International Considerations for Cybersecurity Best Practices
By CERT Insider Threat Center on 09/03/2013 | Permalink
Hi! We are Lori Flynn and Carly Huth, CERT cybersecurity researchers.
This post is about our recently published paper that describes how strategies for implementing international cybersecurity best practice should account for five factors: technology profile, laws and regulations, law enforcement, culture and subcultures, and corruption.
NOTE TO OUR READERS
As we begin to include more international cases and considerations in our research, we value your input. What are your ideas about international implementation of best practices against insider threats and other cybersecurity practices? Do you have links to news stories of insider threat cases from outside the U.S.?
Please send us your thoughts and story pointers, to firstname.lastname@example.org.
To write the paper, we needed cybersecurity best practices to analyze with respect to these five dimensions. We used practices from one recent publication that focuses on insider threat. The CERT Program recommends nineteen best practices for preventing, detecting, and responding to insider threats in the Common Sense Guide to Mitigating Insider Threats, 4th Edition. The guide’s implementation recommendations are based on an analysis of primarily U.S.-based insider threat cases.
With our coauthors Randy Trzeciak, and Palma Buttles, we mapped the best practices to the five factors that affect practice implementation internationally, in the report Best Practices against Insider Threats in All Nations. Each practice is analyzed with respect to the five factors. Analysis was conducted both generally and with respect to potential implications of examples from various countries. This paper is an initial exploration of the effects of the international landscape on the implementation of cybersecurity best practices.
Why and how does the paper map practices to the factors for each nation? Consider the following: Organizations need to consider internal as well as external threats, as recommended in best practice 1, Consider threats from insiders and business partners in enterprise-wide risk assessments, which was discussed in the blog post Common Sense Guide to Mitigating Insider Threats—Best Practice 1 (of 19). Several cases in our database illustrate the need to consider this practice on an international scale. In one case, the victim organization outsourced the production of hard drives to a foreign contractor, which subcontracted the work to another foreign organization. The subcontractor organization employed the insider who uploaded a malicious Trojan horse program to 1,800 new hard drives.
This case is a good example of why organizations need to implement Best Practice 1. In addition, the Common Sense Guide to Mitigating Insider Threats, 4th Edition recommends implementing Best Practice 1 using additional mechanisms such as background checks, non-disclosure agreements, and service level agreements. These mechanisms should be implemented for all employees, contractors, and trusted business partners.
However, cultural considerations should play a role in international implementation of best practices. Behaviors that correlate to insider threats in U.S.-based research may not correlate to insider threat in other cultures. In the U.S., concerning behaviors may include tardiness at work or missed project deadlines, but these behaviors may not correlate to threats in polychronic cultures that view time as “adjusted to suit the needs of the people.” Local background checks (or output of a risk assessment) from a country known for corruption may not be reliable. Other considerations, such as the ability to enforce contracts, may depend on the nature of the legal and law-enforcement systems.
Additional international considerations can be found in Best Practices Against Insider Threats in All Nations. We are continuing work on this important topic and are currently completing work applying this analysis framework to cybersecurity practices in two nations. We look forward to publishing a report about the new work in the near future.