Drawing upon a wealth of experience from academia, industry, and government service, Cyber Security Policy Guidebook details and dissects, in simple language, current organizational cyber security policy issues on a global scale—taking great care to educate readers on the history and current approaches to the security of cyberspace. It includes thorough descriptions—as well as the pros and cons—of a plethora of issues, and documents policy alternatives for the sake of clarity with respect to policy alone. The Guidebook also delves into organizational implementation issues, and equips readers with descriptions of the positive and negative impact of specific policy choices.
Inside are detailed chapters that:
Explain what is meant by cyber security and cyber security policy
Discuss the process by which cyber security policy goals are set
Educate the reader on decision-making processes related to cyber security
Describe a new framework and taxonomy for explaining cyber security policy issues
Show how the U.S. government is dealing with cyber security policy issues
With a glossary that puts cyber security language in layman's terms—and diagrams that help explain complex topics—Cyber Security Policy Guidebook gives students, scholars, and technical decision-makers the necessary knowledge to make informed decisions on cyber security policy.
Cyber Security Policy Guidebook, by Jennifer L. Bayuk, Jason Healey, Paul Rohmeyer, Marcus H. Sachs, Jeffrey Schmidt, and Joseph Weiss, is available in PDF and/or ePUB format, and is catalogued under Computer Science & Cyber Security.
Cyber security refers generally to the ability to control access to networked systems and the information they contain. Where cyber security controls are effective, cyberspace is considered a reliable, resilient, and trustworthy digital infrastructure. Where cyber security controls are absent, incomplete, or poorly designed, cyberspace is considered the wild west of the digital age. Even those who work in the security profession will have a different view of cyber security depending on the aspects of cyberspace with which they personally interact. Whether a system is a physical facility or a collection of cyberspace components, the role of a security professional assigned to that system is to plan for potential attack and prepare for its consequences.
Although the word “cyber” is mainstream vernacular, what exactly it refers to is elusive. Once a term of science fiction based on the then-emerging field of computer control and communication known as cybernetics, it now refers generally to electronic automation (Safire 1994). The corresponding term “cyberspace” has definitions that range from conceptual to technical, and has been claimed by some to be a fourth domain, where land, sea, and air are the first three (Kuehl 2009). There are numerous definitions of cyberspace and cyber security scattered throughout the literature. Our intent is not to engage in a debate on semantics, so we do not include these definitions. Moreover, such debates are unnecessary for our purpose, as we generally use the term “cyber” not as a noun, but as an adjective that modifies its subject with the property of supporting a collection of automated electronic systems accessible over networks. As reflected in language-usage debates in both the field of cognitive linguistics and the popular literature on lexicography, the way language is used by a given community becomes the de facto definition (Zimmer 2009). We therefore ask our readers to set aside the possibility that they will be confused by references to “cyberspace” and “cyber security” and simply refer to their own current concept of these terms when it makes sense to do so, while keeping in mind that we generally use the term cyber as an adjective whose detailed attributes will change with the system of interest.
At a high level, cyber security is typically explained in terms of a few triads that describe the objectives of security professionals and their methods, respectively (Bayuk 2010). Three that combine to cover most uses of the term are:
prevent, detect, respond
people, process, technology
confidentiality, integrity, and availability.
These reflect the goals of cyber security, the means to achieve cyber security, and the mechanisms by which cyber security goals are achieved, respectively.
Prevent, detect, respond addresses goals common to both physical and cyber security. Traditionally, the primary goal of security planning has been to prevent a successful adversary attack. However, all security professionals are aware that it is simply not possible to prevent all attacks, and so planning and preparation must also include methods to detect attacks in progress, preferably before they cause damage. Whether or not detection processes are effective, once it becomes obvious that a system is threatened, security includes the ability to respond to such incidents. In physical security, the term “first responders” refers to the heroic individuals in the police, fire, and emergency medical professions. Response typically includes repelling the attack, treating human survivors, and safeguarding damaged assets. In cyber security, the third element of the triad is often stated in a slightly more optimistic form: rather than “respond,” it is “recover” or “correct.” This more positive expectation of the outcome of the third triad activity, to recover rather than simply respond, reflects the literature of information security planning, wherein security management is recommended to include complete reconstitution and recovery of any business-critical system. Because information technology allows diversity, redundancy, and reconstitution for the data and programs required to operate systems, information security professionals expect that damage can be completely allayed. In either case, the lessons learned in response are expected to inform prevention planning, creating a loop of continuous security improvement.
People, process, technology addresses methods common to both technology management in general and to cyber security management as a specialized field. This triad observes that systems require operators, and operators must follow established routines in order for systems to accomplish their missions. When applied to security, this triad highlights the fact that security is not achieved by security professionals alone, and also that cyber security cannot be accomplished with technology alone. The system or organization to be secured is acknowledged to include other human elements whose decisions and actions play a vital role in the success of security programs. Even if all these people had motivation and interest to behave securely, they would individually not know how to collectively act to prevent, detect, and recover from harm without preplanned process. So security professionals are expected to weave security programs into existing organizational processes and make strategic use of technology in support of cyber security goals.
Confidentiality, integrity, and availability addresses the security objectives that are specific to information. Confidentiality refers to a system’s capability to limit dissemination of information to authorized use. Integrity refers to the ability to maintain the authenticity, accuracy, and provenance of recorded and reported information. Availability refers to the timely delivery of functional capability. These information security goals applied to information even before it was stored on computers, but the advent of cyberspace has changed the methods by which the goals are achieved, as well as the relative difficulty of achieving them. Technologies to support confidentiality, integrity, and availability are often at odds with each other. For example, efforts to achieve a high level of availability for information in cyberspace often make it harder to maintain information confidentiality. Sorting out just what confidentiality, integrity, and availability mean for each type of information in a given system is the specialty of the cyber security professional. Cyber security refers in general to methods of using people, process, and technology to prevent, detect, and recover from damage to the confidentiality, integrity, and availability of information in cyberspace.
