Cyber Risk Management Basics & The Human Element Flashcards

1
Q

What is Risk in a cyber security context?

A

In a cybersecurity context, risk refers to the potential for loss, damage, or harm to an organisation’s assets, operations, or reputation due to a cyber threat exploiting a vulnerability. It is the likelihood that a particular threat will successfully exploit a vulnerability and the impact that this would have on the organisation.

Cybersecurity risk is often evaluated as a combination of three key factors:

  1. Threat: A potential cause of an unwanted incident, which may result in harm to a system or organisation. Threats can come from various sources, including cybercriminals, nation-states, insiders, natural disasters, or technical failures.
  2. Vulnerability: A weakness or flaw in a system, process, or control that could be exploited by a threat. Vulnerabilities can exist in software, hardware, configurations, or human processes.
  3. Impact: The potential consequences or severity of damage that could result from a successful exploitation of a vulnerability. This could include financial loss, operational disruption, data breaches, legal penalties, or reputational harm.

The overall risk in cybersecurity is often expressed as the product of the likelihood of an event occurring (threat exploiting a vulnerability) and the severity of its impact:

Risk = Likelihood × Impact

Organisations assess cybersecurity risks to prioritise their security efforts, allocate resources effectively, and implement appropriate controls to mitigate potential threats. This process often involves:

  • Risk Assessment: Identifying and evaluating risks to determine their potential impact and likelihood.
  • Risk Mitigation: Implementing measures to reduce the likelihood of a threat or the impact of an incident.
  • Risk Acceptance: Acknowledging a certain level of risk that is acceptable to the organisation, given the cost of mitigation versus the potential impact.
  • Risk Transfer: Shifting the risk to another party, such as through insurance or outsourcing certain functions.
  • Risk Avoidance: Taking steps to avoid engaging in activities that would expose the organisation to certain risks.

Understanding and managing risk is fundamental to a robust cybersecurity strategy, as it helps organisations protect their critical assets and maintain business continuity in the face of evolving cyber threats.

2
Q

What’s the difference between Perceived Risk and Actual Risk?

A

The difference between perceived risk and actual risk lies in the subjective versus objective assessment of the risk involved in a particular situation.

Perceived risk:
  • Subjective: Perceived risk is the risk that individuals or organisations believe exists based on their perceptions, feelings, and understanding of a situation. It is influenced by personal experiences, knowledge, media reports, and psychological factors such as fear or uncertainty.
  • Influence of Bias: Perceived risk can be affected by cognitive biases, such as overestimating the likelihood of rare but dramatic events (e.g., a highly publicised cyber attack) or underestimating more common but less sensational risks.
  • Variability: Different people or organisations might perceive the same risk differently based on their background, experiences, and the information they have access to. For example, a non-technical executive might perceive the risk of a cyber threat differently than a cybersecurity expert.

Actual risk:
  • Objective: Actual risk refers to the real, quantifiable level of risk that exists based on factual data, analysis, and statistical likelihood. It is determined through objective risk assessments, which involve evaluating the probability of an event occurring and its potential impact based on evidence.
  • Data-Driven: Actual risk is calculated using concrete information, such as historical data, threat intelligence, and known vulnerabilities. It is less influenced by emotions or perceptions and is more about measurable facts.
  • Consistency: Actual risk remains the same regardless of individual perceptions. It is a constant value based on the reality of the threat landscape, even if different stakeholders perceive it differently.

Example:
  • Perceived Risk: An organisation might perceive the risk of a sophisticated state-sponsored attack as high due to recent news coverage, even if its actual risk of being targeted by such an attack is low due to its profile or industry.
  • Actual Risk: The same organisation might face a much higher actual risk from phishing attacks or ransomware, which statistically are more likely to occur and have been proven to impact similar organisations in its industry.

Understanding the difference between perceived and actual risk is crucial for effective risk management, as it allows organisations to focus their resources on mitigating real, quantifiable risks rather than over- or under-allocating efforts based on misperceptions.

3
Q

How do you Quantify Risk?

