What lawyers mean by ‘reasonable’ cyber security controls
Regulators, litigators and cyber security standards require that cyber security controls should be ‘reasonable’. But rarely do these authorities define what the word means. Lawyers and regulators have long stated that reasonableness is a balance between protecting others from harm and using controls that are no more burdensome than the risks they reduce. They have illustrated this concept with a calculation that is remarkably similar to risk calculations used in cyber security risk management. This paper explores an accidental collaboration between the cyber security community, judges and regulators to define reasonableness, and demonstrates to readers how they can use risk analysis to defend their security programmes as reasonable.
The full article is available to institutions that have subscribed to the journal.
Chris Cronin is a partner at Halock Security Labs and chair of the Duty of Care Risk Analysis (DoCRA) Council. He is the principal author of the DoCRA Standard and of CIS RAM, the Center for Internet Security’s Risk Assessment Method. Since 2010 Chris has helped his clients evaluate their information security risks using processes that are as conducive to professional standards as they are intelligible to business executives, regulators and litigators. Chris’s work as an expert witness has helped clients, regulators and litigators evaluate the reasonableness of security controls and programmes during regulatory oversight or post-breach legal action. As his firm’s practice lead for risk and governance programmes, he has developed governance programmes and threat modelling processes that help clients achieve and maintain ISO 27001 certification. Chris is an active member of the Sedona Conference, a non-profit think tank that creates and publishes commentaries and guidance for the bench, the bar and the public.