Full Terms & Conditions of access and use can be found athttp://www.tandfonline.com/action/journalInformation?journalCode=taut20

AutomatikaJournal for Control, Measurement, Electronics, Computing andCommunications

ISSN: 0005-1144 (Print) 1848-3380 (Online) Journal homepage: http://www.tandfonline.com/loi/taut20

Cybersecurity and cyber defence: national levelstrategic approach

Darko Galinec, Darko Možnik & Boris Guberina

To cite this article: Darko Galinec, Darko Možnik & Boris Guberina (2017) Cybersecurityand cyber defence: national level strategic approach, Automatika, 58:3, 273-286, DOI:10.1080/00051144.2017.1407022

To link to this article: https://doi.org/10.1080/00051144.2017.1407022

© 2017 The Author(s). Published by InformaUK Limited, trading as Taylor & FrancisGroup.

Published online: 25 Jan 2018.

Submit your article to this journal

Article views: 2018

View Crossmark data

REGULAR PAPER

Cybersecurity and cyber defence: national level strategic approach

Darko Galinec a, Darko Mo�znikb and Boris Guberinac

aThe Ministry of Defence of The Republic of Croatia, Zagreb, Croatia; bThe Republic of Croatia Ministry of Defence, The Croatian DefenceAcademy, Zagreb, Croatia; cCity of Zagreb – Emergency Management Office, Zagreb, Croatia

ARTICLE HISTORYReceived 28 February 2017Accepted 13 November 2017

ABSTRACTCybersecurity encompasses a broad range of practices, tools and concepts related closely tothose of information and operational technology (OT) security. Cybersecurity is distinctive in itsinclusion of the offensive use of information technology to attack adversaries. Use of the term“cybersecurity” as a key challenge and a synonym for information security or IT securityconfuses customers and security practitioners, and obscures critical differences between thesedisciplines. Recommendation for security leaders is that they should use the term“cybersecurity” to designate only security practices related to the defensive actions involving orrelying upon information technology and/or OT environments and systems. Within this paper,we are aiming to explain “cybersecurity” and describe the relationships among cybersecurity,information security, OT security, IT security, and other related disciplines and practices, e.g.cyber defence, related to their implementation aligned with the planned or existingcybersecurity strategy at the national level. In the case study given example of The NationalCybersecurity Strategy of the Republic of Croatia and Action plan is presented and elaborated.The Strategy’s primary objective is to recognize organizational problems in its implementationand broaden the understanding of the importance of this issue in the society.

KEYWORDSAction plan, cyberattack;cybercrime; cyber defence;cyber operations;cybersecurity; nationalcybersecurity strategy;people-centric security

1. Introduction

Cybersecurity has been practiced in military circles forover a decade. In recent years, the term has appearedin a variety of contexts, many of which have little or norelationship to the original meaning of the term. Mis-use of the term obscures the significance of the practi-ces that make cybersecurity a superset of informationsecurity, operational technology (OT) security and ITsecurity practices related to digital assets.

With the understanding of the specific environment,cyber defence analyses the different threats possible to thegiven environment. It then helps in devising and drivingthe strategies necessary to counter the malicious attacksor threats. A wide range of different activities is involvedin cyber defence for protecting the concerned entity aswell as for the rapid response to a threat landscape.

These could include reducing the appeal of the envi-ronment to the possible attackers, understanding thecritical locations & sensitive information, enacting pre-ventative controls to ensure attacks would be expen-sive, attack detection capability and reaction andresponse capabilities. Cyber defence also carries outtechnical analysis to identify the paths and areas theattackers could target [1].

2. Review of previous work

Military terminology has migrated into non-militarycontexts in the same fashion that military technology

has migrated into civilian enterprises (e.g. theAdvanced Research Projects Agency Network (ARPA-NET) becoming the Internet). Other terms, such asadvanced persistent threat (APT; originally a euphe-mism for network attacks supported by the govern-ment of the People’s Republic of China) [2], haveendured similar transitions. In many cases, a migrationof terminology is beneficial, as it develops better speci-ficity in discussions of technology operations. How-ever, the utility of a term is reduced when itsdistinctive meaning is eroded or destroyed as part ofthe migration to a new context.

2.1. Cybersecurity

Definition: Cybersecurity is the governance, develop-ment, management and use of information security,OT security, and IT security tools and techniques forachieving regulatory compliance, defending assets andcompromising the assets of adversaries [2].

According to above-mentioned authors,cybersecurity

(1) is a superset of the practices embodied in ITsecurity, information security, OT security andoffensive security (see Figure 1);

(2) uses the tools and techniques of IT security, OTsecurity and information security to minimizevulnerabilities, maintain system integrity, allowaccess only to approved users and defend assets;

CONTACT Darko Galinec darko.galinec@morh.hr

© 2017 The Author(s). Published by Informa UK Limited, trading as Taylor & Francis Group.This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricteduse, distribution, and reproduction in any medium, provided the original work is properly cited.

AUTOMATIKA, 2017VOL. 58, NO. 3, 273–286https://doi.org/10.1080/00051144.2017.1407022

(3) includes the development and use of offensiveIT- or OT-based attacks against adversaries; and

(4) supports information assurance objectives withina digital context but does not extend to analoguemedia security (for example, paper documents).

But, in the same time, cybersecurity is not

(1) merely a synonym for information security, OTsecurity or IT security and

(2) use of information security to defend an enter-prise against crime.

(3) Cyberwarfare –although the definition of thisterm is still controversial, the consensus is that“cyberwarfare” refers to the use of cybersecuritycapabilities in a warfare context. This is a com-plex area and should not be confused with physi-cal attacks against infrastructure (e.g. destructionof property and machinery) and informationwarfare (e.g. applying psychological operationsthrough propaganda and misinformationtechniques).

(4) Cyberterrorism – in a similar fashion to cyber-warfare, “cyberterrorism” refers to the use ofcybersecurity techniques as part of a terroristcampaign or activity.

(5) Cybercrime – cybercrime is merely an affected orpretentious term for criminal attacks using ITinfrastructure. It is not related to cybersecurity.

Appropriate uses of “cybersecurity” [2] would bethe following:

(1) In response to threat risk assessments, thedepartment increased its cybersecurity invest-ment to enable reductions in vulnerabilities and

increased capabilities for counterattacks againstidentified attackers (integration of IT securityand offensive capabilities in a single program).

(2) Integration of the IT and OT security programswithin the cybersecurity team enables moreholistic responses to threats (integration of ITand OT in a single program).

(3) The “hacktivist” organization Anonymousemploys a variety of cybersecurity techniques toforward its agenda (use of offensive capabilities).

