The document provides an overview of cyber risks and proposes a governance framework to manage those risks. It defines key concepts like cyber, security, threats and governance. It then presents a meta-model and framework with four core concepts: risks, response, reputation and resources that revolve around an organization's cyber ecosystem. The framework is intended to provide high-level guidance for executives on continuously governing cyber risks through a strategic approach.
Authors
Dr. A. Shahim RE, Atos Consulting Netherlands, VU University Amsterdam
Dr. R. S. Batenburg, Institute of Information and Computing Science, Utrecht University
J. Geusebroek MSc, Institute of Information and Computing Science, Utrecht University
Drs. R.J.A.C. Jansen RO, Atos Consulting Netherlands
Contents
1. Introduction
2. Cyber and accompanying risks
2.1 Security concepts
2.2 Cyber threats
2.3 Cyber governance & strategy
3. A governance framework for cyber risks
3.1 The meta-model
3.2 The framework
3.3 Practical use - Bring Your Own Device (BYOD)
3.4 Continuous approach
4. Concluding remarks
References
Cyber risks towards a governance framework
1. Introduction [1]
All contemporary organizations face an
increasing dependency on Information
Technology (IT) systems for executing and
supporting their business processes. Emerging technologies are creating a rapidly evolving cyber landscape in which solutions quickly become
outdated. Modern technologies
provide organizations with unprecedented
scalable and financially attractive capabilities, but the lack of knowledge regarding
these new and complex innovations poses
potential problems. Stakeholders (e.g.
employees, suppliers) can access data
whenever, wherever and however at their
personal convenience. Although this possibility is a likeable benefit for stakeholders,
it also creates a borderless and complicated
digital environment which is of great
concern to organizations. These emerging
developments create new threats such as
theft of corporate and/or personal data and
malicious attacks, and enable peculiar ways
to commit organized crime (IT Governance
Institute, 2007).
Vulnerabilities in IT systems pave the way for intruders to gain access to information without authorization. These adversaries are nowadays characterized by covert and persistent attack vectors; they act anonymously, are invisibly present and in the worst case are detected only when it is too late and the damage is done. A computer connected to the Internet anywhere in the world, combined with anonymity, provides an easy access platform for malicious activities as a cornerstone for lucrative business models. The usage of sophisticated malware, Denial of Service (DoS) attacks, the always present vulnerabilities of IT assets and careless mistakes within organizations facilitate these activities. Hackers tend to be creative and crafty in exploiting this, employing logic and innovation to stay ahead of their victims.
Security awareness in organizations is an important prerequisite for understanding potential
threats in their Cyber Ecosystem. However,
thorough cyber risk assessments do not seem
to be part of day-to-day business activities. Risk assessment is
simply characterized as bothersome and difficult and not directly financially beneficial. Mostly
it is seen as requiring financial investments,
time and resources and is hence an attractive
first target for budget cuts in organizations. This
line of thinking often leads to complacency and
even negligence with all its potentially adverse
consequences.
Securing IT systems and information processing is a pervasive concern of organizations.
The confidentiality, integrity and availability
of data depend on important sources that
support business activities, often characterized as critical assets. In a growing number of
organizations information is the business (IT
Governance Institute, 2006). Breaches in cyber
security have resulted in misuse of information
that could harm organizations by affecting their
financial assets, reputation and other interests.
It is therefore vitally important to understand
current threats and to develop and maintain a
comprehensive overview of an organization’s
threat landscape. A focused cyber risk approach
as well as an integrated view to adequately
identify and mitigate potential cyber-related
risks are essential elements of the organization’s
defensive capabilities.
[1] This white paper is an extract of a detailed report resulting from research jointly conducted by Atos Consulting, VU University Amsterdam and Utrecht University.
2. Cyber and accompanying risks
In the past decade the concept ‘cyber’ has been used frequently to describe almost anything
in relation to networks and computers (Ottis & Lorents, 2010). It is a common prefix for
new terms such as cyber warfare, cyber-attacks or cyber terrorism. The concept ‘cyber’ has
an early history and originates from the term ‘cybernetics’ by Wiener (1948). Later on it transformed to the term ‘cyberspace’, which is nowadays more widely and commonly used.
