cyber security strategies - non-members · cyber security strategies achieving cyber resilience...


Upload: lydieu

Post on 19-Apr-2018


“2010 was the year the Internet got scary. Get used to it.” – Arik Hesseldahl, technology writer

Business leaders recognise the enormous benefits of cyberspace and know that cyberspace increases innovation, collaboration, productivity, competitiveness and engagement with customers. Yet they are having difficulty determining the risk versus the reward.

The benefits of cyberspace come with significant risks, and the threat of cyber attack is firmly at the top of the board agenda. While organisations are exploiting the business benefits of cyberspace they may not realise that cyberspace confers the same benefits to those who attack our organisations. Hacker groups, criminal organisations and espionage units worldwide have access to powerful, evolving capabilities, which they use to identify, target, and attack. They even have well-developed marketplaces for buying and selling the tools and expertise used to target and execute attacks.

We call this Malspace.

It is critical that organisations understand Malspace and the increased threat it poses. Organisations should develop a business plan to exploit cyberspace that identifies threats, considers the limitations of IT and information security, and develops cyber resilience.

Based on insights from the Information Security Forum’s global Membership and ISF Global Team, the ISF Cyber Resilience Framework identifies the key capabilities that organisations should possess to increase their resilience to the threats from cyberspace.

Cyberspace is critical to most organisations today; disconnecting is not an option. By implementing the ISF Cyber Resilience Framework – supported by the wide range of ISF tools and materials – organisations can develop cyber resilience and be better able to withstand impacts from evolving cyber threats. Only then can organisations safely realise the benefits of cyberspace.

Cyber Security Strategies
Achieving cyber resilience

Where next?

About the ISF

Founded in 1989, the Information Security Forum is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in information security and developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work program. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.

Contacts

For more information on the ISF’s Cyber Security Strategies report, please contact:
Michael de Crespigny
Tel: +44 (0)20 7213 1745
Fax: +44 (0)20 7213 4813
Email: [email protected]
www.securityforum.org

Disclaimer

This document has been published to provide general information only. It is not intended to provide advice of any kind. Neither the Information Security Forum nor the Information Security Forum Limited accept any responsibility for the consequences of any use you make of the information contained in this document.

Reference: ISF 11 CSS Marketing
Copyright © 2011 Information Security Forum Limited. All rights reserved.
Classification: Public, no restrictions


The full report Cyber Security Strategies: Achieving cyber resilience is available from the ISF website. It helps business leaders and information security professionals understand the serious threat presented by cyberspace, and it provides practical guidance on the organisational response needed to address this threat.

It does this by:

• explaining cyberspace, cyber security, the nature of the cyber threat and the concept of cyber resilience

• describing the similarities and connections between cyber security and information security

• introducing the ISF Cyber Resilience Framework, a vision of organisational cyber resilience

• outlining practical steps organisations can take to customise and implement the framework

• providing clarity that can be used to communicate the issue, challenges and plan to stakeholders.

Input for the report was gathered from workshops and online meetings with ISF Members around the world, interviews with ISF Member experts and other experts, Member case studies, previous ISF research and reports including Information Security Governance and Hacktivism, and thought leadership provided by the ISF Global Team.

The report is supported by an implementation and collaboration space on the ISF Member website, which contains a facilitated forum for Members to discuss cyber-related issues and solutions, along with a central pool of additional resources – including an ISF Cyber Resilience Framework Diagnostic Tool, webcast and presentations – to help ISF Members deal with this important challenge.

The ISF Cyber Security Strategies report is available free of charge to Members of the ISF. Non-Members are able to purchase a copy of the report by contacting Steve Durbin at [email protected].

Developing cyber resilience is the only way to survive in cyberspace

Information Security Forum • Cyber Security Strategies

KEY FINDINGS

The benefits from cyberspace are immense, as are the risks

Organisations must embrace uncertainty and develop cyber risk resilience

Malspace is a global industry that has evolved to deliver cyber attacks

Impacts from cyber threats can have a very long and disproportionate risk tail

Hacktivism presents significant threats to the organisation, not just information security

Cyber security is more than information security

Cyberspace vastly increases information security risk

Information security is fundamental and more important for security in cyberspace

The complexity of cyberspace enables threats to combine quickly in unpredictable and dangerous ways

It is essential to collaborate – to share intelligence and influence good practice across cyberspace


Malspace is a complex, highly-functional and developing industry. It includes sectors for all aspects of modern crime, including the development and sale of sophisticated attack tools, services to help plan and coordinate attacks, and large scale laundering of stolen assets. It operates at the scale and with the sophistication of other global industries.

[Figure: Malspace and cyberspace. Labels: Key players; Services; Tools; Routes of attack; Attack types; Reconnaissance; Manipulation; Disruption; Extraction of data; Victims; Personal Devices; Critical Infrastructure; Organisations; Home; Data loss]

A Cyber governance and partnering
The organisation should have an effective governance framework for monitoring cyber activities, including partner collaboration, and the risks and obligations in cyberspace.

B Cyber situational awareness
The organisation should have a process for gathering, analysing and sharing of cyber intelligence.

C Cyber resilience assessment
The organisation should have a process for assessing and adjusting their resilience to the impacts from past, present and future cyberspace activity.

D Cyber responses
The organisation should effectively prevent, detect and respond to cyber incidents and minimise their impacts.

New threats will appear overnight that can’t be predicted or easily prevented. Traditional risk management is insufficiently agile to deal with the potential impacts from activity in cyberspace. Enterprise risk management must be extended to organisational risk and cyber resilience.

The ISF Cyber Resilience Framework is a vision of organisational resilience that can be established to deal with cyberspace threats head-on – building on current information security arrangements.

ACTIONS

1 Use the Cyber Security Strategies report to assess and determine the issues with senior management and cyber stakeholders

2 Obtain support from senior management to consider the opportunities and address the threats of cyberspace

3 Create a Cyber Resilience Group to lead, drive and coordinate all cyber resilience activities

4 Adapt the ISF Cyber Resilience Framework to your organisation and use it to create your vision of cyber resilience; use the diagnostic tool to assess your current resilience, identify gaps, and prioritise your plan

5 Implement your cyber resilience plan, using other ISF deliverables to assist

6 Partner and collaborate with others, including your supply chain and customers, to share intelligence and influence adoption of good practice across cyberspace


Contacts

For further information contact:
Steve Durbin
UK Tel: +44 (0)20 7213 1745
US Tel: +1 (347) 767 6772
Fax: +44 (0)20 7213 4813
Email: [email protected]
www.securityforum.org
