Stepping Through Cybersecurity Risk Management - Jennifer L. Bayuk - E-Book

Description

Stepping Through Cybersecurity Risk Management: an authoritative resource delivering the professional practice of cybersecurity from the perspective of enterprise governance and risk management.

Stepping Through Cybersecurity Risk Management covers the professional practice of cybersecurity from the perspective of enterprise governance and risk management. It describes the state of the art in cybersecurity risk identification, classification, measurement, remediation, monitoring, and reporting. It includes industry standard techniques for examining cybersecurity threat actors, cybersecurity attacks in the context of cybersecurity-related events, technology controls, cybersecurity measures and metrics, cybersecurity issue tracking and analysis, and risk and control assessments. The text provides precise definitions for information relevant to cybersecurity management decisions and recommendations for collecting and consolidating that information in the service of enterprise risk management. The objective is to enable the reader to recognize, understand, and apply risk-relevant information to the analysis, evaluation, and mitigation of cybersecurity risk. A well-rounded resource, the text describes both reports and studies that improve cybersecurity decision support. Composed of 10 chapters, the book provides learning objectives, exercises, and quiz questions per chapter in an appendix, with quiz answers and exercise grading criteria available to professors.

Written by a highly qualified professional with significant experience in the field, Stepping Through Cybersecurity Risk Management includes information on:

* Threat actors and networks, attack vectors, event sources, security operations, and CISO risk evaluation criteria with respect to this activity
* Control process, policy, standard, procedures, automation, and guidelines, along with risk and control self-assessment and compliance with regulatory standards
* Cybersecurity measures and metrics, and corresponding key risk indicators
* The role of humans in security, including the "three lines of defense" approach, auditing, and overall human risk management
* Risk appetite, tolerance, and categories, and analysis of alternative security approaches via reports and studies

Providing comprehensive coverage of cybersecurity through the unique lens of enterprise governance and risk management, Stepping Through Cybersecurity Risk Management is an essential resource for professionals engaged in compliance with diverse business risk appetites and with regulatory requirements such as FFIEC, HIPAA, and GDPR, as well as a comprehensive primer for those new to the field. A complimentary foreword by Professor Gene Spafford explains why "This book will be helpful to the newcomer as well as to the hierophants in the C-suite. The newcomer can read this to understand general principles and terms. The C-suite occupants can use the material as a guide to check that their understanding encompasses all it should."


Page count: 547

Publication year: 2024




Stepping Through Cybersecurity Risk Management

A Systems Thinking Approach

Jennifer L. Bayuk

Copyright © 2024 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per‐copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750‐8400, fax (978) 750‐4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748‐6011, fax (201) 748‐6008, or online at http://www.wiley.com/go/permission.

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762‐2974, outside the United States at (317) 572‐3993 or fax (317) 572‐4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging‐in‐Publication Data applied for

Hardback ISBN 9781394213955

Cover Design: Wiley
Cover Images: © NicoElNino/Adobe Stock Photos; Courtesy of Jennifer Bayuk

Foreword

Humans have an affinity for determinism. Generally, we want to know cause and effect, and we want to know the outcomes of actions we take. Furthermore, many or most of us are not keen on surprises — especially surprises involving loss or extra work. These tendencies likely trace far back in time as evolutionary advantages. It helps survival if we know we should not eat that mushroom or wander into an unfamiliar, dark cave without a torch and thus might have an unexpected — and unpleasant — encounter.

The urge to have knowledge (and some control) of the flow of events led to the creation of myths, deities, rituals, and magic. Sometimes the consequences of these rituals were benign, such as performing a dance and a song at the solstice. But sometimes, the results were darker, as in ritual sacrifices to bring the rain. We have holdovers of many superstitions (to the detriment of black cats, for instance). We also see the creation of conspiracy theories to explain things we cannot understand. Too many people also think that changing one’s mind based on new information is a weakness despite that being a fundamental component of the scientific process. The pull of determinism is strong.

