Cyber and Information Security 131

Module - III: Cyberspace and the Law and Cyber Forensics

Learning Objectives:
At the end of this module, you will be able to understand:

●● Security Engineering and Its Importance
●● Cyber Threat Management
●● Importance of Cyber Threat Management
●● Threat Management Challenges
●● Risk Assessment, Risk Management and Procedure and Guidelines
●● Cyberspace
●● Cyber Laws and Its Advantages
●● Cyber Lawyers
●● Jurisdiction and Sovereignty
●● The IT Act of India 2000
●● Intellectual Property
●● Intellectual Property Right and Implications
●● Ownership and Enforcement of IPR
●● Defenses for Infringement
●● Copyright Objective and Transfer of Copyright
●● Practical Aspect of Licensing

Introduction
Users can share information, socialise, exchange ideas, play games, participate in
conversations or social forums, do business, and create intuitive media in cyberspace,
among other things.

William Gibson coined the word “cyberspace” in his novel Neuromancer, published
in 1984. In subsequent years, Gibson criticised the term, calling it “evocative but
essentially meaningless.” Nonetheless, the phrase is still extensively used to designate
any Internet-connected service or function. The phrase is used to describe a variety of
virtual interfaces that are used to create digital realities.

The use of the worldwide Internet for a variety of reasons, ranging from commerce
to entertainment, is one way to talk about cyberspace. We observe the existence of
cyberspace wherever stakeholders set up virtual meeting rooms. You could say
that wherever the Internet is used, a cyberspace is created. The widespread usage
of both desktop computers and smartphones to access the Internet indicates that
cyberspace is expanding in a practical (if somewhat theoretical) sense.

Amity Directorate of Distance & Online Education


Online gaming platforms, which are marketed as large online player ecosystems,
are another outstanding illustration of cyberspace. These enormous groups of people
who play together build their own cyberspace worlds that exist solely in the digital
domain and not in the actual world, dubbed “meatspace” by some.

Consider what happens when thousands of people who might previously have
convened in physical rooms to play a game instead do so by individually peering into a
device from a faraway location. In a sense, game operators are bringing interior design
to cyberspace by dressing up the interface to make it pleasant and engaging.

Indeed, gaming, like streaming video, exemplifies what our societies have
mostly chosen to do with the internet in general. Many IT experts and specialists, such
as F. Randall Farmer and Chip Morningstar, believe that cyberspace has grown in
popularity as a medium for social connection rather than technological execution and
implementation. This elucidates how societies opted to construct cyberspace.

Computer forensics is the use of investigation and analytical techniques to collect
and preserve evidence from a specific computing device in a way that may be
presented in court. The purpose of computer forensics is to conduct a structured investigation
and maintain a recorded chain of evidence to determine exactly what happened on a
computing device and who was accountable.

Data recovery with legal compliance criteria to make the material admissible in
judicial processes is essentially what computer forensics — also known as computer
forensic science — is all about. Computer forensics is often referred to as “digital
forensics” or “cyber forensics.”

The collection of information in a secure manner is the first step in digital forensics.
The data or system is next examined to see if it was altered, how it was altered, and
who made the changes. Computer forensics isn’t always used in connection with a
crime. The forensic method is also used to collect data from a crashed server, failed
drive, reformatted operating system (OS), or other situation when a system has
unexpectedly stopped working.

3.1 Security Management and Risk Management


Risk management is establishing itself as a discipline with its own body
of knowledge and practitioners. Nation-states increasingly have their own risk
management standards, and it is the job of senior executives in many of these
countries to ensure that reasonable risk management policies meet internal and
external compliance requirements. Security risk management is a subdomain of risk
management that differs from more generic approaches to risk management. Many of
these generic risk management models are missing critical concepts and processes
that are required for effective security risk design, application, and mitigation.

3.1.1 Security Engineering


Cybersecurity engineers, also known as information security engineers, detect
risks and weaknesses in systems and software, then develop and implement high-tech
solutions to protect against hacking, malware and ransomware, insider threats, and
other forms of cybercrime.

The goal of security engineering is to create systems that are dependable in
the face of malice, error, or misfortune. It focuses on the tools, procedures, and
methodologies required to design, construct, and test full systems, as well as to modify
existing systems as their environment changes.

Security engineering necessitates a wide range of skills, from cryptography and
computer security to hardware tamper-resistance and economics, applied psychology,
organisational behaviour, and the law. System engineering skills are also crucial,
ranging from business process analysis to software engineering to evaluation and
testing; yet, they are insufficient because they only deal with error and mischance
rather than malice. Like a chess player, the security engineer must be able to think in an
adversarial manner; you must have studied many successful attacks in the past, from
their beginnings to their conclusion.

There are important assurance needs for many systems. Their failure could
endanger human life and the environment (as with nuclear safety and control systems),
cause significant damage to major economic infrastructure (cash machines and online
payment systems), jeopardise personal privacy (medical record systems), jeopardise
the viability of entire business sectors (prepayment utility meters), and make crime
easier (burglar and car alarms). As we integrate software into everything, security and
safety are becoming increasingly linked. Even the notion that a system is more fragile
or unreliable than it actually is has social consequences.

According to popular belief, software engineering ensures that certain things
happen (“John can read this file”), whereas security ensures that they don’t (“The
Chinese government can’t read this file”). The truth is far more complicated. The
security requirements for each system differ significantly. User authentication,
transaction integrity and accountability, fault tolerance, message secrecy, and
covertness are all common requirements. Many systems, on the other hand, fail
because their creators safeguard the wrong things, or the correct things in the wrong
way.

Good security engineering necessitates the coordination of four factors. There’s
policy, which outlines what you’re expected to accomplish. There’s a mechanism: the
ciphers, access controls, hardware tamper-resistance, and other gear you put together
to put the policy into effect. There’s assurance: the level of trust you can put in any
individual mechanism. Finally, there’s motivation: the motivation for those defending and
maintaining the system to do their jobs well, as well as the motivation for attackers to try
to circumvent your policies.

Goals of Security Engineering:


●● Understand Security Risks
●● Establish Security Needs
●● Develop Security Guidance
●● Determine Acceptable Risks
●● Establish Assurance

Security Engineering concentrates on the security aspects of system construction
so that they can withstand losses caused by a variety of events, from natural disasters
to malicious attacks. Security Engineering’s major goal is to not only meet pre-defined
functional and user requirements, but also to avoid system misuse and harmful activity.
One of a system’s quality elements is security, which refers to the system’s ability to
protect itself against both unintentional and malicious external attacks. It’s a critical
issue since system networking has grown, and external attacks on the system via the
internet are a possibility. The security component ensures that the system is available,
secure, and dependable. When a system is networked, its dependability and safety
considerations become increasingly unreliable.

According to the 2019 Cost of a Data Breach Report, firms can save an average
of $1.2 million by detecting breaches early. Organizations are trying to keep up
with the steady increase in the number of threats and the complexity of the attacks.
Threat management is more critical than ever for organisations because it improves
collaboration across people, processes, and technology, giving them the best
chance to spot risks earlier and respond faster.

Those who successfully adopt and apply the threat management paradigm
generally get the following benefits:

●● Reduced risk through faster threat detection, consistent investigations, and
faster response.
●● Built-in process measurement and reporting to ensure continuous improvement.
●● Increased effectiveness and morale of the security team.

Why do we need Security Engineering

Threats can inflict damage on any system. Threats hinder the system from
providing normal service to the user in a reasonable amount of time, or possibly from
providing services at all. Software faults, human errors, and hardware errors are all
examples of inadvertent threats. Intentional threats are malicious incursions. Calamitous
threats include natural events such as thunderstorms, floods, earthquakes, lightning, or
power outages.

Security risk management


●● Vulnerability avoidance: The system is built in such a way that vulnerabilities are
not possible. If there isn’t a network, for example, an external attack isn’t possible.
●● Detection and removal of attacks: The system is designed to identify and remove
attacks before they cause any data or programme exposure, similar to how virus
checkers detect and remove viruses before they infect the system.
●● Exposure limitation: The system is set up in such a way that the negative
implications of a successful attack are kept to a minimum. A backup policy, for
example, allows for the restoration of corrupted data.

Damage caused due to insecurity


●● Programming and data corruption: Unauthorized users may alter the system’s
programmes or data.
●● Unavailability of service: The system has been harmed, and typical services
are no longer available.
●● Information controlled by the system may be disclosed to those who are not
authorised to read or use the information.

System survivability

The ability of a system to continue completing demanding activities on time
even if a few parts of it are affected by malicious attacks or accidents is known as
system survivability. Reliability, dependability, fault tolerance, verification, testing, and
information system security are all aspects of system survivability. Let’s take a look at a few
of these elements.

●● Adaptability: Even if the system is attacked by a threat, it should be able to adjust
to the threat while continuing to provide service to the user. Furthermore, the end-
user should not decrease network performance.
●● Availability: The extent to which software can continue to function in the event of a
system failure.
●● Time: Services should be delivered to the user within the timeframe that the user
has specified.
●● Connectivity: When all nodes and linkages are available, a system’s performance
is measured.
●● Accuracy: This refers to the degree to which all software functionalities are stated
without ambiguity or misinterpretation.
●● Software dependency: The extent to which hardware is independent of the
software environment.
●● Hardware reliance: The degree to which software is unaffected by hardware
conditions.
●● Fault tolerance: The extent to which software will continue to function in the event
of a system failure that causes user harm, as well as the extent to which software
incorporates recovery functions.
●● Fairness: This refers to the network system’s capacity to arrange and route data
without fail.
●● Interoperability: This refers to the ease with which software can be linked to and
operated by other systems.
●● Performance: Quality aspects such as efficiency, integrity, reliability, and usability are all
considered in performance. Speed and throughput are two sub-factors to consider.
●● Predictability: This refers to a system’s ability to deliver countermeasures to
system failures in the face of a danger.
●● Modifiability: This refers to the amount of work necessary to make changes to the
software’s functionalities in order to improve their efficiency.
●● Safety: This refers to the system’s ability to avoid causing harm to the network or
personnel systems.
●● Recoverability: This refers to the system’s ability to recover from an accident and
resume normal operations on time.
●● Verifiability: This refers to the time and effort required to validate the software’s
specified functionality and performance.
●● Security: This refers to the software’s ability to identify and prevent data leaks, data
loss, and malicious use, as well as any type of destruction.
●● Testability: This refers to the amount of time and effort required to test the
software.
●● Reusability: This refers to the software’s ability to be reused in various
applications.
●● Restorability: This refers to a system’s ability to quickly restore its services.

3.1.2 Importance of Security Engineering
Threat management, also known as cyber threat management, is a framework
that cybersecurity experts use to manage a threat’s life cycle in order to identify and
respond to it quickly and accurately. To remain ahead of risks, threat management relies
on a seamless integration of people, process, and technology.

Security engineering is the process of incorporating security measures into an organization’s IT
infrastructure, particularly its information system, in order to make the latter an
integrated component of its operational capabilities. Security should be integrated
into all phases of the SDLC under the DevSecOps development paradigm, with
every department and stakeholder responsible for the system’s security. Practices
and principles that are incorporated in the design, development, implementation, and
execution of technical controls are included in security engineering services.

Security testing services, procedures, techniques, and technologies are used in
software security engineering to handle any security-related issue that arises within the
SDLC. It protects the IT infrastructure from unexpected system failures or malicious
attacks. Other advantages include:

●● Software that has been secured via software engineering can detect, prevent,
withstand, and recover from hostile attacks.
●● Aids in the development of stable and bug-free software that can withstand
malware attacks, abuse or misuse, and inadvertent failures.
●● Allows for the speedy, effective, and efficient remediation of attacks launched at
the software programme and its ecosystem.
●● For teams dealing with application security testing, it provides more agility and
speed.
●● Ensures early detection of vulnerabilities that, if left untreated, hackers could
exploit to gain access to the system. Built-in security features can help to address
these flaws and ensure that data transit between modules is more secure thanks
to encryption.
●● The ‘secure by design’ concept is followed. The security review of code is then
carried out using automated application and web security testing. It enables
programmers to use secure design patterns while creating software modules.
●● Reduces the cost of redevelopment by detecting and fixing security vulnerabilities
during the development process, thanks to the built-in secure software design.

3.1.3 Cyber Threat Management

Most security teams deal with data fragmentation, which can lead to security
operations blind spots. Blind spots limit a team’s capacity to quickly recognise, guard
against, and respond to security threats wherever they occur.

Today’s challenges are more than antivirus software can tackle; they include mutating
software, advanced persistent threats (APT), insider threats, and vulnerabilities around
cloud-based computing services. With the ever-disappearing perimeter of a secure IT
infrastructure and a remote workforce, businesses are exposed to new types of risks
and security threats. In light of the changing threat landscape and transition to cloud,
security professionals have adopted a new mindset: they must presume that breaches
have occurred and will continue to occur.

A cyber threat management system that is enhanced with automation and informed
by AI can help counter today’s advanced cybercriminal threats. It provides the
visibility that security teams require to thrive. Security teams can navigate with confidence,
detecting data at risk and vulnerabilities across networks on thousands of endpoints
and between clouds, thanks to the unification of security data.

How threat management works
The National Institute of Standards and Technology’s (NIST) cybersecurity framework
is used by many modern threat management systems. For private sector
enterprises, NIST provides extensive guidelines on improving information security
and cybersecurity risk management. The NIST Cybersecurity Framework (NIST CF),
for example, is a set of standards and best practices. Its essential structure is made
up of five key functions: identify, protect, detect, respond, and recover.

Identify
Cybersecurity teams must have a comprehensive awareness of the company’s
most valuable assets and resources. Asset management, business environment,
governance, risk assessment, risk management strategy, and supply chain risk
management are among the categories covered by the identify function.
m

Protect
Many of the technological and physical security controls for establishing and
executing suitable safeguards and protecting critical infrastructure are covered by the
protect function. Identity management and access control, awareness and training, data
security, information protection processes and procedures, maintenance, and protective
technology are among these categories.

Detect
The detect function implements countermeasures in the event of a cyberattack.
Anomalies and occurrences, continuous security monitoring, and early detection
methods are all examples of detect categories.

Respond
The respond function guarantees that cyberattacks and other cybersecurity situations
are dealt with appropriately. Response planning, communications, analysis, mitigation,
and improvements are some of the categories.

Recover
In the case of a cyberattack, a security breach, or any cybersecurity catastrophe,
recovery activities implement strategies for cyber resilience and maintain business
continuity. Improvements in recovery planning and communications are among the
recovery tasks.

Due to its potentially disastrous consequences on organisational information
systems, reputational risk, and the loss of consumer and stakeholder confidence, cyber
risk is becoming an ever-growing concern to both public and private institutions. Firms,
non-profits, and government entities were generally unprepared for identifying and
addressing this risk with the advent of the internet and the corresponding proliferation
of information technology, but the threat has increased in both frequency and severity
over time, and the nature of attacks has also changed. In many early cases, cyber
attackers and information disruption campaigns disrupted business operations for no
other reason than to amuse themselves, or because they saw getting into corporate
information technology (IT) infrastructure as a challenge.

They would deface websites or take down servers to irritate or simply challenge
other cyber specialists to prove they could do it, not for financial gain (Hallam-Baker,
2008). However, as the Internet and e-commerce have developed, employee access
to firm data has increased, and remote access to internal computer systems has
become more widespread, cyber attackers have evolved, becoming more adept,
and their impacts have become more destructive (Rhemann, 2011). Current cyber
threats and attackers are increasingly focused on profiting from the consequences of
their attack actions, either by exploiting the data they illegally obtain for private gain
or by requiring payments from the victimised enterprise to restore service, access, or
websites to operational functionality (Maillart & Sornette, 2010; Hallam-Baker, 2008;
Rhemann, 2011). The Federal Bureau of Investigation (FBI), universities, and other
research groups in the United States have all looked into cyber security as a threat to
both public and private entities. According to a joint survey on cyber risk conducted by
the Computer Security Institute and the FBI in 2002, 90 percent of respondents had
identified computer breaches in the previous year, with an average loss of over $2
million per firm (Power, 2002). Most businesses were not fully prepared to tackle these
types of catastrophic losses in the then-relatively new era of information technology and
the Internet.

The average loss had fallen to around $300,000 by 2008, according to the
Computer Security Institute/FBI report, indicating that firms and the security software
they deploy have become more sophisticated in order to deal with the growing threat of
illicit cyber activity (Computer Security Institute, 2008). According to the 2008 CSI/FBI
report, firms dramatically increased their internal budgets for cyber security, implying
that they are spending more money, time, and labour to minimise these risks (Computer
Security Institute, 2008).

Cyber attacks can disrupt power grids, steal information and intellectual property,
expose competitors’ bids, and block business-critical web sites, resulting in significant
financial losses for unprepared businesses. As a result, businesses will likely need to
continue to focus on cyber risk security issues as hackers become more sophisticated,
causing more losses to businesses, online services, and operations, and especially
as businesses become more reliant on the Internet for e-commerce, mobile (or
m-) commerce, or simply for daily operations, administration, and field contact with
employees.

Best Practices for Effective Threat Management

An organization’s defences and response must be coordinated to stop threats
sooner and more efficiently if it is to succeed and grow quickly. When the following
framework is used, effective threat management can be achieved:

3.1.4 Importance of Cyber Threat Management
With continuously evolving technology, cyber risk management is critical for
today’s organisation. Small and large businesses alike must recognise that the present
cyber threats might make them a prime target for attackers. An attack on even the
largest company with a wide client base is possible. A cyber-attack on an unprepared
company could result in data loss, financial loss, a loss of brand reputation, and a loss
of employee morale. Installing anti-virus software alone is no longer sufficient to avoid
attacks. Anti-virus software is only one part of risk management.

To mitigate the risks particular to their organisation and eliminate cyber-attack
threats, businesses must develop and implement a risk management strategy. A
cyber risk management strategy can assist decision-makers in understanding the
hazards that come with it on a day-to-day basis. An evaluation of cyber risk will assist
the company in determining the likelihood of any cyber-related attacks to which they
are vulnerable. A cyber risk management strategy can assist a company in identifying
and addressing important threats, as well as directing resources and time to the most
effective areas. This will also aid in the prevention of the hazards identified during the
assessment.

Organizations are continuously struggling to keep up with mitigation and prevention
solutions as the number of threats and complicated network and system attacks
grows. Businesses and other organisations can save an average of $1.2 million if
data breaches are identified earlier, according to an IBM article on the Cost of a Data
Breach. Cyber security threat management is more critical than ever for businesses.
Threat management improves coordination across common technology security
procedures and people, allowing firms to recognise risks and respond to them faster.
When a company or organisation effectively implements a cyber threat management
framework, they can have access to a number of useful tools, including:

●● Through education, skills, and effective threat management solutions, create a
cohesive security team.
●● Throughout the threat management lifecycle, improvement is achieved through
built-in process reporting and measurement.
●● Lower attack risk and faster threat detection lead to more consistent vulnerability
investigations and faster solution implementation.

3.1.5 Threat Management Challenges

Protecting against advanced persistent threats and other threats from insider
sources might be difficult. Many security leaders in the cyber security business are
frequently confronted with problems in their security networks or systems.

System Visibility is Little to None

Security teams don’t always have the resources to get a comprehensive picture
of their whole threat landscape, complete with context. Internal data, such as HR users,
cloud information, and databases, is frequently required by teams. External data, such
as threat intelligence, dark web information, and social media sources, must also be
visible. The tension that arises between the absence of integration between point
solutions, information technology security teams, and uneven processes throughout the
company is often the reason for this lack of visibility. According to IBM, businesses can
utilise up to 80 distinct security products from over 40 different vendors. The muddled
nature of an overabundance of security products obscures visibility for those who
require it most.

Internal (HR, users, databases, cloud) and external (social media, OSINT, threat
intel, dark web, etc.) data sources do not provide complete awareness of their whole
threat environment with relevant context. This is frequently caused by security team
silos, a lack of integration between point solutions, and unclear or inconsistent practices
throughout the company. According to IBM, businesses utilise up to 80 distinct security
products from 40 different manufacturers.

Lack of Insights and Necessary Reporting


A security team may or may not have knowledge of specific KPIs that must be
monitored. Furthermore, due to a lack of interaction between the organization’s point
solutions, it is difficult to create progress reports that identify maturity standards and
compliance. Furthermore, if security teams are judged against various KPIs, it can
be difficult to unite them on a common purpose for the firm. Many cyber security
professionals consider that one of the most difficult security problems in developing a
cybersecurity threat management programme is the complexity of an IT environment.

Security teams have no idea which KPIs they should be tracking or how to collect
the data they need (e.g. ROI, MTTD, MTTR). Due to a lack of interfaces across their
point solutions, there is no straightforward method to build reports to illustrate progress
against maturity criteria and compliance. Furthermore, when separate security teams
are judged against different KPIs, it might be difficult to coordinate them behind a
unified organisational purpose. The complexity of the IT environment, according to
different analyst reports and what we hear from our IBM prospects, is one of the most
significant security concerns they face.
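
The reporting problem described above, worked through for MTTD and MTTR, as an added example that is not part of the original course text: incident records from two point solutions with different schemas are normalised and the KPIs computed over the combined set. The tool exports, field names and records are constructed; MTTD is taken here as mean time from occurrence to detection and MTTR as mean time from detection to resolution, which is an assumption since definitions vary.

```python
from datetime import datetime, timezone
from statistics import mean

# Constructed sample export from a hypothetical endpoint tool (ISO 8601 strings).
EDR_ALERTS = [
    {"id": "EDR-1", "occurred": "2024-03-01T08:00:00+00:00",
     "detected": "2024-03-01T10:00:00+00:00",
     "resolved": "2024-03-01T16:00:00+00:00"},
    {"id": "EDR-2", "occurred": "2024-03-02T00:00:00+00:00",
     "detected": "2024-03-02T06:00:00+00:00",
     "resolved": None},  # still open: counts for MTTD, not for MTTR
]

# Constructed sample export from a hypothetical ticketing tool (epoch seconds).
TICKETS = [
    {"ticket": "T-7", "start_ts": 1709460000, "found_ts": 1709474400,
     "closed_ts": 1709481600},
    {"ticket": "T-8", "start_ts": 1709500000, "found_ts": 1709490000,
     "closed_ts": 1709510000},  # detected before it occurred: bad data
]


def _from_iso(value):
    return datetime.fromisoformat(value) if value else None


def _from_epoch(value):
    if value is None:
        return None
    return datetime.fromtimestamp(value, tz=timezone.utc)


def normalise(edr_alerts, tickets):
    """Map both tool-specific schemas onto one record layout with UTC datetimes."""
    records = []
    for a in edr_alerts:
        records.append({"id": a["id"], "source": "edr",
                        "occurred": _from_iso(a["occurred"]),
                        "detected": _from_iso(a["detected"]),
                        "resolved": _from_iso(a["resolved"])})
    for t in tickets:
        records.append({"id": t["ticket"], "source": "ticketing",
                        "occurred": _from_epoch(t["start_ts"]),
                        "detected": _from_epoch(t["found_ts"]),
                        "resolved": _from_epoch(t.get("closed_ts"))})
    return records


def _hours(delta):
    return delta.total_seconds() / 3600


def kpi_report(records):
    """Compute MTTD/MTTR in hours; list open incidents and rejected records."""
    detect_hours, resolve_hours, still_open, rejected = [], [], [], []
    for r in records:
        occurred, detected, resolved = r["occurred"], r["detected"], r["resolved"]
        # Reject records with missing or out-of-order timestamps rather than
        # letting them skew the averages.
        bad_order = (occurred is None or detected is None or detected < occurred
                     or (resolved is not None and resolved < detected))
        if bad_order:
            rejected.append(r["id"])
            continue
        detect_hours.append(_hours(detected - occurred))
        if resolved is None:
            still_open.append(r["id"])
        else:
            resolve_hours.append(_hours(resolved - detected))
    return {
        "mttd_hours": mean(detect_hours) if detect_hours else None,
        "mttr_hours": mean(resolve_hours) if resolve_hours else None,
        "open": still_open,
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(kpi_report(normalise(EDR_ALERTS, TICKETS)))
```

Reporting the rejected and open record ids alongside the averages keeps the KPI honest: a falling MTTR means little if the slow incidents are simply still open or were dropped as bad data.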

Burnout and Shortage of Staff and Their Skills


Due to a skills shortage in the industry and analyst fatigue, security leaders are
having difficulty attracting competent personnel and keeping current employees
motivated. Due to the difficulty in obtaining additional personnel budgets, security
directors must devise novel ways to utilise talent from other cross-functional units such
as customer service and technical sales. Following that, these individuals are trained to
be effective in their new role.

Due to a skills scarcity and analyst fatigue, security leaders are having trouble
finding suitable candidates and keeping current employees motivated. It’s also
challenging to locate additional personnel funding, so security leaders must think
outside the box to “borrow” talent from other cross-functional units like customer
service, technical sales, and so on, and then educate them to be effective in the field.

Prioritizing cyber risks: It might be difficult to keep up with the expanding number
of cyber dangers. The risk of failure is well understood, yet firms never seem to have
enough people or money to deal with it all in real time. What’s the first thing you’re
going to do? Without a solid risk prioritisation plan in place, no one can survive today’s
fast-rising threat vectors and cyberattacks. Staying adaptable in the face of rapidly
changing cyber threats, business conditions, organisational goals, and technology
defences is a critical factor in establishing priorities.

Prioritization of cyber risk must be done in the context of a larger picture, related to
key business goals, and measured against a credible threat-to-resources assessment.
Of course, this is decided at the top, probably with significant influence from the board,
and it must be communicated to all stakeholders in a clear and concise manner.

Communicating cyber risks to the board and management: CISOs typically find it
difficult to communicate the importance of security to top management and to justify
additional spending on their activities, regardless of how critical they are. It’s difficult to
integrate security concepts into a bigger business strategy, even if they’re critical for
reducing the chance of catastrophes like costly data breaches.

The ability to demonstrate how security measures can help the company save time
and money on particular operations is a great way to demonstrate your department’s
expertise. It’s especially important when CISOs are requesting additional funding.
It is suggested that a metrics-heavy discussion be held to support the point.

Sophisticated ransomware: Ransomware attacks are becoming more common by the day,
and business owners and IT professionals must have a solid recovery strategy in place
to protect their company. There have been various reports about ransomware’s progress
and the cat-and-mouse game between fraudsters looking for ways to avoid detection and
defenders looking for ways to stop them. Rather than encrypting data at random,
criminals are concentrating on high-value company data to encrypt and hold for ransom.

Microsoft’s recent Digital Defense Report examined cybercrime trends in depth,
bringing its experience and insights to enterprise, server, desktop, and cloud networks.
The most troublesome danger, according to the research, is ransomware, which is the
most common reason for incident response engagements. The analysis reveals that
once threat actors have gained access to a system, they spend less time there. They
took advantage of the chaos generated by the COVID-19 outbreak and launched strikes
considerably sooner than expected.


Cloud risks: Businesses are migrating classified data from legacy data centres to
the cloud due to the expense and flexibility of legacy data centres. Shifting data to the
cloud necessitates the implementation of appropriate setup and security measures, or
firms risk slipping into a trap. Only the cloud service provider’s platform is protected.
It is the firm’s responsibility to protect its infrastructure from theft and erasure in the
cloud. To perform forensics on cloud data, current incident response teams must have
the requisite expertise and technologies. Leaders must hold their teams accountable for
their readiness and capacity to manage and respond to cloud security breaches.

Staff and skills shortage: Today’s cyber threats are more complex than ever, and
this has resulted in a consistent pattern of depending too heavily on point solutions
to protect against them. While technology is critical to achieving this goal, it is not a
panacea. Mid-market companies frequently lack dedicated cybersecurity personnel who
are just as crucial. The pandemic has worsened this talent gap, as the network graph
has expanded to incorporate at-home laptops and other WFH access points. According
to a Verizon analysis, small businesses will be implicated in nearly one-third of data
breaches in 2020, and the situation can only improve with a combination of processes,
people, and technology. The only way forward is to hire more security specialists and
outsource professionals.

Perpetually evolving risks: You can’t really do anything about polymorphism,
especially when it comes to malware. Polymorphic malware is a type of harmful computer
software that includes viruses, worms, and spyware. It can modify its appearance
regularly, making it difficult to detect by anti-malware software. As a result, businesses
should consider adding an additional layer of security to their antivirus software.

A device that can act proactively to pinpoint malware should be a company’s first
line of defence. It must be able to prevent data leaks and limit access to malicious
servers. One of the functions of this protective layer is to keep your system safe by
quickly fixing vulnerabilities. Extreme measures may become the norm as cyber threats
grow and cyber-attacks become more hostile.

If billions of hackable smart gadgets are connected to an IoT network, the
vulnerability to cyberattacks will increase. Despite incidents of cyberattacks, the IoT
device industry is not standardised and thus not compelled to meet particular security
requirements. To safeguard personal data, business-sensitive information, and vital
infrastructure, it is critical that IoT devices be insulated from the start.

3.1.6 Risk Assessment



A security risk assessment is defined as “a fundamental examination that can include
review of documentation, policies, facilities, technology, protection strategies, staffing,
training, and other key indicators to determine the current state of the protection
programme (security) in an effort to identify deficiencies and even excesses, in order to
make recommendations for improvement based on proven methods.”

In fact, the process of detecting security flaws has gone by a variety of
names. Security assessment, security survey, security audit, and risk assessment
are just a few of the terms that have been used to describe this subject. It’s a
comprehensive on-site assessment and analysis of your current security measures,
whether they’re physical security measures, technology, operations, facilities, security
management, policies, training, reports, or any other area of your security programme
or measures in general. Regardless of title, they’re all aiming for the same thing:
identifying security flaws, dangers, deficiencies, and even excesses, and then devising
a strategy to remedy the issues with specific recommendations based on industry
approved standards and best practices.

Most professionals would agree that the evaluation process should be conducted in
a consistent manner. If one thing is certain about such processes, however, it is that
everyone who conducts them does so in their own unique way.

Countless publications over the years have covered various aspects of a security
assessment, so you’d assume that security professionals would be working from the
same starting point. In many circumstances, however, the opposite is true. Even among
security consultants, everyone has a different perspective, and no two reports are the
same.

In order to measure and evaluate the efficacy of a security programme, quantitative
and qualitative methodologies are frequently used. When doing a security risk
assessment, the individual conducting it must also examine statistics, as statistics
are frequently used as a starting point for setting a baseline for the programme. If you
don’t keep track of security incident reports and their consequences, you won’t be able
to properly manage a security programme. If the person conducting the assessment
(referred to as the reviewer throughout this chapter) lacks previous security data (e.g.,
past incident reports) on which to build the baseline, he or she will be at a disadvantage
and will have to start from the beginning.



Figure: Risk assessment process

Context Establishment: The context establishment step is the first stage in
preparing for the following activities, and it entails documenting both the external and
internal context relevant to the assessment in question. This step establishes the risk
assessment’s aims and objectives, necessitating the cooperation of decision-makers.
Relationships with external stakeholders, as well as the appropriate sociological,
legal, regulatory, and financial environment, are all part of the external context. The
important goals, objectives, policies, and capabilities that may impact how risk should
be assessed are included in the internal context.


In addition to establishing the broad framework for the risk assessment, context
establishment also entails supplying all of the input required for the risk assessment’s
subsequent steps. This is referred to as the context description, and its contents are
detailed further below. The risk assessment’s aims and objectives are what we hope
to accomplish. These can be quite high-level, such as meeting corporate objectives or
providing business services, but they are necessary to grasp the assessment’s target,
scope, and focus.

The identification and documenting of the assets with respect to which the risk
assessment is undertaken is a critical step in establishing the context and defining
the evaluation’s focus. We need to be clear about who the party of the risk assessment
is before we can start identifying assets. Only by evaluating the party can one decide
what assets are held, how crucial, important, or valuable they are, and how much
security they require. A risk assessment is usually done with only one party in mind,
although it is possible to include two or more.

We can specify the risk scales and risk evaluation criteria after we’ve defined
the aim and assets. To define the risk scales, we need scales for consequences and
likelihoods. In theory, we can apply the same consequence values, such as monetary
loss, to all types of assets. In practice, however, this can be hard because the economic
implications of risks may be difficult to grasp. As a result, describing consequences
that are specific to the asset in question is frequently more beneficial. For example,
the consequences for a service’s availability could be expressed in terms of downtime.
We therefore first analyse the nature and type of consequences that may emerge, as
well as how they will be measured for each asset. Furthermore, because the same risk
assessment may contain different types of assets, we may need to establish multiple
consequence scales, one for each type of asset.

Risk Identification
Activities aimed at identifying, describing, and documenting risks and potential
causes of risk are referred to as risk identification. Two factors should be kept in mind
in this regard. To begin with, a risk is always associated with an incident. Second,
there are three elements that must exist in order for there to be risk: asset, vulnerability,
and threat. Without assets there is nothing to harm, without vulnerabilities there is
nothing to exploit, and without threats there is nothing to cause harm. As a result, we
conduct risk identification for identified assets by identifying threats and comprehending
how threats might lead to incidents (and hence risks) by exploiting vulnerabilities.

A vulnerability is a defect, shortcoming, or deficiency in an asset that can be
exploited by a threat to harm it.

Vulnerabilities include a weak window lock and a lack of an intruder alarm, both of
which can be exploited by a thief during a break-in. Broken smoke detectors, poor staff
training, and a lack of backup copies of important operator manuals are further examples.
The severity of a vulnerability is determined by the risks that could exploit it.

A threat source might be either human or non-human, as well as tangible or
intangible. Burglars and careless employees are examples of human threat sources,
whereas natural disasters such as lightning or flooding are examples of non-human
threat sources. An example of an intangible threat source is malware.


Risk Analysis
Risk analysis refers to efforts aimed at estimating and determining the magnitude
of recognised risks. The risk level is calculated by combining the likelihood and the
consequence. The goal of this stage is to use the scales specified during context
establishment to evaluate the likelihoods and consequences of the identified incidents.
Each of the assets harmed by an incident constitutes a risk, and we must evaluate the
consequences for each of these assets.

Only by evaluating the party in question can the impact or severity of an
occurrence be judged. The seriousness of a misdirected postal letter that exposes
personal patient information, for example, is likely to be assessed differently by the
hospital and the patient concerned. As a result, estimating the effects should be done
by walking through all identified incidents and assigning estimates with the help of
employees representing the party or someone who can determine the repercussions on
their behalf.

Using a predetermined likelihood scale, likelihood estimation determines the
frequency or probability of incidents occurring. This necessitates the use of empirical
data collection methodologies. Interviews and brainstorming sessions to acquire expert
viewpoints, inspection of logs or other statistical and historical data, and utilisation of
existing repositories are examples of such procedures. Many risk-modelling systems,
such as Bayesian networks, attack trees, and CORAS diagrams, include support for
likelihood estimation and documentation. As a result, the methodologies available
for likelihood estimation may be influenced by how we choose to model or describe the
risks during risk identification.

Risk Evaluation
Risk evaluation refers to actions that involve comparing risk analysis results to risk
evaluation criteria in order to identify which risks should be treated.

Given the risk calculations and evaluation criteria, this phase should be quite
simple. For example, if we used a risk matrix to specify the risk evaluation criteria,
all we have to do now is plot each risk into the matrix to determine the risk level.
Because risk evaluation is a decision point in the overall risk assessment process, we
take the time to confirm the risk evaluation criteria and consolidate the risk estimates.
Decision-makers and other participants in the risk assessment frequently gain new
insights and knowledge about the risks and their effects, and we must ensure that the
criteria that were previously defined are still acceptable. While consolidating the risk
assessment results, we focus on the risk estimates that we are unsure about, and where
this uncertainty casts doubt on the real risk level.

A suggestion for risk assessment is to categorise risks that have similar characteristics.
Risks with similar threat sources, threats, vulnerabilities, and/or assets may be managed
similarly. As a result, in order to prepare for risk treatment and to facilitate cost-effective
treatment, we go over the identified risks and group them as needed.

Risk Treatment
Risk treatment refers to efforts aimed at identifying and selecting risk mitigation and
reduction options. To emphasise the fact that risks can both decrease and rise as a
result of treatments, this stage is also referred to as risk modification. This is especially
true for risk management strategies that include taking or increasing risk in order to
pursue a business opportunity. This book focuses solely on identifying treatments with
the goal of lowering or eliminating risks. The definition that follows reflects this.

A treatment is an appropriate measure for lowering the risk level.

In principle, we should aim to treat all unacceptable risks, but regardless of risk
level, this is ultimately a cost-benefit analysis. We might eliminate a low risk if it is very
cheap to do so, even if the risk is acceptable in theory. Similarly, if the cost of treating a
very high risk is unaffordable, accepting it may be the only option.

As a result, risk treatment should include both the identification and analysis of
treatments. Treatments can be identified in the same way as risks are identified, for
example, by brainstorming or the use of available lists and repositories. An examination
of the costs and benefits of the selected treatments should be used to determine which
treatments to implement. The analysis should account for the fact that some treatments
can introduce new risks, and that some groups of treatments can diminish the
isolated effects of one another. Improved intrusion detection or tighter access control,
for example, may reduce illegal access, but the combined effect of the two cannot be
expected to equal the total of their individual effects.

Risk treatment can be divided into four categories: risk reduction, risk retention,
risk avoidance, and risk sharing. We can reduce risk by lowering the probability and/
or severity of occurrences. To do so, we look for ways to eliminate threat sources,
eliminate or mitigate vulnerabilities, or lower the possibility of threats through other
means. Accepting the risk after making an informed decision is known as risk retention.
This is usually an option for risks that meet the risk requirements but are too
expensive to treat given the other options. Risk avoidance simply means avoiding the
behaviour that causes the risk, which is sometimes the only way to avoid unacceptable
risks. Transferring the risk, or parts of it, to another party, such as through insurance
or subcontracting, is known as risk sharing.
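
The analysis, evaluation and treatment steps described above, worked through in Python as an added example that is not part of the course text. The scales, thresholds, sample register, costs and effectiveness figures are constructed for illustration, and the multiplicative model used to combine treatments is an assumption.

```python
from bisect import bisect_right
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations
from math import prod

# Scales fixed during context establishment. Every threshold is an assumed, illustrative value.
FREQ_BOUNDS = [0.1, 0.5, 2.0, 10.0]   # incidents/year separating rare..certain (steps 0-4)
CONSEQUENCE_BOUNDS = {                # one consequence scale per asset type, in its own unit
    "service_availability": [0.5, 4, 24, 72],      # hours of downtime
    "patient_records": [1, 10, 1000, 100000],      # records exposed
}
LEVELS = ["low", "medium", "high"]


def risk_level(freq_per_year, asset_type, magnitude):
    """Risk analysis: combine the likelihood step and the consequence step."""
    likelihood = bisect_right(FREQ_BOUNDS, freq_per_year)
    consequence = bisect_right(CONSEQUENCE_BOUNDS[asset_type], magnitude)
    score = likelihood + consequence          # position in the 5x5 risk matrix
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


@dataclass(frozen=True)
class Risk:
    incident: str
    asset_type: str
    threat_source: str
    vulnerability: str
    freq_per_year: float
    magnitude: float

    def level(self, freq=None):
        f = self.freq_per_year if freq is None else freq
        return risk_level(f, self.asset_type, self.magnitude)


@dataclass(frozen=True)
class Treatment:
    name: str
    annual_cost: int
    effectiveness: float   # fraction of incidents prevented when used alone


def evaluate(register, acceptable="medium"):
    """Risk evaluation: return the risks whose level exceeds the acceptance criterion."""
    limit = LEVELS.index(acceptable)
    return [r for r in register if LEVELS.index(r.level()) > limit]


def group_by(register, attribute):
    """Group risks that share a threat source, vulnerability or asset type."""
    groups = defaultdict(list)
    for r in register:
        groups[getattr(r, attribute)].append(r.incident)
    return dict(groups)


def combined_effectiveness(treatments):
    """Assumed model: residual fractions multiply, so individual effects do not add up."""
    return 1 - prod(1 - t.effectiveness for t in treatments)


def choose_treatment(risk, options, budget, acceptable="medium"):
    """Risk treatment: cheapest affordable set of treatments that makes the risk acceptable."""
    limit = LEVELS.index(acceptable)
    best = None
    for n in range(1, len(options) + 1):
        for combo in combinations(options, n):
            cost = sum(t.annual_cost for t in combo)
            residual = risk.freq_per_year * (1 - combined_effectiveness(combo))
            level = risk.level(residual)
            if LEVELS.index(level) <= limit and cost <= budget:
                if best is None or cost < best[1]:
                    best = ("reduce", cost, tuple(t.name for t in combo), level)
    # No affordable reduction: decision-makers must retain, avoid or share the risk.
    return best or ("retain, avoid or share", 0, (), risk.level())


# Constructed sample register (not data from the course text).
REGISTER = [
    Risk("misdirected letter exposes patient data", "patient_records",
         "careless employee", "poor staff training", 4, 1),
    Risk("malware destroys records database", "patient_records",
         "malware", "no backup copies", 0.3, 50000),
    Risk("illegal access takes booking service offline", "service_availability",
         "external attacker", "no two-factor authentication", 12, 30),
    Risk("phished credentials cause service outage", "service_availability",
         "careless employee", "poor staff training", 6, 8),
]
OPTIONS = [Treatment("intrusion detection", 20000, 0.6),
           Treatment("tighter access control", 15000, 0.7)]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.level():6}  {r.incident}")
    print(group_by(REGISTER, "vulnerability"))
    for r in evaluate(REGISTER):
        print(choose_treatment(r, OPTIONS, budget=40000))
        print(choose_treatment(r, OPTIONS, budget=30000))
```

With these constructed figures neither treatment alone brings the high risk down to an acceptable level; only the pair does, and its combined effectiveness (0.88) is well below the sum of the individual figures (1.3).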

3.1.7 Risk Management, Procedure and Guidelines



The process of discovering, assessing, evaluating, and addressing your
organization’s cybersecurity risks is known as cybersecurity risk management.

A risk management framework should be used to ensure that a risk management
process is adequate, efficient, and effective. This framework, in turn, should adhere
to risk management’s fundamental principles. The following diagram depicts the links
between risk management concepts, framework, and procedure. The framework
should be improved on a regular basis, based in part on experience, discoveries, and
outcomes from the risk management process. This explains the arrow in the figure below
that connects the procedure to the framework. The goals of the risk management
process must be determined as part of the organization’s overall management. This is
why a risk management framework should be used to implement the risk management
process in the firm. The framework establishes the risk management mission and
commitment, as well as risk management policies and duties, risk management
integration into organisational activities, and internal and external communication and
reporting methods. The risk management framework should be evaluated, reviewed,
and enhanced on a regular basis.


Figure: Risk management elements

The risk management framework, in turn, must adhere to risk management’s
fundamental principles. The principles apply to all types of risk management, but
companies must understand what they mean to them and how they apply to their own
risk management framework. Eleven such principles are listed in ISO 31000. These
include, among other things, the principles that risk management should create and
protect value, that risk management should be an integral part of all organisational
processes, that risk management should be used in decision-making, and that risk
management should be based on the best available information.

Cybersecurity risk management isn’t only the responsibility of the security team; it
affects everyone in the organisation. Employees and business unit leaders often perceive
risk management through the lens of their own business function. Regrettably, they lack
the broad view required to address risk in a consistent and comprehensive manner.

Each function has its own goal, which is frequently accompanied by a lack
of understanding and empathy for others. Security and compliance are frequently
viewed as unpleasant barriers to development by IT, which leads with new ideas and
technologies. Security is well-versed on safety, but it is frequently out of touch with
changing regulations and technologies. The sales staff wants to keep their customers
pleased, so they’re seeking for a quick approach to finish security audits. Compliance
strives to keep everyone out of trouble by adhering to rules to the letter, but it often
does so without a thorough understanding of security.

In order to effectively manage cybersecurity risk, all functions must have clearly
defined roles and be assigned particular duties. The days of siloed departments
wandering around in a jumbled mess are finished. In today’s risk environment, a united,
coordinated, disciplined, and consistent risk management approach is required. The
following are some critical risk management action components that all businesses
should remember:

●● The creation of solid policies and mechanisms for assessing vendor risk.
●● Emergent risks, such as new legislation with business implications, are identified.
●● Internal flaws such as a lack of two-factor authentication are identified.
●● IT risk mitigation, which could include training programmes, new policies, and
internal controls.
●● The total security posture is put to the test.
●● For regulatory investigations or to reassure prospective customers, documentation
of vendor risk management and security is required.

Broadly speaking, the cybersecurity risk management process involves four stages:


●● Identify risk: assess the environment in which the firm operates in order
to detect present or potential risks that may have an impact on business
operations.
●● Assess risk: analyse identified risks to determine how probable they are to have
an influence on the organisation, as well as the potential impact.
●● Control risk: identify strategies, procedures, technology, or other steps that can
assist the organisation in reducing risk.
●● Review controls: analyse how successful controls are at managing risks on a
regular basis, and add or change controls as needed.

When it comes to risk management, most companies follow a four-step strategy
that starts with risk identification. Then, depending on the possibility of threats exploiting
vulnerabilities and the possible consequences, risk is assessed. Organizations assess
risks and choose from a number of mitigation techniques. The fourth phase, monitoring,
is designed to manage risk and keep current in a constantly changing environment.

The good news is that there is lots of assistance available for firms wishing to
analyse their risk level. To guide government information system risk assessments,
the National Institute of Standards and Technology (NIST) developed NIST Special
Publication 800-30, a third-party risk management methodology. The guidance in Special
Publication 800-39 is supplemented by the 800-30 framework. It is closely tied to
Special Publication 800-53, a third-party risk management framework for federal
information systems that includes a catalogue of security and privacy controls. Despite
the fact that NIST SP 800-30 isn’t required in the private sector, it is a valuable
resource for any firm assessing risk.

Develop a Cybersecurity Risk Management Plan



Identify Cybersecurity Risks

Gartner defines IT risk as “the possibility for an unanticipated, negative business
result involving the failure or misuse of IT.” To put it another way, what are the chances of
an existing threat exploiting a vulnerability, and what would the implications be if it did?
The initial step in the management process is to identify the risks. With the development
of IT systems, the explosion of regulations, and the complexities of COVID, modern
security teams have their hands full. Potential risks lurk around every corner.

You must first comprehend threats, vulnerabilities, and the consequences of their
confluence before you can assess risk.

Threats are situations or occurrences that have the potential to harm an
organization’s activities or assets by gaining illegal access to information systems.
Hostile attacks, human errors, structural or configuration faults, and even natural
calamities are all potential threats.
)A

Vulnerabilities are flaws in an information system, security method, internal control,
or implementation that a threat source can take advantage of. Vulnerabilities can be
identified externally in supply chains or vendor connections, and are frequently the
result of poor internal operations such as security.
(c

Consequences are the negative outcomes that emerge as a result of threats
exploiting vulnerabilities. Their impact is a measure of the severity of the repercussions,
and while attempting to analyse risk, your organisation will need to estimate such
expenses. Keep in mind that these expenditures are typically incurred as a result of lost
or damaged data, which can be a huge commercial setback for any company.

Assess Cybersecurity Risks
Risk assessments are a fantastic way to underline the importance of security
throughout your company. Assessing risk helps your team to develop communication
and cooperation, which will help them play a key part in risk management in the future.

What is the level of risk in your company? Assessment is the critical stage at which
the answer becomes evident. Begin by naming all of your assets and ranking
them in order of significance. Second, make a list of all potential risks and weaknesses
in your environment. At this point, apply appropriate safeguards to all known
vulnerabilities. Next, try to predict the chance of a threat event occurring and perform
an “impact analysis” to quantify the prospective repercussions and financial impact.
Your risk assessment will then be used to influence risk management choices and risk
response strategies in the future.

With a four-step process, the NIST Guide for Conducting Risk Assessments
presented in Special Publication 800-30 can assist your team. Clarify your aim, scope,
restrictions, and risk model/analytics to be used before beginning your evaluation. To
determine the overall risk, conduct your assessment and list risks by likelihood and
impact. These findings will be disseminated and used to guide your team’s mitigation
actions across the company. Finally, by continuously monitoring environments, this
guide directs the maintenance of your assessment.

Identify Possible Cybersecurity Risk Mitigation Measures



Identifying and evaluating risk is only the first step. What will your company do
about the risk you’ve discovered? What will be your risk management mitigation
strategy? What plan do you have in place to deal with residual risk? The most effective
risk management teams, according to history, have a well-thought-out plan in place to
guide their risk response strategy.

Understanding all of your risk mitigation options is the crucial third step, the
response: your team can use either technical or best practice methods, or ideally a
combination of both. Encryption, firewalls, threat hunting software, and engaging automation
for better system efficiency are examples of technological risk mitigation strategies. The
following are some of the best risk-mitigation strategies:
●● Cybersecurity training programs
●● Updating software
●● Privileged access management (PAM) solutions
●● Multi-factor access authentication
●● Dynamic data backup

Smart businesses understand the need to use real data to inform their risk
response tactics and risk management posture. They use realistic data from real-world
applications to prioritise risks and mitigation strategies.


Use Ongoing Monitoring


The dangers in your environment have been recognised, assessed, and addressed
by your organisation. That would suffice in an ideal world. But, as we all know, change
is unavoidable, so your team will need to keep an eye on things to ensure internal
controls stay in line with IT risk.

●● Regulatory change: Maintaining a constant awareness of all legislation and
their changes will guarantee that your internal controls are in line with external
expectations.
●● Vendor risk: As new vendors are brought on board, make sure to examine and
document security and compliance policies. Remember that their flaws could
become your headaches.
●● Internal IT usage: To stay ahead of any gaps, know what technology your internal
teams use and how they utilise it.

3.2 Cyber Laws

The legal challenges surrounding the use of communicative, transactional, and
distributive features of networked information devices and technology are referred to
as cyber law. It’s the law that governs the internet. Computers, networks, software, data
storage devices (such as hard discs, USB discs, and so on), the Internet, websites,
emails, and even electronic gadgets such as cell phones, ATM machines, and so on
are all included in cyber space. The Information Technology (IT) Act of 2000 defines
the offences that are punished. Because the fundamental goal of this Act is to provide
a conducive environment for commercial I.T. use, some criminal omissions and
commissions while using computers have been excluded. With the legal recognition
of electronic records and the revisions to many parts of the IPC established by the IT
Act, 2000, several offences relating to the cyber-arena have been added to the IPC’s
respective sections.

3.2.1 Cyberspace
In his 1982 short story “Burning Chrome,” William Gibson created the term
“cyberspace” to describe a computer-generated virtual reality. However, after appearing
in William Gibson’s novel Neuromancer in 1984, the phrase gained popularity.
Cyberspace is a compound word whose origins can be traced back to the Greek word
kybernetes, which means pilot, governor, or ruler. The name ‘cyborg’ is derived from
the root ‘cyber,’ which refers to a human-machine synthesis created by combining the
human body with modern high-tech gear.

According to Gibson, cyberspace is the moniker for a genuine non-space
environment that is defined by the ability for individuals to interact virtually through
‘icons, waypoints, and artificial realities.’ The Gibsonian cyberspace (Kneale, 1999) is
an urban ‘thin’ realm that deals with urban experiences and problems including crime,
social isolation, and poverty. It reflects socio-economic tensions and geographic
divisions that occur in vastly expanded and highly polarised cities, where speed and
movement in cyberspace serve as crucial metaphors for new spatial experiences.
Gibson admits that his visionary stories did not foreshadow the widespread usage of
computer networks such as the Internet around the world; rather, he simply leveraged
current technological breakthroughs to make sense of the imagined and futuristic
worlds described in his novels (Gibson, 1996).

However, the term “cyberspace” no longer refers solely to the fictitious “matrix” in
William Gibson’s novels; it now refers to science reality rather than science fiction. It
has now become a shorthand for the concept of computer networks as a virtual place,
both on and off the Internet. Instead of using human-part metaphors (brains, memories,
etc.) to explain the first emergence of computers, the literary word cyberspace is used
to describe and understand the function of ICT networks. ‘When you pick up the phone,
you don’t “go” somewhere. However, when the computer is connected to the same
phone lines, spatial and kinetic metaphors abound’ (Nunes, 1995: 1).

The “information superhighway” metaphor, according to Vinton Cerf, one of the
Internet’s founders, “has very little ability to convey either where the Internet arose
or where it could go” (Cerf foreword, in Stefik, 1997). According to Stefik, politicians,
particularly in the United States, employ the highway metaphor in their discourse to
persuade people that large-scale Internet investments, like a motorway system, will
benefit the general good. Stefik, on the other hand, elicits four additional metaphors
from present Internet discourse. First, digital libraries, databases, and other archival
information services use the digital library metaphor. It emphasises the publication
and storage of accumulated knowledge for societal preservation and access. Second,
the Internet is depicted as a communications system using the electronic mail
metaphor. Third, the electronic market paradigm is applied to issues of digital trade,
digital money, and digital property. Finally, the metaphor of digital worlds appears in
descriptions of geographic and social settings, network navigation, groupware and
multi-user virtual environments, augmented reality, telepresence, and ubiquitous
computing (Stefik, 1997: xx-xxi).
ni

Cyberspace is a phrase that has yet to be fully defined and has no geographical
boundaries. It is a term that refers to the use of the Internet on a global scale.
Cyberspace is also known as a virtual realm because its physical existence is
undetectable. It has been described as “the total connectivity of human beings through
computers and telecommunications, regardless of physical geography.”
William Gibson, a science fiction author, created the word “cyberspace” to characterise
the vast array of information resources accessible via computer networks. For our
purposes, cyberspace is a place in which digital data shared via computer networks
facilitates communication and interaction between two humans or between an individual
and a computer. This type of connection or communication can be employed for a
variety of reasons.

Identity theft is a concern when more information is provided through digital
communication, because there is no way to prohibit the transmission of fraudulent
identity information or the duplication of someone else’s identity information. To avoid
these issues, the sender’s true identity should not be communicated with the message;
instead, a verification mechanism should be employed to persuade the recipient that
the message was indeed delivered by the sender. It is no longer necessary to send
one’s true identity. The principle of validating rather than exposing provides the sender
with an additional degree of security.


Although the Internet is currently the largest network for connecting computers,
cyberspace as a notion is unrelated to it. Cyberspace engagement and communication
existed before the Internet and the World Wide Web, and they will continue to exist after
the Internet is no longer the preferred network.

In cyberspace, there is currently no common method of identification. It is impossible
to completely identify an entity or determine whether or not an object possesses a
given attribute. This discrepancy is caused by inherent differences between digital and
physical environments, and when implementing an identity system for cyberspace, one
must consider more than just the architectural nature of the system; any system chosen
will have social ramifications that must be considered as well. An entity’s identity is a
one-of-a-kind piece of information. Identity is nothing more than a set of qualities that
are either inherent or given to you by someone else. The colour of a person’s hair
and whether or not he is attractive are both aspects of their identity that are normally
evaluated by another person.

Architecture of cyberspace

Although various groups of networks follow some rules and regulations that yield a
minimal architecture based on TCP/IP and a virtual global server system, a global
cyberspace architecture built on a worldwide standard is not yet attainable. A speculative
architectural choice is outlined here.

Link and No-Link: An Architectural Choice


As previously stated, any digital identity system must decide where it falls on the
continuum of anonymity and responsibility, i.e., it must use an acceptable level of Type
II unbundling. However, it is evident that not all positions along this continuum are
equivalent in the context of law enforcement. One point stands out from the rest: the
point at the far end of the spectrum where there is no traceability at all. This point will be
referred to as “no-link” for the sake of clarity in our subsequent discussion. Within the
digital identification architecture, there is no mechanism for determining the relationship
between data in cyberspace and the real-world recipient or sender at the no-link point.

The no-link point simply means that there is no obligatory link between cyberspace
and the actual world; nevertheless, this does not rule out the possibility of a secondary,
non-mandated method of establishing identity that might be layered on top of the no-link
architecture. The remaining points on the spectrum will be referred to as “link” points.
At these points, verifying the real-world identity of the sender and receiver of data in
cyberspace is a requirement of the architecture.


Benefits and drawbacks are connected with both link and no-link architecture.
Access to link information can be confined, theoretically, to a suitably regulated law
enforcement agency with precise regulatory processes in place for collecting the
information, thanks to a link architecture. However, not everyone will have access to the
information included in the architectural link; for those without access, link architecture
is equivalent to no-link architecture. The value of identification remains, but the ability
to learn about a person’s real-world identity from the system’s architecture is restricted
to those bodies with access. As a result, the most fascinating topic of discussion
is that of law enforcement: when can a link system successfully be employed as
a no-link system, and do the benefits of being able to determine a link outweigh the
disadvantages?

Except at the extreme of one-to-one identity, there is a requirement to distinguish
between “transient anonymity” and “permanent anonymity” at all locations along
the continuum. With transient anonymity, there is no persistent link between the giver
of the information and the recipient of the information; this is similar to
anonymous leafleting. Permanent, or persistent, anonymity is perhaps more useful: it
allows the sender and receiver to maintain their cyber identities without revealing their
real-world identities, i.e., the sender and receiver mutually agree on and define a
private communication channel in the network that is not accessible to anyone else
under any circumstances unless the private information of either party is tampered with or
compromised. It only allows the real-world identity to be revealed within a link system.
The continuity is retained in a no-link system, but the link is not facilitated. Both types of
anonymity are useful in certain situations, but persistent anonymity is more likely to be
effective in general.
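The principle of validating rather than exposing, and the difference between a link and a no-link system, can be shown in a short sketch. This is an added example, not part of the original module: the shared channel key, the HMAC tag, the sequence counter, the `nym-` pseudonym format and the names `seal`, `Receiver` and `LinkRegistry` are all assumptions chosen for illustration, and the sample name is constructed.

```python
import hashlib
import hmac
import json
import secrets


def new_pseudonym():
    """Create a random cyber identity that carries no real-world information."""
    return "nym-" + secrets.token_hex(8)


def _payload(pseudonym, seq, body):
    # Canonical byte encoding of the fields covered by the tag.
    return json.dumps({"from": pseudonym, "seq": seq, "body": body},
                      sort_keys=True).encode()


def seal(key, pseudonym, seq, body):
    """Sender side: the message names only the pseudonym and carries a tag."""
    tag = hmac.new(key, _payload(pseudonym, seq, body), hashlib.sha256).hexdigest()
    return {"from": pseudonym, "seq": seq, "body": body, "tag": tag}


class Receiver:
    """Validates messages on a channel key agreed privately with the sender."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}  # pseudonym -> highest sequence number accepted

    def verify(self, msg):
        if not isinstance(msg, dict):
            return False
        nym, seq, body, tag = (msg.get(k) for k in ("from", "seq", "body", "tag"))
        if not (isinstance(nym, str) and isinstance(body, str)
                and isinstance(tag, str) and type(seq) is int):
            return False
        expected = hmac.new(self.key, _payload(nym, seq, body),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison; bytes avoid errors on non-ASCII input.
        if not hmac.compare_digest(expected.encode(),
                                   tag.encode("utf-8", "replace")):
            return False  # forged, or altered in transit
        if seq <= self.last_seq.get(nym, -1):
            return False  # replay of an earlier message
        self.last_seq[nym] = seq
        return True


class LinkRegistry:
    """Link architecture: a regulated body holds pseudonym -> real identity.

    How a requester proves its authority is outside this sketch; the flag
    stands in for that regulatory process (assumption).
    """

    def __init__(self):
        self._links = {}
        self.audit_log = []  # every lookup is recorded, granted or not

    def enroll(self, pseudonym, real_identity):
        self._links[pseudonym] = real_identity

    def resolve(self, pseudonym, requester, authorised):
        self.audit_log.append((requester, pseudonym, authorised))
        return self._links.get(pseudonym) if authorised else None


def demo():
    key = secrets.token_bytes(32)   # agreed out of band by both parties
    nym = new_pseudonym()
    real_identity = "Asha Rao"      # constructed sample name
    rx = Receiver(key)

    first = seal(key, nym, 0, "meeting moved to 10:00")
    second = seal(key, nym, 1, "bring the signed copy")
    results = {
        "first_ok": rx.verify(first),
        "second_ok": rx.verify(second),  # same pseudonym: persistent anonymity
        "replay_ok": rx.verify(first),
        "tampered_ok": rx.verify(dict(second, seq=2, body="bring cash")),
        "forged_ok": rx.verify(seal(secrets.token_bytes(32), nym, 3, "hi")),
        "identity_exposed": real_identity in json.dumps([first, second]),
    }

    registry = LinkRegistry()       # a no-link system simply has no registry
    registry.enroll(nym, real_identity)
    results["authorised_lookup"] = registry.resolve(nym, "regulated agency", True)
    results["other_lookup"] = registry.resolve(nym, "curious third party", False)
    results["lookups_logged"] = len(registry.audit_log)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

For anyone without access to the registry, the messages look exactly as they would in a no-link system, which is the equivalence the text describes.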

No Link

As previously stated, the advantages of a no-link system are mostly related to
concerns of freedom of speech and action. The no-link architecture greases the gears
of capitalism in the commercial domain. People who need not worry about being
personally identified with the products they purchase are considerably less likely to
be concerned about social standards that would have previously prevented them from
acquiring a product. Unbundling allows for the appropriate level of identification required
by commerce without requiring the disclosure of the whole real-world identity. The
absence of traceability also aids free speech: where potential oppressors are unable to
determine the sender’s real-world identity, there is no threat of oppression.

Link Architecture

3.2.2 Cyber Laws


Cyberspace has developed as a new medium of communication in an era of
widespread use of information communication technology networks, devices, and
services. International Internet bandwidth is fast increasing worldwide, according to
the International Telecommunication Union (ITU), and India is one of the world’s front
runners. In India, Internet usage is rapidly increasing in both cities and villages. Mobile
phones are being used by an increasing number of individuals, which has accelerated
this growth in the country. As a result, the new virtual realm has spawned a slew of
social and political difficulties, as well as new hurdles in combating technology-driven
cybercrime and safeguarding people’s privacy and intellectual property rights.

In this part, we will briefly cover the international and national laws that regulate
cyberspace.

International Law
Some international initiatives connected to cyberspace include the UNCITRAL
Model Law of 1996, the Model Law on E-Signature of 2001, and the United Nations
Convention on the Use of Electronic Communications in International Contracts of
2005.

UNCITRAL Model Law 1996 - The United Nations Commission on International
Trade Law (UNCITRAL) adopted the first Model Law on E-commerce in 1996. On
the 30th of January, 1997, the United Nations General Assembly passed a resolution
approving it. The regulation’s main goal was to achieve international uniformity in
e-commerce law and to treat paper-based and electronic information equally. India is
a signatory to this Model Law, and as a result, the Information Technology Act of 2000
was enacted.

Model Law on E-Signature, 2001 (MLES) - The United Nations Commission on
International Trade Law (UNCITRAL) adopted the Model Law on E-Signature
in 2001 with the goal of enabling and facilitating the use of electronic signatures by
setting technical reliability standards for the equivalency of electronic and handwritten
signatures. The law could help governments create a modern, harmonised, and
equitable legislative framework to address the legal treatment of electronic signatures
and provide assurance about their status. As a result, in 2000, India passed the
Information Technology (Amendment) Act, which makes the necessary changes.

The United Nations Convention on the Use of Electronic Communications in
International Contracts, adopted in 2005, is a treaty that governs the use of electronic
communications in international contracts. It was enacted on November 23, 2005, and
went into effect on March 1, 2013. It acknowledges that electronic communications play
a critical role in supporting local and international trade and economic development,
as well as improving the efficiency of commercial activities. Its goal is to establish a
standard approach for removing legal barriers to the use of electronic communications
in a way that is acceptable to countries with a variety of legal, social, and economic
systems. The Electronic Communications Convention intends to make electronic
communications more widely used in international trade by ensuring that contracts and
other electronic communications are as legitimate and enforceable as their paper-based
counterparts.


National Law
As a signatory to the UNCITRAL Model Law on E-commerce, the Government of India
enacted the Information Technology Act, 2000, which was revised in 2008 to
incorporate the UNCITRAL Model Law on Electronic Signatures, 2001. Many traditional
crimes that can be committed with or without the use of computers and technology have
been included in the category of traditional crimes and hence fall under the purview of
the Indian Penal Code, 1860 as modified. The Evidence Act of 1872 has been revised,
and sections 65A and 65B of the Indian Evidence Act of 1872 now allow electronic data
to be used as evidence. The Reserve Bank of India Act, 1934, and the Banker’s Book
Evidence Act, 1891, have both been altered to make it easier to collect evidence in the
case of cybercrime or other matters related to such offences. The main goal of these
modifications is to address the challenges of electronic commerce, electronic crimes,
and electronic evidence, as well as to allow for more control of Electronic Fund Transfer.

Cyberlaw is a relatively new field that draws from a variety of areas of traditional
law and is rapidly growing in importance. It is multidisciplinary, addressing a wide range
of criminal and civil issues, including financial crimes, cyberbullying, and First and
Fourth Amendment rights. Cyberlawyers frequently deal with issues such as privacy,
control, and access. Cyberlaw is becoming increasingly popular among HLS students.
Cyberlaw, being a continuously changing and expanding area, promises to open up
many more doors in the future.

Criminal law, internet privacy, health privacy, civil and human rights, net neutrality
and regulation, and national security are all key doctrinal areas of cyberlaw.

Criminal Law

Financial crimes, stalking and harassment, human trafficking, and child pornography
are just some of the crimes that can be committed on or through the Internet.

●● Financial Crimes and Fraud: Small-scale and large-scale financial crimes and
fraud are alarmingly easy to commit with computers. Cyberlaw-related financial
crimes range from simple one-time fraud to increasingly sophisticated schemes
that target specific groups (such as the elderly). As more and more personal
information is stored online and potentially exposed to theft, identity fraud is
becoming a major worry. Attorneys at the federal and state levels (for example,
at the Department of Justice and in state Attorneys General’s offices) all work to
investigate and prosecute such conduct.
●● Stalking and Harassment: Information about private persons is more available
than ever before thanks to social media sites like Facebook, Twitter, and
LinkedIn, as well as photo-sharing apps like Instagram. Unfortunately, this ease
of access can lead to cyberstalking, harassment, or cyberbullying. Furthermore,
the anonymity of the Internet allows people to attack their targets while remaining
anonymous. Several high-profile criminal cases involving the suicides of children
and teenagers who were subjected to severe cyberbullying have brought these
issues to light.
●● Human Trafficking: Human trafficking is estimated to affect at least 27 million
people worldwide who are compelled to work as slaves, sex workers, soldiers, or
domestic labourers. Human trafficking is now nearly always worldwide, and it
almost always involves the use of the Internet. Human trafficking is a burgeoning
legal topic; more than half of the states in the United States already have statutes
that specifically punish human trafficking over the Internet.
●● Child Pornography: Producing, possessing, and distributing child pornography is
unlawful in the United States and many other countries, and it is punishable by
imprisonment. As of 2008, 94 of the 187 Interpol member states had domestic
legislation addressing child pornography, with numerous others having legislation
prohibiting all pornography, regardless of age.

Online Privacy

When governments, other organisations, or individuals utilise the Internet to obtain
information about individuals or groups, privacy concerns arise. Privacy concerns have
grown in importance as people send more and more private information over the Internet
and store private data on machines that are not under their physical control. Every day,
there are new threats to Internet privacy. For example, ad corporations use cookies to
track browser history, while law enforcement officials go through Facebook profiles
for evidence of criminal conduct. Many groups aiming to safeguard privacy and Fourth
Amendment rights online offer lawyers opportunities in litigation, policy, and research.

Health Privacy

Health information privacy is a specialised topic, and with the rise of online medical
data, it has become a significant subject of cyberlaw. The Health Insurance Portability
and Accountability Act (HIPAA) of 1996 safeguards the privacy of medical records
and governs the circumstances under which medical practitioners can share patient
information. All hospitals and healthcare facilities must comply with electronic records
law by adopting electronic medical records (EMR) by 2015. This is mandated by the
Affordable Care Act (ACA). Attorneys are needed by medical providers and businesses
that deal with medical records to ensure compliance with HIPAA and other rules;
these lawyers can work in-house or as outside counsel. Attorneys are also required to
enforce these federal statutes. The Office for Civil Rights in the Department of Health
and Human Services (HHS), for example, is in charge of enforcing HIPAA’s three
main components: (1) the privacy of individually identifiable health information; (2) the
security of electronic, protected health information; and (3) the protection of identifiable
information used to analyse patient safety events and improve patient safety.

Freedom of Expression and Human Rights

The Internet has become increasingly important in the areas of freedom of
expression and human rights. Many people now consider Internet access to be a
human right rather than a luxury, as it has become one of the key means of acquiring
and disseminating information. Many countries’ lawyers are working to increase and
safeguard Internet access and freedom of expression. Lawyers in the United States
frequently discuss these concerns in the context of the First Amendment.

3.2.3 Cyber Laws and Its Advantages

Cyber Law, often known as cybercrime law, is a branch of the legal system that
deals with internet and cyberspace crime.

Cyber Law is a broad concept that refers to user rights to freedom of expression,
access to and use of the Internet, and online privacy.

The most significant function of cyberlaw is to assist in the definition or
representation of cyber society’s rules. It also aids in the formation of legally binding
digital contracts, which aids in the protection of cyber assets.

This is why it is critical for the success of any internet business. It also aids in the
legal recognition of electronic records like electronic papers and digital signatures.

Why do we Need Cyber Laws

The significance of cyber law is that, in an age of increasing electronic
communication, the terms “cyber laws” and “cyber crimes” have become increasingly
complicated.

The internet’s primary goal was to make human existence easier and
communication more efficient. However, as the number of people using the internet
grows, so does crime.

As a result, we need rigorous rules to protect users’ rights, property rights,
copyright, data protection, and so on. That is why Cyber Laws are required.

Advantages of Cyber Laws

Some advantages of cyber law are listed below:

●● Setting up an online business requires a secure e-commerce platform.
●● The site is secured by a digital certificate.
●● Unwanted content is being blocked from the internet.
●● Traffic must be well monitored.
●● Defend yourself from typical scams.
●● Cyber Cell is an example of a new security agency.
●● Software and hardware security are both important.
●● E-Forms are used correctly and efficiently.
●● Emails are a legitimate method of communication that has been sanctioned by the
courts.

Cyber laws, which have become required and are structured with the goals outlined
in the preceding paragraph, benefit society by providing specific benefits in the interest
of internet users who are victims of cybercrime. The Information Technology Act of
2000 and the Information Technology (Amendment) Act of 2008 deal with promoting
e-commerce and ensuring the legality of e-filing and digital signatures, both of which
are important for successful business in the digital world. The IT Act, which was drafted
with the sole purpose of dealing with concerns relating to cyberspace, has become
associated with cyberlaw. All Acts dealing with cybercrime, on the other hand, might be
classified as cyber laws.

●● It hastens the pace of e-commerce, which would not have been conceivable or
successful without cyber law, which protects all parties engaged in the transaction.
●● The IT Act, which gives legal status to e-commerce transactions and Electronic
Data Interchange (EDI), has revolutionised the commercial sector. The electronic
communication of commercial documents between company partners is referred
to as EDI. Assigning legality indicates that it has been sanctioned by the law, and
that any issue can now be brought before a court of law. Through e-commerce,
any company, regardless of size, can now market and sell its products to people
all over the world. This has aided corporate organisations in expanding their
operations in a shorter time and at a lower cost.
●● The effective application of cyberlaws allows for e-governance and e-filing of
documents. E-governance is the way of the future, in which government is
conducted entirely by electronic means. The four types of e-governance are G2C,
G2B, G2G, and G2E, in which the government transacts with the said groups
electronically.
●● Giving legal status to all electronic transactions has left an indelible mark on
the financial and commercial sectors. Funds can be moved from one location
to another, from one account to another, and payments can be made from one
account to another, all of which are legal and valid. All of this is feasible because of
the IT Act of 2000, which made such transactions legal.
●● Companies can now become certifying authorities for granting digital signature
certifications thanks to the IT Act of 2000. Capricorn Identity Services Pvt. Ltd, for
example, is one of the firms that certifying authorities have authorised to produce
Digital Signature Certificates.
●● The IT Act addresses security challenges that are critical to the digital world’s
strength. The consequences for data theft and misuse dissuade criminals,
which may encourage internet users to rely on cyberspace, thereby promoting
commercial and financial activity.
●● The Information Technology Act, as well as specific sectoral legislation for banking,
telecom, and other industries, govern the acquisition and use of personal data.
Sec 43A of the Information Technology Act of 2008, which applies to private
organisations, provides for compensation if a corporation fails to utilise reasonable
security methods to secure sensitive data such as passwords, debit or credit card
numbers, and so on. Such protections in cyber laws give users of technology
peace of mind concerning data security. This will aid in the widespread adoption of
technology and the acceleration of the economy’s pace.
●● The IT Act provides a statutory remedy in the form of large compensation for any
misuse of data in any way, which encourages electronic commerce and internet
use. Section 72 of the Information Technology Act of 2008, for example, makes
it illegal for a government official to release records and information without the
person’s agreement, unless the law allows it. The penalty is either a fine of Rs 1
lakh or imprisonment for up to two years, or both. Such harsh penalties deter
those with nefarious intent from misusing data.
●● By securing data, cyber laws provide security to a country’s political and financial
stability.
●● These laws safeguard victims of cybercrime by preventing copyright infringement,
financial fraud, stalking, and other internet-related crimes.
●● To broaden the scope of the IT Act, sets of information technology regulations
are issued, with the rules focusing on controlling data collection, transfer, and
processing. The Information Technology (Intermediaries Guidelines) Rule, for
example, restricts the publication of certain types of content on the internet.

3.2.4 Cyber Lawyers

In the face of rising information technology and unscrupulous actors, cybersecurity
has become increasingly vital. The intricacies of information and our vulnerability to
hacking, ransomware, and other crimes are increasing as the internet and technology
become more interwoven with our daily lives.

As a result, the number of experts trained to deal with the legalities of this data
and criminal behaviour is growing. As more organisations, governments, and private
individuals conduct important business online, cyberlaw, with cybersecurity as a branch,
is gaining traction. Because information is routinely sent, it is possible for anyone to
intercept it and use it for nefarious purposes.

People and organisations are protected from unlawful or unauthorised use of
electronic data through cybersecurity.

Cybersecurity Law

Cybersecurity law is a type of regulation that focuses on the appropriate use of
technology, including computer hardware, software, the internet, and networks. Cybercrime
law, also known as cybersecurity law, safeguards enterprises, government
organisations, and private persons against criminals getting unauthorised access to
their data and utilising it for nefarious purposes.

A cybersecurity lawyer must first be well-versed in the law and have a thorough
understanding of not only the law, but also how technology works. A cybersecurity
attorney must be well-versed in both legal vocabulary and technology.

Cybersecurity Lawyer
A cybersecurity attorney in the United States must be familiar with the following
statutes: the Electronic Communications Privacy Act, the Computer Fraud and Abuse
Act, and the Stored Communications Act, as well as the Cybersecurity Information
Sharing Act of 2015, data breach notification laws, the Federal Trade Commission Act,
and many others.

A cybersecurity attorney advises individuals and organisations on how to
implement strategies to meet state, federal, and international legal requirements, acts
as a crisis manager during any form of cyber misconduct to mitigate loss, and ensures
that organisations and individuals follow the law. They also represent clients before
regulatory bodies.

Lawyers who specialise in cybersecurity can serve as litigators or as advisors to
businesses and government entities.

A cybersecurity attorney who acts as a consultant can help a company with
pre-litigation issues. A litigator, on the other hand, is an expert in criminal and civil
prosecution and has a thorough understanding of how the online world operates.

Cybersecurity Lawyer’s Portfolio

Cybersecurity attorneys, to be successful, must have portfolios with:

●● A deep understanding of how government works
●● Thorough knowledge of litigation
●● Understanding of the client’s internal practices

Government: A cybersecurity lawyer must be well-versed in all cyber legislation
(and there are many). By understanding these laws and the government agencies
tasked with enforcing them, cybersecurity lawyers can help their private organisations
create durable and mutually productive partnerships with those agencies.

Different government agencies, such as the FBI, CISA (Cybersecurity and
Infrastructure Security Agency), and others, can assist private firms in various ways.
These organisations can also assist private enterprises in dealing with cyber-attacks on
their confidential information and provide useful tools.

Because cyber dangers can be global, a cybersecurity lawyer who wants to provide
his client with the best counsel needs to grasp how international laws and treaties work.

For example, a cybersecurity lawyer with a thorough understanding of the
Budapest Convention on Cybercrime, the first international treaty aimed at combating
internet and computer crime by harmonising national laws, improving investigative
techniques, and increasing international cooperation, will be able to broker deals
between countries that follow these laws.

When a cybersecurity lawyer completely comprehends how national and
international governments operate, as well as the laws enacted, he or she can
confidently navigate his or her organisation through the often perplexing cybersecurity
landscape.

Litigation: Understanding the litigation landscape will aid a cybersecurity attorney in


navigating state and federal court rulings and their implications for the client.

When fresh cases and judgements are filed in the courts, these cases serve
ity

as a guideline for what government officials and agencies should be looking for. A
cybersecurity lawyer should keep track of cybersecurity-related lawsuits and advise
their clients accordingly.

Internal Practices: Every organisation in the information age requires the
assistance of a cybersecurity attorney in the risk assessment process.

For example, when conducting a risk assessment, a cyber lawyer must assist in
directing the assessment and reducing potential liabilities. A corporation can apply best
and legal practices in its cybersecurity programme if it includes a cybersecurity lawyer
in the risk assessment process.

Furthermore, when a corporation wishes to convey cybersecurity-related
information, it must have a cybersecurity lawyer examine and sign off on the
communication before it is sent.


3.2.5 Jurisdiction and Sovereignty


Jurisdiction

Jurisdiction is the premise that in any legal system, the competent court has the
authority to hear and decide a case. The presence of different parties in diverse regions
of the world who have only a virtual nexus with each other is the major concern with
cyber law jurisdiction.

Jurisdiction traditionally lies where the cause of action arises, but how can you
know where the jurisdiction lies when there are several parties involved in different
parts of the world? Because a transaction in cyberspace involves three parties (the
user, the service provider, and the person/business with whom the transaction is
conducted), the most efficient law should address whether a specific event in cyberspace
is governed by the laws of the state or country where the user is located, or by the
application of all other countries’ or states’ laws.

In the cyber world, unlike in the real world, every transaction involves three
participants: the user, the server host, and the party involved in the transaction. The
main question is which country’s law should be applied. As a result, the main difficulties
that arise are:

●● What criteria do we use to determine which country’s law applies and which court
has jurisdiction when there are cross-border interactions?
●● What basis does a country have to claim that it is enforcing rules and regulations if
the internet activity originates in a separate jurisdiction?

As a result, where the contractual parties or parties in dispute are of different
nationalities, questions of jurisdiction are governed by both state and international law.
When there are foreign parties to a dispute, international law requires that the state’s
law be used.

When it comes to determining a country’s jurisdiction under international law,
there are three types of jurisdiction. These are prescriptive jurisdiction, adjudicative
jurisdiction, and enforcement jurisdiction.

Prescriptive jurisdiction
The state has the authority to make laws that apply to specific people and
situations; however, international law limits a state’s ability to prescribe laws if there is a
conflict of interest with another state.

Jurisdiction to Adjudicate
It is the ability of the state to bring a person or item before civil or criminal courts
or administrative tribunals, whether or not the state is a party to the proceedings,
provided the state and the individual have a sufficient relationship.

Jurisdiction to Enforce
It is the state’s power to incentivize compliance or punish noncompliance with laws
and regulations. A state’s law, on the other hand, can be executed by officers with the
authorization of the relevant state officials. Without such consent, none of these acts,
from an arrest to the production of documents, can be carried out. However,
there may be instances where the state has the authority to prescribe but not the
authority to adjudicate. In criminal matters, in particular, there is no jurisdiction to
adjudicate without jurisdiction to adjudicate since courts do not apply criminal laws from
other states.

Personal jurisdiction refers to a court’s authority over the individuals or entities
involved in litigation. Asking the question, “What right does a court have to assess
the rights of the parties engaged in the action?” is one way to think about personal
jurisdiction. To put it another way, determining whether a court has personal jurisdiction
over a person entails determining whether it would be just for the court to make a
judgement against that individual. The legislation that governs the court must give it
authority to assert jurisdiction over the parties to the case, and this requirement must be
satisfied for a court to have personal jurisdiction.

Sovereignty
The phrase “cyber sovereignty” comes from internet governance and refers to a
state’s authority to make and enforce rules in cyberspace. Bruce Schneier, one of the
main voices in internet governance, coined the term to describe countries’ attempts to
regulate portions of the internet within their borders.

One of the most prominent attempts to describe how existing international legal
rules relate to cyberspace is the Tallinn Manual 2.0, published in 2017. Governments
debate cyber sovereignty using notions like intervention, use of force, due diligence,
and state accountability from the perspective of international law. The link between data
and territoriality, on the other hand, calls into question some of the most fundamental
assumptions of international law. These are “changes that amount, really and
prospectively, to a reorganisation of territoriality in international law,” as Fleur Johns
puts it. The new concerns are data access and technical proficiency, rather than
territorial boundaries and physical property.

However, cyber sovereignty does not have to imply government control. It refers to
the ability to design and implement rules in cyberspace first and foremost. Alternatively,
it could refer to the authority to pronounce the law in cyberspace, i.e., having
jurisdiction. For the sake of this paper, I’d like to debunk the notion that sovereignty and
jurisdiction are purely state-related terms.

Lawrence Lessig wrote Code and Other Laws of Cyberspace in 1999, in which
he argues, using copyright law as an example, that a single dot is ruled by competing
legal, normative, market, and architectural frameworks. In their book Blockchain and
Law: The Rule of Code, Primavera De Filippi and Aaron Wright claim that “both public
and private actors might possibly employ blockchain technology to construct their own
system of rules and laws,” which is a more modern iteration of this idea. As a result,
we should analyse cyberspace as a hybrid techno-legal governing system. “The idea of
‘law’ and ‘technology’ on opposite sides of a regulatory schematic needs to be replaced
with an integrated vision of co-coordinating and co-constituting technolegal regulation,”
according to Goldenfein.

One of the most significant notions supporting the world’s governance systems is
the principle of state sovereignty. The theory stretches back to Bodin in the 16th century
(Grimm, 2015), although it was not realised as a concept of international organisation
until the end of World War 2, after centuries of empires, colonial expansion, and
territorial aggression (Jackson, 1999).

The concept of sovereignty and the theory of the state are inextricably linked. If
Weber’s fundamental definition of the state as a monopoly on the legitimate use of force
is accepted, then sovereignty restricts that privileged status to a single, well-defined
territory. By restricting governments to a defined territory, sovereignty as an institution
is supposed to reduce chaos among states. It starts with the assumption that each
functioning government is supreme and legitimate in its own space, and then applies
reciprocal non-intervention and voluntary interaction principles to each sovereign
unit. If Leviathan addresses the domestic problem of anarchy, sovereignty is expected to
accomplish the same on a global scale. Even so, sovereignty has a limited impact on
international order. Anarchy among states is still a constant and unavoidable reality.

Stephen Krasner (Krasner, 1999) concluded that sovereignty is best understood as
“organised hypocrisy” – a space between anarchy and institutionalisation where rulers
adhere to traditional norms of sovereignty when it provides them with resources and
support and deviate from them when violating them provides them with benefits.

Even the most conservative views on sovereignty recognise that a global
internet poses a threat to what Krasner referred to as interdependent sovereignty, or
governments’ power to control the movement of information, money, and goods across
their borders (Betts & Steven, 2011). However, an increasing number of politicians and
security professionals appear to believe that the best approach to address this issue
is to develop new ways to reassert national borders or implant them in technology.
This drive comes from both intellectuals and politicians who seek to tighten their grip
on the media. The appeal to sovereignty in Internet governance is heard when states
stand to benefit from a more controlled internet; however, this does not prevent them
from exploiting the capabilities of a globalised network for transnational surveillance,
economic and military espionage, and the exercise of military power, corroborating
Krasner’s account of ‘organised hypocrisy.’ In this way, there is little difference between
authoritarian nations and Western liberal democracies.

3.2.6 The IT Act of India 2000


The Information Technology Act was enacted in reaction to changes in the IT
sector, with the goal of facilitating e-commerce and e-governance while also combating
cybercrime. The Internet has become a necessity in today’s world, and as its use
grows, more clarity in the domain is required. The IT Act was an attempt to provide
that clarity and direction. This lesson examines several aspects of the Information
Technology Act of 2000 and the Information Technology Amendment Act of 2008.

The law governing information technology is the Information Technology Act of
2000. The IT Act of 2000 was enacted after both houses of Parliament passed the
IT Bill. The Act is based on the Model Law of the United Nations Commission on
International Trade Law (UNCITRAL). It is concerned with electronic commerce and
cybercrime. “An Act to provide legal recognition for transactions carried out by means of
electronic data exchange and other forms of electronic communication, usually referred
to as electronic commerce,” according to the bill. The Act went into effect on
October 17, 2000.


The introduction of the internet, followed by an increase in internet-based business
transactions, demanded the creation and implementation of legislation to regulate
the industry. Digital technology has changed our lives; more and more people and
businesses are adopting it and using it to do a variety of tasks. The overall atmosphere
was tense prior to the passage of the Information Technology Act of 2000. Individuals
and businesses were aware of the benefits that digitisation brought, but they were
wary of engaging in activities, particularly monetary transactions, due to the lack of a
legal framework that would protect them from unintended consequences. In 1996,
the UNCITRAL adopted the Model Law on Electronic Commerce to keep pace with
the advancements in the digital world. As a signatory, India was expected to enact
legislation in accordance with the Model Law. With these considerations in mind, the IT
Bill was introduced to facilitate e-commerce and e-governance.

In the year 1998, the IT Bill was drafted. The bill was then presented to a
Parliamentary standing committee, where several changes were suggested. Finally,
the IT Ministry proposed certain revisions, and the ones that were authorised were
kept in the law, while the remainder were removed. The Union cabinet and later both
houses of Parliament adopted the law. The Bill received the President of India’s assent,
and it became an Act on October 17, 2000, when it went into effect. The IT Act of 2000
amended the Indian Penal Code 1860, the Indian Evidence Act 1872, the Bankers Book
Evidence Act 1891, and the Reserve Bank of India Act 1934, covering issues relating to
electronic crimes and evidence, as well as the necessity for laws governing electronic
funds transfers.

Amendments to the IT Act 2000

In the year 2000, the Information Technology Act was passed to bring about the
necessary reforms for the expansion of digitisation and e-commerce transactions,
as well as to assure the safety and security of such transactions, thereby preventing
crimes. The statute was later revised to reflect changes in the domain; these
amendments were approved by both houses of Parliament in 2008 and obtained the
President’s approval on February 5, 2009, resulting in the Amendment Act. It brought
about a number of favourable changes. It was seen as an attempt by the Indian
government to design a policy that can keep up with changing technologies. The Act’s
administration is handled by the Indian Computer Emergency Response Team
(CERT-In). The amendment tried to address the security concerns raised by the earlier
Act by filling in the gaps created by it.

The Act was long overdue, as increased digitisation has resulted in an increase
in crimes committed in the digital environment or with the aid of digital tools. Sending or
sharing inappropriate content, phishing, identity theft, frauds, and other felonies were
all crimes that needed to be prosecuted. All of these issues led to modifications to the
Information Technology Act of 2000, opening the path for the Information Technology
Act of 2008. The Information Technology Act of 2008 altered the country’s cyber
law structure. The Act addressed a variety of issues, including the incorporation of
electronic signatures, the inclusion of a larger number of cyber offences, data protection
and privacy concerns, and issues linked to the use of digital/cyber media for terrorism.

Amendment Act, 2008 (IT Act 2008)

The following are the key contributions of the Amendment Act 2008:

●● Several definitions were added to the Act to add clarity and make it more inclusive:
1. Electronic signature is defined as “authentication of any electronic record by a
subscriber using the electronic technology defined in the second schedule,
including digital signature.”
2. Cell Phones, Personal Digital Assistants (Sic), or a mix of the two, as well as
any other device used to communicate, send, or transmit any text, video, audio,
or image, are considered communication devices.
3. “Cyber cafe” refers to any establishment where members of the public can gain
access to the internet in the ordinary course of business.
4. Cyber security “means preventing unauthorised access, use, disclosure,
disruption, alteration, or destruction of information, equipment, devices,
computers, computer resources, communication devices, and information held
therein.”
5. The bill also changed the definition of “intermediary” to include telecom service
providers, network service providers, internet service providers, web hosting
service providers, search engines, online payment sites, online auction sites,
online market places, and cyber cafes.
●● The Act also made adjustments to the fines and compensations for computer,
computer system, and other property damage. If someone “destroys, deletes, or
alters any information residing in a computer resource, or diminishes its value or
utility, or affects it injuriously by any means; steals, conceals, destroys, or alters or
causes any person to steal, conceal, destroy, or alter any computer source code
used for a computer resource with the intent to cause damage; he shall be liable to
pay damages in the amount of one crore rupees to the person so affected.”
●● Sections on “penalty for transmitting offensive communications using
communication services” were added to Computer Related Offenses. “Any
electronic mail or electronic mail message sent with the intent to annoy or
inconvenience the addressee or recipient, or to deceive or mislead the addressee
or recipient regarding the origin of such messages (Inserted vide ITAA 2008) shall
be punishable by imprisonment,” it continued.

Digital signature & encryption


Any subscriber may employ a digital signature to authenticate an electronic record
under the terms of the Information Technology Act of 2000. An “asymmetric crypto system
and hash function that encapsulate and change the initial electronic record into another
electronic record” (Section 2(1)(p) of the Information Technology Act, 2000) is used to
authenticate the electronic record.

Traditionally, an individual’s signature on a document aids in document
authentication and provides assurance to the receiver about the document’s integrity.
This works for a paper-based document, but in the case of an electronic
document, simply mentioning the name at the conclusion of the document or email
provides little confidence about its legitimacy. For the protection of electronic documents,
the IT Act of 2000 acknowledges public key cryptography. Section 3 of the Act also gives
a user the ability to affix his digital signature to an electronic record, allowing him to
authenticate it. An “asymmetric crypto system and hash function that envelops and changes
the initial electronic record into another record” will be used in the authentication process.
Any other individual with access to the public key can verify the electronic record.
Furthermore, each subscriber has a private and public key pair that is unique to him
and serves as a working key pair. The generation of a digital signature necessitates the
encryption of certain data. The steps in the procedure are as follows:

●● The message to be signed with a digital signature is first delimited and then
processed with a hash function algorithm. The hash result, which is unique to the
message, is the outcome of this processing.
●● The sender’s private key is used to encrypt the hash result produced. The result is
the Digital Signature.
●● The Digital Signature is then added to the message, which is then sent via the
internet to the recipient.
●● When the message is received at the receiver’s end, he decrypts the Digital
Signature using the sender’s public key. The recipient can be confident of the
message’s authenticity and integrity if the signature is successfully decrypted using
the sender’s public key and the hash result computed from the received message
matches the output obtained from the digital signature.
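
The hash, sign and verify steps listed above, as an added example that is not part of the original notes: it uses textbook RSA with SHA-256 from the Python standard library, and the key primes, record text and function names are constructed for illustration. Production signatures use a padding scheme and randomly generated keys from a vetted cryptographic library.

```python
import hashlib

E = 65537  # public exponent shared by both demo keys


def make_keypair(p, q):
    """Build (public_key, private_key) from two primes as ((n, e), (n, d))."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent: inverse of e mod phi(n)
    return (n, E), (n, d)


# Constructed demo keys built from well-known Mersenne primes so the example is
# deterministic. Primes of this special form must never be used for real keys.
SENDER_PUBLIC, SENDER_PRIVATE = make_keypair(2**127 - 1, 2**521 - 1)
OTHER_PUBLIC, OTHER_PRIVATE = make_keypair(2**107 - 1, 2**607 - 1)


def hash_result(record: bytes) -> int:
    """Step 1: reduce the electronic record to its SHA-256 hash result."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes, private_key) -> int:
    """Step 2: transform the hash result with the signer's private key."""
    n, d = private_key
    return pow(hash_result(record), d, n)


def verify(record: bytes, signature: int, public_key) -> bool:
    """Step 4: recover the hash with the public key and compare it with a
    hash computed independently from the record that was received."""
    n, e = public_key
    if not 0 <= signature < n:  # reject values outside the key's range
        return False
    return pow(signature, e, n) == hash_result(record)


def run_demo():
    """Step 3 is the transfer; here the record and signature are simply passed on."""
    record = b"Pay INR 10,000 to account 12345"    # constructed sample record
    altered = b"Pay INR 90,000 to account 12345"   # same record changed in transit
    signature = sign(record, SENDER_PRIVATE)
    return {
        # Untouched record and signature: authenticity and integrity confirmed.
        "intact": verify(record, signature, SENDER_PUBLIC),
        # Record altered after signing: the recomputed hash no longer matches.
        "altered_record": verify(altered, signature, SENDER_PUBLIC),
        # Signature altered in transit: the recovered hash no longer matches.
        "altered_signature": verify(record, signature ^ 1, SENDER_PUBLIC),
        # Signed with someone else's private key: fails against the sender's key.
        "wrong_signer": verify(record, sign(record, OTHER_PRIVATE), SENDER_PUBLIC),
    }


if __name__ == "__main__":
    for case, accepted in run_demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```
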
Attribution

There is no tangible component to conversation that takes place over the internet.
As a result, assigning duties and defining linkages becomes more complicated. The
action of attributing a work or statement to a certain author, artist, or person is known
as attribution. The Information Technology Act of 2000 (Section 11) specifies how an
electronic document can be traced back to the person who created it. The electronic
document will be ascribed to the creator if the following conditions are met:

●● If the electronic record was sent by the originator himself.
●● If it was sent by someone who had been given power by the originator to act on
his behalf in relation to that particular electronic document.
●● If it was sent using an information system that was programmed by the originator
or on his behalf to send the electronic record automatically.

If A sends an email to B, for example, A will be the originator of the electronic record
and B will be the addressee in this case.

Acknowledgement and dispatch of electronic records


Section 12 of the IT Act addresses the methods for acknowledging receipt of an
electronic record, whereas Section 13 of the IT Act addresses the time of receipt of an
electronic record.

If the originator of the electronic record has not specified a specific mode of
acknowledgement, the acknowledgement can be made by “any communication by the
addressee, automated or otherwise” or “any conduct by the addressee, sufficient to
indicate to the originator that the electronic record has been received.” If an individual
receives a meeting invitation, for example, the individual can send a thank-you email to
the sender, send an automated answer, or express interest by attending the meeting.
These actions demonstrate that the receiver has acknowledged the message.

In addition, if the originator of the electronic record “stipulated that the electronic
record shall be binding only upon receipt of an acknowledgment of such electronic
record by him,” the electronic record “shall be deemed to have been never sent by
the originator unless such acknowledgment has been received.” However, if the
originator has not specified that the electronic record will be binding only upon receipt
of acknowledgement, and the acknowledgment has not been received by the originator
within the time specified or agreed upon, or, if no time has been specified or agreed
upon, within a reasonable time, the originator may give notice to the addressee stating
that no acknowledgment has been received by him and specifying a reasonable time
within which the acknowledgment must be received.

The IT Act’s section 13 deals with the transmission of electronic records. The
moment of dispatch is defined as the point at which an individual sends an electronic
record and it enters a computer outside of the sender’s control. In addition, the location
of dispatch is the sender’s place of business, and the place of receipt is the receiver’s
place of business.

Regulation of certifying authorities
The “Controller of Certifying Authorities” can be appointed by the central
government, according to the Information Technology Act. The Controller of Certifying
Authorities has power over the regulation of certifying authorities. The Central
Government may also appoint Deputy Controllers, Assistant Controllers, and other
officers and staff as needed.

The Controller has the power to allocate responsibilities and roles to the Deputy
Controllers and Assistant Controllers. The Controller’s responsibilities include
overseeing the activities of the Certifying Authorities, defining their roles, certifying
their keys, establishing standards for them, and making decisions about the desired
qualification and relevant experience of the Certifying Authorities, among other things.
The Controller is responsible for certifying Certifying Authorities’ public keys and
resolving any conflicts of interest that may arise between them and the subscribers.

The Controller has the authority to recognise foreign Certifying Authorities as
Certifying Authorities with the prior approval of the Central Government. He also has the
authority to revoke recognition if he believes “that any Certifying Authority has violated
any of the conditions and restrictions subject to which it was granted recognition.” Any
individual can also apply to the Controller for a licence to issue Electronic Signature
Certificates in India, according to the Act. The licence may be issued if the applicant
meets the Central Government’s requirements, and it is only valid for the time period
specified by the Central Government. The application for renewal of the licence must
be accompanied by the necessary fees and submitted 45 days prior to the expiration
date of the existing licence. Depending on the merits of the case and the documentation
submitted with the application, the licence application may be approved or rejected.
The Controller has the authority to suspend the licence if he is satisfied after an
investigation that the Certifying Authority has made false and incorrect statements and
that the conditions under which the licence was issued have not been met; however,
the Certifying Authority must be given a reasonable opportunity to be heard before the
licence is revoked.


Any of the Controller’s functions may be delegated by the Controller to the Deputy
Controller, Assistant Controller, or any other official. The Controller, or any other
official authorised by him, has the authority to initiate an investigation/enquiry into any
alleged violation of the IT Act or any other laws or regulations. They will also be able to
get information from “any computer system, any apparatus, data, or any other material
linked with such system.” “The Controller or any officer authorised by him in this respect
shall use the similar powers given on Income-tax authorities under Chapter XIII of the
Income-tax Act, 1961 (43 of 1961), and shall exercise such powers, subject to the
limitations imposed by that Act.”

Certifying Authorities must ensure that they are following the procedures and
protocols outlined in the Act, as well as ensuring that their personnel follow the
procedures and regulations. They must follow security protocols and employ resources
that are not vulnerable to attacks. They must also display the licence in a
prominent location on their premises, and they must surrender it immediately if the
licence is suspended or revoked. They must also follow the disclosure guidelines to
maintain the sanctity of the process, and they must notify the concerned stakeholders if
the integrity of their computer systems is compromised.

3.3 Intellectual Property Right
Intellectual property (IP) is a term that refers to the distinct and unique works of
an individual’s intellect for which the individual’s property rights are recognised. This
unit will go over the definition of the term as well as other relevant subjects in depth.
Individuals must be granted property rights for the originality of their works, inventions,
and discoveries, as well as innovations, in order to appreciate and regard the human
resource. The unit will also discuss the varied concerns and priorities of intellectual
property rights. The unit begins with a definition and description of intellectual property
and intellectual property rights. The concept of intellectual property rights is then defined.
We propose an intellectual property form and analyse intellectual property’s nature. The
nature and purpose of intellectual property rights are next discussed, followed by an
examination of the many challenges that arise as a result of intellectual property rights.

3.3.1 Intellectual Property



Inventions, literary and artistic works, designs, and symbols, names, and pictures
used in business are all examples of intellectual property (IP).

Intellectual property (IP) is a term that refers to creations of the mind that are unique
in nature and have not been reproduced by anyone or anywhere. Inventions, literary
and artistic works, symbols, names, images, and designs utilised in business are all
examples of intellectual property. The term “intellectual property” has been used
for millennia. “Only in this way can we protect intellectual property, the labours of
the mind, productions and interests are as much a man’s own...as the wheat he
cultivates, or the flocks he rears,” wrote Justice Charles L. Woodbury in one of the court
judgments in 1845.

The phrase “discoveries are...property” dates back to a previous era. The World
Intellectual Property Organization (WIPO) was founded in 1967 as a result.

Intellectual property can be divided into two categories: (i) individual property and (ii)
copyright.

Individual property: Individual property refers to properties that are unique and
intangible in nature and are tied to commercial or industry-related items, such as
inventions (patents), trademarks, industrial designs, and geographic indications of
origin.

Copyright: Literary and artistic works such as novels, poetry, plays, films,
musical works, and articles, and artistic works such as drawings, paintings, pictures, and
sculptures, as well as architectural designs, are examples of original and intangible
creations. Copyright includes performing artists’ rights in their performances,
phonogram makers’ rights in their recordings, and broadcasters’ rights in their radio and
television shows.

ty
An individual, like any other tangible property, has the right to own and preserve its
mind’s original creativity. Intellectual property is the term for such a right. An intellectual
property right establishes ownership, and anyone who want to use it must first obtain
permission from the owner. If such creations are exploited without first obtaining

si
authorization, legal action may be taken against the individuals involved.

Non-physical property that is the result of original thought is referred to as
intellectual property. Intellectual property rights typically encompass the control of
physical manifestations or expressions of ideas, rather than the abstract non-physical
reality. A content creator’s interest in her ideas is protected by intellectual property law,
which assigns and enforces legal rights to produce and control tangible manifestations
of those ideas.

Intellectual property law has a long and illustrious history dating back to ancient
Greece and before. There was a refinement of what was protected within different
sectors as different legal systems progressed in safeguarding intellectual works. During
the same time period, numerous moral justifications for intellectual property were
proposed, including personality-based, utilitarian, and Lockean justifications. Finally,
many people have criticised intellectual property and intellectual property protection
systems. This essay will cover all of these topics, with a focus on the legal and moral
notions of intellectual property in Anglo-American and European countries.

Copyright
Original works of writing fixed in any physical medium of expression are
protected by copyright (17 U.S.C. 102 (1988)). Literary, musical, artistic, photographic,
architectural, and cinematographic works, as well as maps and computer software, may
be copyrighted. Something must be “original” to be protected—the work must be the
author’s own creation; it cannot be the consequence of copying (Bleistein v. Donaldson
Lithographing Co., 188 US 239 (1903)). The expression must also be “non-utilitarian” or
“non-functional” in character, which further restricts the scope of what can be protected.
Utilitarian products, or products that are beneficial for work, fall, if they fall anywhere,
under the jurisdiction of patents. Finally, rights only apply to tangible expressions
and derivatives of such expressions, not to abstract ideas themselves. For example,
copyright law does not protect Einstein’s Theory of Relativity, as expressed in many
essays and publications. Someone else could read these writings and describe the
notion in her own terms, and she could even get a copyright for it. While this may be
concerning to some, such rights are not covered by copyright law. Plagiarism may be
committed by someone who borrows abstract theories or ideas and expresses them in
her own words, yet she cannot be held culpable for copyright infringement.

Patents
An invention is protected by a patent, which is an exclusive right awarded to
the inventor. In general, a patent gives the patent owner the right to decide how - or
whether - others can use his or her creation. The patent owner gives up this privilege in
exchange for making technical information about the invention publicly available in the
published patent document.

Trademarks

A trademark is a symbol that distinguishes one company’s goods or services from
those of other companies. Trademarks date back to ancient times, when artists used to
sign their wares with their signature or “mark.”

Trade secrets
IP rights on confidential knowledge that can be sold or licenced are known as trade
secrets. Unauthorized acquisition, use, or disclosure of such secret information by
others in a manner that is inconsistent with honest commercial practices is considered
an unfair practice and a violation of trade secret protection.

Geographical indications
Geographical indications and appellations of origin are signs that are applied to
items that have a specific geographical origin and that have attributes, a reputation, or
features that are fundamentally due to that location. A geographical indicator usually
includes the name of the items’ place of origin.

Industrial designs
An industrial design is the decorative or aesthetic aspect of a product. A design can
be made up of three-dimensional elements like an article’s shape or surface, or
two-dimensional elements like patterns, lines, or colour.

General Critiques of Intellectual Property


Leaving aside the strands of reasoning that seek to defend moral claims to
intangible works, as well as the more concentrated issues with these perspectives,
there are a number of broad critiques of intellectual property rights to address.

Information is Not Property


Critics contend that information is not the type of thing that can be owned or
possessed, and therefore it cannot be considered property in the traditional sense.
Numbers and propositions are examples of abstract items that cannot causally interact
with material objects and hence cannot be owned or possessed. The notion that one
might possess and therefore own the novel expressed by the book A Tale of Two Cities,
for example, makes about as much sense as the notion that one could possess and
thus own the entity denoted by the symbol “2.” On this view, whatever concepts might
properly apply to abstract objects, the concept of property, according to these
theorists, does not. At best, the term “intellectual property” refers to nothing, and at
worst, it is incomprehensible.

At least two objections can be made to this analysis. To begin with, it is unclear
if ownership, as a notion, necessitates physical possession. One could argue that
the core of ownership is power — the ability to prohibit others from particular actions
involving the relevant entity — rather than physical control or possession. Second,
claiming that information objects are not property does not entail that granting writers
or content creators a legal right to prevent others from stealing those things without
their agreement is invalid. The fact that some entity E isn’t “property” means just that
it shouldn’t be legally protected as such; it doesn’t mean that E shouldn’t be protected
in other ways. It’s possible that such legal rights should be called something
other than “intellectual property rights”; they could be called “intellectual
content rights,” for example.

Information is Non-Rivalrous

Many argue that the non-rivalrous nature of intellectual works establishes a
prima facie case against access-restricting rights. We have a solid argument against
moral and legal intellectual property rights because intellectual works are not normally
consumed by their usage and can be enjoyed by many people at the same time
(creating a copy does not deprive anyone of their belongings) (Kuflik 1989; Hettinger
1989; Barlow 1997). Many people believe that restricting access to intellectual works
is unjustified, which is one cause for rampant piracy. Consider the following more
formalised version of the argument:

P1. If a physical or intangible work may be utilised and consumed by a large
number of people at the same time (is non-rivalrous), then it should be made available
to as many people as possible.

P2. Intellectual works that are protected by copyright, patents, or trade secrets are
non-rivalrous.

C3. As a result, there is an immediate prima facie case either in favour of
intellectual property rights or in favour of providing maximum access to intellectual
works.

3.3.2 Intellectual Property Right and Implications



Intellectual property rights are one of the most commonly discussed topics in
scientific circles, and protecting scientific discoveries with commercial potential is one
of the most important considerations. Human knowledge is equally valuable in this day,
when persons are viewed as valuable resources by organisations, and it may propel
organisations to new heights.

Based on western scientific philosophy and knowledge generating methods,
knowledge is assumed to be the result of individual creativity. Intellectual property
rights, in this paradigm, are property rights to products of the mind, which are the
consequence of an individual’s knowledge and creativity. Intellectual property
rights confer legal ownership of mental inventions, encompassing both artistic and
commercial works. Owners of intangible assets are granted exclusive rights under
intellectual property law, as well as the financial incentive of monopoly profits.

A sample of intellectual property form

Individuals must assert ownership of intellectual property rights in order to
safeguard and recognise their originality and creations. Individuals or businesses
can claim ownership by filling out a standard form and submitting it to the appropriate
person or entity (for example, the Government of India is the authority that
protects such rights in India). A sample of a standardised intellectual property rights
form is shown in the figure below.

Figure: Sample intellectual property form

Nature of intellectual property rights
Except for copyright, which is global in nature in the sense that it is immediately
available in all countries of the Berne Convention, IPR are generally territorial or
geographically based rights (that is, they may differ from country to country). These
are monopoly rights, which means that no one can use them without the permission
of the right holder. All intellectual property rights, with the exception of copyrights and
trade secrets, must be renewed on a regular basis. IPR, like any other property, can be
assigned, gifted, sold, and licenced. Geographic indications, on the other hand, could
be used to safeguard particular agricultural and traditional items.

Intellectual property rights seek to achieve the following goals:

●● It aids in the protection of an individual’s creation’s ownership and originality.
●● It acknowledges the person or authority in question.
●● It enables intellectual property owners to profit financially from the assets they
have generated.
●● They are given financial incentives to create intellectual property and to undertake
the costs of intellectual property investment.
●● Individuals’ inventiveness is sparked by such rights, which contributes to economic
progress.
●● It can also provide some financial assistance to the rightholder through the
monopoly of their creations.
●● It helps an individual’s financial situation as well as the country’s economy.

Intellectual property rights in India


In India, the importance of intellectual property is well recognised at all levels:
legislative, administrative, and judicial. India has approved the World Trade
Organization (WTO) accord. This agreement includes, among other things,
a Trade Related Aspects of Intellectual Property Rights (TRIPS) Agreement, which
went into effect on January 1, 1995. It establishes minimum criteria for the protection
and enforcement of intellectual property rights in member nations, requiring them
to encourage effective and adequate intellectual property rights protection in order
to reduce trade distortions and barriers. The TRIPS Agreement imposes duties on
member nations to provide a minimum level of protection within their legal systems and
practices.

The Agreement establishes norms and standards in the domains of intellectual
property listed below:

●● Copyrights and related rights
●● Trade Marks
●● Geographical Indications
●● Industrial Designs
●● Layout Designs of Integrated Circuits
●● Protection of Undisclosed Information (Trade Secrets)
●● Patents
●● Plant varieties

Transition Period
India, as a developing country, has a five-year transition time (from January
1, 1995) to implement the Agreement’s terms (until January 1, 2000). A five-year
transition period, ending January 1, 2005, is also available for expanding product patent
protection to previously unprotected areas of technology. This would mostly be in the
pharmaceutical and agricultural chemical industries.

Copyrights
The Indian Copyright Act of 1957, as revised by the Copyright (Amendment) Act
of 1999, completely implements the Berne Convention on Copyrights, to which India
is a signatory. India is also a signatory to the Universal Copyright Convention and the
Geneva Convention for the Protection of Rights of Producers of Phonograms. India is
also a member of the World Intellectual Property Organization (WIPO) in Geneva and
the United Nations Educational, Scientific, and Cultural Organization (UNESCO).

The copyright legislation has been updated on a regular basis to keep up with
evolving needs. The most recent update to the copyright law, which took effect in May
1995, brought about significant revisions and brought the copyright legislation in step
with advances in satellite broadcasting, computer software, and digital technology. For
the first time, the new law includes safeguards to protect performance rights as outlined
in the Rome Convention.


Trade Marks
Any symbol, or combination of signs, capable of distinguishing one undertaking’s
goods or services from those of other undertakings has been defined as a trade mark.
Under the TRIPS Agreement, such identifying marks are considered protectable subject
matter. The Agreement stipulates that the original registration and each subsequent
renewal shall be for a period of not less than seven years, with the registration being
renewable indefinitely. Licensing of trade marks on a compulsory basis is not permissible.

A comprehensive review of the Trade and Merchandise Marks Act 1958 was
conducted in light of changes in trade and commercial practices, globalisation of trade,
the need for simplification and harmonisation of trade mark registration systems, and
other factors, and a Bill to repeal and replace the 1958 Act was passed by Parliament
and notified in the Gazette on December 30, 1999. This Act harmonises Trade Marks
Law with worldwide systems and practices, as well as making it TRIPS compatible. The
law is now being implemented.

Types of intellectual property rights

The term “intellectual property” refers to the ownership of an intellectual work
rather than the work itself. Depending on the nature of the work, intellectual property
rights can be divided into several categories. Copyrights, trademarks, patents, industrial
design rights, and trade secrets are the most frequent categories of intellectual
property, as detailed below:

Copyright: It’s a legal privilege granted to the creator of a literary or artistic work.
The right to control the publication, dissemination, and modification of creative works is
an exclusive right. Articles, books, music, software, paintings, and other creative works
are all protected by copyright rules.

For a limited time, the owner, also known as the copyright holder, retains the
right. The work can be republished or duplicated by others as time passes. A copyright
usually lasts for the duration of the owner’s life and up to 50 to 100 years after death.

In case of anonymous works, the right lasts for 95 years after publication or 120
years after the creation.

Trademarks:
Companies, political parties, governmental agencies, and a variety of other
organisations can be identified or recognised by using symbols that they have
assigned. These symbols are trademarks, which are commonly used to identify a
certain product and to designate its source. A trademark is a set of words, phrases,
symbols, logos, designs, images, or gadgets used by an individual, legal entity, or
business to differentiate their products from those of others. Reebok, LG, Whirlpool, and
Godrej, for example, may be identified by their emblems, which are embossed on their
items. Another example is the logos of non-governmental organisations (NGOs) such
as WHO, UNICEF, and others, which distinguish these organisations from one
another.

The businesses have their trademarks registered, and these trademarks are legally
protected. If these trademarks are ever misappropriated, the owners can take legal
action against the people who do so. The right to trade marks protects a company’s
or institution’s products and services that aid in the development of its brand, including
pharmaceuticals.

They can be registered on a national or worldwide level, giving them the right
to use the TM mark. The letters TM are appended to an unregistered trade mark. If
a competitor or anybody else uses the same or similar name to trade in the same or
related field, this can be enforced in court.

Patents: Patents are intellectual property rights that are tied to new discoveries.
Patents protect novel products, processes, and apparatus. The right to patent
states that the innovation is not evident in light of previous work, that it has not been
reproduced, and that it has not been disclosed elsewhere in the world at the time
of filing. However, patents can only be granted to inventions that have a practical
application. Persons who invent a new machine, process, object of manufacture, or
composition of matter, as well as biological discoveries, are granted this right.

There are various patent eligibility standards that vary by nation, and one’s
invention must match these criteria in order for their rights to be protected. In general,
the innovation must be novel, imaginative, and useful or industrially applicable.

In order to get a patent for his or her invention, the person must first register. Once
a person receives a patent for an invention, he or she has the sole right to prevent
anyone from creating, using, selling, or distributing the patented invention without
permission. A patent is generally valid for 20 years from the date of filing the application
(for the patent).

Industrial design rights: These are also known as intellectual property rights,
and they safeguard the appearance of items. These rights are given to products that
stand out because of their unique shape or pattern. A design can take the form of a
shape, colour, pattern, or a mix of these elements. It could be a manufactured item or a
handcrafted item. The design can be two-dimensional (based on pattern, colours, and
lines) or three-dimensional (based on texture, colours, and lines) (as per shape and
surface).

The right is granted based on a number of characteristics, including novelty,
inventiveness, and aesthetic appeal. The owner of an industrial design right has
the sole right to manufacture and sell any goods to which the design is applied. The
right is granted for a term of ten to twenty-five years. The design must be
registered either on a national level or as part of an EU (European Union)-wide single
right.

Trade secrets: Trade secrets are the rights awarded to a company’s designs,
procedures, formulas, instruments, processes, recipes, patterns, or concepts in order to
acquire a competitive advantage.

Intellectual Property Implications


As previously stated, strong intellectual property rights encourage inventive activity
by enhancing the appropriability of innovation returns. Innovating companies also have
more resources to spend in the next generation of creative activities because they
collect a higher percentage of the advantages of their innovative activity. Competitors
can syphon off income that would otherwise go to innovators if they are able to enter
and/or remain in a market by obtaining an innovator’s intellectual property for less than
the fair market price (either through theft, coerced transfer, or government-mandated
reductions).

As a result, the intellectual property issue is about nothing less than a necessary
framework condition for global trade and innovation. Policymakers cannot afford to
take innovation for granted, as it is the most vital “good” for the future of the global
economy and society. Contrary to what economist Robert Solow allegedly
claimed, innovation does not fall from the sky like “manna from heaven.” Rather,
innovation is the result of a comprehensive national innovation system that includes
not only market incentives for inventors (supported by IP protection), but also additional
incentives, laws, and policies. These policies cover scientific research, technological
commercialization, information and communications technology investments, education
and skills development, taxes, trade, government procurement, competition, and
regulatory policies, among others. Furthermore, in an interconnected world, ideas
developed in one country are implemented in almost all others. For example, if a South
Korean inventor develops significantly improved battery technology, the entire globe
benefits.

Given that the world is essentially in the adolescent stages of a truly integrated
global economy, how countries decide, individually and collectively, to pursue
innovation-based growth strategies has significant implications for the global innovation
system, as ITIF argues in “Contributors and Detractors: Ranking Countries’ Impact
on Global Innovation.” This is true in part because the policies countries undertake
to maximise their local innovation may not be the ideal ones for maximising global
innovation production, especially when those policies are mercantilist in nature.
“National innovation policies strategically interact to produce emergent de facto
innovation policies,” according to Australian innovation economist Jason Potts. “Because
new ideas and their externalities are not easily controlled by national borders, the
economics of the innovation problem—market failure in producing new knowledge and
knowledge as a public goods problem—is fundamentally global.”

Countries that use institutional barriers to prevent innovators from fully realising the
economic benefits of their ideas engage in damaging “innovation mercantilism,” which
decreases global innovation. These countries seek prosperity by enacting protectionist,
trade-distorting policies that tip the market scales in favour of domestic technology
production, such as weakening intellectual property rules and enforcement, forcing
companies to transfer the rights to their intellectual property or technology, or stealing
intellectual property outright. 77

Discriminatory handling of IP held domestically versus by foreign enterprises is at
the centre of the agendas of many IPR opponents and innovation mercantilist countries.
These tactics target foreign IP as part of an industrial strategy aimed at assisting domestic
enterprises in acquiring or imitating foreign innovations so that they can get closer to
the technological frontier without having to pay for technology or while paying below
market value for it. In this way, innovation mercantilist countries employ both sides of the
“pro” and “anti” IP debates: they recognise the importance of IP in technological and
economic development, but they undermine foreign IP in order to obtain it in a zero-sum
game; however, they support export protection for domestic firms (including
IP embedded in their goods and services), and they expect fair treatment in foreign
markets for their firms’ IP. (To put it another way, such governments seek robust IP
restrictions that only apply to other countries.)

However, mercantilism of innovation is a zero-sum game: It may help a country’s
economy in the near term, but it usually depletes the world’s knowledge and invention
stock. Innovation mercantilism does this by stopping successful
innovators from attaining the higher-than-normal profits required to reward the risky
initial investment (so-called “Schumpeterian profits”). Failure is widespread in the world
of innovation since it is based on risk and uncertainty; for every Apple that succeeds
with an iPad, there are countless IT businesses that fail. Furthermore, innovation
industries risk not only losing market share but perhaps going out of business. This
reality brings to mind Schumpeter’s maxim that “any item of corporate strategy must
be understood in the context of the perpetual gale of creative destruction.” If
firms could only expect average returns on successful innovations, none of them would
assume the huge risk of investing in them. This is especially true in many developing
countries, where new ideas are desperately needed.

The disruption and distortion of the economics of innovation-based sectors
is one of the main reasons why innovation mercantilist activities are so harmful
to global innovation. Innovation-based businesses and sectors, in particular, rely
on profits from one generation of innovation to fund investment in the next. The two
most R&D-intensive industries in the United States, for example, are life sciences and
semiconductors, both of which invest more than 20% of their yearly revenues in R&D.
They must do so because, as innovation-based industries, they compete primarily by
inventing new-to-the-world, next-generation products, rather than by cutting costs.
As a result, the OECD concludes that “pharmaceutical sales revenues and R&D
expenditures have a significant degree of association.” 78 (In reality, pharmaceutical
R&D spending and revenues have a nearly one-to-one (0.97) association.) 79 This also
explains why academic research demonstrates a statistically significant association
between a biopharmaceutical company’s previous-year profitability and current-year
R&D expenditures, and why pharmaceutical companies with the highest revenues also
have the highest R&D expenses.

3.3.3 Ownership and Enforcement of IPR



The ownership of a physical object differs from the ownership of the copyright
embodied in the object.

Intellectual property ownership, sometimes known as IP ownership, refers to the
ownership of ideas and concepts. However, defining IP ownership is more difficult than
defining ownership of tangible assets.

IP Rights and Ownership



Intellectual property isn’t a physical asset like a building or computer equipment.
Instead, intellectual property (IP) is a collection of concepts and ideas.

These are the sole ways to safeguard intellectual property in the United States:

●● Trademarks
●● Patents
●● Copyrights

The ownership of a piece of property and the rights that come with it are usually
straightforward. To own a given sort of property usually entails the ability to perform the
following:

●● Possess it
●● Enjoy it
●● Sell it
●● Prevent others from doing the same

The majority of laws relating to property ownership and control deal with issues that
arise from shared or contested ownership.

When it comes to a physical product or a piece of real estate, there is usually little
doubt about who owns it. There’s also little doubt about what complete ownership of
such properties entails.

When it comes to intellectual property, ownership is more difficult to define. The
major problem is that intellectual property is intangible. It cannot be touched, held, or
defined by physical boundaries. IP ownership instead refers to a person’s interest
in mental works. Owning intellectual property (IP) entails owning an idea or concept
rather than an object or piece of real estate. Although IP is intangible, it can, like real
estate, be sold or otherwise transferred.

Who Owns IP
The proprietor of an idea or concept that is the subject of IP is usually the person
who came up with it. However, the following methods can be used to release or transfer
IP rights:

●● Transaction
●● Agreement
●● Operation of law
●● Passage of time

When a person owns intellectual property rights, he or she can prevent others
from using the concepts or ideas that make up the IP. The scope of these rights is
determined by the governing law as well as the type of IP concerned. For example,
rights could be limited to preventing others from commercially exploiting the IP.

It’s crucial to note that just because a firm paid for the work to be generated doesn’t
mean it owns the IP. The legal position varies based on the work’s originator. The
following parties may be involved in the creation and ownership of intellectual property:

Founders
In many cases, founders invent, develop, and register their intellectual property
rights before forming their business. They could, for example, do the following:

●● Register domain names
●● Coin brand names
●● Develop a website
●● Formulate algorithms

When founders create IP before their company is incorporated, they, rather than the
company, own the IP. For their services with the company, founders rarely enter into
consultancy or employment agreements. As a result, the firm will not possess the IP
developed by the founders during their service after the company is formed.

Employees

The basic norm is that any IP developed by employees belongs to the corporation.
The IP, on the other hand, must be created while they are employed. There are
exceptions, and employment agreements should always include clear ownership
provisions.

Consultants or Independent Contractors

Consultants almost always hold IP ownership rights to anything they develop
unless there is a documented contract that transfers ownership. Because corporations
frequently hire consultants, both parties are typically aware of the necessity to draft a
legal contract to transfer ownership rights if one does not already exist.

Third Parties
Contracting with third-party enterprises to produce a product or service is common
among early-stage and startup businesses. For example, new enterprises might hire
product designers, web developers, or software developers. Unless the two parties
agree differently, the third party retains the IP rights despite the fact that the corporation
pays for the services.

The fact that property is intangible does not negate its worth or the fact that it can
be owned. Concepts and ideas can be immensely valuable in the world of intellectual
property. It’s critical to preserve your rights if you have intellectual property that you
wish to profit from. A legal professional with competence in this area can assist you in
protecting them.


Enforcement of IPR

If the intellectual property system is to make the desired positive contribution to
economic and social welfare, mechanisms must be provided to ensure that IP rights are
honoured in an effective, timely, and accessible manner, while also taking into account
the legitimate interests of others. By establishing general rules for the enforcement of IP
rights, the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS)
broke new ground in multilateral law. It requires WTO members to make effective,
balanced, and fair processes available that provide for required remedies while
preventing their abuse and the establishment of barriers to lawful commerce.

Contracts between parties are commonly used to do business. IP laws, on
the other hand, are not the same. They are not consensual in nature, but they have
the effect of binding, in some ways, even people who have no relationship with the
intellectual property owner.

IPRs are fundamentally negative rights in the sense that they are instruments
designed principally to prevent any third party from using them commercially in any
manner in violation of the terms of the relevant legislation without legal authorization
from the holder of the right. The problem has gotten worse since technological
advancements have made copying and counterfeiting of articles, even on a large scale,
straightforward, cheap, and quick; information storage and communication is simple
and can be done anywhere. For global trade, national borders have become irrelevant.

Enforcement of IPR refers to the existence of legal and administrative procedures
and mechanisms that assist the IPR holder in ensuring that his statutory rights are
respected by others and that he is able to enjoy the limited monopoly that comes with
the grant of an IPR in line with the law.

The purpose of IPR enforcement is to ensure that the legal rights conferred on
the holder of the rights by the grant of an IP instrument (patent, trademark, design,
copyright, etc.) are completely respected. The primary concern of a right holder is to
maximise the value of his IPRs through economic exploitation. In the instance of
infringement, however, the right holder’s concern is how to prohibit unauthorised use
of his intellectual property, recover damages as a result of such unauthorised use, and
deter future infringements.

Obviously, multiple individuals and authorities would be involved in enforcement.
To begin, there must be a plaintiff who owns the IPRs and a defendant who is accused
of infringing on those rights. The remedies can be pursued in civil or
criminal lawsuits, as well as through arbitration or mediation. Courts, attorneys/lawyers,
professional specialists (for example, to testify on technically complex problems),
and, of course, legal and administrative machinery are all required to carry out the
outcomes of litigation. Collective management societies may be involved in the
matter of copyrights. There may also be some organizations/associations involved
with intellectual property protection. Customs authorities enter the picture if action
to prohibit infringement involves action at national boundaries. If the violation has an
international dimension, it is necessary to use the mechanisms and procedures set
forth in applicable international treaties and accords, including the TRIPS Agreement
and the WIPO-administered Treaties. As a result, infringement entails a slew of practical
considerations as well as a slew of legal ones that demand careful study. Infringement
actions can take a long time and cost a lot of money. There’s also the risk that the
defendant will contest the IP’s legitimacy, further complicating the situation.

Who makes the initial move in terms of enforcing the law? Because IPRs
are private rights, the individual who owns the right and is harmed by the claimed
infringement must seek redress. It is his job to keep track of whether or not his rights
are being violated in any way. He should be keeping an eye on what his business rivals
are up to, and have a nose for anything that infringes on his rights or harms his financial
interests. Naturally, he must gather evidence to back up his suspicions and claim that
his rights have been violated.

Because of the challenges and complications involved in prosecuting an
infringement case, it is frequently preferable to approach the suspected infringer in a
polite manner first to see if a reasonable solution can be achieved without resorting to
legal remedies. It’s conceivable that a person isn’t aware that his actions are infringing
on someone else’s intellectual property rights. If he is made aware of this, he may
stop acting in this manner, and the infringement may be handled amicably. If the
infringement is not intentional, such a result is likely. If the infringement is deliberate,
however, such a warning may not achieve the desired consequence; yet, the fact
that the rights owner did inform him of the illegality of the defendant’s act to no avail
would strengthen the plaintiff’s case in court proceedings. However, there is a need for
caution in this situation. If the plaintiff fails to establish infringement, he may be held
accountable for damages for the wrongful warning and subsequent action.

If the preliminary warning fails to deter infringement, then, depending on the
circumstances, one should consider engaging in discussions, mediation, arbitration, or
other alternative dispute resolution procedures.

Litigation may be expensive if a claim must be filed specifically in a civil
court. Depending on one’s circumstances, it may be worthwhile to consider purchasing
an insurance policy to cover such lawsuits.

When violation is serious, intentional, and on a large scale, criminal legal
processes are frequently used. In criminal procedures, the offender may be sentenced
to prison. In criminal situations, however, the bar of proof is high. In a civil lawsuit,
the defendant’s guilt may be determined on the basis of a preponderance of the
evidence, while in a criminal case, the defendant’s guilt must be proven beyond a
reasonable doubt. In addition, whereas an interim order can be issued in a civil case to
ask the defendant to cease allegedly infringing conduct before the trial, no such relief
is possible in criminal proceedings. Pre-trial processes such as ‘discovery’ are allowed
in civil trials for extracting information from a defendant; however, this is not the case in
criminal cases.

For these reasons, most businesspeople believe that civil action is more
appropriate for enforcing private property rights than criminal action.

However, in some countries, a state agency can commence criminal proceedings
without the right owner filing a complaint of infringement beforehand, but such a
complaint is beneficial in prosecution.

3.3.4 Defenses for Infringement


Intellectual property (IP) is a type of property that encompasses speculative and
intangible human intelligence inventions. There are many different forms of intellectual
property laws, and some governments around the globe respect them more than others.
Copyright laws, patent laws, trademark laws, and trade secret laws are the most well-
known categories of Intellectual Property. Intellectual property law’s fundamental goal is
to promote the invention and production of a wide range of intellectual commodities.

To accomplish this goal, the law grants individuals and businesses property
rights to the information and creative goods they create, usually for a limited time.
This provides an economic incentive for people to create since it allows them to profit
from the knowledge and intellectual goods they develop. These financial incentives
are believed to foster innovation and contribute to a country’s technical advancement,
which is ultimately determined by the level of protection provided to innovators.

India has rules and protection for intellectual property in a variety of areas, which
are listed below:

●● Trade Marks are dealt with under the Trade Marks Act, 1999
●● Patents are dealt with under the Patents Act, 1970 (as amended in 2005)
●● Copyrights and Related Rights are dealt with under the Copyright Act, 1957
●● Industrial Designs are dealt with under the Designs Act, 2000
●● Geographical Indications are dealt with under the Geographical Indications of Goods
(Registration and Protection) Act, 1999
●● Plant Varieties are dealt with under The Protection of Plant Varieties and Farmers’ Right Act,
2001
●● Data Protection is dealt with under the Information Technology Act, 2000

Infringement of IP laws
A violation or breach of an intellectual property right is known as intellectual
property infringement. When a document protected by IP laws is used, duplicated, or
otherwise exploited without the permission of the original rights owner, IP rights are
infringed. Counterfeiting and piracy are examples of intellectual property infringement.
Counterfeiting is the act of replicating or emulating genuine items, usually to a lower
quality, in order to profit from the better market worth of the mimicked product. Piracy
is defined as the unauthorised copying, usage, reproduction, and/or distribution of
intellectual property-protected materials. Copyrights, patents, trademarks, industrial
designs, and trade secrets are all examples of intellectual property rights.

Examples of intellectual property infringement include the following:

●● Copyright infringement
●● Patent infringement
●● Trademark infringement
●● Design infringement

Defences against infringement of Intellectual Property laws


A defendant may present a defence (or defences) in civil or criminal proceedings
under common law in order to avoid criminal or civil culpability. A defendant may, in
addition to contesting the accuracy of any allegation made against them in a criminal or
civil proceeding, make allegations against the prosecutor or plaintiff, or raise a defence,
arguing that even if the allegations made against the defendant are true, the prosecutor
or plaintiff should be held accountable. Nonetheless, the defendant is not accountable
for the same. In the same way, intellectual property law has a few defences.

Copyright Infringement Defence


●● Invalidity: The defendant has the ability to demonstrate and establish that the
owner’s copyright is void.
●● License: The defendant may show that they hold a valid licence.
●● Public Domain: The defendant may be able to successfully establish that the work
performed is already in the public domain.
●● Statute of Limitations: The defendant may claim that the statute of limitations for
bringing an infringement action has expired.
●● Accident: The defendant may claim that he or she was unaware of the violation
or that the infringement was unintentional. In most cases, this is not a viable
argument for commercial use of a copyrighted work.
●● Fair Use Doctrine: According to the fair use concept, a copyrighted work must be
used in a valid and legal manner that does not infringe on the holder’s rights. The
following are examples of permissible fair use:
    ●● review of the material (such as critique or criticism)
    ●● academic use (such as teaching the material or research)
    ●● satire or other parody of the work
    ●● news or public commentary.

Patent Infringement Defence
●● The defendant can either prove that they are not infringing by providing data, or
they can argue that the asserted patent is invalid, if that is the case.
●● The defendant may be forced to discontinue selling or manufacturing the infringed
product.
●● By cross-claiming your patent portfolio, the defendant may be able to negotiate
licence payments with the patent owner (if the plaintiff is not an NPE, a non-practising entity).
●● To prevent the infringement allegation, the defendant may begin with a
non-infringement defence. Among all the available options, the cost of engaging an
expert for non-infringement defence is believed to be the finest.
●● The defendant may be able to show that the plaintiff obtained the patent illegally.
That the claim’s topic is not an invention as defined by this Act, or is not patentable
under the Patents Act of 1970.
●● Inadequate disclosure of the invention or the method to be used to carry it out.
●● If the application for a patent was not filed within twelve months of the date of the
first application filed for protection for the innovation made in a convention country
or in India, the patent will be issued.

Trademark Infringement Defence


●● Doctrine of Laches: The plaintiff failed to establish a right or claim, which, when
combined with the passage of time and other circumstances, causes prejudice to the
defendant and serves as a bar in a court of equity.
●● Estoppel: The doctrine of estoppel is made up of three parts:
    ●● Position of authority assumed by the defendant.
    ●● Submission to and dependence upon that assumption by the plaintiff.
    ●● Injury suffered by the plaintiff as an immediate consequence of such
    submission and dependence.
●● Unclean Hands: Only used by a court where a plaintiff who is ordinarily entitled
to relief has acted in such a way that the public interest in punishing the plaintiff
outweighs the necessity to prevent the defendant’s illegal behaviour.
●● Fair Use/Collateral Use: Reasonable use permits fair comment that happens to
involve the use of the trademark for a purpose other than that for which it is typically
used. Advertising (as long as no false claims are made) and parody cases are the most
common examples (but it is not fair use when a claimed parody is used to promote
competitive goods or services). The usage of goods with a pre-existing mark is known
as collateral use.

Essentially, the theory of collateral use permits a party to identify a registered item as
a component of a more sophisticated product by its trademarked name without danger
of being held accountable for infringement. This is only true if the party does not
mislead the public into believing the goods being offered are legitimately marketed by the
trademark owner.

Design Infringement Defence

Repair Defence
If the goal of using the design is to fix a product, the repair defence is a
comprehensive defence to a charge of design infringement. It only applies to
complicated products with two or more interchangeable component pieces. The
use of the part must, in whole or in part, restore its overall appearance. In this case,
repair entails restoring or replacing broken pieces, as well as replacing incidental
items when restoring a component part or performing maintenance on a complicated
product. After the scope of the repair defence has been determined, spare part sellers
can be confident in knowing how far the repair defence applies to the sale of spare
parts. Importers and sellers of spare parts in the automobile aftermarket should
remain cautious, especially when employees are dealing with consumers and making
purchases. Original Equipment Manufacturers might change their design protection
strategy based on what the ‘repair defence’ includes.

3.3.5 Copyright Objective and Transfer of Copyright


Section 14 explains what copyright is and how to use it. “Copyright” means for the
purposes of this Act, the exclusive right, subject to the provisions of this Act, to do or
authorise the doing of any of the following acts in respect of a work or any substantial
part thereof:

A copyright is a set of rights that are automatically granted to someone who creates
an original work of authorship, such as a book, music, film, or piece of software. These
rights include the ability to duplicate the work, create derivative works, distribute copies,
and publicly perform and show it.

To visualise how these rights can be used or leased, consider them as a bundle of
sticks, with each stick representing one of these rights. Each “stick” has the right to be
kept by the copyright owner, to be transferred individually to one or more individuals, or
to be transferred collectively to one or more people. In a nutshell, copyright gives the
owner control over how his or her copyrighted works are distributed to the public.

The basis for copyright protection is found in the United States Constitution. The
Framers considered that granting authors limited exclusive rights to their publications
would “advance the progress of science and useful arts.”

The basic goal of copyright is to encourage and compensate authors to create
new works by providing property rights and making those works available for public
enjoyment. According to the argument, by allowing creators certain exclusive rights
that allow them to safeguard their creative works from theft, they benefit economically
while the public benefits from creative works that would not otherwise be developed or
distributed.

While copyright legislation is meant to benefit the general public by providing
access to creative works, it’s crucial to note that creators are under no duty to make
their copyrighted works available.

The rights granted to copyright owners are, of course, subject to various limits.
Under certain circumstances, anyone can use a work without first obtaining permission
from the copyright owner or paying the copyright owner. Fair use is a fantastic example
of this.

A work must meet three essential characteristics in order to be protected by
copyright. The work must satisfy the following:

Original: A work must simply be generated separately to be considered original. To
put it another way, it can’t be replicated. There is no requirement that the work be fresh,
unique, innovative, or ingenious (as under patent law). To achieve the originality criteria,
a work just needs to show a minimal level of ingenuity. Only a few projects fall short of
the required level of inventiveness.

Authorship of a Work: A work must be a product of creative expression that falls
into a category of copyrightable subject matter to qualify as a work of authorship for the
purposes of copyright protection. Literary works, musical works, motion films and other
audiovisual works, derivative works, compilations, and other works are all examples of
copyrightable subject matter.

Fixed: A work must be fixed in a physical medium of expression to meet the fixation
requirement. Protection is immediately applied to a qualified work after it is completed.
A work is deemed fixed if it is sufficiently persistent or stable to allow it to be observed,
reproduced, or otherwise communicated for more than a brief period of time.

Transfer of Copyright
A copyright transfer is the transfer of an owner’s property rights in a creative work.
Copyright transfers can happen on their own or as part of larger asset purchases or
transactions. Copyright Transfer or Assignment Agreements establish ownership
records as well as the transfer and protection of all parties’ rights.

It simply means that a Copyright owner has the exclusive authority to transfer
his or her Copyright to any other person or entity. The assignee becomes eligible for
all rights relating to the Copyright to the transferred work as a result of the transfer or
assignment. A simple grant of the right to sell and publish the copyrighted work, on the
other hand, is a publishing right, not a copyright transfer.

The Copyright assignee becomes eligible for any Copyright-related right, and he or
she is treated as the Copyright owner for those rights. In the case of unassigned rights,
the assignor is also recognised as the Copyright owner. If the assignee dies before the
work is completed, the legitimate representatives of the assignee are entitled to the
Copyright Transfer benefits.

Mode of Transfer (Section 19)
Copyright Assignment/Transfer is only legitimate if it is written and signed by the
assignor or their duly authorised agent or representative, according to Section 19.

The transfer of a Copyright in a Work must acknowledge the work and explain the
type of rights given, as well as the duration and geographic scope of the transfer.
Furthermore, it must state the amount of royalty owed, if any, to the author or their legal
representatives during the time of the transfer, as well as the fact that the transfer may
be extended, revised, or terminated on mutually agreed-upon terms.

If the date of transfer is not specified, it will be assumed to be five years from the
date of transfer. If the regional scope of the transfer is not specified, it would be applied
across India.

The transfer of Copyright work against the terms and conditions on which rights
have been given to a specific Copyright society where the actual creator of the work is
a member will be void, according to Section 19(8). Furthermore, Sections 19(9 & 10)
provide that the Copyright Transfer for making a cinematograph film or sound recording
does not impair the creator’s right to an equal part of the royalties and compensation
payable for the use of their protected work.

Copyright Transfer Disputes (Section 19 (a))


According to Section 19(a), if the assignee fails to make adequate use of the rights
assigned to them and such failure is not attributable to any act or error of the assignor,
the Board may revoke the transfer after receiving a complaint from the assignor and
conducting such inquiry as it deems necessary.

In the event of a dispute over the transfer of Copyright, the Appellate Board,
after receiving a complaint from the aggrieved party and conducting any necessary
investigation, may issue an appropriate ruling containing an order for the recovery of
any royalties due.

Copyright Transfer by Operation of Law (Section 20)


If the Copyright owner dies without leaving a will, the Copyright will be passed on
to his or her personal representative as part of the estate. Section 20 states that if an
individual is eligible for Copyright under bequest and such work has not been published
before the testator’s death, such individual shall be considered to have work Copyright
so long as the testator was the Copyright owner immediately before his or her death,
unless the conflicting intention is shown under the testator’s will or any supplement to it.

3.3.6 Practical Aspect of Licensing

Licensing is a powerful and adaptable tool for forming collaborations and
bringing innovation out of the shadows of an inventor’s studio and into the light of the
marketplace.

Simply described, a licence is similar to a “lease” agreement between an owner
(licensor) and a lessee (licensee), in which the owner (licensor) grants rights to use
property in exchange for a fee.

Licenses apply to intangible assets (i.e., IP), which are mental creations such
as formulas, drawings, procedures, software, or literary and creative works that are
protected by patents, trademarks, copyrights, know-how, or trade secrets, rather than
leasing something “physical” like a car or a home.

IP, unlike tangible property, can be licensed to multiple users in various locations at
the same time. The lease/license, on the other hand, is only valid for a limited time and
is subject to the terms and conditions of a mutually agreed-upon licensing agreement.

These agreements also place restrictions on how IP can be used, ensuring that
licensees only pay for the value of their use and that licensors receive their “fair share” for
each use. Inventors are able to fund and undertake additional research and development
(R&D) as a result of this recompense, and the innovation cycle is sustained.

Almost everything can be licensed as long as it has a property right that can be
protected. Patents, trademarks, copyrights, know-how, and trade secrets can all be
used to legally protect IP rights. Licensing permits a person to use another’s legally
protected intellectual property (IP) rights within the terms and conditions of a licence
agreement.

There are several different forms of IP rights that can be licensed. We frequently
refer to “technology” as “licensable.” Technology is usually associated with practical or
industrially useful items, materials, machinery, processes, or methods, such as a new
medication. New technology can be legally protected by a government-issued patent if
legal requirements are completed, and the patent holder can subsequently license the
technology to a licensee for usage. It is also possible to license technology in the form
of a trade secret or know-how.

The use of a name, logo, symbol, or other identifying characteristic that identifies
a trademark with the source of goods or a service can establish trademark and similar
rights. A trademark right (based on the creation of goodwill associated with a brand) can
also be licensed to another party.

Practical considerations in trade secret licensing


Trade Secret Audit
What is licensed in a licensing agreement should be very specific. Patents,
trade secrets, and other types of intellectual property rights are often transferred as
a package in most licensing agreements. As a result, it’s critical to understand what
precise technology and private information are involved in the transfer. While patents
are usually easy to find and keep track of, certain know-how isn’t. To solve this issue
and inventory any trade secrets, a thorough trade secret audit should be implemented.

The following are some fundamental measures that can be taken:

●● An in-depth analysis of what gives the company a competitive advantage over
competitors in the same industry;
●● Identification of non-public information that the corporation does not want anyone
outside the company to know;
●● Meeting with the company’s department leaders to assess what important and
competitive information each department may possess;
●● Determine which types of trade secrets are common in a given sector and which
ones exist within the organisation.

Furthermore, before entering into licensing negotiations or agreements,
confidential information should be thoroughly evaluated to ascertain the genuine
value of trade secrets. Another advantage of conducting a trade secret audit is the
successful prevention of trade secret theft (by implementing adequate protections), as
well as the prompt detection and response to data breaches and proprietary information
misappropriation.

Non-Disclosure Agreement (NDA)
When it comes to licensing trade secrets, a “so-called black box dilemma” must be
carefully considered. [T]he owner of a trade secret cannot “let the cat out of the bag,”
and a potential licensee will not want to “purchase a pig in a poke.” Some sensitive
information must be released during preliminary discussions, and unfettered disclosure
may result in the loss of proprietary know-how.

The most typical precaution against such possible loss is a non-disclosure agreement
(NDA). The NDA trades some secret information for a guarantee of confidentiality; it also
specifies the purpose for which the confidential information may be used, the safeguards in
place to protect it, and the restrictions on its disclosure to third parties. Typically, an NDA
is offered as a stand-alone legal tool that comes before licence discussions. Even if licence
negotiations fail, such “separation” helps to reinforce the impression that the supplied secret
information is always covered by the NDA’s duty to maintain secrecy. Furthermore, as part
of the technology transfer documentation, the entire agreement or a portion of it may need
to be incorporated into the final licensing agreement.

Basic Principles
A licensing agreement, especially one that covers multiple types of intellectual
property, can be a long, complicated, and difficult to understand document. In addition
to being difficult to read, such an agreement may also be difficult to understand – by the
licensee or by the courts, greatly diminishing its legal value. The finished document
will be clear, concise, and easy to comprehend by using clearly defined terminology,
applying user-friendly numbered subheading structure, minimising the occurrence
of redundant terms and passages, and implementing other basic characteristics of
effective document composition.

Important Terms
The best strategy to maintain the privacy of the trade secrets being transferred is
to have a formal agreement. “Provisions that define the technology area with precision,
establish a confidential legal relationship between the parties, furnish proprietary
information for a specific purpose only, obligate the recipient to hold information in
confidence, and spell out exceptions to secrecy obligations” should be included in such
an agreement. If the agreement covers more than one type of intellectual property,
it may be helpful to split the trade secrets – either in a separate agreement or as a
component of the licence agreement.

Subject Matter
It can be difficult to define the subject matter, but it is crucial. A trade secret can be
defined in the agreement itself or by a reference to a separate document or exhibit; in
the event of “amorphous know-how that may [only] be transferred orally or visually,” a
reference to extrinsic communications is often necessary.

License Grant, Prohibitions, Improvements

These terms clarify what the licensee is and is not allowed to do with the trade
secret licensing agreement’s subject matter - the right to access, utilise, and disclose
private information. The grant must be carefully and narrowly designed to prevent
the licensee from using the trade secret in an area or to an extent that the licensor
did not intend. It must also prevent any use or disclosure not expressly authorised by
the agreement, and it must only provide the licensee with what the licensee requires.
Any tangible property or copyrighted works provided to the licensee during the transfer
should be subject to separate restrictions and permissions under the agreement.

Protective Safeguards and Confidentiality Policy


Given the sensitive nature of trade secrets, the measures that will assure
their continued secrecy must be specified in the contract. The licensor should expect
acceptable protection measures, preferably equal to or greater than the licensor’s own
measures at the time of transfer (assuming the licensor has put in place adequate
safeguards).

Royalty
Trade secret royalty plans are far more flexible than royalty schemes for other
categories of intellectual property. The revealing of the proprietary information is the
licensor’s consideration for the “bargained-for” exchange. Furthermore, state contract
law governs royalty payments for trade secrets; the principle of “freedom of contract”
permits the parties to “build the criteria that will be utilised to determine that payment.”

Remedies
The potential of trade secret loss as a result of the licensee’s mismanagement
of the information is too great to ignore. The licensor would want built-in remedies
in the licensing agreement if such a loss occurred. A clause in the agreement that
automatically ends the agreement and revokes licensed rights upon material breach
should be inserted as a deterrent and as an effective means of “damage control.”

Amity Directorate of Distance & Online Education


190 Cyber and Information Security

Summary
Notes

e
●● Cybersecurity engineers identify vulnerabilities in systems and software, then
develop and deploy high-tech solutions to prevent hacking, malware, ransomware,

in
insider threats, and other cybercrimes.
●● The goal of security engineering is to create systems that are dependable in the
face of malice, error, or misfortune.

nl
●● Four factors must be coordinated for good security engineering. There’s policy
that specifies your responsibilities. In order to implement the policy, you’ll need
cyphers, access restrictions, hardware tamper-resistance, and other tools. There’s

O
assurance: how much you trust any given mechanism. Finally, there’s motivation:
both for defenders and attackers to accomplish their duties properly.
●● The ability of a system to continue completing demanding activities on time even if

ty
a few parts of it are affected by malicious attacks or accidents is known as system
survivability.
●● Threat management, also known as cyber threat management, is a framework that

si
cybersecurity experts use to manage a threat’s life cycle in order to identify and
respond to it quickly and accurately.
●● A cyber threat management system powered by automation and AI can help
r
counter today’s sophisticated cybercriminals. It gives security teams the visibility
ve
they need. Thanks to the unification of security data, security teams can detect
data at risk and vulnerabilities across networks on thousands of endpoints and
clouds.
●● Businesses must create and implement a risk management strategy to eliminate
ni

cyber-attack dangers. A cyber risk management strategy can help decision-makers


grasp the daily threats. An assessment of cyber risk will help the organisation
determine the possibility of any cyber-related attacks.
U

●● A cyber risk management strategy can help a corporation detect and mitigate
threats while allocating resources and time effectively. In addition, it will help
prevent the threats found during the assessment.
ity

●● In order to identify deficiencies and even excesses in the protection programme


(security), a security risk assessment is defined as “a fundamental examination
that can include review of documentation, policies, facilities, technology, security
strategies, staffing, training, and other key indicators to determine the current state
of the protection programme (security).
m

●● Risk identification is the process of identifying, describing, and recording hazards
and potential causes of risk. Two points should be kept in mind. First, an incident
always carries a risk. Second, risk requires three elements: asset, vulnerability,
and threat.
●● A vulnerability is a flaw or weakness in an asset that can be exploited by a threat.
●● A weak window lock and no intruder alarm are two vulnerabilities that a burglar
can exploit during a break-in.
●● Risk analysis is the process of estimating and quantifying known risks. To
calculate risk, combine likelihood and consequence. This stage uses the context
formation scales to assess the likelihood and consequences of the detected
incidents.
●● A risk management framework should be used to ensure that a risk management
process is adequate, efficient, and effective. This framework, in turn, should
adhere to risk management’s fundamental principles.
●● Cybersecurity risk management isn’t only the responsibility of the security team; it
affects everyone in the organization.
●● Risk assessments are a fantastic way to underline the importance of security
throughout your company. Assessing risk helps your team to develop
communication and cooperation, which will help them play a key part in risk
management in the future.
●● Cyber law refers to the legal issues involving the use of networked information
devices and technologies for communication, transaction, and distribution. The
law controls the internet. Computing, networks, software, data storage (hard
drives, USB drives, etc.) and even electrical devices such as cell phones and ATM
machines are all part of cyberspace.
●● The IT Act of 2000 defines the offences. Because this Act’s primary purpose is to
promote commercial I.T. use, some computer-related crimes have been excluded.
●● The IT Act of 2000, which recognised electronic records and revised various parts
of the IPC, introduced several cyber-related offences to their relevant sections.
●● Privacy concerns have grown in importance as people send more and more
private information over the Internet and store private data on machines that are
not under their physical control.
●● Cybersecurity law regulates proper technological activities such as computers,
software, networks, and the internet. Cybercrime law protects businesses,
governments, and individuals from criminals gaining unauthorised access to their
data and using it for malicious purposes.
●● A cybersecurity attorney advises individuals and organisations on how to comply
with state, federal, and international laws, acts as a crisis manager in the
event of cybercrime, and ensures that individuals and organisations respect the
law.
●● The phrase “cyber sovereignty” comes from internet governance and refers to a
state’s authority to make and enforce rules in cyberspace.
●● Intellectual property (IP) is a word that refers to the distinct and unique works of an
individual’s intellect for which the individual’s property rights are recognized.
●● Scientific discoveries having economic potential are among the most widely
debated topics in intellectual property circles. Now that people are valued as
resources, human knowledge may help organisations achieve greater heights.
●● Any symbol, or combination of signs, capable of distinguishing one undertaking’s
goods or services from those of other undertakings has been defined as a trade
mark.
●● A form of property, intellectual property includes speculative and intangible human
intelligence innovations. Intellectual property laws come in numerous forms, and
some nations respect them more than others. The most well-known types of
Intellectual Property include copyright, patent, trademark, and trade secret laws.
●● In the case of an author’s work such as a book, music, film or software, copyrights
are automatically given. These rights allow you to copy, produce derivative works,
distribute copies, and publicly perform and show the work.
●● A copyright transfer is the ownership of a creative work. Copyright transfers
can occur alone or as part of bigger asset purchases. Copyright Assignment
Agreements maintain ownership records and preserve all parties’ rights.

Glossary

●● SDLC: Software Development Life Cycle
●● APT: Automatically Programmed Tool
●● NIST: National Institute of Standards and Technology
●● CF: Cybersecurity Framework
●● OSINT: Open Source Intelligence
●● KPI: Key Performance Indicator
●● ROI: Return On Investment
●● MTTD: Mean Time To Detect
●● MTTR: Mean Time To Repair
●● CISOs: Chief Information Security Officer
●● WFH: Work From Home
●● IoT: Information of Things
●● SP: Special Publication
●● PAM: Privileged Access Management
●● USB: Universal Serial Bus
●● IT: Information Technology
●● IPC: Indian Penal Court
●● ATM: Automated Teller Machine
●● ICT: Information and Communication Technology
●● TCP/IP: Transfer Control Protocol/Internet Protocol
●● ITU: International Telecommunication Union
●● SQL: Sequential Query Language
●● UNCITRAL: United Nations Commission on International Trade and Law
●● HIPAA: Health Insurance Portability and Accountability Act
●● EMR: Electronic Medical Records
●● ACA: Affordable Care Act
●● IAB: Internet Architecture Board
●● HHS: Health and Human Services
●● EDI: Electronic Data Interchange
●● CISA: Cybersecurity and Infrastructure Security Agency
●● CERT: Computer Emergency Response Team
●● PDAs: Personal Digital Assistants
●● IP: Intellectual Property
●● WIPO: World Intellectual Property Organization
●● WTO: World Trade Organization
●● TRIPS: Trade Related Aspects of Intellectual Property Rights
●● UNESCO: United Nations Educational, Scientific, and Cultural Organization
●● NGOs: Non-Governmental Organisations
●● WHO: World Health Organisation
●● UNICEF: United Nations International Children’s Emergency Fund
●● EU: European Union
●● OECD: Organisation for Economic Co-operation and Development
●● R&D: Research and Development
●● NDA: Non-Disclosure Agreement

Check Your Understanding

1. _ _ _ _ _ _ _ identify vulnerabilities in systems and software, then develop and deploy
high-tech solutions to prevent hacking, malware, ransomware, insider threats, and
other cybercrimes.
a. Mechanical Engineers
b. Civil Engineers
c. Cybersecurity engineers
d. Architects
2. _ _ _ _ _ _ is the ability of a system to keep running even if some pieces are damaged
by malicious attacks or accidents.
a. System Survivability
b. System Security
c. System Vulnerability
d. Computer Security
3. _ _ _ _ _ _ is a methodology used by cybersecurity experts to manage a threat’s life
cycle and identify it swiftly and accurately.
a. Threat Management
b. Authentication
c. Password
d. None of the above
4. Activities aimed at identifying, describing, and documenting hazards and potential
causes of risk are referred to as _ _ _ _ _ _ _.
a. Risk Analysis
b. Risk Treatment
c. Authentication
d. Risk Identification
5. The process of discovering, assessing, evaluating, and addressing your organization’s
cybersecurity hazards is known as _ _ _ _ _ _.
a. Risk analysis
b. Cybersecurity Risk Management
c. Risk Treatment
d. None of these
6. _ _ _ _ _ _ is a branch of the legal system that deals with internet and cyberspace
crime.
a. IPC
b. Cyber Crime
c. Security Breaching
d. Cyber law
7. _ _ _ _ _ _ _ is a term that refers to mental inventions that are unique in nature and
have not been reproduced by anyone or anywhere.
a. Copyright
b. AI
c. Intellectual Property (IP)
d. All of the above
8. A _ _ _ _ _ _ _ is a symbol that distinguishes one company’s goods or services from
those of other companies.
a. Patents
b. Copyright
c. Trade Secrets
d. Trademark
9. _ _ _ _ _ _ is a legal privilege granted to the creator of a literary or artistic work.
a. Patents
b. Copyright
c. Trade Secrets
d. Trademark
10. The extent to which hardware is independent of the software environment is termed
as _ _ _ _.
a. Time
b. Fairness
c. Software Dependency
d. Hardware Reliance
11. _ _ _ _ _ _ refers to the system’s ability to avoid causing harm to the network or
personnel systems.
a. Safety
b. Time
c. Fairness
d. None of the above
12. _ _ _ _ _ _ _ refers to the degree to which all software functionalities are stated
without ambiguity or misinterpretation.
a. Connectivity
b. Time
c. Fairness
d. Accuracy

Exercise
1. What is Security Engineering?
2. What is the Importance of Security Engineering?
3. Explain Cyber Threat Management.
4. What is the Importance of Cyber Threat Management?
5. What do you understand by Threat Management Challenges?
6. Define Risk Assessment.
7. What are Risk Management, Procedure and Guidelines?
8. Explain Cyberspace.
9. Define Cyber Laws.
10. What are Cyber Laws and Its Advantages?
11. Who are Cyber Lawyers?
12. Define Jurisdiction and Sovereignty.
13. Explain in detail The IT Act of India 2000.
14. What do you understand by the term Intellectual Property?
15. What are Intellectual Property Right and Implications?
16. Explain Ownership and Enforcement of IPR.
17. What do you mean by Defenses for Infringement?
18. What are Copyright Objective and Transfer of Copyright?
19. Explain Practical Aspect of Licensing.

Learning Activities
1. Cyber laws are useful. Comment and support your answer.
2. Create a risk assessment plan for an ecommerce company.

Check Your Understanding - Answers
1. c
2. a
3. a
4. d
5. b
6. d
7. c
8. d
9. b
10. a
11. a
12. d

Further Readings and Bibliography:

1. Handbook of Digital Forensics and Investigation, Eoghan Casey
2. Digital Forensics Basics: A Practical Guide Using Windows OS, Nihad A. Hassan
3. Cyber Forensics, S. Murugan
4. Cyber Forensics: From Data to Digital Evidence, Albert J. Marcella and Frederic Guillossou
5. Singer, P. W.; Friedman, Allan (2014). Cybersecurity and Cyberwar: What Everyone Needs to Know
6. Costigan, Sean; Hennessy, Michael (2016). Cybersecurity: A Generic Reference Curriculum
7. Lee, Newton (2015). Counterterrorism and Cybersecurity: Total Information Awareness (2nd ed.)
8. Hayes, Carol M. “Chilling Effects: Code Speech and the Cybersecurity Information Sharing Act of 2015.”
