387 23 6MB
English Pages 264 [266] Year 2022
CYBERCRIME AND CYBERSECURITY RESEARCH
CYBERSECURITY RISK MANAGEMENT AN ENTERPRISE RISK MANAGEMENT APPROACH
No part of this digital document may be reproduced, stored in a retrieval system or transmitted in any form or by any means. The publisher has taken reasonable care in the preparation of this digital document, but makes no expressed or implied warranty of any kind and assumes no responsibility for any errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of information contained herein. This digital document is sold with the clear understanding that the publisher is not engaged in rendering legal, medical or any other professional services.
CYBERCRIME AND CYBERSECURITY RESEARCH Additional books and e-books in this series can be found on Nova’s website under the Series tab.
CYBERCRIME AND CYBERSECURITY RESEARCH
CYBERSECURITY RISK MANAGEMENT AN ENTERPRISE RISK MANAGEMENT APPROACH
KOK-BOON OH BRUCE HO AND
BRET SLADE
Copyright © 2022 by Nova Science Publishers, Inc. DOI: https://doi.org/10.52305/TNSD3712 All rights reserved. No part of this book may be reproduced, stored in a retrieval system or transmitted in any form or by any means: electronic, electrostatic, magnetic, tape, mechanical photocopying, recording or otherwise without the written permission of the Publisher. We have partnered with Copyright Clearance Center to make it easy for you to obtain permissions to reuse content from this publication. Simply navigate to this publication’s page on Nova’s website and locate the “Get Permission” button below the title description. This button is linked directly to the title’s permission page on copyright.com. Alternatively, you can visit copyright.com and search by title, ISBN, or ISSN. For further questions about using the service on copyright.com, please contact: Copyright Clearance Center Phone: +1-(978) 750-8400 Fax: +1-(978) 750-4470 E-mail: [email protected].
NOTICE TO THE READER The Publisher has taken reasonable care in the preparation of this book, but makes no expressed or implied warranty of any kind and assumes no responsibility for any errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of information contained in this book. The Publisher shall not be liable for any special, consequential, or exemplary damages resulting, in whole or in part, from the readers’ use of, or reliance upon, this material. Any parts of this book based on government reports are so indicated and copyright is claimed for those parts to the extent applicable to compilations of such works. Independent verification should be sought for any data, advice or recommendations contained in this book. In addition, no responsibility is assumed by the Publisher for any injury and/or damage to persons or property arising from any methods, products, instructions, ideas or otherwise contained in this publication. This publication is designed to provide accurate and authoritative information with regard to the subject matter covered herein. It is sold with the clear understanding that the Publisher is not engaged in rendering legal or any other professional services. If legal or any other expert assistance is required, the services of a competent person should be sought. FROM A DECLARATION OF PARTICIPANTS JOINTLY ADOPTED BY A COMMITTEE OF THE AMERICAN BAR ASSOCIATION AND A COMMITTEE OF PUBLISHERS. Additional color graphics may be available in the e-book version of this book.
Library of Congress Cataloging-in-Publication Data ISBN: H%RRN
Published by Nova Science Publishers, Inc. † New York
Contents
List of Figures ....................................................................................... vii List of Tables ........................................................................................ ix Preface
........................................................................................ xi
Acknowledgments ................................................................................ xiii List of Acronyms and Glossary............................................................ xv Chapter 1
Cyber Threats and Enterprise Risk ............................ 1
Chapter 2
Corporate Risk Environment and Cyber Risk ........ 23
Chapter 3
Cybersecurity Enterprise Risk Management .......... 43
Chapter 4
Standards and Regulations ........................................ 69
Chapter 5
Cyber Risk Identification ........................................... 93
Chapter 6
Cyber Risk Assessment............................................. 115
Chapter 7
Cyber Risk Mitigation .............................................. 139
Chapter 8
Cyber Risk Monitoring, Detection and Reporting . 165
Chapter 9
Cyber Attack Response and Recovery .................... 179
Chapter 10
Strategic Cybersecurity Risk Management ........... 197
References
..................................................................................... 219
About the Authors ............................................................................... 239 Index
..................................................................................... 241
LIST OF FIGURES Figure 1.1. Figure 1.2. Figure 1.3. Figure 1.4. Figure 1.5. Figure 2.1. Figure 3.1. Figure 3.2. Figure 3.3. Figure 3.4. Figure 3.5. Figure 3.6. Figure 3.7. Figure 3.8. Figure 3.9. Figure 3.10. Figure 4.1. Figure 4.2. Figure 4.3.
Business strategy and risk management alignment. Cybersecurity uncertainty and risk. Risk types. Chinese characters for “risk.” Cyber risk and opportunity nexus. Corporate risk environment. Value creation from portfolio risk management. ERM, SRM & ORM processes. Five attributes of cybersecurity risk management. Cyber risk control and ERM convergence. ERM framework. Strategic risk management. Operational risk and crisis management processes. Cyber risk exposure relationships. SRM process for cybersecurity ERM. Operational risk management/ crisis management cycle. Standards categories. ERM/SRM related standards. ISO 31000 - framework, principles, and process.
5 11 14 15 16 26 46 47 48 51 53 54 55 59 64 67 74 75 76
viii Figure 4.4. Figure 4.5. Figure 4.6. Figure 4.7. Figure 5.1. Figure 5.2. Figure 5.3. Figure 6.1. Figure 6.2. Figure 6.3. Figure 6.4. Figure 6.5. Figure 6.6. Figure 7.1. Figure 7.2. Figure 8.1. Figure 8.2. Figure 8.3. Figure 9.1. Figure 9.2. Figure 10.1. Figure 10.2.
List of Figures ERM/ORM related standards. 79 NIST/CSF Framework core & ERM/ORM alignment. 81 NIST/CSF Framework Core. 82 ISO 27000 series standards (selected). 85 Risk identification phase in the ERM/ORM cycle. 95 ERM/ORM & NIST/CSF alignment. 102 Bow tie risk analysis. 109 Risk assessment phase in the ERM/ORM cycle. 118 Risk assessment – ERM/ORM & NIST/CSF alignment. 120 Risk likelihood and impact matrix. 123 Heat maps showing severity levels of risks. 124 EMV based on potential impact and probability of events. 129 Economic risk paradigm. 132 Risk mitigation phase in the ERM/ORM cycle. 141 Risk mitigation – ERM/ORM & NIST/CSF alignment. 146 Monitor, detect & report risk in the ERM/ORM cycle. 168 Monitoring, detecting, and reporting cyber risks. 168 Risk monitoring & reporting - ERM & NIST CSF alignment. 174 Cyber crisis management cycle. 181 Incident response process. 187 Integrated cybersecurity ERM. 202 Cybersecurity strategic plan, vision, goals, and objectives. 203
LIST OF TABLES Table 2.1. Table 2.2. Table 2.3. Table 2.4. Table 4.1. Table 5.1. Table 5.2. Table 5.3. Table 6.1. Table 6.2. Table 6.3. Table 6.4. Table 7.1. Table 7.2. Table 7.3. Table 8.1.
Top 10 risks in 2017 & 2020 27 Industry critical systems 30 Types of cyber threats 37 Cyber security incidents, by affected sector (1 July 2019 to 30 June 2020) 41 ERM-ISO 27001 alignment 87 Threat identification questions 97 Vectors, threat actors, and objectives 98 Identify function – outcome categories/ sub-categories 100 Risk aassessment activities & outcomes (per “Identify” function) 119 Probability, impact, severity and action 123 Severity scale 130 WEF recommended VaR cyber risk variables 135 Protect function – outcome categories/sub-categories 147 Four steps of hedging 154 Cyberthreat mitigation tools 156 Detect – Outcome categories and sub-categories 175
x Table 9.1. Table 10.1.
List of Tables Respond and recover – outcome categories/sub-categories Identify – outcome categories/subcategories
183 211
PREFACE The motivation for writing this book is to share our knowledge, analyses, and conclusions about cybersecurity in particular and risk management in general to raise awareness among businesses, academics, and the general public about the cyber landscape changes and challenges that are occurring with emerging threats that will affect individual and corporate information security. As a result, we believe that all stakeholders should adopt a unified, coordinated, and organized approach to addressing corporate cybersecurity challenges based on a shared paradigm. There are two levels at which this book can be read. For starters, it can be read by regular individuals with little or no risk management experience. Because of the book's non-technical style, it is appropriate for this readership. The intellectual information may appear daunting at times, but we hope the reader will not be disheartened. One of the book's most notable features is that it is organized in a logical order that guides the reader through the enterprise risk management process, beginning with an introduction to risk management fundamentals and concluding with the strategic considerations that must be made to successfully implement a cyber risk management framework. Another group of readers targeted by this book is practitioners, students, academics, and regulators. We do not anticipate that everyone in this group will agree with the book's content and views.
xii
Kok-Boon Oh, Bruce Ho and Bret Slade
However, we hope that the knowledge and material provided will serve as a basis for them to expand on in their work or endeavors. The book comprises ten chapters. Chapter 1 is a general introduction to the theoretical concepts of risk and constructs of enterprise risk management. Chapter 2 presents the corporate risk landscape and cyber risk in terms of the characteristics and challenges of cyber threats vis-à-vis the emerging risks thereof from the perspective of a business organization. Chapter 3 presents the idea of enterprise risk management and explains the structure and functions of enterprise risk management as they relate to cybersecurity. Chapter 4 provides the cybersecurity risk management standards, which may be used to build a cybersecurity risk management framework that is based on best practices. The cyber operational risk management process begins in Chapter 5 with the introduction of the risk identification function. Chapter 6 continues with the next step of this process by presenting the risk assessment procedures for evaluating and prioritizing cyber risks. Chapter 7 explains the activities in the third step in the ORM process of risk mitigation and provides examples of the tools and techniques for addressing risk exposures. Chapter 8 presents a critical function from an operational perspective for its role in detecting risk and continual improvement of the organization's cybersecurity processes through the reporting function. Chapter 9 discusses the crisis management steps that businesses must take to respond to and recover from a cyber incident. Chapter 10 emphasizes the essential ERM components that senior management should be aware of and cultivate to create an effective cyber risk control framework by focusing on the strategic aspects of cybersecurity risk management from a business viewpoint. This chapter proposes a cybersecurity ERM framework based on the content given in this book.
ACKNOWLEDGMENTS First and foremost, we want to express our gratitude to our families for their unwavering support throughout the creation of this book. We'd also want to express our appreciation and thanks to the numerous people who have assisted us in learning and practising enterprise cybersecurity risk management in academia and business over the years. Additionally, my special thanks to John Sturdy, my colleague and coauthor on my many journal and conference papers, for helping us network with the numerous organisations that have helped in providing information and encouragement in the writing of this book. We could not have done this without your help and passion for networking. An additional thanks to La Trobe University for the opportunity to share our knowledge and insights on cybersecurity and enterprise risk management with academics and students of the School of Business. Also, special thanks to the many organizations: eGalaxy Solutions Pty. Ltd., Texila College Australia, SERVTAC Chartered Accountants, Shanghai Academy of Social Sciences, National Chung Hsing University, and Career Dragon Pty. Ltd., where we were able to continue teaching, training, and most importantly learning about the many elements of cybersecurity and enterprise risk management. Without these organizations, large and small, that have allowed us to explore and test insight-related concepts in classrooms, projects,
xiv
Kok-Boon Oh, Bruce Ho and Bret Slade
workshops, and consulting engagements over the last decade, this book would not have been possible.
LIST OF ACRONYMS AND GLOSSARY BIA CIA COSO Crisis Crisis management
CCM CCMP
CISO CRO CSP
Business impact analysis. Confidentiality, integrity and availability of information assets. Committee of Sponsoring Organisations of the Treadway Commission. An adverse event caused by the realisation of a risk. A process to prevent or minimise the impact a risk incident can inflict on a company or its stakeholders. The process involves three phases, pre-crisis (planning & preparation), crisis response and postcrisis (recovery). Cybersecurity crisis management. An action plan that instructs the incident response team about a comprehensive approach to managing cyber-attacks before, during and after the incidents to minimize disruptions to business operations. Chief information security officer. Chief risk officer. Cybersecurity strategic plan.
xvi
List of Acronyms and Glossary (Continued)
Cyber incident
A cyber security event, both accidental and malicious, as a result of SND vulnerability that compromises the CIA of an information asset. Cyber risk Risk related to the threats to both digital and physical vulnerabilities of SND leading to a cyber incident or breach, both accidental and deliberate, which could result in losses to a company’s earnings, liability or capital position. CRM The process of analysing, assessing and mitigating cyber security threats. Cybersecurity The practice of protecting both information and noninformation assets that are within cyberspace or can be affected via cyberspace from attacks. Cybersecurity A framework consists of security best practices framework (including standards) that companies adopt for implementing a cybersecurity ERM program to manage cyber risk. Cybersecurity Recommended guidelines, processes and controls standards for the implementation of cybersecurity measures. Cybersecurity Outlines the vision, goals and objectives of the strategic plan organization’s cybersecurity program. (CSP) Data Breach A cyber incident that results in the confirmed disclosure of data to an unauthorised party. EISP Enterprise information security policy EMV Expected monetary value. ERM Enterprise risk management. It is an integrated and layered firm-wide risk management approach covering strategic and operational activities for protecting a company against threats to its business activities.
List of Acronyms and Glossary ERM/ORM ERM/SRM ICT Impact Information security IRP ISO ISMS KPI KRI NIST NIST/CSF
Operational risk management ORM Risk
Risk analysis Risk assessment Risk control
xvii
Operational risk management in the ERM framework. Strategic risk management in the ERM framework. Information and communications technology. A negative consequence from a cyber incident. The security of information assets whether or not the information assets are stored inside or outside cyberspace. Incidence response plan. International Organisation for Standardisation. Information Security Management System Key performance indicators. Key risk indicators. National Institute of Standards and Technology. The National Institute of Standards and Technology’s framework for improving critical infrastructure cybersecurity. The continual cyclic process of implementation of risk controls and decision-making involving risk identification, risk assessment, risk mitigation, and risk monitoring and reporting. Operational risk management Quantifiable uncertainty/threat using a combination of probability of an event and its adverse consequences. Systematic use of information to identify sources and to estimate the risk (ISO/IEC 2002). The overall process of risk quantification and risk evaluation. The action taken by a firm to eliminate, reduce or optimise threats.
xviii
List of Acronyms and Glossary (Continued)
Risk evaluation
The process of comparing the estimated risk against given risk criteria to determine the significance of risk (ISO/IEC 2002). Risk To explore and investigate the corporate risk identification landscapes for threats. Risk Typically includes risk identification, risk management assessment, risk treatment, risk acceptance and risk communication, including exchange or sharing of information about risk between the decision-maker and other stakeholders (ISO/IEC 2002). Risk mitigation Applying risk treatment with a prospective view of balancing risk and opportunity. Risk The process of tracking and evaluation of the levels monitoring of risk in a company to help create new strategies and update older strategies that may have proved to be obsolete or ineffective. Risk reporting The communication of risk information to the relevant stakeholders in the company. Risk treatment Treatment process of selection and implementation of measures to modify risk (ISO/IEC 2002). RP Recovery plan. SND Systems, networks and data. SRM Strategic risk management. Strategic risk The process of planning the control of any risk that management affects a company's business strategy, strategic objectives and strategy execution. TRM Traditional risk management Threat An exposure to a risk event that might result in a financial loss or harm to a company. Vulnerability Weakness of SND or their safeguards that expose the company to cyber threats or attacks.
Chapter 1
CYBER THREATS AND ENTERPRISE RISK 1. INTRODUCTION Cyber risk management is becoming an essential aspect of an organization's major management capabilities. The recent incidents of large-scale cyber incidents involving the compromise of critical systems, networks, and massive data breaches highlight the need for a focused and comprehensive cyber risk management approach within the broader enterprise risk management (ERM) function. Therefore, it is important that organizations design and implement an effective risk management structure and process that is consistent with best practice to allow a systematical coverage of the diversity of cyber risks internal and external to the organization. This measure is often referred to as cybersecurity, which is about protecting an organization's Internet-connected systems such as data, software, and hardware against unauthorized access or damage. Cybersecurity involves implementing risk management measures to strengthen both cybersecurity and physical security for safeguarding the organization's digital assets. This book discusses the enterprise risk management concepts as they pertain to cyber threats and provides a holistic cyber risk management framework within the broader enterprise risk management function of an
2
Kok-Boon Oh, Bruce Ho and Bret Slade
organization. As the two types of enterprise risk functions cannot be addressed in isolation, this book takes the reader through the process of developing an integrated and structured approach for enterprise cyber risk management (CRM) in the context of ERM by describing the foundations of risk management, the policies and processes, the risk factors, cyber threats, the vulnerable assets, and best practices for managing critical information assets. This book posits that ERM and CRM alignment can provide management with a cohesive and effective organizational risk strategy (Frosdick, 1997), albeit the challenges. Therefore, this book attempts to analyze and highlight the theory, frameworks, standards, best practices, and processes associated with the effective implementation of enterprise risk management in an integrative approach as applied to cybersecurity. We adopt and follow the ERM framework presented in Oh, Ho, Pham, Huang & Wang (2018), which delineates enterprise risk management into strategic and operational activities. This book will adapt the ERM model to address cybersecurity by benchmarking with ISO 31000 for strategic risk management and the National Institute of Technology and Science (NIST) Cybersecurity Framework for operational risk management by incorporating the processes and best practices for an effective cybersecurity ERM framework. It is not within the scope of this book to dwell on the technical elements of information technology or the behavioral psychology of cyber threats or attacks. The intent is to present and analyze the key concepts and constructs that form the foundations of an effective and practical enterprise cybersecurity management framework. This chapter starts by defining the general concept of corporate risk by introducing the need for risk management and different types, definitions, and dimensions of risk. It explains the difference between concepts of uncertainty, threat, and risk and how and where the dangers exist within the corporate environment, and the inherent threat to businesses. The new phenomenon of cyber risk is discussed in its presence in the enterprise risk landscape. The concept of enterprise risk management is explained as a strategic business planning and management approach for enhancing decision-making and value.
Cyber Threats and Enterprise Risk
3
2. WHY IS RISK MANAGEMENT IMPORTANT? Under Modigliani and Miller's (1958) perfect market conditions, corporate financial decisions do not influence the value of the firm. Since corporate risk management is a part of the firm’s financing policy, it is therefore irrelevant because investors can alter their holdings of risky assets by themselves to avoid any adverse impact on their wealth position. So why is corporate risk management important if it does not add value? ERM scholars counter by arguing that corporate risk management is relevant because capital market imperfections cause risks to impose real costs on firms and ERM can increase firm value by reducing aggregate risk (Lam, 2001; Segal, 2011). The traditional risk management (TRM) approach is usually used after an incident has occurred to prevent the same circumstance from occurring again. TRM mainly focuses on insurable risks and adopts a silo approach for managing risk that is compartmentalized. Using this approach, an organization excludes all exposure linked to business risk from its scope, rarely draws relative comparisons among its risks to understand how they interact with one another or to assess their overall impact on the organization. ERM, on the other hand, is a forward-looking approach and tries to predict prospective threats events, and circumstances that may or may not materialize. Risk management has become critical in a rapidly changing economic environment and the need for corporate accountability. The business world is getting more complex for risk managers due to globalization, advanced technology, and new developments in finance. Cyber risk is a critical risk factor facing the corporate world today and it can cause a company to suffer a loss of revenue from harm to its reputation, products, supply chains, customer service, and other areas. Hence, effective risk management offers significant benefits and value to business enterprises and their stakeholders (Didraga, 2013). An important benefit of risk management is to reduce cash flow volatility which helps organizations avoid liquidity risk and allow more productive funds to be invested for higher returns (Froot, Sharfstein & Stein, 1993; Nocco & Stultz, 2006).
4
Kok-Boon Oh, Bruce Ho and Bret Slade
Risk management practice ensures that organizations understand and prioritize potential risks for better decision-making to help them achieve strategic goals. The conventional classification of risk management is that of risk identification, assessment, prioritization, mitigation, and reporting (Coyle, 2014; Calandro, 2015). In a report by KPMG Australia (AFR, 2015) titled, "Business Risks are Getting Bigger and Faster," the risk to businesses from technology, terrorism, natural disasters, global financial crisis, and geopolitical turmoil is ever-growing. The way these risks manifest themselves in an organizational context differs because of how they interact with each other and with the other risks in the organization. Therefore, there has been a shift lately to focus on risk control strategy in an organizational context where it is aligned to the organization’s business mission, goals and objectives, and core values to achieve its vision1 (Figure 1.1). Therefore, there is a need for an effective enterprise risk management process for firms to be able to quickly identify, quantify, mitigate and report risks, in line with the organization’s objectives. ERM encourages risk control in an integrated way by asking what and why risks are important to the company's performance. It is a continuous, forwardlooking process that integrates both business and technical management for addressing risk issues that can potentially jeopardize the fulfillment of essential goals. Figure 1.1. depicts a taxonomy of the strategic risk management (SRM) and operational risk management (ORM) processes where the corporate vision, goals, and objectives are aligned with the operational functions of identifying, assessing, mitigating, and communicating risk (Elliot, 2019). The four steps in the ORM can be further categorized into activities relating to “risk awareness” and “risk reduction and reporting” (Figure 1.1.). Risk awareness entails the process that is capable of identifying and assessing corporate risk exposures to recognize the potential for risks within the organization. The firm must have determined 1
A vision describes the company's desired future position and a mission explains what the organization’s goals and objectives are, and how it plans to achieve them. A company’s statement on aims, goals, and values reflects elements of its mission and vision statements.
Cyber Threats and Enterprise Risk
5
a risk-return trade-off balance for it to undertake informed risk mitigation strategies. The risk-return balance is used to assess the acceptable risk levels, and once management has formed expectations about the severity of the risk the mitigation process begins. Mitigation involves choosing the appropriate risk treatment that includes the selective use of various tools and techniques to protect the organization’s assets. Organisational Risk Strategy Vision, Mission & Objectives
Identification
Assessment
Risk Awareness
Mitigation
Reporting
Risk Reduction & Reporting
Figure 1.1. Business strategy and risk management alignment.
The risk reduction and reporting category relates to risk mitigation and reporting of risks, respectively. Risk reduction involves carrying out risk control actions to reduce or minimize the frequency or severity of potential losses. The risk reduction step involves making decisions on whether the corporation should treat, tolerate, terminate or transfer (4Ts) the risk exposure. Having made this decision, the enterprise risk strategy necessitates the company to report to management and the risk team the status of each risk situation and any necessary adjustments to address changes in risk conditions (Ho, et al., 2010).
3. CYBER RISK AND CYBERSECURITY The critical role of the digital economy for firms to gain a competitive edge and expand their business has raised serious concerns about information security. Von Solms & Van Niekerk (2013) define
6
Kok-Boon Oh, Bruce Ho and Bret Slade
information security as protecting information assets that reside inside or outside cyberspace and cybersecurity relates to the vulnerability of information and non-information assets embedded within cyberspace. Information security has undergone two major changes; initially, it was the need for “computer security” (Madnick, 1978) and subsequently “network security” with the introduction of distributed systems and networks (Stalling, 2017). The proliferation in the use of technology in our personal lives and business has seen greater connectivity in the way we interact with each other on our smart devices, which are collectively referred to as the Internet of things (IOTs). This has caused greater concerns about information security from among stakeholders due to the scope and scale of such usage. Technology threats constitute one of the "fastest-changing risks to the global and local economies" and “cyber-attacks and disruption of the digital economy by malevolent actors is a growing problem that changes in technique and capability every month” (Cambridge, 2016). Cyber risk refers to the risk of an enterprise to financial loss due to disruption or damage from the failure of its information technology systems and to its reputation. Digital threats of cyber-attacks by hackers are attempts to breach an organization's digital assets to compromise to change or destroy sensitive information or interrupt normal business processes for malicious intents. Therefore, an effective cyber risk management system minimizes cyber disruptions to business operation by reducing cash flow volatility that firms can reinvest funds back into the business for growth. Cyber risk comprises a group of risks that differ in dimension, technology, methods of attack, and means. In an enterprise risk management context, cybersecurity predicates on human factors (people) and non-human factors (hardware and software) and comprises the use of both virtual and physical security measures against unauthorized access to corporate information infrastructures. Information security, which is about the protection of the confidentiality, integrity, and availability of systems and data, is a subset of cybersecurity.2 2
Von Solms and Van Niekerk (2013) distinguish information security as relating to the human factor in the context of “the role(s) of humans in the security process” and cybersecurity
Cyber Threats and Enterprise Risk
7
Generally, cybersecurity is about protecting an enterprise's internetconnected digital assets such as systems, networks, and data from digital threats. It includes the protection of hardware, software, and data against unauthorized access to data centers and other computerized systems to prevent unauthorized access, modification, or deletion of data. Von Solms and Van Niekerk (2013) describe cybersecurity as “the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization, and users’ assets.” This protection is related to maintaining the confidentiality, integrity, and availability (CIA) of the organization's information, which is commonly referred to as the CIA triad or the three pillars of security. The cybersecurity risk management function incorporates a combination of policies, processes, practices, and technologies to protect systems, networks, and data from unauthorized access, attack, and damage.
4. CYBERCRIME AND CYBER-TERRORISM Both cybercrime and cyber-terrorism are similar in that the perpetrators use computer or information and communication technology (ICT) to carry out an illegal act (Holt, 2012). However, it is important to bear in mind that cyber-terror should not be confused with cybercrime. While cybercrime may degrade and destroy the capability of individuals, organizations, or the state, and it may terrify its victims, it is executed for reasons that are not political. These may be for (and not limited to), financial gain, individual notoriety, or access to information; it does not, therefore, fit within the generally accepted definition of cyber terrorism.
having an additional human dimension “as potential targets of cyber-attacks or even unknowingly participating in a cyber-attack.” Human factors play an important part in the cyber risk environment about their role in providing the leadership and resources in the risk control processes and this distinction is useful when studying the human aspects of cybersecurity.
8
Kok-Boon Oh, Bruce Ho and Bret Slade
Foltz (2004) defines cyber-terrorist attacks if they are intended to "interfere with the political, social or economic functioning of a group, organization or country." There is no unified definition of cyber-terrorism but the literature indicates a common understanding that computers and telecommunications networks form a vector through which malicious parties may seek to interrupt, degrade or destroy the capabilities of a nation-state or its instruments for politically motivated reasons. Holt (2012) argues for a broader definition of cyber-terrorism to “provide a much more comprehensive framework for exploring the ways that extremist groups utilize technology in support of their various agendas.”
5. WHAT IS ENTERPRISE RISK MANAGEMENT? Enterprise Risk Management (ERM) is defined by the word enterprise, which has a distinct connotation from Traditional Risk Management (TRM). The concept of ERM is explained as a strategic business planning and management approach for enhancing decision-making and corporate value. The term “enterprise” refers to a business-wide approach to risk management that is driven by high-level goals and implemented via integrating tools and procedures across all corporate departments. The term “integration” refers to the process of changing a company's operations, adapting its capital structure, and utilising certain financial instruments (Meulbroek, 2002). There are numerous definitions in the market of what constitutes enterprise risk management and the International Standards Organization (ISO) in ISO 31000 defines enterprise risk management as an integral part of organizational processes as well as a part of decision making and the Association of Insurance and Risk Managers in Industry and Commerce (AIRMIC) provides a functional description of ERM as a management tool that enables an organization to formally drive a process for continuous improvement of its risk control capabilities in a changing business environment. Other characteristics in the literature for ERM include describing it as a comprehensive and robust risk management tool,
Cyber Threats and Enterprise Risk
9
compliance process, holistic approach, control structure, strategic framework, and management response to changing environment. The Committee of Sponsoring Organizations of the Treadway Commission3 (COSO) published an Enterprise Risk Management (ERM) standard in 2004. The COSO ERM cube is a well-known risk management framework for undertaking ERM4. It points out that ERM is an ongoing process that applies risk management practices in a strategy setting across the enterprise. It is designed to include a series of risk mitigation activities from the identification of potential threats to monitoring and managing risk within its risk tolerance to provide reasonable assurance for the achievement of business objectives. In the context of cybersecurity, it is about developing a strategic capability to optimize and enhance the organization’s value by protecting its most valuable business systems, networks, and data that are often vulnerable to cyber-attacks. ERM is a systematic strategy to identify, assess, mitigate and monitor any threats or risks of a digital, financial, and operational nature that may disrupt an organization's objectives and operations. It emphasizes a holistic approach to gaining a systematic understanding of the complexities of risks to control them as opposed to the “silo” approach of TRM. By controlling risk, a company can optimize the expensive equity capital needed to support its operating risk cost (Nocco and Stulz, 2006). While enterprise risk management is gaining global acceptance among practitioners and industry, others still have reservations. The following are comments made about ERM:
“Enterprise risk management is an enigma.” (Corporate Compliance Insights) “... enterprise risk management processes are relatively immature and ad hoc.” (North Carolina State University)
The Committee of Sponsoring Organizations Board published in 2004 “Enterprise Risk Management—Integrated Framework” as a reference to help organizations manage risk. Information about COSO can be obtained at https://www.coso.org/Pages/default.aspx. 4 COSO is popular among practitioners because it is linked to the Sarbanes-Oxley requirements for companies listed in the United States. 3
10
Kok-Boon Oh, Bruce Ho and Bret Slade
“… the state of development of ERM in non-financial companies is at a relatively immature stage.” (Standards & Poor’s)
While ERM is a relatively immature practice (Slagmulder & Devoldere, 2018; AICPA, 2020) that is still evolving, nevertheless, it offers a strategic, integrated, structural, and systematic approach to address organizational risk exposure and its innate challenges. A successful ERM system requires strong leadership and alignment to business objectives and functions. Essentially, enterprise risk management (ERM) is a strategic risk control process for assessing risks in an integrated, structured, and systematic manner to identify, quantify, mitigate and report risk that poses a financial threat to a company. Due to the difficulty to identify and understand strategic risk there is no particular definition for it (Mango, 2007). Deliotte (2013) defines strategic risks as those that are influenced or produced by a company's business strategy and strategic goals. The goal of an ERM program is to acknowledge and understand, in a holistic approach, an organization's risk exposure, tolerance for risk, and capability to manage it. The ERM architecture implies a structural process that has a top-down and bottom-up approach for managing risk.
6. UNCERTAINTY, THREAT & RISK Risk is a multidimensional concept and, essentially, enterprise risk is the uncertainty of future outcomes measured against some future objectives, such as the uncertainty of future cash flows for a firm, and it is therefore associated with the uncertainty with an event in the future that is unpredictable today. Thus, “uncertainty is a state of not knowing whether a proposition is true or false” (Holton, 2004). Uncertainty presents both risk and opportunity. Uncertainty can destroy value as well as provide an opportunity for value creation. All enterprises face uncertainty, to varying degrees, and this poses to management the need in determining the level of uncertainty to accept for
Cyber Threats and Enterprise Risk
11
growing stockholder value. It is a business tenet business that the greater the risk associated with a decision, the greater the reward that decision will yield. While uncertainty is an abstract concept, "risk" is quantified uncertainty measured on two scales, impact and frequency. Impact refers to the intensity or magnitude of damage or loss, whereas frequency is the likelihood of damage, loss, or a missed opportunity. In the context of cybersecurity, fear of uncertainty emanates from the vulnerability of an organization’s information infrastructure that may pose a threat of an adverse cyber event. Vulnerability refers to the likelihood of a cyber-attack due to the weakness in hardware or software of the information infrastructure that could result in the compromise to any of one of the elements within the CIA information security triad. Therefore, cyber threats are the particular uncertainties or dangers that create the potential for cyber risk. Risk is a combination of vulnerability, fear of uncertainty, threat, and potential loss (Figure 1.2). Therefore, leveraging information technology for business poses uncertainty and opportunity to the enterprise with the potential to cause harm or gain to the organization. It is generally accepted that uncertainty is an abstract concept and “risk” is quantifiable uncertainty in terms of its outcome (threat) and probable frequency of occurrence (vulnerability). Risk is quantifiable and refers to the potential loss to the enterprise if it occurs. An evaluation of uncertainty using assessment techniques will allow an organization to recognize whether it constitutes a unique or critical risk to the enterprise. The “immediacy of exposure is critical” for defining what is exposure and “current exposure depends on what would be your current preferences (Holton, 2004).” Figure 1.2 depicts the connection between information infrastructure vulnerability and risk exposure.
Figure 1.2. Cybersecurity uncertainty and risk.
12
Kok-Boon Oh, Bruce Ho and Bret Slade
Risk is the probability of an adverse event occurring with the potential to result in loss to exposed firms. There are many other definitions of risk and the International Organization for Standardization (ISO) in ISO 310005 defines risk as “the effect of uncertainty on objectives” and “an effect is a positive or negative deviation from what is expected.” The classical exposition of the concept of risk is by Knight (1921) in which he defined risk as “measurable uncertainties.” Knight (1921) describes risk as “unknown outcomes whose odds of happening can be measured or at least learned about” and uncertain events are those that “we do not even know how to describe” (Quintana, 2012). Risk is a condition in which there is a possibility of an adverse deviation from a desired or expected outcome. Black (1995) regards risk as the uncertainty surrounding the return at market value on “composite capital” invested by shareholders in a company. According to Holton (2004), risk is the exposure to a proposition of which one is uncertain and that “risk entails two essential components of exposure and uncertainty.” A cyber risk exposure from the use of information technology systems is caused by a threat that is defined as damage or disruption to the business operation that can result in potential losses. Therefore, cyber risks are distinct from cyber threats, which are the specific hazards that give rise to the possibility of cyber risk. Cyber threats such phishing, trojan horse and vulnerability exploitation are possible routes for loss of digital asset confidentiality, integrity, and availability in the context of enterprise cyber risk. The principal cyber risks to an organization are business operational risk from loss due to system downtime, data loss, reputation risk from loss because of harm caused by a cyber-attack to an organization’s reputation or public image, fraud, financial crime and, legal and compliance risk from loss resulting from legal action taken against a firm for breaching the law or regulatory requirements. Employees must understand the severity of enterprise cyber risk and appreciate the responsibility to undergo training covering the risks 5
ISO 31000, Risk Management – Guidelines, provides principles, a framework, and a process for managing risk. It can be used by any organization regardless of its size, activity, or sector. https://www.iso.org/iso-31000-risk-management.html.
Cyber Threats and Enterprise Risk
13
associated with their roles in the use of computers to prevent compromise (Hectus, 2016). Therefore, an enterprise needs to make sure that "communication is timely and relevant and mandatory" (Hectus, 2016)) by properly disseminating, explaining, and training employees in the organization on cyber risk management policies to minimize information security weaknesses and uncertainty. Employees should also have access to review the relevant policies and can demonstrate that they understand the content and their roles and responsibilities according to the policy document.
7. RISK TYPES AND DIMENSIONS Companies typically categorize enterprise risk into financial risks, operational risks, and regulatory risks. There are generally five types of business risk identified in risk management literature, being market risk, liquidity risk, credit risk, operating risk, and legal risk. In today's digital world, cyber threats compound each one of these risks from an information technology usage perspective (Figure 1.3). Each of these five risk types has an underlying cybersecurity implication to it because of the widespread adoption of technology in the economy. These five types are not the only categories of risk but they do capture the main business risks in the market, but the enterprise risk identification process should consider all types of risk relative to these categories. The different dimensions of risk provide for a better understanding of the impact of risk on the firm. The following lists some of the key dimensions of risk that act as foundations for evaluating the extent of the severity it poses to the organization.
Range of possible outcomes – potential loss or benefit from a risk situation Probability of an outcome occurring – degree of likelihood of a risk event happening
14
Kok-Boon Oh, Bruce Ho and Bret Slade
Time and duration of risk event – length of time a risk remains a threat to the organization or the "dwell time" of an attack in the case of cybersecurity Size of exposure – the severity of the risk impact and the extent of its contagion Volatility – predictability of the risk in terms of occurrence and threat pattern Interrelationships – interaction between different risks Complexity – the difficulty of understanding the nature of a threat and its consequences Manageability – availability of tools to mitigate or neutralize the risk Costs to manage the risk exposure – resource implications of a risk The outcome of risk management – lessons from the risk event and actions the enterprise can take to better protect itself from similar events in the future
Figure 1.3. Risk types.
Cyber Threats and Enterprise Risk
15
For cyber risk, the specific dimensions are interconnectivity, interdependence, and speed. Interconnectivity refers to how extensively systems, networks, and data are interconnected. The wider the interconnectivity the greater the cyber risk exposure due to ease of access and contagion or the attack surface. The more interdependent the cyber assets are the greater the potential disruption to the systems and networks in the event of a cyberattack. Speed suggests how rapidly it would take an attack to breach and permeate the network.
8. RISK AND RETURN Risk is a combination of danger and opportunity. It is not possible to have one without the other. The definition of risk is the possibility of adverse consequences happening and it is associated with potential losses, but there are also benefits to be obtained from taking risks. By taking a risk, the firm will benefit from higher returns and therefore increase the firm's value. While taking a risk may increase the firm's value it can also destroy value. The Chinese symbols for risk below, give a much better description of risk (Figure 1.4.).
危機 Figure 1.4. Chinese characters for “risk.”
The first character is the symbol for “danger” while the second is the symbol for “opportunity.” Therefore, while considering taking a risk, firms must consider the balance between risk and reward and should not take risks that do not commensurate with rewards. For example, while companies benefit from increased levels of efficiency by leveraging the use of technology in their operations this also exposes them to cyber risk. To mitigate cyber risk, organizations should invest in safeguards for the
16
Kok-Boon Oh, Bruce Ho and Bret Slade
benefits of security to avoid the cost of cybercrime. Thus, in the context of cybersecurity risk and return, there are two dimensions to this principle. One is at the source of cyber risk and the other is the return on cybersecurity investments in risk mitigations to protect the organization’s digital assets. Figure 1.5. below depicts these dimensions of the risk and return relationship of cybersecurity in the context of cybersecurity investment. There is a rather extensive body of research on risk and return analysis on cybersecurity investment. Gordon and Loeb created a cybersecurity investment model that has now become a standard in the field (Gordon and Loeb, 2002). The Gordon and Loeb model focuses on information technology with an emphasis on information asset protection. Cavusoglu, Mishra, and Raghunathan (2004) provide an explicit outcome-based cybersecurity investment model that tries to compute a return on IT system security investment. Gordon et al., (2015a) consider real options and external factors (Gordon et al., 2015b) when estimating how much a company should spend on cybersecurity investment.
Figure 1.5. Cyber risk and opportunity nexus.
Cyber Threats and Enterprise Risk
17
Every investment in technology or cybersecurity needs to be justified from the point of view of return. The return from technology used in operations can be measured in terms of cost reduction and/or increased revenue or profits. However, it is more difficult to measure the return on investments made in cybersecurity as they don’t ostensibly suggest any return to the organization. Return on Investments (ROI) made in cybersecurity is rather measured by the benefits of security in terms of prevented losses.
9. SYSTEMATIC AND UNSYSTEMATIC RISKS We can perceive corporate risk as alpha risk or unsystematic risk (the competency of the company’s management) and beta risk or systematic risk (the volatility of the market). Unsystematic risk is firm-specific risk and caused by factors that surround an individual firm and are unique to the firm. Unsystematic risk is the result of variations specific to the firm or industry and is that part of a firm's risk exposure associated with random events; it can be eliminated by proper diversification. Cyber risk can be an example of unsystematic or firm-specific risk. Cyber risks are potential business losses relating to reputational, financial, equipment downtime, operational, productivity, and regulatory as a result of a firm’s digital vulnerabilities. On the other hand, systematic risk or market risk cannot be avoided or diversified away and this is the risk that all firms face because of economywide factors that affect them. Systematic or market risk is that part of the total risk that occurs from the basic variability of the firm's value as represented by its stock price, this tendency of stock prices to move together with the general market cannot be eliminated by portfolio diversification. Systematic risk is measured by beta, which is the slope of the regression line between a stock's returns (the dependent variable) and the returns on the market (the independent variable) over some time. The higher the beta, the riskier the stock due to fluctuating returns.
18
Kok-Boon Oh, Bruce Ho and Bret Slade
A broad application of these risk concepts to cybersecurity would be to perceive the local area networks (LAN) as the domain of unsystematic risk and wide area networks (WAN) as a source of systematic risk. Furthermore, the failure of a single component of a digital system or network can result in larger-scale failures, such as the collapse of essential infrastructure. For example, a successful attack on the core infrastructure of the internet such as the Border Gateway Protocol (BGP) would result in a systematic risk event to an entire country.
10. STANDALONE RISK AND PORTFOLIO RISK Standalone risk is the risk associated with a specific entity or investment. Standalone risk refers to the aggregate or portfolio risk of a single company or a single operating unit, division, or asset, within a company as opposed to a wider, well-diversified portfolio. Cyber risk is only one of the many operational dangers that a company must deal with. Cyber risk is the danger of company losses in the digital realm, including financial, reputational, operational, productivity, and regulatory losses. Losses in the physical realm, such as damage to operating equipment, can be caused by cyber risk. It is critical to emphasise that cyber risk is a type of business risk or standalone risk that primarily affects the firm under attack. However, because of the interconnectedness of systems and networks, some cyber hazards may have a larger attack surface, resulting in digital contagion and systemic failure of these external systems and networks. Portfolio risk is the overall risk of a group of assets. The portfolio risk is normally lower than the sum of the individual risks of the assets in the portfolio where the assets are not highly correlated. The context of portfolio risk management in cybersecurity is one where the risk manager must have a clear understanding of the organization's investment portfolio's aims to set risk targets according to the corporate risk tolerance, risk-reward balance, and objectives, within an ERM setting. Doing so will enable ERM to optimize the enterprise risk portfolio by sharing risk
Cyber Threats and Enterprise Risk
19
information through the ERM reporting channel to implement an appropriate risk treatment strategy, and monitor key performance indicators (KPIs) for the effectiveness of risk mitigation and key risk indicators (KRIs) for caution against risk exposures.
11. RISK TOLERANCE Organizations take risks to drive business growth and the level of risktaking must be balanced with the organization's risk profile that includes its risk tolerance and capability to manage risk exposure within the accepted tolerance. They need to know what are the risk appetite or risk tolerance levels (the terms risk appetite or risk tolerance are used interchangeably) as they act as triggers for action. Risk tolerance refers to the amount of risk that the management is prepared to accept to achieve the corporation’s mandates and priorities. It is part of the enterprise risk management policy that guides managers on the amount of risk the enterprise is willing to tolerate to achieve its objectives. While some organizations are conservative and more risk-averse, others are willing or may need to take greater risk and will have to invest more resources into risk mitigation. There is no single risk appetite that applies to all organizations, nor is there a “right” risk appetite (COSO, 2012). Some managers are risk-averse while others are risk takers creating different perspectives of corporate risk tolerance (the same can be said for investors). Therefore, through the enterprise risk management process, the leadership can set its risk tolerance level and any unwanted exposure may be mitigated and the company is left bearing the residual risk it is willing to assume. If a risk exposure falls within the risk tolerance of the firm, the risk manager doesn't need to take any action. If the risk is greater than the level tolerated by corporate policy, the prudent manager would examine strategies to mitigate the risk faced by the company (Oh, Ho, Pham, Huang & Wang 2018).
20
Kok-Boon Oh, Bruce Ho and Bret Slade
It should be clear as to who is responsible or have ownership for setting the risk tolerance policy in a company. The board of directors (BoD) and senior management should collectively be responsible for agreeing and establishing the cyber risk tolerance policy, including the Chief Executive Officer (CEO), Chief Operating Officer (COO), Chief Information Officer (CIO), and Chief Risk Officer (CRO) in conjunction with the Chief Information Security Officer (CISO). The board needs to have a clear understanding of the organization's risk profile to define a cyber risk appetite statement. The statement must contain specific risk acceptance criteria. Risk appetite is a senior management decision to accept the residual risk having considered all relevant risks and after applying controls to critical risks and it must be communicated throughout the organization. Cyber risk appetite informs and implicates all business units in an organization and justifies continuing cross-functional conversations about its relevancy. Organizations in highly regulated industries like banks tend to possess highly mature risk management practices and therefore have a more established risk tolerance policy. One way to set corporate risk appetite is to identify risks and then assess them based on the impact of each risk if it was to occur. The impact of varying risks is then ranked from critical to, high, medium, and low. This ranking allows a company to establish a threshold on what, and how much it can accept or tolerate for each identifiable risk. Therefore, risk appetite sets the boundaries for determining which risks can be tolerated and prioritizing those critical risks that need to be treated. A business risk appetite policy enables managers to align their risk efforts to achieve business objectives by prioritizing and allocating resources to those areas that the company has the least appetite for risk. For example, for those cyber risks beyond the company's risk tolerance, it enables the CISO to invest in cybersecurity measures to protect the company's vulnerable cyber assets to ensure the company's business is secured at the appropriate costs. Management should also consider mitigation costs when assessing risks to determine their tolerance of them. For some risks, it may cost more to implement risk management
Cyber Threats and Enterprise Risk
21
solutions than to deal with the problem if it occurs. Regardless of whether it is zero or high tolerance for cyber risks, a formal risk appetite policy will guide the CISO and other managers on actions as to how much to invest and devote time to what should be secured.
