Invitation to Cybersecurity

harms the public good. One way governments address externalities is by imposing fines and legal liability on companies to help correct the imbalance. Several such regulations have been attached to PII and other personal and private data, including educational, health, and financial records, driving up the value of this data to organizations and incentivizing them to invest more resources into protecting it. Understanding these regulations and laws and how they apply is an important part of security governance. Table 5.4 lists some of the major data privacy regulations in the United States.

Table 5.4 Major data privacy regulations in the United States.

Intellectual property (IP) is another type of data that has value. IP is proprietary information that provides a competitive advantage to an organization. Organizations spend a considerable amount of resources to amass their IP and value it highly. For example, a pharmaceutical company may invest millions of dollars in the research and development of experimental drugs. The records and data it compiles are an example of IP. Blueprints for a jet or rocket are another example.

Organizations have other data of value besides IP, including their financial data, emails, and other business records. This data could be an attractive target to business competitors and also to criminals who might try to use it for blackmail or to embarrass an organization in a doxxing attack.

Some organizations, like the United States military and intelligence agencies, store data related to national security. The value of this data is based on the harm it would cause to the United States if it were divulged. This type of data is categorized and protected according to its classification (more on data classification in Chapter 8).

5.3.2 Cyber Threats

We examined cybersecurity threat actors and their attacks at length in Chapters 3 and 4. In this section we take a step back and look at threats from a wider angle before defining cyber threats in terms of cyber risk management. In general, a threat is anything that can cause harm, and threats can be internal or external to an organization. For cybersecurity, this is the difference between insider threats and outside hackers. Both are serious cybersecurity threats.
