
COMP3357 Managing Cyber Risk

Richard Henson University of Worcester January 2018. COMP3357 Managing Cyber Risk. By the end of this module you should be able to:. Identify strategic, financial and operational benefits and issues of Cyber Risk Management


Presentation Transcript


  1. COMP3357 Managing Cyber Risk
     Richard Henson, University of Worcester, January 2018

  2. By the end of this module you should be able to:
     • Identify strategic, financial and operational benefits and issues of Cyber Risk Management
     • Review current and future trends of the technical and non-technical risks and aspects of Information Risk Management and security, including laws, regulations, and human factors
     • Analyse how firms can mitigate cyber risk and differentiate from competition to increase market share
     • Devise a risk assessment plan for an organisation, and use this to create a business continuity/disaster recovery plan

  3. Week 1 – Management of Information & Cyber Risk
     • Objectives:
       • Explain risk – qualitatively, in basic (human survival) terms
       • Explain risk to organisations – re. survival…
       • Explain the areas of organisational risk historically (pre digital processing)
       • Explain why security of information was often left off the organisation risk list, and consequences in the digital age…

  4. Risk and Survival
     • Human race survived millions of years
       • “survival of the fittest”
       • what does that mean?
     • Threats… to survival!
       • predators
       • lack of food & drink
       • lack of shelter

  5. Human Response to Threat?
     • Genetically based on…
       • trigger of chemicals (e.g. adrenalin)
       • “Fight or Flight”
     • Also based on organised behaviour:
       • find food & water sources
       • build a home

  6. Appropriateness of Adrenalin to humans in 21st century UK?
     • Survival much less about flight and fight, food and shelter
       • unless living on the street…
     • BUT human imagination (e.g. films/clever adverts) can make it seem that way!
     • In practice for most of us… survival is about 21st century parameters
       • enough money/assets
       • a reasonably well paid job

  7. Organisations and Survival
     • Like living things, organisations have to keep functioning adequately to survive
       • depends on inputs
       • If insufficient… liquidation… c.f. Carillion
     • Environment… affects activities… including inputs
       • business needs to react appropriately
       • or go into liquidation…

  8. Typical Risks to Organisations
     • Activities that could:
       • lose customers
       • lose suppliers
     • Faulty equipment
     • Unreliable/departing employees
     • Slow payment by customers
       • get into debt…

  9. Response?
     • Organisation doesn’t have adrenalin (!)
     • Up to management…
       • need to:
         • assess risk
         • protect against risk!

  10. How much is a Business Worth?
     • Based on…
       • equipment?
         • how assessed…
       • Profit?
         • how assessed…
       • People?
         • how assessed…
       • Systems?
         • how assessed…

  11. NfP (Not-for-Profit) Organisations
     • Charities
       • based on fund-raising!
       • if inputs insufficient can still be liquidated…
     • Public sector
       • based on providing service e.g. swimming, education, healthcare
       • threats to providing a safe swimming pool or school offering good education & pupil safety
       • liquidation less likely?

  12. Assets
     • Important part of worth (value) of an organisation
     • Value of Assets
       • market value of physical assets
       • human assets also important
       • as is year-on-year accounts
       • data not a physical asset… traditionally ignored!

  13. Loss of Data? No value, no risk?
     • Business always dependent on data…
       • often overlooked as an asset
       • unless “intellectual property”
     • If data not perceived as of value…
       • loss shouldn’t affect value/worth
       • “just” a matter of data protection
       • UK pre-2010… no fines, just warnings

  14. Management of Data
     • Important function in any organisation
       • loss or inappropriate processing bad
         • systems failure
         • breach of the law
         • threatens survival of organisation
       • functions involving handling information need to be risk assessed
       • improving systems has a cost…

  15. Management of Risk
     • Whether human (survival) or organisation survival…
       • need to identify the threats (threat agents)
       • need to adopt a strategy to deal with threats
     • Under threat because of weaknesses (vulnerabilities)
       • need to identify and mitigate vulnerabilities

  16. The Threats to organisational data…
     • Divides neatly into:
       • “internal”… employees
         • accidentally/deliberately exploit vulnerabilities
       • “external”… hackers
         • deliberately/accidentally exploit vulnerabilities

  17. What is a Data Breach?
     • Loss of organisational data to a 3rd party
     • Particular problem if:
       • financial data (FCA: severe penalties)
       • personal data (ICO: penalties)
       • sensitive data (ICO: big penalties)
       • intellectual property data (competitors could steal designs, etc.)

  18. Break

  19. Management of Security of Data
     • Important to:
       • identify risk agents, vulnerabilities of system that enable the threat
       • mitigate the threat
         • use IT professionals to close down the vulnerabilities
         • use HR to train employees so they don’t accidentally threaten data

  20. Management of Information Security
     • (Senior) Management…
       • used to the spoken or written word
       • often misconceptions about digital data…
         • e.g. what is data, what is information?
         • how do they relate to each other?
       • security of data may therefore not be given sufficient prominence… (!)
     • Result: digital data is often not properly managed. 2014 figures… …

  21. Types of Data used by Organisations (1)
     • Administration
       • internal use
       • information to government bodies
     • Customer & Supplier information
       • customer information PERSONAL
       • some customer information SENSITIVE
       • both protected through Data Protection Act

  22. Types of Data used by Organisations (2)
     • Transaction Information
       • regarded as financial data
       • protected by the Financial Conduct Authority
     • Management decision-making information
       • internal use only
     • System Data
       • internal use only

