ISF Congress Post 5: Expect the worst; Operational risk quantification process

Expect the worst case;

Approach for quantifying operational risks – special focus on cyber security risks

Presentation by Hanno Lenz for the ERGO Insurance group

ERGO splits risk management into three categories / lines of defence;

  • Risk Taker (Owner) – Business line
  • Risk Controller – Risk Management
  • Independent Assurance – Internal Audit

 

This is then further split into lines of business and risk categories (strategic risks, market and credit risks, operational risks, liquidity risks, reputational risks).

This presentation had some excellent graphics highlighting their risk process: how they move from threats to risks, how to assess the probability and the impacts, and then the actual risk. This process is outlined below.

 

They created this Security and Continuity Risk management model;

[Image: Screen Shot 2013-11-04 at 09.38.08, Security and Continuity Risk management model]

This model for working through from threats to the actual risks;

[Image: Screen Shot 2013-11-04 at 09.39.15, model for working from threats to risks]

The process they follow from threat to actual business risk and impact is outlined in the diagrams below.

Assessing the Probability of the threat occurring;

[Image: Screen Shot 2013-11-04 at 09.42.44, assessing probability]

Assessing the Impact should the risk occur;

[Image: Screen Shot 2013-11-04 at 09.44.35, assessing impact]

And finally, working out the actual risk by combining the probability with the impact;

[Image: Screen Shot 2013-11-04 at 09.46.09, combining probability and impact into the actual risk]

 

I think this provides a very good, easy to understand overview of a relatively simple and workable risk assessment process.

Remember, in order to make any risk assessment process successful and for the results to be worthwhile, you need to ensure the input data is as accurate as possible, and also that the analysis is performed by people with the relevant expertise.

For the inputs, ensure you consult with the business streams and have an in-depth understanding of the organisation: its IT structure, where the data and applications are, the number of employees, office locations etc. Also ensure you have engaged with the BCM teams to understand recovery requirements and plans, recovery costs, degree of outsourcing etc.

For the outputs, as well as the IT security and BCM teams, ensure you have the right experts for creating realistic examples and actual security scenarios, for estimating the cost of the risk should it occur, and also experts in mathematical modelling so that the results are modelled correctly and are not just estimates.

K

ISF congress post 2: Communicating information security value to the business

Communicating information security value to the business using words and pictures.

Presentation by Steve Jump from Telkom SA SOC ltd.

I have high hopes for the usefulness of this talk as we all seem great at explaining and discussing security issues with other security and technical people, but fairly terrible at getting the board and other business people to understand the issues and importance of remediating them!

 

Steve highlighted at the start that this is a work in progress, but it is already proving useful.

If you are trying to obtain budget for upcoming initiatives, you need to get the board on board and ensure they understand the risks from a business standpoint.

  • Why business gets turned off by security
    • Too much shouting about risks, creating policies and standards, more talking about risks – who is looking at your data (criminals, governments, hacktivists), where is your data, more standards and policies
  • What the business actually wants (and needs) to talk about
    • What do these threats mean to my business?
    • Why should I worry?
    • How does this affect the bottom line?
    • What happens if I ignore you? (e.g. is the cost of doing nothing lower than the cost of fixing the issue?)
    • Can you put a value on that?
    • If I do ignore you, will anyone notice?
  • It's all in the words we use;
    • Business Impact Taxonomy!

 

Regulatory

  • Non-compliance with legislation, risk of fines, prosecution etc.

Fraud

  • Illegal access to information leading to fraud, Identity theft, mis-representation, corrupt practices, banking and card fraud etc.

Theft

  • Theft of information or revenue, direct theft of assets

Service Availability

  • Service denial or interference

Business Agility

  • Prevention of business growth and reduced opportunity for profit due to reduced agility of systems and increased need to deliver custom protection of solutions.

Reputation

  • Loss of business reputation resulting from information loss or device interruption resulting in loss of credibility with customers and investors.

 

So that’s all the jargon sorted out?

Think of creating threat cubes – they have a LOT more words than this and are technical.

So how do we bridge the gap between the jargon and output from threat analysis etc. and a simple taxonomy the business can understand, relate to and use in budget and planning discussions?

 

Add pictures!

One for each of the six words in the simple taxonomy;

 

Warning triangle – Regulatory

Credit card – Fraud (may need to be different for you if you work in a PCI environment as this may get confused with the regulatory one)

Money Bag – Theft

Road block sign – Service availability (things with this could impact our ability to do business)

Rocket ship – Business agility – faster, innovative

Happy / sad masks – Reputation

 

So the taxonomy now has words and images for each item.

So when you create a threat cube or other form of threat analysis you can then relate each item on the list back to one or more of the taxonomy words and images – images can be added to aid understanding.  For reporting, each should be mapped to the main area it impacts.

 

How this works in practice;

  • Formal Information Security Risk assessment process
    • Assess solution, change, product or service against technical business threat models
    • Identify key threats, recommend mitigations and evaluate impact of residual threats
  • Summarise business impact in business terms
    • Use six key business impact areas to describe and prioritise impact areas
    • Use business impact icons in formal / technical risk assessment (in body text and headings) to ensure continuity
  • Technical risk assessment and Business risk owners still work in different areas
    • Icons bridge experience and jargon barriers
    • Technical designers and security specialists understand business drivers
    • Business owners understand where technical short cuts will affect overall risk model

 

 

The chosen icons work on Mac and Windows as standard keyboard shortcuts, so they should work across most businesses using Word / PDFs / spreadsheets etc.

For larger threats, use more icons: one, two or three icons depending on whether the issue size is low, medium or high.

For reference, the symbols used to represent the 6 areas;

Fraud 1F4B3 <Alt-X>

Regulatory 26A0

Theft 1F4B0

Service Availability 1F6A7

Business Agility 1F680

Business Reputation 1F3AD

If the Unicode character is used (Win7/8: type the code, then press Alt-X) it will display automatically if the font is Segoe UI Symbol on Windows (Word/Excel/PowerPoint/Outlook), or as an emoji font on OS X, iOS and Android.
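As an added example (not from the original post or from Telkom SA), here is a small Python script that maps constructed threat-analysis findings onto the six taxonomy areas, using the Unicode code points listed above and the one/two/three-icon low/medium/high scale; the finding format and the roll-up to the worst severity per area are assumptions.

```python
# Added example: render threat-analysis findings in the six-word business
# impact taxonomy. Icons are the code points given in the post; the finding
# records and the per-area roll-up are assumptions made for this example.

# Taxonomy word -> Unicode character (the hex code is what you type before Alt-X)
ICONS = {
    "Fraud": "\U0001F4B3",                 # 1F4B3 credit card
    "Regulatory": "\u26A0",                # 26A0  warning triangle
    "Theft": "\U0001F4B0",                 # 1F4B0 money bag
    "Service Availability": "\U0001F6A7",  # 1F6A7 road block sign
    "Business Agility": "\U0001F680",      # 1F680 rocket ship
    "Business Reputation": "\U0001F3AD",   # 1F3AD happy / sad masks
}

# One, two or three icons for low, medium or high issue size
SEVERITY = {"low": 1, "medium": 2, "high": 3}


def icon_string(area, severity):
    """Return the icon repeated once per severity level for the given area."""
    if area not in ICONS:
        raise ValueError(f"not a taxonomy area: {area}")
    return ICONS[area] * SEVERITY[severity]


def report_lines(findings):
    """One line per finding, icon(s) first so the business reader sees the area at a glance."""
    return [f"{icon_string(f['area'], f['severity'])} {f['area']}: {f['threat']}"
            for f in findings]


def summarise(findings):
    """Roll findings up to the main area each impacts, keeping the worst severity per area."""
    worst = {}
    for f in findings:
        area = f["area"]
        if SEVERITY[f["severity"]] > SEVERITY.get(worst.get(area), 0):
            worst[area] = f["severity"]
    return {area: icon_string(area, sev) for area, sev in worst.items()}


# Constructed sample findings (hypothetical, not taken from the post)
FINDINGS = [
    {"threat": "Unpatched internet-facing web server", "area": "Service Availability", "severity": "high"},
    {"threat": "Shared admin password on payment gateway", "area": "Fraud", "severity": "medium"},
    {"threat": "Unencrypted backup tapes stored off site", "area": "Regulatory", "severity": "medium"},
    {"threat": "Customer data on those same tapes", "area": "Business Reputation", "severity": "low"},
    {"threat": "Single power feed to the server room", "area": "Service Availability", "severity": "low"},
]

if __name__ == "__main__":
    print("\n".join(report_lines(FINDINGS)))
    for area, icons in summarise(FINDINGS).items():
        print(f"{icons} {area}")
```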

 

It will be interesting to test this method out at work to see if it helps get engagement from the board and wider business. This definitely seems like a good idea, and anything that will help engage and lead to greater understanding of security issues has to be worth a try!

It would be great to hear from anyone who is trying this method, or a similar one, in their business.

K