Presented by: Russell Thomas, George Mason University
Abstract: Two aspects of cyber security that everyone struggles with are metrics and business impact. How do we measure it to improve and how do we make it meaningful to business decision makers? This gap appeared again recently in the NIST Cyber Security Framework (CSF) process RFI responses. But there is no need to wait for NIST CSF or anything else because there is a viable method available now that you can use to build your own CSF. Namely the “Balanced Scorecard” method.
The key idea is to focus on performance against measurable objectives in all critical dimensions that, taken together, will lead to better security, privacy, and resiliency outcomes, even in a dynamic and highly uncertain threat environment. In this presentation, we’ll explain the ten critical dimensions of cyber security performance, explain how they are interrelated and feed off each other, show how to create a performance index in each dimension, and describe how the balanced scorecard can be used to drive executive decisions. This presentation should be valuable to managers and executives in every type of organization in the energy sector, including the supply/service chain. Consultants, regulators, and academics should also find it interesting and useful.
How to Build Your Own Cyber Security Framework using a Balanced Scorecard
1. How to Build Your Own Cyber Security Framework using a Balanced Scorecard
Russell Cameron Thomas
EnergySec 9th Annual Security Summit
September 18, 2013
Twitter: @MrMeritology
Blog: Exploring Possibility Space
10. “Cyber security performance” is… systematic improvements in an organization's dynamic posture and capabilities relative to its rapidly-changing and uncertain adversarial environment.
43. Our New Capability: Attack-driven Defense
1. Raise cost to attackers
2. Increase odds of detection
3. Iterate defense based on real attack patterns
[Chart annotation: "24 months earlier"]
Source: Etsy, http://www.slideshare.net/zanelackey/attackdriven-defense
46. Sensors: Pattern Detection for Anomalous User Behavior
[Chart: x-axis "User Class" with categories Any, Non-Tech., Tech.; annotation "24 months earlier"]
Source: Etsy, http://www.slideshare.net/zanelackey/attackdriven-defense
53. The Crime: Artificially Congested, Subsidized Generators
Manipulation of Wholesale Market Subsidies
[Chart: Congestion patterns, July 14, 2017]
54. Losers: You and hundreds of other microgrids forced to generate spot market bids during price spikes. (Botnet-style. Each loses a little $$)
Scam: Generate losing trades in one market to make money in another market