In this white paper the concept of cyber is an abbreviation for the term cyberspace. As there is still
much debate on the exact description of this term (Information Security Forum, 2011), an overview
of different definitions is provided in table 1 to establish a common body of knowledge:
Table 1. Various definitions of cyberspace
Literature source | Definition
Ottis & Lorents (2010) | “Cyberspace is a time-dependent set of interconnected information systems and the human users that interact with these systems.”
Bodeau, Boyle, Fabius-Greene, & Graubart (2010) | “The collection of information and communications technology (ICT) infrastructures, applications, and devices on which the organization, enterprise, or mission depends, typically including the Internet, telecommunications networks, computer systems, personal devices, and (when networked with other ICT) embedded sensors, processors, and controllers.”
Department of Homeland Security (2011) | “The interdependent network of information and communications technology infrastructures, including the Internet, telecommunications networks, computer systems and networks, and embedded processors and controllers in facilities and industries.”
Information Security Forum (2011) | “Cyberspace is the always-on, technologically interconnected world; it consists of people, organizations, information and technology.”
Risks related to cyber have evolved quickly over the past decades. Security breaches can be mentioned
as common examples that potentially cause unprecedented damage to vital assets of organizations. Figure 1 illustrates a holistic and integrated governance view on the cyber landscape, based
upon a model provided by Betz (2011). It includes three pillars each of which reflects a part of this
challenging and ever changing environment. The processes pillar (i.e. the first one) defines the logic
layer which represents the way of thinking and reasoning of activities. These processes rely heavily
on IT, by which they are also connected to large networks of organizations.
The information (i.e. the second pillar) is generated by the processes and is further handled by
applications of different nature. This crucial asset
in fact acts as the blood running through the
veins (processes) of organizations to keep them
alive. IT infrastructure (i.e. the third and last pillar)
serves as a foundation for these capabilities
and amongst other things facilitates the flow of
information enabled by applications supporting
business processes.
Figure 1. Integrated cyber governance view (figure labels: Cyber governance; Processes, Information, Technology; Logic, Application, Infrastructure)
Vulnerabilities in one or in a combination of these interconnected pillars can be targeted by malicious attacks, possibly leading to harm or damage. In general, technology is usually the premise in each of the definitions with respect to cyber; however, it is not limited to it. Cyber possesses unique characteristics with pivotal elements such as humans. These features together make it challenging, complex and constantly changing, which creates an unpredictable environment. Cyber is the reality of our modern life and is increasingly woven into everyday life across the globe. It is certainly there to stay.
2.1 Security concepts
Different security concepts, as schematized in figure 2, converge in cyber: information security, cyber security and cyber resilience. The Information Security Forum (ISF) distinguishes between these concepts by using confidentiality, integrity and availability (CIA) of organizational assets. Threats in cyber directly influence these three main objectives of information security. When securing cyber, one should also address additional threats which go far beyond CIA, the so-called non-CIA. Examples are reputational damage due to a breakdown of IT assets or an unintended impact from data leakage. Cyber resilience stands for preparing for the unknown, unpredictable, uncertain and unexpected. The complexity of cyber enables threats to develop quickly in unpredictable and dangerous ways. Uncertainty cannot be prevented and should indeed be embraced through cyber resilient business operations. Organizations increasingly understand that the rapid evolution of cyber is outpacing risk management practices in organizations. Managing security risks is a comprehensive task at hand and requires agility and flexibility.
