CYBER BODY OF KNOWLEDGE

1 Human, Organizational & Regulatory Aspects

Risk Management and Governance

1.1 INTRODUCTION

This Knowledge Area will explain the fundamental principles of cyber risk assessment and management and their role in risk governance, expanding on these to cover the knowledge required to gain a working understanding of the topic and its sub-areas. We begin by discussing the relationship between everyday risk and why this is important in today's interconnected digital world. We explain why, as humans, we need effective risk assessment and management principles to support the capture and communication of factors that may impact our values. We then move on to describe different perspectives on cyber risk assessment - from individual assets, to whole-system goals and objectives. We unpick some of the major risk assessment methods and highlight their main uses and limitations, as well as providing pointers to more detailed information.

Security metrics are an ongoing topic of debate in the risk assessment and management domain: which system features to measure for risk, how to measure risk, and why measure risk at all? These questions are framed in the context of existing literature on this topic. This links into risk governance, which explains why effective governance is important to uphold cyber security and highlights some of the social and cultural factors that are essential to consider when developing governance frameworks. Almost all systems still include a human element of control, and, despite assessment and management plans, it is still possible that a risk will turn into reality. In such cases, incident response is required. We discuss the importance of incident response and its link to the risk governance process.

1.2 WHAT IS RISK?

Risk is at the heart of everyday life. From a child making a decision to jump out of a tree to an investment decision by the CEO of a multi-billion dollar company, we all make decisions that potentially impact us as individuals, and impact our broader social networks and surroundings. Defining risk is, therefore, a highly philosophical and contentious matter. Seminal works by Slovic [40] and Renn [39] on risk perception capture the broad-reaching issues surrounding this debate, and provide a working definition that abstracts the question to allow us to engage with the topic of risk on a socio-technical level. Renn's working definition of risk is the possibility that human actions or events lead to consequences that have an impact on what humans value. This fundamentally grounds risk in human value, which applies to both the child and CEO examples. It also applies to cyber security contexts in a world where people and technology are intrinsically linked. The failure of one to support the success of the other can lead to social, economic and technical disaster. The working definition of impact on values raises a further question of how to define the value and capture indicators that can be used to measure and manage the risk. Renn defines three basic abstract elements required for this: outcomes that have an impact on what humans value, possibility of occurrence (uncertainty), and a formula to combine both elements. These elements are at the core of most risk assessment methods. Such methods aim to provide a structured approach to capturing the entities of value and the likelihood of unwanted outcomes affecting the entities, while also bearing in mind that even something with very low probability may be realized and may have significant impact on a value. We, therefore, use Renn's working definition of risk for discussion in this KA in the context of cyber risk.

A key challenge with risk assessment and management is making assumptions explicit and finding the balance between subjective risk perceptions and objective evidence. Risk assessment is, therefore, a process of collating observations and perceptions of the world that can be justified by logical reasoning or comparisons with actual outcomes [41]. Risk management, on the other hand, is the process of developing and evaluating options to address the risks in a manner that is agreeable to people whose values may be impacted, bearing in mind that agreement on how to address risk may involve a spectrum of (in)tolerance - from acceptance to rejection. Risk governance is an overarching set of ongoing processes and principles that aims to ensure an awareness and education of the risks faced when certain actions occur, and to instil a sense of responsibility and accountability in all involved in managing it. It underpins collective decision-making and encompasses both risk assessment and management, including consideration of the legal, social, organizational and economic contexts in which risk is evaluated [41]. This Knowledge Area explores all these topics and provides insights into risk assessment, management and governance from a cyber security science perspective that is accessible to individuals, SMEs and large organizations alike.

1.3 WHY IS RISK ASSESSMENT AND MANAGEMENT IMPORTANT?

Risk assessment involves three core components [41]: (i) identification and, if possible, estimation of hazard; (ii) assessment of exposure and/or vulnerability; and (iii) estimation of risk. Identification relates to establishing events and their subsequent outcomes, while estimation is related to the relative strength of the outcome. Exposure relates to the aspects of a system open to threat actors (e.g., people, devices, databases), while vulnerability relates to the attributes of these aspects that could be targeted (e.g., susceptibility to deception, hardware flaws, software exploits). Risk estimation can be quantitative (e.g., probabilistic) or qualitative (e.g., scenario-based) and captures the expected impact of outcomes. The fundamental concept of risk assessment is to use analytic and structured processes to capture information, perceptions and evidence relating to what is at stake, the potential for desirable and undesirable events, and a measure of the likely outcomes and impact. Without any of this information we have no basis from which to understand our exposure to threats, nor to devise a plan to manage them. An often overlooked part of the risk assessment process is concern assessment. This stems from the public risk perception literature but is also important for cyber security risk assessment, as we will discuss later in the document. In addition to the more evidential, scientific aspects of risk, concern assessment includes wider stakeholder perceptions of: hazards, repercussions of risk effects, fear and dread, personal or institutional control over risk management, and trust in the risk managers.

The risk management process involves reviewing the information collected as part of the risk (and concern) assessments. This information forms the basis of decisions leading to one of three outcomes for each perceived risk [41]:
  • Intolerable: the aspect of the system at risk needs to be abandoned or replaced, or if not possible, vulnerabilities need to be reduced and exposure limited.
  • Tolerable: risks have been reduced with reasonable and appropriate methods to a level as low as reasonably possible (ALARP) [44] or as low as reasonably allowable (ALARA). A range of choices may include mitigating, sharing, or transferring risk [45], selection of which will depend on the risk managers' (and more general company) appetite for taking risks.
  • Acceptable: risk reduction is not necessary and can proceed without intervention. Furthermore, risk can also be used to pursue opportunities (also known as 'upside risk'), thus the outcome may be to accept and embrace the risk rather than reduce it. Hillson discusses this perspective in further detail [42].
Deciding which to select will be dependent on a number of factors, for example (as suggested in ISO 31000:2018 [46]) tangible and intangible uncertainty, consequences of risk realization (good or bad), appetite for risk, organizational capacity to handle risk, etc.

Beyond this decision framework Renn defines four types of risk that require different risk management plans [41]. These include:
  • Routine risks: these follow a fairly normal decision-making process for management. Statistics and relevant data are provided, desirable outcomes and limits of acceptability are defined, and risk reduction measures are implemented and enforced. Renn gives examples of car accidents and safety devices.
  • Complex risks: where risks are less clear cut, there may be a need to include a broader set of evidence and consider a comparative approach such as cost-benefit analysis or cost-effectiveness. Scientific dissent such as drug treatment effects or climate change are examples of this.
  • Uncertain risks: where risks cannot be predicted with confidence, factors such as reversibility, persistence and ubiquity become useful considerations. A precautionary approach should be taken, with a continual and managed approach to system development whereby negative side effects can be contained and rolled back. Resilience to uncertain outcomes is key here.
  • Ambiguous risks: where broader stakeholders, such as operational staff or civil society, interpret risk differently (e.g., different viewpoints exist or lack of agreement on management controls), risk management needs to address the causes for the differing views. Renn uses the example of genetically modified foods where well-being concerns conflict with sustainability options. In this instance, risk management must enable participatory decision-making, with discursive measures aiming to reduce the ambiguity to a number of manageable options that can be further assessed and evaluated.
Management options, therefore, include a risk-based management approach (risk-benefit analysis or comparative options), a resilience-based approach (where it is accepted that risk will likely remain but needs to be contained, e.g. using ALARA/ALARP principles), or a discourse-based approach (including risk communication and conflict resolution to deal with ambiguities). Without effective consideration of the acceptability of risk and an appropriate risk reduction plan, it is likely that the response to adverse outcomes will be disorganized, ineffective, and likely lead to further spreading of undesirable outcomes.

Effective risk management through structured assessment methods is particularly important because, although our working definition of risk is grounded in consequences of interest to people, we (as a society) are not very good at assessing this risk. Slovic's article on risk perception highlights that perceptions related to dread risk (e.g., nuclear accidents) are ranked highest risk by lay people, but much lower by domain experts who understand the evidence relating to safety limitations and controls for such systems. Expert risk ranking tends to follow expected or recorded undesirable outcomes such as deaths, while lay people are influenced more by their intuitive judgment (a nuclear accident could impact my whole family). There is, therefore, a mismatch between perceived vs. actual risk. As people we tend to exaggerate dread-related but rare risks (e.g., nuclear incidents and terrorist attacks) but downplay common ones (e.g., street crime and accidents in the home) - even though the latter kill far more people.

This is also why concern assessment is important in the risk management process alongside risk assessment. Schneier's book Beyond Fear [43] notes that we have a natural sense of safety in our own environment and a heightened sense of risk outside of this. For instance, we feel safe walking down a street next to our house but on edge when arriving in a new city. As a society, we rarely study statistics when making decisions; they are based on perceptions of exposure to threat, our perceived control over threats, and their possible impact. Risk assessment helps us capture quantitative and qualitative aspects of the world that enable us to put a realistic estimate on how certain we can be that adverse events will come to pass, and how they will impact on what we value most. This applies to us personally as individuals, and as groups of people with a common aim - saving the planet, running a business, or educating others. We need to capture our goals, understand what could lead to the failure to achieve them, and put processes in place to align realistic measures to reduce harms inflicted upon our objectives.

When done well, risk assessment and management enables decision makers, who are responsible, to ensure that the system operates to achieve the desired goals as defined by its stakeholders. It can also ensure the system is not manipulated (intentionally or otherwise) to produce undesired outcomes, as well as having processes in place that minimize the impact should undesirable outcomes occur. Risk assessment and management is also about presenting information in a transparent, understandable and easily interpreted way to different audiences, so that accountable stakeholders are aware of the risks, how they are being managed, who is responsible for managing them, and are in agreement on what is the acceptable limit of risk exposure. This is absolutely crucial to successfully managing risk because, if the risks are not presented clearly to decision makers (be they technical, social, economic or otherwise), the impact of not managing them will be overlooked, and the system will remain exposed. Likewise, if the purpose of risk management is not made clear to the people at the operational level, alongside their own responsibilities and accountability for risk impacts, they will not buy in to the risk management plan and the system will remain exposed. More broadly, if wider stakeholder concerns (e.g., civil society) are not heard or there is a lack of confidence in the risk management plan, there could be widespread rejection of the planned system being proposed.

As important as it is to convey risks clearly to stakeholders, it is equally important to stress that risks cannot always be removed. There is likely to be some residual risk to the things we value, so discussions must be held between decision makers and those who are involved with the operations of a system. Ultimately, decision makers, who will be held to account for failure to manage risk, will determine the level of risk tolerance - whether risk is accepted, avoided, mitigated, shared, or transferred. However, it is possible that wider stakeholders such as those involved with system operations may have differing views on how to manage risk, given they are likely to have different values they are trying to protect. For some, saving money will be key. For others, reputation is the main focus. For people working within the system it may be speed of process or ease of carrying out daily tasks. The purpose of risk assessment and management is to communicate these values and ensure decisions are taken to minimize the risks to an agreed set of values by managing them appropriately, while maximizing 'buy in' to the risk management process. In the broader health and safety risk context, this concept relates to the notion of ALARP (as low as reasonably practicable) [44]: being able to demonstrate that significant efforts and computation have been made to calculate the balance between risk acceptance and mitigation, in favor of security and safety. Again it is important to highlight here that concern assessment is an important part of risk assessment, to ensure the risk assessment policy (the agreed approach to risk assessment) is informed by those responsible for, and impacted by, risk, and those who are required to act in a way that upholds the management plan day-to-day. Crucially, it must be recognized that the impact of single events can often extend beyond direct harms and spread far wider into supply chains. As Slovic puts it, the results of an event act like ripples from a stone dropped into a pond, first directly within the company or system in which it occurred, and then into sub-systems and interdependent companies and components [40].

One of the major drivers for risk assessment and management is to demonstrate compliance. This can be the result of the need to have audited compliance approval from international standards bodies in order to gain commercial contracts; to comply with legal or regulatory demands (e.g., in Europe the Network and Information Systems (NIS) directive [47] mandates that operators of essential services (such as critical national infrastructure) follow a set of 14 goal-oriented principles [48]); or to improve the marketability of the company through perceived improvements in public trust if certification is obtained. This can sometimes lead to 'tick-box' risk assessment whereby the outcome is less focused on managing the risk, and more about achieving compliance. This can result in a false sense of security and leave the organization exposed to risks. This brings us back to Renn's working definition of risk. These examples focus on managing the risk of failing compliance with various policy positions, and as a result, they may neglect the broader focus on impact on values held by wider organizational, societal or economic stakeholders. The context and scope of risk management must take this broader outcomes-view in order to be a useful and valuable exercise that improves preparedness and resilience to adverse outcomes.

Based on these factors, risk assessment and management is most certainly a process, not a product. It is something that, when done well, has the potential to significantly improve the resilience of a system. When done badly (or not at all) it can lead to confusion, reputational damage, and serious impact on system functionality. It is a process that is sometimes perceived to be unimportant before one needs it, but critical for business continuity in a time of crisis. Throughout the process of risk assessment we must remain aware that risk perception varies significantly based on a variety of factors, and that, despite objective evidence, it will not change. To use an example from [40], providing evidence that the annual risk from living next to a nuclear power plant is equivalent to the risk of riding an extra 3 miles in an automobile does not necessarily reduce the perception of risk, given the differences surrounding the general perception of the different scenarios. Intuitively, communication and a respect for qualitative and quantitative measures of risk assessment are core to its practice. Both measures exhibit ambiguity (e.g., [49]) and often we lack quality data on risk, so evidence only goes so far. There will always be a need for subjective human judgment to determine relevance and management plans [50], which in itself comes with its own limitations such as lack of expert knowledge and cognitive bias [51].

1.4 WHAT IS CYBER RISK ASSESSMENT AND MANAGEMENT?

The introductory sections have made the case for risk assessment and management more generally, but the main focus of this document is to frame risk assessment and management in a cyber security context. Digital technology is becoming ever more pervasive and underpins almost every facet of our daily lives. With the growth of the Internet of Things, connected devices are expected to reach levels of more than 50 billion by 2022 [53]. Further, human decision-based tasks such as driving and decision-making are being replaced by automated technologies, and the digital infrastructures that we are increasingly reliant upon can be disrupted indiscriminately as a result of, for example, ransomware [54]. Cyber security risk assessment and management is, therefore, a fundamental special case that everyone living and working within the digital domain should understand and participate in.

There are a number of global standards that aim to formalize and provide a common framework for cyber risk assessment and management, and, in this section, we will study some of them. We will begin with high-level definitions of some of the foremost positions on risk. The United Kingdom was ranked first in the 2018 Global Cybersecurity Index (GCI) [55], a scientifically grounded review of the cyber security commitment and situation at a global country-by-country level. The review covers five pillars: (i) legal, (ii) technical, (iii) organizational, (iv) capacity building, and (v) cooperation - and then aggregates them into an overall score. As the lead nation in the GCI, the UK's technical authority for cyber security, the National Cyber Security Centre (NCSC), has published guidance on risk management [52]. Importantly, the NCSC is clear that there is no one-size-fits-all for risk assessment and management. Indeed, conducting risk assessment and management as a tick-box exercise produces a false sense of security, which potentially increases the vulnerability of the people impacted by risk because they are not properly prepared. Cyber security is such a rapidly evolving domain that we must accept that we cannot be fully cyber secure. However, we can increase our preparedness. The Potomac Institute for Policy Studies provides a framework for studying cyber readiness along with a country-specific profile for a range of nations (including the USA, India, South Africa, France and the UK) and an associated cyber readiness index [56].

1.5 RISK GOVERNANCE

1.5.1 What is risk governance and why is it essential?

Risk assessment and developing mitigation principles to manage risk is only likely to be effective where a coordinated and well communicated governance policy is put in place within the system being managed. Millstone et al. [57] proposed three governance models:
  • Technocratic: where policy is directly informed by science and evidence from domain expertise.
  • Decisionistic: where risk evaluation and policy are developed using inputs beyond science alone. For instance, incorporating social and economic drivers.
  • Transparent (inclusive): where context for risk assessment is considered from the outset with input from science, politics, economics and civil society. This develops a model of 'pre-assessment' - that includes the views of wider stakeholders - that shapes risk assessment and subsequent management policy.
None are correct or incorrect. There is a fine balance between the knowledge and findings of scientific experts, and perceptions of the lay public. While the technocratic approach may seem logical to some risk owners who work on the basis of reasoning using evidence, it is absolutely crucial for effective risk governance to include the wider stakeholder view. Rohrmann and Renn's work on risk perception highlights some key reasons for this [58]. They identify four elements that influence the perception of risk:
  • intuitive judgment associated with probabilities and damages;
  • contextual factors surrounding the perceived characteristics of the risk (e.g., familiarity) and the risk situation (e.g., personal control);
  • semantic associations linked to the risk source, people associated with the risk, and circumstances of the risk-taking situation;
  • trust and credibility of the actors involved in the risk debate.
These factors are not particularly scientific, structured or evidence-based but, as noted by Fischhoff et al. [59], such forms of defining probabilities are countered by the strength of belief people have about the likelihood of an undesirable event impacting their own values. Ultimately, from a governance perspective, the more inclusive and transparent the policy development, the more likely the support and buy-in from the wider stakeholder group - including lay people as well as operational staff - for the risk management policies and principles.

There are several elements that are key to successful risk governance. Like much of the risk assessment process, there is no one-size solution for all endeavors. However, a major principle is ensuring that the governance activity (see below) is tightly coupled with everyday activity and decision-making. Cyber risk is as important as health and safety, financial processes, and human resources. These activities are now well established in decision-making. For instance, when hiring staff, the HR process is at the forefront of the recruiter's activity. When travelling overseas, employees will always consult the financial constraints and processes for travel. Cyber security should be thought of in the same way - a clear set of processes that reduce the risk of harm to individuals and the business. Everyone involved in the daily running of the system in question must understand that, for security to be effective, it must be part of everyday operational culture. The cyber risk governance approach is key to this cultural adoption.

1.5.2 The human factor and risk communication

Sasse and Flechais [60] identified human factors that can impact security governance, including people: having problems using security tools correctly; not understanding the importance of data, software, and systems for their organization; not believing that the assets are at risk (i.e., that they would be attacked); or not understanding that their behavior puts the system at risk. This highlights that risk cannot be mitigated with technology alone, and that concern assessment is important. If risk perception is such that there is a widely held view that people do not believe their assets will be attacked (as noted by [60]), despite statistics showing cyber security breaches are on the rise year-on-year, then there is likely to be a problem with the cyber security culture in the organization. Educating people within an organization is vital to ensuring cultural adoption of the principles defined in the risk management plan and associated security governance policy. People will generally follow the path of least resistance to get a job done, or seek the path of highest reward. As Sasse and Flechais note, people fail to follow the required security behavior for one of two reasons: (1) they are unable to behave as required (one example being that it is not technically possible to do so; another being that the security procedures and policies available to them are large, difficult to digest, or unclear); (2) they do not want to behave in the way required (an example of this may be that they find it easier to work around the proposed low-risk but time-consuming policy; another being that they disagree with the proposed policy).

Weirich and Sasse studied compliance with password rules as an example of compliance with security policy [61] and found that a lack of compliance was associated with people not believing that they were personally at risk and/or that they would be held accountable for failure to follow security rules. There is thus a need to ensure a sense of responsibility and a process for accountability, should there be a breach of policy. This must, of course, be mindful of legal and ethical implications, as well as the cultural issues around breaching rules, which is a balancing act. Risk communication, therefore, plays an important role in governance [62] [39], including aspects such as:
  • Education: particularly around risk awareness and day-to-day handling of risks, including risk and concern assessment and management;
  • Training and inducement of behavior change: taking the awareness provided by education and changing internal practices and processes to adhere to security policy;
  • Creation of confidence: both around organizational risk management and key individuals - developing trust over time, and maintaining this through strong performance and handling of risks;
  • Involvement: particularly in the risk decision-making process - giving stakeholders an opportunity to take part in risk and concern assessment and partake in conflict resolution.
Finally, leading by example is of paramount importance in the risk communication process. People are likely to be resentful if it appears that senior management are not abiding by the cultural aspects of risk communication.

1.5.3 Security culture and awareness

Dekker's principles on Just Culture [63] aim to balance accountability with learning in the context of security. He proposes the need to change the way in which we think about accountability so that it becomes compatible with learning and improving the security posture of an organization. It is important that people feel able to report issues and concerns, particularly if they think they may be at fault. Accountability needs to be intrinsically linked to helping the organization, without concern of being stigmatized and penalized. There is often an issue where those responsible for security governance have limited awareness and understanding of what it means to practice it in the operational world. In these cases there needs to be an awareness that there is possibly no clear right or wrong, and that poorly thought-out processes and practices are likely to have been behind the security breach, as opposed to malicious human behavior. If this is the case, these need to be addressed and the person at fault needs to feel supported by their peers and free of anxiety. One suggestion Dekker makes is to have an independent team to handle security breach reports so people do not have to go through their line manager. If people are aware of the pathways and outcomes following security breaches it will reduce anxiety about what will happen and, therefore, lead to a more open security culture.

Given that security awareness and education is such an important factor in effective governance, Jaquith [64] links security awareness with security metrics through a range of questions that may be considered as useful pointers for improving security culture:
  • Are employees acknowledging their security responsibilities as users of information systems? (Metric: % new employees completing security awareness training).
  • Are employees receiving training at intervals consistent with company policies? (Metric: % existing employees completing refresher training per policy).
  • Do security staff members possess sufficient skills and professional certifications? (Metric: % security staff with professional security certifications).
  • Are security staff members acquiring new skills at rates consistent with management objectives? (Metrics: # security skills mastered, average per employee and per security team member; fulfilment rate of target external security training workshops and classroom seminars).
  • Are security awareness and training efforts leading to measurable results? (Metrics: By business unit or office, correlation of password strength with the elapsed time since training classes; by business unit or office, correlation of tailgating rate with training latency).
Metrics may be a crude way to capture adherence to security policy, but when linked to questions that are related to the initial risk assessment, they can provide an objective and measurable way to continually monitor and report on the security of a system to the decision makers, as well as those responsible for its governance, in an understandable and meaningful way. However, it is worth noting the complexity of metrics here with the use of the term 'acknowledging': employees do not acknowledge their responsibilities merely by completing awareness training. This reinforces the points already made about the importance of human factors and security culture, and the following section on enacting security policy.
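To make Jaquith's awareness questions concrete, the following added example (not code from CyBOK or from Jaquith's book) computes four of the listed metrics over a small set of constructed employee records: the share of new joiners who completed awareness training, refresher-training compliance against an assumed one-year policy interval, the certification rate among security staff, and the correlation between time since training and an assumed 0-100 password-strength score. The records, the 90-day "new joiner" window, the policy interval and the strength scores are all assumptions for illustration.

```python
"""Security-awareness metrics in the style of Jaquith's culture questions.

Added illustration: the employee records, the policy constants and the
password-strength scores below are constructed, not taken from any real
organization or from the text.
"""
from dataclasses import dataclass
from datetime import date
from itertools import combinations
from math import sqrt
from typing import Optional

NEW_JOINER_WINDOW_DAYS = 90     # assumed: "new employee" = hired in the last 90 days
REFRESHER_INTERVAL_DAYS = 365   # assumed policy: refresher training at least yearly
AS_OF = date(2024, 6, 30)       # constructed reporting date


@dataclass
class Employee:
    name: str
    hired: date
    is_security_staff: bool
    certified: bool                 # holds a professional security certification
    last_training: Optional[date]   # None if never completed awareness training
    password_strength: float        # 0-100 score from an assumed audit tool


# Constructed sample records.
EMPLOYEES = [
    Employee("ana", date(2024, 5, 15), False, False, date(2024, 5, 20), 80.0),
    Employee("ben", date(2024, 6, 1), False, False, None, 40.0),
    Employee("gus", date(2024, 4, 20), False, False, None, 35.0),
    Employee("cara", date(2020, 1, 10), True, True, date(2024, 1, 15), 90.0),
    Employee("dev", date(2019, 3, 3), True, False, date(2023, 2, 1), 60.0),
    Employee("eli", date(2021, 7, 7), False, False, date(2023, 12, 1), 70.0),
    Employee("fay", date(2022, 9, 9), False, False, date(2022, 6, 1), 30.0),
]


def pct(numer: int, denom: int) -> float:
    """Percentage, returning 0.0 rather than dividing by zero."""
    return 100.0 * numer / denom if denom else 0.0


def is_new_joiner(e: Employee, as_of: date) -> bool:
    return (as_of - e.hired).days <= NEW_JOINER_WINDOW_DAYS


def awareness_completion_rate(employees, as_of: date) -> float:
    """% of new employees who have completed security awareness training."""
    new = [e for e in employees if is_new_joiner(e, as_of)]
    done = [e for e in new if e.last_training is not None]
    return pct(len(done), len(new))


def refresher_compliance_rate(employees, as_of: date) -> float:
    """% of existing employees whose last training is within the policy interval."""
    existing = [e for e in employees if not is_new_joiner(e, as_of)]
    compliant = [e for e in existing
                 if e.last_training is not None
                 and (as_of - e.last_training).days <= REFRESHER_INTERVAL_DAYS]
    return pct(len(compliant), len(existing))


def certification_rate(employees) -> float:
    """% of security staff holding a professional security certification."""
    staff = [e for e in employees if e.is_security_staff]
    return pct(sum(e.certified for e in staff), len(staff))


def pearson(xs, ys) -> float:
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0


def strength_vs_training_latency(employees, as_of: date) -> float:
    """Correlation between days since training and password strength.

    A negative value means strength decays as training recedes, which is
    the kind of signal Jaquith's 'training latency' metrics look for.
    """
    trained = [e for e in employees if e.last_training is not None]
    latency = [(as_of - e.last_training).days for e in trained]
    strength = [e.password_strength for e in trained]
    return pearson(latency, strength)


def report(employees, as_of: date) -> dict:
    """All four metrics in one dictionary, ready for a governance dashboard."""
    return {
        "new_joiner_awareness_pct": awareness_completion_rate(employees, as_of),
        "refresher_compliance_pct": refresher_compliance_rate(employees, as_of),
        "security_staff_certified_pct": certification_rate(employees),
        "strength_vs_latency_r": strength_vs_training_latency(employees, as_of),
    }


if __name__ == "__main__":
    for k, v in report(EMPLOYEES, AS_OF).items():
        print(f"{k}: {v:.2f}")
```

The point of keeping each metric as a separate function is that a dashboard can report them against the risk-assessment question they answer rather than as bare numbers; the correlation function also shows why a single percentage can mislead, since the refresher compliance figure says nothing about whether training actually changed behavior.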

1.5.4 Enacting Security Policy

Overall, effective cyber risk governance will be underpinned by a clear and enactable security policy. This section focuses on the elements of risk assessment and management that are relevant to achieving this. From the initial phase of the risk assessment there should be a clear focus on the purpose and scope of the risk assessment exercise. During this phase, for more complex systems or whole-system security, there should be a focus on identifying the objectives and goals of the system. These should be achievable, with clear links from objectives to the processes that underpin them. Risks should be articulated as clear statements that capture the interdependencies between the vulnerabilities, threats, likelihoods and outcomes (e.g., causes and effects) that comprise the risk. Risk management decisions will be taken to mitigate threats identified for these processes, and these should be linked to the security policy, which will clearly articulate the required actions and activities taken (and by whom), and what is expected to happen as a consequence of this risk becoming a reality.
Presentation of risk assessment information in this context is important. Often heat maps and risk matrices are used to visualize the risks. However, research has identified limitations in the concept of combining multiple risk measurements (such as likelihood and impact) into a single matrix and heat map [68]. Attention should, therefore, be paid to the purpose of the visualization and the accuracy of the evidence it represents for the goal of developing security policy decisions.

Human factors (see the Human Factors Knowledge Area (Chapter 4)) and security culture are fundamental to the enactment of the security policy. As discussed, people fail to follow the required security behavior because they are unable to behave as required, or they do not want to behave in the way required [60]. A set of rules dictating how security risk management should operate will almost certainly fail unless the necessary actions are seen as linked to broader organizational governance, and therefore security policy, in the same way HR and finance policy requires. People must be enabled to operate in a secure way and not be the subject of a blame culture when things fail. It is highly likely that there will be security breaches, but the majority of these will not be intentional. Therefore, the security policy must be reflective and reactive to issues, responding to the Just Culture agenda and creating a policy of accountability for learning, and using mistakes to refine the security policy and underpinning processes - not to blame and penalize people.

Security education should be a formal part of all employees' continual professional development, with reinforced messaging around why cyber security is important to the organization, and the employee's role and duties within this. Principles of risk communication are an important aspect of the human factor in security education. We have discussed the need for credible and trustworthy narratives and stakeholder engagement in the risk management process. There are additional principles to consider, such as early and frequent communication, tailoring the message to the audience, pretesting the message and considering existing risk perceptions, that should be part of the planning around security education. Extensive discussion of such risk communication principles that are particularly relevant for messaging regarding risk can be found in [67].

Part of the final risk assessment and management outcomes should be a list of accepted risks with associated owners who have oversight for the organizational goals and assets underpinning the processes at risk. These individuals should be tightly coupled with review activity and should be clearly identifiable as responsible and accountable for risk management.

The core elements of the risk governance process discussed so far are captured in a model from the International Risk Governance Council (IRGC) [66]. This model, which is heavily inspired by Renn's work [41], highlights that risk communication sits at the heart of the governance process and draws on problem framing, risk and concern assessment, risk evaluation, and risk management. The governance process is iterative, always seeking awareness of new problems and evolving threats, and continually reflecting on best practice to manage new risks.

1.6 RISK ASSESSMENT AND MANAGEMENT PRINCIPLES

1.6.1 Component vs. Systems Perspectives

The UK NCSC guidance [52] breaks down risk management into component-driven risk management, which focuses on technical components and the threats and vulnerabilities they face (also known as bottom-up); and system-driven risk management, which analyzes systems as a whole (also known as top-down). A major difference between the two is that component-driven approaches tend to focus on the specific risk to an individual component (e.g., hardware, software, data, staff), while system-driven approaches focus more on the goals of an entire system - requiring the definition of a higher-level purpose and subsequent understanding of sub-systems and how various parts interact.

Rasmussen's work [69] enables us to consider a hierarchy of abstraction and shows how system-driven and component-driven risk assessment techniques are complementary, as the goals and purposes of the system can be considered at the higher level. Notably, this includes a focus on dependencies between sub-goals and also on what the system must not do (pre-defined failure states). These are important to design into the system and, if omitted, lead to having to retrofit cyber security into a system that has already been deployed. The lower levels then consider the capabilities and functionality needed to achieve the overarching goals. At this level, component-driven risk assessments of real-world artefacts (e.g., hardware, software, data, staff) consider how these may be impacted by adverse actions or events.

System-driven approaches can help to better understand the complexity between sub-components and their components. These may include people, technology, and organizational processes for which the interactions and dependencies are non-trivial. Taking such an approach (which may perhaps prove more resource intensive than component-based approaches, due to the identification of inter-dependencies) is only necessary where complexity actually exists. If interactions and dependencies are clear and the system is less complex (e.g., a simple office-based IT infrastructure), then a component-driven approach may be more appropriate.

The NCSC guidance provides a summary table that is helpful in guiding the selection of component-driven or system-driven methods based on the kind of risk management problem being addressed. The major differentiator is that the component view is individual asset-based, where complexity is well understood and expected functionality is clear. The system view supports an analysis of risk in situations of greater complexity, before physical function is agreed and implemented, and supports discussions by key stakeholders on what the system should and should not do. These discussions are crucial in finding the balance between component-level and system-level failure and how best to manage the risk. Component risk is likely to be more important to operational employees who need the component to be functioning in order for their part of a bigger system to perform (e.g., staff, data, devices). System-level risk is likely to be more important to higher-level managers who have a vested interest in the strategic direction of the system. For them, a component further down the value/supply chain may not be perceived to be important, while for the operational employee it is the number one risk. The challenge is to work with both perspectives to develop a representation of risk and an associated risk management policy enacted by all parties.

The NCSC summary table indicates when each kind of method is appropriate:

Component-driven methods:
  • Analyzing the risks faced by individual technical components.
  • Deconstructing less complex systems, with well-understood connections between component parts.
  • Working at levels of abstraction where a system's physical function has already been agreed amongst stakeholders.

System-driven methods:
  • Exploring security breaches which emerge out of the complex interaction of many parts of your system.
  • Establishing system security requirements before you have decided on the system's exact physical design.
  • Bringing together multiple stakeholders' views of what a system should and should not do (e.g., safety, security, legal views).
  • Analyzing security breaches which cannot be tracked back to a single point of failure.

1.6.2 Elements of Risk

While it is useful to avoid creating a universal definition of risk, to support inclusivity of different views and perspectives, it is important to have agreed definitions of the concepts that underpin risk assessment and management. This ensures a common language throughout the process and avoids talking at cross purposes. There are four concepts that are core to a risk assessment in most models - vulnerability, threat, likelihood and impact.

A Vulnerability is something open to attack or misuse that could lead to an undesirable outcome. If the vulnerability were to be exploited it could lead to an impact on a process or system. Vulnerabilities can be diverse and include technology (e.g., a software interface being vulnerable to invalid input), people (e.g., a business is vulnerable to a lack of human resources), legal (e.g., databases being vulnerable and linked to large legal fines if data is mishandled and exposed) etc. This is a non-exhaustive list, but highlights that vulnerabilities are socio-technical.

A Threat is an individual, event, or action that has the capability to exploit a vulnerability. Threats are also socio-technical and could include hackers, disgruntled or poorly trained employees, poorly designed software, a poorly articulated or understood operational process etc. To give a concrete example that differentiates vulnerabilities from threats - a software interface has a vulnerability in that malicious input could cause the software to behave in an undesirable manner (e.g., delete tables from a database on the system), while the threat is an action or event that exploits the vulnerability (e.g., the hacker who introduces the malicious input to the system).

Likelihood represents a measure capturing the degree of possibility that a threat will exploit a vulnerability, and therefore produce an undesirable outcome affecting the values at the core of the system. It may be expressed as a value (e.g., a scale of 1-10 or a percentage).

Impact is the result of a threat exploiting a vulnerability, which has a negative effect on the success of the objectives for which we are assessing the risk. From a systems view this could be the failure to manufacture a new product on time, while from a component view it could be the failure of a specific manufacturing production component.

1.6.3 Risk Assessment and Management Methods

The purpose of capturing these four elements of risk is for use in dialogue that aims to represent how best to determine the exposure of a system to cyber risk, and how to manage it. There are a range of methods, some of which have been established as international standards and guidelines, that provide a structured means to transform vulnerability, threat, likelihood and impact into a ranked list in order to be able to prioritize and treat them. While each method has its own particular approach to risk assessment and management, there are some features common to a number of the most widely used methods that are useful for framing risk assessment and management activities, which can be mapped back to Renn's seminal work on risk governance [41] as discussed in earlier sections. The International Risk Governance Council (IRGC) captures these in its risk governance framework (developed by an expert group chaired by Renn), which includes four core areas and cross-cutting components. Pre-assessment includes the framing of risk, identification of relevant actors and stakeholders, and captures perspectives on risk. Appraisal includes the assessment of causes and consequences of risk (including risk concern), developing a knowledge base of risks and mitigation options (e.g., preventing, sharing etc.). Characterization involves a decision process, making a judgment about the significance and tolerance of the risks. Appraisal and Characterization form the basis of the implementation of Renn's three core components of risk assessment [41]. Management processes include deciding on the risk management plan and how to implement it, including risk tolerance (accepting, avoiding, mitigating, sharing, transferring). Cutting across all four is communication, engagement and context setting through open and inclusive dialogue.
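The four elements and the ranked list described above, as an added worked example (not CyBOK's own code or method): a small Python risk register that records vulnerability, threat, likelihood and impact with an owner and a risk response option, ranks entries for prioritization, and shows the heat-map caveat raised in Section 1.5.4, where two risks that differ in score land in the same matrix cell. The 1-10 scales, band edges and register entries are constructed assumptions.

```python
"""Added example (not CyBOK's own code): a risk register built from the four
elements of risk, ranked for prioritization; scales and entries are assumed."""
from dataclasses import dataclass

# Assumed 1-10 scales for likelihood and impact, bucketed into three bands.
BANDS = ((3, "low"), (6, "medium"), (10, "high"))
TREATMENTS = {"accept", "avoid", "mitigate", "share"}  # risk response options

def band(value):
    """Map a 1-10 value to its heat-map band."""
    return next(name for upper, name in BANDS if value <= upper)

@dataclass(frozen=True)
class Risk:
    ident: str
    vulnerability: str  # something open to attack or misuse
    threat: str         # who or what could exploit it
    likelihood: int     # 1-10
    impact: int         # 1-10
    owner: str          # accountable individual
    treatment: str      # one of TREATMENTS

    def __post_init__(self):
        if not (1 <= self.likelihood <= 10 and 1 <= self.impact <= 10):
            raise ValueError(f"{self.ident}: likelihood and impact must be 1-10")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.ident}: unknown treatment {self.treatment!r}")

    @property
    def score(self):
        return self.likelihood * self.impact

    @property
    def cell(self):
        return (band(self.likelihood), band(self.impact))

# Constructed register entries (illustrative, not real findings).
REGISTER = [
    Risk("R1", "web form passes input to the database unvalidated",
         "attacker submitting malicious input", 7, 9, "Head of Engineering", "mitigate"),
    Risk("R2", "one administrator holds every backup credential",
         "that administrator leaving or being unavailable", 4, 8, "IT Manager", "mitigate"),
    Risk("R3", "reception staff untrained on visitor escort",
         "tailgating into the office", 8, 3, "Facilities Manager", "mitigate"),
    Risk("R5", "customer records held without access logging",
         "mishandled data leading to regulatory fines", 4, 10, "Data Protection Officer", "share"),
]

def ranked(risks):
    """Highest score first; ties broken by impact so high-impact risks surface."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)

def hidden_by_matrix(risks):
    """Heat-map cells whose risks look equal on the matrix but carry different scores."""
    by_cell = {}
    for r in risks:
        by_cell.setdefault(r.cell, []).append(r)
    return {cell: [r.ident for r in ranked(rs)]
            for cell, rs in by_cell.items() if len({r.score for r in rs}) > 1}
```

Running `ranked(REGISTER)` gives the prioritized list, while `hidden_by_matrix(REGISTER)` reports the cell in which R2 and R5 would be drawn as equals despite their different scores.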

The US Government NIST [70] guidance captures the vulnerability, threat, likelihood and impact elements inside the prepare (pre-assessment), conduct (appraisal and characterize), communicate (cross-cutting), maintain (management) cycle (see Figure 2.4). A step-by-step detailed guide can be found in the full document, but we summarize the actions here.

Prepare involves identifying the purpose (e.g., establishing a baseline of risk or identifying vulnerabilities, threats, likelihood and impact) and scope (e.g., what parts of a system/organization are to be included in the risk assessment? What decisions are the results informing?). It also involves defining assumptions and constraints on elements such as resources required and predisposing conditions that need to inform the risk assessment. The assessment approach and tolerances for risk are also defined at this stage, along with identifying sources of information relating to threats, vulnerabilities and impact.

Conduct is the phase where threats, vulnerabilities, likelihood and impact are identified. There are a range of ways that this can be conducted, and this will vary depending on the nature of the system being risk assessed and the results of the prepare stage. NIST has a very specific set of tasks to be performed. These may not be relevant to all systems, but there are some useful tasks that generalize across multiple system perspectives, including identifying: threat sources and adversary capability, intent and targets; threat events and relevance to the system in question; vulnerabilities and predisposing conditions; likelihood that the threats identified will exploit the vulnerabilities; and the impacts and affected assets. Note that the ordering of actions in the NIST approach puts threat identification before vulnerabilities, which presupposes that all threats can be identified and mapped to vulnerabilities. It is worth highlighting that risk assessment must also be effective in situations where threats are less obvious or yet to be mainstream (e.g., IoT botnets) and, therefore, some organizations that are particularly ingrained in digital adoption may also wish to consider conducting a vulnerability assessment independently of or prior to the identification of likely threats, to avoid making assumptions on what or who the threat actors may be.

Communicate is one of the most important phases, and one often overlooked. Conducting the risk assessment gives one the data to be able to inform actions that will improve the security of the system. However, it is crucial that this is communicated using an appropriate method. Executive boards will expect and need information to be presented in a different way to operational team members, and general organizational staff will need educating and guiding in an entirely different way. The results and evidence of the risk assessment must be communicated in a manner accessible to each stakeholder and in a way that is likely to engage them in risk management planning and execution.

Maintain is an ongoing phase that is essential to continually update the risk assessment in the light of changes to the system environment and configuration. Security postures change regularly in digital environments, for example when new devices are rapidly integrated into corporate IT systems. This kind of rapid integration is likely to change the exposure to risk and, therefore, the scope would need to be refined, new risk assessments carried out, and action taken and communicated to all stakeholders to ensure that the new risk is managed. This scenario indicates that (i) risk assessment maintenance must be proactive and undertaken much more regularly than on an annual basis, and (ii) conducting risk assessment for compliance purposes (possibly only once a year) will leave the organization wide open to new technological threats unless the maintain phase is taken seriously. Risk factors should be identified for ongoing monitoring (e.g., changes in technology use within the system), the frequency of risk factor monitoring should be agreed, and change-triggered reviews should revisit and refine the scope, purpose and assumptions of the risk assessment, remembering to communicate the results each time new risks are identified.

The international standard ISO/IEC 27005 for risk management [71] contains analogous activities to the NIST guidance (see Figure 2.6). It includes an Establish Context phase, which is broadly aimed at achieving the outcomes of the Prepare phase of NIST and the IRGC Pre-assessment phase. The Risk Assessment phase is multi-layered, with identification, estimation and evaluation stages. This aligns with the IRGC's appraisal and characterization phases. ISO/IEC 27005 also has Risk Communication and Risk Monitoring and Review phases, which relate broadly to the aims of the NIST Communicate and Maintain phases, and IRGC's cross-cutting communication, context and engagement phases. ISO/IEC 27005 has additional elements that explicitly capture risk management decision processes, but it is not prescriptive on how to implement them. The inclusion of the treatment and acceptance phases linked to communication and review captures some of the fundamental management aspects, offering the choice of treatment or acceptance as part of the assessment process. This aspect of the ISO/IEC 27005 approach is analogous to the risk response element of the NIST SP 800-39 guidance on risk management [45], where the risk response options include acceptance, avoidance, mitigation, or sharing/transfer. The take-away message from this comparison is that, while the risk assessment methods may differ at the risk assessment phase (depending on the type of system being analyzed and the scope of the study), the preparation, communication, and continual monitoring phases are must-haves in both widely used international guidelines, as are the important decisions around risk tolerance. ISO/IEC 27005 is less prescriptive than NIST, so it offers the option to include a range of assessment and management approaches within the overall process.