‘Future-Proofing’ against Converged Information Risk

A well maintained risk register can be indicative of how well a company manages its risks, if it contains relevant information on the risks and responses supported by both qualitative and quantitative analyses. However there is a danger that the register becomes too much of a management tool for checking on progress, and less a tool for analysts monitoring changes in threats, vulnerabilities and probabilities. To start ‘future-proofing’ an organisation requires methods that will build awareness and preparedness for future threats, and a basis for investing to mitigate the risks. To be effective, risk management needs a methodology to identify the appropriate mitigating steps that control the probability & impact of an event, but also to highlight issues, or security capabilities that need to be verified, and test them. It should therefore create focus on preparedness for priority threats, and give early warning of emerging scenarios that executive management should be aware of.

Potentially the more valuable element to an organisation is the process of creating and maintaining a risk register, if firms can dynamically consider threats and vulnerabilities, based on scenarios, and built on a real quantitative foundation. This process contributes significantly to a real shift in organisational attitudes towards risk awareness, focus board attention on vulnerabilities, and emphasis the ‘business resilience’ rationale for investment in remediation. It therefore needs to incorporate is a financial mapping of assets & processes, the technical identification of vulnerabilities, and a financial model that informs scenario considerations.

Cyber risk scenarios present a new challenge to security and risk planners. The key to developing converged security risk strategy through scenarios is that the outcomes must lead to decisions that effectively mitigate information risk from physical, human, and cyber threats. In order to achieve this, scenarios should demonstrate the manifestation of one specific ‘element’ of a converged threat, and illustrate several ways that one threat can evolve and develop into different plausible outcomes. Without this key aspect, the quantitative evaluation of probable impacts will always be understated and inaccurate.

Developing scenarios for future threats should focus on issues that are more likely to expose current levels of preparedness, and uncertainties that are critical but most difficult to predict. In doing so the scenario process creates awareness of how changes in underlying factors affect security failures, and better understand the relationship between different factors.

Factor Analysis of Information Risk [FAIR] is the recommended methodology for achieving this, particularly when used to illustrate scenarios outcomes. The unique aspect to the consideration of converged risk is the type of vulnerability that is uncovered specifically because of the compounding and multifaceted nature of sophisticated threats. As there are multiple ways in which specific converged threats can present themselves, an effective scenario-building process should dynamically address threats and vulnerabilities in a way that can feed usefully into risk assessment.

A ‘what-if’ scenario approach to quantifying risk using FAIR, can be applied for introducing, removing, or modifying controls over information assets, as well as processes, and to see how they reflect on the overall future risk posture of the business. Risk-modelling generates the quantitative outputs that allow business oriented decision-making by informing managers of where to short-list options for investment planning, and security risk implications for the trade-offs they may need to consider. The advantage of introducing these quantitative inputs to the scenario process is to balance investment between technology, processes, and management across the organisation, based on an accurate appreciation of sophisticated threat scenarios, against proven & tested vulnerability.

Each vulnerability and exposure should include assessment of the ability to generate & exploit opportunity to gain access to the information assets. This must include physical access, and human vulnerability to social engineering as well as access through less standard devices such as mobile equipment, custom systems and applications, control systems, and embedded devices – mimicking the approach of an advanced attacker. This phase of FAIR is not limited to technical vulnerabilities of some application or server, but also must include risks to business processes, 3rd party providers involved in a business process, and any other aspect of the asset lifecycle. The human factor must also be evaluated based on the level of education in relation to the criticality of the assets, and the awareness to risks related to the business process at stake.

While many firms do not systematically invest time & resources in scenario-building exercises, they need to consider their readiness to deal with different threats, and manage a variety of potential consequences. As the scenario-building process brings together managers from different security disciplines in order to consider the converged aspects your human firewall, physical security, and IT, well-prepared scenarios examine the converged nature of uncertainties and cater for the broad range of opinions that a cross-discipline approach will uncover around cyber threats.

For more information about cyber scenario building visit http://www.optimalrisk.com/Risk-Security-Consulting/Risk-Scenario-Building