Information Risk Management and Frameworks
Tyler Moore
CSE 5/7338, Tandy School of Computer Science, University of Tulsa
Outline
1 Information security risk management
  Risk acceptance
  Risk mitigation
  Risk avoidance
2 Frameworks
Information security risk management
Just as it can be useful to translate infosec risks and defenses into the language of investment (ROSI, NPV, etc.), one must also be aware of terminology from risk management
As IT becomes essential to many businesses, the border between information security investment and general risk management has blurred
Risk management terminology overview
Risk analysis
  identification
  quantification
Risk management
  acceptance
  mitigation
  avoidance
  transfer
    cyber insurance
Risk monitoring
  validation
  documentation
Risk acceptance
After risks are identified and quantified, they must be “managed”
The simplest option is to do nothing
Such “risk acceptance” is prudent when:
1 Worst-case loss is small enough to be paid from proceeds or reserves
2 Probability of occurrence is smaller than other business risks that threaten the organization’s survival
This is why the security policies for start-ups are often weaker than for entrenched firms
Risk mitigation
If risk is too big and probable to be accepted, risk mitigation aims to reduce the probability and severity of a loss
This is where security investment comes in
Recall that the optimal level of investment normally leaves residual risk that must be dealt with using acceptance, avoidance, or transfer
Risk avoidance
Aims to reduce the probability and severity of loss, as in risk mitigation
However, rather than use technology, here one forgoes risky activities
This introduces opportunity costs of lost business opportunities
Example: online merchant refusing overseas orders due to high fraud risk
Example: company disconnects database with customers’ personal information online
Question: what are the opportunity costs in these cases?
Risk transfer
The final option is to buy an insurance contract to recover any future losses incurred
This is only available in limited circumstances
Why has the cyber-insurance market remained small?
Difficulty in quantifying losses
Even when possible, many firms would rather keep quiet than share with an insurance company
Externalities mean that the costs of insecurity are often borne by others
Correlated risk is prevalent
Risk management example: credit card issuers
Credit card issuers regularly manage fraud
1 Risk acceptance: fraud is paid from the payment fees charged to merchants
2 Risk mitigation: install anti-fraud technology (raises costs of security)
3 Risk avoidance: downgrade high-risk cardholders to debit or require online verification (leads to lost business)
4 Risk transfer: structure consumer credit risk and sell it on the market
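The four treatments from the slides above, worked as one decision for a single quantified risk. This is an added teaching example, not material from the lecture: the acceptance test is the slides' two conditions (worst case fits in reserves, probability below the firm's other survival-threatening risks); everything else is an assumption made for illustration, namely comparing mitigation, avoidance and transfer by expected annual cost, re-running the same decision on the residual risk that mitigation leaves behind, and the figures for the slides' online-merchant example (`OVERSEAS_FRAUD`, `MERCHANT`, `FRAUD_SCREENING`, `FRAUD_POLICY`), which are constructed.

```python
"""Choosing among the four risk treatments from the lecture (accept, mitigate,
avoid, transfer) for one quantified risk.

Added teaching example, not from the lecture slides. The acceptance test is
the slides' two conditions; comparing the remaining options by expected annual
cost, and all the figures below, are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Risk:
    name: str
    worst_case_loss: float     # largest plausible single loss (currency units)
    annual_probability: float  # chance of at least one such loss per year


@dataclass
class Context:
    reserves: float                     # cash that could absorb a loss
    survival_threat_probability: float  # yearly probability of the firm's other survival-threatening risks
    revenue_at_risk: float              # revenue forgone if the risky activity is dropped (avoidance)


@dataclass
class Mitigation:
    annual_cost: float         # cost of the security investment
    probability_factor: float  # residual probability = probability * factor
    loss_factor: float         # residual worst-case loss = loss * factor


@dataclass
class Insurance:
    annual_premium: float
    coverage_fraction: float   # share of each loss the insurer reimburses


def expected_loss(risk: Risk) -> float:
    return risk.annual_probability * risk.worst_case_loss


def is_acceptable(risk: Risk, ctx: Context) -> bool:
    """The slides' rule: accept when the worst case fits in reserves AND the
    probability is below that of the business risks that threaten survival."""
    return (risk.worst_case_loss <= ctx.reserves
            and risk.annual_probability < ctx.survival_threat_probability)


def choose_treatment(risk: Risk, ctx: Context,
                     mitigation: Optional[Mitigation] = None,
                     insurance: Optional[Insurance] = None
                     ) -> Tuple[str, float, Optional[str]]:
    """Return (treatment, expected annual cost, treatment of the residual risk).

    Acceptance is taken when the slides' conditions hold; otherwise the cheapest
    of avoid / transfer / mitigate is chosen (assumption of this example).
    Mitigation never removes risk entirely, so its residual risk is itself run
    through the same decision, mirroring the lecture's point that the optimal
    investment leaves residual risk to be accepted, avoided or transferred.
    """
    if is_acceptable(risk, ctx):
        return ("accept", expected_loss(risk), None)

    options = {}
    # Avoidance: no loss, but the activity's revenue is the opportunity cost.
    options["avoid"] = ctx.revenue_at_risk
    if insurance is not None:
        # Transfer: pay the premium, retain the uninsured share of expected loss.
        retained = expected_loss(risk) * (1.0 - insurance.coverage_fraction)
        options["transfer"] = insurance.annual_premium + retained
    residual_treatment = None
    if mitigation is not None:
        residual = Risk(risk.name + " (residual)",
                        risk.worst_case_loss * mitigation.loss_factor,
                        risk.annual_probability * mitigation.probability_factor)
        residual_treatment, residual_cost, _ = choose_treatment(residual, ctx, None, insurance)
        options["mitigate"] = mitigation.annual_cost + residual_cost

    best = min(options, key=options.get)
    return (best, options[best], residual_treatment if best == "mitigate" else None)


# Constructed figures for the slides' online-merchant example: fraud on overseas orders.
OVERSEAS_FRAUD = Risk("overseas order fraud", worst_case_loss=400_000, annual_probability=0.30)
MERCHANT = Context(reserves=250_000, survival_threat_probability=0.05, revenue_at_risk=90_000)
FRAUD_SCREENING = Mitigation(annual_cost=30_000, probability_factor=0.10, loss_factor=0.50)
FRAUD_POLICY = Insurance(annual_premium=60_000, coverage_fraction=0.80)

if __name__ == "__main__":
    treatment, cost, residual = choose_treatment(OVERSEAS_FRAUD, MERCHANT, FRAUD_SCREENING, FRAUD_POLICY)
    print(f"{OVERSEAS_FRAUD.name}: {treatment} at expected {cost:,.0f}/yr; residual risk: {residual}")
```

With the constructed figures the worst case (400,000) exceeds reserves, so acceptance is ruled out; mitigation at 30,000 shrinks the residual risk enough that it passes both acceptance conditions, giving a total expected cost of about 36,000 against 84,000 for insurance and 90,000 for refusing overseas orders. Weakening the mitigation (for instance a probability factor of 0.25) makes the residual risk unacceptable, and transfer becomes the cheapest option.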
Frameworks
The rise of frameworks
Quantitative investment metrics can be difficult to calculate
Often depend on figures that are not readily available (e.g., probability of loss, loss amount)
Frameworks emphasize the process of managing cybersecurity without explicit regard to loss, likelihood of attack
A simple early framework: SANS 20 Critical Controls
Source: https://www.sans.org/critical-security-controls/controls
NIST Cybersecurity Framework
NIST has created a standardized cybersecurity framework
1 Framework Core: common activities and outcomes
2 Framework Implementation Tiers: 4 levels that capture sophistication of risk management approach
3 Framework Profile: organization-specific configuration of the core
NIST Cybersecurity Framework Core
Organized around 5 core functions: identify, protect, detect, respond, recover
Each function has categories and subcategories
NIST framework details
Source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
NIST Cybersecurity Framework Implementation Tiers
1 Partial: no formalized risk management, limited organizational awareness, no external collaboration
2 Risk Informed: risk management practices approved and prioritization informed by threat and mission requirements, organizational awareness but no organization-wide approach to risk, and no formal external collaboration
3 Repeatable: formalized risk management in policy, organization-wide risk management approach, some external collaboration
4 Adaptive: practices adapted based on prior experience and gathered indicators, organization-wide risk management approach embedded in culture, external collaboration including active sharing with others
NIST encourages everyone to reach level 2; beyond that depends on risk reduction and cost-effectiveness
How NIST envisions the framework to fit in an organization
Source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
Use Case #1: Review of Cybersecurity Practices
While they do not replace a risk management process, these five high-level Functions will provide a concise way for senior executives and others to distill the fundamental concepts of cybersecurity risk so that they can assess how identified risks are managed, and how their organization stacks up at a high level against existing cybersecurity standards, guidelines, and practices. The Framework can also help an organization answer fundamental questions, including “How are we doing?” Then they can move in a more informed way to strengthen their cybersecurity practices where and when deemed necessary
Source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
Use Case #2: Establish or Improve a Cybersecurity Program
NIST lays out a 7-step plan
1 Prioritize and Scope
2 Orient
3 Create a Current Profile
4 Conduct a Risk Assessment
5 Create a Target Profile
6 Determine, Analyze and Prioritize Gaps
7 Implement Action Plan
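Steps 3, 5 and 6 of the plan above, worked in code, with the four Implementation Tiers from the earlier slide as the scale for each entry of a profile. This is an added teaching example, not material from the lecture or from NIST: the profiles are keyed by the five core functions the slides name, but the category names (`asset inventory`, `continuous monitoring`, and so on), the tier scores, the business weights and the cost estimates are constructed for illustration, and the prioritization rule (gaps still below the tier-2 baseline first, then benefit per unit cost) is an assumption of this example, loosely following the slide's remark that going beyond tier 2 depends on risk reduction and cost-effectiveness.

```python
"""Current-Profile vs Target-Profile gap analysis, following steps 3, 5 and 6
of the NIST seven-step plan, with the Framework Implementation Tiers as the
scale for each entry.

Added teaching example, not from the lecture slides or from NIST. The category
names, tier scores, business weights and cost estimates below are constructed
for illustration; a real profile is expressed over the Core's own categories
and subcategories.
"""
from typing import Dict, List, Tuple

FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")  # the five core functions
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
BASELINE_TIER = 2  # the slides: NIST encourages everyone to reach tier 2; beyond that is a cost/benefit call

Profile = Dict[str, Dict[str, int]]  # function -> category -> tier
Gap = Tuple[str, str, int, int]      # (function, category, current tier, target tier)


def validate_profile(profile: Profile) -> None:
    """Reject unknown core functions or tier values outside 1..4."""
    for function, categories in profile.items():
        if function not in FUNCTIONS:
            raise ValueError(f"unknown core function: {function}")
        for category, tier in categories.items():
            if tier not in TIERS:
                raise ValueError(f"{function}/{category}: tier {tier} is not in 1..4")


def find_gaps(current: Profile, target: Profile) -> List[Gap]:
    """Step 6, first half: every category whose target tier exceeds its current tier.
    A category missing from the current profile is treated as tier 1 (Partial)."""
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for function in FUNCTIONS:
        current_cats = current.get(function, {})
        for category, target_tier in target.get(function, {}).items():
            current_tier = current_cats.get(category, 1)
            if target_tier > current_tier:
                gaps.append((function, category, current_tier, target_tier))
    return gaps


def prioritize(gaps: List[Gap], weights: Dict[str, float],
               cost_to_close: Dict[str, float]) -> List[Gap]:
    """Step 6, second half (ordering rule is an assumption of this example):
    gaps still below the tier-2 baseline come first; within each group, rank by
    the function's business weight times tiers to climb, per unit of cost."""
    def key(gap: Gap):
        function, category, cur, tgt = gap
        benefit_per_cost = weights[function] * (tgt - cur) / cost_to_close[category]
        return (0 if cur < BASELINE_TIER else 1, -benefit_per_cost)
    return sorted(gaps, key=key)


def action_plan(ordered: List[Gap]) -> List[str]:
    """Input to step 7: one line per gap, in priority order."""
    return [f"{fn}/{cat}: raise from {TIERS[cur]} ({cur}) to {TIERS[tgt]} ({tgt})"
            for fn, cat, cur, tgt in ordered]


# Constructed sample profiles (category names are illustrative, not NIST's).
CURRENT: Profile = {
    "identify": {"asset inventory": 2, "risk assessment": 1},
    "protect":  {"access control": 3, "awareness training": 2},
    "detect":   {"continuous monitoring": 1},
    "respond":  {"response planning": 2},
    "recover":  {"recovery planning": 1},
}
TARGET: Profile = {
    "identify": {"asset inventory": 3, "risk assessment": 3},
    "protect":  {"access control": 3, "awareness training": 3},
    "detect":   {"continuous monitoring": 3},
    "respond":  {"response planning": 3},
    "recover":  {"recovery planning": 2},
}
WEIGHTS = {"identify": 1.0, "protect": 1.5, "detect": 2.0, "respond": 1.2, "recover": 0.8}
COST_TO_CLOSE = {"asset inventory": 20, "risk assessment": 30, "awareness training": 10,
                 "continuous monitoring": 80, "response planning": 25, "recovery planning": 30}

if __name__ == "__main__":
    for line in action_plan(prioritize(find_gaps(CURRENT, TARGET), WEIGHTS, COST_TO_CLOSE)):
        print(line)
```

On the constructed profiles, `access control` produces no gap because it already sits at its target, the three categories still at tier 1 (Partial) are listed first regardless of their benefit-per-cost score, and the remaining gaps are ordered by that score; the resulting list is what an action plan in step 7 would work through.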
Use Case #3: Communicating Cybersecurity Requirements with Stakeholders
NIST envisions that the framework can serve as a “common language to communicate requirements”
For example, if evaluating outsourcing partners, asking for their framework profile could help assess security practices
Offers the potential to mitigate information asymmetries between firms
Frameworks: wrapping up
Frameworks formalize best practices and structure how organizations think about cybersecurity implementation
How do frameworks compare to the metric-based approaches (ROSI, ENBIS, etc.) described in the course?
Can they coexist? Should they?