Risk Management

Full Title

Much of life is simply Risk Management, It is essential to survival of any organization even though it is not the primary goal, it is the bedrock of continued existence.

Context

Risk Management consists of risk evaluation based on assets that need protection. In any transaction there are at least two points of view, that of each party to the transaction, For identity risk management we will be addressing the points of view of the user and of the web site, also known (in the GDPR) as the Principal and the PII Controller.

• Threat Modeling provides the core data needed for Security Risk evaluation.
• Privacy Risk
• Conduct Risk

This usage is measured in risk that is associated with the access of assets that is provided over the internet. When it is important to separate physical risk management from digital risk management the term Cyber or Cybersecurity Risk Management may be used.

Problems

Before Risk can be managed, it must be possible to determine the likelihood of an event and the apply costs and Risk Tolerance to determine if the risk is acceptable or must be mitigated.^[1] The challenge is the Risk Assessment itself when not all of the factors are known or even constant. Still some estimate is required before a decision can be made.

Cost

• The Risk is typically measured by the likelihood of a breach times the cost of the breach.
• An alternate measure is to look at similar enterprises and measure the cost of breaches in those simply situations.
• Banking has in many ways the easiest measures as there is a history of losses by a range of categories so a measure of risk is actually fairly easy to gage, at least for old techniques. Even for new techniques the historical data can help to create a risk metric. For example Ross Anderson and his grad students have created an extensive inventory of cybercrime costs.

Solutions

• It is important for enterprise risk management that the Board of Directors (or governance) are fully committed to the security of the enterprise.
• A good reference is for the World Economic Form Principles for Board Governance of Cyber Risk 2021-03-23.

Static Evaluations

The most common form of static evaluation is to score the enterprise on NIST 800-171 compliance. This was required by the US DoD in 2020.

Dynamic Evaluations

Two kinds of dynamic evaluations are considered:

1. Evaluations of security logs kept within the enterprise, commonly called Security Information and Event Management or SIEM,
2. Evaluations of attacks directly on the internet, possibly by monitoring traffic on the dark web, among other measures.

Government Support

• NATIONAL RISK MANAGEMENT CENTER (NRMC) run by the US CISA (CYBERSECURITY & INFRASTRUCTURE SECURITY AGENCY)

  As the Agency’s center for collaborative risk management, the NRMC works closely with the critical infrastructure community to identify and analyze the most significant risks to our Nation, and strategically manage resiliency and security efforts to “Secure Tomorrow”. Staying ahead of evolving cyber and physical threats depends on a unified effort. The NRMC is committed to working with the private sector, facility operators/owners, all levels of government, and the public to protect our way of life.

Reference

1. ↑ Guy Carpenter, Risk Profile, Appetite and Tolerance Marsh McLennan https://www.guycarp.com/insights/2009/04/risk-profile-appetite-and-tolerance-fundamental-concepts-in-risk-management-and-reinsurance-effectiveness/