Does the NIS implementation strategy effectively address cyber security risks in the UK?

Title: Does the NIS implementation strategy effectively address cyber security risks in the UK?
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Shukla, Meha; Johnson, Shane D.; Jones, Peter
Conference Name: 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security)
Date Published: June
Keywords: CA, CNI, CNI sectors, collaborative implementation approach, Computer crime, connected smart technology implementations, critical national infrastructure, cross-sector CNI service security measures, cyber attack, cyber risk management, cyber security, cyber security risks, cyber spaces, Cyber-physical security, cyber-risk management capabilities, cyber-security risk management capabilities, DSP, IGP, IoT, legislation, Metrics, national framework, NCSC, network and information security, NIS, NIS directive, NIS framework, NIS implementation, NIS implementation strategy, NIS key strategic objectives, NIS objectives, noncyber elements, OES, pubcrawl, Regulation, Resiliency, risk management, Scalability, security of data, security risk management, smart city, Standards organizations, supply chain, UK Critical National Infrastructure sectors
Abstract: This research explored how cyber security risks are managed across UK Critical National Infrastructure (CNI) sectors following implementation of the 2018 Networks and Information Security (NIS) legislation. Being in its infancy, there has been limited study into the effectiveness of this national framework for cyber risk management. The analysis of data gathered through interviews with key stakeholders against the NIS objectives indicated a collaborative implementation approach to improve cyber-risk management capabilities in CNI sectors. However, more work is required to bridge the gaps in the NIS framework to ensure holistic security across cyber spaces as well as non-cyber elements: cyber-physical security, cross-sector CNI service security measures, outcome-based regulatory assessments and risks due to connected smart technology implementations alongside legacy systems. This paper proposes ten key recommendations to counter the danger of not meeting the NIS key strategic objectives. In particular, it recommends that the approach to NIS implementation needs further alignment with its objectives, such as bringing a step-change in the cyber-security risk management capabilities of the CNI sectors.
DOI: 10.1109/CyberSecPODS.2019.8884963
Citation Key: shukla_does_2019