Challenges in Working with Converged Scenarios

Challenges in Working with Converged Risk Registers

Few companies work effectively with risk registers, either as a process or as a tool. The common failure of registers is that they become nothing more than a register, in which risks are recorded and then not acted upon, particularly in regard to cyber threats.

The utility of risk registers as a tool to enable proactive management of risk control measures is typically lost in the nature of the ‘register’. Even the larger companies typically need to take a more rigorous approach to recording both risks and events, and to ensure that the register plays a relevant role in an effective risk management process. This highlights the dual characteristic of a risk register as a tool as well as a process that generates the records and actionable outcomes.

The majority of firms could benefit from a register to underpin their risk assessment methodology, and the lack of a register is often a contributory factor for not engaging in a comprehensive risk assessment process.

If companies extend their consideration of more plausible risks, they would be able to adopt a more systematic approach to tackling a broader range of emerging converged threats.

As with other ‘tools’, in the majority of cases risk registers are not fully referenced in risk management decision-making because of deficiencies in the construct of the register. In most cases there is a reticence to build and maintain an in-house register, often partly due to a lack of vision at senior management level in considering risk holistically and strategically, as much as to the resourcing of an in-house open source risk intelligence capability. Aside from the challenges of gathering the requisite intelligence, the potentially more valuable element to an organisation is the process of creating and maintaining a risk register, if firms can objectively consider the risks and their own vulnerabilities to cyber threats.

This process contributes significantly to a real shift in organisational attitudes towards risk awareness, which is the greatest weakness in the current risk climate. Allocating management time is most commonly quoted as the greatest organisational barrier to developing awareness and consensus among stakeholders around where attention needs to focus, and around the required changes in attitudes.

Therefore the process of creating a risk register is most usefully achieved by bringing together stakeholders to prioritize the risks as they see them, the vulnerabilities that they are most aware of, and the priorities for contingency planning. This invariably draws out priorities for risk intelligence & analysis, the acceptance that a ‘register’ is important, and an understanding of why different elements are usefully and relevantly included in the register.

Given the rise in awareness of cyber threats, and the challenges in identifying them, it may prove more challenging to create a comprehensive register of converged risk, but any process that will focus board attention on vulnerabilities, and emphasise the ‘business resilience’ rationale for mitigation, is an important justification for a risk register process.

In some cases this may deliver a register of vulnerabilities as a final deliverable, which, in the case of cyber threats, is a fundamental that most companies lack.

Challenges in Working with Converged Scenarios

A well-maintained risk register can be indicative of how well a company manages its risks, if it contains relevant information on the risks, their status, qualitative/quantitative analysis and the risk responses. It is important to note that the development of a register of risks should be seen as the beginning of a continuous improvement cycle driven by senior management, provided the register identifies performance standards and provides indicators that management can review & monitor.

However there is a danger that the register becomes too much of a management tool for checking on progress, and less a tool for analysts monitoring changes in threats, vulnerabilities and probabilities, which significantly reduces the value of a register within a continuous cycle.

To contribute to an effective risk management process a register needs to inform preparation to respond to events: first, to identify the appropriate mitigating steps that control the probability & impact of an event; second, to highlight issues or security capabilities that need to be tested & verified. It should therefore drive focus on priority threats, and give early warning of emerging scenarios that executive management should be aware of.

When considering converged threats, it should also allow analysts to group different types of threat according to specific characteristics, and then combine those clusters into scenario variations as a method of developing greater understanding of potential consequences. Applying clusters of risks to generate scenarios can be problematic for many firms that lack the analysis and experience to do so effectively.

Cyber and converged risk scenarios present a new challenge to security planners. Scenario planning is more suited than any other approach for developing a better appreciation of converged threats, because it is difficult to identify precisely how future threats will manifest themselves in a cyber domain.

The key to developing security risk strategy through scenarios is that the outcomes lead to decisions that effectively mitigate risk across several possible future threats or attack vectors.

In order to achieve this, scenarios are created in batches that demonstrate the manifestation of one specific ‘element’ of a converged threat, such as a cyber attack to disable access control systems. These batches of scenarios illustrate several ways that one threat can evolve and develop into different plausible outcomes that planners need to be able to cope with, and provide a useful basis for security exercises.

However, the main goal of scenario planning is NOT to confirm or simulate future events, in the way that an exercise would, because scenario planning is a precursor to conducting effective exercises. Scenario planning should help managers recognise when assumptions are being challenged by events, while exercises will develop the ability to respond appropriately. In creating greater managerial ‘agility’, scenarios should aim to target factors or vulnerabilities that would justify future focus and investment.

The unique aspect of considering converged risk is the type of vulnerability that is uncovered specifically because of the compounding effect of a threat. As there are countless ways in which specific cyber threats can present themselves, an effective risk register process should collate threats and vulnerabilities in a way that can feed usefully into scenario-building.
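As an added illustration (not from the original article or Optimal Risk), the following Python sketch models a converged register with the fields the text names (risk, status, qualitative scoring, response), flags entries that have been recorded but not reviewed, and clusters entries by a shared ‘element’ so that only clusters mixing cyber and physical risks are proposed as scenario batches. All entries, scores and element names are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Hypothetical field set for a converged risk register entry: the text
# lists risks, status, qualitative/quantitative analysis and responses.
@dataclass(frozen=True)
class Risk:
    rid: str
    title: str
    domain: str             # "cyber" or "physical"
    elements: frozenset     # characteristics used to cluster into scenarios
    likelihood: int         # 1..5 qualitative score
    impact: int             # 1..5 qualitative score
    status: str             # "open", "mitigating", "accepted", "closed"
    last_reviewed: date
    response: str = ""      # agreed mitigating step, if any

    def score(self) -> int:
        return self.likelihood * self.impact

# Constructed sample register; titles, dates and scores are illustrative only.
REGISTER = [
    Risk("R1", "Ransomware on building-management server", "cyber",
         frozenset({"access control", "building systems"}), 3, 5, "open", date(2012, 12, 15)),
    Risk("R2", "Tailgating into data hall", "physical",
         frozenset({"access control"}), 4, 3, "mitigating", date(2013, 3, 20), "guard briefing"),
    Risk("R3", "Phishing of finance staff", "cyber",
         frozenset({"email"}), 4, 3, "open", date(2013, 2, 1)),
    Risk("R4", "Loss of mains power to site", "physical",
         frozenset({"building systems"}), 2, 4, "accepted", date(2012, 11, 1)),
]

def stale_risks(register, today, max_age_days=90):
    """Entries that are not closed and have not been reviewed within
    max_age_days: the 'recorded but not acted upon' failure. Oldest first."""
    old = [r for r in register
           if r.status != "closed" and (today - r.last_reviewed).days > max_age_days]
    return sorted(old, key=lambda r: r.last_reviewed)

def scenario_batches(register):
    """Cluster risks by shared element and keep only clusters that combine
    cyber and physical entries, i.e. the converged ones worth a scenario batch.
    Each batch is ordered by qualitative score, highest first."""
    clusters = defaultdict(list)
    for r in register:
        for element in r.elements:
            clusters[element].append(r)
    return {e: sorted(rs, key=lambda r: (-r.score(), r.rid))
            for e, rs in clusters.items()
            if {r.domain for r in rs} >= {"cyber", "physical"}}
```

Running `scenario_batches(REGISTER)` yields batches for ‘access control’ and ‘building systems’ but not ‘email’, since the phishing entry has no physical counterpart in the sample register.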

Developing scenarios for emerging converged threats should begin with the identification of focus issues that tend to fall outside the scope of most current fears, and are therefore more likely to expose current levels of preparedness. Some will currently be outside the sphere of influence or control, so the focus for scenario analysis should be the uncertainties that are critical to the focus issue and yet the most difficult to predict. This applies to cyber elements within the overall security landscape, which are best prioritized from the risk register.

One of the main objectives of the scenario process is to create awareness of how changes in underlying factors can change the way events unfold during a crisis, and better understand the relationship between different factors.

To help security managers identify and interpret risk intelligence, whether to model security risk or for other planning purposes, scenarios can provide a more insightful understanding of the context in which they operate and how it may evolve.

By creating new awareness among all decision-makers, scenarios create recognition of vulnerabilities, inform managers of where to short-list options for investment planning, and expose the implications of the trade-offs they may need to consider.

As the scenario-building process needs to bring together managers from different security disciplines in order to consider converged threats, well-prepared scenarios acknowledge & examine the nature of uncertainties and cater for the broad range of opinions that this converged risk thinking will uncover around cyber threats.

The most apparent advantage of scenarios is that there can be more avenues to mitigating converged risk than in other ‘pure’ fields. So rather than seeking a single outcome based on a consensus, scenario planning is a process designed to accommodate both qualitative and quantitative inputs and, most pertinent to converged risk, to reconsider multiple views and priorities across the different disciplines of physical and cyber security.

While many firms do not systematically invest time & resources in scenario-building exercises, they nevertheless recognise that they need to consider and compare their readiness to deal with different threats, and to manage a variety of potential consequences. The cross-discipline complexity of converged threats almost demands that risk registers develop and illustrate this, and a valuable derivative of a risk register can be a range of priorities for threat modelling & exercising.

Posted: 4 April 2013 by Optimal Risk Administrator