Japan needs Guidelines to Indicate Degree of Negligence in Cyber Attacks NEW!

The damages caused by cyber attacks extends not only to your company but also to your business partners. Unclearness of approximate of liability for compensation or degree of negligence creates unnecessary anxiety and fear among businesses. To resolve such situation, this recommendation report shows collaborative approach based on “Otagaisama Spirit” (reciprocity spirit) in which, if both parties have taken reasonable measures based on clear guidelines, they will share the burden of damages. It is strongly expected that a sense of security that company’s efforts to implement countermeasures are duly evaluated will be provided and that momentum of ambitious companies to come together and take on the crime of cyber attacks will be fostered. This report discusses the creation of guidelines regarding degree of negligence in cyber attacks which is useful in building strong business relationships based on trust between such sincere companies.

Download PDF

The History of Japan's Cybersecurity Policy Vol.8 
Cybersecurity for Critical Infrastructure
On-sites of Rail Transport Security toward the Tokyo Olympics and Paralympics NEW!

Dr. Misumi, a former goverment official in charge of cybersecurity, talks with Mr. Tomomichi Ota who served as Chief Information Security Officer (CISO) at East Japan Railway Company (JR East) from June 2018 to June 2021. As Japan worked to ensure cybersecurity in preparation for the Tokyo Olympics and Paralympics as a whole country, what risks did JR East antisipate, what efforts did it make, and what challenges did it overcome? Mr. Ota talks about various initiatives of the head office of JR East, the world's leading railway operators which oversees over 70 group companies engaged in a wide range of businesses.

Download PDF

The History of Japan's Cybersecurity Policy Vol.7 (1/2)
Policies that Everyone Can Embrace as Their Own Affairs
-　Pick Up Voices On-Site to Increase Effectiveness -

Dr. Misumi, a former goverment official in charge of cybersecurity, talks with Mr Tomoo Yamauchi of MIC who has worked for NISC for 9 years in total from 2011 to 2022 to clarify the government initiatives on policy plannings and implmentations in the field of cybersecurity. With leading the formulation of 3 important policies for critical infrastructures protection, the amendment of the Basic Act on Cybersecurity, and the compilation of the Cybersecurity Strategy, how did NISC view and try to resolve the cybersecurity issues faced Japan's economy and society ? In addition,what measures were taken behind the scenes to make the Tokyo 2020 Olympic and Paralympic Games end peacefully and what is their legacy? In the first part, Mr Yamauchi talks about the background of the formulation of The Basic Policy of Critical Infrastructure Protection, and its aims and meanings.

Download PDF

The History of Japan's Cybersecurity Policy Vol.7 (2/2)
Policies that Everyone Can Embrace as Their Own Affairs
-　Behind the Scenes and Legacy of Cybersecurity Measures for
TOKYO 2020 Olympic and Paralympic Games -

Following the first part, Mr Tomoo Yamauchi, Director-General for Cybersecurity (former Deputy Director-General of NISC), talks about the Tokyo 2020 Olympic and Paralympic Games (Tokyo 2020). How did NISC take initiatives for the preparation and during the event? What is the legacy of Tokyo 2020?

Download PDF

The History of Japan's Cyber/Information Security
Policies (Critical Infrastructures)
A Few Viewpoints to Formulate Future Cybersecurity Policy
with regard to Critical Infrastructure -

Cybersecurity policy has has close relationship with the policies in the field of national security policy regarding critical infrastructure, etc. However, it is not necessarily appropriate to view cybersecurity policy primarily from the perspective of national security policy, and vice versa. In this report, Dr Misumi provides an overview of changes in policies in the field of cybersecurity, targeting those with regard to critical infrastructure, and extracts points that have been emphasized in promoting policy, and then analyzes the relationship with national security policy. Moreover, this report aims to show basic idea when formulating cybersecurity policy with regard to critical infrastructure and to show some viewpoints to be considered in relation to national security policy when formulating and implementing future cybersecurity policy.

