To analyze a cyber risk you don’t need to be technical. But you need to identify some key elements. Here’s a mini-lesson that vaguely references a bad 1980s movie:
The 3 key elements of cyber risk:
- The type of information, system or asset impacted
- The method of attack
- The protection measure that failed or was missing
The more precisely you can identify these elements, the more useful your results will be.
ASSETS IMPACTED
Identifying what was affected by a breach helps in finding out what losses may have occurred.
“Data breaches” are a loss of “confidentiality”, which can have financial or psychological (and maybe even physical injury) impacts on anyone of interest.
Photo by Towfiqu barbhuiya on Unsplash
Join our next 5-Day Challenge to experience something completely unique
“The challenges were so quick I was able to do them in the time it took me to sip an espresso.” – IT Security Manager
Example: If the January crop reports were disclosed to insiders, they could make trades on “frozen concentrated orange juice” futures to beat the market.
“Unauthorized changes or transactions (scams)” are a loss of “integrity”, and can have immediate impacts that benefit the attacker.
Example: If the January crop reports were altered before being made public, insiders could manipulate the market in the other direction, for even greater impact.
Unexpected loss of access (e.g. ransomware) is a loss of “availability”, and can cost money for production systems.
Example: If the stock market trading computers were held for ransom, there would be chaos and lost transactions, and the ransom may need to be paid.
These aspects of asset value are key to understanding risks. Each risk has potentially different aspects and values to the owner and the attacker.
THREATS
Threats can be from anyone, including insiders, but the method is most important to understand for risk analysis.
Example: An insider accesses the crop reports ahead of time by physically intercepting them, to learn which way the market will go, so they can do trades ahead of time, with confidence.
Did the attacker use a phishing attack, a scam phone call, an intercepted message, a forgery or a direct, technical attack that launched malware?
PROTECTION MEASURES
The method of protection that was exploited by the threat is the most important part of a cyber risk story.
Example: A courier with a briefcase chained to his arm containing the crop reports travels by train from the Department of Agriculture to the presentation venue.
What actually failed in protecting the asset? (Often, there can be more than one thing.)
YOUR CHALLENGE
Once you can describe these items, you can determine how risks can be reduced. In most cases, the risk is addressed by improving protection measures. Here is a challenge for you: think of a cyber risk story (from a bad movie or otherwise) and try to identify the assets, threats, and protection methods. Have fun!
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.
Cyber Security
Phishing Defense
Phishing threatens businesses and opens the door to ransomware. Fight phishing and spear phishing attacks with gamified learning.
Social Engineering Defense
Social engineering scams are a serious hazard to businesses. Fight back with Click Armor.
Cyber Security Awareness for Remote Workers
Home-based workers are vulnerable to cyber attacks. Build team immunity today.
Privacy and Compliance
PCI Compliance Awareness
When team members work in an environment where they may encounter cardholder data, they need to know what to do to protect it.
Gamified HIPAA Compliance Awareness
If your business is a supplier to a healthcare provider in the USA or Canada, your team needs to know what to do to protect Protected Health information (PHI).
Gamified Learning Platform
Active Awareness Platform
Experience the power of tailored gamified learning with Click Armor. Take your security awareness training to the next level.
