Cybersecurity Risk Management - Dubex · Develops international IS audit and control standards...

Date post: 27-Jun-2018

Cybersecurity Risk Management

Peter Frøkjær, MBA, CISM, CISSP, CEH, CCNP

Products and Solutions Security Officer

@: [email protected]

In: dk.linkedin.com/in/froekjaer/

Phone: +45 6155 2021 / +1 530 683 5388

Unrestricted

About ISACA

Founded in 1969; non-profit, independent association that helps members achieve greater trust in, and value from, their information systems

Has more than 140,000 constituents in 200 countries and more than 190 chapters worldwide

Sponsors international conferences and education

Publishes original research

Develops international IS audit and control standards

Offers CISA, CISM, CGEIT and CRISC certifications

Developed and continually updates the COBIT, Val IT and Risk IT frameworks, as well as the IT Assurance Framework and Business Model for Information Security

isaca.org

Risk: A Balance Is Essential

• Risk and value are two sides of the same coin.

• Risk is inherent to all Businesses.

Enterprises need to ensure that opportunities for value creation are not missed by trying to eliminate all risk.

Risk Analysis Definitions

Asset:

An asset is any tangible or intangible thing or characteristic that has value to an organization. There are many types of assets. Some of these include obvious things like machines, facilities, patents, and software. But the term can also include less obvious things like services, information, and people, and characteristics like reputation and image or skill and knowledge.

Threat:

Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm; a potential cause of an unwanted incident.

Vulnerability:

A vulnerability is a weakness in an asset or group of assets. An asset's weakness could allow it to be exploited and harmed by one or more threats.

Risk:

Risk is the combination of the probability of an event and its consequence. (ISO/IEC 73)

Risk is the probable frequency and probable magnitude of future loss. (FAIR)

Probabilities are derived from the combination of threat, vulnerability, and asset characteristics.

RI$K – Set the scene

Factor Analysis of Information Risk (FAIR)


fairwiki.riskmanagementinsight.com

Now, identify the following components within the scenario. What were the:

• Threats: The earth and the force of gravity that it applies to the tire and rope

• Vulnerabilities: The frayed rope

• Asset: The bald tire

• Risks: Very low

Manage Risks

Top 10 Business Risks globally by AON – 2015:

1. Damage to reputation/brand

2. Economic slowdown/slow recovery

3. Regulatory/legislative changes

4. Increasing competition

5. Failure to attract or retain top talent

6. Failure to innovate/meet customer needs

7. Business interruption

8. Third-party liability

9. Computer crime/hacking/viruses/malicious code

10. Property damage

2015-Global-Risk-Management-Report-230415.pdf

Some of the Risks

• Financial risk

  • Company's ability to manage its debt and financial leverage

• Business risk

  • Company's ability to generate sufficient revenue to cover its operational expenses

• Cyber risk (Business & Financial risk)

  • Company's activities online, internet trading, electronic systems and technological networks, as well as storage of personal data, IP etc.

Manage and Capitalize on Business Risk

• Enterprises achieve return by taking risks.

Cyber/IT Risk – Where to look?

Everywhere in the value chain!

Cross all silos!

Cyber/IT Risk – Where it’s a little different

[Diagram labels: Exploitability, Cyber Threats, Best Practices, Legislation/Compliance, Residual risk after mitigation]

Risk Identification and Assessment

FAIR (Factor Analysis of Information Risk): Exposure * Exploitability

Based on business impact such as: service deliverables, brand impact, financial impact etc.
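As an added example (not from the slides), the FAIR definition used in this deck, risk as probable frequency times probable magnitude, carried into a small Monte Carlo. The tire-swing figures and the web-application scenario are constructed assumptions for illustration.

```python
"""FAIR-style quantification: risk = probable loss event frequency x probable
loss magnitude.  Added example, not part of the original slides."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Each factor is a (min, most_likely, max) calibrated estimate."""
    name: str
    tef: tuple    # Threat Event Frequency: threat acts against the asset, per year
    vuln: tuple   # Vulnerability: probability a threat event becomes a loss event
    loss: tuple   # Loss Magnitude: cost of one loss event, in currency units


def point_estimate(s: Scenario) -> float:
    """Most-likely annualised loss: LEF = TEF * Vuln, ALE = LEF * LM."""
    lef = s.tef[1] * s.vuln[1]
    return lef * s.loss[1]


def simulate(s: Scenario, trials: int = 10_000, seed: int = 7) -> dict:
    """Monte Carlo over triangular distributions of the three factors; the
    percentiles express the 'probable' in the FAIR definition."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible

    def draw(bounds):
        lo, mode, hi = bounds
        return rng.triangular(lo, hi, mode)

    annual = sorted(draw(s.tef) * draw(s.vuln) * draw(s.loss) for _ in range(trials))

    def pick(p):
        return annual[min(int(trials * p), trials - 1)]

    return {"p10": pick(0.10), "p50": pick(0.50), "p90": pick(0.90),
            "mean": sum(annual) / trials}


# Constructed inputs.  The tire swing is the deck's own scenario (gravity as threat,
# frayed rope as vulnerability, bald tire as asset); the numbers are illustrative.
TIRE_SWING = Scenario("tire swing", tef=(50, 200, 400), vuln=(0.001, 0.01, 0.05), loss=(2, 10, 30))
# Constructed cyber scenario: a customer-data store reachable through a web application.
WEB_APP = Scenario("web app data store", tef=(1, 4, 12), vuln=(0.05, 0.2, 0.5),
                   loss=(10_000, 50_000, 250_000))

if __name__ == "__main__":
    for s in (TIRE_SWING, WEB_APP):
        r = simulate(s)
        print(f"{s.name}: most likely {point_estimate(s):,.0f}; "
              f"p10 {r['p10']:,.0f}  p50 {r['p50']:,.0f}  p90 {r['p90']:,.0f}")
```

The percentile spread, not the single most-likely figure, is what lets the "very low" rating of the tire swing be compared with a business scenario on the same scale.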

Guiding Principles of a Risk program

Always connect to enterprise objectives.

Align the management of Cyber-related business risk with overall enterprise risk management.

Balance the costs and benefits of managing risk.

Promote fair and open communication of Cyber risk.

Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels.

Understand that this is a continuous process and an important part of daily activities.

Thank You – Q&A

[Diagram: Event Enrichment. Security event sources (AV, Auth, WAF, DLP, AD, WLAN, DPI, URL, FW, IDS, VPN, MDM, uVM, SB, AI) feed an Aggregation stage and are enriched with Location, Identity, Division, Business, Data Value, Asset Value, Geo Info, Regulation, CIRC, NCC, SCC, Threats, Incidents, Assets and GRC context; resulting Security Events are rated Low / Med / High]

References / Links

The current threat landscape

Cyber Kill Chain

Deconstructing The Cyber Kill Chain

Advanced persistent threat – defined

Verizon Data Breach Investigations Report

Mandiant Reports

Symantec Security Response Publications

Trustwave Global Security Report 2014

Secret Service Downloads

US CERT

EU CERT

OWASP Top 10

OWASP ESAPI for PHP: Strong, Simple Security Controls for PHP Developers

SANS - Critical Security Controls

Hackmageddon, 1-15 December 2014 Cyber Attacks Timeline

SC Magazine UK - Top 10 issues in IT security for 2014

National Vulnerability Database

PCI DSS v3