Download PDF

An integrated risk analysis framework that bridges AI and security

This report systematically organizes the relationship between AI and security using information security risk assessment methodology. It introduces a framework for examining risk scenarios considering the impact of AI on threats, vulnerabilities, and assets. The report categorizes threats, provides examples of AI security risk scenarios, and offers response strategies for each scenario type. It concludes with recommendations to re-examine AI security within the risk framework, take appropriate measures distinguishing between new and conventional areas, and develop dual-major human resources in AI and security from a medium-to-long-term perspective, emphasizing the importance of sharing the overall picture of AI security between experts.

Download PDF

The History of Japan's Cybersecurity Policy Vol.6
"Protection of Critical Infrastructures at the Dawn of
Cybersecurity Policies"

This time, Dr. Misumi talks with Mr. Joji Tateishi who served as Counselor in charge of protecting critical infrastructure at the time of establishment of National Information Security Center (NISC).
"Japan is a country with a 'culture of shame' and people do not tend to share one's shame with others. Also, we need to be careful that Japanese people are unwilling to take action unless something happens, though it is sad to admit that".
What were the Japan's challenges Mr. Tateishi became aware of as he strived for policy making at a time when Japan's economy and society has not experienced big-scale cyber incidents so that security awareness was not cultivated.

Download PDF

The History of Japan's Cybersecurity Policy Vol.5
"Action Plan on Cybersecurity for Critical Infrastructures"
that Guarantees Results

Dr. Misumi talks with Mr. Norihisa Yuki who served as Counselor in charge of protecting critical infrastructure at NISC. In an era where cybersecurity issues are directly linked to social safety and threats are becoming more sophisticated, what efforts are necessary for the security of critical infrastracture that requires constant service? What kind of mindsets were behind of ”Action Plan on Cybersecurity for Critical Infrastractures" which encompassed new appeals such as management responsibility or strengthening of failure reponse systems?

Download PDF

The History of Japan's Cyber/Information Security Policies:
Organization and Strategy Edition

In July 2022, JCIC launched a series of interviews on the history of Japan's cybersecurity policy. The National Security Strategy approved in December 2022 showed policies such as the introduction of active cyber defense and the developmental reorganization of NISC so as to establish a new organization to centrally and comprehensively coordinate policies on cybersecurity. With the aim of contributing policy consideration, Professor Ikuo Misumi of Tokai University, the interviewee of JCIC's series, overviews Japan's strategies so far on cyber/ information security and the organizations which have formulated and promoted those strategies.

Download PDF

The History of Japan's Cybersecurity Policy Vol.4
Building a Foundation of Japan's Cybersecurity Policy
～Overcoming Infallibility～

Dr. Misumi talks with Mr. Keiichiro Seki who served as Counsellor of the Cabinet Secretariat at NISC. They look back on the days that some concepts or efforts such as "risk predicated society", security by design, risk countermeasures for supply chain, or GSOC were considered as policy menu. What thoughts and discussions existed and what were overcome?

Download PDF

Agile Risk Management for Enterprises to
Navigate the Tide of Generative AI

Generative AI is a technology with great potential, and we are at a point where its potential is about to be realized. Because of its power, discussions are being exchanged from various perspectives about active use, information on new services, cautious theory and preventive regulations. Each company is confronted with the proposition "how to deal with generative AI" and must decide a better policy in the flood of information.
This paper proposes a framework for organizing and analyzing information on generative AI that is updated daily from the perspective of enterprise risk. Based on the concept of agile governance, which is suitable for risk management of rapidly changing targets, we presented a method for implementing adaptive management after organizing the overall picture of generated AI risks. The intended readers are mainly corporate risk managers (CRO, company-wide risk management) and digital risk managers (CTO, CIO, CISO, etc.), but we hope that it will be used by a wide range of people related to the use of generative AI.
We hope that the contents of this report will help various companies face the risks of generative AI and take on the challenge of drawing out its potential.

