To analyze a cyber risk you don’t need to be technical. But you need to identify some key elements. Here’s a mini-lesson that vaguely references a bad 1980s movie:
The more precisely you can identify these elements, the more useful your results will be.
Identifying what was affected by a breach helps in finding out what losses may have occurred.
“Data breaches” are a loss of “confidentiality”, which can have financial or psychological (and maybe even physical injury) impacts on anyone of interest.
Photo by Towfiqu barbhuiya on Unsplash
“The challenges were so quick I was able to do them in the time it took me to sip an espresso.” – IT Security Manager
Example: If the January crop reports were disclosed to insiders, they could make trades on “frozen concentrated orange juice” futures to beat the market.
“Unauthorized changes or transactions (scams)” are a loss of “integrity”, and can have immediate impacts that benefit the attacker.
Example: If the January crop reports were altered before being made public, insiders could manipulate the market in the other direction, for even greater impact.
Unexpected loss of access (e.g. ransomware) is a loss of “availability”, and can cost money for production systems.
Example: If the stock market trading computers were held for ransom, there would be chaos and lost transactions, and the ransom may need to be paid.
These aspects of asset value are key to understanding risks. Each risk has potentially different aspects and values to the owner and the attacker.
Threats can be from anyone, including insiders, but the method is most important to understand for risk analysis.
Example: An insider accesses the crop reports ahead of time by physically intercepting them, to learn which way the market will go, so they can do trades ahead of time, with confidence.
Did the attacker use a phishing attack, a scam phone call, an intercepted message, a forgery or a direct, technical attack that launched malware?
The method of protection that was exploited by the threat is the most important part of a cyber risk story.
Example: A courier with a briefcase chained to his arm containing the crop reports travels by train from the Department of Agriculture to the presentation venue.
What actually failed in protecting the asset? (Often, there can be more than one thing.)
Once you can describe these items, you can determine how risks can be reduced. In most cases, the risk is addressed by improving protection measures. Here is a challenge for you: think of a cyber risk story (from a bad movie or otherwise) and try to identify the assets, threats, and protection methods. Have fun!
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.