Richer may not be safer

Academic year: 2021


RICHER MAY NOT BE SAFER

Master thesis

Written by: Arthur de Vries

Msc Crisis & Security Management
Date: 9-6-2019
Student number: s1427695
Amount of words: 10442
Supervised by: T. van Steen


Table of contents

Chapter 1. Introduction 3

Chapter 2. Theoretical framework 5

2.1 Risk management 5

2.2. Uncertainty 6

2.3 Acceptable risk 7

2.4 Wealth 7

2.5 Cybersecurity 8

2.5.1 Governmental versus private 8

2.5.2 Controlling cybersecurity 8

Chapter 3. Methodology 9

3.1 Methodological framework & Operationalization 9

3.2 The indicators; acceptable risk 9

3.2.1 The Risk Exposure (RE) 9

3.2.2. The Benefits 10

3.2.3. The Resilience 10

3.2.4. The Risk Reduction Leverage 10

3.3 Research design 11

3.4 Hypotheses 12

3.5 Case description 12

3.6 Data collection and sources 13

Chapter 4. The Analysis of Cybersecurity law 14

4.1. The United States 14

4.1.1. The Risk exposure 15

4.1.2. The Benefits 16

4.1.3. The Resilience 17

4.1.4. The Risk Reduction Leverage 17

4.2. The United Kingdom 18

4.2.1. The Risk exposure 19

4.2.2. The Benefits 20

4.2.3. The Resilience 20

4.2.4. The Risk Reduction Leverage 21

4.3. The Netherlands 22

4.3.1. The Risk exposure 22

4.3.2. The Benefits 23

4.3.3. The Resilience 24

4.3.4. The Risk Reduction Leverage 24

4.4. Estonia 25

4.4.1. The Risk exposure 26

4.4.2. The Benefits 26

4.4.3. The Resilience 26


4.5 General summary of the analysis 27

Chapter 5. Conclusion 28

5.1 Answer to (sub) research question(s) 28

5.2 Limitations and avenues for further research 29


Chapter 1. Introduction

In the 2015 American presidential elections a major data breach was discovered, which uncovered a database of personal information of almost 200 million voters. This database supposedly included personal information of voters from all states, and was found by an independent researcher who was looking to raise awareness of data leakage. The official investigation that followed this incident pointed out that the data breach was due to human error, rather than a technological one. Still, the incident caused distrust in the technological capacities of the government and the voting system (Finkle & Volz, 2015).

The frequency of security breaches against public and private organisations has risen worldwide in the last two decades. The increase in the number of attacks has put cybersecurity higher on the agenda of politicians. Because of today’s dependence on technology, citizens, politicians and organisations demand a secure online environment, and measures are necessary to provide it. Many governments have since been implementing new laws and policies to increase cybersecurity. Some politicians even speak of a cyber-war, referencing the ‘war on drugs’ of the Reagan administration (Rid, 2012: 15).

These measures against cyber-related threats turn out not to be sufficient, because the threats become more sophisticated with each passing year. This can be attributed to the obvious reason that technology simply improves, and cyber-threats evolve with it. Twenty years ago, the abovementioned data breach of personal information of voters would not have been possible, simply because the personal information was administered on paper instead of in an electronic database (CASM Staff, 2017: 21).

But next to the technological developments the field of cybersecurity has to face, there is a growing interest of political or competitive motives to obtain information. These are usually accompanied by an input of capital in the ‘black market of cyber-criminality’, which has seen an increase in the last 5 years, mainly in the United States of America (CASM Staff, 2017: 21).

The latter development poses a real security threat for all governments that depend on technologies, which almost all do. This constant battle to stay ahead of malicious behaviour is no anomaly in security studies; however, cybersecurity is a relatively new field of research. New cyber-threats are created every day due to technological evolution, so governments have to think ahead about how to counter them. More resources are put in each year to prevent cyber-criminality from happening (CASM Staff, 2017: 21). This, however, does not always work. Multiple small breaches happen every month at Western governmental technological systems, and every so often a big threat manifests itself.

As already mentioned, the field of cybersecurity is a relatively new one. There is, however, common ground with crisis management when faced with a crisis or a threat. Popular theories of crisis management on how to deal with a crisis, for example when a data breach occurs, are also applicable in the field of cybersecurity. This seems odd, because cybersecurity deals more with smaller incidents than bigger crises, and crisis management usually focuses on exceptions; it limits itself to the analysis of exceptional situations. However, authors such as Roux-Dufort (2007: 105) mention that crisis management is more about the process of a crisis than about the result of the crisis.

And this process of incubation of a crisis is interesting for governments in the field of cybersecurity, to prevent cyber-threats from becoming true. Risk management theories, as part of the study of crisis management, can provide measures for governments to deal with cyber-risks. Even basic principles of risk management can create insights in the relatively new environment of cybersecurity. For example, Wildavsky (1988: 77) argued that there are two basic ways found in nature of responding to a threat: by preparing yourself sufficiently (anticipation) or by focusing on recovering after an attack (resilience).

Though sometimes the risk theory and the plans are available to counter a cyber-attack, the monetary funds to facilitate these plans are not. Governments are dealing with certain checks and balances, and are sometimes not able to put in enough funds to create a secure system. It would seem that wealthier countries are more likely to be able to put sufficient funds into their cyber-defence budget. As Wildavsky (1988: 61) put it: richer is safer.

This struggle of checks and balances that all (Western) governments have to face creates different policies and laws on cybersecurity. One could argue that some governments simply have more funds to spend on cybersecurity, and thus suffer fewer cyber-attacks. However, this does not always seem to be the case.

This has to do with the acceptable risk a government is willing to take. These checks and balances are essentially a decision problem a government has to face. Acceptable risk distinguishes itself from other decision problems by having at least one alternative option that includes a threat to life or health among its consequences. It is the thought-out decision that takes risk into account (Fischhoff et al., 1983: 2). In other words: the risk a government allows itself to take.

This research focuses on the acceptable risk different governments are willing to take. The governments that are studied are The United States of America (USA), The United Kingdom (UK), The Netherlands and Estonia. These governments differ in wealth, measured in Gross Domestic Product (GDP). This is the sum of all goods and services earned in the country in a specific time period.

The possible correlation between wealth and acceptable risk is measured in the following research question:

To what extent does the GDP of a country relate to the perceived acceptable risk in cybersecurity law- and policymaking?

This research contributes to the field of cybersecurity and crisis management by creating a framework for comparison. Acceptable risk is a well-known concept in risk management; however, little research has been done on acceptable risk within cybersecurity, especially in the public sector. Due to the novelty of cybersecurity and its compatibility with other crisis management theories, the two concepts are hopefully able to match.

