Cyberdefense is of undoubted value. It represents the outermost level of the digital ecosystem, in line with the concept of defense in depth. Picture a balloon filled with air: A single leak in one spot can result in the destruction of the entire object. A balloon does not have any zones that are particularly vulnerable, but rather, the whole vessel is vulnerable, regardless of the exact point where the rupture occurs. An organization’s cyberdefense perimeter is similar. One may believe they are protected on all fronts, but inevitably, the entire attack surface cannot be equally protected in every position, which can have unpredictable consequences. If one point is compromised, then the entire digital surface is compromised.
Most cybersecurity standards, frameworks, and laws have a specific scope (e.g., technology, individuals, critical infrastructures, financial transactions, the supply chain, or any combination of these) without ever achieving full coverage of the digital ecosystem. While there may be attempts to issue broader guidance or regulations encompassing the entire digital ecosystem, nuance in the real world is likely to nullify the end result in the digital world. For example, a country may fail to enforce a rule with due diligence, defeating the overall purpose.
It is not conceivable to rely on a single checklist of cybersecurity measures for all entities in the ecosystem, on a voluntary basis or otherwise; the varying economic and operational capacities of each entity and its risk culture would prevent comprehensive implementation. Thus, a reasonable cybersecurity model is proposed that could feasibly be adapted to the control capabilities of many of the entities within the digital ecosystem.
Abstract Representation of an Ecosystem
A digital ecosystem can be compared to a universe composed of three domains that interact through the substrate of data. The data is the element at the base of the ecosystem and changes its nature according to how it is used, transforming itself into information and acquiring new value depending on the party that is processing it at that moment. Data processing may be conditioned by cross-domain communication enablers, including technology, services, compliance, social behaviors, environmental needs, and more (figure 1).
Domains represent the main focus of legal compliance actions in cybersecurity, according to the attribution of responsibility, that is, the individual, the enterprise, and all other subjects with which they interact, even the unknown ones (i.e., unforeseen threats). The domains consist of:
- People—A set of individuals who request services from suppliers in the ecosystem and who may be (un)aware subjects of actions carried out by third parties against them. They are owners of personal data who are accountable to the law and interact in various ways in both the digital ecosystem and the physical world.
- Organizations—Providers of digital or physical services aimed at both individuals and entities. They are subject to enterprise control regulations as well as technical regulations and have an internal organizational structure with roles and responsibilities for the governance of operational processes.
- World—An external environment formed by third parties providing services, by competitors of those services, by countless other subjects who would like to gain (un)lawful advantages from the use of organizational resources, or from the personal data of individuals.
Data interfaces between individuals and service providers or between organizations and their supply chains are generally related to services regulated by laws, standards, or contracts. Most cyberthreats act precisely on these data interfaces, but a comprehensive protection approach, extended to the entire surface of the ecosystem, is missing. To build an effective security baseline with such breadth, it is necessary to identify the main components of the three domains, understand the legitimate interactions between them, and define common, prescriptive rules.
Defense in the Ecosystem
The first significant step taken toward cyberdefense legislation dates back to 2013. In February of that year, US Executive Order 13636: Improving Critical Infrastructure Cybersecurity was issued, which recognizes the importance and necessity of a common defense against cyberthreats.1 As an initial parameter, it focused on entities most critical to the nation’s infrastructure. In 2014, the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) was created in a joint effort by public institutions and private companies.2 NIST CSF is a voluntary framework used to assess the weaknesses of an organization’s digital space. This is a fundamental concept that is sometimes overlooked: Before acting, an organization should always conduct an initial assessment to make informed decisions.
In 2016, Europe followed a similar path to protect critical infrastructure through EU Directive 2016/1148 ("concerning measures for a high common level of security of network and information systems").3 Among its prescriptive measures is the reporting of cybersecurity incidents to improve the knowledge base of active threats and create the conditions to react to the entire scope defined by the directive.
