Cyber-Security Risk Management Framework ( RG CSRM 2015)
RISK GROUP CYBER-SECURITY RISK MANAGEMENT FRAMEWORK (CSRM)

ABSTRACT

The Security-Centric Cyber-Security Risk Management (CSRM) framework expands on both the Internal Control Framework and the Enterprise Risk Management Framework and proposes an effective Integrated NGIOA (nations: their governments, industries, organizations and academia) Risk Management framework to manage the changing nature of Security* risks in Cyberspace, Geospace and Space (CGS).

Jayshree Pandya

EXECUTIVE SUMMARY
RG CSRM 2015 Copyright Risk Group LLC All Rights Reserved
Cyber-Security Risk Management Framework (CSRM)
INTRODUCTION

The connected computers and the digital global age have brought complex, chaotic and turbulent times for every nation: its government, industries, organizations and academia (NGIOA). Failures at all levels have become self-evident, repetitive and destructive, and NGIOAs are caught off guard by them.

When NGIOAs seem to be in visible crisis, what is the adequate amount of independent and interdependent Cyber-Security risk that any entity within an NGIOA should accept? This is probably one of the most important questions decision-makers across NGIOA face today.
In 2012, Risk Group proposed Integrated NGIOA Risk guidelines to help nations identify, evaluate, understand and manage the interconnected and interdependent risks facing their NGIOA. The proposed guidelines are far from being ignored: they are now being acknowledged, discussed, debated and articulated for incorporation, to better manage the current and emerging risks facing NGIOA in Cyberspace, while simultaneously providing a foundation that brings integrity, transparency, predictability, integration, security and scalability to the discipline of Risk Management itself.
Over the years, there has been heightened concern about the lack of effectiveness of the current approach to risk management, driven by critical threats brought on by rapidly changing global fundamentals and by the inability of risk management programs to predict critical risks at all levels. It became increasingly clear that the approach to risk management needed to be re-evaluated.

Moreover, when computer code, connected computers and the ecosystem that makes up Cyberspace began to bring complex challenges to everyone and everything, from Geospace to Space, the need for a new way of identifying, evaluating and managing risks became even clearer and more urgent. This tectonic shift in the nature of risks brought on by Cyberspace is creating complex challenges for every NGIOA. As computer code and connected computers blur the line between Geospace, Cyberspace and Space, it must be understood that the current approach to risk management cannot give any entity within any NGIOA the ability to manage risks effectively while bringing security and sustainability to its initiatives. Managing Cyberspace and Cyber-Security risks requires not only the integration of Cyberspace with Geospace and Space (CGS) but also a fine balance of cooperation and collaboration between, within and across NGIOA, and from their people, processes, proficiency and prudence.
These challenges prompted Risk Group to define and propose a robust Cyber-Security Risk Management
(CSRM) framework that would effectively identify, evaluate, and manage not only Cyberspace and
Cyber-Security risks but integrated CGS Risks. This framework could be readily used by each and every
entity within any NGIOA at all levels to evaluate and improve their independent and interdependent
Cyber-Security risk management capabilities.
The period from the guideline proposal to the Cyber-Security Risk Management framework has been marked by a series of high-profile Cyber-Security breaches and other global, national, local and industrial crises, scandals and failures in which nations, their governments, investors, businesses, individuals and other stakeholders, individually and collectively, suffered tremendous losses in many forms. In the aftermath of each crisis, there were calls for enhanced and effective governance, management and risk management capabilities, with effective institutions, structures, systems, frameworks, governance models, laws, regulations and standards. The need for a Cyber-Security risk management framework that provides a new definition of security, a new approach to security, key security risk principles and concepts, a common security risk language, and clear security direction and guidance able to integrate security risks in cyberspace, geospace and space became even more compelling at all levels across nations.
Risk Group believes that the proposed Cyber-Security Risk Management Framework (CSRM) fills the
need, and Risk Group hopes that it will bring effectiveness to the discipline of Risk Management and
provide NGIOA an effective way to manage its complex security risks in CGS.
THE RISK MANAGEMENT FRAMEWORK

Internal Control Framework

The Internal Control Framework is defined by many as a process for assuring the achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and strict compliance with laws, regulations and policies. While it continues to serve as the broadly accepted standard for satisfying regulatory reporting requirements, requiring an entity's management to certify, and the independent auditor to attest to, the effectiveness of those systems, it clearly lacks the ability to identify and manage the critical security risks facing NGIOA today in CGS.
Enterprise Risk Management Framework

ERM, according to the Casualty Actuarial Society, is a widely popular approach to managing enterprise risks in which an entity in any industry assesses, controls, exploits, finances and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders. The ERM framework expands on the internal control framework and provides a more comprehensive focus on the broader issue of Risk Management. Yet while the ERM framework has gained popularity:

• It lacks the ability to anticipate global, national or industry crises
• It lacks a framework to assure comprehensive Integrated Risk Management
• Its approach is largely reactive
• It widely promotes transfer of risk and insurance of risk over prevention or management of risk, thereby creating bigger, more complex and more catastrophic risks
• It focuses on a narrow definition of an "enterprise"
• It focuses on a narrow "risk" perspective
• It focuses on a narrow and outdated definition of security and lacks the ability to address the changing nature and fundamentals of "security"
Cyber-Security Risk Management Framework

The Cyber-Security Risk Management (CSRM) framework expands on both the Internal Control Framework and the Enterprise Risk Management Framework, giving each and every NGIOA an effective Security-Centric Risk Management framework that provides:

• A forward-looking way to identify and manage independent and interdependent risks
• Integrity, neutrality and a collective approach to managing risks
• A non-partisan, neutral and objective focus on managing global, national and local risks

In addition, it also:

• Reverses the focus from transferring risks to preventing risks
• Embeds strategic risks as a vital part of the risk management framework
• Changes the approach to an enterprise and makes it more inclusive of today's global reality
• Connects cyberspace risks to geospace and space risks (CGS)
• Integrates governments' risks with industries', organizations' and academia's risks to give a comprehensive overview of nations' risks (NGIOA)
• Integrates nations' risks to give a comprehensive view of global risks
• Provides and promotes a proactive approach to managing risks
• Promotes prevention and management of risks over transfer of risks
• Addresses the changing nature and definition of security and provides a security-centric risk management framework ability and capability
While the goal of the security-centric CSRM is to bring effectiveness to the field of Risk Management itself in a digital global age, Risk Group recognizes the slow pace of change historically observed across nations in acknowledging the need for change, accepting the change and implementing the change itself.

When the most critical challenge for decision-makers at all levels across NGIOA is determining how much risk they are prepared to take for their initiatives as they strive to survive, sustain and create value in cyberspace, this proposed security-centric CSRM Framework will better enable them to meet that challenge. The implementation of a security-centric CSRM framework will support and improve independent and interdependent risk awareness at every level of NGIOA, from strategic to operative, from cyberspace to geospace and from management to employees.
The proposed security-centric CSRM framework provides an integrated risk management approach that addresses the global shifts of the digital global age, laying out the much-needed foundation of an integrated NGIOA risk governance framework. This security-centric integrated risk management framework makes a convincing case for the far-reaching need for, and understanding of, integrated security risk concepts, integrated security risk fundamentals and integrated NGIOA risk governance models. The integrated security-centric CSRM approach proposed and discussed here is rational, practical, scalable and feasible. It will help create a dynamic, vibrant and sustainable approach to managing the cyber-security risks of a digital global age. This initiative is a first step towards that.
Jayshree Pandya
Founder: Cyber-Security Risk Research Center at Risk Group
*Risk Group defines Security as the state of industries and businesses, systems and infrastructure,
innovation and technology, governance model and governments, products and services, intellectual
property and trade secrets, people and processes, survival and sustainability, education and academia,
philanthropy and poverty, research and development, regulations and compliance, robotics and artificial
intelligence, information and communication—being free from danger or threat of Cyberspace.
EXECUTIVE SUMMARY
The underlying premise of security-centric Cyber-Security Risk Management Framework (CSRM) is that,
in the interconnected and interdependent digital global age, no entity within any NGIOA can effectively
manage their security* risks independently. Even if an entity manages its private security risks
independently, the interconnected and interdependent risks facing them will undermine the isolated
and independent risk management effort and program, and make the entity vulnerable to catastrophic
events.
RELATIONSHIP BETWEEN SECURITY AND NGIOA COMPONENTS

There is no such thing as "secure" anymore. Security is rapidly becoming a complex challenge for every NGIOA. Cyberspace is fundamentally changing the definition and meaning of security across NGIOA. Incorporate it into Geospace and Space and the complex security challenges hit the roof.
Cyberspace has put nations under strong pressure to change how they define, understand, operate, govern and manage their security risks, so the question is how that can be achieved when:

• Individual security is tied to collective NGIOA security
• External security threats have ties to internal security threats
Security needs to be at the center of each and every discussion within any NGIOA, not only about threat, conflict, defense and war, but also about progress and development. While the formation of an individual security framework (for an entity within an NGIOA) and of a collective security framework (for the NGIOA) are becoming inseparably linked in cyberspace, the question arises as to the reasons behind the reluctance to accept the need for structured collaboration. Since any single individual entity is connected to other individual entities within its sector and industry, along with its connections to organizations, academia, other industries and governments at all levels, there is presumably a collective requirement for a cyber-security risk management framework and a cyber-security risk governance authority.

