CYBER-SECURITY RISK MANAGEMENT FRAMEWORK (CSRM)
EXECUTIVE SUMMARY

RISK GROUP
Jayshree Pandya

ABSTRACT

The Security-Centric, Cyber-Security Risk Management (CSRM) framework expands on both the Internal Control Framework and the Enterprise Risk Management Framework, and proposes an effective Integrated NGIOA (nations: its governments, industries, organizations and academia) Risk Management framework to manage the changing nature of Security* risks in Cyberspace, Geospace and Space (CGS).
INTRODUCTION

The connected computers and the digital global age have brought complex, chaotic and turbulent times for every nation: its government, industries, organizations and academia (NGIOA), where failures at all levels have become self-evident, repetitive, destructive and uncertain in nature. NGIOAs are caught off guard. When NGIOAs seem to be in visible crisis, what is the adequate amount of independent and interdependent Cyber-Security risk that should be accepted by any entity within an NGIOA? This is probably one of the most important questions decision-makers across NGIOA face today.

In 2012, Risk Group proposed Integrated NGIOA Risk guidelines to help nations identify, evaluate, understand and manage the interconnected and interdependent risks facing their NGIOA. The proposed guidelines have come far from being ignored: they are now being acknowledged, discussed, debated and articulated, to be incorporated to better manage the current and emerging risks facing NGIOA in Cyberspace, while simultaneously providing a foundation that brings integrity, transparency, predictability, integration, security and scalability to the discipline of Risk Management itself.

Over the years, there has been heightened concern about and focus on the lack of effectiveness of the current approach to risk management, due to critical threats brought on by the rapidly changing global fundamentals and the inability of risk management programs to predict critical risks at all levels. It became increasingly clear that a need exists to re-evaluate the approach to risk management. Moreover, when the computer code, the connected computers and the ecosystem that make up Cyberspace began to bring complex challenges to everyone and everything, from Geospace to Space, the need for a new way of identifying, evaluating and managing risks became even more clear and urgent.
This tectonic shift in the nature of risks brought on by Cyberspace is creating complex challenges for every NGIOA. As computer code and connected computers blur the line between Geospace, Cyberspace and Space, it needs to be understood that the current approach to risk management cannot give any entity within any NGIOA the ability to manage risks effectively while bringing security and sustainability to its initiatives. Managing Cyberspace and Cyber-Security risks requires not only the integration of Cyberspace with Geospace and Space (CGS) but also a fine balance of cooperation and collaboration between, within and across NGIOA, and from their people, processes, proficiency and prudence.

These challenges prompted Risk Group to define and propose a robust Cyber-Security Risk Management (CSRM) framework that would effectively identify, evaluate and manage not only Cyberspace and Cyber-Security risks but integrated CGS risks. This framework could be readily used by each and every entity within any NGIOA, at all levels, to evaluate and improve their independent and interdependent Cyber-Security risk management capabilities.

The period from the guideline proposal to the Cyber-Security Risk Management framework has been marked by a series of high-profile Cyber-Security breaches and other global, national, local and industrial crises, scandals and failures, in which nations, their governments, investors, businesses, individuals and other stakeholders, individually and collectively, suffered tremendous losses in many forms. In the aftermath of each crisis there were calls for enhanced and effective governance, management and risk management capabilities, with effective institutions, structures, systems, frameworks, governance models, laws, regulations and standards. The need for a Cyber-Security risk management framework that would provide a new definition of security, a new approach to security, key security risk principles and concepts, a common security risk language, and clear security direction and guidance able to integrate security risks in Cyberspace, Geospace and Space became even more compelling at all levels across nations. Risk Group believes that the proposed Cyber-Security Risk Management Framework (CSRM) fills this need, and Risk Group hopes that it will bring effectiveness to the discipline of Risk Management and provide NGIOA with an effective way to manage their complex security risks in CGS.
THE RISK MANAGEMENT FRAMEWORK

Internal Control Framework

The Internal Control Framework is defined by many as a process for assuring the achievement of an organization's objectives in operational effectiveness and efficiency, clear financial reporting, and strict compliance with laws, regulations and policies. While this still serves as the broadly accepted standard for satisfying regulatory reporting requirements, requiring an entity's management to certify, and the independent auditor to attest to, the effectiveness of those systems, it clearly lacks the ability to identify and manage the critical security risks facing NGIOA today in CGS.

Enterprise Risk Management Framework

ERM, according to the Casualty Actuarial Society, is a widely popular approach to managing enterprise risks in which an entity in any industry assesses, controls, exploits, finances and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders. The ERM framework expands on the internal control framework and does provide a more comprehensive focus on the broader issue of Risk Management. While the ERM framework has gained popularity:

- It lacks the ability to anticipate global, national or industry crises
- It lacks a framework to assure comprehensive Integrated Risk Management
- Its approach is largely reactive
- It widely promotes the transfer and insurance of risk over the prevention or management of risk, thereby creating bigger, more complex and more catastrophic risks
- It focuses on a narrow definition of an enterprise
- It focuses on a narrow risk perspective
- It focuses on a narrow and old definition of security, and lacks the ability to address the changing nature and fundamentals of security

