
5. Publications that make up the thesis

5.2. Publication 2

5.2.1. Abstract

The Target Corporation is a large multi-national organisation which services millions of clients yearly via its stores. Target had various CIIP mechanisms in place to protect sensitive transactional data, but this was not effective enough to prevent a breach in security. Target stored millions of records on clients, which were of a sensitive nature. This information included credit card details, surnames, and addresses (DLA Piper, 2014; Rosenblum, 2014).

Cyber intruders managed to gain access to the sensitive information by exploiting the Point of Sale (POS) vulnerability. This vulnerability within the CII was identified and exploited by infecting third-party vendors who had access to the CII of the organisation (Gara, 2014). The exploitation and data harvesting occurred over several weeks, as Target remained unaware of the security breach, even though some of the security flags that were raised had been ignored. The main concern is that Target had various CIIP mechanisms in place that did not prove to be effective, resulting in various direct and indirect complications for the organisation. Some of the impacts on the organisation to date are (Gara, 2014; Rosenblum, 2014):

• Loss in revenue – fewer clients are visiting their stores and transacting via electronic means. This is as a direct result of the clients’ losing trust in the organisation;

• Financial losses – all the credit card details that were exposed required replacement, impacting not only Target, but on financial institutions as well;


• Legal implications and costs – Target was sued by various parties as a result of the impact caused by the security breach; and

• Management implications – top-level executives were fired as a consequence of the breach, with the board of directors almost following the same course.

From the Target case, it is evident that a breach in CIIP had a devastating impact on the organisation, spanning long durations after the breach had concluded. The case also highlights the fact that top-level management can and should be held accountable for the implementation of effective and efficient CIIP (Radichel, 2014).

2.5.2.2 eBay

The large online retailer, eBay, also suffered a data breach in 2014. Over 233 million users’ credentials and personal information were stolen from eBay’s CII (Schwartz, 2014). This breach occurred over many months without being detected. The exploitation of their CII resulted from employee credentials being obtained, thus granting the cyber intruders access to large repositories of client details (McGregor, 2014). Once again, this form of poor CIIP impacted the organisation from financial and legal points of view.

Other noticeable intrusions and exploitations have also been experienced by organisations such as the CIA, Scotland Yard, Evernote, Domino’s Pizza and UPS, to name but a few (Hardekopf, 2014).

These cases of poor CIIP indicate that even those organisations considered the most secure can be the victims of security breaches, which must certainly impact them in more ways than one.

2.6 Conclusion

Following the case studies discussed in section 2.5.2, it is evident that small, medium, and large organisations need to ensure that effective CIIP mechanisms are put in place. Even with effective CIIP mechanisms being present, these organisations can still experience exploitation events, which have various negative consequences. Out of this need for improved levels of CIIP within an organisation, the CESIMAS model is defined and presented from Chapter 6 onwards.

As this research is concerned with the crucial nature of ensuring effective and efficient CIIP specifically within an organisation, it was imperative for this chapter to define key terms such as CII and CIIP. As such, a fundamental understanding of the CII landscape within an organisation has been discussed in order to create an understanding of the problem domain.

CIIP is crucial when it comes to ensuring the confidentiality, integrity and availability of all information which enters and exits CII. Chapter 2 created a high-level understanding of the possible types of information exchange that occur in CII, creating various touchpoints which can potentially be exploited to the detriment of the organisation.

Chapter 2 outlined four research questions, which served as a general outline of the chapter:

Research Questions

RQ 2.1 CI and CII are broadly defined in the thesis – what exactly is CI and CII within the context of the thesis and why can these terms be used interchangeably in this thesis?

RQ 2.2 CII is dynamic in nature – what is the role of CII within an organisation in the 21st century?

RQ 2.3 The continuous availability of CII is crucial to any organisation – how is CII protected and what are the modern-day vulnerabilities?

RQ 2.4 Although protecting CII against every single potential threat is not feasible, what are the potential consequences of poor CIIP?