Next to this, this research can also provide an insight into the decision-making process of governments. The ‘game’ of checks and balances is different for every country, and it is of interest to see where the priorities lie of countries with different GDPs.

Chapter 2. Theoretical framework

This research builds on the literature and experiences of previous research in the risk-management and the cybersecurity sector. A deeper understanding of the available literature on the core concepts and frameworks is used to explain the research question, and enables us to use the concepts sufficiently in the analysis.

As abovementioned, the theoretical framework clarifies what is being analysed. All relevant concepts are mentioned and explained in detail, starting with risk-management.

2.1 Risk Management

Risk management is the study of how risks get assessed and controlled. The assessment entails the prioritization of risks; the adding of importance to certain risks over others (Zhang & Chu, 2011: 206). This means that risk prioritization benchmarks risks, where the most important risks are tackled with the most attention (Boehm, 2005: 5).

Arguably the most used concept in the risk management literature is risk. This concept can be defined in multiple ways, all descending from decision-making theories. As earlier mentioned, this manifests as a game of checks and balances; a choice between gain and loss.

In corporate literature there is less focus on the potential gain of a decision. When discussing risk, one mostly looks at the potential loss or damage of a decision, because that factor weighs heavier in the decision-making process (Wolke, 2017: 1).

Boehm (2005) was the first to introduce risk management to cybersecurity. The discipline of software management lacked a clear academic framework. Boehm built on the risk prioritization theories. He states that the fundamental concept in software risk management is the concept of Risk Exposure or Risk Impact (RE) (Boehm, 2005: 1). Risk Exposure entails the loss of capital an organisation suffers when a risk manifests. This definition of risk gives us the most complete idea of what risk is in the cybersecurity sector.

The measures a government or organisation can take to reduce risks have certain costs. This Risk Reduction Cost theory (RRC) is usually used in corporate settings. However, this RRC can also be used in the governmental setting: how much did the current policy have to change to create the wanted policy?

With this RRC known, one can identify what the relative leverage was (how much effort did the change cost) to obtain the wanted policy. This leverage is called the Risk Reduction Leverage (RRL) (Boehm, 2005: 4). The RRL is made up from the RE before and after the implementation of the policy. With this leverage, the relative effort that the change of policy cost can be measured. This is also part of the risk prioritization theory.

Both concepts of RE and RRL show the impact a risk can have on an organisation, and it should take this cost into account when handling the risk. These concepts are focused on the negative side of organizational risks.

Wildavsky (1988: 4), however, mentions that there is a certain axiom of connectedness. This entails that the good and the bad are undeniably intertwined, and cannot be seen without each other.

This connectedness is shared in most of the multidisciplinary literature of risk; from economics to biology (Skinns et al., 2011: 34).

Next to the negative aspects of risk, there are also positive ones. Take for example gambling in a casino: if you bet all your money at once, you have the risk of losing it all. But next to that, you also have the risk of winning double your investment.

These are the benefits of risks, which are not usually mentioned in organizational literature (Skinns et al., 2011: 34).

2.2 Uncertainty

The concept of probability was already briefly mentioned at the definition of RE. There is a concept closely linked to probability that is universally shared about risks, namely uncertainty. If a government can predict a crisis will happen, for example a hurricane that is approaching, it can take measures to minimize the damage. This anticipation strategy is thus mostly used in predictable situations, where one knows what is going to happen (Wildavsky, 1988: 77). However, a risk is a situation or crisis that might happen. This uncertainty stands central in the discourse of risk management (Skinns et al., 2011: 33). The main strategy to counteract this risk is trial and error. This strategy is called resilience, and characterizes itself by the ability to bounce back after a crisis or incident has happened. This ‘learning by failing’ approach is popular in risk management literature, because it goes along well with the uncertainty factor of risk (Wildavsky, 1988: 77).

2.3 Acceptable risk

A brief definition of acceptable risk was already given in the introduction: ‘the risk a government has allowed itself to make’ (Fischhoff et al., 1983: 2). This definition is useful for describing a kind of decision-making process, where the pros and the cons are valued against each other. It differs though from the RE, because it does not only take into account the unsatisfactory outcomes, but also the positive outcomes.

The literature is clear in stating that the risk that is associated with the most acceptable option, is not acceptable in any absolute sense (Fischhoff et al., 1983: 139). It is made by the means of consensus and political discussion. The different actors within the government accept the options that the choice offers, they do not accept the risk (Fischhoff et al., 1983: 140).

Because of this, the concept of acceptable risk is not appropriate for describing the results of the decision-making process. That would require an absolute answer, which is not possible with the acceptable risk theory alone.

2.4 Wealth

In his famous work, Wildavsky (1980) argued that the richer are safer, because they can afford to be safe. However, in his later work he refutes his own statement by arguing that richer is not necessarily safer. This is due to two reasons. Firstly, spending an increasing amount of capital on security does not make you money. Eventually the amount spent on security does not reflect the possible gains, and the amount will decrease again (Wildavsky, 1988: 61).

Next to this, when richer societies invest in security, it invites criminals to be even more inventive with their malicious endeavours. This will make it harder and more expensive to counter these endeavours. So in this argumentation, richer does not mean safer. It can even turn into the opposite (Wildavsky, 1988: 61).


2.5 Field of cybersecurity

2.5.1. Governmental versus Private

The increase in the use of technology by organisations has shown major benefits in efficiency and effectiveness. Both governmental organisations and private organisations make use of the constantly improving cyber-environment. Both types of organisation benefit from a well-designed technological framework to work in.

However, the governmental and the private organisations have both different goals to accomplish. Where governmental organisations focus on being available for citizens and ultimately serve them, private organisations are more selfish. Their main goal is, usually, to increase the amount of profit and keep the company running.

Nonetheless there are some similarities between both organisations; for example, they both strive to do their work as efficiently as possible. The governmental organisations are however bound to a specific budget to achieve this goal, whereas private organisations are free to spend as much funds as they like.

2.5.2. Controlling cybersecurity

Controlling a field of security is always a hard task, because these fields tend to be vague and unclear. Three categories of the field of cybersecurity can be identified:

The first category is the human aspect of cybersecurity. While the technology itself can have many faults, the one controlling the technology has proven not to be flawless either. The United States of America responded in 2010 with the National Initiative for Cybersecurity Education (NICE). “NICE was created with the idea that an important resource in the fight against cyberthreats is people: people who can create the technologies that protect information and resources, people who can recognize cyberthreats and respond to them, and people who understand how to protect themselves and others in cyberspace.” (Paulsen et al., 2012: 76). In the end, it is the people that are able to make sure that technology works as it is intended to. But how much emphasis is there on the people in the laws that are created surrounding cybersecurity?

The second category is the amount of emphasis on the infrastructure of technology. More regulation of the infrastructure means fewer cybersecurity threats (Wolter, 2013: 25).

