
Cybersecurity risk management

2023, Introduction to Cybersecurity Governance for Business Technology Management

This chapter presents cybersecurity risk management, a vital aspect of cybersecurity governance. As mentioned previously, cybersecurity governance is a continuum of three activities, called GRC: Governance, Risk Management and Compliance. Cybersecurity governance sets the framework, risk management helps support the decision-making process, and compliance is used to demonstrate that obligations are met and that controls and risk mitigation activities are working. This chapter investigates the second activity, the R in GRC: more specifically, risk management and risk assessments. The next chapter presents a scenario-based approach to implement what is discussed in this chapter.

Chapter 4: Cybersecurity risk management

As mentioned in chapter 1, risk is created through the exploitation of vulnerabilities by a threat agent. This is illustrated in the risk triangle (Figure 4), which shows the components of risk. Risk occurs when a threat exploits, or takes advantage of, a vulnerability, so that a potential risk exposure becomes an actual damage, loss, or other negative outcome. This is the point at which an exposure to risk becomes a materialized negative outcome, such as financial losses or material damages. It happens when all the risk components meet in time and space. The risk triangle also illustrates that risk can be managed by reducing any of its components, such as the vulnerability or the threat agent. This highlights the need for organizations to identify and address potential vulnerabilities to reduce the risk of an attack. Organizations must also identify and understand potential threats and threat agents, such as malicious actors. Finally, they must seek to determine realistic scenarios of exploitation of vulnerabilities by threats, together with the potential damages that could occur.
These four activities, vulnerability identification, threat identification, determination of exploitation scenarios, and determination of potential negative outcomes, constitute risk assessment. While this can apply to many categories of risk, cybersecurity risk management analyzes negative outcomes in relation to the organization's cybersecurity objectives and its cybersecurity governance framework. In addition to minimizing financial losses and complying with the governance framework, cybersecurity objectives are expressed in relation to the CIA triangle, or the requirements for confidentiality, integrity, and availability, presented in figure 1 of chapter 1. This helps organizations create a comprehensive risk management strategy that will protect their data, systems, and processes from malicious actors. The strategy should also include measures to mitigate potential risks, such as implementing appropriate access control measures, updating software regularly, and conducting regular vulnerability scans.

Marc-André Léger, Ph.D., May 2023

Risk arises through this exploitation process, where something bad happens. Risk management is concerned with preventing risks or implementing protection measures to minimize negative outcomes. The fraud triangle is linked to criminal intent, or mens rea, displayed by mischievous individuals. It is therefore imperative that organizations take appropriate measures to protect their data and systems from these malicious actors. Criminal intent must play a role in taking advantage of a vulnerability for it to be a cybercrime; otherwise it could be accidental. When the threat agent exploits the vulnerability, risk results, as illustrated in figures 3 and 4. Negative impacts, whether accidental or voluntary, must still be managed by organizations.
Organizations must understand and be aware of their vulnerabilities to manage the risks and prevent potential cybercrimes. It is important to recognize and protect against the malicious intent of individuals to ensure cybersecurity. In this chapter we discuss how organizations should assess and manage cybersecurity risks. Another aspect of cybersecurity risk management is providing guidance to help organizations allocate human and financial resources to appropriately protect data, information systems and all business technologies that support an organization's mission. This makes risk management important in supporting cybersecurity operations and the selection of solutions.

Cybersecurity risk management fundamentals

When thinking about risks, organizations need to investigate impacts to the organization and its stakeholders. The business impacts of cybersecurity are what most organizations would be looking at. These can be of many types. The impacts can be physical, tangible, and measurable, such as the destruction of equipment. But the impacts may also be intangible, difficult to estimate and subjective, such as the reduced performance of equipment, individuals getting hurt, or even individuals dying. Business impacts may be financial losses, and organizations often tend to focus on these. Financial losses can be expressed and measured in many ways, such as loss of clientele, loss of market share, loss of reputation, loss of market capitalization, a reduction of the value of stocks, or loss of value of the business in general. Many studies have shown, however, that there is really no evidence of long-term financial loss; most financial losses tend to be short term. If we look at examples of major cybersecurity issues that have happened, then a year later, yes, the losses are visible, but two to three years or more down the line, things generally get back to normal. The financial losses in many cases thus tend to be more short term than long term. Finally, there are psychological aspects, such as loss of confidence in the organization, psychological distress, and perhaps social unrest as well.

When we look at the different types of cyber-harms that may occur, or bad things that happen to the organization in the connected world, we can categorize them using a taxonomy or an ontology. These are tools that we can use to catalogue harms and help us better understand them. When trying to identify threats, these tools are going to be useful. Taxonomies, ontologies, and other systematic classification schemes of how the different components of risk can be organized will save time and effort. They will also be useful for identifying risk mitigation opportunities. There are many examples of these available online, so we will not cover them at length here, as this topic should be covered at a more advanced level.

What risk management is NOT

A fundamental aspect of risk is the potentiality for an undesirable outcome. Risk can only exist if there is a possibility of some kind of loss, reduction of some future expected benefit, or loss of utility. If an outcome is certain, or let's say 99% to 100% sure, then there is no risk. This level of certainty cannot be managed with risk management. In such a scenario it is an operational problem, and it must be managed through a normal business activity. This is true not just for cybersecurity risks but for all categories of risk. For example, in the cybersecurity domain, if there is a 100% chance that you will get a virus on your computers, then installing, managing, and supporting an enterprise anti-virus system should be a default function of your IT department. There is no need for risk management if the outcome is certain, as in the virus scenario just presented.
Similarly, if the probability of an outcome is so infinitesimally small that it cannot be evaluated, then it should not be addressed as a risk management problem, as it will not be manageable. Even if the impacts are incredibly large, considering that organizations already have so much to deal with and limited resources, it would make little business sense to implement specific risk mitigation measures. For this last possibility, what organizations need is an incident management program (IM), a business continuity plan (BCP) for mission-critical and strategic activities, and a disaster recovery plan (DRP) for the organization. These allow organizations to prepare for and deal with totally unexpected events, as well as scenarios that have a very small likelihood. For example, the likelihood of an asteroid falling on Earth is pretty much 100%, but the likelihood of an asteroid falling on or near your IT datacenter is impossible to assess. This trio of IM-BCP-DRP is discussed in detail in a later chapter of this book.

It is important to understand that risk management happens when there is a reasonable possibility to put a probabilistic value on risk, even if this value is highly subjective, provided it is reasonably justifiable. Should students absolutely need numbers for this, then let's say that somewhere between 5% and 95% might be reasonable thresholds for risk management. More than that is certainty, which is not risk. Less than that is uncertainty, sometimes referred to as epistemological uncertainty in the scientific literature, and that too is not risk. Of course, we can have endless discussions on the best minimum and maximum thresholds to use in a particular context. An acceptable minimum might be anywhere from 0.01% to 10% and the maximum might be anywhere above 90%. For this introduction we set them arbitrarily at 5% and 95%. The exact cut-off is not that important.
The IPM process

The risk management process can be defined by the acronym IPM, which stands for identification, prioritization, and mobilization. It is presented in figure 13. In the identification phase, organizations try to identify potential threats, potential vulnerabilities, their potential exposure to risk should these vulnerabilities be exploited, and what the business consequences would be if the risk materialized. This can be difficult to achieve in an organizational setting, as individuals in BTM and cybersecurity roles often do not know how to get started. As well, there are many cognitive biases that can interfere with this activity, as discussed later in this chapter. Often, various individuals have different strategies to identify threats and vulnerabilities based on their past experience, beliefs, or skill sets. One way to do this, which is what is proposed in this book, is to use risk scenarios as a tool to facilitate the identification phase.

Figure 13: IPM process

Students need to understand that scenarios are stories. They are descriptions of things that could happen when threats exploit vulnerabilities, which would potentially result in a negative outcome. The negative outcomes are in relation to what was included in the cybersecurity governance framework, which was discussed in previous chapters. As well, negative outcomes are in relation to the CIA triangle, or to the cybersecurity objectives expressed in relation to the organizational requirements for confidentiality, integrity, and availability. To create scenarios, organizations create storyboards of ways that this could potentially happen. This all happens in the identification phase. Once these scenarios are created, and the threats and vulnerabilities are identified, we move on to the next phase, prioritization.
In the prioritization phase of risk management, organizations try to prioritize the risk scenarios. This is necessary because resources are always limited, so they want to deal first with the things that are more urgent or where the impacts are more significant. These are the priorities. Of course, priorities are set based on the requirements of an organization and the preferences of its leadership. Organizations also need to determine what is acceptable and unacceptable. Coming back to the definition of security and risk in chapter 1, we remember that security is the absence of unacceptable risks. In the prioritization phase of risk management, organizations therefore try to identify what is acceptable and what is unacceptable. Based on the results of prioritization, the organization makes decisions about risk and then mobilizes resources.

In the mobilization phase, the organization allocates resources, such as money and individuals, towards making unacceptable risks acceptable. This is a continuous cycle, a never-ending thing: regularly identifying, updating and prioritizing, reviewing priorities, and then mobilizing and implementing solutions and processes and providing training. Through the mobilization effort, and then through the operations and management of the business technologies used in the organization, risk is managed appropriately by the organization. Security operations are presented in another chapter. As well, risk management is supported by checks and balances to make sure that the organization is doing a good job. This is the role of internal and external audit, also shown in figure 13. Organizations have two risk management feedback loops: through BTM operations, such as the IT department, and through the audit process, such as that provided by the Compliance department. These feedback loops are used to ensure that risk management procedures and practices are carried out correctly.
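The 5% and 95% thresholds from the previous section and the identification-then-prioritization steps described above, as an added worked example in Python. This is not code from the book: the scenarios, the loss figures, the ranking by expected loss (likelihood times impact) and the tolerance value are all constructed assumptions for illustration, since the chapter only says to prioritize by urgency and by the significance of the impact and to let leadership decide what is acceptable.

```python
from dataclasses import dataclass
from typing import Dict, List

# Thresholds set "arbitrarily" at 5% and 95% in the chapter.
RISK_MIN = 0.05  # below this: uncertainty, handled by IM/BCP/DRP, not risk management
RISK_MAX = 0.95  # at or above this: certainty, handled as an operational problem


@dataclass
class Scenario:
    """A risk scenario: a threat exploiting a vulnerability with a negative outcome."""
    name: str
    threat: str
    vulnerability: str
    cia_objective: str  # which of confidentiality / integrity / availability is affected
    likelihood: float   # subjective probability of exploitation over a year (0.0 to 1.0)
    impact: float       # estimated loss if the risk materializes (constructed, in dollars)


def classify(s: Scenario) -> str:
    """Apply the chapter's thresholds: only the middle band is a risk-management problem."""
    if not 0.0 <= s.likelihood <= 1.0:
        raise ValueError(f"{s.name}: likelihood must be a probability, got {s.likelihood}")
    if s.likelihood >= RISK_MAX:
        return "operational"   # certain outcome: a default function of the IT department
    if s.likelihood < RISK_MIN:
        return "im-bcp-drp"    # too rare to evaluate: incident management, continuity, recovery
    return "risk"


def expected_loss(s: Scenario) -> float:
    # Assumption for this example: rank by likelihood x impact. The chapter only
    # says to prioritize by urgency and by the significance of the impact.
    return s.likelihood * s.impact


def prioritize(scenarios: List[Scenario], tolerance: float) -> List[Dict]:
    """Prioritization phase: rank the true risks and split acceptable from unacceptable.

    tolerance is the largest expected loss the organization is willing to accept
    (a hypothetical input; the chapter says leadership sets it).
    """
    risks = [s for s in scenarios if classify(s) == "risk"]
    ranked = sorted(risks, key=expected_loss, reverse=True)
    return [
        {
            "name": s.name,
            "cia_objective": s.cia_objective,
            "expected_loss": expected_loss(s),
            "decision": "unacceptable" if expected_loss(s) > tolerance else "acceptable",
        }
        for s in ranked
    ]


# Constructed sample register (output of the identification phase); every figure is made up.
SCENARIOS = [
    Scenario("Commodity malware on workstations", "opportunistic attacker",
             "users run untrusted downloads", "integrity", 1.0, 20000.0),
    Scenario("Asteroid strike on the datacenter", "nature",
             "single physical site", "availability", 1e-9, 50_000_000.0),
    Scenario("Phishing leads to credential theft", "criminal group",
             "no phishing-resistant MFA", "confidentiality", 0.5, 60000.0),
    Scenario("Unpatched web application exploited", "criminal group",
             "patches applied quarterly", "confidentiality", 0.25, 200000.0),
    Scenario("Lost laptop with unencrypted data", "accidental loss",
             "disk encryption not enforced", "confidentiality", 0.125, 16000.0),
]


def register_by_band(scenarios: List[Scenario]) -> Dict[str, List[str]]:
    """Group scenario names by the band the thresholds put them in."""
    bands: Dict[str, List[str]] = {"operational": [], "im-bcp-drp": [], "risk": []}
    for s in scenarios:
        bands[classify(s)].append(s.name)
    return bands


if __name__ == "__main__":
    for band, names in register_by_band(SCENARIOS).items():
        print(f"{band}: {names}")
    for row in prioritize(SCENARIOS, tolerance=25000.0):
        print(f"{row['expected_loss']:>10.0f}  {row['decision']:<12} {row['name']}")
```

Run as a script, the certain scenario (malware) lands in the operational band and the asteroid in the IM-BCP-DRP band before any ranking happens, which is the point of the thresholds: those two never reach the prioritization step. The three remaining risks are ranked, and the tolerance line decides which ones the mobilization phase must spend resources on.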
Biases and other factors

There are many biases that impact risk management in general and risk assessment in particular. An individual's risk tolerance influences their decision-making when it comes to risk-related decisions. People who are risk-averse tend to make decisions that favor safety and security over the potential for reward. Risk-seeking individuals, on the other hand, are more likely to take risks in pursuit of higher rewards. Both decision-making postures have merits and limitations. In an organizational role, however, this becomes a significant factor if individual risk postures are not coherent with the organization's risk management strategy. For some individuals, their risk posture can contribute to irrational decisions when there is an important disconnect with the organization. Other factors can also influence the individual involved in risk decisions. For example, a person's ability to understand risk, their access to resources, and their confidence in their own decisions can all play a role in their risk-taking behavior. Additionally, their understanding of the rewards and consequences of their decision-making will also influence their risk-taking behavior. Non-scientific risk management is necessarily based on experience and intuition. As a result, this type of risk management tends to be subjective and emotional, as it is based on an individual's own beliefs, values, and limitations. An individual's experiences and biases, and their own recognition of risk, play an increasingly important role in risk management because of this approach. There are many factors that can influence the interpretation of risk and its outcomes, and this interpretation can be influenced by both culture and upbringing.
Psychology teaches us that this information, while seemingly accurate from the point of view of the individual as a particular actor, is biased. These biases can cause us to overlook certain facts, draw incorrect conclusions, or jump to inaccurate conclusions. To accurately interpret information and make decisions, it is important to be aware of cognitive biases and take steps to mitigate them. Some of the most common cognitive biases include confirmation bias, optimism bias, and many others. Biases in risk management can have a significant impact on decision-making processes, potentially leading to sub-optimal or incorrect results. To address these biases effectively, it is important to recognize them. The following are some of the most common types of bias that affect risk management:

• In overconfidence bias, individuals or teams overestimate their knowledge, abilities, or prediction accuracy. As a result, they may take inadequate precautions because they believe they understand risks better than they do.
• In anchoring bias, decision-makers become overly dependent on the first piece of information they encounter, the anchor, when making decisions. Because of this, subsequent information may not be weighed appropriately.
• Confirmation bias occurs when people favor information that confirms their existing beliefs or values. In risk management, this can lead decision-makers to selectively seek out or give more credence to information that aligns with their preconceptions.
• Availability bias arises when decisions are based on immediate and easily recalled information rather than comprehensive information. Due to their ease of recall, recent or dramatic events can disproportionately influence risk assessments.
• Optimism bias occurs when individuals believe they are less likely to experience negative events than others. Inadequate safeguards or inadequate risk management can result in under-preparation.
• Status quo bias is a preference for the current situation. In general, people are resistant to change, which can make it difficult to adopt effective risk management strategies.

There are other factors that may also influence risk management. For example, because of groupthink, decisions may be made without thorough consideration, or may not account for all potential risks, due to a group's desire for harmony and conformity. Risks will also be influenced by the language used. The choice of words influences how individuals perceive risk, and more specifically, how they evaluate the chances of loss and gain. According to Prospect Theory, the framing of the problem (the framing effect), the way it is presented, and the scenario influence the construction of risk, decision-making, and outcomes. People take risks based on the reference point they use when estimating risk situations. Even if the underlying data are the same, presenting them as potential losses instead of potential gains can lead to different risk management decisions. In addition to these elements, cultural aspects, propensity to risk, and language will affect individual behavior. There will be an underestimation or overestimation of the probability of an element's vulnerability to hazards, damage, and risk. An individual's estimations are filtered through subjective, unscientific judgment, which in terms of risk management cannot meet the needs of organizations. Since it is difficult to eliminate the subjective aspect of certain decisions, it cannot be completely ignored. Additionally, it is not always possible to obtain reliable evidence sources that cover all possible risks. Finally, it is difficult to see the whole situation due to the complexity of the organizational ecosystem. It is almost impossible for organizations to completely rely on a science-based approach to risk management.
As a result, it is necessary to implement mechanisms to limit the impact of the subjectivity inherent in non-scientific approaches.

Other components of the risk management process

Best practices and international standards, such as COBIT and ISO 27005, provide additional guidance as to what the cybersecurity risk management process should entail. For example, ISO 27005, presented in figure 14, includes the IPM process in an eight-step business process, providing more specific guidance as to what should be included. In the identification phase of the IPM process, ISO 27005 includes Context establishment and Risk Identification. In the prioritization phase, we find Risk Analysis and Risk Evaluation. Finally, in the mobilization phase, there are Risk treatment, Risk acceptance, Communication and consultation, and Monitoring and review. Monitoring and review is also supported by Business Technology Operations and by the Audit process of the IPM model. Using ISO 27005 provides a more detailed description of the cybersecurity risk management process. Formal methodologies propose detailed steps; these should integrate the IPM process at a high level and ISO 27005 when a more detailed description is needed.

Figure 14: ISO 27005 risk management process

Decisions about risk

The prioritization phase leads to making decisions about risks. Decisions about risk encompass a range of strategic choices and actions that organizations make to effectively manage and address potential risks. These decisions are critical for creating a comprehensive risk management strategy. Here are some key decisions that organizations need to make about risk. The different risk strategies are used as part of a comprehensive risk management strategy.
The organization might mitigate some risks and accept others, while choosing risk transfer, avoidance, reduction, or other approaches for other risks. There are no one-size-fits-all solutions. Any decision must be supported by a diligent risk assessment.

Risk acceptance

Risk acceptance is a strategic decision made by an organization to acknowledge and tolerate a certain level of risk without implementing specific measures to mitigate it. In other words, the organization acknowledges that a particular risk exists, but consciously chooses not to take further action to reduce its impact or likelihood. This decision needs to be based on a thorough assessment of the risk's potential impact, the cost and feasibility of mitigation measures, and the organization's risk tolerance level. A few key points that organizations need to understand about risk acceptance:

• Risk tolerance: Risk acceptance is closely tied to an organization's risk tolerance level, or the amount of risk the organization is willing to tolerate before acting. Some risks may fall within the acceptable range and not warrant immediate or extensive mitigation efforts.
• Business considerations: Organizations may choose to accept certain risks when the cost of implementing controls or mitigation measures outweighs the potential impact of the risk itself. This could be due to budget constraints, technical limitations, or other business priorities. Managers need to be diligent about this, as they will be blamed if a decision made on business considerations is later shown to be an error.
• Informed decision: Risk acceptance is not a passive or negligent approach. It involves a well-informed decision-making process in which the organization understands the risks, potential consequences, and potential benefits of accepting the risk.
• Ongoing monitoring: Even when a risk is accepted, it is important for the organization to continue monitoring the risk's impact and reassessing the decision periodically. Changing circumstances or new information may lead to a re-evaluation of the risk acceptance decision.
• Document accepted risks: When an organization decides to accept a certain risk, it should document the decision-making process in a risk registry. This documentation helps maintain transparency and accountability and serves as a reference for future risk assessments. Documentation of accepted risks may often be a compliance and legal requirement.
• Communication: Effective communication is crucial when it comes to risk acceptance. Stakeholders, including senior management, the board of directors, and relevant teams, should be aware of the decision to accept a particular risk.

It is important to note that risk acceptance should be a deliberate and well-considered choice. It should not be mistaken for negligence or a lack of concern for security. Instead, it reflects a thoughtful analysis of risks and their alignment with the organization's overall governance framework, compliance obligations, business objectives and risk management strategy.

Risk avoidance

Risk avoidance is a risk management strategy in which an organization takes deliberate actions to eliminate or minimize exposure to certain risks. In essence, the organization makes decisions and implements measures to completely steer clear of situations or activities that could lead to the identified risks. The goal of risk avoidance is to prevent the occurrence of adverse events or outcomes that could negatively impact the organization.
Risk avoidance could include decisions like not entering a specific market due to political instability, not adopting a certain technology that is vulnerable to cyberattacks, or discontinuing a product line with significant regulatory compliance challenges. Key points to understand about risk avoidance:

• Preventive approach: Risk avoidance focuses on preventing risks from materializing rather than managing their consequences after they occur. Organizations need to be proactive, not reactive. This strategy aims to eliminate the possibility of the risk occurring altogether.
• Proactive decision-making: Organizations that adopt risk avoidance assess potential risks and decide not to engage in activities or situations that pose an unacceptable level of risk. This could involve refraining from certain business practices, technologies, or partnerships.
• Cost-benefit analysis: Organizations consider the cost of avoiding a risk versus the potential benefits of doing so, or the potential benefits of the opportunities that are linked to this potential risk. If the cost of avoiding the risk is justified by the potential harm it could cause, risk avoidance may be deemed appropriate.
• Alternatives and substitutes: In some cases, risk avoidance might involve finding alternative approaches, technologies, or strategies that achieve the organization's objectives without exposing it to the identified risk.
• Trade-offs: While risk avoidance can be effective in preventing certain risks, it may also come with trade-offs, such as missed business opportunities or potential innovation. Organizations need to carefully consider these trade-offs when choosing risk avoidance as a strategy.
• Transparency: Decisions related to risk avoidance should be communicated clearly within the organization, especially to key stakeholders such as senior management and the board of directors. Transparency helps ensure that everyone understands the rationale behind the decisions.
• Periodic re-evaluation: Over time, the organization should periodically reassess its risk avoidance decisions to determine if circumstances have changed or if new information has emerged that could alter the risk landscape.

Risk avoidance is one of several strategies within the broader context of risk management. Risk avoidance is a good decision in situations where the potential negative impact of a risk is deemed too severe or costly, and where the benefits of avoiding the risk outweigh the potential rewards of taking it. It is particularly useful for addressing risks that have a high potential for severe impact or where the cost of mitigation outweighs the benefits. However, like any risk management strategy, risk avoidance should be aligned with the organization's overall goals and risk appetite. Here are some scenarios where risk avoidance might be a prudent choice:

• Highly severe consequences: If the potential consequences of a risk event are catastrophic and could significantly harm the organization's reputation, financial stability, or ability to operate, risk avoidance may be the best option. This is particularly relevant for risks that could lead to legal liabilities, regulatory penalties, or massive financial losses.
• Unacceptable risk tolerance: When an organization's risk tolerance is very low, it may choose to avoid risks that fall outside the acceptable threshold, even if the likelihood of occurrence is low. This is often the case with risks that could lead to irreversible damage or are considered morally or ethically unacceptable.
• Limited ability to mitigate: If there are limited or ineffective ways to mitigate a particular risk, avoiding it altogether may be the most feasible approach. This is especially true for risks that cannot be adequately controlled through technical, administrative, or operational measures.
• Regulatory compliance: When certain risks are associated with non-compliance with industry regulations or legal requirements, risk avoidance may be necessary to ensure adherence to the law and avoid legal consequences.
• High costs of mitigation: If the cost of implementing risk mitigation measures significantly outweighs the potential benefits, risk avoidance may be a more cost-effective choice. This could be the case for risks that require extensive investments in technology, personnel, or infrastructure.
• Unpredictable risks: In situations where the likelihood of a risk event occurring cannot be reliably predicted, or where the risk landscape is constantly changing, risk avoidance might be preferred over relying on uncertain mitigation strategies.
• Strategic business decisions: Risk avoidance can align with broader strategic decisions. For example, if entering a new market or launching a new product presents significant risks that could harm the organization's core business, avoiding those risks may support overall business objectives.
• Preservation of reputation: Risks that could damage an organization's reputation or brand equity are often prime candidates for avoidance, as reputation is a critical intangible asset that can be difficult to repair once damaged.
• Public safety: Risks that pose threats to public safety, health, or the environment may necessitate risk avoidance to prevent harm to individuals, communities, or the ecosystem.

Risk transfer

Risk transfer is a risk management strategy in which an organization externalizes the risk by shifting the financial burden or responsibility to another party. This is done through contractual arrangements, outsourcing, insurance policies, or other financial mechanisms.
By transferring risk, the organization aims to reduce its exposure to potential losses or liabilities and ensure that another entity bears the financial consequences if the risk event occurs. Some of the key points to understand about risk transfer: • Benefits and Costs: While risk transfer can provide financial protection, it comes with costs such as insurance premiums or potential limitations in coverage. Organizations must weigh the benefits of risk transfer against the costs. • Risk Distribution: Risk transfer can also distribute risk across multiple parties, reducing the concentration of risk on a single entity. This can enhance overall risk management within an industry or ecosystem. • Risk Sharing: In some cases, risk transfer might involve sharing the financial burden of a risk with another party, rather than fully transferring it. This can be achieved through coinsurance or other arrangements. • Risk Retention: Even when risk is transferred, organizations may retain a portion of the risk. This is known as risk retention. It's common for insurance policies to include deductibles or self-insured portions that the organization must cover. • Legal and Regulatory Considerations: Organizations should be aware of any legal or regulatory requirements related to risk transfer in their industry or jurisdiction. • Insurance Policies: One common method of risk transfer is purchasing insurance coverage, such as a cybersecurity risk insurance, identity theft insurance or ransomware insurance. Marc-André Léger, Ph.D. 80 May 2023 Introduction to Cybersecurity Governance for Business Technology Management Organizations pay insurance premiums to an insurer, which agrees to compensate the organization for covered losses or liabilities in the event of a specified risk occurring. • Contractual Agreements: Organizations can transfer certain risks to vendors, suppliers, or partners through contractual clauses. 
These clauses might outline the responsibilities of each party in the event of a risk occurrence and specify who is liable for the associated costs.
• Due Diligence: Organizations should conduct due diligence when selecting insurance policies or entering contractual agreements for risk transfer. It is important to understand the terms, conditions, and coverage limits to ensure they align with the organization's needs.

Risk transfer is particularly valuable for risks that are difficult to mitigate, or for which the potential financial impact is too significant for the organization to absorb on its own. It allows organizations to leverage the expertise and financial resources of external entities to manage and mitigate specific risks. However, risk transfer decisions should be made carefully, considering the organization's overall risk management goals and financial capabilities.

Risk transfer is often considered the best strategy in specific scenarios where it makes practical and financial sense to shift the burden of potential losses or liabilities to another party. Here are some situations where risk transfer can be the most effective strategy:
• Limited Risk Appetite: Organizations with a low tolerance for specific risks may choose to transfer those risks to external parties to maintain their desired level of risk exposure.
• Lack of Expertise: When dealing with complex or specialized risks that the organization lacks the expertise to manage effectively, transferring the risk to a more knowledgeable third party, such as an insurance company, can be a sensible option.
• Known and Calculable Risks: For risks that are well understood and quantifiable, risk transfer through insurance can provide a predictable and manageable way to allocate potential losses.
• Pooling of Risks: Insurance mechanisms allow organizations to pool their risks with a larger group of policyholders, spreading the financial burden and reducing the impact of individual risk events.
Insured risks can also be re-insured (insurance for the insurance), spreading the risk over multiple insurers, which adds a level of financial security and makes sure that eventual coverage would be possible.
• Regulatory Compliance: If certain risks are associated with legal or regulatory requirements, transferring the risk through contractual agreements or insurance can help ensure compliance and mitigate potential penalties.
• Resource Constraints: When an organization has limited resources to address certain risks effectively, transferring the risk to a third party with greater resources and capabilities can provide a practical solution.
• Strategic Outsourcing: Organizations that engage in strategic outsourcing of specific functions or processes can transfer certain risks to their outsourcing partners through well-defined contractual agreements.
• Supply Chain Risks: Transferring risks associated with suppliers, vendors, or business partners can help ensure business continuity and reduce potential disruptions.
• Global Operations: For multinational organizations operating in different countries with varying legal and regulatory environments, risk transfer can help navigate complexities and ensure consistent risk management.
• Emerging Technologies: In sectors with rapidly evolving technologies or emerging risks, transferring risk through specialized insurance products can provide coverage for unique challenges.
• Catastrophic Events: In situations where the consequences of a risk event could be catastrophic, transferring the risk through insurance can provide a safety net to help the organization recover and rebuild.

It is important to note that risk transfer should be based on a thorough analysis of the risks, the terms and conditions of insurance policies or contracts, and the financial implications for the organization.
Risk transfer is not always a one-size-fits-all solution and should be integrated into an organization's comprehensive risk management strategy. Careful consideration of the potential costs, benefits, and limitations of risk transfer is crucial before deciding.

Risk mitigation

Risk mitigation is a proactive strategy employed by organizations to reduce the potential impact or likelihood of identified risks. These two levers correspond to the two red arrows of the risk triangle, in figure 4 of chapter 1. Effective risk mitigation starts with a thorough risk assessment to identify potential risks, evaluate their potential impact, and determine their likelihood. Risk mitigation involves implementing measures, technologies, controls, business processes and other actions to minimize the adverse consequences of risks should they occur. Examples of risk mitigation measures include implementing firewalls and intrusion detection systems to prevent cyberattacks, conducting regular equipment maintenance to prevent failures, establishing backup systems and data recovery plans, and providing training to employees to prevent human error. The goal of risk mitigation is to limit the extent of harm or loss and enhance the organization's ability to effectively manage and recover from unexpected events. Many solutions that can be used for risk mitigation and for controls are presented in more detail in other chapters of this book. Some of the key points to understand about risk mitigation:
• Proactive approach: Risk mitigation focuses on taking preventative measures before a risk event occurs, rather than solely dealing with its aftermath. It aims to reduce the probability of a risk event happening or to minimize its impact.
• Control implementation: Organizations develop and implement control measures to address identified risks.
These controls can be technical, administrative, or physical in nature and are designed to either prevent or mitigate the risk.
• Monitoring and evaluation: Risk mitigation efforts should be continuously monitored and evaluated to ensure their effectiveness. Adjustments may be necessary based on changing circumstances or new information.
• Cost-benefit analysis: Organizations assess the costs of implementing mitigation measures against the potential benefits of risk reduction. This analysis helps determine the most appropriate and cost-effective strategies.
• Risk reduction: The goal of risk mitigation is to reduce the severity of potential losses. This can involve measures to decrease the likelihood of a risk event (risk reduction) or to decrease the potential impact if the event occurs (impact reduction).
• Residual risk: Zero risk does not exist. Even after implementing risk mitigation measures, some level of residual risk will most likely remain. Residual risk is the risk that still exists after all mitigation efforts have been applied. Organizations should determine their level of comfort with residual risk and decide whether further actions are needed.
• Compliance and regulations: Organizations must consider industry-specific regulations and compliance requirements when designing and implementing risk mitigation measures.
• Integration with overall strategy: Cybersecurity risk mitigation is a key component of an organization's overall risk management strategy.
• Communication: Effective communication of risk mitigation measures is important to ensure that all relevant stakeholders, including employees and management, understand their roles and responsibilities in executing these measures.

Risk mitigation is an ongoing and dynamic process that requires vigilance and adaptability. It helps organizations enhance their resilience and their ability to navigate challenges while safeguarding their assets, reputation, and continuity of operations.
Risk tolerance and risk appetite

A key aspect of risk management is balancing security needs, the inconvenience of security measures, and their costs. Organizations have a requirement for security, a need for protection, and a need to protect how legitimate users access data. On the other side, the cost of doing that, because there is always a cost issue, varies with the risk appetite of the organization; that is why the concepts of risk tolerance and risk appetite are so important.

Risk tolerance refers to the specific level of risk an organization or individual is willing to accept or tolerate in pursuit of its objectives. It is the degree of uncertainty or potential loss that an entity is comfortable with. Risk tolerance is often expressed numerically or descriptively, and it helps guide decision-making about risk management strategies and actions. For example, if an organization determines that it is willing to tolerate a 10% decrease in annual revenue due to market fluctuations, its risk tolerance for revenue loss is 10%. This guides the organization in making decisions about investments, strategies, and safeguards to manage risks that could lead to such a revenue decline.

Risk appetite, on the other hand, is a broader, high-level statement or guideline that articulates the amount and type of risk an organization is willing to take on to achieve its strategic objectives. It is a qualitative statement that helps align the organization's risk management efforts with its overall mission and goals. For instance, a financial institution might have a risk appetite statement that expresses its willingness to take moderate risks in pursuit of growth opportunities, but with a strong focus on maintaining the safety and security of customer data.
This guides the organization's risk management strategies and provides a framework for decision-making. The main differences between risk tolerance and risk appetite are:
• Nature: Risk tolerance is more quantitative, specifying the levels of risk that are acceptable. Risk appetite is more qualitative, providing a general framework for risk-taking aligned with strategic objectives.
• Granularity: Risk tolerance is often expressed in specific numerical terms, such as percentages or monetary amounts, while risk appetite is expressed in broader, qualitative terms.
• Role: Risk tolerance guides the implementation of risk management measures and actions based on specific thresholds. Risk appetite provides a broader context for decision-making and helps set the tone for the organization's approach to risk.
• Scope: Risk tolerance is focused on specific risks and scenarios. Risk appetite encompasses a wider range of risks and is related to the organization's overall risk culture.

Both risk tolerance and risk appetite are important tools in risk management, helping organizations strike a balance between pursuing opportunities and protecting against potential negative outcomes. They work together to shape an organization's risk management strategy and actions.

Risk averse or risk seeking

Risk averse and risk seeking are terms used in economics and decision-making to describe different attitudes or preferences toward taking risks. They can be used to describe both individuals and organizations. Risk averse individuals tend to avoid or minimize risks. In other words, they prefer scenarios where the outcome is more certain, even if it means sacrificing potentially higher rewards. Risk averse individuals are generally more comfortable with stable and predictable outcomes, and they are willing to give up potential gains to ensure they do not face significant losses.
This attitude is often associated with conservative investment strategies and cautious decision-making. For example, suppose you have a choice between receiving $100 or participating in a draw. In this draw, a single ticket is picked from a hat: you have a 50% chance of winning $200 and a 50% chance of winning nothing. A risk-averse person might choose the $100 with certainty to avoid the uncertainty.

On the other hand, a person is considered risk seeking when they prefer taking on risks even when the outcome is uncertain. Risk-seeking individuals are often more interested in high rewards and willing to accept losses. They might find the thrill of uncertainty exciting and are more likely to engage in activities that involve potential gains even if the risks are substantial. Continuing with the same example of the ticket draw, a risk-seeking individual might choose to participate for a chance to win $200, even though there is a 50% chance of winning nothing.

It is important to note that individuals' attitudes toward risk can vary depending on the context, their personal experiences, and their individual circumstances. Additionally, some individuals might fall somewhere in between being purely risk averse or risk seeking, resulting in a more balanced approach to risk. Economists and psychologists often study these preferences to understand how individuals make decisions.

The concepts of risk aversion and risk seeking can also apply to organizations, especially when it comes to decision-making, strategy development, and risk management. An organization that is risk averse tends to prioritize stability, predictability, and minimizing potential losses. Such organizations are more cautious in their decision-making and may opt for established and proven strategies rather than venturing into uncharted territories.
Risk-averse organizations might be reluctant to pursue high-risk, high-reward opportunities and instead focus on maintaining a steady course of action. Some examples of risk-averse behavior in organizations are:
• Choosing conservative investment options over riskier but more lucrative investments.
• Opting for incremental improvements to existing products rather than innovations.
• Implementing comprehensive risk management practices to mitigate potential threats.

Conversely, a risk-seeking organization is more inclined to take calculated risks in pursuit of substantial rewards. These organizations often seek out innovative ideas, explore new markets, and are willing to embrace uncertainty for the chance of achieving a competitive advantage. Risk-seeking organizations might be more adaptable and open to disruptive changes. Examples of risk-seeking behavior in organizations are:
• Investing in research and development for ground-breaking products or technologies.
• Entering emerging markets with high growth potential despite the associated uncertainties.
• Pursuing mergers and acquisitions to expand market share, even if there are risks.

Most organizations fall somewhere on a spectrum between risk aversion and risk seeking. The ideal approach often depends on the industry, market conditions, competitive landscape, and the organization's goals and resources. Striking the right balance between risk and caution is crucial. Risk aversion and risk seeking play a significant role in organizational decision-making and strategy formulation. Organizations must assess their risk appetite based on their goals, resources, and the external environment to make informed choices that align with their overall mission and objectives.
Looking at the cybersecurity spending data and recommendations from Gartner Research, the larger consulting firms, and cybersecurity industry associations, we observe recommendations that most organizations should spend between 4% and 15% of their total BTM and IT budget on cybersecurity. Existing data puts the median spending value at 7.8%. A risk seeking organization, one willing to take more risks, will therefore spend less on risk mitigation. In cybersecurity spending terms, a risk seeking organization would lean towards the 4% end of the spectrum. If an organization is risk averse, it would move towards the 15% end: a risk averse organization seeks to take fewer risks and is willing to spend more money on cybersecurity. A risk neutral organization would sit at the median, 7.8%. This is where the balanced approach should become a consideration. The context, the culture, the risk tolerance of the organization, the industry it operates in, and all such factors must be considered in setting the right number for cybersecurity spending. The amount is based on total IT spending, which should include salaries. For example, consider a company spending $100 million on everything IT, including cybersecurity, software, data management and salaries. If it is risk neutral, it should be spending at least $7.8 million directly on cybersecurity, which is not that much.

Assessing an organization's cybersecurity risk appetite

Assessing an organization's cybersecurity risk appetite is crucial in identifying and understanding the level of risk tolerance within the organization. By evaluating the organization's risk appetite, stakeholders can make informed decisions regarding cybersecurity investments, resource allocation, and risk management strategies.
In this section we provide some guidance on how to assess an organization's cybersecurity risk appetite effectively. The first step is to establish a clear definition of what risk appetite means for the organization. As mentioned previously, risk appetite refers to the amount and type of risk an organization is willing to accept in pursuit of its objectives. This definition should align with the organization's overall strategic objectives, considering its industry, regulatory requirements, and risk management culture.

From there, the organization will need to identify the key stakeholders involved in the assessment process. These stakeholders may include senior management, the board of directors, IT staff, cybersecurity teams, risk management professionals, and legal and compliance teams. Identifying the organization's risk appetite will involve these stakeholders to ensure their perspectives and insights are considered throughout the assessment.

Once the key stakeholders have been identified, it is essential to determine the cybersecurity risk landscape. This is done by performing an initial cybersecurity risk assessment, if one has not been done already. This will be useful to identify the appropriate tolerance levels for each potential risk in the initial assessment. Risk tolerance refers to an organization's willingness to accept or avoid specific risks. This determination should consider the potential impact, likelihood, and cost of mitigating each risk. Then, the organization can develop risk criteria that align with its risk appetite. These criteria will serve as guidelines for decision-making and risk management activities. Risk criteria should include factors such as acceptable levels of impact, likelihood, and cost for each risk. To facilitate the identification of appropriate tolerance levels and criteria, the organization can organize workshops
with key stakeholders to discuss and determine the organization's risk appetite. These workshops should facilitate open and transparent communication to ensure a shared understanding of risk tolerance levels. Document the outcomes and decisions made during these workshops.

Finally, the organization will need to document its cybersecurity risk appetite. This includes risk tolerance levels, risk criteria, and the decisions made during the assessment process. The organization must ensure that this documentation is widely communicated across the organization to create awareness and alignment regarding cybersecurity risk management. It is this documentation that will be used in the formal cybersecurity risk assessment process presented later in this chapter. As well, regular reviews and updates of the risk appetite assessment should be conducted to ensure its ongoing relevance and effectiveness in managing cybersecurity risks.

Assess cybersecurity risks

Cybersecurity metrics are quantitative and qualitative measures used to assess various aspects of an organization's cybersecurity posture, effectiveness, and risk management efforts. Metrics can support the decision-making process. They provide insights into the organization's security performance, help track progress over time, and aid in making informed decisions to enhance cybersecurity strategies. Cybersecurity metrics can cover a wide range of areas within an organization's security program. This book proposes to use cybersecurity risk scenarios supported by Key Risk Indicators (KRI). These are further described in this chapter.

Decisions about risk

When risk is being mitigated, what is being done is illustrated by the big red arrows presented in chapter 1, figure 4. In managing cybersecurity risks, organizations are fundamentally trying to do two things:
1. Reduce the probability that the threat will exploit the vulnerability, or
2. Reduce the impact, should the exploitation happen.

Understanding the nature and origin of risk is fundamental for risk management. That should seem like an obvious statement if you have read the previous chapters of this book. As risk starts with the exploitation of a vulnerability by a threat, the threats, vulnerabilities, and exploits need to be identified. As well, since the result of the exploitation might be a potential future impact, it remains an exposure to risk until it materializes, and this exposure needs to be determined. Once a possible scenario has occurred, a hazard materializes: potential impacts, damages, or some reduction of an expected future utility occur. Another possible outcome is an inability to meet some of the cybersecurity governance objectives, or the regulatory, legal, or contractual obligations, that have been determined in the governance framework, as explained in chapter 2.

Key risk indicators

One vital component of the risk assessments presented in this book is the use of Key Risk Indicators (KRIs). Key Risk Indicators, commonly referred to as KRIs, are quantifiable metrics used to measure the potential occurrence and impact of risks within an organization. They serve as early warning signals, providing insights into the health of an organization's risk profile. Unlike Key Performance Indicators (KPIs), which focus on measuring achievements, KRIs are forward-looking indicators that help identify and assess potential risks before they escalate.

The primary purpose of using KRIs is to enhance an organization's risk management capabilities by proactively identifying and monitoring risks. By establishing a set of predefined KRIs, companies can gain a better understanding of their risk exposure and take the necessary actions to prevent or mitigate potential risks.
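The two levers listed under Decisions about risk, the stakeholder consensus on a threat's severity (scored between 0.1 and 0.9 in this book's methodology), the residual risk that remains after controls, and the comparison against a tolerance can all be put into one small calculation. The following is an added example and not code from the chapter or its author: the multiplicative severity-times-likelihood-times-impact formula, the use of the median as the consensus rule, the control reductions and costs, the scenario figures and the tolerance value are assumptions chosen for illustration.

```python
"""Constructed example: turning risk scenarios into Key Risk Indicators (KRIs)
and checking them against a tolerance threshold.  The multiplicative formula,
the use of the median for stakeholder consensus, the control figures and the
tolerance value are all assumptions made for this illustration."""
from dataclasses import dataclass, field
from statistics import median
from typing import Dict, List


def consensus_severity(votes: List[float]) -> float:
    """Combine stakeholder severity votes into one value on the 0.1 to 0.9
    scale the chapter uses.  Taking the median (an assumption) keeps a single
    extreme vote from dominating; the result is clamped to the scale."""
    if not votes:
        raise ValueError("at least one stakeholder vote is required")
    return min(0.9, max(0.1, round(median(votes), 2)))


@dataclass
class Control:
    name: str
    lever: str        # "likelihood" or "impact": the two arrows of the risk triangle
    reduction: float  # fraction of that lever the control removes, 0..1
    annual_cost: float


@dataclass
class Scenario:
    name: str
    threat_votes: List[float]  # stakeholder severity votes, each 0.1..0.9
    likelihood: float          # probability per year that the threat exploits the vulnerability
    impact: float              # expected loss if it does, in currency units
    controls: List[Control] = field(default_factory=list)

    def severity(self) -> float:
        return consensus_severity(self.threat_votes)

    def inherent_kri(self) -> float:
        """Expected annual loss with no controls (assumed formula:
        severity x likelihood x impact)."""
        return self.severity() * self.likelihood * self.impact

    def residual_kri(self) -> float:
        """Expected annual loss after each control shrinks its lever."""
        likelihood, impact = self.likelihood, self.impact
        for c in self.controls:
            if c.lever == "likelihood":
                likelihood *= 1.0 - c.reduction
            elif c.lever == "impact":
                impact *= 1.0 - c.reduction
            else:
                raise ValueError(f"unknown lever {c.lever!r}")
        return self.severity() * likelihood * impact

    def control_cost(self) -> float:
        return sum(c.annual_cost for c in self.controls)

    def controls_pay_off(self) -> bool:
        """Cost-benefit check: do the controls remove more expected loss
        than they cost per year?"""
        return (self.inherent_kri() - self.residual_kri()) > self.control_cost()


def within_tolerance(scenarios: List[Scenario], tolerance: float) -> Dict[str, bool]:
    """Map each scenario to whether its residual KRI sits within the
    organization's stated tolerance (expected annual loss in currency units)."""
    return {s.name: s.residual_kri() <= tolerance for s in scenarios}


# Constructed scenarios; every number below is invented for the example.
SCENARIOS = [
    Scenario(
        name="Ransomware delivered by phishing email",
        threat_votes=[0.7, 0.9, 0.8, 0.6],
        likelihood=0.3,
        impact=2_000_000,
        controls=[
            Control("Mail filtering and awareness training", "likelihood", 0.5, 40_000),
            Control("Offline backups and recovery plan", "impact", 0.7, 60_000),
        ],
    ),
    Scenario(
        name="Former employee retains remote access",
        threat_votes=[0.5, 0.4, 0.6],
        likelihood=0.2,
        impact=300_000,
        controls=[Control("Leaver deprovisioning process", "likelihood", 0.9, 15_000)],
    ),
]

TOLERANCE = 50_000  # assumed: maximum expected annual loss the board accepts per scenario

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name}: severity={s.severity():.2f} inherent={s.inherent_kri():,.0f} "
              f"residual={s.residual_kri():,.0f} controls pay off={s.controls_pay_off()}")
    print(within_tolerance(SCENARIOS, TOLERANCE))
```

Run as a script, the first scenario shows a residual KRI that still exceeds the assumed tolerance even though its controls clearly pay for themselves, which is exactly the situation in which the organization must decide whether to add controls, transfer the remainder (for instance through insurance), or formally accept it; the second scenario falls within tolerance after a single inexpensive control on the likelihood lever.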
KRIs provide management with timely and relevant information to make informed decisions and allocate resources effectively. KRIs also help organizations detect early warning signals of potential risks and threats, allowing them to take proactive measures. By monitoring KRIs, organizations can gain a better understanding of their risk profile and adjust their risk management strategies accordingly.

KRIs can be categorized into various types depending on the nature of the risks they measure. Some common types of KRIs include:
• Financial KRIs, which are used to assess financial risks such as liquidity, credit, market, or operational risks that can impact an organization's financial stability.
• Operational KRIs, which focus on risks related to operational processes, including supply chain disruptions, system failures, compliance breaches, or employee safety incidents.
• Compliance KRIs, which are used to monitor compliance with applicable laws, regulations, and internal policies. This ensures adherence to ethical standards and minimizes legal and reputational risks.
• Strategic KRIs, which help gauge risks associated with achieving strategic objectives, such as market volatility, competitive threats, or technological disruptions.
• Cybersecurity KRIs, which we use in this book to help organizations in their cybersecurity risk management activities.

Implementing a robust KRI framework provides several benefits to organizations, including:
• Early Risk Detection: KRIs enable organizations to identify potential risks in their early stages, allowing proactive risk mitigation measures to be implemented.
• Improved Decision-making: By providing timely and relevant risk information, KRIs help management make informed decisions related to risk appetite, resource allocation, and strategic planning.
• Enhanced Risk Communication: KRIs facilitate effective communication and collaboration among different stakeholders, ensuring a shared understanding of risks across the organization.
• Support for Regulatory Compliance: KRIs help organizations comply with regulatory requirements by monitoring and reporting on key risk areas.

Key Risk Indicators play a critical role in effective risk management by providing organizations with valuable insights into their risk profile. By using quantifiable metrics to measure potential risks, KRIs enable companies to take proactive measures, mitigate risks, and safeguard their long-term success. Implementing a comprehensive KRI framework can significantly enhance an organization's risk management capabilities and help it navigate the ever-changing business landscape with confidence.

Threat identification

While there are many ways to categorize threats, the simplest is to organize them as internal and external, as presented in the next few paragraphs.

Internal threats originate from within the organization itself. These threats can come from employees, contractors, partners, or anyone who has legitimate access to the organization's systems, networks, and data. Internal threats can be intentional (malicious) or unintentional (accidental), and they pose a significant risk to an organization's sensitive information, intellectual property, and overall security posture. Readers should refer to the fraud triangle, presented in chapter 1 and figure 2, to better understand the motivations that make this an important problem. There are two primary categories of internal threats: malicious insider threats and unintentional insider threats. Malicious insiders can be employees, such as disgruntled employees, former employees, or individuals with malicious intent who exploit their access to carry out attacks or steal sensitive data. They can also be contractors and business partners.
These include third-party individuals or organizations with authorized access who misuse their privileges for personal gain or to harm the organization. They use techniques such as privilege abuse, in which employees or insiders abuse their elevated access privileges to gain unauthorized access to systems or data. However, problems can also arise from negligence. This occurs when employees or individuals accidentally compromise security by not following established security protocols, such as failing to update software or using weak passwords. Insiders can also become a threat by unknowingly falling victim to phishing attacks or social engineering tactics, resulting in data breaches or unauthorized access. Often, this is caused by a lack of awareness, when employees who are not adequately trained in cybersecurity best practices inadvertently contribute to security breaches. Some examples of internal threats include:
• Unauthorized access to sensitive data by an employee who abuses their privileges.
• An employee sharing login credentials with unauthorized individuals, allowing them to gain unauthorized access.
• An employee accidentally clicking on a malicious link in a phishing email, leading to a malware infection, ransomware being installed, or a data leak.
• A former employee who still has access to the organization's systems exploiting that access to steal valuable intellectual property or disrupt activities to get some form of revenge.
• A contractor with network access inadvertently exposing confidential client information.

External threats in cybersecurity refer to risks and vulnerabilities that originate from outside an organization. These threats are posed by individuals, groups, or entities that are not part of the organization's internal structure. These can be cybercriminals, nation-states, activists, and even competitors.
External threats target an organization's digital assets, systems, networks, and data with the intent to compromise security, steal sensitive information, disrupt operations, or cause other forms of harm. External threats encompass a wide range of actors and attack methods. Cybercriminals are probably the first category that most people think of when thinking about external threats. One should keep in mind that internal threats, even if less discussed in the media or outside specialist circles, are often a much bigger threat. Cybercriminals might use malware attacks to distribute malicious software (viruses, worms, Trojans) to compromise systems and steal data. The principal strategies used are ransomware and phishing. Phishing is achieved by sending fraudulent emails or messages to trick recipients into revealing sensitive information or clicking on malicious links. Once a link is clicked, the malware encrypts critical data, allowing the cybercriminal to demand payment for its release. When aiming to disrupt an organization, cybercriminals may elect to operate a Distributed Denial of Service (DDoS) attack, flooding business systems with a tsunami of traffic to render them unavailable.

Nation-state actors or activists might use the same techniques as cybercriminals for cyber-espionage, targeting organizations to steal sensitive data, trade secrets, and intellectual property. In a cyberwar scenario, they may resort to cyber-sabotage to disrupt critical infrastructure, supply chains, services, or operations to cause economic or political harm. When the opportunity arises, external attackers will collaborate with insiders to exploit their knowledge and access, perhaps encouraged with bribes, shared ideology, or blackmail.
Assessing cybersecurity threats is a critical process for any organization to protect its digital assets, sensitive information, and overall operations. As well as performing regular risk assessments, there are many strategies that help organizations identify and assess cybersecurity threats. A few of them are mentioned here:
• Monitor your threat landscape: Stay updated on the latest cybersecurity threats, vulnerabilities, and attack techniques by subscribing to threat intelligence feeds and forums.
• Subscribe to cybersecurity news sources: Follow reputable cybersecurity news sources and blogs for insights into emerging threats.
• Use an ethical hacking team: Conduct penetration testing (pen testing) to simulate real-world attacks and identify vulnerabilities before malicious actors can exploit them.
• Perform regular external and internal testing: Perform both external (outside the organization) and internal (within the network) penetration tests.
• Become part of a community: There are many industry associations, user groups and communities where you can share information and learn from your peers. For example, in Montreal we have In-Sec-M and CyberÉco, which offer a safe space for the cybersecurity community to meet and collaborate. There are also user groups and associations, such as ASIM, ISACA and many others.

The identification of threats can be supported by using different tools, such as taxonomies and ontologies, as mentioned previously. However, these are not covered in this book. One strategy that should be used is to set up a formal cybersecurity threat intelligence activity in your organization, as presented in the next section. This would typically be handled by a group of individuals in a cyberdefence team. It would also be supported by cybersecurity vulnerability identification activities.
Using the methodology proposed in this book requires creating a scenario and identifying a potential threat for which there is a possibility of exploiting a vulnerability. From there, to contribute to the creation of a risk indicator, it is assigned a severity value between 0.1 and 0.9. This can be done as the result of a consensus of stakeholders, as described later.

Threat intelligence

Threat intelligence is a key component of cybersecurity efforts. As the business technology landscape evolves, so do cyber threats. New vulnerabilities are discovered every day. As well, cybercriminals constantly develop effective methods of exploiting vulnerabilities, stealing information, or disrupting systems. It is therefore essential to stay on top of threats, and that is where threat intelligence comes in. Threat intelligence enables organizations to detect, respond to, and prevent cyber threats in a timely manner. It also provides insights into attackers and their strategies, allowing organizations to stay one step ahead of malicious activity. Threat intelligence is like a detailed briefing in military operations. Just as commanders need intelligence about enemy positions, movements, and strategies, cybersecurity professionals require detailed information about potential or current cyber threats. Organizations that have access to up-to-date threat intelligence can quickly and accurately identify malicious actors and their activities, allowing them to take appropriate action to protect their systems. Additionally, threat intelligence can provide organizations with the necessary information to plan and implement effective security measures. Threat intelligence refers to organized, analyzed, and refined information about possible or current attacks on a system or organization.
Data collection and analysis result in actionable information that can be used to minimize or defend against potential and existing security threats. By using threat intelligence, organizations can make informed decisions to protect their systems and data from malicious actors. It also helps organizations identify and respond to potential threats efficiently and in a timely manner. However, it is not about collating vast volumes of raw data. The value of threat intelligence lies in converting raw data into actionable insights, providing organizations with a lucid understanding of the potential risks they face in the digital expanse. This intelligence is meticulously crafted, drawing from diverse sources like public forums, specialized cybersecurity blogs, and even clandestine communications on the dark web. By scrutinizing this data, analysts can discern patterns, identify emerging threats, and uncover malicious actors' modus operandi. The value it offers is proactive; it is about anticipating cyber threats before they strike, preparing for them, and devising strategies to counteract or mitigate potential harm. In a world brimming with advanced defense mechanisms, intrusion detection systems, and state-of-the-art firewalls, threat intelligence remains a vital function for cybersecurity teams. Traditional cybersecurity tools are indispensable, but they often function based on previously known threat patterns. Cybercriminals continuously innovate and devise creative methods of intrusion and harm. Threat intelligence operates in this ever-changing landscape, illuminating the path for organizations, allowing them to navigate safely and respond adeptly to emerging threats. Imagine an organization armed with intelligence about a new malware strain targeting its industry. With this information, they can swiftly adapt their defenses, remaining impervious to this new threat.
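The step that turns a feed of indicators into an actionable alert, as an added example that is not from the book: the indicator feed, the proxy log lines, the confidence threshold and the date are all constructed, and expired or low-confidence indicators are deliberately filtered out before matching so that stale intelligence does not generate noise.

```python
"""Matching a threat-intelligence feed against proxy logs (added example).

A constructed indicator feed is matched against constructed proxy log lines;
only unexpired, sufficiently confident indicators raise an alert, and each
alert keeps the context an analyst needs (indicator, confidence, source)."""
from datetime import date

# Constructed indicator feed: type, value, confidence (0-100), expiry, source.
INDICATORS = [
    {"type": "domain", "value": "update-check.example-bad.test", "confidence": 90,
     "valid_until": "2023-12-31", "source": "vendor feed"},
    {"type": "ip", "value": "203.0.113.77", "confidence": 40,
     "valid_until": "2023-12-31", "source": "community forum"},
    {"type": "domain", "value": "old-c2.example-bad.test", "confidence": 95,
     "valid_until": "2023-01-15", "source": "vendor feed"},   # already expired
]

# Constructed proxy log lines: timestamp, client IP, destination host, destination IP.
PROXY_LOGS = [
    "2023-05-02T10:01:07Z 10.0.0.15 update-check.example-bad.test 198.51.100.9",
    "2023-05-02T10:02:11Z 10.0.0.22 www.example.com 93.184.216.34",
    "2023-05-02T10:03:45Z 10.0.0.15 files.example.net 203.0.113.77",
    "2023-05-02T10:04:01Z 10.0.0.31 old-c2.example-bad.test 203.0.113.5",
]

def build_lookup(indicators, today, min_confidence):
    """Keep only indicators still valid on `today` (ISO date string) and at or
    above the confidence threshold the organization has chosen."""
    cutoff = date.fromisoformat(today)
    lookup = {}
    for ind in indicators:
        if date.fromisoformat(ind["valid_until"]) >= cutoff and ind["confidence"] >= min_confidence:
            lookup[ind["value"]] = ind
    return lookup

def match_logs(log_lines, lookup):
    """Check both the destination host and the destination IP of each log line."""
    alerts = []
    for line in log_lines:
        ts, client, host, dst_ip = line.split()
        for candidate in (host, dst_ip):
            ind = lookup.get(candidate)
            if ind:
                alerts.append({"time": ts, "client": client, "matched": candidate,
                               "confidence": ind["confidence"], "source": ind["source"]})
    return alerts

if __name__ == "__main__":
    for alert in match_logs(PROXY_LOGS, build_lookup(INDICATORS, "2023-05-02", 50)):
        print(alert)
```

Lowering the threshold to 30 also surfaces the low-confidence IP hit from the community forum, which is the trade-off between coverage and noise that the confidence field exists to manage.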
Furthermore, it is not just about technical defenses. Armed with threat intelligence, organizations can engage in extensive staff training, making individuals more alert to sophisticated phishing attempts or potential insider threats. The advantages extend beyond mere defense. Organizational leaders can leverage threat intelligence to make well-informed decisions, be it related to investments in cybersecurity infrastructure, personnel training, or even business strategies that consider cyber risks. In the unfortunate eventuality of a breach, having prior intelligence can significantly expedite response times, possibly curtailing the extent of damage and subsequent financial implications. Threat intelligence is at the forefront of cyberdefense. It is the reconnaissance team, or recon, of the digital world. It ensures that cyberdefense teams, and the organizations they protect, now and in the future, are always one step ahead in the intricate dance with cyber adversaries. Table 1 presents a sample of information sources for threat and vulnerability intelligence.

Vulnerability identification

Vulnerabilities are a fundamental component of risk, as discussed in chapter one. To grasp the full impact of vulnerabilities, it is crucial to delve into their nature, the processes for identifying them, and the immense value organizations derive from understanding and mitigating them. Vulnerabilities can be exploited to gain unauthorized access to critical systems and resources. The exploitation of a vulnerability by a threat agent is where cybersecurity risks materialize. Therefore, it is essential to have a comprehensive vulnerability management plan in place to ensure that any potential risks are identified and addressed promptly. In the business technology management field, cybersecurity vulnerabilities can be likened to weak links in a chain. A vulnerability represents a flaw or weakness in a system's design, implementation, or operation.
This flaw can lead to an unauthorized breach or contravention of the system's expected behavior. These vulnerabilities can stem from a variety of sources, ranging from errors in code and system misconfigurations to lapses in security protocols or practices. Identifying these vulnerabilities is a task that parallels looking for a needle in a haystack, but on a magnified scale. The sheer complexity of today's software and systems means that vulnerabilities can lurk in the shadows, often unnoticed until exploited. Organizations must adopt a proactive stance in this quest. In addition to the regular risk assessments and the threat-assessment strategies mentioned in the section on threat identification, other strategies can be used to identify vulnerabilities. Some of them are mentioned here, such as vulnerability assessments and penetration testing. These systematic evaluations of systems or applications simulate cyberattacks, aiming to discover weaknesses before malicious entities do. Central to these evaluations is a multidisciplinary approach that combines automated tools with human expertise. Cyber-defense teams will use advanced vulnerability identification software to scan applications, networks, and systems for known vulnerabilities. These software tools also analyze patches, configurations, and permissions. However, the human touch remains indispensable. Expert penetration testers, sometimes called ethical hackers, bring creativity and intuition to the table, often discovering complex vulnerabilities that machines might overlook. Addressing and rectifying these vulnerabilities post-identification is equally crucial. This often entails patching software, altering configurations, or even revisiting and overhauling certain aspects of the system design.
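The core of the automated "scan for known vulnerabilities" step described above, as an added example that is not from the book: a constructed software inventory is compared against constructed advisories (the kind of data a vulnerability feed such as those listed in Table 1 publishes), using numeric version comparison so that 1.10 is not mistaken for older than 1.9, and the findings are ordered by severity so patching effort goes to the worst exposure first. Advisory identifiers are placeholders.

```python
"""Matching a software inventory against vulnerability advisories (added example).

Constructed advisories are compared with a constructed host inventory using
numeric version comparison; findings are sorted by severity (highest first)
so the most urgent patching work comes first."""

# Constructed advisory feed: package, affected range (inclusive lower bound,
# exclusive fixed-in bound) and a CVSS-style severity score.  The identifiers
# are placeholders, not real advisories.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "openssl", "affected_from": "3.0.0",
     "fixed_in": "3.0.8", "severity": 9.1},
    {"id": "ADV-PLACEHOLDER-2", "package": "nginx", "affected_from": "1.0.0",
     "fixed_in": "1.23.4", "severity": 6.5},
    {"id": "ADV-PLACEHOLDER-3", "package": "sudo", "affected_from": "1.8.0",
     "fixed_in": "1.9.13", "severity": 7.8},
]

# Constructed inventory, as an asset database would export it.
INVENTORY = [
    {"host": "web-01", "package": "nginx", "version": "1.22.1"},
    {"host": "web-01", "package": "openssl", "version": "3.0.9"},
    {"host": "db-01", "package": "openssl", "version": "3.0.2"},
    {"host": "db-01", "package": "sudo", "version": "1.9.13"},
    {"host": "jump-01", "package": "sudo", "version": "1.9.5"},
]

def version_key(version):
    """Turn '1.10.2' into (1, 10, 2) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))

def is_affected(version, advisory):
    """A version is affected if affected_from <= version < fixed_in."""
    v = version_key(version)
    return version_key(advisory["affected_from"]) <= v < version_key(advisory["fixed_in"])

def find_vulnerable(inventory, advisories):
    """Return one finding per (host, package, advisory) match, worst severity first."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv["package"] == item["package"] and is_affected(item["version"], adv):
                findings.append({"host": item["host"], "package": item["package"],
                                 "version": item["version"], "advisory": adv["id"],
                                 "severity": adv["severity"], "fix": adv["fixed_in"]})
    return sorted(findings, key=lambda f: (-f["severity"], f["host"]))

if __name__ == "__main__":
    for f in find_vulnerable(INVENTORY, ADVISORIES):
        print(f"{f['severity']:>4} {f['host']:<8} {f['package']} {f['version']} -> upgrade to {f['fix']} ({f['advisory']})")
```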
The speed and effectiveness with which organizations respond to these identified vulnerabilities can often make the difference between a secure environment and a catastrophic breach. While there are challenges and complexities involved, the tangible benefits for organizations justify the time and resources required. First, it comes as no surprise that understanding and mitigating vulnerabilities contributes to risk reduction and cybersecurity maturity levels. By pre-emptively identifying and addressing potential points of exploitation, organizations can prevent data breaches, system downtimes, and unauthorized access to sensitive information. This not only safeguards an organization's assets but also bolsters its reputation in the eyes of stakeholders, clients, and customers. Furthermore, in an era where regulatory landscapes are becoming increasingly stringent, addressing vulnerabilities ensures compliance with various cybersecurity standards and regulations. Non-compliance can result in hefty fines and legal repercussions, adding financial incentive to security concerns. Vulnerabilities present both challenges and opportunities. They represent the chinks in digital armor, demanding vigilance, expertise, and swift action. By understanding and addressing them, organizations enhance their security posture. The next chapter builds on what is presented here to create and use cybersecurity risk scenarios in an organizational context.

Name | URL | Description
---- | --- | -----------
Abuse.ch | https://abuse.ch/ | Provides community-driven threat intelligence on cyber threats.
AlienVault | https://otx.alienvault.com/ | Extensive threat intelligence feed.
Automated Indicator Sharing | https://tinyurl.com/46w4yt5r | A service of the Cybersecurity and Infrastructure Security Agency to enable real-time exchange of cyber threat indicators and defensive measures.
Binary Edge | https://www.binaryedge.io/ | Scans the internet for threat intelligence.
DorkSearch | https://dorksearch.com/ | Really fast Google dorking.
ExploitDB | https://www.exploit-db.com/ | Archive of various exploits.
Fofa | https://en.fofa.info/ | Search for various threat intelligence.
HoneyDB | https://honeydb.io/ | HoneyDB provides real-time data of activity from honeypots deployed on the Internet using the HoneyPy honeypot.
Microsoft threat intelligence | https://tinyurl.com/mr26w4zp | The blog contains security research and threat intelligence from Microsoft's network of security experts.
ONYPHE | https://www.onyphe.io/ | Collects cyber-threat intelligence data.
OWASP | https://owasp.org/www-project-top-ten/ | Provides a broad consensus about the most critical security risks to web applications.
Packet Storm Security | https://packetstormsecurity.com/ | Browse latest vulnerabilities and exploits.
PolySwarm | https://polyswarm.network/ | Scan files and URLs for threats.
PublicWWW | https://publicwww.com/ | Marketing and affiliate marketing research.
Pulsedive | https://pulsedive.com/ | Search for threat intelligence.
Spamhaus | https://www.spamhaus.org/ | Provides threat intelligence and comprehensive block-lists for known spammers and malware distributors.
Splunk top 50 | https://tinyurl.com/mr224fh4 | Annual report of the most significant cybersecurity threats from Splunk.
Talos intelligence | https://www.talosintelligence.com/ | Aimed at Cisco customers. Provides information about known threats, new vulnerabilities, and emerging dangers.
Virus Share | https://virusshare.com/ | Online repository of malware providing millions of malware samples.
Virus Total | https://www.virustotal.com/ | Used to quickly check incidents.
Vulners | https://vulners.com/ | Search vulnerabilities in a large database.

Table 1: Information sources for threat and vulnerability intelligence.