A novel concept for Cybersecurity: Institutional Cybersecurity

İbrahim Şişaneci, Osman Akın, Muhammer Karaman, Mehmet Sağlam

Abstract—The broader use of digital technologies in all aspects of our lives and the exponential expansion of cyberspace, along with complex and advanced cyber threats, lead us to reevaluate the cybersecurity concept, which has been treated differently or inadequately in our documents and directives. One of the main issues in this evolving cyberspace is the perception of cybersecurity. Encompassing a wide range of elements from the individual to the government level, the cybersecurity approach has two outstanding dimensions in particular: national and institutional cybersecurity. Complicated, shape-shifting and stretching the imagination, emerging cyber threats have demonstrated that traditional security needs and approaches do not fulfill cybersecurity requirements and can no longer robustly withstand emerging cyber threats. In this study, a novel concept, “Institutional Cybersecurity”, is suggested in place of the information security (InfoSec) processes currently used by institutions.

Index Terms—Institutional Cybersecurity, Cyber risk, Dilemmas and Challenges of Cybersecurity, Evolution of cybersecurity

I. INTRODUCTION

Information technology has become widespread in our lives, ranging from cell phones and computers to more complex systems such as Information Technology (IT) infrastructures, power grids, air traffic management systems, industrial manufacturing, and banking sectors. It seems they will continue on an upward trend in the future. The security of these information technology components will become more important as cyber attacks increase day by day. The more critical infrastructures depend on information systems, the more cyber risks we have to expect.
Previous cyber attacks, in particular the case in Estonia in 2007 [1], have shown that existing vulnerabilities in networks and information systems carry serious risks of damage. In recent years, in addition to traditional cyber attacks, new attack techniques such as advanced persistent threat related attacks, the use of zero-days, rootkit malware, etc. have been used in many incidents aimed at a specific target. Therefore, cyber attacks need to be handled comprehensively due to their lack of attribution and geographical boundaries, low cost, low risk for the attacker, and wide applicability. Hence, technical measures alone are not enough to cope with these kinds of complex cyber threats.

İ. Şişaneci is with the Comp. Eng. Dept., Gebze Institute of Technology, Gebze-Kocaeli, Turkey (e-mail: sisaneci@gyte.edu.tr).
O. Akın is with the Comp. Eng. Dept., Hacettepe University, Ankara, Turkey (e-mail: oakin@hacettepe.edu.tr).
M. Karaman is a Cyber Security Expert (e-mail: muammerkaraman29@gmail.com).
M. Sağlam is with the Comp. Science Dept., Virginia Tech, Virginia, USA (e-mail: msaglam@vt.edu).

Terms such as InfoSec, Information and Communication Technology (ICT) security, cybersecurity, etc. have been used to define different concepts addressing a wide variety of risks. In the traditional perception of cybersecurity, familiar terms such as ICT security, InfoSec, information assurance, cybersecurity and so forth are frequently used. With the dramatic growth in the complexity of malware and computer viruses, institutions could be vulnerable to cyber attacks due to the emerging cyber risks. Therefore, from now on emerging cyber risks should be thoroughly reassessed and scrutinized in a new sense of cybersecurity awareness.
However, advanced, multi-dimensional and complex cyber attacks necessitate and implicitly bring forth other definitions and concepts such as National Cybersecurity, Individual and Corporate Information Security, Cybersecurity Awareness (c-saw) and so on.

In this study, the evolution of cybersecurity is reviewed and the need for a new cybersecurity concept is emphasized. In addition, a new concept to provide institution-level cybersecurity is proposed. The term “institution” is used for public and private sector companies that have critical services and infrastructures under potential cyber risks. This new concept enables us to understand cyber risks better than traditional approaches and basically contains the cybersecurity challenges, components and main principles at the institutional level.

The organization of this study is as follows. In Section 2, we briefly define crucial terms such as InfoSec, cyberspace and cyber threats. In Section 3, we briefly review the InfoSec approach and the evolution of cybersecurity, with special emphasis on its challenges and dilemmas. Next, in Section 4, we propose a concept, “Institutional Cybersecurity”, in particular the main features and principles of Institutional Cybersecurity, the top-down approach, and the components of institutional cybersecurity. Finally, the conclusions and future work are presented in Section 5.

II. CYBER ENVIRONMENT & SECURITY TERMS

The cyber environment and common cybersecurity terms are briefly stated in this section in order to clearly understand the variety of understandings in the literature.

A. Cyber Environment

Cyberspace

Cyberspace is defined as “the notional environment in which communication over computer networks occurs.” or “A global domain within the information environment consisting