CONCLUSION The focus of this book is about cyber risk management and it is becoming a big issue for the private and public sectors. The growing use of technology in businesses and the connectivity of smart devices are contributing to increase cyber risk. Risk management has evolved significantly as organizations shift from the traditional silo practice to an enterprise-wide approach and cyber risk control is no exception. As enterprise cyber threat is an emerging risk, some organizations have fully integrated cybersecurity with the enterprise risk management (ERM) function while in other organizations, cybersecurity only has a limited presence in ERM. Ideally, cybersecurity should be treated as a critical risk alongside traditional risk areas such as financial risk, supply chain risk, regulatory compliance, occupational health and safety (OHS) and fraud detection, and so on. Some companies consider cybersecurity risks as part of operational risk in the company's enterprise risk management framework as the cybersecurity threat landscape poses an increasing challenge for chief information security officers (CISOs) and senior management. The cyber threat lurks in the borderless virtual space and creates a risk to companies because of its anonymity and unpredictable attack motivated by political and financial gain. Based on this pretext, the government and industry must work together to develop a robust and formal cybersecurity risk management framework and regulatory regime to protect themselves and others, such as the General Data Protection Regulation (GDPR) that has recently come into force. The rest of this book will address the different aspects of cybersecurity starting with Chapter 2 which deals with the cyber risk environment,
22
Kok-Boon Oh, Bruce Ho and Bret Slade
Chapter 3 explains the ERM functions with their associated components, and Chapter 5 deals with the various standards and regulations relevant for designing and implementing cybersecurity oriented ERM operating framework. Chapters 5 to Chapter 9 covers the operating risk management activities of the ERM process. Last but not least, Chapter 10 discusses the strategic aspects of cybersecurity risk management and proposes an ERM model for this purpose.
Chapter 2
CORPORATE RISK ENVIRONMENT AND CYBER RISK 1. INTRODUCTION The primary objective of the firm is to maximize shareholder wealth and an effective enterprise risk management program enhances corporate value. Financial theory suggests that rational firms would hedge their risk exposure to remove the variability in their cash flows. In today’s digital economy, cyber threats constitute a potential source of variability to the firm's cash flow in the form of losses to earnings, liability, and capital. The significance of this view is that by removing variability firms enhance the predictability in cash flows allowing them to invest in future projects without uncertainty about the negative impact of price fluctuations. Therefore, the corporate management team is responsible to identify, assess, mitigate and monitor all the risk variables that ultimately affect the profitability of the firm. To the shareholders, the risk of the firm is measured by the required rate of return on their equity investment (Ho, Oh, Durden & Slade, 2010).
24
Kok-Boon Oh, Bruce Ho and Bret Slade
The cyber threat is a significant and growing risk facing businesses with 72% of larger US businesses reporting a cyber-attack in the past year and 47% of all US firms experiencing two or more (Hiscox, 2017). This chapter explores the corporate risk environment focusing on cybersecurity and its implications for enterprise risk management. It explains the existent and emerging risk exposure from technology and the inherent risks from cyber threats across corporate functions.
2. CORPORATE RISK ENVIRONMENT The initial stage of an effective risk-management system is to identify and understand the qualitative differences of the types of risks that organizations face (Kaplan & Mikes, 2012). Understanding risk means that companies can consciously plan for the consequences of adverse outcomes and therefore are better prepared for the inevitable uncertainty (Jorion & Khoury, 1996). Corporate or business risks can be perceived as alpha (the competency of the company’s management – i.e., unsystematic risk) and beta (the volatility of the market – i.e., systematic risk) risks. Alpha is a historical comparison of an asset's return on an investment (e.g., a firm) to its risk-adjusted expected return. Beta is a historical measure of volatility and the beta of an asset (such as a stock or a portfolio) is a measure of how it moves in comparison to a benchmark (i.e., a market index). These risks can also be broadly classified into internal risks and external risks according to their source of origin. Generally, alpha or firm-specific risks are internal, and beta or market risks are external risks. Kaplan and Mikes (2012) suggest there are three types of risk being “preventable,” “strategy” and “external,” while Toma and Alexa (2012) identify seven categories of business risk that are considered critical to business enterprises. Alpha or firm-specific risks are those arising from the firm’s operations such as governance, processes and procedures, human factors, supply chain, physical factors, systems and technological factors, liquidity, and production capacity, and marketing methods. They are also known as unsystematic risks from the events taking place within the business
Corporate Risk Environment and Cyber Risk
25
enterprise. Theoretically, these unsystematic risks can be diversified away by holding a portfolio of assets according to investment portfolio management (Markowitz, 1952). Beta or systematic risks emanates from the political and economic environments or events occurring outside the business enterprise. Beta risks are those related to economic factors, natural factors, regulatory and political factors, social trends, legal systems, intergovernmental agreements, competition, terrorist and criminal activities, international health issues, and financial markets. In finance, systematic risk cannot be diversified away by holding a portfolio of assets, and investors are rewarded for taking on systematic risk. Both the systematic and unsystematic risk factors collectively contribute to the aggregate risk exposure of the firm. Modern business technologies permeate all business activities from the board down to the factory floor, which means that many organizations, big or small, treat cybersecurity as a key management focus to prevent harm to their organizations. All ICT processes that support information systems, networks, and data are important digital assets of the organization. Figure 2.1. depicts the corporate risk environment where cybersecurity poses a significant underlying risk to technology-dependent organizations in modern business. Each enterprise has its “own unique business and organizational structure” and “the data used to measure the risk will vary by organization, process, and functionality” (Toma & Alexa, 2012). Likewise, corporate cyber risk exposure is dependent upon the industry, size, structure, and risk profile of a particular enterprise and the main risk concerns are business interruption, data loss, theft of intellectual property, and reputational loss. Generally, larger companies defined as having 250 or more employees are better resourced and prepared to deal with the cyber risk but they are also more likely to be targeted (Hiscox, 2017). Figure 2.1. depicts the corporate risk environment with the pervasive cybersecurity risk influence on the various risk groups and risk categories. The alpha risk or unique risk is firm-specific and only affects the firm and the beta risk is a market-wide risk that impacts all firms. Operational risk relates to potential losses from inadequate or failure of a firm's internal
26
Kok-Boon Oh, Bruce Ho and Bret Slade
processes and people. There are three types of operational risks being technology risk, fraud risk, and human factor risk (Crouchy, Galai, & Marck, 2006). All three risks are relevant to cybersecurity as they define some of the implicit causes of cyber-attacks. Political risk to a firm arises as a result of political instability or change and environmental risk relates to the probability and consequence of a natural disaster or environmental accident. The economic risk or systemic risk is an external risk that is affected by economic factors such as unemployment, income tax, or gross domestic production. Political risk and economic risk can affect the firm through its operations thus creating unwanted risk exposure.
Corporate Risk Environment Cybersecurity Risk
Alpha
Beta
Figure 2.1. Corporate risk environment.
The corporate risk environment contains several layers of cyber threats that are inherent in both the internal (alpha) and external (beta) support infrastructures. Figure 2.1 shows these layers as administration, operation and customer (operations), sovereign and environment (politics &
Corporate Risk Environment and Cyber Risk
27
environment), and market (economics). The supply chain has also become the main concern as a source of cyber risk emanating from third parties such as suppliers and service providers (Starr, Newfrock & Delurey, 2003). Hence, in recognition of the need for risk management actions and resilience to cyber-threats in the supply chain, NIST has recently added a new category that deals with ICT supply chain risk under the 'Identify' function of its NIST/CSF framework. The “Global Risk Management Survey 2017” report by Aon Corporation presents the top 10 risks in 2017 and those projected for 2020 (Table 2.1). The top four risks have underlying technology implications and as a consequence, they are likely to have inferences to cybersecurityrelated issues. The reported top 10 risks are as follows6: Table 2.1. Top 10 risks in 2017 & 2020 2017 Top 10 Risks 1. Damage to reputation/brand 2. Economic slowdown/slow recovery 3. Increasing competition 4. Regulatory/legislative changes 5. Cybercrime/hacking/viruses/malicious codes 6. Failure to innovate/meet customer needs 7. Failure to attract or retain top talent 8. Business interruption 9. Political risk/uncertainties 10. Third-party liability (inc. E&O)
Projected 2020 Top 10 Economic slowdown/slow recovery Increasing competition Failure to innovate/meet customer needs Regulatory/legislative changes Cybercrime/hacking/viruses/malicious codes Damage to reputation/brand Failure to attract or retain top talent Political risk/uncertainties Commodity price risk Disruptive technologies/innovation
Aon (2017) reveals new driving factors such as cyber-crimes that have evolved from stealing personal information and credit cards to hacking and coordinated attacks on critical infrastructures. This changing situation requires an array of new strategies, techniques, and tools to counter the new complexities of risks.
6
Global Risk Management Survey 2017. http://www.aon.com/2017-global-risk-managementsurvey/pdfs/2017-Aon-Global-Risk-Management-Survey-Full-Report-062617.pdf (accessed 15/10/2020).
28
Kok-Boon Oh, Bruce Ho and Bret Slade
3. CORPORATE CYBERSECURITY As business increases the use of the Internet to conduct operations, corporations need to implement effective cybersecurity measures to protect their systems, networks, and data from cyber-attacks. Cybercrime involves using computers on the Internet to break the law such as disrupting business operations by attacking corporate business systems, stealing data, and illegally accessing information to carry out identity theft and fraud for financial gain. Corporations have largely focused attention on the threat of data and privacy breaches, the emerging threats in the corporate cyber environment are more diverse and complex. Cyber risk exposures are already threatening businesses in the form of business interruption, intellectual property theft, and cyber extortion from a potential cyber-attack. These types of cyber threats can result in the business suffering financial losses due to reputation and brand damage, fraud, disruption to business, incurring extra costs to restore affected systems, and compliance in notifying the relevant authorities of the breach. To be on top of the game, firms should adopt a risk-based systems approach that integrates the “physical, information, cognitive, and social domains” to better understand and manage cybersecurity (Collier, Linkov & Lambert, 2013).
4. IMPACT OF TECHNOLOGY The global economy has undergone a significant change in the last two decades from one which was based on traditional land, labor, and capital to include information technology as another indispensable factor of production. The digital world embraces information and data processing as an inalienable part of the modern business model. The technological world is rapidly evolving with more connectivity, interdependence, and speed of business networks. This development is largely driven by artificial intelligence (AI), quantum computing, cloud solutions, 5G
Corporate Risk Environment and Cyber Risk
29
communication, the Internet of Things (IoT), the use of robotics in manufacturing, big data, and automated logistics. Leveraging technology enables companies to become more efficient in terms of cost, productivity, and reach which enhances business competitiveness. For example, network technologies have globalized information communication changing the ways enterprises conduct their global value chain activities and business models. Also, cloud computing has allowed more storage space and reduced costs. However, these benefits also increase the cyber risk exposure of the organization’s systems, networks, and data. Enterprises are experiencing a large number of cyber breaches, threats, and attacks, and there is a growing urgency for them to act swiftly and with precision to prevent disruptions to their operations and bottom-line. Sensitive data may be at risk of financial fraud or identity theft if it falls into the wrong hands. With the increasing use of technologies in business and our lives, large amounts of information are generated and shared online. The rapid rise of incidents such as data breaches, malware, phishing, ransomware, DDoS, trojans, and social engineering attacks have already created many challenges for these enterprises.
5. CRITICAL SYSTEMS, NETWORKS, AND DATA The three main aims of cybersecurity are described as protecting the “Confidentiality, Integrity and Availability” of information commonly known as the CIA triad (or CIA model). Cyber RM protects confidentiality by keeping sensitive information private, integrity by maintaining consistency of systems, networks & data, and availability to free authorized access of an organization’s information systems. The critical information assets of a company can be categorized as systems, networks, and data. Critical assets and sensitivity levels differ significantly among companies and industries as certain systems, data, systems, and applications are more vulnerable than others (McKinsey, 2017). A successful cyber-attack on critical assets will lead to business
30
Kok-Boon Oh, Bruce Ho and Bret Slade
operational disruption, loss of reputation, or compliance infringement, which will likely result in economic losses to the company.
5.1. Critical Systems The first step in ERM is being able to identify the organization’s critical systems, networks, and data. The Business Impact Analysis (BIA) method (Chapter 6) is widely used for identifying critical systems, networks, and data, and prioritizing their criticality to business operations. A critical system is one whose failure could endanger the existence of the organization that runs it, the environment it operates in, or human lives (Koski & Mikkonen, 2015). Respectively, they are referred to as missioncritical, business-critical, and safety-critical systems. Mission-critical systems are charged with carrying out the functions of organizations for achieving their stated objectives; a failure would result in an organization's incapacity to carry out its core operations. A business-critical system has a special role to play in the efficient delivery of a company's services and downtime would interrupt service delivery and result in economic losses. Table 2.2. Industry critical systems Industry Retail Education
Finance
System Point-of-Sale (POS) Learning Management Systems Industrial control systems (ICS) (e.g., Supervisory Control and Data Acquisition (SCADA) systems) Avaloq Core
Healthcare Aviation
Healthshare ERP systems
Power, utilities, and manufacturing
Purpose For processing customer payments. For conducting planning, delivery, and assessment of online learning. Control industrial processes where hardware is integrated with the software.
Fintech integration and consolidation of services. Storing health records. To consolidating compliance, flight time tracking, inventory control, manuals, service bulletins, and maintenance schedule.
Corporate Risk Environment and Cyber Risk
31
A safety-critical system safeguards the physical safety of a company's employees as well as the environment. Table 2.2 presents some examples of industries and their critical systems.
5.2. Networks An information network is a collection of two or more computers that are connected to share data and resources such as printers and hard drives. It's also known as a computer network. Networks help to transmit data in and out of the organization. The most common type of computer network used for company administration is a local area network or LAN. LANs, also known as Ethernet (wired) or Wi-Fi (wireless), are networks that have restricted connections to devices that are close to each other. A wide area network (WAN) is a huge computer network that connects multiple computers across long distances. Large corporations frequently utilize wide area networks (WANs) to connect their office networks; each office normally has its LAN, which connects via a WAN. The Internet is a WAN in and of itself.
5.3. Data Data deemed critical to an organization's success or that must be preserved for regulatory purposes is referred to as critical data. The organization's servers house large amounts of confidential information that is accessed and used throughout the organization daily. Examples of critical data are employee information, customer data, operational data, intellectual property data, financial data, and any personal information that is covered by data-protection laws. The raises the question of how to restrict access to keep this information confidential. Confidentiality refers to restricting access to networks and data to authorized personnel only. Unauthorized access is often prevented by using data encryption
32
Kok-Boon Oh, Bruce Ho and Bret Slade
algorithms such as RSA7, AES (Advanced Encryption Standard)8 and Twofish/Blowfish9. Encryption alters the stored information thus making it incomprehensible and therefore unusable to unauthorized users.
6. HUMAN FACTORS Cybersecurity predicates on human factors (people) and non-human factors (hardware and software) because cyber-attacks are intended to cause confusion and information overload to influence human behavior (Cayirci & Ghergherehchi, 2011). Human factors play an important part in the cyber risk environment about their role in providing the leadership and resources in the risk control processes as well as a vulnerable factor in exposing the enterprise to cyber risk exposure. Organic personnel should be taken seriously in developing a holistic and effective cyber risk framework for the company. The recent WannaCry ransomware attacks epitomize how the human factor played a major role in making businesses worldwide vulnerable. Therefore, the human factors of cybersecurity represent the human activities or actions (or non-actions) that result in a malicious hack or data breach. NIST/CSF (2014) under its Protect function in subcategory PR:IP11 prescribes cybersecurity should be included in human resources practices. Humans are the weakest link in the enterprise cybersecurity chain (Dodel & Mesch, 2019). Humans are currently the greatest threat to data security and are putting the businesses at risk, whether due to the impact RSA algorithm is named after its designers in the 1970’s. Ron Rivest, Adi Shamir, and Leonard Adleman: Rivest-Shamir-Adleman working for the Massachusetts Institute of Technology came up with the encryption method. 8 It was designed in 1998 by the Belgian cryptographers, Vincent Rijmen and Joan Daemen. Its original name was Rijndael. NIST chose AES as the new encryption standard as it was declassified and was deemed 'capable of protecting sensitive government information well into the next century. It is popular for its easy implementation. 9 Twofish is a successor to Blowfish. Both methods are developed by the same designer, Bruce Schneier. Blowfish was designed in 1993 as a general-purpose algorithm and the security of the cipher has been tested and proven in time. Both methods are symmetric meaning they use the same key is used for enciphering and deciphering. Both encryption methods are not been patented and are free to use. 7
Corporate Risk Environment and Cyber Risk
33
of externalities (Anderson & Moore, 2006; Gordon, Loeb, Lucyshyn, & Zhou, 2015), intentionally, through their carelessness or lack of knowledge (Hadlington, 2017). There is a paucity of information about the correlations between human behavior and cybersecurity. Although technological advances and cybersecurity challenges transcend national borders, more research is needed on the implicit role played by countryspecific factors on humans such as culture (Henshel, Sample, Cains, & Hoffman, 2016), demographics (Klimoski, 2016; Lau, Pastel, Chapman, Minarik, Petit & Hale, 2018) or legal regime to improve cybersecurity risk management. A proactive approach is needed for businesses to plan and invest the human component of cybersecurity to avoid attacks that can cost the organization millions of dollars. Cyber risk awareness is the first line for the defense of a company's digital assets. Human fallacies such as carelessness, lack of knowledge, haste, misinformation, susceptibility to social engineering trickery are targeted and exploited by cybercriminals. Most cyber-attacks on employees are cleverly designed and targeted through social engineering to prey on vulnerabilities using techniques that are proven to have a high rate of success.
7. CYBER RISK LANDSCAPE Cyber risk management has become a severe preoccupation for large organizations and the public sector. The growing use of technology in businesses, smart devices (e.g., smart home appliances), and personal mobile devices, like tablets, smartphones, watches, and glasses, are contributing to increase cyber risk. The embrace of the digital economy has exposed companies to the potential of the loss of confidentiality, integrity, and availability of proprietary information from cyber events, both accidental and deliberate. Cyber threats can manifest in different ways that may involve human and/or non-human intervention. There are four categories of cybersecurity issues are access to information systems, secure communication, security management, and development of secure information systems (Siponen & Oinas-Kukkonen, 2007).
34
Kok-Boon Oh, Bruce Ho and Bret Slade
The cyber risk landscape has seen a dire change in the methods of cyber-attacks on organizations. An objective assessment of the organization's cyber landscape is necessary to identify and mitigate any cybersecurity gaps and threats. The distinction between internal and external digital architectures of organizations has become a blur with the rise of the Internet of Things (IoT), the proliferation of mobile devices, and third-party cloud services. The extension of the digital borders has made it harder to protect against hackers as they exploit the expanding attack surface where there is no clear line of defense. Many organizations believe the perimeter is the frontline of defense10 but it is only one component of the overall cybersecurity strategy. Defending a network and its data that requires many levels of security is known as defense in depth. The cyber landscape can thus be summarised as follows:
The interconnectedness between various parties to conduct various business activities created a diverse cybersecurity risk landscape; All business entities are exposed to the challenge of dealing with cyber risk; Cyber threat is considered to affect only information assets but the increasing use of physical systems that are integrated with cyber online systems allows cyber-attacks to impact the physical sphere; The Internet of Things (IoT) refers to physical devices that are connected through the internet and thus integrate the cyber world with the physical world, and These smart and mobile devices are augmented with communications, information storing, and sensory technologies.
7.1. Cyber Threat, Vulnerability, and Risk ISO 27000 (2014) defines cyber risk as “information security risk is associated with the potential threats that will cause vulnerabilities of an 10
Perimeter defense is one level of protection for an organization's network against cyberattacks, and it acts as a firewall against external threats.
Corporate Risk Environment and Cyber Risk
35
information asset or group of information assets to be exploited and thereby cause harm to an organization.” NIST (2002) describes cyber risk as “IT-related risks arise from legal liability or mission loss due to: (i) Unauthorized (malicious or accidental) disclosure, modification, or destruction of information; (ii) Unintentional error and omissions; (iii) IT disruptions due to natural or man-made disasters; (iv) Failure to exercise due care and diligence in the implementation and operation of the IT system.” Cyber threats have become a major concern for both the public and private sectors with recent attacks such as the ransomware attack on National Health Service Trusts11 in May 2017 and the Yahoo breach12 in December 2016 that caused major disruptions to business, and the Dyn13 attack, which saw IoT devices turned into a huge botnet that brought down several online services. Cyber-attacks are increasing in scale and severity, and organizations are starting to recognize that they are now a matter of when not if. Cyber threats can manifest in the forms of loss of data/confidentiality, cyber extortion or ransomware, network downtime, theft of intellectual property, human error, virus transmission, internal sabotage, and hacker attack. They can also result in the destruction or corruption of financial records, email records, customer records, employee personal information, trade secret, and supply chain files. The management literature defines the concept of a threat as an external risk factor to an organization. However, in the context of cybersecurity threats refer to circumstances or events, that originate from external or internal sources, with the potential to result in losses to an organization by way of their outcome. Whilst vulnerabilities in an organization’s information systems, networks or servers, or cybersecurity measures are weaknesses that can be exploited to make threat outcomes possible that can cause damage or loss. A cyber threat can manifest itself in the form of a security incident (an attack) or a breach. An act that seeks
11
The United Kingdom. One billion accounts held at Yahoo were compromised. 13 On October 21, 2016, Dyn was targeted in a series of distributed denial of service attacks (DDoS attacks) targeting systems operated by Domain Name System (DNS) provider Dyn. 12
36
Kok-Boon Oh, Bruce Ho and Bret Slade
to unlawfully access data, damage information, or disrupts digital operations by accident or exploiting weaknesses in an organization's information systems or cybersecurity measures is regarded as a cyber threat. Threats can be categorized as malicious or unintentional and internal or external. Malicious internal threats are hostile acts committed by insiders to gain unauthorized access to vital information systems. Malicious external threat attempts by outsiders to gain unauthorized access to sensitive information systems. Unintentional external threats are dangers that occur as a result of the organization's interactions with external actors. Unintentional internal threats by insiders are acts that may have a detrimental impact on the firm's systems but are usually due to human error or neglect. A cybersecurity incident is a general term to refer to the fact that attempts have been made to compromise an organization's systems, networks, or data (Von Solms & Van Niekerk, 2013). A security incident involving a compromise to data confidentiality, integrity, or availability is commonly referred to as data breaches where unauthorized users gain access to sensitive information. Data includes personally identifiable information (PII), protected health information (PHI), and intellectual property. A data breach is a type of security incident but not all security incidents are data breaches. Therefore, an organization that successfully repels a cyber-attack has experienced an incident but not a breach. A security incident may not involve data at all but can refer to any cyber event that violates an organization's critical system or network infrastructure. Cyberattacks that are carried out to disrupt computers, networks, and servers to interrupt business operations are considered security incidents. Therefore, attacks using malware, ransomware, and DOS/DDOS are classified as security incidents. Cybercriminals access information and data businesses, customers, and employees for financial gain or to disrupt a company’s operations for other motivations. Therefore, companies must understand the attack methods cybercriminals are likely to use to gain access to their cyberinfrastructures to prepare for a cyberattack. The common types of cyber threats, attacks, and installation methods employed by these threat actors
Corporate Risk Environment and Cyber Risk
37
are malware, phishing, DDOS, man-in-the-middle, drive-by downloads, malvertising, SQL injection, and password attack. The threats, attack methods, and potential risks are summarized in Table 2.3 below: Table 2.3. Types of cyber threats Threats Malware
Attack & installation methods Spamming businesses to plant malware and compromise computers using email attachments, software download, and operating system vulnerabilities. Use of computer viruses, worms, rootkits, adware, spyware, trojan horse, and ransomware.
Potential risk Data breach Digital economic espionage - stealing intellectual property or products in development Data theft or damage systems
Social engineering/ Phishing
Malicious activities are carried out through human interactions, information such as through employees or customers. Obtaining and exploiting user passwords, usually via emails that redirect users to bogus websites. Phishing is exploited for stealing banking/login credentials & data and impersonating users. Attempt to infect as many organizations or people as possible through phishing and spear phishing to encrypt their data.
Cyber extorting & ransoming - demand money for undoing encrypted data.
Distributed Denial of Service (DDoS)
A sub-category of denial of service (DoS) requires the use of multiple connected devices, called botnets, to inundate targeted websites with massive fake traffic. The purpose of the attack is to disable a system and make a service unavailable.
Network downtime Ransoming
Man-in-themiddle
By impersonating the person or entity on the other end.
Communication confidentiality
Drive-by downloads
Drive-by download refers to the automated download of software to a user's device, without the user's knowledge or consent. Occurs when computers are infected by visiting legitimate websites.
Data breach Network downtime
38
Kok-Boon Oh, Bruce Ho and Bret Slade Table 2.3. (Continued)
Threats
Attack & installation methods Hackers can deploy a variety of malicious applications to a victim’s device such as trojan horses (backdoors or rootkits to provide remote control of the user’s device), ransomware (allows the attacker to encrypt or destroy data on the device), and botnet toolkits (attackers may directly install a botnet application that performs actions like sending spam email or participating in DDoS).
Potential risk
Malvertising
An infected advertisement is used by perpetrators to inject malicious code into legitimate online advertising networks.
Virus transmission Infecting consumers with malware by infecting ads and banners on websites
Password attack/Brute force
An attempt to steal or decrypt a password. This is usually done by using brute force, password sniffers, cracking programs, keylogger attacks, and dictionary attacks. The brute force method uses trial-anderror to guess login information or encryption keys to gain access to a site or server.
Data breach Digital economic espionage Attack on websites
Rogue software
Also referred to as smitfraud or scareware. It is essentially malware designed to cause disruptions to a computer system and by tricking the user into purchasing anti-virus software. Once the scareware is downloaded the user's computer is infected.
Fraud by deceiving victims to pay for removing a fake malware
Structured Query Language (SQL)
SQL is a hack using malicious code injection to destroy or manipulate a database and gain access to potentially valuable information.
Compromise data integrity Data theft
An advanced persistent threat (APT)
A generic term for an attack operation in which an intruder, or a group of intruders, establishes a long-term unlawful presence on a network to mine extremely sensitive data.
Compromise data integrity Data theft
Corporate Risk Environment and Cyber Risk
39
Incorporating innovative technology approaches in products and processes is the primary focus for improving cyber security. However, technology isn't the only means through which hackers can get access to a target system. They usually use social engineering tactics that take advantage of human error and neglect. Exploiting human weaknesses to get access to personal information and protected systems is known as social engineering. So instead of hacking computer systems to get access to a target's systems, social engineering depends on exploiting people. Phishing is a type of social engineering in which a cybercriminal poses as a trustworthy company and asks for personal information via email or malicious websites. Malicious email is the most common type of cybersecurity issue, and phishing and spearphishing emails have remained the most common cyber security incidents (ACSC, 2020). Defending against social engineering attacks necessitates greater attention on the human part of cybersecurity, such as increased security awareness training that causes employees to reconsider clicking on certain emails. A better understanding of human behavior in the cyber security equation can lead to more effective products and processes (Sasse & Flechais, 2005; Predd, Pfleeger, Hunker, & Bulford, 2008; Pfleeger, Predd, Hunker & Bulford, C. 2010).
7.2. Cyber Threat Actors The most common forms of threat actors that have evolved from the cyber world and pose a risk to an organization's cybersecurity by gaining unauthorized access to hardware are cybercriminals, business rivals, insiders, and nation-states. Cybercriminals are motivated by financial gains and they threaten an organization by stealing data, money, and information through data theft, ransoming, and extorting activities. Cybercriminals are professional and organized and they work as
40
Kok-Boon Oh, Bruce Ho and Bret Slade
individuals or teams to commit malicious activities14. Business rivals carry out cybercrime to disrupt a business or illegally access data to gain a competitive advantage, which will almost certainly result in financial losses for the target company. Insiders are current or former workers, suppliers, sub-contractors, and other partners who pose a threat to an organization when they compromise a firm’s business networks. Their illicit activities can be either malicious for financial gains or as a result of emotional motive15. Unintentional acts are a result of human error, negligence, or insufficient knowledge. Through espionage, disruption, and theft, nation-states are dedicating substantial time and resources to attaining strategic cyber advantage to enhance their national objectives, intelligence gathering capabilities, and military capability16.
8. INDUSTRIES AT RISK Losses due to a cyber breach can come in different forms. Organizations that possess intellectual property (IP) as valuable assets are susceptible to significant financial losses due to an accidental or deliberate breach or theft. SND to most organizations are valuable assets and any business disruption or the loss of data due to a cyber breach can result in loss of market value (Kamiya, Kang, Kim, Milidonis & Stulz, 2020). Private data held by an enterprise, such as personal identifiable information (PII) should remain confidential and any unauthorized disclosure from a cyber breach can result in costly litigation and regulatory fines against the organization. A cyber breach can also cause severe business interruption to an organization’s operations or system failure resulting in a loss of revenue or Sina Weibo is one of China’s largest social media platforms. In March 2020 an attacker obtained part of its database containing 538 million Weibo users and sold the database on the dark web for $250. 15 Ali Baba lost 1.1 billion pieces of user data in 2019 to a developer working for an affiliate marketer. 16 A malware attack on Saudi Aramco in 2012, Cybercriminals stole 500 million accounts from Yahoo in 2014 through the use of a phishing scheme, GitHub’s DDoS attack in 2015, and a US nuclear facility was breached in a cyberattack in June 2017. 14
Corporate Risk Environment and Cyber Risk
41
civil liabilities from customers. Professional cybercriminals who are sophisticated in using IT to carry out cyber fraud or scams on organizations, particularly financial institutions, are becoming a common threat. These cybercriminals are also involved in holding organizations to ransom using ransomware software to carry out DOS/DDOS attacks. Overall, a cyberattack can cause considerable reputational damage as an attack that causes considerable harm to the organization is likely to be perceived negatively resulting in a loss of confidence in stakeholders such as investors, shareholders, customers, and regulators. Those industries that are normally vulnerable to cyber-attacks are financial services, healthcare, government, education, energy & utilities, and business (retail, manufacturing & e-commerce). The ACSC (2020) reported about 35% of incidents involving critical infrastructure in Australia, including energy, water, health, communications, and education (Table 2.4). Table 2.4. Cyber security incidents, by affected sector (1 July 2019 to 30 June 2020) Government/Federal Government/State Other Individual Education & Research Financial services IT Health Retail Professional services Water Communications Transport Mining & resources All other sectors Source: Australian Cyber Security Centre, 2020.
20% 16% 9% 9% 5% 4% 4% 7% 3% 3% 3% 2% 2% 1% 10%
42
Kok-Boon Oh, Bruce Ho and Bret Slade
CONCLUSION Management needs to have a clear knowledge of the cyber threats in their organizations to appreciate the risk implications to the business and how these cyber threats can be addressed in the risk control system. The ability of an organization to prevent harmful malware from reaching its critical information systems is vital to cybersecurity. Malware comes in a variety of forms, each with the potential to cause catastrophic damage to systems, networks, and data. Protecting an organization from social engineering attacks necessitates an acute understanding of the techniques and software that criminals are likely to use.
Chapter 3
CYBERSECURITY ENTERPRISE RISK MANAGEMENT 1. INTRODUCTION Extant literature refers to Enterprise Risk Management (ERM) as an aggregate risk control practice that is synonymous with strategic risk management, enterprise-wide risk management, integrated risk management, holistic risk management, and corporate risk management (D’Arcy, 2001; Liebenberg & Hoyt, 2003; Kleffner, Lee & McGannon, 2003; Hoyt & Liebenberg, 2006). Firms use ERM as a governance tool for predicting and managing risks as it enables them to prepare for risk mitigation along different dimensions for improving strategic and operational risk management. It is also a compliance device to ensure regulatory conformity. The purpose is to enhance planning to help an organization achieve its goals taking into consideration an organization's tolerance for risk and opportunities in the market. Comprehensive knowledge of the role and purpose of corporate risk management provides a useful insight and allows the development of practical frameworks of the risk control levers that can optimize organizational performance (Ho, at al., 2010). This chapter introduces the
44
Kok-Boon Oh, Bruce Ho and Bret Slade
enterprise risk management approach as a management process for decision-making by analyzing the steps involved in its implementation to ensure risks are identified and managed effectively within an enterprise. In this day and age of online business, the benefits of cyber risk management (CRM) are substantial. The literature suggests shareholders behave adversely to cyber-attacks (Bose & Leung, 2014; Modi, Wiles & Mishra, 2015; Higgs, Pinsker, Smith & Young, 2016) and CRM helps in addressing the threats and establish the appropriate defenses. In the World Economic Forum's 2017 Global Risk Report, cyber risk was highlighted as the risk of greatest concern to doing business in more than one-third of OECD countries. The benefits to a company include increased shareholder value from efficient risk mitigation resulting in a better brand and reputation, and optimize risk-return outcomes from being able to promptly identify and address risk for better outcomes for the whole company. ERM theory postulates that all risks should be managed together in a portfolio (Bezis, 2014; Bromiley et al., 2015; McShane, 2018). In this chapter, we discuss the attributes of an effective ERM framework by advocating a holistic approach for embedding and maintaining a CRM program within the ERM framework capable of categorizing, evaluating, and managing cyber threats. The organization’s business strategy is articulated in its objectives that are aligned with its risk appetite when formulating risk strategies. The entity’s Board of directors and senior management are responsible for establishing the ERM processes that set the strategy for managing risk across the enterprise within its risk appetite thereby assuring the achievement of the entity’s objectives. The enterprise risk management (ERM) framework adopts a high-level approach on the process, guidance, and direction to risk control by providing "a robust and holistic top-down view of key risks facing an organization" (COSO, 2009). The ERM process enables management to strategize risk control, identify, assess, mitigate and monitor risk in the face of uncertainty sequentially and holistically as risks span across different business functions. Therefore, the company’s risk control program is designed to provide value for its stakeholders by incorporating the cyber risk strategy into the ERM framework to allow the
Cybersecurity Enterprise Risk Management
45
entity to effectively manage cyber risk. This gives the entity a portfolio perspective for managing cyber risks for better outcomes.
2. VALUE CREATION Appreciating the nature of risks is to take advantage of opportunities that arise from them to create value for the firm. The connection between business growth and technology is indisputable and while firms leverage technology to create value, risk management efforts enhance value by protecting firms against cyber threats (Figure 3.1). The absence of or inadequate risk management policies can result in adverse economic consequences to organizations and their stakeholders. Weak risk management can result in significant “dead weight” costs in organizations, which negatively affect organizational value (Kerzner, 2009). Firms must treat the enterprise risk management process as a central function that involves a strategic and definitive risk policy, quantitative analysis, mitigation, monitoring, and reporting to add value (Oh et al. 2018). Beasley et al. (2008) suggest that the equity market reacts positively to the appointment of senior management to oversee a firm’s ERM processes. Hoyt and Liebenberg (2011) found a positive relationship between the appointment of a CRO and firm value. Andersen and Roggi (2012) investigated the correlation between effective risk management and reduction of earnings and cash flow volatility. They concluded that there are significant positive relationships to lagged performance measures between the variables after controlling for industry effects and company size in their study. However, the results from other studies on the correlation between ERM and firm value have been inconclusive. The goal of ERM is to systematically coordinate and manage all risks, both strategic and operational risks, relating to corporate governance, finance, production, information technology, human resources, supply chains, or distribution networks. ERM implies a portfolio theory approach to create value to benefit shareholders, managers, and stakeholders because
46
Kok-Boon Oh, Bruce Ho and Bret Slade
the aggregate risk of a portfolio should be less than the sum of the individual risks provided the risks are not 100% correlated.
Figure 3.1. Value creation from portfolio risk management.
3. STRATEGIC CYBER RISK MANAGEMENT Cyber risk control constitutes a part of the organization’s risk management initiative and should be embedded within the broader enterprise risk management strategic framework. Strategic cyber risk management is crucial to the firm for value creation (Young, 2000) because firms that have identified the risks are better prepared to deal with them more productively and cost-effectively. Cyber risks can be construed as risks that possess the risk characteristics of Kaplan and Mikes’ (2012) risk categories of “strategy risk, preventable risk, and external risk.” Cyber risks can be considered strategy risks because they originate from leveraging information technology in business "to generate superior returns." Cyber risks are "preventable" by "monitoring operational processes and guiding people's behaviors and decisions toward desired norms," while it may not be possible to eliminate "preventable" cyber risks,
Cybersecurity Enterprise Risk Management
47
they should be kept within the organization's accepted risk tolerance. Examples are to increase employees' cyber risk management knowledge, instill a strong cyber risk culture, and ensure compliance with operational risk management policies and processes to avoid compromising the organization's information infrastructure. Cyber risks also have an "external" dimension to them as some arise from external events that are beyond their influence or control. Some of these external factors are advances in hacking technology, criminal intent, and third-party network vulnerabilities.
Figure 3.2. ERM, SRM & ORM processes.
A comprehensive and robust enterprise risk management framework is the foundation for cyber defense (Figure 3.2). Strategic Risk Management (SRM) is a high-level function used to manage risks in an organization to enable the organization to achieve its strategic objectives. At the strategic level, management must allocate budgets for planning and implementing the risk management policies. Therefore, senior management must be involved in formulating and monitoring the strategic risk management policies and processes. The risk management process starts with the board of directors. Board members must ensure clear strategy; policies and processes are established and implemented for effective cybersecurity governance. Operational Risk Management (ORM) is a process for conducting risk identification, risk assessments, making risk choices, and putting risk
48
Kok-Boon Oh, Bruce Ho and Bret Slade
controls in place., The execution of the corporate risk management policy aimed at mitigating risk exposure is conducted is at the operational level. The performance or results of the risk management process must be continuously monitored and reported to management to ensure that policies are constantly under review and evaluation to ensure they remain relevant and effective.
Figure 3.3. Five attributes of cybersecurity risk management.
There are five critical attributes for effective cybersecurity risk management (Figure 3.3) according to Chaudhary and Hamilton (2016)17. The different industry and organizational settings of companies and the scale, complexity, and ever-changing nature of cyberattacks mean that there is no one-size-fits-all solution for cybersecurity risk management. 17
“The Five Critical Attributes of Effective Cybersecurity Risk Management,” Raj Chaudhary and Jared Hamilton (2016), BankDirector.com, Charting a Course for America’s Banking Leaders. https://www.crowe.com/-/media/Crowe/LLP/folio-pdf/The-Five-CriticalAttributes-of-Effective-Cybersecurity-Risk-Management_FS-16003-202A.pdf (accessed 12/9/2020).
Cybersecurity Enterprise Risk Management
49
According to Chaudhary & Hamilton (2016), to be effective, the five traits outlined here must be part of a company's approach to limit the risk of business disruptions and data breaches. An "effective cybersecurity framework" is necessary, at the top, to establish the corporate vision, goals, and objectives for safeguarding the CIA of the company’s information assets. It provides the plans, policies, and guidelines for the cybersecurity process to be implemented to achieve the firm's cybersecurity objectives. A “balanced distribution of responsibility” helps to define the role and responsibility of each member in carrying out the cybersecurity plan. A “holistic approach to cybersecurity” will ensure that technical, human, physical, and intangible assets (Gerber & Von Solms, 2005) protection measures are considered, addressed, and observed to protect the firm's critical assets against cyber threats. An “effective risk assessment process” will accurately identify the cyber threats the firm is exposed to and quantify the adverse impact on critical business operations. Last but not least, a comprehensive “incident response plan” is important for quick and efficient response to a cyberattack to minimize the damage and also to recover from the event (Chaudhary and Hamilton 2016).
4. CONVERGENCE BETWEEN ERM & CYBERSECURITY This section examines the need to align and integrate cybersecurity risk control with enterprise risk management (ERM). The concept of ERM has been described as a strategic business planning and management approach for enhancing decision-making and corporate value. Madnick (1978) suggests that the technical approach to addressing computer security should be augmented by business and management considerations. The convergence of business and digital risk is becoming more evident as business growth and technology strategies are strongly intertwined, albeit the challenges faced by organizations in the integration process (Stine, Quinn, Witte, Scarfone & Gardner, 2020). Convergence has been defined as “... a trend affecting global enterprises that involve the
50
Kok-Boon Oh, Bruce Ho and Bret Slade
identification of security risks and interdependencies between business functions and processes within the enterprise and the development of managed business process solutions to address those risks and interdependencies.”18 Cyber risk control continues on this path as it becomes a critical risk to organizations due to the increasing reliance on and use of the Internet of Things. For effective integration of cyber risk management into the strategic planning process, “the risk unit must be able to ensure that information of strategic risk is current, complete and reliable” (Maia & Chaves, 2016). While conventional risks are addressed and included in the enterprise risk management framework of many organizations (Figure 3.4), companies are exposed to cyber risks because they leverage information technology in their business operation as their business strategy. Effective cyber risk management requires a dynamic approach for formulating risk controls as an integral part of the strategic planning process. The traditional cybersecurity approach has been one that manages cyber threats through its own set of technical and internal controls within IT (Siponen & OinasKukkonen, 2007) or the silo approach, and is separate from the processes required for enterprise-wide risk management. An alignment of cybersecurity with the wider risk strategies, policies, and responsibilities of an organization's enterprise risk management goals and objectives is necessary (Collier et al. 2013). A comprehensive and holistic ERM framework needs to consider all relevant risk information from managers or employees across the organization to reduce the possibility of formulating wrong strategies or overlooking important ones. Such a move would entail a consistent approach between personnel of different business units thereby minimizing risk exposure to the organization. For convergence to enhance enterprise risk management requires the organization to treat it as a decision-making tool and understand the benefit of oversight and review by the board and senior management. Cybersecurity strategies and resulting policies should target helping the 18
The Alliance for Enterprise Security Risk Management 2006, Convergence of Enterprise Security Organizations, ISACA Information Security Management Conference ISACA Network Security Conference 18 September 2006 Las Vegas, NV, USA.
Cybersecurity Enterprise Risk Management
51
organization achieve its business objectives, which predicates the successful implementation of an effective ERM system (Zhao, Huang & Low 2013).
Other corporate risk controls
Enterprise Risk Management
Cyber Risk Control
Figure 3.4. Cyber risk control and ERM convergence.
Enterprise risk management is a set of policies and processes used by organizations to manage risk. The CRM policies and processes reflect the actions for risk mitigation that align with business goals and expectations within the set parameters of the risk strategy. Figure 3.4 depicts how cybersecurity operations management should integrate and align with the ERM process, inclusive of other risk controls, to create a holistic approach to operational security.
5. THE ERM FRAMEWORK AND PROCESS The architecture of ERM incorporates a top-down and bottom-up process for managing risk comprising of the strategic and operational tiers. This form of ERM structure will be the guiding framework for the development and implementation of the organization's CRM capabilities in the subsequent chapters. An ERM framework helps a company visualize the risks in its cyber environment by incorporating the risk management process into overall corporate governance (Weill & Ross, 2004). It does this by evaluating the process to ensure it aligns with the company’s objectives and risk tolerance. The framework should be able to scan the cyber environment to identify the types or nature of cyber risks an organization encounters (Zhao et al. 2013; Elliot, 2019), assess to
52
Kok-Boon Oh, Bruce Ho and Bret Slade
determine where and how an organization would be affected, and recommend measures for risk mitigation. According to ISO 31000, each organization must identify all risks, including their nature, the circumstances or events that promote their occurrence, and the potential repercussions in terms of the company's mission objectives. In developing a framework, the company must understand what structure would meet the needs of a business. What underlying strategic objectives the ERM is intended for would form the basis of the ERM strategy. Some of the primary objectives that companies hope to achieve in their ERM strategy are mitigation against threats, coordination & integration of the risk control function, compliance, and leveraging on risk to exploit opportunities for value creation. These objectives should have the visible support of the board of directors, senior management (c-suites), and the commitment and participation of all relevant business units, managers, and line personnel in the organization hierarchy (Zhao, Huang & Low, 2013) for them to be effective. In the following sections, we will discuss some of the essential elements of the generic ERM framework, roles and responsibilities of management, and the functional steps for the rolling out of the process.
5.1. Structure and Elements We define the ERM as a framework that contains the pre-emptive measures that a company put in place to mitigate its risk exposure. The framework consists of two tiers with built-in steps and actions to form the holistic and comprehensive ERM process. An ERM plan includes both SRM and ORM. SRM considers the entire company, its vision, objectives, goals, and its strategy (Weick and Suncliffe, 2007). While ORM takes a more practical approach to an organization's risk profile by involving in functional risk assessment and control activities. Figure 3.5 depicts the enterprise risk management structure consisting of both SRM and ORM.
Cybersecurity Enterprise Risk Management
53
Figure 3.5. ERM framework.