And the last category is the amount of punishment there is for violating the legislation. Kettemann mentioned that international and national law fully applies to the Internet, and that violations should be treated as equal to violations in the ‘real’ world (Kettemann, 2019).


Chapter 3. Methodology

3.1 Methodological framework & Operationalization

The research question is divided into two variables: the independent variable (acceptable risk) and the dependent variable (the wealth of countries, measured in GDP). Both variables will be conceptualized, to be able to measure them. Also, four assumptions will be made, to retrieve a more in-depth answer to the research question. After the conceptualization of the variables, the cases will be brought forth and explained, which is finally followed by the data collection methods and sources.

3.2 The indicators; acceptable risk

As previously mentioned, acceptable risk is the willingness of a government to take a risk. However, acceptable risk as a concept still cannot be measured correctly with the abovementioned definition. To conceptualise it, we will separate the concept into four categories, based on the discussed literature on risk.

1. The Risk Exposure (RE)
2. The benefits
3. Resilience
4. Risk Reduction Leverage

Table 1: the four categories of acceptable risk

3.2.1 The Risk Exposure (RE)

The RE or Risk Impact is the impact that the risk has on an organisation if the risk manifests (Boehm, 2005: 1). This is measured by the following formula, shown in figure 1:

RE = Prob(UO) × Loss(UO)

Figure 1 (Boehm, 2005: 1)

Prob(UO) is the probability of an unsatisfactory outcome and Loss(UO) is the loss to the parties affected if the outcome is unsatisfactory. Prob(UO) is measured by comparing so-called risk items to the case. These items can be divided into technical and non-technical problems.

Technical problems might be problems with software or hardware, where for example malicious content is downloaded onto a high-profile system (Garfinkel, 2012: 30).

frequently observed problems in cybersecurity (Garfinkel, 2012: 31).

These risk items show to what extent the unsatisfactory outcome occurs. If there are risk items present that are not countered by legislation, the score will be 1. If none of the risk items are present, the score will be 0.

The Loss(UO) was designed for corporate organisations, where absolute numbers of loss of capital are easily available. To be able to measure this in a governmental setting, one simply looks at the damage that can be done by not countering the risk items. The intensity of these risk items is measured between 0 (no impact) and 1 (complete impact).

3.2.2 Benefits

The benefits are the possible gains that the government receives for taking the risk. Usually in the cybersecurity sector, the gains are secure and workable systems (Garfinkel, 2012: 31). The amount of benefits one can receive can be linked to the anticipation theories within the security field of research. The legislation is implemented with premeditation to acquire these possible benefits. The organisation is thus able to anticipate and avoid risks.

However, there can be other gains of which we are not aware. This is why the benefits are measured in three categories: 0 (no gains), 1 (secure and workable systems) and 2 (1 + other gains).

3.2.3. Resilience

Resilience entails the ability to bounce back after a crisis (Wildavsky, 1988: 77). This trial and error mindset is measurable by researching the older legislation and policies on cybersecurity. If there has been a faulty law or policy which has been changed for security purposes, it shows signs of resilience. This can be measured in two categories: 0 (no resilience) and 1 (evidence of resilience). The origin of the resilience or lack of resilience can also create an understanding of why certain decisions have been made. These can, for example, be culturally or monetarily motivated.

3.2.4. Risk Reduction Leverage

The Risk Reduction Leverage compares the contemporary legislation or policies on their RE before and after they were implemented. This creates a relative framework from which a statement can be made on the relative risk a government takes. The RRL is measured as shown in figure 2:

This is measured by taking the current RE and the past RE (both measured in risk items) and subtracting that from the relative costs of changing legislation or policies. These Risk Reduction Costs are, similar to the Loss(UO), designed for corporate organisations. However, these Risk Reduction Costs can be measured in a governmental setting as well, by counting how many policies or laws have changed between the two REs. This can be measured as 0 (no changes), 1 (small, incremental changes) and 2 (major changes).

The first two categories (the RE and the benefits) weigh the most in settling the score on acceptable risk. The last two categories are designed as supportive categories, to include as much information as possible on the process of decision-making.

3.3 Research design

In the search for the relevant research design to answer the research question, we stumbled onto multiple possibilities: Experiment, Survey, Archival analysis, History and Case study (Yin, 2003: 5). Yin (2003: 5) stated that a researcher should seek the right strategy, based on the form of the research question, the requirement of control of behavioural events and the focus on contemporary events. This is shown in figure 3:

Figure 3 (Yin, 2003: 5).

As shown in figure 3, the case study design fits this research, because of the explanatory nature of the research question. It doesn’t require control of behavioural events, and it does focus on contemporary events.

This research is a content analysis of the legislative changes in cybersecurity law and policies. A content analysis has been chosen to sufficiently analyse the provided data. The use of interviews has been discarded, due to numerous failed attempts at reaching anyone significant.

The comparative case study with a distribution-based selection approach has been chosen, to be able to identify and analyse the differences between multiple typical cases. These cases are typical for their field, because they each represent a wealth class of countries (Rohlfing, 2012: 77).

The use of typical cases in this research is done to create a framework for generalization of national governmental cybersecurity legislation. With this generalization, the possibility to analyse the data in a logical, valid and trustworthy manner increases.

3.4 Hypotheses

The four categories of acceptable risk will be used in this research to answer the research question. However, to be able to analyse each category individually with the effect it receives from the independent variable, all four categories have received their own assumption.

Hypothesis 1: The higher the GDP of a country, the smaller the risk the government takes.

Hypothesis 2: The higher the GDP of a country, the greater the benefits are that the government receives.

Hypothesis 3: The higher the GDP of a country, the more resilient the legislation is.

Hypothesis 4: The higher the GDP of a country, the higher the risk reduction leverage.

3.5 Case description

The search for cases in the field of cybersecurity legislation and policymaking has many obstacles one has to face. Firstly, the limitation of time and the restriction on the number of words prevent this research from doing a comparative case study with more countries. This forced the search to go to typical cases that represented their peers in wealth (GDP). The following distinction has been made in GDP: 1 (>€ 50.000), 2 (€ 40.000-€ 50.000), 3 (€ 30.000-€ 40.000) and lastly 4 (<€ 30.000). This is shown in table 2.

Country | GDP per capita | Category
The United States of America | € 53.249 (Country economy (1), 2019) | 1 (>€ 50.000)
The Netherlands | € 44.900 (Country economy (3), 2019) | 2 (€ 40.000-€ 50.000)
The United Kingdom | € 36.000 (Country economy (2), 2019) | 3 (€ 30.000-€ 40.000)
Estonia | € 19.500 (Country economy (4), 2019) | 4 (<€ 30.000)

Table 2: The GDP of the cases

cybersecurity. Some countries do not have a well-functioning internet connection, even in the capital. These countries do not have sufficient infrastructure to be comparable to the countries that do. And for some countries, the legislation was simply not available in English, or only the current legislation was available.

