Cybersecurity and information security are often used synonymously, but they are not the same thing. Information security is the process of protecting the confidentiality, integrity, and availability (CIA) of an organization’s data and information. People sometimes say network security or computer security when they mean information security. Network security and computer security are part of information security, but they don’t provide the entire picture; for example, information security also has to consider protecting data when it is not on a computer or network, such as a printout.
I personally avoid the term cyber security, in large part because the term cyber comes from cybernetics, which also provides the basis for the word cyborg, and generally we aren’t concerned with securing cyborgs. The term gained widespread use from the US Department of Defense (DoD), which is concerned about the security of its cyber war fighters – something much closer to the notion of a cyborg. In fact, the DoD looks at three different types of warfare: conventional, cyber, and information operations; information operations is more closely aligned with what we normally think of as information security. So cyber security is great, if you’re looking to secure cyborgs. For most organizations, we’re worried about securing the organization’s information.
What does an information security program look like? When we say information security, you probably think of things like firewalls, antivirus programs, and vulnerability scanning. Those are all elements of it, in the same way that harnesses, scaffolds, and lockouts are part of a safety program. Information security uses these components, but it is chiefly concerned with managing risks, just like all the other risks a business deals with, be they financial, market, legal, supply chain, or safety risks. In fact, information risks overlap many of these other risks across an organization to a greater or lesser degree, and one might think of the relationship as a Venn diagram (see figure 1). Many large enterprises will have an enterprise risk management (ERM) system, often with a chief risk officer (CRO), to holistically manage risks across the entire enterprise.
That is a lot of discussion about risks; you may ask, what exactly is a risk?
The National Institute of Standards and Technology (NIST) defines risk as a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impact, or magnitude of harm, that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
There are a few key pieces here. The first is an event that is a threat to the confidentiality, integrity, or availability of an organization’s information. We can determine threats by looking at an organization’s assets and the actors who may cause harm to those assets. When determining threats, we aren’t concerned about motivation; for instance, we don’t really care whether a system administrator maliciously or accidentally deletes an entire hard drive, because either is damaging to the organization.
Given these threats, we can look at the second piece which is the impact to the organization. This can be difficult for governments and militaries because that impact may only be measured by intangibles such as lives or political capital. Fortunately for most organizations – even non-profits – we can measure impact in monetary terms by the effect on an organization’s revenue. Generally, threats will either have a direct cost, such as fines or reconstructing data, or indirect costs which are things like lost revenue due to customers or donors going elsewhere.
The third piece of risk is the likelihood of occurrence. This is where motivation starts to come into play. Some threats have no motivation at all; flooding in a specific geographical region, for example, has a likelihood but no intent. In other cases, we do care about the motivation; for instance, many people are concerned about the Advanced Persistent Threats (APTs) they hear about on the news. These are generally foreign intelligence services or similar organizations with highly skilled attackers that can sneak into even well-defended organizations and operate there for months or even years. Is this something your organization needs to worry about? If you sell software to most of the Fortune 500 and the US government, then yes, probably. If you manufacture bathroom fixtures, maybe not. Instead, you probably need to worry more about opportunistic attackers bringing your production to a screeching halt. For insiders in particular, we weigh the likelihood that someone makes a mistake and does damage against the likelihood that someone does damage maliciously, especially since the impact of malfeasance tends to be much larger.
Given a dollar value for the impact and the probability that a risk could materialize in a given year, we can multiply the two together to find what is called the Annualized Loss Expectancy (ALE). This tells us, absent any controls, how much we can expect to lose due to this risk in any given year. This is useful because 1) it allows us to compare and rank our risks, and 2) it allows us to determine whether various controls for that risk are worth it; for instance, we aren’t going to pay $75,000 to protect against a $50,000 risk. Given the uncertainty around probabilities and impacts, we might not even want to pay $45,000 to protect against a $50,000 risk. However, we almost certainly want to spend $5,000 to protect against a $50,000 risk.
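The ALE calculation and the control cost-benefit check described above, worked through in code. This is an added example, not part of the original article: the `Risk` and `Control` classes, the helper names, the 20% uncertainty margin in `worth_it`, and all of the sample risks and their probabilities are constructed for illustration; only the $50,000 risk and the $75,000 / $45,000 / $5,000 control costs come from the text. It goes slightly beyond the text by also handling controls that reduce a risk’s probability rather than eliminating it.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    """A risk: the dollar impact if the event occurs and its likelihood in a given year."""
    name: str
    impact_usd: float           # dollar impact of a single occurrence
    annual_probability: float   # likelihood of occurrence in one year, 0.0 to 1.0

    def ale(self) -> float:
        """Annualized Loss Expectancy, absent any controls: impact x probability."""
        return self.impact_usd * self.annual_probability


@dataclass(frozen=True)
class Control:
    """A mitigating control and the probability that remains once it is in place."""
    name: str
    annual_cost_usd: float
    residual_probability: float  # 0.0 means the control fully protects against the risk


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Order risks by ALE, largest first, so they can be compared and prioritised."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def loss_avoided(risk: Risk, control: Control) -> float:
    """Annual loss the control prevents: ALE before minus ALE at the residual probability."""
    residual_ale = risk.impact_usd * control.residual_probability
    return risk.ale() - residual_ale


def control_net_benefit(risk: Risk, control: Control) -> float:
    """Annual loss avoided minus what the control costs each year."""
    return loss_avoided(risk, control) - control.annual_cost_usd


def worth_it(risk: Risk, control: Control, uncertainty_margin: float = 0.2) -> bool:
    """Decide whether a control is worth buying.

    Impact and probability are estimates, so the hesitation about paying $45,000
    against a $50,000 risk is modelled by requiring the avoided loss to exceed the
    control's cost by a margin (20% here, an assumed figure) rather than break even.
    """
    return loss_avoided(risk, control) > control.annual_cost_usd * (1 + uncertainty_margin)


def decide(risk: Risk, controls: List[Control]) -> Dict[str, bool]:
    """Map each control's name to its buy/skip verdict for one risk."""
    return {c.name: worth_it(risk, c) for c in controls}


# Constructed sample risks; only the $50,000 ALE is a figure from the text.
RANSOMWARE = Risk("ransomware outage", impact_usd=500_000, annual_probability=0.10)          # ALE $50,000
ACCIDENTAL_DELETION = Risk("admin deletes a volume", impact_usd=40_000, annual_probability=1.0)  # ALE $40,000
FLOOD = Risk("data centre flood", impact_usd=2_000_000, annual_probability=0.01)             # ALE $20,000
SAMPLE_RISKS = [FLOOD, ACCIDENTAL_DELETION, RANSOMWARE]

# The three control costs the text weighs against a $50,000 risk, each assumed to eliminate it.
OVERPRICED = Control("$75k control", annual_cost_usd=75_000, residual_probability=0.0)
MARGINAL = Control("$45k control", annual_cost_usd=45_000, residual_probability=0.0)
CHEAP = Control("$5k control", annual_cost_usd=5_000, residual_probability=0.0)
# A partial control (constructed): halves the ransomware probability for $10,000 a year.
BACKUPS = Control("tested offline backups", annual_cost_usd=10_000, residual_probability=0.05)


if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.name:<25} ALE ${r.ale():>10,.0f}")
    for name, ok in decide(RANSOMWARE, [OVERPRICED, MARGINAL, CHEAP, BACKUPS]).items():
        print(f"{name:<25} {'buy' if ok else 'skip'}")
```

Running it ranks the ransomware risk first, skips the $75,000 and $45,000 controls, and buys the $5,000 control; the partial backups control also passes, since it avoids $25,000 of expected loss for $10,000.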
That brings us to the question: what do we do about these risks?
There are four approaches you can take to manage risk:
- You can eliminate the risk: generally, this is only accomplished by eliminating the activity associated with the risk; clear examples of this often come up in the form of legacy systems that are being kept around just in case someone needs to access their data. Oftentimes a great deal of risk can be eliminated by migrating the data and decommissioning the system.
- You can transfer the risk: this is usually done by purchasing cyber insurance (because we should all be insuring our cyborgs). It can also be accomplished through means such as outsourcing an activity, as long as you ensure in the contract that the liability is clearly transferred.
- You can mitigate the risk: this is typically what people think of when they think of information security – policies, firewalls, multifactor authentication, and so forth are all controls that we use to mitigate risk. None of these controls can eliminate the risk, but some are highly effective and in concert they can reduce your risk to an acceptable level which brings us to…
- You can accept the risk: this is where you say “OK, this might happen, and if it does we can accept it and move on.” If you do nothing in your risk management, you are implicitly accepting the risk; it is far better to explicitly accept the risk, and this is easy to do when your other mitigations have brought the risk down to an acceptable level.
The bulk of our time in information security is spent mitigating risks. We mitigate risks using a variety of controls such as governance, preventative, detective, reactive, and validating; but that’s a story for another time.
Have you identified your organization’s risks? Contact us; our experts at Scalesology have years of experience doing risk assessments in organizations ranging from small to massive in size. Let’s figure out how to best mitigate those risks before you have a problem that will cost you significantly.