Figure 2. Positioning concepts based upon ISF (2011) (figure labels: Information security, Cyber security, Cyber resilience; Known CIA; Known non-CIA; Unpredictable, uncertain, unexpected, unknown)
2.2 Cyber Threats
Threats in cyber can be found practically everywhere and are somehow always present. Threats can originate internally, for instance from personnel due to accidents or poor practice, or externally from unwanted adversaries. In general, a threat is a category of objects, persons, or other entities that presents a danger to an asset. A cyber threat is a potential event that may cause undesired outcomes resulting in harm to organizational assets. It should be noted that there is a difference between purposeful and undirected threats. A purposeful threat involves a preconceived goal, such as a hacker extracting valuable information from an organization. An undirected threat is, for example, a (natural) disaster such as fire threatening to affect physical components of IT infrastructures. This distinction of threats can unconsciously be extended by vulnerabilities of an organization itself. Due to improperly managed practices, careless mistakes or by human failure or accidents, cyber threats are more likely to materialize. Table 2 provides a global overview of possible threats to organizations that are categorized based on figure 1.
Table 2 - Cyber threat overview
Threat
Description
Technology
For instance mistakes or accidents made by employees regarding their duties.
Usage of outdated software, bugs or code problems.
Espionage
Unauthorized data collection and/or access compromising Intellectual Property.
Blackmailing an organization to gather information.
Natural disasters
Natural threats which directly threaten the physical components of the IT infrastructure (e.g. floods, fire, earthquakes or lightning).
Force majeure
Information
Human failure
Extortion of information
Negligent errors
Processes
Dependency on third parties such as Internet Service Providers (ISPs) which can possibly affect the availability of concerned technology.
There are obviously many types of threats. When focusing on purposeful threats, the World Economic Forum (2012) categorized four different types of cyber-attacks. The first category is reconnaissance: gaining information from victims to plan a further attack. The second category is disruption:
breakdown of a business, system or service. The third category is extraction of data from
the victim. The fourth and last category is manipulation or mutation of data or systems. CACI (2011)
defines a cyber-attack as: “Generally an act that uses computer code to disrupt computer processing or steal data, often by exploiting software or hardware vulnerability or a weakness in security
practices. Results include disrupting the reliability of equipment, the integrity of data, and the confidentiality of communications”.
2.3 Cyber Governance & Strategy
The growing use, adoption and dependency on (new and continuously evolving) IT assets contribute to a dynamic and complex environment, introducing a variety of challenges. Some examples of these issues and concerns are listed below (The Cabinet Office, 2011):
- The covert nature of threats brings possible underestimation of the risks faced.
- The prediction and understanding of cyberspace in the future is difficult due to the rate of new innovations and changes.
- New risks and vulnerabilities emerge suddenly.
- Responses and defenses look slow and inadequate due to the pace of events.
- Cyberspace is a complex environment; global in nature, largely commercially owned and consisting of many different components, suppliers and sub-contractors.
Supporting the primary tasks of organizations and governments by creating a safe and secure cyberspace is a clear and well defined integrated strategy. IT nowadays is an indispensable part of many organizations and has hence been integrated with Enterprise Risk Management (ERM) or larger security strategies within and beyond organizations (Bodeau et al., 2010). As cyber security is more than information security, achieving an enterprise-wide cyber risk strategy consists of different concepts. They should be taken into consideration while defining the strategy, which is logically specific for most organizations. They face different threats and have their own culture upon which the strategy should be constructed and executed.
The Department of Homeland Security (2011), for example, used a multi-staged methodology to develop a cyber security strategy. Below, the main phases of this methodology are mentioned:
1. Assessment – of the current and future strategic environment through analysis of key trends associated with cyber and cyber security;
2. Examination – of current policy, strategy, programs and resources across cyber security activities;
3. Identification – of key assumptions (including associated policy implications);
4. Consideration – of alternative strategic concepts (achieve desired end states efficiently and effectively).
Dealing with cyber risks seems self-explanatory as they affect all levels of an organization. Mitigating activities should thus be governed continuously, consistently and correctly. Governance is in general a set of responsibilities and practices exercised by top executives providing strategic direction. This crucial task should be done in such a way that the set objectives are reached, verifying that organizational resources are used responsibly and risks are managed appropriately. Figure 3 (model based upon the Direct-Control cycle by Von Solms & Von Solms, 2006) provides a governance overview showing that the layers of an organization (strategic, tactical and operational) are involved in governing the strategic goals and directives. Cyber risk governance accordingly requires an integrated approach and should be a transparent part of the corporate governance structure of an organization.