  23. Reasons to look after Data: 1. The Law
     • All UK organisations that hold data on people must register with the Information Commissioner's Office (ICO)
       • criminal offence not to do so…
     • Personal and sensitive data must be kept in accordance with eight principles of the Data Protection Act (1984, updated 1998)
       • not to do so can result in hefty fines
       • or even imprisonment

  24. Reasons to look after Data: 1. The Law - continued
     • Financial data also covered under the law, through the Financial Services Authority (FSA)… rebadged to become FCA in 2013
       • much more severe penalties than the ICO…
       • e.g. Nationwide fined in 2007
         • approx £1 million
       • e.g. HSBC fined in 2009
         • £ several MILLION
       • e.g. Zurich Insurance fined 2010
         • £ >1 million

  25. 1. The Law - continued
     • 2003: EU Privacy & Electronic Communications Regulation (PECR)
       • misuse of customer information for marketing purposes
     • 1990: Computer Misuse Act
       • unauthorised access to “computer material” is a criminal offence!
       • most convictions under DPA civil

  26. 2. Data losses do not look good for the business!
     • Depending on which data a business loses…
       • it may not be able to trade efficiently, or even at all!
       • worst case scenario: 10 days maximum to recover, or out of business!
     • If business data is stolen, they may ALSO lose trade secrets, customer image, supplier information, market share…

  27. Data Losses & not-for-profit organisations
     • Personal data may not be regarded as so important, other than in legal terms
       • hence the catastrophic sequence of errors that led to 25 million records being lost by HMRC in 2007
     • HOWEVER… customers do expect their personal/sensitive data to be safeguarded
       • increasing concern about privacy in recent years
       • source of great embarrassment if data lost

  28. Internal Data Losses
     • Well-meaning employees not following procedures and misusing data or allowing it to get into the wrong hands…
     • Employees or temps with bad intent…

  29. External (hacking…)
     • Inside people or business partners accessing data from outside, and either accidentally or on purpose, misusing it
     • People hacking in from outside, usually via the Internet

  30. Do “we” have a problem?
     • Perceptions “from the inside” quite different from “outside looking in”

  31. Fixing Data Security…
     • Basic management requirements…
       • identify risks, threats, vulnerabilities…
       • put together a top-level information security policy!!!
       • see to it that the policy is enforced throughout the organisation

  32. Risk, Threat, Vulnerability…?
     • Group Exercise…
       • what are the risks (to data)?
       • what are vulnerabilities (of system)?
       • what are threats (internal/external influences)?

  33. Start at the top… an Information Security Policy
     • Information is so important to organisations, security of information should be central to organisation’s strategic plan…
       • therefore part of organisational policy…
     • Problem: organisations (especially small ones) are very reluctant to do this…

  34. How can organisations be encouraged to have a policy?
     • Over to you again…

  35. An Information Security Policy
     • Fortunately, now becoming a commercial imperative for doing any on-line business with a credit card
       • thanks to recent PCI DSS guidelines…
       • other information assurance schemes require this (e.g. ISO27001, COBIT, IASME)
       • more rigorously enforced by ICO
     • ONCE the organisation has finally accepted that they need a policy, they should base it on existing organisational strategy
       • can then be implemented tactically and operationally through the organisational structure

  36. Stakeholders
     • A number of jobs involve security of data in one way or another, e.g.:
       • Data Controller (Data Protection Act)
       • Head of Personnel/HR
       • Department Heads (especially Finance)
     • Who should bear the responsibility/carry the can??
       • ISO27001 requirement…
       • http://www.iso.org/iso/home/standards/certification/home/standards/certification/iso-survey.htm

  37. Who are “stakeholders” in organisational Information Security?
     • Who should be responsible for what?
       • (no responsibility… no accountability)
     • Exercise again in groups…

  38. Differences between Public & Private Sectors?
     • Is there a difference regarding data?
     • If strategic business data is lost, with no back up
       • cannot do new business
       • cannot fulfil existing business
       • the business will fold
     • If public organisation data similarly lost
       • service level drops or becomes zero
       • people get angry, write to media
       • public sector body gets lots of bad publicity
       • system gets patched up and limps on
       • enquiry suggests deficiencies & changes to be made…

  39. Economics of Information Security
     • Academic research area
       • seeks to produce economic models for organisations to attribute value to data
     • Back to basics of Information Security:
       • Confidentiality – relationship between confidentiality & intrinsic value?
       • Integrity – very difficult to quantify
       • Availability – if loss of particular data:
         • causes system failure
         • puts the business temporarily out of business
         • must have intrinsic value

  40. Value of Business Data
     • More success to date with organisational data that affects business availability than with personal data…
       • can put a monetary value on loss to the organisation of e.g.
         • a day’s lost production
         • a 10% fall in share price
     • If 10000 customer details are leaked, who cares???
       • members of the public?
       • the Information Commissioner…
     • would this affect:
       • the business’s availability in the market place
       • the business’s share price?

  41. Moving forward…
     • Or catching up (!)
     • EU legislation comes into effect May 25th 2018
       • requires organisations to take a risk-based approach to privacy
       • new applications need to be risk assessed

  42. Further Research
     • Business-oriented recent white papers:
       • http://www.findwhitepapers.com/security/security
     • What SHOULD have happened as the 1998 DPA was implemented…:
       • http://management.silicon.com/government/0,39024677,11015799,00.htm
     • Information Commissioner’s current website – huge collection of documents:
       • http://www.ico.gov.uk