As time passed, humans have seen the rise of science and the scientific method as we found ways to test and extend our knowledge. The results of that are all around us. For a long while, the belief was that science and technology could conquer all untoward occurrences. But we have repeatedly encountered failings where determinism does not rule. Global climate change and viral evolution are two classes of phenomena we cannot fully predict because of their intricacies and factors we do not yet fully understand. The more we learn about the world and its complex systems, the more we need to use stochastic methods to understand some likely behaviors. Loki and his brethren were random, and so too, it seems, are the probability distributions underlying the fabric of our quantum reality. Probability and its application to risk analysis and management have become accepted in most engineering disciplines.

In the early days of computing, we viewed digital computers as deterministic, modulo some uncommon malfunctions. However, as technology has advanced to interconnected global networks running dozens of virtualization layers, with access to petabytes of data and by millions of humans, we left determinism firmly in the dust along with rain gods and witches’ curses. The combinatorics of interactions of all the variables coupled with the randomness and limitations of people means we can often only predict some trends and limited outcomes.

This is quite noticeable when we talk about cybersecurity. Our desire is for our systems to behave in predictable and constrained ways — to do our bidding with no harm and for us to be confident that we can engineer them accordingly. Once upon a time, the community thought that perfect security was achievable if only we followed some good practices in producing our code.[1] We now know that was naive, on the order of sacrificing small animals to the deities of intrusion and denial of service!

Practitioners of cybersecurity (and associated dark arts) have undergone an evolution in thinking about the protection of systems. We have evolved from strict security to the concept of trustworthy systems, then to measuring trustworthiness in context, then to resilience, and then to understand the context of risk. This is the journey that Dr. Jennifer Bayuk describes in the first chapter. We have reached the point of applying probability and statistics to attempt to divine the behavior of our computing artifacts. That does not mean determinism has no place, but we must understand its limitations. We need to embrace probability and risk analysis in computing to understand our systems’ macro behaviors.

This book is a deep but understandable dive into the elements of cybersecurity and risk. The chapters examine the many aspects of reasoning about risk in a cybersecurity context and how to shape it. The book does not tell the reader how to build a type‐safe program or how to put intrusion prevention systems into action — there are many other books available that do that. Instead, these chapters systematically examine the people, processes, events, and policies that compose the overall risk context of managing computing resources.

This book will be helpful to the newcomer as well as to the hierophants in the C‐suite. The newcomer can read this to understand general principles and terms. The C‐suite occupants can use the material as a guide to check that their understanding encompasses all it should. The text is accompanied by informative diagrams and illustrations that help elucidate the concepts. And each chapter has references to other insightful sources of information and enlightenment. This book is a carefully thought‐out and well‐researched text that belongs on the shelves of both apprentice and mage.

Set aside your beliefs about your control over your computing, and then read this book. Jennifer is a master of this topic area, and no matter how well you know the material already, you are likely to learn something new, no matter what your horoscope and tea leaves have already revealed. Oh, and be nice to black cats when you see them — they are not the ones who will be attempting to hack into your systems.

Eugene H. Spafford
July 2023

Note

[1] This ignores that we never had a common definition of what cybersecurity is. See Cybersecurity Myths and Misconceptions by Spafford, Metcalf, and Dykstra, Pearson, 2023, for more details.

Acknowledgements

I started my career in cybersecurity when it was called Computer Security, lived through its transition to Information Security, and emerged as one of the small minority of Cybersecurity Risk Management professionals who have been in the field since before its recognition as a promising career choice. At first, I referred to the members of our profession, including myself, as “jacks of all trades, masters of none.” But now I recognize that we who practice cybersecurity have a very specific expertise: the instinct to recognize patterns of potential misuse of technology. While most people appreciate technology for the convenience it offers, cybersecurity professionals recognize its inherent potential to cause harm. For this expertise, I am indebted to the camaraderie of that entire community, as well as the leadership and coaching of computer security expert Ed Amoroso in my days at Bell Laboratories, information security expert Pat Ripley in my days at Bear Stearns, and risk management experts Mike Donahue and John Davidson in my days at Price Waterhouse and Citi, respectively. I am also indebted to those who contributed to this work via proofreading, questioning, and other invaluable support: Jeanne Apryaz, Rachel Chernati, Andy McCool, and my editor at Wiley, Brett Kurzman. Thank you all for your time and patience. Notwithstanding, my deepest debt is to my husband Michael for his loving patience throughout the endeavor.

