Section 1: All stakeholders

COUNTRY:
NAME:
ORGANIZATION:
JOB POSITION:
SECTOR:
DATE:
STAKEHOLDER GROUP:
INTERVIEWER:
CYSPA Questionnaire
To support:

Impact analysis of cyber disruptions across target industry sectors

Prioritisation of strategic activities for the CYSPA Alliance
Section 1: General Information [To be completed by interviewer where possible]
Question / Response:
Number of employees:
Annual turnover:
Operates across multiple countries? If yes, which?
Member of any trade organisation or initiatives? If yes, which?
Relationships with government departments? If yes, which?
Page 1 of 17
Section 2a: Users:
Section 2a.1: Assets
This section is designed to identify the types of network and information assets your organisation has, and how these contribute to both a national and international picture.
What systems, networks and information assets do you operate which you consider to be critical to your organisation?
For example: Finance systems, CRM systems, HR systems, corporate email, operational control systems, network management systems, payment systems, customer information databases.
What systems, networks and information stores do you operate that you consider to be critical at national or international level (e.g. are part of critical national infrastructure, or provide systemic capability at EU level)?
For example: Systems which could be considered to be part of critical national infrastructure.
What systems, networks and information assets external to your organisation is your organisation critically dependent upon?
For example: National power networks, transport networks, international payment mechanisms such as SWIFT.
Section 2a.2: Threats
This section explores the cyber threat that your organisation faces.
In your opinion, which threat actors present the greatest risk to your organisation?
Please select 2-3 from the list:
Criminal groups or professional fraudsters
Employees/insiders to the organisation
Hobbyist hackers
Competitors
Those involved in industrial espionage
Activists
State sponsored spies
Suppliers or partners
Other:
In your opinion, what are the most serious threats that are perceived in your organization?
Please select 2-3 from the list:
Natural disasters
Environmental or industrial disasters
Communications services failure
Organizational deficiencies
Software vulnerabilities
Masquerading of identity
Malware
APT (Advanced Persistent Threats)
Software manipulation
Destructive attack
Intrusion in the facilities
Staff shortage
Extortion
Social engineering
Other:
How does potential cyber disruption compare with other operational threats across your organisation?
Section 2a.3: Impacts
This section explores the potential impact of a cyber disruption on your organisation.
In the event of a cyber disruption, what impact would be of most concern to your organisation?
Please select 2-3 from the list:
Loss of customer data
Reputation damage through exposure of internal decisions
Interruption of internal service during a trading period
Interruption of service to customer
Direct monetary loss, for example embezzlement
Theft of intellectual property
Theft of competitive bid information or pricing data
Compromise of customer capabilities
Loss or compromise of personal data
Other:
We use a five point scale for assessing the impact of a cyber disruption:
5 - Very high impact: Worst case. Full prescriptive controls & executive oversight required.
4 - High impact: Severe.
3 - Medium impact: Major.
2 - Low impact: Moderate.
1 - Very low impact: Minor. Few controls needed.
0 - Negligible impact: No meaningful impact, no controls needed.
The table below contains a number of scenarios to explore the impact of a cyber disruption on your organisation. Using the above five-point scale, for each scenario please rate the extent to which the different types of impact would affect your organisation:
Columns (A cyber disruption leads to…):
- Impact on the mission. For example: level of damage to operational effectiveness or efficiency.
- Financial/economic loss. For example: % revenue lost; cost of response & fines.
- Reputational damage. For example: amount of negative press coverage; customer satisfaction; public opinion.
- Information availability. For example: criticality of information availability; extent to which information is recoverable/regenerable.
Worked example row - An outage of your online services for a prolonged period:
- Impact on the mission: e.g. 2, Low impact on operational effectiveness.
- Financial/economic loss: e.g. 1, Very low impact – loss of earnings is <1% revenue, cost of response is <1% of revenue.
- Reputational damage: e.g. 3, Medium impact – some negative national press coverage & adverse publicity.
- Information availability: e.g. 1, Very low impact – information is recoverable and outage period is tolerable.
Scenarios to rate against each column:
- An outage of your online services for a prolonged period
- Irretrievable loss of a significant amount of customer data
- Publication of a copy of your latest corporate strategy document
- An outage of part of your operational services
- Your corporate email service being unavailable for several days
- Your Intellectual Property getting into the hands of a competitor
Regarding the assets identified in section 2a.1, what are the critical impacts that could be caused by a cyber disruption on these assets?
