
All Roads Lead to Risk

Lisa Young, Axio


Lisa R. Young: collaborative, forward-looking, data-driven problem solver
• Product Manager for risk quant SaaS platform development at Axio
• Mantra: Cyber Risk Management is a Team Sport!
• Instructor for Risk Management, Quantitative Risk Analysis, Data Governance, Measuring What Matters: GQIM; BA Business Administration, Marketing; M.Sc., Cybersecurity Public Policy
• Began career in telecommunications and network engineering. Worked in Financial services, Airline, Manufacturing, Automotive & Marine, Telecommunications; Senior Cybersecurity Engineer for CERT at Carnegie Mellon University Software Engineering Institute for 11 years
• SIRA Board President 2017-2020; Past President, VP, and Secretary ISACA West Florida Chapter (2003-2009); ISC2.org Board member (2021-2023)
• Lead author ISACA Risk-IT Framework and Practitioners Guide – the basis for the new ISACA Risk Fundamentals Certificate
• LinkedIn email: lyoung@brightmsi.com
• “Lisa Young @ISACA”
All Roads Lead to Risk
Risk types to consider (hub diagram with Risk at the centre):
• InfoSec/Cyber
• Threats/Vulns.
• Business Cycles
• Business Continuity
• Market/Credit
• Strategic/Reputation
• Supplier/Third party
• Everything else...

But not everything is a “risk”

My biases
• I like heat maps as a visualization tool – provided there is some rigor to the underlying analysis as to why the risk is in a certain “box.”
• I believe risk analysis should be performed in relation to a business problem, a question to be answered, or a desired outcome.
• I have an extensive background in cyber-physical (transportation, healthcare, manufacturing) and organizational dependencies/supply chain risk (energy, water, telecom) and think that it gets too little attention when creating risk scenarios.
Our Digital World - Cyber Physical Systems
What’s different about Cyber Risk?

Cyber: Of or relating to computers, information technology, electronic communications (especially the internet), or virtual reality

Risk: Exposure to danger, harm, or loss

Cyber Risk: Exposure to danger, harm, or loss related to the use of or dependence on computers, electronic data, or electronic communications (including the internet)

Typically involves unauthorized access or unauthorized use of computer technology

Cyber risk increases as our dependence on computer technology accelerates
Setting the Context for Risk Management
High-level Risk Management Workflow
Risk Management
• Definition: Ongoing, proactive process of adopting a holistic approach to address uncertainty which:
  • may affect the achievement of business or enterprise objectives
  • leads to greater business robustness and resilience (minimizes downside impact)
  • enables efficient risk-taking for appropriate benefit (opportunity)

Establish repeatable process to minimize and mitigate loss


Risk Identification and Assessment
Risk assessment must help the organization identify what could prevent the organization from meeting its objectives
• Conditions
• Uncertainty factor: what the probability is of the threat materializing, or how susceptible are you?
• Consequence/Impact: how the realized risk will impact the organization

Workflow diagram: Identify (brainstorming, areas of concern, interviews) – Analyze – Manage; activities shown across the analyze and manage stages include controls, grouping like risk, impact criteria, assessment, response, and mitigation.
Risk Ecosystem (diagram: Threat Mgmt, Vul Mgmt, Risk Mgmt, Risk Criteria, Risk Taxonomy, Risk Register)
• Threat management and threat modeling is used to detect, analyze, and respond to potential security incidents
• Vulnerability Management process deals with day-to-day patching and release management, and refers other findings to Risk or Issue Management
• Risk Management process should continually identify, analyze, address, monitor, and report risks
• Controls Management is generally done with compliance or audit rather than an optimization of control design and control selection based on risk.
Enterprise Services, Products, Mission
• Outputs of an organization
• Can be internally or externally focused
• Typically align with a specific organizational unit, but can cross units and organizational boundaries
• Collectively they enable an organization’s mission
Business Operations, Business Processes, Productive Activities, Projects, Initiatives
• The activities that the organization (and/or its suppliers) perform to ensure that services and products are produced
• Traverse the organization; cross organizational lines
• A service or a product is made up of one or more Business Processes, productive activities, projects or whatever they are called in your organization.
Assets
• Something of value to the organization
• Placed into production to deliver and support services
• Asset value relates to the importance of the asset in meeting the enterprise mission.
Organizational Context for Risk
Scenario Creation – Moving from Areas of Concern to Risk
Where does Risk Analysis and Business Impact Evaluation fit in Risk Management
Internal Factors / External Factors
Conditions, Consequences, and Risk Factors
Example Risk Universe (Risk Landscape)
• OBJECTIVES/MISSION
• RISK APPETITE STATEMENTS
• DESIRED OUTCOMES
• RISK TOLERANCE STATEMENTS
• ASSESSMENTS/SCOPING
• SCENARIO DEV & ANALYSIS
• KEY RISK INDICATORS
• CAPABILITY OR PROGRAM MATURITY REVIEWS
Another Example of Risk Universe or Risk Landscape

Another Example of Risk Appetite and Risk Tolerance
Mission: To be the leading producer of premium household products in the regions in which we operate

Strategy: Expand production of our top-five selling retail products to meet increased demand

Strategic Objectives: To be in the top quartile of product sales for retailers of our products

Related Objectives
1. Increase production of Unit X by 15% in the next 12 months
2. Hire 180 qualified new staff across all manufacturing divisions
3. Maintain product quality of 4.0 sigma
4. Maintain 22% staff cost per dollar order

Measures
- Market share
- Units of production
- Number of staff hired
- Product quality by sigma

Risk Appetite
- Accept that the company will consume large amounts of capital investing in new assets, people, and process
- Accept that competition could increase (e.g. through predatory pricing, etc.) as we seek to increase market share, thereby reducing profit margins
- We do not accept erosion of product quality

Risk Tolerances
Measure                        Target           Tolerances – Acceptable Range
- Market share                 25th percentile  20% - 30%
- Units of production          150,000 units    -7,500/+10,000
- Number of staff hired (net)  180 staff        -15/+20
- Product quality index        4.0 sigma        4.0 – 4.5 sigma
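A tolerance table like the one above is what a risk register or KRI dashboard checks each reporting period. The following Python is an added example, not material from the deck: it turns the deck's targets and acceptable ranges into inclusive bounds (including the asymmetric -7,500/+10,000 form), then classifies a set of constructed observations as within, below, above, or missing. The dictionary keys and the observed values are assumptions made for the example.

```python
"""Check reported measures against risk tolerance ranges.

Added example, not the deck's own material. Targets and ranges are taken
from the deck's tolerance table; the observations are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tolerance:
    measure: str
    target: float
    low: float   # lowest acceptable value (inclusive)
    high: float  # highest acceptable value (inclusive)

    @classmethod
    def from_offsets(cls, measure, target, minus, plus):
        """Build an acceptable range from asymmetric offsets such as -7,500/+10,000."""
        return cls(measure, target, target - minus, target + plus)


# Tolerance table from the deck. Market share is stated there as a
# "25th percentile" target with a 20%-30% range; only the range is checked
# here (assumption: the observed value is reported as a percentage).
TOLERANCES = {
    "market_share_pct": Tolerance("Market share", 25.0, 20.0, 30.0),
    "units_of_production": Tolerance.from_offsets("Units of production", 150_000, 7_500, 10_000),
    "staff_hired_net": Tolerance.from_offsets("Number of staff hired (net)", 180, 15, 20),
    "product_quality_sigma": Tolerance("Product quality index", 4.0, 4.0, 4.5),
}


def evaluate(observed):
    """Return {measure_key: 'within' | 'below' | 'above' | 'missing'}.

    Bounds are inclusive, so a value exactly at -7,500 or +10,000 from
    target is still acceptable. A measure that was not reported is flagged
    as 'missing' rather than silently treated as acceptable.
    """
    report = {}
    for key, tol in TOLERANCES.items():
        value = observed.get(key)
        if value is None:
            report[key] = "missing"
        elif value < tol.low:
            report[key] = "below"
        elif value > tol.high:
            report[key] = "above"
        else:
            report[key] = "within"
    return report


def breaches(observed):
    """Sorted list of measure keys that are outside tolerance or unreported."""
    return sorted(k for k, status in evaluate(observed).items() if status != "within")


def sample_observations():
    """Constructed quarterly readings, not data from the deck."""
    return {
        "market_share_pct": 22.0,        # within 20-30
        "units_of_production": 141_000,  # below 142,500 (150,000 - 7,500)
        "staff_hired_net": 201,          # above 200 (180 + 20)
        "product_quality_sigma": 3.9,    # below the 4.0 floor
    }


if __name__ == "__main__":
    for key, status in evaluate(sample_observations()).items():
        tol = TOLERANCES[key]
        print(f"{tol.measure:<30} {status:<8} acceptable range {tol.low}..{tol.high}")
```

Treating an unreported measure as a breach rather than as acceptable is deliberate: a dashboard that stays green when a feed goes quiet hides exactly the drift the tolerance statement was written to catch.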
Example Risk Appetite and Risk Tolerance Statements

Example Business Impact Evaluation Criteria
Considerations for threats and vulnerabilities as inputs to loss event scenarios (threat trees derived from OCTAVE)

Data Breach / Theft / Spillage: Identities; Personally Identifiable Information; Payment Card Numbers (PCI); Health Records (PHI); IP / Trade Secrets; Other Confidential Data; Financial Data
Data Destruction: Ransomware; Shamoon-style attacks; Physical Theft or Sabotage
Physically Destructive Events: Cyber Attacks on OT; Firmware Destruction (Bricking); Physical Attacks on People or Property
Availability Events: Denial of Service Attacks; Network Infrastructure Attacks; Cloud or Communications Outages; Sabotage or Vandalism; Physical Theft

VERIS - http://veriscommunity.net/veris-overview.html
University of Cambridge Centre for Risk Studies
• …taxonomy of macro-catastrophe threats that have the potential to cause damage and disruption to social and economic systems in the modern globalized world.
• Contains 5 Primary Classes, 11 Families, 55 (Genus) Types
• Very high level
Operational Risk Taxonomy
Maps to 800-53R4 and supports the Basel definition of Operational Risk
Building a Risk Taxonomy

1. Get management commitment and collaborate with ERM (if applicable)
2. Design the form of the taxonomy (which could evolve during development)
3. Top-down approach
   a. Gather risk information from various sources, include threat and vulnerability information
   b. Study risk events that have impacted other organizations like yours
   c. Review generic risk taxonomies
   d. Identify high level categories of risk that are relevant to your organization
   e. Add risk categories to your risk register contents
OR
4. Bottom-up approach
   a. Perform an affinity grouping from all risks in your risk register
   b. Use the affinity groups as the high level categories of risk in your risk taxonomy
   c. Add risk categories to your risk register contents

Using both the top-down and bottom-up techniques might improve confidence in the categories and the identified risks
Developing Scenarios and Reporting on Risk
Considerations for Risk Scenario Development
• Scenario brainstorming workshop
• Title of the scenario shows up on the heatmap
• Detailed description. You may have multiple scenarios with different descriptions, scopes, geography, business functions, threat vectors, assumptions, impacts, etc.
• Model actual loss events for lessons learned
• Business unit/function
• Threat intel inputs or vectors
• Documented assumptions and applicable controls or mitigants

Scenario Coverage Map
Reference back to the taxonomy to ensure coverage of threat vectors or other operational concerns. Reference back to any assumptions to gather full data on what people are thinking. What are people concerned about and is it captured in one or more scenarios?
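The coverage map described above can be computed directly from a scenario register once each scenario records which taxonomy threat vectors it addresses. The following Python is an added example, not part of the deck: the taxonomy is a trimmed copy of the deck's OCTAVE-derived threat tree, the scenarios and their fields (function, vectors, assumptions, controls) are constructed, and the functions report categories and vectors with no scenario, vectors that the taxonomy does not recognise (a sign the taxonomy or the scenario needs updating), and scenarios that never documented their assumptions or mitigants.

```python
"""Scenario coverage map: check risk scenarios against a threat taxonomy.

Added example, not from the slide deck. TAXONOMY is a subset of the deck's
OCTAVE-derived threat tree; SCENARIOS and their field names are constructed.
"""
from collections import defaultdict

# Loss event categories and threat vectors, trimmed from the deck's threat tree.
TAXONOMY = {
    "Data Breach / Theft / Spillage": [
        "Personally Identifiable Information", "Payment Card Numbers (PCI)",
        "Health Records (PHI)", "IP / Trade Secrets",
    ],
    "Data Destruction": ["Ransomware", "Shamoon-style attacks", "Physical Theft or Sabotage"],
    "Physically Destructive Events": ["Cyber Attacks on OT", "Firmware Destruction (Bricking)"],
    "Availability Events": [
        "Denial of Service Attacks", "Network Infrastructure Attacks",
        "Cloud or Communications Outages",
    ],
}

# Constructed scenario register: the fields mirror the workshop checklist
# (title, business function, threat vectors, assumptions, controls/mitigants).
SCENARIOS = [
    {"title": "Ransomware encrypts the ERP file servers", "function": "Finance",
     "vectors": ["Ransomware"],
     "assumptions": ["offline backups are restorable within 48h"],
     "controls": ["EDR", "immutable backups"]},
    {"title": "Card data exfiltrated from the e-commerce platform", "function": "Retail",
     "vectors": ["Payment Card Numbers (PCI)"],
     "assumptions": [], "controls": ["tokenization"]},
    {"title": "Regional cloud outage takes the order portal offline", "function": "Retail",
     "vectors": ["Cloud or Communications Outages"],
     "assumptions": ["single-region deployment"], "controls": []},
    {"title": "Warehouse staff manipulate stock records", "function": "Logistics",
     "vectors": ["Insider fraud"],  # not in the taxonomy: flagged as unknown
     "assumptions": ["stock counts reconciled monthly"], "controls": ["four-eyes approval"]},
]


def coverage_map(taxonomy, scenarios):
    """Map every taxonomy vector to the scenario titles that cover it.

    Returns (map, unknown): map[category][vector] -> [titles], and the sorted
    vectors referenced by scenarios that the taxonomy does not contain.
    """
    known = {v for vectors in taxonomy.values() for v in vectors}
    covered = defaultdict(list)
    unknown = set()
    for scenario in scenarios:
        for vector in scenario["vectors"]:
            if vector in known:
                covered[vector].append(scenario["title"])
            else:
                unknown.add(vector)
    cmap = {cat: {v: covered.get(v, []) for v in vectors} for cat, vectors in taxonomy.items()}
    return cmap, sorted(unknown)


def gaps(taxonomy, scenarios):
    """Return (categories with no scenario at all, vectors with no scenario)."""
    cmap, _ = coverage_map(taxonomy, scenarios)
    uncovered_vectors = sorted(v for vectors in cmap.values()
                               for v, titles in vectors.items() if not titles)
    uncovered_categories = sorted(cat for cat, vectors in cmap.items()
                                  if not any(vectors.values()))
    return uncovered_categories, uncovered_vectors


def undocumented(scenarios):
    """Scenarios that record no assumptions or no controls/mitigants."""
    return sorted(s["title"] for s in scenarios if not s["assumptions"] or not s["controls"])


if __name__ == "__main__":
    categories, vectors = gaps(TAXONOMY, SCENARIOS)
    _, unknown = coverage_map(TAXONOMY, SCENARIOS)
    print("Categories with no scenario:", categories)
    print("Vectors with no scenario:", vectors)
    print("Vectors missing from taxonomy:", unknown)
    print("Scenarios with undocumented assumptions or controls:", undocumented(SCENARIOS))
```

Run on the constructed register, the report shows one whole category (Physically Destructive Events) with no scenario, an "Insider fraud" vector that the taxonomy never defined, and two scenarios whose assumptions or mitigants were never written down; each of those is a follow-up item for the next brainstorming workshop rather than a finished heatmap entry.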
Example Board Reporting
The Need for Something Better
(Cyber or Information) security is a risk management activity
§ Managing firewalls, SIEM, IAM, application security
§ Access controls to systems and facilities
§ Limiting access to intellectual property or confidential information
§ Confirming identity and privileges

The aim of these “security” activities is ultimately to manage risk.
Business Continuity and Disaster Recovery are risk management activities
§ Limit unwanted effects of realized risk
§ Ensure availability and recoverability
§ Developing business continuity and disaster recovery plans
§ Manage impact from realized risk

The aim of these “continuity” activities is also to manage risk.
IT Operations is a risk management activity
§ Configuration management
§ Application, change, or release management
§ Providing appropriate support to systems & applications for staff and external entities
§ Asset management
§ Network administration
§ Device support

The aim of these “operations” activities is to manage risk.
Moving from Risk to Resilience
§ The emergent property of an entity
  • that has the ability to anticipate, prepare for, and adapt to changing conditions and withstand and recover from disruptions.
§ The ability of an entity to
  • Prevent disruptions from occurring;
  • And when struck by a disruption, the ability to quickly adapt, respond to and recover from a disruption in the primary business processes.
Resilience Ecosystem Landscape (diagram)
Threats, Exposures, Events, Conditions: Cyber, Technology cycles; External Dependencies, Partners & Suppliers; Mistakes, errors, omissions; Business and economic cycles; Weather, Terrorism, crime, Pandemic
Products & Services
Organization Specific Mission – Payments application – System or Business Processes – Business Outcomes
Supporting Assets - People, Information, Tech, Facilities, Suppliers
Business or Resilience Processes: Identity, Access & Asset Management; Business Continuity & Disaster Recovery; Enterprise and Operational Risk Management; Knowledge & Information Management; Partner, Supplier & Dependencies Management; Situational Awareness & Incident Management; Audit & Assurance; Strategic Planning and Governance

Drawing adapted from FRBNY Management in Central Banking (MIBC) Implementation Support course 9/25/2018 by Brian Watson, used with permission
Resilience Example (annotated diagram)
Threats, Exposures, Events, Conditions: Cyber attack renders the technology and information assets unavailable. Terrorism or crime may be the motive for the attack but that may not be known immediately. (Other conditions shown: External Dependencies, Partners & Suppliers; Mistakes, errors, omissions; Business and economic cycles; Weather, Pandemic)
Products & Services
Organization – End-to-End Business Processes – Business Mission Outcomes
Supporting Assets - People, Information, Tech, Facilities, Suppliers
Business or Resilience Processes:
• Business Continuity & Disaster Recovery, if practiced well, decreases downtime
• Enterprise and Operational Risk Management provides authoritative sources of data to the business continuity process
• Situational Awareness & Incident Management provides a good capability in incident response, evidence preservation, & forensics
• Also shown: Identity, Access & Asset Management; Knowledge & Information Management; Partner, Supplier & Dependencies Management; Audit & Assurance; Strategic Planning and Governance
Orange indicates the conditions and corresponding practices that would need to be resilient to manage the specific event
Gray filled areas are out of scope for this specific scenario
The objectives for operational resilience go well beyond traditional business continuity

Operational resilience principle - The ability to anticipate, prepare for, and adapt to changing conditions and withstand and recover from disruptions. Resilience includes the ability to continue to operate (even in a degraded state) and recover from deliberate attacks, accidents, and other threats or incidents.

Operational resilience key objectives
• Alignment & Integration: Develop an adaptive operating model and integrate resilience objectives into business strategies
• Visibility & Actionability: Measure, monitor, and communicate risk, the effectiveness of controls and level of resilience capability
• Identification & Prioritization: Identify, assess, prioritize, and design for scenarios that can impact the organization and its resilience
• Preparation & Improvement: Implement solutions and “evergreen” processes that optimize between “manage the condition” and “manage the consequence”
PRESILIENCE® – THE JOURNEY
Risk Intelligence and High-Performance Culture in Practice
1 Compliance
2 Resilience
3 Presilience®
So, What is Risk Intelligence

Risk Intelligence (RI) is a living skill and applied attribute that enables better decision making to proactively embrace opportunity and manage negative outcomes.
(Diagram: Risk Intelligence at the centre, surrounded by Reward, Risk, Agility and Resilience)

▸ By definition, RI incorporates agility and resilience.
▸ People with a well-developed RI are able to lead and empower those around them to achieve objectives and drive High Reliability Organisational (HRO) performance.

https://risk2solution.com/
Conceptual Integration for Risk Intelligence
• Manage uncertainty
• Achieve objectives
• Ability to move, think, and understand quickly
• Focus on change and creating more effective processes, products, and ideas
• Improved productivity and performance
• Share information, rewards, and power, appropriately and fairly
• Take initiative and make decisions to solve problems and improve service delivery and performance
• Display toughness in the face of adversity and have the capacity to recover quickly and respond to short term shocks
• The ability to adapt and evolve personally and shape teams and organizational structures to respond to long term challenges
• Make data-driven decisions that evolve as we learn more
Delivering the transformational change necessary to achieve Presilience® requires addressing a number of key challenges

Acquiring expertise: Designing and implementing a presilience program requires a deep understanding of the internal and external conditions needed to develop situational awareness, decision architectures, and take actions to observe, orient, adapt, and respond nimbly to changes

Breaking silos: Presilience requires convergence of people, process, technology to achieve resilient business outcomes

Changing culture: Presilience requires a culture shift from ‘a business line or functional area point of view’ to ‘a holistic and ecosystem view’

Managing complexity: Presilience has to be built into the fabric of the organization which requires fundamental changes to how the organization operates
All Roads Really do Lead to Risk
(Hub diagram with Risk at the centre: InfoSec/Cyber; Threats/Vulns.; Business Cycles; Business Continuity; Market/Credit; Strategic/Reputation; Supplier/Third party; Everything else...)
Questions? Comments?
Lisa Young
VP, Cyber Risk Engineering
LinkedIn: Lyoung@brightmsi.com