However, we could face with some inappropriateuses of “cybersecurity”:

(1) In order to mitigate the theft of laptops, thestore’s cybersecurity plan calls for the use ofwholedrive encryption. (This describes a basic ITsecurity action.)

(2) The cybersecurity policy mandates the use ofcomplex passwords for all CAM systems on thefactory floor. (This describes a basic OT securityrequirement.)

2.2. Cyber defence

There are no common definitions for Cyber terms –they are understood to mean different things by differ-ent nations/organizations, despite prevalence in main-stream media and in national and internationalorganizational statements [3].

However, [1] gives definition and further explana-tion of term cyber defence as follows: Cyber defence isa computer network defence mechanism whichincludes response to actions and critical infrastructureprotection and information assurance for organiza-tions, government entities and other possible networks.

Cyber defence focuses on preventing, detecting andproviding timely responses to attacks or threats so thatno infrastructure or information is tampered with.With the growth in volume as well as complexity ofcyberattacks, cyber defence is essential for most entitiesin order to protect sensitive information as well as tosafeguard assets.

Cyber defence provides the much-needed assuranceto run the processes and activities, free from worriesabout threats. It helps in enhancing the security strat-egy utilizations and resources in the most effectivefashion. Cyber defence also helps in improving theeffectiveness of the security resources and securityexpenses, especially in critical locations.

By the recognition of the need to accelerate detec-tion and response to malicious network actors, theUnited States (US) Department of Defense (DoD) hasdefined a new concept, Active Cyber Defence (ACD)as DoD’s synchronized, real-time capability to dis-cover, detect, analyse, and mitigate threats and vulner-abilities [4].

Figure 1. Components of cybersecurity.

274 D. GALINEC ET AL.

2.3. People-centric security

People-centric security (PCS) is a strategy that repre-sents an alternative to conventional information secu-rity practice. PCS aims to strike a balance between riskreduction and employee agility. It is a strategicapproach to information security that emphasizes indi-vidual accountability and trust and de-emphasizesrestrictive, preventative security controls. The conven-tional control-centric approach to information securityis increasingly untenable in rapidly evolving and evermore complex technology, business and riskenvironments.

Security leaders in organizations with the appropri-ate culture should investigate whether some or all ofthe concepts and principles of PCS are applicable totheir security strategies. Such an investigation shouldindicate areas where a more people-centric approachwill enable more cost-effective, trust-based security [5].

PCS is based on a set of key principles, and on therights and related responsibilities of individuals. Thepremise of PCS is that employees have certain rights.However, these are linked to specific responsibilities.These rights and responsibilities are based on anunderstanding that, if an individual does not fulfil hisor her responsibilities, or does not behave in a mannerthat respects the rights of his or her colleagues and thestakeholders of the enterprise, then that individual willbe subject to sanction.

(1) This compact of rights and responsibilities cre-ates a collective co-dependency among employ-ees, exploiting existing social capital within theenterprise.

(2) PCS principles presume an emphasis on detec-tive and reactive controls, and transparent

preventative controls, over the use of intrusivepreventative controls.

(3) PCS favours the maximization of a trust spacewithin which individual autonomy and initiativeis encouraged.

(4) PCS presupposes an open, trust-based corporateculture, and associated executive awareness andsupport.

(5) PCS principles presume that individuals have theappropriate knowledge to understand theirrights, responsibilities and associated decisions.

On the other hand, PCS is not

(1) a replacement for common sense defence indepth security;

(2) a relaxation of security requirements or behav-ioural standards;

(3) identity management, nor is it specificallyfocused on the digital identity of individuals;

(4) aimed at all individuals, but rather at employeesof the enterprise; and

(5) (just about) security awareness and training [3].

2.4. Methodology

Figure 2 [4] illustrates key components and relation-ships related to cyber security:

(1) Cyber security breaches target Data, in mostcases confidential data, such as customer recordsor other valuable information

(2) Data are stored, processed and communicatedon, by or to Assets, such as software, networks,devices (servers, workstations, smart phones,etc.), websites, people and third parties

Figure 2. Cybersecurity key components and relationships.

AUTOMATIKA 275

(3) Threat Actors, such as organized crime gangs,activists and nation states will deploy Threats,usually targeted at or via Assets to access Data

(4) Controls which defend against Threats aremostly applied to Assets and occasionallydirectly to Data

(5) Some Controls such as encryption of mobiledevices protect against specific Threats, such asloss or theft of mobile devices, whereas otherControls, such as software patching protectagainst multiple Threats, such as crimeware, webapp attacks, cyber espionage, etc.

(6) Threats will aim to exploit weaknesses (or vul-nerabilities) in Controls to access Data

(7) If the right Controls are applied to the rightAssets and they are implemented effectively rela-tive to the level of Threat then the organizationwill be able to defend itself against the Threat. Ifthis is not the case then a Data breach will occur.

3. Cybersecurity strategy, cyber operationsand security risk management

While the cost of defending cyber structures as well asthe payoffs from successful attacks keeps rising, thecost of launching an attack simultaneously keepsdecreasing [6].

By the standard military definition, “strategy” is theutilization of all of a nation’s forces, through large-scale, long-range planning and development, to ensuresecurity or victory. For traditional wars against tradi-tional monolithic opponents, that approach worked.

However, for today’s world of asymmetric warfareand rapidly changing threats, the medical definition ofstrategy from Merriam-Webster’s dictionary is moreappropriate for addressing cybersecurity: “an adapta-tion or complex of adaptations (as of behavior, metab-olism or structure) that serves or appears to serve animportant function in achieving evolutionary success”.

The key to increasing cybersecurity is getting tolower levels of vulnerability. Although threat aware-ness is important, by reducing vulnerabilities, allattacks are made more difficult [7].

3.1. Cyber operations

Cyber operations consist of many functions spanningcyber management, cyberattack, cyber exploitation,and cyber defence, all including activities. In theirnature those activities are proactive, defensive, andregenerative. Here we shall mention ACD as a subsetof cyber defence which focuses on the integration andautomation of many services and mechanisms to exe-cute response actions in cyber-relevant time.

ACD is comprised of a set of logical functions tocapture details from enterprise-level architecture tooperational realization with the primary objective to

become a living part of Ministry of Defences’ cyberoperations to help defend the nation from cyber-basedadversaries

Among the many needs of war-fighter operations,there is the need to be secure, which includes the con-cepts of hardening, protecting, attacking, and defend-ing among the war-fighter domains of land, sea, air,space, and cyber. Cyber is an integrating capability forthe other domains, as well as a standalone domain thathas its own unique needs for cyber defence [8].