Cyber-Security Risk Management Framework

The Cyber-Security Risk Management (CSRM) framework expands on both the Internal Control Framework and the Enterprise Risk Management Framework and provides an effective Security-Centric Risk Management framework that gives each and every NGIOA:

- A forward-looking way to identify and manage independent and interdependent risks
- Integrity, neutrality and a collective approach to managing risks
- A non-partisan, neutral and objective focus on managing global, national and local risks

In addition, it also:

- Reverses the focus from transferring risks to preventing risks
- Embeds strategic risks as a vital part of the risk management framework
- Changes the approach to an enterprise and makes it more inclusive of today's global reality
- Connects Cyberspace risks to Geospace and Space risks (CGS)
- Integrates governments' risks with industries' risks, organizations' risks and academia's risks to give a comprehensive overview of a nation's risks (NGIOA)
- Integrates nations' risks to give a comprehensive view of global risks
- Provides and promotes a proactive approach to managing risks
- Promotes the prevention and management of risks over the transfer of risks
- Addresses the changing nature and definition of security and provides a security-centric risk management framework, ability and capability

While the goal of the security-centric CSRM is to bring effectiveness to the field of Risk Management itself in a digital global age, Risk Group recognizes the slow pace of change historically observed across nations in acknowledging the need for change, accepting the change and implementing the change itself.
Since one of the most critical challenges for decision-makers at all levels across NGIOA is determining how much risk they are prepared to take for their initiatives as they strive to survive, sustain and create value in Cyberspace, this proposed security-centric CSRM framework will better enable them to meet these complex challenges. The implementation of a security-centric CSRM framework will support and improve independent and interdependent risk awareness at every level of NGIOA: from strategic to operative, from Cyberspace to Geospace, and from management to employees.

The proposed security-centric CSRM framework provides an integrated risk management approach that addresses the global shifts of the digital global age, laying out the much-needed foundation of an integrated NGIOA risk governance framework. This security-centric integrated risk management framework will make a convincing case for the far-reaching need for, and understanding of, integrated security risk concepts, integrated security risk fundamentals and integrated NGIOA risk governance models. The integrated security-centric CSRM approach proposed and discussed here is rational, practical, scalable and feasible. It will help create a dynamic, vibrant and sustainable approach to managing the cyber-security risks of a digital global age. This initiative is a first step towards that.

Jayshree Pandya
Founder: Cyber-Security Risk Research Center at Risk Group

*Risk Group defines Security as the state of industries and businesses, systems and infrastructure, innovation and technology, governance model and governments, products and services, intellectual property and trade secrets, people and processes, survival and sustainability, education and academia, philanthropy and poverty, research and development, regulations and compliance, robotics and artificial intelligence, information and communication being free from danger or threat of Cyberspace.
EXECUTIVE SUMMARY

The underlying premise of the security-centric Cyber-Security Risk Management Framework (CSRM) is that, in the interconnected and interdependent digital global age, no entity within any NGIOA can effectively manage its security* risks independently. Even if an entity manages its private security risks independently, the interconnected and interdependent risks facing it will undermine the isolated and independent risk management effort and program, and make the entity vulnerable to catastrophic events.

RELATIONSHIP BETWEEN SECURITY AND NGIOA COMPONENTS

There's no such thing as secure anymore. Security is rapidly becoming a complex challenge for every NGIOA. Cyberspace is fundamentally changing the definition and meaning of security across NGIOA. Incorporate it into Geospace and Space and the complex security challenges hit the roof.

Cyberspace has put strong pressure on nations to change how they define, understand, operate, govern and manage their security risks, so the question is how that can be achieved when:

- Individual security is tied to collective NGIOA security
- External security threats have ties to internal security threats
- Security needs to be at the center of each and every discussion within any NGIOA, about not only threat, conflict, defense and war, but also progress and development
While the formation of individual (an entity within an NGIOA) and collective (NGIOA) security frameworks are becoming inseparably linked in Cyberspace, the question arises as to the reasons behind the reluctance to accept the need for structured collaboration. Since any single individual entity is connected to other individual entities within its sector and industry, along with its connections to organizations, academia, other industries and governments at all levels, there is presumably a collective requirement for a cyber-security risk management framework and a cyber-security risk governance authority. Security is thus a condition of all individuals, organizations, academia, industries and governments (NGIOA-I).

There is also a growing concern that many nations seem too weak or too failed to be able to provide their own NGIOA-I with the necessary security in Cyberspace. Moreover, most nations, with their current governance models, are far from being ideal providers of cyber-security. Technology and threats are now forever intricately linked, just like people and processes. The security concept is currently being subjected to big changes with respect to its aims, capabilities, sources, connectivity and the dimension of threats. In the new era of Cyberspace, the security threat has no visible front, borders or armies.

