principles of cyber security - blusphinx.com

Copyright© 2021 BluSphinx Inc. All rights reserved. www.blusphinx.com

Summary

Cyber security has become a key priority across the world, relevant to allactors of human societies: international organizations, national governments,businesses, and individual citizens. However, cyber security remains agenerally poorly understood notion, with unclear boundaries and goals. Ourobjective in this white paper is to define fundamental principles of cybersecurity and lay out a new foundation for a comprehensive and long-termstrategy aimed to increase the security of organizations and individuals inthe cyber space. We believe that cyber security must be on the agendaof every public or private decision maker. Although cyber security sharesprinciples with other types of security, the cyber space presents challengesdistinct from other areas. In order to protect critical systems and dataof any organization and to prepare for emergency crises that may arisefrom increasingly frequent cyberattacks, it is a essential to be proactiveand to develop appropriate cyber security policies. We believe that cybersecurity relies on three equally important, inter-connected areas: Technology,Strategy, and Human Behaviors. As top priority, it will be crucial to developcentral repositories of knowledge and technologies to guide organizations inimplementing the best cyber security strategies and effectively respond toattacks. It will also be crucial to explore one’s strategy and choices carefullybefore a real attack happens, in order to validate trade-offs under attacks.Simulated environments offer a unique opportunity for interactive learningand strategy testing, without incurring the potentially catastrophic cost ofreal attacks, to determine the appropriate course of action.

1

Principles of Cyber SecurityAurélie M.H. Beaumel Thomas Dillig, PhD

Fig. 1: Any security system is only as strong as its weakest link.


Introduction

Cyber security has become a keypriority across the world, rele-vant to all actors of human soci-eties: international organizations,national governments, businesses,and individual citizens. Cyber-attacks are becoming both morefrequent and sophisticated, result-ing in increased reach and dam-age. These damages include mas-sive losses of personal data [1, 2],loss of strategic data [3, 4], moneytheft [5], disruption of critical in-frastructure [6], disruption of ademocratic process [7], overload-ing of Internet servers [8], andmany more. All of these attackshave resulted in significant mate-rial and financial losses, customerloss, very high legal penalties, rep-utation damage, and could eventhreaten human lives in the fu-ture (medical devices, health ser-vices, emergency systems, etc).

However, cyber security re-mains generally a vague no-

tion with unclear boundaries andgoals, poorly understood by de-cision makers and the generalpublic. Even among militaryand civilian experts (technologi-cal researchers, policymakers, lawenforcement, specialized organi-zations, etc), there is currentlyno consensus and common un-derstanding on which principles,techniques, and policies should beused and promoted.

Since cyber security affectsall areas of society and organi-zations, it must be part of anoverall risk management strategythat includes the assessment ofrisks and trade-offs across divi-sions and possible ways to miti-gate them. We believe that cybersecurity must be on the agenda ofCEOs and other top decision mak-ers. It cannot be confined to tech-nical units who may be limitedin their influence over entire or-ganizations. Developing effectiveand comprehensive cyber security

strategies requires a big-pictureperspective.

Our objective in this whitepaper is to define the fundamen-tal principles of cyber securityand lay out a new foundation fora comprehensive and long-termstrategy aimed to increase the se-curity of organizations and indi-viduals in the cyber space.

Security in theCyber SpaceThe concept of cyber space is com-monly used to refer to interac-tions between publicly networkedcomputers on the Internet. Overtime, a virtual world connectingall areas of societies, organiza-tions, and people’s lives has devel-oped in an organic and resilienteco-system. Cyber security is thesecurity of networked informationsystems and data.

However, cyber security isonly meaningful when viewed inthe general context of global secu-rity, which is a requirement for en-suring a peaceful and prosperousdevelopment of human activity.Cyber security should thereforebe considered as a key piece of anoverall risk-management architec-ture that includes notably physi-cal security and human factors.This global security approachshould not be contemplated asthe mere result of adding securitymeasures which would excessivelyconstrain the digital transforma-tion and dramatically reduce itsbeneficial outcomes. Instead, de-veloping appropriate cybersecu-rity policies needs a new attitude,shifting minds and processes fromrisk aversion to risk mitigation,and ultimately to risk manage-ment. In the cyber space, man-

2

Cyber security has become a key priority across the world, relevant to all actorsof human societies: international organizations, national governments, busi-nesses, and individual citizens. Cyberattacks are becoming both more frequentand sophisticated, resulting in increased reach and damage.


aging risks implies a permanentprocess of threat assessment.

