Introduction and Purpose of PESTLE
The acronym PESTLE stands for:
P = Political
E = Economic
S = Social
T = Technological
L = Legislation
E = Environmental
The PESTLE analysis provides a method of “understanding risks associated with market […] and the need for a product or service” (CIPD, 2010). The analysis looks at the ‘wider picture’, which is important to consider when determining where the new software application could fit within the marketplace. It also considers how resilient a possible idea is to outside influences that could affect its usage or lifespan.
These topics are used as part of a mind mapping session and cover a broad spectrum of ideas to provoke inspiration and to aid in gathering a wider collection of research materials for the investigation.
PESTLE Mind Map
The PESTLE mind map (Figure 6) is a collection of ideas based on professional experiences, research from the internet and attendance at conferences such as Info Security Europe 2013.
Figure 6 - Mind Map of PESTLE Topics
Political
Cyber security has become an important political topic for governments around the world. Many of the world’s superpowers have set up military commands dedicated to cyber warfare. The internet has been seen to become the “key battlefield in tomorrow’s world”, as nation states now have the “capability to disrupt elements of other nations’ information infrastructure” (Branigan, 2010).
The US raised the stakes in the militarisation of the internet by offensively targeting foreign networks, and is “understood to have already participated in at least one major cyber-attack, the use of the Stuxnet computer worm targeted on Iranian uranium enrichment centrifuges”. The fear is “that large-scale cyber operations could easily escalate into full-scale military conflict” (Greenwald, 2013).
In a recent BBC Radio 4 programme, ‘Under Attack: The Threat from Cyberspace’, cyber-attacks at the state-versus-corporation level were discussed. Such attacks by foreign states against private companies are seen as very one-sided: the capabilities and resources of nation states far exceed those of corporations, even one the size of Google, when it comes to defending against attacks on this scale. The UK Foreign Secretary William Hague stated “Most countries are under attack and certainly many industries and businesses are under attack” (BBC, 2013).
These ideas may seem detached from the general public, but the reach of cybercrime now extends into daily life. In the UK the cost of identity fraud, as measured by CIFAS (the UK’s Fraud Prevention Service), “cost the economy £1.2 billion in one year (Identity Fraud Steering Committee figures, 2008)” (CIFAS, 2013). In the US, 7% of households in 2010 “experienced one or more types of identity theft victimisation” (Bureau of Justice Statistics, 2011).
A 2011 report for ministers on protecting the UK in the digital world states that “the UK Government takes these risks seriously”, rating cyber-attacks “as a ‘Tier 1’ threat”. The report sets out a mission to ensure the UK becomes “one of the most secure places in the world to do business in cyberspace” (UK Cabinet Office, 2011).
Economic
In recent years a number of market manipulation scandals have been uncovered in the financial sector. The latest, in 2012, was the rigging in the UK of the London Inter-bank Offered Rate (‘LIBOR’), which led to the FSA investigating banks and misreported rates. As a result of the FSA findings Barclays was fined £59.5m, and subsequently the “US Department of Justice and the Commodity Futures Trading Commission (CFTC) imposed fines worth £102m and £128m respectively, forcing Barclays to pay a total of around £290m.” The ripples of this scandal are still being felt, with UBS fined a total of £940m by the UK, US and Swiss financial regulators and Deutsche Bank this year setting aside “1bn euros to cover potential litigation” (BBC, 2013).
Social
The increased scrutiny of the financial sector may itself be a product of the global banking crisis of 2008, which has led to austerity measures across Europe and the US (Amadeo, 2013). In a UK poll by Ipsos MORI “the public feel antagonised by the financial services industry”. Trust appears to be at the heart of the issue: “no one is going to believe in the trustworthiness of a company if they hear that areas of its business are acting in an unethical manner, no matter how much lobbying and advertising the company invests in. […] financial services organisations need to display consistent and positive behaviour across all their business units if they expect to create any positive impact on public perception” (Ipsos MORI, 2012).
The economic downturn has also been linked to an increase in insider threats within companies. A report by CIFAS, ‘Staff Fraudscape’, showed increases across a range of measures of dishonest actions by staff. “The theft of customer data from a company for personal use rose by 18% in 2012 and represents – perhaps – the most serious challenge for the future” (CIFAS, 2013).
Technological
IT security has become a more prominent concern as corporations have leveraged the benefits of distributed ‘Cloud’ infrastructures and services. The nature of the Cloud allows companies’ information and software applications to sit outside their internal networks. This creates interesting challenges, as “companies need to be able to view data access logs and audit trails to verify that only authorized users are accessing the data” (Webopedia, 2013). In combination with this, Cloud ‘App Templates’ enable cloud-based services to be deployed within minutes, configuring servers, network resources, application platforms and the associated firewall rules, data replication and access between services (DNS Europe, 2013). The proliferation of servers and data in the Cloud has given rise to the new world of ‘Big Data’. It is important that access controls are put in place to protect companies’ data as they begin to consume and distribute increasing amounts of data from sources across the Internet (Elemental, 2013).
One of the most effective controls in an ever-expanding landscape of access management concerns is ‘least privilege’ access (Carlson, 2013). “The principle of least privilege (POLP) is the practice of limiting access to the minimal level that will allow normal functioning. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs. The principle is also applied to things other than people, including programs and processes” (Rouse, 2008). This reduces the attack surface available to an attacker by limiting both the privilege level of each account and the number of accounts with access to a given system. The control only holds if grants are reviewed as roles change, since accounts otherwise accumulate permissions over time.
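As an added illustration of the two points above (checking an audit trail to verify that only authorised users accessed the data, and assigning the lowest role that still lets a person do their job), the following Python example is not taken from any of the cited sources or from the application under investigation. The roles, the user directory, the log line format and the log lines themselves are all constructed for the example.

```python
"""Least-privilege role selection and audit-trail verification.

Added illustration. The roles, users, log format and log lines below
are constructed for this example and do not come from a real system.
"""
import re
from collections import namedtuple

# Hypothetical roles: each maps to the set of actions it permits.
ROLES = {
    "viewer": {"read"},
    "analyst": {"read", "export"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "export", "delete", "grant"},
}


def least_privilege_role(required, roles=ROLES):
    """Return the role with the fewest permissions that still covers
    every action in `required`, or None if no single role does.
    Choosing the smallest covering role is the principle of least
    privilege applied to role assignment."""
    candidates = [name for name, perms in roles.items() if set(required) <= perms]
    if not candidates:
        return None
    # Ties are broken by name so the result is deterministic.
    return min(candidates, key=lambda name: (len(roles[name]), name))


# Constructed audit-log format:
#   <timestamp> user=<id> action=<verb> object=<path> result=<ok|denied>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<obj>\S+) result=(?P<result>ok|denied)$"
)

Violation = namedtuple("Violation", "ts user action obj reason")


def audit(log_lines, assignments, roles=ROLES):
    """Replay access-log lines against the user->role assignments and
    return a Violation for every line that should not have succeeded:
      - the user is unknown to the directory, or
      - the action succeeded but lies outside the user's role.
    Unparseable lines are reported too: a gap in the audit trail is a
    finding in itself, since the records must be producible."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            findings.append(Violation(None, None, None, None, "unparseable: %r" % line))
            continue
        ts, user, action, obj, result = (
            m.group(k) for k in ("ts", "user", "action", "obj", "result")
        )
        role = assignments.get(user)
        if role is None:
            findings.append(Violation(ts, user, action, obj, "unknown user"))
        elif result == "ok" and action not in roles[role]:
            findings.append(Violation(ts, user, action, obj, "action outside role %r" % role))
        # A 'denied' result means enforcement worked; nothing to report.
    return findings


# Constructed user directory: roles chosen by least privilege.
ASSIGNMENTS = {
    "alice": least_privilege_role({"read", "export"}),  # analyst
    "bob": least_privilege_role({"read", "write"}),     # editor
    "carol": "admin",
}

# Constructed log lines.
SAMPLE_LOG = [
    "2013-07-21T09:00:01Z user=alice action=read object=/data/customers.csv result=ok",
    "2013-07-21T09:00:05Z user=alice action=delete object=/data/customers.csv result=denied",
    "2013-07-21T09:01:10Z user=bob action=export object=/data/customers.csv result=ok",
    "2013-07-21T09:02:00Z user=mallory action=read object=/data/customers.csv result=ok",
    "garbage line",
]

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG, ASSIGNMENTS):
        print(v)
```

Run against the constructed log, the check flags three lines: bob exporting with an editor role (a grant wider than his job needs or a misassignment), an access by a user absent from the directory, and a line the parser cannot read. Alice's denied delete is not a finding, because the control did its job.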
Legislation
By early 2014 the UK Government plans to enact additional regulation of the banks to help “reduce the severity of future financial crises”, with a ‘ring-fence’ around the deposits of people and small businesses to separate the high street from the dealing floor and protect taxpayers when things go wrong (UK Government, 2013). To enforce the new rules the Government has set up the Prudential Regulation Authority (PRA). “The PRA works alongside the Financial Conduct Authority (FCA) creating a ‘twin peaks’ regulatory structure in the UK. The FCA is responsible for promoting effective competition, ensuring that relevant markets function well, and for the conduct regulation of all financial services firms. This includes acting to prevent market abuse and ensuring that consumers get a fair deal from financial firms” (UK Government, 2013).
Environmental
For access management, the environmental concern is energy security: protecting the operations of key power and water utilities that run on Supervisory Control and Data Acquisition (SCADA) systems. This area has come into focus as companies “increasingly utilize commercially off-the-shelf (COTS) software, connect to the enterprise layer and move toward IP connectivity. This has contributed to higher threat levels and increased vulnerability”. Under legislation, utility companies need to be able to provide evidence of access to their systems: “The SCADA records likely will have a critical place amid the scrutiny. The first hurdle facing the company is ensuring that the records can be produced”. The risks to these systems have become noteworthy, with “evidence recovered from al Qaeda suggest[ing] terrorists are interested in our SCADA networks […] in addition, the number of ‘SCADA hacking’ presentations is increasing at security and ‘hacker’ conventions” (Bodungen, et al., 2009). This can be seen in the upcoming Black Hat USA 2013 conference in July advertising a course on “attacking, defending and building SCADA systems” (Blackhat, 2013) and in the Department of Homeland Security’s ongoing ‘Cyber Storm’ exercise series (US Department of Homeland Security, 2013).
References
Amadeo, K., 2013. Austerity Measures. [Online]
Available at: http://useconomy.about.com/od/usdebtanddeficit/a/Austerity-Measures.htm
[Accessed 20 July 2013].
BBC, 2013. Timeline: Libor-fixing scandal. [Online]
Available at: http://www.bbc.co.uk/news/business-18671255
[Accessed 20 July 2013].
BBC, 2013. Under Attack: The Threat from Cyberspace. [Online]
Available at: http://www.bbc.co.uk/programmes/b0367nrt
[Accessed 16 July 2013].
Blackhat, 2013. Attacking, Defending and Building SCADA Systems. [Online]
Available at: http://www.blackhat.com/us-13/training/attacking-defending-and-building-scada-systems.html
[Accessed 21 July 2013].
Bodungen, C., Whitney, J. & Paul, C., 2009. SCADA Security, Compliance, and Liability – A Survival Guide. [Online]
Available at: http://pipelineandgasjournal.com/scada-security-compliance-and-liability-%E2%80%93-survival-guide?page=show
[Accessed 21 July 2013].
Branigan, T., 2010. Chinese army to target cyber war threat. [Online]
Available at: http://www.guardian.co.uk/world/2010/jul/22/chinese-army-cyber-war-department
[Accessed 17 July 2013].
Bureau of Justice Statistics, 2011. Identity Theft Reported by Households, 2005-2010. [Online]
Available at: http://www.cifas.org.uk/is_identity_fraud_serious
[Accessed 20 July 2013].
Carlson, C., 2013. Least privilege is widely understood, less widely used. [Online]
Available at: http://www.fiercecio.com/story/least-privilege-widely-understood-less-widely-used/2013-01-18
[Accessed 21 July 2013].
CIFAS, 2013. Identity Fraud Figures. [Online]
Available at: http://www.cifas.org.uk/is_identity_fraud_serious
[Accessed 20 July 2013].
CIFAS, 2013. Staff Fraudscape. [Online]
Available at: http://www.cifas.org.uk/staff_fraudscape_apr_thirteen
[Accessed 20 July 2013].
CIPD, 2010. PESTLE analysis. [Online]
Available at: http://www.cipd.co.uk/hr-resources/factsheets/pestle-analysis.aspx
[Accessed 22 June 2013].
DNS Europe, 2013. Cloud App Templates. [Online]
Available at: http://www.dnseurope.net/applications/cloud-app-templates
[Accessed 21 July 2013].
Elemental, 2013. Big Data Security. [Online]
Available at: http://www.elementalsecurity.com/bigdata/
[Accessed 21 July 2013].
Gartner, 2012. Magic Quadrant for User Administration and, Stamford: Gartner.
Greenwald, G., 2013. Obama orders US to draw up overseas target list for cyber-attacks. [Online]
Available at: http://www.guardian.co.uk/world/2013/jun/07/obama-china-targets-cyber-overseas
[Accessed 17 July 2013].
Ipsos MORI, 2012. A complete dissolution of confidence: how it’s not just Britain’s banks that are no longer considered trustworthy. [Online]
Available at: http://www.ipsos-mori.com/newsevents/latestnews/newsitemdetail.aspx?oItemId=1258
[Accessed 20 July 2013].
Rouse, M., 2008. Principle of least privilege (POLP). [Online]
Available at: http://searchsecurity.techtarget.com/definition/principle-of-least-privilege-POLP
[Accessed 21 July 2013].
UK Cabinet Office, 2011. The UK Cyber Security Strategy. [Online]
Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf
[Accessed 20 July 2013].
UK Government, 2013. Creating stronger and safer banks. [Online]
Available at: https://www.gov.uk/government/policies/creating-stronger-and-safer-banks
[Accessed 21 July 2013].
US Department of Homeland Security, 2013. Cyber Storm: Securing Cyber Space. [Online]
Available at: http://www.dhs.gov/cyber-storm-securing-cyber-space
[Accessed 21 July 2013].
Webopedia, 2013. Cloud Computing Security Challenges. [Online]
Available at: http://www.webopedia.com/DidYouKnow/Hardware_Software/Security/cloud_computing_user_authentication.html
[Accessed 21 July 2013].