About the Companion Website

This book is accompanied by a companion website.

www.wiley.com/go/STCRM 

This website includes:

Professor Guide

Color Figures

1 Framework Elements

In the realm of risk, cybersecurity is a fairly new idea. Most people currently entering the cybersecurity profession do not remember a time when cybersecurity was not a major concern. Yet, at the time of this writing, reliance on computers to run business operations is less than a century old. Prior to this time, operational risk was more concerned with natural disasters than human‐induced disasters. Fraud and staff mistakes are also part of operational risk, so as dependency on computers steadily increased from the 1960s through the 1980s, a then‐new joke surfaced: To err is human, but if you really want to screw things up, use a computer.

Foundational technology risk management concepts have been in place since the 1970s, but the tuning and application of these concepts to cybersecurity were slow to evolve. The principles are the same, but they have been applied differently over the years to adapt to changing technology. There is no doubt that cybersecurity risk management tools and techniques have continuously improved. While in the 1980s, an inspection of system capabilities to restrict access to data was enough to earn a system a gold star, in the 1990s, full data inspection of user records and comparison with job functions augmented the inspection of the system’s capabilities. That is, even a well‐defined system can be misused by unauthorized or unintentional entry of data that allows excessive privileges. In the 2000s, the assumption that a system could maintain data integrity by separating operating system and database access was challenged by viruses and hacks targeting networked databases. In the 2010s, the assumption that a system could maintain data availability by well‐tested backup and fail‐over procedures was shattered by distributed denial of service attacks. In all cases, the technology industry stepped in to provide a new set of automated security controls to be integrated into existing systems and built into new systems going forward. Although the consequences of cybersecurity incidents have become dramatically more profound over the decades, available controls have also become more comprehensive, more ubiquitous, and more effective.

This book shares that perspective. It is intended to help anyone who works in cybersecurity understand how their own cybersecurity job function contributes to that continuous lifecycle of improvement. It should also help those considering working in cybersecurity decide which cybersecurity functions interest them most. FrameCyber® is intended to make cybersecurity risk management visible to those who are contributing to it and comprehensible to those looking in from the outside. Like any effort to increase visibility, increasing transparency in cybersecurity requires clearing out some clouds first. Unfortunately, there are a plethora of myths that currently cloud management thinking about cybersecurity (Spafford et al. 2022).

The first myth is that people who work in cybersecurity risk analysis are less influential in solving hard cybersecurity problems. Because they are not contributing to cyber defense tools and techniques with technology operations and engineering teams, sometimes they are dismissed as paper‐pushers. The truth is that it is not technology implementation, but rather constant analysis that makes cybersecurity risk management most effective, specifically the analysis of aggregate cybersecurity events, cybersecurity issues, and cybersecurity assessments. Data gleaned from these analyses are consolidated into a framework for decision‐making. This framework in turn prompts decisions on defensive tactics and technologies that allow the profession of cybersecurity risk management to evolve. To borrow a phrase from the DevOps community, starting with technology and then backing into analysis is to shift right, a derogatory term for building technology before knowing what its validation test looks like. In the cybersecurity analogy, to shift left means to populate the defense team with people who are capable of testing whether the control objective of being resilient to cyberattack is met. This exposes another myth about cybersecurity, namely, that cybersecurity risk is a pure technology problem.