1.2 What Is Cyber Security Policy?
Cyber has created productivity enhancements throughout society, effectively distributing information on a just-in-time basis. No matter the industry or application into which cyber is introduced, increased productivity has been the focus. The rapid delivery of information to cyberspace often reduces overall system security. To technologists engaged in productivity enhancements, security measures often seem in direct opposition to progress: prevention measures reduce, inhibit, or delay user access; detection measures consume vital system resources; and response requirements divert management attention from system features that provide more immediately satisfying capabilities. The tension between demand for cyber functionality and requirements for security is addressed through cyber security policy.
The word “policy” is applied to a variety of situations that concern cyber security. It has been used to refer to laws and regulations concerning information distribution, private enterprise objectives for information protection, computer operations methods for controlling technology, and configuration variables in electronic devices (Gallaher, Link et al. 2008). But there is a myriad of other ways in which literature uses the phrase cyber security policy. As with the term “cyberspace,” there is not one definition, but there is a common theme when the term cyber security is applied to a policy statement as an adjective. The objective of this guidebook is to provide the reader with enough background to understand and appreciate the theme and its derivatives. Those who read it should be able to confidently decipher the numerous varieties of cyber security policy.
Generally, the term “cyber security policy” refers to directives designed to maintain cyber security. Cyber security policy is illustrated in Figure 1.1 using a systemigram, a modeling tool used to make sense of complex topics (Boardman and Sauser 2008). A systemigram creates an illustrative definition succinctly by introducing the components of the thing to be defined (all nouns) and associating them with the activity they generate (all verbs). The tool requires that all major components be connected via a “mainstay” that links the concept to be defined (top left) to its purpose or mission (bottom right). The mainstay is expected to capture the layman’s view of the concept. Other perspectives on the concept to be defined may be represented as supplementary perspectives on the complex concept.
Figure 1.1 Cyber security policy definition.
In Figure 1.1, cyber security policy is presented as something that codifies security goals in support of constituents who are expected to modify their behavior in compliance with the policy to produce cyber security. Figure 1.2 fleshes out the concept, adding the color of different perspectives on cyber security policy. Although not all the additional nodes and links are strictly within the scope of a definition of cyber security policy, they provide insight into the scope as defined in the mainstay of the systemigram of Figure 1.1.
Figure 1.2 Cyber security policy perspectives.
In Figure 1.2, the links to and from the “governance bodies” node illustrate that cyber security policy is adopted by governing bodies as a method of achieving security goals. The figure is purposely generic, as governing bodies often exist outside of the organizations that they govern. For example, a nation-state may be a governing body, but one may also consider a centralized corporate security office a governing body over multiple independent business units. The links emanating from the “enforcement agencies” node illustrate the role of policy enforcement agencies, who establish laws, rules, and/or regulations that are meant not only to affect constituent behavior, but also to affect others, who thereby become stakeholders in the policy process. The links on the far left acknowledge the role of standards that are set by the management of organizations bound by the governing bodies to comply with policy. The links emanating from the node labeled “vendors” depict the vendor relationships of constituents and management, who both influence and are influenced by vendors who provide tools for security policy compliance and support systems security with products and services.
The clusters of nodes and links within and adjoining the “organizations” node refer to an organization that is subject to policy. They show that such organizations observe cyber security policies issued by governing bodies as well as establish their own internal cyber security policies. They also illustrate that organizational management both supports and is supported by systems that are impacted by security policy. The “systems” node refers to the systems used to operate cyberspace, highlighting the interdependent relationship between security controls and system resources. It shows that there is a trade-off between system resources devoted to security controls and those required to process information; that is, the more security control processes can be integrated into systems operation, the less of a resource drain security will be. A typical goal in an internal organizational cyber security strategy is to optimize this trade-off, using documented policy as a communications tool to create awareness that such decisions have been made.
Note that, as illustrated in Figure 1.2, the role of policy is to provide a foundation upon which to prescribe rules for behavior that are expected to achieve cyber security. There is a wide variety of cyber domains that will have vastly different policy statements and associated rules. These domains are further described in Chapter 6. Goals for cyber security do not directly translate into behavior, but a cyber security strategy based upon cyber security goals is expected to culminate in better cyber security policy. Organizations create standards for implementing technology controls and related operational processes and constituents use these standards to comply with policy. Standards are not themselves policies. Rather, they are translations from policy objectives onto a set of technologies and operational processes. Where a standard is directed at policy compliance, it specifies a combination of process and technology configuration that will achieve policy compliance. However, standards may be issued that are not directed at any specific policy objective, and policies may lack corresponding standards.
1.3 Domains of Cyber Security Policy
As depicted in Figure 1.2, cyber security policy is adopted by a governing body and formally applies only to the corresponding domain of governance. The constituents of a security policy, who may also be considered stakeholders, will vary with the scope of the po...
Table of contents
Cover
Table of Contents
Title
Copyright
Foreword
Preface
Acknowledgments
1 Introduction
2 Cyber Security Evolution
3 Cyber Security Objectives
4 Guidance for Decision Makers
5 The Catalog Approach
6 Cyber Security Policy Catalog
7 One Government’s Approach to Cyber Security Policy