Examining Cybersecurity from a Risk-Management Viewpoint
By Edward J. Hawkins, II
In today’s interconnected world, cybersecurity has a lot of different meanings, depending on your understanding of cybersecurity and how it is used in a business environment. What is even more confusing is the number of definitions that define this term.
For example, the National Initiative for Cybersecurity Careers and Studies (NICCS) defines cybersecurity as: “Strategy, policy, and standards regarding the security of and operations in cyberspace, and encompass[ing] the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure.”
This definition includes several terms common to risk management. Whether you view risk in terms of threat and vulnerability reduction, incident response or resiliency, cybersecurity risk management has a significant impact on an organization and on the personal and professional lives of individuals.
Risk Management and Cybersecurity Closely Linked
Cybersecurity expert John R. Mallery says, “Security is not about hardware and software…[it] is a process.” This is an important concept for an organization to adopt in its risk management. Risk management can be used to leverage multiple solutions to bolster an organization’s security.
There are two traditional views of threat actors associated with risk: natural disasters and man-made problems. These two basic views can be further broken down into various categories.
Some threat actors can fall into multiple categories, such as fire or floods. Threat actors can also be combined to create a compound risk.
Risk, Threat and Vulnerability Assessments Not the Same
To effectively understand which threat actors pose the greatest threats to an organization and increase its security risk, a risk assessment must be conducted. As security expert Douglas Landoll notes in The Security Risk Assessment Handbook, there is confusion within organizations regarding the relationship among risk, threat and vulnerability assessments.
While these assessments are related, they are also very specific in their ability to assist an organization in its cybersecurity defense efforts. For example, a risk assessment commonly evaluates a known vulnerability exploited by a threat actor.
A threat assessment, by contrast, determines what types of threat actors may affect an organization in a specific location. A vulnerability assessment explains which systems or data, sensitive or critical to the organization, might be affected if a threat actor exploits a given weakness.
According to Landoll, a risk assessment “is an objective analysis of the effectiveness of the current security controls that protect an organization’s assets and a determination of the probability of losses to those assets.” This all-encompassing view should be used as the driving force behind a comprehensive cybersecurity program.
Organizations Need to Look Inward and Examine Potential Reasons for Threat Actor Attacks
Much cybersecurity-based literature agrees that threat actors use various techniques to gain unauthorized access to an organization’s systems. Therefore, it is critical for organizations to ask themselves certain questions, such as:
- Why am I a target?
- How do I reduce my likelihood of being attacked?
The reasoning behind these questions is to understand why a threat actor chooses to attack an organization. The answer may be found in an organization’s mission statement or policies.
But answers to the second question depend on multiple factors. Some of these factors can be attributed to environmental conditions, current security defenses or a threat actor’s level of motivation.
Cybersecurity Defenses Must Reflect Organization’s Mission and Goals
It is impossible to provide specific solutions for every possible situation, because every organization and its security configuration are different. However, cybersecurity defenses need to reflect the organization’s mission statement and its goals. That will lead to critical asset identification, protection requirements, the identification of potential associated risks and the determination of the best possible solution to meet cybersecurity requirements.
About the Author
Edward J. Hawkins II is a graduate of AMU with a Master of Science in Information Technology, with a concentration in Information Assurance and Security, and a Graduate Certificate in Digital Forensics. He is a former Navy Information System Technician First Class Petty Officer and holds numerous certifications in information technology systems. Reach out to Ed on LinkedIn.