Cyber Risk Management
2015
Agenda
Overview
Q&A
Rome | 2015 2
Introduction
Frame: the term “Cybernetics”
• Cyber is the prefix of the word “cybernetics”, derived from the Greek adjective κυβερνητικός (good at steering, governing)
• The term “cybernetics” was used for the first time by Norbert Wiener in “Cybernetics: or Control and Communication in the Animal and the Machine” (MIT Press, 1948)
Frame: preliminary Questions
Where is Cyberspace?
(Diagram of the infrastructure layers that make up cyberspace: Network, Computer Systems, Data, Internet, SCADA, Telcos)
Frame: preliminary Questions
Why a CyberAttack?
Frame: preliminary Questions
How a CyberAttack?
(Diagram of the attack phases: Adversary → Infiltration → Discovery → Exfiltration)
Frame: real cases
• 50%: corporate respondents of a survey on the most critical risk (Global IT Security Risks: 2012 – Kaspersky)
• Top 5 Global Risks by likelihood / severity (Global Risk Report, 2014)
• $250: price to rent 15,000 infected laptops (a bot network) for a cyber attack
• “Cyber attacks should be intended as the most dangerous emerging risk for economy” (World Economic Forum, 2014)
• Call-outs: Incident Response; Cyber Governance
Overview of the Management Model
Convenience:
• Cleverness of the IT systems
• Flexibility
• Innovation
• Cost saving
Risks:
• Cyber Attack
• Compliance
• Risks in operation
• Fraud
• Service Continuity
• Data Breach
• Intellectual Property
Overview of the Management Model
A thorough understanding of your risk Cyber risk management typically You likely cannot stop a cyber-attack
profile is critical, and that means more requires a balance of: from occurring, but you can control how
than the typical compliance audit. You • Prevention — to stop cyber-attacks you respond to them. A quick, effective
need to inventory cyber-vulnerable from succeeding reaction is essential, and the decisions
assets, identify new and emerging • Preparation — to make sure you are you make after an event can have
threats — internal and external — and ready when an event happens. lasting implications
model an event's potential impact. • Risk transfer— to transfer the
The evolving nature of cyber risk exposure off your balance sheet
requires you to continuously monitor
changes in your organization's risk
profile — then adapt.
Rome | 2015 15
Overview of the Management Model
A thorough understanding of your risk Cyber risk management typically You likely cannot stop a cyber-attack
profile is critical, and that means more requires a balance of: from occurring, but you can control how
than the typical compliance audit. You • Prevention — to stop cyber-attacks you respond to them. A quick, effective
need to inventory cyber-vulnerable from succeeding reaction is essential, and the decisions
assets, identify new and emerging • Preparation — to make sure you are you make after an event can have
threats — internal and external — and ready when an event happens. lasting implications
model an event's potential impact. • Risk transfer— to transfer the
The evolving nature of cyber risk exposure off your balance sheet
requires you to continuously monitor
changes in your organization's risk
profile — then adapt.
Risk Management
Rome | 2015 16
Overview of the Management Model
ISO 31000 – Risk Management process (cycle): Info Gathering → Risk Analysis → Risk Evaluation → Risk Treatment → Monitoring & Review
Cyber Risk Management Methodology
Information gathering
Domain                          Control        Notes
§ …
§ Requirements identification   Control 1.n
§ …
Cyber Risk Management Methodology – Cyber Risk Management Framework
Information gathering:
§ Preliminary Assessment: identification of primary assets, including organization, processes and activities able to provide services
§ IT Assessment: identification of supporting assets, in terms of hardware, software and network devices
§ Physical Assessment: description of the physical components used to provide services (infrastructures, working areas, environment, etc.)
Asset criticality: evaluation of the criticality level of the information, considering several typologies of events that can cause losses of:
§ Confidentiality
§ Integrity
§ Availability
Threats and vulnerabilities: evaluation of both threats and vulnerabilities for each asset identified in the previous step:
§ Threat → potential event that may cause an unwanted incident that harms an organization or system
§ Vulnerability → exposure level of an asset to a potential threat
Risk scenario:
Likelihood (L) → probability that a threat harms an asset
Vulnerability (V) → vulnerability level of an asset exposed to a threat
Impact (I) → potential consequences (connected to the asset criticality)
Risk Scenario (R) → level of risk of a specific asset and the related threat
R = L x V x I
Cyber Risk Management Methodology – Cyber Risk Management Framework
Organization evaluation: identify the processes and the activities needed for delivery of business services
IT Assessment: identify the ICT assets, in terms of hardware, software and network devices
Physical Assessment: identify the physical components used to provide services (infrastructures, working areas, environment, etc.)
(Asset inventory table with columns: Asset ID | Asset Description)
Cyber Risk Management Methodology – Cyber Risk Management Framework
Threats
Threats may be deliberate, accidental or environmental (natural) and may result, for example, in damage or loss of essential services.
§ Deliberate: all deliberate actions aimed at information assets
§ Accidental: all human actions that can accidentally damage information assets
§ Environmental: all incidents that are not based on human actions
Vulnerability
Each asset has its own particular vulnerabilities, such as:
§ Hardware (e.g. insufficient maintenance / faulty installation of storage media)
§ Software (e.g. no or insufficient software testing)
§ Network (e.g. insecure network architecture, transfer of passwords in clear)
§ Personnel (e.g. unsupervised work by outside or cleaning staff, lack of policies for the correct use of telecommunications media and messaging)
§ Site (e.g. lack of physical protection of the building, doors and windows)
Cyber Risk Management Methodology – Cyber Risk Management Framework
Risk Level
LR(i;j) = P_i x A_j x V_ij
LR(i;j) = asset risk level for each threat
P_i = probability that the threat could harm the asset “i” (the likelihood term)
A_j = criticality of the asset “j” (the impact term)
V_ij = the vulnerability term V of the R = L x V x I scenario (vulnerability level of the asset exposed to the threat)
Cyber Risk Management Methodology – Cyber Risk Management Framework
Risk Treatment
Risk treatment plans should describe how assessed risks are to be treated to meet risk acceptance criteria.
RISK MODIFICATION: the level of risk should be managed by introducing, removing or altering controls so that the residual risk can be reassessed as being acceptable.
RISK SHARING: the risk should be shared with another party that can most effectively manage the particular risk, depending on the risk evaluation.
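Worked example of the framework's R = L x V x I scenario (the LR(i;j) = P_i x A_j x V_ij risk level) computed over a constructed asset inventory and mapped onto the treatment options above. This is added demonstration code, not part of the original slides; the 1-to-3 scoring scale, the "worst CIA loss level" criticality rule and the acceptance thresholds are assumptions.

```python
from dataclasses import dataclass
from itertools import product
# Scoring scale is an assumption (not from the slides): P_i, A_j and V_ij are
# each rated 1 (low) to 3 (high), so a risk level ranges from 1 to 27.
@dataclass(frozen=True)
class Asset:
    asset_id: str      # "Asset ID" column of the inventory table
    cia: tuple         # loss levels for (Confidentiality, Integrity, Availability)
    @property
    def criticality(self) -> int:
        return max(self.cia)   # A_j: assumed to be the worst CIA loss level

@dataclass(frozen=True)
class Threat:
    name: str
    category: str      # deliberate / accidental / environmental
    likelihood: int    # P_i

def risk_level(threat: Threat, asset: Asset, vulnerability: int) -> int:
    """LR(i;j) = P_i x A_j x V_ij, i.e. R = L x V x I of the framework."""
    return threat.likelihood * asset.criticality * vulnerability

def treatment(risk: int, accept_max: int = 6, modify_max: int = 12) -> str:
    """Thresholds are assumed; the slides only require meeting acceptance criteria."""
    if risk <= accept_max:
        return "accept"
    if risk <= modify_max:
        return "modify"   # RISK MODIFICATION: add or alter controls
    return "share"        # RISK SHARING: hand the exposure to another party

def risk_register(assets, threats, vulns):
    """Rows (asset_id, threat, LR, treatment), highest first; vulns maps
    (threat name, asset id) -> V_ij and pairs without an exposure are skipped."""
    rows = []
    for t, a in product(threats, assets):
        v = vulns.get((t.name, a.asset_id))
        if v is not None:
            lr = risk_level(t, a, v)
            rows.append((a.asset_id, t.name, lr, treatment(lr)))
    return sorted(rows, key=lambda row: -row[2])

ASSETS = [Asset("A01", (2, 3, 3)),   # constructed sample data: SCADA historian
          Asset("A02", (2, 1, 1))]   # office laptop fleet
THREATS = [Threat("malware infection", "deliberate", 3),
           Threat("storage media failure", "accidental", 2),
           Threat("server room flooding", "environmental", 1)]
VULNS = {("malware infection", "A01"): 2,      # no software testing
         ("malware infection", "A02"): 3,      # passwords sent in clear
         ("storage media failure", "A01"): 2,  # faulty storage installation
         ("server room flooding", "A01"): 1}   # building above flood level
```

Calling risk_register(ASSETS, THREATS, VULNS) yields the register sorted by risk level, with each row carrying the treatment decision derived from the assumed thresholds.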
Analysis of the Cyber Risk Management methodology
Reporting
Q&A