COMP3357 Managing Cyber Risk

Presentation transcript:

COMP3357 Managing Cyber Risk Richard Henson University of Worcester January 2017

By the end of this module you should be able to:
- Identify strategic, financial and operational benefits and issues of Cyber Risk Management
- Review current and future trends of the technical and non-technical risks and aspects of Information Risk Management and security, including laws, regulations, and human factors
- Analyse how firms can mitigate cyber risk and differentiate from competition to increase market share
- Devise a risk assessment plan for an organisation, and use this to create a business continuity/disaster recovery plan

Week 1 – Management of Information & Cyber Risk
Objectives:
- Explain risk – qualitatively, in basic (human survival) terms
- Explain risk to organisations – re. survival…
- Explain the areas of organisational risk historically (pre digital processing)
- Explain why security of information was often left off the organisation risk list, and consequences in the digital age…

Risk and Survival
- Human race survived millions of years
- “survival of the fittest” – what does that mean?
- Threats… to survival!
  - predators
  - lack of food & drink
  - lack of shelter

Human Response to Threat?
- Genetically based on… trigger of chemicals (e.g. adrenalin)
  - “Fight or Flight”
- Also based on organised behaviour:
  - find food & water sources
  - build a home

Appropriateness of Adrenalin in 21st century UK?
- Survival much less about flight and fight, food and shelter
  - unless living on the street…
- BUT human imagination (e.g. clever adverts) can make it seem that way!
- In practice… survival about keeping off the streets…
  - parents with enough money/assets
  - a reasonably well paid job

Organisational Risk
- Lose customers
- Lose suppliers
- Faulty equipment
- Unreliable/departing employees
- What about its data?

Valuing a Business
- Based on…
  - equipment? how assessed…
  - Profit? how assessed…
  - People?
  - Systems?

Analysing Organisational Risk
- Not all are businesses… not always about profit
- Many NfP (Not-for-Profit) charities based on fund-raising?
  - threats to “giving”
- Public sector based on service, e.g. swimming, education
  - threats to providing a safe swimming pool, or a school offering good education & pupil safety

That’s another fine mess… (!)
- Until recently, value of a business based on
  - assets
  - no/quality of customers/partners
  - Profit (and projections…)
- Assets? value = the market value of physical assets
  - data not a physical asset… ignored!

Loss of Data? No value, no risk?
- As data not perceived as of value… not even on the asset register (!)
- Business always dependent on data… somehow overlooked as an asset
- Digital data treated the same way (!!!)

Management of Information Security
- (Senior) Management... used to the spoken or written word
  - often misconceptions about digital data… e.g. what is data, what is information, and the relationship between the two
  - security of data may therefore not be given sufficient prominence... (!)
- Result: digital data is often not properly managed.
- 2014 figures… …

The Threats to organisations…
- Divides neatly into:
  - “internal”… employees
  - “external”… hackers

Types of Business Data (1)
- Administration
  - internal use
  - information to government bodies
- Customer & Supplier information
  - customer information PERSONAL
  - some customer information SENSITIVE
  - both protected through Data Protection Act

Types of Business Data (2)
- Transaction Information
  - regarded as financial data
  - protected by the Financial Service Authority
- Management decision-making information
  - internal use only
- System Data

Reasons to look after Data: 1. The Law
- All UK organisations that hold data on people must register with the Information Commissioner's Office (ICO)
  - criminal offence not to do so...
- Personal and sensitive data must be kept in accordance with eight principles of the Data Protection Act (1984, updated 1998)
  - not to do so can result in hefty fines or even imprisonment

Reasons to look after Data: 1. The Law - continued
- Financial data also covered under the law, through the Financial Services Authority (FSA)… rebadged to become FCA in 2013
- much more severe penalties than the ICO…
  - e.g. Nationwide fined in 2007 approx £1 million
  - e.g. HSBC fined in 2009 £ several MILLION
  - e.g. Zurich Insurance fined 2010 £ >1 million

2. Data losses do not look good for the business!
- Depending on which data a business loses… it may not be able to trade efficiently, or even at all!
- Worst case scenario: 10 days maximum to recover, or out of business!
- If business data is stolen, they may ALSO lose trade secrets, customer image, supplier information, market share…

