Cyber and general information security has been taking centre stage recently with the widely reported data and system breaches. The latest example is a South African Financial Services Provider whose IT infrastructure security was breached and segments of whose data were held for ransom. The trend is rising as malicious actors seek monetary gain by exploiting an organisation's data. With data being this generation's gold, the miners are out in full force. This ought to lead to cyber security requirements being inspected more closely.
System providers are doing their bit in identifying and patching software flaws, but the humans in the information system are consistently the weakest link. Hackers and malicious social engineers are using more sophisticated and targeted ways to try to breach security systems and protocols. The question is: how do we, as shepherds of the business and system requirements, stand a chance against this?
Cyber security requirements in the digital age have evolved from simple non-functional elements at the end of a traditional requirements document to key elements of the design that proactively secure information and systems. Legislation in the form of the Protection of Personal Information Act (POPI) and the General Data Protection Regulation (GDPR) requires more stringent and proactive security requirements. As we build our information systems, cyber security needs to be at the forefront of our design, while still enabling the users and recipients of this information to do their jobs effectively.
There is no such thing as absolute security when access to information is also a requirement. Any gain in security or accessibility always involves some sort of trade-off. These trade-offs need to be weighed by business and IT according to the following considerations:
- The severity of the risk – how impactful is this event on the organisation, if it occurs?
- The probability of the risk – how likely is this event to occur? The likelihood rises with the type and value of the information as well as with the number of possible points of failure.
- The magnitude of the cost – if a breach happens, what is the potential cost to recover, the impact on the business reputation and the likely downtime? We need to balance these against the cost of implementation and ease of use.
- The effectiveness of the countermeasure – these are the system and user measures for reducing risk. How aware are staff of security measures and what tools and techniques are available to them to mitigate the risks?
Cyber security used to be looked at (from a requirements perspective) purely through the lens of "Is this effective?". The question must evolve to "Is this a good trade-off?", and business needs to be at the forefront of that decision. Using techniques such as Abuse Case Development and User Stories that focus on the security aspects is crucial.
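To make the "Is this a good trade-off?" question concrete, the following is an added example (not the article's own material) that turns the four considerations above into a small, explicit risk-register model. It assumes a simple expected-loss approach: severity is expressed as the cost of the event, probability as an annual likelihood, the countermeasure's effectiveness as the fraction of that likelihood it removes, and the countermeasure's cost as an annual figure. The risk and countermeasure figures below are constructed for illustration, and the "independent failure points" helper is an assumption about how likelihood grows with the number of ways a system can be breached.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    """One undesirable event the business wants to weigh."""
    name: str
    severity: float      # cost if it occurs: recovery + downtime + reputational damage
    probability: float   # estimated annual likelihood, between 0 and 1


@dataclass(frozen=True)
class Countermeasure:
    """A system or user measure that reduces a risk's likelihood."""
    name: str
    annual_cost: float   # implementation and operating cost per year
    effectiveness: float # fraction of the risk's likelihood it removes, 0..1


def combined_probability(per_point_probability: float, failure_points: int) -> float:
    """Likelihood that at least one of several failure points is exploited.

    Assumption (not from the article): failure points are independent, so the
    chance that none of them fails is (1 - p) ** n.
    """
    if not 0.0 <= per_point_probability <= 1.0 or failure_points < 0:
        raise ValueError("probability must be in [0, 1] and failure_points >= 0")
    return 1.0 - (1.0 - per_point_probability) ** failure_points


def expected_loss(risk: Risk) -> float:
    """Annual expected loss with no countermeasure in place."""
    return risk.severity * risk.probability


def residual_loss(risk: Risk, cm: Countermeasure) -> float:
    """Annual expected loss that remains after the countermeasure is applied."""
    return risk.severity * risk.probability * (1.0 - cm.effectiveness)


def net_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Loss avoided by the countermeasure minus what it costs to run."""
    return expected_loss(risk) - residual_loss(risk, cm) - cm.annual_cost


def is_good_trade_off(risk: Risk, cm: Countermeasure) -> bool:
    """The countermeasure pays for itself when it avoids more loss than it costs."""
    return net_benefit(risk, cm) > 0.0


def rank_trade_offs(pairs: List[Tuple[Risk, Countermeasure]]) -> List[Tuple[str, str, float]]:
    """Order candidate (risk, countermeasure) pairs by net benefit, best first."""
    scored = [(r.name, c.name, net_benefit(r, c)) for r, c in pairs]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed sample figures; they are illustrative, not measured data.
RANSOMWARE = Risk("ransomware on customer data", severity=2_000_000.0, probability=0.10)
CREDENTIAL_PHISHING = Risk("staff credential phishing", severity=500_000.0, probability=0.20)

OFFLINE_BACKUPS = Countermeasure("offline backups + restore drills", annual_cost=50_000.0, effectiveness=0.60)
HARDWARE_TOKENS = Countermeasure("hardware tokens for all staff", annual_cost=150_000.0, effectiveness=0.50)
AWARENESS_TRAINING = Countermeasure("phishing awareness programme", annual_cost=20_000.0, effectiveness=0.30)

CANDIDATES = [
    (RANSOMWARE, OFFLINE_BACKUPS),
    (CREDENTIAL_PHISHING, HARDWARE_TOKENS),
    (CREDENTIAL_PHISHING, AWARENESS_TRAINING),
]

if __name__ == "__main__":
    # A system with five exposed login paths, each with a 2% annual chance of compromise.
    print(f"combined likelihood over 5 failure points: {combined_probability(0.02, 5):.4f}")
    for risk_name, cm_name, benefit in rank_trade_offs(CANDIDATES):
        verdict = "good trade-off" if benefit > 0 else "not worth it at this cost"
        print(f"{risk_name:32} | {cm_name:34} | net {benefit:>12,.0f} | {verdict}")
```

The output is a ranked table rather than a single yes/no, because the business decision in the article is about which trade-offs to accept first, not whether a control works in isolation. The same figure that makes a control "effective" (a 50% reduction in phishing likelihood) can still be a poor trade-off when its annual cost exceeds the loss it avoids.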
Get the business to try to break the various security aspects of the system as part of user testing, and ensure that your security requirements can identify, manage and report on these cyber security incidents. Cyber security must no longer be an afterthought; it must be a critical driver in the design of the information system.
The costs of not investing the necessary time and effort in functional security requirements can be huge, now more than ever. Get in touch with us to help you navigate this cyber security minefield.