Governments exist to provide value to their citizens, businesses across industries exist to provide value to their stakeholders, organizations exist to provide value to their initiatives, and academia exists to provide value to its students. All of them, independently and collectively, face complex security challenges and uncertainties from Cyberspace in the digital global age. Amidst that, the challenge for decision-makers across NGIOA is to determine what security risks they face in Cyberspace and the rapidly changing digital global economy, independently and collectively, and how much uncertainty they are exposed to and forced to accept as they strive to survive, sustain, grow, develop and advance.
The current uncertainty brought on by Cyberspace and the digital global economy presents both security risk and strategic opportunity to each component of NGIOA, with the potential to erode or enhance a nation's value, independently and collectively. The Cyber-Security Risk Management Framework (CSRM) enables decision-makers to deal effectively with Cyberspace and digital global economic uncertainty, enhancing the capacity and capability to collectively build value as a nation. The strategic value of a nation is maximized when NGIOA decision-makers collectively set national strategy and objectives, so as to strike an optimal balance between growth and goals, its related risks and rewards, and its security and sustainability, while efficiently and effectively deploying resources in pursuit of independent entity goals tied to collective national objectives.

Cyber-Security Risk Management (CSRM) encompasses first and foremost:

- Integrating Cyberspace with Geospace and Space (CGS)
- Integrating nations: its government, industries, organizations and academia (NGIOA)
- Re-defining security* in Cyberspace and understanding its NGIOA integration points
In addition, the security-centric Cyber-Security Risk Management (CSRM) framework should, individually and collectively, involve:

- Identifying and Aligning Security-Centric Risk Appetite, Security Risk Planning and Strategy in Cyberspace: The CSRM framework allows any individual entity and its decision-makers within and across NGIOA to take into consideration its independent and interdependent security risk appetite in evaluating independent and interdependent strategic alternatives, setting security risk-centric informed objectives and goals, and simultaneously developing mechanisms to manage independent and interdependent strategic security risks. (Depending on the nature of the security risk, its industry and relevance, appropriate security risk measures need to be incorporated in the planning process.)

- Identifying and Improving the Security Risk Response Decision Process in Cyberspace: CSRM provides an integrated NGIOA structure for an informed, independent as well as integrated security risk decision process to identify, evaluate and manage the various security risk response choices: from prevention of security risk to risk avoidance, reduction, transfer, sharing and acceptance. (Depending on the nature of the security risk, a relevant risk response strategy needs to be formulated.)

- Identifying and Reducing Security Surprises and Losses in Cyberspace: CSRM provides NGIOA with an enhanced capability, both individually and collectively, to identify potential catastrophic security events and establish timely responses to reduce their impact and associated costs or losses. (Depending on the nature of the security risk, a structured plan needs to be in place to have relevant risk intelligence to manage security surprises.)

- Identifying and Managing Overall Global, National, Local and Individual NGIOA Security Risks in Cyberspace: Each nation faces a myriad of independent and interdependent security risks affecting different parts of the NGIOA, and CSRM facilitates effective responses to their interrelated, interconnected and interdependent impacts. (Depending on the nature of the security risk, an overall plan needs to be in place to manage it.)

- Identifying and Seizing Strategic Opportunities: By considering a full range of potential security events at all levels (global, national, local, industry and organizational) and across the individual components of NGIOA, decision-makers are better positioned to identify and proactively realize current and strategic opportunities in Cyberspace, both individually and collectively. (Understanding Cyberspace and its revolutionary transformation potential, understanding the current initiatives within an entity, and formulating potential strategic alternatives will guide entities within an NGIOA to seize strategic opportunities in CGS.)

- Identifying and Improving Resource Deployment: CSRM allows nations to obtain collective and independent, current and strategic security risk information that allows NGIOA decision-makers to effectively evaluate overall resource needs and enhance capital allocation appropriately. These capabilities inherent in the CSRM framework will help NGIOA decision-makers achieve their performance and profitability targets while preventing the loss of vital current and strategic resources. (By understanding the nature of strategic opportunities and threats, entities within an NGIOA will need to identify resource needs and make relevant plans.)

CSRM will help ensure effective security risk reporting and compliance with current and potential laws and regulations, helping to avoid damage not only to the NGIOA reputation, both independently and collectively, but also its associated consequences. In summation, the Cyber-Security Risk Management framework (CSRM) will help an NGIOA achieve its independent and collective security goals and objectives in Cyberspace in a Digital Global Economy while avoiding downsides and disbeliefs along the way. It is important that CSRM not be viewed as a static, one-time process; rather, it must be embedded across NGIOA and dynamically adapted to the changing internal and external CGS environment.

CYBERSPACE EVENTS IN A DIGITAL GLOBAL ECONOMY: ASSOCIATED SECURITY RISKS AND OPPORTUNITIES

Any event in Cyberspace or the Digital Global Economy can have negative security impacts, positive strategic impacts, or both. Cyberspace events in a digital global economy with a negative security impact represent risks, which can prevent value creation in Cyberspace or erode existing value in Geospace, Cyberspace or Space. Cyberspace events in a digital global economy with a positive impact may offset negative security impacts or represent strategic Cyberspace opportunities. Cyberspace opportunities are the possibility that an event will occur in Cyberspace or Geospace that would positively affect the achievement of Cyberspace objectives, supporting value creation or preservation. NGIOA decision-makers can channel opportunities in Cyberspace back to their National Security Strategy, while formulating plans to seize the Digital Global Age opportunities in CGS. The CSRM framework aims to identify all independent and interdependent potential security events that could affect the achievement of the entity's objectives in CGS.
These events can be divided into two categories: Cyberspace events with a positive impact on independent and collective NGIOA objectives, and events with a negative security impact on independent and collective NGIOA objectives. The former represent opportunities, and the latter are security risks. These must be managed with a clear, integrated risk management process composed of the following phases:

- Cyber-Security Risk Identification and Analysis
- Cyber-Security Risk Understanding and Profiling
- Cyber-Security Risk Response and Management
- Cyber-Security Risk Control and Integration

The CSRM process must be supported by a sound security foundation in terms of a broad understanding of security and its changing nature, the overall CGS environment, an integrated NGIOA risk philosophy, integrity and ethical values, an integrated risk governance approach, and Cyber-Security competence and responsibilities, together with a collective Cyberspace security objective-setting process that considers the Cyber-Security risk dimension, a dynamic and complete security information flow, and ongoing monitoring of all the CSRM framework components.

Each and every entity should implement the CSRM framework because it will allow them to optimize strategic opportunities in Cyberspace by providing a systematic, integrated, accountable and holistic evaluation and control of Cyber-Security risks. The CSRM framework deals with security risks and strategic opportunities affecting value creation in Cyberspace and/or the preservation of Cyberspace-Geospace-Space value and infrastructure.

CSRM can be defined as an integrated security risk management process realized by the decision-makers of an entity within an NGIOA, who independently and collectively identify potential security risk events that may affect any component of an NGIOA or the overall NGIOA, and manage risk both individually and collectively so that it stays within its security risk appetite boundaries, to provide reasonable assurance and confidence regarding the achievement of its current and strategic security objectives in Cyberspace, Geospace and Space (CGS).

This comprehensive CSRM definition reflects certain fundamental security concepts and is in essence:

- An independent but integrated NGIOA security process that is ongoing and flowing through any entity and component of NGIOA within, between and across a nation's geographical boundaries.
- Effected by decision-makers at every level of an entity within and between a nation: its government, industries, organizations and academia (NGIOA).
- Applied in independent and collective security strategy settings at all levels of an entity within and between an NGIOA.
- Applied within, between and across NGIOA, at every level and unit of an entity, and includes taking an independent and collective view of security risk as a nation, industry, business and organization.
- Designed to identify potential Cyber-Security events that, if they occur, will affect an independent component of an NGIOA or all the components of an NGIOA, and to manage security risk within its independent and collective risk appetite boundaries.
- Able to provide reasonable security assurance to any entity within and between an NGIOA, and to its decision-makers and stakeholders.
- Geared towards the achievement of global, regional, national, local and independent security objectives of any and all components of an NGIOA, in one or more separate but overlapping categories.
- Provides an integrated NGIOA structure and format to facilitate the incorporation of the changing definition of security, by re-defining the approach to security and integrating the security of CGS.

This CSRM definition is purposefully broad for the purpose of its scalability and sustainability needs. It captures key changing global security concepts as to how nations: its governments, industries, organizations and academia (NGIOA) should manage their security risks in Cyberspace, while providing a basis for a Cyber-Security Risk Management Framework in a Digital Global Economy. It also focuses directly on the achievement of any entity's security objectives in Cyberspace, established independently and collectively by an individual or a group of NGIOA.
CYBER-SECURITY RISK MANAGEMENT OBJECTIVES

Within the context of any entity or component of an NGIOA, the CSRM framework will be geared to achieving the overall security objectives set forth in the following categories:

- Strategic Security: High-level strategic security goals, aligned with and supporting its Cyberspace mission in a Digital Global Age
- Security Operations: Effective and efficient use of NGIOA resources in Cyberspace
- Security Reporting: Reliability of Cyberspace reporting
- Security Communications: Effective and timely Cyber-Security communication
- Security Compliance: Compliance with applicable global, national and local laws and regulations
- Security Approach: An integrated Geospace, Cyberspace and Space approach to Security
- Security Integration: Integration at all NGIOA levels across nations, and also in Cyberspace, Geospace and Space (CGS)
- NGIOA Sustainability: NGIOA sustainability as a key criterion
- Security Scalability: A Cyber-Security Risk Management framework that is scalable at all levels of NGIOA across nations in CGS

The above categorization of CSRM objectives allows a focus on the collective as well as individual aspects of any entity within and between NGIOA, and on aspects of overall NGIOA security in Cyberspace, Geospace and Space. Amidst these distinct but overlapping components of an NGIOA, across the barriers of virtual territories, a particular Cyberspace objective and its associated risks can fall into more than one component, necessitating a need to address its individual and collective integration points while directing the responsibility of different decision-makers at all levels of an entity or an NGIOA. This clear categorization also allows clear distinctions as to what can be expected from each component of an entity or an NGIOA in Cyberspace.

SAFEGUARDING OF SECURITY OBJECTIVES AND RESOURCES

Safeguarding of NGIOA security resources is essential in CGS. Because security objectives in Cyberspace related to the reliability of the current nature of security reporting, and to compliance with current laws and regulations, are within an entity's control, CSRM is expected to provide reasonable assurance of achieving those security objectives. However, it needs to be understood that no effective controls are in place for the changing nature and definition of security across nations. There is a clear need to develop effective security controls for compliance. Achievement of strategic security and operational objectives in Cyberspace is, however, subject to external NGIOA events in CGS, and not always within the control of an entity. Accordingly, for these security objectives, CSRM can provide reasonable assurance that decision-makers in their oversight role are made aware, in a timely manner, of the extent to which an entity is moving toward achievement of its Cyberspace and Cyber-Security objectives.

