Cyber Risk Management 2024 PDF
Uploaded by LuxuriantMaracas
2024
Summary
This presentation details cybersecurity risk management in 2024, covering key components, processes, and best practices. It explores standards, frameworks, and strategic considerations.
Chapter 5: Cyber Risk Management (Information Security 2024)

Overview
- Cyber Risk Management Standards and Frameworks
- Cyber Risk Management Processes Across Levels in the Organization
- Cyber Risks Mitigation Economics
- Transference, Acceptance and Mitigation of Cyber Risks
- Cyber Risks Policies for Technologies, Individuals and Entities
- Characteristics of Organizations that Influence Cyber Risk Analysis and Management
- Communication of Cyber Risks

Cyber Risk Management Standards and Frameworks
Cyber risk management standards and frameworks are sets of guidelines, best practices, and regulatory requirements that help organizations manage cybersecurity risks effectively. They provide structured approaches for identifying, assessing, and mitigating potential threats to an organization's digital assets.

Cyber Risk Management Standards
These are specific criteria or benchmarks used to evaluate and improve cybersecurity risk management. They often focus on compliance with certain industry or government regulations. Common standards include:
- ISO/IEC 27001
- NIST Cybersecurity Framework (CSF)
- PCI DSS (Payment Card Industry Data Security Standard)
- GDPR (General Data Protection Regulation)

Cyber Risk Management Frameworks
Frameworks are comprehensive sets of practices that provide a holistic view of cybersecurity risk management. They help organizations assess their current cybersecurity posture, define risk tolerance, and implement control measures. Key frameworks include:
- COBIT (Control Objectives for Information and Related Technologies)
- ISO 31000 (Risk Management Framework)
- FAIR (Factor Analysis of Information Risk)
- CIS Controls (Center for Internet Security)
- COSO Framework

Components of Cyber Risk Management Frameworks
Key components of cyber risk management frameworks:
- Risk Identification: Understanding what assets need protection and identifying potential vulnerabilities.
- Risk Assessment: Evaluating the likelihood and impact of cyber threats on these assets.
- Risk Mitigation: Implementing technical, organisational, and procedural controls to minimise risks.
- Risk Monitoring: Continuously observing and adjusting risk management activities as new threats emerge.
- Incident Response: Planning and executing a response to mitigate damage and recover from cyber attacks.

Cyber Risk Management Processes Across Levels in the Organization
Cyber risk management involves identifying, assessing, mitigating, and monitoring cyber risks across different levels within an organisation. To be effective, it requires collaboration between strategic, tactical, and operational layers to align cybersecurity efforts with business goals.

Levels of Cyber Risk
- Strategic Level (Executive Leadership and Board)
- Tactical Level (Mid-Level Managers and Risk Management Committees)
- Operational Level (IT, Security Teams, and Employees)

1. Strategic Level (Executive Leadership and Board)
Role: Define overall risk appetite, policies, and priorities.
Responsibilities:
- Align cyber risk management with business objectives.
- Approve cybersecurity budgets and ensure regulatory compliance.
- Monitor key risk indicators (KRIs) and ensure governance.
Example: The board establishes acceptable risk thresholds and allocates resources for strategic investments.

2. Tactical Level (Mid-Level Managers and Risk Committees)
Role: Translate strategic policies into actionable plans and oversee implementation.
Responsibilities:
- Develop risk mitigation strategies, incident response plans, and business continuity plans.
- Coordinate between departments (IT, HR, legal) to implement controls.
- Conduct regular risk assessments and internal audits.
Example: A cybersecurity manager develops security training programs and ensures third-party vendors comply with the organization's policies.

3. Operational Level (IT, Security Teams, and Employees)
Role: Implement day-to-day cybersecurity controls and respond to incidents.
Responsibilities:
- Monitor systems for vulnerabilities and anomalies.
- Manage access controls, patch management, and backups.
- Respond to security incidents and perform recovery activities.
Example: A security operations center (SOC) team detects and mitigates a phishing attack targeting employees.

Coordination Across Levels
Information Flow:
- Top-down: Executive leadership sets policies and communicates risk appetite to managers and teams.
- Bottom-up: Operational teams report incidents and risks, which are aggregated and escalated to leadership for decision-making.
Governance Frameworks: Common frameworks (e.g., COBIT, NIST CSF) guide risk management activities across levels.
Continuous Improvement: Risk management must be dynamic, incorporating lessons learned from incidents and emerging threats.

Cyber Risks Mitigation Economics
Cyber risks mitigation economics focuses on understanding the costs, benefits, and trade-offs of implementing cybersecurity strategies. Organisations must balance spending on preventive measures against the potential losses from cyber incidents. This field blends economics, risk management, and cybersecurity to develop optimal resource allocation strategies.

Key Concepts
- Cost-Benefit Analysis in Cybersecurity
- Risk Reduction Models
- Cyber Insurance as Risk Transfer
- Trade-offs in Cybersecurity Spending

Cost-Benefit Analysis in Cybersecurity
Cybersecurity investments involve upfront costs (e.g., firewalls, employee training) and operational costs (e.g., monitoring). A cost-benefit analysis helps determine the optimal spending by comparing the costs of mitigation against the expected loss from cyber incidents.
Formula: Net Benefit = (Probability of Attack x Potential Loss) - Mitigation Cost

Risk Reduction Models
Organizations aim to reduce the probability of cyberattacks and minimize damage when breaches occur. Models like Return on Security Investment (ROSI) help evaluate whether cybersecurity spending justifies its potential returns.
ROSI Formula: ROSI = (Risk Reduction Value - Mitigation Cost) / Mitigation Cost

Cyber Insurance as Risk Transfer
Cyber insurance allows businesses to transfer part of the financial risk to insurers by covering damages from incidents like data breaches or ransomware. Insurance premiums are based on cybersecurity posture, sector-specific risks, and company size.

Trade-offs in Cybersecurity Spending
Over-investing can lead to resource wastage, while under-investing increases exposure to attacks. The 80/20 Rule (Pareto Principle) often applies: 80% of risk reduction can come from 20% of key security measures.

Best Practices
- Conduct Regular Risk Assessments: Identify high-risk assets and prioritise protection.
- Use Multi-Layered Defense: Combine technical, organizational, and insurance measures.
- Involve Stakeholders: Engage executives and departments to align risk management with business goals.
- Monitor and Update Policies: Cyber threats evolve rapidly, requiring dynamic risk management strategies.

Transference, Acceptance and Mitigation of Cyber Risks
Organisations face various cyber risks, ranging from data breaches to ransomware attacks. To manage these risks, businesses adopt strategies such as risk transference, acceptance, and mitigation. Each strategy addresses risks differently, based on the organisation's resources, risk appetite, and business goals.

Risk Transference
Definition: Shifting the financial burden of a cyber risk to a third party.
Examples:
- Cyber Insurance: Policies cover financial losses from data breaches, ransomware, and business interruptions.
- Outsourcing Security Services: Transferring risk by hiring managed security service providers (MSSPs) to monitor systems.

Risk Acceptance
Definition: Acknowledging a risk and choosing not to take any immediate action. This strategy is used when the risk is low impact or the cost of mitigation outweighs the potential loss.
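The expected-loss, Net Benefit and ROSI formulas above, carried through to the accept-or-mitigate decision just defined, as an added worked example that is not part of the original slides. It assumes that Risk Reduction Value is the expected loss before a control minus the expected loss after it, and that a risk below the acceptance threshold is accepted while a risk no control pays for is a candidate for transference; the scenario figures are constructed.

```python
from dataclasses import dataclass

@dataclass
class Control:
    """A candidate mitigation and the residual risk it leaves (constructed values)."""
    name: str
    cost: float         # annual mitigation cost
    prob_after: float   # probability of attack once the control is in place
    loss_after: float   # potential loss per incident once the control is in place

def expected_loss(probability: float, loss: float) -> float:
    """Expected annual loss = Probability of Attack x Potential Loss."""
    return probability * loss

def rosi(risk_reduction_value: float, mitigation_cost: float) -> float:
    """ROSI = (Risk Reduction Value - Mitigation Cost) / Mitigation Cost."""
    if mitigation_cost <= 0:
        raise ValueError("mitigation cost must be positive")
    return (risk_reduction_value - mitigation_cost) / mitigation_cost

def evaluate(prob_before: float, loss_before: float, control: Control) -> dict:
    """Risk Reduction Value is taken (assumption) as expected loss before minus after."""
    reduction = expected_loss(prob_before, loss_before) - expected_loss(control.prob_after, control.loss_after)
    return {"control": control.name, "risk_reduction_value": reduction,
            "net_benefit": reduction - control.cost, "rosi": rosi(reduction, control.cost)}

def choose_strategy(prob_before, loss_before, controls, acceptance_threshold):
    """Decision rule (assumption): accept when expected loss is within appetite; otherwise
    mitigate with the best control whose ROSI is positive; if no control pays for itself,
    the residual risk is a candidate for transference (e.g. cyber insurance)."""
    if expected_loss(prob_before, loss_before) <= acceptance_threshold:
        return "accept", None
    viable = [r for r in (evaluate(prob_before, loss_before, c) for c in controls) if r["rosi"] > 0]
    if viable:
        return "mitigate", max(viable, key=lambda r: r["net_benefit"])["control"]
    return "transfer", None

# Constructed scenario: ransomware against a core system, 30% yearly probability, 500,000 loss.
CONTROLS = [
    Control("MFA + offline backups", cost=40_000, prob_after=0.10, loss_after=200_000),
    Control("Full EDR rollout", cost=120_000, prob_after=0.15, loss_after=300_000),
]

def sample_decisions() -> dict:
    """Core system exceeds the 10,000 appetite and MFA+backups has ROSI 2.25, so mitigate;
    the low-priority system's expected loss (1,000) is within appetite, so accept."""
    return {
        "core_system": choose_strategy(0.30, 500_000, CONTROLS, acceptance_threshold=10_000),
        "low_priority_system": choose_strategy(0.20, 5_000, CONTROLS, acceptance_threshold=10_000),
    }
```

The EDR option reduces risk by 105,000 but costs 120,000, so its ROSI is negative and it is not chosen even though it does reduce risk.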
Examples:
- Not securing a low-priority system because the impact of an attack is minimal.
- Delaying updates for non-critical software to align with business operations.

Risk Mitigation
Definition: Implementing measures to reduce the probability or impact of cyber risks.
Examples:
- Technical Controls: Firewalls, encryption, and multi-factor authentication (MFA).
- Organizational Controls: Employee training, access control policies, and incident response plans.

Selecting the Right Strategy
- Risk Appetite: Organisations with a low tolerance for risk may invest more in mitigation and insurance.
- Resource Availability: Smaller organisations might accept certain risks due to limited budgets.
- Regulatory Requirements: Some industries (e.g., finance, healthcare) mandate strict controls and risk mitigation measures.

Cyber Risk Policies for Technologies, Individuals, and Entities
Cyber risk policies provide frameworks and guidelines to manage risks across technologies, individuals, and entities (e.g., vendors, partners). These policies are essential to minimise security vulnerabilities, ensure compliance, and align cybersecurity efforts across an organisation.

Cyber Risk Policies for Technologies
Objective: Ensure the security and resilience of IT systems, applications, and networks.
Key Policies:
- Patch Management Policy: Regular updates to software and hardware to fix vulnerabilities.
- Access Control Policy: Implements least privilege principles, ensuring only authorised users can access systems.
- Encryption Policy: Mandates encryption for sensitive data both in transit and at rest.
- Backup and Disaster Recovery Policy: Defines protocols for data backups and recovery in case of incidents.
Example: A cloud security policy requires encryption of all data stored in cloud environments and multi-factor authentication (MFA) for cloud access.

Cyber Risk Policies for Individuals
Objective: Ensure employees and users are aware of cybersecurity risks and follow best practices.
Key Policies:
- Acceptable Use Policy (AUP): Defines acceptable ways employees can use corporate assets (e.g., email, internet).
- Security Awareness Training Policy: Requires regular training for employees on recognising phishing and other cyber threats.
- Password Policy: Specifies password complexity, expiration, and reuse rules.
- Incident Reporting Policy: Provides guidelines on how employees should report suspected security incidents.
Example: Employees must attend annual security training and immediately report phishing attempts to the IT department.

Cyber Risk Policies for Entities (Third Parties and Partners)
Objective: Manage risks associated with vendors, contractors, and business partners.
Key Policies:
- Third-Party Risk Management Policy: Requires risk assessments of vendors to ensure they follow security standards.
- Service-Level Agreement (SLA) Security Requirements: Specifies security expectations in contracts with third parties.
- Data Sharing and Privacy Policy: Regulates how data is shared with external entities to comply with regulations (e.g., GDPR).
- Supply Chain Security Policy: Mandates that all suppliers follow cybersecurity best practices to prevent supply chain attacks.
Example: A vendor must undergo an annual cybersecurity audit and meet ISO 27001 compliance to continue providing services.

Characteristics of Organisations that Influence Cyber Risk Analysis and Management
Cyber risk analysis and management are influenced by various characteristics of an organization, including its size, industry, regulatory environment, and internal culture. These factors shape how an organization identifies, assesses, mitigates, and responds to cyber risks.
- Organisation Size: Larger organisations typically have more complex IT infrastructures and a broader attack surface, requiring sophisticated risk management approaches.
- Industry and Sector: Different industries face varying levels of cyber risk based on the sensitivity of their data and their attractiveness to attackers.
- Regulatory and Compliance Requirements: Compliance with cybersecurity regulations influences the scope and priority of risk management activities.
- Organisational Culture and Cybersecurity Awareness: A strong security culture ensures employees understand and actively participate in cyber risk management efforts.
- Use of Technology and Digital Maturity: The degree of reliance on technology and digital transformation initiatives affects cyber risk exposure.
- Vendor and Supply Chain Dependencies: The extent of reliance on third-party vendors influences cyber risk management practices.

Communication of Cyber Risks
Effective communication of cyber risks ensures that stakeholders across an organization understand the potential impact of cybersecurity threats. It bridges the gap between technical experts and decision-makers, fostering informed risk management and proactive decision-making.

Key Elements of Cyber Risk Communication
- Clarity: Use clear and non-technical language when addressing non-technical audiences (e.g., executives, employees).
- Relevance: Focus on risks that directly affect the audience, such as regulatory compliance for legal teams or phishing for employees.
- Timeliness: Provide timely updates on emerging threats and incidents to enable swift action.
- Consistency: Use a standardized framework (e.g., NIST CSF) for communicating risks across departments.

Best Practices for Cyber Risk Communication
- Use Risk Metrics: Incorporate metrics like key risk indicators (KRIs) to provide measurable insights.
- Establish a Common Language: Create a glossary of key terms to ensure everyone understands the terminology.
- Encourage Two-Way Communication: Allow stakeholders to ask questions and provide feedback.
- Review and Update Plans Regularly: Continuously improve communication strategies based on feedback and evolving threats.