Slide 1: Improving Cyber-Risk Analysis and Communication: 4 Fresh Ideas
Stephen Cobb, CISSP
Slide 2:
Stephen Cobb has been researching computer security and data privacy for 30 years, helping companies, consumers, and government agencies to manage cyber risks, with a focus on emerging threats and policy issues. Cobb holds a master’s in security and risk management and has been a CISSP since 1996. He heads a US security research team for ESET, one of the world’s largest security software vendors.
Stephen Cobb, Sr. Security Researcher, ESET North America
Slide 3: AGENDA
1. Risk analysis & communication
2. The Guided Tour
3. The Cyber Tub
4. The Risk Deck
5. The Long Tail
Slide 4: Risk analysis and communication
• Vital if you need to secure information systems
• But analyzing information system risk is difficult
• Communicating risks to all stakeholders is challenging
• People learn in different ways
• Risk perception varies too
Slide 5: AN EXAMPLE
Hired by ESET in 2011 as Security Evangelist
Tasked with raising awareness of information system risks
My first thought: people don’t realize cybercrime is a business
That skews risk assessment
Slide 7: The Guided Tour
• Show them the sights
• Let them draw their own conclusions
• Can be more effective than “experts say”
• For example, let’s show the dark web to Kai Ryssdal on Marketplace, and hear what conclusions he draws
[image slides: RANSOMWARE, CRYPTO-MINER, DDOS TOOLS, TROJAN/RAT]
Slide 12: Brief history of science and bath tubs
• Then: Archimedes – Eureka! Volume of an irregular object is equal to the amount of water displaced
• Now: Shortridge – Cyber! Current risk equals flow of new risk minus mitigation, removal, transfer
Slide 13: The Cyber Tub
• The amount of information system risk changes over time
Slide 14: The Cyber Tub
[diagram: tub filling with risk (R) from the spout]
The Spout: a steady stream of risk
Slide 15: The Cyber Tub
[diagram: tub with spout and drain, risk (R) accumulating]
The Drain: reducing the risk (but does it drain fast enough?)
Slide 16: The Cyber Tub
[diagram: tub with spout, drain and bucket]
The Bucket: major risk reduction
Could be messy? Where to dump the risk?
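The Cyber Tub model from slides 12 to 16 (current risk equals new risk flowing in minus mitigation, removal and transfer) is easy to put into working code. The simulation below is an added example for this page, not code from the talk or from Kelly Shortridge, whose model it illustrates. Its assumptions are mine: discrete time periods, a constant spout rate, a drain limited by a per-period mitigation capacity (with an optional clog factor for the "does it drain fast enough" question), and bucket dumps modelled as scheduled lump removals or transfers. All rates and capacities are constructed numbers.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example of the "Cyber Tub" model: current risk = new risk flowing in
# minus mitigation (drain), removal and transfer (bucket). Assumptions are mine:
# discrete periods, a constant spout, a capacity-limited drain, scheduled bucket dumps.


@dataclass
class Period:
    t: int            # period number, 1-based
    risk: float       # risk left in the tub at the end of the period ("R" units)
    drained: float    # risk removed by routine mitigation this period
    dumped: float     # risk removed/transferred by a bucket dump this period


def simulate_tub(spout_rate: float, drain_capacity: float, steps: int,
                 bucket_schedule: Optional[Dict[int, float]] = None,
                 clog_factor: float = 1.0, start: float = 0.0) -> List[Period]:
    """Run the tub for `steps` periods and return the per-period history.

    spout_rate      new risk arriving every period (new systems, new threats)
    drain_capacity  maximum risk the drain can remove per period (patching, hardening)
    bucket_schedule {period: amount} lump removals/transfers (decommission, insure, outsource)
    clog_factor     1.0 = drain fully working, 0.5 = half clogged (backlog, staff shortage)
    """
    bucket_schedule = bucket_schedule or {}
    risk = start
    history: List[Period] = []
    for t in range(1, steps + 1):
        risk += spout_rate                                   # the spout never stops
        drained = min(risk, drain_capacity * clog_factor)    # the drain is capacity-limited
        risk -= drained
        dumped = min(risk, bucket_schedule.get(t, 0.0))      # the bucket: big, lumpy reduction
        risk -= dumped
        history.append(Period(t, risk, drained, dumped))
    return history


def drains_fast_enough(spout_rate: float, drain_capacity: float,
                       clog_factor: float = 1.0) -> bool:
    """Steady-state check: the level stops rising only if effective drain rate >= spout rate."""
    return drain_capacity * clog_factor >= spout_rate


def overflow_period(history: List[Period], tub_capacity: float) -> Optional[int]:
    """First period in which risk reaches the rim (the level stakeholders consider unacceptable)."""
    for p in history:
        if p.risk >= tub_capacity:
            return p.t
    return None


if __name__ == "__main__":
    # Constructed scenario: 10 R/period arrive, the team can mitigate 8 R/period,
    # and the rim (risk appetite) is 30 R. Without a bucket the tub overflows.
    base = simulate_tub(spout_rate=10, drain_capacity=8, steps=20)
    print("drains fast enough:", drains_fast_enough(10, 8))
    print("overflow at period:", overflow_period(base, tub_capacity=30))
    # A bucket dump (e.g. retiring a legacy system) at period 10 buys time but
    # does not fix the underlying imbalance between spout and drain.
    with_bucket = simulate_tub(10, 8, 20, bucket_schedule={10: 15})
    print("overflow with one bucket dump:", overflow_period(with_bucket, tub_capacity=30))
    for p in with_bucket:
        print(f"t={p.t:2d} risk={p.risk:5.1f} drained={p.drained:4.1f} dumped={p.dumped:4.1f}")
```

The useful lesson for a risk conversation is in the two overflow checks: with the spout at 10 and the drain at 8 the tub reaches the rim in period 15 no matter how hard the team works, a single bucket dump only postpones that, and the only permanent fix is to change the spout rate or the drain capacity. The `clog_factor` argument lets you show what a patching backlog or staffing gap does to the same picture.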
Slide 17: The Risk Deck
• Helps people to imagine “what could possibly go wrong”
• Create scenarios to consider, evaluate, table top
• Based on large database of threats
• And weighted risk scores
• Can I get five volunteers?
Slide 18: The Risk Deck
• Actor
• Vulnerability
• Target
• Consequence
• Risk
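The card categories on slides 17 and 18 can be turned into a small scenario generator with weighted scores. The code below is an added example for this page and is not Emergynt's Risk Deck, its threat database or its scoring method. It assumes that Actor, Vulnerability, Target and Consequence are drawn as cards and that Risk is the score computed from them, which is my reading of the five categories; the cards, their 1 to 5 weights and the likelihood-times-impact scoring rule are all constructed for illustration.

```python
import random
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple

# Added example of a "risk deck": draw one card per category to build a tabletop
# scenario and give it a weighted score. Cards, weights and the scoring rule are
# constructed for illustration; they are not Emergynt's deck or database.


@dataclass(frozen=True)
class Card:
    category: str
    text: str
    weight: int  # 1 (low) .. 5 (high); constructed, not from a real threat database


CATEGORIES = ("Actor", "Vulnerability", "Target", "Consequence")

DECK: Dict[str, List[Card]] = {
    "Actor": [
        Card("Actor", "financially motivated crime group", 4),
        Card("Actor", "disgruntled insider with valid access", 3),
        Card("Actor", "opportunistic scanner running public exploits", 2),
    ],
    "Vulnerability": [
        Card("Vulnerability", "unpatched internet-facing server", 5),
        Card("Vulnerability", "staff susceptible to phishing", 4),
        Card("Vulnerability", "default credentials on a smart device", 3),
    ],
    "Target": [
        Card("Target", "customer database", 5),
        Card("Target", "payroll system", 4),
        Card("Target", "building HVAC controller", 2),
    ],
    "Consequence": [
        Card("Consequence", "regulatory fines and breach notification", 5),
        Card("Consequence", "multi-day ransomware outage", 4),
        Card("Consequence", "nuisance downtime", 1),
    ],
}

Scenario = Dict[str, Card]


def draw_scenario(seed: int, deck: Dict[str, List[Card]] = DECK) -> Scenario:
    """One volunteer per category draws a card; the four cards form the scenario.
    A seed keeps the draw reproducible so a tabletop can be re-run later."""
    rng = random.Random(seed)
    return {cat: rng.choice(deck[cat]) for cat in CATEGORIES}


def score_scenario(s: Scenario) -> int:
    """Weighted score 0..100: likelihood (actor x vulnerability) times impact (target x consequence).
    This likelihood-times-impact rule is the example's assumption, not the deck's own method."""
    likelihood = s["Actor"].weight * s["Vulnerability"].weight / 25
    impact = s["Target"].weight * s["Consequence"].weight / 25
    return round(100 * likelihood * impact)


def describe(s: Scenario) -> str:
    """Readable 'what could possibly go wrong' sentence for the tabletop."""
    return (f"A {s['Actor'].text} exploits {s['Vulnerability'].text} "
            f"to reach the {s['Target'].text}, causing {s['Consequence'].text}.")


def rank_all_scenarios(deck: Dict[str, List[Card]] = DECK) -> List[Tuple[int, str]]:
    """Enumerate every combination and sort by score, highest first, to choose exercises."""
    ranked = []
    for combo in product(*(deck[cat] for cat in CATEGORIES)):
        s = dict(zip(CATEGORIES, combo))
        ranked.append((score_scenario(s), describe(s)))
    ranked.sort(key=lambda pair: (-pair[0], pair[1]))
    return ranked


if __name__ == "__main__":
    drawn = draw_scenario(seed=2018)
    print(f"[{score_scenario(drawn):3d}] {describe(drawn)}")
    print("\nTop 3 scenarios to table-top first:")
    for score, text in rank_all_scenarios()[:3]:
        print(f"[{score:3d}] {text}")
```

Two uses follow from the same deck: a random draw gives the five volunteers a scenario to walk through, and `rank_all_scenarios` enumerates every combination so the facilitator can pick the highest-scoring ones for a formal tabletop rather than relying on whichever cards came up.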
Slide 19: The Long Tail (Cassandra Effect)
• New technologies create new risks
• Faster than risk assessments are updated
• Leading to breaches and other problems
• But can we show that this will happen
• With enough certainty to justify
• X amount of effort/spending to prevent it?
• Well, we have 36 years of data (1982-2018)
1. PC
2. Modem
3. Macros
4. LAN/WAN
5. Internet
6. Email
7. Web 1.0
8. Wi-Fi
9. GPS
10. USB/BT/RFID
11. Web 2.0
12. Smartphones
13. Cloud
14. Connected cars
15. Industry 4.0
16. Blockchain
17. ML/AI
18. Drones
19. 5G
20. Autonomous cars
Slide 20: Giz-Mi’s Long Tail
• Giz-Mi goes to market (without adequate security)
• Giz-Mi deployed inside organizations but outside IT
• Variety of researchers probe Giz-Mi (academics, hackers)
• Giz-Mi vulnerabilities identified, exploits and PoCs appear
• Bad actors use Giz-Mi to compromise information systems
• Attempts made to secure Giz-Mi (patch, bolt on security)
• Giz-Mi warnings are issued, bans proposed, hands wrung
• Alternatives to Giz-Mi appear (without adequate security)
Slide 21: Ahead of the curve?
[chart: technology timeline, labels Mainframe, Mini computer, PC, Modem, LAN/WAN, Internet, Email, Macros, Web 1.0, Wi-Fi, GPS, BT/USB/RFID, Web 2.0, Smartphones, Cloud, IoT, Blockchain, Connected cars, Industry 4.0, ML/AI, Drones, 5G, Autonomous vehicles]
• Identify risks during development
• Communicate “inevitable” consequences
• Demonstrate benefits of security investment
• Control what is deployed, when, and how
Slide 23: THANK YOU!
stephen.cobb@eset.com
WeLiveSecurity.com
CREDITS
Cyber Tub: Kelly Shortridge, kelly@greywire.net
The Risk Deck: Emergynt, earl@emergynt.com
The Long Tail: Gadi Evron, gadi@cymmetria.com
ACOD = Art into Science: A Conference for Defense – artintoscience.com

Editor's Notes

  • #2 I’ve been researching information system security for 30 years. Born in Coventry, England, Britain’s Detroit. So I like car analogies. Here’s one about AI/ML. Has anyone started out on a car journey and arrived seriously late, car troubles, traffic? Yes? So how do you avoid that?
  • #7 Note the screens don’t match
  • #8 3 Minutes 45 seconds
  • #10 Talk about how he sees things
  • #12 Archimedes' principle states that the upward buoyant force that is exerted on a body immersed in a fluid, whether fully or partially submerged, is equal to the weight of the fluid that the body displaces and acts in the upward direction at the center of mass of the displaced fluid.
  • #15 Clogged
  • #20 Gadi
  • #23 Art into Science: A Conference for Defense