I am honored and humbled to have been given the opportunity to discuss practices to address cyber risks at the 2021 STRONGER conference hosted by CyberSaint Security (Sep 28, online). I will discuss the building blocks to quantify and communicate risks to protect IT assets, processes, and services. Thanks to Ethan Bresnahan for the flawless preparation of the event.
You are welcome to register here https://lnkd.in/eitKYDsX
#cybersecurity #security #datasecurity #infosec #riskmanagement #ciso #stronger2021
3. Data to Performance
You need to obtain good data to quantify your cyber security risks. Good data will help you decide priorities and investments today to maximize performance tomorrow.
4. Business impact assessment
You need to assess the financial impact on the confidentiality, integrity and availability objectives if a cyber risk materializes. The financial impact should be broken down into number of records, affected parties and downtime hours.
5. Business impact assessment
               Confidentiality    Integrity          Availability
IT Asset       Record · Cost      Record · Cost      Downtime · Cost
IT Process     Record · Cost      Record · Cost      Downtime · Cost
IT Service     Record · Cost      Record · Cost      Downtime · Cost
You can model multiple scenarios, each with its own distribution: Triangular, Lognormal, Discrete, Uniform, Pareto, Normal.
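The Record · Cost and Downtime · Cost terms from this slide, sampled from the distribution families it lists and combined by Monte Carlo into a loss distribution. This is an added example, not material from the deck; every parameter value below is a constructed assumption.

```python
import math
import random
import statistics

# Constructed scenario (assumptions, not figures from the deck): one IT asset,
# with loss terms on the axes of the slide's table. Each term draws from one of
# the distribution families the slide lists.
SCENARIO = {
    # Confidentiality: records exposed x cost per record
    "records":         ("lognormal",  {"mu": math.log(20_000), "sigma": 0.8}),
    "cost_per_record": ("triangular", {"low": 100.0, "mode": 160.0, "high": 250.0}),
    # Availability: downtime hours x cost per hour
    "downtime_hours":  ("triangular", {"low": 4.0, "mode": 12.0, "high": 48.0}),
    "cost_per_hour":   ("uniform",    {"low": 5_000.0, "high": 9_000.0}),
    # Primary impact that is either a fixed amount or nothing: contractual penalty
    "penalty":         ("discrete",   {"values": [0.0, 50_000.0, 250_000.0],
                                       "weights": [0.70, 0.25, 0.05]}),
}

def sample(rng, kind, p):
    """Draw one value from a named distribution family using the stdlib RNG."""
    if kind == "lognormal":
        return rng.lognormvariate(p["mu"], p["sigma"])
    if kind == "triangular":
        return rng.triangular(p["low"], p["high"], p["mode"])  # (low, high, mode)
    if kind == "uniform":
        return rng.uniform(p["low"], p["high"])
    if kind == "normal":
        return rng.gauss(p["mean"], p["sd"])
    if kind == "pareto":
        return p["scale"] * rng.paretovariate(p["alpha"])
    if kind == "discrete":
        return rng.choices(p["values"], weights=p["weights"])[0]
    raise ValueError(f"unknown distribution: {kind}")

def simulate_loss(rng, scenario):
    """One trial: sample every term, then combine them into a financial loss."""
    s = {name: sample(rng, kind, p) for name, (kind, p) in scenario.items()}
    return (s["records"] * s["cost_per_record"]
            + s["downtime_hours"] * s["cost_per_hour"]
            + s["penalty"])

def loss_distribution(scenario, trials=20_000, seed=1):
    """Run the Monte Carlo and report the mean and tail percentiles of the loss."""
    rng = random.Random(seed)          # fixed seed keeps the run reproducible
    losses = sorted(simulate_loss(rng, scenario) for _ in range(trials))
    pct = lambda q: losses[min(int(q * trials), trials - 1)]
    return {"mean": statistics.fmean(losses),
            "p50": pct(0.50), "p90": pct(0.90), "p99": pct(0.99)}
```

`loss_distribution(SCENARIO)` returns the figures to communicate (expected loss plus the 90th and 99th percentile tail), which is what a heat-map colour cannot express.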
6. Business impact assessment
Primary impact:
• Downtime costs
• Notification and response costs
• Damage on IT assets
• Contractual penalties
• Fraud losses
Secondary impact:
• Profitability losses of potential and current clients
• Regulatory fines
• IP and competitive losses
• Cost of changing the CISO
7. Statistical analysis
You can use external data by adjusting for the significant variances between industries, geographies, organization sizes and business models relative to your organization.
8. Statistical analysis
Threat and attack statistics:
• Budget vs. actual by project
• Incident database
• Fraud and social engineering
• Penetration testing findings
• Discovered security vulnerabilities
• Malware logs
9. Statistical analysis
Threat and attack statistics (continued):
• KPIs for SLAs and outsourcing contracts
• Ongoing due diligence results
• Lost and early disposed IT assets
• Maintenance analysis
11. Model backtesting
You can measure the impact of risk incidents and compare plans against actual outcomes to improve your risk data, and use regression-based methods to do so.
14. Scoring and data cocktails
If you assess cyber risks using scores or data cocktails (useless formulas for inherent risks, general data and control efficiency scores disconnected from the concrete objectives for the IT assets), you are just wasting time and encouraging wrong decisions.
19. Heat maps and risk matrices
If you assess and communicate your cyber risks with colors and adjectives, you are committing malpractice and creating liabilities for your organization.