Cyber security measures are associated with managing risks, patching vulnerabilities and improving system resilience. Key research subjects include techniques associated with detecting different network behavior anomalies and malware, and IT questions related to IT security. Since these research subjects mainly concentrate on the physical, syntactic and semantic layers, present research infrastructures are focused on studying phenomena in the aforementioned layers.
In short, cyber security can be defined as a range of actions taken in defence against cyber-attacks and their consequences and includes implementing the required countermeasures. Cyber security is built on the threat analysis of an organisation or institution. The structure and elements of an organisation’s cyber security strategy and its implementation programme are based on the estimated threats and risk analyses. In many cases it becomes necessary to prepare several targeted cyber security strategies and guidelines for an organisation.
According to ITU the Cyber security is not an end unto itself; cyber security as a means to an end. The goal should be to build confidence and trust that critical information infrastructure would work reliably and continue to support national interests even when under attack. Therefore the focus of national cyber security strategies should be on the threats most likely to disrupt vital functions of society (ITU 2011).
In EU point of view “the borderless and multi-layered Internet has become one of the most powerful instruments for global progress without governmental over- sight or regulation. While the private sector should continue to play a leading role in the construction and day-to-day management of the Internet, the need for requirements for transparency, accountability and security is becoming more and more prominent.” The EU want safeguard an online environment providing the highest possible freedom and security for the benefit of everyone. The EU is presented five strategic priorities, which are (EU 2013):
• Achieving cyber resilience
• Drastically reducing cybercrime
• Developing cyberdefence policy and capabilities related to the Common Security and Defence Policy (CSDP)
• Develop the industrial and technological resources for cyber security
• Establish a coherent international cyberspace policy for the European Union and promote core EU values
Finland’s Cyber security Strategy (2013) defines cyber security as follows: “Cyber security means the desired end state in which the cyber domain is reliable and in which its functioning is ensured.” The strategy adds three notes to the definition:
Note 1: In the desired end state the cyber domain will not jeopardise, harm or disturb the operation of functions dependent on electronic information (data) processing.
Note 2: Reliance on the cyber domain depends on its actors implementing appropriate and sufficient information security procedures (‘communal data security’). These procedures can prevent the materialisation of cyber threats and, should they still materialise, prevent, mitigate or help tolerate their consequences.
Note 3: Cyber security encompasses the measures on the functions vital to society and the critical infrastructure which aim to achieve the capability of predictive management and, if necessary, tolerance of cyber threats and their effects, which can cause significant harm or danger to Finland or its population.
ITU (2011) has created the model of the national cyber security strategy, which has four parts: strategic context, ends, ways and means.
Strategic context consist factors influencing national cyber security activities. National interests flow from national values and guide political decisions. The realization of national interests achieves goals such as economic prosperity, security and stability of the State, protection of individual freedoms and a good international order. Nations use all tools of national power to realise their national interests. Cyber security strategies should focus on tackling threats most likely to prevent government agencies and businesses from carrying out critical missions (ITU 2011).
The Ends are the objectives that a national cyber security strategy seeks to accomplish. Just as national interests flow from national values, ends describe what a nation has to do to support national interests in cyberspace. Thus, cyber security strategies help focus efforts towards ensuring that cyberspace keeps a country secure and prosperous (Ibid).
The Ways identify the strategic activities to help countries govern the security areas. Governance defines how nations may use the resources to attain the outcomes that the ends envisage. In the multi-stakeholder domain of cyber security, the ways define how nations may allocate resources, coordinate and control the activities of all relevant stakeholders (Ibid).
The Means flow from the Ways. The means describe the resources available to achieve the stated ends. It contains concrete activities that would meet the objectives of the strategy and a governance framework for the implementation, evaluation and maintenance of the strategy. The cyber security strategy also has a master plan for the implementation of the strategy and a concrete action plans for each activity. The measures are dependent on the local conditions. Several national cyber security strategies have six priority areas (ITU 2011; Lehto 2013):
- Roles and responsibilities of cyber security
- Cyber security center/situation awareness
- Legislation and supervising the lawfulness of government actions
- Cyber security training and research
- Secure ICT products and services
- National and international cooperation