In February 2009, researcher David Budescu published his study on “improving the communication of uncertainty;” in it, he discussed his study, which he gave subjects phrases from the Intergovernmental Policy on Climate Change (IPCC) report. Budescu then asked each subject to interpret the probability in the statement, for example, “it is very likely that extremely hot temperatures will become more frequent.” Budescu found that individuals varied considerably in how they interpreted the probability implied in the phrase.
Budescu found that “very likely” was interpreted as anything from 43% to 99%, and “unlikely” could mean as low as 8% or as high as 66%, depending on whom you ask.
There’s no evidence that cybersecurity would be any different when cybersecurity subject matter experts evaluate the probability of cybersecurity events in the risk register. One way to avoid some of these fallacies is to use financial impact analysis,...
Several studies conducted in other fields showed how spending effort on analysis improved confidence even when the actual performance was not improved.
A study by the University of Chicago in 2008 tracked the probability of outcomes of sporting events as assigned by participants. These participants were given varying amounts of information about the teams, except the team’s name or players. As fans were given more information, their confidence in picking the winner increased, despite the chance of picking the winner remaining nearly flat no matter how much information was provided.
Imagine how many metrics and measures we have in cybersecurity; is your confidence level increasing or your performance on the outcome?
Don’t be so quick to accept metrics and measures labeled “best practices;” best practice does not mean it was measured and scientifically proven to be the best performer among a set of practices.
Focus on reducing risk; are your...
Asset management is most commonly associated with cybersecurity hygiene, which is associated with patching, anti-virus, access control, and other asset-specific protections. However, there are three NIST CSF sub-categories that I want to bring to your attention and how they align with a mission-based cybersecurity risk program.
ID.AM-1: Physical devices and systems within the organization are inventoried.
ID.AM-2: Software platforms and applications within the organization are inventoried.
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.
These three sub-categories are the foundation of your organization's cybersecurity program, specifically, your cybersecurity risk program.
Some factors to keep in mind when developing a priority methodology:
There are two types of third-party risk: product vendors and service providers. Product vendors outsource software, platform, and infrastructure, known as SaaS, PaaS, and IaaS. According to some estimates, only 40% of applications are hosted on-premises.
The service providers are consulting third-party vendors, such as management consultants, IT consultants, Cybersecurity consultants, and managed service consultants. However, regardless of the type of third-party vendor, these are the five focus areas your third-party risk management program should focus on:
Cyber attacks targetting small businesses that often do not have the resources to defend against devastating attacks like ransomware have grown. As a small business CEO or CIO, you have likely come across outdated security advice that does not help prevent the most common attacks. The security landscape has changed, and your cybersecurity knowledge needs to evolve with it. Here are 5 tips to get you started:
Establish a culture of [cyber] security
Talk about cybersecurity to leadership and staff, communicate cybersecurity program initiatives in your regular communications, and set measurable quarterly cybersecurity goals are just a few examples.
Hire a vCISO or part-time CISO
Due to the ever-changing nature of the cybersecurity threat environment, consider having a part-time CISO (vCISO) on a retainer to assist your organization with all cybersecurity initiatives. A vCISO can lead your staff in developing DRP, IRP, Acceptable Use Policy, Cybersecurity Policy, Remote Access...
The third-party outsourcing trend will continue to grow in the coming years, which places third-party risk as a significant concern for organizations, large or small. Depending on which statistics you read, 39-63% of breaches are caused by third parties. One of the most notorious breaches is the case of Target, where the HVAC vendor’s credential was stolen, resulting in the retailer's breach of 40 million credit and debit card numbers and 70 million records of personal information stolen.
How you manage this risk vector is the inspiration of several books and articles; however, it will all start in the contract and what you were able to negotiate upfront; then a mixed methodology assessment, where you use qualitative and quantitative elements to assess the vendor based on industry-accepted standards, such as NIST CSF or ISO 27001.
I would use caution in leveraging Service Organization Control (SOC) 2 reports; these reports vary by organization and may not cover all...
Amid a global financial crisis and potentially facing cybersecurity budget challenges, you are now facing a tough decision; how to do more with less. What if I told you that you can; change the focus of your cybersecurity risk management program from a threat/vulnerability-centric focus to a mission-centric focus.
Using the same people, processes, and technologies you have but targeting critical systems in your organization. This change in strategy will allow your cybersecurity organization to provide valuable services by redirecting the same resources to a mission-centric approach, hence, innovating your cybersecurity strategy while being a good steward of your financial resources.
Author: Dr. Bill Souza...
First, you must establish agreement among your leadership on the actual risk(s) to measure, then select which data will provide the most accurate representation of the risk.
The following are 5 fundamental rules for measuring cybersecurity risk:
Bonus rule: Gain buy-in from your stakeholders.
Author: Dr. Bill Souza | Jul 14, 2022
In a mission-based risk assessment, the question is, how do you perform one?
A four-layer approach will be a good start:
Author: Dr. Bill Souza | Jul 13, 2022
When measuring risk in your organization, you’ll typically discover two challenges: First, top key risk measures that do not have supporting data (aspirational). Second, you’ll be developing middle to low measures with supporting data that do not entirely address the risk.
The lack of data to calculate a particular measure is no reason not to measure the risk; these are your aspirational measures; setting an organizational ambition or goal for your cybersecurity program to report over time is a good strategy; allow your cybersecurity program mature.
To calculate the percentage of assets identified as critical will require two data points, first, the total number of assets, and second, the total number of critical assets; if you don’t have these numbers, you can start by collecting secondary data and establishing secondary measures that will drive towards the aspirational goal of calculating the percentage of assets identified as critical.