RISK GROUP
CYBER-SECURITY RISK MANAGEMENT FRAMEWORK (CSRM)

ABSTRACT
The Security-Centric, Cyber-Security Risk Management (CSRM) framework expands on both the Internal Control Framework and the Enterprise Risk Management Framework and proposes an effective Integrated NGIOA (nations: its governments, industries, organizations and academia) Risk Management framework to manage the changing nature of Security* risks in Cyberspace, Geospace and Space (CGS).

Jayshree Pandya
EXECUTIVE SUMMARY
RG CSRM 2015 Copyright Risk Group LLC All Rights Reserved
Cyber-Security Risk Management Framework (CSRM)
INTRODUCTION

The connected computers and the digital global age have brought complex, chaotic and turbulent times for every nation: its government, industries, organizations and academia (NGIOA), where failures at all levels have become self-evident, repetitive and destructive in nature and in their uncertainty. NGIOAs are caught off guard.
When NGIOAs seem to be in visible crisis, what is the adequate amount of independent and
interdependent Cyber-Security risk that should be accepted by any entity within an NGIOA? This is
probably one of the most important questions decision-makers across NGIOA face today.
In 2012, Risk Group proposed Integrated NGIOA Risk guidelines to help nations identify, evaluate, understand and manage the interconnected and interdependent risks facing their NGIOA. The proposed guidelines have come a long way from being ignored: they are now being acknowledged, discussed, debated and articulated for incorporation, to better manage the current and emerging risks facing NGIOA in Cyberspace, while simultaneously providing a foundation that brings integrity, transparency, predictability, integration, security and scalability to the discipline of Risk Management itself.
Over the years, there has been heightened concern and focus on the lack of effectiveness in the current
approach to risk management due to critical threats brought on by the rapidly changing global
fundamentals and the inability of the risk management programs to predict critical risks at all levels. It
became increasingly clear that a need exists for re-evaluation of the approach to risk management.
Moreover, when the computer code, the connected computers and the ecosystem that makes up Cyberspace began to bring complex challenges and complexities to everyone and to everything, from Geospace to Space, the need for a new way of identifying, evaluating and managing risks became even more clear and urgent. This tectonic shift in the nature of risks brought on by Cyberspace is creating complex challenges for every NGIOA. As the computer code and connected computers blur the line between Geospace, Cyberspace and Space, it needs to be understood that the current approach to risk management cannot give any entity within any NGIOA the ability to manage risks effectively while bringing security and sustainability to its initiatives, because managing Cyberspace and Cyber-Security risks requires not only the integration of Cyberspace with Geospace and Space (CGS) but also a fine balance of cooperation and collaboration between, within and across NGIOA, and from their people, processes, proficiency and prudence.
These challenges prompted Risk Group to define and propose a robust Cyber-Security Risk Management
(CSRM) framework that would effectively identify, evaluate, and manage not only Cyberspace and
Cyber-Security risks but integrated CGS Risks. This framework could be readily used by each and every
entity within any NGIOA at all levels to evaluate and improve their independent and interdependent
Cyber-Security risk management capabilities.
The period from the guideline proposal to the Cyber-Security Risk Management framework has been marked by a series of high-profile Cyber-Security breaches and other global, national, local and industrial crises, scandals and failures in which nations, their governments, investors, businesses, individuals and other stakeholders, individually and collectively, suffered tremendous losses in many forms. In the aftermath of each crisis, there were calls for enhanced and effective governance, management and risk management capabilities, with effective institutions, structures, systems, frameworks, governance models, laws, regulations and standards. The need for a Cyber-Security risk management framework that would provide a new definition of security, a new approach to security, key security risk principles and concepts, a common security risk language, and clear security direction and guidance with the ability to integrate security risks in cyberspace, geospace and space became even more compelling at all levels across nations.
Risk Group believes that the proposed Cyber-Security Risk Management Framework (CSRM) fills the
need, and Risk Group hopes that it will bring effectiveness to the discipline of Risk Management and
provide NGIOA an effective way to manage its complex security risks in CGS.
THE RISK MANAGEMENT FRAMEWORK

Internal Control Framework

The Internal Control Framework is defined by many as a process for assuring the achievement of an organization's objectives in operational effectiveness and efficiency, clear financial reporting, and strict compliance with laws, regulations and policies. While this still serves as the broadly accepted standard for satisfying regulatory reporting requirements, requiring an entity's management to certify, and the independent auditor to attest to, the effectiveness of those systems, it clearly lacks the ability to identify and manage the critical security risks facing NGIOA today in CGS.
Enterprise Risk Management Framework

