Cybersecurity Strategy – Risk Management, Cyber-Warfare and Incentives

Cybersecurity strategy: Risk management, cyber-warfare and incentives
Gergely Biczók (some slides from Levente Buttyán and Márk Félegyházi)
BME CrySyS Lab, [email protected]
ISSES SC meeting, Nis, Serbia, October 29th, 2018

Cyber security strategy
§ Corporate cyber security strategy: a plan of actions designed to improve the security and resilience of corporate (cyber) infrastructures and services (definition inspired by ENISA)
§ This sounds very much like...
ISSES 2018 | 2

Risk management
§ Information security = risk management
§ Risk = Likelihood x Impact (of attacks)
§ Factors affecting likelihood:
  – threats: entities who can do you harm (a.k.a. attackers)
    » skill level, motive, opportunity, resources, ...
  – vulnerabilities: weaknesses that can be exploited
    » ease of discovery, ease of exploitation, awareness, ...
  – countermeasures: precautions you take
    » technical and non-technical
§ Impact:
  – potential loss you may experience
    » direct loss (decreased revenue, cost of recovery)
    » indirect loss (loss of reputation, fines for non-compliance)
§ Likelihood and impact are difficult to quantify and subject to change!

Outline
§ Risk management
§ US Cyber Strategy
§ Cyber-warfare
§ Research on cyber-warfare modeling

Risk management: goal
§ vulnerabilities – threats – incidents – losses
§ Goal: minimize the costs associated with risks (threats)

Risk management: lifecycle
[Figure: risk management lifecycle. Source: Systems Engineering Fundamentals, Defense Acquisition University Press, 2001]

Risk management: standards
§ ISO/IEC 27000 series – Information security management systems
  – ISO/IEC 27005:2011 – Information security risk management
  – generally accepted guidelines for implementing information security management systems; also serves as a basis for audits
  – open source support: Enterprise Security Information System (ESIS)
§ NIST SP 800-30
§ ISACA Risk IT
§ Open Source Security Testing Methodology Manual (OSSTMM)
§ ISO/IEC 15408 – Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC)

Risk management: phases
§ Risk governance (RG)
§ Risk assessment (RA)
  – risk management context
    » define criteria (profile definition, requirements)
    » resources
  – risk analysis
    » identification
    » estimation
  – risk evaluation
§ Risk treatment (RT)
  – prevent
  – mitigate
  – transfer
  – accept
§ Risk monitoring and review (RM)
  – monitoring
  – communication
  – awareness

RG: Risk management planning and governance
§ develop an enterprise risk management strategy
§ establish and maintain a risk management plan
  – risk appetite
  – risk tolerance
§ ensure that IT risk management is embedded in the system
  – integrate with business processes
§ provide resources for risk management
§ establish responsibilities and accountability
§ generic control of risk management
[Figure: excerpt from ISACA, "Risk IT framework," 2009, chapter 5 "Essentials of Risk Governance" (risk appetite and tolerance, COSO definition)]

RG: Establish and maintain a common risk view – Behavior towards risks
§ risk appetite: the property of engaging with risks
  – risk-averse
  – risk-neutral
  – risk-taking
§ risk tolerance: tolerance towards the difference from the risk level as defined in risk appetite
[Figure: ISACA Risk IT framework, Figure 7 "Risk Map Indicating Risk Appetite Bands": magnitude vs. frequency, with bands "Really unacceptable" (may trigger an immediate risk response), "Unacceptable" (the enterprise may, as a matter of policy, require mitigation or another adequate response within certain time boundaries), "Acceptable" and "Opportunity" (found by decreasing the degree of control or where opportunities for assuming more risk might arise). Risk appetite is defined in practice by combinations of frequency and magnitude; there is no universal right or wrong, but it needs to be defined, well understood and communicated.]
Source: ISACA, "Risk IT framework," 2009

RG: Key factors for success
§ continuous support from top management
§ central management – common strategy
§ successful integration with business processes
§ optimize tasks and controls (avoid over-control)
§ compliant with the company's business philosophy
§ continuous training
§ never-ending process!
Source: European Network and Information Security Agency (ENISA), "Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools," June 2006

RA: Risk assessment
§ identification
  » persons, assets and system info
  » technical / management / operational controls
  » information gathering – info sources
  » threat sources – attacker model
  » vulnerability identification
§ analysis / estimation
  » control analysis – security options (ROSI)
  » categorize threats by likelihood
  » impact analysis – system-critical incidents
§ evaluation
  » risk determination
[Figure: NIST SP 800-30, Figure 3-1, Risk Assessment Methodology Flowchart (input, activities and output for each step, from system characterization to results documentation)]
Source: NIST SP 800-30, "Risk Management Guide for Information Technology Systems," July 2002

RA: Risk analysis
[Figure: NIST SP 800-30, Figure 4-1, Risk Mitigation Action Points (decision flow from threat source and vulnerability to accepted or mitigated risk); the accompanying SP 800-30 text on the risk mitigation strategy notes that appropriate points for implementing control actions are indicated in the figure by the word YES]
Source: NIST SP 800-30, "Risk Management Guide for Information Technology Systems," July 2002

RT: Risk treatment: options
§ avoidance
  – eliminate incidents
§ mitigation
  – testing to determine the appropriate controls
  – reduce impact
§ sharing / transfer
  – disclaimer: no party is responsible
  – agreement: responsibility transferred
  – compensation
    » risk pooling: share losses
    » risk hedging: bet for losses
§ acceptance / retention
  – self-insure
  – accept losses
(partially from: Blakley, B.)