Managing Cyber-Risk: Contracts, Litigation, Acquisitions & Procurement

An analysis of twenty (20) Commercial-Off-The-Shelf (COTS) Technologies was carried out to investigate how they might be applied to minimise the Cyber-Threats associated with 'undefined requirements' in Contracts, Litigation, Acquisitions & Procurement (CLAP). Our analysis concludes that only one (1) COTS Technology (Testimation Technology) is capable of achieving this objective, as demonstrated using four (4) Simplified Examples. One (1) Simplified Example, pertaining to Contracts, demonstrates Cyber-Threat minimisation by precisely & unambiguously specifying the minimum level of Cyber-Confidence to be delivered & the maximum level of Cyber-Risk to be tolerated. Three (3) Simplified Examples, pertaining to Litigation, Acquisitions & Procurement respectively, demonstrate Cyber-Threat minimisation by applying a Decision Assistance Table (DAT) generated by this COTS Technology. All four (4) Simplified Examples demonstrate how Cyber-Risk may be managed using a scientifically formulated tool which has been experimentally verified to Predict & Measure all forms of Cyber-Risk to greater than 98.07% accuracy.


Defining The Problem
To date, no institution (globally) possesses the capability to be aware of its Risk Exposure with respect to Undiscovered Defects (i.e. its Cyber-Risk) within Information Technology (IT) Systems. Undiscovered Defects can be a platform for exploitation by parties of various motivations seeking financial advantage or mischief; e.g. the North Korean government, terrorist groups, organised crime. However, beyond malicious intent exists a more perilous Cyber-Threat: 'undefined requirements'. Commonly, Business Sponsors expect Software Developers to 'somehow know' what these 'undefined requirements' are or should be. Conversely, the Software Development Team (SDT) responsible for building The Solution expects that every requirement has already been captured and authorised, such that all other aspects are deemed Out-of-Scope. From the perspective of the SDT, no 'undefined requirements' exist at the end of the Requirements Gathering Phase (RGP).
Irrespective of best intentions, it is neither practical nor feasible to capture all possible requirements unambiguously, for an exact 'meeting of the minds', in any commercial IT engagement via narratives & documentation (e.g. a contract). People & corporations apply their best endeavours to avoid 'undefined requirements', but it remains virtually impossible to close the gap completely. To circumvent this impasse, statistical techniques have been developed to quantify a necessary outcome precisely; e.g. vaccine efficacy. By defining a necessary outcome with statistical precision, two (or more) parties may engage commercially whilst unanimously agreeing upon deliverables, without the delivery path being relevant to all stakeholders. Because the delivery path becomes irrelevant to some of the parties involved (often the Business Sponsor), many of the consequences associated with 'undefined requirements' vanish; the net effect is to simplify the engagement.
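As an added illustration (not code from the original article, and not Testimation's method), the following Python script shows one standard way a statistically defined ceiling of the kind described above can be made verifiable between two parties: it takes a clause stating a maximum tolerated probability of an Undiscovered Defect and the statistical confidence at which that bound must hold, then evaluates it against the outcome of n independent acceptance tests with k failures using the exact (Clopper-Pearson) one-sided binomial upper bound. The clause values, the test counts and the assumption that Cyber-Confidence is the complement of the defect probability are constructed for this example.

```python
"""Acceptance check for a contractual Cyber-Risk ceiling.

Added example: not code from the original article and not Testimation's
method. It applies the standard one-sided Clopper-Pearson (exact binomial)
upper bound to turn "k failures in n independent acceptance tests" into an
upper limit on the probability that a use case hits an Undiscovered Defect,
and compares that limit with the ceiling stated in a contract clause.
Assumption: Cyber-Confidence is taken as the complement of that probability.
"""
from dataclasses import dataclass
from math import ceil, comb, log


@dataclass(frozen=True)
class RiskClause:
    """Contract clause, as assumed for this example."""
    max_risk: float    # maximum tolerated probability of an Undiscovered Defect per use case
    confidence: float  # statistical confidence at which the ceiling must be shown to hold


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p); exact, using integer binomial coefficients."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_bound(k: int, n: int, confidence: float, tol: float = 1e-10) -> float:
    """One-sided Clopper-Pearson upper limit on p given k failures in n trials.

    Smallest p such that P(X <= k | n, p) <= 1 - confidence, found by bisection
    (the CDF is strictly decreasing in p, so the search is well-defined).
    """
    if n <= 0:
        raise ValueError("need at least one test")
    if k >= n:
        return 1.0  # every test failed: no useful bound
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binom_cdf(k, n, mid) > alpha:
            lo = mid  # p still too small to be rejected by the evidence
        else:
            hi = mid
    return hi


def min_tests_for(clause: RiskClause) -> int:
    """Zero-failure tests needed: (1-p)^n <= 1-c  <=>  n >= ln(1-c) / ln(1-p)."""
    return ceil(log(1.0 - clause.confidence) / log(1.0 - clause.max_risk))


def evaluate(clause: RiskClause, n: int, k: int) -> dict:
    """Evaluate test evidence (n tests, k failures) against the clause."""
    ub = upper_bound(k, n, clause.confidence)
    return {
        "risk_upper_bound": ub,        # demonstrated maximum Cyber-Risk
        "cyber_confidence": 1.0 - ub,  # assumed complement of Cyber-Risk
        "meets_clause": ub <= clause.max_risk,
    }


if __name__ == "__main__":
    # Constructed clause: at most 1% probability of an Undiscovered Defect, shown at 95% confidence.
    clause = RiskClause(max_risk=0.01, confidence=0.95)
    print("zero-failure tests required:", min_tests_for(clause))
    for n, k in [(100, 0), (299, 0), (299, 1)]:
        print(n, "tests,", k, "failures ->", evaluate(clause, n, k))
```

With the constructed clause (1% ceiling at 95% confidence) the script reports that 299 independent zero-failure tests are required, which agrees with the familiar "rule of three" approximation of 3/n; 100 clean tests only demonstrate a ceiling of about 2.95%, and a single failure among 299 tests pushes the bound back above 1%. The point for contract drafting is that once the clause states both the ceiling and the confidence, the evidence needed to discharge it is computable by either party without any agreement on the delivery path.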
One of the most significant requirements often remaining undefined is 'the level of Cyber-Confidence to be delivered'; i.e. the level of Defect-free Confidence to be delivered. Alternatively, this may be described as 'the maximum permissible level of Cyber-Risk'; i.e. the maximum level of Undiscovered Defects to be tolerated. Consequently, three (3)

COTS Technology
The

Other COTS Technology
As with any research endeavour, a thorough literature survey followed by a rigorous literature review is standard practice. However, at the time of writing this article, & in the context of its objective, no useful and/or relevant literature was found or known to exist that specifically deals with the Cyber-Threats associated with 'undefined requirements', despite exhaustive searching. One may be inclined to conclude that an 'undefined requirement' is a synonym for Scope Creep, in which case an abundance of literature exists. However, this is not helpful for our objective, because an 'undefined requirement' may or may not lead to Scope Creep. Even where literature is cited drawing a connection between Scope Creep and 'undefined requirements', it never (to the knowledge of the author) explicitly relates Scope Creep to Cyber-Risk expressed as a statistical probability; e.g. Cyber-Risk = 1% probability of Undiscovered Defects.
• A possible explanation for this is that the commercial nature of our article's objective acts as a deterrent to publication. Corporations may be reluctant to reveal unfavourable information of a commercial nature, & independent authors may be concerned about infringing Intellectual-Property (IP) Laws by revealing Cyber-Risk information which may potentially lead to litigation.
To circumvent this obstruction, we executed a rigorous Commercial-Off-The-Shelf (COTS) Technology review of existing Cyber-Risk Management products available from the following firms:
Consequently, no like-for-like comparison is possible between Testimation COTS Technology & the products from the firms listed above. Moreover, no comparable alternative is known to exist.

Contractual Mechanisms
Thus far, we have demonstrated via Tab