Cybersecurity strategy Risk management, cyber-warfare and incentives
Gergely Biczók (some slides from Levente Buttyán and Márk Félegyházi) BME CrySyS Lab [email protected]
ISSES SC meeting, Nis, Serbia, October 29th, 2018
Cyber security strategy
§ Corporate cyber security strategy: a plan of actions designed to improve the security and resilience of corporate (cyber) infrastructures and services (def. inspired by ENISA)
§ This sounds very much like...
ISSES 2018 | 2
Risk management
§ Information security = risk management
§ Risk = Likelihood x Impact (of attacks)
§ factors affecting likelihood:
  – threats: entities who can do you harm (a.k.a. attackers)
    » skill level, motive, opportunity, resources, ...
  – vulnerabilities: weaknesses that can be exploited
    » ease of discovery, ease of exploitation, awareness, ...
  – countermeasures: precautions you take
    » technical and non-technical
§ impact:
  – potential loss you may experience
    » direct loss (decreased revenue, cost of recovery)
    » indirect loss (losing reputation, fines for non-compliance)
§ likelihood and impact are difficult to quantify and subject to change!
Outline
§ Risk management
§ US Cyber Strategy
§ Cyber-warfare
§ Research on cyber-warfare modeling
Risk management: goal
(diagram: vulnerabilities -> threats -> incidents -> losses)
Goal: Minimize the costs associated with risks (threats)
Risk management: lifecycle
(figure) Source: Systems Engineering Fundamentals. Defense Acquisition University Press, 2001
Risk management: standards
§ ISO/IEC 27000 series: Information security management systems
  – 27005:2011: Information security risk management
  – generally accepted guidelines for implementing information management systems; also serves as a basis for audits
  – open source support: Enterprise Security Information System (ESIS)
§ NIST SP 800-30
§ ISACA Risk IT
§ Open Source Security Testing Methodology Manual (OSSTMM)
§ ISO/IEC 15408: Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC)
Risk management: phases
§ risk governance (RG)
§ risk assessment (RA)
  – risk mgmt context
    – define criteria
      » profile definition
      » requirements
    – resources
  – risk analysis
    • identification
    • estimation
  – risk evaluation
§ risk monitoring and review (RM)
  – monitoring
  – communication
  – awareness
§ risk treatment (RT)
  – prevent
  – mitigate
  – transfer
  – accept
RG: Risk management planning and governance
§ develop an enterprise risk management strategy
§ establish and maintain a risk management plan
  – risk appetite
  – risk tolerance
§ ensure that IT risk management is embedded in the system
  – integrate with business processes
§ provide resources for risk management
§ establish responsibilities and accountability
(figure: generic control of risk management)
RG: Establish and maintain a common risk view
Behavior towards risks: risk appetite
§ risk appetite: the property of engaging with risks
  – risk-averse
  – risk-neutral
  – risk-taking
  accept to pursue a return?
§ risk tolerance: tolerance towards the difference from the risk level as defined in risk appetite

Excerpt reproduced on the slide (from the Risk IT framework, chapter 5):
5. ESSENTIALS OF RISK GOVERNANCE
This chapter discusses a few essential components of the Risk Governance domain. They are discussed briefly, and more information and practical guidance can be found in The Risk IT Practitioner Guide. The topics discussed here include:
Risk Appetite and Tolerance
COSO Definition
Risk appetite and tolerance are concepts that are frequently used, but the potential for misunderstanding is high. Some people use the
Risk appetite can be defined in practice in terms of combinations of frequency and magnitude of a risk. Risk appetite can and will be
Risk appetite can be defined using risk maps. Different bands of risk significance can be defined, indicated by coloured bands on the risk map shown in figure 7.
Figure 7—Risk Map Indicating Risk Appetite Bands
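As an added worked example (not from the slides or from the Risk IT framework), the formula Risk = Likelihood x Impact, the appetite bands on the risk map and the treatment options (accept, mitigate, transfer) turned into a small Python risk register; the register entries, loss figures, band thresholds and countermeasure costs are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One (threat, vulnerability) pair from a risk register."""
    name: str
    likelihood: float  # expected incidents per year (assumed estimate)
    impact: float      # loss per incident in EUR, direct + indirect (assumed)

    def annual_loss(self) -> float:
        # Risk = Likelihood x Impact, expressed as expected yearly loss
        return self.likelihood * self.impact

# Risk appetite as bands on the risk map: upper limits on expected annual
# loss and the treatment each band implies (hypothetical thresholds).
APPETITE_BANDS = [
    (10_000, "accept"),               # below appetite: accept and monitor
    (100_000, "mitigate"),            # within tolerance: reduce with countermeasures
    (float("inf"), "transfer/avoid"),  # above tolerance: insure, outsource or avoid
]

def band(risk: Risk) -> str:
    """Place a risk into the appetite band its expected annual loss falls in."""
    for limit, label in APPETITE_BANDS:
        if risk.annual_loss() < limit:
            return label
    raise ValueError("bands must end with an open upper limit")

def worth_it(risk: Risk, yearly_cost: float,
             new_likelihood: float, new_impact: float) -> tuple[bool, float]:
    """Risk treatment check: a countermeasure pays off only if the yearly
    reduction in expected loss exceeds what the countermeasure costs per year."""
    residual = Risk(risk.name, new_likelihood, new_impact)
    saving = risk.annual_loss() - residual.annual_loss()
    return saving > yearly_cost, saving

# Constructed register (sample values, not real data)
REGISTER = [
    Risk("phishing leading to credential theft", likelihood=2.0, impact=30_000),
    Risk("ransomware on the file server", likelihood=0.2, impact=800_000),
    Risk("lost unencrypted laptop", likelihood=0.5, impact=12_000),
]

def triage(register: list[Risk]) -> dict[str, str]:
    """Map every risk in the register to its appetite band / treatment."""
    return {r.name: band(r) for r in register}

if __name__ == "__main__":
    for name, treatment in triage(REGISTER).items():
        print(f"{name}: {treatment}")
    # Countermeasure decision: MFA cutting phishing incidents from 2.0 to 0.2/year
    print(worth_it(REGISTER[0], yearly_cost=25_000, new_likelihood=0.2, new_impact=30_000))
```

The same check shows why a cheap-looking countermeasure may still be declined: disk encryption for the laptop risk (cost 8,000/year, impact cut to 1,000) saves only 5,500/year, so the residual risk is accepted.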