Following on from Part IV: Report, this part of the capstone project will present a strategy proposal to achieve a human-centred cybersecurity culture. NOTE: After this project was completed, the Commonwealth Government released its Guiding Principles to embed a Zero Trust Culture. This proposal has been updated to demonstrate alignment with them.
Task
In this assessment you will develop a strategy proposal outline for CASA to begin its journey to build a human-centred cybersecurity culture by implementing operational security (opsec) underpinned by cybersecurity principles. This proposal will make a case for a change to how information security is handled at an organisation-wide level and will include:
- Strategy kernel
- Background
- Vision statement
- Principles
- Actions
Strategy Kernel
The human element of cybersecurity is often overlooked. When it is considered, it is typically done in a manner which is burdensome to staff and fails to address cognitive vulnerabilities. Our challenge is to mitigate human cognitive vulnerabilities while minimising additional cognitive load. We will meet this challenge by building a human-centred cybersecurity culture through embedding cybersecurity principles into our business-as-usual ways-of-working. Our actions are to implement operational security, informed by cybersecurity principles, across our non-technical processes and workflows.
Strategy proposal
1 Background
The 2023-2030 Australian Cyber Security Strategy calls for a “whole-of-government zero trust culture” (Dept Home Affairs, 2023b, p. 43). This proposal was developed in response to the question of “what does a zero-trust culture look like?”, and is in alignment with the Commonwealth Government’s recently released Guiding Principles to embed a Zero Trust Culture (Guiding Principles).
A critical element of organisational culture is our approach to work (State Services Authority, 2013). Considering the importance of people in our processes and work, together with the prevalence of human factors in cybersecurity, this proposal focuses on how we can secure our ‘approach to work’, or operations. This is important because, in their operations, organisations can have numerous insecure resources such as workflows, email or non-technical assets which can impact the security of IT systems; for example, a staff member emailing a sensitive document to the incorrect recipient. Such a leak bypasses the IT system’s controls and can compromise confidentiality, and it is not uncommon: 68% of government notifiable data breaches are attributed to human error (OAIC, 2024).
This is a cross-cutting business challenge which will be guided by knowledge from across CASA. Achieving this with our usual approach of running a project to stand up the process/team, then handing over to the business, would be challenging and possibly counter to the following vision statement. Our usual approach is typical of Western organisational decision-making, which is reliant on an expert/decision-maker pair (Danet, 2023, p. 163) and can result in “disjointed … information security programs” which are “ripe for exploitation” (Brandt, 2021). This “fragmentation of decision-making groups creates ‘gaps’” (Danet, 2023, p. 164), something we want to avoid in a security context. To overcome this challenge we need to engage not only our staff, but CASA as an organisation, by lifting cybersecurity risk to an enterprise level. This is in alignment with Guiding Principle 1: Identify and manage cyber security risk at an enterprise level.
2 Vision statement
Our vision is to build a human-centred cybersecurity culture. This will engage staff in cybersecurity while avoiding additional load on them. This culture will complement our technological controls as well as training and awareness campaigns to protect our assets, people and organisation.
3 Principles
Actions to achieve the vision will be guided by these principles:
- Securing our critical data and information throughout its lifecycle, regardless of whether it is in a secured IT system or not (actions 4.2, 4.4).
- Enhancing organisational visibility of information security requirements and controls as well as standardisation of their application (action 4.3).
- Applying a structured, reusable and repeatable approach to our data and information security (actions 4.5, 4.6, 4.7).
4 Actions
Actions required to achieve this strategy will include, but are not limited to, the following.
4.1 Create supporting documentation
Supporting these actions will require governance documentation such as policy, standards, procedures, worksheets and guidance as appropriate. This will provide direction and guidance for CASA in undertaking these actions, as well as outlining how they complement and integrate with our existing technological controls and our training and awareness campaigns.
Initially a policy creating authority for this vision will be required, with further documentation following as appropriate.
4.2 Identify our high-value data assets
Guiding Principle 3: Know and understand your most critical and sensitive technology assets.
Identifying ‘high-value data assets’ also serves the work required to align with the forthcoming Australian Government Data Governance Framework. Our high-value data assets will inform how we undertake our implementation as well as the controls required.
4.3 Create a Cybersecurity Fusion Centre
Commonwealth Government Guiding Principle alignment:
This action will build on the Zero Trust Project, which highlights the importance of cross-functional teams (Business Case RMS reference, D24 29770 2.3.1 Analysis of Change). A Cybersecurity Fusion Centre is a multidisciplinary team bringing together perspectives, skills, data and knowledge on business, information and cyber risk (Amjad et al., 2016, p. 130). By centralising GRC, monitoring, detection and protection, it will raise awareness of threats to “digital assets and information” (McLaughlin, 2023, p. 27) and enable the creation of informed standards, practices and responses applicable across CASA.
Establishing a Cybersecurity Fusion Centre is recommended to drive and support the growth of our cybersecurity culture. This will help overcome the aforementioned fragmented decision-making by leveraging “different skills and abilities, which enriches the thinking and decision-making process” (Danet, 2023, p. 164). The fusion centre would have organisation-wide scope, with expected benefits across:
- Consistent approach to information and data security across CASA: centralised decision making, common language and approach, whether the systems are technological or non-technological.
- Knowledge building and transfer: The combination of knowledge and skills facilitates sharing “knowledge about what is happening across the various areas of the business” (Amjad et al., 2016, p. 130). It also uplifts participants both in cybersecurity and organisational knowledge. The knowledge generated can then flow back to the divisions through the fusion centre participants who now have the ability to guide implementation.
- Advanced threat detection: A fusion centre can drive a shift from remediation to mitigation of potential issues (McLaughlin, 2023, pp. 29-30) by bringing business leaders and IT security onto the same page about what needs protecting. This will complement our Security Information and Event Management (SIEM) implementation and the zero-trust project’s continuous monitoring by informing which events to monitor (Hally, 2023).
- Continuous improvement: The fusion centre will promote review of current risks as well as identification of emerging risks and how they are managed.
- Insider threat protection: While the development of a human-centred cybersecurity culture will aid in reducing accidental insiders (the primary cause of government data breaches), the fusion centre will also help mitigate malicious insiders. The fusion centre will provide a cross-functional approach bringing together information from diverse sources, which is required to mitigate malicious insider threats (McLaughlin, 2023, p. 29), supporting our proposed Insider Threat Program.
These benefits will allow us to be forward facing, continuing our journey of proactive cybersecurity and positioning us to adopt advanced technical approaches such as threat hunting and prediction. This will enable us to identify and survive the unknown unknowns, such as ‘living off the land’ attacks, where adversaries gain access and use legitimate system tools to operate as insiders.
This team will take responsibility for the remaining actions. Due to CASA’s size and resourcing constraints, consideration will need to be given to the practicalities of staffing this initiative; options may include consolidation of existing information management teams, a mixture of permanent and seconded staff from other business areas (with dedicated FTE for seconded staff), or rotating staff through the team.
4.4 Undertake an organisational network analysis
Commonwealth Government Guiding Principle alignment:
Organisational Network Analysis (ONA) is a set of tools which allows organisations to map “how communications, information, and decisions flow through an organization” (McDowell et al., 2016). The ONA will reveal connections within CASA with touchpoints to our ‘high-value data assets’. These connections are “crucial organisational assets” (Marocco et al., 2024, p. 3) and will inform the prioritisation and implementation of opsec.
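As an added illustration of what an ONA pass over mapped information flows can compute for opsec prioritisation (this is example code written for this page, not part of the proposal or of any CASA tooling; the teams, parties, data assets and flows below are constructed), the script maps directed flows, finds the touchpoints to high-value data assets, lists where each asset can travel through those channels without passing through a technical control, and scores each node by how many flows route through it:

```python
"""Toy organisational network analysis (ONA) pass over information flows.

Example code for illustration only: the organisation, people, assets and
flows are constructed and do not describe any real organisation.
"""
from collections import defaultdict, deque

# Constructed sample: directed flows, "source -> target" meaning the source
# routinely sends information to the target (email, shared drives, meetings).
FLOWS = [
    ("licensing-team", "legal"),
    ("legal", "exec-office"),
    ("licensing-team", "records"),
    ("records", "external-contractor"),
    ("exec-office", "board"),
    ("it-security", "exec-office"),
    ("hr", "payroll-vendor"),
    ("hr", "exec-office"),
]

# Constructed sample: which nodes handle which data assets, and which assets
# the organisation has classed as high value (the output of an action like 4.2).
HOLDS = {
    "licensing-team": {"pilot-medical-records"},
    "records": {"pilot-medical-records", "meeting-minutes"},
    "hr": {"staff-pii"},
    "payroll-vendor": {"staff-pii"},
    "exec-office": {"board-papers"},
}
HIGH_VALUE = {"pilot-medical-records", "staff-pii"}


def build_graph(flows):
    """Directed adjacency map; every endpoint becomes a node even with no out-edges."""
    graph = defaultdict(set)
    for src, dst in flows:
        graph[src].add(dst)
        graph.setdefault(dst, set())
    return dict(graph)


def distances_from(graph, start):
    """BFS hop counts from start to every node it can reach (start itself is 0)."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def touchpoints(holds, high_value):
    """Nodes that directly handle at least one high-value asset."""
    return {node for node, assets in holds.items() if assets & high_value}


def exposure(graph, holds, asset):
    """Nodes an asset can flow to via the mapped channels, excluding its recorded holders.

    Anything listed here can receive the asset without any IT control in the path."""
    holders = {node for node, assets in holds.items() if asset in assets}
    reach = set()
    for holder in holders:
        reach |= set(distances_from(graph, holder))
    return sorted(reach - holders)


def broker_scores(graph):
    """Count, per node, the ordered (source, target) pairs whose shortest path
    passes through it: a simple betweenness-style measure of who many flows
    depend on.  Those nodes are the natural places to apply opsec first."""
    dist = {node: distances_from(graph, node) for node in graph}
    scores = {node: 0 for node in graph}
    for s in graph:
        for t, d_st in dist[s].items():
            if t == s:
                continue
            for v in graph:
                if v in (s, t) or v not in dist[s] or t not in dist[v]:
                    continue
                if dist[s][v] + dist[v][t] == d_st:
                    scores[v] += 1
    return scores


def opsec_priorities(graph, holds, high_value):
    """Rank every node that holds or can receive a high-value asset, most central
    first, together with the set of high-value assets within its reach."""
    in_reach = defaultdict(set)
    for node in touchpoints(holds, high_value):
        in_reach[node] |= holds[node] & high_value
    for asset in high_value:
        for node in exposure(graph, holds, asset):
            in_reach[node].add(asset)
    scores = broker_scores(graph)
    return sorted(
        ((node, scores.get(node, 0), assets) for node, assets in in_reach.items()),
        key=lambda row: (-row[1], row[0]),
    )


if __name__ == "__main__":
    graph = build_graph(FLOWS)
    for node, score, assets in opsec_priorities(graph, HOLDS, HIGH_VALUE):
        print(f"{node:20} broker score {score:2}  high-value assets in reach: {sorted(assets)}")
```

On the constructed data the executive office ranks first: it never holds either high-value asset itself, yet both can reach it and it sits on more flow paths than any other node, which is exactly the kind of touchpoint an asset register alone would not surface.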
4.5 Select a maturity model
Commonwealth Government Guiding Principle alignment:
Maturity models allow organisations to assess their current state, determine their desired state and identify gap filling actions to achieve that state (Paulk et al., 1993, as cited in George et al., 2020, p. 14). Taking this approach can help CASA to best place its resources to achieve desired results.
Literature exists to inform the creation of bespoke maturity models (George et al., 2020); however, given the size of CASA and the resources available, it is suggested we select an existing model and make modifications, if required, to contextualise it to our needs. Existing maturity models which may inform discussions include:
- The Global Engagement Maturity Model (The Hoover Institution, 2020, p. 130)
- NIST Cyber Security Framework tiers (NIST, 2024, p. 24)
4.6 Determine cybersecurity principles to inform our opsec analysis
Commonwealth Government Guiding Principle alignment:
Building on the findings of the preceding report, applying cybersecurity principles will assist in making defensible decisions on the “appropriate countermeasures” selected. Applying an aligned paradigm across all information security may produce benefits in workforce planning, cross-team collaboration and incident response.
Considerations include:
- The principles of confidentiality, integrity and availability
- Adopting the attackers’ mindset (using tools such as cyber kill chains and MITRE ATT&CK)
4.7 Apply OpSec to high-value data assets
Commonwealth Government Guiding Principle alignment:
Using the maturity model selected at 4.5 and the target maturity level set against it, apply the opsec process, informed by the cybersecurity principles determined at 4.6, to each of the high-value data assets identified at 4.2.
4.8 Enter BAU and continuous improvement
Following successful implementation of actions 4.1 to 4.7, the Cybersecurity Fusion Centre will enter business-as-usual, taking responsibility for cyber and information security. This will include continuous improvement to refine its operations and outcomes.
References
Amjad, A., Nicholson, M., Stevenson, C., & Douglas, A. (2016). From security monitoring to cyber risk monitoring. Deloitte Review, 19.
Australian Signals Directorate. (2024, February 8). Identifying and mitigating living off the land techniques. Cyber.Gov.Au. https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/identifying-and-mitigating-living-off-the-land-techniques
Brandt, J. (2021, November 1). Operational security: A business imperative. ISACA. https://www.isaca.org/resources/news-and-trends/industry-news/2021/operational-security-a-business-imperative
Danet, D. (2023). Cognitive security: Facing cognitive operations in hybrid warfare. https://papers.academic-conferences.org/index.php/eccws/article/view/1442/1160
George, A., Schmitz, K., & Storey, V. C. (2020). A framework for building mature business intelligence and analytics in organizations. Journal of Database Management, 31(3), 14–39. https://doi.org/10.4018/jdm.2020070102
Marocco, S., Marini, M., & Talamo, A. (2024). Enhancing organizational processes for service innovation: Strategic organizational counseling and organizational network analysis. Frontiers in Research Metrics and Analytics, 9. https://doi.org/10.3389/frma.2024.1270501
NIST. (2024). The NIST cybersecurity framework (CSF) 2.0. National Institute of Standards and Technology. http://dx.doi.org/10.6028/nist.cswp.29