
2015 | Book

Cyber-Risk Management


About this book

This book provides a brief and general introduction to cybersecurity and cyber-risk assessment. Not limited to a specific approach or technique, its focus is highly pragmatic and is based on established international standards (including ISO 31000) as well as industrial best practices. It explains how cyber-risk assessment should be conducted, which techniques should be used when, what the typical challenges and problems are, and how they should be addressed.

The content is divided into three parts. First, part I provides a conceptual introduction to the topic of risk management in general and to cybersecurity and cyber-risk management in particular. Next, part II presents the main stages of cyber-risk assessment from context establishment to risk treatment and acceptance, each illustrated by a running example. Finally, part III details four important challenges and how to reasonably deal with them in practice: risk measurement, risk scales, uncertainty, and low-frequency risks with high consequence.

The target audience is mainly practitioners and students who are interested in the fundamentals and basic principles and techniques of security risk assessment, as well as lecturers seeking teaching material. The book provides an overview of the cyber-risk assessment process, the tasks involved, and how to complete them in practice.

Table of contents

Frontmatter
Chapter 1. Introduction
Abstract
This chapter explains our motivation for writing the book, our aim and emphasis, and our policy of writing and presentation. We also describe the structure of the book and the intended target group, and give advice on ways to read it. Finally, we explain the relation between the book and relevant standards.
Atle Refsdal, Bjørnar Solhaug, Ketil Stølen

Conceptual Introduction

Frontmatter
Chapter 2. Risk Management
Abstract
This chapter gives an introduction to risk management in general and explains the central concepts. We begin by explaining what risk is and presenting the terminology we need in order to talk about risk. Thereafter we introduce risk management and explain what it involves for an organization to manage risk in a systematic and effective manner. Subsequently we look more closely at the details of the risk management process and its sub-processes.
Atle Refsdal, Bjørnar Solhaug, Ketil Stølen
Chapter 3. Cyber-systems
Abstract
How organizations should conduct risk management largely depends on the kind and nature of the systems of concern. In this book we are concerned about systems that make use of a cyberspace, namely cyber-systems. We therefore need to establish a clear understanding of cyber-systems. This chapter explains what we mean by a cyberspace, a cyber-system and a cyber-physical system.
Atle Refsdal, Bjørnar Solhaug, Ketil Stølen
Chapter 4. Cybersecurity
Abstract
The notion of cybersecurity is closely related to cyber-risk management. However, no universally accepted definition of cybersecurity seems to exist. This chapter therefore defines and explains what we mean by this concept. What characterizes cybersecurity, and what are the kinds of threats that cybersecurity shall prevent or provide protection from? We also explain how cybersecurity relates to information security, critical infrastructure protection and safety.
Atle Refsdal, Bjørnar Solhaug, Ketil Stølen
Chapter 5. Cyber-risk Management
Abstract
In this chapter we specialize risk management, which was introduced in Chap. 2, to the domain of cyber-systems. We highlight what is special about cyber-systems and cyber-threats from a risk management perspective, focusing in particular on the nature of cyber-risks and the options and means we have for managing them. First we explain what we mean by cyber-risk. Thereafter we specialize the three main processes of risk management to cope with cyber-risk. These processes are communication and consultation of cyber-risk, cyber-risk assessment, and monitoring and review of cyber-risk.
Atle Refsdal, Bjørnar Solhaug, Ketil Stølen

Cyber-Risk Assessment Exemplified

Frontmatter
Chapter 6. Context Establishment
Abstract
This chapter is the first chapter of Part II, which is dedicated to a running example designed to demonstrate each step of the cyber-risk assessment process. The example concerns an advanced metering infrastructure in a smart grid. The chapter demonstrates the context establishment, which will guide the rest of the risk assessment. This includes describing the external and internal context, the goals and objectives, the target of assessment and its interface to cyberspace, as well as the scope, focus and assumptions being made. Moreover, it also involves defining the assets, scales and risk criteria.
Atle Refsdal, Bjørnar Solhaug, Ketil Stølen
Chapter 7. Risk Identification
Abstract
Risk identification involves determining what could happen to cause potential harm to assets, which includes gaining insight into how, where and why such cyber-incidents may occur. This chapter starts by giving an overview of risk identification techniques, before moving on to demonstrate how the risk identification process described in Chap. 5 can be instantiated. Two different identification approaches are used, one aimed at malicious cyber-risk and the other at non-malicious cyber-risk. In both cases we provide examples of threat sources, threats, vulnerabilities and incidents for the target described in Chap. 6, and show how these, as well as the relations between them, are documented.
Atle Refsdal, Bjørnar Solhaug, Ketil Stølen
Chapter 8. Risk Analysis
Abstract
Risk analysis involves determining the level of risk, typically in terms of the likelihood of incidents occurring and their consequence for assets. This can be done qualitatively or quantitatively. In order to determine the risk level, it is usually necessary to analyse the related threats and vulnerabilities. This also helps us to better understand what contributes to the risk, which is useful for identifying treatments. This chapter continues the running example of Part II by demonstrating a pragmatic approach to analysing the cyber-risks that were identified in Chap. 7.
Atle Refsdal, Bjørnar Solhaug, Ketil Stølen
Chapter 9. Risk Evaluation
Abstract
Risk evaluation is the process of comparing the results of the risk analysis with the risk evaluation criteria defined during the context establishment to determine whether the cyber-risks are acceptable. We also need to consider whether some risks that we have regarded as separate actually are instances of the same risk and therefore should be aggregated and evaluated as one risk. Furthermore, as preparation for the risk treatment, we group risks according to relationships such as shared vulnerabilities or threats. This chapter demonstrates risk evaluation, risk aggregation and risk grouping of the running example based on the risk analysis results obtained in Chap. 8.
Atle Refsdal, Bjørnar Solhaug, Ketil Stølen
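The following is an added example, not code from the book, that walks through the steps the abstracts of Chap. 8 and Chap. 9 describe: mapping estimated frequencies onto a qualitative likelihood scale, reading the risk level off a likelihood-by-consequence matrix, comparing it with the acceptance criterion fixed during context establishment, aggregating entries that are really instances of the same risk, and grouping the unacceptable risks by shared vulnerability as input to treatment. The scales, the matrix, the acceptance criterion and the four sample risks are all constructed for illustration; they are not the smart-grid running example of Part II, and the rule used for aggregation (frequencies of disjoint scenarios add, the worst consequence is kept) is an assumption of this example.

```python
"""Risk analysis, evaluation, aggregation and grouping on a constructed example.

Added example; this is not code from the book. The scales, the risk matrix,
the acceptance criterion and the sample risks are constructed for illustration.
"""
from collections import defaultdict

# Constructed likelihood scale as frequency bands (incidents per year),
# least to most likely: (step name, lower bound of the band).
LIKELIHOOD = [("rare", 0.0), ("unlikely", 0.1), ("possible", 1.0),
              ("likely", 10.0), ("certain", 100.0)]
LIKELIHOOD_STEPS = [name for name, _ in LIKELIHOOD]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]

# Constructed risk matrix: rows follow LIKELIHOOD, columns follow CONSEQUENCE.
RISK_MATRIX = [
    ["low", "low", "low", "medium", "medium"],     # rare
    ["low", "low", "medium", "medium", "high"],    # unlikely
    ["low", "medium", "medium", "high", "high"],   # possible
    ["medium", "medium", "high", "high", "high"],  # likely
    ["medium", "high", "high", "high", "high"],    # certain
]
ACCEPTABLE_LEVELS = {"low"}  # constructed risk evaluation criterion

# Constructed risk register: (incident, asset harmed, vulnerability exploited,
# estimated frequency per year, consequence for the asset).
RISKS = [
    ("Meter readings manipulated", "Integrity of consumption data",
     "Unauthenticated firmware update", 0.5, "major"),
    ("Meter readings manipulated", "Integrity of consumption data",
     "Default credentials on meters", 0.8, "major"),
    ("Customer data disclosed", "Confidentiality of customer data",
     "Default credentials on meters", 0.05, "moderate"),
    ("Metering service unavailable", "Availability of metering",
     "Single head-end server", 3.0, "minor"),
]


def likelihood_of(frequency):
    """Map an estimated annual frequency onto the qualitative scale."""
    step = LIKELIHOOD_STEPS[0]
    for name, lower in LIKELIHOOD:
        if frequency >= lower:
            step = name
    return step


def risk_level(likelihood, consequence):
    """Risk as a function of the two factors: a matrix lookup."""
    row = LIKELIHOOD_STEPS.index(likelihood)
    col = CONSEQUENCE.index(consequence)
    return RISK_MATRIX[row][col]


def aggregate(risks):
    """Merge entries that are the same incident against the same asset.

    Assumption: the contributing scenarios are disjoint, so their frequencies
    add; the worst consequence is kept and the vulnerabilities are unioned.
    """
    merged = {}
    for incident, asset, vuln, freq, cons in risks:
        key = (incident, asset)
        if key not in merged:
            merged[key] = {"frequency": 0.0, "consequence": cons,
                           "vulnerabilities": set()}
        entry = merged[key]
        entry["frequency"] += freq
        if CONSEQUENCE.index(cons) > CONSEQUENCE.index(entry["consequence"]):
            entry["consequence"] = cons
        entry["vulnerabilities"].add(vuln)
    return merged


def evaluate(risks):
    """Analysis plus evaluation: {(incident, asset): (level, acceptable)}."""
    result = {}
    for key, entry in aggregate(risks).items():
        level = risk_level(likelihood_of(entry["frequency"]), entry["consequence"])
        result[key] = (level, level in ACCEPTABLE_LEVELS)
    return result


def group_by_vulnerability(risks):
    """Group the unacceptable risks by shared vulnerability for treatment."""
    merged = aggregate(risks)
    verdict = evaluate(risks)
    groups = defaultdict(set)
    for key, entry in merged.items():
        if not verdict[key][1]:
            for vuln in entry["vulnerabilities"]:
                groups[vuln].add(key[0])
    return dict(groups)


if __name__ == "__main__":
    for (incident, _asset), (level, ok) in evaluate(RISKS).items():
        print(f"{incident:30} {level:6} {'acceptable' if ok else 'UNACCEPTABLE'}")
    for vuln, incidents in group_by_vulnerability(RISKS).items():
        print(f"treat {vuln!r}: {sorted(incidents)}")
```

The point worth noticing is the effect of aggregation: taken on its own, the first entry (0.5 incidents per year, consequence "major") is "unlikely" and evaluates to "medium", but once the two routes to the same incident are merged the frequency crosses into "possible" and the risk becomes "high". The grouping step then shows that the shared vulnerability "Default credentials on meters" is worth treating for the integrity risk even though the confidentiality risk that exploits it is acceptable on its own.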
Chapter 10. Risk Treatment
Abstract
Risk treatment involves deciding on strategies and controls to deal with cyber-risks, and starts with identification of treatments for selected risks. After identifying treatments we assess their effect and consider whether the residual risk is acceptable. If it is, the documentation is finalized and the process terminates, otherwise we need to go back and do another iteration of the treatment identification. This chapter concludes the running example by demonstrating the risk treatment step based on the risk evaluation results from Chap. 9.
Atle Refsdal, Bjørnar Solhaug, Ketil Stølen

Known Challenges and How to Address Them in Practice

Frontmatter
Chapter 11. Which Measure of Risk Level to Use?
Abstract
There is no universal agreement on how to measure risk. The definition of risk in ISO 31000, for example, comes with five notes, each defining risk in a slightly different way. Traditionally, risk value is a function of two factors, namely likelihood and consequence. However, within the field of cybersecurity, three-factor and many-factor definitions are gaining popularity. This chapter discusses the different alternatives and provides advice on when to use which.
Atle Refsdal, Bjørnar Solhaug, Ketil Stølen
Chapter 12. What Scales Are Best Suited Under What Conditions?
Abstract
The selection of the right scale for the right purpose is essential. The selection of scales is particularly important when measuring expert judgments. This chapter gives an overview of relevant kinds of scales and provides advice on which to use when and how the scale should be defined. The chapter also discusses the strengths and weaknesses of qualitative versus quantitative scales. When should we use which, and does it make sense to combine them?
Atle Refsdal, Bjørnar Solhaug, Ketil Stølen
Chapter 13. How to Deal with Uncertainty?
Abstract
In relation to risk assessment, the issue of uncertainty appears at several levels. We may talk about uncertainty in the sense of a specific risk occurring with some likelihood. We may also talk about how certain we are that this estimate of likelihood is correct. In the latter case, we essentially estimate our trust in the former estimate. In this chapter we give recommendations on how to handle the various forms of uncertainty in practice.
Atle Refsdal, Bjørnar Solhaug, Ketil Stølen
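As an added example of the second level of uncertainty the abstract distinguishes (how sure the analysts are of their own estimate), the code below is not from the book; it represents each likelihood and each consequence as an interval in which the analysts believe the true value lies, so the width of the interval expresses their confidence. A quantitative acceptance criterion (a tolerance on expected annual loss) is then applied to the whole interval, which yields three outcomes instead of two: accept, treat, or undecided because the interval straddles the tolerance. For undecided risks a simple sensitivity check, collapsing one factor at a time to its midpoint, tells the analyst which estimate to firm up first. The tolerance, the register and the sensitivity heuristic are all constructed assumptions of this example.

```python
"""Risk evaluation under interval-valued likelihood and consequence estimates.

Added example; this is not code from the book. All numbers are constructed.
"""

# Constructed acceptance criterion: expected annual loss above this is unacceptable.
TOLERANCE = 100_000.0  # EUR per year

# Constructed register: name -> (frequency interval per year, loss interval in EUR).
# A wide interval means the analysts are unsure of the estimate.
RISKS = {
    "Meter readings manipulated": ((0.2, 2.0), (20_000.0, 80_000.0)),
    "Customer data disclosed": ((0.9, 1.1), (50_000.0, 400_000.0)),
    "Metering service unavailable": ((5.0, 10.0), (50_000.0, 100_000.0)),
    "Billing report delayed": ((1.0, 5.0), (1_000.0, 10_000.0)),
}


def expected_loss_interval(freq, loss):
    """Interval arithmetic for frequency x loss (both non-negative)."""
    return (freq[0] * loss[0], freq[1] * loss[1])


def decide(eal, tolerance=TOLERANCE):
    """Compare an expected-loss interval with the tolerance."""
    lo, hi = eal
    if hi <= tolerance:
        return "accept"      # acceptable even in the worst case
    if lo > tolerance:
        return "treat"       # unacceptable even in the best case
    return "undecided"       # the interval straddles the criterion


def dominant_uncertainty(freq, loss, tolerance=TOLERANCE):
    """Heuristic (an assumption of this example): collapse one factor to its
    midpoint at a time; the first that makes the decision determinate is the
    estimate most worth firming up before deciding."""
    def midpoint(iv):
        m = (iv[0] + iv[1]) / 2
        return (m, m)

    if decide(expected_loss_interval(midpoint(freq), loss), tolerance) != "undecided":
        return "likelihood"
    if decide(expected_loss_interval(freq, midpoint(loss)), tolerance) != "undecided":
        return "consequence"
    return "both"


def evaluate(risks, tolerance=TOLERANCE):
    """name -> (decision, factor to investigate if undecided, else None)."""
    result = {}
    for name, (freq, loss) in risks.items():
        decision = decide(expected_loss_interval(freq, loss), tolerance)
        advice = None
        if decision == "undecided":
            advice = dominant_uncertainty(freq, loss, tolerance)
        result[name] = (decision, advice)
    return result


if __name__ == "__main__":
    for name, (decision, advice) in evaluate(RISKS).items():
        extra = f" (reduce uncertainty in {advice} first)" if advice else ""
        print(f"{name:30} {decision}{extra}")
```

Run as written, the manipulation risk is undecided and its likelihood estimate is the factor to firm up (with the frequency fixed at its midpoint the worst case drops under the tolerance), the disclosure risk is undecided because of its consequence estimate, the availability risk must be treated whatever the true values are, and the billing risk is acceptable whatever the true values are. Recording an "undecided" verdict is the honest outcome here; forcing a point estimate would hide exactly the uncertainty the chapter is about.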
Chapter 14. High Consequence Risk with Low Likelihood
Abstract
Risk assessment is said to be unreliable for risks of low likelihood and very high consequence. In this chapter we explain why, and offer guidelines on how to deal with such situations. We also discuss the problem of the “unknown unknown”, often referred to as the “black swan problem”.
Atle Refsdal, Bjørnar Solhaug, Ketil Stølen
Chapter 15. Conclusion
Abstract
This chapter presents the main conclusions of the book. It is structured into three parts. First we draw conclusions on the general theme of cyber-risk management as described in Part I and Part II. Then we do the same for the four issues addressed in further detail in Part III. A technical brief is by its very definition short; hence, much has just been touched on and even more has not been covered at all. We end the chapter by identifying some of these issues.
Atle Refsdal, Bjørnar Solhaug, Ketil Stølen
Backmatter
Metadata
Title
Cyber-Risk Management
Authors
Atle Refsdal
Bjørnar Solhaug
Ketil Stølen
Copyright year
2015
Electronic ISBN
978-3-319-23570-7
Print ISBN
978-3-319-23569-1
DOI
https://doi.org/10.1007/978-3-319-23570-7