Both SRM and ORM are important to firms and must be managed as part of their entire risk management program. At the SRM level, management is responsible for setting the enterprise risk management agenda with the purpose to provide companies with a framework that defines key principles & objectives (Lerbinger, 1997), a common risk language, budget, clear guiding processes, and direction for managing enterprise risks (Figure 3.6). The enterprise’s risk integration starts at the planning stage by analyzing the high-level strategic business objectives to identify risks that can create uncertainty and drive variability in performance. It breaks the strategic objectives down into operational targets and key performance indicators (KPIs). Next, management states the risk control vision, goals, and objectives for protecting the business objectives. This approach helps managers to better appreciate the business proposition underlying each risk control objective and encourages them to take ownership of the risk process. At the strategic level, the SRM elements that require attention include establishing the risk control organizational structure, key risk indicators (KRIs), and tolerance levels for critical risks. SRM establishes the link between risk management with business vision, strategy, goals, and objectives. The strategic level comprises the board of directors whose main function is to define and approve the enterprise risk management strategic plan and policies and to ensure that resources are budgeted for their effective implementation (Quarantelli, 1988). Those managers at the strategic level must then explicitly communicate these policies to the rest of the organization (Quarantelli, 1988).
54
Kok-Boon Oh, Bruce Ho and Bret Slade
Figure 3.6. Strategic risk management.
The ORM process contains four pre-emptive steps and two reactive steps to a potential cyber-attack, as depicted in Figure 3.7. The pre-emptive steps are “Identify” (Step 1), “Assess & Quantify” (Step 2), “Mitigate” (Step 3), and “Monitor and Report” (Step 4). These four steps are critical success factors for a successful ERM process (Zhao, et al. 2013). The two reactive actions relate to incident “Response” (Step 5) and “Recovery” (Step 6) of the operational process (see Figure 3.7) are risk control actions that fall into the definition of the crisis management function of the enterprise. The ERM is a predictive risk control method for identifying, assessing, and mitigating risk, and a crisis management strategy is critical when a cyber incident occurs, whether or not it was anticipated, to avoid costly lawsuits and losses. Therefore, the functions of incident response and recovery are not strictly part of the enterprise risk management process but they do overlap in the learning, reporting, and mitigation enhancing activities concerning some of the ERM functions.
Cybersecurity Enterprise Risk Management
Crisis Management
55
Operational Risk Management Management
Figure 3.7. Operational risk and crisis management processes.
The first phase of the ORM process is to identify the cyber risk exposure of the enterprise, which requires an understanding of the firm's business strategy, objectives, and operations. It is only with this knowledge that we can understand and able to set the stage with the relevant objectives and criteria for identifying cyber threats. This could be accomplished by asking questions (Gregersen, 2018) about the “why, what, who, when, and where” relating to the role cyber dangers play in generating corporate value (see Chapter 5). Step Two is about assessing threats through quantification to estimate the impacts on business performance. The estimated threats or risks are then ranked according to their severity and probability of occurrence on a risk map. Those risks that are highly ranked or critical are the ones the enterprise has to prioritize effort. Step Three is to mitigate risk exposure and the general approach is to choose from the options available to the firm including techniques for taking on, transferring, treating, or terminating a risk. Step Four entails the ‘monitor, detect and report’ task, where the risk conditions are reported to the relevant parties for appropriate action. The partial or full cycle of the operational risk control cycle is repeated to continuously address the risk situation (Oh et al. 2018). The
56
Kok-Boon Oh, Bruce Ho and Bret Slade
crisis management actions of ‘Respond’ (Steps Five) and ‘Recovery’ (Step Six) are addressed separately in Chapter 11.
5.2. Role of Management The development of new requirements in many countries, such as the Sarbanes Oxley Act 2002 in the United States, for the Board of directors and officers to sign off on their corporate risk management practices has greatly increased the profile of risk management and its related activities for organizations. Strategic ownership and senior management participation are needed to steer the ERM towards a strategic orientation. This requires setting goals and strategic objectives for risk management (Zhao et al. 2013) and the commitment of the Board and senior management to follow it through. Planning and designing the ERM process starts at the highest level of management and in a corporation, this is normally the Board of directors. The BOD approves the corporate risk management policy as well as the budget for the implementation and maintenance of the procedures. There has also been an increase in attention on the effectiveness of the Board as a risk oversight mechanism with the greater complexities of risks facing organizations. On the other hand, ERM champions are important key players in the organization for implementing an effective ERM process. Stakeholders and regulators expect robust discussions of risk assessment and risk management policies at the senior management level culminating in more effective risk control practices and compliance. The management of a firm is primarily responsible for its risk management process but the Board of directors must also be informed about and appreciate the risks facing the firm to maintain oversight of the risk management process. The treatment of all risks should be fully disclosed and accepted by the Board of directors in the interest of good corporate governance. All employees must be aware of the risk benchmarks and senior management or the Board ought to be confident that the risks of the business are being managed consistently and following
Cybersecurity Enterprise Risk Management
57
overall corporate strategy (Oh et al., 2019). An integrated and cooperative approach to cyber risk management is imperative among employees to promote an efficient and coordinated defense against cyber-attacks (Chileshe and Kikwasi, 2014). This entails removing the silo mentality from a company's risk management activities. Management must ensure communication (Grabowski & Roberts, 1999; Chileshe & Kikwasi, 2014) and aligning the various entities of the business with the ERM framework are prioritized. In the case of enterprise cyber risk, the strategic ownership lies with the Chief Information Security Officer (CISO) who oversees cybersecurity in the organization and the respective line managers to comply with the processes. The CISO is also responsible for liaising with other technology users in the organization in managing the CIA of the information infrastructure. A proactive and timely approach by all employees to cyber risk control within the ERM framework is important to a rapidly changing environment to gain strategic competitive advantage and business success.
5.3. Enterprise Information Security Policy The Enterprise Information Security Policy (EISP) is a high-level document that serves as the foundation for drafting policies that cascade down the organization's hierarchy. It is written jointly by senior management including the company's Chief Executive Officer (CEO), Chief Information Security Officer (CISO), Chief Technology Officer (CTO), and Chief Risk Officer (CRO). It serves as a roadmap to guide the company on writing policies and procedures, implementing future security programs, and setting the benchmarks for how the company manages specific cybersecurity matters. Essentially, the EISP describes the company's philosophy and relevant guiding principles for an effective cybersecurity policy and aids in setting an organization's security activities by reflecting and supporting the organization's vision and strategic objectives. The EISP adopts and uses risk management standards and industry best practices to guide, determine and recommend the appropriate
58
Kok-Boon Oh, Bruce Ho and Bret Slade
cybersecurity framework for the organization. The framework consists of instructions on guiding enterprise risk principles & culture, tolerance levels, roles & responsibilities, lines of communication, policy implementation and maintenance, as well as the obligations of end-users (who may be employees, contractors, suppliers, related third parties, or consumers). The EISP also specifies risk ownerships and the channels and methods for line personnel and executives to communicate and key players who are responsible and accountable for the overall security program. The EISP does not require a frequent update.
5.4. Budgets Advancements in digital technologies have contributed to the rapid growth of digital activities in economies around the world. An assessment of the organization's cyber landscape is conducted to identify the organizational digital risk profile. Digital activity level is a determinant of the size of an organization's cyber security threats or exposure. A firm with a larger digital footprint would have greater cyber risk exposure. The exposure footprint determines the resources needed to mitigate the risk and also helps to prioritize the future investment for risk management. The effectiveness of the ERM process is a function of the amount invested in personnel and resources needed to manage the ERM processes but also bearing in mind that it is impossible to achieve 100 percent security no matter how much is invested. An organization has to decide how much to invest in the ERM function in terms of human resources and infrastructure (information technology). In terms of cybersecurity, the cyber risk exposure can be construed as a function of the digital activity level of the organization and the amounts invested in risk control resources (Figure 3.8). Management is continually confronted with the task of determining the level of resources to be allocated to ERM by conducting a costs-benefits analysis to obtain an optimal trade-off between investments and risk exposure. The level of investment will help to define the risk mitigation strategies.
Cybersecurity Enterprise Risk Management
59
Figure 3.8. Cyber risk exposure relationships.
Gordon and Loeb (2002) propose a general digital information vulnerability model for investment based on the “1/e rule” that suggests that the optimal amount of information security investments should not exceed 1/e of the value at risk.19 Hence, a digital asset with a value of $1 million with an attack probability of 30 percent and success of 60 percent would likely incur a potential loss of $180,000 ($1m x 0.3 x 0.6). The amount of information security investment justified under the model would be $66,240 (i.e., $180,000 x 0.368).
5.5. Cybersecurity Risk Culture The organization needs a strong corporate risk culture for risk management to be successful (Grabowski & Roberts, 1999). Risk culture is necessary to get ERM broadly understood, accepted, and implemented across the organization (Chileshe & Kikwasi, 2014). A strong corporate risk management regime entails consistency and engagement so that everyone throughout the organization is aware of the process and expectations and is responsible and accountable for its success20. Thus, 19 20
1/e ≈ 36. 8%. The article “Corporate Discipline Underpins Risk Management” highlights the role culture plays in enhancing the enterprise risk management function. http://www.afr.
60
Kok-Boon Oh, Bruce Ho and Bret Slade
employees should have a clear understanding of their roles in committing to cyber security and specific responsibilities to safeguard the organization against cyber breaches. Cybersecurity culture is outlined in the EISP and corresponding subpolicies. According to Deliotte (2013), some of the key elements behind a strong cybersecurity culture are: an employee's goals, values, and ethics are in line with the company's risk appetite, tolerance, and approach; risk must be considered and accounted for in all aspects of the business; people are willing to discuss risk openly and honestly; policies and procedures are followed in SRM & ORM; there are formal communication channels and procedures that emphasize the necessity of timely reporting, and employees are fully aware of and comply with the policies and procedures.
5.6. Performance Measurement The capacity to link risk measures to metrics of overall organizational performance is a key feature of ERM. The majority of risk management evaluation methodologies rely on indicators to assess the susceptibility of risk-related factors using both qualitative and quantitative indicators. For ERM to be successful, the organization needs specified and wellunderstood performance measures or key performance indicators (KPIs). The key performance indicators, which focus on the enterprise's historical performance or key operations, are critical for effective management. The kind of performance metrics necessary should be closely tied to the strategic goals of the firm. Hence, risk measurements included in the ERM framework should be capable of analyzing and measuring its benefits and performance goals. Furthermore, the performance results could provide feedback for the firm's cognitive and behavioral learning processes as well as deliver concrete value (Feurer, 1995) to help review and determine risk control strategies.
com/news/special-reports/evolving-business-risk/corporate-discipline-underpins-riskmanagement-20150409-1mhril.
Cybersecurity Enterprise Risk Management
61
To monitor changes in risk conditions or circumstances and detect new risks, effective management will implement a set of indicators or metrics. Key risk indicators (KRIs) are used to detect and mitigate risk at the corporate level. A key risk indicator is a forward-looking technique for tracking risk that may or may not materialize; it is used as a warning system for future actions. KRIs use statistics or measurements that can provide a view into a firm's risk situation to warn the company about changes that may signal risks (Les Coleman, 2009). A KRI is used to track a specific risk to take measures to mitigate it. Because a firm’s environment is constantly changing, KRIs must be implemented to gather current information about risks to improve management's ability to lead effectively and avoid unfavorable outcomes. An example of a KRI that measures the aggregate risk exposure of an organization is the value at risk (VaR) method which is a value that expresses the magnitude of a company's potential financial losses.
6. SCOPE OF STRATEGIC CYBER RISK CONTROL IN AN ERM PROGRAM The scope of an ERM program needs to ensure that the scope of business objectives and the scope of risks and their control processes are aligned and consistent to enable the company to achieve its ERM objectives. Management needs to agree on the expectations, objectives, and benefits of the ERM. To set the scope of an ERM program management should start with defining the types of risk that ERM will cover and the business processes that ERM is intended to address. The risk types that an ERM program is focused on can include cyber, strategic, operational, and financial risks. Cyber risk exposure originates from the use of information technology and permeates the company's operational, financial, and strategic functions. Strategic risk exposure is the result of poor planning.
62
Kok-Boon Oh, Bruce Ho and Bret Slade
Operational risks are those related to ICT, supply chain, people, and regulatory considerations. Financial risks include investment, liquidity, credit, investment, interest rate, exchange rate, and asset market value. Nowadays, cyber risk pervades the entire organization in activities that are connected to the company’s digital infrastructure. The primary objective for defining the risk types covered in a company's ERM program is to allow management to cohesively manage the critical risks that can cause harm to the company’s performance and strategic goals. The ERM program enables managers to have a common understanding of those critical risks and as a reference to definitive processes to manage those risks. It is described as a comprehensive, holistic and cross-divisional risk management approach that addresses the interdependencies as well as contradictory components of the risk management process (Borker & Vyatkin, 2012). To plan and implement an effective cybersecurity enterprise-wide risk management system program, the Board of directors and senior management need to understand all cyber threats to their organization. The pervasive nature of cybersecurity in today’s technology-based business environment underpins the need for an ERM system where the entire organization is involved in tackling, tracking, and treating cyber threats. Corporate assets should be defined according to their category and ownership to maintain high visibility for cyber threats. Every company should cultivate a heightened awareness by identifying the vulnerable business systems, networks, and data to assess, manage and monitor cyber risks. The Board should empower the CISO to oversee the management of cyber risks by applying appropriate policies, including standard operating procedures and cause-effect analyses. It is important that risk monitoring with the relevant metrics are incorporated into the cybersecurity ERM process to identify and detect risks to enable a timely and appropriate response.
Cybersecurity Enterprise Risk Management
63
7. ERM ORGANIZATIONAL STRUCTURE & MANAGEMENT PROCESS There is no single best way to implement an ERM framework. A company-specific strategic ORM framework in terms of the appropriate organizational structure and design around ERM (Grabowski and Roberts, 1999) that works and is effective requires an understanding of the organizational entities that will manage ERM, and their roles and functions. The board of directors and c-suite officers are responsible for leadership and oversight of the SRM and ORM processes around the ERM. Furthermore, each employee and business unit need to participate in the enterprise risk management process and understand their roles and responsibilities and how they impact the organization's risk profile. The following sections outline the attributes when implementing the strategic cyber ERM framework.
7.1. Strategic Risk Management (SRM) To implement and oversee the strategic risk management process, senior management must understand the role of leadership and governance in controlling cyber risk. The strategic risk management process starts with the involvement of the BoD and c-suite followed by the appointment of a Chief Risk Officer (CRO) and the establishment of the risk committee (Figure 3.9). Management also allocates budgets for implementing risk management policies. The risk management processes must be continuously monitored and the results reported to management to ensure that policies are periodically reviewed and evaluated to ensure they remain relevant and effective (Oh, et al. 2019). Creating a specialized risk entity or committee through the CRO is a common way to institutionalize the ERM role. The chief risk officer (CRO) will have oversight of SRM functions in conjunction with the risk committee. The committee is often chaired by the CFO or CEO. The CRO
64
Kok-Boon Oh, Bruce Ho and Bret Slade
reports to the CFO or CEO and regularly briefs the committee on security. The CISO's SRM reporting line is to the CRO and like the CRO may be called upon by the committee for technical advice. It is quite likely that organizations would also integrate existing OH&S, compliance, internal audit, and financial risk management practices with the risk committee to achieve a holistic approach to ERM. Figure 3.9 highlights the key SRM activities in the ERM framework from board involvement right up to the oversight of the ORM implementation.
Figure 3.9. SRM process for cybersecurity ERM.
The risk committee would serve as a strategic entity responsible for developing, implementing, and managing a comprehensive, integrated risk management plan, as well as coordinating individual functional risk management activities, serving as an assessment center, and serving as an advisory and technical resource for various business units, including the organization's senior management and Board of directors.
Cybersecurity Enterprise Risk Management
65
7.2. Operational Risk Management Operational risk is a term that describes the uncertainties and risks that an organization faces when doing day-to-day business activities in a specific function or industry. Cyber threats are a form of operational risk. The Basel Committee on Banking Supervision has defined operational risk in the financial services industry as "the risk of loss, resulting from inadequate or failed internal processes, people and systems, or from external events." Therefore, the operational risk exists in every aspect of a business. The challenge for any organization is whether it has completely identified all of the risks in the business. A risk-based approach is an effective method for detecting cyber risk elements to target in cyber risk management (McKinsey, 2019). The Risk-Based Approach is a method for identifying, assessing, and prioritizing risks to an organization. It's a flexible approach that allows businesses to adjust their cybersecurity strategy to their individual organizational needs and operational vulnerabilities and weaknesses. While it is not possible to identify and eliminate 100% of all risks that an organization is exposed to, it is important to identify the most critical risks. A firm's standard business procedures must include a cybersecurity operations management component. The operational level of the ERM has the functional responsibility in seeing that the SRM cybersecurity strategies, action plan, and policies & procedures are implemented within the specific organizational units. Operationalization of the cyber SRM plan is carried out through the implementation of appropriate ORM processes. The ISO 31000, which is adopted by many firms in practice, describes operational risk management process as including the following steps: 1) Establish the context; 2) Identify the risks; 3) Conduct a risk analysis; 4) Conduct a risk evaluation, and 5) Treat the risks. These steps work in a continuous cycle in tandem with monitoring and review, and communication and consultation. Cybersecurity refers to the safeguarding of corporate data and technology against theft, corruption, and unauthorized or unintentional access. Customer trust in a company is dependent on an efficient corporate
66
Kok-Boon Oh, Bruce Ho and Bret Slade
cybersecurity operations management function. Cybersecurity operational risk management necessitates the active engagement and dedication of employees at all levels of the business to guarantee that the enterprise risk management structure and processes have the following characteristics: clear cybersecurity risk policies and processes for the business and employees outlining the cybersecurity measures to protect the firm's systems, networks, and data; all staff are trained and are aware of cybersecurity policies and procedures, including roles and responsibilities; a cyber recovery plan in place and know how to use it, and all computers, websites, and business systems up to date. The ORM processes consist of four important risk control measures and two risk events response actions (Figure 3.10). All six steps supplement and complement each other to form the ERM operational function. The cycle is categorized into two tiers of risk management and crisis management. To manage and mitigate cyber risk, ORM entails the deployment of controls to identify, assess, mitigate, and monitor and report risks. When a cyber-attack event is detected, it is reported to senior management (CISO and CRO) for the risk events plan to be activated. Risk management is proactive and involves activities made to prevent hazards, whereas crisis management is reactive and involves actions taken to counteract a risk event, as mentioned in the prior chapters. Both layers working together will provide the organization with a comprehensive and holistic cyber risk management framework. The ORM framework is structured to identify cyber threats and risks from systems, networks, and data, assess cyber risks using qualitative & quantitative methods and understand the stock of cyber technologies, mitigate cyber risks by designing a risk mitigation strategy, and monitor, detect and report cyber risks (Figure 3.10). In the monitoring phase, the effectiveness of the risk measures is reported periodically back to the people responsible for the preceding three phases for review and to make appropriate adjustments to ensure that the enterprise risk management process remains relevant and adequate to address the existing risks, be it in risk identification, risk assessment or risk mitigation. Managers must
Cybersecurity Enterprise Risk Management
67
maintain an ongoing vigilance of risk awareness at the operational level through the monitoring, detection, and reporting process (Ho, et al., 2010).
Operational Risk Management
Crisis Management
Figure 3.10. Operational risk management/crisis management cycle.
The ORM's crisis management function is responsible for putting the Incident Respond Plan (IPR) into action in the case of a cyber-attack, as well as the Recovery Plan (RP) for recovering from cyber-attacks. The cybersecurity crisis management plan is a document that outlines the actions to be taken during a cyber breach event and for reviewing and updating the firm's risk mitigation plan. During a cyber-attack, employees consult the risk events response plan to help them through the incident response and incident recovery actions.
68
Kok-Boon Oh, Bruce Ho and Bret Slade
CONCLUSION Enterprise risk management is difficult to implement because it necessitates organizational dedication and collaboration. The ERM cybersecurity programs must have strong leadership and top management support, as well as the available resources for implementation. ERM has a lot of advantages, but it also has a lot of challenges. Some challenges that must be addressed by management for the organization to implement a holistic and effective risk management framework include demonstrating the benefits of ERM cybersecurity programs, the need for a common risk vocabulary, organizational risk awareness culture, formulating risk tolerance statements and capabilities to identify, assess, mitigate and report cyber risks that impact on organizational objectives. An effective crisis management plan consisting of incident response and recovery components is also essential.
Chapter 4
STANDARDS AND REGULATIONS 1. INTRODUCTION This chapter explains the significance and usefulness of adopting standards to treat cyber risk for consistency, uniformity, and compliance with best practices. In today’s dynamic cyber business environment, there is a growing trend towards enterprise risk management that aligns risk to strategic goals and operational priorities. Therefore, existent cyber risks should be analyzed, categorized, and operationalized into an enterprise’s cyber risk framework. The increasing number of cybersecurity regulations such as international, national, and accepted best practice standards require greater attention of management to protect critical operations and information. A study of the major standards (also regulations) that exist can provide insights into different cyber risk situations and practices to generate relevant and helpful ideas for implementing a cybersecurity ERM framework in different industrial, business, and regulatory contexts. In addition, it heightens awareness of compliance with the privacy and data security regulations that the company may be subjected to. The study of enterprise risk management approach as a management process for decision-making involves analyzing the steps involved in its implementation to ensure risks are identified and managed effectively
70
Kok-Boon Oh, Bruce Ho and Bret Slade
within an organization. Risk management has become critical in a rapidly changing economic environment that stems from digital connectivity, globalization of business and financial markets, and the need for corporate accountability. The last few years have seen an increased interest in risk management from industry and business planners as a result of losses from the increase in the number of cyber-attacks and high-profile corporate failures due to risk exposure. However, the practice of enterprise risk management is still relatively new fragmented, and under-researched compared to other areas of management21. Numerous risk management methodologies have been proposed, as well as various distinct guidelines, and standards that have been published. The purpose of this chapter is to introduce and discuss the relevant cyber risk management standards that can be used as guides at the strategic (governance) and operational (implementation) levels to develop a working framework for an organization. Some popular cyber risk management standards are presented to highlight the key components needed for establishing a holistic and effective enterprise-wide cybersecurity framework. The relevant imperatives in the ERM function such as executive-level sponsorship, leadership, policy formulation, a risk appetite definition with acceptable tolerance boundaries; structured process steps, oversight and reporting of the identified risks, risk monitoring, incident response, and recovery plan are illustrated and addressed. It is important to note that studying the different standards provides risk managers with a solid foundation to decide the relevant elements applicable to their company’s ERM initiative. Therefore, companies may choose to adapt their practices from multiple frameworks rather than adopt only one framework. The popular strategic and operational standards or frameworks will be discussed. It is also worth noting that some areas that standards address may overlap between the strategic and operational ERM
21
Research commissioned by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) highlights the state of play in this area. “COSO Report on ERM 2010,” at https://www.coso.org/Documents/COSO-Survey-Report-FULL-Web-R6FINAL-for-WEB-POSTING-111710.pdf.
Standards and Regulations
71
levels. This book adopts the NIST Cybersecurity Framework (NIST/CSF) as the reference standard at the operational cybersecurity risk management (CRM) level. We do this by incorporating elements of the NIST frameworks into a proposed cybersecurity-focused ERM model. We highlight the key components and mechanisms to illustrate and emphasize how they can be used by companies to establish a cyber ERM framework with SRM and ORM capabilities to safeguard SND against cyber-attack.
2. REGULATORY RISK MANAGEMENT The goals of standards or regulations, whether enforced or selfregulatory, are to reduce the likelihood of vulnerability, reduce the damage caused by vulnerability, and providing effective damage recovery mechanisms. Standards can be classified as self-regulated or enforced regimes. Self-regulation is a procedure in which an organization is asked to voluntarily monitor and regulate its adherence to specific standards, rather than having an outside, independent body such as a governmental entity oversee and enforce those standards. Alternatively, enforceable cybersecurity regulations are interventions that recognize the likelihood of an attack and, as a result, allow for the integration of detection and recovery processes into the traditional information security protection process. Therefore, regulatory compliance is a corporate function that focuses on meeting the criteria of externally imposed risk management laws, security standards, and industry guidelines. The globalization of business resulting from digital connectivity, trade, foreign direct investment, and global supply chains, has brought about a new set of risks that require a concerted and coordinated effort from the professions, regulators, governments, and corporations to address. Regulatory risk management is about aligning a company’s corporate governance function with industry good practices to enable an organization to mitigate those risks to achieve its strategy. The objective is to enhance the organization’s ability to understand business processes, manage operational changes and regulatory expectations. The task of “controlling
72
Kok-Boon Oh, Bruce Ho and Bret Slade
risk is an urgent one given that some risks are acquiring global proportions, and international standards, regulatory response and coordinated action at the international, regional, national and local levels are the best and perhaps the only means of treating risks that have potentially worldwide consequences” (UNECE, 2012). Countries have their corporate governance structures and national practices in these jurisdictions, and the primary objective of all countries is to promote greater efficiency and effectiveness in managing risk (OECD, 2014)22. Cyber risk poses a major challenge to regulators as it is a relatively new phenomenon that exists in a technologically complex landscape. Both technology and cyber risks are evolving rapidly. Companies must comply with specific risk management standards in a regulated environment, yet risk management methods are universal and evolving, and rules may not keep up with more current and innovative approaches. The establishment of internationally consistent standards will help multinational companies implement ERM and regulatory CRM practices across different jurisdictions for effective oversight. This makes CRM an organizationwide effort and avoids the silo or weakest-link effect when responding to threats in our highly interconnected digital world.
3. CYBERSECURITY STANDARDS AND FRAMEWORKS All firms should have a cyber risk management framework policy that defines the structure within which they will manage the diversity of risks, both within and external to their business, in a manner that is consistent with the accepted industry and firm organization-wide approach to risk management. 22
To illustrate the different contexts of regulatory risk systems, the Organization for Economic Co-operation and Development’s (OECD, 2014) article, “Risk Management and Corporate Governance, Corporate Governance” on corporate governance frameworks and practices relates to corporate risk management in three jurisdictions (Norway, Singapore, and Switzerland) highlights the different corporate governance structures and national practices in these jurisdictions. http://www.oecd.org/daf/ca/risk-management-corporategovernance.pdf.
Standards and Regulations
73
As the number of malicious cyber-attacks increases and become more sophisticated, many organizations consider a systematic approach to cybersecurity a necessity and a priority. This has led to initiatives by governments, regulators, and industry peak bodies to develop cybersecurity standards to assist organizations in establishing systemic and effective cybersecurity programs to enhance their digital security. Standards are defined as recommended guidelines, processes, and controls for the implementation of cybersecurity measures. Cybersecurity standards can also be clearly defined as measurable rules and requirements that have to be met to consider something compliant with the standard in question. This requires the organization to identify regulatory breaches and implement improvement measures and processes to ensure the effective management of compliance and regulatory obligations. Cybersecurity frameworks, on the other hand, are working models that incorporate best practices (focusing on “what to do,” rather than “how to do it”) as well as strategic and systematic guidelines from standards, defining the structures containing processes, practices, and technologies that businesses can readily adopt to protect their systems, networks, and data from cyber threats. Aligning organizational CRM to the ERM framework can result in a more robust risk control framework but this poses a challenge to most organizations as there is no uniform approach to implementing ERM (Rubino, 2018). The commonly cited ERM frameworks in the literature include the ISO 31000 risk management guidelines and the COSO ERM (Ahmad, Ng & McManus, 2014; Agarwal & Ansell, 2016). Risk management frameworks can be categorized by the types of organization and operation they apply to. While ISO 31000 and COSO/ERM are enterprise risk management frameworks that offer general guidelines for any type of organization, Basel III focuses on assessing risk and managing capital to strengthen the regulation, supervision, and risk management of the banking industry (see Figure 4.1). In the CRM category, COBIT covers a wide range of IT operations, while ISO 27001 focuses on the information security management part of the IT function.
74
Kok-Boon Oh, Bruce Ho and Bret Slade
NIST CSF COBIT ISO27001/27002 GDPR
IT
Operation
General
ISO31000 COSO/ERM
Basel III
Finance
General Industry
Figure 4.1. Standards categories.
4. CYBERSECURITY STRATEGIC ERM STANDARDS All firms should have an ERM framework policy that defines the structure with which they will manage the diversity of risks, both within and external to their business, in a manner that is consistent with the industry and firm enterprise risk management approach. Strategic ERM is premised on risk governance that defines the overarching risk standards, policies, practices, and processes to steer a corporation. The risk management strategy represents the company's risk governance requirements by providing an organized and cohesive approach to risk management. The popular strategic ERM standards as they apply to CRM are discussed in this section. The standards relevant to the planning and implementation of the overarching strategic ERM/SRM framework as shown in Figure 4.2 (adapted from Figure 3.6).
Standards and Regulations
75
Figure 4.2. ERM/SRM related standards.
4.1. ISO 31000 The ISO standards consist of codified risk management standards by the International Organization for Standardization (ISO). The ISO standards are internationally agreed upon by experts for describing the best way to achieving quality management across the organization. The ISO standards for cybersecurity guide the organization on how to keep sensitive information secure. The relevant standards in the family of ISO standards on ERM and cyber risk management are ISO 31000 and ISO 27000 series, respectively. This tutorial discusses the significance and relevance of ISO 31000:2018 Risk management - Guidelines to Strategic Risk Management (SRM) as a component of the ERM process. A management system is a set of guiding policies, processes, and procedures about a subject used by a company to ensure that it can complete the activities necessary to meet its goals and objectives. ISO 31000 provides foundation guidance for designing and implementing an enterprise risk management system (ERM) using a systematic approach. It outlines a generic approach to risk management that can be utilized by any type of company and may be applied to many categories of risks (financial, safety, and project risks). It focuses on both setting the standard and
76
Kok-Boon Oh, Bruce Ho and Bret Slade
implementing how all levels of an organization across its various business units may structure and integrate risk management. The design approach is that "risk management should be embedded into the policy development, business, and strategic planning and review, and change management processes" (Standards Australia 2009, p. 11). Alongside this is an emphasis on internal accountability, communication, reporting, recording, and risk posture review.
Figure 4.3. ISO 31000 - framework, principles, and process.
The original version of International Standard Organization 31000 (Risk Management – Principles and Guidelines) was published in 2009 and it was updated in February 2018. The structure of ISO 31000 consists of 3 components to provide the principles, a framework, and a process for
Standards and Regulations
77
managing risk (Figure 4.3). ISO 31000 offers a universally applicable outline for organizations to adopt an organization-wide approach for enterprise risk management. The ISO 31000 is a flexible framework that allows organizations to apply the principles and components that are most suited to their specific circumstances, as well as change other principles and components as needed. Therefore, it can be used by any organization regardless of its size, activity, or sector and as an international standard, it would be appropriate for those organizations with international operations. The organization’s ERM can be based on the ISO 31000 risk principles, serving as a guideline, method, rationale, design, and execution to underpin the implementation of its framework and processes. According to ISO 31000, these principles are not prescriptive and organizations should adopt and tailor these principles to their specific circumstances. Figure 4.3 depicts the ISO 31000 proposed structure that comprises the strategic risk management (SRM) and operational risk management (ORM) components. As a high-level guideline for the management of risk, it is a valuable tool for guiding the strategic planning activities for defining the actions needed in both these functions. These activities include formulating risk strategies per business vision, goals, and objectives, appointing key risk officers, defining the enterprise risk philosophy and culture, setting the risk tolerance threshold, allocating budgets for resources to implement the ERM function, and developing ERM implementation policies and processes.23 ISO 31000’s “Principles” highlights the underlying rudiments of an effective and efficient enterprise risk management program for creating value and protecting the organization. The underlying philosophy of the ISO 31000’s “principles” postulates risk management as a value proposition for organizations where an integrated risk management program that is structured, comprehensive, customized, inclusive, and dynamic permeates all business activities is capable of creating enterprise value for its shareholders. The risk management function is an important component of decision-making that is based on open discussion about 23
In the context of cybersecurity risk management, this involves preparing the Cybersecurity Strategic Plan (CSP) and Enterprise Information Security Policy (EISP).
78
Kok-Boon Oh, Bruce Ho and Bret Slade
threats and the best available information. The risk management processes are systematic, organized, and integrated and are capable of identifying and mitigating the organization’s assets at risk and their vulnerabilities in a timely and dynamic way. The organization recognizes humans and culture as important factors in the risk equation that must be considered and leveraged upon in all ERM initiatives. In addition, the organization's risk landscape, particularly cybersecurity due to rapidly evolving technology, is constantly changing so the ERM framework has to be flexible and adaptive to accommodate new knowledge and information for continual improvement. The “Framework” describes the elements of the enterprise risk management functions that reflect the organization's risk principles. The framework fosters leadership and commitment to ensure it is capable of integrating the ERM activities at the SRM and ORM levels of the organization in risk architecture, strategy, and protocols (IRM, 2018) or the design and implementation of policies and processes. In design, the framework must observe legal and regulatory compliance. The framework articulates the risk management principles and aligns with ERM objectives of the organization in offering an integrated practical and dynamic framework inclusive of evaluative and improvement mechanisms. An organization is ready to develop the “Process” after creating the risk management Framework. The process is “multi-step and iterative; aimed to identify and analyze risks in the organizational context,” according to ISO 31000. The “Process” outlines the steps (SRM & ORM) to be undertaken in the ERM function. They include studying the “scope, context and criteria” of managing the enterprise’s risk as well as conducting risk assessment, risk evaluation, risk treatment and, documentation and reporting (ISO 31000). The SRM and ORM processes are iterative for incessant vigilance and informed protection cycle against threats through communication and interaction among management, CRO risk manager, risk owners, participants, and stakeholders.
Standards and Regulations
79
4.2. COSO Enterprise Risk Management The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published the Enterprise Risk Management (ERM) standard in 2004, "COSO ERM Integrated Framework: Application Techniques (2004).” The original 2004 version was updated to the “Enterprise Risk Management – Integrating with Strategy & Performance” in 2017. The COSO ERM cube is well known to risk management practitioners and it is used by many organizations that are required to comply with Section 404 - Internal Controls over Financial Reporting (ICFR) requirement of the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act (SOX).
5. CYBERSECURITY OPERATIONAL STANDARDS Operational standards are used as a reference to design and implement an enterprise cybersecurity framework.
Operational Standards NIST/CSF ISO 27000/27001/27002 COBIT 5 GDPR Basel III
Figure 4.4. ERM/ORM related standards.
80
Kok-Boon Oh, Bruce Ho and Bret Slade
The standards offer insight into recommended guidelines, processes, and controls relating to security measures to plan and establish the actions of the ERM operational framework. Some of the more popular operational cyber risk management standards are, namely, NIST/CSF, ISO27000 series, COBIT5, GDPR, and Basel III (Figure 4.4).
5.1. NIST Cybersecurity Framework The NIST framework for improving critical infrastructure cybersecurity (NIST/CSF) consists of “standards, guidelines, and best practices to manage cybersecurity-related risk”24 is in response to President Obama's issued Executive Order 13636, on February 12, 2013. Originally developed and commissioned to serve as the primary communications tool and cybersecurity measure for US organizations that own, operate, or supply critical infrastructure. The NIST/CSF guides establish the necessary processes and fundamental controls for optimal cybersecurity for organizations in all sectors and of all sizes (i.e., large companies and SMEs). It is used by many multinational corporations and international governments and organizations around the world. The objective of the framework is to “develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.” The NIST/CSF has an implementation focus that is easy to understand making it a practical and useful tool for cyber risk management. It provides a structured and systematic approach for organizations to apply risk management principles and best practices. The framework enables organizations an oversight of their security strategies and to build, maintain and upgrade their cybersecurity operations to mitigate cyber risks. It is flexible and technology-neutral and can be used by any business to formally manage cyber risks.
24
The US National Institute of Standards and Technology (NIST)’s latest version 1.1 of the Cybersecurity Framework has been around since April 2018.
Standards and Regulations
81
The NIST/CSF structure consists of three parts: Framework Core, Framework Profile, and Framework Implementation Tiers. According to NIST, “they aid organizations in easily expressing their management of cybersecurity risk at a high level and enabling risk management decisions” by aligning business objectives and drivers with cybersecurity activities. The functions in the Framework Core are aligned with the phases of the ORM model (Figure 3.7) to form the cybersecurity operational risk control framework proposed in this book (Figure 3.10). Figure 4.5 depicts the alignment between NIST/CSF Framework Core functions with the ERM/ORM phases.
Figure 4.5. NIST/CSF Framework core & ERM/ORM alignment.
5.1.1. Framework Core The Framework Core comprises five interdependent core functions and their associated secondary functions that organizations can adopt for mitigating cyber threats and risks posed to the business operations25. The five core functions (code) are “Identify (ID), Protect (PR), Detect (DE), Respond (RS) & Recover (RC)” (see Figure 4.6) and together they form the backbone of the framework for a successful and holistic cybersecurity infrastructure. The five interdependent functions and categories all work continuously and concurrently, around which all other important 25
Source: National Institute of Technology & Science, Cybersecurity Framework. https://www.nist.gov/cyberframework/online-learning/five-functions.
82
Kok-Boon Oh, Bruce Ho and Bret Slade
cybersecurity elements are organized. The NIST/CSF's helpful references provide a direct link between its functions, categories, subcategories, and other frameworks' specific security measures. Identify function refers to defending the company against cyberattacks where the cybersecurity team must have a detailed awareness of the organization's most valuable assets and resources. The categories under this function are asset management, business environment, governance, risk assessment, risk management strategy, and supply chain risk management.
Figure 4.6. NIST/CSF Framework Core.
Standards and Regulations
83
The key technological and physical security controls for establishing and executing suitable safeguards and protecting critical infrastructure are covered by the protect function. Identity management and access control, data security, information protection processes and procedures, maintenance, and protective technology are the categories. The detect function implements countermeasures in the event of a cyberattack. The categories are anomalies and events, security continuous monitoring, and detection processes. The respond function categories ensure that cyberattacks and other cybersecurity situations are dealt with promptly and appropriately. Response planning, communications, analysis, mitigation, and enhancements are some of the specific areas. In the case of a cyberattack, security breach, or other cybersecurity event, recovery efforts implement plans for cyber resilience and maintain business continuity. Improvements in recovery planning and communications are among the recovery tasks. The NIST/CSF only gives a checklist of actions to be conducted, not instructions on how to inventory physical devices and systems or software platforms and applications. A company can use whatever technique it wants to document its inventory. If a company requires additional direction, it can consult the helpful references to similar controls in other complimentary standards. The NIST/CSF gives companies a lot of flexibility in selecting the technologies that best suit their cybersecurity risk management needs.
5.1.2. Framework Profile The Framework Profile (also known as the "Profile") is the alignment of the Functions, Categories, and Subcategories with the organization's business needs, risk tolerance, and resources. A Profile enables firms to create a cybersecurity risk reduction plan that is closely connected with organizational and sector goals, takes into account legal/regulatory requirements and industry best practices, and reflects risk management priorities. Framework Profiles can be used to characterize the existing state of various cybersecurity activities, as well as the desired objective state or
84
Kok-Boon Oh, Bruce Ho and Bret Slade
target profile. The outcomes required to meet the targeted cybersecurity risk management objectives are listed in the Target Profile. Therefore, profiles help organizations communicate business/mission requirements to all stakeholders, as well as risk communication between business units and companies.
5.1.3. Framework Implementation Tiers The Framework Implementation proposes four implementation stages to help firms track their progress towards implementing the NIST/CSF.
Tier 1 (partial) – Implies the organization is familiar with the NIST/CSF, and some components of control may have been applied in some portions of the infrastructure. Cybersecurity actions and protocols have been implemented in a reactive rather than planned manner. The company has a poor understanding of cybersecurity issues and lacks the processes and resources needed to ensure data protection. Tier 2 (risk-informed) - The company is increasingly conscious of cybersecurity threats, and information is shared informally. It lacks a well-thought-out, repeatable, and proactive cybersecurity risk management methodology across the board. Tier 3 (repeatable) - The company and its senior management are well aware of the dangers of cybercrime. They've put in place a repeatable, company-wide cybersecurity risk management strategy. The cybersecurity team has devised a strategy for successfully monitoring and responding to intrusions. Tier 4 (adaptive) - The company is prepared and cyber-resilient, and it uses lessons learned and predictive indicators to avoid cyber-attacks. The cybersecurity team works to develop and advance the organization's cybersecurity technology and procedures, as well as swiftly and effectively adjust to threats. Risk-informed decision-making, policies, procedures, and processes are all part of an organization-wide approach to information security risk management. Cybersecurity risk
Standards and Regulations management is incorporated into budget organizational culture in adaptive enterprises.
85 decisions
and
5.2. ISO 27000 Series
ISO 27000 Overview & Vocabulary
The ISO 27000 series standards offer a guide to assist companies in managing cyber-attack risks and data security threats26. The ISO27000 series standards are risk-aligned, which means that businesses are urged to assess the security threats to their information before managing them in various ways, dealing with the largest risks first. The ISO 270001 family of standards, often known as the ISO 27000 series, is a set of best practices designed to assist businesses in improving their information security.
ISO 27002 Code of Practice
ISO 27003 Implementation Guide
ISO 27004 Measurements
ISO 27005 Risk Management
ISO 27001 Requirements
ISO 27006 Certification Requirements
ISO 27032 Guidelines for Cybersecurity
ISO 27033 Network Security
ISO 27103 Using an ISMS for Cybersecurity
Figure 4.7. ISO 27000 series standards (selected).
The ISO 27000 standard is one of 46 in the series, and it serves as an introduction to the family as well as a glossary of keywords and concepts, some of the standards are presented in Figure 4.7. ISO 27000 standard 26
ISO 27005:2011 is aligned with the risk management standard ISO31000 to enable easier integration of enterprise risk management approaches with information security risk management. It provides practical guidance on carrying out the risk assessment required by ISO27001, together with clear guidance on risk scales. It has good guidance on threats, vulnerabilities, likelihoods, and impacts.
86
Kok-Boon Oh, Bruce Ho and Bret Slade
'provides guidelines for information security risk management and 'supports the general concepts specified in ISO 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. The following sections introduce selected ISO standards to illustrate the types of contents that are in them. The standards covered are ISO 27000 (Overview & Vocabulary), ISO 27001 (Requirements), ISO 27002 (Code of Practice), ISO 27003 (Implementation), and ISO 27005 (Risk Management).
5.2.1. ISO 27000 – Overview and Vocabulary ISO 27000 provides a summary of the Information Security Management Systems (ISMS). It also includes a glossary of words and meanings that are frequently used in the ISMS family of standards. This text is useful to companies of all types and sizes (e.g., commercial enterprises, government agencies, not-for-profit organizations). 5.2.2. ISO 27001:2005 - Requirements ISO 27001 is the standard for ISMS, and it includes standards for the risk management process, which should be consulted for selecting security solutions that are appropriate for the threats faced by a company. ISO 27001 provides a methodology on how to implement information security or cybersecurity in an organization and is an internationally recognized best-practice standard for an ISMS. It highlights the requirements for an ISMS system. The goal is to create commercial benefits while adhering to legal and regulatory obligations as well as the expectations of all parties involved. It is technology-neutral and applicable to any type of organization with broad application. It helps companies identify risks and puts in place security measures to manage or reduce risks to business digital systems, networks and data. By being ISO 27001 compliant, a company demonstrates it meets the ISMS international best-practice and shows customers, suppliers, and other stakeholders that it is capable of handling the information securely. Table 4.1 aligns the ERM with the elements in the ISP 27001:2005 standard.
Standards and Regulations
87
Table 4.1. ERM-ISO 27001 alignment ERM Strategic RM
Operational RM
Formulate risk strategy & policy + Evaluate & align information assets to business strategy Identify risk to critical assets
IEC/ISO27001:2005 Establish a structure, processes & risk tolerance for coordinating ISMS through the appropriate policy for managing informational assets.
These processes result in a constant review & updating of information asset inventory and answer the question, "what needs to be protected?" Assess risk Once the critical assets have been identified, the organization performs risk assessment according to an agreed methodology (to answer the question ("what are the threats to the assets?"). This results in a list of risks that are then ranked according to their level of criticality. +Crisis Mitigate risk Taking into account the risk acceptance criteria, the Management organization decides whether to accept each risk, avoid it, transfer it or mitigate it by implementing the appropriate measures. Monitor & report The ISMS has a set of improvement processes: all risk procedures within its scope are subject to regular internal + audits and corrective and preventive actions, and the Crisis response & characteristics of the system and the risks are analyzed recovery during periodic management reviews. Source: Adapted from “Risk management in regulatory frameworks: towards a better management of risks,” UNECE, p.10 & https://www.iso.org/standard/42103.html.
5.2.3. ISO 27002 - Code of Practice ISO 27002 is a guideline document that outlines best practices for implementing the risk controls contained in Annex A of ISO 27001. It complements ISO 27001 and should be read in conjunction with it. ISO/IEC 27002 provides the best practices on information security controls for establishing, implementing, or maintaining ISMS. ISO 27002 is a "code of practice," not a formal specification like ISO/IEC 27001. It is a broad, advising document, which suggests information security controls to address information security control objectives coming from threats to information's confidentiality, integrity, and availability.
