Lost in the Vulnerability Fog

cybersecurity governance risk management Apr 26, 2022

Laws and regulations increasingly require organizations to demonstrate that mission-critical or business-critical information systems and IT infrastructures are protected. The challenge then becomes: with over 164,000 known vulnerabilities in the Common Vulnerabilities and Exposures (CVE) database and 546 attack patterns identified and documented so far by the Common Attack Pattern Enumeration and Classification (CAPEC), where do you start?

In a study that became known as the “Jam Experiment,” Iyengar and Lepper (2000) were the first to demonstrate the choice overload effect: large choice sets attract people, but at the same time they make choosing harder. The parallel is direct: cybersecurity professionals face many vulnerabilities (>164,000) and many assets to protect, and the result is often an unsatisfactory solution.

Most guidance offered to Subject Matter Experts (SMEs), or to organizations for that matter, leads them to identify the risks to the organization using the Threat, Vulnerability, and Consequences (TVC) model, also known as Risk = T x V x C. However, regardless of all the dynamic decision-making approaches, fuzzy-probability Bayesian networks, and adversarial risk analysis, the fundamental challenge remains: organizations fail to identify the systems (people, processes, and technologies) that support their mission, vision, and the services provided to their customers and shareholders. These business-critical systems are the ones that require immediate protection.

Mission-based cybersecurity: you are here to protect the organization’s interests, so become familiar with them. When the fog lifts, you should be standing with a clear cybersecurity strategy, KPIs, and KRIs that are ready for the Board of Directors, and with a compelling argument that your plan aligns with the organization's mission and vision.

Author: Dr. Bill Souza | Apr 26, 2022