For example, financial/economic loss, reputation damage, reduced availability of information.
Section 2a.4: Controls
This section is designed to identify your organisation’s current mechanisms and controls to protect and mitigate against cyber disruptions.
What measures are currently in place to protect the critical assets you identified in 2a.2 from cyber disruptions?
What contingency plans do you have in place in the event of a cyber disruption on these assets?
Who has overall accountability in your organisation for ensuring resilience against cyber disruption?
Which elements of your organisation have a role in achieving resilience?
Generally what information security measures do you employ across your organisation?
Do you feel staff within your organisation understand relevant policies about how different data types are required to be protected?
For example, policies around protection of personal data, financial services data etc.
Section 2b: Providers:
Section 2b.1: Threats
This section is designed to explore the kinds of cyber threats that are faced by the market sectors your organisation operates in.
Which industry sectors does your organisation primarily provide services or products to?
In your opinion, what are the most serious threats that are perceived at the market sector(s) your organisation operates in?
Please select 2-3 from the list:
Natural disasters
Environmental or industrial disasters
Communications services failure
Organizational deficiencies
Software vulnerabilities
Masquerading of identity
Malware
APT (Advanced Persistent Threats)
Software manipulation
Destructive attack
Intrusion in the facilities
Staff shortage
Extortion
Social engineering
Other:
In your opinion, what threat actors present the greatest risk to the market sector(s) your organisation operates in?
Please select 2-3 from the list:
Criminal groups or professional fraudsters
Employees/insiders to the organisation
Hobbyist hackers
Competitors
Those involved in industrial espionage
Activists
State sponsored spies
Suppliers or partners
Other:
Section 2b.2: Impacts
This section is designed to explore the level of impact a potential cyber disruption could have on the market sectors your organisation operates in.
In your opinion, what are the biggest cyber security risks and areas of most concern in these industry sectors?
Section 2c: Public Authorities:
Section 2c.1: Assets
This section is designed to identify the critical infrastructure and assets at a national level.
Which systems, networks, information assets or organisations are you most concerned about in terms of cyber security risk from a national or international level?
Which other systems, networks, information assets or organisations do you consider to be critical at a national or international level?
Section 2c.2: Impacts
This section explores the potential impacts and key challenges that your country faces in relation to cyber security.
At a national level, what level of risk does cyber security currently pose?
What impacts are of most concern at national or international level?
Section 2c.3: Controls
This section is designed to identify the current mechanisms and controls that protect and mitigate against cyber disruptions at a national level.
What initiatives or bodies are currently in place at a national level to improve cyber security?
For example CERTs, information sharing schemes, threat intelligence schemes, awareness schemes.
Are there any further planned national initiatives or bodies designed to improve cyber security? If so, are you able to provide objectives and approximate timescales for these?
In your opinion, do you think the level of cyber security across key organisations in your country is sufficient? Please provide an explanation for your response.
Section 3: All stakeholders
Section 3: Benefits
This section will explore which kinds of strategic direction and action you would be interested in CYSPA taking.
CYSPA Benefits map:
The benefits map shows the different benefits that CYSPA’s stakeholder groups can achieve through involvement with the CYSPA project and Alliance. Which of these benefits are of most interest to your organisation?
Are there any other benefits or outcomes that you would like to achieve through involvement with CYSPA?
If you operate across multiple countries within the EU, what are the biggest challenges this poses from a cyber security perspective?
For example, differing legislative requirements for management of personal data across nations, different levels of law enforcement in relation to cyber crime, differing levels of cyber security maturity across countries.
The European Commission is currently involved in and/or sponsoring a number of initiatives related to cyber security. What kinds of activities do you think are missing at European level?
For example, Europe-wide standards, maturity models, common legislation on cyber security issues, etc.
CYSPA is currently assessing a number of different strategic directions that it could take to actively contribute to improved cyber security across industry. Of the below strategic themes, which would be of most interest to you?
[Please assign each theme a priority of High, Medium or Low]
Theme / Your prioritisation (H, M, L):
- Understanding the cyber security landscape
- Direct action with users
- Evolving the policy and legislative landscape
- Defining common standards and measures
- Improving information and intelligence sharing
- Streamlining the incident process
- Supporting new technology
Section 4: All stakeholders
Section 4: Stakeholder and environmental context
This section will explore the political, business and market environment that your organisation operates in.
