DATABASES – TOWARDS A RISK-BASED ASSESSMENT OF CRITICAL INFORMATION INFRASTRUCTURES (CIIS) IN SOUTH AFRICA

South Africa has made great strides towards protecting critical information infrastructures (CIIs). For example, South Africa recognises the significance of safeguarding places or areas that are essential to the national security of South Africa or the economic and social well-being of South African citizens. For this reason South Africa has established mechanisms to assist in preserving the integrity and security of CIIs. The measures provide inter alia for the identification of CIIs; the registration of the full names, address and contact details of the CII administrators (the persons who manage CIIs); the identification of the location(s) of CIIs or their component parts; and the outlining of the general descriptions of information or data stored in CIIs. It is argued that the measures to protect CIIs in South Africa are inadequate. In particular, the measures rely on a one-size-fits-all approach to identify and classify CIIs. For this reason the South African measures are likely to lead to the adoption of a paradigm that considers every infrastructure, data or database, regardless of its significance or importance, to be key or critical.


Introduction
South Africa has long recognised the need to protect critical infrastructures (CIs).
For example, legislation such as the Defence Act1 and the National Strategic Intelligence Act2 contains measures that, amongst others, provide for the safeguarding of CIs. More specifically, the Defence Act requires the gathering, collating, evaluating and using of strategic intelligence related inter alia to the security of South Africa.3 This strategic intelligence is gathered, collated, evaluated and used in order to assess attacks or threats of attacks on the security of South Africa's CIs.4 In general, CIs encompass structural and physical places or areas that are of strategic interest to a country,5 that is, places or areas that are vital to the country's safety and security and the well-being of its citizens.6 Examples of CIs include inter alia petrochemical stores (eg pump stations and oil refineries), international airports, the reserve bank, electricity distribution stations, strategic power stations, and water storage and distribution facilities. Attacks or threats of attacks on CIs have in the recent past proved to be real and pervasive. These attacks or threats can take various forms. For example, CIs can be damaged or destroyed by deliberate acts of terrorism, natural disasters, negligence or malicious behaviour.7 Two independent attacks on CIs are described below by way of illustration. The first was an [...]

[...] worldwide networks,16 and the acceleration of electronic commerce (e-commerce).17 The ease of accessing recent ICTs results in, or can result in, the emergence of certain risks that weaken the security and stability of the information society. These include, amongst others, dishonesty, the illicit revelation of secret information, corruption, theft, deliberate disruption of the system, the destruction of ICT resources, and cyber-terrorism.18 These risks demand that the information or data19 recorded or kept on computers or computer software be safeguarded,20 through the establishment of dedicated protection for what is referred to as critical information infrastructure (CII).21 CIIs generally form part of a country's overall cyber-infrastructure.22 CIIs comprise the information systems23 or networks that, if disrupted or destroyed, could have a prejudicial or adverse impact on the health, safety, security and monetary well-being of the citizens of a country, or on the effective functioning or performance of a government or economy.24 Countries such as the US and Canada recognise the importance of safeguarding CIIs. More specifically, the US has framed a number of statutes in response to attacks or threats of attacks on its CIIs. These include the Computer Fraud and [...]

18 For an interesting definition of the term "cyber-terrorism", see Denning 2000 http://bit.ly/16rUw3i.
19 The meaning of the term "data" in this context differs from its more usual meaning in computing. Here the term means the electronic representation of information in any form. See s 1 of the Electronic Communications and Transactions Act 25 of 2002 (the ECT Act).
[fn] For further interesting reading, see the Council of Europe's Convention on Cybercrime (2001).
[fn] This paper argues that the provisions of the Electronic Communications Security (Pty) Ltd Act 68 of 2002 may also be of assistance to the general scheme of securing CIIs. However, this paper examines the provisions of the ECT Act.

The structure of the paper is straightforward. Section 2 discusses the notion "critical databases". The analysis includes an examination of a number of concepts that are relevant to the study of critical databases. Section 3 describes the different approaches to the safeguarding of critical databases; the approaches adopted and implemented by the OECD and South Africa, amongst others, are investigated. Section 4 investigates the importance of a risk-based approach to safeguarding CIIs. Lastly, section 5 draws conclusions.

2 Critical databases

Background to the study
It is difficult to give a concise and accurate description of the term "critical database". Any attempt to do so should probably begin with scrutinising the meaning of the word "database" itself. Botma et al define a database as an organised collection of electronic software or tools that is used to store information.26 This collection facilitates the accessing, retrieving and using of the information or documents stored in it.27 Databases usually consist of data and metadata.28 On the one hand, the term data refers to the electronic representation of information in any form.29 The notion "any form" is somewhat misleading. It is submitted that information can be represented either manually or mechanically. However, insofar as this representation amounts to a processing of information or data, it must meet the principles regarding the protection of personal information.30 These requirements relate to processing limitations, purpose [...]

25 The OECD is the Organisation for Economic Co-operation and Development; it succeeded the Organisation for European Economic Co-operation (OEEC) in 1961. It is an intergovernmental body whose member countries (34 at the time of writing) continuously identify, discuss and analyse global challenges and problems, and promote policies to address those challenges and solve those problems.
[fn] Definitions of the crime of phishing diverge. The differences seem to be influenced by the ever-changing nature of contemporary technologies. For example, Myers provides that phishing encompasses social engineering and/or technical attacks (see Myers "Introduction to Phishing" 1-2). Such attacks are commonly orchestrated by sending electronic mail to a web user, falsely claiming to be from an established legitimate enterprise, in an attempt to scam the web user into surrendering private information that will be used for identity theft (see Granova and Eloff 2005 Computer Fraud and Security 6).

[...] attacks generally rely on nefarious techniques to weaken the integrity of these databases. Furthermore, outside attacks commonly degrade the quality of databases and data.36 Outside attacks can generally be classified as either passive or active.37 Passive attacks occur where an e-system or network is infiltrated or observed surreptitiously, without detection and without the system or its data being altered.38 Active attacks take the form of altering or adapting an e-system or network, or the data it holds.39 Critical databases are collections of critical data in electronic form kept at a site from which the data may be accessed, reproduced or extracted.40 In South Africa, critical data is data the protection of which is declared by the Minister41 to be of importance to national security or to the economic or social well-being of its citizens.42 This includes data that is essential to the daily functioning of an information society.43 Furthermore, critical databases include data the interruption or destruction of which could have widespread effects and consequently generate grave consequences for an information society.44 At a governmental level, an interruption or destruction of critical databases could hamper and/or delay the delivery of services.45 The critical nature of databases requires the taking of steps to preserve their integrity and quality. Their preservation is usually aimed at alleviating the impact of outside attacks. The steps to preserve the integrity and quality of databases are discussed in the section below.

Protecting critical databases
In modern times, attacks or threats of attacks on critical databases have become more pervasive and widespread. It is argued that these attacks or threats existed long before the 9/11 attacks in the US.46 For example, the attacks alleged in the Riggs case took place during September 1988. The accused (Riggs and another) devised a scheme to defraud a company (Bell South Telephone Company) that provides telephone services in numerous states in the US.47 In this case a computer was used to gain unlawful access to the company's computer systems and networks. Once access was gained, the accused downloaded a computer file that contained sensitive information. The information detailed the manner in which emergency calls to the police, fire brigade, ambulance and other municipal emergency services were handled.48 It is furthermore argued that the hacker attacks on various databases, such as those of the Bank of America49 and the state-owned oil company in Saudi Arabia,50 reveal that the threats posed by outside attacks to the integrity and quality of databases still exist. In particular, the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) details the gravity of these outside attacks.51 For example, ICS-CERT reports that a total of 198 cyber incidents involving US critical infrastructure control systems were reported to it during 2011.52 It is therefore submitted that the interconnectedness of modern societies increases the damage that outside attacks can cause. An attack on a particular database could have adverse effects on other databases. In some cases, an attack on one country's databases could have pervasive consequences for the databases of other countries.
A scrutiny of the paradigms for protecting critical databases reveals that they are generally only as strong as their weakest elements.53 Moreover, outside attacks will continue to take place for as long as technologies continue to develop.54 The OECD recognises this, which is why it developed an all-encompassing framework to alleviate attacks on critical databases.55 In the terminology of the OECD the measures are referred to as the structure to protect CIIs.
Section 3 below is divided into two parts.Part 3.1 discusses the OECD structure to protect CIIs.Part 3.2 reviews the South African approach to safeguarding CIIs.

The OECD approach
The OECD framework to protect CIIs has four essential components or elements,56 namely prevention, detection, response and recovery. No particular order is necessarily followed in addressing these elements, but it is generally accepted that each element builds on the others.57 This paper therefore delves into the meaning and importance of these elements in relation to the safeguarding of CIIs.

Prevention
Various provisions of the Marsh Report58 (the 1997 report of the US President's Commission on Critical Infrastructure Protection) are essential to the element of prevention. For example, the Marsh Report states that "waiting for disaster (to happen) is a dangerous strategy".59 Attacks on CIIs must be prevented in real time. This immediate security should be aimed at preventing future attacks as well as thwarting attacks in progress.60 The OECD concurred, and therefore adopted a range of the recommendations made in the Marsh Report. For example, the OECD promotes the adoption of clear and objective policies for the prevention of attacks (cyber-attacks) on CIIs.61 These policies are designed to encourage co-operation between countries, and between countries and the private sector.62 The co-operation must operate at the strategic, policy and operational levels.63 Firstly, this collaboration must establish a practice of pooling skills to ascertain generic vulnerabilities of and risks to CIIs. Secondly, the policies must support the aspiration to share knowledge and experience regarding the development of policies and practices to secure CIIs.64 The OECD further acknowledges that the creation of awareness of the various risks to CIIs is one of the "lines of defence" of any CII protection paradigm.65 Awareness extends to ascertaining the degree and significance of the risks to CIIs.66 The rationale for creating awareness is to motivate the design of CII security mechanisms that address and/or respond to the imminent risks.67

Detection
The OECD recommends that a country's or an organisation's overall CII protection framework should encompass measures to identify and classify the risks of attacks on CIIs.68 This identification and classification ought to extend to CIIs that are most [...]

Response
[...] and future attacks or risks to CIIs.81 Consequently, the CERTs (computer emergency response teams) or CSIRTs (computer security incident response teams) must be structured in a manner that allows them to assist in the monitoring of, warning about and alerting to attacks, and must be able to carry out CII recovery measures.82 The efficiency and proper functioning of the CERTs and/or CSIRTs must therefore be continuously evaluated. Put differently, the CERTs or CSIRTs must be repeatedly tested and assessed to ensure their proper operation. This testing and assessment must be aimed at guaranteeing that these CERTs or CSIRTs remain secure and stable in emergency situations.83

Recovery
The OECD regards incident recovery measures (IRMs) as essential in alleviating the impact of attacks on CIIs.84 IRMs generally restore operational and functional stability to CIIs. Furthermore, IRMs provide for the recovery process and the progressive improvement of conditions after an attack.85 For this reason, IRMs ease and accelerate the process of recovering information or data lost after attacks on CIIs.86

The South African approach
3.2.1 Background to the study
CII security in South Africa is needed in order to safeguard e-systems and networks from outside attacks. In particular, South Africa proposes a "vigilant and proactive approach" to the CII security structure.88 Such an approach requires constant, regular assessment and forecasting of attacks on CIIs.89 It is argued that the requirement for the regular assessment of attacks on CIIs in South Africa is analogous to the identification and verification procedure practised under FICA.90 FICA requires certain institutions, that is, accountable institutions,91 to undertake an identification and verification process before establishing a business relationship92 or concluding a transaction between parties93 or a single transaction94 with other persons or institutions.95 Such a process has to be recurrent and continuous.96 The purpose of the process is twofold. Firstly, it enables accountable institutions to detect any changes in the activities or behaviour of the persons with whom they have established business relationships.97 Secondly, it identifies any alterations or modifications in the pattern of concluding transactions or single transactions.98 It is therefore inferred that the FICA approach of assessing transactions or single transactions on a continuous basis has shaped the framework that South Africa is adopting to evaluate CII protection measures.
An overview of the South African structure to safeguard CIIs is set out below.The section below describes in general terms the approach that South Africa is adopting to assess and forecast attacks on CIIs.

The Chapter IX structure
Chapter IX of the ECT Act provides, or seeks to provide, measures for the deterrence of attacks on CIIs. In particular, sections 53, 54 and 55 of the ECT Act grant the Minister extensive powers to design measures to avert cyber-attacks. For example, the Minister decides on the data that should be identified and classified as essential to the protection of the national security of South Africa.99 The Minister furthermore sets out measures to ascertain and classify the data that are fundamental to the protection of the economic and social well-being of South African citizens.100 Lastly, the Minister establishes procedures for the identification of such data.101 In other cases, the Minister prescribes rules for the registration and management of CIIs.102 Firstly, the rules provide for the registration of the full names, address and contact details of the critical database administrator;103 the location of CIIs or their component parts; and the general description of the information stored on CIIs.104 A description of the information stored on CIIs must, however, exclude the actual contents of a CII.105 The information that forms the basis of CIIs must be maintained by the Department106 or any institution specified by the Minister for that purpose.107 The Department or institution must therefore refuse to disclose the information, subject to certain exceptions.108 More specifically, the information should be accessible only to the employees of the Department or institution.109 For purposes of the disclosure of critical information, the term "employees" excludes "general employees".110 The employees who may hold the information are those responsible for keeping the register.111 Secondly, the rules regarding the management of CIIs relate, amongst other things, to the accessing, transferring and controlling of CIIs; infrastructural and procedural rules and requirements for securing the integrity of CIIs; procedures and technological methods to be used in storing and archiving CIIs; disaster recovery plans in the event of the loss or destruction of CIIs or their component parts; and any other matter required for the adequate protection, management and control of CIIs.112 Section 55(2) of the ECT Act furthermore introduces a procedure or mechanism for the management of other CIIs. These other CIIs include databases administered by public bodies. Section 55(2) states that such management should be performed in consultation with the members of the Cabinet affected by Chapter IX of the ECT Act. Examples of these members include, amongst others, the Minister of Defence, the Minister of Police and the Minister of State Security.

It is argued that an approach to securing CIIs functions adequately only in an environment where a risk-based, or risk-sensitive, framework is adopted. This risk-based framework is recognised inter alia by the OECD. More specifically, the OECD principles or guidelines contain provisions on the conducting of a risk-assessment-based analysis.113 Such an analysis assists in ascertaining the degree and extent of the risks to critical information security measures.114 Section 4 below therefore reviews the risk-based theory. In addition, section 4 examines the approaches to the risk-assessment-based analysis which are adopted by the OECD and, to some extent, by South Africa. More specifically, Chapter IX of the ECT Act embodies the South African structure to protect critical databases. The Chapter IX structure to secure CIIs or databases is supported by certain provisions of the Draft [...]

The nature of the risk-based theory
[...] "that pre-empt wrongdoing".121 Accordingly, risk management is an active process that seeks to identify, assess, manage and control potential events or situations, to provide reasonable assurance regarding the achievement of the organisation's objectives.122 The risk management framework depends on establishing the source or sources of the risks and/or threats.123 It extends to identifying inter alia the type of risks at issue, and asking whether the risks could affect a specific event or process.124 Furthermore, risk management enables organisations, and sometimes individuals, to direct or allocate organisational and individual resources to high-risk areas.125 The notion "risk" derives from the Italian verb risicare,126 which means "to dare".127 The verb risicare is used in the Italian proverb chi non risica, non rosica, which translates into English as "nothing ventured, nothing gained".128 Some scholars believe that the idea of risk was first seriously considered during the Italian Renaissance,129 when the concept of risk was developed as mathematically astute gamblers sought to "unlock the mysteries of dice throwing".130 This paper submits that the structure of the risk-based theory is comparable to the risk management framework. For example, the risk-based theory discards a one-size-fits-all approach to regulation and accepts that a holistic and elastic regulatory framework is indispensable. This framework focuses on the number and degree of risks related to a particular event. It presupposes that certain facts or circumstances are unknown, and that the unknown facts should be evaluated by means of a risk-assessment-appraisal process131 which encompasses, inter alia, risk identification, risk classification and risk analysis.132 The risk-assessment-appraisal process accordingly rejects reliance on "intuition and guesswork" as the basis for assessing risks.133 Lastly, the risk-based theory presupposes that a fitting method of regulating facts or circumstances is to investigate and scrutinise those facts or circumstances.134 This scrutiny is commonly made by applying measures (preventative or otherwise) notwithstanding the absence of facts that would determine the outcome.135 The foundation for such scrutiny is to strike an equilibrium between the taking of the measures and the identification of the imminent risks.136 In other words, a balance should be maintained, or sought to be maintained, between the number and extent of the measures and the number and degree of the risks. Therefore, in cases where the risks are high, stricter measures to prevent or deter the risks should be applied; where they are low, lighter measures suffice.
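As an added illustration of the risk identification, classification and analysis steps described above (example code written for this page, not code from the paper, the ECT Act, the Cybersecurity Policy or the OECD guidelines), the following Python script tiers a constructed inventory of databases by impact and likelihood, attaches a control set to each tier, and compares the outcome with the one-size-fits-all classification the paper criticises. The 1-5 scales, the cascade bonus for interconnected systems, the tier thresholds, the control sets and the five sample databases are all assumptions chosen for the illustration:

```python
"""Risk-based tiering of databases: identification, classification, analysis.

Added example. The 1-5 scales, weights, tier thresholds, control sets and
the five sample databases are constructed assumptions used only to contrast
a risk-based classification with a one-size-fits-all one; none of them is
taken from the ECT Act, the Cybersecurity Policy or the OECD guidelines.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DatabaseRisk:
    """Risk identification: what an assessor records about one database."""
    name: str
    # Impact (1-5) of disruption or destruction on each interest the ECT Act
    # names: national security, economic well-being, social well-being.
    national_security: int
    economic_wellbeing: int
    social_wellbeing: int
    # Likelihood drivers (assumptions): reachable from outside networks,
    # recent threat activity against this class of system (1-5), and the
    # number of other services that stop working if this database does.
    internet_exposed: bool
    threat_activity: int
    dependants: int


# Assumption: illustrative control sets; stricter tiers attract more controls.
CONTROLS = {
    "critical": ["register with the Department", "24x7 monitoring",
                 "tested disaster recovery plan", "annual re-assessment",
                 "MFA and least-privilege access"],
    "high": ["24x7 monitoring", "tested disaster recovery plan",
             "annual re-assessment", "MFA and least-privilege access"],
    "moderate": ["centralised logging", "backups", "re-assessment every two years"],
    "low": ["baseline hardening"],
}


def impact_score(db: DatabaseRisk) -> int:
    """Risk classification, impact axis (1-5).

    The worst-affected interest dominates. Interconnectedness (how many
    services depend on this database) adds up to 2 points, so an attack
    with knock-on effects on other databases scores higher.
    """
    worst = max(db.national_security, db.economic_wellbeing, db.social_wellbeing)
    cascade = min(2, db.dependants // 5)
    return min(5, worst + cascade)


def likelihood_score(db: DatabaseRisk) -> int:
    """Risk classification, likelihood axis (1-5): threat activity, +1 if exposed."""
    return min(5, db.threat_activity + (1 if db.internet_exposed else 0))


def tier_for(rating: int) -> str:
    """Risk analysis: map the impact x likelihood product (1-25) to a tier."""
    if rating >= 16:
        return "critical"
    if rating >= 10:
        return "high"
    if rating >= 5:
        return "moderate"
    return "low"


def assess(db: DatabaseRisk) -> dict:
    """Full assessment of one database: scores, tier and the controls it attracts."""
    impact, likelihood = impact_score(db), likelihood_score(db)
    tier = tier_for(impact * likelihood)
    return {"name": db.name, "impact": impact, "likelihood": likelihood,
            "rating": impact * likelihood, "tier": tier, "controls": CONTROLS[tier]}


def one_size_fits_all(dbs) -> dict:
    """The approach the paper criticises: every database is treated as critical."""
    return {db.name: "critical" for db in dbs}


def compare(dbs) -> dict:
    """Count how many databases each approach treats as critical."""
    risk_based = {db.name: assess(db)["tier"] for db in dbs}
    flat = one_size_fits_all(dbs)
    return {
        "risk_based": risk_based,
        "critical_risk_based": sum(t == "critical" for t in risk_based.values()),
        "critical_one_size_fits_all": sum(t == "critical" for t in flat.values()),
    }


# Constructed sample inventory (assumption), not real South African systems.
SAMPLE = [
    DatabaseRisk("border-control-identity", 5, 3, 4, False, 4, 12),
    DatabaseRisk("grid-control-historian", 4, 5, 4, True, 4, 30),
    DatabaseRisk("municipal-billing", 1, 3, 3, True, 3, 2),
    DatabaseRisk("public-library-catalogue", 1, 1, 2, True, 2, 0),
    DatabaseRisk("staff-canteen-menu", 1, 1, 1, False, 1, 0),
]

if __name__ == "__main__":
    for db in SAMPLE:
        a = assess(db)
        print(f"{a['name']:26} impact={a['impact']} likelihood={a['likelihood']} "
              f"rating={a['rating']:2} tier={a['tier']}")
    print(compare(SAMPLE))
```

Run as a script, the same five databases come out as two critical, one high, one moderate and one low under the risk-based scheme, whereas the flat scheme registers all five as critical. The thresholds and control sets are where policy enters; the point of the structure is that the register and the strictest controls are reserved for the databases whose loss would actually affect national security or well-being, and that the assessment is re-run on a schedule rather than fixed once.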
The OECD and, to some extent, the South African structures to safeguard CIIs reveal that a risk-assessment-based analysis is indispensable to the general scheme to protect CIIs. The sections below, namely sections 4.2 and 4.3, will therefore examine both the OECD and the South African approaches to the risk-assessment-based analysis.

The OECD approach to the risk-assessment-based analysis
The OECD encourages awareness of the risks to CII security.137 This awareness is, according to the OECD, to be sustained in circumstances where a risk-assessment-based analysis is carried out. The OECD therefore demands that such an analysis should be broad-based. In other words, the risk-assessment-based analysis must encompass the relevant internal and external factors that have an impact on CIIs.138 These factors include, amongst others, technology, physical and human factors, policies, and third-party services with security implications.139 Furthermore, the risk-assessment-based analysis is required to include information components supporting [...]

The awareness of the risks to CIIs must therefore encourage the development of preventive measures.141 Furthermore, the requisite awareness must promote the taking of steps to enhance the security of information systems and networks.142 Put differently, the risk-assessment-based analysis must assist in determining the levels of risk and must also aid in the selection of suitable risk management controls.143 An ongoing or periodic review structure must therefore be developed. This structure must assist in re-examining and re-evaluating the measures developed to safeguard CIIs.144 The review procedures must be structured in a manner that adequately addresses the risks or threats associated with the constant developments in modern ICTs.

The South African approach to the risk-assessment-based analysis
The South African structure to secure CIIs seems to diverge from that which is championed by the OECD. For example, no clear and/or ascertainable measures are set out by South Africa regarding the risk-assessment-based analysis. South Africa, it further appears, favours and/or adopts a generalised view in respect of the risk- [...] protect CIIs in the provisions of the South African National Cybersecurity Policy.145 For example, South Africa provides that relevant tools, policies, security concepts and safeguards, risk management approaches, actions, training, best practices, assurances and technologies that can be used to protect the cyber-environment, to [...]

Notwithstanding the abovementioned, this paper argues that there are a number of barriers to South Africa's progress towards establishing a risk-assessment-based analysis as part of its scheme to safeguard CIIs. Firstly, the fact that the Cybersecurity Policy is still in its drafting phase obstructs South Africa's overall agenda to curb cybercrime. Secondly, the general provisions contained in the Cybersecurity Policy could be read as supporting the adoption of a one-size-fits-all framework. Consequently, South Africans could be falsely persuaded that CIIs can be protected by merely ticking boxes.146

Conclusion
South Africa has made great strides to protect CIIs. The South African approach encourages the adoption of a model which requires the regular assessment of attacks or threats of attacks on its CIIs. Accordingly, it is argued that this approach mirrors the identification and verification procedure found in FICA. Nevertheless, it is argued that the South African approach is rule-based as opposed to risk-based. Put differently, it implicitly promotes an inflexible and incongruous culture of protecting critical databases. For example, it is submitted that the evolution of attacks or threats of attacks on CIIs is linked to developments in contemporary technologies. Accordingly, the emergence of new technology brings about, or can bring about, the emergence of new attacks or threats of attacks on CIIs. Fixed rules or regulatory frameworks will fail to deal adequately with these regular developments. It is furthermore argued that South Africa has adopted a generalised approach to regulating the risks posed or potentially posed by outside attacks on CIIs. For example, no specific provisions can be found that regulate the aforementioned. Only an inference can be drawn from various provisions of the Draft Cybersecurity Policy. Consequently, South Africa fails to follow the coordinated approach found in many instruments of the OECD.
Therefore, it is recommended that South Africa adopt the four essential principles or elements that form the basis of the OECD's structure to safeguard CIIs.
The adoption of these OECD principles would enable South Africa to undertake a process to forecast, identify, assess, monitor and recover from attacks or threats of attacks on its CIIs. Furthermore, South Africa should accept that risks of attacks differ in degree and size. Consequently, the method used to forecast, identify, assess, monitor and recover from risks of attacks will generally differ according to how pervasive or critical those risks are. It is furthermore recommended that regulations, ordinances or guidelines be suited to the nature of the threats as described above. The aim should be to alleviate the impact of new attacks or threats of attacks on CIIs arising from the constant developments in technology. The regulations, ordinances or guidelines should generally promote a culture of protecting CIIs which examines the foreseen and unforeseen, or foreseeable and unforeseeable, risks of attacks on CIIs.

Footnotes
16 A network is an "intricately connected system of things or people." See Milone 2002 Business Lawyer 383. See Council of the European Union and Commission of the European Communities 2000 http://bit.ly/YZQlMX.
[fn] [...] that information safeguarding extends beyond CIIs. In particular, information protection also encompasses inter alia authentication or validation and [...]
[fn] Article 1(a) of the Council of the European Union Framework Decision on Attacks Against Information Systems (2005) [hereinafter referred to as Council Framework Decision 2005/222/JHA] defines an information system as "any device or group of inter-connected or related devices, one or more of which, pursuant to a programme, performs automatic processing of computer data, as well as computer data stored, processed, retrieved or transmitted by them for purposes of their operation, use, protection or maintenance".
[fn] Bendisch et al "Towards a European Agenda" 1-2; Van Niekerk and Maharaj 2011 South African Journal of Military Studies 101.
88 The South African Cybersecurity Policy 11 (GN 118 GG 32963 of 19 Feb 2010).
89 The South African Cybersecurity Policy 11 (GN 118 GG 32963 of 19 Feb 2010).
90 See s 21 Financial Intelligence Centre Act 38 of 2001 (hereinafter referred to as FICA).
91 Accountable institutions are those listed in Schedule 1 of FICA. Included in the list are attorneys, boards of executors or trust companies, estate agents, financial instruments traders, management companies, persons who carry on the business of banks, mutual banks, persons who carry on long-term insurance businesses, persons who carry on business in respect of which a gambling licence is issued, persons who carry on the business of dealing in foreign exchange, persons who carry on the business of lending money, persons who carry on the business of rendering investment advice or investment-broking services, persons who issue, sell or redeem travellers' cheques, money orders or similar instruments, Postbanks, members of the stock exchange, the Ithala Development Finance Corporation Limited, persons who have been approved or who fall within the category of persons approved by the Registrar of Financial Markets, and persons who carry on the business of a money remitter.
94 Section 1 FICA defines a single transaction as a transaction other than a transaction which is concluded in the course of a business relationship.
95 Sections 21(1) and (2) of FICA.
96 Columbus Joint Venture v Absa Bank Ltd 2002 1 All SA 105 (SCA); Energy Measurements (Pty) Ltd v First National Bank of South Africa 2000 2 All SA 396 (W); Indac Electronics (Pty) Ltd v Volkskas Bank Ltd 1992 1 All SA 411 (A).
97 Lloyds Bank Ltd v The Chartered Bank of India, Australia and China 1928 All ER 285 297A-F.
98 Lloyds Bank Ltd v The Chartered Bank of India, Australia and China 1928 All ER 285 297A-[...]
[fn] [...] 55 ECT Act.
103 A critical database administrator is a person who is responsible for the management and control of a critical database. See s 1 ECT Act.
104 Section 54(2)(a)-(c) ECT Act. The recording of these particulars may, however, be waived at the Minister's discretion in terms of s 55(2)(a) and (b) ECT Act.
[fn] [...] the ECT Act this is the South African Department of Communications. See s [...] Act.
[fn] For an interesting study of the exceptions to the rule that information contained in the register should be kept secret, see s 56(2)(a)-(e) ECT Act.
[fn] Section 56(1) ECT Act.
110 Section 56(1) ECT Act.
111 Section 56(1) ECT Act.
117 The institutionalist and the systems theories of regulation were promoted by Morgan and Yeung. See in general Morgan and Yeung Law and Regulation 53-75.
118 The "Good Regulator Theorem" is favoured by Conant and Ashby. See Conant and Ashby 1970 Int J Syst Sci 89.
145 The South African National Cybersecurity Policy (GN 118 GG 32963 of 19 Feb 2010).
146 The proposal for a one-size-fits-all approach to a process to identify and classify CIIs is implicitly advocated by Von Solms. See Von Solms "Securing the Internet" 2-3.

References
Botma et al Navigating Information Literacy: Botma T et al Navigating Information Literacy: Your Information Society Survival Toolkit 2nd ed (Pearson Cape Town 2008)
Bowling, Marks and Murphy "Crime Control Technologies": Bowling B, Marks A and Murphy C "Crime Control Technologies: Towards an Analytical Framework and Research Agenda" in Brownsword R and Yeung K (eds) Regulating Technologies: Legal Futures, Regulatory Frames and Technological Fixes (Hart Oxford 2008) 51-78
Brazzoli "Future Prospects of Information Warfare": Brazzoli MS "Future Prospects of Information Warfare and Particularly Psychological Operations" in Le Roux L (ed) South African Army Vision 2020: Security Challenges Shaping the Future South African Army (Institute for Security Studies Pretoria 2007) 217-232
Carcano et al "State-based Network Intrusion Detection Systems": Carcano A et al "State-based Network Intrusion Detection Systems for SCADA Protocols: A Proof of Concept" in Rome E and Bloomfield R (eds) Critical Information Infrastructures Security: CRITIS 2009 (Springer Verlag Berlin 2010) 138-150
Chandrasekhar "Living with Disasters": Chandrasekhar D "Living with Disasters: A Planning Approach to Critical Incidents" in Schwester RW (ed) Handbook of Critical Incident Analysis (Sharpe New York 2012) 186-200
Conant and Ashby 1970 Int J Syst Sci: Conant RC and Ashby WR "Every Good Regulator of a System Must be a Model of That System" 1970 Int J Syst Sci 89-

Keywords: Critical databases; critical information infrastructures; national security; social and economic well-being
* Mzukisi N Njotini. LLB (Vista), LLM (cum laude) Information Technology Law (UNISA), LLD Candidate (UNISA). Senior Lecturer, Department of Jurisprudence, College of Law, UNISA, South Africa. Email: njotim@unisa.ac.za.