Download PDF

China as a Target of Cyber Attacks

Chinese cybersecurity vendors claim in their annual reports that ‘China is one of the main victims of APT attacks'.
This paper aims to understand trends in cyberspace and what problems China is facing from aerial perspective by reading through the publically available Chinese resources which stand in opposite views (‘China as a taget of foreign APT groups’) to Nothern-American cybersecurity vendors.

Download PDF

The History of Japan's Cybersecurity Policy Vol.3
Policy Making at the Dawn of the Japan's Information Security
- Participating the Start-up of NISC -

Dr Misumi talks with Mr Masahiko Kobayashi who served as director at the time of establishment of NISC, the National Information Security Center. NISC was established in 2005, at a time when the understanding of information security increased in various countries, but in Japan, the conditions of a comprehensive information security policy promotion system were not sufficient. Under such environment, how was the new organization aiming to ensure information security born, and with what philosophy did strategies and rules come into being?

Download PDF

The History of Japan’s Cybersecurity Policy Vol.2
Building a Crisis Management System in Turbulent Times

Dr Ikuo Misumi, a well-known expert on cybersecurity policy, digs into a series of Japan's cybersecurity policies. As the volume two, Dr Misumi talks with Mr Tetsuya Yoshikawa, former assistant chief cabinet secretary (in charge of security and crisis management) / former director general of the National center of Incident readiness and Strategy for Cybersecurity (NISC), who formulated the "Information Security Strategy for Protecting the Nation" and promoted the construction of an initial response system and the development of an information aggregation system for large-scale cyber attacks, etc.

Download PDF

The History of Japan's Cybersecurity Policy
Determination of the Japanese Government to Achieve
"Cybersecurity Strategy" with No One Left Behind

Dr Ikuo Misumi, a well-known expert on cybersecurity policy, digs into a series of Japan's cybersecurity policies. As the kickoff, Dr Misumi talks with Mr Tetsushi Yoshikawa, Deputy Director-General of Japan's National Center of Incident Readiness and Strategy for Cybersecurity (NISC) who is the key person of the latest cybersecurity strategy of Japan.

Download PDF

Set Internal Security Resources at 0.5% or More

A DX with Security strategy is essential to promote DX, to increase companies’ productivity and efficiency, and to avoid financial loss. In order to develop and implement your DX with Security strategy, JCIC recommends you follow the approach below ;
● Visualize risks using a cyber-risk estimation model
● Develop a DX with Security strategy
　- Use a framework to explain the strategy as a story
　- Security investment should be 0.5% or more of consolidated sales revenue
　- Security personnel should be 0.5% or more of the total number of employees
● Set security key performance indicators (KPIs) and monitor them regularly

・Probable Maximum Loss” cyber-risk estimation model（Excel）

Download PDF

Realizing DX with Security through
"Proactive Plus Security Human Resources"

The "plus security human resources (person with security knowledge)" is a new concept proposed by JCIC. Now, the necessity of this concept has been recognized, and measures and policies for "plus security" are beginning to be discussed in many places. In addition to the necessity of "plus security human resources development," this report delves into the promotion of the visualization of security human resources and stresses the necessity of this. In order to become a competitive company by realizing DX with Security, which is an aggressive IT investment that takes safety into account in order to achieve a safe and secure society, it is essential to have a new way of thinking, "proactive security," which is not only the traditional realization of defense through regulations and prohibitions, but also a promoter of acceleration.

Download PDF

Rebalancing convenience and security to contend with 2025

Due to the unexpected advent of COVID-19, many companies and organizations had their workers begin working remotely. As a result, the balance between convenience and security was lost. When JCIC conducted interviews and literature surveys to investigate company trends, it discovered great variation in the ways companies thought about convenience and security control. Each company can be classified as one of four types.

Download PDF

Offensive Plus Security Human Resources

This report illustrates the necessity of "Offensive Plus Security Human Resources " in the DX era. Offensive Plus Security Human Resources (people who know about information security in addition to their digital innovation work) are required rather than deffensive security human resources.