Enhancing cyber security bymaking software systems anddata more secure does not in-crease overall security if other se-curity components (physical se-curity or human factors) remainrelatively weak. For instance, ifan organization equips itself withthe best cyber security technologyto manage a database with con-fidential information, but grantsaccess to the database to a widerange of individuals without suf-ficiently vetting their reliability,the confidential data that the or-ganization is trying to protect willremain vulnerable, regardless ofthe database technology used.1

Any security system is only asstrong as its weakest link. Eventhe best cyber security strategiesrequire a comprehensive securityanalysis of the environment inwhich systems operate and datais stored (or sent). Cyber securitywill only keep data and systemsas secure as the surrounding se-curity allows.

Properties of the CyberSpaceAlthough cyber security sharesprinciples with other types of se-curity, the cyber space presentschallenges different from otherspaces. Due to the idiosyncrasiesof the cyber space, some con-cepts applicable to physical secu-rity need to be revised in the con-text of cyber security. Traditionalsecurity analogies are sometimesmisleading. We will focus on thenotions of Discovery, Attribution,

1The case of Edward Snowden is acompelling example with gigantic con-sequences.

Prevention, and Deterrence to il-lustrate this point.

Discovery

The first step in dealing withan attack is to discover that ithas happened. In the physicalworld, this is relatively easy be-cause many attacks leave an ob-servable physical impact (disap-pearance, damage, etc). On theother hand, in the cyber space,attacks do not necessarily leaveany observable impact. Cybertheft does not necessarily requirethe removal of the stolen informa-tion from the system. Infiltratingthe system and making a copy ofthe data, unnoticed, accomplishesthe same objective and damage.Therefore, securing a cyber sys-tem entails building a system notonly capable of withstanding cy-berattacks, but also able to de-tect if it has been breached. Incontrast to physical attacks, dis-covering that a cyberattack hasbeen perpetrated is a challenge initself.

Attribution

Also in contrast to the physicalworld, it is significantly more chal-lenging to identify the guilty par-ties once a cyberattack has beendetected. By its very nature, theInternet is designed to make itdifficult to connect an action inthe cyber space with someone inthe physical world. It is a veryhard and labor-intensive guessinggame to find out where attackscome from and to prosecute cybercriminals. This difficulty arisesbecause there are multiple layersseparating a cyberattack from its

authors, starting from where theattack took place, to the physicaldevice used to conduct the attack(which may be on the other sideof the world), to the specific per-son who used the device. Addi-tionally, using non-technical ap-proaches to try to solve this prob-lem, such as passing legislation,cannot be effective. Due to the in-herent anonymity of the Internet(or at least its ambiguous identi-fication), the problem of attribu-tion remains a challenge unlessone is willing to break down theInternet. While it is possible fornation-states and large organiza-tions to pinpoint the source ofan attack accurately with addi-tional intelligence, smaller busi-nesses and all the more so indivi-duals do not have access to suchresources and remain defenseless.

Prevention

Given that cyberattacks are moredifficult to identify and attribute,and can have disastrous conse-quences for organizations, busi-nesses, and individuals, prevent-ing them becomes critical. Cyber-prevention currently relies on ap-proaches that are well-known butneed to permanently adapt tonew threats (firewall, antivirus,cryptography, etc). However, thistechnical approach is not enoughon its own, and must be part of acomprehensive view of the activi-ties of an organization (or person)and their vulnerabilities. Sucha global approach should alsotake into account the interactionsand dependencies with other or-ganizations, suppliers, and thepotential cascade effects (shareddatabases, physical security, In-

3

Cyber security is the security of networked information systems and data. Al-though cyber security shares principles with other types of security, the cyberspace presents challenges different from other spaces.


ternet providers, providers of cy-ber security systems, etc). Aboveall, effective prevention relies onall actors of an organization, notonly cyber security experts.

