Sure, every compliance and audit executive wants to manage cyber-security risks. That assumes, however, that everybody in your organization agrees on what a cyber-security risk is and how much it threatens you in the first place.
That lack of a basic cyber-risk vocabulary can be one of the biggest impediments to identifying cyber-threats—particularly for multinational companies, with their many different systems and processes. Everyone might agree on the types of data worth protecting, but they may not grasp every point of failure, and every type of failure, that might strike across the enterprise. The cyber-risk assessment, then, would fail.
Enter the cyber-security risk taxonomy.
“The taxonomy is a common language for talking about these risks,” says James Cebula, a technical manager at the Software Engineering Institute (SEI). Cebula co-authored a taxonomy of operational cyber-risks that groups the threats into four broad categories: actions of people; systems and technology failures; failed internal processes; and external events.
For compliance and audit professionals, the SEI’s taxonomy can at least provide a way to jumpstart the conversation on cyber-risk. Below is a look at each category, as well as potential points of failure that can arise under each one.
Surprising exactly no one, human behavior is the root of most cyber-risk. “The people aspect is a huge area of vulnerability across the board,” says Emily Mossburg, a principal at Deloitte’s cyber-risk services practice. The SEI taxonomy subdivides this category into risks such as deliberate or inadvertent actions, or not acting at all and failing to prevent a risk. That last category, inaction, typically occurs because of a lack of appropriate skills, knowledge, training, or guidance.
“Everyone needs to understand how security relates to the business and how the business can be impacted by various types of security risks that are out there,” says Greg Michaels, an associate managing director with Kroll’s Cyber Investigations Practice.
“System failures” are the risk that technology doesn’t perform as expected, whether that technology is hardware, software, or some integration of the two. A system failure is “generally the first thing that pops into people’s minds when talking about cyber-security risks,” Cebula says. Most members of the Data Breach Hall of Shame—Target, Home Depot, Neiman Marcus, Michaels Stores, and so on—fall into this category.
“In a number of those cases, a contributing factor had to do with the complexity of the systems, not having a complete understanding of how all the numerous components fit together,” Cebula says.
Cyber-risks posed by software failures, a subclass of systems failures, also create vulnerabilities. They can range from improperly configured software, to weak change management that lets the wrong people update software or change settings, to improper security settings that might be too lax or too strict.
The increasing integration and complexity of systems also pose a growing risk. “As systems grow larger and more inter-connected, this is becoming a larger area of concern in cyber-security risk,” Cebula says. Companies increasingly use third parties or cloud providers, for example, to handle certain functions; the integration of the third party’s systems into your own is often overlooked.
Take Target as a real-world example. Data thieves executed their huge attack against the retailer by gaining access through an HVAC contractor who billed Target electronically. That let the hackers infiltrate Target’s financial department, and from there they reached the point-of-sale card readers at cash registers.
TAXONOMY OF OPERATIONAL CYBER-SECURITY RISKS
Below is a summary of the “Taxonomy of Operational Cyber Security Risks” published by the Software Engineering Institute, a unit of Carnegie Mellon University.
Class 1: Actions of People. Actions of people describe a class of operational risk characterized by problems caused by the action taken or not taken by individuals in a given situation. This class covers actions by both insiders and outsiders. Its supporting subclasses include inadvertent actions (generally by insiders), deliberate actions (by insiders or outsiders), and inaction (generally by insiders).
Class 2: Systems and Technology Failures. Systems and technology failures describe a class of operational risk characterized by problematic abnormal or unexpected functioning of technology assets. Its supporting subclasses include failures of hardware, software, and integrated systems.
Class 3: Failed Internal Processes. Failed internal processes describe a class of operational risk associated with problematic failures of internal processes to perform as needed or expected. Its supporting subclasses include process design or execution, process controls, and supporting processes.
Class 4: External Events. External events describe a class of operational risk associated with events generally outside the organization’s control. Often the timing or occurrence of such events cannot be planned or predicted. The supporting subclasses of this class include disasters, legal issues, business issues, and service dependencies.
Source: Software Engineering Institute.
“Oftentimes with security incidents that we investigate, or breaches that we help client organizations with, we see that if the third party has a breach, it affects the client organization as well,” Michaels says. Doing basic due diligence on third parties that store information on behalf of the company, or that have access to its systems, is important, he says.
That first requires having a firm grasp on what information the company is outsourcing, and to whom it’s outsourcing its information, “and making sure that third party has appropriate controls in place is critically important,” Mossburg says.
Failed Internal Processes
Failed internal processes happen in the design or execution of those processes. You might have insufficient definition or understanding of stakeholder roles and responsibilities, or inadequate methods to alert you to a potential problem or to escalate that problem to the right people. Then there is the “dropping the ball” risk of inefficiently handing off a task from one person to another.
All those risks demand well-crafted procedures to reduce the chance of mistake. Ask: When something happens, what are the appropriate steps to take? Is the incident response team skilled and conversant in the right procedures? Are the proper procedures in place to deter an incident? Is that team equipped and prepared to respond? “Those all have to do with process design and execution,” Cebula says.
External events are, generally, the easiest to understand. The most visible example is the case of Sony, attacked by North Korean agents to protest the movie studio’s distribution of “The Interview.” Other examples are data thieves stealing valuable information for resale, or holding your data hostage in a ransomware attack.
The broader lesson that Sony’s situation spotlights is that external cyber-risks are unique to each company. (For example, no other company is likely to face a Sony-style attack unless it too releases a film that tweaks North Korea’s dictatorial leader, Kim Jong-Un.)
One point to consider, Mossburg says, is, “Who may be interested in gathering intelligence about your organization? Do you have in place the people, processes, and technology to protect against those threats?”
Using a cyber-security taxonomy to diagnose your risks is a good starting point. Then comes the harder task of ranking those risks in the proper order. Your most valuable data might vary by industry sector (in defense, it might be those plans for a new guidance system; in healthcare or finance, it’s customers’ personal data); systems and processes used to manage that data will vary company by company.
Once your risks are in a rough priority order, you can have a more productive discussion with senior leadership on the need to invest in internal controls or monitoring and detection tools. The conversation starts to sound more like a request to invest in specific functions, to support specific business processes and data that deliver X amount of data to the company, which is a much more productive dialogue with the board or the CEO than pleas for more cash to help fight data breaches.
“It’s important for organizations to find an approach that’s manageable to them,” Michaels says. If you try to take an all-encompassing assessment of cyber-risks, “it’s going to be very difficult to manage,” he says. A workable roadmap, in contrast, helps a company to start making changes that help minimize cyber-risk.