88
Kok-Boon Oh, Bruce Ho and Bret Slade
5.2.4. ISO 27003 – Implementation Guide ISO 27003 covers ISMS implementation guidance. It guides implementing the ISO 27000 series standards, covering the management system aspects in particular. Its scope is simply to provide a practical guide for implementing an Information Security Management System (ISMS) in an organization based on ISO 27001. The process outlined in this international Standard for assisting in the implementation of ISO 27001 includes preparing an ISMS implementation strategy in an organization, defining the business's organizational structure, and securing management approval. It also provides a list of the critical ISMS activities and examples of how to fulfill the ISO 27001 requirements.
5.2.5. ISO 27005 – Risk Management One of the most significant aspects of an organization's ISO 27001 compliance effort is risk assessments. ISO 27005 explains how to conduct an information security risk assessment that meets ISO 27001's standards. It is a set of principles for establishing a systematic approach to information security risk management, which is required to identify organizational information security needs and construct an effective information security management system. Even though ISO 27005 does not provide a specific risk management methodology, it does suggest a continuous information risk management strategy based on six critical components: Establishing the context; Assessment of the dangers; Treatment for risk factors; Acceptance of risk, Risk communication and, Review and monitoring of risks.
5.3. Control Objectives for Information and Related Technology (COBIT 5) Since 2012, COBIT 5 has been playing a crucial role as a business framework for the governance and risk management of enterprise IT. This framework also emphasizes a strategic integration of enterprise and IT
Standards and Regulations
89
security. In 2019 it was updated in response to the changes brought by new technologies and business practices. COBIT 5 is a generic and overarching framework that may be used on businesses of all sizes, whether they are for-profit, non-profit, or government. It is a business framework for enterprise IT governance and management based on a single language for all stakeholders to express goals, objectives, and expected outcomes. The framework provides a set of tools to manage the risks of organization IT to assure that is functioning properly. It is based on and incorporates industry standards and best practices in the following areas: IT should be strategically aligned with business objectives; service delivery and new project development are valued; risk management function is performed throughout the organization, and risk control performance is reviewed and measured periodically. The goal of COBIT 5 is to assist enterprises in maximizing the value of their intellectual property by ensuring compliance and managing risk and security through effective IT governance and management.
5.4. General Data Protection Regulation (GDPR) There is greater attention towards tougher data protection regimes globally with countries in Asia, Europe, and North America considering or have already enforced new laws relating to data protection rules. These laws are rigorous in terms of the threat of significant fines in the event of a breach. There are tougher guidelines on data protection in the pipeline in Australia, Hong Kong, Singapore, and China and more countries are expected to join the bandwagon. The principles for handling and security of personal data shall be lawful, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. The European Data Protection Regulation introduced as of May 25th, 2018 applies to all member states to harmonize data privacy laws across Europe.
90
Kok-Boon Oh, Bruce Ho and Bret Slade
The purpose of the GDPR is to ensure there is accountability in the management of data. Data protection must be considered early in the design phase, with control measures in place for the type of data, data source, and data minimization strategies, and data security is built-in and is enabled by default. GDPR requires those who collect, utilize and retain data will be assigned data protection responsibilities by the organization, and when necessary, a data protection officer should be appointed. When collaborating with third parties, data processing agreement contracts must be in place. To ensure data security, the business will employ technical and operational safeguards such as two-factor authentication and end-to-end encryption. Staff training, a data privacy policy, and limited access privileges to personal data are examples of operational measures. Under GDPR, processing personal data is typically banned unless the processing is expressly permitted by law or the data subject has given his or her consent.
5.5. Basel III The Basel Committee on Banking Supervision designed Basel III as a set of internationally agreed-upon policies in response to the financial crisis of 2007-09. The reforms are intended to improve bank regulation, oversight, and risk management. Its purpose is to fortify global capital by reinforcing liquidity rules to build a more resilient banking sector to prevent financial and economic instabilities. Basel III encompasses crucial issues of banking sectors regarding minimum capital requirements and buffers, risk coverage, capital conservation buffer, countercyclical buffer, and leverage ratio. The level of technology investment necessary to comply with Basel III requirements will be primarily determined by a bank's investment to comply with Basel II regulations. If a bank already has fully operational and auditable risk management and measurement system, it will only need to make incremental investments to meet Basel III's 'solvency' requirements.
Standards and Regulations
91
CONCLUSION To improve enterprise cyber risk management, more efforts and cooperation are needed to standardize frameworks and terminology to provide for a consistent or universal approach to addressing cybersecurity issues. There is greater attention towards tougher data protection regimes globally with countries in Asia, Europe, and North America considering or have already enforced new laws relating to data protection rules. These laws are rigorous in terms of the threat of significant fines in the event of a breach. There are tougher guidelines on data protection in the pipeline in Australia, Hong Kong, Singapore, and China and more countries are expected to join the bandwagon.
Chapter 5
CYBER RISK IDENTIFICATION 1. INTRODUCTION The first phase of the operational risk control process is risk identification, which lays the foundation for building the organization’s risk profile. Cyber risk is another kind of operational risk that a firm faces in its daily business activities. The cyber risk management function requires the organization to design and implement risk mitigation measures at both the strategic and operational levels. There are different aspects of risk mitigation for protecting the security of an organization’s critical information assets and this chapter discusses the first step in the operational risk management (ORM) process for cybersecurity. This step is one relating to identifying cyber risks in the company. As input to the enterprise risk management process, it is an important function because if a risk cannot be identified, the subsequent phases of the risk management process cannot be implemented for that risk. Most large enterprises have risk management systems that identify risks associated with a given set of assets. Typically, these systems collect data from throughout the business to indicate where risks may lie and then communicate that information to the risk team to be analyzed. The systems operate to notify businesses (or
94
Kok-Boon Oh, Bruce Ho and Bret Slade
specifically, the owner of a particular risk issue) of the risk exposures, including any security breaches. This chapter introduces some of the tools and techniques used to scan the enterprise informational assets to identify cyber threats. This function requires an understanding of the company’s business, business objectives, and environments. It is only through this knowledge that we can identify the inherent risks and appreciate the nature of the risk exposure it poses to the organization. Typically, in an enterprise risk management context, the goal of this function is to identify all the firm’s risk factors, including financial, social, economic, political, legal, and cyber risks that can have a significant adverse effect separately, or in combination, on its cash flows, earnings, and financial position.
2. RISK IDENTIFICATION Risk identification is about collaboration, data collection, analysis, and brainstorming involving relevant stakeholders in an environment that encourages free and open risk disclosure and debate. The enterprise risk management operational framework is a four-step process (Figure 5.1) that starts with risk identification and requires an understanding of the firm’s operations and objectives. This first step of the ORM process requires a company to identify its critical assets and the greatest vulnerabilities that may prevent it from realizing its business objectives. The purpose of risk identification is to prepare a listing of all the relevant risks that might affect the company. It allows a visual and an insight into the primary areas of uncertainty by detecting and categorizing as many of the company’s risk factors as possible. The process of identifying risk can happen as initial risk identification for a new company or as a continuous assessment (Robin et al. 2002) function to identify emerging risks necessitated by changes in the operating environment. Risk identification is also conducted in the SRM process as an initial risk assessment for establishing risk strategies, action plans, policies & procedures (see Figure 3.9: SRM process for cybersecurity in Chapter 3).
Cyber Risk Identification
95
The emerging cyber threats are a result of a rapidly changing technological environment as systems become more interconnected. Some of these threats are likely to emanate from cloud computing, artificial intelligenceenabled attacks, deepfakes, blockchain, machine learning poisoning, and smart contract hacking (Belani, 2020).
Figure 5.1. Risk identification phase in the ERM/ORM cycle.
As discussed in Chapter 1, it is worth reiterating that uncertainty (threat) is an abstract concept and “risk” is quantifiable uncertainty in terms of its outcome (impact) and probable frequency of occurrence (vulnerability). It is only through an understanding of the business objectives and its operations that we can appreciate the complexities of its risk exposure (Oh et al., 2018). For example, a cyber-attack may result in reputational damage to the firm that may cause liability losses and future revenue losses27. Therefore, the purpose of risk identification is to discover as many of the threat events that may result in risk exposure. It is not possible to identify all the potential cyber threats nor are all cyber risks critical to the extent that they may cause substantial harm to the company. 27
Yahoo data breaches in 2013 and 2014 (reported in 2016) illustrate how cyberattacks caused the firm to suffer losses due to reputational damage. Yahoo became a regulatory enforcement target and incurred costs from an ongoing government investigation.
96
Kok-Boon Oh, Bruce Ho and Bret Slade
Nevertheless, the risk identification focus must be deliberately expansive (Robin et al., 2002) and the risk manager should identify as many potential threats as possible. It is the management's responsibility to identify risks and the chief risk officer should take the lead and responsibility to perform risk identification on strategic objectives. An alpha-beta risk approach in risk analysis is needed to consider the risks inherent in the market, industry, and the unique risks of the firm's operations. Some industries are more susceptible to cyber-attacks (Ettridge, Guo & Li, 2020; Kamiya et al., 2020). This approach must take into account the firm’s entire risk environments, both internal and external risk factors.
3. IDENTIFYING CYBER THREATS Identifying cyber threats faced by a firm requires an understanding of the company's business, business objectives, and threat environments. The risk strategy has to be consistent with the company’s objectives starting with the risk identification step to make sure that the key business assumptions made by management are understood to capture as many cyber risk factors as possible. Assumptions vary according to the company’s business, where a utility company fears a power outage28 and a healthcare business is concerned about electronic health record (EHR) downtime29. This knowledge will help in associating the company’s vulnerabilities with the potential cyber threats to its business systems, networks, and data. Therefore, the risk identification process should start with a view of the business and its value chain to identify critical information assets (McKinsey, 2017). Gregersen (2018) suggests that asking questions about a subject is a good technique for achieving results 28
On 23 December 2015, the information systems of three Ukrainian energy distribution companies were compromised by hackers disrupting the electricity supply to consumers. It is the first known successful cyberattack on a power grid. 29 On 27 September 2020, a ransomware attack on 400 UHS care sites that caused a three-week HER downtime resulted in $67 million in lost operating income, labor expenses, and overall recovery costs.
Cyber Risk Identification
97
in brainstorming sessions. In Table 5.1, the threat identification questions based on “what, why, who, when, and where" of the cybersecurity of digital assets throughout the business value chain can help to discover potential risk factors in terms of how they create and destroy value in a firm. Table 5.1. Threat identification questions Questions What do we do to create value?
Implications What are the digital resources we cannot do without? What are the organization’s critical digital assets?
What can happen to destroy value? Why? When? Who? & Where?
What is the impact on value from a threat based on the probability and the estimated distribution of risk outcomes?
NIST/CSF category ID:AM; ID:BE; ID:SC
What digital assets should be protected? What are the potential cyber threats or harm to our infrastructures (networks, systems & data), employees, customers, partners, and visitors?
ID:AM; ID:BE; ID:SC
What are the potential losses? What priority and quantity of resources need to be assigned and allocated to minimize negative risk impact?
ID:RA
The impact or loss to the firm from cybersecurity risk is largely a result of a compromise on the confidentiality, integrity, and availability of a firm’s critical systems, networks, and data. The usual consequences from such risks can be categorized as denial of service, information corruption, and data theft. Proactive and early identification of threats is essential components of effective risk management. The screening for risk covers all digital infrastructures and applications of a company where business SND assets reside. The risk identification methodologies should define, categorize the vulnerabilities or weaknesses as to how they can pose a
98
Kok-Boon Oh, Bruce Ho and Bret Slade
threat to the organization. A clear, unambiguous, consensus description of the risks captured is the minimum outcome from the risk identification processes (Robin et al., 2002). At the micro-level, an effective identification function requires the systematic listing, classification, and risk assessment of all value-creating information assets used by the organization. Likewise, the macro risk factors or market risk factors are also listed, classified, and assessed for their impact on the organization. Once the value-creating SND processes and vulnerable assets are recognized, a thorough identification of associated threats or dependencies is conducted. If companies are to understand the various types of threats, they are likely to face and the types of countermeasures that need to be implemented, it is particularly important to define the objectives of different criminals or perpetrators and their motivations. Threats can be categorized by motivations into four different categories as discussed in Chapter 2. The vectors of attack, threat actors, and motivations are presented in Table 5.2 below: Table 5.2. Vectors, threat actors, and objectives Vector of attack Unintentional external threats
Threat actor/Cause, motivation & objectives Third-party partners/Human error, negligence, or accidental act
Unintentional internal threats
Employee or third parties (suppliers, sub-contractors, or partners) /Human error, negligence, or accidental act
Malicious external threats
Hackers/Financial gain Hacktivists/Sabotage to express political, social, or religious views Criminal syndicates/Financial gain Nation-states/Sabotage, cyberwar, or data theft
Malicious internal threats
Employee or third parties/Emotion or data theft for financial gain
There are generally three forms of financial gains for cybercriminals who carry out cyber-attacks, being extortion, ransom, or sale of stolen data (Fowler, 2016). On the other hand, cybercriminals driven by political or ideological motivations commit crimes to enforce their philosophical
Cyber Risk Identification
99
convictions. Employees who pose a malicious internal cyber threat to the company are those who steal sensitive data for financial gain. Another type of malicious internal threat comes from employees who commit cybercrime to vent their frustrations by destroying a company's networks. Malicious external threats that are state-sanctioned or sponsored are carried out by nation-states for economic, political, and military objectives. The impacts from such cyberattacks can be data theft, intelligencegathering, and destructive attacks on critical assets. The output of the risk identification process is a set of risk statements (Robin et al., 2002) that report the results explaining the profile and causal relationship of threats recognized by the risk identification participants. This information should be documented in the risk register.
4. NIST/CSF – IDENTIFY FUNCTION “Identify” is the first core function of NIST/CSF Framework Core that assists in “developing an organizational understanding to managing cybersecurity risk to systems, people, assets, data, and capabilities.” It is important to identify as many of the potential risks that may cause harm to the organization's systems, networks, and data to protect the CIA security triad for the organization to operate normally. This function provides the foundation for the subsequent NIST/CSF functions to be built upon. To do this, organizations must conduct a comprehensive inventory of potential cyber risks that must be documented for quantification of their potential impacts on business. Each NIST framework function comprises outcome categories and subcategory activities that describe the kinds of processes and tasks organizations should carry out for that framework level. The Identify function contains six outcome categories and their respective subcategory activities (Table 5.3).
100
Kok-Boon Oh, Bruce Ho and Bret Slade
Table 5.3. Identify function – outcome categories/sub-categories Identify (ID) Category Asset management (ID:AM)
Business Environment (ID:BE)
Sub-category Asset inventory (ID:AM1) Software inventory (ID:AM2) Organization ICT map (ID:AM3) External ICT catalog (ID:AM4) Resources priority list (ID:AM5) Cybersecurity roles & responsibilities (ID:AM6)
Governance (ID:GV)
Risk assessment (ID:RA)
Supply chain role (ID:BE1) Organization IT & Industry position (ID:BE2) Organizational mission, objectives & activities (ID:BE3) Dependencies & critical functions for service delivery (ID:BE4) Resilience requirements for service delivery (ID:BE5) Information security policy (ID:GV1) Information security roles & responsibilities coordination (ID:GV2) Legal and regulatory requirements (ID:GV3) Governance and risk management processes (ID:GV4)
Critical assets identified & documented (ID:RA1) Shared information on threats & vulnerabilities (ID:RA2) Internal and external threats are documented (ID:RA3) Likelihoods & impacts analysis (ID:RA4) Threats, vulnerabilities, likelihoods, and impacts are used to determine risk (ID:RA5) Risk responses identified and prioritized (ID:RA6)
Risk management strategy (ID:RM)
Risk management processes (ID:RM1) Risk tolerance (ID:RM2) Informed risk tolerance (ID:RM3)
Supply chain (ID:SC)
Cyber supply chain RM processes defined and agreed upon by organization stakeholders (ID:SC1) Suppliers and third-party partners of information systems, components, and services are assessed & documented (ID:SC2) Supplier and third-party contracts implement measures to meet the organization’s cybersecurity objectives & plan (ID:SC3) Suppliers and third-party partners are routinely assessed to confirm satisfactory contractual obligations (ID:SC4) Recovery planning and testing and response are conducted with both suppliers and third-party providers (ID:SC5)
Cyber Risk Identification
101
The shaded sub-categories in Table 5.x are those that pertain to the Risk Identification function (Step One) in the ERM/ORM process. The actions reflected in these sub-categories are also considered to be consistent with the SRM initiatives of the “risk assessment” phase of the ERM model (see Figure 3.9: SRM process for cybersecurity ERM in Chapter 3). The remaining categories/sub-categories are more closely aligned with other components of the TRMM. The categories business environment (ID:BE), governance (ID:GV), and risk management strategy (ID:RM) are activities that are consistent with the SRM process (The strategic aspects of these categories are discussed in Chapter 10). Whilst some of the sub-categories (ID:RA4; ID:RA5 & ID:RA6) in the “Risk Assessment” category would match the Assessment phase activities in the ORM process. The threat identification question of estimating the “probability and distribution of risk outcomes” to estimate the impact on firm value (Table 5.3) corresponds with sub-category items “likelihoods and impacts analysis” (ID:RA4), “utilizing threats, vulnerabilities, likelihoods & impacts to determine risk” (ID:RA5) and “risk responses identified and prioritized” (ID:RA6), which are also activities conducted in the “assessment” phase (Step 2) in the ERM/ORM process. These activities are discussed in detail on risk assessment in Chapter 6. In Table 5.3 above, the sub-categories that are highlighted in asset management (ID:AM) and risk assessment (ID:RA) categories (and supply chain (ID:SC)) of the NIST/CSF’s Identify function are actions (see Figure 5.2 below) that are aligned with the Identify stage of the ERM/ORM. The following section discusses these sub-categories vis-à-vis the Risk Identification phase. Asset inventory (ID:AM1) pertains to the identification and documentation of all critical SND or digital assets, including “software platforms and applications,” (ID:AM2) that are required to facilitate the company in fulfilling its business strategies and business objectives. A network diagram is prepared to shows how the company’s information network works (ID:AM3). It depicts the various components that make up a network, including external systems (ID:AM4), as well as how they
102
Kok-Boon Oh, Bruce Ho and Bret Slade
interact, such as routers, devices, hubs, firewalls, and the Internet to help identify threats and vulnerabilities. The critical information assets are then documented (ID:RA1), including that of suppliers and third-party partners (ID:SC1), for analysis to protect against cyber-attacks. Cybersecurity threat information is shared with different sources (ID:RA2) to communicate and heighten awareness of internal and external threats (ID:RA3).
NIST/CSF
ERM/ORM Risk identification (Step 1)
Core function: Identify Category: AM & RA Sub-category: Asset inventory (ID:AM1) Software inventory (ID:AM2) Organization ICT map (ID:AM3) Catalogue external ICT (ID:AM4) Critical assets identified & documented (ID:RA1) Shared information on threats & vulnerabilities (ID:RA2) Internal and external threats are documented (ID:RA3) Cyber supply chain RM processes defined and agreed by organization stakeholders (ID:SC1)
Figure 5.2. ERM/ORM & NIST/CSF alignment.
5. RISK IDENTIFICATION, THREATS, AND CIA TRIAD The CIA cyber security triad (Rouse, 2014) as referred to earlier consists of the three cybersecurity attributes of confidentiality, integrity, and availability for an organization's digital infrastructure. It provides a useful dimension to complement the traditional risk management framework in cybersecurity analysis (Gerber & Von Solms, 2005). It is used to identify and classify cyber risks to better understand the types or
Cyber Risk Identification
103
methods of cyber-attacks and how they compromise each of these three elements (Biener, Eling & Wirfs, 2015; McShane & Nguyen, 2020).
5.1. Confidentiality A data breach is likely to affect confidentiality, which is about keeping sensitive information private and only accessible by those who are authorized to do so. Restrictions must be put in place to control those who have authorized access. Data should be categorized according to their levels of sensitivity and different restrictions are implemented according to the degree of sensitivity. Sensitivity refers to the damage or disruption to the organization if the data is compromised. The types of threats to the confidentiality of systems are when encrypted data are cracked, man-in-the-middle attack, a data breach, or unauthorized copying of sensitive data and installing malware or spyware on a server.
5.2. Integrity Integrity relates to maintaining consistency, accuracy, and reliability over the lifecycle of the data. Controls include file permissions and user access control. Controls over data changes are also necessary by using data checksums or cryptography. Graphic checksums for verification and integrity backup must be available to restore data to its original state. A web intrusion for malware insertion or a malicious malware attack would compromise the integrity of the organization’s data. A malicious unauthorized database scan or a modification (such as a website defacement) could cause the loss of integrity of key data. A ransomware attack or a denial of service, to install spam and viruses to a company’s computers on the Internet can also result in loss of integrity of computer systems and data.
104
Kok-Boon Oh, Bruce Ho and Bret Slade
5.3. Availability Availability requires the rigorous maintenance of all hardware to ensure they remain functional and always available. An efficient functional operating environment without software conflicts is important for the optimal functionality of the systems and networks. Systems updates must be actioned immediately and there must be enough bandwidth to cater to digital traffic that is expected. Availability of systems can be lost from denial of service (D/DDOS) attacks, ransomware attacks such as the WannaCry ransomware attacks, forced data encryption, and malicious internal disruption of power supply to server rooms. Donn B. Parker proposed the Parkerian hexad, a set of six information security factors, in 1998. The Parkerian Hexad (PH) is based on the CIA model. The Parkerian hexad adds three more security features to the three fundamental security features of the CIA triad. The three additional features are possession or control, authenticity, and utility. Humans are the greatest threat to information security. The additions to the CIA triad can be used to provide a more detailed description or dimension of a security situation, including the vulnerability of people, to facilitate cyber threat identification, assessment, and mitigation (Falco et al., 2019). The additional features make the CIA triad a more comprehensive and complete model for data security today.
6. RISK IDENTIFICATION TOOLS AND TECHNIQUES Risk identification is all about trying to determine and characterize threats to “systems, people, assets, data, and capabilities” (NIST/CSF) and finding techniques, tools, and models to carry out the task. There is no universal or uniform approach in ERM in the use of tools or techniques for identifying risks that could cause an organization's strategy and objectives to fail. The risk identification task involves determining the types of problems that could jeopardize the company’s ability to do business.
Cyber Risk Identification
105
Sometimes companies bring in cybersecurity consultants to advise management on how to identify the threats. The problems identified are listed and are further explained and categorized into more detailed scenarios. For example, a problem could be identified as a cyber threat caused by a data breach and malware attack as the specific type of risk within the category. Information about those problems is captured in the organization’s risk register with the actors, vectors of attack, and inherent risks explained in detail. The problems and risks can be categorized according to risk types such as financial, operational (including cyber risk), or regulatory in the register. If a phenomenon has not been studied substantially in the literature, it warrants a qualitative approach to explore and understand the key factors, i.e., unknowns (Pham & Oh, 2021). There is still only a paucity of knowledge especially about the human behavioral aspects of cybersecurity (Hurst, Merabti & Fergus, 2014; Gisladottir, Ganin, Keisler, Kepner & Linkov, 2017), which requires further qualitative research into human behavior of attackers and victims of cyber events. Identifying cyber threats essentially uses a qualitative approach with the prerequisite technical knowledge of the interdependences and interactions between business processes and information system components. The qualitative methods can include expert judgment or questionnaires to identify cyber threats. The qualitative evaluation aims to decompose risk to identify the exposure of a system or network to cyber threats and to assess the impact on potential performance relative to management criteria. Therefore, it is important to reiterate that before beginning the identification, the analyst must understand the business model, business system or network and its functions, the IT architecture, and management philosophy. The common approaches for identifying risk are SWOT analysis, information gathering techniques, root cause analysis, checklist analysis, assumption analysis, document review, expert judgment, factor analysis of information risk, and penetration testing. They are discussed in detail in the following sections.
106
Kok-Boon Oh, Bruce Ho and Bret Slade
6.1. SWOT Analysis (Strengths, Weaknesses, Opportunities, and Threats) SWOT (Strengths-Weaknesses-Opportunities-Threats) analysis is a structured management approach with well-established techniques frequently employed for strategy formulation. SWOT analysis is a study undertaken to identify an organization’s strengths and weaknesses, as well as its external opportunities and threats, and from which risks are determined. SWOT is a kind of situation analysis approach in management science: S is Strength which refers to the advantages of a corporation; W is Weakness refers to the disadvantages of a corporation; O is Opportunity meaning market opportunities of the firm; T is Threat which means external threats and risks of the firm. S (Strength) and W (Weakness) are the internal elements of a corporation including structure, culture, systems, networks, databases, financial and human resources. O (Opportunity) and T (Threat) refer to factors in the external environment (e.g., the Internet, third party systems & networks, political risks, competitors, and market risks) that a corporation does not control. To identify cyber risks using SWOT, the primary focus should be on analyzing and debating the corporation's weaknesses and threats. However, in a rapidly-changing digital landscape, opportunity and threat may converge and matters that are regarded as opportunities may pose some threats for the company, such as the adoption of eCommerce or information technology. On the contrary, threats may have opportunities such as a potential data breach and outsourcing of data storage to a cloud provider. Therefore, management must focus on studying market conditions to identify opportunities from risks as well as analyze and understand the strengths and weaknesses within the organization to gain advantages (Ho, Oh, Durden & Slade, 2010). However, the rigidity of SWOT may restrict creative thinking and as a result, some risks may not be identified.
Cyber Risk Identification
107
6.2. Information Gathering Techniques Three techniques are addressed. 1. Brainstorming or workshopping is a group information gathering technique with a focus on the identification of risk for the enterprise. Firstly, all participants must have the same understanding of the risk (Robin et al., 2002) and are informed clearly of the objectives of the brainstorming session before being left to create a list of risks. It may take several iterations of brainstorming to narrow down the initial list of risks to those that are considered critical. Based on their different backgrounds and shared knowledge, participants work as a team to facilitate and contribute to the task in a brainstorming session. For brainstorming to be effective as a risk identification technique, participants in each session need to collectively possess a crosssection of knowledge of enterprise risk management and the relevant risk environment to help explain how risks and objectives are linked and how they can affect different businesses and divisions. The disadvantages of this approach are senior management domination and some risks are missed because wrong people are involved. 2. The Delphi Method is a structured communication technique that relies on a panel of experts. For ERM key managers or personnel are considered the "experts" in their areas of operation and are consulted in a systematic and interactive forecasting process to identify enterprise risks. The experts answer questionnaires in two or more rounds and their responses are compiled, and results are sent back to them for further review until a consensus is reached. 3. ‘Survey’ or ‘Interviewing’ for information gathering involves conducting interviews with operational managers, employees, participants, experts, stakeholders, etc. to identify risks. A risk questionnaire can be used to identify risks by asking a series of questions on threats and vulnerabilities in both internal and
108
Kok-Boon Oh, Bruce Ho and Bret Slade external digital landscapes. Typical questions are those asking employees to list the significant cyber/information risks relating to attaining strategic business goals or objectives. The collated information from surveys can be used in brainstorming sessions to further define, refine, and narrow the list to only the critical risks. This technique garners greater involvement than workshops but may be disadvantaged because it relies on historical knowledge.
6.3. Bow-Tie Analysis It is crucial to evaluate the relationships between different assumptions while modeling cyber threats and vulnerabilities. A bow-tie diagram is a useful tool for in-depth risk analysis and identifying interdependencies. The Bow-tie method forms the basis of risk analysis to identify and analyze threats and vulnerabilities to determine where risk controls may be necessary. This type of study aids in determining the causes and effects of each risk, as well as improving risk modeling and detecting correlations between various strategic business objectives, management assumptions, and scenarios. It graphically depicts the pathways of risks in a simple qualitative cause-consequence diagram. The left-hand side of the diagram analyses the cause of an event or risk (the fault tree) and the right-hand side analyses the consequences (the event tree). Diagrammatically, the bow tie is constructed from fault and event trees where the knot of the bow tie is at the point where on the left the fault tree paths converge and, on the right, the event tree spans out (Figure 5.3). The information for the construction of the bow tie diagram is collected from brainstorming sessions on risk exploration and discovery. The causes on the left side of the bow tie need to be aligned to the business objectives, critical assets, and vulnerabilities to identify the threats to the organization.
Cyber Risk Identification
109
Vision, Mission, Strategy & Objectives Systems, Networks & Data Confidentiality, Integrity & Availability
Causes
Consequences
Risk Management Strategy
Figure 5.3. Bow tie risk analysis.
From the causes and consequences identified, the threats are examined and quantified in the assessment step to help design the risk management strategy for mitigating the vulnerabilities (causes) and/or consequences (risks) by changing the likelihood of the event or circumstance, or changing its consequences, respectively. For example, antivirus software may protect a system from a malware attack or prevent a cause from happening while network segmentation may prevent an attack from spreading to other parts of a network by limiting the consequences. The bow-tie method is also useful for reviewing risk mitigation controls or measures to monitor and gauge their effectiveness as part of the operational risk management cycle.
6.4. Business Impact Analysis The Business Impact Analysis (BIA) aligns information system elements (systems, networks, and data) with the organization's stated objective, identifying the most significant information system elements based on the cost of business disruption. A business impact analysis (BIA) is a systematic procedure for identifying critical SND by evaluating the possible impact and implications of a cyber breach or risk incident based
110
Kok-Boon Oh, Bruce Ho and Bret Slade
on their criticality to business operations. Hence, the BIA’s function overlaps risk identification (Step 1) and risk assessment (Step 2). It is a viable tool for risk identification as well as risk assessment for ranking risks for the subsequent phase of the risk control process (i.e., Step 3 - risk mitigation) to plan and develop strategies for minimizing risk. The BIA, as a risk assessment tool, is vital to the risk control process because it assesses the possible consequences and implications of a cyber-attack on critical business systems, networks, and data by quantifying the financial and nonfinancial costs. The first stage of BIA is to define the business operations that the system or network under consideration support and determining the maximum amount of time the system or network can be disrupted while still completing its objective (i.e., costs or impact). Next, the resources necessary to resume business operations are identified. Based on information collected in these two stages, we can align the systems or networks to business objectives and important processes. Priority levels can then be assigned to rank these systems and networks.
6.5. Network Diagram and Flowchart A network diagram is a visual representation of a network’s architecture and data flow to identify critical components that are key to success from analyzing where data is processed, where it is utilized and stored. It is used as a risk identification tool to gain a better understanding of a network to conduct a more effective evaluation of the vulnerabilities or weaknesses that pose a risk to the organization. The Flowchart Method uses graphs to depicts the systematic flow of data to portray the activities of a system or network to identify threats and weaknesses. Some of the techniques that can be applied in the identification process to assess flowcharts for risks are dependency analysis, site analysis, decision analysis, and critical path analysis. These techniques can be used to demonstrate dependencies within an organization to identify critical systems and networks. However, the flow
Cyber Risk Identification
111
chart method is very much process-driven and does not reflect frequency or severity, but merely for determining systems with the potential for threats and substantial losses.
6.6. Document Reviews (Historical Data) & Expert Judgment Reviewing related documents such as academic literature, research, experiences, articles, SOPs, data, and so on is a frequent approach for detecting threats or risks linked with a process, an asset, or an event. This is because many risk situations typically have a high level of similarity and consistency over time across different asset classes. However, depending just on historical data is insufficient, therefore it's critical to also seek the wisdom of expert judgment to help identity, characterize and validate threats in light of rapidly changing technology, risk landscapes, and market conditions.
6.7. Vulnerability Assessment (“Pen Test”) & Footprinting The penetration testing process starts with footprinting. It is the first step performed in vulnerability assessment or “pen test” processes to observe and review an enterprise’s information infrastructure to identify weaknesses. Footprinting tools are used to collect basic information about the target systems for observing and reviewing an enterprise’s computer systems or networks to identify weaknesses. Footprinting can adopt a passive or an active approach to reviewing an enterprise's information system. For example, analyzing a website or analyzing a system activity log is passive footprinting, while trying to gain access through war games, social engineering, or phishing is an active approach. Penetration testing or "pen test" is another way of identifying security weaknesses in the systems, networks, and database servers in an enterprise's information infrastructure. A pen test is a deliberate attempt to gain access to a company's systems or data to methodically test the
112
Kok-Boon Oh, Bruce Ho and Bret Slade
robustness of their cyber and security to identify vulnerabilities that hackers can exploit. They are conducted by specialist firms who are experts in testing for vulnerable infrastructure for cyber threats. These tests frequently uncover misconfigured equipment to reveal software that permits unfiltered database access and the use of manufacturer default passwords. Pen tests are also conducted on employees and supply chain suppliers to check on compliance with phishing or social engineering procedures. Tests are also conducted on physical security procedures and safeguards. By allowing the risk team to assess the enterprise's cyber risk profile, a pen test is an important technique for identifying cybersecurity threats in systems and networks to prevent an attack before it happens. Penetration test results are documented as a risk identification technique, and threats are subsequently reviewed and prioritized as part of the operational risk control process. The findings of pen tests are documented in the risk register and used to formulate strategies for the risk control plan.
7. RISK REGISTER The Risk Register is a master and living document that is used to organize the findings from the risk identification process. The risk register is updated regularly with the comprehensive qualitative and quantitative risk information of the organization. It becomes a part of the ERM documentation process within the context of the organization’s risk management strategy. A Cyber Risk Register identifies the most serious threats to a company as well as any opportunities that can be exploited. The risk register includes information about:
Network diagram or flowchart to show the surface area List of risks & opportunities Sources or root causes of risks Assumptions made in the risk identification process
Cyber Risk Identification
113
Risk categories (i.e., internal/external, system/network/data, cybersecurity/finance/HR) Probabilities and impacts in quantitative risk analysis Prioritized list of quantified risks (criticality) List of potential mitigations or responses Resources required for specific risk mitigation options
A risk register helps an enterprise in monitoring issues and addressing problems as they arise and allocating security resources more rationally and cost-effectively. A comprehensive cyber risk register is also an effective method for facilitating the activities in the ORM process and also to show external stakeholders that the organization understands cyber risk and is taking steps to effectively manage its consequences.
CONCLUSION The risk identification and analysis outcome aids in determining the risk-adjusted likelihood of achieving strategic objectives, as well as the significant risks that may negatively or positively affect the achievement of these strategic objectives. To improve the quality of the identification process Hurst et al. (2014) suggest the use of big data analysis techniques and behavioral studies to detect risks. Risk identification in the ERM process allows an organization to assess, review and define the organization's current state of cybersecurity and to identify any gaps in the ERM processes for rectification. It helps to prepare the organization for the next step in the ERM process, which is the risk assessment phase.
Chapter 6
CYBER RISK ASSESSMENT 1. INTRODUCTION It is important to analyze all the business systems, networks, and data of an organization that are vulnerable to cyberattacks. Once the cyber threats have been identified, the Board and senior management will need to assess the threats to estimate their criticality according to the probabilities associated with various possible outcomes or losses. This estimation allows cyber threats to be evaluated for their riskiness profile for ease of management. Doing this requires quantifying risks for a definitive assessment of the relative impacts and likelihoods to enable the risk manager to be in a position to form strategies and structure effective risk mitigation programs that protect the enterprise from the effects of risk. President Obama in his speech, “On Securing our Nation’s Infrastructure,” at the White House on May 29, 2009, said: “It is not enough for the information technology workforce to understand the importance of cybersecurity; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts.”
116
Kok-Boon Oh, Bruce Ho and Bret Slade
The cyber risk landscape poses an increasing challenge to the organization in terms of business disruption and the need to allocate resources to control it. The assessment function involves quantifying and ranking cyber risks. Risk quantification of a cyber event enables the risk manager to evaluate and analyze the impact of the event on the organization and its operations. Analyzing the impact of a cyber event will help to determine the criticality of the breach concerning the harm it causes and whether its impact is within the organization's risk tolerance. Quantifying the business impact of cybersecurity poses a challenge to the company and quantifying the likelihood of such an event is an even greater challenge. Hence, quantifying the financial impact of a cybersecurity event is very difficult and requires a certain amount of tact and ingenuity. The monetary impact of some cybersecurity events or incidents can be measured, such as the costs of remediation, security investment, business interruption, legal fees, litigation damages, fines for non-compliance, incident response, and recovery. Other costs are qualitative and are more difficult to quantify. These include loss of reputation, goodwill, and intellectual property, which lead to a negative perception of the firm resulting in losing competitive advantage and market share. However, it is also necessary to convert qualitative risk analysis into quantitative terms, i.e., probability and impact, to enable risks to be managed. This Chapter discusses the second step in the enterprise risk management process relating to assessment or evaluation that involves the quantification of cyber risk for incorporating a cyber risk program into the ERM process. This Chapter discusses this step in the enterprise risk management process in the context of risk quantification. It explains the tools, techniques, and procedures for measuring cyber risk impact on the organization. Risk assessment involves the quantification of individual risks and then ranking them on a risk map based on impact and likelihood to evaluate their criticality. The goal is to evaluate all the firm's risk exposures, including financial, social, economic, political, and legal risks, to determine their monetary impact on the enterprise.
Cyber Risk Assessment
117
2. CYBER RISK ASSESSMENT The President’s Cyber Space Policy Review drafted by the National Security Agency identified the challenge and need for robust assessment of cyber threats and what would have to be done to address the growing problem with enterprise cybersecurity30: "If the risks and consequences can be assigned a monetary value, organizations will have greater ability and incentive to address cybersecurity. In particular, the private sector often seeks a business case to justify the resource expenditures needed for integrating information and communications system security into corporate risk management and for engaging partnerships to mitigate collective risk."
The operational ERM process is a four-step model that starts with risk identification. The risk assessment function discussed in this chapter is the second step in this process (Figure 6.1). During the risk assessment stage, the potential cyber threats identified in the preceding step are quantified and ranked according to criticality against other threat scenarios or potential disruptions based on the threat's frequency probability and the possible adverse impact on business operations. Therefore, risk quantification constitutes an important basis of risk assessment, which is an essential capability for companies to form risk mitigation strategies. Risk quantification allows management to prioritize investment decisions within the broader ERM framework to achieve the goal of managing identified risks according to the company’s risk strategy and to help it achieve its business objectives. After the potential risks are quantified, the board and management rank the risks according to their likelihood of occurrence and potential impact. Ranking ensures that only the most critical risks are addressed and resources are prioritized to addressing these risks. It is only with a definitive assessment of the relative scales and likelihoods involved; can the risk manager be in a position to 30
Obama Administration, Cyberspace Policy Review – Assuring a Trusted and Resilient Information and Communications Infrastructure, May 2009.
118
Kok-Boon Oh, Bruce Ho and Bret Slade
structure effective risk mitigation programs that protect the corporation from the effects of risk. Management uses the list of prioritized cyber risks in the assessment stage to justify investments in risk mitigation to reduce the probability of an attack or that a breach will have a significant impact on business operations to reduce enterprise risk.
Figure 6.1. Risk assessment phase in the ERM/ORM cycle.
The primary risk assessment methods are qualitative analysis and quantitative analysis. Both qualitative and quantitative evaluations have inherent problems linked to data and/or information content from the analytical models. So, it may be necessary to combine the two for the risk and opportunity projections to be as accurate as possible. A mixed-method approach which is a combination of these two methods is used to enhance the assessment can take the form of two distinct evaluations or a hybrid method in which qualities from both methods are included throughout the assessment process (Pham & Oh, 2021). These methods and the tools and techniques used are discussed in the following sections.
Cyber Risk Assessment
119
3. NIST/CSF –RISK ASSESSMENT (IDENTIFY FUNCTION) The NIST Cybersecurity Framework comprises five interdependent core functions and their associated secondary functions. There are three outcome categories in the NIST/CSF Identify function that contain outcomes and activities that align with the “Assessment” phase (Step 2) of the operational ERM (ORM). The risk assessment actions in the normal ERM process are reflected in the NIST/CSF "Identify" function under the “Asset Management” (ID:AM), “Risk Assessment” (ID.RA) and “Supply Chain” (ID:SC) as outcomes and their respective activities (Table 6.1). Table 6.1. Risk aassessment activities & outcomes (per “Identify” function) Identify (ID) - Assess Category Asset management (ID:AM) Risk assessment (ID:RA)
Sub-category Resources priority list (ID:AM5)
Supply chain (ID:SC)
Critical assets identified & documented (ID:RA1) Shared information on threats & vulnerabilities (ID:RA2) Internal and external threats are documented (ID:RA3) Likelihoods & impacts analysis (ID:RA4) Risk responses identified and prioritized (ID:RA5) Suppliers and third-party partners of information systems, components, and services are assessed & documented (ID:SC2)
Table 6.1, highlights the relevant risk assessment categories and subcategories (i.e., activities & outcomes) of the NIST/CSF “Identify” function. The outcome categories Asset Management (ID:AM), Risk Assessment (ID:RA), and Supply Chain (ID:SC) all contain activities that apply to actions in the risk assessment phase of the ERM/ORM process. The following section discuss these sub-categories vis-à-vis the ERM/ORM Risk Assessment task.
120
Kok-Boon Oh, Bruce Ho and Bret Slade
NIST/CSF
ERM/ORM Risk Assessment (Step 2)
Core function: Identify Category: AM, RA & SC Sub-category: Resources priority list (ID:AM5) Critical assets identified & documented (ID:RA1) Shared information on threats & vulnerabilities (ID:RA2) Internal and external threats are documented (ID:RA3) Likelihoods & impacts analysis (ID:RA4) Risk responses identified and prioritized (ID:RA5) Suppliers and third-party partners of information systems, components and services are assessed & documented (ID:SC2)
Figure 6.2. Risk assessment – ERM/ORM & NIST/CSF alignment.
Figure 6.2 summarizes the sub-categories relevant to the ORM process. The outcome category ID:RA defines risk assessment as a process for the organization to understand the relative cybersecurity risk associated with organization operations, operational assets, and individuals. Information about cyber threats and vulnerabilities identified (ID:RA1) in Step One is shared (ID:RA2), documented (ID:RA3), and assessed for their potential business impacts, and likelihoods to determine the quantum of the risk exposure (ID:RA4). The same actions are conducted for suppliers and third-party partners (ID:SC2). Based on threats, vulnerabilities, likelihoods, and impacts to determine risk, critical assets are recognized and prioritized according to their degree of risk or severity (ID:RA1) and resources are allocated according to criticality (ID:AM5). All this information should be captured in a risk map and the risk register.
Cyber Risk Assessment
121
4. QUALITATIVE RISK ASSESSMENT The qualitative assessment is usually the first step in determining the risk effect of the organization's threats that are considered relevant to its strategic objectives and initiatives. The qualitative assessment aims to describe the threat scenario (Rot, 2008). The qualitative approach generally assesses by measuring the level of severity of a cyber threat on the organization's systems, network, and data. Typically, descriptive scales such as "Low, Moderate, Serious and Critical" (Table 6.2) are used to achieve this. While qualitative evaluations are less accurate, when used correctly, they may provide useful direction in the first identification of risk throughout an organization. A qualitative evaluation of an organization’s risk environment will be able to direct attention to those areas of risk impact that demand a deeper understanding. Access to reliable data is a prerequisite to qualitative risk analysis and it is always a challenge to gather good data for qualitative analysis. It conducts an easy and subjective risk evaluation of cyber threats and vulnerabilities for identifying and prioritizing risks. The qualitative assessment uses questionnaires in which people are asked to rank risk on a risk scale (Peltier, 2001), for example of low, moderate, serious, or critical (Table 6.2), or on a heat map (Figure 6.4) to evaluate risk. Where numerical data are not used, qualitative analysis “presents results in the form of descriptions, recommendations” where there is only “a qualitative description of assets’ value, determination of qualitative scales for the frequency of threat occurrence and susceptibility for a given threat” (Rot, 2008). Qualitative assessment does not provide a “tangible” quantum of losses as a consequence of the threat over time. Without knowing the cost associated with the threat, it is difficult to decide on an appropriate risk management strategy. When using the qualitative risk assessment method, it may be necessary to quantify risks using their probabilities and impacts to enable the risks to be managed objectively and effectively. The qualitative approach allows for a better understanding of the phenomenon and improves validity (Creswell, 2008), especially the business process and IT
122
Kok-Boon Oh, Bruce Ho and Bret Slade
function of cybersecurity, which is often the weakness of a quantitative model. On the other hand, due to potential subjectivity biases of the qualitative approach, the quantitative approach is strong (Babbie, 2008) in terms of reliability and generalizability (Brewer & Hunter, 2006). A mixed-method approach is useful when neither the qualitative nor quantitative approach in itself is sufficiently adequate to answer the research question (Corbin & Strauss, 2008). The qualitative risk assessment techniques and tools for collecting data to determine the likelihood and impact of risks are brainstorming, Delphi technique, bow-tie analysis, surveys or interviews, historical data, and SWOT analysis (these methods are explained in Chapter 6 – Risk Identification). The qualitative data collected can be used to determine cyber threats emanating from systems and assets using a risk scale to provide a visual scenario of a threat situation. We explain the procedures for preparing a heat map method and the technique for evaluating the quality of the data (i.e., RDQA) used for developing the organization’s risk map in the following sections.
