5. Overview
• Data breaches rising year by year
• Continued increased requirements in legislation and regulations around
the globe related to information/cyber security and privacy
OAIC (2023). Notifiable Data Breaches Report Jul-Dec 2022
6. Overview (continued)
• Organised crime
• State sponsored
• Hacktivists
• Terrorists
• Individual hackers
• Malicious insiders
• Accidental insiders
Verizon (2022). Data Breach Incident Report
[Figure: 82% – human element]
9. What is risk?
Risk is:
• (the) “effect of uncertainty on objectives” – ISO 31000
• “The possibility that the occurrence of an event will adversely affect
the achievement of the organization's objectives.” – Stanford University
• “The possibility of something bad happening” – Cambridge
10. Risk can be positive too!
Positive versus Negative risk.
• A positive risk has a positive impact on your objectives.
11. Positive versus Negative Risk
• Negative: a data breach occurs, which results in reputational damage
• Positive: outsourcing a critical service, which results in improved uptime
12. Assessing & Calculating Risk
• Qualitative vs quantitative risk
• Qualitative: High, Medium, Low, etc.
• Quantitative: ALE = SLE * ARO (Annualised Loss Expectancy = Single Loss
Expectancy × Annualised Rate of Occurrence)
• SLE = AV * EF (Single Loss Expectancy = Asset Value × Exposure Factor)
13. Risk Appetite, Risk Tolerance, Risk Threshold
• Risk Appetite – the level of risk taking that the organisation considers
acceptable
• Risk Tolerance – the acceptable boundaries and degree of variation
around that appetite
• Risk Threshold – the limit beyond which a risk will not be accepted
15. ISO 31000:2018
• Risk management – guidelines
• Broad; can be applied across any organisation
• Provides both a framework and guidance on processes to manage risk
16. ISO 27005:2022
• Information security, cybersecurity and privacy protection —
Guidance on managing information security risks
• Follows the same structure as other ISO standards/documents
• Provides guidance on managing risk in the context of information
security
17. NIST 800-37 r2
• Risk management framework for information systems and
organisations
• Describes the NIST risk management framework (RMF)
• Used to manage security and privacy risk
• Free!
20. Scope…
• Identify the scope of the cyber defence program
• What are the high value assets? (the risk assessment should help with
that and the one below!)
• What is likely to be exploited?
21. Key Elements of a Cyber Defence Strategy
• Gap Analysis
• Security Controls
• Awareness & Culture
• Data Management
• Monitoring & Measurement
• Continual Improvement
22. Security Controls
• Technical & Administrative controls
• Designed to mitigate (and reduce) identified risk
• Can be costly, so it’s important to select the controls that provide the
greatest benefit for the identified risk
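The quantitative formulas from slide 12 applied to the control-selection point above: ALE before and after each candidate control, minus its annual cost, gives a ranking of which control buys the most risk reduction per dollar. This is an added example, not material from the original deck; the asset value, exposure factors, occurrence rates and control costs are constructed figures for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV: value of the asset in dollars
    exposure_factor: float  # EF: fraction of AV lost per incident (0..1)
    aro: float              # ARO: expected incidents per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # yearly cost of operating the control
    new_ef: float           # EF once the control is in place
    new_aro: float          # ARO once the control is in place


def sle(s: Scenario) -> float:
    """Single Loss Expectancy: SLE = AV * EF."""
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualised Loss Expectancy: ALE = SLE * ARO."""
    return sle(s) * s.aro


def control_value(s: Scenario, c: Control) -> float:
    """Net annual benefit: ALE before - ALE after - cost of the control.
    A negative value means the control costs more than the risk it removes."""
    after = replace(s, exposure_factor=c.new_ef, aro=c.new_aro)
    return ale(s) - ale(after) - c.annual_cost


def rank_controls(s: Scenario, controls: list) -> list:
    """Controls sorted by net benefit, best first, as (value, name) pairs."""
    return sorted(((control_value(s, c), c.name) for c in controls), reverse=True)


# Constructed sample: a customer database worth $500k, a breach is expected
# to destroy 40% of that value, and one is expected every two years.
DB = Scenario("customer database", 500_000, 0.4, 0.5)
CONTROLS = [
    Control("Backups with tested restore", 15_000, new_ef=0.1, new_aro=0.5),
    Control("MFA on admin access", 8_000, new_ef=0.4, new_aro=0.2),
    Control("Enterprise DLP suite", 120_000, new_ef=0.05, new_aro=0.1),
]

if __name__ == "__main__":
    print(f"SLE={sle(DB):,.0f}  ALE={ale(DB):,.0f}")
    for value, name in rank_controls(DB, CONTROLS):
        print(f"{value:>10,.0f}  {name}")
```

The last control reduces risk the most in absolute terms but still ranks last, because its annual cost exceeds the annualised loss it prevents.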
23. Awareness & Culture
• 82% of data breaches involved a human element (Verizon, 2022)
• Security controls can only go so far; people are the last line of defence
24. Data Management
• Do you know where your data is?
• Do you know what your data is?
• Is it subject to any legal, regulatory, or contractual obligations?
• How is it currently protected?
25. Monitoring & Measurement
• Are you monitoring your environment?
• Is your monitoring centralised and adequately protected?
• Are you monitoring your security posture?
• What measures are needed to demonstrate effectiveness and ROI?