Guiding principles have also been established for risk assessment. Results and recommendations for risk mitigation must be expressed in a manner that is accessible to all, not only technical professionals. Decisions made based on risk analysis should support an approach to risk management that is adaptable to different situations, cost-effective, and performance-driven. The controls identified should derive from international standards (e.g., International Organization for Standardization [ISO]/International Electrotechnical Commission [IEC] 27001:2022 to implement a protection system, NIST CSF 2.0 to assess the cyberrisk profile)4 The risk assessment process should be cyclical to align with the evolution of technologies and threats. Due to the intrinsic diversity of enterprises, a framework cannot be applied by all in the same way; the one-size-fits-all principle is not suitable for building a security baseline at the ecosystem level.
Reasonable Cybersecurity
Another important component of protecting the digital ecosystem is the concept of reasonable cybersecurity, which encompasses measures aimed at protecting data against loss, misuse, unauthorized access, or modification.5 The measures should be implemented based on a standard of diligence for how a reasonably prudent person would act in circumstances of potential threats.
To effectively define a minimum cross-sector standard for cybersecurity, reasonable cybersecurity advocates must take into account that cybersecurity requirements and expected results will vary based on the type and capacity of the organization in question. Only if they are proportionate to the implementation capabilities of the organization can reasonable cybersecurity measures be prescriptive. Some characteristics have been established to classify organizational capacity:
- Size and complexity of the organization
- Nature and scope of the organization's activities
- Sensitivity of the information to be protected
- Cost and availability of tools to improve information security and reduce vulnerabilities
- Resources and expertise available to the organization
The Center for Internet Security (CIS) Critical Security Controls provides practical guidance to help organizations develop reasonable cybersecurity programs.6 An effective program will provide the organization with the ability to meet compliance requirements with a degree of effort that is acceptable to the organization. Controls must be designed based on the implementation capabilities of the entity. To do so, implementation groups can be used, which represent three degrees of complexity. The mandatory nature of a control is decided by the group level assigned to the organization according to the rule that the level n has the obligation to implement all controls with a level number equal to or less than n. This concept is effective for identifying mandatory controls based on the characteristics of an organization, but it does not provide a formal method for how to attribute the level number to the organization.
Formally Establish the Implementation Capability
EU Recommendation 2003/361/EC is used to define "micro, small and medium-sized enterprises," as illustrated in figure 2.7 An organization can use the respective staff criteria and financial numbers to classify its potential to implement controls. This recommendation provides concrete legal terms to divide entities according to a plausible ability to apply specific rules, thus paving the way for prescriptive controls, with the certainty that each entity can uniquely identify itself through this classification.
Figure 2—Entities Classification Matrix
| Entity Category |
Number of Staff | Total Sales Revenue |
Balance Sheet |
|---|---|---|---|
| Individual | 0 or 1 | N/A | N/A |
| Micro | < 10 | ≤ € 2,000,000 | ≤ € 2,000,000 |
| Small | < 50 | ≤ € 10,000,000 | ≤ € 10,000,000 |
| Medium | < 250 | ≤ € 50,000,000 | ≤ € 43,000,000 |
| Large | > 250 | > € 50,000,000 | > € 43,000,000 |
Through this categorization, it is possible to gauge a control’s implementation plausibility based on the characteristics and capacity of the organization that would be applying it. The clear identification of one’s classification and the adequacy of the control make it realistic to require compliance in a prescriptive manner.
Cybersecurity controls must be defined in a reasonable and adequate way to the current risk profile of the ecosystem, both in terms of implementation capacity and cost.Security Baseline Concept
The division of enterprises into categories allows for the introduction of the concept of a security baseline, i.e., a homogeneous and adequate level of security to tolerate the intrinsic risk in a homogeneous manner within an entire category. For this reason, the responsibilities and the mandatory application of controls must be specifically adapted to the actual implementation capacity of the entities of each category. (figure 3). To make the operational controls identified in the security baseline prescriptive and effective, the entity must have the real economic availability and management capabilities to acquire and govern the specific technologies or services required.
