
Dan Solomon MBA is Director of Cyber Risk and Security Services at Optimal Risk Management. A former special ops planner turned critical thinker and Strategic Intelligence specialist with 15 years' experience as analyst and manager, dedicated to a robust gather-analyze process. Subsequently focused on the application of analysis, with a track record of client-facing and consultative responsibilities, including workshop and scenario-building facilitation, programme management and business leadership/development roles. Now focused on bringing a proactive approach to security risk consulting, mitigating cyber risk and industrial espionage through Red Teaming and Blue Teaming.
March 24, 2014

Future-Proofing against Converged Information Risk

A well maintained risk register can indicate how well a company manages its risks – if it contains relevant information on risks and responses, supported by both qualitative and quantitative analyses.

However, there is a danger of the register becoming more a management tool for checking on progress and less a tool for analysts monitoring the evolution of threats, vulnerabilities and probabilities.

To begin ‘future-proofing’, an organisation must deploy methods that build awareness of and preparedness for future threats, and that provide a basis for investing to mitigate risks.

To be effective, risk management needs a methodology that identifies the appropriate mitigating steps to control the probability and impact of an event, and that also highlights issues or security capabilities that must be verified and tested.

It should therefore create focus on preparedness for priority threats, and give early warning of emerging scenarios of which executive management should be aware.

Creating and maintaining a risk register

Potentially the more valuable element to an organisation is the process of creating and maintaining the register itself, provided firms consider threats and vulnerabilities dynamically, based on scenarios, and build on a real quantitative foundation.

This process contributes significantly to a real shift in organisational attitudes towards risk awareness, focuses boardroom attention on vulnerabilities and emphasises the ‘business resilience’ rationale for investment in remediation.

On that basis, it needs to incorporate a financial mapping of assets and processes, the technical identification of vulnerabilities and a financial model that informs scenario considerations.

Cyber risk scenarios present a new challenge to security and risk planners. The key to developing converged security risk strategy through scenarios is creating outcomes that prompt decisions that effectively mitigate information risk from physical, human and cyber threats.

Scenarios should therefore demonstrate the manifestation of one specific ‘element’ of a converged threat and illustrate several ways in which one threat can evolve and develop into different plausible outcomes – otherwise the quantitative evaluation of probable impacts will always be understated and inaccurate.

Developing scenarios for future threats should focus on issues that are more likely to expose current levels of preparedness, and uncertainties that are critical but most difficult to predict. In doing so, the scenario process creates awareness of how changes in underlying factors affect security failures and a better understanding of the relationship between different factors.

Factor Analysis of Information Risk (FAIR)

Factor Analysis of Information Risk (FAIR) is the recommended methodology for achieving this, particularly when used to illustrate scenario outcomes.

The unique aspect of converged risk is the type of vulnerability that is uncovered specifically because of the compounding, multifaceted nature of sophisticated threats.

As there are multiple ways in which specific converged threats can present themselves, an effective scenario-building process should dynamically address threats and vulnerabilities in a way that can feed usefully into risk assessment.

A ‘What if?’ scenario approach to quantifying risk using FAIR can be applied for introducing, removing or modifying controls over information assets as well as processes, and to see how they reflect on the overall future risk posture of the business.

Risk modelling generates the quantitative outputs that allow business-oriented decision-making, informing managers of where to shortlist options for investment planning and of the security risk implications of the trade-offs they may need to consider.

The advantage of introducing these quantitative inputs to the scenario process is to balance investment between technology, processes and management across the organisation based on an accurate appreciation of sophisticated threat scenarios against proven and tested vulnerability.
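As an added worked illustration, not the article's or Optimal Risk Management's own tooling, the following Python sketch carries one FAIR-style ‘What if?’ through: threat event frequency and loss magnitude are calibrated (min, most likely, max) ranges, vulnerability is the probability that a threat event becomes a loss event, and the same scenario is evaluated before and after a hypothetical control. All figures and the control itself are constructed for illustration.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    """A FAIR-style loss scenario with calibrated (min, most likely, max) ranges."""
    name: str
    tef: tuple            # threat event frequency: threat contacts per year
    vulnerability: float  # probability that a threat event becomes a loss event
    loss: tuple           # loss magnitude per loss event, in currency units

def _tri(rng: random.Random, r: tuple) -> float:
    """Sample a (min, mode, max) range; note random.triangular takes (low, high, mode)."""
    low, mode, high = r
    return rng.triangular(low, high, mode)

def expected_ale(s: Scenario) -> float:
    """Analytic annualised loss expectancy: E[TEF] * Vulnerability * E[Loss],
    using the triangular mean (min + mode + max) / 3 for each range."""
    return (sum(s.tef) / 3) * s.vulnerability * (sum(s.loss) / 3)

def simulate_ale(s: Scenario, trials: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo ALE: for each simulated year, draw the number of threat events,
    decide which of them become loss events, and sum a loss draw for each one."""
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        contacts = max(0, round(_tri(rng, s.tef)))
        loss_events = sum(1 for _ in range(contacts) if rng.random() < s.vulnerability)
        years.append(sum(_tri(rng, s.loss) for _ in range(loss_events)))
    years.sort()
    return {"mean": sum(years) / trials, "p90": years[int(0.9 * trials)]}

def what_if(baseline: Scenario, modified: Scenario) -> float:
    """Expected annual loss avoided by the control change between two scenarios."""
    return expected_ale(baseline) - expected_ale(modified)

# Constructed illustration: a social-engineering route into a finance process, before and
# after a hypothetical control (MFA plus staff awareness training) lowers vulnerability.
BASELINE = Scenario("social engineering, current controls", tef=(10, 20, 30),
                    vulnerability=0.3, loss=(50_000, 100_000, 300_000))
WITH_CONTROL = Scenario("social engineering, MFA + awareness", tef=(10, 20, 30),
                        vulnerability=0.1, loss=(50_000, 100_000, 300_000))

if __name__ == "__main__":
    for s in (BASELINE, WITH_CONTROL):
        print(f"{s.name}: analytic ALE {expected_ale(s):,.0f}; simulated {simulate_ale(s)}")
    print(f"expected annual loss avoided: {what_if(BASELINE, WITH_CONTROL):,.0f}")
```

The p90 figure is what makes the scenario useful to a board: the mean alone understates a right-skewed loss distribution, which is the point made above about understated impacts.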

Each vulnerability and exposure should include an assessment of an adversary's ability to create and exploit an opportunity to gain access to the information assets.

This must include physical access and human vulnerability to social engineering as well as access through less standard devices such as mobile equipment, custom systems and applications, control systems and embedded devices – mimicking the approach of an advanced attacker.

This phase of FAIR is not limited to the technical vulnerabilities of a particular application or server. It must also include risks to business processes, third-party providers involved in a business process and any other aspect of the asset lifecycle.

The human factor must also be evaluated, based on staff's level of education relative to the criticality of the assets and their awareness of the risks related to the business process at stake.

While many firms do not systematically invest time and resources in scenario-building exercises, they need to consider their readiness to deal with different threats and manage a variety of potential consequences.

As the scenario-building process brings together managers from different security disciplines to consider the converged aspects of the human firewall, physical security and IT solutions, well-prepared scenarios examine the converged nature of uncertainties and cater for the broad range of opinions that a cross-discipline approach will uncover around cyber threats.

Presentation at IFSEC International 2014

Dan Solomon MBA, director of cyber risk and security services at Optimal Risk Management, will deliver a presentation called ‘Cyber Security: neutralising risks and threats’ for the IFSEC Academy at this year’s IFSEC International 2014.

Delivering his talk on the IFSEC Global.com Centre Stage Theatre on Wednesday 18 June between 2.00 pm and 2.30 pm, Dan will outline how stronger collaboration between business-process owners and security teams can identify and evaluate cyber risks to realise competitive advantage.

To attend IFSEC International 2014, which takes place at ExCeL London from 17-19 June, visit the website to register.
