Building cyber risk management capabilities
by Mark Brett, honorary visiting fellow, De Montfort and director, NLAWARP
Looking at existing risk management methodologies there are various approaches that can help in the cyber resilience space. The key is to understand where the touch points are, what we’re trying to mitigate against, and with what, where and when.
The traditional model was built around people, place and incident. This model has served policing well for a long time.
In the 1970s ICL developed their data dictionary for database entity modelling, which crossed over from the physical tangible world to the intangible work of ICT systems and data models. The model works because most ICT systems aim to facilitate or enable a physical business process.
However, the evolving internet of things (whose growth is set to be explosive) operates the other way round, with physical things interacting with the intangible cyber world.
In order to plan and model this new complex world, we need the language, descriptions, standards and metadata to enable it all. Without understandable frameworks and models, it is not possible to describe, develop and manage risks.
Local public services need a language, metadata and schemas to facilitate the modelling of abstractions that exist in cyber space. Once we can articulate the problems, through conceptual frameworks, we can begin to qualify value and understand the real problems and issues.
This eventually leads to the development of mathematical models and algorithms, which in turn can be used to detect anomalous behaviours in networks and communications systems. This makes it possible to develop risk mitigations for problems that do not yet exist.
Technological change will increase the demand, pace and complexities of cyber space. Local public services are already looking at the use of telematics and assistive technologies, but we must also look at the potential risks and implications.
New technologies can help to improve quality of life and drive out savings – but they also open the way for new attack vectors, exploits and harm. Criminals and other adversaries will be quick to exploit these.
For example, we know that when we go on holiday we should not advertise that our homes are empty – but what if criminals could just tap into your heating hive, smart meter or alarm system to detect that your house is empty? How many of us post photos on social media advertising the fact that we are on a beach or in some other exotic location far from home?
Nor is it just criminals that we have to keep out – other adversaries will be equally quick to learn to exploit the new tools and techniques out there.
Therefore, we need to develop new methodologies for risk management and mitigation against those risks.
Disrupt and impede
Yes, technology can help to disrupt and impede attacks. Automated systems monitor networks and detect anomalies, but we should not be over-reliant on automated detection.
We need to raise awareness at all levels within the organisation and across our delivery chains. Awareness raising and training are the best defence we have, coupled with a culture that encourages the rapid reporting of incidents. This will need a change of stance from the Information Commissioner, especially where accidental human error was the cause.
We may not be able to stop all attacks or incursions into our networks – we may never win the cyber war as the odds are stacked against us – but we can disrupt and impede a lot of it.
Risk management, whether physical or cyber risks, requires leadership; it is about increased understanding of the issues, raising awareness about the impacts, and changing social norms or the expectations of society in how risks are handled.
This article was first published in Local Leadership in a Cyber Society: Being Resilient by the DCLG-led National Cyber Security Programme - Local and iNetwork.