Figure 3—Reasonable Baseline Layout Example
| Controls | Individual | Micro | Small | Medium | Large |
|---|---|---|---|---|---|
| 1: Policies and procedures |
Optional | Except the rule Audit lev.A1 |
Need CIO EXT Audit lev.A3 |
Need CIO EXT Audit lev.A5 |
Add new rule Need CIO INT |
| 2: Inventory of ICT assets |
Optional | Except the rule Audit lev.A1 |
Need CIO EXT Audit lev.A3 |
Need CIO INT Audit lev.A5 |
Add new rule Audit lev.A6 |
| 3: Data protection |
Should Except the rule |
Need CISO EXT Audit lev.A3 |
Need CISO EXT Audit lev.A4 |
Need CISO Audit lev.A5 |
Need CISO Audit lev.A6 |
| 4: Secure configuration of ICT assets |
Should Except the rule |
Need CIO EXT Audit lev.A1 |
Except the rule Need CIO EXT |
Except the rule Need CIO EXT |
Need CIO INT Audit lev.A6 |
| 5: ICT supplier management |
Optional | Need CIO EXT Audit lev.A2 |
Need CIO EXT Audit lev.A3 |
Need CIO EXT Audit lev.A5 |
Need CIO INT Audit lev.A6 |
| 6: Access control management |
Should Audit lev.A1 |
Except the rule Audit lev.A3 |
Except the rule Audit lev.A4 |
Add new rule Audit lev.A5 |
Add new rule Audit lev.A6 |
In the baseline scheme illustrated by the figure, the cells must not limit themselves to defining the sole obligation of the control described in the first column but must be able to graduate the implementation effort based on the type of entity. Only in this way will it be reasonable to impose the control in a prescriptive manner.
For example, the mandatory nature of the control as described in the first column will be the default (“shall”), but alternatively, it could be marked “optional” (if possible, it should be done) or “should” (it should be done, otherwise, insert the justification in the risk analysis). For roles of responsibility, such as the chief information security officer (CISO) or the chief information officer (CIO), there may be further choices such as part-time equivalent (PTE) or full-time equivalent (FTE), or internal (Int) or external (Ext). Even the exclusion (Except…) or the addition (Add…) of rules or parts of a control are parameters used to better adhere to the characteristics of the entities involved. The audit levels are described in the forthcoming figure 5.
Management System Methods
On their own, the lists of controls to be implemented are not enough to ensure cybersecurity governance at the level of the entire digital ecosystem. The construction of a cybersecurity management system requires the involvement of all the entities in the ecosystem and the definition of appropriate processes to regulate the phases (figure 4) of effectiveness assessment, implementation of controls, and harmonization of measures. This approach aims to create an effective and homogeneous security baseline for the entire attack surface.
The methods for the functioning of a reasonable cybersecurity management system in a digital ecosystem are largely the same as those of a classic information security management system (ISMS). It is only necessary to adapt them to change the governance perspective, moving from a consideration exclusively focused on one's own organization to the sharing of operations with a public authority, and in addition to harmonizing the controls on the entire ecosystem to ensure their consistent application. The main proposed methods are:
- Assessment—A set of actions necessary to ensure the ability to create a risk profile by defining methods for evaluating the performance and effectiveness of a system. Criteria are also established to determine the operational perimeter of the entity on which the controls will act. The risk assessment process will define the methods of implementation and the frequency of its life cycle.
- Implementation—A set of actions necessary to implement the controls identified by the risk treatment plan and the methods of control monitoring that will be implemented. The preparation phases of reporting on the effectiveness of the system and the management review process are also regulated to ensure uniformity in the assessments.
- Harmonization—A set of actions to maintain an active security baseline that is homogeneous and measurable in effectiveness at the digital ecosystem level. The ability to measure effectiveness is a preparatory step to the implementation of a prescriptive approach. Additional methods contribute to the creation of a baseline implemented uniformly for each category of entities:
- Coordination—A process that ensures that there are common tools at the methodological level for assessment, implementation, and monitoring in order to obtain comparable results
- Communication—A process that promptly shares information about emerging threats and incidents, and provides timely knowledge on updating defense techniques
- Cooperation—A process that actively participates in strengthening the system with solutions for integrating risk management into the supply chain, training services, or external monitoring
For effective governance of the security baseline, the flow of information between entities and control authorities focuses on two themes: sharing information about incidents or emerging threats and assessing the risk profile. Knowledge of cyberincidents helps update the threat register with new scenarios to monitor. Monitoring the risk profile of entities provides a heatmap of how effective the protection measures are and what areas may require improved control.