Figure 3. Corporate governance view (Von Solms & Von Solms, 2006) (figure labels: Direct, Control; Strategic, Tactical, Operational; Directives, Policies/Company standards, Procedures, Execution)
3. A governance framework for cyber risks
The previous section described challenges and risks which call for adequate governance. They can be perceived as focus areas applied as input for constructing a framework useful for top executives. It contains a meta-model and includes a structure with multiple components for organizational activities and explanatory content. The framework is an auxiliary instrument which provides high level guidelines for any organization dealing with cyber risks.
This chapter discusses the designed framework
in a top down fashion by starting with the metamodel which provides a high level overview of
this structure to support governing risks. It is
subsequently presented in combination with a
strategic approach.
3.1 The meta-model
A meta-model including a set of interlinked topics is developed with the aim to provide simplicity and overview of the cyber risk governance
framework. The directives (strategy) encapsulate four main concepts: risks, reputation,
response and resources. They are supported by
policies and processes, to protect the organization in its cyber ecosystem which is positioned
in the center of the model.
Another characteristic depicted at the top of
the meta-model displayed in figure 4 is the
possibility of multiple governance structures
beyond the concerned organizational context.
IT outsourcing for instance implies the adaption
of (multiple) governance structures of third
parties which are beyond (direct) control of
the organization. Depending on (parts of) the
governance of other organizations, a combined
governance structure along the supply chain
can be enabled. When this possible situation
occurs, it is clear that organizations should
then conduct a dependency analysis with all
stakeholders to comprehensively manage risks,
given these interdependencies.
They influence or determine an organization’s
risk profile in its cyber ecosystem. Risks and
response are positioned on opposite sides of
each other. Risks directly influence an organization’s posture, as does the response that mitigates possible unwanted consequences of risks.
A secure cyber ecosystem and an effective
response against cyber related risks depend on
sufficient funding and resources. The response
to cyber risks and the establishment of a secure
cyber ecosystem contribute to an organization’s
ability to secure its reputation and assets.
Table 3 shows an overview of all the individual
characteristics related to the core concepts of
the framework.
3.2 The framework
The meta-model (figure 4) serves as the foundation for the governance framework. Figure 5
depicts the designed framework where the
indicated core concepts (i.e. risks, resources,
response and reputation) continuously revolve
around cyber and its interrelated governance
aspects.
Figure 4. The meta-model
Figure 5. The framework
(Labels in figures 4 and 5: Continuous strategy; Directives, Policies, Processes; Cyber: Processes, Information, Technology; Risks: Threats, Vulnerabilities; Reputation & assets: Information theft, IT sabotage; Response: Approach, Awareness, Assess, Detect, Partnering, Responsibilities; Resources: Funding, IT resources)
Table 3 - Cyber risk governance framework description
Core concepts | Sub concepts | Description
Risks | Threats | Threats emerging from the cyber risk landscape which threaten business reputation and assets.
Risks | Vulnerabilities | Possible vulnerabilities of an organization reinforcing and nurturing threat potential.
Reputation & Assets | Information theft | The organization provides an adequate response to reduce the possibility of information theft.
Reputation & Assets | IT Sabotage | Organizational assets might be targeted by adversaries able to perform different forms of deliberate destruction.
Response | Awareness | The organization is aware of the potential risks that it faces in correlation with possible painful consequences.
Response | Assess | Assessment of the governance strategy is continuously executed to ensure the adequate protection of the organization against cyber risks.
Response | Detect | Risks are adequately detected which is followed by an effective approach for countering them.
Response | Approach | Organizational approach for mitigation and minimizing the consequences of a direct threat.
Response | Responsibilities | Cyber risk governance strategy tasks are delegated to the designated employees as a result of which they are formally responsible for this crucially defined piece of work.
Response | Partnering | Sharing information with partners to jointly mitigate the risk of cyber threats.
