An activity usually has a justification. In organizations a program, policy, or habitual way of doing things is often the result of letters patent, articles of association, board resolutions, heads of agreement or some other enabling document or action that created the organization and gave it a mission. Missions are sometimes clarified or changed as a result of the currently popular mission, vision, and value statements.
In the public sector there may be by-laws, minutes of city council, resolutions, motions, design guidelines, or other matters to empower organizations. Sub-national governments also pass motions in legislatures and so do national governments.
Laws usually trump such things, so statutes and court rulings can alter, proscribe, or preclude one’s activities. International bodies come into play when they set guidelines, form agreements, negotiate treaties, and so on.
Evaluating a simple hot lunch program in a school can become arduous. Both NGOs and certain schools may deliver such programs. The NGO may do so because it has a broad humanitarian mandate and senior managers decided that hot lunches are congruent with that mandate. The school does it under a directive from the school board, funded by the ratepayers of the city. If pressed, neither party might be able to find a definitive board resolution empowering this action. The action may arise out of a general statement or may have just evolved over time.
An evaluator may find that the city has had responsibility for immigrant settlement downloaded to it from senior governments, and hot lunches may be in keeping with that mandate. Sub-national and national health authorities, as well as others, have guidelines on diet, and there is prima facie evidence that without the hot lunch program, many students would not meet daily dietary requirements. Self-regulating medical associations have such guidelines too.
The World Health Organization and other UN bodies have statements on diet, and so might the UN High Commissioner for Refugees, but these students aren’t refugees. With 2800 bilateral agreements among the OECD countries, there may be language in some about this topic, and there would certainly be agricultural standards in many trade agreements. The European Union probably has standards too.
An evaluator could judge the program on its existence. Hot lunches are good. Students need to eat. They can. Thus, it’s a good program.
But one could also compare the program with guidelines and standards and see whether the calories or dietary balance in the hot lunch is appropriate. Various standards might be met, and others not met.
For example, when evaluating calorie consumption, a set value may not produce the very best health effects. This is especially true in cases where there is a predominantly higher concentration of students experiencing chronic disease. A hot meal could contain a higher ratio of carbohydrates and fats, but little to no protein. This issue is only further compounded if the school offers a hot lunch program yet does not have a physical activity program. But should standards of the UN, WHO, or others apply here?
The judicious researcher might probe how hot the hot lunch is. Certain foods should not be eaten at certain temperatures and this might prove problematic in the evaluation of the program. The lunch was served, but was it eaten? How to know?
Then, as with President Lyndon Johnson’s Great Society legislation in the US, there can be unintended consequences. The hot lunches keep kids in school and not at home for lunch, interrupting family time. Kids might not eat breakfast, the most important meal of the day, in anticipation of the hot lunch. Students with religious protocols or dietary needs may not eat lunch at all. The hot lunch is not very hot.
This same set of methodological problems applies to the evaluation of cyber security in an organization. There may be a resolution of the board, executive leadership, a policy statement, or something vague about privacy and security in organizational documents. These are all subject to interpretation.
There are sub-national and national laws but they don’t apply everywhere. There is a national law and many directives requiring cyber-security. There are some UN conventions and agreements, but some have no signatories and most have only been adopted by a few countries.
To compound matters, such terms as cyber security, cyber terrorism, cyber-crime and the like do not have uniformly accepted definitions. So we are charged with measuring our ability to protect against an ill-defined threat without uniform law, standards, or guidelines. What is to be done?
It is we evaluators who have to set the criteria against which to judge this program of cyber security.
First, we can assess the threat. How stringent a program do we need? Let’s set some parameters:
the organization operates in several jurisdictions
third parties contribute to and help manage our supply chain
clients/customers can interact with us online
employees perform a variety of functions; some interact with customers and suppliers and many don’t
the organization supplies most employees with communications devices and technology
employees have their own devices which are in their homes and portable
The initial solution to this problem could be as simple as a checklist. The following are just a start:
Cyber security systems should be asymmetrical
Not all employees need access to everything
Our organization needs oversight and validation of all security in our supply chain
By asymmetrical we mean that the threat changes over time, and security should change to keep pace.
Moreover, security should be different in different organizations, in different jurisdictions, for different employees, and for divisions and functions within an organization.
European researchers Thierry Balzacq and Myriam Dunn Cavelty capture this notion in their article “A theory of actor-network for cyber-security” when they note that “…fluidity as an overarching threat accounts for multiple policy responses and practices in cyber-security.” Too many people with lots to lose think of the Internet or cyber-space as a single big amorphous entity to be managed.
But this article (quoting scholar Nick Bingham) notes that cyberspace is a “fragmented, divided and contested” group of infrastructures. Nicely muddying the waters, Balzacq and Dunn Cavelty note that even malware forms its own network within the networks of computers, software and malware-removal tools, and is a positive force for those who use it for malicious purposes.
It’s clear that cybersecurity means different things to different groups. These authors call it “a multifaceted set of practices designed to protect networks, computers, programs and data from attack, damage or unauthorised access—in short, it is standardised practices by many different actors to make cyberspace (more) secure.”
What actors will make cyberspace more secure and what are the standardized practices? What does a board, CXO, risk manager, or other executive need to know and need to implement to mitigate potential damages? Research shows that these are tough questions to answer and there is both too little and too much guidance in the marketplace.
First, it may surprise many to find that there are not good working definitions in law of “cyber-crime.” As in the classic court ruling about pornography, we may know it when we see it, but have not yet codified it in law.
Researcher Elaine Fahey, in her article “The EU’s Cybercrime and Cyber-Security Rulemaking: Mapping the Internal and External Dimensions of EU Security,” notes that there is “no commonly agreed definition of cybercrime in EU law or no specific cybercrime Directive.” She adds that there is only a “minimal or limited harmonisation of laws, so much so that several Member States sought to rely upon existing legislation in place…”
For sure, the definition may “include offences against computer data and systems, but also more broadly, to include offences committed with the help of computer data and systems.”
It’s hard to imagine anything happening in modern life without computers or computer data.
Fahey goes on to note that other factors include confidentiality of data, militarism, national laws, and measures spanning several nations in the European Union, for example. She defines “[s]oft law” as “awareness raising exercises” and multilateral cooperation.
Into the mix comes the North Atlantic Treaty Organization (NATO), which naturally wants “a single market for cyber-security products, including voluntary EU certification.” This is natural, because NATO has also wanted to standardize the military equipment used by member countries in case soldiers have to use each other’s equipment on the battlefield.
Several other organizations come into the mix, including the Council of Europe, the Organization for Economic Cooperation and Development (OECD), and the ASEAN nations in the Asia-Pacific. While each one has its own unique differences, each has to abide by its treaty obligations, including NORAD, NAFTA, the Commonwealth, the Internet Corporation for Assigned Names and Numbers (ICANN), responsible for the Domain Name System (DNS), and countless others.
Multiple actors involved in standards and regulation usually means no standards or regulation. Now is the time for our global organizations to get to the table to hammer these issues out. People and countless electronic systems will be safer for it.