Cyber defence includes three complementary cate-gories: “proactive“, ”active” and “regenerative”. ”Proac-tive" activities harden the cyber environment andmaintain peak efficiency for cyber infrastructure andmission functions. “Active” activities stop or limit thedamage of adversary cyber activity in cyber-relevanttime. “Reactive” activities restore effectiveness or effi-ciency after a successful cyberattack.

These categories form a continuum of cyber-secu-rity activities occurring continuously and simulta-neously on networks, integrated by a commonframework of automation that includes ACD as a sub-set of integrated cyber defence. The focus herein is onACD [8].

Furthermore, cyber defence includes employingnon-real-time big-data analytics to find trends in his-torical data repositories; likewise, cyber defenceincludes actuarial-like predictions of future events.

Attacks in the non-cyber domains require physicalproximity and time to execute (e.g. a bomb must beclose to a target; a bullet must physically hit its target).

Cyber is unique in the lack of need for physicalproximity to execute an attack (that is, anyone with anInternet connection is a potential participant in thisworldwide battle space) and in the vastly reduced timerequired to perpetrate an attack (for example, bits on awire travel much more quickly than traditional troopsor munitions).

ACD addresses this vastly reduced time necessaryfor a successful attack by integrating many solutions toprovide response actions in cyber-relevant time.Cyber-relevant time is a purposely vague term thataccommodates the needs of the battle space.

If the battle space is a Central Processing Unit(CPU) and Random Access Memory (RAM), and thecombatants are software applications vying for control,the cyber-relevant time is nanoseconds to microsec-onds. If the battle space is between two computers ofclose physical proximity, cyber relevant time is milli-seconds to seconds. For a battle space between twocomputers on opposite sides of the world communicat-ing via satellite links, cyber-relevant time is seconds.With live operators and delays inherent in cognitiveprocessing, key strokes, and mouse clicks, cyber rele-vant time is seconds to minutes.

The requirements for ACD increase as the adversarybecomes smarter and quicker [8].

276 D. GALINEC ET AL.

ACD monitoring activity may provide data feeds tothese analytics, and the ACD sense-making activitymay take influence from these analytics in the formof decision support algorithms. However, these histori-cal and future analytics are outside the scope of real-time processing and, therefore, outside the scope ofACD.

3.2. Cybersecurity risk management

Cyber security breaches, such as those at Ashley Madi-son, the US Office of Personnel Management and JPMorgan Chase have demonstrated the real and presentthreat from cyber breaches. Director of the NationalSecurity Agency and head of the United States CyberCommand, Admiral Mike Rodgers has been moved tostate that ‘It’s not about if you will be penetrated butwhen’ [9].

In response, there is an urgent need for organiza-tions to truly understand their cyber security statusand where necessary take urgent remedial actions torectify weaknesses. If there is not sufficient visibility ofcyber security status, organizations will not be able tomanage cyber security risks and they will almost cer-tainly suffer a breach.

“Visibility of cyber security status” means havingthe complete picture, with measurements so that wecan answer the following questions:

(1) What are our current measured levels of cybersecurity risk across the Enterprise from the mul-tiple threats that we face?

(2) Are these cyber security risks tolerable?(3) If not, what is our justified and prioritized plan

for managing these risks down to tolerablelevels?

(4) Who is responsible and by when?

The ability to measure cyber security status is fun-damental; if we cannot measure then we cannot man-age. Security incident and event management (SIEM)and data analytics solutions can provide valuable indi-cations of actual or potential compromise on the net-work but these are partial views, indicators of ouroverall risk status but not measurements of our riskstatus.

Similarly, threat intelligence services can identifydata losses and provide valuable indications of actualor impending attacks but again these are not measure-ments of our risk status. The same can be said individ-ually about outputs from compliance management,vulnerability management, penetration testing andaudits.

Only by pulling together all of the relevant indica-tors and partial views can we develop overall risk-

based measurement and visibility of our cyber securitystatus [9].

When confidence in our cybersecurity risk measure-ments exists it is possible to respond to events andmake decisions quickly, e.g.

(1) Be able to identify risks that we are not preparedto tolerate and have a clear and prioritized risk-based action plan for the control improvementsnecessary to reduce these risks to an acceptablelevel

(2) To have a better understanding of the implica-tions from threat intelligence or outputs fromSIEM and data analytics allowing faster, bettertargeted responses

(3) To develop risk-based justifications for invest-ment in cyber security solutions and services.

But with the very high level of threat and high ratesof change in both the threat and control landscapes weneed to be able to refresh our view of our cyber securitystatus on an almost daily basis.

Cybersecurity risk management which previouslymight have been an annual process as part of planningand budgeting is now a critical real-time facilitator inthe battle against cyber breaches [9].

Cyber security breaches occur when people, pro-cesses, technology or other components of the cybersecurity risk management system are missing, inade-quate or fail in some way. So we need to understand allof the important components and how they inter-relate.

This does not mean that your risk management sys-tem needs to hold details of (for example) every endpoint and the status of every vulnerability on the net-work because there are other tools which will do thatbut the risk management system does need to knowthat all end points on the network have been (and arebeing) identified and that critical vulnerabilities arebeing addressed quickly.

3.3. Cyber resiliency

Cybersecurity success is essentially the result of aneffective risk management process. However, this pro-cess is being challenged by the inherent complexity ofsystems, developed with vulnerable components andprotocols, and the crescent sophistication of attackers,now backed by well-resourced criminal organizationsand nations.

With this scenario of uncertainties and high volumeof events, it is essential the ability of cyber resiliency

Cyber resiliency is the ability of a system, organiza-tion, mission, or business process to anticipate, with-stand, recover from, and adapt capabilities in the face

AUTOMATIKA 277

of adversary conditions, stresses, or attacks on thecyber resources it needs to function.

3.4. Cyberattack model (intrusion Kill Chain)

The treatment of a cyberattack requires the use of anappropriate attack model. Using an attack model it ispossible to recognize the current state of an attack andits possible future states. An attack model is a model ofhypothesis which will be used to infer possible actionsof attackers.

The Lockheed-Martin Intrusion Kill Chain (IKC)[10] model has been adopted as the central basis of ourattack model. IKC is a model of seven stages that anattacker inescapably follows to plan and carry out anintrusion.

The IKC stages (see Figure 3) are presented as fol-lows [11]:

(1) Information Gathering – Collecting target’sinformation, such as used technologies and itspotential vulnerabilities.

(2) Weaponization – developing malicious code toexplore identified vulnerabilities, coupling thedeveloped code with unsuspected deliverablepayloads like pdfs, docs, and ppts.

(3) Delivery- Transferring the weaponized payloadto the target environment.

