Task
The capstone project was the twelfth and final course of my master's. Students with an average grade of over 65% and willing external stakeholders are eligible to submit a proposal for an Externally Directed Project. This means they can design and run a project of their own instead of completing the university-aligned project. I chose this option to explore the zero-trust culture called for in the Australian 2023-2030 Cyber Security Strategy. The proposal had two required components:
- A 250-word (+/- 10%) overview pitch outlining the key aims, and importance of your project.
- A list of key deliverables of the project, and for each, word count, attributes and measures of success.
Pitch
Cybersecurity is often viewed as a technical problem in need of technical solutions; however, as technology becomes more entwined with our lives, it is becoming apparent that it is socio-technical (Davis et al., 2014) in nature and in need of solutions that are both technical and non-technical (Dept Home Affairs, 2023a, p. 19). The 2023-2030 Australian Cyber Security Strategy calls for a "whole-of-government zero trust culture" (Dept Home Affairs, 2023b, p. 43), but does not describe what this culture is or provide guidance on how to achieve it.
Organisational culture guides both our approach to work and how we interact with others (State Services Authority, 2013), with trust being critical to the latter. When considering zero-trust culture, therefore, the focus of this project will be on the 'approach to work', that is, on operations. In their operations, organisations can have numerous insecure resources, such as workflows, email or non-technical assets connected via processes to IT systems. These can affect one another: a compromised IT system may impact decision making that relies on its data; conversely, data leaks outside of IT systems can compromise confidentiality, as evidenced by 68% of government notifiable data breaches being due to human error (OAIC, 2024).
Exploring the concept of zero-trust culture, with the insight that it is relevant to our operations and that these can contain insecure resources, highlights the importance of security in our operational activities. This is known as operational security (opsec) (Space Operations Command, 2023) and I propose that by applying zero-trust principles to opsec, we can create a zero-trust culture.
List of deliverables
| Deliverable | Attributes / word count / duration | Measures of success |
|---|---|---|
| Project outline | Presentation, 5 minutes: recorded for submission; presented to stakeholders. Project outline (this document): pitch, 250 words; list of deliverables; project plan (schedule and tasks) | Introduces the concepts of zero-trust, operational security and zero-trust culture. Makes a connection between the above concepts and Australia's cyber security strategy. Contextualises the above concepts in relation to government organisations. |
| Presentation | 10 minute presentation: recorded for submission; presented to stakeholders | Explains the information environment. Outlines threats to the information environment. Explains how attack effects can affect operations. Introduces opsec and outlines its benefits. Introduces zero-trust and looks at how its principles could be applied to opsec. |
| Report | 3000+ words | Provides detailed background on zero-trust and operational security. Demonstrates integration of zero-trust principles into operational security. Provides a clear explanation of the need to expand the scope of organisational information security and how the above point can assist. |
| Strategy proposal | 1000+ words | Makes a case for a change to how information security is handled at an organisation-wide level. Provides: strategy kernel; vision statement; principles. |
| Reflection | 600 words | Demonstrates an ability to synthesise learnings throughout the project. Demonstrates an ability to critically assess project plans and performance. Demonstrates an ability to synthesise research and develop the proposal into a well-articulated and clear argument. |
References
Davis, M. C., Challenger, R., Jayewardene, D. N. W., & Clegg, C. W. (2014). Advancing socio-technical systems thinking: A call for bravery. Applied Ergonomics, 45(2), 171–180. https://doi.org/10.1016/j.apergo.2013.02.009
Dept Home Affairs. (2023a). 2023-2030 Australian cyber security strategy discussion paper. https://www.homeaffairs.gov.au/reports-and-pubs/files/2023-2030_australian_cyber_security_strategy_discussion_paper.pdf
Dept Home Affairs. (2023b). 2023-2030 Australian cyber security strategy. https://www.homeaffairs.gov.au/cyber-security-subsite/files/2023-cyber-security-strategy.pdf
OAIC. (2024, February 22). Notifiable data breaches report: July to December 2023. OAIC. https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-july-to-december-2023
Space Operations Command. (2023, January 5). OPSEC history: From ancient origins to modern challenges. Space Operations Command (SpOC). https://www.spoc.spaceforce.mil/News/Article-Display/Article/3260002/opsec-history-from-ancient-origins-to-modern-challenges
State Services Authority. (2013). Organisational culture. https://vpsc.vic.gov.au/wp-content/uploads/2015/03/Organisational-Culture_Web.pdf