To analyze a cyber risk you don’t need to be technical. But you need to identify some key elements. Here’s a mini-lesson that vaguely references a bad 1980s movie:
[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row column_structure=”1_2,1_2″ _builder_version=”4.16″ custom_padding=”5px||8px|||” global_colors_info=”{}”][et_pb_column type=”1_2″ _builder_version=”4.16″ global_colors_info=”{}”][et_pb_text _builder_version=”4.16″ text_font_size=”20px” text_line_height=”1.8em” header_2_line_height=”1.4em” min_height=”582px” global_colors_info=”{}”]The 3 key elements of cyber risk:
- The type of information, system or asset impacted
- The method of attack
- The protection measure that failed or was missing
The more precisely you can identify these elements, the more useful your results will be.
ASSETS IMPACTED
Identifying what was affected by a breach helps in finding out what losses may have occurred.
“Data breaches” are a loss of “confidentiality”, which can have financial or psychological (and maybe even physical injury) impacts on anyone of interest.
[/et_pb_text][/et_pb_column][et_pb_column type=”1_2″ _builder_version=”4.16″ global_colors_info=”{}”][et_pb_image src=”https://clickarmor.ca/wp-content/uploads/2022/04/towfiqu-barbhuiya-em5w9_xj3uU-unsplash-scaled-1.jpg” alt=”Cyber risks in 1980s movies” title_text=”towfiqu-barbhuiya-em5w9_xj3uU-unsplash” align=”center” _builder_version=”4.23.1″ _module_preset=”default” module_alignment=”center” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″][/et_pb_image][et_pb_text _builder_version=”4.23.1″ _module_preset=”default” hover_enabled=”0″ sticky_enabled=”0″]Photo by Towfiqu barbhuiya on Unsplash
[/et_pb_text][et_pb_cta title=”Join our next 5-Day Challenge to experience something completely unique” button_url=”https://clickarmor.ca/challenge-registration” button_text=”Sign Up For Free” _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”]“The challenges were so quick I was able to do them in the time it took me to sip an espresso.” – IT Security Manager
[/et_pb_cta][/et_pb_column][/et_pb_row][et_pb_row _builder_version=”4.16″ custom_padding=”8px|||||” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}”][et_pb_text _builder_version=”4.16″ text_font_size=”18px” text_line_height=”1.8em” header_2_line_height=”1.4em” min_height=”107px” global_colors_info=”{}”]Example: If the January crop reports were disclosed to insiders, they could make trades on “frozen concentrated orange juice” futures to beat the market.
“Unauthorized changes or transactions (scams)” are a loss of “integrity”, and can have immediate impacts that benefit the attacker.
Example: If the January crop reports were altered before being made public, insiders could manipulate the market in the other direction, for even greater impact.
Unexpected loss of access (e.g. ransomware) is a loss of “availability”, and can cost money for production systems.
Example: If the stock market trading computers were held for ransom, there would be chaos and lost transactions, and the ransom may need to be paid.
These aspects of asset value are key to understanding risks. Each risk has potentially different aspects and values to the owner and the attacker.
THREATS
Threats can be from anyone, including insiders, but the method is most important to understand for risk analysis.
Example: An insider accesses the crop reports ahead of time by physically intercepting them, to learn which way the market will go, so they can do trades ahead of time, with confidence.
Did the attacker use a phishing attack, a scam phone call, an intercepted message, a forgery or a direct, technical attack that launched malware?
PROTECTION MEASURES
The method of protection that was exploited by the threat is the most important part of a cyber risk story.
Example: A courier with a briefcase chained to his arm containing the crop reports travels by train from the Department of Agriculture to the presentation venue.
What actually failed in protecting the asset? (Often, there can be more than one thing.)
YOUR CHALLENGE
Once you can describe these items, you can determine how risks can be reduced. In most cases, the risk is addressed by improving protection measures. Here is a challenge for you: think of a cyber risk story (from a bad movie or otherwise) and try to identify the assets, threats, and protection methods. Have fun!
[/et_pb_text][et_pb_button button_url=”https://clickarmor.ca/trial” button_text=”Book a free trial of Click Armor to start strengthening your security culture” button_alignment=”center” _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][/et_pb_button][et_pb_text _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”]
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.
[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}”][et_pb_post_nav prev_text=”Previous Post” next_text=”Next Post” _builder_version=”4.16″ title_text_color=”#ffffff” background_color=”rgba(14,79,136,0.68)” custom_padding=”5px|10px|5px|10px|true|true” border_radii=”on|4px|4px|4px|4px” border_width_all=”1px” global_colors_info=”{}”][/et_pb_post_nav][/et_pb_column][/et_pb_row][/et_pb_section]