Given that an organisation may wish to make an informed decision about their cyberdefence concerns, the following approach can deliver a coherent evaluation.
In the APRA practice guide CPG 235, a “fractal” primitive of data processing is defined. This logical data life-cycle “primitive” suggests the following cybersecurity concepts:
- Perimeter protection – a component of data-capture
- Zero-trust – data processing, retention and publishing
- Data-centric security – data processing, retention and disposal, given that publication suggests outputs beyond the domain into the data-capture of a related data process.


A simple business plan can be created for each “primitive”, described by cybernetic analysis estimating the cost of risk mitigation and the contingent provision required in the event of a catastrophic event. Some of the details required for this exercise may already be present as outputs from other work, e.g. privacy impact assessments.

Expenditure on tooling, expertise, etc. can then be allocated to the protection of these assets, the data processed and the supporting infrastructure, ranked by the cost of remediation of a catastrophic event.
Such sophistication, or elements of it, already exists in many entities, for example financial institutions, but can be replicated or adapted for use in more modest circumstances. The analysis can be as high or as low in resolution as required.
Through a focus on monetary values, matched to the chart of accounts or financial plans, the argument for cyberdefence investment can be made more easily to managerial colleagues from non-IT disciplines.
To complete the exercise, a test against contemporary jurisdictional regulation can be conducted through examination of the scheme of expenditure. Given that incidents will always occur, the question can be asked: “Is this a reasonable response that would be deemed a prudent act of stewardship when viewed by internal and external parties?”
In conclusion
The outlined approach, where the questions “Why” and “What” are separated from the “How”, enables informed consideration and thus provides a decision-making framework for the deployment of cyberdefence. Communication between management disciplines is facilitated, and measurable financial outcomes can be identified and subsequently evaluated for future refinement of the domain, e.g. technology upgrade or process automation.
Further reading:
Australian Signals Directorate Cyber Security Report 2024-2025
ABS GDP Statistics September Quarter 2025