In any risk discipline, it is appropriate to be guided by the expectations of management from an enterprise perspective, i.e., what executives expect cybersecurity risk managers to actually produce. A lot of people working in cybersecurity risk management are producing risk assessment reports intended to be consumed by executive management. The topics on these reports range from assessment of regulatory compliance to assessment of enterprise ability to thwart the latest attack to hit the headlines. Thus, the paper‐pusher analogy. This reporting activity sometimes takes place in the absence of answers to basic questions, such as:

What do executives do with the reports?

In what operational process, if any, are the reports expected to be utilized?

What behavior should be influenced by information in the reports, and does it differ from what is actually done?

Are the reports the most effective way to communicate the results of cybersecurity risk analysis?

Such reports produced in the absence of a process designed to produce a continuous cycle of improvement in decision‐making are headed for the recycle bin, or worse, retaliation against their authors for exposing vulnerabilities without offering solutions.

It is easy to forget that the role of Chief Information Officer (CIO) has only been around for less than half a century and the role of a Chief Information Security Officer (CISO) for a few decades. (Note, herein, we refer to the highest‐ranking person whose sole job is information security as the CISO, although of course the title may differ depending on the organization). The pace of technology change has been skyrocketing within that timeframe. The likelihood that any cybersecurity risk management process is fully mature cannot conceivably be high, and the likelihood that cybersecurity continuous improvement processes are mature is even lower. Admittedly, progress has been made in maturing security operations, investigation, and forensics. However, these processes have evolved in response to successful cyberattacks, that is to realized risk, then been adopted as industry best practices. We are not yet ahead of the game.

It is revealing that cybersecurity professionals have labeled many of their operational activities as “cybersecurity risk management” activities. For example, it is obvious that running an antivirus (AV) system is a risk management activity, as it is meant to reduce the risk of a specific risk category of events, namely, harm to systems from malicious software. However, this narrow usage is limited to specific risk categories and does not address the aggregation issue. Questions at the aggregate level are:

Do cybersecurity management activities cover the full spectrum of cybersecurity risks within business process?

If cybersecurity management activities cover the technology environment, does this cover all cybersecurity risks to business process?

Risk management concepts are much older than technology. Risk management is the art, not the science, of identifying potentially negatively impacting events and avoiding them. It also includes an interpretation, popular in gambling and investing, which involves opportunity. That is, the term “risk” is not always used to characterize events that have negative impact but may also be applied to events that have a positive impact. In this sense, risk means opportunity, or the flip side of the probability of a negative event. However, that interpretation draws gasps of disbelief from cybersecurity professionals because in the domain of cybersecurity, the use of the term risk ubiquitously applies to negative events, so herein, we safely let that opportunity concept go. As cybersecurity risk management professionals, we are expected to estimate the probability of negative impacts due to cybersecurity events.

To do that, we need to gather data on these events that we can analyze. A famous example of how to estimate the probability of negative impacts was provided by Peter Bernstein in his book “Against the Gods: The Remarkable Story of Risk.” Bernstein described how Edward Lloyd, the owner of a coffee house in London in the late 1600s, started recording the arrivals and departures of ships in combination with observations of conditions abroad, major ship auctions, and marine route hazards (Bernstein 1996). Lloyd’s coffee house became a gathering place for marine insurance underwriters, and his list was eventually expanded to provide news on foreign stock markets, ship accidents, and sinkings. One hundred years later, this brand of risk analysis became the Society of Lloyd’s and eventually the insurance company we know today as Lloyd’s of London. They were trying to gather data about the past to predict the future. That is what risk management is all about.

Today, it is a fundamental principle of risk management that the ability to successfully predict the future based on past events requires historical data. Unfortunately, we do not have a lot of historical data on cybersecurity, and technology changes so rapidly that by the time we collect it, it may be obsolete. Nevertheless, we experience events, and recording them adds to our ability to recognize patterns of activity that may increase cybersecurity risk.