Communication and trainingare two powerful levers of cyber-prevention. It is important toremember that there are genera-tions of people who have not beenraised nor educated in a digital so-ciety. There are many who do nothave basic knowledge of the prin-ciples and systems that increas-ingly govern our daily lives andactivities. Even for younger gen-erations who master the use ofdigital tools at a precocious age,there is to date no widespreadeducation program to teach chil-dren and teenagers the fundamen-tals and risks of digital activities.There is no driving license or aca-demic certificate required to nav-igate the cyber space.

However, prevention shouldnot be viewed only through a lim-iting or repressive lens. It alsoprovides a great catalyst for imag-ination, creativity, and transfor-mation. As example, in the fieldsof aeronautics and aerospace, theneed for reliability and securitystimulated innovation and drovea deep change in cultures, me-thods, and organizations, leadingto well-known improvements interms of reliability and growth.An ambitious agenda for preven-tion of cyber attacks needs to relyon human assets and enable ev-erybody to become a stakeholderand strong link in the cyber secu-rity chain.

Deterrence

In many defense-related contexts,deterrence is a commonly usedprinciple (mutual retaliation, mu-tually assured destruction, etc)that discourages attackers bycommunicating that the costs ofattacking will be very high, or toohigh, for them to bear. As crim-inals are more difficult to detectand catch in the cyber space, itis unclear how threats and deter-rence can effectively work for cy-ber security, except for large-scalehacking operations sponsored bynation-states.Any deterrence ap-proach relies on the credibilityand resilience of the means of de-terrence. It also assumes that thepotential aggressor can be iden-tified without doubts. These re-quirements are hard to meet inthe cyber space. First, capabili-ties for cyber-deterrence need tobe developed by nation-states toguarantee their legitimacy and le-gality. However, there are ma-jor actors of the cyber spaceother than nation-states who mas-ter and even define the rules ofthe game, security, and tools.Which role are they ready to playin a logic of deterrence? Onecould add deterrence against cy-berattacks to a global strategyof deterrence. The 28 mem-bers of the North Atlantic Al-liance have decided that somecyberattacks, particularly pow-erful and/or destabilizing againsone of the Allies, could fall un-der the collective defense clausefrom article 5 of the WashingtonTreaty. This is a major step to-wards the recognition of cyberthreats, but also presents limita-tions. As mentioned above, at-

tribution is a challenge in the cy-ber space, but is also a prerequi-site to trigger an appropriate re-sponse. It is publicly known thatsome nation-states are hiding un-der the identity of hackers groupsresponsible for massive targetedattacks ([3, 7, 6]). In the cyberspace as in other spaces, deter-rence requires to be armed, whichmeans developing sophisticatedintelligence and credible offensivecapabilities. However, for obviousreasons, nation-states developingsuch capabilities do not advertisethem and make at most a state-ment of principle.

Additionally, the use of deter-rence may not be possible againstcriminals who (1) possess nothingof value to be attacked on, (2) arewilling to cause harm for no directgain (financial, territorial, strate-gic), and (3) are willing to “diefor their cause”. These includenon-state actors such as terror-ist organizations or regimes withan “end-of-times” view. This is-sue of asymmetric threat affectsall areas of defense, including cy-ber defense. There is a need forcyber security and defense strate-gies that can work with differenttypes of threats. Deterrence is un-doubtedly on of these strategies,at least for nation-states with am-ple means. But if deterrence me-thods are difficult to apply for allnon-state actors and for nation-states as well, an essential ap-proach to counter cyber threatsis by designing secure cyber sys-tems.

Three Pillars ofCyber SecurityIn order to take any cyber secu-rity policy to the next level, it

4

Communication and training are two powerful levers of cyber-prevention. Thereare many who do not have basic knowledge of the principles and systems thatincreasingly govern our daily lives and activities.

