Cyber Security Risk Management in Context

by Robyn Bailey

_____________________________________________

A good cyber security program requires good management of risk, usually in accordance with Risk Management Standard ISO31000, although there’s almost always one critical step that is overlooked.

Setting the context of a risk assessment is the first and one of the most important steps – if all participants of the assessment are not working and analyzing at the same context then there is bound to be a mismatch and incorrect risk ratings assigned. This can lead to over-application of controls (and a lack of return on security investment leading to reputational issues for the cyber security specialists) or under application.

The following diagram represents the multi layered approach to cyber security risk management and examples of key stakeholders for input to a risk assessment within each context.   

Each layer should then be further broken down into vulnerabilities and threats.

An example I often use to explain these layers and contextual awareness (or lack of) is the identification of a vulnerability in a browser on a server by an operational staff member. Whilst industry vulnerability ratings (eg http://cve.mitre.org/) may identify the vulnerability as High, the threat may be low (no or minimal human threat actors as there is very minimal use of the browser) therefore the risk, even at the Operational context, is not High. Once we “roll-up” the risk to the layer layers, this particular risk should get consumed within more important business cyber risks – the CEO and Audit and Risk are not concerned with one vulnerability on a server. 

Delving deeper into individual risks, as a risk practitioner of many years, I often see a lack of contextual alignment in the likelihood and impact. For instance, using a basic risk of Weather event causes data centre outage, we can assume that a weather event may be Possible and a data centre outage could have a Severe impact when the factors of the risk are treated separately – perhaps giving a Very High risk rating. However, when the full context of the risk is documented – for example, Weather event causes data centre outage beyond 3 days, we can see that the likelihood is probably Rare, the Impact remains as Severe, giving a Medium risk rating (depending on your risk matrix of course).

Robyn has worked as a technologist and strategist in the cyber security industry for over 20 years. She established the first Australasian Chapter of the Information Systems Security Association (ISSA) around the year 2000, and bought the first CISSP exam to Australia in 2002. She has worked for Business Aspect for the past 10 years as a Principal Consultant and she also leads their Security Testing team. A quiet achiever, Robyn constantly challenges the status quo through analyzing and asking the right questions.   Largely self-educated, she has a passion for learning about technology and has extensive technology knowledge including communications, app dev, databases, cloud and integration platforms. In her “spare” time, Robyn is a mother of two teenage boys and a pre-teen girl and also volunteers for code.org (teaching coding to teachers and students in Primary schools); Mensa (co-ordinating events for, and teaching technology and cyber security skills to gifted children); CSIRO STEM Professionals in Schools (explaining Comp Sci to teachers); Tech Girls are Superheroes; and various other non-profit organisations.  Robyn’s experience of 25 years as a female technologist drives her to especially provide support to other analytical girls and women with outstanding capacity to succeed as a technologist.

(c) AWSN 2017

Disclaimer: The views and opinions expressed in this article are those of the author/s and do not necessarily reflect the official policy or position of any agency, organisation or association.