COMPONENTS OF CYBER-SECURITY RISK MANAGEMENT FRAMEWORK

Just as any structure needs a strong foundation in Geospace, so do the structures in Cyberspace and Space. The internal as well as external NGIOA environment serves as the basis for all the security foundation and key components of the proposed CSRM framework in Cyberspace, Geospace and Space.
The internal NGIOA environment reflects the overall cyber-security risk attitude, awareness and actions that have an impact on the individual entity's activities within any component of an NGIOA or the whole NGIOA. It is also important for decision-makers to apply the same rules to the external NGIOA environment across a nation's geographical boundaries, in order to have an understanding of the interconnected and interdependent NGIOA security risks in the CGS environment.

An ongoing Integrated NGIOA Security Risk Management process can be considered the heart of the CSRM framework. Cyber-Security risk identification and assessment are useless if no appropriate security risk responses are implemented and no regular security controls are in place. Cyber-Security, strategic security, and the entity's business and operational processes do not work properly without integrated NGIOA security information that flows in, out and across the entity and the NGIOA. The security monitoring component has the same importance as the other components of the CSRM framework, because it allows the determination of whether everything continues to work effectively in the CGS environment within, between and across NGIOA.

Each of the NGIOA components contributes equally to CSRM in CGS. A weak component can affect the entire CSRM process in CGS. The interconnectedness, interdependencies and interrelationships of the security-embedded CSRM framework strengthen the role of each single NGIOA component. The security-centered integrated NGIOA risk management philosophy and the risk appetite contribute to security objective setting, which in turn allows the identification of security events that could affect them all. Events with a positive impact are channeled back to the security objective-setting process, while events that could adversely affect the achievement of strategic objectives are assessed, responses are carried out, and security control activities are performed. The CSRM process will only function effectively if integrated NGIOA security information flows through all the NGIOA components and ongoing security monitoring is performed.

Internal Security Environment

- Cyber-Security Risk Management Philosophy: A clear, security-embedded, integrated NGIOA risk management philosophy is important as the first step in implementing successful CSRM. It defines how an entity should consider security risk in everything it does. The security-centric philosophy should be reflected in oral and written communication from the decision-makers to the employees, in shared beliefs, and also in attitudes across an entity and/or the overall NGIOA. The philosophy of security-centric integrated risk management should be reinforced not only with words but, more importantly, with effective collaborative NGIOA actions. The Cyber-Security risk appetite, the amount of risk the entity would be willing to accept in Cyberspace, must be defined in this first step.
- Security-Centric Governance and Management: Healthy security-centric governance and management is crucial for an effective CSRM framework in any entity within an NGIOA. With their appropriate actions, the board of directors, the executive management, and senior and middle management at all levels can heavily influence the security success of an entity within any NGIOA.
- CSRM Roles and Responsibility: Clear authorities and security responsibilities should be defined and communicated within an entity of an NGIOA. Clear security competences will help to avoid overlapping tasks and also to optimize security processes within an entity. Everyone within an entity, in and across NGIOA and within nations' geographical and virtual boundaries, is accountable and responsible in the global comprehensive structure and framework for CSRM.
- CSRM Competence: Employees within any entity should have the adequate security knowledge and skills needed to perform the assigned Cyber-Security tasks. Human resource management would play an important role in recruiting the right cyber-security people, but also in identifying the security training needs of all employees.
- Integrity and Ethical Values: All employees should adhere to a standard of security behavior that considers integrity and ethical values, in order to enable a strong security-focused culture.

Security Objective Settings

The following Security Objective Settings have been identified and embedded into basic CSRM elements:

- Cyber-Security Strategy Formulation: Before decision-makers formulate the Cyber-Security strategy, they should conduct a situation analysis to identify not only the entity's security strengths and weaknesses in Geospace and Cyberspace but also the external strategic opportunities and threats in Cyberspace. The decision-makers should define a range of possible CGS strategies for which security risks and strategic opportunities are identified. The cyber-security strategy-setting process must be done on an ongoing basis, requiring continuous reassessment and reformulation.
- Cyber-Security Strategy Implementation: The strategic security objectives should be accompanied by security operations, reporting and compliance-related security objectives. Those objectives should be measurable and understood by all employees within an entity. The security objectives should be dynamically adjusted and should always support and be aligned with the entity's CGS strategy.
- Cyber-Security Strategy Effectiveness: The decision-makers should regularly monitor the achievement of the Cyber-Security objectives as well as the employee commitment to security in CGS. The entity should also compare results among peers within and across NGIOA, in order to identify security improvement opportunities in CGS.

