Turn cyber intelligence into meaningful business decisions and reduce losses from cyber events.

Cyber Intelligence-Driven Risk provides a solution to one of the most pressing issues that executives and risk managers face: How can we weave information security into our business decisions to minimize overall business risk? In today's complex digital landscape, business decisions and cyber event responses have implications for information security that high-level actors may be unable to foresee. What we need is a cybersecurity command center capable of delivering, not just data, but concise, meaningful interpretations that allow us to make informed decisions. Building, buying, or outsourcing a CI-DR(TM) program is the answer. In his work with executives at leading financial organizations and with the U.S. military, author Richard O. Moore III has tested and proven this next-level approach to Intelligence and Risk.

This book is a guide to:
* Building, buying, or outsourcing a cyber intelligence-driven risk program
* Understanding the functional capabilities needed to sustain the program
* Using cyber intelligence to support Enterprise Risk Management
* Reducing loss from cyber events by building new organizational capacities
* Supporting mergers and acquisitions with predictive analytics

Each function of a well-designed cyber intelligence-driven risk program can support informed business decisions in the era of increased complexity and emergent cyber threats.
Page count: 283
Publication year: 2020
Cover
Title Page
Copyright
Preface
Acknowledgments
Introduction
CHAPTER 1: Objectives of a Cyber Intelligence-Driven Risk Program
CHAPTER 2: Importance of Cyber Intelligence for Businesses
CHAPTER 3: Military to Commercial Viability of the CI-DR™ Program
CHAPTER 4: CI-DR™ Security Program Components
CHAPTER 5: Functional Capabilities of the CI-DR™ Program
CHAPTER 6: CI-DR™ Key Capability Next-Generation Security Operations Center
CHAPTER 7: CI-DR™ Key Capability Cyber Threat Intelligence
CHAPTER 8: CI-DR™ Key Capability Forensic Teams
CHAPTER 9: CI-DR™ Key Capability Vulnerability Management Teams
CHAPTER 10: CI-DR™ Key Capability Incident Response Teams
CHAPTER 11: CI-DR™ Collection Components
CHAPTER 12: CI-DR™ Stakeholders
Conclusion
Glossary
About the Author and Chapter Authors
RICHARD O. MOORE III, MSIA, CISSP, CISM, AUTHOR AND EDITOR
STEVEN JOHNSON, DSC, CISM, CISSP, CCE #1463
DEREK OLSON, CISSP, CISM
STEVEN M DUFOUR, ISO LEADER AUDITOR, CERTIFIED QUALITY MANAGER
Index
End User License Agreement
Introduction
FIGURE I.1 CI-DR's business value.
Chapter 2
FIGURE 2.1 CI-DR™ Cyber intelligence life cycle.
Chapter 4
FIGURE 4.1 CI-DR™ maturity.
FIGURE 4.2 CI-DR™ functions and capabilities.
Chapter 5
FIGURE 5.1 Vulnerability trending metrics.
FIGURE 5.2 Risk and control success.
FIGURE 5.3 Asset risk assessment.
FIGURE 5.4 Assets to architecture.
FIGURE 5.5 Assets to coordination.
FIGURE 5.6 Application threat trending.
FIGURE 5.7 Exception trending.
Chapter 7
FIGURE 7.1 Threat reporting.
Chapter 12
FIGURE 12.1 CI-DR and AI compatibility.
RICHARD O. MOORE III, MSIA, CISSP, CISM
Copyright © 2021 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993, or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Cataloging-in-Publication Data
Names: Moore, Richard O., III, 1971- author.
Title: Cyber intelligence-driven risk : how to build and use cyber intelligence for business risk decisions / by Richard O. Moore III, MSIA, CISSP, CISM.
Description: Hoboken, New Jersey : John Wiley & Sons, [2021] | Includes bibliographical references and index.
Identifiers: LCCN 2020035540 (print) | LCCN 2020035541 (ebook) | ISBN 9781119676843 (cloth) | ISBN 9781119676911 (adobe pdf) | ISBN 9781119676898 (epub)
Subjects: LCSH: Business enterprises—Security measures. | Data protection. | Cyber intelligence (Computer security) | Risk management.
Classification: LCC HD61.5 .M66 2021 (print) | LCC HD61.5 (ebook) | DDC 658.15/5–dc23
LC record available at https://lccn.loc.gov/2020035540
LC ebook record available at https://lccn.loc.gov/2020035541
Cover Design: Wiley
Cover Image: © whiteMocca/Getty Images
Knowing is different from doing, and therefore theory must never be used as norms for a standard, but merely as aids to judgment.
– Carl von Clausewitz
OVER THE past decade, organizations have continued to acquire technologies and monitoring systems, focusing technology personnel only on protecting the organization's external perimeter while forgetting simple cyber hygiene. What is missing from many organizations is a way to leverage cyber intelligence knowledge to enhance business risk decision-making processes. This book is a body of work that is consistently evolving to meet new cyber risks, address the shortage of cyber-skilled individuals, and provide more efficient processes to enhance the cyber defensive posture of an organization. The CI-DR™ program we will be discussing here is about building or enhancing an “intelligence capability” (i.e. cyber) that is traditionally missing from risk management conversations and business strategies. Where business risk management is a common practice, the cyber intelligence component is emergent: it allows operational risk to discuss the velocity and impact of cyber events on business risk management and to provide a distinctive outcome for strategy. We believe that building the connective tissue between cyber intelligence and business risk management, by outlining capabilities and functions in a cohesive program, creates significant business value. We call that collection the Cyber Intelligence–Driven Risk (CI-DR™) methodology.
CI-DR is a proven methodology in building cyber programs, as it not only defines the connectivity between functions and capabilities but creates a different view of how cyber information is used, and improves the business risk processes that plague many organizations. The CI-DR program methodology is essential to any sized organization looking to build, enhance, understand, and grow their cyber defensive capabilities and cyber operational risk programs. The CI-DR program framework can provide guidance and direction that will mitigate consistent failures to respond and react appropriately to emerging cyber risks. The CI-DR methodology is designed to provide business leaders with clear information to make decisions and understand the impact a cyber incident can have on the business. A CI-DR program is very different from the traditional application of cyber threat intelligence, which is a subcomponent where technical details are passed from a managed security service provider (MSSP) or a security operations center (SOC) and are used by internal leaders of technology or cybersecurity. A CI-DR program enhances the traditional approach of intelligence, cybersecurity, and risk management by using a collaborative fused program consisting of dedicated intelligence analysts from both the business and cybersecurity disciplines who can turn information into a business risk decision.
CI-DR does not change how traditional business intelligence (BI) operates but provides a framework for cyber intelligence enhancements that benefits current BI functions and provides the intersection with operational risk management. Having each of these capabilities operating as part of the connective tissue ecosystem enhances business decision structures. Terms such as “risk intelligence,” “network intelligence,” and “cyber threat intelligence” have been around since 2008. However, these concepts have not been consistently implemented to harness and leverage the information required for today's business decisions. Excluding some of the Fortune 100 companies, many have done little to incorporate cybersecurity risks or cyber intelligence “knowledge” into their business risk management objectives. Those companies continue to focus the majority of their budgets on purchasing new technology to try to enhance their security posture, but are consistently finding failure in that process.
This book references and is built on military intelligence lessons learned and processes that have been proven by best practices used for giving military commanders the ability to understand their area of operations and key strategic objectives. The CI-DR program leverages these key concepts and adopts them for business leaders to enhance their business operational risk objectives. This is the first book of a series designed for visionary cyber professionals striving to develop and improve outdated cyber defense systems and design a future-proof cyber program that contributes to enhanced business risk decision-making. This initial book provides the foundations for the creation of an actionable (i.e. build and use) CI-DR program that can be applied tomorrow to solve the gap between enterprise risk management, security architecture, and the current management of cyber risks in use today. Additionally, this book leaves out specific vendor technology solutions, as we want to focus the reader on how cyber intelligence functions and capabilities can drive better risk decision structures in today's digital age. By mentioning technology solutions we mask the foundational cyber concepts needed to drive decisions to keep up with the velocity of business changes. Additionally, this book can be used by cybersecurity professionals, software architects, mergers-and-acquisitions teams, government “think tanks,” academics, and students looking to help businesses make better choices about risk by building a proper program focused on delivering risk options to the decision-maker.
Every industry can benefit by creating or enhancing their business risk management program. Our CI-DR framework provides you, the reader, with the opportunity to build these capabilities, whether internally built, acquired through merger or acquisition, or sourced from the many service providers; this handbook provides the tools and the framework needed to ensure that it is effective. By the end of this book, the reader should understand what functional capabilities are needed to build a CI-DR program; the importance of why the “connective tissue” between the functions and capabilities is so valuable, and how the CI-DR program can be adequately leveraged to assist leaders in making more informed business decisions in the era of increased emergent cyber threats and attacks. Depending on the level of business understanding, the reader will be able to:
Build, buy, or outsource certain functions of the cyber intelligence–driven risk program.
Understand the functional capabilities needed to have an active program.
Turn cyber intelligence “knowledge” into business risk decisions.
Effectively use cyber intelligence to support enterprise and operational risk management programs.
Reduce the impact of cyber events through cyber intelligence “knowledge” for many business operations and not just through purchasing of new technologies.
Leverage a cyber intelligence–driven risk program to support mergers and acquisitions and collect the benefits of predictive cyber intelligence analytics.
Understand how the CI-DR program can reduce loss from cyber events for the organization and provide a proactive cyber defensive posture needed to meet emerging threats.
If this book inspires you to create new technologies, build a company to support these capabilities, or reduce risk and costs to your organization, please drop us a note on social media (@cybersixactual) or send us an email (https://www.cybersix.com); we would love to hear from you.
AS WE come out of the 2020 pandemic, many of us give pause to think about who we are, where we came from, and where we are going. This book would not be possible to complete and keep consistent without the assistance and support of colleagues, students, friends, and contributing authors. I would like to thank the United States Marine Corps for giving me drive, direction, skills, and a brotherhood that has been forged by combat. I would also like to thank SPAWAR (now NAVWAR) for giving me the information security skills to make my career possible. To Norwich University's Graduate MSIA program for providing an education second to none. To Northeastern University and Salve Regina University for providing me the opportunity to give back to the information security community and educate the next generation of cybersecurity professionals. I also want to thank those who supported my career growth and provided mentorship throughout my years in the cybersecurity profession. My first mentor and first Chief Information Security Officer (CISO), John Schramm, who was at the time leading the Investor's Bank and Trust Information Security group. John, as a prior US Army Officer, led me to take a position in KPMG's Information Protection group in lieu of rejoining the US government. My second mentor and the CISO who challenged me to succeed is Jim Routh. Jim was the first CISO I worked for who had transformational programs and business objectives tied to moving cyber activities into the forefront of business decisions. My last CISO, who mentored me in patience and helped develop my transformational concepts, is Steve Attias. Steve had been a CISO at New York Life since the declaration of that industry title, and continues to advise companies on cybersecurity programs in his retirement. Finally, to my mentor-friend, Marc Sokol. 
Marc was the Chief Security Officer at Guardian Life when I was at New York Life but had a good decade of experience in leading an insurance company's cybersecurity programs. Marc was instrumental in my growth, executive experiences, and still assists today where I need additional help or support.
To the contributing authors, my colleagues, and friends, you all have been a part of my journey in building these programs, listened to my ideas and concepts over social gatherings, working hours, and late-night meetups. Without your direct feedback, opinions, and execution, I would have never been able to see these programs work firsthand. We have built these programs in two Fortune 100 companies to great success, and many of you are still working on those programs or have modified them to support your current environments.
There were many throughout my career who have been a part of building out these concepts into reality, and there were people who gave me the support and freedom to build these programs. I would like to directly name and thank the following individuals who had a direct impact in helping to build and refine many of my concepts into programs over the last two decades. From my time at KPMG I wish to thank Neil Bryden, Barbara Cousins, Greig Arnold, and Prasad Shenoy; it was the time when the CI-DR™ concepts began to originate. I wish to thank those individuals at the Royal Bank of Scotland, Americas, who instituted and implemented the first of the CI-DR program's capabilities: Dr. Stephen Johnson (one of the co-authors of this book), Todd Hammond, David Griffeth, Chuck Thomas, Steven Savard, Robert Fitz, James McCoy, Chris Piacitelli, Frank Susi, Jack Atoyan, and David Najac. I wish to thank those responsible for implementing CI-DR version two of capabilities and functions at New York Life: Dr. Stephen Johnson, Robert Sasson, Karen Riha, Eric Grossman, Willard Dawson, and Lee Ramos. Finally, I wish to thank the following individuals at Alvarez and Marsal for creating the documentation behind these programs and putting to paper standard operating procedures, guides for building, and guides for assessing the maturity of these programs: Derek Olson (one of the co-authors of this book), Adele Merritt, Tom Stamulis, Brady Willis, Joe Nemec, Terence Goggins, Dominic Richmond, and Cassidy Lynch.
To my students and those asking me to be their mentors, thank you for listening to my rantings and ravings about our profession. You challenge me daily to be operational, effective, and creative about transformational solutions to meet the demands of the profession and industries you all strive to protect.
To my CyberSix advisors, specifically Sean Cross, who not only has looked out for the best interest of the company but has become a great friend, business partner, mentor, and coach. Your friendship and advice are what all startup organizations need to succeed from running the Founders' Roundtable, bringing startup CEOs to learn from each other, to the exhaustive time and effort you put into all those who need your services. To Steve Dufour, thank you for your strategic guidance and help in solidifying my concepts into business plans and paving the way for future services for my company. I look forward to continuing partnering, collaborating, and working together.
To my dad, whom we lost during the pandemic in 2020, due to underlying conditions. His passing placed a long pause on completing this book.
Finally, to my wife, Jennifer, who encouraged me to pursue this cybersecurity profession against many objections, before this profession became so popular. Those years of having to live above a garage raising our children while attending my undergraduate degree and continued service in the U.S. Marine Corps Reserve, through working full-time and completing my graduate degree, to becoming a professor and then moving the family for unknown adventures in this cyberworld; it could not be done without your continued support and love.
It is even better to act quickly and err than to hesitate until the time of action is past.
– Carl von Clausewitz
THIS BOOK is designed for business leaders who are looking to unwrap the “cyber black box” and understand how cyber intelligence can improve their business decisions. For the cybersecurity professional who is trying to find an entry point to provide value to executives, and for the cybersecurity teams looking to raise their level of sophistication, this book will address the fundamental issues facing businesses and individuals today. First, organizations are still failing to respond to cyber threats due to inconsistent decisions and poor cyber hygiene. Second, both organizations and cybersecurity professionals are struggling with compliance frameworks, international legislation, and local legislative and other privacy requirements while still trying to make revenue through technology advantages. All of the frameworks, compliance, and privacy items are focused on the technology and not on how the organization should be looking at operational risk. By the end of this book, we will explain to the reader why the CI-DR™ is the center of gravity for decisions that business leaders should be taking advantage of. Business leaders in every organization are consistently being asked how the organization is dealing with cybersecurity issues, whether it can respond to cyber losses, and what the shareholders need to know should a cybersecurity breach or cyber loss leading to financial consequences occur. Most of the cybersecurity issues that current business models outline are reactive in nature and are usually actioned without much analysis or debate, leaving biased opinions and hasty approaches that ultimately detract from logical decisions.
Operational risk losses or consequences are defined in the IEC/ISO 31010¹ documentation, and that is where we begin to leverage the language needed to bring the CI-DR “knowledge” to the risk management professionals. To have a seat at the table as cyber professionals we need to be able to speak the same taxonomy as our business risk managers. Throughout the book we provide some real-world examples of how a CI-DR program assisted organizations where these capabilities were implemented and matured to assist in the business decision-making process. As you read the examples, our intent is to have you think about the role you hold at your company, or your next role, and the types of information you would want to assist you in making decisions. To be successful, it is key to have the data and knowledge, coupled with curiosity and the desire to be of value, that will ultimately lead to being granted access to the internal decision-making for your organization.
With every chapter we provide the business need for a CI-DR program with a real-world example of the cybersecurity issues that many organizations have faced in the past. As you may recall, the year 2012 was very troubling for financial services, banking, and cybersecurity practitioners. Starting in the month of September and continuing into the new year, a nation-state-sympathetic group of malicious actors known as QCF (Cyber Fighters of Izz ad-Din al Qassam, also known as Qassam Cyber Fighters) began to methodically stop banks from financially transacting with customers, through an attack known as a Distributed Denial of Service (DDoS). This is essentially a technical mechanism that consumes and overwhelms systems and networks, rendering them unavailable or useless for the purposes they were designed for. Many of these banking institutions leveraged their membership in the Financial Services Information Sharing and Analysis Center (FS-ISAC)² to gain an understanding of how the attack started and to provide a secure forum for discussing the best strategies to defend the banks against this adversary, helping to set the foundations for many cyber programs and processes in use today.
The ISAC provided the necessary connections among cybersecurity professionals, many of whom came from the military intelligence profession, with a forum and location to share threat intelligence as well as the ability to discuss new capabilities and mitigation processes to reduce the attacks against their financial institutions without retribution for competitive interests. The Securities and Exchange Commission later issued a statement that cybersecurity and threat intelligence cannot be a competitive advantage.³ The larger member institutions had begun building cyber intelligence programs and sharing information on attacks through the membership's cyber intelligence leaders. As executives continued to hear through headlines and peers throughout the banking community, their concerns were how much money they would need to spend to protect their organizations and whether they had the proper staffing and expertise on hand to do that. The actions and outcomes of this specific attack played a significant role in the development of the CI-DR program. One of the important processes that was implemented from the sharing of information through the ISAC was the need for cyber intelligence teams to collect, analyze, and produce reporting of attack vectors to the banking management teams for decisions on how to deploy resources.
At different phases of the attack, other institutions were doing similar work, and after months of analysis of the velocity and growth of the attacks, teams using the initial vision of the CI-DR program were able to produce a predictive analysis of when the next attack might occur. Most conversations happening in business leadership were no longer the familiar technology-mitigation discussions; the conversations quickly changed focus to whether this attack would impact capital reserves, what other risks might be encountered during this unprecedented cyberattack, and what amount of financial transactions and revenue the online banking and other internet-facing systems would lose. As these conversations grew and expanded, our organization had a plan to have the accountants and business analysts review the systems and provide transactional and revenue estimates for eight, sixteen, and twenty-four hours of outage, to determine the amount of loss each critical system could incur. Much of this information was derived from work done by the risk management team during their Business Impact Analysis reviews and from the “crown jewels” asset risk assessments conducted by the information security and business technology teams. One of the most difficult assessments the accountants had to make was estimating potential revenue loss and the number of hours it would take to incur it. This process, incorporated after the attacks subsided, is the original iteration of what is commonly called today a fusion center. A CI-DR fusion center exists when business owners, accountants, technologists, risk managers, cyber intelligence analysts, and cybersecurity personnel are brought together to solve an organizational problem.
Having generated all available intelligence through the fusion of stakeholders, combined with our analysis of all data brought from the fusion teams, a decision model was presented to the Board of Directors for their agreement that we were doing the right thing. That “knowledge” package painted key cyber intelligence decision points and pinpointed that the organization would be attacked somewhere around January 7 at 14:00, and that the financial loss would be over a million dollars for eight hours of outage time. Additionally, the decision points included mitigation technologies the organization could deploy to remediate the attack and the cost comparison against the impact of loss. The cost-benefit decision weighed with risk options provided two courses of recommended actions. The decision points were to either allow our systems to be overwhelmed and let the attackers think they took us offline, or implement this new unproven Anti-DDoS scrubbing technology, which could still potentially lose some real transactions with an additional cost for ineffective technology. With agreement that executive management had the situation well understood, the decision was made to allow the attackers to shut down our online banking platform and allow it to be unavailable during our anticipated 14:00 to 17:00 outage.
To add additional scrutiny and anxiety for the executives, these plans had to be presented to the US Treasury and our financial regulators, which gave the executive team concern that we would be placed under supervisory letters if our decisions were steadfast. The cyber intelligence analysis from months of attack data was also provided to the Treasury and Regulators so they too could understand that the attackers usually turned off their attacks at 17:00 and that our exposure and loss rate was consistent with our risk models. It was the first time the organization's executives and management felt like they were making cybersecurity decisions and this grew my cyber intelligence program by leaps and bounds. Our intelligence estimates were off by thirty minutes, and we were back online transacting by 17:15 the same day. As the attacks were not subsiding through the spring of that year, the executive team, armed with the information from the collaborative efforts of the fusion team and the cyber intelligence analysis, made the decision to purchase the technology and reduce the financial losses even further. That organization is still using that same approach to mitigating other risks and how they purchase technology today as part of their risk management strategy. By leveraging this proven CI-DR framework it will enhance your cyber program from a pure technology thought to an operational risk program.
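The decision described above (revenue loss costed for eight, sixteen, and twenty-four hours of outage, two courses of action compared on cost versus impact, and the mitigation technology bought later once the attacks did not subside) can be expressed as a small expected-loss model. The following is an added example written for this edition; it is not code or data from the book or its author. All figures are constructed: the loss rate is chosen so that an eight-hour outage is "over a million dollars", matching the order of magnitude the text reports, and the probability weighting of the three outage durations is an assumption added here (the book describes per-system estimates, not probabilities). The mitigation's fixed cost, residual outage, and dropped-transaction rate are likewise made-up parameters a fusion team would replace with its own estimates.

```python
import math
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class OutageScenario:
    """One outage duration the analysts costed (8, 16 or 24 hours) plus an
    assessed probability that an attack day lasts that long. The probabilities
    are an assumption added in this example, not figures from the book."""
    hours: float
    probability: float


@dataclass(frozen=True)
class CourseOfAction:
    """A risk option presented to leadership, parameterised by its costs."""
    name: str
    fixed_cost: float        # one-time cost of the mitigation (0 for 'do nothing')
    residual_outage: float   # fraction of outage hours still lost with it in place (0..1)
    collateral_rate: float   # fraction of legitimate revenue the mitigation itself drops


def expected_outage_hours(scenarios: Sequence[OutageScenario]) -> float:
    """Probability-weighted outage length for one attack day."""
    total = sum(s.probability for s in scenarios)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"scenario probabilities sum to {total}, expected 1")
    return sum(s.hours * s.probability for s in scenarios)


def expected_daily_loss(coa: CourseOfAction, loss_per_hour: float,
                        scenarios: Sequence[OutageScenario]) -> float:
    """Expected revenue lost on one attack day under a course of action: the
    outage hours the mitigation fails to prevent, plus the legitimate
    transactions it drops during the hours it does keep the service up."""
    hours = expected_outage_hours(scenarios)
    residual = coa.residual_outage * hours * loss_per_hour
    collateral = coa.collateral_rate * (1.0 - coa.residual_outage) * hours * loss_per_hour
    return residual + collateral


def total_cost(coa: CourseOfAction, loss_per_hour: float,
               scenarios: Sequence[OutageScenario], attack_days: int) -> float:
    """Fixed cost paid once; expected loss paid on every attack day."""
    return coa.fixed_cost + attack_days * expected_daily_loss(coa, loss_per_hour, scenarios)


def recommend(coas: Sequence[CourseOfAction], loss_per_hour: float,
              scenarios: Sequence[OutageScenario], attack_days: int) -> CourseOfAction:
    """Cheapest course of action over the expected length of the campaign."""
    return min(coas, key=lambda c: total_cost(c, loss_per_hour, scenarios, attack_days))


def breakeven_days(candidate: CourseOfAction, baseline: CourseOfAction,
                   loss_per_hour: float, scenarios: Sequence[OutageScenario]) -> Optional[int]:
    """Number of attack days after which the candidate's fixed cost is repaid
    by its lower daily loss; None if it never saves anything per day."""
    saving = (expected_daily_loss(baseline, loss_per_hour, scenarios)
              - expected_daily_loss(candidate, loss_per_hour, scenarios))
    if saving <= 0:
        return None
    return math.ceil(candidate.fixed_cost / saving)


# Constructed figures (not from the book). $130k/hour makes an eight-hour
# outage a little over $1M, the order of magnitude the narrative reports.
LOSS_PER_HOUR = 130_000.0
SCENARIOS = (OutageScenario(8, 0.6), OutageScenario(16, 0.3), OutageScenario(24, 0.1))
ACCEPT = CourseOfAction("accept outage", fixed_cost=0.0, residual_outage=1.0, collateral_rate=0.0)
SCRUB = CourseOfAction("deploy scrubbing", fixed_cost=1_200_000.0,
                       residual_outage=0.2, collateral_rate=0.1)

if __name__ == "__main__":
    for days in (1, 2, 5):
        best = recommend((ACCEPT, SCRUB), LOSS_PER_HOUR, SCENARIOS, days)
        print(f"{days} attack day(s): {best.name} "
              f"(${total_cost(best, LOSS_PER_HOUR, SCENARIOS, days):,.0f} expected)")
    print("scrubbing pays for itself after",
          breakeven_days(SCRUB, ACCEPT, LOSS_PER_HOUR, SCENARIOS), "attack days")
```

With these constructed inputs the model reproduces the shape of the book's story: for a single attack day accepting the outage is cheaper, because the unproven scrubbing technology costs more than the revenue it protects and drops some real transactions; once the campaign is expected to run for two or more attack days the fixed cost amortises and deploying the technology becomes the lower-loss option. The point a fusion team should take from it is that the inputs (loss per hour from the Business Impact Analysis, outage-duration probabilities from the intelligence analysis, and the mitigation's own collateral loss) are what the decision turns on, and each is owned by a different stakeholder.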
Figure I.1 shows how the CI-DR framework is designed and organized to address and provide reporting to directors and executives, to the risk officers and auditors, and of course to the leadership of the technology and cybersecurity functions within the company. The reporting to the directors and executives mostly covers what the cyber program is doing to enhance or contribute to how the organization governs and responds to risk. In many organizations the business objectives drive how the organization handles risk, and they are key to how the CI-DR framework ties its goals and missions to assisting the business in meeting those objectives. Committees are another area where the CI-DR program provides analysis and input for reporting. As we mentioned, consequences of loss are listed in the International Organization for Standardization's Risk Management standard, and that taxonomy can be used to provide a one-to-many or many-to-many mapping from CI-DR capabilities and functions to a risk mitigation process, technology, or exposure. Risk management and compliance professionals are businesspeople, and they need technologists to speak a common language to help them also protect the organization against risk. The CI-DR also provides compliance, internal auditors, and technology leadership with the ability to report on the maturity and performance of the functions and capabilities. Maturity reporting within the CI-DR framework gives the various organizations using this framework the confidence not to have to compare themselves to others, to determine their needs based on size, budget, and the skills available in the area, and to understand overall that cybersecurity is an operational risk that can be understood by non-technologists.
FIGURE I.1 CI-DR's business value.
We are positive that after reading this body of work the reader could confidently address the committees, the boards, and the executives when they ask about how the organization is governing its cyber risks. We know this framework has been able to address questions from regulators about the processes and the strategy for identifying, containing, and mitigating emergent cyber threats. Finally, if you are a director and an officer of a company implementing a CI-DR, the framework provides the formalization necessary to show that the organization's risk response and process and the directors and officers have done their due care to protect the company.
During a cyber incident is not the time to prepare your actions. Preparations are necessary; just as you prepare for financial loss, cyber incidents impact both operations and financial losses.
Cybersecurity decisions with CI-DR “knowledge” become sophisticated business decisions.
When cybersecurity leaders speak of business risks coupled with cyber intelligence analysis, any leader can make informed decisions.
Any cyberattack can be thought of in terms of the value it deprives the organization of and the costs it imposes, which makes it an operational risk, which is ultimately a business risk. In this case, it was potential market risks, credit risks, and liquidity risks that could be realized through operational loss. The organization wanted to keep its AA rating, it didn't want customers to leave for other banking institutions, and it certainly did not want to take a substantial financial loss from revenue, fines, or litigation.
A CI-DR program can have massive impacts and outcomes, as it is built with the purpose of delivering decisions to business leaders. Throughout this book, you will see the terms “information security” or “cybersecurity” used, and in CI-DR there are distinct differences, but for the purposes of this book these terms will be synonymous.
NOTES
1. International Electrotechnical Commission, Risk Management – Risk Management Techniques, 2009–2011, www.iec.ch/searchpub
2. Financial Services – Information Sharing and Analysis Center, 1999, located on the internet at https://www.fsisac.com/who-we-are
3. SEC memo
Knowledge must become capability.
– Carl von Clausewitz, Prussian general
ANY FRAMEWORK, methodology, or process has to have objectives and outcomes. The CI-DR™ program strives to achieve two objectives. First, the program provides accurate, timely, and relevant knowledge about cyber adversaries and the digital environment in which the organization operates. Adversaries within the cyber ecosystem are internal or external. An internal cyber adversary could be an employee, contractor, or someone with an objective and the physical or logical access to information otherwise not known to the public. External cyber adversaries include malicious actors, nation-states, competitors, or even outsourced platforms or processing environments and those employed or influenced there.
To achieve the first objective of the CI-DR program, four tasks are required to be performed. First, the program must evaluate the existing cyber conditions, cyber risks, and potential operational losses from cyber events and incidents while holistically taking into account the many internal and external adversarial capabilities. Second, based on existing cyber conditions and cyber capabilities, the program estimates possible cyber adversarial courses of action and provides insight into possible future actions. Third, the program aids in identifying vulnerabilities that could be exploited by adversaries and the operational impact their exploitation could have on the organization. Fourth, the program and the “knowledge” it creates assist in the development and evaluation of the organization's courses of action for decisions based on the first three tasks.