(4) Exploitation – Use of vulnerabilities in order toexecute the malicious code.

(5) Installation – Remote Access Trojan’s (RAT) aregenerally installed which allows adversary tomaintain its persistence in the targetedenvironment.

To defeat more sophisticated defence systems,attackers may require the execution of one or moreIKCs to circumvent different defensive controls.

3.5. Cyber resiliency situational awareness

Cyber resiliency success is a result of timely and well-coordinated actions coming from an effective decisionmaking process.

In a resilient system, defenders must be able to per-ceive the movement of attackers, understand themeaning of these movements, and take actions thatwill best counter these movements minimizing effectsand allowing a rapid recovery of affected assets.

As in any conflict, the side that has informationdominance has the greatest chance of victory. Achiev-ing information dominance is about achieving SA (anddenying it to the enemy). SA essentially answers thequestion of which data are as follows:

Command and control (C2). Adversary requires acommunication channel to control its malware andcontinue their actions. Therefore, it needs to be con-nected to a C2 server.

Actions. it is the last phase of the kill chain in whichadversary achieves its objectives by performing actionslike data exfiltration. Defenders can be confident thatadversary achieves this stage after passing through pre-vious stages [11].

4. National cybersecurity strategy and actionplan

The Internet has obviously become a relied-on com-munications infrastructure, much like the telephonesystem was a century ago. However, the evolution andtechnological underpinnings of the Internet are verydifferent from that of telecommunications or any otherinfrastructure.

Thus, different approaches are required to ensurereliable and secure services in cyberspace than on theold telecom networks, and the development of publicpolicy has to proceed very differently, as well. Gartnerrecommends that of national cybersecurity policy takea more realistic approach toward stimulating higherlevels of security in cyberspace, rather than takingapproaches that simply stimulate higher spending orhigher visibility. Although there is definitely a role forgovernment to play, driving higher levels of security incyberspace through policy will be much more like try-ing to deal with global warming than like dealing withtelephone, banking or automotive industry policies [7].

According to [7] a national cybersecurity strategyshould leverage the strengths of the government todrive evolution of the standard security practices usedby government agencies, businesses and citizens intheir daily use of cyberspace.

The goals of such a strategy should be to define thecurrent areas of shortcomings, apply leverage towardclosing those gaps, assess progress and repeat.

A national cybersecurity strategy should not beaimed at having the government seek to control thelevel of security on the Internet or issue legislation tomandate solutions.

Cybersecurity is an inherently distributed problemthat will continue to evolve at the speed of technology.

Figure 3. Intrusion Kill Chain.

278 D. GALINEC ET AL.

Thus, the cybersecurity strategy should focus onprimarily eliminating or shielding vulnerabilities thatenable attacks versus reporting attacks – like a hurri-cane preparedness strategy, which mandates redesign-ing structures or building higher levees versus thedeployment of more water gauges.

4.1. Case study

The National Cyber Security Strategy [12] is a docu-ment with which the Republic of Croatia intends tostart planning, in a systematic and comprehensiveway, the most important activities for protecting all theusers of modern electronic services, both in the publicand economic sectors and among the generalpopulation.

4.1.1. Basic notionsThe aim of the Strategy is to achieve a balanced andcoordinated response of various institutions represent-ing all the sectors of the society to the security threatsin modern-day cyberspace. The Strategy recognizes thevalues that need to be protected, the competent institu-tions and measures for systematic implementation ofsuch protection.

The Strategy is a statement of the cyber securitystakeholders’ determination to take measures in theirrespective areas of responsibility, cooperate with theother stakeholders and exchange the necessary infor-mation. It is a statement of their readiness to continuetheir own further development and adjustment, so thatthe Croatian cyberspace would be organized, available,open and safe to use.

The Strategy and Action plan for its implementa-tion envisage the approach to cyberspace as the virtualdimension of the society. The goal of making the Strat-egy and implementing it by applying the measureselaborated in the Action plan is therefore consistentwith the Cybersecurity Strategy of the European Union[13] and is directed towards achieving the maximumlevel of competence and coordination among all of oursociety’s sectors, for an efficient implementation of lawand protection of democratic values in the virtualdimension of today’s society, that is, in cyberspace.Such a goal can only be achieved with a common, effi-ciently coordinated approach including a whole rangeof different institutions responsible for differentsectors.

The reason for this lies in the fact that the very com-plex area of cyber security covers all the segments ofthe society and largely exceeds the technical area fromwhich it once arose with the rapid development of theInternet and accompanying information and commu-nication technologies.

The fundamental issue in cyber security is thereforethe issue of organization, which is resolved in the Strat-egy through better and more effective connection of all

the segments of the society, using as much as possiblethe existing bodies and their legal responsibilities.

The recognized objectives in different areas of cybersecurity should be achieved by applying the measureselaborated in the Action plan for each individual objec-tive of the Strategy.

The description of the measures presented in theAction plan for the implementation of theStrategy shows that the Strategy will be implementedfor the most part in the framework of the existingfunds of the bodies competent for the activities in aparticular measure and the bodies that will also beinvolved.

The added value of these existing funds and otherresources is achieved through organizational measuresfor the harmonization and better coordination in vari-ous bodies’ work on similar activities, a more efficientexchange of information and, generally, through thesynergy of different institutions and society sectorsthat have so far not been sufficiently connected andcoordinated when it comes to the activities related tocyberspace.

The intention of adopting the Strategy and Actionplan and introducing a systematic and comprehensiveapproach to the area of cyber security is to achieve anumber of objectives very important for the develop-ment of the entire society, in particular:

(1) Systematic approach in the application anddevelopment of the national legal framework totake into account the new, cyber dimension ofthe society.

(2) Implementing activities and measures toimprove the security, resiliency and reliability ofcyberspace;

(3) Setting up a more efficient mechanism for infor-mation sharing in order to ensure a higher levelof general safety in cyberspace.

(4) Raising the awareness of security of all cyber-space users.

(5) Encouraging the development of harmonizededucation programmes.

(6) Encouraging research and development, particu-larly in the area of e-services.

(7) Systematic approach to international coopera-tion in the area of cyber security.

The methodology of approach chosen to define thecontents of the Strategy was based on determining thegeneral goals of the Strategy, society sectors covered bythe Strategy, and basic principles of approach to theimplementation of the Strategy.

Societal segments important for cyber security aredivided into areas estimated to be of highest impor-tance for Croatia at this level of development of theinformation society. The selected areas of cyber secu-rity are as follows:

AUTOMATIKA 279

(8) Electronic communication and informationinfrastructure and services, further divided intopublic telecommunications infrastructure, e-gov-ernment infrastructure and electronic financialservices.