Security is thus a condition of all individuals, organizations, academia, industries and governments (NGIOA-I).
There is also a growing concern that many nations seem too weak, or too far failed, to provide their own NGIOA-I with the necessary security in cyberspace. Moreover, most nations with their current governance models are far from being ideal providers of cyber-security.
Technology and Threats are forever intricately linked now, just like People and Processes.
The security concept is currently being subjected to big changes with respect to its aims, capabilities, sources, connectivity and the dimension of threats. In the new era of cyberspace, the security threat has no visible front, borders or armies.

Governments exist to provide value to their citizens, businesses across industries exist to provide value to their stakeholders, organizations exist to provide value to their initiatives and academia exists to provide value to its students. All of them, independently and collectively, face complex security challenges and uncertainties from cyberspace in the digital global age. Amidst that, the challenge for decision-makers across NGIOA is to determine what security risks they face in cyberspace and the rapidly changing digital global economy, independently and collectively, and how much uncertainty they are exposed to and forced to accept as they strive to survive, sustain, grow, develop and advance.
The current uncertainty brought on by cyberspace and the digital global economy presents both security risk and strategic opportunity to each component of NGIOA, with the potential to erode or enhance a nation's value, independently and collectively.

The Cyber-Security Risk Management Framework (CSRM) enables decision makers to deal effectively with cyberspace and digital global economic uncertainty, enhancing the capacity and capability to collectively build value as a nation.
The strategic value of a nation is maximized when NGIOA decision makers collectively set national
strategy and objectives, so as to strike an optimal balance between growth and goals, its related risks
and rewards, and its security and sustainability while efficiently and effectively deploying resources in
pursuit of independent entity goals tied to collective national objectives.
Cyber-Security Risk Management (CSRM) encompasses first and foremost:

• Integrating cyberspace with geospace and space (CGS)
• Integrating nations: their governments, industries, organizations and academia (NGIOA)
• Re-defining security* in cyberspace and understanding its NGIOA integration points
In addition, the security-centric Cyber-Security Risk Management (CSRM) framework should individually and collectively involve:

• Identifying and Aligning Security-Centric Risk Appetite, Security Risk Planning and Strategy in Cyberspace: The CSRM framework allows any individual entity and its decision makers within and across NGIOA to take into consideration its independent and interdependent security risk appetite in evaluating independent and interdependent strategic alternatives, setting security-risk-informed objectives and goals, and simultaneously developing mechanisms to manage independent and interdependent strategic security risks. (Depending on the nature of the security risk, its industry and relevance, appropriate security risk measures need to be incorporated in the planning process.)

• Identifying and Improving the Security Risk Response Decision Process in Cyberspace: CSRM provides an integrated NGIOA structure for an informed, independent as well as integrated security risk decision process to identify, evaluate and manage the various security risk response choices: from prevention of security risk to risk avoidance, reduction, transfer, sharing and acceptance. (Depending on the nature of the security risk, a relevant risk response strategy needs to be formulated.)

• Identifying and Reducing Security Surprises and Losses in Cyberspace: CSRM provides NGIOA with an enhanced capability, both individually and collectively, to identify potential catastrophic security events and establish timely responses to reduce their impact and associated costs or losses. (Depending on the nature of the security risk, a structured plan needs to be in place to have relevant risk intelligence to manage security surprises.)

• Identifying and Managing Overall Global, National, Local and Individual NGIOA Security Risks in Cyberspace: Each nation faces a myriad of independent and interdependent security risks affecting different parts of the NGIOA, and CSRM facilitates effective responses to their interrelated, interconnected and interdependent impacts. (Depending on the nature of the security risk, an overall plan needs to be in place to manage it.)

• Identifying and Seizing Strategic Opportunities: By considering a full range of potential security events at all levels (global, national, local, industry and organizational) and across the individual components of NGIOA, decision makers are better positioned to identify and proactively realize current and strategic opportunities in cyberspace, both individually and collectively. (Understanding cyberspace and its revolutionary transformation potential, understanding the current initiatives within an entity, and formulating potential strategic alternatives will guide entities within an NGIOA to seize strategic opportunities in CGS.)

• Identifying and Improving Resource Deployment: CSRM allows nations to obtain collective and independent, current and strategic security risk information that allows NGIOA decision makers to evaluate overall resource needs effectively and enhance capital allocation appropriately. These capabilities inherent in the CSRM framework will help NGIOA decision makers achieve their performance and profitability targets while preventing loss of vital current and strategic resources. (By understanding the nature of strategic opportunities and threats, entities within an NGIOA will need to identify resource needs and make relevant plans.)
CSRM will help ensure effective security risk reporting and compliance with current and potential laws and regulations, helping to avoid damage not only to the NGIOA's reputation, both independently and collectively, but also its associated consequences.