RQ 2.1: CI and CII are broadly defined in the thesis – what exactly is CI and CII within the context of the thesis and why can these terms be used interchangeably in this thesis?

Advancements in technology have led to more organisations utilising electronic means to perform business operations, interact with suppliers and provide services to clients via their CI and CII. This proliferation and adoption of new technologies has led to CI and CII becoming the core lifeblood of the organisation.

The research question indicated that CI and CII are broadly used terms globally. To provide a more accurate scope, section 2.1 defined these aspects as those assets within an organisation through which information exchange can occur in numerous ways. It is important to note that these terms can refer to both physical and virtual elements within the context of an organisation.

RQ 2.2: CII is dynamic in nature – what is the role of CII within an organisation in the 21st century?

RQ 2.1 alluded to the fact that CII is crucial to the existence of an organisation. This is evident, as more organisational processes (both primary and supporting) are being executed within the space of CII. This direct reliance on CII to drive organisational processes creates a dynamic environment where information exchange can occur at various stages.

Examples of these stages include transactional-level data, BYOD environments, and VPN-level communications between CII nodes. Every single information exchange touchpoint can alter other touchpoints at any given point in time, creating a truly dynamic and complex environment. This raises some difficult security concerns, as information exchange can occur externally as well as internally within the organisation’s CII.

RQ 2.3: The continuous availability of CII is crucial to any organisation – how is CII protected and what are the modern-day vulnerabilities?

Firstly, it is important to note that implementing protection mechanisms for CII is not a linear problem that can easily be solved. The dynamic nature of CII makes it difficult to implement effective and efficient protection mechanisms, more so in BYOD environments.

Sections 2.2 and 2.3 alluded to the various factors that influence the consideration of protection mechanisms, as well as the potential creation of vulnerabilities.

Section 2.3 described a high-level overview of some of the aspects which must be considered when assessing and deliberating on the protection mechanisms and technologies that must be implemented. This was visualised as a cyclical graph of nodes and edges in Figure 2.3. Most important to note is that implementation of protection mechanisms for CII is not a one-direction process but a cyclical process, where all levels of employees must be involved.

Potential modern-day vulnerabilities were briefly discussed. These included dynamic BYOD environments, information exchange flows from various networks, employee awareness, and the rise of cyberterrorism in the modern age. These are a few of the potential vulnerabilities. Section 2.4 spoke to the protection mechanisms typically implemented to protect CII and described their caveats and pitfalls.

RQ 2.4: Although protecting CII against every single potential threat is not feasible, what are the potential consequences of poor CIIP?

Section 2.4 formally defined CIIP as the mechanisms, processes, policies, and technologies that are implemented to protect CII. CII operates in a dynamic environment, resulting in CIIP becoming even more challenging as time progresses. Threats exist from both inside and outside an organisation, prompting a holistic RVA to determine the organisation’s appetite for risk regarding certain CII components.

Although typical CIIP mechanisms have limited effectiveness, as discussed in section 2.4, failure to provide effective CIIP can have devastating consequences for an organisation. Section 2.5 concluded the chapter by discussing some of the consequences and impacts that poor CIIP can have on an organisation. These included:

• Reputational loss;

• Revenue loss;

• Loss of trust;

• Loss of IP; and

• Legal implication and ramifications.

A high-level discussion was concluded in section 2.5, where specific reference was made to security breaches in multi-national organisations. In all the case studies, poor CIIP had a crucial impact not only on the organisation but also on third parties, such as clients and suppliers.

In addressing each of the research questions in Chapter 2, the fundamental background literature was introduced, creating an understanding of the problem domain that this thesis addresses. This chapter introduced some high-level concerns, elaborated upon in the literature chapters to follow.

Chapter 3 discusses Multi-Agent Systems (MASs): their ideal characteristics which are suitable for the problem domain of CIIP, and how MASs are used advantageously in the CESIMAS model to address the problem domain.

If I had an hour to solve a problem, I’d spend 55 minutes thinking about the problem and 5 minutes thinking about solutions. – Albert Einstein