Fig. 2: The three pillars of Cyber Security.


is necessary to establish strongand concrete foundations. Webelieve that cyber security re-lies on three equally important,inter-connected areas: Technol-ogy, Strategy, and Human Behav-iors.

Strategy directs decision makingand organizational processes, aswell as means to achieve a specificobjective. It therefore entails ma-king the necessary trade-offs forsecuring and organizing data andsystems.

Technology encompasses the sci-ence, techniques, and tools de-signed to disseminate, use, store,and protect data and software sys-tems. It depends to a great ex-tent on human behaviors for itsefficient use. What sets apart di-gital technology is the speed atwhich it evolves. The constant in-crease in computing power withincreasingly smaller devices andthe important data flows are allfactors of the digital transforma-

tion that applies to virtually allaspects of human activities. Theability to explore vast amounts ofdata to extract insights (Big DataAnalytics) will lead to predictiveanalyses that will influence thebehavior of decision makers aswell as populations. The Internetof Things is paving the way fornew applications that will trans-form our daily lives. Artificialintelligence and machine learningwill accelerate the automation ofsome functions, such as advancethe field of robotics. This digitalrevolution presents opportunitiesfor unprecedented progress, butalso presents major risks, espe-cially to secure the data fuelingall these advances. The success ofthe digital transformation will de-pend on the ability of humans (de-velopers, leaders, decision makers,experts, operational teams, etc)to define objectives, limits, rules,and ensure security.

Behaviors include the humanknowledge and behaviors in the

cyber space necessary to reducethe effectiveness of cyberattacks,including the appropriate use ofcyber security technology. Hu-mans are ultimately responsiblefor to orient, prioritize, develop,and implement any cyber secu-rity policy. In this respect, it willbe necessary to develop new me-thods to manage complexity, tobreak down the existing silos ofsociety and foster horizontal coop-eration between experts of differ-ent backgrounds. Efforts to raiseawareness, educate, and train ac-tors of society at all levels shouldbe a top priority to develop a long-lasting and efficient cyber secu-rity. In cyber space, the securityof all depends on each one of us.

Technology:Building more Secure CyberSystemsCyber security deals with the se-curity of software systems, whosefundamental basis is discretemathematics and logic. This isthe key difference between soft-ware engineering in the cyberspace and the physical worldwhere the fundamental basis ofclassical engineering is continu-ous mathematics. The discretenature of software makes thestandard engineering approach of“overbuilding” impossible. To il-lustrate the point with civil en-gineering, if one needs a struc-tural steel beam that can hold 10tons, one would design and man-ufacture a beam sturdy enoughto hold 12 tons to ensure that itwill be able to hold 10 tons, irre-spective of small anomalies thatmay occur. Such an approach isimpossible for software securitybecause the security of any soft-

5

We believe that cyber security relies on three equally important, inter-connectedareas: Technology, Strategy, and Human Behaviors.


ware is a binary property. Thereis no such concept as “a little bithacked”. A software system is ei-ther secure or hacked.

Security measures can also beeither reactive (e.g. putting outa fire) or proactive (e.g. usingfire-proof materials). Since it ischallenging to design proactive se-curity approaches, there is cur-rently substantial focus on react-ing to and managing breaches asthey happen. While this stra-tegy is capable of limiting dam-age in the case of attacks, thewar against cyber attackers willbe won (or lost) at the prepara-tion and set-up stage. We believethat attempting to reactively pro-tect fundamentally insecure andill-designed systems is an expen-sive and ultimately futile exercise.Reactive security, such as inci-dence response teams, can onlybe truly effective on top of a prop-erly executed cyber security stra-tegy that puts secure and layeredsystems in place.

The state of the art in cy-ber security technology revolvesaround proactive security. Inproactive security, one aims tobuild software systems that arefundamentally secure and com-partmentalized into isolated partsto limit the effectiveness of anyone breach.

The field of software verifica-tion has the potential to proveformally that software systemsare secure (e.g. a system withno memory vulnerability). Thistechnology has only recently be-come practical in some settingsthat are relevant to connected sys-tems and cyber security. Softwareverification is already used in iso-lated real-time critical systems

(e.g. aircraft computer systems).The next research steps will be toapply software verification to real-time critical systems with limitedconnectivity (e.g. power plants).In a more distant future, with theadvance and spread of this tech-nology, it could become a legalrequirement for companies to uti-lize secure systems (i.e. systemsthat have been formally verified)for storage of sensitive data (e.g.identity data).

