The Twelve Principles of Safe Places

Abstract

In this chapter, we systematize best cyberdefense practices, which came out of our discussions with expert researchers and practitioners. These practices are conveniently partitioned into twelve principles of safe places. Potential benefits associated with applying each principle to business cybersecurity systems are discussed.

Notes

  1. Many of the ideas communicated in this chapter came out of interviews with our consultants, to whom we are really grateful for sharing their thoughts and ideas with us. We are particularly grateful to Boris Taratine for many insightful comments and suggestions, which helped to significantly improve this chapter.

Author information

Correspondence to Ganna Pogrebna.

Copyright information

© 2019 The Author(s)

Cite this chapter

Pogrebna, G., Skilton, M. (2019). The Twelve Principles of Safe Places. In: Navigating New Cyber Risks. Palgrave Macmillan, Cham. https://doi.org/10.1007/978-3-030-13527-0_13