All cases that have been selected have sufficient digital infrastructure to be comparable, and have digital copies of their cybersecurity laws and policies on their official governmental websites.

3.6 Data collection and sources

The data collection of the official legislative documents is done entirely via the official governmental websites of the countries. These websites contain the current and previous editions of their cybersecurity legislation.

Table 3 shows the main sources of information, from where this research will retrieve its information. These are the official governmental websites, where all the official documents can be retrieved. This research will not include information from other websites, because the possibility of normative arguments and false information is present.

Country | Source
The United States of America | Homeland Security (2019), Cybersecurity, retrieved on 9-6-2019 from: https://www.dhs.gov/topic/cybersecurity
The Netherlands | Nationaal Cyber Security Centrum (2019), Wetgeving cybersecurity, retrieved on 9-6-2019 from: https://www.ncsc.nl/actueel/dossiers/wetgeving-cybersecurity.html
The United Kingdom | Government of the United Kingdom (2019), Minimum Cyber Security Standard, retrieved on 9-6-2019 from: https://www.gov.uk/government/publications/the-minimum-cyber-security-standard
Estonia | Republic of Estonia, Ministry of Foreign Affairs (2019), Cyber Security, retrieved on 9-6-2019 from: https://vm.ee/en/cyber-security

Table 3: The main sources of information per case


Chapter 4 The Analysis of Cybersecurity Law

4.1 The United States of America (USA)

The legislation on cybersecurity is built on three federal regulations, which require governmental organisations, financial institutions and healthcare organisations to protect their systems and information accordingly. These regulations are respectively the following:

1. Health Insurance Portability and Accountability Act (HIPAA). The storage and use of personal information within healthcare organisations is protected by this Act. Every organisation has to meet the requirements in this Act, which consist of acquiring proper technological equipment and the fair use of personal details (Nosowsky & Giordano, 2006: 576).

2. The Gramm-Leach-Bliley Act. This Act protects the customers of financial institutions, by requiring these institutions to explain how they share and use personal information. This creates transparency for the customers, and a safer technological environment (Janger & Schwartz, 2001: 1222).

3. The Federal Information Security Management Act (FISMA) as part of the Homeland Security Act. The main purpose of this Act is the protection of information and information systems within the federal agencies and organisations. It places requirements, which are comparable to requirements depicted by the HIPAA. These requirements should prevent the misuse of the technology used by the federal government (Ross et al., 2005: 864).

These regulations are the primary source of legislation regarding cybersecurity. The main idea that can be derived from this is that the federal government has put requirements on the use of technological and information systems. However, in the world of technology new kinds of information systems and other technologies are regularly introduced. The legislation has to change when technology evolves, to maintain effective and efficient use of the law.

These regulations, for example, do not address the software- and hardware-creating organisations in the USA. These organisations make up a considerable part of the American economy, so the need for effective legislation is rising (Drexel University Information Technology, 2019).

The recent federal laws are built on the above-mentioned legislation. They are an addition or small tweak to the existing law to make it more in line with the current state of technology.

These laws present the changes the USA had to go through, and are usually implemented after a crisis or risk has been identified. The pieces of legislation that are relevant for this research are the following:

4. The Cybersecurity Information Sharing Act (CISA). This Act entails the enhanced sharing of information regarding cybersecurity issues. This law is made for the software- and hardware-creating organisations, with the idea in mind to share internet traffic information between the American government and these organisations (Ross et al., 2005: 865).

5. The Cybersecurity Enhancement Act and the National Cybersecurity Protection Advancement Act. These Acts were brought to life to educate citizens and organisations about the use and misuse of cybersecurity. These communications were designed to help develop the field, as well as lowering the risk of a cybersecurity incident (Bergman, 2015).

6. The Federal Exchange Data Breach Notification Act. This legislation ensured that whenever it is known that a citizen’s personal data has been acquired through a breach of a security system, this person is informed of this occurrence (Bergman, 2015).

4.1.1 The Risk Exposure

The Risk Exposure or Risk Impact can be measured as Prob(UO) times Loss(UO). To analyse the Risk Exposure, the risk items that make up the Prob(UO) and the Loss(UO) are identified. These can be separated into two categories: technical and non-technical problems.

Technical problems

The FISMA and the HIPAA contribute to the solution for possible technical problems in the federal government. The use of certain minimal requirements for technological systems is an important part of risk aversion. The CISA regulates the private sector on the technical aspect of cybersecurity, by setting minimal requirements for the operating systems.

Both Acts talk about sanctions that can occur if the organisations are not able to meet the requirements. However, neither Act states any measures for the organisations themselves when a crisis occurs.

Non-technical problems

The biggest problem that the USA tries to avoid with its legislation is the human aspect of cybersecurity. There are multiple Acts that limit what an organisation can or may do, in order to decrease the risk of a cyber-crisis. These Acts, for example the Gramm-Leach-Bliley Act, make sure that the organisations are transparent and supervised.

Whenever a crisis breaks out, the responsible organisation is able to adequately be transparent about what the source of the issue is and resolve it. This might be harder if most information is behind closed doors.

The problem that is noticeable, however, is the use of vague language in the Acts, especially in the requirements. This vagueness leaves the Act open to interpretation, which damages the integrity and effectiveness of the legislation. Two similar organisations that should obey the same Act can have two different interpretations of the minimum requirements.

The Prob(UO) here is 1, because of the two reasons mentioned above: the vagueness of the legislation, which is open to interpretation, and the lack of clear measures named in the Acts.

The Loss(UO) is the relative impact that the risk items might cause. A crisis in the USA is usually followed by a new Act that counters this issue in the future. However, the vagueness of the legislation will create more issues in the long run. The ability to anticipate dangers seems to be lacking in the American legislation. This is also seen in the lack of concrete measures for cyber-related crises in the Acts. That is why the Loss(UO) is 1.

The final Risk Exposure is thus Prob(UO) * Loss(UO) = 1 * 1 = 1.

4.1.2. The Benefits

The requirements set by the numerous Acts are able to keep the risk of a cyber-crisis occurring to a minimum. This creates secure systems that are regularly inspected and/or supervised by administrators.

The focus on transparency in US legislation is prevalent and a benefit for both the customer/citizen and the private/public organisations themselves. The customer/citizen is aware of what is happening with their personal data, and the organisations can show that they do everything by the book.

As mentioned earlier, the vague language makes it hard for organisations to fully understand what is expected of them.

