acceptances; investigation/forensics
Source: Transforming Cybersecurity, ISACA, USA, 2013, figure 45

CYBERSECURITY CONTROL SYSTEM
The internal control system supporting cybersecurity assurance should be designed and implemented in a top-down manner, mirroring the enterprise's overall approach towards GRC. Existing information security controls should be integrated with, and delineated from, specific cybersecurity controls to avoid duplicate or contradictory control sets.
Typical cybersecurity control systems address the various assurance aspects, including the following:
• Principles, policies, frameworks[54]
• Processes and procedures
• Risk-related controls and indicators
• Organisational readiness
• Reporting, approvals and awareness
The architecture of any controls should follow a uniform model, such as the control model used in COBIT 5.[55]

ASSESSMENT, AUDIT AND FORENSICS
As part of all levels and functions within cybersecurity, reviews and assessments form an important component in establishing the facts and measuring the current level of protection against the desired (or prescribed) level of cybersecurity. Enterprises should adopt an approach that is aligned with the lines of defence and specifically includes:
• Management control self-assessments (CSAs) and informal reviews
• Independent internal control reviews (ICRs), often performed by a different function or by risk management
• Organisational and technical assessment
• Integration of cybersecurity assurance with the internal audit programme[56]
• Investigative and forensic capability
From a European perspective, external influences should be taken into account when addressing investigative or forensic work. In many cases, national laws or regulations stipulate that law enforcement or supervisory authorities should be involved[57] in any forensic work following acts of cybercrime.

[54] Principles, policies and frameworks link directly to the first enabler in the COBIT 5 assurance model. See figure 9.
[55] See COBIT 5 for Assurance for details on control architecture and control design.
[56] An example of a cybersecurity audit programme is provided in the European Cybersecurity Implementation: Audit Programme paper in this series, which can be found at www.isaca.org/EUcyber-implementation
[57] There is an ongoing debate on mandatory incident reporting and intervention by public authorities in many European countries.

Appendix A: European Union 14 Cybersecurity Actions
The European Union (EU) has defined a set of 14 actions to strengthen cybersecurity across the member states;[58] these, together with the three further actions numbered 123 to 125, are listed below. They have been implemented or are being implemented at the time of publishing this paper. The actions are part of a larger overall programme titled Digital Agenda for Europe.[59]
Action 28: Reinforced Network and Information Security Policy
Action 29: Combat cyber-attacks against information systems
Action 30: Establish a European cybercrime platform
Action 31: Analyse the usefulness of creating a European cybercrime centre
Action 32: Strengthen the fight against cybercrime and cyber-attacks at international level
Action 33: Support EU-wide cyber-security preparedness
Action 34: Explore the extension of security breach notification provisions
Action 35: Guidance on implementation of Telecoms rules on privacy
Action 36: Support reporting of illegal content online and awareness campaigns on online safety for children
Action 37: Foster self-regulation in the use of online services
Action 38: Member States to establish pan-European Computer Emergency Response Teams
Action 39: Member States to carry out cyber-attack simulations
Action 40: Member States to implement harmful content alert hotlines
Action 41: Member States to set up national alert platforms
Action 123: Proposal for Directive on network and information security
Action 124: EU Cyber-security strategy
Action 125: Expand the Global Alliance against Child Sexual Abuse Online

[58] Details for each of these actions can be found at http://ec.europa.eu/digital-agenda/en/pillar-iii-trust-security/ or by following the link attached to each listed action.
[59] Digital Agenda for Europe is at http://ec.europa.eu/digital-agenda/en/

Appendix B: References for Additional Reading
Business Continuity Institute, Good Practice Guidelines 2013, Global Edition: A Guide to Global Good Practice in Business Continuity, England, 2013, www.thebci.org/index.php/resources/the-good-practice-guidelines

European Commission, Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace, Brussels, 2 July 2013, http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=1667

European Network and Information Security Agency (ENISA), National Cyber Security Strategies: Practical Guide on Development and Execution, Greece, December 2012

ENISA, Threat Landscape 2013: Overview of Current and Emerging Cyber-threats, Greece, 11 December 2013, www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape-2013overview-of-current-and-emerging-cyber-threats

International Auditing and Assurance Standards Board, ISAE 3402 Standard for Reporting on Controls at Service Organizations

International Organisation for Standardisation (ISO), ISO/IEC 20000-2:2012 Information technology: Service management, Part 2: Guidance on the application of service management systems

ISO, ISO 22301:2012 Societal security: Business continuity management systems, Requirements

ISO, ISO 22313:2012 Societal security: Business continuity management systems, Guidance

ISO, ISO/IEC 24762:2008 Information technology: Security techniques, Guidelines for information and communications technology disaster recovery services

ISO, ISO/IEC 27001:2013 Information technology: Security techniques, Information security management systems, Requirements

ISO, ISO/IEC 27005:2011 Information technology: Security techniques, Information security risk management

ISO, ISO/IEC 27031:2011 Information technology: Security techniques, Guidelines for information and communication technology readiness for business continuity

ISO, ISO/IEC 27032:2012 Information technology: Security techniques, Guidelines for cybersecurity

ISO, ISO 31000:2009 Risk management: Principles and guidelines

ISACA, Advanced Persistent Threat Awareness Study Results, USA, 2014, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Advanced-Persistent-ThreatsAwareness-Study-Results.aspx

ISACA, COBIT 5, USA, 2012, www.isaca.org/COBIT/Pages/COBIT-5-Framework-product-page.aspx

ISACA, COBIT 5 for Assurance, USA, 2013, www.isaca.org/COBIT/Pages/Assurance-product-page.aspx

ISACA, COBIT 5 for Information Security, USA, 2013, www.isaca.org/COBIT/Pages/Information-Security-Product-Page.aspx

ISACA, COBIT 5 for Risk, USA, 2013, www.isaca.org/COBIT/Pages/Risk-product-page.aspx

ISACA, European Cybersecurity Implementation: Assurance, USA, 2014

ISACA, European Cybersecurity Implementation: Audit Programme, USA, 2014

ISACA, European Cybersecurity Implementation: Resilience, USA, 2014

ISACA, European Cybersecurity Implementation: Risk Guidance, USA, 2014

ISACA, Responding to Targeted Cyberattacks, USA, 2013, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Responding-to-Targeted-Cyberattacks.aspx

ISACA, Transforming Cybersecurity, USA, 2013, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Transforming-Cybersecurity-UsingCOBIT-5.aspx