A

Risk = Impact × Likelihood

4
Q

What is “Impact” in the context of Cyber Security Risk Management?

A

The impact is some measure of the degree of harm to assets caused by any breach of any of the CIA (confidentiality, integrity, availability) principles (NIST, 2008).

5
Q

What is “likelihood” in the context of Cyber Security Risk Management?

A

Likelihood relates to both threat and vulnerability levels. A higher threat capability—such as a hacker with advanced technical skills—increases the likelihood of damage. Similarly, a more vulnerable system is more likely to be exploited.

6
Q

What does the Risk Triangle help us to understand?

A

The risk triangle illustrates that risk only exists when assets, threats, and vulnerabilities are all present.

If:
- There are no assets, there are no risks, as nothing attracts an attacker.
- There are no vulnerabilities, a threat cannot exploit anything to compromise an asset.
- There are no threats, no one will try to exploit a vulnerability to compromise an asset.

7
Q

Once a risk has been quantified, what are the three categories used to classify the risk?

A

Acceptable: The identified risk has either a minimal impact on the organisation or is so unlikely to occur that addressing it is not justified in terms of cost or time. No further action is necessary.

Tolerable: The risk has been managed to a level where it is either ‘As Low As Reasonably Possible’ (ALARP) or ‘As Low As Reasonably Achievable’ (ALARA). ALARP implies that the organisation can demonstrate that further risk reduction would be disproportionate in cost compared to the benefits. ALARA generally means reducing the risk to meet a specific standard or contractual obligation.

Intolerable: The risk poses a severe threat, necessitating the abandonment or replacement of the system at risk. If this cannot be done quickly, then efforts should focus on eliminating vulnerabilities wherever possible.

8
Q

What are the 3 ways of addressing tolerable risks?

A

Mitigating risk: An organisation will implement measures to eliminate or reduce a risk. Examples might include:
- Enhancing security to prevent potential threats.
- Employing specialised software to detect suspicious activity on a network.
- Providing improved cyber security training for employees.
- Developing strategies for recovery in the event of a successful attack, such as using off-site backups to restore data in case of a disaster at the primary location or employing multiple, geographically dispersed servers to maintain continuous service during a denial-of-service attack.

Shifting risk: An organisation may opt to reduce its exposure to risks by outsourcing some of its operations to another organisation. The subcontractor will then assume that risk, often with better resources or expertise to manage it than the original organisation. Examples of shifting risk include using an external provider for email services that offers greater capacity and malware screening, or employing a third-party service to handle credit card transactions. However, shifting risk introduces the new risk that the subcontractor may not be able to fulfil its responsibilities.

Transferring risk: This is a common risk management approach where there is a potential for financial loss to an organisation. The most typical method of transferring risk is by purchasing an insurance policy that will provide compensation if the risk materialises. Alternatively, risk transfers can involve indemnification clauses that outline conditions under which an organisation will compensate others, or prevent users from seeking compensation altogether.

9
Q

What are the 3 aspects of Human Factors?

A

The individual: The person carrying out the task. Individuals have different levels of education, skills, physical and mental abilities, preconceptions, and temperaments. Each person is likely to approach a task in a slightly different way.

The job: The specific task the person is attempting to complete. The individual might be well-suited for the job or may struggle with it. They could be experienced and familiar with the task or completely new to it. Their state of mind could vary—they might be enthusiastic, distracted, bored, or even resistant. They may also face additional pressures, such as tight deadlines, which can lead to shortcuts and rushed decisions. Importantly, in most tasks, the focus on cybersecurity is not the primary goal; users are generally focused on sending emails, interacting with databases, or performing numerous other tasks—often without considering the security implications of their actions.

The organisation: When working within an organisation, individuals are expected to adhere to workplace policies and meet performance standards. Even if an organisation sets clear policies and monitors performance, challenges can arise from factors such as a hostile work environment, poor leadership, or ineffective communication.

10
Q

What is ‘Social Engineering’?

A

The act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust.
(NIST, 2017, p. 54)

11
Q

What are the 6 principles of social engineering?