4.1. Heat Map The heat map is a tool to provide a visual representation of the results from the risk likelihood and potential impact assessments for characterizing and prioritizing risks. It is presented in the form of a matrix that shows the relationship between the impact and likelihood of a risk. The matrix helps in identifying those risks which require an immediate response. It may be customized according to the needs of the subject or project under review. Most companies would usually have a standardized template for this matrix but would modify it to makes the matrix list more suitable for different risk evaluations. The likelihood of the risk occurring and the impact relates to the adverse effect of the risk on the organization. According to the literature (Nifakos et al., 2021; Higgsetal, 2016; Ettredge et al., 2018; Kamiya et al. 2020; Boasiako & Keefe, 2020)., firm age, R&D investment, workload, intangible
Cyber Risk Assessment
123
assets, business worth, profitability, capital expenditures, acquisitions, and growth potential have positive a correlated with the probability of a successful cyber-attack. After the likelihood-impact assessment, a risk would fall within one of the four quadrants shown in Figure 6.3.
High
IV
Low
Impact
III
I
II
Low
High
Likelihood Figure 6.3. Risk likelihood and impact matrix.
Each risk is assessed using a risk scale based on a likelihood score and an impact score such as high = 10, medium = 5, or low = 1. Risks that fall within the range of 1 to 5 are classified as low and those in the range between 5 and 10 are classified as high. Hence, a risk with a likelihood score of 3 and an impact score of 4 would fall in quadrant I and be considered low risk. Table 6.x shows the classification of risks according to their severity based on their scores. Table 6.2. Probability, impact, severity and action Quadrant I II
Likelihood Low High
Impact Low Low
Severity Low (L) Moderate (M)
III
Low
High
Serious (S)
IV
High
High
Critical (C)
Action Action needed Action within a particular timeframe Action within a short timeframe Immediate action
Using the scoring method in the risk assessment and identification process allows risks to be ranked according to low, moderate, serious, or critical Table 6.2. The results are then summarized into a heat map, which
124
Kok-Boon Oh, Bruce Ho and Bret Slade
reflects an x-y scatter plot of likelihood versus impact with a colored background to differentiate group risks into threat levels (Figure 6.4). The heat map provides a visual ranking of risks into various risk groups displaying the top risks faced by the company. A risk that falls in the “critical” quadrant (IV or C) would be ranked among the most severe risk exposure and would have priority in attention and resource allocation.
Serious
Impact
Impact Low
S
C
C
M
S
C
L
M
S
Critical
Moderate
Likelihood
Likelihood
Figure 6.4. Heat maps showing severity levels of risks.
Classifying a risk event as low severity with low impact and low likelihood of occurrence necessitates immediate actions by the company such as a new contingency plan as well as corrective activities. A moderate risk level denotes that the risk has a low to a medium negative impact but a relatively high likelihood of occurrence, thus requiring the organization to implement effective actions within a particular time frame. A risk classified as serious suggests that it has a significant negative impact on the business but a relatively low likelihood of occurrence necessitates the quick deployment of risk-mitigation measures within a short time frame. When the risk event's likelihood and/or impact are extreme and/or high, the risk impact is extremely important. Expected to have a significant negative influence on the company's reputation. When risks are classified as critical the risk level is exceedingly high, necessitating the deployment of risk-mitigation controls almost quickly. When both the likelihood and the impact of a risk occurrence are great, the risk could cause significant damage and disrupt the organization's operations.
Cyber Risk Assessment
125
4.2. Risk Data Quality Assessment (RDQA) The risk data quality evaluation technique is used to determine the extent to which data regarding hazards is required and collected for risk management purposes. The technique addresses the extent to which the risk is understood and also examines the data's accuracy, dependability, quality, and integrity concerning the risk. The risk manager will try to determine the reliability or precision of the data that must be analyzed for completing the qualitative analysis of risks. For qualitative cyber risk analysis, the data or information must be reliable to get an accurate picture of the potential threats or vulnerabilities associated with the business systems or networks. Low-quality data is unreliable and inaccurate for assessing cyber risk exposure. In Risk Data Quality Assessment, to determine the reliability of the information provided the risk manager must determine the person's expertise or knowledge of the company’s SND and associated vulnerabilities. Due to the frequent changes in the IT and cybersecurity landscapes, data timeliness, or the degree to which data is current, is critical and the extent to which data is relevant and suitable for the purpose intended. It is important to validate that it is sufficiently inclusive to ensure all essential data elements are collected to confirm data availability. Finally, the risk manager must be assured that the data's quality and reliability are suitable for the intended application without bias, error, or omission and the data's integrity is unaffected by bias or manipulation. This risk assessment tool focuses on ensuring that the data or information is used in performing the risk analysis is robust, credible, and unbiased. It works on the premise that only quality and credible information can provide reliable findings. Not questioning the credibility of the information or data can often lead to incorrect analysis and making the wrong decisions, thereby exposing the organization to more risks (i.e., addressing or fixing the unreliable information is far less costly compared to the impact of risks if it materializes).
126
Kok-Boon Oh, Bruce Ho and Bret Slade
5. QUANTITATIVE RISK ASSESSMENT The quantitative assessment is usually done on areas of threats that have been identified as needing additional investigation during the qualitative assessment phase. A quantitative assessment gives a greater degree of information and knowledge of impact by determining the impact of identified risks on overall business objectives. The traditional approach to risk quantification in ERM relies on numerical characterizations of operational risk and financial risk. It is a formal and systematic risk analysis approach that requires data to sufficiently quantify the threats associated with business activities and the effect of identified risks on overall business objectives. Quantification enables risks and risk investment decisions to be prioritized to fulfill one of ERM's major goals, which is to manage recognized risks to acceptable levels to maximize the possibility of an enterprise achieving its goals. Quantitative risk assessment of cybersecurity is based on the likelihood that particular threats will manifest from a monetary dimension that measures losses associated with those threats under different threat scenarios. Other than measuring the effects of cyber threats on business objectives, quantification of cyber risk allows companies to estimate the impact or exposure of companies for decision-making, allocating resources to prioritize their cybersecurity capabilities, and obtaining sufficient cybersecurity insurance protection. Thus, the objectives of quantitative risk assessment are to estimate the impact of risk on the enterprise's goals and objectives by estimating the cost of risk mitigation and potential losses if a risk happens and to prioritize risks and allocate resources to the response that requires immediate attention. Some of the basic financial estimates needed for ERM-related decision making are: the severity of any risk exposure to the strategic business goals; the monetary exposure from SND risks or business entities; the risk exposure of external parties (service providers, contractors, suppliers); the adequacy of budget and insurance cover for risk exposure; the costeffectiveness of the risk treatment; the best risk-reward balance for risk
Cyber Risk Assessment
127
mitigation; and the value at risk (VaR)31 of the firm from the identified risks. Quantitative cyber risk assessments are sometimes challenging because of insufficient data available to perform the assessment. Quantifying cyber risk is very similar in degree of difficulty to valuing technology. An attempt to value information risk faces the same challenges as in technology valuation in terms of rapid evolution, lack of historical data, and intangibility (Burch et al., 1979; Oh & Ho, 2010). Rapid evolution because the cyber threat landscape is fast-changing as we embrace a digital world with heightened risk from ever-increasing Internet of Things connectivity with mobile applications and devices, all of which is driven by rapid technological advancement. The intangibility of cyber threats that lurk in the virtual world of systems, networks, and servers lacks visibility making it difficult to predict and estimate the scope and scale of potential losses. A paucity of data, particularly historical data, makes quantitative modeling of cyber exposure difficult. Many traditional quantitative risk models such as EMV, decision tree, regression analysis, factor analysis, and value at risk are difficult to apply due to a lack of data. The challenge to risk assessment is on how to assign a monetary value to the rapidly evolving cyber risks with access to limited data. Not all relevant data will be available and it will be necessary to use a combination of historical data as well as proxy data to represent data that are difficult to access for predicting a cyber event. Even if exact information were available, it would quickly become obsolete owing to rapid technological advancements and variables such as advances in the tools accessible to would-be attackers (Miller, Wagner, Aickelin & Garibaldi, 2016). Data collection should be from both internal and externals sources based on which companies should be able to forecast the impact of a cyber event over the short- to medium-term. The relevant information that is usually needed in cyber breach modeling includes that of customer behavior due to a cyber event, network externalities, stock market reaction to a cyberattack on company shares, likelihood of an attack, costs of damage loss or disruption, and 31
Value at Risk (VaR) is a statistic that quantifies the maximum financial losses within a firm over a specific time frame.
128
Kok-Boon Oh, Bruce Ho and Bret Slade
cybercriminal motivation behind an attack. According to Chacko, Sekeris & Herbolzheimer (2016) companies should differentiate cyber threats and other business risks in their risk models by considering three perspectives when it comes to assessing and quantifying cyber risk. They are “foregone revenue & ancillary payments, liability losses, and reputational damage because a company can still suffer losses even if the perpetrators do not benefit from the cyber-attacks. To make estimates, discover new information or get a better knowledge of cybersecurity, various methods are used in the collecting of data or evidence for analysis. Some of the quantitative risk tools and techniques used to collect data to help with quantitatively determining the probability and impact of risk are presented in the following sections.
5.1. Expected Monetary Value Analysis (EMV) Calculating the EMV is a risk management methodology to determine risk impact. EMV helps to quantify and compare risks that exist in different operations in the organization. The risk contingency is calculated by multiplying the probability by the impact. EMV is a good tool for measuring the overall ranking of risks. The formula is: EMV = P X I where, P = Probability (the measurement of the likelihood of the occurrence of the risk or event) I = Impact (the amount to be spent or loss sustained if the risk occurs) EMV = Expected Monetary Value
5.1.1. Steps to Calculate Expected Monetary Value (EMV) To calculate the Expected Monetary Value in risk management: 1. Assign a probability of occurrence for each risk.
Cyber Risk Assessment
129
2. Assign a monetary value for the impact of the risk when it occurs. 3. Multiply Step 1 and Step 2 and the value obtained in performing this step is the Expected Monetary Value. This value is positive for opportunities (positive risks) and negative for threats (negative risks). 4. Risk management requires that a firm addresses both positive and negative risks. The EMV calculates the potential impact of an event and multiplies it by the probability of that event happening (Figure 4.x). Low impact and low probability events are those in Quadrant I. If they fall within the risk tolerance of the firm, they would not require any immediate action but will need to need monitored for changes. Those low-impact events with a high probability of occurrence (Quadrant II) won't have a huge impact on the firm's total risk exposure but high-impact events, even a low probability of occurrence (Quadrant III) can be potentially devastating. The most critical events are those that have a high impact and high probability (Quadrant IV). High
IV
I
II
Impact
III
Low
Probability
High
Figure 6.5. EMV based on potential impact and probability of events.
In summary:
130
Kok-Boon Oh, Bruce Ho and Bret Slade Table 6.3. Severity scale
Quadrant I II III IV
Probability Low High Low High
Impact Low Low High High
Severity Low Moderate Serious Critical
5.2. Monte Carlo Analysis (SIMULATION Technique) Monte Carlo simulation, or probability simulation, is a scenario analysis technique for estimating the impact of risk in cybersecurity, cost, financial, project management, and other forecasting models. The Monte Carlo analysis can be used to assess the effect of uncertainty on the company’s strategic objectives by simulating the outcomes or impact to evaluate a specific or the overall risk. A Monte Carlo analysis requires a computer-based program. Monte Carlo simulation is the quantitative risk analysis technique that allows a firm to model the future value of a variable, in this case, an enterprise risk, by simulating its behavior over time. The Monte Carlo technique has been used to model information security investments (Conrad, 2005; Burtescu, 2012; Fagade, Maraslis, & Tryfonas, 2017), ICT risk (Baiardi & Sgandurra, 2013), information security management system (Bamakan & Dehghanimohammadabadi, 2015), cyber insurance (Woods & Simpson, 2020) and cyber-attack simulation. The Monte Carlo technique is similar to running a series of "what-if" scenarios on the model. The uncertain input variables in a Monte Carlo model are represented by probability distributions of possible values and the results are distributions of the range of possible outcomes that could occur and the likelihood of any outcome occurring. These results are generated by recalculating the model over and over again, by using different randomly selected sets of values from the probability distributions each time.
Cyber Risk Assessment
131
Monte Carlo simulation allows a corporation to calculate all valid combinations of inputs to simulate all possible outcomes of particular risk exposure. The results are probability distributions of possible outcomes that the firm can use to determine the likelihood of certain events occurring (Oh, et al., 2018). The steps involved in building a Monte Carlo model are (see Watsham & Parramor, 1997) for a detailed description of the process): 1. Determine the stochastic character of the input variables, which is the physical (or mathematical) system described by a set of probability distribution functions (PDF); 2. Draw random numbers that are modeled to represent the same probability distribution as the underlying variables to mimic the movement of the input variables; 3. Simulate the underlying variables by simulating the stochastic character of the original variables with the input variables; 4. Repeat the process and score (or tally) the mean of all the results, where the mean reflects the predicted value of the simulated variable, and 5. To improve accuracy and cut down on processing time for Monte Carlo simulation, variance reduction techniques are used. For each uncertain variable (i.e., attempts) the method simulates the random process governing its value. The model is based on the assumption of possible outcomes within a probability distribution and the type of distribution selected is based on the historical patterns of the variable. By repeating these simulations, the simulated distribution of the values is expected to come close to the “real” distribution of the variable. The Monte Carlo approach can be used on virtually any type of portfolio, non-linear positions, and complex derivatives. The complexity of this approach makes it less user-friendly (Oh, et al., 2018).
132
Kok-Boon Oh, Bruce Ho and Bret Slade
5.3. Decision Tree A decision tree is a decision support tool that uses a tree in which each branch node represents a choice between several alternatives, and each leaf node represents a classification or decision. A decision tree helps to analyze many alternatives at one single point in time. The decision tree approach takes into account future events or implications from making the decision today. It is used to calculate Expected Monetary Value in complex situations and it also accounts for mutual exclusivity. The criterion of measurability is a central feature of proactive risk management as the effective management of risk is only possible if it is economically quantifiable. For instance, a risk manager has to quantify the risk exposure of a transaction to determine the amount to hedge as a buffer against unexpected losses. On the same token, the clearinghouse of an exchange sets margin requirements for investors trading on the exchange. The economic concept of risk is usually presented as the “basic risk paradigm” (Rescher 1983, Ansell & Wharton, 1992), a variant of which is presented in Figure 6.6. X A
P B 1-P
X1
X2
Source: Oh, et al., 2018. Figure 6.6. Economic risk paradigm.
A
In Figure 6.6, A and B represent options such as whether or not a firm should invest in cybersecurity technology, and X, X1, X2 are potential outcomes. The risk situation is defined as one in which a decision must be
Cyber Risk Assessment
133
made between at least two different options, A and B, and each has a distinct outcome, either X, X1, and X2. The outcomes are described as possible benefits and possible losses with some that are unpredictable and have correlated probabilities. The fundamental structure of the problem is one of economic optimization, regarding certain value scales which minimize loss and maximize utility. The risk behavior of the firm's choice is represented by one of the branches in the decision tree in Figure 6.6. Open framing using decision trees allows values and probabilities to be assigned, providing alternate scenarios. This process enables each phase of the process to be broken down into a series of decisions and the size and characteristics of the process can change at each decision point, depending on the decision taken. The advantage of this technique is the ability to scope out available options at each decision point (Oh, et al., 2018).
5.4. VaR The concept of VaR was first conceived in 1994 by Dennis Weatherstone32 at J. P. Morgan when he wanted to present the board of directors with a simple estimate of maximum expected losses, without the complex statistics33. The VaR methodology is also applied in large nonfinancial corporations like Microsoft and Unocal Corporation. The valueat-Risk (VaR) model is an important part of the ERM process for measuring and managing risk exposure. VaR is a comprehensive risk measure that has generated a heightened interest in its use as a corporate risk management tool especially in the integral role it plays in enterprise risk management (oh, et al., 2018). A VaR calculation conveys a monetary amount at risk over a period at a given confidence interval. VaR is a model that is used to predict the worst-case loss with a specific confidence level (e.g., 95%) over a period of time (e.g., 1 day, 1 week, or 1 month, etc.). For example, a VaR of $10 million with a 95% level of confidence suggests that potential loss will exceed $10 million with a 5% probability over the 32 33
Dennis Weatherstone was at one time the Chairman of J. P. Morgan. J. P. Morgan’s product RiskMetricsTM calculates VaR (Website: http://www.jpmorgan.com).
134
Kok-Boon Oh, Bruce Ho and Bret Slade
given period. The VaR method is traditionally used to quantify the risks that originate from assets like bond portfolios, stock portfolios, or raw material resources. Lately, there has been a lot of interest in discussing the adoption of VaR to frame enterprise cyber risk exposure. Similar to a financial VaR, a cyber VaR model can be used to calculate the potential losses of an organization from a cyber incident over a given period. Using the same example given above, we can reframe the hypothesis in a cybersecurity context to state that with a VaR of $10 million with a 95% level of confidence, the potential loss from a successful cyberattack will exceed $10 million with a 5% probability over the given period. Monte Carlo simulation is the quantitative risk analysis technique that allows a firm to model the future value of a variable by simulating its behavior over time. The Monte Carlo simulation method estimates the VaR using a randomly generated set of values for uncertain variables to simulate the risk factors. The World Economic Forum34 suggested specific properties or variables "that industries and individual companies should incorporate into their models" for estimating cyber risk (Reagan, Raghavan & Thomas, 2015). According to Regan et al. (2015), the VaR component variables are categorized into three groups, namely, “vulnerability, assets, and profile of attackers” (see Table 6.4 below). It is similar to running a series of "what-if" scenarios on the model. Cyber risk factors that affect the entire organization can be measured for their impact on the organization using scenario analysis in the context of “extreme scenarios” (Dowd, 1998) in the VaR model. For example, Monte Carlo simulation can be used to estimate cyber risk based on the risk variables, and the VaR measure is scaled as the percentile relevant to the desired confidence level (Jorion 1997; Duffie and Pan 1997) to assess enterprise risk. There is still no consensus as to the most appropriate VaR estimation procedure. The current research on VaR estimation is mainly focused on testing the various parametric and simulation procedures over alternative data sets, confidence levels, portfolios, and holding periods. Due to the diversity, the complexity of risks, and information needs, it is always 34
World Economic Forum, “Partnering for cyber resilience: Towards the quantification of cyber threats,” January 2015.
Cyber Risk Assessment
135
difficult to develop VaR estimates that capture all the demands and risks faced by corporate risk managers. Table 6.4. WEF recommended VaR cyber risk variables Vulnerability Assets Existing vulnerabilities Tangible assets The maturity level of Intangible assets defending systems Number of successful breaches Source: Adapted from Reagan, Raghavan & Thomas, 2015.
Profile of Attackers Type of attackers Type of attacks Tactics and motivations
5.5. Business Impact Analysis (BIA) To be consistent with the ORM process adopted in this book, we define risk identification as a process to establish what kind of risk events a firm could encounter, while risk assessment refers to gaining an understanding of the financial impact of a risk event may have on a business. The BIS framework overlaps both these activities in the ORM process as one is an extension of the other. In Chapter 5 on risk identification, the BIA method is used to identify risk factors and it can also be adopted for risk assessment, quantification, and ranking of risks since a business impact analysis study aims to predict how any identified risks will impact the firm if they materialize and produce information that can be used for the development of mitigation and recovery strategies.
6. RISK MAPPING Risk mapping is a tool for identifying, controlling and managing risk. The main objective of the risk mapping process is to describe and structure the organization’s risk environment to assess and rank the importance of cyber threats in terms of likelihood (frequency) and impact, define risk-
136
Kok-Boon Oh, Bruce Ho and Bret Slade
mitigating actions and assign risk owners. It can be used as the primary risk management process for firms who are conducting the first pass at risk assessment without a full ERM system in place or as the initial threat identification technique in an SRM process. The first step to an integrated risk control process is by mapping the full spectrum of risks a firm faces to understand the opportunities and manage these risks. This involves the firm identifying and quantifying the impact of the various risks it faces, or essentially the first two stages of the ERM process. Once a list of exposures is compiled, a theoretical value is placed on each exposure, i.e., a severity value and a frequency value. Using those values, the exposures should then be placed on the risk map. Risk mapping is a helpful tool for companies to visualize the key exposures according to their severity. It also enables management to be better aware of all the risks the firm faces in the light of the demands of shareholders, stakeholders, regulatory and market scrutiny. The heat map in Section 4.1 and risk map in Section 5.1 are examples of risk mapping employed in qualitative and quantitative risk analysis, respectively.
CONCLUSION The advantages of using the qualitative approach in risk assessment are its ability to prioritizing risks, simple and cost-effective and provide a quick risk calculation. However, the drawbacks of this method are broad characterization and estimation of risk, no numerical data, and difficulty to carry out a cost-benefit analysis. The benefits of the quantitative approach are a quantitative description of the impact and an improved risk profile. The drawbacks are a model risk that may cause inaccurate results and higher costs of implementation. There are other risk quantification tools and techniques that are covered in this chapter but are also valuable instruments for performing the same task. One particular method that targets information security is the Factor Analysis of Information Risk (FAIR) approach for cybersecurity and operational risk is a Value at Risk (VaR) framework. FAIR examines
Cyber Risk Assessment
137
and analyses the factors that influence risk, as well as how they interact. It's a methodical approach to identifying, assessing, and quantifying cyber risk and operational risk in monetary terms through accurately estimating probability for the frequency and impact of loss events.
Chapter 7
CYBER RISK MITIGATION 1. INTRODUCTION It is unrealistic in today’s technology-driven business environment to avoid cyber risk. As a driving force behind long-term growth, a digital transformation is a strategic option for modern firms because technology helps to optimize business processes. The integration of technology into business can be seen in marketing, human resource management, production, supply chain, finance, and communications. The reason why cyber risks should be managed or controlled is predicated on the risk impact of the risk exposure on business (operations) and financial (market value & funding) strategies. The risk mitigation objective pertains to anticipating potential risks and mitigating those risks before they threaten the company’s strategic objectives. The objectives of cybersecurity are realized in risk mitigation. Risk mitigation can also mean the reactions implemented in the event of an attack to minimize or neutralize an attack. This objective normally refers to a proactive response (Zhao et al. 2013) or stance in cyber risk management to counter the impacts of a cyber-attack. Risk mitigation is the third step in the operational risk management process. Risk mitigating options available to a firm include taking on, transferring, treating, or
140
Kok-Boon Oh, Bruce Ho and Bret Slade
terminating a firm’s critical risks, which is also known as the 4Ts of risk management. Effective mitigation for cybersecurity requires technical capabilities in ERM, information infrastructure, risk assessment, and risk protection tools and techniques. The areas covered in this chapter include describing and explaining the basic concept of risk mitigation in the ERM framework, the use of insurance, 4-Ts, hedging and, the cyber and physical tool-kits for risk mitigation.
2. MITIGATING RISK The purpose of risk identification and assessment phases is to prepare for risk mitigation. Mitigation includes activities designed to reduce the likelihood of a risk event occurring and/or reduce or optimize the effect of a risk event if it does occur. Planning at the strategic risk management level of the organization plays an important role in ensuring the success of the operational risk management process. The planning that goes into managing risk is an important aspect of risk mitigation. Planning includes the ongoing maintenance of the risk log that contains up-to-date information about the sources and dimensions of the risk, its exposure and the alternative mitigation strategies and tools, and budgets for mitigation actions. The planned mitigation strategies and actions will need to be communicated to all relevant participants for implementation. The CISO should corroborate the mitigation outcomes with c-suite executives that the results meet corporate risk tolerance, expectations, and objectives. Risk mitigation is the third phase in the ORM process (Figure7.1). The best mitigation against a cyber threat is to have an effective enterprise risk management framework in the organization that incorporates a cyber risk control program. The ERM comprises the strategic and operational levels in providing a comprehensive and holistic framework for controlling enterprise risk, including cyber risk. At the operational level, the operationalization of the corporate risk management policy uses either mitigation or insurance to address risk exposure. Mitigation involves
Cyber Risk Mitigation
141
taking measures to minimize the possibility of adversity by adopting either one or more of the “4-Ts” risk mitigation techniques explained below. One way would be to implement a strategy to minimize the damage or loss if the adverse event occurs by implementing contingent measures that can be developed to reduce the impact of an event once it has occurred.
Figure 7.1. Risk mitigation phase in the ERM/ORM cycle.
Mitigation actions are based on the conditions of the risk landscape and assumptions used in the risk strategy including the correlation between cyber and other types of risks. Changing the strategy may require different approaches and result in different outcomes. Mitigating risks can be exogenous involving third parties (Gordon et al., 2003; Marotta & McShane, 2018) through the use of outsourcing, hedging, or insurance mechanisms to reduce residual risk to an acceptable level. Endogenous mitigation includes improving security protocols in operating processes or implementing appropriate risk control measures. Firms should consider all types of security measures in their cyber risk mitigation “whether they are physical, digital, or related to people, processes or technologies involved in the activities” (OECD, 2015). To obtain the best result, the firm needs to embrace the optimal mix between and within exogenous and endogenous mitigating measures to achieve the desired level of residual
142
Kok-Boon Oh, Bruce Ho and Bret Slade
risk. Therefore, it is important for management to conduct a regular review of the effectiveness of the mitigation function to maintain an effective risk strategy and for assurance purposes. The endogenous approach to risk mitigation is to reduce the incidence of adverse events where business decisions are determined by corporate policy measures. This may happen when a corporation makes a decision to avoid investing in a project or market perceived to be high risk. Kaplan and Mikes (2012) identified three categories of risks, being “preventable,” “strategy” and “external,” and accordingly, each category requires a different risk mitigation strategy. Kaplan and Mikes (2012) suggest that preventable risks are “best managed through active prevention: monitoring operational processes and guiding people's behaviors and decisions toward desired norms." Strategy risks require mitigation actions to minimize the probability of the risks occurring and to improve the company's ability to respond and recover from the occurrence of the risk events. As external risks emanating from "natural and political disasters and major macroeconomic shifts" cannot be “influenced or controlled by the organization,” the best strategy is to identify these potential risks and be prepared to mitigate their impact (Kaplan and Mikes, 2012). Operations management for enhancing cybersecurity requires both cybersecurity and physical security to protect against breaches in security. According to Siponen and Oinas-Kukkonen (2007), the four cybersecurity challenges are “access to information systems, secure communication, security management, and secure information system development” and the recommended risk mitigation techniques for treating these risks are to employ password, biometrical authentication; encryption; key management, virtual private networks, and security language coding.
3. FOUR TS’ MITIGATION TECHNIQUES As organizations become concerned about risks that might obstruct the achievement of the objectives, risk control measures are implemented to mitigate the risks. The Four-Ts approach describes the techniques to
Cyber Risk Mitigation
143
reduce or avoid risks. Four-Ts risk mitigation refers to the risk-mitigating strategies of tolerating, transferring, treating, and transferring risks. The explanations of the four-T’s strategies are as follows:
3.1. Transferring Risk The risk transfer method does not reduce total risk, but it does shift risk ownership to another party. The strategy of transferring cyber risk is predominantly predicated on the use of insurance as a risk mitigation instrument (Gordon, Loeb & Sohail, 2003). Transferring risk to another party can be achieved through the use of insurance or payment to third parties who are prepared to assume the risk on behalf of the organization. While purchasing insurance for traditional risks is very simple, doing so for cyber risk might be difficult owing to its novelty and dynamics. However, insurance remains a popular risk transfer instrument for cybersecurity risk (Falco et al., 2019a). Transferring risk requires a quantitative risk assessment. For a counter-party to assume risks, it is necessary to quantify risks to assess that there is an adequate reward in the exchange for assuming risks, i.e., the risk-return relationship consideration. The ability to determine a fair and equitable return/price to be paid by the firm to the "risk-taker" provides both parties with an idea of the risk-return balance to bear the risks associated with specific uncertainties. Risk transfer strategy may be applied to business partners (such as contractors or suppliers), derivatives, or insurance firms primarily to limit the financial effect on the organizations’ critical infrastructure or the responsibility for deploying mitigation mechanisms. The counter-party that assuming the risk is willing to do so because it has the experience, knowledge, long positions, skills, or other attributes to optimize or reduce the risk. This is a win-win arrangement as each party believes itself to be better off by the risk transfer. An example of transferring cyber risk to a third party is to engage cloud computing for data storage. By outsourcing a firm's data management, the risk of a data breach is transferred to the
144
Kok-Boon Oh, Bruce Ho and Bret Slade
professional cloud service provider who is an expert in data security, storage, and warehousing. A cloud data warehouse is a database delivered in a public cloud provider as a managed service that optimizes costs, capacity, security, availability, and analytics. On the other hand, storing corporate data in the cloud has attracted the attention of cybercriminals for malicious attacks, and therefore cloud technology does not only help to mitigate risk but poses new cybersecurity issues to both users and cloud service providers. As a general rule, the risk transfer approach can be effective for low-probability but high-impact hazards.
3.2. Treating Risk Treating risk refers to taking on a risk by the business but at the same time taking measures to mitigate or control the risk to reduce the probability of the risk occurring or minimize its impact before its occurrence. An example of risk treatment is to hedge a financial risk by purchasing an investment (a financial derivative or security) to reduce the risk of adverse price movements in an asset. In project risk management the establishment of a reserve or buffer is an example of risk hedging for mitigating the effects of project risks. A contingency is one example of a buffer where a large allocated contingency will reduce the risk of the project running out of money before a project’s completion. Other than cash reserves, buffering can also include the allocation of additional resources (inventory, machines, labor, or time) to allow for uncertainties in future requirements. Firewalls, antivirus, intrusion detection and prevention systems, policies, and incident response management are all common cybersecurity measures. After treating the unacceptable risk there is likely to be some residual risk leftover unless there is a perfect hedge. It is impossible to eliminate all risks connected with a given risk exposure; residual risk refers to any risk that persists after controls have been implemented. The residual risk is what the organizations have to tolerate as long as it is within its risk tolerance level.
Cyber Risk Mitigation
145
3.3. Tolerating Risk Tolerating risk is similar to accepting risk where no action is taken to mitigate risk but a firm continues with the risky activity despite the absence of mitigations. This could be due to the high costs of instituting risk mitigation activity or the risks of impact are negligibly low that they can be tolerated by the business. This strategy is most effective when the cost of managing the risk using one of the other techniques is more than the cost of assuming the risk. Alternatively, a risk could have been treated and is reduced to an acceptable level in which an organization would tolerate the residual risk. These risks should continue to be monitored even when they are tolerated because they may change in the future to make them no longer tolerable. A decision to tolerate risk is only made after it is informed by assessing the many components of the risk.
3.4. Terminating Risk This risk strategy deals with a risk situation by not engaging in an activity that would expose a firm to risk. This is the simplest method, but it's also the most expensive because by avoiding it the firm forgoes all of the activity's benefits. As mentioned earlier risk termination is not a viable option in today's digital world that depends on technology for business growth. Risk termination or avoidance is the elimination of some risk by changing the perimeters of the risk environment. This can be done by altering an inherently risky environment, process, or practice to eliminate the risk. Using hardware and software with a robust security design for connecting to the internet might be considered a type of avoidance (Falco et al., 2019a & 2019b) to mitigate cyber risk. It is generally believed that risk avoidance is underutilized as a strategy for risk mitigation because if something presents a risk and can be removed without it affecting the business, and then removing the risk should be the first option considered, rather than attempting the treat, tolerate or transfer it. The same strategy can be used for reviewing practices and processes in
146
Kok-Boon Oh, Bruce Ho and Bret Slade
all areas of the business. This strategy can be effective for risks that would result in catastrophic failure if they were to occur and that none of the other strategies can adequately handle.
4. NIST/CSF – PROTECT FUNCTION The Protect function helps an organization develop and implement necessary mitigating measures so that it can continue to provide critical services while limiting or containing the impact of a cybersecurity incident. All the categories and sub-categories (Table 7.1; Figure 7.2) under the NIST/CSF Protect function apply to the Risk Mitigation phase in the ERM/ORM process. The following section discusses these sub-categories and categories as they apply to the Risk Mitigation phase (Step 3) of the TRMM.
NIST/CSF ERM/ORM Risk Mitigation (Step 3)
Core Function: Protect Category: All Sub-category: All those in “Protect” + Risk responses identified and prioritized (ID:RA5)
Figure 7.2. Risk mitigation – ERM/ORM & NIST/CSF alignment.
During the risk assessment task, all identified risks are quantified and ranked and, the risk responses are identified and resources are prioritized (ID:AM5) for treating the most critical risks first. The ERM/ORM risk mitigation phase is equivalent to the Protect function in the NIST/CSF framework, which is concerned with the implementation of mitigating measures to protect the organization’s critical assets from cyber-attacks. The categories and sub-categories with their respective key protective measures are summarized below.
Cyber Risk Mitigation
147
Table 7.1. Protect function – outcome categories/sub-categories Protect (PR) Category Access Control (PR:AC)
Awareness and Training (PR.AT)
Sub-category Identities and credentials are managed for authorized devices and users (PR:AC1) Physical access to assets is managed and protected (PR:AC2) Remote access is managed (PR:AC3) Access permissions are managed, incorporating the principles of least privilege and separation of duties (PR:AC4) Network integrity is protected, incorporating network segregation where appropriate (PR:AC5)
Data Security (PR.DS)
Information Protection Processes and Procedures (PR.IP)
All users are informed and trained (PR:AT1) Privileged users understand roles & responsibilities (PR:AT2) Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities (PR:AT3) Senior executives understand roles & responsibilities (PR:AT4) Physical and information security personnel understand roles & responsibilities (PR:AT5) Data-at-rest is protected (PR:DS1) Data-in-transit is protected (PR:DS2) Assets are formally managed throughout removal, transfers, and disposition (PR:DS3) Adequate capacity to ensure availability is maintained (PR:DS4) Protections against data leaks are implemented (PR:DS5) Integrity checking mechanisms are used to verify software, firmware, and information integrity (PR:DS6) The development and testing environment(s) are separate from the production environment (PR:DS7) A baseline configuration of information technology/industrial control systems is created and maintained (PR:IP1) A System Development Life Cycle to manage systems is implemented (PR:IP2) Configuration change control processes are in place (PR:IP3) Backups of information are conducted, maintained, and tested periodically (PR:IP4) Policy and regulations regarding the physical operating environment for organizational assets are met (PR:IP5)
148
Kok-Boon Oh, Bruce Ho and Bret Slade Table 7.1. (Continued)
Protect (PR) Category
Maintenance (PR.MA)
Sub-category Data is destroyed according to policy (PR:IP6) Protection processes are continuously improved (PR:IP7) Effectiveness of protection technologies is shared with appropriate parties (PR:IP8) Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed (PR:IP9) Response and recovery plans are tested (PR:IP10) Cybersecurity is included in human resources practices [e.g., de-provisioning, personnel screening] (PR:IP11) A vulnerability management plan is developed and implemented (PR:IP12)
Protective Technology (PR.PT)
Maintenance and repair of organizational assets is performed and logged promptly, with approved and controlled tools (PR:MA1) Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access (PR:MA2) Audit/log records are determined, documented, implemented, and reviewed following policy (PR:PT1) Removable media is protected and its use restricted according to policy (PR:PT2) Access to systems and assets is controlled, incorporating the principle of least functionality (PR:PT3) Communications and control networks are protected (PR:PT4)
The access control (PR:AC) category requires the restriction of only authorized people, processes, or devices, as well as authorized activities and transactions, to have access to the organization’s assets and associated facilities. The use of mitigating security measures and internal controls are essential to regulate this type of restriction. For access to devices and users, the identities and credentials are managed to allow access to approved devices and users only. Physical access to assets as well as remote access must be monitored, secured, and controlled. Access permissions are controlled using the least privilege and separation of duties concepts and
Cyber Risk Mitigation
149
network integrity is safeguarded, with a suitable network segregation strategy to limit the impact of a network intrusion. In the awareness and training (PR:AT) category, all employees and partners of the business receive cybersecurity awareness training and are taught to conduct their information security-related duties and responsibilities following relevant policies, procedures, and agreements. To ensure the confidentiality, integrity, and availability of information, all information and records (data) are handled following the organization's risk plan. Assets are properly recorded, controlled, and protected at all times to ensure adequate capacity and prevention against data leaks. Information protection processes and procedures (PR:IP) are implemented to manage the protection of information systems and assets with the maintenance and use of security policies, protocols, and procedures. At the minimum, a basic configuration of industrial control systems incorporating information technology is available. The physical working environment for organizational assets complies with policy and regulations. Data management is regulated including policy for data destruction. To facilitate business continuity, response (Incident Response Plan) and recovery (Incident Recovery Plan) plans have been implemented and are being managed. Human resources management should include cybersecurity considerations for such practices as training and personnel screening. Maintenance (PR:MA) addresses the maintenance and repair of industrial control and information system components by highlighting the need for compliance with formal policies and procedures. Maintenance and repair should be carried out by approved parties and controlled tools and logged, including remote asset maintenance which should be conducted securely to avoid unauthorized access. Protective technology or technical security solutions (PR:PT) should be managed according to applicable policies, procedures, and agreements to ensure the security and resilience of systems and assets. Audit/log records must be documented, managed, and maintained according to policy. Likewise, removable media is regulated, protected and its use is limited. Access to communications and control networks are restricted and
150
Kok-Boon Oh, Bruce Ho and Bret Slade
protected and the principle of least functionality is used to control access to systems and assets.
5. CYBERSECURITY INSURANCE Insurance is an important cyber risk mitigation tool in the cyber risk management framework (Gordon, et al., 2003). However, the stand-alone cyber insurance market remains a fraction of the scale of other commercial property and liability insurance markets with a penetration rate at 30% of enterprises in almost all countries (OECD, 2017). Insurance involves a firm paying (premium) the insurance company to assume risk, while hedging involves taking a market position in the form of an investment in derivatives to offset risk. Using insurance is a common risk mitigation strategy relating to risk transfer, one of the 4-Ts of risk mitigation, that involves entering into a contractual arrangement to pass on a pure risk from one party to a counter-party. The purchase of a cyber insurance policy is an example of this arrangement whereby the risk of loss from a cybersecurity breach or incident is passed from the firm to the insurer. Insurance is a well-established industry and it possesses a huge amount of risk mitigation knowledge and experience that can be applied to cyber risk mitigation. The insurance market comprises firms that provide services in financial protection to individuals and corporations. An insurance policy taken out by a customer is a financial contract that transfers risk from the insured to the insurer. Under the arrangement in the insurance contract, the insurer promises to pay the insured an amount of money if the insured suffers financial loss due to the occurrence of the event covered by the policy. Generally, speculative risks are uninsurable risks. They are risks that very few insurance companies are willing to cover. Other uninsurable risks include those that are the result of general economic conditions and government actions.
Cyber Risk Mitigation
151
Insurable risks are those pure risks that cannot be predicted or avoided. They are those which insurance companies will cover and they should generally meet the conditions that losses must be quantifiable, there are a significant number of similar risk cases, the risk is unlikely to affect all insured simultaneously and the risk is beyond the control of the insured. For instance, the causal factors affecting cyber risk may change or evolve rapidly to render an insurance policy obsolete within the cover period, making it challenging for both the insurer and the insured parties (Falco et al., 2019a). Losses involving reputational damage or intellectual property theft are rarely covered by cyber insurance policies (OECD, 2017). To ensure that sufficient revenue is generated from the premiums charged, an insurance company needs to predict the probable amount of claims it has to pay in a given period. However, the cyber-insurance sector faces an issue of information asymmetry between buyers and sellers, as well as a paucity of historical data that insurers may use to calculate risk, leading to underestimation of future losses from cyber risks (Gordon et al., 2003; Pandey & Snekkenes, 2014; Biener, Eling & Wirfs, 2015). This situation poses a major challenge to insurance companies as to succeed as a business they must cover their costs that include sales, administration, and general expenses (SGAs), payments to meet the claims of policyholders, and dividends. The amount of premium for a specific type of risk is estimated based on the probability of loss eventuating from that risk. Thus, the insurance premium places a cost on firms’ cyber risk exposure ahead of potential losses and would be considered an effective and convenient mitigating tool in an uncertain and challenging cyber risk environment. The coverage limits for cyber insurance are typically substantially smaller than those available for conventional risks and therefore come at a much higher price (OECD, 2017). AGCS (2015) forecasts that cyber insurance premiums will grow globally at a compound annual growth rate of over 20% over the next decade.
152
Kok-Boon Oh, Bruce Ho and Bret Slade
While cyber insurance will not abrogate the need for robust cybersecurity measures, “insurance can contribute to improving the management of cyber risk and should be considered an essential component of countries' strategies for addressing digital security risks” (OECD, 2017) by creating a second line of defense to mitigate the financial loss from a cyber-attack. The increase in cyber threat awareness and cyber incidents as well as regulatory changes in many countries and industries is driving the rapid growth of cyber insurance (AGCS, 2015). A recent survey of 3,000 companies in the United States, Germany, and the United Kingdom found that 55%, 30%, and 36% of those surveyed, respectively, have taken up cyber insurance (Hiscox, 2017). There are limitations and challenges to using insurance as an instrument for cyber risk management. The rapidly changing cyber threat landscape is not only the issue that cyber insurance underwriters must deal with but also the lack of reported cybersecurity incidents making it more difficult to accurately estimate the cost of such occurrences. Therefore, cyber threat is not a well-defined risk in insurance and the lack of data for pricing (Gordon, Loeb & Soghail, 2003), therefore insurance pricing and products are still evolving (Mukhopadhyay, 2013) as the commercial, legal and technical ramifications of cybersecurity become clearer. The lack of data on cyber incidents makes it challenging for insurers to assess and cover cyber exposures (OECD, 2107). In addition, there are challenges relating to adverse selection and moral hazard (Gordon, et al., 2003) in using insurance to manage cyber risk. The types of incidents and their losses related to the cyber risk that are insurable are categorized as data confidentiality, system malfunction or issue, data integrity and availability, and malicious activity (OECD 2017)35.
35
This categorization approach is developed by the CRO Forum by the OECD based on questionnaire responses received from the re/insurance companies and brokers active in this market globally and the ministries of finance and insurance regulators responsible for overseeing that market.
Cyber Risk Mitigation
153
Finally, it should also be noted that a cyber security incident may be covered by a cyber insurance policy but damages such as compromised data leading to loss of reputation, stolen intellectual property resulting in loss of competitive advantages and lost customer loyalty from business disruption are consequences that may not be recovered by insurance. Nevertheless, there is cyber insurance available to cover a relatively wide range of cyber-related issues (HM Government & Marsh, 2015).
6. HEDGING CYBER RISK Hedging is a risk control method used for treating risks. The concept of hedging is to take an equal and opposite position to the risk exposure to offset any loss from the exposure by an equal profit from the hedge. A hedge position consists of a party taking an offsetting position in related security or asset, such as an option, futures contract, or commodity. The primary goal of hedging is to allow corporations to proactively manage their risk to achieve the optimal risk profile taking into consideration the risk-return relationship of each corporation. Invariably, the process will involve analyzing the benefits of protection against the costs of hedging as well as the level of risk tolerance that a firm may possess. Therefore, an effective hedging position is commensurate with the degree of corporate risk aversion given a certain state of risk exposure. As such hedging is not necessarily an attempt to eliminate all risks but rather to transform unacceptable risks into more manageable or controllable risks. One of the key challenges for the corporate risk manager is to ascertain the behavior and impact of cyber risk to determine the types and magnitude of risk the company is willing to bear and the ones it can transform by hedging. The degree of controllability will depend very much on the availability of risk management instruments and the market phenomenon of basis risk. A perfect hedge does not result in any residual risk and can eliminate all risk in a position or portfolio. The basic idea of setting up a hedge is to first identify and measure the exposure the organization faces and then construct another position with
154
Kok-Boon Oh, Bruce Ho and Bret Slade
the opposite exposure. The literature suggests four basic steps to hedging and they are shown in Table 7.2. The first step of identifying the source of the risk exposure is to locate and document the vulnerabilities and weaknesses for assessing the likely economic impact from the exposure. The source could be business systems, networks or data, or any combination of them. Once the source and nature of the exposure have been established a quantitative assessment of the financial significance of the risk exposure needs to be conducted. This requires an appreciation of the characteristics of the source of risk by conducting impact and frequency studies and forecasts. When all this is done then the risk manager can decide on the appropriate hedge that needs to be put in place. Some common digital security procedures such as data backup or making a mirror of a website may be considered as a risk treatment or hedging technique. Table 7.2. Four steps of hedging Steps Identifying the source of risk exposure Quantifying the exposure Assessing the impact of exposure Selecting the appropriate hedge
Functions Identify business systems and networks & data for vulnerabilities or weaknesses Estimate financial impacts or losses from disruption to operations Analyze risks and rank them by criticality Allocate resources to mitigate and manage critical risks
The company needs to measure the sensitivity of the company's performance to the source of risk to understand the benefit (security or positive risk) and impact (cost or negative risk) that arise from the exposure. This analysis will help establish the criticality of exposure to the business and allows the company to offset the negative risk against positive risk to balance the risk-reward trade-off. There is also a need to establish whether the exposure is contingent upon the outcome of another event, such as investments in technology. If so, hedging such exposure may need an option-based strategy. However, the cost of risk management in cybersecurity is still often not fully understood, including the cost of business downtime or recovery time.