Resources | Funding | Employees possess the right skills and proper knowledge to prevent incidents or possible wrong performance. They are supported by organizational resources to receive time and space for carrying out their operational tasks. The organization invests in its cyber risk governance programme by creating organizational awareness, welcoming suitable knowledge and supplying sufficient resources to execute the necessary activities.
Resources | IT Resources | Technical resources needed to build and maintain a safe and secure cyber ecosystem.
3.3 Practical use – Bring Your Own Device (BYOD)
The meta-model (figure 4) and the framework (figure 5) illustrate an executive auxiliary tool for top executives to enable a cyber risk governance strategy in the organization. This model provides guidelines which support organizations in assessing the situation and incorporating the right strategy and
necessary processes. They are naturally free to establish their own strategy, policies, procedures and processes given the framework for governing their
cyber risk landscape and implementing their own organizational structure and culture.
BYOD is one of the recent developments with which organizations allow employees to use their own laptop and smartphone to connect to the business IT domain. It is a concept that contributes to an adaptive and mobile workplace. Nonetheless, BYOD enables a new way of working and also introduces IT-related risks which should seriously be dealt with. If an organization decides to apply this concept, the framework can be helpful to fabricate a
top down view. It starts with the construction of a strategic plan for implementing BYOD in the organization. Defining clear objectives (e.g. only peripherals can have access after a secured authentication process, followed by an encrypted and secured connection) followed by an assessment (what
are the possibilities for employees in the current state and what in the desired state?) lead to an approach for implementing the strategy within the
organization. In this case for example: which employees are involved and what are the responsibilities for reaching this goal? If the strategy is defined
and incorporated in the business processes, its actual implementation on lower levels in the organization can be started. This act initiates the use of the
risk governance framework depicted in figure 5.
The strategy is translated into organizational policies and processes which support the activities on
operational level for the core concepts as defined: risks, resources, response and reputation. Table
4 provides an overview for translating the different concepts to the implementation of BYOD in the
organization.
Table 4 - Example case BYOD
BYOD implementation – Risk governance framework (high level overview)
Core concepts | Sub concepts | Description
Risks | Threats | Identify the threats directly related to the use of BYOD.
Risks | Vulnerabilities | Identify the vulnerabilities which are introduced with BYOD. Organizations have less control over the devices, thus also over the vulnerabilities.
Reputation & Assets | Information theft | What kind of company confidential information is at risk because of the introduction of BYOD? What if an employee lost his device?
Reputation & Assets | IT Sabotage | How could adversaries affect the organization by sabotaging BYOD devices in use by employees?
Response | Awareness | The organization should be aware of the risks related to BYOD. Complete security cannot be guaranteed so continuous awareness should be ensured.
Response | Assess | Continuously assess the situation. Is a necessary security baseline in place for BYOD? Are there new developments?
Response | Detect | If there is something wrong with any device in use, detection should display any illegal access or strange behavior.
Response | Approach | If there is an incident an effective approach needs to be in place and effectuated (e.g. if an employee loses a smartphone or laptop it should be remotely blocked).
Response | Responsibilities; Partnering | Employees are responsible for the secure use of their peripherals on the network. The IT department is responsible for a secure and well organized environment. How are BYOD responsibilities assigned in case third parties are involved? Use available best practices for implementing BYOD, what are lessons learned which can be reused?
Resources | Funding | Employees should be professionally trained and educated to gain the right knowledge and skills to securely work with BYOD.
Resources | IT Resources | Sufficient technical resources are needed to protect the devices in use against possible risks.
3.4 Continuous approach
Maintaining a continuous approach is an important component of cyber risk governance as it is surely not a one time achievement. A top down approach implies developing a strategy that translates into policies and processes for the guidelines set in the framework (figure 5). These parts are interrelated and cover an equal motion of turning gears (figure 6). The turning speed on operational level is considerably higher in comparison with the strategic and tactical level. A strategy could evidently have a longer expiration date in comparison with activities on operational level.