However, this situation creates the opportunity to find ingenious new ways of securing technological systems, and thus to develop the cybersecurity sector even further. In other words, the USA benefits from this side effect of the vagueness of its legislation. A side note has to be made that this benefit can also be a double-edged sword, where a new security system turns out to be a total failure. Nonetheless, there are always inspectors who are entitled under FISMA to test these security systems.

The benefits that the USA has received from its cybersecurity legislation are secure and workable systems. Next to this, there were further gains, like transparency and the opportunity for new security systems to be developed by organisations. The USA receives 2 for Benefits.


4.1.3. The Resilience

The legislation of the USA is built on resilience. Almost every relevant Act named above, next to the three federal regulations, was implemented because of a previous cyber-crisis. These crises had such an impact that the federal government decided to prevent similar incidents from occurring. Examples of resilience are the requirements organisations have to abide by for their security systems. The federal government discovered that when a public organisation has a cyber-incident, it could have a great impact on national security. That is why the Cybersecurity Enhancement Act was implemented. Because of these signs of resilience, the USA gets a score of 1 for Resilience.

4.1.4. The Risk Reduction Leverage

As mentioned above, the three federal regulations were the original Acts in the cybersecurity sector of the USA. The later Acts that were implemented focus on organisations and on how to prevent cyber-crises from occurring. This meant that the REbefore had more technical problems. The non-technical problems, however, were the same in both situations.

The Risk Reduction Costs can be measured in the amount of legislation later added. The relevant Acts that were later added can be seen as incremental changes. This is because of the resilient origin of the Acts: they were implemented after a crisis had occurred, so the federal government had to change the legislation.

Thus, even though multiple Acts were introduced later on, the changes can be seen as incremental. That is why the Risk Reduction Costs is 1.

The RRL in this situation is as follows: REbefore – REafter / RRC = 1 - 1 / 1 = 1. The positive outcome of the RRL means the leverage is high enough to support the new policies. It has also given an insight into the history of policies in the USA, namely that it relies on resilience.

The following table has been created to sum up the above:

Risk Exposure                  1
The Benefits                   2
The Resilience                 1
The Risk Reduction Leverage    1


4.2 The United Kingdom

The legislation on cybersecurity of the United Kingdom rests on four domestic Acts and on several multinational regulations of the European Union. The relevant Acts are as follows:

Domestic legislation

1. The Computer Misuse Act of 1990. This Act specifies what the misuse of technology entails, and identifies hacking as an offence (Government of the United Kingdom, 2019).

2. The Official Secrets Act of 1989. This Act entails the national security strategy of the United Kingdom. The risk or threat of cybersecurity is identified in this Act as a national security issue, and should thus be handled accordingly by governmental officials. In reality this means that whenever there is a breach of cybersecurity on a relatively large scale, the UK government is required to supervise the situation (Government of the United Kingdom, 2019).

3. The Communications Act of 2003. This is the primary legislative source of information regarding what telecommunicators are and are not allowed to do. The telecommunicators are all providers, software- and hardware-creating organisations, and governmental organisations. The same rules apply to both the public and the private sector (Government of the United Kingdom, 2019).

4. The Data Protection Act of 1998. This Act regulates how to obtain, hold, use or disclose information discreetly. The Act describes the implementation of the Data Protection Directive of 1995, which regulates the processing of information relating to individuals (Government of the United Kingdom, 2019).

European Union Regulations

In June 2016, the UK decided to leave the European Union. This situation, called 'Brexit', may have a great impact on the legislation and thus on the way personal data is processed within the UK. In this paper, the UK is still considered a part of the European Union, which means it is bound by the legislation set out below.

5. Privacy and Electronic Communications Regulations of 2003. This regulation is a directive from the European Commission that establishes certain requirements for secure communication. The directive does not distinguish between public and private parties when discussing the obligation to take appropriate technical and organisational measures to safeguard the security of their service. These requirements are to be followed by every member state of the European Union (Government of the United Kingdom, 2019).

6. The General Data Protection Regulation (GDPR) of 2016. In this regulation, the protection of natural persons with regard to the processing of personal data is discussed. Rules are established for the free movement of personal data within the European Union (Government of the United Kingdom, 2019).

4.2.1. The Risk Exposure

The Risk Exposure, or Risk Impact, is measured as Prob(UO) times Loss(UO). To analyse the Risk Exposure, the risk items that make up Prob(UO) and Loss(UO) are identified. These can be separated into two categories: technical and non-technical problems.

Technical problems

The technical problems the UK might face are countered by specifically mentioning what the issues might be. By creating legislation that is clear and transparent, misinterpretations of the Acts and policies can be avoided. This is clearest in the Computer Misuse Act, where the right way to operate and maintain a cybersecurity system is described.

The Data Protection Act deserves a special mention, because of its description of how to store (personal) data in a discreet and secure manner.

However, the Acts do not include measures to be taken when a cyber-crisis occurs. A specification of what to do in different situations would be useful in times of crisis, but is not included. This is because organisations are responsible for resolving their own crises. Only when national security might be in danger does the UK government step in. This is mentioned in the Official Secrets Act.

Non-Technical problems

The UK does handle all the obvious non-technical problems fairly well, by educating both organisations and the public about cybersecurity and the proper use of technology. This minimises the human-error aspect of cybersecurity.

The issue with the legislation of the UK is that it can be quite outdated. The same relevant Acts mentioned above have been in use for over 15 years, with minimal change. In a time when technology is constantly evolving, this might be a risk that the UK is taking.

However, the EU directives help the UK keep up with current technological improvements. The British Acts are incrementally changed because of the EU directives. Nonetheless, there are few signs of new domestic Acts being implemented.

The lack of measures to be taken in the legislation of the UK government creates a viable risk for the cybersecurity sector as a technical problem. Next to this are the non-technical problems: the outdated domestic legislation is updated by the EU directives, which decreases the possible risk. Because of this, the Prob(UO) is 1.

The Loss(UO) is the potential impact that can occur when a risk manifests itself. The measures to be taken in times of crisis are not documented in the Acts and can thus differ per organisation. This means that in a time of crisis, the government cannot be sure what measures an organisation is going to take. This is a considerable risk, which can be avoided by implementing an anticipation strategy. This gives the Loss(UO) for the UK the value of 1.

The Risk Exposure, or risk impact, is thus Prob(UO) * Loss(UO) = 1 * 1 = 1. The impact on the UK if a cybersecurity risk manifests itself would be severe, because of the weaknesses mentioned above.

4.2.2 The Benefits

The great benefit of the UK cybersecurity legislation is its focus on the correct way of operating, maintaining and controlling technological systems. In multiple Acts, different areas of essential systems are named and certain requirements are stated. These requirements have to be met, which preserves security.