1. The Law - continued
- 2003: EU Privacy & Electronic Communications Regulation (PECR)
  - Misuse of customer information for marketing purposes
- 1990: Computer Misuse Act
  - unauthorised access to “computer material” is a criminal offence!
  - most convictions under DPA civil

Data Losses & not-for-profit organisations
- Personal data may not be regarded as so important, other than in legal terms
  - hence the catastrophic sequence of errors that led to 25 million records being lost by HMRC
- HOWEVER… customers do expect their personal data to be safeguarded
  - increasing concern about privacy in recent years
  - source of great embarrassment if data lost

Internal Data Losses
- Well-meaning employees not following procedures and misusing data, or allowing it to get into the wrong hands…
- Employees or temps with bad intent…

External (hacking…)
- Inside people or business partners accessing data from outside, and either accidentally or on purpose, misusing it
- People hacking in from outside, usually via the Internet

Do “we” have a problem?
- Perceptions “from the inside” quite different from “outside looking in”

Fixing Data Security… Where to start?
- Identify risks, threats, vulnerabilities…
- Put together a top-level information security policy

Risk, Threat, Vulnerability…?
- Group Exercise…
  - what are the risks (to data)?
  - what are vulnerabilities (of system)?
  - what are threats (internal/external influences)?

Start at the top… an Information Security Policy
- Information is so important to organisations, security of information should be central to organisation’s strategic plan…
  - therefore part of organisational policy…
- Problem: organisations (especially small ones) are very reluctant to do this…

How can organisations be encouraged to have a policy?
- Over to you again…

An Information Security Policy
- Fortunately, now becoming a commercial imperative for doing any on-line business with a credit card
  - thanks to recent PCI DSS guidelines…
  - other information assurance schemes require this (e.g. ISO27001, COBIT, IASME)
  - more rigorously enforced by ICO
- ONCE the organisation has finally accepted that they need a policy, they should base it on existing organisational strategy
  - can then be implemented tactically and operationally through the organisational structure

Stakeholders
- A number of jobs involve security of data in one way or another, e.g.:
  - Data Controller (Data Protection Act)
  - Head of Personnel/HR
  - Department Heads (especially Finance)
- Who should bear the responsibility/carry the can??
- ISO27001 requirement… http://www.iso.org/iso/home/standards/certification/home/standards/certification/iso-survey.htm

Who are “stakeholders” in organisational Information Security?
- Who should be responsible for what? (no responsibility… no accountability)
- Exercise again in groups…

Differences between Public & Private Sectors?
- Is there a difference regarding data?
- If strategic business data is lost, with no back up:
  - cannot do new business
  - cannot fulfil existing business
  - the business will fold
- If public organisation data similarly lost:
  - service level drops or becomes zero
  - people get angry, write to media
  - public sector body gets lots of bad publicity
  - system gets patched up and limps on
  - enquiry suggests deficiencies & changes to be made…

Economics of Information Security
- Academic research area
  - seeks to produce economic models for organisations to attribute value to data
- Back to basics of Information Security:
  - Confidentiality – relationship between confidentiality & intrinsic value?
  - Integrity – very difficult to quantify
  - Availability – if loss of particular data:
    - causes system failure
    - puts the business temporarily out of business
    - must have intrinsic value

Value of Business Data
- More success to date with organisational data that affects business availability than with personal data...
  - can put a monetary value on loss to the organisation of, e.g.:
    - a day’s lost production
    - a 10% fall in share price
- If 10000 customer details are leaked, who cares???
  - Members of the public?
  - The Information Commissioner…
  - would this affect:
    - the business’s availability in the market place
    - the business’s share price?

Moving forward… Or catching up (!)
- EU legislation comes into effect 2018
  - requires organisations to take a risk-based approach to privacy a

Further Research
- Business-oriented recent white papers: http://www.findwhitepapers.com/security/security
- What SHOULD have happened as the 1998 DPA was implemented…: http://management.silicon.com/government/0,39024677,11015799,00.htm
- Information Commissioner’s current website – huge collection of documents: http://www.ico.gov.uk