A Cyber-Security Strengths, Weaknesses, Opportunities and Threats (CS-SWOT) analysis should be performed in order to identify the Cyberspace security strategy choices.
These should focus on the maximization of the Cyberspace strengths and opportunities and on the minimization of Cyber-Security weaknesses and threats. This process should be performed on an ongoing basis. Cyber Security-SWOT Analysis The Cyber-Security SWOT analysis is a matrix in which the internal security strengths and weaknesses are combined with the external Cyberspace opportunities and threats. The CS-SWOT combinations result in the following four types of security strategies: Security Strengths- Cyberspace Opportunities Strategy: This exploits the internal security strengths to take advantage of the external opportunities in the Cyberspace. Security Strengths- Cyber-Security Threats Strategy: This exploits the internal strengths to reduce the external threats of Cyberspace. Security Weaknesses- Cyberspace Opportunities Strategy: This improves weaknesses in the Cybersecurity to take advantage of external opportunities in the Cyberspace.
Security Weaknesses-Cyber-Security Threats Strategy: This reduces Cyber-Security weaknesses in order to avoid external Cyberspace threats.

Cyber-Security Event Identification

The following Security Event Identification main topics have been identified and translated into basic CSRM elements:

External Security Factors Driving Cyberspace Events: Each and every entity within an NGIOA should consider and analyze external security factors driving Cyberspace events that could affect the achievement of current and strategic Cyberspace objectives. The analysis should consider Cyberspace, Cyber technologies, Cyber-security processes, the Cyber-security framework, Cyberspace regulations, Cyberspace competency, geo-political status, and social and economic factors. The security factors identification process should be performed on an ongoing basis, and at every level of the entity within and across NGIOA.

Internal Security Factors Driving Cyberspace Events: Any entity within any NGIOA should consider and analyze internal security factors driving events in Cyberspace that could affect the achievement of not only strategic Cyberspace objectives but also current Geospace and Cyberspace objectives. The security analysis should consider cyber infrastructure, cyber personnel, cyber processes, cyber technology factors, cyber integration, cyber controls, understanding of security and more. The cyber-security identification process should be performed on an ongoing basis, and at every level of the entity within an NGIOA.

Cyber-Security Events Affecting Governance, Business and Strategies: The decision-makers should focus on significant and possible Cyber-Security events that could adversely affect the achievement of Cyberspace objectives. The Cyberspace opportunities (positive events) should be channeled back to the Cyberspace objective and strategy setting process, while the security risks (negative events) should be assessed and actions taken immediately, independently and/or collectively.

Cyber-Security Risk Assessment

The following Cyber-Security Risk Assessment main topics have been identified and translated into basic CSRM elements:

Cyber-Security Event Characteristics: In assessing Cyber-Security risk, decision makers should consider both immediate impact and strategic impact, as well as expected and unexpected losses.

Cyber-Security Assessment Metrics: Each and every entity within an NGIOA should assess both the possibility of a Cyber-Security breach occurrence and the impact of potential Cyber-Security events that could adversely affect the achievement of Cyberspace objectives in the near term and the long term. The Cyber-Security risks should be ranked in order to focus first on highly significant risks.

Cyber-Security Assessment Mode: Decision makers should promote Cyber-Security practices assessment techniques and a continuous and iterative Cyber-Security risk management process aligned with the Cyberspace strategy setting process. A composite assessment of Cyber-Security risks across any entity within an NGIOA should be performed. The quality of the supporting cyber-security data and assumptions should be continuously reviewed.
Cyber-Security Risk Response

The following Cyber-Security Risk Response main topics have been identified and translated into basic CSRM elements:

Cyber-Security Risk Mitigation Strategies: Decision makers should identify the appropriate response to the identified Cyber-Security risks, considering their significance to Geospace and Space in terms of likelihood and impact. The risk responses can be handled according to the nature of the risk by accepting, reducing, sharing and/or avoiding Cyber-Security risk in order to align it with the Cyberspace risk appetite. Decision makers should develop alternative Cyberspace risk mitigation strategies for each of their Cyberspace and Cyber-Security risks. A cost versus benefit analysis, for both the short term and the long term, should be the basis for the Cyber-Security risk response strategy selection. The selected Cyber-Security strategy should be accompanied by a risk response implementation plan.

Cyber-Security Residual Risk: Decision makers should assess the residual cyber-security risk remaining after the responses are fully implemented. The Cyber-Security residual risk should be aligned with the Cyberspace risk appetite. The decision makers should have a broad portfolio view of cyber-security residual risks by entity level, from an independent entity to business divisions across entities within and across NGIOA.

Cyber-Security Control Activities

The following Cyber-Security Control Activities main topics have been identified and translated into basic CSRM elements:

Cyber-Security Controls Basis: Each and every entity within an NGIOA should have in place Cyber-Security policies and procedures and ensure that these are well understood and implemented. The CSRM processes should be documented and assure a clear segregation of duties.

Cyber-Security Controls over Objectives: Each and every entity should establish and execute Cyber-Security control activities over basic strategic, operations, reporting and compliance objectives.
Cyber-Security Controls over Processes: Each and every entity should establish and execute Cyber-Security control activities over processes. It has to ensure that risk responses are carried out appropriately and in a timely manner, that risk limits are observed, that prices and models are appropriate, that risk management resources are adequate, and that new products can be managed. The control activities should be regularly reviewed.
Cyber-Security Controls over Information Processing: Each and every entity should establish and execute Cyber-Security control activities over information systems regarding data validity, exceptions management, IT security and availability. The entity should control performance indicators on operational or financial data, such as staff turnover rates, transaction volume and cost trend.