Another benefit is that there is no distinction between public and private organisations in the requirements they have to meet. This keeps inspection clear and structured, and one cannot easily deviate from the requirements stated in the Act.

The Benefits show that there are workable and secure systems due to the clear requirements that are set. There are, however, no signs of other gains, so the Benefits score for the UK is 1.

4.2.3 The Resilience

The UK has held onto its domestic legislation for a long time, while adding little increments to the relevant cybersecurity Acts. The only signs of new legislation were the changes that had to be made in order to comply with the EU directives.


4.2.4. The Risk Reduction Leverage

The Risk Reduction Leverage can be measured by comparing the old legislation with the newer legislation. However, the UK did not make considerable changes to its cybersecurity legislation. Therefore it is not possible to measure the REbefore of the UK.

Next to this, the Risk Reduction Costs can be defined, because of the changes the UK had to make due to the EU directives. These small, incremental changes give the RRC a score of 1.

The Risk Reduction Leverage is not applicable to the UK, due to there being no prior legislation on cybersecurity.

Risk Exposure                  1
The Benefits                   1
The Resilience                 0
The Risk Reduction Leverage    N.A.


4.3 The Netherlands

The Netherlands has a separate law regarding cybersecurity, called the Network and Information Systems Security Act (Dutch: Wet beveiliging netwerk- en informatiesystemen). This Act used to be called the Cybersecurity Act, and implements the EU directive 'Network and Information Security'. The following elements of the Dutch legislation on cybersecurity are relevant to this research:

1. Because the legislation is based on the EU directive, the Netherlands must require essential service providers (healthcare providers, for example) and digital service providers to, firstly, take adequate measures to manage security risks, prevent incidents and, if incidents do occur, minimise their consequences. Secondly, the Netherlands has to report serious incidents to the national authority of the CSIRT (Computer Security Incident Response Team) (Nationaal Cyber Security Centrum, 2019).

2. The CSIRT is divided into two separate authorities, one focusing on advice and assistance and the other on supervision and sanctions. This division is made to be more compatible with the existing Dutch division of tasks in other sectors (Nationaal Cyber Security Centrum, 2019). However, when a serious incident occurs, both authorities of the CSIRT have to be informed.

3. Public and private organisations are able to choose their own security systems to protect their data. It is primarily up to the organisations themselves to determine which concrete measures are appropriate and proportionate for them. However, if the Dutch government or the EU decides to change this 'freedom', the organisations have to comply and reconstruct their security systems.

4. The essential service providers and digital service providers have to report all cybersecurity incidents that can impact the continuity of the service. Smaller incidents can be reported to the NCSC (National Cybersecurity Centrum). The NCSC will analyse the situation and report back to the organisation with advice and measures to be taken (Nationaal Cyber Security Centrum, 2019).

Next to this, the Dutch Act called the 'Uitvoeringswet Algemene verordening gegevensbescherming' (AVG) protects natural persons with regard to the processing of data. This Act is part of the implementation of the EU directive GDPR (Nationaal Cyber Security Centrum, 2019).

4.3.1. The Risk Exposure

The Risk Exposure, or Risk Impact, is measured as Prob(UO) times Loss(UO). To analyse the Risk Exposure, the risk items that make up Prob(UO) and Loss(UO) are identified. These can be separated into two categories: technical and non-technical problems.

Technical problems

The main technical problem here is that there is little attention to the measures that can be taken by organisations whenever there is a cybersecurity crisis. It is clearly stated in the legislation that organisations are responsible for handling the crisis if the problem originates in their system. The NCSC, however, does provide these measures. Whenever there is a big enough threat, the organisation has to contact the NCSC and the CSIRT. After analysing the situation, the NCSC and the CSIRT cooperate with the organisation to minimise the impact of the crisis.

Non-Technical problems

The Netherlands does require essential service providers and digital service providers to take adequate measures for the possibility of crises. However, this line in the Act is open to interpretation. The vague language does not create a uniform strategy, which can lead to confusion and different cybersecurity systems.

The other non-technical problem that might occur is that organisations do not report an incident in time to the NCSC and the CSIRT, because they do not wish to be sanctioned. The organisation then proceeds to handle the incident by itself, which can result in an even greater incident if not handled properly.

The fact that the NCSC and the CSIRT are passive in this situation increases the risk.

The Prob(UO) consists of the non-technical problems. The vague language within the legislation and the passive attitude of the NCSC are the reasons the score of the Prob(UO) is 1.

The Loss(UO) also consists of the non-technical problems. The impact of the vague language of the legislation is an insufficient security strategy, which can impact the organisation or government heavily. The chance that an organisation does not want to inform the NCSC and the CSIRT is present, and could also have a great impact on the organisation and the government. The Loss(UO) score is thereby 1.

The Risk Exposure for the Netherlands is Prob(UO) * Loss(UO) = 1 * 1 = 1.

4.3.2. The Benefits

The availability of the NCSC and the CSIRT for advice is a useful tool that organisations can use in times of crisis. The supervising half of the CSIRT also sanctions, and thus keeps an eye on public and private organisations.

Together with the requirement to make adequate measures to decrease the risk of cyber-related incidents, the Dutch legislation provides secure and workable systems.

Netherlands with multiple different security strategies. This helps the development of cybersecurity in the Netherlands, which is a benefit.

The secure systems and the increase in cybersecurity development in the Netherlands give a Benefits score of 2.

4.3.3. The Resilience

The Netherlands does make use of resilience as a strategy to minimise the impact of cybersecurity-related incidents. The NCSC is one example of this. Almost every country has a cybersecurity centre, but it is not always directly related to the government. The NCSC in the Netherlands is part of the Ministry of Domestic Affairs and was brought to life due to a high demand for an advisory body. A few years later, the EU created the CSIRT, which is essentially the same as the NCSC. The difference is that the CSIRT is accountable to the EU, and the NCSC to the Dutch government.

The Netherlands does use Resilience, which gives a score of 1.

4.3.4. The Risk Reduction Leverage

The Netherlands has only one Act on cybersecurity, which contains all the relevant laws and policies. This law had no comparable legislation prior to it, which makes it hard to compare the REbefore and REafter.

The Risk Reduction Costs is measurable, and gives some insight into the changes in the Dutch legislation. The changes applied to this Act are incremental, with small changes and additions over time. The RRC is therefore 1.

This means, however, that the RRL is not applicable to the Netherlands.

Risk Exposure                  1
The Benefits                   2
The Resilience                 1
The Risk Reduction Leverage    N.A.


4.4 Estonia

The Estonian cybersecurity legislation consists of one Act, accordingly called the 'Cybersecurity Act'. The legislation states rules for service providers that make use of technology to support their service. These service providers can be both private and public. They should permanently apply organisational, physical and information technology security measures to prevent and resolve cybersecurity incidents. The mitigation of the impact a cybersecurity incident might have is also the responsibility of the service provider itself (Republic of Estonia, Ministry of Foreign Affairs, 2019).

