– Investments in cyber security are driven by risk and how certain controls may reduce it
– Some risk will always remain
– How can risk be assessed?
Risk exposure = Prob. [Adverse security event]* Impact[ adverse event ]
Risk Leverage = Risk exposure before/without a certain control – risk exposure after the control / cost of control
Risk leverage > 1 for the control to make sense
How do we assess and reduce cyber risk?
impact
– expected loss(reputational, recovery and response, legal, loss of business etc.)
Risk management
– accept, transfer(insurance) and reduce
– reduction via technology solutions, education and awareness training
Enterprise Cyber Security Posture
– Reactive
– regulation/compliance
– customer demands
– in response to a breach(Target or Home Depot)
– In response to events
Proactive:
– champion of an organization who has influence
– board level conversation about cyber security and risk
Economic value argument:
– return on investment(RoI)
– Estimating costs and benefits is tricky
– Perception vs. data-driven risk
Values at risk
– assets, reputation etc.
Threats and attack vectors
Plan, implement and manage
– Deploy appropriate controls
– Empower people and hold them responsible
– Plan for response and remediation (do not be surprised)
– User awareness
Understand and proactively address risk
