
Cyber crime: Can a standard risk analysis help in the challenges facing business continuity managers?

Danny Vande Putte* and Marc Verhelst**

Received (in revised form): 28th October, 2013

National Bank of Belgium, De Berlaimontlaan 14, 1000 Brussels, Belgium
*Tel: +32 2 221 4629; Fax: +32 2 221 3131; E-mail: [email protected]
**Tel: +32 2 221 3419; Fax: +32 2 221 3131; E-mail: [email protected]

Journal of Business Continuity & Emergency Planning, Vol. 7 No. 2, pp. 126–137, © Henry Stewart Publications, 1749–9216

Danny Vande Putte is a civil engineer in electromechanics. Since 2006, he has been responsible for business continuity management (BCM) at the National Bank of Belgium. Since 2011, he has also been responsible for the operational issues of the Belgian financial sector. He has been a member of the European System of Central Banks BCM task force since 2008 and in 2012 took over as its chairman.

Marc Verhelst is a commercial engineer who graduated in finance and management. Since 2006, he has become a key actor in operational crisis management for the Belgian financial sector. He is also a member of the European System of Central Banks BCM Task Force.

ABSTRACT

Risk management has never been easy. Finding efficient mitigating measures is not always straightforward. Finding measures for cyber crime, however, is a really huge challenge because cyber threats are changing all the time. As the sophistication of these threats is growing, their impact increases. Moreover, society and its economy have become increasingly dependent on information and communication technologies. Standard risk analysis methodologies will help to score the cyber risk and to place it in the risk tolerance matrix. This will allow business continuity managers to figure out if there is still a gap with the maximum tolerable outage for time-critical business processes and if extra business continuity measures are necessary to fill the gap.

Keywords: cyber risk, cyber threat, cyber crime, risk analysis, risk taxonomy, business continuity management

INTRODUCTION

Risk management has never been easy. Identifying measures to mitigate risks is one thing, but finding efficient mitigating measures that can be justified with cost-benefit analysis is much more complicated. Cyber crime and cyber threat, however, represent a really huge challenge for management and IT security experts because the criminals’ techniques and threats are changing all the time. As the sophistication of cyber crime increases, so too does its potential impact on business. This means that cyber crime is also a huge concern for business continuity managers.

Cyber crime is an increasingly common way of stealing, threatening and blackmailing organisations all over the world. It is affecting the integrity, the confidentiality and/or the availability of the IT environment of organisations. General risk analysis methodologies can be used to make a complete cyber risk cartography. This cartography is vital for business continuity managers to judge whether current cyber risk mitigation measures are compliant with the risk tolerance of the organisation.1

Cyber crime affects the confidence that customers, professionals and government demonstrate towards the organisation. This means that although the organisation’s corporate and financial objectives are not the direct target, they are nonetheless at significant risk. There is even a potential risk of the organisation going bankrupt.

Many preventive measures can be taken to tackle the root causes of cyber crime. But business continuity managers are particularly interested in knowing what measures can be taken to limit the loss of IT systems, documents and data in the case of a cyber incident.

Society and its economy have become increasingly dependent on information and communication technologies (ICT). This dependence has grown even further because many critical and crucial business processes are provided through solutions using IT systems and web connections. Managing these business processes often means managing huge databases with crucial and confidential data and having access to a lot of crucial and confidential documents.

In addition, many industrial processes are also controlled, monitored and managed by ICT. Complex systems, equipment and technologies, indispensable for the management of industrial processes, are linked up and are able to communicate, coordinate, cooperate and take action without the need for human intervention. These machine-to-machine applications are also common in critical infrastructure sectors. The availability and effectiveness of complex IT systems has become crucial for the operation of critical infrastructures such as energy, water, transport, finance and the health sector.

Clearly, if these sectors’ ICT infrastructures are damaged or unavailable, intentionally or not, it can have significant consequences for individuals, organisations, the economy and society as a whole. As a result, a safe internet that is available 24 hours per day and seven days per week is essential.

Even if business managers have developed contingency measures that do not use ICT systems, these measures will only be able to guarantee the service that customers and stakeholders are expecting for a very short time. Often, business continuity plans, which are necessary to effect after the disaster has occurred, will depend on ICT tools.

In other words, cyber risk cannot be ignored by business continuity managers. This paper will try to demonstrate that, whatever the originality of cyber threats and cyber crime, a general risk approach (such as that of ISACA2 or the Information Security Forum3), based on a general risk taxonomy, general impact and likelihood scoring tables, is very helpful for business continuity managers to deal with today’s cyber risks. This paper is based on the authors’ knowledge and experience with operational risk management and business continuity management (BCM) acquired during their daily responsibilities at the National Bank of Belgium. In respect of the confidentiality rules of the bank, precise details about the cyber risk analysis of the bank cannot be given in this paper.

CYBER CRIME IS EFFECTIVE: SOME EXAMPLES

In the last ten years, cyber crime has become an increasingly common way of stealing, threatening and blackmailing organisations the world over. The following are some examples:

• A significant number of PCs, essentially private consumers’ computers, have been frozen by ransomware viruses, demanding money in order to unlock the computers.

• Companies are also victims of this kind of cyber blackmailing. For example, one banking institution has been affected by cyber crime and the criminals claimed a financial ransom from the bank in order not to make public the clients’ data they had stolen.

• Over the last five years, there have been several waves of online banking attacks. Recent attacks have been based on Trojan horses, botnets, phishing websites and social engineering. Botnets (affected networks or groups of infected computers4) constitute the infrastructure used by cyber terrorists for such illegal activities as distributing spam, company and customer spying, execution of fraudulent transactions, server sabotage and systems interruption or destruction through distributed denial of service (DDoS) attacks.

• Nowadays, it is not difficult to become a cyber criminal. Even people operating on their own can do it. The knowledge and tools needed for cyber attacks are easy to find on the web. With limited tools, the internet allows spying, sabotage, subversion, terrorism, propaganda and military cyber operations. Current technology even allows criminals to hide their identity so that supervision and control by the authorities becomes difficult or impossible.

• New threats are now rising, such as mass hacktivism for political and ideological reasons aimed at publishing confidential information. Hacktivism capitalises on social media and networking and is extremely fast, leaving little time for response. In general, cyber hacktivist groups do not have a formal structure; they can, however, benefit from an umbrella brand name such as Anonymous. For example, in early 2012, a world steel group became the most noteworthy victim of a group ostensibly affiliated to this hacker network. Since then, many other hacktivists have used the same techniques.

• Other recent developments include cyber spying for economic and political reasons. The spies try to steal strategies, patents and data stocks in big companies (oil and energy companies, financial institutions, etc) as well as in various centralised departments in every country. In general, this spying goes undetected for months or years and it is not known precisely what information has been stolen.

• One last cyber crime development is the destabilising or immobilising of critical and essential infrastructures. Specific malwares allow systems and data to be managed from outside or enable some industrial facilities to be sabotaged. This type of cyber warfare can be targeted at national authorities. For example, in 2012, the Sality.gen computer virus affected the central administration and the control offices of a public service. The origin of this attack still remains unclear. A second example is in April 2009, when hackers managed to enter the US electricity network with the power to influence the national network. In May 2012, the super spy virus Flame was discovered. Flame had infected more than 1,000 computers in the Middle East, with victims including governmental organisations, educational institutions and private individuals, and was able to steal passwords and take possession of microphones and Skype conversations.

On 21st December, 2012 the European Council of Ministers approved the idea of developing a national cyber strategy.5

National computer emergency response teams (CERTs) and a European CERT were set up to this end. The European Cyber Security Directive6 requires all companies managing critical networks (energy, banks, health) to report every IT cyber incident that has affected their normal functioning. This is certainly not the end of the story; for example, in February, 2013, the European Commission tabled a proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the EU.7 One of the main conclusions of the international conference organised by the European Union Agency for Network and Information Security in September 2013 was that there is a strong call for better cooperation within and between public and private sectors as the challenges faced are strikingly similar.

CYBER RISK ANALYSIS IN THE GENERAL RISK APPROACH

Cyber crime is appearing under the guise of many different kinds of incidents:

• with a wide variety of consequences and impacts affecting the integrity, confidentiality and/or availability of IT systems, documents and data;

• with a wide variety of targets, from private people to private and public organisations.

Instead of developing specific risk analysis models and taxonomies for cyber risks, however, it is worth trying to use the general risk model accepted for the whole organisation and all business processes. This is the only mode of operation guaranteeing an efficient and coherent risk analysis for cyber risks and ensuring that the correct risk procedure will be followed when the management has to decide which risk mitigation measures to implement in the cyber threat and crime domain.

A very common risk model is shown in Figure 1. The figure shows the three main risk domains: confidentiality, integrity and availability (also known as the CIA Triad).8

If these are related to the three domains of information security, the definitions can be narrowed as follows:

(1) Confidentiality is the assurance of documents and data privacy. Only the intended and authorised recipients may read the documents and data. Disclosure to unauthorised entities, for example, using unauthorised network sniffing, is a confidentiality violation.

(2) Integrity is the assurance of non-alteration of documents or data. Document and data integrity is ensuring that the information has not been altered during transmission, from origin to recipient, and during storage.

(3) Availability is being sure of the timely and reliable access to documents and data services for authorised users. It ensures that information or resources are available when required.

If one tries to analyse an incident, one can look both upstream and downstream:

• Looking upstream means trying to find out what the possible root causes may be or, after the incident has occurred, what the root causes were, which may be easier.

• Looking downstream means trying to see what impact can be expected during and after the incident.

Keeping in mind this relationship between root causes (the underlying reasons why a risk event occurs), the incident itself and the possible impact of the incident on the organisation is fundamental to the success of the risk analysis.

RISK TAXONOMY

People often imagine a great number of root causes for incidents. Perhaps, during their risk analysis, line managers will be too inventive, resulting in a chaotic list of possible root causes. Brainstorming sessions are a good forum for risk analysis, but to help business managers analyse the root causes of an incident in a structured way, it is practical to classify root causes in the form of a risk taxonomy.9 This classification also helps to avoid some root causes getting insufficient attention or even being forgotten. The following are examples of typical classifications:

• Staff: Are they well qualified, sufficient in number, correctly managed, motivated, applying the ethics and policies of the organisation, permanent or temporary staff?

• Governance of the organisation: Is its strategy risk averse or risk-taking? What is the willingness to be legally compliant?

• The kind of business processes with which the organisation is involved: Does the organisation have to deal with operational processes, with project management or support services like facilities, security, etc?

• The use of and dependence on IT systems and other infrastructures: Considerations include buildings, offices, specific technical installations, etc.

• External events: For example, human (cyber) threats and natural catastrophes.

It is clear that all these aspects have to be taken into account when thinking about the root causes for cyber crime incidents.

Listing the kind of incidents that can happen is often an easier way of starting a risk analysis. During a brainstorming session, asking the question ‘what kind of incidents can happen in your business entity?’ will result in a plethora of incidents. But it can also be very helpful for business managers to use the organisation’s taxonomy and to carry out the analysis according to a classification of incidents. Examples of a typical classification comprise human error, human failure, occupational incidents, infrastructure disruptions, fraud, disasters and attacks.

Figure 1: Common risk model

In cyber crime, most incidents can be classified as human failure in the application of security measures, infrastructure disruptions caused by the cyber criminal, internal fraud that helps cyber criminals to prepare their attacks and massive attacks from the outside, all simply aimed to hurt the organisation.

The impact of an incident can be classified into three different dimensions: achieving (or not achieving) business objectives, reputational damage and the financial situation of the organisation. To estimate the financial impact of an incident, both the direct and indirect impact must be considered. Stealing money from a bank by either a ‘classic’ robbery or via cyber crime will have a direct impact on the financial situation of the bank. An incident damaging the reputation of a company, eg a very controversial declaration by the CEO, will have no direct financial impact, but it can be the reason why customers lose their confidence in the company, with a huge impact on sales, which will surely have a negative influence on the company’s financial results.

These three impact dimensions are definitely applicable in for-profit companies. But non-profit organisations and public organisations cannot disregard risk analysis either. The documents and data they receive, transmit and store often contain confidential information and they have to guarantee this confidentiality. Facing a confidentiality breach would probably mean them losing their reputation, being stigmatised and criticised by the public or their ‘clients’. In these circumstances, a possible consequence is for the whole board to be fired. Non-profit organisations and public administrations, whatever their non-profit objectives, have to accomplish their mission and deliver their goods and services to the public and professionals on time. As such, they must also analyse the need for business continuity plans in case of cyber attacks.

THE DIFFERENCE LIES IN THE TAIL

Business continuity professionals know that with threats such as natural disasters, terrorist attacks with classic explosives, mass disease epidemics and huge fires and explosions, their stakeholders will not necessarily blame them if they see that the business continuity measures guarantee only a minimum service. Cyber crime, however, seems to produce a different reaction from stakeholders, and blame might well be laid at the door of the business continuity professionals even if the only result of a cyber attack is a temporarily reduced service level.

Theft of data, information or electronic money will directly affect the financial situation of the organisation. This can be organised by cyber terrorists through social engineering (false web friends, for example), through malware on customers’ computers, phishing or identity theft. Phishing can take the form of e-mails requesting personal information or even phone calls asking for personal data. In essence, the organisation has done nothing wrong, but when it is known by the public that customers’ money has been stolen via the organisation’s ICT infrastructure, it can result in the public and media blaming the organisation for carelessness. This, in turn, can damage its reputation in such a way that other customers also lose their confidence in the organisation, with a subsequent impact on its business and financial objectives.

A confidentiality breach will certainly affect the organisation’s reputation first and this could result in a loss of confidence among its clients, public or professionals, who might stop doing business, with a predictable impact on the organisation’s financial situation.

When a cyber terrorist successfully breaks into internal IT systems, they can surely cause system, application or data storage unavailability. But even worse, the cyber terrorist can paralyse the IT environment from outside, even without entering it, by using the technique of a DDoS attack. Even if the public or the media cannot blame the organisation for being the victim of such an attack, the attack may still have a lasting impact on business objectives and income, as well as damaging its reputation over a longer period.

IMPACT SCORING TABLES

Other important elements of the risk taxonomy are the impact and likelihood scoring tables. The scoring tables usually comprise five levels (see column 1 of Table 1). Some organisations prefer more levels for a more granular score. This can be useful if the line management can rely on adequate information during the risk analysis to make the right distinction between the different levels. Three levels seems to be easy but is probably inadequate for making a good selection between the ‘must have’ and ‘nice to have’ mitigation measures.

A scoring table for business objectives will depend on the kind of business in which the organisation or company is involved. For a central bank, score 5 will be given for a total failure in delivering statutory tasks, such as regulating the liquidity of the financial markets. Score 1 is given when only internal expectations are not achieved.

Creating a scoring table for reputation damage is certainly achievable, but scoring the reputation damage depending on the kind of possible incident will be a very difficult job. As reputation damage is, in principle, highly intangible, there could be a very big difference in scoring intentions between the board, line managers and risk managers. Nevertheless, the organisation must also still have a taxonomy for this impact. For instance, level 1 means that the credibility of the organisation is affected for only a short time, perhaps just a few days, and level 5 means that the credibility is affected for years.

A financial impact scoring table is rather simple: level 1 is worth a certain amount of money; level 2 is, for example, worth ten times more; and so on, up to level 5.

THE LIKELIHOOD OF AN INCIDENT

The final taxonomy to define in this general risk model is the scoring table for the likelihood of an incident happening. For some incidents, such as natural disasters, historical data can be found to estimate the realistic likelihood of a disaster occurring. For some incidents, such as terrorist attacks, historical data might not exist in the organisation because it has never been the victim of that kind of attack.

Table 1: Impact and likelihood scoring table

Score | Level of availability of the business | Reputation affected for | Financial loss (€) | Likelihood if incident occurs
5 | Service no longer available | >3 years | >10m | Every year
4 | Only partial service available | 1–3 years | 1–10m | Every 1–2 years
3 | Service available but quality not guaranteed | 3 months–1 year | 100,000–1m | Every 2–5 years
2 | Service delivery could be affected | 1 week–3 months | 10,000–100,000 | Every 5–10 years
1 | Service quality could be affected | <1 week | <10,000 | Max every 10 years

Conversely, for cyber crime, it is likely that incidents have happened and the threat is constantly growing. But these observations do not help to correctly score the likelihood of a cyber incident and to determine which extra mitigation measures are worth implementing and which are not.

A solution to the lack of historical data for scoring or estimating the likelihood of the threat is by taking a ‘qualitative approach’. The following facets can be taken into consideration for a qualitative approach to cyber crime: what skills are needed? (sometimes very few because the tools are available on the internet); is collaboration needed? (eg with internal staff); are the actions easy to trace to the origin? (some tools can wipe out traces); how much time is needed to commit the crime? (cyber criminals have time, their servers are probably up and running permanently); must the cyber criminal invest a lot of money? (a PC is enough to develop and initiate some attacks).

A quick reflection on these qualitative aspects (see the expressions between parentheses) leads to the conclusion that the likelihood of cyber crime success will range between several times a year for organisations that are not well protected and once every two to five years for organisations using state-of-the-art protection measures.

MAKING THE LINK BETWEEN THE CYBER RISK ANALYSIS AND THE BCM SYSTEM

In general, an organisation can try to avoid, mitigate or transfer risks. Avoiding the risk by not doing business or not using the IT infrastructure at risk is surely no valid measure for mitigating cyber crime. The same goes for trying to transfer the risks to a third party. As such, an organisation must undertake a large number of measures to mitigate cyber risks — some to limit the likelihood, others to limit the impact.

As Figure 1 shows, risk control and mitigation measures can be developed for each step of a risk event.

For example, the root causes of many cyber risks linked to employees and affecting the integrity of stored data can be mitigated by ensuring that all employees are aware of cyber threats10 and know how to apply the security guidelines consciously.

The likelihood of an incident occurring can be lowered by installing and maintaining powerful firewalls or by encrypting confidential data during transmission and storage.

The impact of penetration by a hacker can be limited by segregating the internal networks so that penetration on one part of the network does not necessarily affect another. The affected network segment should easily be isolated from the rest of the system in order to carry out the necessary investigations and cleaning operations. This also resolves business continuity matters because it prevents the complete cessation of business activities as a result of shutting down the entire network.

The result of the cyber risk analysis will place the cyber risks and threats on the risk tolerance matrix, as shown in Figure 2. If the explained methodology is followed, the place in the risk tolerance matrix takes into account all the existing measures. The risk tolerance policy of the organisation can, for example, say that red residual risks have to be accepted by the executive board, yellow by the head of division and green can be the responsibility of the line manager.

For a cyber risk situated in the red zone, it could be that the board cannot accept this residual risk and decides to implement extra mitigation measures suggested by the IT experts in an attempt to lower the residual risk. Lowering the residual risk can mean lowering the possible impact or the likelihood, or lowering both. On the other hand, as cyber crime is evolving all the time, it could be that a cyber risk mitigated by a number of measures shifts from a green zone (acceptable) to a yellow or even red zone and that new action plans for new measures will be needed.

Taking into account the possible success rate of cyber criminals, it is certainly too optimistic to hope that all the residual cyber risks will be situated in the green zone. It is evident that, without business continuity plans, a number of residual cyber risks will be situated in the red zone because of the impact that the cyber attack can have on the availability of the time-critical business processes. In other words, business continuity plans will be necessary to limit the impact of cyber incidents to an acceptable level.

One of the cornerstones of the BCM system is the list of maximum tolerable outages (MTOs) of the time-critical processes. This paper will not elaborate further on how these MTOs can be established as many possible methodologies are described in BCM best practices (eg those of the Business Continuity Institute). Most of the time they are determined via an inherent risk analysis of the unavailability of the business process.

For critical actors of the financial system (banks, payment systems and settlement systems) a lot of business processes will be considered as very time-critical with short MTOs. MTOs of two and four hours are not unusual.

The next step is to link the MTOs of the business processes to the recovery time objectives (RTOs) of the critical resources that are needed for the execution of these business processes. One of the critical resources necessary for almost every business process will be IT systems, IT tools, applications and databases.

The standard business continuity measures needed to recover the above-mentioned IT components within a short time comprise implementing high-availability protocols that can rely on two similar systems each capable of delivering 100 per cent of the output without any single point of failure, and network architectures and system hardware ensuring system reliability and robustness. Business continuity managers are not necessarily IT experts, but if they try to understand the capabilities of these standard business continuity measures implemented by IT colleagues, they will very quickly understand that, because of the nature of cyber threats and cyber crime, these measures will not guarantee that the organisation will be able to recover, faster than the desired RTO, the IT environment for the time-critical processes.

Figure 2: Risk tolerance matrix
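The scoring bands of Table 1, the red/yellow/green placement on the risk tolerance matrix and the MTO/RTO link described in the preceding sections, worked through in code. This is an added example, not code from the paper or from the National Bank of Belgium: the treatment of band edges, the rule that the worst impact dimension drives the impact score, the matrix thresholds and the two DDoS scenarios are all assumptions or constructed figures chosen for illustration.

```python
# Added example (not from the paper): score one cyber risk scenario with the
# Table 1 bands, place it on a red/yellow/green risk tolerance matrix and
# check the MTO/RTO gap that decides whether extra BCM measures are needed.
from dataclasses import dataclass

WEEK_DAYS = 7
MONTH_DAYS = 30
YEAR_DAYS = 365


def score_reputation(days_affected: float) -> int:
    """Reputation column of Table 1: how long credibility is affected.
    Band edges are taken as lower-bound inclusive (an assumption; the paper
    does not say which score a value on a boundary gets)."""
    if days_affected > 3 * YEAR_DAYS:
        return 5
    if days_affected >= YEAR_DAYS:
        return 4
    if days_affected >= 3 * MONTH_DAYS:
        return 3
    if days_affected >= WEEK_DAYS:
        return 2
    return 1


def score_financial(loss_eur: float) -> int:
    """Financial loss column of Table 1, in euros (same edge convention)."""
    if loss_eur > 10_000_000:
        return 5
    if loss_eur >= 1_000_000:
        return 4
    if loss_eur >= 100_000:
        return 3
    if loss_eur >= 10_000:
        return 2
    return 1


def score_likelihood(years_between_incidents: float) -> int:
    """Likelihood column of Table 1, from the expected interval between
    successful incidents (every year -> 5 ... max every 10 years -> 1)."""
    if years_between_incidents <= 1:
        return 5
    if years_between_incidents <= 2:
        return 4
    if years_between_incidents <= 5:
        return 3
    if years_between_incidents <= 10:
        return 2
    return 1


def zone(impact: int, likelihood: int) -> str:
    """Place a risk on the tolerance matrix of Figure 2. The paper does not
    publish its thresholds; these products are an assumption chosen only to
    illustrate the escalation rule (board / head of division / line manager)."""
    product = impact * likelihood
    if product >= 15:
        return "red"      # residual risk must be accepted by the executive board
    if product >= 8:
        return "yellow"   # head of division
    return "green"        # line manager


def bcm_gap_hours(mto_hours: float, rto_hours: float) -> float:
    """Hours by which the IT recovery time objective overshoots the maximum
    tolerable outage of the process; 0 means existing measures suffice."""
    return max(0.0, rto_hours - mto_hours)


@dataclass
class CyberScenario:
    name: str
    availability_score: int       # descriptive Table 1 level, given directly
    reputation_days: float
    loss_eur: float
    years_between_incidents: float
    mto_hours: float              # maximum tolerable outage of the process
    rto_hours: float              # RTO of the IT resources it depends on


def assess(s: CyberScenario) -> dict:
    """Full pass: impact = worst of the three dimensions (assumption), then
    the matrix zone, then the BCM gap for the time-critical process."""
    impact = max(s.availability_score,
                 score_reputation(s.reputation_days),
                 score_financial(s.loss_eur))
    likelihood = score_likelihood(s.years_between_incidents)
    gap = bcm_gap_hours(s.mto_hours, s.rto_hours)
    return {"scenario": s.name, "impact": impact, "likelihood": likelihood,
            "zone": zone(impact, likelihood), "bcm_gap_hours": gap,
            "extra_bcm_measures_needed": gap > 0}


# Constructed scenarios (illustrative figures, not the bank's own data).
DDOS_UNPROTECTED = CyberScenario(
    "DDoS on payment gateway, basic protection",
    availability_score=4, reputation_days=60, loss_eur=500_000,
    years_between_incidents=1.5, mto_hours=4, rto_hours=6)
DDOS_PROTECTED = CyberScenario(
    "DDoS on payment gateway, state-of-the-art protection",
    availability_score=4, reputation_days=60, loss_eur=500_000,
    years_between_incidents=4, mto_hours=4, rto_hours=2)

if __name__ == "__main__":
    for sc in (DDOS_UNPROTECTED, DDOS_PROTECTED):
        print(assess(sc))
```

The two scenarios differ only in the qualitative likelihood estimate and in the RTO of the IT layer: the poorly protected one lands in the red zone with a two-hour gap between MTO and RTO, so the board would have to either accept the residual risk or fund extra business continuity measures; the well-protected one drops to yellow with no gap.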

To reflect further on possible business continuity plans for cyber threats, incidents and attacks, examples are given of three types of cyber crime affecting the availability of the business processes:

(1) A cyber attack blocking access from and to the internet cloud, typically DDoS attacks. All the internal IT systems, tools, applications and databases are in working order, but the employees cannot communicate with the outside world and clients cannot contact the organisation.

(2) A cyber attack where the cyber criminal succeeds in penetrating the IT systems and is able to erase and destroy important parts of the operating system, tools, applications and databases.

(3) A cyber attack where the cyber criminal succeeds in penetrating the IT systems without the intention to erase or destroy, but to steal or alter information in documents or databases.

BUSINESS CONTINUITY PLANS TO TACKLE THESE CYBER-ATTACKS

Often, business continuity plans foresee what can be called temporary contingency measures by using ‘old-fashioned’ manual procedures on paper. But it is well known that these manual procedures, sometimes started in a time frame shorter than the RTO, will allow staff to perform only the most essential tasks really necessary immediately after the disaster has occurred.

Because organisations depend so heavily on IT systems, the IT environment has to be available very quickly in order to guarantee the minimum service an organisation wants to offer its stakeholders before the MTO is exceeded, even after a major incident has occurred.

Different IT tools exist to limit the impact of type 1 cyber attacks. These tools try to block, divert or wipe out criminal traffic that is trying to consume all of the bandwidth connecting the organisation’s IT infrastructure with the internet. Another (old-fashioned) business continuity plan (BCP) for the most time-critical business processes is to use private networks, like SWIFT in the financial sector. Applying different network technologies, and trying to have at least one network technology that is independent from the internet, can also be a great help.

For a type 2 cyber attack, the main BCP will be to have the backups of the operating systems, tools, applications and databases on tapes, CDs or other independent offline support media, which cannot be directly addressed by the cyber criminal. These backups must be in such a format that they allow start-up from scratch in a shorter time than the MTO of the most time-critical business processes.
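The MTO-to-RTO comparison described earlier, and the way a type 1 or type 2 attack changes the effective recovery time of a resource that a high-availability design would otherwise bring back in minutes, can be made concrete with a small model. The following Python script is an added example, not code from the paper or from the authors' organisation; every process name, resource name, MTO, RTO and the green/amber/red threshold is a constructed assumption chosen to illustrate the method, not a figure from the paper.

```python
"""MTO/RTO gap check per cyber scenario (added example, constructed data).

Each resource carries the RTO its standard HA design delivers for a hardware
or site failure, plus optional overrides for cyber scenarios in which that
design gives no protection (both cluster nodes wiped, internet link saturated).
A process is recovered no sooner than its slowest critical resource, and the
result is placed in a simple risk tolerance matrix against the process MTO.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Resource:
    """Critical IT resource with its recovery time objective (RTO) in hours."""
    name: str
    baseline_rto_h: float                                   # what HA/redundancy delivers for a classic failure
    scenario_rto_h: Dict[str, float] = field(default_factory=dict)  # overrides per cyber scenario

    def rto(self, scenario: str) -> float:
        return self.scenario_rto_h.get(scenario, self.baseline_rto_h)


@dataclass
class Process:
    """Business process with its maximum tolerable outage (MTO) in hours."""
    name: str
    mto_h: float
    depends_on: List[str]


def effective_rto(process: Process, resources: Dict[str, Resource], scenario: str) -> float:
    """A process is back no sooner than the slowest resource it depends on."""
    return max(resources[r].rto(scenario) for r in process.depends_on)


def zone(mto_h: float, rto_h: float, amber_margin: float = 0.25) -> str:
    """Place the residual availability risk in a tolerance matrix.

    Thresholds are an assumption for this example: red when recovery takes
    longer than the MTO, amber when it consumes more than 75% of the MTO.
    """
    if rto_h > mto_h:
        return "red"
    if rto_h > (1.0 - amber_margin) * mto_h:
        return "amber"
    return "green"


def gap_report(processes: List[Process], resources: Dict[str, Resource],
               scenario: str) -> Dict[str, Tuple[float, float, str]]:
    """Map each process to (MTO, effective RTO, zone) for one scenario."""
    report = {}
    for p in processes:
        rto_h = effective_rto(p, resources, scenario)
        report[p.name] = (p.mto_h, rto_h, zone(p.mto_h, rto_h))
    return report


def measures_needed(processes: List[Process], resources: Dict[str, Resource],
                    scenarios: List[str]) -> List[Tuple[str, str, float]]:
    """(process, scenario, shortfall hours) wherever the residual risk is red,
    i.e. where extra business continuity measures are required."""
    out = []
    for s in scenarios:
        for name, (mto_h, rto_h, z) in gap_report(processes, resources, s).items():
            if z == "red":
                out.append((name, s, rto_h - mto_h))
    return out


# Constructed sample data (hours); assumptions, not figures from the paper.
RESOURCES = {r.name: r for r in [
    Resource("core_banking_db", 0.5, {"type2_destructive": 12.0}),  # HA pair, but rebuilt from offline tape after a wipe
    Resource("payment_app", 0.5, {"type2_destructive": 8.0}),       # reinstalled from offline media after a wipe
    Resource("internet_link", 0.25, {"type1_ddos": 6.0}),           # assumed time to get DDoS mitigation in effect
    Resource("swift_network", 0.5),                                 # private network, untouched by an internet DDoS
]}
PROCESSES = [
    Process("interbank_settlement", 2.0, ["core_banking_db", "payment_app", "swift_network"]),
    Process("client_web_portal", 4.0, ["core_banking_db", "internet_link"]),
]
SCENARIOS = ["hardware_failure", "type1_ddos", "type2_destructive"]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(s)
        for name, (mto_h, rto_h, z) in gap_report(PROCESSES, RESOURCES, s).items():
            print(f"  {name:22s} MTO {mto_h:>4.1f} h  RTO {rto_h:>4.1f} h  {z}")
    print("extra BC measures needed:", measures_needed(PROCESSES, RESOURCES, SCENARIOS))
```

Running the script prints, per scenario, the MTO and effective RTO of each process with its zone. With the constructed data, everything is green for an ordinary hardware failure, the client portal turns red under a type 1 attack (the private SWIFT path keeps settlement green), and both processes turn red under a type 2 attack because the offline restore of the database takes far longer than either MTO. The `measures_needed` list is the set of cases for which the paper's argument applies: the standard HA design does not close the gap, so extra business continuity measures are required.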

With type 3 cyber attacks, it could be reasoned that, notwithstanding that integrity and confidentiality are important notions in the field of risk analysis and risk mitigation measures, business continuity plans are not needed for such cyber attacks because availability is not affected. Knowing that it can take a long time to detect this kind of cyber crime, which means that the cyber criminal has had a long time to penetrate the IT environment deeply, the IT security experts will probably suggest that the whole IT environment is isolated from any external access in order to analyse the degree of penetration and infection. To make it even more complicated, they will probably not guarantee the time needed for the disinfection, which could take hours, days or even weeks, as a result of the complexity of the cyber crime.

As mentioned earlier, network segregation can help as, first, it makes it more difficult for the cyber criminal to penetrate the whole IT environment. Secondly, the isolation, enabling analysis and cleansing, can be organised in layers and will not mean the unavailability of all the business processes at the same time.

Another option to consider is reopening the connections to the internet for the most time-critical business processes while the IT experts are not yet fully convinced that all traces of the cyber attack have been cleaned. This means that one cannot exclude the possibility that, for example, the malware will restart its operation and reinfect the IT environment. Only very intensive monitoring of the IT environment and very specialised support from IT security experts will convince the board to take a decision that carries that kind of uncertainty.

CONCLUSION

Society, in general, and its economic processes, in particular, have become more and more dependent on ICT. Many complex business processes are linked together, and many emergency solutions also use the same IT tools.

This implies that increasing importance is given to incidents that could affect these IT systems. Cyber threats and cyber crime are important root causes. Cyber risk is not a matter for tomorrow: cyber crime is already a reality. Recent examples in the field of cyber blackmailing, Trojan horses or botnet attacks, phishing cases or mass hacktivism prove that the cyber war is taking place with both economic and political objectives.

Standard risk analysis methodologies will help to score the cyber risk and place it in the risk tolerance matrix accepted by the organisation. In the risk tolerance matrix, one can see the residual risk, which takes into account all the measures that the IT experts have put in place to defend the organisation against cyber crime. With this information, business managers and business continuity managers, together with IT security experts, can decide whether there is still a gap with the MTO for the time-critical business processes and whether that gap of unavailability is too large or unacceptable, so that extra business continuity measures become necessary.

Current business continuity plans for major fires, flooding or explosions, and IT recovery plans based on duplicated infrastructures, are not adaptable and will not be efficient against cyber crime. Business continuity measures protecting the organisation against the most important effects of cyber crime must be as innovative and creative as the cyber attacks themselves. Most of the time, manual procedures can only help for a very short period. In a very short space of time (and by the next day, at the very latest) the IT environment, at least partially, must be available again.

On the other hand, a number of (old-fashioned?) solutions are conceivable, such as private networks, network segregation and full backups on tape or CD. Another strategy might be to continue to use the minimal IT environment necessary for the most time-critical business processes, without having a 100 per cent guarantee that the cyber ‘pollution’ has been stopped and the IT environment has been completely cleaned, but with very intensive monitoring by IT tools and IT security experts.

NOTES AND REFERENCES

(1) Clarke, J. (2009) ‘Resilience under attack: Techniques for continuing online business in the face of security compromise’, Gotham Digital Science, 27th February.

(2) Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.

(3) The Information Security Forum (ISF) is the world’s leading independent authority on information security.

(4) Herath, H. M. P. S. and Wijayanayake, W. M. J. I. (2009) ‘Computer misuse in the workplace’, Journal of Business Continuity & Emergency Planning, Vol. 3, No. 3, pp. 259–270.

(5) Delafortrie, S. and Springael, C. (2012) ‘Communication relative à la cyberstratégie belge’, available at: http://presscenter.org/fr/pressrelease/20121221/communication-relative-a-la-cyberstrategie-belge (accessed 5th November, 2013).

(6) Cyber Security Strategy – securing cyberspace, .be, CMR aanvullende informatie van 18-12-2012.

(7) European Commission (2013) ‘Proposal for a Directive of the European Parliament and of the Council Concerning Measures to Ensure a High Common Level of Network and Information Security across the Union, 2013/0027 (COD)’, European Commission, Brussels.

(8) Kellep, C. (2012) ‘Confidentiality Integrity Availability (CIA) Triad’, Security Orb, 28th June.

(9) Cebula, J. J. and Young, L. R. (2010) ‘A Risk Taxonomy of Operational Cyber Security Risks’, Software Engineering Institute, Pittsburgh, PA.

(10) Scully, T. (2011) ‘The Cyber Threat, Trophy Information and the Fortress Mentality’, STRATSEC.NET PTY LTD., Sydney.