The Act does not apply to the secret service of Estonia, which means that the processing of state secrets and classified information does not fall under this legislation.

1. The service provider is required to prepare a system risk assessment. In this assessment, a list of risks that might affect the security of the system and the continuity of the service is determined. The severity of the consequences that might occur in the case of a cybersecurity incident is also required in such an assessment. Because the service providers are responsible for resolving the security issue, the risk assessment is necessary. The measures taken to reduce the impact of the cybersecurity incident should be approved by the Estonian government. This risk assessment should always be available to be shown to government officials, and should be updated as frequently as possible.

2. The service provider is required to monitor its own system for malicious behaviour or software compromise. If the service provider hires a third party to administer the system or uses another party to host the system, the service provider itself remains responsible for the application of the security measures in the other party's system.

3. Whenever a cybersecurity incident occurs, the service provider is required to construct sufficient measures that comply with the general security measures of the Estonian government. The results should be documented and reported to the authorities.

4. There is an obligation for a service provider to inform the Estonian Information System Authority immediately, but no later than 24 hours after becoming aware of the cyber incident. This applies to incidents with a significant impact on the security or continuity of the system.

The Act also describes what service providers should regard as a serious threat, and gives directions on how to report the incident.

5. The service provider is required to abide by the international regulation of the EU in processing and transferring data. This is part of the GDPR directive, which protects natural persons (Republic of Estonia, Ministry of Foreign Affairs, 2019).


4.4.1. The Risk Exposure

The Risk Exposure, or Risk Impact, is measured as Prob(UO) times Loss(UO). To analyse the Risk Exposure, the risk items that make up Prob(UO) and Loss(UO) are identified. These can be separated into two categories: technical and non-technical problems.

Technical problems

Because of the clear and transparent Act, all organisations in Estonia are able to read what to do in times of crisis. There are strict requirements on how to operate and maintain the cybersecurity systems, and because of the mandatory risk assessment the measures that can be taken in times of crisis are clear.

Non-Technical problems

Because of the mandatory risk assessment, the required measures on what to do in times of crisis, and the transparency of the Act, there seem to be no obvious non-technical problems either.

This creates the following Risk Exposure: neither risk item, the technical nor the non-technical problems, encountered any risks. Thus the Prob(UO) and the Loss(UO) are both 0.

This gives the following score for the Risk Exposure: Prob(UO) * Loss(UO) = 0 * 0 = 0.

4.4.2. The Benefits

The benefits of the Estonian Cybersecurity Act begin with the transparent and clear writing of the Act itself. There is little room for interpretation, and the instructions are clear on whom one must turn to in times of crisis.

The mandatory risk assessment is a valuable asset. Organisations can protect themselves from risks using the anticipation strategy, as well as creating measures to counter an incident when it does occur.

The Estonian Act also depicts the responsibility in times of crisis. The organisation itself is responsible, but the government will intervene whenever the continuity of the service is in danger. These points give Estonia a Benefits score of 2.

4.4.3. The Resilience

There was no proof of the use of any resilience in the Estonian Cybersecurity Act. This might have been the case, but this information was not available. This makes the Resilience score for Estonia 0.


4.4.4. The Risk Reduction Leverage

The Estonian Cybersecurity Act did not have any comparable predecessors, which makes it hard to compare the REbefore and REafter. The RRL is thus not applicable to the Estonian case.

The changes that were made to the Estonian Act were small and incremental, and mostly ordered by the EU within a directive. This gives Estonia a Risk Reduction Costs score of 1.

Risk Exposure                  0
The Benefits                   2
The Resilience                 0
The Risk Reduction Leverage    N.A.

Table 7 Estonia

4.5 Analysis summary

The following table shows the results of the analysis side by side.

                               USA    UK     The Netherlands    Estonia
Risk Exposure                  1      1      1                  0
The Benefits                   2      1      2                  2
The Resilience                 1      0      1                  0
The Risk Reduction Leverage    1      N.A.   N.A.               N.A.

Table 8, All cases with the acceptable risk indicators

The Risk Exposure shows that all cases but Estonia will suffer an impact once there is a cybersecurity incident. Estonia has the most coverage with its mandatory risk-assessment strategy and transparent legislation, which leaves little room for interpretation.

The other cases suffered from little transparency in the legislation (USA) or from not having adequate measures available for when an incident occurs (all cases).

All but one case seemed to benefit from the legislation on cybersecurity, achieving workable and secure systems as well as other gains. The odd one out was the UK, which had no extra gains linked to the legislation, like an increase in the development of the cybersecurity sector (USA and the Netherlands).

Resilience was present in the cases of the USA and the Netherlands, where there was proof of improvement, albeit incremental. In the cases of Estonia and the UK, there was no proof of resilience. This, however, does not mean that there was no resilience.

The Risk Reduction Leverage was not applicable in most cases; only the USA had legislation that complied. This is partly because of the novelty of the cybersecurity sector, where most legislation is the first of its kind.

The other reason might be that the Risk Reduction Leverage is generally not applicable to governments, because it was designed for private organisations.

The Risk Reduction Leverage did yield the Risk Reduction Costs, which showed the effort that went into new legislation. The RRC was the same in all cases, with a score of 1. This shows us that all governments make use of incremental, small changes in order to adapt to the evolution of technology.

Chapter 5 Conclusion

This research was conducted to answer the following research question:

To what extent does the GDP of a country relate to the perceived acceptable risk in cybersecurity law- and policymaking?

To answer this question, four indicators that represent the concept of acceptable risk were selected. These indicators were formulated as hypotheses, and were used in the analysis of the cybersecurity legislation of the United States of America, the United Kingdom, the Netherlands and Estonia. What follows are the answers to the four hypotheses.

5.1 Answer to (sub) research question(s)

Hypothesis 1: The higher the GDP of a country, the smaller the risk the government takes.

This hypothesis can be rejected on the basis of this research. Estonia, the country with the lowest GDP in this case selection, had the lowest Risk Exposure. This means that it actually took the least risk of all the countries. The case with the highest GDP, the USA, actually took the most risk. The vague language in the legislation left the Acts open to interpretation, and there was little incentive to create measures for during an incident.

Hypothesis 2: The higher the GDP of a country, the greater the benefits are that the government receives.

This research did not show any relation between the GDP of a country and the benefits it gained from having cybersecurity legislation. In fact, all cases were shown to gain benefits from the legislation. This hypothesis should thus be rejected.

Hypothesis 3: The higher the GDP of a country, the more resilient the legislation is.