ERM, according to the Casualty Actuarial Society, is a widely popular approach to managing enterprise risks in which an entity in any industry assesses, controls, exploits, finances and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders. While the ERM framework supposedly expands on the internal control framework, it does provide a more comprehensive focus on the broader issue of Risk Management. While the ERM framework has gained popularity:

- It lacks the ability to anticipate global, national or industry crises
- It lacks a framework to assure comprehensive Integrated Risk Management
- Its approach is largely reactive
- It widely promotes transfer of risk and insurance of risk over prevention or management of risk, thereby creating bigger, more complex and more catastrophic risks
- It focuses on a narrow definition of an "enterprise"
- It focuses on a narrow "risk" perspective
- It focuses on a narrow and old definition of security and lacks the ability to address the changing nature and fundamentals of "security"
Cyber-Security Risk Management Framework

The Cyber-Security Risk Management (CSRM) framework expands on both the Internal Control Framework and the Enterprise Risk Management Framework and provides an effective Security-Centric Risk Management framework that gives each and every NGIOA:

- A forward-looking way to identify and manage independent and interdependent risks
- Integrity, neutrality and a collective approach to managing risks
- A non-partisan, neutral and objective focus on managing global, national and local risks

In addition, it also:

- Reverses the focus from transferring risks to preventing risks
- Embeds strategic risks as a vital part of the risk management framework
- Changes the approach to an enterprise and makes it more inclusive of today's global reality
- Connects cyberspace risks to geospace and space risks (CGS)
- Integrates governments' risks with industries' risks, organizations' risks and academia's risks to give a comprehensive overview of nations' risks (NGIOA)
- Integrates nations' risks to give a comprehensive view of global risks
- Provides and promotes a proactive approach to managing risks
- Promotes prevention and management of risks over transfer of risks
- Addresses the changing nature and definition of security and provides security-centric risk management ability and capability

While the goal of the security-centric CSRM is to bring effectiveness to the field of Risk Management itself in a digital global age, Risk Group recognizes the slow pace of change historically observed across nations in acknowledging the need for change, accepting the change and implementing the change itself.
The most critical challenge for decision-makers at all levels across NGIOA is determining how much risk they are prepared to take for their initiatives as they strive to survive, sustain and create value in cyberspace; this proposed security-centric CSRM Framework will better enable them to meet these complex challenges. The implementation of a security-centric CSRM framework will support and improve independent and interdependent risk awareness at every level of NGIOA, from strategic to operative, from cyberspace to geospace and from management to employees.
The proposed security-centric CSRM framework provides an integrated risk management approach that addresses the global shifts of the digital global age, to lay out the much needed foundation of an integrated NGIOA risk governance framework. This security-centric integrated risk management framework will make a convincing case for the far-reaching need for, and understanding of, integrated security risk concepts, integrated security risk fundamentals and integrated NGIOA risk governance models. The integrated security-centric CSRM approach proposed and discussed here is rational, practical, scalable and feasible. It will help create a dynamic, vibrant and sustainable approach to managing the cyber-security risks of a digital global age. This initiative is a first step towards that.
Jayshree Pandya
Founder: Cyber-Security Risk Research Center at Risk Group
*Risk Group defines Security as the state of industries and businesses, systems and infrastructure,
innovation and technology, governance model and governments, products and services, intellectual
property and trade secrets, people and processes, survival and sustainability, education and academia,
philanthropy and poverty, research and development, regulations and compliance, robotics and artificial
intelligence, information and communication—being free from danger or threat of Cyberspace.
EXECUTIVE SUMMARY
The underlying premise of security-centric Cyber-Security Risk Management Framework (CSRM) is that,
in the interconnected and interdependent digital global age, no entity within any NGIOA can effectively
manage their security* risks independently. Even if an entity manages its private security risks
independently, the interconnected and interdependent risks facing them will undermine the isolated
and independent risk management effort and program, and make the entity vulnerable to catastrophic
events.
RELATIONSHIP BETWEEN SECURITY AND NGIOA COMPONENTS

There's no such thing as 'secure' anymore. Security is rapidly becoming a complex challenge for every NGIOA. Cyberspace is fundamentally changing the definition and meaning of security across NGIOA. Incorporate it into Geospace and Space and the complex security challenges hit the roof.
Cyberspace has put nations under strong pressure to change how they define, understand, operate, govern and manage their security risks, so the question is how that can be achieved when:

- Individual security is tied to collective NGIOA security
- External security threats have ties to internal security threats
Security needs to be at the center of each and every discussion within any NGIOA, not only about threat, conflict, defense and war, but also about progress and development! While the formation of individual (an entity within an NGIOA) and collective (NGIOA) security frameworks are becoming inseparably linked in cyberspace, the question arises as to the reasons behind the reluctance to accept the need for structured collaboration. Since any single individual entity is connected to other individual entities within its sector and industry, along with its connections to organizations, academia, other industries and governments at all levels, there is presumably a collective requirement for a cyber-security risk management framework and a cyber-security risk governance authority.