(9) Critical communication and information infra-structure and cyber crisis management;Cybercrime.

Along with the areas of cyber security, the Strategyalso recognizes the interrelations among the areas ofcyber security, thus ensuring coordinated planning ofall joint activities and resources in the mentioned cybersecurity areas. The following interrelations among theareas of cyber security have been selected:

(1) Data protection (groups of protected informa-tion, such as classified information, personaldata, trade secret).

(2) Technical coordination in the treatment of com-puter security incidents.

(3) International cooperation.(4) Education, research, development and raising the

awareness of security in cyberspace.

The Strategy is based on the existing legislation andresponsibilities, but it recognizes the need for certainlaws to be revised through the implementation of themeasures from the Action plan and harmonized withthe recognized requirements of the society’s virtualdimension, which has already become an integral partof both the private and professional lives and activitiesof all citizens and institutions.

The adoption of the Strategy cannot immediatelysolve all the problems that have occurred and accumu-lated throughout the past twenty years of rapid techno-logical development and globalization of the society,the problems that are now present in every facet of oursociety.

The Strategy definitely represents the first steptowards a systematic and lasting improvement of thecurrent state in the area of cyber security and marksthe beginning of introducing long-term and systematiccare for all the future challenges in the society’s virtualdimension, which is extremely important for the fur-ther development of the society.

4.1.2. PrinciplesComprehensive nature of the approach to cyber secu-rity by covering cyberspace, infrastructure and usersunder the Croatian jurisdiction (citizenship, registra-tion, domain, address);

Integration of activities and measures arising fromdifferent cyber security areas and their interconnectionand supplementation in order to create a safercyberspace;

Proactive approach through constant adjustment ofactivities and measures, and adequate periodic adapta-tion of the strategic framework they stem from;

Strengthening resilience, reliability and adjustabilityby applying universal criteria of confidentiality, integ-rity and availability of certain groups of informationand recognized social values, in addition to complyingwith the appropriate obligations related to the protec-tion of privacy, as well as confidentiality, integrity andavailability for certain groups of information, includingthe implementation of appropriate certification andaccreditation of different kinds of devices and systems,and also business processes in which such informationis used;

Application of basic principles as basis of the orga-nization of modern society in the area of cyberspace asthe society’s virtual dimension:

Application of law to protect human rights and lib-erties, especially privacy, ownership and all otheressential characteristics of an organized contemporarysociety;

Developing a harmonized legal framework throughcontinued improvement of all the segments of regula-tory mechanisms of state and sector levels, andthrough harmonized initiatives of all the sectors of thesociety, that is, bodies and legal entities that are stake-holders in this Strategy;

Application of the principle of subsidiarity througha systematically elaborated transfer of power to makedecisions and report on cyber security issues to theappropriate authority whose competences are closestto the matter being resolved in areas important forcyber security, from organization through coordina-tion and cooperation to the technical issues ofresponding to computer threats to certain communica-tion and information infrastructure;

Application of the principle of proportionality tomake the level of protection increase and related costsin each area proportional to the related risks and abili-ties in limiting the threats causing them.

4.1.3. General goals of the strategySystematic approach in the application and enhance-ment of the national legal framework to take intoaccount the new, cyber dimension of the society, keep-ing in mind the harmonization with international obli-gations and global cyber security trends;

Pursuing activities and measures to increase thesecurity, resilience and reliability of cyberspace, whichneed to be applied in order to ensure the availability,integrity and confidentiality of the respective groups ofinformation used in cyberspace, both by the providersof various electronic and infrastructure services and bythe users, namely all legal entities and individualswhose information systems are connected tocyberspace;

280 D. GALINEC ET AL.

Establishing a more efficient mechanism of infor-mation sharing necessary for ensuring a higher level ofgeneral security in cyberspace, whereby each stake-holder is required, especially concerning certain groupsof information, to ensure the implementation of ade-quate and harmonized standards of data protection;

Raising security awareness of all cyberspace userswith an approach that distinguishes between the par-ticularities of the public and economic sectors, legalentities and individuals, and which includes the intro-duction of the necessary educational elements into reg-ular and extracurricular school activities, along withorganizing and implementing various activities aimedat making the broader public aware of certain currentissues in this domain;

Stimulating the development of harmonized educa-tion programmes in schools and higher educationinstitutions, through targeted and specialist courses, byconnecting the academic, public and economic sectors;

Stimulating the development of e-services throughbuilding user confidence in e-services by defining theappropriate minimum security requirements;

Stimulating research and development in order toactivate the potential and encourage harmonizedefforts of the academic, economic and public sectors;

Systematic approach to international cooperationwhich makes possible an efficient transfer of knowl-edge and coordinated information sharing amongstthe different competent national authorities, institu-tions and sectors of the society, with a view to recog-nizing and creating capabilities for successfulparticipation in business activities in a globalenvironment.

4.1.4. Sectors of the society and forms ofcooperation of cybersecurity stakeholdersDefining the sectors of the society and their meaningfor the purposes of this Strategy, as well as forms ofcooperation of the cyber security stakeholders, alsoprovided the definition of the scope of this Strategy.

For the purposes of the Strategy, sectors of the soci-ety and their definitions are as follows:

(1) Public sector with various competent authoritieswhich are the stakeholders of the Strategy, otherstate authorities, bodies of local and regionalself-government units, legal entities with publicauthorities and institutions representing in vari-ous ways the users of cyberspace and entitiesobliged to apply the measures arising from theStrategy.

(2) Academic sector in close cooperation with thestate authorities which are the stakeholders ofthe Strategy, and other education institutionsfrom the public and economic sectors represent-ing in various ways the users of cyberspace and

entities obliged to apply the measures arisingfrom the Strategy.

(3) Economic sector in close cooperation with thecompetent state and regulatory bodies which arethe stakeholders of the Strategy, especially legalentities subject to special regulations concerningcritical infrastructures and defence, as well as allother legal entities and business entities repre-senting in various ways the users of cyberspaceand entities obliged to apply the measures arisingfrom the Strategy, with all the particularities ofthose legal and business entities, with regard totheir scope of work, number of employees andmarkets they cover.

(4) Citizens in general, representing the users ofcommunication and information technologiesand services. The state of security in cyberspacereflects on the citizens in various ways. It alsorefers to the citizens who do not use cyberspaceactively, but their data are in cyberspace.

Forms of cooperation of cyber security stakeholdersenvisaged by the Strategy are as follows:

(1) Coordination within the public sector.(2) National cooperation of the public, academic and

economic sectors.(3) Consultation with the interested public and

informing the citizens.(4) International cooperation of cyber security

stakeholders.

