
Security Convergence in a Critical Infrastructure


Academic year: 2021



MASTER THESIS

Security Convergence in a Critical Infrastructure

Framework and Enablers for Successful Implementation

Guido Kamp

S1512811

Leiden University

Master Crisis and Security Management

Supervisors:

Dr. J. Matthys

Dr. R. Prins


Details of the author

Guido Kamp S1512811

g.kamp@umail.leidenuniv.nl

Title of the research

Security Convergence in a Critical Infrastructure Framework and Enablers for Successful Implementation

Key words

Security convergence, security, physical security, cyber security

Subject


ACKNOWLEDGMENTS

Before continuing, I would like to express my gratitude towards a few people. First of all, I would like to thank my coach, Dr. Joery Matthys, and the second reader, Dr. Ruth Prins, for their help in completing this master thesis. Their critical comments, suggestions and support have been very much appreciated and have improved the quality of this thesis a lot. Second, my gratitude goes out to all the experts for making time in their busy schedules to participate in this study. Your opinions and professional insights were extremely valuable. Furthermore, I would like to thank the organization of the case study in general and the people I have interviewed in particular. Special thanks to the Information Security Architect who functioned as focal point during the case study. Your willingness to plan all interviews and provide all required documentation is very much appreciated.

Third, I would like to express my sincere appreciation towards my colleagues, friends and family. Your support was much appreciated in guiding me through the process. Thank you for respecting my busy schedule and taking care during tough days. Finishing this thesis means the end of an era, and it is time for the next chapter of my life…

Guido Kamp 9 June 2016


ABSTRACT

Securing a Critical Infrastructure (CI) is necessary since its disruption, incapacitation or destruction would have a debilitating impact on the environment, health, safety, economic and social wellbeing of citizens and on the effective functioning of government. In most cases, security within a CI is organized in a fragmented way, since different departments are each responsible for a piece of security. Nowadays, CIs strive increasingly towards security convergence, since the silo or stovepiped approach appears to be inadequate.

The rationale behind ‘breaking down the silos’ is twofold. First, physical and cyber security measures are more and more intertwined due to evolved technology. Second, both domains are likely to be challenged interchangeably by converged threats, as vulnerabilities in the physical and cyber domains are exploited in conjunction. Although security convergence is seen by many as an imperative, it is a difficult task due to several challenges, according to the literature.

This study establishes a solid conceptual base for the successful convergence of security in a CI: a framework outlining which critical success factors contribute to security convergence. A theoretically grounded security convergence framework, including enablers for successful implementation, is established, validated with experts in the field and applied to a Distribution System Operator of Electricity and Gas in the Netherlands.

The framework consists of eleven key elements for security convergence. First, the elements include a security vision and strategy that are aligned to Enterprise Risk Management and the organizational values. Second, a holistic security risk management process at the tactical level, driven by a security policy that is derived from the security strategy. Third, communication and information sharing throughout the process, with top-down direction and bottom-up reporting. In addition, twelve enablers for successful implementation of the framework are identified, including but not limited to consideration of the organization’s risk culture, support from the top, mutual understanding and acceptance, clear establishment of ownership, roles, responsibilities and oversight, and monitoring of progress and effectiveness.

The framework supports analytical thinking towards proper security convergence, including design and implementation. This study helps organizations to cope with modern security issues.


LIST OF CONTENTS

ACKNOWLEDGMENTS ... i

ABSTRACT ... ii

LIST OF CONTENTS ... iii

LIST OF FIGURES AND TABLES ... iv

1. INTRODUCTION ... 1

2. CONCEPTUAL BACKGROUND ... 4

2.1 Critical Infrastructure ... 4

2.2 Securing Critical Infrastructures ... 5

2.4 Convergence of physical and cyber security ... 10

3. METHODOLOGY ... 12

3.1 Research questions ... 12

3.2 Research approach... 13

3.3 Research method ... 14

3.4 Case study design ... 15

3.5 Data exploitation and assessment ... 16

3.6 Operationalization of concepts ... 19

4. PHASE 1: FIRST DRAFT FRAMEWORK AND ENABLERS ... 21

4.1 Challenges, drivers and imperatives of security convergence ... 21

4.2 Fundamentals of security convergence ... 23

4.3 Towards a security convergence framework ... 25

4.4 Enablers for successful implementation ... 40

4.5 Results of phase 1 ... 44

5. PHASE 2: REVISED FRAMEWORK AND ENABLERS ... 46

5.1 Introduction ... 46

5.2 Validation of the framework ... 47

5.3 Validation of enablers for successful implementation ... 52

5.4 Results of phase 2 ... 56

5.5 Operationalization of concepts ... 63

6. PHASE 3: CASE STUDY ... 77

6.1. Introduction ... 77

6.2. Analysis ... 78

6.3. Results of phase 3 ... 92

7. CONCLUSION ... 94

8. DISCUSSION ... 98

LIST OF REFERENCES ... 100


APPENDICES ... 107

Appendix A: Guiding questions expert interviews ... 107

Appendix B: Pre-read expert interviews ... 110

Appendix C: Pre-read case study interviews ... 111

Appendix D: Outline of operationalization scheme ... 112

Appendix E: Overview of Dutch vital sectors, products and services ... 117

LIST OF FIGURES AND TABLES

Figures

Figure 1: Visualization differences Information Security, ICT Security and Cyber Security

Figure 2: Interdependency of physical and cyber security and the important role of the human

Figure 3: Three phased approach

Figure 4: Vital products and services to society

Figure 5: Drivers for convergence

Figure 6: Risk Intelligence Framework

Figure 7: The governance and management sides of security

Figure 8: Model for strategic planning of ESRM

Figure 9: PPT-model – People, Policy and Technology

Figure 10: ISO31000 Risk Management Framework – Risk Management Process

Figure 11: ERM Framework

Figure 12: Risk Management Framework NIPP

Figure 13: Risk Management Framework

Figure 14: First draft security convergence framework

Figure 15: High level structure proposed

Figure 16: High level structure final

Figure 17: Revised security convergence framework

Figure 18: Security structure ORGANIZATION

Figure 19: Policy structure ORGANIZATION

Tables

Table 1: List of interviewees expert interviews including field of expertise

Table 2: List of documentation and interviews case study

Table 3: Outline of the process steps of the Risk Intelligence Framework

Table 4: Overview comparison frameworks

Table 5: Operationalization of concepts framework

Table 6: Operationalization of concepts enablers for successful implementation

Table 7: Document analysis topics and interview questions framework

Table 8: Document analysis topics and interview questions enablers for successful implementation


1. INTRODUCTION

The entire landscape of Critical Infrastructures (CIs) forms the backbone and arteries of all modern societies, characterized by all networks, systems, services and assets, whether physical or virtual, that are vital to society (Ouyang & Wang, 2015; Yates, 2014). Examples of CI sectors are energy, telecommunication/ICT, water supply, health, finance and transportation. Since the various CI sectors in the modern world are interconnected and interdependent, a disruption of one CI would impair the functioning of other CIs (Singh, Gupta, & Ojha, 2014). For example, a disruption of the telecom sector would have cascade effects in the entire CI landscape, since CIs are dependent on communication technology. Moreover, disruptions could occur on the one hand unintentionally, by human mistake, technical error or a natural disaster, and on the other hand intentionally, by malicious intent. This study is concerned with the latter, also known as security-related incidents.

Research problem and objective

Security of CIs against attacks by hostile or malicious entities remains a serious concern across the globe, according to Singh et al. (2014). Whereas traditionally security entailed the protection of the physical domain by moats, thick walls and watch towers, security today also concentrates on the digital, or cyber, domain. For example, flood gates and pumping stations necessary to control the water level in a country are remotely controlled and monitored by Industrial Control Systems (ICS). Damage could be caused either physically, for instance by cutting cables, or digitally, by hacking the ICS.

Malicious actors would try to accomplish their goal via the easiest way, or in other words through the weakest spot of the security triangle. The security triangle consists of three factors, namely physical, cyber/digital and human. Attacks are likely to be executed on the domains in conjunction. An example is the Stuxnet attack on Iran’s nuclear power plant facilities, discovered in 2010. The nuclear process was corrupted and hampered. First, a USB stick was physically inserted into a computer by an infiltrated employee. Second, malicious code – ‘Stuxnet’ – was automatically installed on the software and spread throughout the network. In the past, the boundaries between physical and cyber assets were clear, but the defined boundaries no longer exist (AESRM, 2007). Consequently, Carney (2011) argues that there is little chance for security if physical security and cyber security are treated as separate domains. This phenomenon is acknowledged in the literature as the convergence of security. The convergence of physical security and cyber security enhances alignment and avoids two worlds acting separately. However, appropriate alignment from theory to practice seems to be complicated.

The main purpose of this study is to establish a solid conceptual base for the convergence of cyber and physical security in a CI: a framework outlining which critical success factors contribute to security convergence. The framework supports analytical thinking towards proper security convergence, including design and implementation. The study would help organizations to cope with modern security issues.

Scientific and practical relevance

There is a gap in the academic world, as well as in practice, about how to converge physical and cyber security. The security discipline in itself has not sufficiently matured yet and the body of knowledge regarding security is limited (Giever, 2007). Expanding the knowledge would be scientifically helpful to further improve the maturity level of the security discipline. Furthermore, the integration dimension is scientifically relevant, according to Zedner (2009). He noted that scholars have tended to think within one domain of security and have failed to integrate domains. In addition, this study is particularly relevant for the field of public administration, since an attack on a CI would affect the entire social system. The study of Booz, Allen, and Hamilton (2005) reveals a significant increase of security convergence projects in the public sector. However, most of these projects apparently did not succeed. Furthermore, although the convergence of cyber and physical security has already occurred at the technical level, it has not at the organizational level (Carney, 2011). This study aims to bridge this gap.

Research questions

To reach the objective of the research, two research questions are formulated. The first research question and its two underlying sub questions are:

1. What are the critical success factors for security convergence in a critical infrastructure?

1.1 What are the key elements for a security convergence framework?

1.2 What are enablers to successfully implement the framework?

The answer to the two sub questions will provide an answer to the first research question. The outcome is a theoretically grounded and practically validated security convergence framework including enablers for successful implementation. The second research question is articulated as:

2. To what extent does critical infrastructure X comply with the framework and enablers?

The framework and enablers will be operationalized and applied to a critical infrastructure in a single case study, in order to include an empirical element in the study.

Research outline

In chapter 2 a conceptual background of the research topic is presented to set the scene at research level. The methodology of the research is set out in chapter 3. Chapter 4 presents the first draft framework and enablers by answering the two sub questions of the first research question. In chapter 5 the first draft framework and enablers are revised based on expert interviews. Chapter 6 outlines a single case study in which the framework and enablers are applied in an empirical setting. In chapter 7 an answer is given to the two research questions and conclusions are drawn on the entire study. Finally, chapter 8 reflects on the study, including discussion points, limitations and further research possibilities.


2. CONCEPTUAL BACKGROUND

In this chapter a conceptual background for the research is presented based on a literature review. This chapter elaborates the subject of the research based on scientific articles.

2.1 Critical Infrastructure

The Critical Infrastructure (CI) is the concept that comprises a service or product vital to a country. In the literature, CIs are defined as:

“All networks, systems, services and assets, whether physical or virtual, that are vital for the welfare and functioning of a community or society” (Alcaraz & Zeadally, 2015; Moteff, Copeland, & Fischer, 2003; Podbregar & Podbregar, 2012).

The entire composition of CIs consists of vital systems from various sectors, such as health, energy and telecommunications/ICT (Singh et al., 2014). Examples of CI facilities are floodgates, pylons and communications masts. Although the classification of sectors can be different among countries, the overall set of CIs is comparable.

Regardless of the classification, CIs are interconnected and interdependent (Moteff et al., 2003; Singh et al., 2014). This means that one CI is dependent on the provision of services by another CI (Alcaraz & Zeadally, 2015). For example, a telecom operator needs electricity supplied by the energy sector, and the energy sector needs communication technology supplied by the telecom sector to control the systems for electricity generation. Consequently, the dependencies make CIs more complex, more difficult to manage and control, and evidently more vulnerable (Theoharidou, Xidara, & Gritzalis, 2008). It is considered a major challenge in the field of risk management.

These interdependencies give rise to a phenomenon known as ‘cascading events’, meaning that a disruption of one single CI is likely to cause disruptions of multiple CIs (OECD, 2008; Yampolskiy, Horváth, Koutsoukos, Xue, & Sztipanovits, 2015). Overall, CIs are highly dependent on the availability of telecommunications/ICT, since IT systems run their processes (Luiijf, Ali, & Zielstra, 2011). Therefore, an incident in the digital space can have propagating and amplifying effects on multiple physical domains (Yampolskiy et al., 2015). Should the telecommunication network go down due to a hack of a telecom operator, this could have major consequences for all reliant parties, such as banking firms, manufacturing firms and even nuclear plants.

As the previous examples outline, disruption, incapacitation or destruction of a CI would have a debilitating impact on the environment, health, safety or economic and social wellbeing of citizens and on the effective functioning of government (Alcaraz & Zeadally, 2015; Brassett & Vaughan-Williams, 2015; Cabinet Office, 2010; Labaka, Hernantes, & Sarriegi, 2015; Moteff et al., 2003; Yates, 2014). The great importance of continued functioning is a key rationale for CI security. The consequences of critical infrastructure loss are twofold:

“an event resulting in (i) a critical infrastructure being destroyed, damaged or affected so that it generates physical forces; or (ii) a loss of critical infrastructure service continuity” (Yates, 2014, p. 102).

The risk of CI loss is a combination of the likelihood and the impact of occurrence (Kriaa, Pietre-Cambacedes, Bouissou, & Halgand, 2015). CIs do not rely on analysis of historical data such as past incidents, but rather on simulation of potential future events to determine the likelihood of loss. Although the likelihood of a disruption of a CI can hardly be estimated, the impact will probably be catastrophic (Collier & Lakoff, 2015). Therefore, the likelihood needs to be minimized.

Disruptions, incapacitation or destruction of a CI can occur unintentionally, by human mistake, technical error or a natural disaster, on the one hand, and intentionally, by a malicious attacker, on the other (Brdys, 2014). Studies outlining the intentional origin of disruptions are increasingly relevant, since topics like terrorism are a serious concern across the globe, according to Kriaa et al. (2015) and Singh et al. (2014). Therefore, this study focuses on disruptions caused by intent, the so-called security-related incidents.

2.2 Securing Critical Infrastructures

Securing the entire CI landscape of a country is a difficult practice due to the complexity and interconnectedness of the various CIs (Singh et al., 2014). Traditionally, CI security was a physical matter, as CIs operated on the basis of mechanical or electronic devices in offline systems. These systems were expensive to deploy, maintain and operate, and were therefore replaced by new technology (Kim, 2014; Kriaa et al., 2015). Nowadays, modern systems are remotely connected to the internal network (intranet) of the organization. The same intranet may also be connected to the internet for other business activities, such as communication with third parties and clients (Jang-Jaccard & Nepal, 2014). Although efficiency for operations has increased, the digital infrastructure has become a vulnerable spot for external attackers (Labaka et al., 2015). Consequently, security of a CI is not solely a physical practice, but also a concern of securing the digital space (Kriaa et al., 2015).

2.2.1 The physical domain

The physical domain relates to all that is literally tangible. Securing the physical domain is the practice of protecting assets and people by physical means. In essence, physical security is the process of applying layers of physical measures to prevent unauthorized physical access (Kovacich & Halibozek, 2003). In the Middle Ages, defensive walls were used to protect cities, towns and villages from potential aggressors. Physical entry was limited to a single gate secured by a city guard, and the watch towers made it possible to overlook the situation both inside and outside the city wall.

The historical origins and theories of physical security have largely come from military and defense sciences. Although the fundamental aim of protecting people and processes remains, the application of physical security is evolving with the deployment of new technologies (Crowell, Contos, DeRodeff, Dunkel, & Cole, 2007).

2.2.2 The digital domain as new focus area

In the past decades there has been a major shift in what organizations consider their most important asset. Digitalization has led to the necessity of intangible assets, such as information and communication systems. Nowadays, more and more information is stored on servers, in databases and in files, requiring security of the digital domain in order to ensure the availability of that information (Rahman & Donahue, 2010).

The global move towards digitalization has led to the importance of the digital domain for the functioning of CIs (Jang-Jaccard & Nepal, 2014). For example, production lines are controlled by Operational Technology (OT), the transportation processes are coordinated by logistic planning software and the administration of a CI is stored in a digital database. All systems are connected to the intranet, and the same intranet may also be connected to the internet. The digital domain offers CIs several advantages compared to the physical domain: it is timeless, borderless and anonymous. However, the Internet was designed for information sharing, not protection (COSO, 2015), and thus security was not taken into account during the design phase of the digital domain (UK National Audit Office, 2013). As a result, securing the digital space is a difficult task.

In the literature, cyber security is a widely used concept for securing the digital domain. Cyberspace has several definitions, such as:

“Realm of computer networks (and the users behind them) in which information is stored, shared, and communicated online” (Singer & Friedman, 2014, p. 13).

“Cyberspace is a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers” (Department of Defense, 2010, p. 64).

The concepts information security, ICT security and cyber security are used interchangeably to address securing cyberspace. von Solms and van Niekerk (2013) outlined the differences between these three concepts. First, information security is concerned with the protection of information, both physical and digital. Second, ICT security is about the protection of the Information and Communication Technology infrastructure itself. Last of all, cyber security is the most extensive concept, concerning the protection of the person(s) using resources and of other assets (not limited to information) stemming from the use of ICT. This means that cyber security is about protection against risks that derive from the use of ICT, rather than protection of cyberspace itself (von Solms & van Niekerk, 2013). As such, cyber security is the appropriate concept for securing cyberspace. Figure 1 visualizes the relations between the three concepts.

Figure 1: Visualization differences Information Security, ICT Security and Cyber Security (von Solms & van Niekerk, 2013)

von Solms and van Niekerk (2013) define cyber security as:

“the protection of cyberspace itself, the electronic information, the ICTs that support cyberspace, and the users of cyberspace in their personal, societal and national capacity, including any of their interests, either tangible or intangible, that are vulnerable to attacks originating in cyberspace” (p.101).

Cyber security is often dedicated to an IT (or information security) department (Rahman & Donahue, 2010).

Attackers have recognized cyberspace as a new potential entrance to the assets of a CI (Kriaa et al., 2015). The number and sophistication of cyber-attacks have increased significantly in recent years, according to the European Union Agency for Network and Information Security (2014). A survey by Vanson Bourne (2015) among 615 IT decision makers from CIs in the US, UK, France and Germany revealed that 90% had experienced at least one attack over the past year, with a median of 20 attacks each year. The attacks resulted in physical damage in 60% of cases, in service disruption in 33% and in data compromise in 25%.

Jang-Jaccard and Nepal (2014) argue that the rise in attacks is not surprising, since cyber-attacks are cheaper, more convenient and less risky than physical attacks. In addition, the attacker is not constrained by geography or distance, and prosecution rarely takes place due to the anonymity of the web (Jang-Jaccard & Nepal, 2014).

2.3.3 The interdependency between physical and cyber security

Although the organizational embedding of cyber security and physical security commonly differs, both domains are interdependent (Rahman & Donahue, 2010). First, physical security mechanisms and cyber security mechanisms are interdependent and intertwined due to evolved technology. For instance, CCTV technology – a typical physical security measure – nowadays runs over the network controlled by the department responsible for cyber security (Walters, 2009). On the other hand, cyber security mechanisms such as firewalls, intrusion detection and encryption do not stop someone from physically breaking into a data center and corrupting the network. Second, both domains are likely to be challenged interchangeably by converged threats (Aleem, Wakefield, & Button, 2013): vulnerabilities exploited both physically and digitally in conjunction. The AESRM (2007) argued that 80% of all loss results from the interaction of multiple risks.

The human factor as an important link

Walters (2010) mentioned the importance of human security next to physical and cyber security; the linkage is visualized in Figure 2. The human factor has a tremendous impact on the success and failure of an organization’s efforts to secure and protect its valuable assets (Metalidou et al., 2014).

“Any security system, no matter how well designed and implemented, will have to rely on people” (Gonzalez & Sawicka, 2002, p. 1).

Although an organization may have proper physical and cyber security controls in place, a disgruntled employee cannot be stopped from inserting a malicious USB stick into a desktop.

The role of humans in security is twofold: security breaches can occur either due to unintentional mistakes or by intentional acts. Stuxnet, as mentioned earlier, is an example of the latter. A matter of concern for human security is the concept of ‘social engineering’, defined as the manipulation of people in order to influence their behavior, force them to undertake certain actions or procure information (de Wit, 2014). This means that personnel may for instance be blackmailed or seduced into deliberately leaking valuable information. The obtained information can be used by an attacker to prepare and plan a targeted attack.

Measures to avoid social engineering are enhancing security awareness, informing employees about relevant policies and educating personnel to properly perform security tasks (Dimkov, 2012; Walters, 2010). Security awareness campaigns should be the priority of the organization, according to Metalidou et al. (2014). However, the main point of concern remains the fact that human behavior is unpredictable (Dimkov, 2012). The role of the human will be taken into account during this study, without explicitly mentioning the human as a third factor in security, since the human has been incorporated in the domains of physical and cyber security.

Figure 2: Interdependency of physical and cyber security and the important role of the human factor

2.4 Convergence of physical and cyber security

The traditional approach to security is to treat all risks by separate teams within different functional departments (Aleem et al., 2013). However, this traditional approach – named the ‘silo’ or ‘stovepiped’ approach – has proven to be inadequate for contemporary risks (Rahman & Donahue, 2010). It leads to gaps, due to the fact that risks are analyzed and handled by different departments separately instead of organization-wide (AESRM, 2007). Managing risks in a traditional fashion is considered to be inefficient with regard to the financing of security activities, according to Aleem et al. (2013). As new technologies arise and threats become increasingly complex, the need emerges for a holistic view of security that takes a converged approach to physical and cyber security. The literature calls this phenomenon the convergence of physical and cyber security (Eugene Schultz, 2007), in short security convergence.

The Alliance for Enterprise Security Risk Management (AESRM), a partnership of three international security organizations, ISACA, ISSA and ASIS, addressed issues surrounding the convergence of physical and cyber security. ISACA and ISSA are originally primarily concerned with cyber security issues, whereas ASIS is focused on physical security. The three organizations exchanged their knowledge and expertise on both professions within the Alliance. The AESRM conducted several studies about security convergence, in 2005, 2006, 2007 and 2009. Convergence in the security arena is defined as:

“...the integration, in a formal, collaborative and strategic manner, of the cumulative security resources of an organization in order to deliver enterprise-wide benefits through enhanced risk mitigation, increased operational effectiveness and efficiency, and cost savings” (AESRM, 2009, p. 5).

The definition implies the need to break down organizational boundaries – in other words, to disassemble organizational silos – to encourage information exchange and manage security holistically enterprise-wide (Booz et al., 2005; Rahman & Donahue, 2010).

2.4.1 Reasons for convergence

Scientists argue that the power of security depends on the entire security system and not just a single piece of it (Giles, 2005; Jones, 2006; Ting, 2007). All types of security controls must be integrated to balance risk tolerance with risk reduction, maximize the chance of solution delivery and in the end sufficiently manage security risk (Nunes-Vaz & Lord, 2014). In 2005, the AESRM mentioned that managing security risk in a complex, dynamic, global world can be achieved by considering and tackling risks holistically, so both the physical and cyber domain in conjunction. As mentioned earlier, the main reason for convergence is twofold. On the one hand, the evolving nature of threats directed at both the physical and cyber domain in conjunction requires convergence. On the other hand, the boundaries between physical and cyber security measures are blurring. Physical security is the owner of the CCTV hardware, cyber security of the log files. It is ambiguous who is in charge in case of information theft, as they both ‘possess’ a part of the measure (Rahman & Donahue, 2010). Therefore, tearing down the department boundaries is logical, as it avoids indistinctness about ownership.

2.4.2 Benefits of convergence

The overarching benefit of convergence is that different departments responsible for security are enabled to work together towards a common goal. By doing so, risks are reduced at enterprise level, which eases problem solving of larger security issues (Anderson, 2007). Convergence gives the organization better insight into the enterprise risks and overall compliance requirements (Larson, 2009; Rahman & Donahue, 2010). Furthermore, the convergence of age-old security principles with new technologies improves governance, streamlines communication and improves incident response (Crowell et al., 2007). In addition, convergence leads to more simplified, efficient and effective processes, according to Anderson (2007). For instance, convergence enhances the security investigation process, as log files of the access control system and CCTV records are both in the possession of the investigation team in case of a laptop theft. What is more, digitally identified security risks can be partially mitigated by physical security measures and vice versa. To exemplify, proper physical access control reduces the probability of malware being installed by a physical intruder. Likewise, proper network encryption reduces the probability that physical security measures such as CCTV are deliberately disabled before a criminal act. All in all, security convergence is seen by many as an imperative (AESRM, 2007).
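The converged threats of section 2.3.3 and the investigation benefit described above both come down to one practical capability: reading the physical access log and the cyber logon log together, which neither the physical nor the cyber security team can do from inside its own silo. The following Python script is an added example, not code from the thesis or from the organization studied; the badge-access lines, logon lines, user names, hostnames, door names and the two detection rules are all constructed for illustration. It flags an on-site workstation logon by someone the badge system never saw enter, and a remote logon by someone the badge system says is still inside the building.

```python
"""Correlate a physical badge-access log with workstation logon events.

Added example: the log lines, users, hosts and door names below are
constructed, not data from the thesis or any real organization. Two
converged-threat indicators are derived from the two logs together,
which neither the physical nor the cyber security team could see alone:
  * an on-site workstation logon by a user who never badged in
    (possible tailgating, or a stolen credential used inside the building);
  * a remote (VPN) logon by a user whose badge says they are still inside
    (possible credential theft, or a badge left on an unattended desk).
"""
from datetime import datetime

# Constructed badge-access log: timestamp,user,action,door
BADGE_LOG = """\
2016-06-09T07:58:12Z,alice,BADGE_IN,HQ-LOBBY
2016-06-09T08:02:45Z,bob,BADGE_IN,HQ-LOBBY
2016-06-09T12:30:00Z,alice,BADGE_OUT,HQ-LOBBY
"""

# Constructed logon log: timestamp,user,host,kind (onsite or remote)
LOGON_LOG = """\
2016-06-09T08:05:10Z,alice,WS-HQ-017,onsite
2016-06-09T13:15:00Z,alice,VPN-GW,remote
2016-06-09T08:10:33Z,carol,WS-HQ-022,onsite
2016-06-09T09:00:00Z,bob,VPN-GW,remote
"""


def _ts(text):
    """Parse an ISO-8601 timestamp with a trailing Z (treated as UTC)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_badge(text):
    """Badge events as dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, door = line.split(",")
        events.append({"ts": _ts(ts), "user": user, "action": action, "door": door})
    return sorted(events, key=lambda e: e["ts"])


def parse_logons(text):
    """Logon events as dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host, kind = line.split(",")
        events.append({"ts": _ts(ts), "user": user, "host": host, "kind": kind})
    return sorted(events, key=lambda e: e["ts"])


def badged_in(badge_events, user, at):
    """True if the user's most recent badge event at or before `at` is a BADGE_IN.

    A user with no badge event at all is treated as outside the building.
    """
    inside = False
    for event in badge_events:  # already sorted oldest first
        if event["user"] != user or event["ts"] > at:
            continue
        inside = event["action"] == "BADGE_IN"
    return inside


def correlate(badge_text, logon_text):
    """Return (rule, user, host) findings, in logon-time order."""
    badge_events = parse_badge(badge_text)
    findings = []
    for logon in parse_logons(logon_text):
        inside = badged_in(badge_events, logon["user"], logon["ts"])
        if logon["kind"] == "onsite" and not inside:
            findings.append(("onsite_logon_without_badge_in", logon["user"], logon["host"]))
        elif logon["kind"] == "remote" and inside:
            findings.append(("remote_logon_while_badged_in", logon["user"], logon["host"]))
    return findings


if __name__ == "__main__":
    for rule, user, host in correlate(BADGE_LOG, LOGON_LOG):
        print(f"{rule}: user={user} host={host}")
```

On the constructed data the script reports carol's on-site logon (no badge-in on record) and bob's VPN logon while still badged in; alice is clean because her badge-out precedes her remote logon. A finding is an investigation lead for the converged team, not proof of wrongdoing: in a real deployment the two systems' clocks, time zones and badge readers that do not record exits all have to be reconciled before the rules are trusted, which is exactly the kind of cross-department agreement that the silo approach never forces.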

However, the literature acknowledges several challenges for security convergence. As a result of these challenges, a study in 2006 revealed that convergence was still in its infancy. Only 24% of the respondents had experienced some form of convergence (AESRM, 2007). The AESRM (2007) argued that perceptions have to change before security convergence would become the accepted and adopted way of managing security risks.


3. METHODOLOGY

The aim of this chapter is to outline the methodological design to find an appropriate answer to the research questions. Furthermore, choices are made regarding the research approach, method of data gathering and analysis.

3.1 Research questions

Based on the literature review, the following main research question was shaped:

1. What are the critical success factors for security convergence in a critical infrastructure?

The concept of critical success factors (CSFs) has an elusive nature, since it is defined in many different ways. CSFs in the context of this research are those underlying or guiding principles of the security convergence effort that must be regarded to ensure that it is successful (Caralli, 2004). The CSFs for security convergence in a CI had not been studied widely. This led to a knowledge gap as to what the actual CSFs were that needed to be taken into account. The desired outcome of the study was a framework for the convergence of physical and cyber security in a critical infrastructure, including enablers for successful implementation. Two related sub questions were defined in order to find an answer to the main research question:

1.1 What are the key elements for a security convergence framework?

1.2 What are enablers to successfully implement the framework?

The result of the first sub question was a framework containing the key elements necessary for security convergence. The answer to the second sub question outlined the enablers to successfully implement the proposed framework. The framework and the enablers for successful implementation were together the critical success factors for security convergence. Hence, the answer to the first and second question together form an answer to the main research question.

In addition, in order to include an empirical element into the research, a second research question was articulated:

2. To what extent does critical infrastructure X comply with the framework and enablers?

First of all, a first draft framework including enablers for successful implementation was developed based on academic literature. The theoretically grounded framework and enablers were validated with security experts in the field by means of interviews. The insights gathered through the interviews were processed, resulting in an answer to the first research question: a revised framework and enablers for successful implementation. In the end, the framework and enablers were operationalized and applied in a single case study in order to illustrate the empirical relevance and to find an answer to the second research question.

3.2 Research approach

This study followed a qualitative research approach. A qualitative study is based on words rather than numbers (Bryman, 2012). As the aim of this study was to identify the reasons behind the obstacles to convergence, qualitative in-depth research was more appropriate than a quantitative study (Ehigie & Ehigie, 2005). Furthermore, a qualitative study involves systematic and detailed study of individuals in a natural setting (Kaplan, 2005). This was necessary for this study, since the goal was to understand the situation and to create a framework that is representative of reality with as few preconceptions as possible. Furthermore, quantitative research is in general not appropriate to build a framework, since it is rather focused on testing relationships between certain mechanisms and goals based on data. Instead, qualitative research helps to thoroughly understand the dynamics of security convergence, the identification of mechanisms and the relationships between different parts of the framework. As such, qualitative research is rather focused on theory building (Bryman, 2012). Last, the study was concerned with the explanation of “why” security convergence appears to be difficult and “how” the concept could be successfully implemented. Kaplan (2005) argued that qualitative research is suitable to answer why and how questions.

The research was divided into three phases. In each phase, several research methods were used. Figure 3 visualizes the three phased approach.

Figure 3: Three phased approach. Phase 1. Desk research and document analysis (first draft framework and enablers); Phase 2. Expert validation (revised framework and enablers); Phase 3. Empirical application: case study (conclusions and discussion).

The selected approach offered the right balance between preexisting (academic) literature and expert knowledge in the field. An open and emergent approach was used in order to give space for empirical material to influence the interview questions. It enabled the opportunity to research the topic in a less prejudiced way.

3.3 Research method

Multiple methods were used to gather relevant data for this research, i.e. a triangulation of methods. A triangulation of methods increases the validity, reliability and confidence in findings (Bryman, 2012; Golafshani & Salehi, 2010). The methods chosen were (1) desk research, (2) document analysis and (3) interviews. A similar composition of data collection methods was used by Caralli (2004) in his qualitative research to establish a foundation for Enterprise Security Management.

3.3.1. Phase 1 – Desk research and document analysis

The first draft framework and enablers were built upon desk research and document analysis. Desk research is a broad search method used to determine what knowledge was already available on security convergence. The documents found, such as academic literature, governmental policies and standards, were explored with document analysis.

3.3.2. Phase 2 – Expert interviews

The first draft framework and enablers were validated with several experts in the field by means of expert interviews. Interviews were chosen as data gathering method because they generally offer a trustful relationship between the researcher and the interviewee, which goes further than standardized survey questionnaires (Blazejewski, 2008). Semi-structured interviews were conducted based on a prepared interview format, which provided a structure without losing the possibility to delve deeper into certain issues (Eriksson & Kovalainen, 2008). The list of guiding interview questions can be found in Appendix A. A semi-structured interview format was prepared and sent out to the interviewees as pre-read. By doing so, the experts had the opportunity to have a look at the framework prior to the interview. The pre-read slides can be found in Appendix B. The benefit of the chosen method was that the interviewees were prepared for the interview and as such came up with concrete, plain and valuable answers.

3.3.3. Phase 3 – Case study

A case study was chosen as method to apply the framework and the enablers for successful implementation in an empirical setting. A case study is defined by Yin (1984) as:

“an empirical inquiry that investigates a contemporary phenomenon within its real-life context, when the boundaries between phenomenon and context are not clearly evident, and in which multiple sources of evidence are used” (p. 23).

First, a case study was chosen as research method to create synergy between the framework, enablers and concepts developed from academic theory on the one hand and practical relevancy on the other. Second, the method was justified by Yin (2003) for qualitative research when the focus is to answer ‘why’ and ‘how’ questions. This study was aimed towards ‘how’ security convergence can be successfully designed and implemented. Third, the case study was suitable to empirically apply the framework as it is generally meant for explanatory purposes, according to Labaka (2015). On the other hand, Bryman (2012) argues that a case study in general has disadvantages, such as the fact that external validity and generalization remain difficult due to a small sample. Therefore, generalization of the findings of the particular case study needed to be carefully scrutinized in order to avoid confirmation biases. In addition, it is important to keep in mind that the case study was meant to provide an example of how the framework could be applied in a CI. Further research in other sectors would be interesting to show how the framework could be applied in a broader setting. The case study design is outlined in paragraph 3.4.

3.4 Case study design

A holistic study design was used to show how the framework and the enablers for successful implementation could be applied in practice. A single case was examined, which was selected on purpose to ensure applicability to the research subject of CIs. The unit of analysis was the organization. The name of the organization is not stated in the report due to confidentiality. The case study was conducted at a Distribution System Operator of Electricity and Gas in the Netherlands. Hence, the case organization was suitable for the application of the framework and enablers. The energy sector, consisting of oil, electricity and natural gas, is of high importance to Dutch society. Luiijf, Burger & Klaver (2003) argued that electricity is a vital source of energy for most other products, services and society at large.

“failure of electricity supply may have almost an immediate impact” (Luiijf et al., 2003, p. 10)

The study of Luiijf et al. (2003) visualized the level of vitality of each sector to society, see Figure 4. The higher and the more to the right in the graph, the more vital the service is to society. The blue triangle represents the energy sector. Although three blue symbols are visualized, Luiijf et al. (2003) do not specify which symbol stands for electricity, gas or oil; all three blue symbols, however, score high in the graph.

The organization pursues a converged security approach for the protection of their critical infrastructure. The documentation around security convergence was in place, which described the desired way of working. The security convergence framework could be applied to the elements used in the practical documentation. Furthermore, the enablers for successful implementation of the framework could be discussed with the various stakeholders involved in the implementation of the converged security approach. A more in-depth description of the particular case itself is outlined in Chapter 6.

3.5 Data exploitation and assessment

In this paragraph, an outline is given on the way data was exploited and assessed.

3.5.1. Desk research and document analysis

The first step of the study consisted of collecting documentation related to the research topic, such as scientific articles. For this purpose, keywords were put into various online science databases, such as Web of Science, Leiden University Library, Scopus and Google Scholar. Different online science databases were used interchangeably in order to obtain as many valuable articles as possible. If a paid article was found in Google Scholar, another search engine was used in order to find an available version. Literature which was not accessible with Leiden University credentials could unfortunately not be used for this research. Furthermore, a diversity of keywords was used to search for appropriate documents, because the main keywords were closely related to the topic of the study. On the one hand, single word components were tried, such as ‘critical infrastructure’, ‘physical security’, ‘vital infrastructure’, ‘digitalization’, ‘cyber security’ and ‘human security’. On the other hand, a combination of two or more word components was used, for instance ‘critical infrastructure AND security’. The variety of search words resulted in a diversity of gathered documentation, mainly scientific articles. Related articles proposed by the website were checked, and as such several additional articles were found.

The first selection process of articles was based on an assessment of the title and the content of the abstract. Interesting articles were saved according to a consistent procedure. First, all collected documentation was saved in a dedicated folder. Second, all files were imported into ATLAS.ti and EndNote. ATLAS.ti was used to analyze, label and process all data and EndNote was used to centrally store and generate references.

The second step in the selection process consisted of a deeper analysis, by reading the introduction, conclusion and discussion. By doing so, it was determined whether an article could be relevant or not. Codes were directly assigned to the articles by means of ATLAS.ti. These codes were useful in selecting and processing all relevant data. All information found about a certain topic was easily visible in ATLAS.ti by selecting the code assigned to the topic. The references of relevant articles were checked to identify additional literature. As a result, more interesting articles were found, and as such, assessed via the same procedure as described. All in all, the approach enabled the body of knowledge to be expanded gradually, which formed in the end the basis for the development of the first draft framework.

3.5.2. Expert interviews

The first draft framework and the enablers for successful implementation of the framework formed the basis for the expert interviews. In total, six experts with various backgrounds were interviewed. The interview outcomes provided valuable insights for improvement points of both the first draft framework and the enablers for successful implementation of the framework. After the interviews, the draft version was revised. All interviews were recorded and summarized afterwards. The interview reports are not part of the public report. In Chapter 5, the interviewees are referred to as ‘expert 1’, ‘expert 2’ et cetera. The numbers were randomly assigned and follow a different sequence than presented in Table 1.

A list of interviewees including field of expertise is illustrated in Table 1, see below.

Interviewee | Field of expertise | Years of experience | Organization / position
Mark de Groot | Critical Infrastructure Security | 18 | KPN – Team lead Red Team, CISO Office
Han Hindriks | Risk Management | 12 | Deloitte – Consultant (Manager level)
Maarten Te Kulve | Security Risk Management | 18 | De Haagse Hogeschool (University of Applied Sciences) – Security Risk Management Lecturer
Dick Berlijn | Defense and security | 45 | Senior Board Advisor Deloitte and member of various other Advisory Boards
Martijn Ronteltap | Corporate Security of a vital infrastructure in Energy and Telecom sector | 20 | Deloitte – Consultant (Senior Manager level)
Eric Luiijf | Cyber Operations and Critical (Information) Infrastructure Protection | 40 | TNO – Consultant critical infrastructure security protection

Table 1: List of interviewees

3.5.3. Case study

The case study consisted of both document analysis and interviews. The document analysis topics and interview questions were based on the operationalization scheme in paragraph 5.5. The documentation provided a first picture of the security convergence approach of the organization. Furthermore, the interviews gave room to delve deeper into certain topics with the interviewees that were considered relevant and/or needed additional clarification. Pre-read containing general information on the research was sent to the interviewees, see Appendix C. Subsequently, the interviews could be conducted efficiently as the interviewees were already aware of the research at the start of the interview. In total, four stakeholders were interviewed. The interviews were recorded and transcribed afterwards. The transcriptions of the interviews and the documents were left out of the public report due to confidentiality. All in all, the documentation and the interviews gave a clear picture of the security convergence approach of the case study organization and of points of improvement based on the framework and enablers. The list of documentation and interviews can be found in Table 2.

Documents | Interviewees
1. Security Vision | 1. Privacy and Security Advisor of GRC
2. Security Policy | 2. Corporate Information Security Officer
3. Information Security Policy | 3. Physical Security Specialist
4. Information Security Architecture | 4. IT/Cyber Security Specialist
5. Strategy for Security Management System |
6. Information Security Management System processes |
7. Document with strategic ideas for integration |
8. Security Standard |

Table 2: List of documentation and interviews case study

3.6 Operationalization of concepts

The operationalization of concepts is the process of defining how a concept is measured, observed and applied in a particular study (Vohs & Baumeister, 2007). First of all, the relevant concepts, i.e. the critical success factors of security convergence, had to be identified. These factors consisted of a security convergence framework including enablers to successfully implement the framework. The framework and enablers were first drafted based on desk research and document analysis in chapter 4. Afterwards, all concepts of the framework and enablers were validated through expert interviews, resulting in a revised version in chapter 5.

Second, the concepts of the framework and enablers were operationalized in an operationalization scheme in paragraph 5.5.1. The operationalization process translated the theoretical, conceptual variables of the framework and enablers into a set of specific operations or procedures that define the concepts’ meaning for this particular study. The purpose of operationalization was to establish a bridge from theory to practice. The process was important to avoid ambiguity about the exact definition of concepts of the framework and enablers (Vohs & Baumeister, 2007). In this study, each concept was defined and split up into indicators to enable the variable to be observed and measured in practice.

Third, document analysis topics and interview questions were defined based on the indicators of each variable. The topics and questions covered all indicators in order to ensure that the concepts could be appropriately observed. The topics and questions can be found in paragraph 5.5.2. In the operationalization scheme, a reference was included to the document analysis and interview questions scheme.

All in all, the operationalization of concepts was relevant for this study to specify how the critical success factors could be observed and measured in practice. The operationalization was carried out in a later phase of the study since the exact concepts became apparent in chapter 4 and final in chapter 5. The operationalization of concepts can be found in paragraph 5.5.


4. PHASE 1: FIRST DRAFT FRAMEWORK AND ENABLERS

In this chapter the first draft security convergence framework and enablers are developed. It answers both the first and second sub question: (1) what are the key elements for a security convergence framework, and (2) what are enablers to successfully implement the framework? First, paragraph 4.1 describes the challenges, drivers and imperatives of security convergence. Second, paragraph 4.2 outlines the fundamentals of security convergence to establish a foundation for the framework. Last of all, paragraphs 4.3 and 4.4 formulate an answer to the sub questions.

4.1 Challenges, drivers and imperatives of security convergence

The literature acknowledges different challenges to security convergence. The physical and cyber domain have different origins, protection philosophies, designs, functionalities, implementation, maintenance and management approaches (AESRM, 2006). The backgrounds, salaries and educations differ, and in addition, the mutual understanding of both professions is often lacking (Jones, 2006; Rahman & Donahue, 2010). On the one hand, the staff of a physical or corporate security department commonly consists of former law enforcement officers or military/police officers. On the other hand, most IT or information security departments consist of staff with technical backgrounds. Physical security professionals commonly lack knowledge of technology, and vice versa, cyber security specialists ordinarily lack experience of physical surveillance, according to Rahman and Donahue (2010). The different departments have different budgets and priorities (Johnson, 2007). The AESRM (2007) identified three major obstacles to integration, namely cultural barriers, process/change management and training/knowledge gaps. As a result of these challenges, a study revealed that convergence was still in its infancy: only 24% of the respondents had experienced some degree of convergence (AESRM, 2007).

The literature mentions different drivers for organizations to converge physical and cyber security. The driver for security convergence can be either forced or voluntary by nature. Anderson (2007) argued that the challenges contemporary business environments face force a need to re-engineer security at strategic and tactical level. New compliance and regulation restrictions or economic factors are common drivers for the necessity to converge. Examples of economic factors are budget cuts for security, increased risk complexity due to globalization and growing demands of shareholders to streamline businesses (Anderson, 2007). From a voluntary perspective, budget efficiency and better risk management are named as common drivers (Booz et al., 2005). A study of the AESRM (2007) revealed that (1) the reduction of combined physical and cyber risks, (2) the increase of information sharing and (3) a better protection of assets are the main drivers for convergence, see Figure 5 for the results.

Booz et al. (2005) describe five imperatives for the convergence of security:

1. Rapid expansion of the enterprise eco system, referring to globalization and outsourcing of security activities;

2. Value shift from physical to digital information based assets, referring to the increasing importance of cyber security;

3. Blurring of functional boundaries due to new technologies, referring to technological developments which overlap physical and cyber security functions, e.g. CCTV;

4. Compliance and regulations developments towards a rather enterprise focus;

5. Pressure to reduce costs on the one hand and mitigate risks efficiently on the other.

4.2 Fundamentals of security convergence

Security convergence can be achieved through different routes. The suitable approach, level and extent of security convergence depend on the unique culture and structure of the organization in question (AESRM, 2007; Rahman & Donahue, 2010). Hence, proper due diligence in security convergence is important to overcome the aforementioned challenges (Mehdizadeh, 2004). Attributes of convergence are for instance company size, industry regulations, process design, culture, risk perception and the level of dependency on ICT for the physical protection of assets (Anderson, 2007). The literature describes three organizational approaches to security convergence:

1. Integrate physical and cyber security functions under one single manager, as such the responsibility is assigned to one person.

2. Keep both disciplines as separate departments, but have them reported to the same manager to emphasize converged reporting rather than operations.

3. Keep the functions separate, assist in process management and facilitate information sharing by bringing security issues to a risk council.

(AESRM, 2007; Rahman & Donahue, 2010).

Scholars argue that central supervision of physical and cyber security in conjunction is a first step towards security convergence, but they advocate consolidating all security functions. Security convergence should be considered in a broader fashion. In the literature, a shift in thinking towards security convergence as an attribute of Enterprise Risk Management is acknowledged (Anderson, 2007; Booz et al., 2005). Security is a component of Enterprise Risk Management (Larson, 2009). The theories of Enterprise Risk Management (hereafter ERM) will be further outlined to identify critical success factors for security convergence. Alternative terms for ERM are strategic risk management, integrated risk management and corporate risk management (Aleem et al., 2013).

4.2.1. Enterprise Risk Management

ERM is concerned with the process of risk identification across the entire enterprise and managing risks to an acceptable level. ERM is a business-based, adaptive and unified approach to risk management. The Committee of Sponsoring Organizations of the Treadway Commission defines ERM as:

“a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives” (COSO, 2004, p. 2)

The definition reflects some noteworthy points with regard to security convergence. First, ERM is a process applied in a strategic setting. The responsibility for risk management is usually assigned to senior management (CAS, 2003). The statements of the AESRM (2007) that (1) security is mostly considered at a tactical level and (2) security convergence is an attribute of ERM are understandable, since ERM enables the security convergence issue to be brought to a strategic level. Second, ERM is a process to identify potential events across the enterprise. Hence, risks are identified and handled at enterprise level rather than at discipline level. This point is also noted as a key element for security convergence (AESRM, 2007; Booz et al., 2005). Third, ERM is a process designed to manage risks to provide reasonable assurance. This point is important since the framework is aimed to be applied to a CI, where assurance is necessary. In addition, ERM theory is of added value to security convergence since its approach enhances the collaboration between the physical discipline and the cyber discipline. First, the Casualty Actuarial Society (CAS) (2003) argued that ERM provides a logical structure to link certain subject areas together. Second, the AESRM (2007) notes that ERM provides a common and unified framework that structures the cross-functional collaboration, resulting in greater cohesion. Third, risk management is acknowledged by the US Government as the cornerstone for the protection of CIs (DHS, 2013).

ERM treats a vast variety of risks in a holistic and comprehensive manner at enterprise level. An integrated approach to ERM is appropriate for the diversity of internal and external risks that organizations face in this day and age, according to Aleem et al. (2013). Organizations adopt ERM to harmonize governance, risk and compliance activities, abbreviated as GRC. It encompasses all sources of risk which can threaten the organization, from hazardous risks to financial, operational and strategic risks. Security risks are also incorporated in ERM. From a business perspective, security has a role in supporting growth by improving risk management. From a public perspective, security is aimed towards ensuring the safety and wellbeing of society as a whole. The recognition by security professionals that security risks must be treated across all the different silos is in particular referred to as Enterprise Security Risk Management (ESRM). ESRM is a vital element of ERM, according to ASIS (2010).

4.2.2. Enterprise Security Risk Management

ESRM is particularly concerned with the protection of assets in all forms, e.g. reputation, people, environment, information and so forth, against security threats (AESRM, 2007). The literature acknowledges ESRM as a holistic view of security, which goes beyond security convergence. Typical ESRM activities are physical security, business continuity, cyber security and crisis management (ASIS, 2010). A study of ASIS (2010) about ESRM revealed that more than eight out of ten respondents considered ESRM a broader practice than security convergence. Security convergence is seen as one step in the ESRM process and it is thence logical to adopt security convergence into ESRM. ASIS (2010) notes that security convergence is the first step in an ESRM project. Aleem et al. (2013) argue for security convergence as a priority area. Critics, however, argue that security convergence is too narrow a concept and only a small part of what is needed to sufficiently protect an organization (ASIS, 2010). Accordingly, ESRM captures the bigger picture of security nowadays, and the theory is used in order to outline the broader perspective of security convergence.

To sum up, ERM as broad practice beneficially supports security convergence due to the enterprise level, strategic and unified approach (AESRM, 2007). ESRM is the security practice within ERM which is acknowledged to be overarching for security convergence (ASIS, 2010). ERM and ESRM theories will be taken into account for the identification of key elements for the framework and enablers for successful implementation.

4.3 Towards a security convergence framework

In this paragraph the key elements for a security convergence framework are studied. The elements are based on different theories of ERM and ESRM. First, the requirements for a proper framework are identified. Second, ERM theory is outlined, analyzed and compared. Finally, a first draft framework is shaped incorporating the identified key elements. The framework is aimed at organizing security convergence at strategic and tactical level. This means that the framework could be applied regardless of the type of security structure at operational level.

4.3.1 Requirements of the framework

A study of the literature reveals several requirements of a proper security convergence framework. The first draft framework should meet the requirements as set in order to sufficiently manage security convergence. The following requirements have been identified:

1. The framework should enable security convergence to be aligned to the overall mission, vision, strategic goals of the organization. Subsequently, the organizational culture should be incorporated and set by senior or executive level management (Caralli, 2004; ISO, 2009). As such, the framework will enable alignment to the business processes which ensures that security is seen as an enabler for the organization (Caralli, 2004). Security driven by a common high level purpose facilitates that all disciplines can prioritize efforts accordingly.

2. The framework should provide the foundation and arrangements that will be embedded throughout all organizational levels. In addition, the framework should support top down coordination and bottom up reporting in order to safeguard adequate decision making and implementation (AESRM, 2007; ISO, 2009).

3. The security convergence framework should enable risk management at enterprise level. Hence, resources can be allocated to the most critical risks as risks are considered at enterprise level rather than on each discipline separately (AESRM, 2007; Booz et al., 2005). In addition, an enterprise level approach optimizes security practices in all levels, according to Habash et al. (2013). The integration and correlation of risks clarify dependencies of risks in different domains.

4. The security convergence framework should enable risks to be managed strategically from top down towards the tactical and operational levels of the organization. The framework does assist to understand, measure and mitigate risks across all levels aligned to the context of the organization. It should be intended to bring all security activities together into a holistic approach (Aleem et al., 2013; ISO, 2009).

5. The framework should construct security as an end-to-end process rather than a product. The constantly changing threat environment requires an approach which encompasses the entire security lifecycle, including a periodic review (Andress, 2003; CAS, 2003; Michael, 2008).

4.3.2 Foundation for the framework

The theory of ERM and ESRM will be analyzed and compared in order to create an appropriate framework. The Risk Intelligence Framework of AESRM (2007) will be used as a starting point, since it is explicitly designated as a security convergence framework. In addition, Larson (2009) used the framework in his study to address the best practices of security convergence. The relevancy and completeness of the inner ring of the Risk Intelligence Framework of AESRM (2007) for security convergence will be determined by comparing the framework to four different ERM frameworks, namely ISO 31000, COSO (2004), NIPP (2013) and the Risk Management framework of Habash et al. (2013).

Risk Intelligence Framework

The Risk Intelligence Framework models security convergence as a risk-based relationship between four pillars managed through a continuous cycle, see Figure 6.

The framework is composed of two rings, namely an outer ring with four pillars and an inner ring with a continuous cycle. The aim of the framework is to create and preserve value by organizing both the outer and the inner ring sufficiently (AESRM, 2007). Larson (2009) argued that the center of the framework, called ‘Risk Intelligence to Create and Preserve Value’, basically refers to security convergence: the final product of cohesion between the pillars.

The outer ring represents the four core elements of security, namely governance, people, process and technology. The inner ring could provide the basis to understand, measure and mitigate enterprise risks aligned to the context of the organization.

The outer ring – core elements of security convergence

The AESRM (2007) argues that each of these pillars must be organized in order to accomplish effective security convergence. In addition, the right balance between the pillars is important in order to adapt to rapid changes. Andress (2003) argues that security is not a product but a pervasive and ongoing process of reviewing and revising based on the changing environment. Adopting this approach therefore satisfies the requirement that security convergence be treated as an end-to-end process.

Further study of the core elements of security reveals different structures in the literature. Booz et al. (2005) and ISACA (2009) do mention four elements, but they do not explicitly mention governance as an element. First, the study of Booz et al. (2005) indicates that a security convergence framework must incorporate ‘strategies’ in addition to people, processes and technology. Second, the Information Systems Audit and Control Association (ISACA) mentions ‘organization design/strategy’ as the fourth element in its Business Model for Information Security (2009), besides people, technology and process. The difference between the studies of Booz et al. (2005) and ISACA (2009) and the model of Posthumus and von Solms (2004) is thus the use of strategy instead of governance as the fourth element. However, strategy is a component of governance according to Posthumus and von Solms (2004), and vice versa governance is a component of strategy according to Booz et al. (2005) and ISACA (2009).

Posthumus and von Solms (2004) developed a model which makes a distinction between governance and management level, see Figure 7.

The model enables top down coordination and bottom up reporting, which was identified as a key requirement for the security convergence framework. At governance level, the Board of Directors determines the security directions by formulating the mission, vision and strategy. These directions are translated into a policy at management level.

The mission of an organization reflects the values and priorities of the top of the organization. The mission clarifies the values and rationale of the organization and should be defined in such a way that it gives direction on the one hand, but leaves room for creativity on the other (Piëst & Ritsema, 1993). The vision defines the dot on the horizon: it specifies where the organization is trying to go. The vision and mission are the glue that holds an organization together (OnStrategy, 2015; Teamleiders Academie, 2012). The vision defines the parameters of what a project is intended to accomplish and is as such necessary for strategy development, according to Vecchi, Van Hasselt, and Angleman (2013). The strategy specifies the actions to be undertaken within a certain timeframe to accomplish the organization’s mission and vision. The process of strategic planning helps the organization to focus on the mission, the common purpose and the vision (Caralli, 2004). In terms of security convergence, strategic planning would help the organization to set a security vision and strategy. The vision and strategy provide direction without losing individuality, flexibility and autonomy (CAS, 2003).

The model of Caralli (2004) clarifies the relationships between the mission, organizational strategy, security strategy and operational activities, see Figure 8.