Download PDF

Corporate Cybersecurity Disclosure Report

Through panel discussion, professional interviews and research, JCIC summarized the key points of corporate cybersecurity disclosure. JCIC concluded that managements' attitude of dealing with cybersecurity is important to disclose. (Only available for Japanese version)

Download PDF

Cybersecurity KPI Model

This report illustrates “Cybersecurity KPI Model” as our original model to visualize cybersecurity. Cybersecurity KPI Model is able to identify organization's KPIs according to their maturity level and to objectively evaluate performance and to reduce the potential financial impact.
・An Example of Cybersecurity KPIs (Japanese) （PDF）

Download PDF

Shortfall of Human Resources and its Solutions:
Plus (+) Security Human Resources

This report illustrated that the often claimed shortage of human resources in the area of information security is not one of security specialists but rather plus security human resources (people who know about information security in addition to their primary tasks).

Download PDF

Quantifying Cyber Risk Survey

According to our survey, the stock value index declined by an average of 10% from the day on which a data breach was disclosed, and the companies experienced an average decrease of 21% in net profit. Japanese companies should discuss cyber risks as part of their corporate governance.
- Cyber-risk estimation model "Probable Maximum Loss"（Excel）

Download PDF

Cybersecurity Information Sharing Survey

Major countries of the world are encouraging the sharing of information on cybersecurity by enacting national cybersecurity laws and regulations. Japan should maintain a close watch on the status of these countries to see whether these laws and regulations enhance their cybersecurity levels and whether public-private partnerships are being conducted in a successful manner.

Download PDF

Cyber Ecosystem in UK (UK Survey Report)

In May 2024, JCIC's senior fellow Hida visited UK as a member of Japanese study team on UK's cyber ecosystem invited by the Innovate UK, an organization which belongs to the UK Research and Innovation ( a national funding agency) . In this column, Hida will explain the UK's innovation initiatives and introduce examples of the government's support for start-up companies.

Download PDF

The People's Republic of China (PRC or China) tends to exercise
more control over data within the territory of the PRC

For China, data are resources, which subject to be protected by the country. Therefore, it is an important matter which should be placed at the center of national policies in order to protect sovereignty in cyberspace, public interest, and national security.
This paper aims to learn about China's digital, information and cybersecurity policies, then to understand its current trends and security perspectives.
The paper hopes to bring new insights to readers who are involved in overseas business, including in PRC, or who are interested in PRC's policies and cybersecurity situation.

Download PDF

Why Information Security is Imperative for DX Promotion

This commentary introduces the practice which convinced the author of the importance of information security for DX promotion when he was responsible for security export licensing at METI. Based on the author’s administrative career, this commentary illustrates that DX will be more efficient and effective if information security is considered as an imperative part of DX from the very beginning of planning.

Download PDF

Why Financial Sector use “KRIs” for cyber risk management?

Through our interviews and surveys, we found that some financial sectors use KRIs (Key Risk Indicators) to visualize their cyber risks. This commentary illustrates the benefits of KRIs for cyber risk management.
・An Example of Cybersecurity KRIs (Japanese) （PDF）

Download PDF

Outlook of the Overseas' Law and Regulation in 2019

Policy trends of cybersecurity and privacy protection. This column was written by Kenji Uesugi, Senior fellow of JCIC.

Column

Predicting the Unpredictable Direction of the Trump Administration 2.0 NEW!

JCIC's Senior Research Fellow Tsuneo Watanabe, an outstanding expert on foreign and security policy, Japan-US relations and US policy analysis, this time talks about the direction of Trump Administration 2.0.

Column

The benefits of mandatory cybersecurity disclosure NEW!

In December 2023, the SEC mandated the disclosure of cyber risk management in annual reports. A similar requirement in Japan could enhance shareholder protection and raise executive awareness. This column describes the importance of standardizing cybersecurity information in the annual reports to provide valuable insights for shareholders.

Column

Quality, Safety, and Cybersecurity

In order to raise cybersecurity awareness throughout the company, why not learn from the quality and safety initiatives that Japanese companies have been implemented by Japanese companies? Here, we will look at ways to ensure that employees are aware of cybersecurity by following the example of the 5S movement in companies.