The field of systems and net-working has worked for manyyears on techniques to separate,firewall, and compartmentalizeaccess and data in the presenceof breaches. Quite a numberof these technologies are alreadywidely used in commodity com-puting (processes, virtualization,sandboxing), but are often ig-nored at the higher levels of cybersecurity strategy.

We believe that the further de-velopment of technical fields suchas software verification, combinedwith appropriate separation tech-nologies and cryptography, hasthe potential to yield highly se-cure systems that are no longervulnerable to most of the cur-rent cyberattack vectors withinthe next decade, given the rightinvestments and incentives.

More generally, it is criticalfor organizations and decisionmakers to develop a clear under-standing of the current techno-logical state-of-the-art, costs, andlimitations to create secure soft-ware programs, systems, and in-frastructures.

Strategy:Managing and Reducing At-tack SurfacesCyber security can be dividedinto systems security and datasecurity. While cutting-edge sys-tems technology can help enhancethe protection of systems anddata, it is also necessary to have astrategy about what data to pro-tect and how to organize it. Weidentify three principles underly-ing any data security strategy:

� “It is impossible to secureeverything” — Identify thedata to secure

� “The most secure data isthe data you do not store” –Limit the data to store

� “Don’t put all eggs in onebasket” — Compartmental-ize data

It is impossible to secure ev-erything

The increasing amounts of avail-able data combined with the lim-itation of resources (computa-tional, financial, organizational,etc) make it impossible to secureall data, no matter how power-ful the organization. In this light,the ability to classify data, iden-tify data to secure, and allocatedata security resources accord-ingly, becomes a critical capabil-ity. Not all data is equal, itsimportance depends on the po-tential damage that its releasecan cause. Data that is vital forbusiness operations or very sen-sitive personal data should getthe strongest (and most expen-sive) protection level. On theother hand, ancillary data that

6

We believe that attempting to reactively protect fundamentally insecure and ill-designed systems is an expensive and ultimately futile exercise. Reactive se-curity can only be truly effective on top of a properly executed cyber securitystrategy that puts secure and layered systems in place.


is not security critical can havelower (less expensive) security lev-els, and public data does not needsecurity by definition. Anotherpoint to consider is that criticaldata may become less sensitiveover time. For instance, some tac-tical data goes out of date aftera number of years and may nolonger require the highest secu-rity levels. Therefore, a prerequi-site to setting up a cyber securitysystem is to decide which data tosecure, with which level of secu-rity, and for how long.

Currently, one of the majorgaps in this area is the lack of astandard framework and quanti-tative metrics to help organiza-tions determine which data to se-cure.

The most secure data is thedata you do not store

Another principle to increase datasecurity is to consciously limit theamount of data to store in thefirst place. In a “Big Data” worldwhere data collection, storage,and processing capacity keeps ex-panding, organizations and indi-viduals tend to keep more datain their information systems anddevices, which in turn increasestheir exposure and vulnerabilityto cyberattacks. Every bit ofstored data is a potential breachopportunity and therefore carriesa cost. In order to reduce risksand costs, one needs to make theconscious effort to store only datathat is necessary and not suc-cumb to the temptation of storingmore data just because the sys-tem has space. Where possible,it is preferable to store data in atemporal, aggregate, anonymized,

or incomplete form so that it con-tains less or no privileged infor-mation. An example would beto store online only the last weekof diplomatic cables, instead ofthe full year. Beyond individualorganizations and citizens, thisprinciple can guide legal bodiesregulating which records must bekept by companies or individuals.While the most secure data is thedata that is not stored, record-keeping practices need to complywith the law.

The major challenge in thisarea is lack of awareness and ed-ucation of organizations and indi-viduals. At a broader level, thisprinciple also requires legislativebodies to make tradeoffs in the le-gal framework to balance record-keeping and cyber security needs.