Resilience was demonstrable in two of the four cases, where new legislation was used to build onto the old legislation. The two other cases did not show any signs of resilience; however, this does not mean that there is no resilience.

This case comparison showed that the countries with the highest and the third highest GDP had resilience. Therefore, no absolute conclusion can be derived from this research, and the hypothesis should be rejected.

Hypothesis 4: The higher the GDP of a country, the higher the risk reduction leverage.

The country with the highest GDP, the USA, was the only country for which the Risk Reduction formula could be used in effect. The RRL was not applicable to the other cases, which leaves little comparison to be made. What follows is the rejection of this hypothesis due to lack of evidence.

All hypotheses have been rejected. What does that mean for the relation between acceptable risk and GDP? Firstly, it shows that there is no demonstrable relation between a high GDP and a low acceptable risk. All countries had some form of acceptable risk, but Estonia took the least risk by implementing new strategies that were unknown to the other countries.

As mentioned earlier, the first two indicators (Risk Exposure and Benefits) were the most important for answering the research question. The Benefits indicator did not show any relation, but the Risk Exposure did. One outcome of the research was that the smaller-GDP countries had more transparent and specific legislation. Both the Netherlands and Estonia named the bodies responsible for the supervision and administration of the cybersecurity legislation. The USA and the UK did not specify these bodies. This preciseness contributes to minimising the risk that a country takes: fewer human errors are made because of differing interpretations, and the right bodies are called on for advice.

This lets us answer the research question: according to this research, smaller-GDP countries take less acceptable risk in cybersecurity legislation.


5.2 Limitations and avenues for further research

Based on the results, it can be said that one of the indicators of acceptable risk, Risk Exposure, provided the necessary methodological framework to answer the research question. The other indicators were disproven or not applicable.

The answer to the Benefits hypothesis seemed obvious: it would be strange if the legislation were not beneficial to governmental and private organisations. This is because it is specifically made to reduce risk, and thus to increase the benefits.

The last indicator, the Risk Reduction Leverage, is a concept from the private sector which is used to measure the relative leverage of a risk. This seemed inapplicable when comparing governmental organisations and their legislation. However, the RRL did contribute to a deeper understanding of the cases.

Another limitation that this research encountered was the choice of a literature study. The researcher tried on 38 different occasions to add interviews to this research, all of which failed due to unwillingness to talk about this subject.

Follow-up research could go into more depth with interviews on the reasoning behind certain legislation, and for example find out whether there were signs of resilience in the creation of the legislation. A case study on a larger scale would be able to generalise the claim made in this research. The next step could be more in-depth research on the reasoning behind the legislation, or a more general overview of all countries in a specific region.


Bibliography

Bergman, K. (2015), Cybersecurity legislation raises concerns for journalists, News Media & the Law, 39, (2), 8.

Boehm, B. (1989), Software risk management, Lecture Notes in Computer Science, 387: 5, Berlin, Heidelberg

CACM Staff (2017), Cybersecurity, Communications of the ACM, 60:4, pp. 20-21

Country economy (1) (2019), United States GDP, retrieved on 9-6-2019 from https://countryeconomy.com/gdp/usa

Country economy (2) (2019), United Kingdom GDP, retrieved on 9-6-2019 from https://countryeconomy.com/gdp/uk

Country economy (3) (2019), The Netherlands GDP, retrieved on 9-6-2019 from https://countryeconomy.com/gdp/netherlands

Country economy (4) (2019), Estonia GDP, retrieved on 9-6-2019 from https://countryeconomy.com/gdp/estonia

Drexel University Information Technology (2019), Federal Laws, retrieved on 9-6-2019 from https://drexel.edu/it/security/policies-regulations/fed-laws/

Finkle, J. & D. Volz (2015), Database of 191 million U.S. voters exposed on Internet: researcher, retrieved on 9-6-2019 from https://uk.reuters.com/article/us-usa-voters-breach-idUKKBN0UB1E020151229

Fischhoff, B., S. Lichtenstein, P. Slovic, S.L. Derby & R.L. Keeney (1983), Acceptable Risk, Cambridge: Cambridge University Press.

Government of the United Kingdom (2019), Minimum Cyber Security Standard, retrieved on 9-6-2019 from https://www.gov.uk/government/publications/the-minimum-cyber-security-standard

Homeland Security (2019), Cybersecurity, retrieved on 9-6-2019 from https://www.dhs.gov/topic/cybersecurity

Janger, E. J. & P.M. Schwartz (2001), The Gramm-Leach-Bliley Act, information privacy, and the limits of default rules, Minnesota Law Review, 86, 1219-1260.

Kettemann, M. C. (2019), 'This is not a drill': international law and protection of cybersecurity, in Research Handbook on Human Rights and Digital Technology, Edward Elgar Publishing.

Nationaal Cyber Security Centrum (2019), Wetgeving cybersecurity, retrieved on 9-6-2019 from https://www.ncsc.nl/actueel/dossiers/wetgeving-cybersecurity.html

Nosowsky, R. & T. J. Giordano (2006), The Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rule: implications for clinical research, Annual Review of Medicine, 57, 575-590.

Paulsen, C., E. Mcduffie, W. Newhouse & P. Toth (2012), NICE: Creating a Cybersecurity Workforce and Aware Public, IEEE Security & Privacy, 10(3), 76-79.

Republic of Estonia, Ministry of Foreign Affairs (2019), Cyber Security, retrieved on 9-6-2019 from https://vm.ee/en/cyber-security

Rid, T. (2012), Cyber War Will Not Take Place, Journal of Strategic Studies, 35(1), pp. 5-32.

Rohlfing, I. (2012), Case Studies and Causal Inference: An Integrative Framework, Palgrave Macmillan.

Ross, R., S. Katzke & P. Toth (2005), The new FISMA standards and guidelines changing the dynamic of information security for the federal government, MILCOM 2005 - IEEE Military Communications Conference, pp. 864-870.

Roux-Dufort, C. (2007), Is Crisis Management (Only) a Management of Exceptions?, Journal of Contingencies and Crisis Management, 15(2), pp. 105-114.

Skinns, L., M. Scott & T. Cox (2011), Risk (Darwin College Lectures, 24), Cambridge, New York: Cambridge University Press.

Wildavsky, A. (1988), Searching for Safety, Piscataway: Transaction Books.

Wolke, T. (2017), Risk Management, Berlin, Boston: De Gruyter Oldenbourg.

Wolter, D. (2013), The UN Takes a Big Step Forward on Cybersecurity, Arms Control Today, 43(7), 25.

Yin, R. K. (2003), Case Study Research - Design and Methods, Thousand Oaks: Sage Publications.

Zhang & Chu (2011), Risk prioritization in failure mode and effects analysis under uncertainty, Expert Systems With Applications, 38(1), 206-214.