Cyber-Security Controls over Industries and Businesses: Each and every entity should establish and execute Cyber-Security control activities over emerging industries and businesses that may bring security challenges to businesses and industries.

Cyber-Security Controls over Systems and Infrastructure: Each and every vital system and infrastructure at all levels of NGIOA should establish Cyber-Security control activities to ensure its safety and security from the activities initiated within Cyberspace.

Cyber-Security Controls over Innovations and Technology: Each and every entity should establish and execute Cyber-Security control activities over emerging innovations and technology from within and across NGIOA that could bring security challenges.

Cyber-Security Controls over Governments and Governance Model: Each and every entity within and across NGIOA should establish Cyber-Security control activities over governance models from within and across nations' borders that could bring security challenges.

Cyber-Security Controls over Products and Services: Each and every entity within an NGIOA should establish Cyber-Security control activities over products and services that could bring security challenges.
Cyber-Security Controls over Intellectual Property and Trade Secrets: Each and every entity within an NGIOA should establish Cyber-Security control activities over intellectual property and trade secrets that could bring security challenges.

Cyber-Security Controls over People and Processes: Each and every entity within an NGIOA should establish Cyber-Security control activities over key people and processes that could bring security challenges.

Cyber-Security Controls over Survival and Sustainability: Each and every entity within an NGIOA should establish Cyber-Security control activities over its survival and sustainability security.

Cyber-Security Controls over Education and Academia: Each and every entity within an NGIOA should establish Cyber-Security control activities over education and academia that could bring security challenges.

Cyber-Security Controls over Philanthropy and Poverty: Each and every entity within an NGIOA should establish Cyber-Security control activities over philanthropy and poverty that could bring security challenges.

Cyber-Security Controls over Regulation and Compliance: Each and every entity within an NGIOA should establish Cyber-Security control activities over regulation and compliance that could bring security challenges.

Cyber-Security Controls over Robotics and Artificial Intelligence: Each and every entity within an NGIOA should establish Cyber-Security control activities over robotics and artificial intelligence that could bring security challenges.

Cyber-Security Controls over Information and Communication: Each and every entity within an NGIOA should establish Cyber-Security control activities over information and communication that could bring security challenges.
Information and Communication

The following Security Information and Communication main topics have been identified and translated into basic CSRM elements:

Security Information over Current and Strategic Objectives: Each and every entity should verify and assure on an ongoing basis that relevant cyber-security information over strategic security, operations security, reporting and compliance security objectives is delivered in a timely manner and in a form that enables the entity to carry out the CSRM activities effectively.

Security Information Quality: Each and every entity should assure the quality of the provided security information, in terms of depth, timeliness, availability, accuracy and accessibility.

Security Information Management: Each and every entity should establish integrated security data management programs enabling security information systems to provide both internal as well as external security information. Decision makers should promote integrated security systems in order to facilitate access to security information.

Security Communication: Each relevant decision maker and stakeholder must be apprised of sensitive information on the cyber-security risks the entity is facing in the achievement of its Cyberspace objectives. An ongoing dialogue and collaboration, communication and coordination between decision makers and stakeholders should be assured. Each and every entity should communicate with relevant stakeholders, providing appropriate levels of security information to conform to their needs and to regulatory requirements. The entity should establish a security policy that defines the relevant information and coordinates the disclosure process. To increase transparency, the entity should establish a disclosure policy defining and coordinating the disclosed security information.
Security Monitoring

The following Security Monitoring main topics have been identified and translated into basic CSRM elements:

Security Monitoring Activities: Each and every entity should perform ongoing security monitoring activities and regular separate evaluations in order to identify security weaknesses in CSRM.

Security Monitoring Corrective Actions: The entity should report security deficiencies to those positioned to take the necessary actions. These should be monitored until complete security fulfillment is effective. Each identified security element can be assessed along the security maturity-level scale. An evaluation criterion is set for each of the security maturity scale levels. Ongoing security monitoring activities differ from control activities because the latter are performed as required steps in processes. The entity should perform periodic separate security evaluations over businesses and processes, establishing an internal security control system. Changes in security processes, strategies, structure and systems should be monitored. The security evaluation process should be based on clear methodologies and be documented.

Security Assessment Tool

By means of the Cyber-Security Risk Management maturity-level assessment tool, it is possible to evaluate the elements of the CSRM framework's components: internal security environment, security objective setting in CGS, security event identification, security risk assessment, security risk response, security control activities, security information and communication, and monitoring.
Cyber-security risks exist because no effective security risk management framework exists and because Cyberspace cannot be predicted with certainty; future Cyberspace security events and situations therefore imply security risks. Even when all security information and resources are available, errors in human judgment can be made in security decision making. This is because there is always a possibility that even the most improbable security risk event can occur. CSRM cannot be seen as a static one-time process; rather it must be embedded in each and every entity within an NGIOA and across NGIOAs and dynamically adapted to the changing internal and external CGS security environment.

CSRM consists of the following interconnected, interrelated and interdependent key components:

Overall Global NGIOA Commitment: Global NGIOA commitment is fundamental to manage security risks in Geospace, Cyberspace or Space.