Cyber Risk Mitigation
155
The overall impact of a risk can be evaluated by studying the costs and benefits to the company and its shareholders of a particular hedging strategy. The prospect of losses that a company may be inflicted with can cause disruptions to the execution of the company’s business strategy. Therefore, one of the benefits that emerge from risk management is that it allows managers to focus directly on shareholder value as an objective in decision making. The next step is to determine the type of risk management product (derivatives) to use in the hedge. Derivatives are financial instruments whose value is based on the value of the underlying assets. Generally, there are two types of derivatives being exchange-traded and over-the-counter (OTC) derivatives. Exchange-traded derivatives (ETDs) are standardized instruments exchanged on a licensed exchange, with the clearinghouse acting as a middleman on each contract. Over-the-counter derivatives are custom-made contracts that are traded directly between two counter-parties without an intermediary. While derivatives are one of the most traded financial instruments on the market the same cannot be said about cyber-financial instruments. At the moment only cyber-insurance products are the only viable option available to companies to hedge their information security risks and there is a need to establish a cyber-financial derivatives trading market offering a broader set of novel risk-mitigating financial instruments (Pandey & Snekkenes, 2014).
7. CYBERSECURITY MITIGATION TOOLS & TECHNIQUES Cybersecurity relates to protecting information systems from cyberattacks using technologies that are applied to systems, networks, and data. Trying to keep up with the rapid evolution of algorithms, commercial applications and software makes mitigating cyber risk that much more challenging. The following Table 7.3 presents some of the cyber threats, their attack methods, and risk mitigation tools and techniques.
156
Kok-Boon Oh, Bruce Ho and Bret Slade Table 7.3. Cyberthreat mitigation tools
Threat Malware
Social Engineering/ Phishing
Denial of Service/ Distributed Denial of Service (DOS/DDOS)
Man in the middle
Drive-by downloads
Attack method Mitigation Use of computer viruses, Install firewalls to screen attachments adware, spyware, trojan for malware horse, and worm to steal data Avoid opening suspicious attachments or damage systems. Malware Check the authenticity of URL links is planted using email Operating system software maintenance attachments, software to check for weaknesses downloads, and exploiting Regular updating of patches on firewalls operating system and operating systems vulnerabilities. Acquiring and exploiting user Check to confirm the email address of passwords typically through the sender is genuine emails by redirecting the Staff training users to counterfeit websites. Implement technical measures such as Phishing is exploited for firewall, rigid data classification, stealing banking/login strong/unique passwords, regular review credentials & data and of access record & impersonating users. Regular updating of patches on firewalls and operating systems A sub-category of denial of Use of scrubbing or filtering centers to service (DOS) requires the analyze traffic to a website to remove use of multiple connected malicious traffic devices, called botnets, to Content delivery networks to minimize inundate targeted websites the distance between resources and users with massive fake traffic. The Firewall purpose of the attack is to Strong password disable a system and make a service unavailable. By impersonating the person VPN - A remote-access VPN for mobile or entity on the other end. users to establish secure connections to an organization's network. Use encrypted wireless access point (WAP) Ensure the security of HTTP connection HTTP Strict Transport Security (HSTS) security policy mechanism Where computers are infected Avoid visiting malicious websites by visiting websites. Use strong passwords and usernames for
admin accounts Install and keep anti-virus software up to date Remove outdated or unsupported components on websites
Cyber Risk Mitigation Threat Malvertising
Password attack
Rogue software
SQL attacks
Attack method Advertisements that are criminals use to infect businesses by redirecting a computer to be injected with malware. An attempt to steal or decrypt a password. This is usually done by using brute force, password sniffers, cracking programs, keylogger attacks, and dictionary attacks. Also referred to as smitfraud or scareware. It is essentially malware designed to cause disruptions to a computer system and by tricking the user into purchasing antivirus software. Once the scareware is downloaded the user's computer is infected. SQL is a hack using malicious code injection to steal, modify and destroy data SQL attacks. It can be used to elevate privileges at the application or database or as a base to attack other systems.
157
Mitigation Install adblocker Regular updating of patches Avoid websites that make unbelievable offers
Strict password policy including frequent changes to passwords, minimum length, and unrecognized words. Use a multitude of alpha-numeric characters in passwords.
Use anti-virus protection Regularly update firewalls Keep up to date with software information and do not trust individual websites that offer security products
Firewall Reduce attack surface Regular update of patches Use principle of least privilege Do not share database accounts between applications
8. NETWORK PROTECTION TECHNIQUES The network is central to cybersecurity as reducing the attack surface of a network, known as network protection or security, is to prevent employees from accessing harmful domains while using devices connected to it. Dangerous domains are those that house phishing scams, exploits, and other malicious content on the internet. The network protection system is made up of both hardware and software that protects the underlying networking infrastructure from unauthorized and malicious intrusions.
158
Kok-Boon Oh, Bruce Ho and Bret Slade
8.1. Perimeter Network A demilitarized zone (DMZ), also known as a perimeter network or screened subnet in cybersecurity, is a physical or logical subnetwork that contains an organization's external-facing services to networks such as the Internet. The purpose of the DMZ is to provide a buffer zone and a gateway to external networks thus limiting the internal network’s exposure to the public Internet and its threats. The perimeter network is secured by devices such as firewalls, some forms of IDPs, and antivirus systems to protect itself and the internal network it surrounds. The internal network that is secured by the perimeter network is known as a “trusted” network.
8.2. Firewalls A firewall is a network security hardware or software application that analyses packet headers in incoming and outgoing network traffic to determine whether specific traffic should be rejected, accepted, or flagged on a set of security policies and specifications. Firewalls reject packets that do not conform to protocol types such as Simple Mail Transfer Protocol (SMTP) and predefined source or destination addresses, or source or destination ports. By creating a perimeter around an organization's internal networks, firewalls protect them from malicious intrusion, unwanted access, and untrusted connections. As a result, the perimeter-protected network is considered "trusted."
8.3. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) Intrusion detection and prevention systems (IDPSs) are software or applications that detect and prevent intrusions. IDPSs are programmed to inform the network of any intrusions or attempted attacks for measures to be taken to prevent intrusions and reduce their impact on the network.
Cyber Risk Mitigation
159
Host-based IDPSs (HIDSs) are those that protect servers and host data assets. HIDSs are software programs that reside on a single computer or device and monitor it for changes. HIDSs can be employed on missioncritical systems like servers that require just minor configuration changes. Antivirus software, which works directly on the host device, can also be categorized as a sort of HIDS. This software scans files for malware signatures, which are patterns of known malware and infections. The software may also use control of some critical directories to prevent malware from being installed in the first place, thus making it more of an integrated intrusion detection and prevention system if set to do so. Network-based IDPSs or NIDSs are not installed on the hosts but rely on discrete devices known as sensors that are strategically positioned throughout the network. NIDS monitor network traffic and identify or act on packets that may be considered a threat. These systems keep track of all data that passes via a specific network point, which may include many devices.
8.4. Access Control Access control is a security protocol that keeps unauthorized users and devices out of a private network. It limits access to just those devices that have been allowed and are compliant with security policies. The two most common types of network access controls used by businesses are logical access control and physical access control. Logical access control systems such as firewalls and IDPSs protect important cyber assets like systems, networks, and data from unwanted access. Mandatory access control (MAC) is a logical access control system that restricts users' access to specified information assets based on their jobs. Physical access control systems (PACS) are a form of physical security system that restricts or enables entry to a specific area or facility. Fobs and key card entry systems, encrypted badges, mobile credentials, PIN codes, and passwords are all different forms of credentials used in physical access control.
160
Kok-Boon Oh, Bruce Ho and Bret Slade
Authentication, authorization, and accounting (AAA) refers to a network administration and security framework for intelligently restricting physical access to computer resources by enforcing policies and auditing usage. Authentication is the process of identifying a user by having the user enter a valid user name, valid password, valid code, or fingerprint before access is granted. Multifactor authentication refers to the use of more than one of these types. Authorization refers to granting the appropriate level of access to a user based on their privileges or credentials. It is the process for enforcing policies that determine what the user is permitted to access in terms of resources, activities, resources, or services. This method is related to the “principle of least privilege,” which means enforcing the minimal level of user rights, or lowest clearance level to the user to allow a user to perform essential functions only. Any authorization beyond that will opens up the chance to either unintentional or intentional malpractices. Accounting involves keeping track of what users do while signed into a system. This can involve the time spent on the system or the quantity of data sent and/or received by a user during a session. It's critical to keep track of users and their activity and accounting oversight is conducted by logging session statistics and usage data, and the information captured is used for authorization control, resource utilization, trend analysis, and capacity planning. In addition, accounting can help with tracing back to events leading up to a cybersecurity problem, which will be useful in forensics for identifying culprits and also to learn from the incident. Physical access control is another layer of access security to limit unauthorized access to premises, workstations, and physical IT assets like servers and routers. It refers to the application of security measures inside a defined structure to restrict or prohibit access to sensitive information systems or networks. To ensure the continuing operation of information systems, physical security control is a safeguard to prevent illegal physical access and physical harm. Physical security control is just as vital as cybersecurity, and the two work together in the cyber risk management process. Policies and procedures that limit users' access to vital systems, networks, and data are among the physical control measures.
Cyber Risk Mitigation
161
9. EMERGING CYBERSECURITY TECHNOLOGIES When it comes to managing the risk of cyber-attacks, cybersecurity remains a serious concern for many enterprises. on the other hand, various developing technologies can provide important tools for countering cyberattacks. Some of these cutting-edge technologies are Cloud Computing, Artificial Intelligence, Blockchain, the Internet of Things, and Big Data.
9.1. Cloud Computing Many firms can now outsource their data storage to cloud service providers who are data security experts, resulting in improved CIA from better dependability and performance. Cost savings, scalability, higher processing speed, and the flexibility for management to devote more time to core company tasks are some of the advantages of cloud computing. Firms that use cloud storage have the option to scale up or down their cloud services while maintaining a comparable degree of security in response to varying data flow volumes, all while saving money. Data stored in the cloud decreases the risk of internal hostile attacks and business interruptions caused by power failures, human error, and natural catastrophes. Employees have access to all cloud data, which are encrypted, but subject to needs restrictions and security protocols. Cloud computing solutions include security mechanisms to protect critical transactions and information from third-party data breaches. By integrating mitigation measures at many levels to prevent massive amounts of traffic intended for a business's cloud server thereby limiting the possibility of a distributed-denial-of-service attack to protect enterprises. Outsourced data storage has advantages, but it also exposes businesses to cyber hazards. For example, cloud service providers are high-value targets for cyber-attacks, and a data breach at a cloud service provider is likely to cause severe business disruption to their clients.
162
Kok-Boon Oh, Bruce Ho and Bret Slade
9.2. Artificial Intelligence Artificial intelligence (AI) has become a useful tool for facilitating cybersecurity. The potential of Natural Language Processing is one of the most compelling arguments to use AI for cybersecurity (NLP). By analyzing news, articles, and research on cyber threats, AI-powered systems can automatically collect data. These AI systems employ NLP to extract valuable information from scanned data, resulting in insights suggesting cyber-attacks, mitigation, and abnormalities, for developing risk control measures. AI can also assist businesses in developing multi-factor authentication systems to protect against cyber threats. Multi-factor authentication track user data to assess user behavior, device usage, network activity, location, and application data. This information is processed and used to validate a user's credentials and the system will immediately modify any user's access rights to ensure data security. Thus, multifactor authentication makes it difficult to pretend to be someone else. As it operates in real-time and on a worldwide basis, the system can monitor and modify access rights based on network or location.
9.3. Blockchain As peer-to-peer network technology, Blockchain records all data transfers across different networks using a shared and distributed ledger. Blockchain is a decentralized network that takes advantage of encryption advances and employs complex algorithms to authenticate data ownership and accuracy and they are different elements of a comprehensive cybersecurity strategy. The main advantage of Blockchain is that it allows anyone to make secure transactions regardless of their sector. Data breaches, cyberattacks, identity theft, and transaction fraud can all be
Cyber Risk Mitigation
163
avoided using blockchain technology36. To guarantee transparency, blockchain ensures that data remains private and secure in all the blocks it creates. Therefore, Blockchain can offer significant changes to the identity and access management process.
9.4. Big Data Big Data is a game-changer in our modern world. Big Data involves using a large amount of data to analyze irregularities in systems and networks. Using relevant and verifiable data in their growth strategy means that firms have to utilize big data analytics. Big data analytics works handin-hand with artificial intelligence to collect and collate vast amounts of data from different sources to evaluate the cyber risk for decision making. The cybersecurity-related information from Big Data can cut down on the time it takes to identify and resolve a problem. Real-time Analytics and Predictive Analytics are used to assess network vulnerabilities and dangers as well as to predict and avoid network disruptions. Hurst, Merabti and Fergus (2014) suggest big data analysis techniques detect anomalies that could pose as threats to cyberinfrastructures.
CONCLUSION In addition to adopting software as a cybersecurity mitigation approach, organizations must also have a thorough set of policies and procedures for regulating personal devices and software applications connected to company networks. Organizations should keep their systems up to date with the most recent updates, regularly backup their data, and monitor system logs and security alerts. 36
NASA is a recent example of a company that has decided to use Blockchain technology to improve its cybersecurity and avoid denial of service and other assaults on air traffic services (Security Today, 15th January 2019). https://securitytoday.com/articles/ 2019/01/15/nasa-to-boost-data-security-with-blockchain-technology.aspx.
164
Kok-Boon Oh, Bruce Ho and Bret Slade
Cybersecurity has become a major concern for businesses, devising new ways to protect against cyber-attacks has become a preoccupation for c-suite, regulators, and other stakeholders. This has spurred increased research and development around the world into developing new technologies against cybercrime. Emerging cybersecurity technologies include quantum computing, hypervisors, edge computing, and antimalware detection systems.
Chapter 8
CYBER RISK MONITORING, DETECTION AND REPORTING 1. INTRODUCTION This chapter discusses the monitor, detect & report phase (Step Four) of the operational ERM process. It covers monitoring, detecting the risk conditions, and reporting them to the relevant stakeholders. In other words, this step covers the surveillance of the cyber risk status and conditions and reporting them to the relevant parties. Companies have put more focus on both internal and external risk reporting in recent years as they have become an important corporate governance mechanism in ERM for accountability, efficiency, and transparency in the business world. Risk reports disclose information about the company's status of risk exposures, mitigation actions, and risk control processes. The focus is on existing critical or severe risks that have an immediate impact on the company, as well as emerging risks that must be monitored to avoid future losses. As a result of internal risk reporting, it may be necessary to repeat a partial or full cycle of the risk control process to properly address a risk. Some of the benefits of risk reporting are: improve strategic risk planning as more up-to-date relevant information about the risk situation is made
166
Kok-Boon Oh, Bruce Ho and Bret Slade
available for timely and confident decision making; help to heighten risk awareness and reinforce the corporate risk culture through pro-active and continuous communication; allow better and up-to-date risk monitoring and detection; reduce the probability and risk impact from risk management weaknesses due to information gap and information asymmetry; ensure growth opportunities are taken up; a good risk reporting regime will reduce information overload and help to detect any breach of the information infrastructure, and aid strategy setting and operational planning. Most firms provide a general statement of risk (Linsley & Shrives, 2006) comprising of mainly qualitative content in their annual reports (Beretta & Bozzolan, 2004). The Australian Stock Exchange’s (ASX) external disclosure guidelines published in 2014, the “Corporate Governance Council Principles & Recommendations (3rd Edition),” and taking effect from 1 July 2014, includes a new recommendation that explicitly requires that: “A listed entity should disclose whether it has any material exposure to economic, environmental and social sustainability risks and, if it does, how it manages or intends to manage those risks.”
Some countries have a better record than others of encouraging companies to report on risk. Most of the guidance and regulatory requirements for mandatory risk reporting were developed after financial crises (e.g., Sarbanes-Oxley Act 2002). The United States requires companies listed with the Securities and Exchange Commission (SEC) to describe the risks faced by the business since the 1970s. In the European Union (EU), the “EU Accounts Modernisation Directive” of 2003 requires companies to describe the risks they face, in both annual and interim reports. The EU’s “General Data Protection Regulation” (GDPR) requires a breach that compromises the rights of individuals’ data to report it within 72 hours of the organization becoming aware of the breach. The UK Financial Reporting Council in November 2013 published a consultation
Cyber Risk Monitoring, Detection and Reporting
167
paper37 that proposed a more integrated approach to risk reporting, linking risk management to internal controls and going-concern.
2. MONITORING, DETECTION, AND REPORTING RISK After risks are identified, assessed, and mitigated the organization needs to constantly monitor and detect risks, and report risk at regular intervals about the state of the exposure as well as the effectiveness of the measures to ensure the inherent nature of the risk (i.e., frequency and/or impact) has not changed and the measures are sufficient. These actions constitute the fourth phase in the ERM/ORM process (Figure 8.1). In this phase, corrective actions are necessary if the severity of the reported risk has increased and/or the measures put in place are no longer sufficient to protect the organization from potential losses within its risk tolerance or any untoward activities on the enterprise's systems, networks, and servers that may result in a breach or compromise of the CIA triad. Risk disclosure also improves communication between management and external stakeholders by mitigating information asymmetry, which results in better knowledge about the company and its risk control activity. The detection activities are facilitated by a combination of cyber and physical tools. These tools include the use of up-to-date IDPS and surveillance equipment to help detect potential security breaches and cyber-attacks. Figure 8.2 outlines the monitor and detect relationships to the reporting stage of the ERM/ORM framework. As a continuous process, the monitoring and detection tasks are likely to discover new risks that will be added to the list of critical risks and others removed. All risks on this list will need to be regularly reviewed and reprioritized to determine whether the current plans are sufficient or what new actions are required. Critical risks should be reported regularly to appropriate stakeholders as part of effective enterprise risk management
37
The UK’s Financial Reporting Council (November 2013) consultation paper on amending Actuarial Standard Technical Memorandum 1 (AS TM1) for revised disclosure regulations.
168
Kok-Boon Oh, Bruce Ho and Bret Slade
practice. On-going and effective communication and reporting between the risk management team and management on existent and potential risks are essential for it enables the sharing of all information and is the cornerstone of effective risk management.
Figure 8.1. Monitor, detect & report risk in the ERM/ORM cycle.
Internal Stakeholders
External Stakeholders
Figure 8.2. Monitoring, detecting, and reporting cyber risks.
Cyber Risk Monitoring, Detection and Reporting
169
2.1. Monitor Risk The main information security goals of an organization are protecting confidentiality, integrity, availability of systems and data, and reputation. Monitoring risk entails oversight of the implementation of the accepted risk response plans, tracking identified risks, identifying and analyzing new risks, and evaluating the effectiveness of risk management processes. The purpose is to provide a real-time view of cybersecurity risk status and triggering events to facilitate updating risk measurements whenever relevant changes occur. Corrective actions are necessary if the severity of the risk has increased and/or the measures put in place are no longer sufficient to protect the organization from potential losses within the limit of its risk tolerance. Risk monitoring requires tracking risk measurements key performance indicators (KPIs) to ensure that the risk actions are effective and being carried out as planned. Therefore, part of the risk monitoring process involves establishing KPIs or risk metrics to measure results. KPIs play an integral role in ERM as they are the organization's targets or goals that must be met to reap benefits. The best risk metrics offer valuable hints to the risk levers the company can pull to improve them. The main KPIs that information security should monitor are CIA triad performance and firm reputation. The Confidentiality KPI addresses sensitive data disclosure to unauthorized users by imposing mitigating actions to prevent data leakage. Availability KPI refers to making key infrastructure assets available and accessible to authorized end-users and potential breaches are mitigated by IT and management policies and procedures, tools, and technologies to protect availability. The Integrity KPI monitors an organization's assets' capacity to perform their expected tasks effectively and efficiently without disruptions. Mitigating factors include ensuring the appropriate architecture and utilization of any asset that stores, processes, and retrieves data are restricted to only authorized users and not permitting an unauthorized user to alter the stored data on the systems or communicate data over the network. The purpose of Reputation KPI is to ensure the public's trust and confidence in an organization remains intact. It should
170
Kok-Boon Oh, Bruce Ho and Bret Slade
also be noted that while KPIs are used to measure past performance, they also act as a useful tool for identifying emerging risks.
2.2. Detect Risk NIST Cybersecurity Framework defines the detect function as one for identifying the “occurrence of a cybersecurity event.” Detection refers to tracking a network, applications, or other assets within the network to identify threats. Early detection of any threats is crucial to minimize “dwell time” and prevent lateral movement or preventing attacks from moving from one system or department to another within an organization. The rapid pace of today's business innovation means that some threats will inevitably evade even the most stringent security safeguards, therefore requiring a shift from reactive cybersecurity detection to proactive cyber risk management to enable a more effective threat detection function (Amjad et al., 2016). Companies invest a lot of money into the latest detection technologies and automated intelligence to generate and sift through the huge amount of network security data to detect threats. Some of the technologies for detecting cyber-attacks are intrusion detection and prevention systems (IDPS) that automatically generated alerts in the event of an attack; antivirus software prevents, detects, and removes software viruses and antispam software blocks spam from entering a system; firewalls protect a network or system from unauthorized access; system and application log capture all actions on a network or system to keep track of its activity or traffic to see how they generally work, and vulnerability scanners identify and fix vulnerabilities in systems or networks and any anomalous network traffic is detected by network analyzers. The detection of a risk event may also be a trigger for activating the risk response and recovery process if the risk poses a significant threat to the firm. Detection activities are normally located in a Security Operations Centre (SOC) which is a centralized function within an organization responsible for both internal and external cyberattacks. SOC houses an
Cyber Risk Monitoring, Detection and Reporting
171
organization's IT security monitoring and incident response efforts in a single location to continually monitor and enhance the security position of an organization while preventing, detecting, analyzing, and responding to cybersecurity incidents.
2.3. Report Risk Organizations report risks for strategic and operational reasons, as well as for compliance. The risk reporting function involves disclosure to both internal and external stakeholders (Figure 8.2) for different reasons. The impact of risk actions on individual business units and corporate risk profiles should be the focus of effective risk reporting (PwC, 2011) and reports should be precise, business-focused, and pragmatic so that those who receive them feel well-informed enough to take action (Epstein & Buhovac, 2006). Therefore, reporting mechanisms should also be in place to ensure that a cyber-attack is communicated as quickly and precisely as practical to the relevant person or authority in the incident response plan structure for action. This type of specific reporting is discussed in Chapter 9 as part of the incident response process.
2.3.1. Internal Reporting Enterprise risk management (ERM) frameworks include the reporting of risk information as a component element. While compliance risk reporting is regulated and adequate, the integration and communication of identified risks and risk performance into the internal reporting system poses a challenge to firms that wish for a reporting regime that will facilitate strategic and operational decision-making. Thus, internal risk reporting must be given more attention to providing relevant information to internal users as decision-makers need to be aware of the various organizational risks, to avoid making decisions or non-decisions, that can cause significant organizational costs. Internal audiences of cyber risk reports include the board of directors, risk committee, c-suite officers, incident response team members, internal auditors, business unit
172
Kok-Boon Oh, Bruce Ho and Bret Slade
managers, employees, business partners and, suppliers and contractors. At the SRM level, the information providing an overview of critical business risks and function-specific risk management actions are critical for management oversight, review, planning, and formulating strategy. For example, the American Institute of Certified Public Accountants (AICPA) new cybersecurity risk management assessment reporting structure offers organizations, particularly boards in their oversight function with valuable information (Deliotte, 2017). According to Lam (2006), this type of reporting may contain qualitative data like at-risk objectives and escalation of specific events, as well as quantitative data like key performance indicators (KPIs) or risk metrics and key risk indicators (KRIs). At the operational level information about the ORM cycle and crisis management processes are communicated and shared with functional process owners to conduct and maintain daily risk control activities as well as for learning and improvement initiatives. The ORM policies and procedures should spell out the type of information to be disclosed, to which party, and the purpose. Internally, companies must provide regular integrated reporting on the results of continuous monitoring and detection to gauge performance and mitigate risks as they arise. Robin et al. (2002) refer to this reporting regime as the “risk status report” and recommend that it should disclose four possible risk control scenarios for each risk, as follows:
A risk is resolved according to the action plan and no further action is needed. Risk actions comply with the risk management plan and they continue as planned. Some risk activities conflict with the risk management plan, remedial steps should be taken. Re-analyzing the risks or re-planning an activity due to changes in the risk situation.
Cyber Risk Monitoring, Detection and Reporting
173
Reporting includes using performance metrics such as impact measures (return on investment - ROI) to effectiveness and efficiency measures (i.e., the number of system-level controls that are implemented according to the cybersecurity policy), to reporting whether goals and objectives have been achieved successfully to provide management with the information necessary to make decisions, and aid in holding stakeholders accountable.
2.3.2. External Reporting Reporting to external stakeholders, such as regulators for compliance, brings benefits not only to users but adds value to a firm’s organizational reputation as “high-quality risk reporting increases investor confidence and also in the overall quality of management.”38 The need for external disclosure of risk is growing with the introduction of regulations governing information security. External stakeholders like regulators, investors, financial analysts are becoming increasingly aware of the critical role of proper cyber risk management in today’s technology-driven business environment and they want better information on cyber risk exposures and how the organizations manage them. Therefore, the scope of corporate risk reporting has gone beyond the traditional scope of just reporting financial risks. External stakeholders like shareholders and investors need risk disclosure reporting for assurance that a sound system and process is in place to identify, assess, and manage cyber risks so that they can better evaluate corporate performance to make better-informed decisions. The external stakeholders who are interested in risk disclosure are regulators, external auditors, shareholders, creditors, financial analysts, customers, suppliers, non-profit organizations (NGOs), and investors. Management and stakeholders consider annual reports to be a significant and influential source of corporate information (Beretta and Bozzolan, 2004). Company annual reports are important communication tools for management to communicate with both external stakeholders about business performance.
38
Simon Constant-Glemas of Shell.
174
Kok-Boon Oh, Bruce Ho and Bret Slade
3. NIST/CSF – DETECT FUNCTION The detect function is an important part of a strong cyber program because the quicker a cybersecurity incident is discovered, the faster the firm can minimize its consequences. The NIST “Detect” function encompasses the generic monitoring and reporting step of the generic ERM framework in performing the relevant actions to detect the existence of a cybersecurity event (see Figure 8.1). The Detect Function enables the timely discovery of cybersecurity events. Examples of outcome Categories39 within this function are to implement security continuous monitoring capabilities to observe cybersecurity events and assess the efficiency of protective measures, including network and physical activities, ensure anomalies and events are discovered and their potential impact is understood, and maintain detection processes to ensure that abnormal cyber activities are detected. Table 8.1 provides a list of outcomes and associated activities under the detect function. The NIST/CSF’s Detect function’s Anomalies and Events, Security Continuous Monitoring, and Detection Processes categories align with the operational process of the ERM as shown in Figure 8.3.
NIST/CSF Function: Detect ERM/ORM Monitor, Detect & Report Risk (Step 4)
Category:
Anomalies and Events (DE:AE) Security Continuous Monitoring (DE:CM) Detection Processes (DE:DP)
Sub-categories: All
Figure 8.3. Risk monitoring & reporting - ERM & NIST CSF alignment.
39
National Institute of Science & Technology (NIST).
Cyber Risk Monitoring, Detection and Reporting
175
Table 8.1. Detect – Outcome categories and sub-categories Detect (DE) Category Anomalies and Events (DE:AE)
Security Continuous Monitoring (DE:CM)
Sub-category A baseline of network operations and expected data flows for users and systems is established and managed (DE:AE1) Detected events are analyzed to understand attack targets and methods (DE:AE2) Event data are aggregated and correlated from multiple sources and sensors (DE:AE3) Impact of events is determined (DE:AE4) Incident alert thresholds are established (DE:AE5)
Detection Processes (DE:DP)
The network is monitored to detect potential cybersecurity events (DE:CM1) The physical environment is monitored to detect potential cybersecurity events (DE:CM2) Personnel activity is monitored to detect potential cybersecurity events (DE:CM3) Malicious code is detected (DE:CM4) Unauthorized mobile code is detected (DE:CM5) External service provider activity is monitored to detect potential cybersecurity events (DE:CM6) Monitoring for unauthorized personnel, connections, devices, and software is performed (DE:CM7) Vulnerability scans are performed (DE:CM8) Roles and responsibilities for detection are well defined to ensure accountability (DE:DP1) Detection activities comply with all applicable requirements (DE:DP2) Detection processes are tested (DE:DP3) Event detection information is communicated to appropriate parties (DE:DP4) Detection processes are continuously improved (DE:DP5)
The outcome of the Anomalies and Events (DE:AE) category is the timely identification of unusual activity and an assessment of the event’s potential impact on the firm. For users and systems, a baseline of network operations and expected data flow is built and managed. Thresholds for incident alerts must be established and implemented and event data from different sources and sensors are consolidated and correlated for all detected events for an investigation to determine attack targets and techniques and for analysis and calculation of the impact from the events.
176
Kok-Boon Oh, Bruce Ho and Bret Slade
The goals of the detect function are to monitor and detect for malicious code, unauthorized mobile code, unusual activity of external service providers and, any access by unauthorized individuals, connections, devices, and software to the organization's systems are monitored to detect potential cybersecurity incidents. The category on security continuous monitoring (DE:CM) requires organizations to monitor their information system and assets, including the physical environment, at regular intervals to identify potential cyber-attacks and check the efficiency of protective measures. Human behavior and activity are also tracked to detect potential cyber-attacks, errors, or omissions. The detection processes (DE:DP) category recommends the maintenance and regularly testing of detection systems and procedures to provide a timely and adequate awareness of abnormal events. The team will need to be trained and prepared to gather and evaluate data from numerous sources in order to detect an incident. The program will detect unusual behaviour or pattern and alert the risk team and everyone in the team will be aware of the consequences. The detect function is one of the most critical, since detecting a breach or incident early will allow a company to take the necessary actions to minimize its losses or in the worst case scenario, to ensure its survival. Following these best practices and adopting these solutions will undoubtedly assist a company in mitigating cybersecurity risk. The successful implementation of this activity requires an organization to ensure accountability, roles, and duties for detection are specified, detection efforts meet all necessary standards, regularly test the detection processes, and information about event detection is shared with the appropriate parties to help improve the detection processes.
CONCLUSION Risk transparency, both in terms of internal risk reporting and external disclosure, is a core aspect of successful risk management (Lam, 2007). Managers require effective risk reporting systems to incorporate risk
Cyber Risk Monitoring, Detection and Reporting
177
assessment into operational decisions and performance evaluation. Risk information is used by external users to assess the company's performance and make investment, compliance, or commercial decisions. With the diversity, magnitude, and complexity or interdependency of risks in the business environment, risk information users have become more sophisticated and demanding. Inadequate risk reporting has led to a failure to adequately incorporate identified risks into strategic and operational decisions in some businesses (Epstein & Buhovac, 2006). For instance, businesses need more inclusive, timely, precise, and regular reports to effectively manage risk but many firms still find this a challenging task. There is a need to find ways to integrate risk performance into a highstandard internal risk reporting framework for more timely, informed, and effective risk management decision-making. Organizations are under a lot more scrutiny and pressure from both internal and external stakeholders for their cybersecurity risk management programs to be upgraded and made more transparent (Deliotte, 2017). According to Deliotte (2017), the AICPA'S cybersecurity risk management examination reporting framework is a step in that direction as it can cater to a wide range of users' information needs by adopting just a single reporting mechanism.
Chapter 9
CYBER ATTACK RESPONSE AND RECOVERY 1. INTRODUCTION An effective risk management process does not guarantee a firm with full immunity from losses as risk events are difficult to predict and mitigate fully. There is a need to take ERM to the next level to align the ERM function to the crisis management programs. In the context of cybersecurity, it is essential to understand how crisis management dovetails with the ERM function before, during, and after a cyber breach and how the two can leverage off each other in terms of preparedness and education to prevent a similar incident from happening again in the future. An effective crisis management policy should define what constitutes a crisis, address issues such as the authority to declare an event is of crisis proportion, and convene the crisis management team (Ho, Oh, Durden & Slade, 2010). A cyber crisis management plan (CCMP) will help the enterprise respond more effectively to cyberattacks. The benefits of a CCMP are that it deals with crisis management preparation, incident response, recovery, and business continuity.
180
Kok-Boon Oh, Bruce Ho and Bret Slade
The source of a crisis comes from the risk exposure of a company when that risk is not properly addressed or managed. A crisis could be the result of a cyber-attack, a failure of an internal process, an internal or systemic financial meltdown, product or environmental contamination, destruction from natural disasters, an act of terrorism, or explosion and fire. Management of a critical risk requires planning, evaluation, prevention, testing, and monitoring to mitigate and minimize potential losses from the exposure. The effectiveness of the risk management process used by a company will determine the company's preparedness in preventing the risk from turning into a crisis, affecting employees, the company, and the community (Ho, et al., 2010). In this chapter, we will explore the importance of developing the CCMP and its elements for mitigating cybersecurity incidents.
2. CYBERSECURITY CRISIS MANAGEMENT PLAN A crisis ensues when a risk is realized, which has the potential to cause extensive damage to the organization if it is not effectively managed and on time (Ho, et al., 2010). The CCMP is an action plan that instructs the incident response team members about a comprehensive approach to managing cyber-attacks during and after the incidents to minimize disruptions to business operations. Creating a crisis response strategy ahead of time increases a company's alertness of cyber events and chances of surviving a cyber incident or breach. These occurrences are normally unpredictable and can happen quickly, often require a large number of people to manage, can deplete a company's resources, and unless handled properly they can have long-term reputational and financial consequences for a firm. A CCMP can apply to any size company and is essential for establishing the operational plan, structure, instructions, and resources for dealing with crises and managing the business during a crisis. Therefore, the CCMP outlines a series of interrelated activities and processes that
Cyber Attack Response and Recovery
181
form the organization-wide crisis management plan for use in the event of a crisis (Figure 9.1).
Cyber Crisis Management Plan
Pre-crisis Preparation
Crisis Response Plan
Post-crisis Recovery
Figure 9.1. Cyber crisis management cycle.
According to Perry and Lindell (2003), an organization's crisis preparedness is evaluated based on four criteria: a risk assessment (vulnerability assessment), a capacity assessment of the organization's ability to cope with crises (capacity assessment), the training and retention of qualified staff, and a flexible system that can be deployed quickly during a crisis. The three basic attributes for an effective CCM process are preparation (pre-crisis phase), response (crisis-response phase), and recovery (post-crisis phase). Cyber crisis management is a proactive approach to plan and implement the policies and processes on how to respond, react to and recover from an attack. The cyber crisis management plan should be a reference tool that is clearly expressed and easy to read to avoid having to read a step multiple times to understand what exactly to do. The CCMP defines what constitutes a “cyber crisis” or “cyber incident” that is consistent with the Enterprise Information Security Policy (EISP). It describes how a security incident would pose a potential crisis to the organization. It spells out the severity in terms of the loss of the CIA triad, vis-à-vis the risk tolerance of the organization, to classify an incident as a crisis. For instance, loss of CIA attributes, loss of reputation, adverse
182
Kok-Boon Oh, Bruce Ho and Bret Slade
financial consequences, and compliance or regulatory breaches are potential security incidents that can escalate to a crisis. The CCMP should outline the initial response, continued management/monitoring of the crisis, and loss minimization measures. The policy should identify the authority vested in the crisis management team leader and, pre-assign the role and responsibilities of each team member. The details of the CCMP should also be covered by the written policy and communicated throughout the corporation40 and make available relevant information for reference by team members and stakeholders. The CCMP should address and explain the remedial measures for existing as well as new cyber threats as reflected in the risk register. The risk register should be kept up-to-date when a new cyber threat is acknowledged. Copies of the plan should be kept in a secure yet easily accessible place by all business unit managers, employees, and stakeholders. Finally, the CCMP should be reviewed and updated to incorporate changes to organizational conditions as well as for improvement where necessary at least every quarter in a rapidly evolving cyber risk environment.
3. NIST/CSF – RESPOND & RECOVER FUNCTIONS The NIST/CSF Respond function’s goal helps organizations create and implement procedures that allow the response team members to "take action in response to a detected cybersecurity occurrence." The Recover function's main purpose is to build, maintain, and improve a company's resilience after a cybersecurity incident. It will assist the company in defining recovery and restoration plans as well as successfully communicating with important parties. The NIST/CSF Respond and Recover functions provide a road map for how to react to a crisis to
40
Adapted from Ho, Oh, Durden & Slade 2010, Crisis Decision Making, Nova Science Publishers, New York (p.236).
Cyber Attack Response and Recovery
183
minimize its impact on the business and for getting back to normal and minimizing the effect of a cybersecurity incident. The categories and subcategories specifying the activities and outcomes of these functions are summarized in Table 9.1. Table 9.1. Respond and recover – outcome categories/sub-categories Respond (RS) Category Response Planning (RS:RP) Communications (RS:CO)
Sub-category A response plan is executed during or after an event (RS:RP1)
Analysis (RS:AN)
Personnel know their roles and order of operations when a response is needed (RS:CO1) Events are reported consistent with established criteria (RS:CO2) Information is shared consistent with response plans (RS:CO3) Coordination with stakeholders occurs consistent with response plans (RS:CO4) Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness (RS:CO5) Notifications from detection systems are investigated (RS:AN1) The impact of the incident is understood (RS:AN2) Forensics are performed (RS:AN3) Incidents are categorized consistent with response plans (RS:AN4)
Mitigation (RS:MI)
Incidents are contained (RS:MI1) Incidents are mitigated (RS:MI2) Newly identified vulnerabilities are mitigated or documented as accepted risks (RS:MI3)
Improvements (RS:IM)
Response plans incorporate lessons learned (RS:IM1) Response strategies are updated (RS:IM2)
Recover (RC) Recovery Planning (RC:RP) Improvements (RC:IM) Communications (RC:CO)
A recovery plan is executed during or after an event (RC:RP1) Recovery plans incorporate lessons learned (RC:IM1) Recovery strategies are updated (RC:IM2) Public relations are managed (RC:CO1) Reputation after an event is repaired (RC:CO2) Recovery activities are communicated to internal stakeholders and executive and management teams (RC:CO3)
184
Kok-Boon Oh, Bruce Ho and Bret Slade
3.1. Respond Function The Respond planning category refers to crisis response preparedness before a crisis to limit harm during a crisis, and provide for post-crisis feedback for improvement to the process (RS:RP1; RS:IM1), if necessary. Response team members must be appropriately briefed, trained, and roleplayed to effectively react to a crisis (RS:CO1). Events are reported according to established guidelines and information is coordinated and disseminated to all internal stakeholders according to the crisis management plans (RS:CO2; RS:CO3; RS:CO4). Information is shared with external stakeholders like the media to provide accurate information for a better understanding of the cybersecurity situation and to avoid untoward speculations that might cause market confusion or panic (RS:CO5). On analysis of detection system notifications, warnings are closely studied to confirm an attack has in fact taken place (RS:AN1), and, if so, forensics are carried out to identify the method of the cyber-attack, the motivation of the hacker, and the ramifications (RS:AN2; RS:AN3). The incident is then classified following response strategies for carrying out the appropriate response according to the CCMP (RS:AN4). The response mitigation should ensure that the incident is fully contained and neutralized, and the damage to the organization is kept to a minimum (RS:MI1; RS:MI2). New vulnerabilities are recognized as existent risks in the organization’s business operations and documented in the risk register as risks that must be mitigated as part of the enterprise risk management process (RS:MI3). Lastly, lessons are drawn from recent crisis response incidents for review, revision of, and integration into the enterprise response strategies for updating and improvement (RSIM1 & RS:IM2).
Cyber Attack Response and Recovery
185
3.2. Recover Function The crisis recovery process can begin during or after the crisis depending on the criticality of the systems to the business operation and whether it is safe to do so (RC:RP1). Crisis recovery relates to actions normally taken in the aftermath of a crisis to restore organizational operations to pre-crisis levels and mitigate the effects of future crises from lessons drawn from the experience. Therefore, the lessons learned are incorporated into the recovery plan for updating the recovery strategies with the improvement (RC:IM1 & RC:IM2). Information regarding recovery actions and progress is disseminated to leadership and management teams to inform them of the recovery efforts (RC:CO3) and to external stakeholders (including the media) as necessary to avoid misinformation and speculations (RC:CO1). After a crisis, a firm needs to prepare a strategy to re-establish its business reputation and to respond to media reports by developing a communication strategy (RC:CO3).
4. PRE-CRISIS Pre-crisis management relates to the proactive approach taken in preparation by the company in readiness for a crisis. Preparedness entails acquiring knowledge and capabilities in advance of a disaster to effectively foresee, respond to, and recover from a crisis. The CCMP is part of the overall enterprise risk management strategy and requires the support and approval of senior management and the board of directors. The support includes a budget for the essential resources required to implement the CCMP. The first step of CCMP implementation is carried out by first putting in place a comprehensive CCMP that includes essential resources, crisis management teams, vigilance and monitoring capabilities, a crisis communication plan, an incident response plan, and a recovery roadmap. Some of the benefits of CCM planning are a state of readiness and
186
Kok-Boon Oh, Bruce Ho and Bret Slade
familiarity with the process, a coordinated and systematic response during an attack to minimize human mistakes, and the adoption of a well-thoughtout plan that may lower the organization's losses and minimize downtime. Crisis planning starts with risk assessment, which entails identifying and analyzing important risks, hazards, and related vulnerabilities. An appropriate organizational structure, accompanied by explicit policies and procedures supported sufficient budget allocations for resources are all essential for thorough disaster preparedness. Organizing resources such as technology, people, and equipment are also all requisites and part of the preparation process. For instance, early warning systems that detect these risks would trigger the activation of pre-determined crisis plans (“Detect” function). Response team members are trained and, participate in war games and role-play based on possible business scenarios to familiarize themselves with the response and recovery systems, which are all part of the preparation process. Stockpiling and maintaining appropriate equipment and supplies are also necessary for preparing for readiness to handle a crisis emergency. Firms need to be prepared to deal with a crisis event and take prompt action by identifying and assessing the issues and options, including seeking expert advice. Staff must be trained to ensure that all people concerned understand the process, in particular, which are the decisionmakers and the roles and responsibilities of participants. The maintenance of the plan is critical and staff involved in managing a crisis must be assigned their roles and be ready to respond effectively. The best chance for minimizing loss is in the early stages of a crisis or even before the crisis itself. The enterprise CCM function will require a core team of relevant ‘experts’ for the sole purpose of determining what the potential ‘crises’ are in the corporation. In this context, crisis refers to the circumstances that would not ordinarily occur and need to be prudently dealt with in the ordinary course of a business. A crisis management team should have a senior manager, who has the authority to make decisions, to lead the crisis management team. The team should also include other members who
Cyber Attack Response and Recovery
187
possess legal, public relations, finance, human resources, and technical skills (Ho, et al., 2010).
5. CRISIS RESPONSE As it is impossible to completely avoid cyberattacks, the increase in the number of cyber breaches and the magnitude of attacks is posing an even greater challenge to businesses to avoid the adverse consequences of these incidents. One measure to mitigate this situation is to create an effective response plan for the incident response team to follow in reaction to an attack. The Incident Response Plan (IRP) delivers clear and consistent communication to instruct internal and external stakeholders on how to respond to the attacks, and take timely remedial actions. The IRP is also a mitigation against the legal liability and reputational harm caused by a cyberattack. The incident response process is shown in Figure 9.2.
Figure 9.2. Incident response process.
The important goals of crisis response are to protect assets, restore critical business processes and systems, reduce the length of the interruption of business, minimize reputation damage, and maintain customer relations.
5.1. Incident Response Plan The Incident Response Plan (IRP) is a key component of an organization’s cyber risk mitigation strategy. It provides a roadmap for the
188
Kok-Boon Oh, Bruce Ho and Bret Slade
implementation of the incident response process and the responsible unit for each task. An incident response plan is relevant in both ex-ante and expost contexts of the organization’s ERM. It includes the ability of the organization to plan and allocate resources for implementing processes in anticipation of risk events (ex-ante) and to be able to react once a risk event takes place (ex-post). The focus is on the ex-post process in this chapter as the ex-ante functions are addressed in the preceding chapters of this book including the detection activity, which is explained in Chapter 8. The IRP is a structured plan to define the different processes for managing cyber incidents to protect critical information assets. A high-level network diagram and a list of critical assets are useful tools for the crisis management team to see how the various systems are linked and how an attack can jeopardize these systems and networks. The incident response process includes going through the following actions. The enterprise should first establish and implement a cybersecurity control plan in the form of an enterprise risk management framework to deal with cyber risk and also its ramifications. Next, it should be proactive in implementing the policies and processes to detect and protect against an attack on its systems, networks, and data. This requires preparing and training employees to implement the plan to protect the organization. Detection is to monitor to identify potential cyber events. Preparation and training involve scenario building and conducting war games. The preceding steps form part of the incident response process but are conducted in the pre-crisis stage (Figure 9.2). After detecting a possible cyber event, it is necessary to analyze the event to determine its impact on the company. If it is confirmed as a critical risk then the incident response process should consist of measures to contain and eradicate the attack by limiting the damage done and prevent it from spreading to another network in the organization. It is important to have separate processes for employees to respond to different types (i.e., MiM, DDOS, phishing, IoT attacks) of cyber incidents for a more targeted response as not all attack vectors or methods are similar. Remedial actions include monitoring and coordinating the process by senior management (i.e., CEOs, CISOs, CRO & CIOs) taking steps to neutralize and contain the incident,
Cyber Attack Response and Recovery
189
communicating with media and other stakeholders, and the legal team informing regulators of the incident. The final step of the CCMP is to activate those actions that will recover and restore systems to their full working state.
