How to Manage Risk in a Better Way (2019)
Risk is managed at every level of your business, yet it is owned in the boardroom and the C-suite. As an executive, one of your primary responsibilities is to manage risk to protect your business and create an environment for it to grow and thrive. This blog explains how to manage risk in a business and a company in an efficient manner.
It is critically important that you create and maintain a risk management program owned at the most senior levels and designed to cascade throughout the business to where each employee knows they are valued and essential stakeholders in the risk management program.
A formal and disciplined risk management program best postures you for successful identification of risk, management, and control over risk factors and sustained risk awareness.
The best risk management programs have well-defined processes, well-trained and motivated employees who understand and implement the program, and active leadership who maintain ownership over the risk management program.
You need to “know your enemy” and “know yourself” in order to have a successful risk management program.
When addressing your cybersecurity risk, it is imperative that you understand your threats, threat sources, and vulnerabilities and have as accurate a measure of the likelihood of an incident as possible.
You must consider all vulnerabilities including those presented by technical means, procedural or material defects, or human failures or deficiencies.
It is possible to measure and estimate cybersecurity risk. While cybersecurity risk estimation processes generally are not as mature as traditional risk estimations used by most corporations, cybersecurity risk can be quantified in monetary terms using the quantitative risk assessment technique.
This technique is difficult to employ due to the difficulty in assessing precise value to information and even greater difficulty in determining the likelihood of loss.
We believe that with prudent analysis and management judgment and oversight, reasonable estimates on the valuation of information are possible. Moreover, it is feasible to carefully analyze threat stream and statistical information to make informed estimates on the likelihood of events.
When these conditions exist, we believe the quantitative risk analysis methodology can be used to assess cybersecurity risk. We believe you should incorporate quantitative risk assessments into your corporate business processes, wherever possible.
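The quantitative approach described above, as an added worked example (not code from the original post): it uses the standard single-loss-expectancy / annualized-loss-expectancy formulation, which the post does not spell out, and carries every input as a low / likely / high estimate so the output is a range rather than a single false-precision number. The asset values, exposure factors, incident rates and control cost are constructed for illustration.

```python
"""Quantitative cyber-risk estimate in monetary terms (added example).

Formulas used (standard quantitative risk assessment, not stated in the post):
    SLE = asset value x exposure factor        (dollars lost in one incident)
    ALE = SLE x annual rate of occurrence      (expected dollars lost per year)

Every input is a three-point estimate because the post stresses that both the
valuation of information and the likelihood of loss are only estimates.
All figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A three-point estimate: lower bound, most likely, upper bound."""
    low: float
    likely: float
    high: float

    def __post_init__(self) -> None:
        if not (self.low <= self.likely <= self.high):
            raise ValueError("estimate must satisfy low <= likely <= high")


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: Estimate      # dollars at stake (e.g. a trade-secret design repository)
    exposure_factor: Estimate  # fraction of the asset value lost per incident (0..1)
    aro: Estimate              # expected incidents per year


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy, rounded to cents."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized loss expectancy, rounded to cents."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return round(sle(asset_value, exposure_factor) * aro, 2)


def ale_range(s: Scenario) -> Estimate:
    """Carry the three-point inputs through to a three-point ALE.
    Inputs are non-negative, so low inputs give the low bound and high inputs the high bound."""
    return Estimate(
        low=ale(s.asset_value.low, s.exposure_factor.low, s.aro.low),
        likely=ale(s.asset_value.likely, s.exposure_factor.likely, s.aro.likely),
        high=ale(s.asset_value.high, s.exposure_factor.high, s.aro.high),
    )


def control_value(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Net annual value of a control: ALE reduction minus the control's yearly cost,
    using the most-likely estimates. Positive means the control pays for itself."""
    reduction = ale_range(before).likely - ale_range(after).likely
    return round(reduction - annual_control_cost, 2)


# Constructed scenario: theft of a trade-secret design repository.
DESIGNS_UNPROTECTED = Scenario(
    name="design repository, no data-loss controls",
    asset_value=Estimate(1_000_000, 2_000_000, 5_000_000),
    exposure_factor=Estimate(0.1, 0.3, 0.6),
    aro=Estimate(0.05, 0.10, 0.25),
)
# Same asset after adding removable-media controls and data-loss monitoring;
# the estimate assumes these cut the incident rate but not the asset's value.
DESIGNS_CONTROLLED = Scenario(
    name="design repository, with removable-media and data-loss controls",
    asset_value=DESIGNS_UNPROTECTED.asset_value,
    exposure_factor=DESIGNS_UNPROTECTED.exposure_factor,
    aro=Estimate(0.01, 0.02, 0.05),
)
CONTROL_COST_PER_YEAR = 20_000.0  # constructed yearly cost of the controls

if __name__ == "__main__":
    before = ale_range(DESIGNS_UNPROTECTED)
    after = ale_range(DESIGNS_CONTROLLED)
    print(f"ALE before: ${before.low:,.0f} / ${before.likely:,.0f} / ${before.high:,.0f}")
    print(f"ALE after:  ${after.low:,.0f} / ${after.likely:,.0f} / ${after.high:,.0f}")
    net = control_value(DESIGNS_UNPROTECTED, DESIGNS_CONTROLLED, CONTROL_COST_PER_YEAR)
    print(f"Net annual value of the controls: ${net:,.0f}")
```

The width of the before/after ranges is the point: a control whose benefit is positive only at the most-likely estimate deserves more scrutiny of the inputs before money is committed.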
Calculate your cybersecurity risk
The sad state of affairs today is that most companies do not have a clue as to what their cyber risk profile is nor do they know how to calculate it. There are many who believe that there is no means to calculate your cybersecurity risk.
We do not agree. We believe that cybersecurity risk can be calculated using some of the same techniques you use to calculate risk in other sectors.
We will show you some examples demonstrating cybersecurity risk calculations, but before we get to the formulas, let’s review with you areas that commonly are exploited by the top five sources of cyber threats.
Threats to Your Intellectual Property and Trade Secrets
Next to your treasured workforce, your intellectual property and trade secrets are arguably your most valued assets. These are the most common targets for nation-states, organized crime, and insider threats.
Why? For the same reason you retain ownership of your intellectual property and keep secret the special (proprietary) tools of the trade that make your business a success: possession of intellectual property and trade secrets yields a competitive advantage.
Some nation-states and many criminals actively probe the net, looking to steal intellectual property and trade secrets. This is a lucrative market for the end consumer of the information, be it state-owned businesses or those who purchase such information.
It permits them to avoid costly research and development activities, move to production faster, and potentially muscle you out of the market.
Recall the Interpol estimate that cyber espionage is responsible for the theft of intellectual property from businesses worldwide worth up to US $1 trillion.[1] This is a serious threat to you and your business.
So, what is the risk that your intellectual property and trade secrets may be exploited? Let’s use the following checklist to see if you are vulnerable to cyber espionage, theft, or exploitation:
Vulnerability Checklist (Cyber Espionage, Theft, and Exploitation)
1. Do you have intellectual property and trade secrets you need to protect?
2. Do you currently or in the future have market competitors who would benefit by having access to your intellectual property and trade secrets?
3. Do you store your intellectual property and trade secrets on computer systems?
4. Are your computer systems connected to the Internet?
5. Do your computer systems have Universal Serial Bus (USB) connections that enable thumb drives to be connected?
6. Do your computers have read-write DVD/compact disk drives?
7. Do you have frequent and regularly scheduled backups of your information?
8. Do you store your backup information in an off-site location?
9. Do you use any data feeds from other sources into your network?
10. Do you contract your system administration, maintenance, or software support?
How many “yes” answers did you have? If you had one or more, then you are susceptible to cyber-based risk.
“Wait!” you might ask, “Why do I have a cyber-based risk if I answered even one of the questions with a yes?” Here’s a quick rundown of how a “yes” to any of the following questions could lead to a cyber-based risk.
1. Intellectual property and trade secrets:
If you have them, you need to protect them. Suppose you are diligent in protecting your critical information: you do not have it stored on a computer, you maintain only hard copies of your classified documents, and you limit physical access to the documents.
Unfortunately, one of your employees has been recruited by one of your competitors to acquire your information.
They gain access to your files, photograph them with their cell phone camera, and upload the images from their phone onto a destination selected by your competitor. Fiction?
Regrettably no, as this type of exploitation has occurred multiple times around the world. If you have sensitive information, protect it. We recommend you keep cell phones and similar devices away from it.
Don’t forget meetings where you discuss sensitive information either. If someone has a phone in the room, your meeting may be broadcast to people and places you don’t want to include.
2. Manage Competitors:
Your competitors want to have a competitive advantage over you. Most are honorable and exercise fair and open competition; however, a rare few employ agents who seek access to your information (unauthorized, of course).
Nation-states, organized crime, and unscrupulous businesses all have been known to actively use cyber-based resources to steal or tamper with sensitive intellectual property and trade secrets.
Cyber espionage is a growing problem in the marketplace, with complaints to law enforcement officials continuing to rise. You and your business are at risk. Additionally, the better you are and the bigger you are, the bigger and more lucrative target you present.
3. Manage Computer storage:
If you store your information on a computer, you are like most other entities. Computers and their storage devices have become the preferred storage media for the world’s information, far surpassing paper copies.
This is because computer-based storage is less expensive, provides much faster search and retrieval capability, and enables near-instantaneous transmission of information to multiple locations.
The advantages of computer-based storage are many, yet this mode of storage comes with risks as well. Computers rely on electrical power and therefore must have a reliable, uninterruptible power source. They are machines that require maintenance and have components that sometimes fail.
They require software to operate effectively and software requires maintenance, regular updates, and most often licensing fees. There are ample possible points of failure that can deny you access to your critical information or present weaknesses that could be exploited by potential adversaries. This presents a risk.
4. Manage Internet access:
If your information is on a computer connected to the Internet, it is potentially exposed to anyone else on the Internet.
Certainly, you can and should implement prudent security measures such as boundary protection (i.e., firewalls, proxy servers, access control lists, etc.), encryption, and other technical measures.
But if your critical intellectual property and trade secrets reside on a system connected to the Internet, there is a risk that someone smarter than your IT team will gain access to that information.
5. Manage USB connections:
USB ports add great convenience and transportability for information. You can plug in an inexpensive high-capacity thumb drive to transfer files between the computer and the thumb drive and even launch programs from the thumb drive.
How many times have you used a thumb drive to transport a business presentation, sensitive data, or even pictures of your family?
Like us, you likely have done so. Regrettably, bad actors have taken note of the proliferation of thumb drives and other devices that connect to USB ports (such as smartphones, digital cameras, and even the author’s watch!) and are now using them for malicious purposes.
An example is the recent Stuxnet attack, where the destructive code is said to have been inserted into the isolated Iranian nuclear control systems by using an infected thumb drive. Any device connected to your computers via a USB port has the potential to insert or retrieve information. There is a risk.
6. DVD/CD read-write drives:
These older media devices pose similar risks as do USB devices. They could be the entry point for malicious code or the egress point for your critical information.
U.S. Army Private Bradley Manning confessed to having used a compact disk with read-write capabilities to exfiltrate 1.6 gigabytes of classified information that he later uploaded to WikiLeaks.
As the U.S. Army painfully discovered, any time you have the ability to download information from your computer or the network it is connected to, you have a risk that the information may end up in the hands of unauthorized personnel.
7. Manage Data backups:
This is considered a routine maintenance and risk avoidance activity in most professionally run IT departments.
Ensuring that you have duplicates of your information helps insulate you from hardware failures like crashed hard drives, software faults that occasionally corrupt files, and even “stupid users” who inadvertently delete critical information.
While many backups now are done through automated routines, it is important to find the right frequency and time to execute your backups lest you adversely affect business operations.
Because of the volume of data many businesses have, data backup often is done incrementally on a prescribed basis. Many businesses run the risk that a system failure will erase any data created since the last backup. Do you know how often your IT shop backs up your data? You have a risk—do you know what it is?
8. Off-site storage:
This is a best practice within the IT community and entails maintaining backup copies of critical information at a location other than the primary location. This is designed to ensure that the data survives in the event of a catastrophe at the primary location.
As a result of the terrorist attacks on New York in 2001, many companies recognized the risk to their continuity of operations when their information was inaccessible.
Now, most businesses have robust off-site storage and data recovery plans designed to facilitate rapid restoration of capabilities from secured locations.[4] They are reducing their risk by doing this. How are you addressing your storage risk?
9. Data Feeds:
Many, if not most, businesses rely on data from other sources to execute their operations. Financial institutions exchange transaction information at the speed of light. Similarly, electronic commerce flows through the Internet at ever-increasing volumes every day.
Business partners place orders through electronic data interchange (EDI) formats that are standardized around the globe. Data feeds fuel the business world and enable fast transactions at lower cost and greater precision. They also present a risk. What happens when your feeds are unavailable?
What happens if one of your data feeds is corrupted and is feeding your system with bad information? How would you know? How long would it take to fix? How much would it cost?
The integrity of your business depends on the accuracy of your information. You need to address your data feeds in your risk management planning.
10. Contracted system administration, maintenance, and software support:
Anyone who has access to your information, especially your intellectual property and trade secrets, poses a potential risk to steal or tamper with that information.
Your business likely vets each of its employees, but what provisions do you have to ensure that your contracted support is equally trustworthy?
What provisions do you have to ensure their competence? As with your own employees, be mindful that your intellectual property and trade secrets are vulnerable to theft, tampering, or destruction by contracted personnel. That is a risk worth protecting against.
We anticipate your intellectual property and trade secrets are potentially vulnerable. You want to protect them from the many cyber-based threats confronting you and your business, but what of other threats? How well do you “know yourself” and your vulnerabilities to other threats?
How to manage Technical Risks?
Technical risks are those risks presented through the operations and maintenance of the technical systems used by your business, for example, computers, processors, monitors, controllers, timers, alarms, etc. They are plentiful and can be catastrophic to your business.
If your chief information officer (CIO) is telling you that the IT staff is a crackerjack team and you don’t face a cybersecurity risk, we submit that it is time to begin your search for a new CIO.
How do you know you and your business have technical risks? They are there. Do you know what they are and have a plan to address them?
Let’s use the following checklist of questions to see if you are vulnerable to some of the most common technical risks found in organizations.
Vulnerability Checklist (Common Technical Risks)
1. Have you or your business ever been hacked?
2. Have you ever found malicious code (such as viruses, trojans, or worms) or unauthorized software on your systems?
3. Is your network being probed by outside entities?
4. Do any of the members of your IT staff fail to maintain current industry certifications in their specialties?
5. Are there more current software versions, including patches, available for your system?
6. Do you store data “in the cloud”?
7. Does your workforce use mobile devices such as smartphones, tablet computers, and laptops to conduct your corporate business?
8. Does your business solely rely on passwords to control access to the network and information?
9. Does the business conduct annual vulnerability scans of your network?
10. Do you allow remote access to your network?
If you answered “yes” to any of these questions, you have technical risks that need to be addressed.
We recognize that most executives have neither the time nor the inclination to become IT experts (although we have met many executives who mistakenly thought they were already!). Nonetheless, it is important to understand the basics and how they affect you and your business.
Let’s expand a bit on the aforementioned technical risk assessment (vulnerability checklist) so you can see where you and your business may have cyber security risks that ought to be addressed:
Previous incidents of hacking:
Organizations that have been hacked before are more likely to face other hacking attempts. Hackers like the challenge of breaking into systems and often post their results on Internet message boards to show off to their peers.
This invites others to try to get into your system as well because you have been identified as vulnerable.
Additionally, many hackers who successfully penetrate into systems will create “backdoors” that will permit them to come back whenever they want, undetected by you and your security personnel.
They are very careful to cover their tracks and try to leave no trace behind that will lead law enforcement and your security personnel to them or their backdoor capabilities.
If you have been hacked before, you are at great risk of being targeted again!
Manage Malicious code:
Malicious code includes such things as viruses, trojans, worms, and remote access trojan (RAT) kits.
Suffice it to say that malicious code can get into your system and cause significant damage to you and your business. There are numerous ways malicious code can enter your system. Malicious code can enter through an email message with an attachment or self-extracting file.
It can enter your system through a mobile device connecting with a poisoned connection point, such as a Wi-Fi spot, that has been compromised by a hacker.
It can enter through contaminated media like the thumb drives cited in the Stuxnet example. It can even enter your system when you visit websites that have been infected with the malicious code and pass it on to your system.
Even if you have the best antivirus detection software on the planet, once the malicious code gets into your system, eradicating it often is expensive and difficult.
If you’ve been infected before, there is a chance that the malicious code may have opened up your system for the planting of even more insidious and undetectable code. This is a significant cybersecurity risk!
Manage Network probes:
If you are being told you aren't being probed, either you aren't connected to the Internet or you have an incompetent IT staff. The Internet is chock-full of people scanning the net looking for vulnerabilities.
In fact, there is a cottage industry evolving where hackers look for corporate networks that are improperly configured, find the vulnerabilities, and exploit them, leaving behind RAT kits that give them remote access into the corporate networks.
They then advertise that they have control of the networks and sell their services to the highest bidders, which occasionally includes the affected company, who pays to have them removed from its network.
The lesson is that you will always be subject to probes looking for vulnerabilities. Ensure your defenses are adequate, properly configured, and technically current to minimize your risk.
Manage Staff certification:
Would you fly on a jet airliner piloted by an individual who only had flown a single-engine propeller airplane a couple of years ago?
Who would do that? You expect the pilots to maintain their commercial pilot certifications, which include the requisite qualification training, physical and mental wellness, continuing education, simulator currency training, and actual flight time, to maintain their proficiency. You should expect the same from your IT staff.
The IT industry has numerous professional certification programs to ensure that your IT staff has the current level of expertise and talent to perform at the high levels your business needs and deserves.
If you have IT personnel who do not have or do not maintain their professional certifications, they may not be capable of adequately defending your information against increasingly sophisticated threats. As such, you may expose yourself and your company to cybersecurity risks.
Moreover, like an airline that has an accident at the hands of a pilot who lacks certification, if your network is managed by technicians who don’t have proper certification and qualifications, you may expose yourself and your company to litigation in the event that your network is breached.
Our recommendation is that whether your IT staff is comprised of direct employees or contracted personnel, you need to ensure they have the right qualifications and certifications to do their jobs properly.
This will reduce your risk of having networks and systems that are not professionally and properly configured and operated. Moreover, it will reduce your liabilities in the event your system or that of one of your customers is compromised.
How to manage Software currency?
Did you know that Microsoft releases security patches the second Tuesday of every month? Known as “Patch Tuesday,” it has been a great help to IT staffs around the world and significantly helps improve the security of Microsoft products.
Companies like Microsoft routinely issue patches to their code to improve their products and harden them against vulnerabilities that have been discovered in their code.
Unfortunately, it takes time for the software developers to create patches to counter vulnerabilities, so the time between detection of the vulnerability and fielding of the patch is when you are most vulnerable.
Therefore, when a certified and tested patch emerges from the vendor, it is in your best interest to patch your system quickly to reduce your risk exposure.
Likewise, newer versions of software repeatedly have been found to be better constructed and more secure. Maintaining current software configurations and patches is an IT best practice that minimizes your cybersecurity risk.
Manage Storage in the cloud:
The jury is still out when it comes to cloud storage and security. Cloud storage involves storing data on multiple servers often connected to the Internet and generally is hosted by third parties.
Because your data is being handled on devices managed by someone else, likely will traverse across the Internet, and is hosted on “virtual” servers on platforms that host information that belongs to other entities, what could go wrong?
We contend that cloud computing presents an attractive and economical means of storing data yet presents a cybersecurity risk worthy of a thorough risk/benefit analysis before making any commitment to put mission-critical information into “the cloud.”
How to manage Mobile devices:
They are everywhere! You likely have a smartphone and a tablet computer to complement the desktop that graces your office. After all, you need to be connected all day, every day, no matter where you are.
You need to be connected to your workforce as they execute their duties, no matter when and where they are too. It is intoxicating to see how fast the business community works when it employs mobile computing devices. Choices in devices are exploding too.
Employees clamor for the latest and greatest devices, while IT departments struggle to integrate heterogeneous devices powered by disparate operating systems from Apple, Microsoft, Google, and others into the corporate network.
Mobile devices often connect to other networks that may not be protected as well as yours and may serve as a means to introduce malicious code into your network when they “return home.” Mobile devices are great tools yet require the policies, procedures, training, and discipline to minimize your cybersecurity risk.
How to manage Passwords:
Passwords are getting easier to crack and exploit. The U.S. Department of Defense recognized this fact years ago and invested in a two-factor authentication system using Public Key Infrastructure (PKI) to verify identities prior to granting network access.
The department’s PKI system features identification cards with a chip containing electronic tokens associated with the individual. Defense personnel logging into defense networks slide their identification card into a reader that reads the electronic chip to retrieve the token and queries the user for their password.
Once that is supplied, the network domain controller polls a trusted server on the network to verify that the password and token indeed are appropriately matched before granting the user access to the network.
The commercial sector too is rapidly adopting two-factor authentication in lieu of simple passwords as a means to authenticate and grant access to network and information resources.
For example, the author’s bank offers a similar two-factor authentication system for its electronic banking to reduce its risk of theft. If you do use passwords, there are several best practices you should follow at home as well as in the office.
Try to make your password something you can and will remember.
Don’t store your password on a sticky note by your computer, in your wallet, or in your phone. Keep it as secure as the information it protects!
Don’t make your password easy to figure out, such as your spouse’s or child’s name or your favorite sports team. Bad actors run password cracking programs that have thousands of passwords like these already stored in their tables.
Passwords of 14 characters or more are statistically most secure. Use the maximum strength password that your system will allow.
Never share your password with anyone.
Never reuse your username and/or password on other accounts.
Make sure your password has two uppercase letters, two lowercase letters, two special characters (e.g., @, #, $, %), and two numbers in it.
Avoid using typical character substitution in lieu of letters.
Change your passwords often. We recommend you change your passwords every quarter. Now, with automated reminders you can load in your phone, you have no excuse for forgetting to do it.
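A checker for the rules listed above, as an added example (not code from the original post): it enforces the 14-character minimum, the two-of-each composition rule, rejects a dictionary word once typical character substitutions are undone (the reason the post tells you to avoid them), and flags reuse. The wordlist, special-character set and substitution table are small constructed samples standing in for a real cracking dictionary.

```python
"""Password-rule checker for the guidance above (added example).

Rules encoded from the post: length of 14 or more; at least two uppercase,
two lowercase, two digits and two special characters; not a dictionary word
once typical substitutions ("P@ssw0rd" -> "password") are undone; not reused.
COMMON_WORDS, SPECIALS and LEET_MAP are constructed samples, not real lists.
"""
from __future__ import annotations

import hashlib
import string

MIN_LENGTH = 14
SPECIALS = set("@#$%!&*?^_-+=.,:;")           # constructed; the post cites @ # $ %
COMMON_WORDS = {"password", "welcome", "summer", "michael", "jennifer",
                "yankees", "letmein"}             # constructed stand-in for a cracker's wordlist
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def fingerprint(password: str) -> str:
    """Digest used only to compare against passwords already in use, so the
    checker never needs the old passwords themselves (demo only; a production
    store would use a salted, slow password hash)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def normalize(password: str) -> str:
    """Strip trailing digits/symbols, then undo common substitutions, so that
    'J3nn1fer2019!!' is looked up in the wordlist as 'jennifer'."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core.translate(LEET_MAP)


def check_password(password: str, used_fingerprints: frozenset[str] = frozenset()) -> list[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    counts = {
        "uppercase letters": sum(c.isupper() for c in password),
        "lowercase letters": sum(c.islower() for c in password),
        "digits": sum(c.isdigit() for c in password),
        "special characters": sum(c in SPECIALS for c in password),
    }
    for label, count in counts.items():
        if count < 2:
            problems.append(f"fewer than two {label}")
    core = normalize(password)
    if core in COMMON_WORDS:
        problems.append(f"dictionary word '{core}' once substitutions are undone")
    if fingerprint(password) in used_fingerprints:
        problems.append("already used on another account")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "J3nn1fer2019!!", "Blue-Tiger#42Lamp!x"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```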
Manage Vulnerability scans:
Your cybersecurity personnel should be continually scanning your network to detect suspicious behavior and to find and correct vulnerabilities. Scanning is not a once-a-year event.
Your CIO and chief information security officer (CISO) should have the results of vulnerability scans as one of their primary job performance metrics.
The scans should show how many vulnerabilities are present. Up-to-date scanning software can categorize the severity of each vulnerability to aid in the risk management process.
These are your risks. You own them; they don’t just belong to the CIO and CISO. Ask to see the results regularly and incorporate them into your governance and oversight rhythm.
It is our experience that when vulnerability information makes its way to the directors and officer level, attention is paid and the number of vulnerabilities quickly drops!
Manage Remote access:
This capability provides increased employee productivity and cost savings when implemented efficiently, effectively, and securely.
When it is not properly configured, bad actors may find it to be “the information superhighway” to your corporate secrets. There are several risks that remote access poses to your cybersecurity posture:
First, the device you are using at the distant end may be infected or contaminated. You don’t know what that device has plugged into before it came to your network asking to be connected. It may have a virus just waiting to infect your network!
Second, when you permit that device to connect, you are opening up your security perimeter, making it increasingly difficult to defend against hostile threats.
Third, once you open up that hole in your defenses, you need to ensure it is sealed properly after the remote access session is concluded.
We have found a best practice is to implement a policy establishing a limit on the amount of time for the remote connection.
When the limit is up, the session is terminated unless the legitimate user on the distant end reverifies their identity to the network. Another best practice enabled by technology is to implement a “comply-to-connect” policy.
This means that when a device goes to log in to the network remotely, it is quickly scanned by your network devices to ensure it is properly configured to your standards and is free of malicious code.
This capability is not inexpensive and slows down the log-in process, but it definitely helps prevent contamination from remote access devices. Remote access is a powerful capability for your mobile workforce, yet we advise caution in granting remote access. Not everyone needs it.
An important reminder about remote access is that it not only applies to your administrative and business computing systems but also to your specialized equipment too.
Many industrial control systems (ICS) such as your heating, ventilating, and air conditioning controls (HVAC), industrial machinery (e.g., pumps, valves, flow and speed regulators, and fuel systems), water and sewage, and power generation all rely on specialized computer controls to operate.
Often referred to as Supervisory Control and Data Acquisition (SCADA) systems, these embedded computing devices control and regulate the critical systems that support the technology we have grown highly reliant upon.
Many SCADA systems are connected to the Internet and have been fielded without adequate cybersecurity controls. Frankly, when many were fielded years ago, the cybersecurity threat was so small that many people did not notice the threat to SCADA systems.
As we saw with the recent Stuxnet attack, SCADA systems indeed are vulnerable and cyber attacks on them can have a catastrophic effect. Physical security of these systems is important too.
Even if the device is not connected to the Internet, if it is accessible to someone physically connecting to it, you are at risk. We recommend you minimize your risk by only granting access to those who truly need it and only during those times when they need it.
The risks identified earlier are just a few of the technical risks that are out there. Fortunately, technical risks can be reduced significantly by the professional management of your information technologies, regular independent auditing, and prudent investments to maintain system currency.
These are core competencies of your CIO and CISO, yet they need your help and support to ensure that the appropriate mix of plans, policies, and resources is applied to provide the optimum cybersecurity posture to meet your business objectives. It is a team effort!
Manage Human Risks
Because cybersecurity is a team effort, as an executive, you need to recognize the strengths and weaknesses of your team. Not everyone on your team is a superstar when it comes to cybersecurity.
Human risks to your cybersecurity posture are profound. From the top of your organization to the bottom, your workforce presents significant risks that you need to address.
Wonder what kinds of human risks you and your company may face in the cybersecurity realm? Here are a few common ones (and they may look familiar in non-cybersecurity settings too) that you need to address deliberately before they yield catastrophic results:
Spear phishing and whaling:
In a spear-phishing attack, a target receives a carefully crafted email that looks like it came from a legitimate source. It has the right look and feel to make the recipient think it is an ordinary email.
The recipient is lured either to download a seemingly harmless file attachment or to click a link to a malware- or exploit-laden site. The file, often a vulnerability exploit, installs malware on the compromised computer.
The malware then accesses a malicious command and control server to await instructions from a remote user. At the same time, it usually drops a decoy document that will open when the malware or exploit runs to hide malicious activity.
Are you and your workforce susceptible to these email-based attacks? Absolutely! We all are. How can you reduce your risk? Before opening any email, look at the message information in your inbox and ask the following questions.
Manage Email Queries
Relevant: Is this message relevant to me and what I am doing?
Expected: Did I expect this message?
Authenticated: Did this really come from the person that it says it came from? Is it from a different email address than I am used to?
Digitally signed: Is this digitally signed? Digital signatures are increasing in use and help verify the identity of the sender. Look to see if the sender signed it to verify their identity.
If you answer “no” to any of these questions, you need to be on alert that the email may be tainted. Never click on an embedded link without knowing for sure where it is going! Never click to open an attachment that comes from a suspicious source! READ your mail carefully!
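Two of the four questions above, "Authenticated" and "Digitally signed", can be checked mechanically from the message headers before a human weighs relevance and expectation. This is an added example, not code from the original post; it uses Python's standard email module, two constructed sample messages, and an assumed set of trusted domains.

```python
"""Header checks for the "Authenticated" and "Digitally signed" questions.

Added example (not from the original post). "Authenticated" is read as: does
the visible From domain match the domain that passed DKIM/SPF in the receiving
server's Authentication-Results header? "Digitally signed" is read as: is the
message S/MIME or PGP/MIME signed? "Relevant" and "Expected" stay with the reader.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample 1: display name looks internal, the From domain is a
# look-alike (.co instead of .com), Reply-To points elsewhere, and DKIM/SPF
# passed only for the look-alike domain (an "authentic" impostor).
SUSPICIOUS_EMAIL = b"""\
From: Finance Dept <accounts@example-corp.co>
Reply-To: accounts@mail-drop.example
To: assistant@example-corp.com
Subject: Invoice 4471 - please process today
Authentication-Results: mx.example-corp.com; dkim=pass header.d=example-corp.co; spf=pass smtp.mailfrom=example-corp.co
Content-Type: text/plain; charset=utf-8

Please review the attached invoice and process it today.
"""

# Constructed sample 2: internal sender, DKIM passed for that same domain,
# S/MIME signed (the signature part is a placeholder, not a real signature).
SIGNED_EMAIL = b"""\
From: Jane Doe <jane.doe@example-corp.com>
To: assistant@example-corp.com
Subject: Monday agenda
Authentication-Results: mx.example-corp.com; dkim=pass header.d=example-corp.com; spf=pass smtp.mailfrom=example-corp.com
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig"

--sig
Content-Type: text/plain; charset=utf-8

Agenda for Monday is below.
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"

(placeholder for the detached signature bytes)
--sig--
"""

TRUSTED_DOMAINS = {"example-corp.com"}  # assumed: domains you normally correspond with


def _domain(header_value) -> str:
    """Lower-cased domain of the first address in a header (empty if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes, trusted_domains=TRUSTED_DOMAINS) -> dict:
    """Run the header checks on one raw message and return the findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To")) or from_domain

    # Authentication-Results is stamped by your own receiving server. Its
    # verdict only helps if the authenticated domain is the visible one.
    auth = str(msg.get("Authentication-Results") or "")
    dkim = re.search(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", auth, re.I)
    spf = re.search(r"spf=pass\b[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", auth, re.I)
    aligned = {m.group(1).lower() for m in (dkim, spf) if m}
    authenticated = from_domain in aligned

    # S/MIME and PGP/MIME signed messages are multipart/signed; opaque S/MIME
    # arrives as application/pkcs7-mime. Only presence is checked here; the
    # mail client verifies the signature against the sender's certificate.
    signed = msg.get_content_type() in ("multipart/signed", "application/pkcs7-mime")

    findings = {
        "from_domain": from_domain,
        "from_domain_trusted": from_domain in trusted_domains,
        "authenticated_as_visible_sender": authenticated,
        "reply_to_differs": reply_domain != from_domain,
        "digitally_signed": signed,
    }
    # Any "no" puts the reader on alert, as the checklist says.
    findings["on_alert"] = not (
        findings["from_domain_trusted"] and authenticated and signed
        and not findings["reply_to_differs"]
    )
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("signed", SIGNED_EMAIL)):
        print(name, triage(raw))
```

Note that the first sample passes DKIM and SPF: authentication only proves the mail came from the domain it claims, so the trusted-domain check and the Reply-To mismatch are what actually raise the alert.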
Social media:
Social media is a great means of communicating quickly and effectively to a wide variety of people. When used as part of a well-managed business strategy, it can be a boon to your market presence and give you a decisive advantage over your competitors.
It can also be a huge cybersecurity risk that can sink your reputation and open your business to attack. Don’t believe that your Facebook or Twitter account could open you to attack when not used properly?
Think again. Look up “Koobface” on the Internet (yes, it is an anagram of Facebook). It is a computer worm that appeared on social media sites including Facebook, MySpace, and Twitter.
It was designed to gather log-in information, set up botnets to do the bidding of the bad actor behind the malicious code, and open the user’s computer up to further exploitation. It originally spread quickly through friend requests on the social network.
When the user clicked a link, it sent them to a poisoned site where the malicious payload was delivered and installed on the user’s system. Despite the strengthening of security at Facebook and other social media sites, Koobface versions still abound in 2013. Koobface is an example of how malicious code promulgated through social media presents a risk.
What about other known cybersecurity risks of using social media? Bad actors have been known to use social media to map organizations by making hierarchical associations using the friends feature of the social media tool.
It is not unusual for people to “friend” their boss and subordinates on social media sites. Bad actors know that and with a little work are able to ascertain from the social media site, web searches, and other sleuthing who does what in organizations.
They then take that information and use it in their spear-phishing efforts. Aren’t you more likely to respond when you get an email from your boss correctly referencing his boss as well as members of your workgroup?
Most people would, and bad actors leverage this fact, using a variety of technical and social engineering techniques to gain access to your information.
What about instances where employees in your company go onto their social media site and bad-mouth you and your company?
In some instances, employee disclosures of corporate impropriety and trade secrets have occurred over social media outlets, resulting in great embarrassment to the business, dismissals, and temporary loss of value in the marketplace.
Our advice to reduce your social media cybersecurity risk is to regularly and thoroughly train your workforce on how to use the tools safely and responsibly.
Consider conducting internal exercises such as seeing if they are able to identify a potentially malicious email or malicious social media activity.
This will help you fine-tune your training program as you discover where your weaknesses are. Also, don’t be afraid of using social media just because there are threats.
You and your business should not be strangers to social media. Social media enables business growth through market presence and visibility, rapid communication to prospective clients and yields valuable feedback from your customers.
Ensure someone on your team has responsibility for posting your message and monitoring social media sites to ensure your valued brand remains in good stead.
Inadvertent disclosure:
Your employees may inadvertently disclose sensitive information without even realizing it.
Numerous examples abound where unwitting employees post information to websites, send out letters and emails, and even conduct press conferences revealing sensitive material that senior leaders in the organization want to be protected and withheld.
Such sensitive material is not limited to just trade secrets. It can just as easily be personally identifiable information protected under the Privacy Act, or it could be copyrighted material you do not have rights to use. Just the other day, my college-aged son received a note from Netflix informing him that the next season of “Fringe” would have to be pulled from their site as they did not yet have rights to show it. We already watched the first episode but will have to wait another month to resume the series.
Imagine what happened behind the scenes at Netflix when they found they had a problem. Imagine what the liability implications are behind such an inadvertent disclosure. Training is essential to reduce the likelihood you will have inadvertent disclosures and thus reduce your risk.
Ignorance:
Some may argue that inadvertent disclosure and ignorance are one and the same. We disagree. While there is some overlap and they often share common results, ignorance is the result of not knowing something, while inadvertent disclosure is the result of a mistake made contrary to a known policy or procedure.
People often are ignorant of rules, procedures, concepts, and even of the effects of their actions, yet we believe that the vast majority of people try to do the right thing. Take the following cybersecurity incident into account and see if ignorance had a hand in how the situation developed:
In April 2013, the administrative assistant to a vice president at a French-based multinational company received an email referencing an invoice hosted on a popular file sharing service.
A few minutes later, the same administrative assistant received a phone call from another vice president within the company, instructing her to examine and process the invoice.
The vice president spoke with authority and used perfect French. However, the invoice was a fake and the vice president who called her was an attacker. The supposed invoice actually was a Remote Access Trojan (RAT) that was configured to contact a C2 server located in Ukraine.
Using the RAT, the attacker immediately took control of the administrative assistant’s infected computer. They logged keystrokes, viewed the desktop, and browsed and exfiltrated files.
Would you think that the administrative assistant was ignorant of policy and procedures? Should the administrative assistant have confirmed the call prior to processing the invoice?
Was it unusual for the administrative assistant to receive a phone call from another vice president in the company instructing her to process the invoice?
One certainly can make the case that there were warning signs of a potential cybersecurity threat that a well-trained employee could have caught.
Ensuring your employees are well trained, understand and employ policy and procedures, and act as fully empowered members of the team are core attributes of executive leadership.
Look within your own organization with this type of cyber attack in mind. What should you do to train your workforce to ensure something like this never happens to you? How will you change the ignorant to the informed and thus reduce your risk?
Negligence:
Many lawyers will tell you that negligence and liability are often spoken in the same sentence in courtrooms. Here is an important definition to remember: “A person has acted negligently if he or she has departed from the conduct expected of a reasonably prudent person acting under similar circumstances.”
Increasingly, lawsuits are emerging in the courts as plaintiffs allege negligence against organizations that fail to protect their personally identifiable information such as social security numbers.
Other lawsuits allege negligence to properly follow their own policies to maintain their cybersecurity posture. Consider the following case:
In Baidu, Inc. v. Register Domain Names at Register.com, Inc., a search-engine operator, Baidu, Inc., sued Register Domain Names at Register.com, its traffic-routing services provider, after a hacker gained access to Baidu’s account and directed its web traffic elsewhere. Imagine the business next door diverting all of your phone calls to it. Baidu sued.
Baidu asserted breach of contract, negligence, and gross negligence claims. Register.com moved to dismiss, arguing that its security policy contained a broad limitation of liability provision.
And it did. But it also contained statements about how Register Domain Names at Register.com protected its customers’ information and employed security measures to guard against data breaches.
Baidu argued that Register Domain Names at Register.com’s failure to follow its own policies constituted a breach of contract and gross negligence. The Southern District of New York agreed.
The court held that the limitation of liability provision barred an ordinary negligence claim, but not the breach of contract and gross negligence claims.
The court stated that if Baidu proved what it had alleged, “then Register failed to follow its own security protocols and essentially handed over control of Baidu’s account to an unauthorized intruder, who engaged in cyber vandalism. On these facts, a jury surely could find that Register acted in a grossly negligent or reckless manner.”
A few months later, the case settled for an undisclosed sum.
Can you and your business afford to be negligent when it comes to cybersecurity? What is your liability risk if the information in your care is compromised through the negligence of your employees? What mechanisms do you have to detect and mitigate negligent behavior?
Apathy:
Apathy is a dangerous condition under any circumstance but especially when it comes to cybersecurity. When people have been trained, informed of the threat, understand the impacts, but don’t care, then you have a recipe for cyber disaster. Apathy is a leading (and frustrating) cause of cybersecurity incidents.
For example, hackers and identity thieves increasingly target small businesses, yet only 28% of small businesses consider cybersecurity a priority, according to an AT&T report.
The National Cybersecurity Alliance (NCSA) warns that this “cyber apathy” can be costly to both small businesses and consumers. We agree. The best cure for apathy is prevention and strong positive leadership is essential.
Look for signs of apathy such as failure to follow policy and procedures, resistance and failure to complete cybersecurity training, and other behaviors that point to lack of support for your cybersecurity program.
If you make cybersecurity a priority, reinforce its importance with your words and deeds, and hold employees accountable, apathy likely will fade away.
Stupidity:
This is a controversial topic. Calling someone stupid is politically incorrect. Nobody likes to be accused of being stupid, but people do stupid things. Even intelligent people make mistakes, especially in the cybersecurity realm. Nonetheless, this is a discussion of risk, and the threat of stupidity is real, making you and your business vulnerable.
You have to address stupidity. Don’t ignore the possibility that you or your people may do stupid things! Penetration testers (the folks who specialize in testing your cyber defenses, also known as pen-testers) find that stupidity is a HUGE threat vector they can exploit to gain access to systems. Take, for example, a recent exercise conducted by the DHS.
They deliberately planted several USB thumb drives and data disks in the parking lots of federal agencies and their contractors.
Despite the requirement for comprehensive cybersecurity training among the workforce at those agencies and their contractors, and the known possibility that the drives and disks could be infected, 60% of those drives and disks ended up being loaded onto government computers in contravention of existing policy and training.
DHS found that if the drive or disk had “official” government markings, the “success rate” for it being inserted in the computer rose to 90% [12].
In the aftermath of the test results’ public release, the usual sniping of the government briefly rose, yet criticism was oddly muted as corporate America found they too were susceptible to similar tests.
We imagine that many who read the stories of the testing were uncomfortable as they thought about how they and their colleagues would react if they were part of the test.
How should a business executive address stupidity to reduce their risk? We think John Verry, principal enterprise consultant of Pivot Point Security, says it best: “You can’t fix stupid. You can only try to make people more aware.”
Curiosity:
Curiosity is essential for creativity and is the type of trait we seek in our employees. The curious are the people who find new and better ways of doing things and who develop the new products and services that yield the best profit and growth in your business. They also are the most susceptible to social engineering by cybercriminals.
Cybercriminals can use the simplest of methods and get maximum yield by simply exploiting human curiosity. How? The most common method is via email. It doesn’t matter if the email is part of a widespread spam mailing or a targeted spear-phishing message as long as it is well-crafted and interesting.
People tend to click on links that promise to lead them to appealing locations.
Techniques successfully used by cyber criminals include alarming the recipient about problems with their credit or banking information and providing them with a link that alleges to take them to a location where they can learn more about what the problems are and how to resolve them.
When the link is clicked, a remote access toolkit or other malicious code is downloaded onto the recipient’s computer and the criminal now has control.
Other appeals that sucker even the most discerning of users include links that promise imagery of recent catastrophes or sporting events, political controversies, or business insider information.
Emails containing attachments are among the most dangerous to the curious. Recently, after Mandiant Corporation had released its report on Chinese computer espionage, emails containing an attachment alleging to contain a copy of the report made the rounds on the Internet.
Everyone wanted to read the Mandiant report, and here, someone presents it for recipients to open and read without having to search for it.
How convenient! While many people opened the attachments and eagerly read the report, they also exposed themselves and their businesses to danger as the attachment contained hidden malicious code that allowed bad actors to access the recipient’s computer and its information.
The lesson? If you are curious about a topic, get your information directly from the trusted source. How do executives reduce risk by addressing curiosity? Set your policies, explain them, train your employees, test your employees, and stay on message.
Mark Rasch, director of network security and privacy consulting for Computer Sciences Corporation (CSC), advises, “Rule No. 1 is, don’t open suspicious links.” Rasch continues, “Rule No. 2 is, see Rule No. 1. Rule No. 3 is, see Rules 1 and 2.” We agree. Curiosity killed the cat.
It can also kill your business. While we strongly encourage and foster curiosity in our business, you need to channel it away from activities proven to be deleterious.
Lack of leadership:
Have you ever noticed how leadership sets the tone for an organization? I once had a boss who came to work every morning angry, and that anger spawned fear and angst that rippled throughout the organization.
Fortunately, his boss saw it too and replaced him with a positive leader who rejuvenated and inspired our organization to do great things.
Your leadership makes a difference, both positively and negatively. When it comes to your cybersecurity risk management program, if you aren’t leading it, it will fail. Why?
Because if you don’t make it a corporate priority and delegate it to your technical staff, others in the company will see that it is not one of your priorities and will not support it either.
Many executives exclude themselves from cybersecurity training, citing that. Every time you order an exception to policies for yourself, the word gets out that the boss is not serious about cybersecurity.
As a result, your risk goes up as your cybersecurity posture erodes. Our recommendation is that you make it clear throughout your organization that you feel strong personal ownership in your cybersecurity risk management program. Lead by example. Put it on agendas.
Include cybersecurity messages in your interactions and correspondence with your employees. Take the same training as your employees to ensure it is up-to-snuff and meeting your corporate objectives.
It is expected that you will delegate the administration of your cybersecurity risk management program to subordinates, but you never delegate responsibility and ownership. The moment you delegate responsibility and ownership, you fail—every time.
Lack of accountability:
Lack of accountability is one reason why organizations fail. When things go wrong, what happens if nobody is responsible?
If nobody is responsible, then the wrong things keep happening. How do you handle situations where things go wrong? Do you have guidelines that outline consequences for certain actions? Are they well known to all employees?
Are they published? Are they followed?
Like other critical business functions, cybersecurity must be viewed with the same rigor as traditional profit-generating activities. People need to know what their responsibilities are and be held accountable to deliver upon them.
When they fail, there have to be consequences; otherwise, you risk that others in the organization will see there is no incentive to uphold their own responsibilities.
When this happens, morale wanes, discipline erodes, and you find yourself the captain of a sinking ship. You already know good people make mistakes. Nonetheless, there have to be consequences for improper conduct. The consequences ought to be commensurate with the conduct and the impacts.
When it comes to cybersecurity, the stakes are high, as the average cost to clean up a cyber incident in 2013 is reportedly US $616,000 [17]. If someone clicks on a link in an email that brings a virus into your network that costs significant amounts of money to remedy, what do you do?
Your directors and officers, your employees, and shareholders expect you to provide decisive leadership and hold people accountable. Cybersecurity has evolved into a critical business imperative. You must hold people accountable to manage and control your risk.
CALCULATING YOUR RISK
In the preceding discussion, we raised some questions you should ask as you evaluate your cybersecurity risk. Exposure of your intellectual property and trade secrets, as well as technical and human risks, are all critical items of interest you should factor into your risk analysis.
You should ask your staff tough questions and verify their answers. Your business is at stake!
17. Average cyber-attack clean-up totals $616K, Infosecurity Magazine, accessed September 10, 2013. Author’s note: there are various reports that show a range of costs on cyber incidents that range from a low of near US $300,000 to a high of US $8.9 million per incident. We selected a contemporary figure from a trusted source that is backed by solid data to represent the costs associated with loss and cleanup generated by cyber incidents.
There is no universally agreed-upon prescriptive formula to calculate risk. Actuarial science has evolved to where several risk specialists are available to help you using some well-researched complex proprietary formulas backed by empirical data.
You are well advised to investigate insurance and actuarial advice when selecting options to address the risks you possess and the costs they might entail. But where do you start when calculating your risk?
Do you call in one of the expensive actuary experts? Perhaps. But before you do, you can begin framing your analysis yourself by doing your own calculations based on “knowing your enemy and knowing yourself.”
Hopefully, the previous sections got you thinking about the vulnerabilities and threat sources we’ve discussed thus far. Understanding the threats, from whom and where they may come, and your vulnerabilities is essential to calculating your cybersecurity risk. The next step is determining what is actually at risk.
There are two popular techniques in calculating risk. The first is quantitative risk analysis, which is based on assigning real and meaningful numbers to all elements in your risk analysis. The second, qualitative risk analysis, does not use calculations. It is based on scenarios. We’ll demonstrate how to use both by citing examples.
Quantitative Risk Assessment
Quantitative risk analysis is a mathematically complex subject that is the hallmark of insurance companies and financial institutions, but it is rarely used in the context of information technologies and cybersecurity because of the difficulty in assigning a value to information and even greater difficulty in determining the likelihood of loss.
Both areas, value assessment and the probability of loss, tend to be approached subjectively and do not lend themselves to objective and quantitative analysis.
Nevertheless, we believe that with prudent judgment and management oversight, reasonable estimates on the valuation of information are feasible. Moreover, it is possible to carefully analyze threat stream and statistical information to make informed estimates on the likelihood of events.
When these conditions exist, we believe the quantitative risk analysis methodology can be used to assess cybersecurity risk. We believe you should incorporate quantitative risk assessments into your corporate business processes, wherever possible.
Let’s walk through a high-level example calculation to illustrate how you can use the quantitative technique to assess your risk to a cybersecurity threat.
We submit that your intellectual property and trade secrets are your principal valued assets at risk to cyber incidents. Further, we submit that like hard assets, your intellectual property and trade secrets have a value that can be calculated and factored into your risk equations.
Think about it for a moment. If you were contemplating the sale of your company, you would have to estimate the value of all of your assets, and we are certain that you would come up with a number that would be credible both to you and to the potential buyer.
Moreover, in all likelihood, the buyer would require the segmentation of asset valuations in order to turn his “due diligence” accountants loose.
They, in turn, would use accepted accounting techniques to validate (or invalidate) your estimates. What we are suggesting here is that you use the same methodology to establish a value for your intellectual property.
How much is your intellectual property worth to you?
How much is that secret family recipe worth? Often, you’ll hear executives touting that their secrets are priceless, but nobody really believes that. Everything, including information, has value and value is the principal concern when calculating risk and making investment decisions.
We submit that one way to establish the value of your intellectual property and trade secrets is a summation of the following costs:
1. Profit value:
Your intellectual property and trade secrets give you a competitive advantage that translates to increased profits. Do you know the impact that your intellectual property and trade secrets have on your bottom line?
Do you have statistics that indicate before and after effects? Can you put a value on what they mean to your business?
2. The cost to acquire or develop:
How much did the acquisition or development of the information cost? Whether you did an outright purchase or developed it from in-house resources, your information represents an investment with a tangible value. You should know how much you have invested.
3. The cost to maintain:
Maintenance costs for information often are camouflaged in budget sheets yet they are noteworthy. First, you have to store the information you already have. Hardware to host it, software to manage and read it, and staff to maintain it are all costs. Information itself often is perishable and needs to be maintained.
An example is financial data that is continually updated and added to models that calculate opportunities and trends used by investment specialists.
The addition and integration of that data, maintenance of the data feeds, and the periodic addition of additional storage as the volume of information increases all ought to be factored into your cost to maintain figures.
Similarly, the expenses associated with securing the information and providing adequate system redundancy to keep it available should be included in your cost to maintain calculations.
4. The cost to replace:
This is not as straightforward as it may seem. In calculating this cost, don’t forget you need to factor in all the costs to replace your information.
Cost items to consider include the loss you incur while the information is being replaced, the cost to acquire or develop the replacement, and costs associated with any substitutes or proxies used in lieu of the lost information.
For example, suppose that all of the data from your quality control analyses for your main chemical product were lost or completely compromised. How much would it cost to repeat all of the chemical analyses?
5. Cost if unavailable:
This represents the cost to you and your business if the information is unavailable.
For example, if you rely on your information to create or generate business, not having it available through theft, alteration, or other malicious or unintentional activity deprives you and your business of revenue. This is a cost that ought to be factored into your calculations.
6. Liabilities if compromised:
You and your company may find yourself open to liability if your information is compromised.
For example, as a director or senior executive, you likely are familiar with indemnification insurance that protects officers of the corporation against lawsuits from shareholders.
If your intellectual property is stolen by a cybercriminal, it is not unreasonable to expect that a lawsuit may be filed, alleging lack of adequate management controls to protect the business’ vital information.
Other potential liabilities come from lawsuits filed by partners with whom you may share portions of the intellectual property or even clients for whom you were developing the intellectual property.
Once you have summed all of these costs, the result represents what it would cost for you to replace the intellectual asset. It does not represent the true value of the asset. The true value is the cost plus what a buyer would be willing to pay over and above the replacement cost.
Your customers are delighted with your product, and word-of-mouth advertising is causing orders to soar. You have three shifts working around the clock and have expanded your facilities twice to keep up with demand. You now are contemplating opening another facility to handle further increases in demand.
Such exceptional growth has caught the eye of investors and competitors alike. Industry associations are praising Thesis_Scientist for revitalizing the regional steel industry.
You are getting a lot of positive media attention too with numerous requests for interviews. University professors have contacted you asking for permission to do case studies analyzing your success.
Competitors have made it known quietly they intend to soon offer special alloys to compete against your product. You aren’t overly concerned as they haven’t been able to duplicate your formula and manufacturing process in three years. You have a big head start and momentum. Life is good!
But you realize the good times may not always be there. You recognize there are many risks facing your business and you need contingency plans.
You mentally walk down some of the risks you face: the reduced market for your steel, someone introduces a better product or undercuts your prices, labor and material shortages or interruptions, and flooding on the Monongahela River (your facility sits along the river).
Absolutely! You already have plans in place that analyze the risks in each of these areas and how your company would respond. Moreover, you feel comfortable you have the right kind and amount of insurance to cover the greatest threats to your business.
But wait, the local reporter interviews a professor from Carnegie Mellon University who is a cybersecurity specialist. The professor says that retail establishments aren’t the only businesses vulnerable to cyber attack.
In fact, she advises, all businesses are vulnerable in one way or another and should take proactive measures to protect themselves. You finish off your beer, planning to look at your cybersecurity risk the next day.
You start by meeting with the head of your IT department. He serves as your de facto chief information officer (CIO). You consider him your resident “geek.”
You haven’t considered him part of your senior executive team, although he has been very effective in integrating new technologies to help accommodate the growing business.
He oversees the operation of business unit networks, the telephone system, web presence, and mobile devices. He manages the electronic data exchange between your procurement department and your suppliers.
He even works with the manufacturers of your milling equipment to ensure your business unit networks get reliable data directly from the milling equipment’s smart controls. You tell him you are concerned about cybersecurity risks and want to know where you are most vulnerable.
“Boss,” he tells you, “You are vulnerable everywhere.”
You bring in your chief financial officer (CFO), your chief operating officer (COO), and your general counsel to continue the discussion. Together, the five of you determine the most damaging threat to your business is someone getting your alloy’s formula and using it in direct competition against you.
You decide you want to know what the cybersecurity risk is of someone taking your alloy’s formula. Because you’ve used it to calculate other risks, such as calculating potential loss of the mill to fire, you order a quantitative risk assessment.
Quantitative risk can be expressed as annualized loss expectancy (ALE), which is the expected monetary loss for an asset due to a risk being realized over a one-year period.
ALE is the product of the impact of the loss (expressed as the single loss expectancy or SLE) and the likelihood of how often the loss occurs (expressed as an annualized rate of occurrence or ARO):
ALE = SLE × ARO
Your team follows a disciplined process to evaluate the cybersecurity risk scenario.
Let’s begin with Step 1: assigning a value to assets.
Assigning Value to Assets
Recall our discussion earlier that everything has a value, including information. It is important that you have a thorough understanding of the value of your assets. The key valuation figures your team will look at in this scenario are:
PV = profit value
CAD = cost to acquire or develop
CM = cost to maintain
CR = cost to replace
CU = cost if unavailable
L = liabilities if compromised
The team starts with a look at the value of the alloy formulation. It is at the heart of your process and is largely responsible for your profits rising tenfold. There is great debate among the team members as to its value.
Your COO believes it is priceless. After hours of fruitless discussions, your CFO proposes that the value is equal to the difference between your profit before implementing the formula and the current profit level (US $100 million – US $10 million = US $90 million). You and your team accept his proposal and assign PV = US $90 million.
Your CAD is a sunk cost. Your team knows that it took five years of research to develop the formula for your alloy and kept meticulous records. Factoring in materials, equipment, salaries, and other direct and indirect costs, your CFO validates CAD = $20 million.
Compared to CAD, the cost to maintain your formula is relatively low. It is stored on the company’s central server with off-site storage at a commercial vendor facility in West Virginia. A tertiary copy is kept on a drive stored in a safe deposit box in a local bank.
Because the IT staff spread their time across multiple systems and your software is licensed as part of a corporate licensing agreement, your CFO and the IT chief base their estimates on staff costs, software licensing, and network and computer hardware on a pro rata basis supporting the storage and use of the formula in the manufacturing process. Based on their analysis, CM = $2 million per year.
The cost to replace (CR) is hotly debated by your team. Given that your team has carefully provisioned for both on- and off-site storage of the formula, it is relatively easy to get a backup copy and reload.
Your CFO argues that auditors could make the case that the cost to replace is zero. Your COO disagrees. He was part of the technical team that developed it and knows all that went into developing it.
He believes that once your formula is revealed, its value plummets to zero as your competitors adopt it and you lose your competitive advantage. He makes the compelling case that it will need to be replaced with a better formula.
Based on his experience and knowledge of the technology, he estimates it will take three years to develop at a CR = $50 million. The team agrees to accept the figure in this calculation.
Determining cost if unavailable (CU) is easier for your team. Your business produces $500 million over the year.
You have 300 production days per year with other days being consumed by holidays and Sundays (you believe the only steel production in Pittsburgh on Sundays should be football at Heinz Field). Given this, your team determines a daily cost of US $1.67 million if the alloy formula is unavailable.
Finally, your team addresses the liabilities (L) issue. Your general counsel and the marketing director advise that you have numerous contracts in place that specify on-time deliveries to customers with significant penalties for delays. Most contracts have a cushion of a mere three days before monetary penalties kick in.
Additionally, your contracts for the transportation of finished products are firm fixed price regardless if you have a delay in production. Your logistics director advises that delays will affect the supply chain of raw materials used to manufacture the steel;
you do not have on-site storage to absorb an interruption of more than six days. You determine that if the interruption is less than three days, L = $0. If it is between three and six days, L = $1 million per day. If it is over six days, L = $5 million per day.
With values assigned to assets, the team turns its attention to Step 2: estimate the potential loss.
Estimate the Potential Loss.
Estimating your loss is difficult and has to be predicated on making some key assumptions. In this case, the key assumptions you make that drive your next steps include:
Your formula is stolen and gets into the hands of a competitor. The competitor uses your formula to create an identical product to compete against you. It takes the competitor one year from receipt of the formula to bring their copycat alloy to market.
The type and degree of analysis to estimate the potential loss due to an event depends on the types of threats encountered. Analysis of the threat of a massive fire at your facility varies greatly from that of a zombie epidemic, meteor strike, mudslides, or even a cyber-based attack. Each asset faces potential loss based upon the threats it faces.
This is where the mathematics get complicated very quickly, involving complex statistical modeling as you want to evaluate each and every possible scenario.
Regardless of what threat you confront in your risk analysis, remember that it is important to address all the potential courses of actions and impacts.
For the purpose of brevity and to illustrate the methodology, we will only look at one specific line of threat.
To analyze the potential loss from a cybersecurity incident, your team makes additional assumptions to bound the analysis:
You are evaluating the loss associated with a hacker gaining access to your formula. You are still able to operate using your formula and meet your production and delivery objectives.
Your team continues its analysis to calculate the potential loss (SLE). The SLE is expressed as a dollar amount representing the potential loss if a specific threat takes place. It is calculated as
SLE = asset value (AV) × risk exposure (RE)
Your team assumes that in the event a hacker accesses their data to steal the formula, they quickly will use backup software to restore full operations within one day. They determine that in this scenario the asset value is the sum of the aforementioned values:
AV = PV + CAD + CM + CR + CU + L
PV = US $90M
CAD = US $20M
CM = US $2M
CR = US $50M
CU = US $1.67M
L = US $0
Therefore, they determine the value of the company’s secret formula to be
AV = US $163.67 million
Risk exposure (RE) represents the percentage of loss the threat will have on a certain asset if it occurs. With many assets, this is fairly straightforward to calculate.
For example, if you are a car dealer with a million dollar inventory of vehicles and a damaging hailstorm hits but 30% of the vehicles are protected by being inside your facility, then you face an exposure factor of 0.70 because 70% of your assets are exposed to the risk of hail damage.
Calculating risk exposure for information regrettably often yields a binary result.
There doesn’t readily appear to be any such thing as a partial loss when it comes to information; either you have a total loss or no loss.
If someone has destroyed your data and you have no backup, then you have a total loss and your RE = 1. If you do have a backup, then you have no loss and your RE = 0.
What’s your risk exposure in this scenario? While you do have solid and reliable backup procedures, because of the impact of the formula ending up in the hands of a competitor, your team believes it would be a total loss where RE = 1.0.
But wait! If your competitor can’t bring their hijacked product to market until a year after receipt of the formula and it will take you three years to replace it with your new formula, can you make the case that your RE actually is a loss of two out of the next three years? Absolutely.
After all, you do not have an expected loss for the first year after the incident but do for the two subsequent years until your expected replacement arrives where you anticipate you will resume your market dominance. Given that assumption, RE = 0.67.
The team accepts that assumption and calculates the expected loss of an incident (SLE):
SLE = asset value (AV) × risk exposure (RE)
AV = US $163.67M
RE = 0.67
Therefore, they determine the expected loss to be:
SLE = US $109.66 million
Estimate Threat Likelihood.
The team next evaluates the ARO, which is a measure of how likely the threat is to take place in a 12-month period. In calculating the ARO, the team starts by looking at availability rates on their computer systems.
They have been prudent in their planning and implementation of their computer systems and have invested well in their production equipment and software. As a result, they have maintained a 99.95 percent operationally ready rate over the last three years.
They also consulted with a cybersecurity intelligence specialist, who conducted a thorough anonymous search of Internet resources to see if there were any indications that an entity was expressing interest in your company on hacker forums or other potentially dangerous venues.
The results surprised you and your team as the specialist found that indeed there had been discussions in a popular forum referring to a company that was a near dead ringer for your business.
Upon deeper digging, your specialist found that the query came from a country where one of your overseas competitors has their headquarters. You are suspicious.
The specialist’s findings could have been chalked up to coincidence, but your IT chief comes back with some disturbing news. After seeing the initial report about the hacker forum, he had his boundary protection team check the firewall and router logs to see if there was any unusual traffic hitting your network.
There was! In fact, over the last five months, there had been a growing number of probes and scans against your network with two failed login attempts in the last month.
Many of those scans and probes originated in the country where your competitor is headquartered. Whoever was behind it is executing a “low and slow” strategy. Had you not been looking for the specific evidence, it would have been very difficult to find them. Now, you had evidence that someone was indeed trying to access your network.
Your IT chief advises you that this month’s vulnerability scans indicate there are several software and configuration vulnerabilities that exist on your network. They’ve been there for a couple of months but have been low priorities for correction.
Now, given the increased threat, he recommends they be remedied as soon as possible. He says he needs additional resources to complete the task and will come to you with details the next day after he consults further with his staff.
You have your IT chief contact the professor at Carnegie Mellon to help estimate how many times the threat can take place in a 12-month period.
She is very helpful and points out that data collected by the government and insurance companies indicates that a company like yours with comparable defenses has only been successfully attacked once every two years.
She also refers you to DHS and FBI programs that can help identify threats and tactics bad actors use. You authorize your IT chief to sign your company up for the next FBI InfraGard meeting in Pittsburgh as well as to join the manufacturing sector’s Information Sharing and Analysis Center that partners with the DHS.
Given the information you have, you know that you are at risk, yet the data indicates the estimated frequency of a successful cyber attack is one every two years. Therefore, you and your team calculate the ARO = 1/2 = 0.50.
Calculate the Annual Loss Potential.
Now that you have your SLE and predicted ARO, you can complete the equation:
ALE = SLE × ARO = US $109.67 million × 0.50 = US $54.83 million
This means that your expected annualized loss from a cyber attack that compromises your intellectual property and trade secrets is US $54.83 million. This is your risk in this scenario.
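As an added example, not code from the article, here is the whole scenario carried through in Python, from the six valuation figures through AV, RE, SLE, ARO and ALE, so the figures can be re-run under different assumptions. The dollar amounts are the scenario's; the function names, the reading of the liability schedule as a per-day rate applied to every outage day, the treatment of RE as the exposed share of the replacement window, and the ARO sensitivity helper are this example's own assumptions.

```python
"""Quantitative cyber risk worked through in code: ALE = SLE x ARO.

Added example, not the article's code. Dollar figures are the scenario's;
names and the liability/exposure interpretations are assumptions made here.
All money values are in US$ millions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetValuation:
    """The six valuation figures the article sums into asset value (AV)."""
    profit_value: float          # PV: profit attributable to the asset
    cost_to_acquire: float       # CAD: sunk cost to acquire or develop
    cost_to_maintain: float      # CM: yearly upkeep (storage, staff, licences)
    cost_to_replace: float       # CR: cost to develop a successor
    cost_if_unavailable: float   # CU: lost output for the modelled outage
    liabilities: float           # L: contractual penalties for the outage

    @property
    def asset_value(self) -> float:
        """AV = PV + CAD + CM + CR + CU + L."""
        total = (self.profit_value + self.cost_to_acquire + self.cost_to_maintain
                 + self.cost_to_replace + self.cost_if_unavailable + self.liabilities)
        return round(total, 2)


def daily_unavailability_cost(annual_output: float, production_days: int) -> float:
    """CU per day: annual output spread over the days production actually runs."""
    return round(annual_output / production_days, 2)


def contractual_liability(outage_days: int) -> float:
    """L for an outage using the article's step schedule: under 3 days none,
    3 to 6 days $1M per day, over 6 days $5M per day.
    Assumption (not stated in the article): the rate applies to every outage day."""
    if outage_days < 3:
        rate = 0.0
    elif outage_days <= 6:
        rate = 1.0
    else:
        rate = 5.0
    return rate * outage_days


def risk_exposure(competitor_lag_years: float, replacement_years: float) -> float:
    """RE for stolen intellectual property: information loss is normally
    all-or-nothing (RE = 1), but the article counts only the years between the
    competitor reaching market and the replacement formula being ready."""
    exposed_years = max(replacement_years - competitor_lag_years, 0.0)
    return round(exposed_years / replacement_years, 2)


def single_loss_expectancy(asset_value: float, exposure: float) -> float:
    """SLE = AV x RE."""
    return round(asset_value * exposure, 2)


def annualized_rate_of_occurrence(incidents: int, years: float) -> float:
    """ARO from a reported frequency, e.g. one successful attack in two years."""
    return incidents / years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return round(sle * aro, 2)


def ale_sensitivity(sle: float, aros: tuple) -> dict:
    """ALE under alternative ARO estimates, since likelihood is the weakest input."""
    return {aro: annualized_loss_expectancy(sle, aro) for aro in aros}


def alloy_formula_scenario() -> dict:
    """The article's scenario end to end; returns every intermediate figure."""
    outage_days = 1  # backups restore full operations within one day
    per_day = daily_unavailability_cost(annual_output=500.0, production_days=300)
    valuation = AssetValuation(
        profit_value=90.0,
        cost_to_acquire=20.0,
        cost_to_maintain=2.0,
        cost_to_replace=50.0,
        cost_if_unavailable=per_day * outage_days,
        liabilities=contractual_liability(outage_days),
    )
    re = risk_exposure(competitor_lag_years=1, replacement_years=3)
    sle = single_loss_expectancy(valuation.asset_value, re)
    aro = annualized_rate_of_occurrence(incidents=1, years=2)
    return {"AV": valuation.asset_value, "RE": re, "SLE": sle,
            "ARO": aro, "ALE": annualized_loss_expectancy(sle, aro)}


if __name__ == "__main__":
    result = alloy_formula_scenario()
    for name, value in result.items():
        print(f"{name:>3} = {value}")
    print("ALE at ARO 0.25 / 0.50 / 1.00:",
          ale_sensitivity(result["SLE"], (0.25, 0.5, 1.0)))
```

Running the module reproduces the scenario's AV of 163.67, RE of 0.67, SLE of 109.66 and ALE of 54.83. The `ale_sensitivity` helper exists because the ARO is the input a team can least defend; seeing how the annual figure moves across a band of plausible rates is usually more useful to a board than a single point estimate.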
It is important to note that the quantitative risk assessment method is the standard method of measuring risk in many fields such as insurance and manufacturing, but is not commonly used to measure risk in IT.
As you measure your cybersecurity risks, this method may prove challenging. It is very difficult to measure the value of information, but we submit that it is possible. Moreover, the valuation of shared assets such as networked systems, virtual devices, and software used across an enterprise poses a challenge to actuarial computations.
Additionally, while you can use statistics to determine the anticipated failure rate of an information system, it is nearly impossible to accurately predict the likelihood, frequency, or severity of cyber attacks against your organization.
We believe the vagueness surrounding calculation of the likelihood of a cyber attack drives many to use an alternative method of measuring risk: the qualitative risk assessment.
Nonetheless, you look over the quantitative risk assessment again. You may think, “Holy Smokes! Our cybersecurity risk is huge! What do we do next?”
Before we advance to a discussion of the next steps such as risk mitigation, avoidance, acceptance, and other post analysis decisions, let’s turn our attention to this other method of determining cybersecurity risk: qualitative risk assessment.