FDseminar IT Risk - Yuri Bobbert - Antwerp Management School
1. Maturing Business Information Security (MBIS)
Yuri Bobbert
10 October 2017
IT Risks & Cyberrisks: An academic practitioners view
2. Contents
Introduction
Context
What is information security versus Cyber Security?
Developments and the security picture of the Netherlands
Research examples: Governance, Management and Operations
The role of the CISO
Value Enablement
End
3. Introduction: Yuri Bobbert
Visiting researcher and lecturer at Antwerp
University & Radboud University
Chief Information Security Officer (CISO) at NN
Group (+DeltaLloyd) (Financial Services)
Former interim CISO at UWV (Government)
Professor (lector) at NOVI University of Applied
Sciences in Utrecht
Founder of Maturing Business Information
Security Methodology & Community
(www.mbis.eu)
6. Context
Internet of Things
Cloud
CaaS
Corporate Espionage
Value of Data
Regulations
Cyber resilience due diligence
Integrated reporting
Innovations
Source: Ponemon 2016
World Economic Forum 2017
7. Development of Cybercrime; from network to software/applications
Source: Trend Micro
Figure (Trend Micro): Crimeware timeline, damage caused by cybercrime, 2001 to 2010: vulnerabilities, worm outbreaks, spam and mass mailers, spyware, intelligent botnets, web threats; 2012+: targeted attacks and mobile attacks.
9. Our biggest cyber challenges
Source: CSBN 2016
Professional criminals carry out long-lasting and high-quality operations
Digital economic espionage by foreign intelligence services puts a strain on the competitiveness
of European companies
Ransomware is commonplace and has become even more advanced
Advertising networks have not yet shown the ability to cope with malvertising
10. What’s the problem?
Low Business Information Security “maturity”
Leads to unknown risks and incidents
Has effect on the (perceived) success of firms (WEF)
Quest for practical methods to implement Information Security Governance and management processes, structures and relational mechanisms
Source: Bobbert, Mulder 2015 ICCICN
11. From IT Security to Business Information Security
Source: Bobbert, Hubbard
Enterprise Risk Management is the overarching domain for Information Risk Management; ensuring proper controls is the discipline of Information Security
Information Security Controls consist of IT Controls, Process Controls and People Controls
Business Continuity is part of Enterprise Risk Management and consists of physical and digital controls
Figure: nested domains, from outermost to innermost: Enterprise Risk Management; Business Continuity and Information Security; Information Technology (IT), Cyber Security and IT Security
14. From Governance to operations
Presence of Information Security Management practices
Absence of Information Security Governance practices
Source: Bobbert
17. The role of the CISO; Enable Value
“The CISO is generally the ‘heart and soul’ of an information security program in most organizations. There is no better way to obtain a pulse regarding cyber risk,” according to the IIA [327].
The CISO “defines the information security strategy and organises and manages the organisation’s information security in line with the organisation’s needs and risk appetite”, according to the European Competence Framework [328].
In 2015 Accenture [330] did research into so-called “leapfrog companies” that outperform others in the field of Information Security, for example due to the positioning of the CISO as a strategic role: “These relatively new aspects of the role require CISOs to be successful change agents. To do this they need to be able to reflect on, and understand, the impact of their role on organisational culture.”
The IT Policy Compliance Group reports that firms that standardise procedures and controls for IS and manage IS via a dedicated IS staff led by a CISO achieve 8.5% higher revenue than industry averages (n = 3000 organisations) [329].
Hooper et al. state that “organisations need to embrace their concern about cybersecurity and build it into their selection criteria for board members” [333].
Source: IIA, Accenture, Bobbert, Hooper et al
18. The role of the CISO; Enable Value by measuring
Source: ISACA, Bobbert
Figure (COBIT): management domains Plan (APO), Build (BAI), Run (DSS) and Monitor (MEA); governance cycle Evaluate, Direct, Monitor.
Governance: the creation of a setting which others can manage effectively
Management: the making of operational decisions
Operations: the operational effectuation of management decisions
METRICS
Risk appetite thresholds
# of Business Risks and EUR impact
# of relevant Stakeholders
Compliance percentage
Maturity level
METRICS
Number and percent of information security incidents related to changes made in assets
Number and percent of information security incidents related to changes made in accounts
Percent of (un)authorized assets
Percent of (un)authorized accounts
Average time for update/change of asset
Average time for update/change of account
...
METRICS
Number of breaches
Number of threats identified
Number of vulnerabilities discovered
Number of information security incidents and their risk rankings
Number of information security violations
Average time to resolve information security incidents
Number and percent of information security incidents causing disruption to business-critical processes
...
METRICS
Identity number of information leakage events
Identity number mean time to resolve information security incidents
Identity number and percent of information security-related incidents causing disruption to business-critical processes
Identity number of information security incidents open/closed and their risk rankings
Identity number of recurring information security problems that remain unresolved
Identity number of vulnerabilities discovered
Identity number of incidents involving endpoint devices
Identity number of unauthorised devices detected on the network or in the end-user environment
Identity average time between change and update of accounts
Identity number of incidents relating to unauthorised access to information
Identity number of threats identified
Identity number of information security violations
Identity percent of availability, performance and capacity incidents per year caused by information security controls
Identity number of information security incidents caused by operational problems
Identity number of firewall breaches
...
19. Value Creation: Value contributors
Increase stakeholders’ trust (World Economic Forum, OECD)
Corporate Social Responsibility ladder on IT Risk & Cyber Security (S&P, DJI, MVO)
Responsible disclosure on Information Security has a positive effect on the perceived value of the firm
Providing greater confidence and trust with customers via In Control statements (ISAE, ISO, SOC1/2)
Reducing operational costs by providing predictable outcomes, mitigating risk factors that may interrupt the process
Increase the number of new customers (Hunter & Westerman, 2007)
Increase the number of passed audits (COBIT 5)
Increase in resilience (Amazon)
Marketing differentiation (Pharmaceuticals, Carriers, Telcos)
Decrease the number of Compliance penalties (COBIT 5)
Decrease the number of Privacy Violations (ITGI, 2005) (ENISA)
Strengthening reputation (Peters, 2012)
20. Further Reading
http://www.b-able.nl/nl/news/video/ : Panel discussion Dick Schoof & Prof S. de Haes
Gordon, L.A., M.P. Loeb and T. Sohail, “A Framework for Using Insurance for Cyber Risk Management,” Communications of the ACM, March 2003. This paper examines the unique aspects associated with cyber risk and presents a framework for using insurance as a tool for helping to manage information security risk.
Campbell, K., L.A. Gordon, M.P. Loeb and L. Zhou, “The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market,” Journal of Computer Security, Vol. 11, No. 3, 2003. This study examines the economic effect of information security breaches on the stock market value of corporations.
Gordon, L.A., M.P. Loeb and L. Zhou, “The Impact of Information Security Breaches: Has there been a Downward Shift?,” Journal of Computer Security, Vol. 19, No. 1, 2011. This paper shows that information security breaches have had a significant impact on the stock market returns of some firms, but there has been a significant downward shift in the impact of such breaches in the sub-period following 9/11/2001.
Gordon, L.A., M.P. Loeb and T. Sohail, “Market Value of Voluntary Disclosures Concerning Information Security,” MIS Quarterly, Vol. 34, No. 3, 2010. This paper provides strong evidence that voluntary disclosures concerning information security, in annual reports filed with the SEC, are positively associated with the stock market value of firms.