United National Strategy and Environment: The overall national environment and tone sets the foundation of NGIOA cooperation and collaboration to establish a collective view on national security strategy in CGS.

Internal NGIOA Environment: The internal NGIOA environment encompasses the tone of an entity and sets the basis for how independent and interdependent security risks are viewed and addressed, and the environment in which they operate.

Cyberspace Security Goal Setting: Cyberspace security objectives must be defined and agreed upon before decision makers can identify potential security risk events affecting their desired goals. CSRM ensures that relevant decision makers have in place a process to set Cyberspace security objectives, and that the selected objectives support and align with their independent and collective mission and are consistent with their security risk appetite.
Cyberspace Security Risk Identification: Internal and external, independent and interdependent security risk events affecting achievement of an entity's Cyberspace objectives must be identified and evaluated for their security risks and opportunities in CGS.

Cyberspace Security Risk Assessment: Cyberspace security risks are analyzed, considering their likelihood and impact, as a basis for determining how they should be managed independently and collectively by NGIOA in CGS.

Cyberspace Security Risk Response: Decision makers select security risk responses (avoiding, accepting, reducing, or sharing risk) in order to develop a set of actions to align security risks with the entity's security risk tolerances and risk appetite.

Cyberspace Security Control Activities: Security policies and procedures are established and implemented to help ensure the Cyberspace security risk responses are effectively carried out within any entity within and across NGIOA.

Cyberspace Security Risk Information and Communication: Relevant Cyberspace security information is identified, captured, and communicated in a form and timeframe that enables decision-makers to carry out their security responsibilities. Effective security communication also occurs in a broader sense, flowing between, within and across NGIOA.

Cyberspace Security Risk Monitoring: The entirety of CSRM is monitored and modifications are made as necessary through ongoing CSRM activities, evaluations, or both.

CSRM is a multidirectional and multidimensional security process in which almost any unit component can and does influence an entity within and across NGIOA.

CSRM EFFECTIVENESS

The implementation of a CSRM framework supports and improves security risk awareness and security risk identification and management at every level of an NGIOA, from strategic to operative, and from NGIOA decision makers to employees in Cyberspace, Geospace and Space. Determining whether CSRM is effective is representative of whether the CSRM components are present and functioning effectively within an entity in the CGS environment. Thus, the security components are also criteria for effective CSRM. For the CSRM components to be present and functioning properly there can be no structural and functional NGIOA weaknesses, and independent and interdependent security risks need to have been identified, understood and managed either within the entity's security risk appetite boundaries or the nation's. And most importantly, the changing nature and definition of security needs to be clearly understood and acknowledged.
When CSRM is designed to be effective in the CGS environment and for individual and broader NGIOA security objectives, the decision makers have reasonable assurance that they understand the extent to which the entity's strategic security, operational security, digital security, innovation security, products and processes security and other security objectives are being achieved; that the entity's security reporting is beneficial, reliable and timely; and that applicable security laws and regulations are being complied with at all levels: global, national and local. It needs to be understood that the security components will not all function identically across every entity within and across every NGIOA, as each nation is at a different maturity level when it comes to its governance, management, industries, innovations, products and processes. However, irrespective of the size of an entity, CSRM will be largely effective as long as each of its security components is defined accurately, understood, structured and functioning properly.
CSRM LIMITATIONS

While CSRM provides a fundamental change in how to define security (its nature, structure, approach and integration with NGIOA in the CGS environment) to effectively identify, evaluate and manage Cyber-Security risks in a digital global age, limitations do exist. In addition to the factors discussed above, limitations result from the reality that each nation: its government, industries, organizations and academia, is at a different level of security understanding and maturity. Each NGIOA has a different security understanding, capability and compatibility that can hamper the decision-makers' ability in individual and collective decision making. These limitations preclude NGIOA decision makers and stakeholders from having absolute assurance as to the achievement of their Cyber-Security and Cyberspace objectives.

CSRM ASSUMPTIONS

The Internal Control Framework is the basis for existing rules, regulations and laws; it is in its entirety incorporated by reference and remains in place within the boundaries of the CSRM framework. Both the Internal Control Framework and the Enterprise Risk Management Framework are, in their philosophical essence, incorporated within the boundaries of CSRM. This CSRM Summary is a high-level security risk overview directed to NGIOA decision makers. Details about specific techniques and processes with clear security roles and responsibilities will be discussed individually with interested entities and organizations in person. While this framework, RG CSRM 2015, provides and promotes an independent and collective, integrated view of security risks in CGS, including its strengths, weaknesses and limitations, it is still a work in progress. It is open to constructive dialogue and analysis, to see where future enhancements can be made.
With the presumption that this CSRM proposal becomes accepted as a common ground for managing Cyber-Security risks in a digital global age, its key security risk concepts and terms should find their way into academic curricula and industry and government vocabulary across nations. With this security risk foundation in CGS proposed for mutual Cyberspace understanding and advancement, each NGIOA will be able to speak a common security risk language and communicate its independent and interdependent security risks more effectively and in a timely manner.

I look forward to your constructive comments.

Jayshree Pandya
Founder: Cyber-Security Risk Research Center at Risk Group
http://www.riskgroupllc.com
info@riskgroupllc.com
+ (832) 9718322