Security is thus a condition of all individuals, organizations, academia, industries and governments (NGIOA-I).
There is also a growing concern that there are many nations that seem to be too weak or too failed to
be able to provide their own NGIOA-I with the necessary security in the cyberspace. Moreover, most
nations with their current governance model are far from being ideal providers of cyber-security.
Technology and Threats are forever intricately linked now, just like People and Processes.
The security concept is currently being subjected to big changes with respect to its aims, capabilities, sources, connectivity and the dimension of threats. In the new era of cyberspace, the security threat has no visible front, borders or armies.
Governments exist to provide value to their citizens, businesses across industries exist to provide value for their stakeholders, organizations exist to provide value to their initiatives and academia exists to provide value to its students. All of them, independently and collectively, face complex security challenges and uncertainties from cyberspace in the digital global age. Amidst that, the challenge for decision-makers across NGIOA is to determine what security risks they face in cyberspace and the rapidly changing digital global economy, independently and collectively, and how much uncertainty they are exposed to and forced to accept as they strive to survive, sustain, grow, develop and advance.
The current uncertainty brought on by cyberspace and the digital global economy presents both security risk and strategic opportunity to each component of NGIOA, with the potential to erode or enhance a nation's value, independently and collectively.
Cyber-Security Risk Management Framework (CSRM) enables decision makers to effectively deal with
cyberspace and the digital global economic uncertainty, enhancing the capacity and capability to
collectively build value as a nation.
The strategic value of a nation is maximized when NGIOA decision makers collectively set national
strategy and objectives, so as to strike an optimal balance between growth and goals, its related risks
and rewards, and its security and sustainability while efficiently and effectively deploying resources in
pursuit of independent entity goals tied to collective national objectives.
Cyber-Security Risk Management (CSRM) encompasses first and foremost:

- Integrating cyberspace with geospace and space (CGS)
- Integrating nations: its government, industries, organizations and academia (NGIOA)
- Re-defining security* in cyberspace and understanding its NGIOA integration points.
In addition, the security-centric Cyber-Security Risk Management (CSRM) framework should individually and collectively involve:

- Identifying and Aligning Security-Centric Risk Appetite, Security Risk Planning and Strategy in Cyberspace: The CSRM framework allows any individual entity and its decision makers within and across NGIOA to take into consideration its independent and interdependent security risk appetite in evaluating independent and interdependent strategic alternatives, setting security-risk-centric, informed objectives and goals, and simultaneously developing mechanisms to manage independent and interdependent strategic security risks. (Depending on the nature of the security risk, its industry and relevance, appropriate security risk measures need to be incorporated in the planning process.)
- Identifying and Improving the Security Risk Response Decision Process in Cyberspace: CSRM provides an integrated NGIOA structure for an informed, independent as well as integrated security risk decision process to identify, evaluate and manage the various security risk response choices: from prevention of security risk to risk avoidance, reduction, transfer, sharing and acceptance. (Depending on the nature of the security risk, a relevant risk response strategy needs to be formulated.)
- Identifying and Reducing Security Surprises and Losses in Cyberspace: CSRM provides NGIOA with an enhanced capability, both individually and collectively, to identify potential catastrophic security events and establish timely responses to reduce their impact and associated costs or losses. (Depending on the nature of the security risk, a structured plan needs to be in place to have the relevant risk intelligence to manage security surprises.)
- Identifying and Managing Overall Global, National, Local and Individual NGIOA Security Risks in Cyberspace: Each nation faces a myriad of independent and interdependent security risks affecting different parts of the NGIOA, and CSRM facilitates effective responses to their interrelated, interconnected and interdependent impacts. (Depending on the nature of the security risk, an overall plan needs to be in place to manage it.)
- Identifying and Seizing Strategic Opportunities: By considering a full range of potential security events at all levels (global, national, local, industry and organizational) and across the individual components of NGIOA, decision makers are better positioned to identify and proactively realize current and strategic opportunities in cyberspace, both individually and collectively. (Understanding cyberspace and its revolutionary transformation potential, understanding the current initiatives within an entity, and formulating potential strategic alternatives will guide entities within an NGIOA to seize strategic opportunities in CGS.)
- Identifying and Improving Resource Deployment: CSRM allows nations to obtain collective and independent, current and strategic security risk information that allows NGIOA decision makers to effectively evaluate overall resource needs and enhance capital allocation appropriately. These capabilities inherent in the CSRM framework will help NGIOA decision makers achieve their performance and profitability targets while preventing loss of vital current and strategic resources. (By understanding the nature of strategic opportunities and threats, entities within an NGIOA will need to identify resource needs and make relevant plans.)
CSRM will help ensure effective security risk reporting and compliance with current and potential laws and regulations, to help avoid damage not only to the NGIOA reputation, both independently and collectively, but also its associated consequences.