A

Reciprocity: People have a natural tendency to repay favors. They often feel compelled to help those who have provided them with assistance, gifts, services, or support.

Scarcity: Offers that are limited by time, such as job openings or discounted prices, create pressure on individuals to make quick decisions without fully evaluating the potential risks.

Authority: People tend to follow the directives of authority figures, such as managers, teachers, or social leaders. This influence can sometimes lead them to carry out actions that are dangerous, illegal, or unethical.

Commitment and consistency: People generally dislike going back on their promises. They are likely to persist in a risky action they’ve committed to, even if they begin to question the soundness of their decision.

Liking: People are more easily persuaded to take action when they have a positive regard for the person making the request. They tend to like those who exhibit similar behaviors, share common views, or offer them compliments.

Consensus: Individuals are inclined to mimic the actions of others, particularly when they observe those actions leading to positive outcomes.

12
Q

What are the different types of Phishing?

A

  • Phishing: A cyber attack where attackers send fraudulent emails or messages pretending to be from legitimate sources to trick individuals into revealing sensitive information like passwords or credit card numbers.
  • Spear-Phishing: A more targeted form of phishing where attackers tailor their fraudulent messages to specific individuals or organizations, often using personal information to make the attack more convincing.
  • Whaling: A type of spear-phishing that specifically targets high-profile individuals within an organization, such as executives or key decision-makers, aiming to steal sensitive information or gain access to critical systems.
  • Vishing: A form of phishing that uses voice communication, typically phone calls, to deceive individuals into providing personal or financial information.
  • Smishing: Phishing conducted through SMS or text messages, where attackers send fraudulent messages to trick individuals into clicking on malicious links or revealing personal information.
13
Q

What is Pretexting?

A

Pretexting in cybersecurity is a social engineering tactic where an attacker creates a fabricated scenario or identity to manipulate a target into revealing confidential information. The attacker pretends to be someone the target trusts, like a colleague or authority figure, to gain access to sensitive data.

Example: “Hello, this is TrustedBank. As part of our ongoing security processes, we’ve identified some attempts by criminals to access your bank account. We’re really sorry this has happened, and we will fix any problems shortly. First of all, we need to complete a few simple security questions, so if you can tell us your name as written on your bank card …”

14
Q

What is Impersonation?

A

Impersonation in social engineering is when an attacker pretends to be a trusted individual, such as a colleague, vendor, or authority figure, to deceive the target into divulging sensitive information or performing actions that compromise security.

15
Q

What is Baiting?

A

Baiting is a social engineering technique where an attacker entices a target with something appealing, like a free download or a physical device (e.g., USB drive), to trick them into compromising their system or revealing sensitive information.

16
Q

What is a Watering hole attack?

A

A watering hole attack in social engineering is when an attacker targets a website or online resource commonly visited by a specific group or organisation. The attacker compromises the site to deliver malware or exploit vulnerabilities, infecting users who visit it.

17
Q

What is Tailgating?

A

Tailgating in social engineering is when an attacker gains physical access to a restricted area by following closely behind an authorised person, relying on their trust or oversight to bypass security measures.

18
Q

What is Reverse Social Engineering?

A

Reverse social engineering is when an attacker creates a situation where the target is compelled to seek help from the attacker, who poses as a legitimate authority or expert. This way, the attacker gains the target’s trust and can extract sensitive information or gain access to systems.

Example: “Hi, it’s Bob here from the IT team. We know we’ve been making lots of changes recently and I hope you’re finding the system even better than before. But just in case, have you been having any problems using any of our services? I’m here to help!”

19
Q

What are the three types of penetration testing?

A

The three types of penetration testing are:

  1. Black Box Testing: The tester has no prior knowledge of the system and tests it from an external perspective, simulating an outsider’s attack.
  2. White Box Testing: The tester has full knowledge of the system, including internal structures, source code, and architecture, allowing for a comprehensive evaluation.
  3. Grey Box Testing: The tester has partial knowledge of the system, such as some internal data or access, combining aspects of both black and white box testing.