Column

When Cybersecurity Itself Becomes Infrastructure :
"Target-Rich, Resource-Poor" and "Cyber Poverty Line"

In an era where daily life cannnot be carried out without digital, cybersecurity is an infrastructure in itself. Based on the open letter titled "Prioritaize Community Cybersecurity" which UC Berkley's Long-term Cybersecurity Center and others issued right before the presidential election day, JCIC introduces the concepts of "target-rich, resource-poor" and "cyber poverty line", and discusses the need to care for cybersecurity of "small but essential organizations for people's daily lives" which could be overlooked by the mindset centered on national security. 

Column

Information Fragmentation among Americans and Its Impact on
Democracy Seen in the US Presidential Election

With the presidentail election just around the corner, JCIC Senior Research Fellow Tsuneo Watanabe,  a sought-after media expert on foreign and security policy, Japan-US relations and US policy analysis, talks about divisions in American society and democracy 

Column

Global Cybersecurity and Privacy Trends (FY2023)

JCIC analyzed 168 newsclips distributed in FY2023 and add some comments to the articles that may influence future trends.

Column

The security clearance system "starts with you, Parliament"

Discussion on the security clearance system is progressing in the Diet. This system is necessary for the protection and utilization of intelligence, however, while civil servants are subject to due diligence under the Act on the Protection of Specially Designated Secrets, and certain private citizens are subject to due diligence under this bill, senior government officials will not be applicable. JCIC consider how politicians should properly be evaluated with refering the situations in other countries.

Column

Global Cybersecurity and Privacy Trends (2nd Half of FY2022)

JCIC analyzed 143 newsclips distributed in the 2nd half of FY2022 and add some comments to the articles that may influence future trends.

Column

From the ambiguity between cybersecurity and information security

What is the difference between cybersecurity and information security? It is not much of an issue to operate them as generally the same. It is acceptable to say that some cybersecurity measures are equal to information security measures, and the reverse is true as well. However, the words are different because there are differences. If you are engaged in this field, you must be interested in the differences. This column discusses the relationship between the two, using the definitions in The Basic Act on Cybersecurity. In the course of the discussion, the history of NISC and the backstory of information security and cybersecurity policy in Japan will be touched upon.

Column

Global Cybersecurity and Privacy Trends (1st Half of FY2022)

JCIC analyzed 137 newsclips distributed in the 1st half of FY2022 and add some comments to the articles that may influence future trends.

Column

How to decipher Harvard Belfer Center’s Cyber Power Index 2022

Belfer Center for Science and International Affairs of Harvard Kennedy School released National Cyber Power Index 2022. Japan stepped down from 9th of the year 2020 to 16th. How to decipher this result? Does Japan need to take it seriously?

Column

SMEs Cybersecurity

Large companies need to address cyber risks within their own companies while also looking at risks across their supply chains. However, it is difficult for SMEs , which are the members of supply chain, to invest sufficient funds to develop specialized functions and facilities for digital and security. This column discusses to promote cybersecurity measures for SMEs.

Column

The Real Part of Cybersecurity Countermeasures:
Toward the Improvement of Resilience

JCIC has been advocating the strengthening of cybersecurity measures from management perspective, and has been researching the role of management, HR development & utilization including proactive plus security human resources, and DX with security because of direct linkage between cybersecurity and business. We will continue to research these themes with a particular focus on the strengthening of cybersecurity countermeasures. JCIC will work toward " the improvement of resilience".

Column

Global Cybersecurity and Privacy Trends (2nd Half of FY2021)

JCIC analyzed 139 newsclips distributed in the 2nd half of FY2021 and add some comments to the articles that may influence future trends.

Column

The Way of Communication of CEOs and Lawmakers at
the Review of a Cyber Attack with Serious Impacts on the Society

When the society is severely affected by a serious cybersecurity attack against a private entity, what does the CEO state and what do lawmakers intend to ask when reviewing? A serious ransomware attack which targeted Colonial Pipeline Company in May, 2021 caused serious damage to the East Coast of the U.S. in terms of fuel provision. We examine the communication between CEO of Colonial Pipeline and lawmakers through the hearing at the Congress in June 2021.

