Cybersecurity is a field that protects the confidentiality, integrity, and availability of digital information. We are now at a point where we are dependent on digital information to keep our records, communications, and transactions thorough, efficient, accessible, and neat in operations of all sectors – business, retail, government, commerce, healthcare, and personal. Without digital technology, we cannot operate in our organizations in any modern, relevant way. The technology landscape is evolving at such a broad and fast pace, and the risks that appear in doing so are becoming endless. In this article, we will cover several generic cyber risk scenarios that can be used to identify scenarios specific to your organization.
- Data Loss & Theft
This means losing control of the data in your organization. This is the most notorious scenario. It is considered a loss even if the data is actually not lost and still exists in your system and you know where it is. The “loss” is that the data ends up in more places than originally planned. There could be many threat actors in this scenario, but the typical threat actors occur both inside and outside the organization. Insiders will have special privileges and the employees that have broken through the control environment will have access. Outsiders will have special skills. Most cybercrimes on organizations done by outsiders occur by organized criminal groups looking to illegally gain money. In addition, cyber crimes can be done by hacktivists, who are typically low-to-medium-skilled but are politically motivated. You can further divide data loss & theft types into more categories. If you are managing a financial organization, an additional data loss and theft type of people would be relatives of customers taking advantage of their information, and while they are not skilled, they can easily have unauthorized access. Lastly, we cannot forget that human errors occur as well. In frequency assessments, both malicious acts and errors should be captured.
- Business Disruption
Here, we mean the downtime that occurs in information systems because it disrupts the supported businesses. Threat actors that can perpetuate these outages should be identified, as well as their motivations. As with the Data Loss & Theft scenario, the actors and motivations will be similar in that this scenario can occur by internal and external actors as well as through accidental or malicious actions. Usually, intentional, malicious attacks tend to be rarely done by internal members. Articulating the dollars of the outage will be very highly dependent on the business processes to which the outage is associated with, so it is important to include the business partners from those areas when assessing losses.
- Data Manipulation
This is an integrity risk scenario. This scenario is the risk associated with both unauthorized manipulation or accidental manipulation. It is both the student hacking into their school to try to turn a “C” into an “A,” amd the administrative staff accidentally keying it in incorrectly. In either case, the integrity of the data is compromised, and would thus be considered a loss. The controls to protect the two types of situations would be different, where the first situation would call for unauthorized access controls and the second situation would call for data validation controls. However, in the “data manipulation” scenario group, corrupted data is not included. Corrupted data better fits in the business disruption scenario.
Fraud is an availability issue. The logic behind that is, “If I steal your money or inventory, you do not have it anymore. It is unavailable to you.” When assessing fraud, it is crucial to ensure you measure the replacement cost when assessing the monetary value of impacts. Fraud can occur by both internal and external actors as well.
To apply cyber risk scenarios to your organization, the level and preciseness of the subcategories matters a great deal. It is important to note that IT professionals inherently think about risk at the resource or asset level, which is the server or database level. However, when it is time to integrate these asset-level risk scenarios with the rest of the organization, this intersection occurs at the application level, where certain applications are used as part of certain business processes in addition to other things done in their process. This awareness is important in constructing risk statements, where it articulates fully the responsibilities of the IT asset owner and the business process owner.
Cyber risk holds such a large place in any operational risk register. To manage cyber risk and integrate it into the overall operational risk framework, cyber and operational risk expertise must be partnered well.
A Risk Management Program is Important For Any Organization
To learn more, Contact a LIFARS Security Expert Today
Email:firstname.lastname@example.org | Call us at:(212) 222-7061
Freund, Jack. “Cyber Security and Technology Risk.” Operational Risk Perspectives: Cyber, Big Data, and Emerging Risks, Risk Books, 2016, pp. 25-46