All these forms of cooperation are carried out in asystematic and coordinated manner, in accordancewith competences, capabilities and objectives, andaccording to the functionally elaborated cyber securityareas defined in the Strategy.

4.1.5. Cybersecurity areasCyber security areas are defined in accordance with theevaluation of Croatia’s priority needs at the time ofdrafting the Strategy and they cover the security meas-ures in the area of communication and informationinfrastructure and services, where we have public elec-tronic communications, e-Government and electronicfinancial services as infrastructure of primary strategicinterest for the entire society.

Protection of critical communication and informa-tion infrastructure is also a very important area ofcyber security. It may be present in each of the threeinfrastructure areas mentioned above, but has signifi-cantly different characteristics and it is necessary todetermine the criteria for recognizing thosecharacteristics.

Cybercrime has been present in the society for along time in different forms, but at today’s level ofdevelopment of the society’s virtual dimension it poses

AUTOMATIKA 281

a constant and growing threat to the development andeconomic prosperity of every modern state. That iswhy countering cybercrime is also considered a prior-ity cyber security area and it is necessary to define thestrategic goals to improve the efforts in countering thistype of crime in the coming period.

The area of cyber defence represents the part of thedefence strategy falling under the responsibility of theministry in charge of defence issues. It is the subject ofseparate elaboration and action, which will be pursuedusing all the necessary elements arising from this Strat-egy. Cyberterrorism and other cyber aspects ofnational security are dealt with by a small number ofthe competent bodies within the security and intelli-gence system and require a separate approach, andthat will also include the use of all the necessary ele-ments arising from this Strategy.

Cyber security areas are analysed in relation to thegeneral goals of the Strategy in order to identify thespecial objectives aimed at achieving improvements ineach individual area and the measures necessary forachieving the goals of the Strategy. The special objec-tives, as well as the measures that will be further elabo-rated by the Action plan for the implementation of theStrategy, are determined with regard to the definedsociety sectors and the influence of the cyber securityarea on each individual sector, but also with regard tothe forms of mutual cooperation and coordination ofcyber security stakeholders. The principles defined bythe Strategy are followed in the elaboration of the cybersecurity areas.

It is logical to predict that vulnerability of geospatialdata is expected to be potentially and ultimately targetsfor physical attacks on objects within the data (e.g.changing the metadata with false information withinthe georeferenced data).

4.2. Implementation of the Strategy

Action plan for the implementation of the Strategy,made for the purpose of implementing the Strategy,elaborates the defined strategic goals and determinesthe implementation measures necessary for achievingthose goals, along with the competent authorities andthe list of deadlines for their implementation.

Action plan for the implementation of the Strategyallows for systematic oversight of the implementationof the Strategy and serves as a control mechanismwhich will show whether a certain measure has beenimplemented in its entirety and has produced thedesired result, or it should be redefined in accordancewith the new requirements.

In order to determine in due time whether the Strat-egy is achieving the desired results, namely if thedefined goals are being accomplished and the estab-lished measures implemented within the planned timeframe, it is necessary to set up a system of continuous

monitoring of the implementation of the Strategy andAction plan, thus also setting up a mechanism forcoordinating all the competent government bodies increating the appropriate policies and responses tothreats in cyberspace.

For the purpose of reviewing and improving theimplementation of the Strategy and Action plan for itsimplementation, the Government of the Republic ofCroatia will establish the National Cyber SecurityCouncil1 (hereinafter “the National Council”), whichwill

(1) systematically monitor and coordinate theimplementation of the Strategy and discuss allissues relevant to cyber security;

(2) propose measures to improve the implementa-tion of the Strategy and Action plan for theimplementation of the Strategy;

(3) propose the organization of national exercises inthe area of cyber security;

(4) issue recommendations, opinions, reports andguidelines related to the implementation of theStrategy and Action plan, and

(5) propose amendments to the Strategy and Actionplan or propose the adoption of a new Strategyand action plans, in accordance with the newrequirements.

Based on the requirements described in the area ofcyber crisis management, the National Council will

(1) address issues essential for cyber crisis manage-ment and propose measures for higher efficiency;

(2) analyse the reports on the state of security sub-mitted by the Operational and Technical CyberSecurity Coordination Group;

(3) issue periodic assessments of the state of security;(4) define cyber crisis action plans;(5) issue programmes and action plans for the Oper-

ational and Technical Cyber Security Coordina-tion Group and direct its work.

To ensure the support for the work of the NationalCouncil, the Government of the Republic of Croatiawill establish the Operational and Technical CyberSecurity Coordination Group,2 which will

(1) monitor the state of security in national cyber-space for the purpose of detecting threats thatmay result in cyber crisis,

(2) issue reports on the state of cyber security,(3) propose cyber crisis action plans, and(4) perform other duties according to the issued pro-

grammes and activity plans.

The representatives in the interdepartmental body,the Operational and Technical Cyber Security

282 D. GALINEC ET AL.

Coordination Group, mutually ensure access to opera-tional information from their scope for the purpose ofcoordinated action during cyber crises.

The entities tasked with the measures from theAction plan for the implementation of the Strategy areresponsible for monitoring and collecting informationon the implementation and efficiency of the measuresand are required to submit consolidated reports to theNational Council once a year, no later than the end ofthe first quarter of the current year for the previousyear or, if necessary, more frequently, namely at therequest of the National Council.

The National Council will submit the reports on theimplementation of the Action plan for the implemen-tation of the Strategy to the Government of the Repub-lic of Croatia no later than the end of the secondquarter of the current year for the previous year.

The Strategy will be revised after three years ofimplementation, based on the reports of the entitiestasked with the measures from the Action plan for theimplementation of the Strategy. The National Councilshall submit to the Government of the Republic ofCroatia a consolidated report with the proposedamendments to the Strategy no later than the end ofthe year of revision.

5. Results of the action plan implementationstrategy

5.1. Generally

Strategy and Action Plan were adopted on 7.10.2015(NN number. 108/2015). The National Council andOperational-Technical Coordination for Cyber Secu-rity (NN number 61/2016) have been established forthe implementation of the prescribed goals (generaland special) and measures.

The original data for 2016 were collected in a stan-dardized form (questionnaire) by filling in the Question-naire of all relevant cyber security officers in theRepublic of Croatia (30 institutions). Questionnairesrequired metrics of deadlines and specifically indicatorsof implementation. Reports on Implementation of theAction Plan for the Implementation of the Strategy in2016 have been submitted and the last published AnnualReport on the Implementation of the Action Plan andthe Strategic Security Strategy on the Government of theRepublic of Croatia website (57th Session, Publication22.09.2017) [14]. We personally participated in the draft-ing of the Strategy and the Action Plan, as well as inpublic discussions, round tables, and the collection,processing and analysis as well as in the publication ofdata and results. In the work on the preparation of theannual report, 40 relevant cybernetic security stakehold-ers are involved in the Republic of Croatia.

