Severe incidents and the aftermath of cybersecurity failures are regularly reported in the news media. Cybersecurity is of monumental importance: nations need to protect their critical infrastructure from the devastating effects of state-sponsored cyberterrorism, while enterprises must safeguard their intellectual property, online trust, reputation and their customers' data from organized criminal hacker groups. While the human cost of cybercrime can't even be measured once many victims have had their sensitive personal information compromised, the monetary cost of cyber-attacks is projected to reach 10 trillion euros annually by 2025.
But what is the true meaning of cybersecurity? According to Merriam-Webster's dictionary, cybersecurity means "the measures taken to protect computers or computer systems (as on the Internet) against unauthorized access or attack". The etymology of the word cyber, however, points to something broader than computers and internet security alone: cyber comes from the ancient Greek words kubernētēs, which refers to "a pilot or steersman", and kubernēsis, which means "the gift of governance".
Given its wide scope, cybersecurity is exactly that: the governance of a variety of risks and threats. Cybersecurity is such a large entity that it simply can't be handled ad hoc or one-sidedly. Its many dimensions range from identity and access management, incident management and the information security aspects of business continuity to cryptography, supplier relationships, user awareness and behavior, human resource security, asset management, physical and environmental security, and compliance with regulatory requirements. All of these aspects have to be governed systematically.
There are many cybersecurity governance frameworks, typically built on vast control libraries for managing the various cybersecurity risks and threats; one of the most widely used is the ISO/IEC 27001 standard. Selecting the most impactful cybersecurity controls is a critical step, but also a major management challenge, and decisions about controls should be based on data-driven performance measurement metrics. This is where my research comes into play: it provides new information about the most typical cybersecurity failures and the controls that address them.
In my research, I have studied the General Data Protection Regulation (GDPR) penalty cases that supervisory authorities in various EU member countries have issued because of cybersecurity failures, using the ISO/IEC 27001 controls as failure identifiers. As a result, my study presents the most frequent cybersecurity failures mapped to ISO/IEC 27001 controls, and furthermore how these failures and controls correlate with each other.
My study shows that inadequate access restrictions and poor management of privileged access rights are a very typical cause of data breaches, and that deficiencies in information security awareness, education and training lead to a variety of issues, as staff members do not know what is expected of them. Furthermore, my study determined that the failure to apply a proper information classification scheme is a cause of many different cybersecurity shortcomings, because without risk assessments, further risk-based controls such as proper cryptographic techniques, adequate logging, relevant measures against malware, or adequate system security testing can't be implemented. The strongest correlation between controls is that between inadequate data-labelling schemes and employees' mishandling of sensitive information, which underlines that user awareness is at the centre of cybersecurity control fulfilment.
From a very practical point of view, my results can be used to enhance cybersecurity by applying and verifying the most important cybersecurity controls based on their impact and their interdependence.
PhD Student, School of Technology and Innovations, University of Vaasa, Finland
The researcher works as a Cybersecurity Manager at an international energy corporation in Berlin.