What is your opinion of the level of cyber security maturity within your market sector across Europe?
For example:
- How mature do you consider your industry to be in relation to others?
- How aware do you think organisations in your sector are about cyber security concepts and issues?
What market trends in your industry are relevant to cyber security?
Do you think cyber security is a differentiator currently for organisations in your sector?
What is your opinion of the European Commission’s proposal for a Directive on Network and Information Security? Are there any objectives or actions in the proposal that you particularly support or oppose?
For example, the proposed threat information sharing between the Financial Services Industry and Government.
Is there any other information that you would like to provide, or topics that you would like to discuss in relation to cyber security and CYSPA?
Annex 1 - Glossary
accountability
assignment of actions and decisions to an entity
[ISO-27000:2012]
process of tracing information system activities to a responsible source.
[CNSS 4009:2010]
asset
anything that has value to the organization.
NOTE. There are many types of assets, including:
a) information;
b) software, such as a computer program;
c) physical, such as computer;
d) services;
e) people, and their qualifications, skills, and experience; and
f) intangibles, such as reputation and image.
[ISO-27000:2012]
availability
property of being accessible and usable upon demand by an authorized entity
[ISO-27000:2012]
ensuring timely and reliable access to and use of information.
[NIST SP 800-53:2009]
contingency plan
Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disasters.
[NIST SP 800-34:2010]
control
means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal nature
NOTE 1 Controls for information security include any process, policy, procedure, guideline, practice or organizational structure, which can be administrative, technical, management, or legal in nature which modify information security risk.
NOTE 2 Controls may not always exert the intended or assumed modifying effect.
NOTE 3 Control is also used as a synonym for safeguard or countermeasure.
[ISO-27000:2012]
critical infrastructure
Critical infrastructures are those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of governments in European Union (EU) countries.
Critical infrastructure includes:
- energy installations and networks;
- communications and information technology;
- finance (banking, securities and investment);
- health care;
- food;
- water (dams, storage, treatment and networks);
- transport (airports, ports, intermodal facilities, railway and mass transit networks and traffic control systems);
- production, storage and transport of dangerous goods (e.g. chemical, biological, radiological and nuclear materials);
- government (e.g. critical services, facilities, information networks, assets and key national sites and monuments).
http://europa.eu/legislation_summaries/justice_freedom_security/fight_against_terrorism/l33259_en.htm
Critical infrastructures are organizations or institutions with major importance for the public good, whose failure or damage would lead to sustainable supply bottlenecks, considerable disturbance of public security or other dramatic consequences.
[DE CSS:2011]
A term used by governments to describe assets that are essential for the functioning of a society and economy (e.g. electricity generation, gas production, telecommunications, water supply etc.).
[NZ CSS:2011]
disruption
an unplanned event that causes an information system to be inoperable for a length of time (e.g., minor or extended power outage, extended unavailable network, or equipment or facility damage or destruction)
[NIST SP 800-34:2010]
impact
a measure of the effect of an incident, problem or change on business processes. Impact is often based on how service levels will be affected. Impact and urgency are used to assign priority.
[ITIL:2011]
the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.
[NIST SP 800-60:2008]
incident
an unplanned interruption to an IT service or reduction in the quality of an IT service. Failure of a configuration item that has not yet affected service is also an incident – for example, failure of one disk from a mirror set.
[ITIL:2011]
mitigation
limitation of any negative consequence of a particular event.
[ISO/IEC Guide 73]
implementing appropriate risk-reduction controls based on risk management priorities and analysis of alternatives.
[NIST SP 800-53 Rev 4]
resilience
the ability to quickly adapt and recover from any known or unknown changes to the environment through holistic implementation of risk management, contingency, and continuity planning.
[NIST SP 800-34:2010]
adaptive capacity of an organization in a complex and changing environment
[ISO Guide 73:2009]
risk
a measure of the extent to which an organization is threatened by a potential circumstance or event, and typically a function of (1) the adverse impacts that would arise if the circumstance or event occurs and (2) the likelihood of occurrence.
[US ESC:2012]
possibility that a particular threat will adversely impact an information system by exploiting a particular vulnerability.
[CNSS 4009:2010]
risk - level of risk
magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood
[ISO Guide 73:2009]
threat
potential cause of an unwanted incident, which may result in harm to a system or organization
[ISO-27000:2012]
any circumstance or event with the potential to adversely impact an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.
[CNSS 4009:2010]