
Approaching Cyber Risk Management Model
Simplified model for Security Governance

2015
Agenda

Introduction and Frame

The Cyber Risk Management Model

Overview

Cyber Risk Management governance approach: task analysis

Q&A

Rome | 2015 2
Introduction

Who the hell are You?????

Frame: the term “Cybernetics”

• Cyber is the prefix of the word “cybernetics”, descending from the Greek adjective κυβερνητικός (good at steering, governing)
• The term 'cybernetics' was used for the first time by Norbert Wiener in “Cybernetics or Control and Communication in the Animal and the Machine” (MIT Press, 1948)
Frame: preliminary Questions

Where is Cyberspace?

(Diagram: the infrastructure layer, made of Network, Computer Systems, Internet, SCADA and Telcos, each carrying Data and Controls.)
Frame: preliminary Questions

Why a CyberAttack?

Corporate information theft
• Due to: Unfair Competition; Information Sale
• Consequences: Loss of opportunity / market; Law Infringement (Privacy law); Damage claim; Extra expenses

Finance / Brand impairment
• Due to: Unfair Competition; Sabotage, Vandalism
• Consequences: Operational interruption; Reputational loss; Corporate goods / assets loss; Reparations, penalties

Fraud
• Due to: Unlawful moneymaking
• Consequences: Property Loss; Reputational loss; Reparations
Frame: preliminary Questions

How a CyberAttack?

Adversary → Target Research → Infiltration → Discovery → Capture → Exfiltration
Frame: preliminary Questions

How to deal with a Cyber Attack?

Three control dimensions: Corporate Resiliency Awareness (potential threat scenarios); Control on real breakdowns / violations; Control on corporate sources (are they in?)

DIGITAL INVESTIGATION
• Crisis Management
• Testing

INCIDENT RESPONSE: a formalized and effective plan on:
• Incident Response
• Disclosure
• Forensics
• Communications

CYBER GOVERNANCE
• Cyber Compliance framework
• Cyber Security Program: Cyber Security RA, Cyber Maturity Report, Cyber Roadmap
Frame: real cases

• 50%: corporate respondents of a survey on the most critical risk (Global IT Security Risks: 2012 – Kaspersky)
• Top 5 Global Risks by likelihood / severity (Global Risk Report, 2014)
• $250: price to loan 15.000 infected laptops (bot) for a cyber attack
• “Cyber attacks should be intended as the most dangerous emerging risk for economy” (World Economic Forum, 2014)
Frame: real cases

JP Morgan Chase data breach (October 2014)

• Hackers on internal networks for several months before being discovered
Overview of the Management Model

Risk of the Cyberspace

Equalize risk control according to business requirements: balance the convenience of the cyberspace against its risks.

Convenience
• Cleverness of the IT systems
• Flexibility
• Innovation
• Costs saving

Risks
• Cyber Attack
• Compliance
• Risks in operation
• Fraud
• Service Continuity
• Data Breach
• Intellectual Property
Overview of the Management Model

Cyber Risk Management Framework

Assess: IDENTIFY | QUANTIFY | ANALYZE
A thorough understanding of your risk profile is critical, and that means more than the typical compliance audit. You need to inventory cyber-vulnerable assets, identify new and emerging threats, internal and external, and model an event's potential impact. The evolving nature of cyber risk requires you to continuously monitor changes in your organization's risk profile, then adapt.

Manage: PREVENT | PREPARE | TRANSFER
Cyber risk management typically requires a balance of:
• Prevention: to stop cyber-attacks from succeeding
• Preparation: to make sure you are ready when an event happens
• Risk transfer: to transfer the exposure off your balance sheet

Respond: REACT | RECOVER | COMMUNICATE
You likely cannot stop a cyber-attack from occurring, but you can control how you respond to it. A quick, effective reaction is essential, and the decisions you make after an event can have lasting implications.
Overview of the Management Model

Cyber Risk Management Framework: Assess | Manage | Respond

Every risk management model refers to the international standard ISO 31000 – RISK MANAGEMENT. Its process:

Info Gathering → Risk Identification → Risk Assessment (Risk Analysis → Risk Evaluation) → Risk Treatment, with Monitoring & Review across all steps
Cyber Risk Management Methodology
Information gathering

Activities:
§ Requirements identification
§ Definition of the evaluation criteria
§ Detailed planning
§ Checklist implementation
§ Documentation analysis
§ Interview with the process/system owner
§ Identification of the assets (primary and supporting assets or groups of assets)
§ Identification of existing controls
§ Customer Review

Checklist structure (one row per control): Domain | Control | Notes | Owner | Answers | Criticality, e.g. Domain 1: Control 1.1 … Control 1.n; Domain x: Control x.1 … Control x.n

Scope of the checklist: § Process § Technologies § Sites § Personnel § Third parties

Sources of the controls:
• Standard Controls: ISO 27001 (Annex A)
• Custom Checklist: Corporate Guidelines, ITIL v.3, SANS Critical Controls

Note
• Adopting an Overview and Standard approach, the Process/System Owner is the focal point of the analysis
→ Documentation analysis + interviews
Cyber Risk Management Methodology (framework phases: Analysis | Management | Response)

Risk Assessment – ISO 27005

Risk Assessment Process: Context establishment → Evaluation of the assets → Threats and vulnerabilities Assessment → Level of Risk determination (Risk Scenario)

Context establishment
§ Preliminary Assessment: identification of primary assets, including organization, processes and activities able to provide services
§ IT Assessment: identification of supporting assets, in terms of hardware, software and network devices
§ Physical Assessment: description of the physical components used to provide services (infrastructures, working areas, environment, etc.)

Evaluation of the assets
Evaluation of the criticality level of the information, considering several typologies of events that can cause losses of:
§ Confidentiality
§ Integrity
§ Availability

Threats and vulnerabilities Assessment
Evaluation of both Threats and Vulnerabilities for each asset identified in the previous step:
§ Threat → potential event that may cause an unwanted incident that harms an organization or system
§ Vulnerability → exposure level of an asset to a potential threat

Level of Risk determination (Risk Scenario)
Likelihood (L) → probability that a threat harms an asset
Vulnerability (V) → vulnerability level of an asset exposed to a threat
Impact (I) → potential consequences (connected to the asset criticality)
Risk Scenario (R) → level of risk of a specific asset and the related threat

R = L x V x I
Cyber Risk Management Methodology
Risk Assessment – ISO 27005

Risk Assessment Process, step 1: Context establishment

Organization evaluation: identify the processes and the activities needed for delivery of business services
IT Assessment: identify the ICT assets, in terms of hardware, software and network devices
Physical Assessment: identify the physical components used to provide services (infrastructures, working areas, environment, etc.)

Output: an asset inventory (Asset ID | Asset Description)
Cyber Risk Management Methodology
Risk Assessment – ISO 27005

Risk Assessment Process, step 2: Asset Evaluation

Assess the criticality level of the information typology with drivers (Confidentiality, Integrity and Availability)
• Bind the typology of the information and the assets
• Associate the asset with the worst impact scenario

Output: a table (Information | Confidentiality | Integrity | Availability | Issues | Asset Value)
Cyber Risk Management Methodology
Risk Assessment – ISO 27005

Risk Assessment Process, step 3: Threats and Vulnerabilities Assessment

Threats
Threats may be deliberate, accidental or environmental (natural) and may result, for example, in damage or loss of essential services.
§ Deliberate: all deliberate actions aimed at information assets
§ Accidental: all human actions that can accidentally damage information assets
§ Environmental: all incidents that are not based on human actions.

Vulnerability
Each asset has its own particular vulnerabilities, such as:
§ Hardware (e.g. insufficient maintenance / faulty installation of storage media)
§ Software (e.g. no or insufficient software testing)
§ Network (e.g. insecure network architecture, transfer of passwords in clear)
§ Personnel (e.g. unsupervised work by outside or cleaning staff, lack of policies for the correct use of telecommunications media and messaging)
§ Site (e.g. lack of physical protection of the building, doors and windows)
Cyber Risk Management Methodology
Risk Assessment – ISO 27005

Risk Assessment Process, step 4: Level of Risk determination (Risk Scenario)

Risk Level (plotted on an Impact vs Likelihood matrix)

LR(i;j) = Pi x Aj x Vij

LR(i;j) = Risk Level of asset “j” for threat “i”
Pi = probability that threat “i” could harm the asset
Aj = criticality of the asset “j”
Vij = exposure level of the asset “j” to the potential threat “i”
Cyber Risk Management Methodology
Risk Treatment

Risk treatment plans should describe how assessed risks are to be treated to meet risk acceptance criteria.

RISK MODIFICATION: the level of risk should be managed by introducing, removing or altering controls so that the residual risk can be reassessed as being acceptable

RISK RETENTION: the decision on retaining the risk without further action should be taken depending on the risk evaluation

RISK AVOIDANCE: the activity or condition that gives rise to the particular risk should be avoided

RISK SHARING: the risk should be shared with another party that can most effectively manage the particular risk, depending on the risk evaluation

It is important for responsible managers to review and approve proposed risk treatment plans and resulting residual risks, and record any conditions associated with such approval
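The risk level formula LR(i;j) = Pi x Aj x Vij and the treatment step above, worked through in code. This is an added example, not part of the deck: the threats, assets, 1-5 scores and the acceptance criterion of 24 are constructed, and "risk modification" is modelled as a control that lowers Vij so the residual risk can be reassessed.

```python
from dataclasses import dataclass
from itertools import product

# Constructed sample scores on a 1-5 scale (not taken from the deck).
THREATS = {"T1": ("Malware infection", 4),      # Pi: probability threat i harms the asset
           "T2": ("Insider data theft", 2),
           "T3": ("Power failure", 3)}
ASSETS = {"A1": ("Customer database", 5),       # Aj: criticality of asset j
          "A2": ("Intranet portal", 2)}
EXPOSURE = {("T1", "A1"): 3, ("T1", "A2"): 4,   # Vij: exposure of asset j to threat i
            ("T2", "A1"): 4, ("T2", "A2"): 1,
            ("T3", "A1"): 2, ("T3", "A2"): 2}
ACCEPTANCE = 24  # assumed risk acceptance criterion: LR above this needs treatment


@dataclass(frozen=True)
class Scenario:
    threat: str
    asset: str
    level: int  # LR(i;j)

def risk_level(p_i: int, a_j: int, v_ij: int) -> int:
    """LR(i;j) = Pi x Aj x Vij, as the deck defines it."""
    return p_i * a_j * v_ij

def build_register(threats, assets, exposure):
    """One risk scenario per threat/asset pair, highest risk level first."""
    scenarios = [Scenario(t, a, risk_level(threats[t][1], assets[a][1], exposure[(t, a)]))
                 for t, a in product(threats, assets)]
    return sorted(scenarios, key=lambda s: s.level, reverse=True)

def is_acceptable(level: int, acceptance: int = ACCEPTANCE) -> bool:
    """Risk retention is an option only when the level meets the acceptance criterion."""
    return level <= acceptance

def needs_treatment(register, acceptance: int = ACCEPTANCE):
    """Scenarios above the criterion: candidates for modification, avoidance or sharing."""
    return [s for s in register if not is_acceptable(s.level, acceptance)]

def residual_after_modification(scenario, threats, assets, new_exposure: int) -> int:
    """Risk modification: a control changes Vij; recompute LR so the residual can be reassessed."""
    return risk_level(threats[scenario.threat][1], assets[scenario.asset][1], new_exposure)

if __name__ == "__main__":
    register = build_register(THREATS, ASSETS, EXPOSURE)
    for s in register:  # the ranked risk register a manager would review and approve
        print(f"{s.threat}/{s.asset}: LR={s.level:3d} {'ACCEPT' if is_acceptable(s.level) else 'TREAT'}")
    # Treat the top scenario by lowering its exposure to 1 and reassess the residual risk.
    print("residual:", residual_after_modification(register[0], THREATS, ASSETS, 1))
```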
Analysis of the Cyber Risk Management methodology
Reporting

RISK MANAGER/CISO/CSO: ensure connectivity between stakeholders.

CFO: potential costs of a cyber event and what the impact could be on the bottom line; security of the sensitive information that the office controls.

CEO/BOARD: accountable for overall business and company performance; fiduciary duty to assess and manage cyber risk. Regulators expect top leadership to be engaged.

LEGAL/COMPLIANCE: keep stakeholders informed and compliant; if a cyber incident occurs, lawsuits often follow within hours.
Q&A

??