However, even when the risks of dependency on computers became blatantly obvious in the 1980s, computer security was largely a technology control exercise, not one populated with risk management professionals. Controls adequate to reduce risk to an acceptable level were almost nonexistent. Computer security professionals hopelessly stood by as Microsoft Windows allowed access to data through networks without logins, as the Internet allowed software to be downloaded onto people’s personal computers without their knowledge, and as viruses had cascading effects on business processes. Only after 9/11 was computer risk management elevated to executive levels, and even then, although the problem became more and more obvious, the control side still failed to catch up.

More recent events, however, have elevated cybersecurity risk management concerns even higher. For example, the massive organized criminal industry that feeds on identity theft, the devastating impact of cyberwarfare attacks against Estonia and Sony Corporation, and the post‐9/11 escalation of cyber espionage to cyberwar made cybersecurity risk management a Board‐level conversation. However, some methods by which cybersecurity risk is managed still lag far behind the best practices in the broader field of operational risk management. It is often seen as a technical exercise whose professionals are not required to have insight into business process supported by the technology in scope. There has been a lot of effort to normalize and standardize cybersecurity tools and techniques, when in reality the controls required by different businesses can be very diverse. This situation calls for a hard look at how we make cybersecurity decisions at both the enterprise and the organization level.

For a start, it is helpful to acknowledge that cybersecurity decisions are indeed made at multiple levels within an enterprise, where enterprise refers to an entity, whether corporate, government, or nonprofit. Enterprises may comprise a wide variety of organizations, from holding companies and business units to corporate support functions and financial services. A key element of the definition for the purposes of risk management is that enterprises are bound by due diligence obligations, whether legal or ethical, to provide oversight to ensure the strength and stability of the organizations of which they are composed. To this end, an enterprise will often establish a risk management framework to be shared across and within its constituent organizations. These include suppliers, service providers, affiliates, newly acquired companies, regulators, and media outlets. The framework is intended to provide transparency at the enterprise level to the activities and decisions made within each organization. Where such activities and decisions concern the use of technology, the framework extends to transparency of systems support for business activities.

The International Standards Organization considers information security management itself a system, an Information Security Management System, or ISMS (ISO 2022). The word system is used in the context of the field of systems engineering, wherein a system is an arrangement of parts or elements that together exhibit behavior or meaning that the individual constituents do not (INCOSE 2023). The systems engineering profession has also produced a tool used for defining systems called a systemigram, merging the terms “system” and “diagram” (Boardman and Sauser 2008). In a systemigram, even complex systems are defined in one simple sentence focused on the system mission. This is called the mainstay. Considering FrameCyber®, a cybersecurity risk system, in the same manner as an ISMS, its definition in a single sentence might be “FrameCyber® empowers enterprises to oversee organizations that evaluate cybersecurity risk to support decisions.” This is the mainstay of the systemigram in Figure 1.1. A systemigram places the system to be defined at the top left and the system’s value proposition at the bottom right. The mainstay connects system components (nouns) with activities (verbs) that define relationships between them. The sentence formed by the mainstay is the system mission statement. The idea is that the system is defined by its purpose, and the purpose should be made clear by demonstrating how its main components contribute to its expected deliverable. Figure 1.1 therefore defines a tool for creating a cybersecurity risk framework. Nonetheless, just as in any complex system, there are many other perspectives from which people understand it.

A systemigram allows for multiple threads connecting to its mainstay to flesh out the context in which the system is expected to work. The most obvious context, depicted in Figure 1.2, is that cybersecurity risk is concerned with the activities of bad actors who threaten the enterprise. The full set of cyber actors that threaten an organization is often referred to as its “Threat Catalog.” Threats are of primary importance because without a clear understanding of who will probably attack and what methods they are likely to use to enact cyber threats, it is highly unlikely that an enterprise will be prepared to thwart the attack. Notice that the who and the what of a threat are different. The existence of a bad actor does not imply that the threat will be enacted or that it will succeed. So although threat is of primary importance in analyzing risk, it is nevertheless a small piece of a larger puzzle.

Figure 1.1 Cybersecurity Framework Systemigram Mainstay

Figure 1.2 Cybersecurity Risk Framework Threat Perspective