Compartmentalize data

For data that needs to be stored,compartmentalization can helpreduce cyber vulnerabilities. Asthe old saying goes, “don’t put allyour eggs in one basket”. For in-stance, in the case of customerdata, one could store sensitivepersonal data (e.g. Social Secu-rity Number, credit card number,date of birth, etc) in a differentdatabase that is more secure thanthe database used to keep cus-tomer shopping history. Becausethe Internet is a widely accessi-ble place, it is also better not toconnect critical data to the Inter-net, wherever possible, in orderto limit the risk of cyber securitybreaches and the impact of cyber-attacks. For instance, one couldchoose to keep historical diplo-matic cables in an offsite physicallocation that is not connected to

any online system. A good prac-tice is therefore to separate confi-dential data into different com-partments (e.g. day-to-day in-formation vs. historical records),each in a different storage loca-tion (online vs. offline), with theobjective of keeping only the min-imum necessary data in widelyaccessible places.

Human Behaviors:Central Component of CyberSecurityHuman behaviors is one of thethree pillars of cyber security. Cy-ber security is ultimately aboutthe security of human beings,who are increasingly connectedand thus exposed to cyber risks.Cyber security highlights theinter-connectivity and collectiveresponsibility of all actors in so-ciety (international authorities,national governments, businesses,and individual citizens) to createa more secure cyber space.

Raising awareness and fur-ther education in cyber secu-rity

Knowledge and understanding ofcyber security remain largely lim-ited. With the increase of cy-ber threats, it is critical to raiseawareness and educate organiza-tions and citizens about cyber se-curity. Any effective educationapproach has to include princi-ples, technology, and best prac-tices related to cyber security. Ifthe focus is only on the technol-ogy side, human behaviors will re-main the weakest link in the cybersecurity chain. If the focus is onlyon human users, the learnings will

7

Cyber security can be divided into systems security and data security. Whilecutting-edge systems technology can help enhance the protection of systemsand data, it is also necessary to have a strategy about what data to protect andhow to organize it.

Fig. 3: The trade-offs between costs, productivity and security.


only have short-term value be-cause technology evolves quicklyby its very nature. The objectiveis to teach people fundamentalprinciples that withstand the evo-lution of technology, not ad-hocfixes to cyber security vulnera-bilities which quickly become ob-solete as new vulnerabilities arefound.

Growing a common knowl-edge base for cyber security

Cyber security is generally verypoorly understood, in part be-cause the technological and or-ganizational know-how is still inits infancy. The implications ofconnecting systems is still in theprocess of becoming understood,even as the process of connectingsystems across the board contin-ues to progress rapidly. The un-derlying technology is not verynew (about 50 years old) but isevolving much faster than pre-vious human periods of techno-logical breakthrough (e.g. In-dustrial Revolution). As a re-sult, there is no consensus, widely

known principles, and guidelineson how to make an informationsystem secure. In contrast, theprinciples of civil engineering arewidely known and accepted. Con-sequently, improving cyber se-curity and related behaviors re-quires building the credibility ofcyber security as a discipline andfoster its development, with ob-jectives and strategies in placethat guide how to reach it.

One of the largest gaps in cy-ber security today is a widely ac-cepted knowledge base for cybersecurity principles and technolo-gies. Any successful cyber secu-rity strategy will require the col-lection, buildup, and spread ofknow-how in each key area, at na-tional and international levels. Itrequires a clear understanding ofthe current state-of-the-art, costs,limitations, and areas of develop-ment for programs, systems, in-frastructures, processes, and peo-ple. Additionally, policymakersneed to continue to find ways toincentivize organizations and indi-viduals to adopt best practices in

cyber security. Significant effortshave been done in recent yearsacross nations and organizations,but more remains to be done.

ConclusionCyber security is a key challengefacing every organization today,and even more so going forward.While there are many inadequatesolutions for cyber security, thereis no single best solution. To facethis challenge, decision makerswill need to develop their cyber se-curity strategy, according to theirown specific objectives and activ-ities, and make necessary trade-offs. Cyber security inherentlyinvolves tradeoffs between secu-rity, costs, and organizational pro-ductivity. Security tools come ata cost and the more data is re-stricted and compartmentalized,the more cumbersome it is to usethe data to do work. Differentorganizations face different prior-ities and constraints, and musttherefore define which tradeoffsare acceptable.