Figure 6. The framework in motion (figure labels: Strategic, Tactical, Operational)
Figure 6 visualizes a top-down motion starting from strategy downwards via the different levels. However, sudden developments on an operational level can initiate a reversed motion in the framework. New threats can emerge or existing policies may not be sufficient to define an effective response against risk which is incurred at operational level. This new knowledge could possibly influence the existing policies and strategy of an organization. The knowledge gained on operational level can possibly initiate a bottom-up approach as well that in turn affects the existing policies and strategy.
4. Concluding remarks
The development of this governance framework once more demonstrated the insight
that the cyber risk landscape is a complex,
dynamic and unpredictable environment.
We hence deliberately chose not to focus on
developing a ‘one size fits all’ solution, but a
governance framework that contains a set of
guidelines for organizations to govern their
cyber risk strategy. Establishing a cohesive
governance approach for protecting organizational assets asks for a comprehensive
and integrated approach with specific and
customized protective measures, which are
possible to incorporate in the different aspects of the framework. One of the benefits
of the chosen set-up is that organizations
do not have to adopt new methodologies or
approaches to their risk governance practices. Instead, this configuration provides
an additional aid in creating a future-proof
and robust approach which copes with the
continuously changing nature of cyber risks.
Additionally it is important to stress the importance of the collaboration with partners in your
organization’s cyber ecosystem. These (public
and private) organizations also deal with the
specifics of their cyber threat landscape, but
creating a cyber resilient posture throughout
the complete ecosystem requires extensive
as well as measurable communication and
collaboration. Alignment of cyber risk management practices and sharing lessons learned is
an important prerequisite for building a secure
industrial digital environment. This is the reason
we specifically incorporated this aspect into
the governance framework, so organizations
actually stretch out to their ecosystem to realize
collaborative cyber situational awareness.
Last but not least we gladly emphasize one
final cornerstone for a successful cyber risk
governance implementation: an organization’s willingness to invest and its attention to the human factor. For decades security and risk management practitioners have had difficulty showing their contribution to business value and have been caught in discussions around the business case and investment incentives.
Hopefully nowadays organizations realize that
the implementation of a governance framework
for cyber risks is an absolute must, given the ‘always on’ nature of our digital society. In addition
to such a framework it is important to realize
the critical contribution of the professionals with
the specific knowledge to perform this daunting
task. It is well known that skilled resources are
hard to find, and university programmes across
the globe are investing in cyber security programmes to keep up with the market demand.
This cyber workforce might in fact be the most
important success factor, combined with executive management support for these activities of
course.
References
Betz, C. T. (2011). Architecture and Patterns for IT Service Management, Resource Planning, and Governance. Elsevier.
Bodeau, D., Boyle, S., Fabius-Greene, J., & Graubart, R. (2010, September). Cyber security governance. Mitre.
CACI. (2011). Cyber Threats to National Security.
Department of Homeland Security. (2011, September). Blueprint for a secure cyber future. Retrieved February 1, 2012, from http://www.dhs.gov/files/publications/blueprint-for-a-secure-cyber-future.shtm.
Information Security Forum. (2011). Cyber Security Strategies: Achieving cyber resilience. Retrieved from https://www.securityforum.org/downloads/documentview/5901.
IT Governance Institute. (2006). Information Security Governance: Guidance for Boards of Directors and Executive Management (2nd ed.).
IT Governance Institute. (2007). COBIT Security Baseline: An Information Survival Kit, 2nd Edition.
Ottis, R., & Lorents, P. (2010). Cyberspace: Definition and Implications. Presented at the Proceedings of the 5th International Conference on Information Warfare and Security, Dayton.
The Cabinet Office. (2011, November 25). The UK Cyber Security Strategy. Retrieved from http://www.cabinetoffice.gov.uk/resource-library/cyber-security-strategy.
The World Economic Forum. (2012). Partnering for Cyber Resilience.
Von Solms, B., & Von Solms, R. (2005). From information security to…business security? Computers & Security, 24(4), 271–273. doi:10.1016/j.cose.2005.04.004.
Wiener, N. (1948). Cybernetics or Control and Communication in the Animal and the Machine. New York: John Wiley.