5.2. Incident Response Team The CCMP specifies the need for a cybersecurity Incident Response Team (IRT) to manage and supervise emergency activities in the event of a cybersecurity incident. The IRP begins with the formation of an IRT and contains reporting mechanisms to ensure that an attack is managed and communicated as quickly as possible to the right person or authority. The composition of the IRT will vary based on organization structure, available employee resources, and the nature and configuration of the information systems and networks. The CCMP must identify a pre-selected IRT consisting of a multi-disciplinary composition of personnel who can bring to bear skills in at least the following disciplines: finance, management, legal, human resources, public relations, insurance management, insurance claims, and relevant technical and operational skills (Ho, et al., 2010). The roles that different employees will need to take up are information owners. This role is normally taken up by chief information officers (CIOs) or chief information security officers (CISOs) in larger organizations. At the operating level, business unit leaders or managers lead the response actions. While human resources (HR) are responsible for informing employees, legal staff communicate with regulatory authorities on compliance matters. IT personnel provide the technical support needed to helps fix IT needs or manage security service providers (MSSP). The IPT will lead the organization by following the defined crisis management processes in responding to a cyber event and reporting and communicating the progress of the incident response efforts to different stakeholders.
190
Kok-Boon Oh, Bruce Ho and Bret Slade
A responsibility assignment matrix, also known as a RACI chart,41 helps provide personal details to internal and external stakeholders of the people responsible for managing a crisis. Listing their names, roles, responsibilities, and contact information help stakeholders to determine whom to contact or get approval from during different stages of a CCMP. Checklists are also available for use by the IR team during attacks to ensure that actions can be taken swiftly, that no tasks are duplicated or missed.
5.3. Security Operations Center & Incident Response Platform Once an incident response plan is in place, the organization needs to select an incident response platform to help it execute the plan. The security operations centers check for unusual activity that could indicate a security incident or compromise by monitoring and analyzing networks, servers, endpoints, databases, apps, websites, and other systems. The incident response platform or core technology of a security operations center collects event data from a variety of the organization's infrastructure and threat detection components, such as the firewall, IDPS, database server, email, web server, file server, endpoint monitoring software, active directory, etc. The purpose of an incident response platform is for monitoring an incident from the start to the resolution in which data or a system may be compromised. Choosing a platform that features security automation and orchestration facilitates analysis and investigation of every threat event. Security automation is the mechanism that allows components of the response plan to be automated to avoid tedious and time-consuming manual tasks, while security orchestration allows the platform to coordinate and integrate all existing security solutions and systems. By centralizing security operations, the incident response
41
RACI stands for Responsible: who is responsible for executing & completing the task; Accountable: who owns, approves, and is the final decision-maker for the task; Consulted: who will be consulted regarding decisions or task, and Informed: who will be updated or informed about the task's progress or status.
Cyber Attack Response and Recovery
191
platform increases efficiency in dealing with cyber incidents by automating a time-consuming task, gathering comprehensive data for intelligence analysis, standardizing and scaling processes, and improving mean time to resolution.
5.4. Testing the IRP The organization's incident response team should undertake regular exercises simulating a cyberattack, allowing the team to identify steps that need to be taken, test their strategy, and make modifications to the processes as needed. Regular war games based on a simulated business scenario allow members of the incident response team to put their knowledge and skills in resolving a security event to the test. Penetration testing by a third party could also help to identify vulnerabilities and weaknesses in the systems for improvement. The IRP should be tested regularly to reassure the readiness of the team and the effectiveness of the cyber crisis management plan (Augustine, 1995; Coombs, 2007). The IRP should be continually tested, rehearsed, and updated to ensure it remains relevant and the team is familiar with the incident plans. This will also ensure that employees are familiar with the processes by responding quickly and take immediate reactive steps to minimize disruptions and losses to the business.
5.5. Managing the Crisis The three common elements addressed in any corporate crisis response and recovery plan are how the corporation is going to manage the crisis, manage the business and manage the fallout.42
42
Section 5.5 is adapted from Ho, Oh, Durden & Slade 2010, Crisis Decision Making, Nova Science Publishers, New York.
192
Kok-Boon Oh, Bruce Ho and Bret Slade
5.5.1. Managing the Crisis The incident response team must first determine the nature of the issue, as well as the scale of the interruption and the harm it may create. The Incident Response Team (IRT) must identify and manage crisis responses and resources, as well as maintain continuous communication with top business management, relevant regulators, and other stakeholders. When interacting with the news media during a crisis, a spokesperson with good communication skills is crucial (Argenti, 2002). In addition, people with experience in cybersecurity, IT, customer service, supply chain management, law and regulations, and human resource management are all essential elements of effective crisis management. A well-documented review and evaluation of the causes of and extent of the damage or losses from the crisis and the corporate response to the crisis is also important to appreciate the effectiveness of the incident response plan. The process of reviewing and evaluating crisis response is essential to ensure the CCMP remains relevant and effective. 5.5.2. Managing the Business A crisis can divert a company's attention, time, and resources away from its core business, causing it to neglect its operations and, as a result, deepening the crisis. As a result, it is critical to guarantee that the company is not destabilized by the crisis as a result of a lack of managerial attention and corporate resources. This can be avoided by delegating primary responsibility for the day-to-day management of a crisis to specialized managers while the business is actively managed by others. The emphasis on "business as usual" reduces the risk of corporate paralysis as a result of the crisis and instills confidence both within and externally. This ensures continued customer service, employee retention, and the maintenance of regulatory and financial obligations during the crisis period. 5.5.3. Managing the Fallout A significant function of an IRT is to gather evidence about the crisis's roots and repercussions, particularly the damages and losses it has incurred. This would make it easier to file insurance claims and receive
Cyber Attack Response and Recovery
193
payments on time. To achieve the best potential outcome throughout the crisis management period, it is also critical to ensure that the right risk management systems stay functional during the crisis occurrence.
6. POST-CRISIS Recovery refers to the steps taken for the enterprise to return to normal operations after neutralizing or eliminating a cyber-attack. In the postcrisis phase of recovery, the response team and those parties involved in the incident will also be responsible for reviewing and updating the CCMP from the experiences gained in the recent incident. This review should be conducted immediately after the attack occurred. The steps involved are an analysis of the causes leading to the events and reviews of the effectiveness of the management of the incident or crisis. The purpose of recovery activities is to learn from how the incident or crisis has been handled in the detection and eradication of the attack to implement more robust defenses or responses to enhance the organization’s readiness in confronting a similar crisis in the future. Responses include measures that should be taken to regain trust with employees, customers, suppliers, and regulators.
6.1. Impact Analysis The business impact analysis (BIA) method is a useful tool to identify and estimate the monetary losses or costs inflicted by a crisis as part of the post-crisis action plan. Such cost or loss estimates could include those relating to the loss of revenue or profits, replacement of assets, staffing, and SND recovery. A BIA assessment report could recognize the critical information assets in a digital failure crisis and direct the allocation of resources to protect them. Business areas that the BIA could focus on in a post-crisis cost analysis include the financial impacts of SND recovery, compliance, public relations, earnings, reputational liability, and capital.
194
Kok-Boon Oh, Bruce Ho and Bret Slade
The BIA-based crisis impact study will help to enhance the CCMP in terms of pre-crisis response and post-crisis strategies as well as prioritizing the allocation of resources.
6.2. Incident Report The information from the lessons learned meetings together with the BIA assessment should be incorporated into an Incident Report (IR), which is a post-mortem report that is prepared after systems have been fully recovered. The report should contain information about the type and nature of the incident; how and when the incident was detected; the digital assets affected by the attack; whether the incident was preventable; the organization’s response and recommendations to improve the response process including the use of better detection tools and what could have been done better during the incident response process. The purpose of the IR is to document the experiences and effectiveness of the general recovery process for the organization to implement the recommendations to enhance its cyber operational resilience and use as a reference for future attacks and training. Changes to rules, processes, and procedures, as well as tools and equipment, and even the behavior of the individuals participating in the process, are all examples of implementation. Information on responsible parties, due dates, and deliverables should be recorded for both short- and long-term changes. Before being sent out, the updated and improved incident response plan should be tested to see if the improvements made are adequate.
CONCLUSION The digital world is fraught with ever-changing threats from technology and the management challenge is to have in place the appropriate preparations needed to manage situations that may affect the organization’s future. The introduction of a cyber crisis management
Cyber Attack Response and Recovery
195
process is an important measure to minimize the organization’s cyber risk exposure. This chapter emphasizes the importance of planning what to do in the case of a cyberattack is just as crucial as preventing one from occurring because all companies are likely to be victims of a cyberattack at some point. Several actions as described in this chapter need to be taken to ensure that an organization can respond to and recover from a cyberattack as rapidly as feasible to limit the damage caused by an attack.
Chapter 10
STRATEGIC CYBERSECURITY RISK MANAGEMENT 1. INTRODUCTION The enterprise risk management strategy is aimed at identifying, measuring, reducing, and reporting the risks to which the organization is exposed. It outlines a comprehensive approach to protecting the corporation’s people and assets from all sources of risk, be it internal or external. The corporate risk manager would work out the different risk exposures of the corporation. The nature of risk exposures depends on the corporation’s business and industry (Ho et al., 2010). This book defines strategic risk management as the strategy measures taken by a company to reduce the risks associated with uncertainties by focusing on its written strategic plan and how policies, processes, and execution influence the firm's value. This chapter explains and summarizes the organizational framework to deal with cyber threats from a strategic cybersecurity risk management perspective. Enterprise risk management is a key component of corporate governance responsibility and it comprises strategies and processes that firms use to manage the risk that is consistent with expected returns and
198
Kok-Boon Oh, Bruce Ho and Bret Slade
organizational goals. As we become more dependent on information technology, the risks related to these technologies increase. Implementing an efficient cyber risk management system that aligns with organizational strategy within an ERM framework is always challenging to most organizations. The emphasis will be on establishing a holistic framework that incorporates strategic and operational cyber risk control mechanisms consistent with the organization’s vision, mission, strategy, and objectives. In this chapter, we highlight the need to prioritize strategic planning as a critical component for dealing with cybersecurity risk exposure to enable the right strategy and focus on protecting the security of related digital investment and resources. Firms with strategic response and renewal capabilities are better equipped to adjust and adapt to abrupt environmental changes (Agarwal & Helfat, 2009). A risk mitigation strategy helps an organization set the underpinning philosophy for managing enterprise risk that helps to instill a strong corporate risk culture, formulate clear policies and processes and establish a risk tolerance threshold for prioritizing its risks so it can allocate resources efficiently. The most important aspects that need to be addressed are to identify the potential threats and, the method and target of the attack to recognize and evaluate the valuable data assets in the corporate environment. Next is on how to mitigate the cybersecurity exposure of these assets and provide for continuous monitoring and detection to safeguard corporate interests employing both physical security and cybersecurity measures and protective technologies. There is a need for cooperation and communication across functions during cybersecurity planning and operations to address considerations around effective leadership and governance structures, legal compliance, and preparing an incident response strategy for cyber-attack mitigation and recovery. As an integral part of enterprise risk management, managing cyber risk is the responsibility of a corporate risk management team consists of representatives from different functions of the organization. Strategic cyber risk management requires the management and other employees in an organization to work together to mitigate and neutralize cyber threats and protect business value. Companies in different industries are bound by
Strategic Cybersecurity Risk Management
199
different corporate objectives and operating conditions so they are likely to experience different cyber threats. Hence, companies need to design a specific cyber risk management plan that suits their business conditions. This chapter highlights the need to prioritize and customize the strategic cyber plan as a critical component for dealing with cybersecurity risk exposure. First, there is the need to identify and evaluate valuable digital assets in the corporate environment. Next is how to mitigate the cybersecurity exposure of these assets and provide for continuous monitoring to safeguard corporate interests. Emphasis will be on planning and operations management to enable the right strategy and focus on protecting the security of related investment. The need for cooperation and communication across functions during cybersecurity planning and cyberattack recovery is also discussed. ISO 31000 provides a high-level overview of risk management, its components, and how to implement risk management in an enterprise, we follow the International Organization for Standardization’s ISO 31000:2009, Risk Management, Principles, and Guidelines, for guiding the cybersecurity SRM initiatives in our proposed framework. The National Institute of Standards and Technology (NIST) Cybersecurity Framework is used as a reference benchmark for ORM as it is pragmatic, operative, and functional. Both standards allow flexibility and adaptability in their processes to customize unique and precise frameworks that consider different organizational conditions. Even with a standard framework like the NIST/CSF, with its proposed structure and comprehensive details of cybersecurity, it is still recommended for companies to tailor their security controls and processes to the specific needs of their businesses or industries. For example, the education sector is vulnerable to cyber-attacks as universities possess valuable intellectual property from their research and also a large pool of personally identifiable information (PII) of their employees and students that a hacker can steal and sell on the online black market. The healthcare business is another that faces specific threats such as cyber-attacks on computer-controlled medical devices (e.g., pacemakers, insulin pumps, continuous blood pressure, and glucose monitors, etc.) and protected health information (PHI). Medical devices
200
Kok-Boon Oh, Bruce Ho and Bret Slade
that require network connectivity to function expose them to network vulnerability. This is why the cybersecurity framework must be tailor-fit to every specific need of an industry or a business, so that critical concerns or provisions like these will be addressed.
2. A HOLISTIC & STRATEGIC ERM The ERM framework consists of three processes, which are strategic risk management (ERM planning), operational risk management (risk awareness & risk reduction), and crisis management (crisis management readiness & crisis response & recovery) that constitute a holistic ERM for managing cybersecurity risk (Figure 10.1). The ISO 31000 standard consists of three components, principles, framework, and process. Principles outline the features of effective and efficient risk management, as well as communicating its value and risk protection attributes to stakeholders. The principles specify what must be accomplished, whereas the framework explains how to accomplish an integrated risk management structure. The structure should support an organization's risk management actions. This is also known as the organization's risk architecture, strategy, and protocols (IRM, 2018). The risk management process is defined as a series of iterative processes that are carried out in a coordinated but not necessarily sequential manner. The SRM function is akin to the elements in the ISO 31000's Principles and Framework, whereas the activities in the Process match those in the ORM and CCM, albeit from a strategic perspective. As a high-level guideline for the management of risk, the ISO 31000 standard is a valuable tool for guiding the strategic planning phase on the activities needed in the ERM. As discussed in Chapter 4, these activities include formulating risk strategies according to business vision, goals, and objectives, appointing key risk officers, defining the enterprise risk philosophy and culture, setting the risk tolerance threshold, allocating budgets for resources to implement the ERM function, and developing ERM implementation policies and processes. The ERM is a process of
Strategic Cybersecurity Risk Management
201
planning the control of any risk that affects a company's business strategy, strategic objectives, and strategy execution. It involves oversight, identifying, assessing, and managing the risk in the organization's business strategy. At the strategic level, it includes establishing the Cybersecurity Strategic Plan and Enterprise Information Security Policy, planning and establishing budgets, and risk tolerance for implementing the operational risk program. This is conducted at the board and senior management (csuite) level, in conjunction with the risk committee or the CRO. The proposed integrated cybersecurity ERM model consists of three distinct layers consisting the strategic process (SRM), operational process (ORM), and crisis management process (CM) as depicted in Figure 10.1. The SRM is a high-level planning function for establishing the CSP and EISP for a company's cybersecurity risk management program guided by the ISO 31000's Principles, Framework, and Process constructs. At the ORM level, the day-to-day activities relating to the operational cyber risk functions are implemented and maintained. The ORM structure is based on the conventional ERM approach with cyber risk control measures that draw on the constructs from the NIST/CSF’s Framework Core. The CCM function encompasses pre-crisis management planning and preparation for responding to an attack and, crisis response and recovery. Similar to ORM, the CCM function in our proposed model is guided by the relevant functions in NIST/CSF. The proposed model adopts a risk-based approach that identifies, assesses, and prioritizes the cybersecurity threats to an organization's vision, goals, and objectives. It's a flexible approach that allows businesses to adjust their cybersecurity strategy based on their knowledge of their individual organizational needs and operational vulnerabilities and weaknesses. To reduce enterprise risk, an organization’s leadership and governance effort should focus on identifying and targeting those elements of cyber risk that pose the greatest risk to its business objectives. A definitive risk tolerance policy is important for pursuing a set of risk-based objectives. It describes the amount of variability that can be tolerated in terms of how much of a loss an organization is ready to accept in light of its current assets and other risks. Finally, a strong risk-based culture is
202
Kok-Boon Oh, Bruce Ho and Bret Slade
necessary for the success of ERM and corporate risk culture describes the shared values, knowledge, practices, and awareness of cybersecurity risk in an organization. These ERM imperatives are discussed in the following sections and constitute crucial elements of our proposed cybersecurity model.
CSP & EISP
SRM – ISO 31000
ERM planning
Identification Risk awareness
Mitigation Risk reduction & monitoring
ORM – NIST/CSF
Assessment
Monitor, Detect & report
Cyber Crisis Management
Crisis response & recovery
Planning & preparation Consider all crises Identify critical crises Prioritize crises Plan preventive & response measures Implement measures
Managing the crisis Managing the business Managing the fallout Managing the recovery
CCM – NIST/CSF
Crisis management readiness
Figure 10.1. Integrated cybersecurity ERM43.
43
Adapted from Ho, Oh, Durden, & Slade, 2010, Crisis Decision Making, Nova Science Publishers, New York and Oh, Ho, Pham, Huang & Wang 2018, The Process of Enterprise Risk Management, Nova Science Publishers, New York.
Strategic Cybersecurity Risk Management
203
3. VISION, GOALS, AND OBJECTIVES The Cybersecurity Strategic Plan defines the vision, goals, and objectives of the organization's cybersecurity program and how the vision of the strategy links to the overarching corporate mission and vision (Figure 10.2). The vision statement sets out what the organization wants to achieve or the ideal state of affairs with the implementation of the risk mitigation strategy (e.g., to develop a mature and effective cybersecurity practice that fosters a secure and resilient cybersecurity environment to support all company operations and mitigate all attempts at cyber-attack or data leak).
Figure 10.2. Cybersecurity strategic plan, vision, goals, and objectives.
After the organization has identified its critical risks, the strategic goals are framed in which to articulate and prioritize the key goals that must be achieved to reduce its risks to an acceptable level or within the organization's risk tolerance. These goals are high-level descriptions of the
204
Kok-Boon Oh, Bruce Ho and Bret Slade
activities to be undertaken by the organization to mitigate the risks it is exposed to, such as improving employees' knowledge of cybersecurity or creating a culture of cybersecurity awareness in the organization. The CIA triad is a good reference to frame goals to include more specific elements in the CSP. Once the strategic goals are identified and prioritized, objectives for each goal are set. The objectives are the specific items that must be accomplished to achieve the overarching strategic goals. For example, an objective of a strategic goal of an organization to protect its systems using technology could be to implement an intrusion detection and prevention system or a strategic goal to restrict onsite access to servers using physical security by implementing strict access security protocol such as personal verification code and close circuit television monitor.
4. LEADERSHIP AND GOVERNANCE Managing risk is an integral part of leadership and governance (IRM, 2018). The board of directors and management are tasked with providing leadership in aligning risk management with the organization's strategy, objectives, and culture; establishing an effective cybersecurity strategic plan and enterprise information security policy, setting the risk tolerance threshold, and allocating essential resources for risk management. Integration of risk management into corporate governance is a key ERM principle where the board of directors and senior management are responsible for ensuring consistency in strategic initiatives and day-to-day operational performances. For corporate governance and performance, the board should place a high priority on cyber risk management in today’s highly businessdependent and rapidly changing technological environment (Weill, & Ross, 2004). It entails factoring cyber risk consideration into decisionmaking when implementing a company's strategy to meet its goals. Risk governance refers to the decisions on the overall standards, policies, practices, and processes about risks to be established and
Strategic Cybersecurity Risk Management
205
implemented at the strategic ERM level to guide a business. The risk management strategy provides a structured and coherent approach to manage the risk that reflects the company's risk governance spirit and expectations. The strategic risk management process entails the formulation of an overall corporate risk strategy encompassing policies and budgets for implementation. To ensure the continuity of the firm, an effective risk management strategy must be incorporated into all functions within the organization where risk exists (Ho, et al. 2010). The recognition that cyber risk management is a key component of the organization’s enterprise risk management system and is a precursor to its successful implementation. As discussed in Chapter 5, the risk management strategy represents the company's structured and integrated approach to risk management representing the company's risk governance requirements. The NIST/CSF framework core recognizes the nexus between governance (ID:GV) and risk management strategy (ID:RM) in the identify (ID) function and emphasizes that risk management and governance processes cover cybersecurity risks (ID:GV4). Organizations need to understand that many determinants will influence the implementation of the ERM function. They include board implications, leadership, corporate culture, technology, business model, regulatory environment, industry-specific standards, internal control, and shareholders’ influence. The management of a firm is primarily responsible for its cyber risk management process but the board must also be informed about and appreciate the cyber risks facing the firm and maintain oversight of the risk management process. The chief executive officer (CEO) is ultimately responsible for a firm’s business success and must ensure that adequate cyber risk management policies are in place at the firm. The firm has numerous and varied digital resources that it relies on to generate its earnings. They are prone to cyber-attacks resulting in losses to the firm. A prudent, comprehensive, and integrated risk management program can help to stabilize earnings (Ho, et al., 2010). Adopting a risk-based approach provides a strong foundation for effective cyber risk management. Cybersecurity requires a ‘multi-tiered
206
Kok-Boon Oh, Bruce Ho and Bret Slade
approach’ (Ernst and Young, 2014). Organizations are increasingly becoming aware of the threats posed by cyber risk in today’s digital world. Many have started to treat cybersecurity as part of a strategic enterprisewide risk management function, under the purview of the chief executive officer, the chief information security officer, the chief information officer (CIO), the chief risk officer (CRO), and the chief information security officer working together with the business units as a team to gain knowledge and a complete profile of the corporate cyber landscape. Invariably, they need to work together to manage the multidimensional challenges of cyber threats, from both internal and external environments, in a complex and dynamic cyber landscape. Every organization should have a Cybersecurity Strategic Plan (CSP) that outlines the goals and objectives of the organization’s cyber security program for protecting its digital assets. The CSP is a high-level document written by senior management for guiding the EISP in setting the operational policies and procedures for the implementation of the organization's security activities. While the CSP provides a tactical setting for cybersecurity, the EISP is operative in nature and as they are complementary, information is likely to overlap (Figure 10.1). The important components in a cybersecurity strategic plan (CSP)44 are: Explain the organization's cybersecurity program's vision, aims, and objectives for safeguarding information assets and ensuring the confidentiality, integrity, and availability (CIA) of vital information to execute its missions; Describe how the organization communicates information, responds to emerging and growing risks, and develops new techniques for protecting information and information systems, which will aid in the development and definition of policies; Cybersecurity aims and strategic objectives are clearly stated with each strategic objective classified into near-term, mid-term, and long-term elements, and
44
Adapted from “Cyber Security Strategic Plan - 2007,” Department of Energy, USA & “Cyber Security Strategic Plan 2018-2021,” South Australian Government, https://www.dpc.sa.gov.au/__data/assets/pdf_file/0006/47535/Cyber-Security-StrategicPlan2018-21_FINAL-RELEASED-Feb2018.pdf (accessed 19/9/2021).
Strategic Cybersecurity Risk Management
207
Compliant with one or more of the industry's standards and complies with all applicable laws and regulations.
5. RISK CULTURE & TOLERANCE An efficient ERM relies on strong leadership to communicate and instill a clear risk strategy, corporate culture, and risk appetite with alignment to business objectives and strategy. The alignment of corporate strategy with RM and culture remains a current challenge (PwC, 2018). The increase and sophistication of cyberattacks require organizations to adopt an integrated approach of risk strategy and culture (Ernst and Young, 2018). Shao (2019) argues that a well-defined and flexibility-oriented corporate culture is an important moderator between strategic leadership behaviors and information-system business strategic alignment for the successful implementation of enterprise systems. One of the most important aspects of creating a strong corporate risk culture is effective leadership. A leader is anyone with influence or power, and leaders can inculcate corporate culture by reinforcing values while also holding others accountable. Leaders should be purposeful in developing a risk culture that allows people to thrive (Shao, 2019) and failure to establish a strong risk culture is harmful to both employees and the company's performance. A strong corporate risk culture that fosters a riskbased approach fortifies employees' commitment to observing risk appetite philosophy and practice. Risk appetite represents the risk parameters the board and senior management are willing to tolerate and a risk appetite statement formally articulates, clarifies, and communicates the organization's acceptable risk parameters. Risk appetite is aligned with business objectives and exposure to determine the organization's strategic directions. Cyber risk appetite and strategy are closely related concepts in enterprise risk management because the risk tolerance threshold an enterprise is willing to accept determines how achievable the strategic goals and objectives are. A cyber risk appetite statement outlines the organization's risk profile, capacity, tolerance, and oversight. Therefore,
208
Kok-Boon Oh, Bruce Ho and Bret Slade
organizations should align their strategic cyber vision to their cyber risk tolerance policy as the established risk tolerance defines the strategic goals and objectives. Adherence to corporate risk tolerance policy in setting strategy and operating procedures assures staff that a coherent risk control process is in place that is consistent throughout the organization. Risk tolerance should be reviewed regularly to ensure it remains relevant by keeping up with changing dynamics in the rapidly evolving cyber risk environment. All employees should acknowledge the risk appetite statement. Regulators keep a close check on a formal cyber risk tolerance statement, especially in organizations operating in highly regulated industries, like healthcare, education, and financial services, to ensure these organizations have in place a set of comprehensive policies and procedures that can effectively safeguard confidential and personal information.
6. RISK-BASED APPROACH Cyber risk is an inalienable part of modern organizations and senior management should focus on the importance of risk mitigation and the value companies can derive from implementing a risk mitigation strategy to improve organizational resilience and manage risks effectively. Therefore, corporate cyber risk leadership and governance should ensure that cyber threats and their multiple components are identified, understood, managed, and communicated. A cybersecurity program can be developed and managed in a variety of ways. The two key options businesses can choose are maturity-based or risk-based approaches. The traditional method to managing cyber risk is the maturity-based approach, in which businesses deploy certain risk management capabilities and controls to reach a desired level of maturity. Hillson (1997) suggests a risk maturity model that helps organizations enhance their risk management approach by allowing them to assess their current degree of maturity, set realistic improvement goals, and develop action plans to
Strategic Cybersecurity Risk Management
209
improve their risk capability. The model is divided into four stages, which are labeled as "naive," "novice," "normalized," and "natural" in progressive order. The naive risk organization is unaware of the importance of risk management and lacks a well-defined strategy for coping with uncertainty. The novice risk organization is aware of the potential benefits of risk management but is still experimenting with risk management, usually through a small group of nominated persons, but it lacks a formal or structured generic approach. Risk management is built into ordinary business processes and applied extensively in the normalized risk organization. The organization recognizes the benefits of risk management. The natural risk company has a risk-aware culture and takes a proactive approach in applying risk management best practices across the organization. One of the disadvantages of this method is the focus on building a multi-layer of security against everything, which may need a significant financial commitment for some firms. However, the "maturitybased" approach remains a popular choice as it helps an organization to evaluate and monitor the effectiveness and adequacy of its enterprise risk management program for improvement. It is a useful assessment and monitoring tool. Some of the metrics adopted for measuring maturity include the appointment of CISO, risk committee, existence of a security operations center (SOC), integration with strategic planning, and measure performance of ERM effectiveness. Alternatively, the "risk-based" approach aligns the organization's business objectives with a cyber risk strategy to target risk reduction through definitive policies and pragmatic implementation programs. Therefore, it is geared towards identifying and mitigating the critical risks in the business's most critical systems, networks and data. Risk-based approaches are significantly more cost-effective than maturity models because they allow the risk manager to allocate more resources in defenses for the vulnerabilities that affect the business's most critical systems. Collier, Linkov, & Lambert (2013) recommend that firms should adopt a risk-based systems approach that integrates the “physical, information, cognitive, and social domains” to better understand and manage cybersecurity. A risk-based approach recognizes risk-taking as
210
Kok-Boon Oh, Bruce Ho and Bret Slade
fundamental to a business to achieve a return from an investment. For cybersecurity, this means investing in technology, with its implicit danger, and leveraging it in key business activities to increase productivity with the sight of balancing the risk. McKinsey (2019) suggests that a maturity-based approach is still essential as a foundation to build a risk-based strategy. Instead of maturity, management should focus on identifying and mitigating those gaps and vulnerabilities that pose a critical risk to the business consistent with a riskbased approach.
7. A STRATEGIC CRM USING NIST/CSF When setting up an information security program a company should refer to the relevant RM standards to provide a useful guide for incorporating best practices into the CRM framework. A standard offers a set of technical rules or specifications that apply to a given system and are usually documented to represent dependable practices, criteria, methodologies, and processes. The rules and specifications are intended to be applied consistently as a guideline or definition for establishing a reliable and effective system. The following describes the elements and actions for establishing a strategic cybersecurity ERM structure based on the NIST/CSF standards.
7.1. Framework Core The enterprise cybersecurity program starts with the framework core to establish the firm’s vision, goals, and objectives (ID:BE3) by conducting those activities in the ERM/SRM (see Figure 4.2 & Table 10.1). The cyber risk strategy and policy (ID:GV1; ID:GV4 & ID:RM1) should complement the business strategy, business requirements, and the firm’s risk tolerance (ID:RM2 & ID:RM3).
Strategic Cybersecurity Risk Management
211
Table 10.1. Identify – outcome categories/subcategories Category Asset management (ID:AM)
Sub-category Asset inventory (ID:AM1) Software inventory (ID:AM2) Organization ICT map (ID:AM3) External ICT catalog (ID:AM4) Resources priority list (ID:AM5) Cybersecurity roles & responsibilities (ID:AM6)
Business Environment (ID:BE)
Supply chain role (ID:BE1) Organization IT & Industry position (ID:BE2) Organizational mission, objectives & activities (ID:BE3) Dependencies & critical functions for service delivery (ID:BE4) Resilience requirements for service delivery (ID:BE5)
Governance (ID:GV)
Information security policy (ID:GV1) Information security roles & responsibilities coordination (ID:GV2) Legal and regulatory requirements (ID:GV3) Governance and risk management processes (ID:GV4)
Risk assessment (ID:RA)
Critical assets identified & documented (ID:RA1) Shared information on threats & vulnerabilities (ID:RA2) Internal and external threats are documented (ID:RA3) Likelihoods & impacts analysis (ID:RA4) Threats, vulnerabilities, likelihoods, and impacts are used to determine risk (ID:RA5) Risk responses identified and prioritized (ID:RA6)
Risk management strategy (ID:RM)
Risk management processes (ID:RM1) Risk tolerance (ID:RM2) Informed risk tolerance (ID:RM3)
Supply chain (ID:SC)
Cyber supply chain RM processes defined and agreed upon by organization stakeholders (ID:SC1) Suppliers and third-party partners of information systems, components, and services are assessed & documented (ID:SC2) Supplier and third-party contracts implement measures to meet the organization’s cybersecurity objectives & plan (ID:SC3) Suppliers and third-party partners are routinely assessed to confirm satisfactory contractual obligations (ID:SC4) Recovery planning and testing and response are conducted with both suppliers and third-party providers (ID:SC5)
As we alluded to in Chapter 6 (“Risk Identification”), many of the subcategories under the Identify function in the business environment (ID:BE), governance (ID:GV), and risk management strategy (ID:RM)
212
Kok-Boon Oh, Bruce Ho and Bret Slade
categories are activities that are more closely aligned to the strategic initiatives (i.e., strategic level) of the ERM model. As the supply chain plays a strategic role in modern businesses for growth and sustainability by linking a company with its suppliers and customers, concerns about cybersecurity risk in the supply chain have become a top management priority. Table 10.1 shows NIST/CSF’s Identify function’s categories and sub-categories that reflect the actions relevant to the organization's initiatives for establishing the strategic cybersecurity program. The following sections discuss the alignment of the NIST/CSF actions vis-àvis the initiatives for developing an enterprise cybersecurity strategic plan that is consistent with the ERM model.
7.1.1. Asset Management Cybersecurity asset management is the act of identifying an organization's IT assets and the possible security threats or gaps that each one poses on a continuous, real-time basis. Conducting documentation and assessment of the firm's information assets and systems (ID:AM1 & ID:AM2) to identify any threats, vulnerabilities, or gaps to which the organization may be vulnerable (ID:AM1 to ID:AM5) are necessary for formulating risk management strategies and processes (ID:RM1). The focus of such an exercise should be on the operational environment (ID:BE1; ID:BE2; ID:BE4; ID:BE5 & ID:RA3) and cybersecurity threat information (ID:RA1 to ID:RA3) to determine the likelihood and severity of a cybersecurity event (ID:RA4) that could affect the firm. 7.1.2. Business Environment The ability of an organization to inform its cybersecurity roles, responsibilities, and risk management decisions with a thorough understanding and prioritization of its corporate mission, objectives, stakeholders, and business is referred to as the business environment. Concerning the business environment, employees must understand and prioritize the organization's mission, objectives, activities, and stakeholders and their underlying implications in terms of decisions, roles, and duties involved in managing cybersecurity risk (ID:BE). The actions
Strategic Cybersecurity Risk Management
213
for completing this are to determine and communicate to relevant stakeholders the organization's involvement in its supply chain (ID:BE1), role in its industry sector and key infrastructure (ID:BE2), and its mission, objectives, and activities (ID:BE3) to establish resilience benchmarks and practices for all operational functions that support critical service delivery (ID:BE4; ID:BE5).
7.1.3. Governance The policies and practices that dictate how businesses identify, prevent, and respond to cyber incidents are referred to as governance in cybersecurity. They constitute the means through which an organization regulates and directs its approach to information security. Cybersecurity governance enables an organization's security initiatives aimed at allowing the uninterrupted flow of information throughout an organization. Organizational governance for the cybersecurity risk management function necessitates all organizational risk, legal, regulatory, operational, and environmental requirements to be monitored and managed (ID:GV) using policies, processes, and procedures (as spelled out in the CSP & EISP) that are precise and well-understood (ID:GV1). This process entails alignment and coordination of cybersecurity duties and responsibilities with internal strategic and operational functions (ID:GV2), the establishment and communication of the organization's cybersecurity policy to all employees including external partners (ID:GV2), and cybersecurity legal and regulatory standards are observed, complied and managed, including privacy and civil liberties (ID:GV3). This process must include risk management and governance mechanisms in the organizational structure or hierarchy to complement and support cybersecurity risk mitigation (ID:GV4). 7.1.4. Risk Management Strategy A cybersecurity strategy is a set of actions aimed at enhancing the security and resiliency of information infrastructure and services. It's a topdown, high-level approach to cybersecurity that identifies a set of business objectives and priorities that must be met. Risk management strategy
214
Kok-Boon Oh, Bruce Ho and Bret Slade
relates to developing the priorities, risk tolerances, restrictions, and assumptions to aid operational risk decisions (ID:RM). A cybersecurity strategic plan (CSP) and an enterprise information security policy (EISP) should be made available at the strategic level, as agreed on by the board and senior management, to guide the establishment of risk management processes that are controlled (ID:RM1), that are agreed upon by all organizational stakeholders. Subject to an industry-specific risk analysis and its position in critical infrastructure as a business tool (ID:RM3), the risk tolerance level for the organization is established and, precise and explicit (ID:RM2).
7.1.5. Supply Chain Cyber Risk Management Cyber supply chain risk management ensures that a company's products and services are delivered on time. As a result, cyber supply chain risk management, which includes design, research & development, logistics, manufacturing, warehousing, distribution, and maintenance, is an important part of any company's entire cyber security strategy. To support decisions related to managing supply chain risk, organizational priorities, limits, risk tolerances, and assumptions about the supply chain are defined and applied (ID:SC). This information is used to devise and implement the company's processes for identifying, assessing, and managing supply chain risks that organization stakeholders agree on (ID:SC1). The processes include a cyber supply chain risk assessment function which is used to identify, prioritize, and assess suppliers and third-party partners of their information systems, components, and services (ID:SC2). Contractual arrangements are made between the organization and suppliers, and thirdparty partners, to put in place appropriate measures that comply with the organization's cybersecurity program objectives and Cyber Supply Chain Risk Management Plan - CSCRMP (ID:SC 3). The organization will routinely evaluate suppliers and third-party partners using test results, audits, and other evaluation methods to ensure they are meeting their contractual commitments (IB:SC4). Finally, it is important to conduct recovery planning, testing, and reaction with both suppliers and third-party providers for readiness and effectiveness of the CSCRMP (ID:SC5).
Strategic Cybersecurity Risk Management
215
7.2. Framework Profile The current profile of the organization’s risk management capability is prepared by adopting NIST/CSF’s Framework Profile (FP) process for indicating the current cybersecurity outcomes by the “unique alignment” of these outcomes with an organization's business requirements, vision, objectives, goals, risk tolerance, risk landscape and resources (ID:AM; ID:BE; ID:GV; ID:RA; ID:RM; & ID:SC). The objective of the FP is to demonstrate how cybersecurity initiatives help the firm achieve its business vision, goals, and objectives while also meeting cybersecurity standards and mitigating threats in the organization’s risk environment (ID; PR; DE; RS & RC). The primary objective of the risk profile is to identify and prioritize opportunities, and review for implementing risk responses for improvement based on identified weaknesses to achieve a target profile.
7.3. Framework Tiers The Framework Tiers (FT) help enterprises put their perspective on cybersecurity risk management into context. The Tiers categorize companies based on how thoroughly risk management procedures are implemented in an organization. The Tiers are a set of guidelines that help organizations choose the proper amount of rigor for their cybersecurity program. The following is a list of the four Tiers:
Tier 1 – Firms are ineffective in their approaches to risk management. Their risk management programs and processes are fragmented and unreliable, unsystematic, and lack management participation (“Naive” – Hillson, 1997). Tier 2 – Firms use ad hoc risk management techniques that are inadequate and, based on poorly design and implemented risk management policies and procedures (“Novice” – Hillson, 1997).
216
Kok-Boon Oh, Bruce Ho and Bret Slade
Tier 3 – Firms have a structured risk management program with effective risk management programs and systems with continuous management oversight and participation (“Normalized” – Hillson, 1997). Tier 4 – Firms use dynamic and sophisticated proactive risk management approaches, with frequent communication about strategic objectives, culture, risk appetite, and funding (“Natural” – Hillson 1997).
The Tiers are consistent with Hillson’s Risk Maturity Model of "naive," "novice," "normalized," and "natural." Like the Risk Maturity Model, an organization can use the NIST/CSF’s Tiers system to monitor and evaluate the performance of its enterprise risk management strategies for improvement. The process for using the Tiers system is to determine an organization’s “Current Tier” from the four groups, i.e., one which best describes an organization's current risk management processes. The next step is to identify the “Target Tier” that best defines the risk management techniques that the organization wishes to implement. Management may opt to select aspects from all of the Tiers or incorporate its items to provide accurate descriptions of the present or preferred target risk management practices. The design of the target Tier requires consideration of the organization’s vision, goal, business objectives, threat environment (ID:BE), risk tolerance, legal and regulatory requirements (ID:GV), information sharing protocol (ID:RA), supply chain cybersecurity deliverables ID:SC), and budgets (ID:AM). The purpose of the target Tier is to provide a road map to how an organization can reduce its aggregate risk exposure. The gap between the current state of risk management (current Tier) and the target risk management position (target Tier) identifies the risk management gaps that need to be addressed to reach the target.
Strategic Cybersecurity Risk Management
217
CONCLUSION We proposed a strategic framework based on ISO 31000 and NIST Cybersecurity Framework in this chapter for managing cybersecurity performance. As a summary of the framework, we highlight some strategic cybersecurity risk management dimensions that we consider are important for organizations to include in their CSP and EISP to develop an effective enterprise cyber risk control process. The CSP should be tailored to individual organizations and deliberate in design and development to effectively deal with the CIA triad attributes in their specific risk environment. That entails optimizing the cyber risk exposure by employing state-of-the-art technology to reduce the attack surface and vulnerabilities of SND. Cybersecurity SRM activities and ORM policies and procedures must be guided by industry standards and best practices to precisely target the intrinsic risks of the organization, augmented by quality protection and controls. Companies should keep up-to-date on the latest cyber threats, the threat agents, and their motivations to execute timely and effective mitigation measures to protect their digital assets. This requires pertinent cyber threat information gathered from a diversity of sources such as regulators, analysts, experts, media, industry peak bodies, professional organizations, and government cybersecurity organizations. It is imperative that all relevant stakeholders, both internal and external, must be consulted and participants must agree with the strategic and operational framework design and implementation plan for the cybersecurity program for effective and efficient rollout. Roles and responsibilities must be assigned to risk owners who shall be held responsible and accountable for the efficient execution and operation of the policies and procedure. The organization should implement an effective crisis response and recovery plan whose processes are familiar to all employees and tested regularly to reinforce corporate resilience for business continuity in the event of an attack. The company should adopt the principles of a learning organization when it comes to cybersecurity where lessons are derived from cybersecurity incidents or events for continuous improvement (Garvin, 1993).
218
Kok-Boon Oh, Bruce Ho and Bret Slade
Finally, we acknowledge the importance of continuing and growing trend in research on the technical aspect of cyber risk relating to software protocol design (Ryan, Schneider, Goldsmith, Lowe, & Roscoe, 2000; Roscoe and Goldsmith, 1997), risk identification, and temporal element of attack motivations (Howard and Longstaff, 1998), cyber kill chain (Hutchins, Cloppert, & Amin, 2011), event-driven response model (Happa, Fairclough, Nurse, Agrafiotis, Goldsmith, & Creese, 2016) and cyberattack modeling (Happa & Fairclough, 2017). The results from these areas of study will undoubtedly contribute to the pool of knowledge on cybersecurity and enable more effective cyber risk management.
REFERENCES ACSC (Australian Cyber Security Centre) 2020. ACSC Annual Cyber Threat Report: July 2019 to June 2020. http://www.cyber.gov.au/ sites/default/files/2020-09/ACSC-Annual-Cyber-Threat-Report2019-20.pdf. AFR - Australian Financial Review (Dunn, J.) 2015. Business risks are getting bigger and faster: KPMG Australia. 13 April 2015. https://www.afr.com/companies/business-risks-are-getting-biggerand-faster-kpmg-australia-20150409-1mhr4n#ixzz4ki1TyCfa. Agarwal, R., & Ansell, J. 2016. “Strategic change in enterprise risk management.” Strategic Change, 25(4), pp. 427-439. Agarwal, R, & Helfat, C. 2009. “Strategic renewal of organizations.” Organization Science, No. 20, pp.281–293. AGCS - Allianz Global Corporate & Specialty 2015. A Guide to Cyber Risk: Managing the Impact of Increasing Interconnectivity. London/New York/Munich. Released on 9 September 2015. https://www.agcs.allianz.com/news-and-insights/reports/a-guide-tocyber-risk.html. Ahmad, S., Ng, C., & McManus, L. A. 2014. “Enterprise risk management (ERM) implementation: Some empirical evidence from large Australian companies.” Procedia-Social and Behavioral Sciences, 164, pp. 541-547.
220
References
Altenbach, T. 1995. A Comparison of Risk Assessment Techniques from Qualitative to Quantitative. Lawrence Livermore National Laboratory. https://www.osti.gov/scitech/servlets/purl/67753/. Amjad, A., Nicholson, M., Stevenson, C. & Douglas, A. 2016. “From security monitoring to cyber risk monitoring.” Enabling businessaligned cybersecurity. Deloitte Review, Issue 19. Ammar, J., & Xu, S. 2018. “Extreme groups and the militarization of social media.” in When Jihadi Ideology Meets Social Media, Springer, pp. 25-59. Anderson, R., & Moore, T. 2006. “The economics of information security.” Science, 314(5799), pp. 610–613. Andersen, T. and Roggi, O. 2012. “Strategic Risk Management and Corporate Value Creation.” Proceedings of the Strategic Management Society. 32nd Annual International Conference Prague. October 7-9, 2012. Ansell, J. and Wharton, F. 1992. Risk: Analysis, Assessment and Management. Wiley, New York. Aon Corporation 2017. Global Risk Management Survey 2017. (Accessed 15/10/2020). http://www.aon.com/2017-global-risk-managementsurvey/pdfs/2017-Aon-Global-Risk-Management-Survey-FullReport-062617.pdf (accessed 15/10/2020). Argenti, P. 2002. ‘Crisis communication: Lessons from 9/11.’ Harvard Business Review, 80(12), (December), pp. 103-109. Augustine, N. R. 1995. ‘Managing the crisis you tried to prevent.’ Harvard Business Review, 73(6), November/December, pp. 147-158. Babbie, E. R. 2008. The Basics of Social Research. Belmont, Thompson Wadsworth. Baiardi, F. and D. Sgandurra 2013. "Assessing ICT risk through a Monte Carlo method." Environment Systems and Decisions, 33(4), pp. 486499. Bamakan, S. M. & Dehghanimohammadabadi, M. 2015. ‘A weighted Monte Carlo simulation approach to risk assessment of information security management system.’ International Journal of Enterprise Information Systems, 11(4), pp. 63-78.
