The Lexicon, Risk Management, and You John McCumber


John McCumber, (ISC)² Director of Cybersecurity Advocacy, North America

Who's this guy?

- Cybersecurity Advocate
- Fellow of (ISC)²
- Retired Air Force
- Public and private sector experience

What Are We Talking About?

- What is a lexicon?
- Why do we need one?
- Why is it important?
- Relationships in risk management
- How you can use this information

The new lexicon

But First...

Why

Cybersecurity

"Find out the cause of this effect,
Or rather say, the cause of this defect,
For this effect defective comes by cause."
- William Shakespeare, Hamlet

Thoughts on measurement

"When you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot measure it, when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind: it may be the beginning of knowledge, but you have scarcely in your thoughts advanced to the stage of science."
- William Thomson, Lord Kelvin (1824-1907)

Where's the disconnect?

Traditional cybersecurity
- Technical issues only
- Vulnerability-centric
- Probes exterior boundaries
- Little actual analysis
- Based on a state
- Recommends point solutions tied to specific vulnerabilities, based on the consultants' experience

Risk management definition
The process of designing, developing, sustaining, and modifying operational processes and systems in consideration of applicable risks* to asset confidentiality, integrity, and availability.
*Applicable risks are those reasonably expected to be realized and to cause an unacceptable impact.

Risk management principles
- Incorporates an analytical, systems approach into the entire operational and support cycle.
- Provides systems and operational leaders a reliable decision support process.
- Encourages protection of only that which requires protection.
- Manages cost while achieving significant performance benefits.

Chart: Empirical / Objective; Cost, Performance and Risk plotted against Applying Safeguards.

Essential Elements of Risk
- Threats
- Assets
- Vulnerabilities
- Safeguards: Products, Procedures, People

The Risk Equations

1: $T \times V \times A = R_b$

2: $\dfrac{T \times V \times A}{S} = R_r$

Risk = Volume of a Cube

Risk Assessment Process
Diagram of the process stages (the deck walks through each in turn):
- Asset Valuation
- Threat Assessment
- Vulnerability Assessment
- Risk Determination
- Safeguard Assessment
- Decision Support Analysis

Asset Valuation
Information is more than data:

information is data placed in context, related to other data, and processed into a consumable resource or asset.
Diagram: Data -> Information. A small amount of information can have more value than a large amount of data.

Bases of Value
- Development basis
- Operational basis
- Market basis
- Collection basis

Defining Operational Requirements
- Capture the users' needs, such as performance, mission requirements, and constraints.
- Collect user perception of incident/unacceptable impact.
- Have owners, consumers, and maintainers of the assets rate the areas of operational concern (confidentiality, integrity, and availability).
- Asset value is the first component of risk.

Threat Determination
- Threat factors are a product of historical data and trend projections.
- Statistical and expert analysis provide default threat factor ratings.
- Purpose is to identify and rank those threats that apply specifically to the assets or organization.

Threat Classifications
Tree diagram: Threat splits into Environmental and Man-Made; Man-Made threats are split Internal / External, then Hostile / Non-Hostile, then Structured / Unstructured.

Vulnerability Determination
Vulnerabilities are those specific technical weaknesses which can be exploited to impact an asset:
- System and network hardware
- System and network operating systems
- System and network applications
- Network protocols
- Connectivity
- Current safeguards
- Physical environment
It is necessary to identify and rank vulnerabilities.

Risk Measure Formula
$\mathrm{Risk\ Measure}_i\ (\mathrm{RM}_i) = \mathrm{Threat\ Measure}_h \times \mathrm{Vulnerability\ Measure}_j \times \mathrm{Asset\ Measure}_k$
$\mathrm{Risk\ Measure}_{\mathrm{Total}} = \sum_{i=1}^{N} \mathrm{RM}_i$, or $T \times V \times A = R_b$

Safeguard Determination
- Identify applicable safeguards by considering system-specific threats, vulnerabilities, assets and components.
- Produce a list of valid safeguards to support the decision support cycle.

Residual Risk Calculation
$\mathrm{Residual\ Risk\ Measure}_i\ (\mathrm{RRM}_i) = f(\mathrm{Threat\ Measure}_h, CV) \times g(\mathrm{Vulnerability\ Measure}_j, CV) \times h(\mathrm{Asset\ Measure}_k, CV)$
$\mathrm{Residual\ Risk\ Measure}_{\mathrm{Total}} = \sum_{i=1}^{N} \mathrm{RRM}_i$, or $\dfrac{T \times V \times A}{S} = R_r$

Risk Assessment Process
The process diagram revisited: Threat Assessment, Asset Valuation, Vulnerability Assessment, Risk Determination, Safeguard Assessment, Decision Support Analysis.
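As an added worked example (not from the deck), the risk measure and residual risk formulas above applied to constructed ratings, feeding a cost-benefit ranking of candidate safeguards. The 0..10 rating scale, the modelling of f(), g() and h() as scaling each factor by a safeguard's reduction, and every name, cost and value are assumptions.

```python
from dataclasses import dataclass, field
from itertools import product
# Constructed ratings on an assumed 0..10 scale (the deck fixes no scale);
# each (threat, vulnerability, asset) triple is one RM_i = T_h x V_j x A_k.
THREATS = {"external hostile structured": 7, "internal non-hostile unstructured": 4}
VULNS = {"unpatched OS": 8, "weak protocol": 5}
ASSETS = {"customer records": 9, "build server": 6}

@dataclass
class Safeguard:
    """Assumed model of f(), g(), h(): each factor a safeguard acts on is
    scaled by (1 - reduction); 0.75 cuts that measure to a quarter."""
    name: str
    cost: float
    threat_reduction: dict = field(default_factory=dict)
    vuln_reduction: dict = field(default_factory=dict)
    asset_reduction: dict = field(default_factory=dict)

# Constructed candidates; names, costs and reductions are assumptions.
CANDIDATES = [
    Safeguard("patch management", 10, vuln_reduction={"unpatched OS": 0.75}),
    Safeguard("perimeter filtering", 15, threat_reduction={"external hostile structured": 0.5}),
    Safeguard("encryption at rest", 20, asset_reduction={"customer records": 0.5}),
]

def risk_measures(threats, vulns, assets, safeguards=()):
    """Return {(t, v, a): RM_i} for every triple after applying safeguards."""
    rms = {}
    for t, v, a in product(threats, vulns, assets):
        tm, vm, am = threats[t], vulns[v], assets[a]
        for s in safeguards:
            tm *= 1 - s.threat_reduction.get(t, 0)
            vm *= 1 - s.vuln_reduction.get(v, 0)
            am *= 1 - s.asset_reduction.get(a, 0)
        rms[(t, v, a)] = tm * vm * am
    return rms

def residual_risk(threats, vulns, assets, safeguards):
    """Return (R_b, R_r, S): baseline risk (sum of RM_i), residual risk (sum of
    RRM_i) and the implied safeguard factor of equation 2, S = R_b / R_r."""
    rb = sum(risk_measures(threats, vulns, assets).values())
    rr = sum(risk_measures(threats, vulns, assets, safeguards).values())
    return rb, rr, rb / rr

def rank_by_cost_benefit(threats, vulns, assets, candidates):
    """Decision support: rank each candidate by risk reduction per unit of cost."""
    rows = []
    for s in candidates:
        rb, rr, _ = residual_risk(threats, vulns, assets, [s])
        rows.append((s.name, rb - rr, (rb - rr) / s.cost))
    return sorted(rows, key=lambda r: r[2], reverse=True)
```

Because the total is a sum of products, the baseline here factors as (7+4)(8+5)(9+6) = 2145, which makes the effect of each safeguard on one factor easy to check by hand.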

Decision Support Methodologies
- Weak Link Analysis
- Cost Benefit Analysis
- Linear Programming
- Goal Oriented Programming
- Combinations of the above

Conclusion
If you can measure, you can: justify, target, control, predict.
If you can measure, you can MANAGE, and move cybersecurity from art to science.

What did we learn?
1. Language is important to our understanding.
2. We need to use terms accurately.
3. Many common risk terms have mathematical relationships.
4. Threats should be categorized.
5. You have an important role.

Learn More & Get Involved
- Get the full report "Hiring and Retaining Top Cybersecurity Talent" at www.isc2.org
- Engage a local (ISC)² Chapter
- Join community.isc2.org
- Help make a difference at www.isc2.org/cybersecurity-advocates

The End