The sample was representative as it covered 30 rele-vant institutions that are critical to cyber security in

the Republic of Croatia, collected and processed datarelate to 77 measures for 5 areas and 4 links to thecyber security area specified in the Action Plan andStrategy.

The data were collected on a scientific basis. Previ-ously mentioned (i.e. received) data were processedusing qualitative analytical methods.

Using scientific findings based on qualitative analy-sis, from the collected data, we were able to formulateand present the results.

The data collection methodology allows continua-tion of experimental research that will be repeatedsequentially. The applied methodology is used for acomprehensive assessment of cyber security in theRepublic of Croatia.

5.2. Analysis and results of measuresimplementation

The processed data relate to 77 measures (33 measuresin the areas and 44 measures in the area links) listed inthe Action Plan supporting a total of 35 specific and 8general goals in the Strategy elaborated for 5 areas and4 links of cyber security. Collaboration is the intercon-nectedness of the implementation of measures withspecific and general goals.

A reference model has been developed forapproaching and drafting the Strategy and Action Planand for some countries in the region (e.g. the Republicof Slovenia). The approach was systematic, compliantcoherent and comprehensive.

An example of a global campaign of WannaCry’smalicious code was also analysed with regard to esti-mates, i.e. reduction of damage and learned lessons.

All measures of the Action Plan have defined imple-mentation indicators, and the reporting format hasenabled four degree readings on the status of imple-mentation: fully implemented / implemented, imple-mented / carried out, implemented / implemented to alesser extent or implementation not started.

After processing the data from the accompanyingreports of individual measures, out of the 30 relevantcyber security institutions in the Republic of Croatiaand the analyses carried out in certain areas and linksof the areas defined in the Strategy’s objectives andimplementation of the Action Plan, the results are asfollows:

a) for the following areas:(1) Public Electronic Communications (3 measures):

the Strategy has defined three goals, and theAction Plan identified three measures. Imple-mentation indicators: two measures with a 12-month implementation deadline (since the adop-tion of the Strategy) and one long-term measure,

(2) Electronic management (8 measures): the Strat-egy has defined three objectives, and the Action

AUTOMATIKA 283

Plan has developed 8 measures, both sequentialand dependent, with descriptive concrete indica-tors of implementation and set implementationdeadlines. Reporting on the implementation ofmeasures in this area 2016 report is absent. Thekey problem is the insufficient link between tech-nological development strategies and projects inthe area of information technology with securitystrategies and requirements,

(3) Electronic financial services (4 measures): theStrategy has defined two strategic goals in thispriority area, and Action Plan 4 measures thespecific implementation indicators and deadlinesthat have already been implemented. The sub-mitted reports have shown that the measures arebeing implemented, but not fully realized,

(4) Critical Communication and Information Infra-structure and Crisis Management (13 measures):critical communication and information infra-structure are those communication and informa-tion systems that manage critical infrastructure,or are essential to its functioning, regardless ofwhich critical infrastructure sector is concerned.In order to protect processes that are crucial tothe functioning of the state and economy, theStrategy has defined five goals. To achieve thesegoals, the Action Plan foresees the implementa-tion of 13 measures. The Council established aworking group of the Council for the Implemen-tation of the EU NIS – European Union Direc-tive on Security of Network and InformationSystems (NIS Directive) on measures for a highcommon level the security of network and infor-mation systems across the EU from 6 July 2016.For these functionalities, it is foreseen to estab-lish national Competent Authorities for 7 EUcritical infrastructure sectors envisaged by theEU NIS Directive. and

(5) Cybernetic Crime (5 measures): the Strategy out-lined five objectives, and the Action Plan foresees5 measures, which, given their character, need tobe implemented on a continuous basis.

Total areas have: 33 measures.

b) For area links:(1) Data Protection (6 measures): the Strategy has

identified five objectives and the Action Planenvisages 6 measures, one measure being imple-mented on a continuous basis, for 4 measures 12months or 24 months from the adoption of theStrategy or the beginning implementation, whilethe implementation of one measure depends onthe adoption of EU directives,

(2) Technical Coordination in Computer SecurityIncidents (5 measures): the Strategy sets outthree objectives, and the Action Plan for the

achievement of these goals has provided for 5measures, one of which is to be implemented 12months after the adoption of the Strategy, whilethe remaining should be carried outcontinuously,

(3) International Co-operation (6 measures): theStrategy has set 6 objectives and the Action Planforesees 6 measures for the achievement of thesegoals, for which continuous implementation and

(4) Education, Research, Development andEnhancement of Cyber Security (27 measures):the Strategy defines three objectives, and theAction Plan has 27 measures for the achievementof these goals, out of which for 3 measures haveimplementation deadline 2017–2018., and for 2measures 6 months or 12 months from the adop-tion of the Strategy, while the remaining 22measures should be implemented on a continu-ous basis.

A key issue is the need for much greater consistencyof cyber security, and better training of lecturers at dif-ferent levels and types of education.

Total area links have: 44 measuresThere are 77 measures in total.From the above results it can be concluded that the

Strategy 2016 was realized in accordance with the pos-sibilities or engagement of all the stakeholdersappointed by the Coordinator and the Council,through the implementation of the Action Plan meas-ures that support the specific and general objectives ofthe Strategy.

5.3. Conclusion on results

Most of the institutions, in the capacity of the individ-ual Action Plan measures, of which the Councilrequested the filling in of the form, carried out theirobligation and provided the necessary data for analysisto the Council.

The beginning of the implementation of the ActionPlan in 2016 has given some results in a large numberof 30 joint institutions – cybernetic security stakehold-ers of various profiles. All institutions – stakeholdershave recognized and linked activities within their com-petence with the thematic conceptual measures of theAction Plan. Certain coordinators of the implementa-tion of the measures have done their job. In order tofurther implement the national measures in this area,it is necessary to complete the implementation of activ-ities, if necessary with the change of the legislativeframework in the area of national critical infrastruc-ture, in order to be able to access the implementationof measures in the area of critical communication andinformation systems.

A key issue is the need for much greater consistencyof cyber security, and better training of lecturers at

284 D. GALINEC ET AL.

different levels and types of education. That is why theresults of the cybernetic security education programsbeing conducted in the Republic of Croatia arequestionable.