The need for continuous comparisons and aggregation of results to assess the general state of the ecosystem requires a flexible and practical method. A maturity model represents a suitable solution because it is simple, reliable, and low-cost. Simplicity means that the evaluation process is easy to understand, timely, and can be implemented even by enterprises with low operational capacity. Furthermore, despite having a qualitative approach, it does not lack expressive capacity; the evaluation should indicate cases of improvement, invariance, or worsening compared to the previous evaluation.
Verification Process
To ensure the effectiveness of the measures adopted in building the security baseline, a periodic verification of the results achieved should be performed through a cyclical maturity evaluation. An agile verification system can balance the assessment process with auditing. For each control and category of entity, the most suitable type of verification must be defined. The latter can be divided into levels, established as a progression of increasingly stringent obligations starting from a self-assessment up to an international certification (figure 5).
Figure 5—Audit Levels
| Code | Audit Type Description |
|---|---|
| A0 | No obligation |
| A1 | Self-assessment updated annually and available in case of authority verification |
| A2 | Self-assessment updated at least annually and published in a public register |
| A3 | Three-year remote audit with plausibility check for certificate and A2 obligation |
| A4 | Three-year remote audit with request for evidence for certificate and A2 obligation |
| A5 | On-site audit for international certification and A2 obligation |
| A6 | On-site audit for international certification with annual surveillance |
The results of the assessment must be submitted to a public register managed by the reference authorities of the entities included in the ecosystem, while the certificates and certifications are managed by the certification bodies as proof of an independent audit.
Conclusion
During a cyberattack, the entire surface of the digital ecosystem is potentially available to the attacker. Protecting this surface requires the definition of a security baseline that adequately reflects the control implementation capabilities of the entities within the ecosystem. A system based on minimum measures that are the same for everyone is not realistic, and it is therefore necessary to build a management system with scalar measures based on the capabilities of the entities and extended to the entire ecosystem. The approach must be holistic to effectively address all technical, legal, and organizational issues relating to the entities that make up the ecosystem. Furthermore, to ensure the application of the established rules, the mechanism must be prescriptive. For this reason, cybersecurity controls must be defined in a reasonable and adequate way to the current risk profile of the ecosystem, both in terms of implementation capacity and cost.
A reasonable cybersecurity management system must have methods to ensure assessment and implementation as if it were applied to a single entity rather than the entire digital ecosystem. In addition, there must also be methods to ensure communication of the results and the necessary support to focus efforts on the security baseline. At the regulatory level, the baseline represents an opportunity to simplify the description of legal requirements in cybersecurity measures because it is sufficient to declare the gap with respect to the baseline, i.e., to establish the desired change in control maturity.
Endnotes
1 The White House, Exec. Order 13,636, USA, 12 February 2013
2 National Institute of Standards and Technology, The NIST Cybersecurity Framework (CSF) 2.0, USA, 26 February 2024
3 EUR-Lex, Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 Concerning Measures for a High Common Level of Security of Network and Information Systems Across the Union, European Union, 2016
4 International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), Joint Technical Committee on Information Technology (ISO/IEC JTC 1), ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection―Information security management systems―Requirements, Edition 3, 2022
5 Center for Internet Security, Reasonable Cybersecurity Guide, October 2024
6 Center for Internet Security (CIS), CIS Critical Security Controls
7 EUR-Lex, Commission Recommendation of 6 May 2003 Concerning the Definition of Micro, Small and Medium-Sized enterprises (Notified Under Document Number C(2003) 1422), European Union, 2003
LUIGI SBRIZ | CISM, CRISC, CDPSE, ISO/IEC 27001 LA, ITIL V4, NIST CSF, TISAX AL3, UNI 11697:2017 DPO
Is a lead auditor, trainer, and senior consultant on risk management, cybersecurity, and privacy. He is also a member of several international associations that focus on cybersecurity, risk, and privacy. Sbriz has been responsible for risk monitoring at a multinational automotive company for more than seven years. Previously, he was responsible for ICT services and resources management in the Asia-Pacific region (China, Japan, and Malaysia) after serving as worldwide information security officer for more than seven years. He developed an original methodology for risk monitoring, integrating operational risk analysis tools, conducting control maturity assessments, and executing a risk-based internal audit process. Additionally, he designed an OSINT-based cybermonitoring tool and is proposing a digital identity authentication standard. He can be reached on LinkedIn (https://www.linkedin.com/in/luigisbriz).