In summation, the Cyber-Security Risk Management framework (CSRM) will help an NGIOA achieve its independent and collective security goals and objectives of Cyberspace in a Digital Global Economy while avoiding downsides and disbeliefs along the way. It is important that CSRM not be viewed as a static one-time process; rather, it must be embedded across NGIOA and dynamically adapted to the changing internal and external CGS environment.
CYBERSPACE EVENTS IN A DIGITAL GLOBAL ECONOMY: ASSOCIATED SECURITY RISKS AND OPPORTUNITIES

Any event in Cyberspace or the Digital Global Economy can have negative security impacts, positive strategic impacts, or both. Cyberspace events in a digital global economy with a negative security impact represent risks, which can prevent value creation in Cyberspace or erode existing value in Geospace, Cyberspace or Space. Cyberspace events in a digital global economy with a positive impact may offset negative security impacts or represent strategic Cyberspace opportunities. Cyberspace opportunities are the possibility that an event will occur in Cyberspace or Geospace that would positively affect the achievement of Cyberspace objectives, supporting value creation or preservation.
NGIOA decision makers can channel opportunities in Cyberspace back to their National Security Strategy, while formulating plans to seize the Digital Global Age opportunities in CGS.
The CSRM framework aims to identify all independent and interdependent potential security events that could affect the achievement of the entity's objectives in CGS. These events can be divided into two categories: Cyberspace events with a positive impact on independent and collective NGIOA objectives and events with a negative security impact on independent and collective NGIOA objectives. The former represent opportunities, and the latter are security risks. These must be managed with a clear integrated risk management process composed of the following phases:

- Cyber-Security Risk Identification and Analysis
- Cyber-Security Risk Understanding and Profiling
- Cyber-Security Risk Response and Management
- Cyber-Security Risk Control and Integration
The CSRM process must be supported by a sound security foundation in terms of a broad understanding of security, its changing nature, the overall CGS environment, an integrated NGIOA risk philosophy, integrity and ethical values, an integrated risk governance approach, and Cyber-Security competence and responsibilities, together with a collective Cyberspace security objective-setting process that considers the Cyber-Security risk dimension, a dynamic and complete security information flow, and ongoing monitoring of all the CSRM framework components.
Each and every entity should implement CSRM framework because it will allow them to optimize
strategic opportunities in the Cyberspace by providing a systematic, integrated, accountable and holistic
evaluation and control of Cyber-Security risks.
The CSRM framework deals with security risks and strategic opportunities affecting value creation in Cyberspace and/or preservation of Cyberspace-Geospace-Space value and infrastructure.
CSRM can be defined as an integrated security risk management process realized by decision makers
of an entity within an NGIOA, who independently and collectively identify potential security risk
events that may affect any component of an NGIOA or overall NGIOA and manage risk both
individually and collectively to be within its security risk appetite boundaries, to provide reasonable
assurance and confidence regarding the achievement of its current and strategic security objectives in
Cyberspace-Geospace and Space (CGS).
The comprehensive CSRM definition reflects certain fundamental security concepts and is in essence:

