Psychology of Risk Scales

In February 2009, researcher David Budescu published a study on improving the communication of uncertainty. He gave subjects phrases from the Intergovernmental Panel on Climate Change (IPCC) report, for example, “it is very likely that extremely hot temperatures will become more frequent,” and asked each subject to interpret the probability implied by the statement. Budescu found that individuals varied considerably in how they interpreted the probability implied in the phrase.

Budescu found that “very likely” was interpreted as anything from 43% to 99%, and “unlikely” could mean as low as 8% or as high as 66%, depending on whom you ask.

There’s no evidence that cybersecurity would be any different when cybersecurity subject matter experts assign probabilities to cybersecurity events in the risk register. One way to avoid some of these fallacies is to use financial impact analysis,...


Victims of our Own Advice

The National Cybersecurity Alliance recommends focusing on four risk management practices: 

  • Multi-factor authentication
  • Strong passwords and password managers 
  • Software updates 
  • Recognizing and reporting phishing

However, without context and guidance, this advice may be a bit overwhelming to small and midsized businesses, starting with the fact that these are not necessarily risks but rather vulnerabilities and process advice (reporting phishing).

Additionally, without a strategy, companies will be overwhelmed trying to boil the ocean and will spend most of their time and resources on systems with low mission impact.


Cybersecurity Confidence vs. Performance

Several studies conducted in other fields showed how spending effort on analysis improved confidence even when the actual performance was not improved. 

A study by the University of Chicago in 2008 tracked the probability of outcomes of sporting events as assigned by participants. These participants were given varying amounts of information about the teams, except the team’s name or players. As fans were given more information, their confidence in picking the winner increased, despite the chance of picking the winner remaining nearly flat no matter how much information was provided.

Consider how many metrics and measures we have in cybersecurity; is it your confidence level that is increasing, or your performance on the outcome?

Don’t be so quick to accept metrics and measures labeled “best practices”; the label “best practice” does not mean the practice was measured and scientifically proven to be the best performer among a set of practices.

Focus on reducing risk; are your...


The MOST Important Cybersecurity Principle

Asset management is most commonly associated with cybersecurity hygiene, which is associated with patching, anti-virus, access control, and other asset-specific protections. However, there are three NIST CSF sub-categories that I want to bring to your attention and how they align with a mission-based cybersecurity risk program.

ID.AM-1: Physical devices and systems within the organization are inventoried.
ID.AM-2: Software platforms and applications within the organization are inventoried.
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.

These three sub-categories are the foundation of your organization's cybersecurity program, specifically, your cybersecurity risk program.

Some factors to keep in mind when developing a priority methodology:

  • The role the asset plays in generating revenue
  • The asset's importance to ongoing operations
  • The asset's cost to replace or protect
  • ...

5 Focus Areas - Third-Party Risk Measurements

There are two types of third-party risk: product vendors and service providers. Product vendors are those to whom you outsource software, platforms, and infrastructure, known as SaaS, PaaS, and IaaS. According to some estimates, only 40% of applications are hosted on-premises.

The service providers are consulting third-party vendors, such as management consultants, IT consultants, cybersecurity consultants, and managed service providers. Regardless of the type of third-party vendor, these are the five areas your third-party risk management program should focus on:

  1. Data access: who has access to your data? What kind of data is it? How is it stored? This is a confidentiality issue. Reviewing and discussing your providers' policies, procedures, and contractual language is essential. This is an area in which you should involve your legal team.
  2. Security program transparency: where is the data center? What physical controls are in place? Make sure these questions are asked and, if possible, validated to...

5 Must-Have Cybersecurity Strategies for Small Businesses

Cyber attacks targeting small businesses, which often do not have the resources to defend against devastating attacks like ransomware, have grown. As a small business CEO or CIO, you have likely come across outdated security advice that does not help prevent the most common attacks. The security landscape has changed, and your cybersecurity knowledge needs to evolve with it. Here are 5 tips to get you started:

  1. Establish a culture of [cyber] security
  Talking about cybersecurity with leadership and staff, communicating cybersecurity program initiatives in your regular communications, and setting measurable quarterly cybersecurity goals are just a few examples.
  2. Hire a vCISO or part-time CISO
  Due to the ever-changing nature of the cybersecurity threat environment, consider keeping a part-time CISO (vCISO) on retainer to assist your organization with all cybersecurity initiatives. A vCISO can lead your staff in developing a DRP, IRP, Acceptable Use Policy, Cybersecurity Policy, Remote Access...


Chasing Perfection

Pursuing perfection takes a lot of resources, both financial and human. In cybersecurity risk management, there are two key questions:

  • When will enough be enough? 
  • How much time and effort should your organization spend to achieve a reasonable level of cybersecurity against an attacker?

The answer to these questions will be your risk tolerance. Chasing perfection has challenges and may not get you where you want to be. Chasing perfection may also risk missing the big picture, leaving security gaps in other areas of your organization, and burning out your staff.

A holistic and mission-driven approach to cybersecurity, with reasonable and measurable goals, will help secure your organization. To get you started, keep in mind three questions:

  1. What are your organization’s cybersecurity risks?
  2. How are you managing the organization’s cybersecurity risks?
  3. How are you measuring your cybersecurity risk reduction?


Cybersecurity Risk & Budget Challenges

Amid a global financial crisis and potentially facing cybersecurity budget challenges, you are now facing a tough decision: how to do more with less. What if I told you that you can? Change the focus of your cybersecurity risk management program from a threat/vulnerability-centric focus to a mission-centric one.

Use the same people, processes, and technologies you already have, but target the critical systems in your organization. This change in strategy will allow your cybersecurity organization to provide valuable services by redirecting the same resources to a mission-centric approach, innovating your cybersecurity strategy while being a good steward of your financial resources.


Author: Dr. Bill Souza...


Top 2 Measurement Challenges

When measuring risk in your organization, you’ll typically discover two challenges. First, your top key risk measures will not have supporting data (they are aspirational). Second, the middle- to low-level measures you develop that do have supporting data will not entirely address the risk.

The lack of data to calculate a particular measure is no reason not to measure the risk; these are your aspirational measures. Setting an organizational ambition or goal for your cybersecurity program to report against over time is a good strategy, and it allows your cybersecurity program to mature.

Calculating the percentage of assets identified as critical requires two data points: first, the total number of assets, and second, the total number of critical assets. If you don’t have these numbers, you can start by collecting secondary data and establishing secondary measures that drive toward the aspirational goal of calculating the percentage of assets identified as critical.



Cybersecurity Report - Board of Directors

There is a three-point framework to keep in mind when preparing a report to the Board, especially if you are a small to medium-size business with annual revenue between $100M and $700M and [potentially] no CISO in your organization.

  1. What are key risks the Board should be aware of at a high level? What should they be offered a deeper understanding of?
  2. How do these risks align with the organization's strategic initiatives?
  3. What is your opinion, and what do you recommend? Offer a solution.

One key factor to remember is to be prepared to answer how your organization compares to others in the industry. I suggest discussing with other organizations in the same industry and of similar size.


Author: Dr. Bill Souza | Jul 8,...

