Please share your comments; critics make life meaningful!

Wednesday, January 28, 2015

WEF framework on Quantification of Cyber Threats

The World Economic Forum (WEF) proposed framework can be said to be a move in the right direction, albeit it stops short of being readily implementable.
 
After having a good look at the framework, here are some findings/observations:

1. The framework speaks of cyber risk measurement akin to a financial risk measurement concept called 'Value at Risk' or VaR. It may take some time for someone not used to financial risk management to grasp the concept of VaR - essentially it is about the probability of a specific amount of loss within a specific timeframe.

2. But the report clarifies that it does not specify how to compute cyber risk; it says “It is important to note that in this report we specify properties that VaR should have, but not specifically how to compute it.”

3. So essentially, it refers to these three components of Cyber VaR, but leaves the computation of cyber risk to individual enterprises:

(a) Vulnerabilities: Vulnerabilities in existing systems, effectiveness of patching them, and successful incidents/breaches that have happened

(b) Assets: Tangible (costs of business interruption, regulatory fees etc.) and intangible assets (costs of lost IP, reputation loss etc.)

(c) Profile of attacker: Type of adversaries (nation-state, hacker, amateur etc.), their level of sophistication, and their tactics/motivation

4. Summary assessment:

(a) The framework is not definitive as regards how exactly we would compute cyber risk from the components. However, it points to some key areas where those of us responsible for cyber risk management in an enterprise/entity may not have focused at all, or may not have made much progress:

(i) Vulnerability management: our vulnerability and patch management efforts should be formalized and standardized, and data from them should be incorporated into a cyber-risk dashboard

(ii) Asset mapping: our understanding of IT assets (applications + related infrastructure) and their business-aligned criticality should be comprehensively documented through a business-aligned risk assessment

(iii) Attacker profiling: we should deliberate on the specific types of adversaries who would target us, their tactics/motivations, and their level of sophistication

5. What I was hoping to find is a linkage of these three (and perhaps other key aspects such as key business risks and existing effective controls) into a dashboard/scorecard which could be readily used to measure our respective posture and benchmark ourselves against peers in industry/region etc. The framework stops short of any such attempt; but I can understand the wisdom in that.
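To make the VaR idea concrete, here is an added illustration of my own, not the WEF report's method (which it deliberately leaves unspecified): a small Monte Carlo simulation that maps the three components to an annual loss distribution and reads off the loss that is exceeded with 5% probability in one year. Every figure in it is a constructed assumption.

```python
"""Illustrative Cyber VaR by Monte Carlo. Constructed figures; not the WEF method."""
import math
import random

# Constructed scenario (assumptions, not figures from the report):
#   attacker profile -> attempts per year; vulnerabilities -> chance an attempt
#   succeeds; assets -> loss per incident (tangible + intangible), lognormal, USD
SCENARIO = {
    "attempts_per_year": 12.0,
    "p_success": 0.15,
    "loss_median": 250_000.0,
    "loss_sigma": 1.0,
}


def poisson(rng, lam):
    """Knuth's method: number of events in one period with mean lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(params, trials=20_000, seed=1):
    """Return one simulated total annual loss per trial (list of floats)."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    lam = params["attempts_per_year"] * params["p_success"]
    mu = math.log(params["loss_median"])
    losses = []
    for _ in range(trials):
        incidents = poisson(rng, lam)
        year_loss = sum(rng.lognormvariate(mu, params["loss_sigma"])
                        for _ in range(incidents))
        losses.append(year_loss)
    return losses


def value_at_risk(losses, confidence):
    """Smallest loss L such that P(annual loss <= L) >= confidence."""
    ordered = sorted(losses)
    idx = max(0, math.ceil(confidence * len(ordered)) - 1)
    return ordered[idx]


def exceedance_probability(losses, threshold):
    """Probability that annual loss exceeds threshold: the VaR question inverted."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)
```

Calling `value_at_risk(simulate_annual_losses(SCENARIO), 0.95)` gives the one-year 95% Cyber VaR for the constructed scenario; swapping the scenario figures for an enterprise's own patching, asset and adversary data is exactly the part the framework leaves to each organisation.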

Saturday, January 24, 2015

A Risk Based perspective on PCI-DSS Compliance

Compliance regimes usually make us do a lot of work towards demonstrating effectiveness of controls without justifying the risk perspective of such activities. As risk based approaches to cyber security management have gained favour over a compliance based approach in this next phase of Information (or Cyber) Security maturity, we need to look at a risk based approach even for implementing compliance frameworks. This essay is about a risk based approach for PCI compliance.

PCI-DSS is a framework espoused by the PCI industry body to help processors of credit card data adopt an equivalent set of controls to safeguard the storage and transmission of such data.

about have recently engaged a company called to assist us with a review of our use of credit cards across the company and a determination of our compliance with PCI standards. PCI stands for payment card industry, and the PCI standards are required to be followed when a company uses credit cards. These include things like segregation and storage of credit card numbers, for example.

-- has worked through a review of our systems and is now looking at unstructured data (e.g. mail, over the phone, online, etc.) where credit card information may have been captured. I have identified you as business SMEs who may know how and where credit cards are processed. Below are the process areas that I have identified. This list is by no means complete and -- is working to develop a complete list.

Over the next couple of weeks, -- will be reaching out to each of you to set up a quick meeting to discuss. Please share with him any information you have on the use of credit cards so that he can appropriately capture and investigate this for the Group of companies (this includes which systems they are processed into, so that -- can cross-reference back to the work he has already performed).