References
221
Bashir, M. A. and Christin, N. Three Case Studies in Quantitative Information Risk Analysis. Carnegie Mellon University, INI/CyLab Japan. https://www.andrew.cmu.edu/user/nicolasc/publications/ash. pdf. Beasley, M. S., Pagach, D. P., & Warr, R. S. 2008. “Information conveyed in hiring announcements of senior executives overseeing enterprisewide risk management processes.” Journal of Accounting, Auditing, & Finance, 23, pp. 311–332. Beasley, M., Branson, B. and Hancock, B. 2020. The State of Risk Oversight: An Overview of Enterprise Risk Management Practices. AICPA. Available at: 2020 The Current State of Enterprise Risk Oversight | Professional Insights | AICPA (Accessed: 30 June 2021). Belani, G. 2020. Cybersecurity Threats to be Aware of in 2020. IEEE Computer Society (online). https://www.computer.org/publications/ tech-news/trends/ 5-cybersecurity-threats-to-be-aware-of-in-2020. Beretta, S. and Bozzolan, S. 2004. “A framework for the analysis of firm risk communication.” The International Journal of Accounting, 39(3), pp. 265-288. Biener, C., Eling, M. & Wirfs, J. H 2015. “Insurabiity of cyber risk: An empirical analysis.” The Geneva Papers on Risks and Insurance Issues and Practice, 40(1), pp. 131-158. Black, F. 1995. “Hedging, Speculation, and Systemic Risk.” Journal of Derivatives, 2, (Summer), pp. 6-8. Borker, D. R. & Vyatkin, V. N. 2012. “Toward a general holistic theory of risk.” Journal of American Academy of Business, Cambridge, 18(1), pp. 33-38. Bose, I., & Leung, A. C. M. 2014. “Do phishing alerts impact global corporations? A firm value analysis.” Decision Support Systems, 64, pp. 67-78. Support Systems, 64, 67–78. Brewer, J., & Hunter, A. 2006. Foundations of Multi-method Research: Synthesizing Styles. Thousand Oaks, Sage. Bromiley, P., McShane, M., Nair, A., & Rustambekov, E. 2015. “Enterprise risk management: Review, critique and research directions.” Long Range Planning, 48(4), pp.265-276.
222
References
Burch, J. G., Strater, F. R., & Grudnitski, G. 1979. Information Systems: Theory and Practice. 2nd Edition,Canada: John Wiley & Sons, Inc. Burtescu, E. 2012. ‘Decision assistance in risk assessment – Monte Carlo simulations.’ Informatica Economică, vol. 16, no. 4/2012, pp. 86-92. Cambridge Centre for Risk Studies, 2016. Cambridge Global Risk Index 2017. Cambridge Centre for Risk Studies. University of Cambridge. https://www.jbs.cam.ac.uk/fileadmin/user_upload/research/centres/ris k/downloads/cambridgeglobalriskindex2017.pdf. Cavusoglu, H., Mishra, B., and Raghunathan, S. 2004. “A model for evaluating it security investments.” Communications of the ACM, 47(7), pp. 87-92. Cayirci, E. & Ghergherehchi, R. 2011. “Modelling cyber-attacks and their effects on decision process.” Proceedings of the 2011 Winter Simulation Conference, S. Jain, R.R. Creasey, J. Himmelspach, K.P. White, and M. Fu, eds. Chacko, L., Sekeris, E., & Herbolzheimer, C. 2016. “Can You Put a Dollar Amount on Your Company’s Cyber Risk?” Harvard Business Review. (Accessed 5/8/2021) Can You Put a Dollar Amount on Your Company’s Cyber Risk? (hbr.org). Cherdantseva, Y., Burnap, P., Blyth, A., Eden, P., Jones, K., Soulsby, H., Stoddart, K. 2016. “A Review of Cyber Security Risk Assessment Methods for SCADA Systems.” Computers & Security, 56 (2016), pp.1–27. http://ac.els-cdn.com/S0167404815001388/1-s2.0-S016740 4815001388-main.pdf?_tid=f39f116e-6c51-11e7-99ec-00000aab0f01 &acdnat=1500448669_023f9d43f76e51f0114302e65ae4f19f. Chileshe, N. & Kikwasi, G. J. 2014. “Critical success factors for implementation of risk assessment and management practices within the Tanzanian construction industry.” Engineering, Construction and Architectural Management, 21(3), pp. 291-319. Collier, Z. A., Linkov, I., & Lambert, J. H. 2013. “Four domains of cybersecurity: A risk-based systems approach to cyber decisions.” Environment Systems and Decisions, 4(33), pp. 469–470.
References
223
Conrad, J. R. 2005. Analyzing the risks of information security investments with Monte-Carlo simulations. http://infosecon.net/workshop/pdf/ 13.pdf. Coombs, W. 2007. Ongoing Crisis Communication: Planning, Managing and Responding. (2nd ed.), Sage, Los Angeles. Corbin, Juliet M., & Strauss, A. 2008. Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory. Thousand Oaks, CA, Sage. COSO (Committee of Sponsoring Organizations of the Treadway Commission) 2009. Effective ERM Oversight: The Role of the Board of Directors. https://www.coso.org/Documents/COSOBoardsERM4 pager-FINALRELEASEVERSION82409_001.pdf. COSO (Committee of Sponsoring Organizations of the Treadway Commission) 2012. Enterprise risk management: Understanding and communicating risk appetite. https://www.coso.org/Documents/ ERM-Understanding-and-Communicating-Risk-Appetite.pdf. COSO (Committee of Sponsoring Organizations of the Treadway Commission) 2009. Strengthening ERM for Strategic Advantage. https://www.coso.org/documents/COSO_09_board_position_final10 2309PRINTandWEBFINAL_000.pdf. Creswell, John W. 2008. Qualitative Inquiry and Research Design: Choosing Among Five Traditions. Thousand Oaks, California, SAGE. Crouchy, M., Galai, D. & Marck, R. 2006. The Essentials of Risk Management. McGraw Hill, New York. D'Arcy, S. P. 2001. “Enterprise risk management.” Journal of Risk Management of Korea, 12(1), pp. 207-228. Dawkins, R. 1998. Unweaving the Rainbow. New York: Penguin. De Jong, M. 2008. Survival of the institutionally fittest concepts. A Memetics Compendium, 394. Deliotte, 2013. “Exploring Strategic Risk 300 executives around the world say their view of strategic risk is changing.” Deloitte and Forbes Insights.
224
References
Deliotte, 2013. Risk Culture: Three Stages of Continuous Improvement. http://deloitte.wsj.com/riskandcompliance/2013/05/21/risk-culturethree-stages-of-continuous-improvement/. Deliotte, 2017. Cybersecurity Risk Management Oversight and Reporting. Deloitte Development LLC. https://www2.deloitte.com/content/dam/ Deloitte/us/Documents/risk/us-cybersecurity-risk-managementoversight-and-reporting.pdf (accessed 19/9/2021). Didraga, O. 2013. “The role and effects of risk management in IT project success.” Informatica Economica, 17(1), pp.86-98. Dodel, M. & Mesch, G. 2019. “An integrated model for assessing cybersafety behaviours: How cognitive, socio economic and digital determinants affect diverse safety practices.” Computers & Security, 86, pp. 75-91. Dowd, K. 1998. Beyond Value at Risk: The New Science of Risk Management. Wiley. Duffie, D, & Pan, J. 1997. “An Overview of Value at Risk.” The Journal of Derivatives, Spring, 4 (3), pp. 7-49; DOI: https://doi.org/10. 3905/jod.1997.407971 Elliott, M. W. 2019. Risk in an Evolving World. 1st edition. The Institutes. Epstein, M. J. & Buhovac, A. R. 2006. The Reporting of Organizational Risks for Internal and External Decision-Making. The Society of Management Accountants of Canada and The American Institute of Certified Public Accountants. Ernst and Young 2014. Cyber Program Management: Identifying Ways to Get Ahead of Cybercrime. 0055f20160429_009_Studie_2014_EY _cyber-program-management.pdf (acfe.de) (Accessed: 3 March 2020). Ernst and Young 2018. Cybersecurity for industry 4.0: Cybersecurity implications for government, industry and homeland security. Ettredge, M., Guo, F., & Li, Y. 2018. “Trade secrets and cyber security breaches.” Journal of Accounting and Public Policy, 37(6), pp. 564– 585. Fagade, T., Maraslis, K., & Tryfonas, T. 2017. “Towards effective cybersecurity resource allocation: the Monte Carlo predictive
References
225
modelling approach.” International Journal of Critical Infrastructures, 13(2-3), pp. 152-167. https://doi.org/10.1504/ IJCIS.2017.088235. Falco, G., Eling, M., Jablanski, D., Weber, M., Miller, V., Gordon, L., Wang, S., Schmit, J., Thomas, R., Elvedi, M., Maillart, T., Donavan, E., Dejung, S., Durand, E., Nutter, F., Scheffer, U., Arazi, G., Ohana, G. & Lin, H. 2019a. A research agenda for Cyber risk and cyber insurance. (Accessed 27 July 2021). ResearchAgendaforCyber RiskandCyberInsurance.pdf. Falco, G., Eling, M., Jablanski, D., Weber, M., Miller, V., Gordon, L., Wang, S., Schmit, J., Thomas, R., Elvedi, M., Maillart, T., Donavan, E., Dejung, S., Durand, E., Nutter, F., Scheffer, U., Arazi, G., Faris, C. Gilbert, B, LeBlanc, B., Ballou, B. & Heitger, D. L. 2013. Demystifying Sustainability Risk – Integrating Triple Bottom Line into A ERM Program. https://www.coso.org/documents/COSOERM%20Demystifying%20Sustainability%20Risk_Full%20WEB. pdf. Feurer, R., and Chaharbaghi, K., 1995. “Performance Measurement in Strategic Change.” Benchmarking for Quality Management & Technology. 2(2), pp. 64-83. Frosdick, S. 1997. “The techniques of risk analysis are insufficient in themselves.” Disaster Prevention and Management, 6(3), pp.165-177. Management, 6(3), 165–177. Froot, K. A., Scharfstein, D. S., Stein J. C. 1993. “Risk management: coordinating corporate investment and financing policies.” Journal of Finance, 48, pp.1629-1658. Foltz, C. B. 2004. “Cyberterrorism, computer crime, and reality.” Information Management & Computer Security, 12, no. 2, 154-166. Fowler, K. 2016. Data Breach Preparation and Response: Breaches are Certain, Impact is Not. 1st Edition. Syngress/Elsevier. Frigo, M. and Anderson, R. 2011. Embracing ERM: A Practical Approach for Getting Started. https://www.coso.org/Documents/EmbracingERM-Getting-Started.pdf.
226
References
Garvin, D, 1993. “Building a learning organization” Harvard Business Review, Organisational Learning Series, July-August 1993. Gerber, M., & Von Solms, R. 2005. “Management of risk in the information age.” Computers & Security, (24), pp. 16–30. Gregersen, H. 2018. “Better brainstorming.” Harvard Business Review, (March–April 2018). https://hbr.org/2018/03/better-brainstorming. George, T. 2017. Cyber Risk, Cyber Threats, and Cyber Security: Synonyms or Oxymorons? https://www.securityweek.com/cyber-riskcyber-threats-and-cyber-security-synomyms-oroxymorons%20[2017,%20August%2029]. Gisladottir, V., Ganin, A. A., Keisler, J. M., Kepner, J. & Linkov, I. 2017. “Resilience of cyber systems with over- and underregulation.” Risk Analysis, 37(9), pp. 1644-1651. Gordon, L. A., & Loeb, M. P. 2002. “The economics of information security investment.” ACM Transactions on Information and System Security (TISSEC), 5(4), pp. 438–457. Gordon, L. A., Loeb, M. P., & Sohail, T. 2003. “A framework for using insurance for cyber risk management.” Communications of the ACM, 46(3), pp. 81–85. Gordon, L. A., Loeb, M. P., Lucyshyn, W., and Zhou, L. 2015a. “The impact of information sharing on cybersecurity underinvestment: A real options perspective.” Journal of Accounting and Public Policy, 34(5), pp. 509–519. Gordon, L. A., Loeb, M. P., Lucyshyn, W. & Zhou, L. 2015b. “Externalities and the magnitude of cyber security underinvestment by private sector firms: A modification of the Gordon-Loeb Model.” Journal of Information Security, 6, pp. 24-30. Grabowski, M. and Roberts, K.H. 1999. “Risk mitigation in virtual organizations.” Organization Science, 1999, pp.704-721. Crouchy, Galai, & Marck, 2006. The Essentials of Risk Management. McGraw-Hill, New York. Hadlington, L. 2017. “Human factors in cybersecurity; examining the link between Internet addiction, impulsivity, attitudes towards
References
227
cybersecurity, and risky cybersecurity behaviours.” Heliyon, 3, Article No~e00346. Hansel, M. 2018. “Cyber-attacks and psychological IR perspectives: explaining misperceptions and escalation risks.” Journal of International Relations and Development, 21(3), 523-551. doi:10. 1057/s41268-016-0075-8. Happa, J. and Fairclough, G. 2017. “A model to facilitate discussions about cyber attacks.” Ethics and Policies for Cyber Operations, Springer International Publishing, pp. 169-185. Happa, J., Fairclough, G., Nurse, J.R., Agrafiotis, I., Goldsmith, M. and Creese, S. 2016. “A pragmatic system-failure assessment and response model.” International Conference on Information Systems Security and Privacy, SCITEPRESS Digital Library. Hectus, J. 2016. Cybersecurity beyond traditional risk management. Inside Counsel, New York (Sep 15, 2016). http://www.kyl.com/wpcontent/uploads/2016/12/Inside-Counsel-Article-Hectus.pdf (accessed 22/10/2020). Henshel, D., Sample, C., Cains, M. & Hoffman, B. 2016. “Integrating cultural factors into human factors framework and ontology for cyber attackers.” in Advances in Human Factors in Cybersecurity, Advances in Intelligent Systems and Computing, ed. D. Nicholson. Cham: Springer International Publishing, pp. 123-137. Higgs, J. L., Pinsker, R. E., Smith, T. J., & Young, G. R. 2016. “The relationship between board-level technology committees and reported security breaches.” Journal of Information Systems, 30(3), pp. 79-98. Hillson, D. 1997. “Towards a risk maturity model.” International Journal of Project and Business Risk Management, 1 (Spring), pp. 35–45. Hiscox 2017. The Hiscox Cyber Readiness Report 2017, Hiscox, London. https://www.hiscox.com/documents/brokers/cyber-readinessreport.pdf (accessed 17/10/2020). HM Government & Marsh 2015. The Role of Insurance in Managing and Mitigating the Risk. UK Cyber Security, London. Ho, B. C., Oh, K. B., Durden, G. & Slade, B. 2010. Crisis Decision Making. Nova Science Publishers, New York.
228
References
Hofstede, G. 2001. Culture's Consequences: Comparing Values, Behaviors, Institutions and Organizations across Nations. Sage publications. Hollmann, J. K. 2012. “Estimate accuracy: Dealing with reality.” Cost Engineering, 54(6), 17. Holt, T. J. 2012. “Exploring the Intersections of Technology, Crime, and Terror.” Terrorism and Political Violence, 24, no. 2, pp. 337-354. Holton, G. A. 2004. “Defining Risk.” Financial Analysts Journal, Volume 60, Number 6, CFA Institute. https://www.glynholton.com/wpcontent/uploads/papers/risk.pdf (accessed 22/10/2020). Howard, J. D. and Longstaff, T. A. 1998. A Common Language for Computer Security Incidents. Sandia National Laboratories. Hoyt, R. E., & Liebenberg, A. P. 2011. “The value of enterprise risk management: Evidence from the U.S. insurance industry.” Journal of Risk and Insurance, 78(4), pp. 795–822. Hurst, W., Merabti, M. & Fergus, P. 2014. “Big data analysis techniques for cyber threat detection in critical infrastructures.” In Proceedings of the 2014 28th International Conference Advanced Information Networking and Applications Workshops, pp. 916-921, IEEE. Hutchins, E. M., Cloppert, M. J. and Amin, R. M. 2011. “Intelligencedriven computer network defense informed by analysis of adversary campaigns and intrusion kill chains.” Leading Issues in Information Warfare & Security Research. IRM (Institute of Risk Management) 2018. A Risk Practitioners Guide to ISO 31000: 2018. London. ISO/IEC Guide 73:2002. Risk Management – Vocabulary – Guidelines for use in Standards. International Organization for Standardization/ International Electrotechnical Commission (ISO/ IEC), Geneva. ISO 31000:2009. Risk Management, Principles and Guidelines. International Organization for Standardization, Geneva, 2009. ISO 27000:2014. Information Technology - Security Techniques – Information Security Management Systems - Overview and Vocabulary. International Organization for Standardization/ International Electrotechnical Commission, Geneva.
References
229
James DeLoach and Jeff Thomson 2014. “Improving Organisational Performance and Governance: How the COSO Framework Can Help?” COSO (Committee of Sponsoring Organizations of the Treadway Commission). https://www.coso.org/Documents/2014-210-COSO-Thought-Paper.pdf. Jasper, S. 2020. Russian Cyber Operations: Coding the Boundaries of Conflict. Georgetown University Press. Jorion, P. 1997. Value at Risk: The Benchmark for Controlling Market Risk. McGraw-Hill, Chicago. Jorion, P. & Khoury, S. 1996. Financial Risk Management: Domestic and International Dimensions. Cambridge, Mass.: Blackwell Business. Kamiya, S., Kang, J., Kim, J., Milidonis, A. & Stulz, R. 2021. “Risk management, firm reputation, and the impact of successful cyberattacks on target firms.” Journal of Financial Economics, 139, pp. 717-749. Kaplan, R. S. and Mikes, A. 2012. “Managing Risks: A new framework.” Harvard Business Review, June (2012). https://hbr.org/2012/ 06/managing-risks-a-new-framework (accessed 23/10/2020). Kardile, A. B. 2017. Crypto Ransomware Analysis and Detection Using Process Monitor. Thesis. University of Texas, Arlington. Kerzner, H. 2009. Project Management Systems Approach Planning, Scheduling, and Controlling (10th ed.). Hoboken, NJ: John Wiley. Kleffner, A. E., Lee, R. B. & McGannon, B. 2003. “The effect of corporate governance on the use of ERM: Evidence from Canada.” Risk Management and Insurance Review, 6(1), pp. 53-73. Klimoski, R. 2016. "Critical success factors for cybersecurity leaders: Not just technical competence." People and Strategy, vol. 39, no. 1, pp. 14. Knight, F. H. 1921. Risk, Uncertainty and Profit. New York: Harper. Koski, A. & Mikkonen, T. 2015. Requirements, Architecture, and Quality in a Mission Critical System: 12 Lessons Learned. T. ESEC/FSE’15, August 30 – September 4, 2015, Bergamo, Italy. http://dx.doi.org/ 10.1145/2786805.2804436. KPMG, Glover, S. and Prawitt, D. 2012. Enhancing Board Oversight: Avoiding Judgment Traps and Biases. COSO (Committee of
230
References
Sponsoring Organizations of the Treadway Commission). https://www.coso.org/documents/COSO-EnhancingBoardOversight_ r8_Webready%20%282%29.pdf. Kwak, Y. H., & Ingall, L. 2007. “Exploring Monte Carlo simulation applications for project management.” Risk Management, 9(1), pp. 44– 57. Lam, J., 2001. “The CRO is here to stay.” Risk Management, April, pp. 1620. Lam, J. 2006. Emerging Best Practices in Developing Key Risk Indicators and ERM Reporting. James Lam & Associates, Inc. Lam, J. 2007. Enterprise risk management at Asian banks: From challenges to strategies. Executive White Paper, Asia Risk Management Institute (ARMI). Lau, N., Pastel, R., Chapman, M. R., Minarik, J., Petit, J. & Hale, D. 2018. "Human Factors in Cybersecurity – Perspectives from Industries." Proceedings of the Human Factors and Ergonomics Society Annual Meeting, vol. 62, no. 1, pp. 139-143. Lerbinger, O. 1997. “The crisis manager: Facing risk and responsibility.” in Mahwah, N. J., Lawrence Erlbaum Associates, NY. Les Coleman 2009. Risk Strategies: Dialing up Optimum Firm Risk. Gower e-Book Publishing, Burlington, USA. Lewis, J. 2002. Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats. Center for Strategic and International Studies, Washington D. C. Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats (csis-website-prod.s3.amazonaws.com) (Accessed 8 July 2021). Liebenberg, A. P., & Hoyt, R. E. 2003. “The determinants of ERM: Evidence from the appointment of CRO.” Risk Management and Insurance Review, 6(1), pp. 37-52. Linsley, P. M. & Shrives, P. J. 2006. “Risk reporting: A study of risk disclosures in the annual reports of UK companies.” British Accounting Review, 38(4) pp. 387-387.
References
231
Lowe, D. J., Emsley, M. W., & Harding, A. 2006. “Predicting construction cost using multiple regression techniques.” Journal of Construction Engineering and Management. Madnick, S. E. 1978. “Management policies and procedures needed for effective computer security.” Sloan Management Review, 20(1), pp. 61-74. Maia, I. & Chaves, G. 2016. “Integration of Risk Management into Strategic Planning: A New Comprehensive Approach.” Society of Actuaries 2016 Enterprise Risk Management Symposium April 6–8, 2016, Arlington, Virginia. Mak, S., Wong, J., & Picken, D. 1998. “The effect on contingency allowances of using risk analysis in capital cost estimating: A Hong Kong case study.” Construction Management & Economics, 16(6), 615–619. Markowitz, H. 1952 “Portfolio Theory.” The Journal of Finance, Vol. 7, No. 1. (Mar., 1952), pp. 77-91. Marotta, A., & McShane, M. 2018. “Integrating a proactive technique into a holistic cyber risk management approach.” Risk Management and Insurance Review, 21(3), pp. 435–452. Marsh, 2015. UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk. Marsh LLC,” Marsh. McKinsey & Company 2017. Protecting your critical digital assets: Not All Data and Systems are Created Equal. | McKinsey (accessed 11/9/2021). McKinsey & Company 2019. The Risk-based Approach to Cybersecurity. | McKinsey. McShane, M. 2018. “Enterprise risk management: History and a design science proposal.” The Journal of Risk Finance, 19(2), pp. 137–153. McShane, M., & Nguyen, T. 2020. “Time varying effects of cyberattacks on firm value.” The Geneva Papers on Risk and Insurance – Issues & Practice, 45(4), pp. 580-615. Meulbroek, L. K. 2002. "Integrated Risk Management for the Firm: A Senior Manager's Guide." Harvard Business School Working Paper, No. 02-046, March 2002.
232
References
Miller, K. D. 1992. “A Framework for integrated risk management in international business.” Journal of International Business Studies, vol. 23, issue 2, pp. 311- 331. Miller, S., Wagner, C., Aickelin, U. & Garibaldi, J. 2016. “Modelling cyber-security experts’ decision making processes using aggregation operators.” SSRN Electronic Journal, January 2016. Modi, S. B., Wiles, M. A., & Mishra, S. 2015. “Shareholder value implications of service failures in triads: The case of customer information security breaches.” Journal of Operations Management, 35, pp. 21-39. Modigliani, F. and Pogue, G. 1973. An Introduction to Risk and Return: Concepts and Evidence. Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A., & Sadhukhan, S. K. 2013. “Cyber-risk decision models: To insure IT or not?” Decision Support Systems, 56, pp.11-26. Nifakos, S.; Chandramouli, K.; Nikolaou, C. K.; Papachristou, P.; Koch, S.; Panaousis, E.; Bonacina, S. 2021. “Influence of Human Factors on Cyber Security within Healthcare Organisations: A Systematic Review.” Sensors, 21, 5119. https:// doi.org/10.3390/s21155119. NIST 2002. Risk Management Guide for Information Technology Systems. Technical Report, National Institute of Standards and Technology (NIST). NIST 2014. Framework for Improving Critical Infrastructure Cybersecurity. Technical Report, National Institute of Standards and Technology (NIST). Nocco, B. W., & Stulz, R. M. 2006. “Enterprise risk management: Theory and practice.” Journal of Applied Corporate Finance, 18(4), pp.8-20. OECD 2015. Digital Security Risk Management for Economic and Social Prosperity OECD Recommendation and Companion Document. Digital Economy Policy Legal Instruments. digital-security-riskmanagement.pdf (oecd.org) (Accessed 29/7/2021). OECD 2017. Enhancing the Role of Insurance in Cyber Risk Management. OECD Publishing, Paris. http://dx.doi.org/10.1787/9789264282148en.
References
233
OECD 2014. Risk Management and Corporate Governance, Corporate Governance. OECD Publishing. http://dx.doi.org/10.1787/978926420 8636-en; http://www.oecd.org/daf/ca/risk-management-corporategovernance.pdf. Oh, K. B. & Ho, B. C. T. 2010. Innovation and Technology Finance. Nova Science, New York. Oh, K., Ho, C., Pham, L., Huang, Y. and Wang, J. 2018. The Process of Enterprise Risk Management. Nova Science, New York. Ohana, G. & Lin, H. 2019b. “Cyber risk research impeded by disciplinary barriers.” Science, 366(6469), pp. 1066-1069. Olsen, R. (Accessed 29/9/2021). “Is Your Business Ready for the Changing Cybersecurity Landscape?” CIO Review. https://cyber security.cioreview.com/cxoinsight/is-your-business-ready-for-thechanging-cybersecurity-landscape-nid-27270-cid-145.html. Oracle.com 2020. The Oracle and KPMG Cloud Threat Report 2020. Oracle (online). https://www.oracle.com/cloud/cloud-threat-report. html. Pandey, P. & Snekkenes, E. 2014. “Using Prediction Markets to Hedge Information Security Risks.” Conference: 10th International Workshop on Security and Trust Management, Wroclaw, Poland Volume: Springer Lecture Notes in Computer Science 8743. Peltier T. R. 2001. Information Security Analysis. Auerbach, New York. Perry, R. and Lindell, M. K. 2003. “Preparedness for emergency response: Guidelines for the emergency planning process.” Disasters, 27(4), pp. 336–350. Pfleeger, S. L., Predd, J., Hunker, J. & Bulford, C. 2010. “Insiders behaving badly: Addressing bad actors and their actions.” IEEE Transactions on Information Forensics and Security, 5(2), March. Pham, L. & Oh, K. B. 2021. State on Board! Navigating Corporate Governance in Emerging Market Business. Palgrave MacMillan, London. Predd, J., Pfleeger, S. L., Hunker, J. & Bulford, C. 2008. “Insiders Behaving Badly.” IEEE Security and Privacy, 6(4), July/August, pp. 66-70.
234
References
PricewaterhouseCoopers 2018. Enterprise Risk Management. Available at: https://www.pwc.co.uk/audit-assurance/assets/pdf/enterprise-riskmanagement.pdf (Accessed 30 June 2021). PwC 2011. In Times of Uncertainty: An Insight into Effective Risk Reporting in a Changing Market. PwC Australia. https://www. pwc.com.au/industry/banking-capital-markets/assets/insight-intoeffective-risk-reporting-sep11.pdf (accessed 19/9/2021). Quarantelli, E. L. 1988. “Disaster crisis management: A summary of research findings.” Journal of Management Studies, 25(4), pp. 373– 385. Quintana, P. G. 2012. “Risk and Uncertainty.” Business Review, Q1 2012. https://www.phil.frb.org/-/media/research-and-data/publications/business-review/2012/q1/brq112_risk-and-uncertainty.pdf. Reagan, J. R., Raghavan, A. & Thomas, A. 2015. “Quantifying risk: What can cyber risk management learn from the financial services industry?” In New Perspectives on How Cyber Risk Can Power Performance. Delloitte University Press. Rescher N. 1983. Risk: A Philosophical Introduction to the Theory of Risk Evaluation and Management. University Press of America. Robin, A., Campbell, D., Preedy, D. Paschino, E., Born, M., Haynes, P., Kazmi, P. Oikawa, R. & Getchell, S. 2002. “Microsoft Solutions Framework Risk Management Discipline.” Researchgate. (5) (PDF) Microsoft Solutions Framework Risk Management Discipline (researchgate.net). Roscoe, B. and Goldsmith, M. 1997. The Perfect Spy for Model–Checking Crypto–Protocols. Rutgers University, Piscataway, NJ. Rot, A. 2008. “IT Risk Assessment: Quantitative and Qualitative Approach.” Proceedings of the World Congress on Engineering and Computer Science 2008, October 22 - 24, 2008, San Francisco, USA. Rouse, M., 2014. What is confidentiality, integrity, and availability (CIA triad)? Definition from WhatIs.com. [online] WhatIs.com. Available at: .
References
235
RSA Security 2016. Cyber risk appetite: Defining and understanding risk in the modern enterprise. White Paper. https://www.rsa.com/ content/dam/en/white-paper/cyber-risk-appetite.pdf. Rubino, M. 2018. “A Comparison of the main ERM frameworks: How limitations and weaknesses can be overcome implementing IT governance.” International Journal of Business and Management, 13(12), pp. 203-214. Ryan, P., Schneider, S.A., Goldsmith, M., Lowe, G. and Roscoe, A. 2000. The Modelling and Analysis of Security Protocols: The CSP Approach. Addison-Wesley Professional, Boston, MA. Sasse, M., & Flechais, I. 2005. “Usable Security: Why Do We Need It? How Do We Get It?” In L. F. Cranor and S. Garfinkel (Eds.), Security and Usability. O’Reilly Publishing, pp. 13–30. Segal, S. 2011. Corporate Value of Enterprise Risk Management. Wiley. Siegel, C. A., Sagalow, T. R., & Serritella, P. 2002. “Cyber risk management: Technical and insurance controls for enterprise level security.” Information Systems Security, 11(4), pp. 33–49. Shao, Z. 2019. “Interaction effect of strategic leadership behaviors and organizational culture on IS-Business strategic alignment and Enterprise Systems assimilation.” International Journal of Information Management, 44, pp. 96-108. Singer, P.W. & Friedman, A. 2014. Cybersecurity and Cyber War: What Everybody Needs to Know. New York, Oxford University Press. Siponen, M. & Oinas-Kukkonen, H. 2007. “A review of information security issues and respective research contributions.” ACM SIGMIS Database: The database for Advances in Information Systems, 38(1), pp. 60-80. Slagmulder, R. and Devoldere, B. 2018. “Transforming under deep uncertainty: A strategic perspective on risk management.” Business Horizons, 61(5), pp. 733-743. Standards Australia and Standards New Zealand 2009. AS/NZS ISO 31000:2009: Risk management - Principles and guidelines, 20 November 2009.
236
References
Starr, R., Newfrock, J., & Delurey, M. 2003. “Enterprise resilience: managing risk in the networked economy.” Strategy and Business, 30, pp. 70–79. Stavrou, A., Fleck, D., & Kolias, C. 2016. “On the Move: Evading Distributed Denial-of-Service Attacks.” IEEE Annals of the History of Computing, 49(03), 104-107. Stine, K., Quinn, S., Witte, G., Scarfone, K., & Gardner, R. 2020. “Integrating Cybersecurity and Enterprise Risk Management (ERM).” NIST Internal or Interagency Report (NISTIR) 8286 (Draft), National Institute of Standards and Technology. Taveras, P. 2019. “Cyber risk management, procedures and considerations to address the threats of a cyber-attack.” Proceedings of the ForenSecure: Cybersecurity and Forensics Conference, Chicago, Illinois April 12th, 2019. https://www.researchgate.net/ publication/332411201_Cyber_Risk_Management_Procedures_and_ Considerations_to_Address_the_Threats_of_a_Cyber_Attack (accessed 19/10/2020). Toma, S. & Alexa, I. 2012. “Different Categories of Business Risk.” Annals of Dunarea de Jos. University of Galati Fascicle I. Economics and Applied Informatics Years XVIII – no2/2012. http://www.ann. ugal.ro/eco/Doc2012.2/Toma_Alexa.pdf. UNECE 2012. Risk Management in Regulatory Frameworks: Towards a Better Management of Risks. UN New York & Geneva. https://www.unece.org/fileadmin/DAM/trade/Publications/WP6_EC E_TRADE_390.pdf. Von Solms, R. and Van Niekerk, J. 2013. “From information security to cyber security.” Computers and Security, 38, pp. 97–102. Watsham, T. J. & Parramore, K. 1997. Quantitative Methods in Finance. Volume 1, International Thomson Business Press. Weick, K. and Suncliffe, K. 2007. Managing the Unexpected: Resilient Performance in an Age of Uncertainty. Jossey-Bass Publishers, San Francisco, CA.
References
237
Weill, P., & Ross, J. W. 2004. IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. Harvard Business School Press. Woods, D. W. & Simpson, A. C. 2020. Monte Carlo methods to investigate how aggregated cyber insurance claims data impacts security investments. Department of Computer Science, University of Oxford. Monte-Carlo-methods-to-investigate-how-aggregated-cyberinsurance-claims-data-impacts-security-investments.pdf (researchgate.net) (Accessed 16/8/2021). World Economic Forum (WEF) 2017. The Global Risks Report 2017. 12th Edition, Geneva. Young, S. D. & O'Byrne, S.F. 2000. EVA and Value-Based Management: A Practical Guide to Implementation. McGraw-Hill. Zhao, X., Hwang, B. -G., & Low, S. P. 2013. “Critical success factors for enterprise risk management in Chinese construction companies.” Construction Management and Economics, 31(12), pp. 1199-1214.
ABOUT THE AUTHORS Kok-Boon Oh is a director of eGalaxy Proprietary Limited in Melbourne, Australia. He is a CPA member of Certified Practising Accountants (Australia) and Chartered Accountant of the Malaysian Institute of Accountants (MIA). KB taught enterprise cyber risk management at the undergraduate and postgraduate levels in the cybersecurity program at La Trobe University, Australia. He was responsible for developing the cybersecurity ERM subjects for both the Bachelor of Cybersecurity and Master of Cybersecurity courses at La Trobe University. He has extensive industry experience in risk management, both through his work as a corporate executive, academic and, through his regular conference presentations and publications. He has co-published over 70 peer-reviewed papers and 12 reference books in the areas of finance and management, including books on crisis management and enterprise risk management. He completed the Harvard’s VPAL Cybersecurity: Managing Risk in the Information Age program in 2018.
240
About the Authors
Bruce Chien-Ta Ho is a professor in the Institute of Technology Management at National Chung Hsing University in Taiwan. He is also a director of Electronic Commerce & Knowledge Economics Research Center. His current research interests include E-Commerce and performance evaluation. Bruce has over 150 publications in the forms of journal papers, books, edited books, edited proceedings, edited special issues, and conference papers. Sample of his work could be found in Computers & Operations Research, Journal of the Operational Research Society, International Journal of Production Research, Online Information Review, Industrial Management and Data System, Production Planning and Control. He is also the Editor of the International Journal of Electronic Customer Relationship Management. Bret Slade taught at La Trobe University, Australia and has experience in organisational headquarters and strategic management consulting roles. His areas of expertise are leadership, strategy, decision making, emergency management and security. He has worked extensively in management with Australian national and state government organisations, including the Australian Defence Force, the Australian Securities and Investment Commission, and the Victoria Country Fire Authority. Bret also has experience working in Asia, including China, Vietnam and Malaysia. Bret has a PhD in Strategic Management. His doctorate focused on national defence within a diagnostic framework designed to identify organisational effectiveness in high tempo, mission critical environments.
INDEX
# 4Ts, 5, 140
A artificial intelligence (AI), 28, 95, 161, 162, 163
B Basel Committee on Banking Supervision, 65, 90 Basel III, 73, 80, 90 big data, 29, 113, 161, 163, 228 blockchain, 95, 161, 162, 163 board and senior management, 50, 56, 115, 201, 207, 214 botnet, 35, 38 bow-tie method, 108, 109 business impact analysis (BIA), xv, 30, 109, 110, 135, 193, 194 business-critical system, 30
C chief information security officer (CISO), xv, 20, 21, 57, 62, 64, 66, 140, 189, 206, 209 chief risk officer (CRO), xv, 20, 45, 57, 63, 66, 78, 96, 152, 188, 201, 206, 230 cloud computing, 29, 95, 143, 161 COBIT, 73, 88, 89 confidentiality, integrity, and availability (CIA), xv, xvi, 6, 7, 11, 12, 29, 33, 49, 57, 87, 97, 99, 102, 104, 149, 161, 167, 169, 181, 204, 206, 217, 234 conventional risks, 50, 151 convergence, vii, 49, 50, 51 corporate cyber risk, 25, 208 corporate risk environment, v, vii, 23, 24, 25, 26 corporate vision, goals, and objectives, 4, 49 COSO ERM, 9, 73, 79 crisis management function, 54, 67
242 crisis response, xv, 87, 180, 184, 187, 191, 192, 194, 200, 201, 217 critical data, 31 critical information assets, 2, 29, 93, 96, 102, 188, 193 cyber crisis management plan (CCMP), xv, 179, 180, 181, 182, 184, 185, 189, 190, 191, 192, 193, 194 cyber insurance, 130, 150, 151, 152, 153, 225, 237 cyber insurance market, 150 cyber risk, v, vii, viii, ix, xi, xii, xvi, 1, 2, 3, 5, 6, 7, 11, 12, 15, 16, 17, 18, 20, 21, 23, 25, 27, 28, 29, 32, 33, 34, 44, 46, 50, 51, 55, 57, 58, 59, 61, 62, 63, 65, 66, 68, 69, 70, 72, 75, 80, 91, 93, 94, 95, 96, 99, 102, 105, 106, 112, 113, 115, 116, 117, 118, 125, 126, 127, 128, 134, 135, 137, 139, 140, 141, 143, 145, 150, 151, 152, 153, 155, 160, 163, 165, 168, 170, 171, 173, 182, 187, 188, 195, 198, 201, 204, 205, 207, 208, 209, 210, 214, 217, 218, 219, 220, 221, 222, 225, 226, 231, 232, 233, 234, 235, 236, 239 cyber risk management standards, 70, 80 cyber threats, v, ix, xii, xviii, 1, 2, 11, 12, 13, 23, 24, 26, 28, 33, 35, 36, 37, 42, 44, 45, 49, 50, 55, 62, 65, 66, 73, 81, 94, 95, 96, 97, 105, 108, 112, 115, 117, 120, 121, 122, 126, 127, 128, 134, 135, 155, 162, 182, 197, 198, 206, 208, 217, 226, 230 cybercrime and cyber-terrorism, 7 cybercriminals, 33, 36, 39, 40, 41, 98, 144 cybersecurity frameworks, 73 cybersecurity investment, 16 cybersecurity risk and return, 16 cybersecurity standards, xvi, 72, 73, 215 cyber-terrorist attacks, 8
Index D decision tree, 127, 132, 133 digital economy, 5, 23, 33, 232 digital world, 13, 28, 72, 127, 145, 194, 206
E effective enterprise risk management, 4, 23, 140, 167 effective identification function, 98 EMV, viii, xvi, 127, 128, 129 endogenous mitigation, 141 enforceable cybersecurity regulations, 71 enterprise Information Security Policy (EISP), xvi, 57, 60, 77, 181, 201, 206, 213, 214, 217 enterprise risk, v, xi, xii, xiii, xvi, 1, 2, 5, 6, 8, 9, 10, 13, 18, 19, 21, 24, 43, 44, 45, 46, 47, 49, 50, 51, 52, 53, 54, 58, 59, 63, 66, 68, 69, 73, 74, 75, 77, 78, 79, 85, 93, 94, 107, 116, 118, 130, 133, 134, 140, 171, 184, 185, 188, 197, 198, 200, 201, 202, 205, 207, 209, 216, 219, 221, 223, 228, 230, 231, 232, 233, 234, 235, 236, 237, 239 enterprise risk management strategy, 185, 197 equity market, 45 European Data Protection Regulation, 89
F framework implementation, 81, 84 framework profile, 81, 83, 215
G global economy, 28
Index
243
H
N
heat map, viii, 121, 122, 123, 124, 136 hedging, ix, 140, 141, 144, 150, 153, 154, 155, 221 holistic approach, 9, 10, 44, 49, 51, 64 human factors, 6, 7, 24, 32, 226, 227, 230, 232
network diagram, 101, 110, 112, 188 NIST (2002), 35 NIST framework, 71, 80, 99 NIST/CSF, viii, xvii, 27, 32, 71, 80, 81, 82, 83, 84, 97, 99, 101, 102, 104, 119, 120, 146, 174, 182, 199, 201, 205, 210, 212, 215, 216 NIST/CSF framework core, viii, 81, 82, 99, 205 NIST/CSF functions, 99 non-human factors, 6, 32
I ICT processes, 25 industries, 20, 29, 31, 40, 41, 96, 134, 152, 198, 199, 208, 230 information network, 31, 101, 228 intrusion detection and prevention systems (IDPS), 144, 158, 167, 170, 190 IoT devices, 35 ISO 27000 series, viii, 75, 85, 88 ISO 31000, vii, 2, 8, 12, 52, 65, 73, 75, 76, 77, 78, 199, 200, 201, 217, 228, 235
O operational risk management (ORM), vii, viii, xii, xvii, 2, 4, 43, 47, 52, 53, 54, 55, 60, 63, 64, 65, 66, 67, 71, 77, 78, 79, 81, 93, 94, 95, 101, 102, 109, 113, 118, 119, 120, 135, 139, 140, 141, 146, 167, 168, 172, 199, 200, 201, 217
K P key performance indicators (KPIs), xvii, 19, 53, 60, 169, 172
L leadership and governance, 63, 198, 201, 204, 208 leveraging technology, 29
M malicious external threat, 36, 98, 99 malicious internal threats, 36, 98 mission-critical systems, 30, 159 Monte Carlo simulation, 130, 131, 134, 220, 222, 230
penetration testing, 105, 111, 191 portfolio risk, vii, 18, 46 portfolio theory approach, 45 post-crisis phase, 181, 193 pre-crisis management, 185, 201 predictive risk control, 54 pre-emptive steps, 54
Q qualitative assessment, 121, 126 quantification, xvii, 55, 99, 116, 117, 126, 134, 135, 136 quantitative assessment, 126, 154
244
Index R
ransomware software, 41 reactive actions, 54 regulatory compliance, 21, 71, 78 risk assessment, viii, xii, xvii, xviii, 47, 49, 52, 56, 66, 78, 82, 85, 87, 88, 94, 98, 100, 101, 110, 113, 116, 117, 118, 119, 120, 121, 122, 123, 125, 126, 127, 135, 136, 140, 143, 146, 177, 181, 186, 211, 214, 220, 222, 234 risk culture, 47, 59, 166, 198, 202, 207, 224 risk data quality assessment, 125 risk entity or committee, 63 risk identification, viii, xii, xvii, xviii, 4, 13, 47, 66, 93, 94, 95, 96, 97, 99, 101, 102, 104, 107, 110, 112, 113, 117, 122, 135, 140, 211, 218 risk mapping, 135, 136 risk mitigation objective, 139 risk monitoring, viii, xvii, xviii, 62, 70, 166, 169, 174 risk register, 99, 105, 112, 113, 120, 182, 184 risk reporting, xviii, 165, 166, 171, 173, 176, 230, 234 risk tolerance, 9, 18, 19, 20, 47, 51, 68, 77, 83, 87, 100, 116, 129, 140, 144, 153, 167, 169, 181, 198, 200, 201, 203, 204, 207, 210, 211, 214, 215, 216 risk-based approach, 65, 201, 205, 207, 208, 209, 210
security incident, ix, 35, 36, 39, 41, 153, 181, 190, 228 self-regulation, 71 social engineering, 29, 33, 37, 39, 42, 111, 112, 156 standalone risk, 18 strategic cyber risk management, 46, 198 strategic objectives, xviii, 47, 52, 53, 56, 57, 96, 113, 121, 130, 139, 201, 206, 216 strategic risk management (SRM), vii, xvii, xviii, 2, 4, 43, 47, 52, 53, 54, 60, 63, 64, 65, 71, 74, 75, 77, 78, 94, 101, 136, 140, 172, 197, 199, 200, 201, 205, 210, 217, 220 supply chain risk management, 82, 214 SWOT (strengths-weaknessesopportunities-threats) analysis, 105, 106, 122 systematic risk, 17, 18, 24, 25, 126
T threat actors, ix, 36, 39, 98 threat identification questions, ix, 97 traditional risk management (TRM), xviii, 3, 8, 9, 102, 227
U unsystematic risk, 17, 18, 24, 25
V S safety-critical system, 30, 31
VaR methodology, 133