Beyond the Castle Model of cyber-risk and cyber-security

Abstract The predominant metaphor for secure computing today is modeled on ever higher, ever better layers of walls. This article explains why that approach is as outmoded for cyber security today as it became for physical security centuries ago. Three forces are undermining the Castle Model as a practical security solution. First, organizations themselves tear down their walls and make their gateways more porous because it pays off in terms of better agility and responsiveness – they can do more, faster and better. Second, technological developments increasingly destroy walls from the outside as computation becomes cheaper for attackers, and the implementation of cyberwalls and gateways becomes more complex, and so contains more vulnerabilities to be exploited by the clever and unscrupulous. Third, changes in the way humans and technology interact, exemplified (but not limited to) the Millennial generation, blur and dissolve the concepts of inside and outside, so that distinctions become invisible, or even unwanted, and boundaries become annoyances to be circumvented. A new approach to cyber security is needed: Organizations and individuals need to get used to operating in compromised environments. The article's conclusion hints at more nuanced forms of computation in environments that must be assumed to be potentially compromised.

[1]  Ming-te Lu Digital Divide in Developing Countries , 2001 .

[2]  Deborah A. Frincke,et al.  Guarding the Castle Keep: Teaching with the Fortress Metaphor , 2004, IEEE Secur. Priv..

[3]  Manuel Castells,et al.  The Internet Galaxy: Reflections on the Internet, Business, and Society , 2001 .

[4]  LeydesdorffLoet The communication of meaning and the structuration of expectations: Giddens' structuration theory and Luhmann's self-organization , 2010 .

[5]  David Beer,et al.  Power through the algorithm? Participatory web cultures and the technological unconscious , 2009, New Media Soc..

[6]  Richard J. Harknett,et al.  The New Policy World of Cybersecurity , 2011 .

[7]  Clay Shirky Here Comes Everybody: The Power of Organizing Without Organizations , 2008 .

[8]  D. Lyon,et al.  After Snowden: Rethinking the Impact of Surveillance , 2014 .

[9]  Sandra L. Calvert,et al.  College students' social networking experiences on Facebook , 2009 .

[10]  Thomas H. Karas,et al.  Metaphors for cyber security. , 2008 .

[11]  John Domingue,et al.  The Future of the Internet , 1999, Academia Letters.

[12]  Saskia Sassen,et al.  Towards a Sociology of Information Technology , 2002 .

[13]  Jeffrey Roy,et al.  Cyber-Security and Risk Management in an Interoperable World , 2012 .

[14]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[15]  Michael Harris,et al.  The End of Absence: Reclaiming What We've Lost in a World of Constant Connection , 2014 .

[16]  Zeynep Tufekci Can You See Me Now? Audience and Disclosure Regulation in Online Social Network Sites , 2008 .

[17]  S. Tefft Digital Divide: Civic Engagement, Information Poverty, and the Internet Worldwide , 2002 .

[18]  Lonnie G Hibbard Communicating with the Net Generation , 2011 .

[19]  Karen K. Myers,et al.  Millennials in the Workplace: A Communication Perspective on Millennials’ Organizational Relationships and Performance , 2010, Journal of business and psychology.

[20]  Thomas J. Johnson,et al.  Believing the blogs of war? How blog users compare on credibility and characteristics in 2003 and 2007 , 2010 .

[21]  Andrea Hershatter,et al.  Millennials and the World of Work: An Organization and Management Perspective , 2010 .

[22]  Martin Gill,et al.  The Handbook of Security , 2014 .