Developing cyber security within the Strategy andAction Plan should be the framework for the develop-ment of all national education programs in this area,and the Council should be involved in the advisoryprocess of the relevant ministry and other bodiesrelated to curricular reform and the improvement ofall types and levels of education in the field of cyber-netic security and defence in the Republic of Croatia.

5.4. Guidelines for the implementation of actionplan measures by the end of 2017

The report points to inadequate horizontal communi-cation between the involved 30 institutions – stake-holders in the implementation of Action Planmeasures. It requires the following:

(1) coordinated and targeted implementation ofmeasures for the achievement of general and spe-cific objectives as defined in the Action Plan andStrategy, and stakeholders to further developtheir core competences and mutually link andco-ordinate, creating synergistic effects at bothnational and sectoral levels;

(2) involve other stakeholders in the implementationof measures wherever they can achieve addi-tional quality in the realization of the goals fromwhich the measure comes from.

6. Conclusion and future work

The government has a major role to play in stimulatingprogress toward higher levels of cybersecurity. Reduc-ing vulnerabilities is the high-leverage area for increas-ing cybersecurity.

An operations-focused approach is needed. Manygovernment agencies can be used as best-practiceexamples of enforcing existing regulations.

Limitations of national cybersecurity strategy arerelated to interrelations and interconnections betweenmany actors at many hierarchical levels.

Nowhere has technological development been moredynamic and comprehensive than in the area of com-munication and information technology. The focushas always been on the rapid development and intro-duction of new services and products, while the secu-rity-related aspects usually had little influence on thebroad acceptance of new technologies.

The life cycles of modern-day information systems,from the process of planning, introduction and usageto their withdrawal from use are very short, whichoften makes their systematic testing impossible and is

most commonly applied as an exception, in expresslyprescribed cases.

Users usually have minimal knowledge of the tech-nology they are using, and the technology is applied insuch a way that makes it very hard to estimate thesecurity characteristics of the majority of commercialproducts regarding the protection of user dataconfidentiality and privacy. Due to that, users’attitude towards the communication and informationtechnology is based almost exclusively on blindconfidence.

Modern societies are deeply imbued with communi-cation and information technology. People are nowa-days connected using various technologies for thetransmission of text, image and sound, including theincreasing Internet of Things (IoT) trend.

While a deviation in the normal functioning of acertain kind of communication and information sys-tem could go unnoticed, improper operation of someother systems could have harsh consequences for thefunctioning of the State; it can cause loss of life, dam-age to health, great material damage, pollution of theenvironment and the disturbance of other functionali-ties essential for the proper functioning of the societyas a whole.

From the beginning of the development of commu-nication and information technologies until the pres-ent day, deviations in their proper functioning haveoccurred due to different reasons, from human erroror malicious action to technological error or organiza-tional omission.

The creation of the Internet and connecting a num-ber of communication and information systems of thepublic, academic and economic sectors, as well as citi-zens, created the contemporary cyberspace composednot only of this interconnected infrastructure, but alsoof the ever growing amounts of available information,and users communicating increasingly among them-selves using a growing number of different services –some completely new, some traditional, but in a new,virtual form.

Deviations in the proper operation of these inter-connected systems or their parts are no longer merelytechnical difficulties; they pose a danger with a globalsecurity impact. Modern societies counter them with arange of activities and measures collectively called“cyber security”.

Based on the vulnerability of geospatial data it maybe ultimately logical to expect attacks with physicalconsequences on objects within the data (e.g. changingthe metadata with false information within the geore-ferenced data).

Further investigations of ours are directed towardsfinding ends and means in order to enable successfulstrategy implementation, including new cycle of plan-ning, coordination and control of the action plan ful-filling, including georeferenced data.

AUTOMATIKA 285

Key roles related to that goal have people (actors)and their performance at all levels of national hierar-chy (cybersecurity combined with PCS).

Notes

1. Interdepartmental panel composed of the authorisedrepresentatives of the competent bodies with nationalor sectoral policy and coordination responsibilities.

2. Interdepartmental panel composed of the authorisedrepresentatives of the competent bodies with opera-tional and technical responsibilities.

Disclosure statement

No potential conflict of interest was reported by the authors.

ORCID

Darko Galinec http://orcid.org/0000-0003-4465-6143

Reference

[1] Cyber Defense. https://www.techopedia.com/definition/6705/cyber-defense. Accessed 2017-02-10.

[2] A. Walls, Perkins E, Weiss J. Definition: “Cybersecur-ity”, G00252816. Gartner Inc.; 2013.

[3] NATO Cyber Cooperative Cyber Defence Center ofExcellence Tallin Estonia. https://ccdcoe.org/cyber-definitions.html. Accessed 2017-02-10.

[4] United States Department of Defense. Strategy foroperating in cyberspace. Department of Defense; 2011.

[5] Scholtz T. Definition: “People-Centric Security“,G00250121. Gartner Inc.; 2013.

[6] Infosecurity. http://infosecurityinc.net/wp-content/uploads/2011/07/Consult-Cyber-1Cyber-Threats-Diminishing-Attack-Costs-gaIncreasing-Complexity4.jpg. Accessed 2016-11-15.

[7] Pescatore J. Toward a national cybersecurity strategy,G00167598. Gartner Inc.; 2009.

[8] Herring MJ, Willett KD. Active cyber defense: a visionfor real-time cyber defense. J Inform Warfare. 2014;13(2):46–55.

[9] Marvell S. The real and present threat of a cyber breachdemands real-time risk management. Acuity RiskManagement; 2015.

[10] Hutchins EM, Cloppert MJ, Amin RM. Intelligence-driven computer network defense informed by analysisof adversary campaigns and intrusion kill chains. 6thAnnual International Conference on Information War-fare and Security; 2011.

[11] Yano ET, Gustavsson PM, A�hlfeldt R. A framework to

support the development of cyber resiliency with situa-tional awareness capability. 20th ICCRTS Proceedings:C2, Cyber, and Trust. International Command andControl Institute; pp. 1–11, 2011.

[12] Government of the Republic of Croatia. The nationalcyber security strategy and action plan for the imple-mentation of the strategy. Official Gazette; 108/2015,2015.

[13] European Commission, Cybersecurity strategy of theEuropean Union: an open, safe and secure cyberspace,Brussels, 7.2.2013, JOIN 1 final, 2013.

[14] Annual report on the implementation of the actionplan and the strategic security strategy on the govern-ment of the Republic of Croatia. http://www.uvns.hr/hr/aktualnosti-i-obavijesti/izvjesce-o-provedbi-akcijskog-plana-za-provedbu-nacionalne-strategije-kiberneticke-sigurnosti-u-2016-godini. Accessed 2017-09-26.

286 D. GALINEC ET AL.