Column

Global Cybersecurity and Privacy Trends (1st Half of FY2021)

JCIC analyzed 142 newsclips distributed in the 1st half of FY2021 and add some comments to the articles that may influence future trends.

Column

What Country’s Top Leader Talks about Cybersecurity ①U.S.
～A Cyber Attack on U.S. Critical Infrastructure Gave
a Boost to President Biden～

Leader’s attitude, whether a company or a country, is always the key factor for tackling challenges. JCIC tries to find what countries’ top leaders think about cybersecurity through their real messages. Messages by the President Joseph Biden of the United States of America will be firstly examined to explore his thoughts on cybersecurity.

Column

Why we talk about "DX with Security" now

The main theme of this column is "DX with Security". This column was written by Toshinori Kajiura, President of JCIC.

Column

The Inforgraphics of China's Internet Development Trend in 2020

In order to deepen our understanding of the recent developments and trends in the internet in China, Of the following two reports, one prepared by the China Internet Network Information Center (CNNIC), an organization directly under the jurisdiction of China's State Council (CAC), and the other prepared by China's CSIRT, which was established in 2001,JCIC exctracted information that may be of particular interest to Japanese companies in this document.
- "The 47th Statistical Report on China's Internet Development" (reported by CNNIC)
- "Internet security in China Monitoring Data Analysis Report in the first half of 2020" (reported by CN CERT/CC)

Column

Global Cybersecurity and Privacy Trends

JCIC analyzed 184 newsclip distributed in FY2020 and add some comments to the articles that may influence future trends.

Column

China Personal Information Protection Law (PIPL)

The main theme of this column is the China Personal Information Protection Law (PIPL) and impact on Japanese Businesses.

Column

Cybersecurity ; Lesson learned from COVID-19

Cybersecurity has something in common with coronavirus (COVID-19). This column illustrates lesson learned from COVID-19, written by Toshihiro Hirayama, Senior fellow of JCIC.

Column

What is required for cybersecurity disclosure

In this column, reviewing the discussion about the visualization of cybersecurity countermeasures in Japan, and summarizing the way of thinking of information security / cybersecurity disclosure. This column was written by Yumi Aoki, Senior fellow of JCIC.

Column

OECD Digital Security

This column aim to summarize OECD Digital Security policy.

Column

5G Cyber Risks

The main theme of this column is the cyber risks related to 5G technology. This column was written by Toshinori Kajiura, President of JCIC.

Column

Digital utilization of medical industry and cybersecurity

Describing digital utilization of medical industry and cybersecurity This column was written by Toshinori Kajiura, President of JCIC.

Column

COVID-19 Data Privacy

The main theme of this column is COVID-19 Data Privacy policy trend.

Column

Cybersecurity Information Sharing

Japan should learn from the U.S. Cybersecurity Information Sharing Act (CISA) to improve cybersecurity information sharing. This column was written by Kenji Uesugi, Senior fellow of JCIC.

Column

Supplychain Cyber-risk Guidelines

Describing about Supplychain Cyber-risk Guidelines. This column was written by Yumi Aoki, Senior fellow of JCIC.

Column

Critical Infrastructure Protection

The main theme of this column is the global policy trends of critical infrastructure protection against cyber attacks. This column was written by Yumi Aoki, Senior fellow of JCIC.

Column

South Korea's Cybersecurity Strategy

What should Japan learn from South Korea's Cybersecurity Strategy? It is very useful to understand it in the geopolitical point of view. This column was written by Kenji Uesugi, Senior fellow of JCIC.

Column

Investment in Risk Management

The main theme of this column is the challenge of investment in risk management. This column was written by Toshinori Kajiura, President of JCIC.

Column

Transformation to become the major industry

Describing the human development of cybersecurity industry. This column was written by Toshihiro Hirayama, Senior fellow of JCIC.

Column

A paradox of the risk management

Describing a paradox of the cyber risk management. This column was written by Toshinori Kajiura, President of JCIC.

Column