If you were to look at any organisation, small or large, you would expect to see some degree of Cyber Defence or Cyber Security capability – whether that be Malware prevention on a collection of laptops for a small business or a fully-fledged 24×7 Cyber Operation for a multi-site Enterprise business.
If you were to look at whether Social Value had been adopted into those mechanisms, however, you might not find any reference to it at all.
So, what is Social Value? It’s a way for organisations of any size to measure and demonstrate their social impact – their social conscience or ethics, if you like: the planet within which we all live and operate; the people they hire and the extended lives and families they support; and the prosperity of the company and those extended stakeholders.
Examples of Social Value impacts can include:
- Looking at the percentage of IT equipment used that is made from recyclable material
- How much raw and renewable energy is used to power server rooms
- How much money, time and business was lost due to a cyber-attack; did the loss of revenue lead to redundancies, and if so, how many?
Making The Link Between Cyber Security and Social Value
Delving into Cyber Security a little further, the overall objective is to protect assets, which include data, technology, people and processes, from cyber-attack. A cyber-attack could be a simple breach of a network, gaining control of large amounts of data using ransomware, or the illegal downloading / exfiltration of data (Data Loss).
Generally, protecting assets is achieved by assessing the risks and impacts of cyber-attacks, then implementing security controls, processes and user training to reduce / mitigate those risks and impacts.
The assessments of risks and impacts are carried out at different stages during the lifecycles of organisations and their programmes:
- When a new network is to be launched
- A refresh / upgrade of Infrastructure and Applications
- An Acquisition / Merger, and interconnecting an external Data Centre into a network
- Migration to Cloud technology
The risks and impacts that are identified are typically framed in terms of the CIA Triad:
- Confidentiality – controlling who has access to data and how it is reported
- Integrity – ensuring data is stored and transmitted in the correct protective manner
- Availability – keeping the service / asset / data available at the required times
If any of the above areas are compromised, the impacts could be various and significant. This is where there is room to expand the impact assessment to include Social Value aspects.
Let us put a Social Value Impact Lens on the CIA Triad, with some examples of impact areas we could consider:
- Confidentiality – if an attacker gained unauthorised access to a customer or user’s financial data and used it to make illegal purchases which resulted in that customer being investigated or arrested for illegal activity, what would be the impact to that customer’s life and family? Could it affect that person or organisation’s credit rating? What could be the impact of a breach containing sensitive information?
- Integrity – if an organisation was transmitting data across borders and it became compromised and publicly available, what would happen to the reputation of that company and how much financial value would they lose as a result?
- Availability – if a web service were compromised and encrypted by ransomware, the service owner may be in breach of their Operating Level Agreements and Service Level Agreements; what financial penalties would they have to pay? What could be the impact to customer-facing services?
The Social Value Impact Lens and Specific Use Case Examples
Using our CIA Triad examples, we can take a step further and map these to a few common, everyday use case examples:
- Action: Making a Firewall Change to allow 3rd Party access to customer log files
- Possible Attack: An attacker spoofs the 3rd party to gain access to those log files and extract credit card data
- Social Value Impact: The log files contained the PII data from 5000 customers – those customers now need to cancel their credit cards and take action to reclaim potentially high financial losses
- Action: Launching a web service hosted in one location
- Possible Attack: An attacker executes a Denial-of-Service (DoS) attack resulting in the web service not being available for 24 hours, with 100% loss of user access
- Social Value Impact: The service owner may be contracted to pay service penalties in the form of refunds to all users, resulting in the owner’s share value falling and damage to brand reputation
Why This Is Important Now
Organisations are investing more time and money into assessing, delivering and reporting the elements and priorities of Social Value. Here in the UK, this is partly driven by Central Government mandating that public sector organisations report on the Social Value benefits and impacts when investment decisions are made.
Globally, organisations and people are becoming more conscious of the decisions they make and the impact these choices have on the environment, on the people they work and interact with, and on company performance.
For Cyber Security, this is no different. Since CISOs are accountable for ensuring the confidentiality, integrity and availability of their organisation’s assets, the impact of any of these being compromised ties directly into the wider Social Value context.
How We Can Help
We understand the importance of safeguarding all aspects of business, and Social Value is at the core of what we do. We can help with people and tools to understand the Social Value impacts of decisions that need to be made, and help you gain confidence in Cyber Security frameworks, in a fast-paced and ever-changing world.