risk proportionate
Recently Published Documents


TOTAL DOCUMENTS

4
(FIVE YEARS 1)

H-INDEX

2
(FIVE YEARS 0)

2021, Vol 26 (2), pp. 139-148
Author(s): Zsolt Bederna, Zoltan Rajnai, Tamas Szadeczky

Abstract In the current social and economic processes, information and communication services play a decisive role, changing several entities’ operations. The growing dependence that has developed over the last two decades made the security needs introduced political will, which has resulted in an iterative evolution of the regulatory environment. Hence, the legal framework requires that several entities develop protection that includes controls enhancing both preventive and reactive in a risk-proportionate manner under the business value to be protected. Nevertheless, due to the nature of cybersecurity, the development of such capabilities is not the task of a single organisation but all entities involved in cyberspace, including, e.g., individuals, non-profit and for-profit organisations, public sector actors. Therefore, each involved entity should design protection capabilities in a risk-proportionate manner, which requires strategic approaches and tools and requires organisations to learn from security incidents. This paper reviews the essential formal security strategy formulation tools, applying them to Facebook’s case based on publicly available information. The analysis aims to confirm the importance of management’s attitude and support for tackling cybersecurity’s challenges.


2018, Vol 9 (3), pp. 465-482
Author(s): Florentin BLANC

Abstract Regulatory inspections and enforcement are seen by many as a key instrument to ensure the effectiveness of regulations – it is broadly assumed to be essential to have supervision and “deterrence” to promote compliance with rules, and thus achievement of regulatory outcomes. However, this presupposes that rules are indeed adequate for reaching outcomes, and that control is what drives compliance with rules. A different approach suggests that compliance is more complex and driven by a combination of factors (ethics, social conformity, procedural justice and legitimacy etc.), that rules are imperfect, and that risk-focused, risk-proportionate “regulatory delivery” will achieve better results, more “effectiveness”. Considering a case study of occupational safety inspections and outcomes in Britain, France and Germany, we observe that higher numbers of inspections are not correlated with fewer fatal incidents, and that, on the contrary, the best outcomes are achieved in the country having the least inspection visits, the most risk-focused system, and the broadest approach to “regulatory delivery”, combining engagement with regulated industries, guidance, responsive and risk-proportionate enforcement, and risk-based, targeted inspections.


Trials, 2014, Vol 15 (1)
Author(s): Catrin Tudur Smith, Paula Williamson, Ashley Jones, Alan Smyth, Simon Langton Hewer, ...
