1. Introduction
Contemporary organisations in any industry are increasingly, and in most cases irreversibly, dependent on information systems and the connections between them. This dependence holds true both intra- and inter-organisationally. The information systems in use may have legacy elements, sometimes even dating back to the time when an internet connection was not a common feature in organisations' repertoire. Today most organisations are online all the time, and their internal systems are used in environments that are already or easily connected to the internet. The internet population is currently estimated at over two billion individuals (James, 2012). The number of devices connected to the internet is approximated to grow fivefold by the end of the decade (Evans, 2012). Not all users are there with purely good intentions.
According to one definition, cyber threats are Internet-borne activities that may harm or have the potential to harm a computer or network and compromise the confidentiality, integrity, or availability of network data or systems (CCIP, 2013). In public, cyber threats are often discussed from the perspectives of national infrastructure and national safety. However, the operations of organisations do not always follow national borders, even though their organisational infrastructures are subject to one national infrastructure at a time. Organisations sometimes operate in a truly international or even global environment. Hence, the threats they face in their operations are not national; they are global. National cyber strategies, however, seem to assume that the operations of, for example, companies abide by national boundaries.
Organisations should use internally confirmed information security policies and procedures as tools to manage their information security. The policies usually address multiple threats that the information of the organisation is facing. Most of the threats addressed are direct threats. However, it is important to understand the complex nature of the cyber dimension and not to be short-sighted in this regard. The problem is to also recognise the possible indirect, second-hand, and collateral effects and to prepare for them as well. “If it runs on computers and computer networks, it's a potential target,” says the chairman of the U.S. government’s subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Patrick Meehan (2013). The paranoia-arousing question is: what does not run on computers? Organisations are increasingly reliant on computer systems for all their activities.
The purpose of this paper is to explore the cyber threats that businesses may face and how they can prepare for the risk in advance in their information security policies. The research question in this paper is ‘What challenges does the cyber dimension of threats present for organisations and their information security policies?’ The paper presents theoretical background on information security policies and the cyber threat phenomenon in section two. In section three the paper analyses the threats and their potential effect on the operations of organisations with the use of scenario analysis. In the last section the paper assesses the possibilities to take the cyber threats into account in information security policies.