In order to validate trade-offsunder attacks, it is crucial to ex-plore one’s strategy and choicescarefully before a real attack hap-pens. Simulated environments of-fer a unique opportunity for inter-active learning and strategy test-ing, without incurring the poten-tially catastrophic cost of real at-tacks, to determine the appropri-ate course of action. These learn-ing and testing methods are nowcrucial to develop central reposi-tories of knowledge and technolo-gies to guide organizations in im-plementing the best cyber secu-rity strategies. They constitutealso a cornerstone for the requiredcyber security training at all lev-

8

An important objective is to teach people fundamental principles that withstandthe evolution of technology, not ad-hoc fixes to cyber security vulnerabilitieswhich quickly become obsolete as new vulnerabilities are found.


els, from top decision makers tooperational teams.

Blu SphinxFocused on using technology forgood and to help build a strongnational economy, Blu Sphinx is atechnology venture supported bythe National Science Foundationto develop a new breed of Enter-prise Resource Planning Software(ERP) for small and medium-sized businesses. Blu Sphinx aimsto leverage technology to makethe world a better place, includ-ing giving today’s smaller busi-ness owners robust tools to im-prove outcomes and achieve posi-tive growth.

AuthorsAurelie Mei-Hoa Beaumel is co-founder & CEO of Blu Sphinx. Shehas BA/BS/MS degrees from Stan-ford University in Economics andCognitive Science, and has a decadeof experience advising senior leadersin Business and Strategy.

Thomas Dillig is co-founder & CTOof Blu Sphinx. He has a PhD fromStanford University in ComputerScience, and has a decade of experi-ence in cutting-edge AI and SoftwareSecurity research at top academic in-stitutions and companies.

For more information, visit ourwebsite: www.blusphinx.com

You can contact the authors [email protected].

Bibliography[1] The New York Times, “De-

fending Against HackersTook a Back Seat at Ya-hoo, Insiders Say.” http:

//www.nytimes.com/2016/09/

29/technology/yahoo-data-

breach-hacking.html?_r=0,September 28, 2016.

[2] The New York Times, “ForTarget, the Breach NumbersGrow.” http://www.nytimes.

com/2014/01/11/business/

target-breach-affected-

70-million-customers.html,January 10, 2014.

[3] The New York Times, “F.B.I.Says Little Doubt NorthKorea Hit Sony.” http:


08/business/chief-says-fbi-

has-no-doubt-that-north-

korea-attacked-sony.html,January 7, 2015.

[4] The Washington Post, “OPM says 5.6 million finger-prints stolen in cyberattack,five times as many as pre-viously thought.” https:

//www.washingtonpost.com/

news/the-switch/wp/2015/09/

23/opm-now-says-more-than-

five-million-fingerprints-

compromised-in-breaches/,September 23, 2015.

[5] Reuters, “Bangladesh Bankofficial’s computer washacked to carry out $81million heist: diplomat.”http://www.reuters.com/

article/us-cyber-heist-

philippines-idUSKCN0YA0CH,May 19, 2016.

[6] ICS-CERT, “Cyber-AttackAgainst Ukrainian CriticalInfrastructure.” https://ics-

cert.us-cert.gov/alerts/IR-

ALERT-H-16-056-01, February25, 2016.

[7] The New York Times, “SpyAgency Consensus Grows That

Russia Hacked D.N.C..” http:


27/us/politics/spy-agency-

consensus-grows-that-

russia-hacked-dnc.html,July 26, 2016.

[8] The New York Times, “Hack-ers Used New Weaponsto Disrupt Major Web-sites Across U.S..” http:

//www.nytimes.com/2016/

10/22/business/internet-

problems-attack.html, Octo-ber 21, 2016.

9

For more information, visit our website at www.blusphinx.com.

principles of cyber security - blusphinx.com

Documents