- An independent but Integrated NGIOA security process that is ongoing and flowing through any entity and component of NGIOA within, between and across a nation's geographical boundaries.
- Effected by decision makers at every level of an entity within and between a nation: its government, industries, organizations and academia (NGIOA).
- Applied in independent and collective security strategy settings at all levels of an entity within and between an NGIOA.
- Applied within, between and across NGIOA, at every level and unit of an entity, and includes taking an independent and collective view of security risk as a nation, industry, business and organization.
- Designed to identify potential Cybersecurity events that, if they occur, will affect an independent component of an NGIOA or all the components of an NGIOA, and to manage security risk within its independent and collective risk appetite boundaries.
- Able to provide reasonable security assurance to any entity within and between an NGIOA and its decision makers and stakeholders.
- Geared towards achievement of global, regional, national, local and independent security objectives of any and all components of an NGIOA in one or more separate but overlapping categories.
- Provides an integrated NGIOA structure and format to facilitate incorporation of the changing definition of security by re-defining the approach to security and integrating the security of CGS.
This CSRM definition is purposefully broad for the purpose of its scalability and sustainability needs. It
captures key changing global security concepts as to how nations: its governments, industries,
organizations and academia (NGIOA) should manage its security risks in the Cyberspace, while providing
a basis for Cyber-Security Risk Management Framework in a Digital Global Economy. It also focuses
directly on achievement of any entity’s security objectives in Cyberspace, established independently and
collectively by an individual or a group of NGIOA.
CYBER-SECURITY RISK MANAGEMENT OBJECTIVES

Within the context of any entity or component of an NGIOA, the CSRM framework will be geared to achieving the overall security objectives, set forth in the following categories:

- Strategic Security: High-level strategic security goals, aligned with and supporting its Cyberspace mission in a Digital Global Age
- Security Operations: Effective and efficient use of NGIOA resources in Cyberspace
- Security Reporting: Reliability of Cyberspace reporting
- Security Communications: Effective and timely Cyber-Security communication
- Security Compliance: Compliance with applicable global, national and local laws and regulations
- Security Approach: Integrated Geospace, Cyberspace and Space approach to Security
- Security Integration: Integration at all NGIOA levels across nations and also in Cyberspace, Geospace and Space (CGS)
- NGIOA Sustainability: NGIOA Sustainability as a key criterion
- Security Scalability: A Cyber-Security Risk Management framework that is scalable at all levels of NGIOA across nations in CGS
The above categorization of CSRM objectives allows a focus on collective as well as individual aspects of any entity within and between NGIOA, and on aspects of overall NGIOA security in Cyberspace, Geospace and Space. Amidst these distinct but overlapping components of an NGIOA across the barriers of virtual territories, a particular Cyberspace objective and its associated risks can fall into more than one component, necessitating a need to address its individual and collective integration points while directing the responsibility of different decision makers at all levels of an entity or an NGIOA. This clear categorization also allows clear distinctions of what can be expected from each component of an entity or an NGIOA in Cyberspace.
SAFEGUARDING OF SECURITY OBJECTIVES AND RESOURCES

Safeguarding of NGIOA Security resources is essential in CGS. Because security objectives in Cyberspace related to the reliability of the current nature of security reporting and the compliance framework with current laws and regulations are within an entity's control, CSRM is expected to provide reasonable assurance of achieving those security objectives. However, it needs to be understood that no effective controls are in place for the changing nature and definition of security across nations. There is a clear need for developing effective security controls for compliance. Achievement of strategic security and operational objectives in Cyberspace is, however, subject to external NGIOA events in CGS, and not always within the control of an entity. Accordingly, for these security objectives, CSRM can provide reasonable assurance that decision makers in their oversight role are made aware, in a timely manner, of the extent to which an entity is moving toward achievement of the Cyberspace and Cybersecurity objectives.
COMPONENTS OF CYBER-SECURITY RISK MANAGEMENT FRAMEWORK

Just as any structure needs a strong foundation in Geospace, so do the structures in Cyberspace and Space. The internal as well as external NGIOA environment serves as the basis for the security foundation and key components of the proposed CSRM framework in Cyberspace, Geospace and Space. The internal NGIOA environment reflects the overall cyber-security risk attitude, awareness and actions that have an impact on the individual entity's activities within any component of an NGIOA or the whole NGIOA. It is also important for decision-makers to apply the same rules to the external NGIOA environment across a nation's geographical boundaries, in order to have an understanding of the interconnected and interdependent NGIOA security risks in the CGS environment.
An on-going Integrated NGIOA Security Risk Management process can be considered the heart of the CSRM framework. Cyber-Security risk identification and assessment are useless if no appropriate security risk responses are implemented and no regular security controls are in place. The Cyber-security, strategic security, business and operational processes do not work properly without integrated NGIOA security information that flows in, out and across the entity and NGIOA. The security monitoring component has the same importance as the other components of the CSRM framework, because it will allow the determination of whether everything continues to work effectively in the CGS environment within, between and across NGIOA.
Each of the NGIOA components equally contributes to CSRM in CGS. A weak component can affect the
entire CSRM process in the CGS. The interconnectedness, interdependencies and interrelationships of
the security embedded CSRM framework strengthens the role of each single NGIOA component.
The security centered integrated NGIOA risk management philosophy and the risk appetite contribute to