In summation, the Cyber-Security Risk Management framework (CSRM) will help an NGIOA achieve its independent and collective security goals and objectives in Cyberspace in a Digital Global Economy while avoiding downsides and surprises along the way. It is important that CSRM not be viewed as a static one-time process; rather, it must be embedded across NGIOA and dynamically adapted to the changing internal and external CGS environment.
CYBERSPACE EVENTS IN A DIGITAL GLOBAL ECONOMY: ASSOCIATED SECURITY RISKS AND OPPORTUNITIES

Any event in Cyberspace or the Digital Global Economy can have negative security impacts, positive strategic impacts, or both. Cyberspace events in a digital global economy with a negative security impact represent risks, which can prevent value creation in Cyberspace or erode existing value in Geospace, Cyberspace or Space. Cyberspace events in a digital global economy with a positive impact may offset negative security impacts or represent strategic Cyberspace opportunities. Cyberspace opportunities are the possibility that an event will occur in Cyberspace or Geospace that would positively affect the achievement of Cyberspace objectives, supporting value creation or preservation.

NGIOA decision makers can channel opportunities in Cyberspace back to their National Security Strategy, while formulating plans to seize the Digital Global Age opportunities in CGS.

The CSRM framework aims to identify all independent and interdependent potential security events that could affect the achievement of entity objectives in CGS. These events can be divided into two categories: Cyberspace events with a positive impact on independent and collective NGIOA objectives, and events with a negative security impact on independent and collective NGIOA objectives. The former represent opportunities, and the latter are security risks. These must be managed with a clear integrated risk management process composed of the following phases:

• Cyber-Security Risk Identification and Analysis
• Cyber-Security Risk Understanding and Profiling
• Cyber-Security Risk Response and Management
• Cyber-Security Risk Control and Integration
The CSRM process must be supported by a sound security foundation in terms of a broad understanding of security and its changing nature, the overall CGS environment, an integrated NGIOA risk philosophy, integrity and ethical values, an integrated risk governance approach, and Cyber-Security competence and responsibilities, together with a collective Cyberspace security objective-setting process that considers the Cyber-Security risk dimension, a dynamic and complete security information flow, and ongoing monitoring of all the CSRM framework components.
Each and every entity should implement CSRM framework because it will allow them to optimize
strategic opportunities in the Cyberspace by providing a systematic, integrated, accountable and holistic
evaluation and control of Cyber-Security risks.
The CSRM framework deals with security risks and strategic opportunities affecting value creation in Cyberspace and/or preservation of Cyberspace-Geospace-Space value and infrastructure.
CSRM can be defined as an integrated security risk management process realized by decision makers
of an entity within an NGIOA, who independently and collectively identify potential security risk
events that may affect any component of an NGIOA or overall NGIOA and manage risk both
individually and collectively to be within its security risk appetite boundaries, to provide reasonable
assurance and confidence regarding the achievement of its current and strategic security objectives in
Cyberspace-Geospace and Space (CGS).
The comprehensive CSRM definition reflects certain fundamental security concepts and is in essence:

• An independent but integrated NGIOA security process that is ongoing and flows through every entity and component of NGIOA within, between and across nations' geographical boundaries.
• Effected by decision makers at every level of an entity within and between a nation's government, industries, organizations and academia (NGIOA).
• Applied in independent and collective security strategy settings at all levels of an entity within and between an NGIOA.
• Applied within, between and across NGIOA, at every level and unit of an entity, and including an independent and collective view of security risk as a nation, industry, business and organization.
• Designed to identify potential Cyber-Security events that, if they occur, will affect an independent component of an NGIOA or all the components of an NGIOA, and to manage security risk within its independent and collective risk appetite boundaries.
• Able to provide reasonable security assurance to any entity within and between an NGIOA and to its decision makers and stakeholders.
• Geared towards achievement of the global, regional, national, local and independent security objectives of any and all components of an NGIOA in one or more separate but overlapping categories.
• Providing an integrated NGIOA structure and format to facilitate incorporation of the changing definition of security by re-defining the approach to security and integrating the security of CGS.
This CSRM definition is purposefully broad to meet its scalability and sustainability needs. It captures key changing global security concepts as to how nations (their governments, industries, organizations and academia, NGIOA) should manage their security risks in Cyberspace, while providing a basis for a Cyber-Security Risk Management Framework in a Digital Global Economy. It also focuses directly on the achievement of any entity's security objectives in Cyberspace, established independently and collectively by an individual component or a group of NGIOA.
CYBER-SECURITY RISK MANAGEMENT OBJECTIVES

Within the context of any entity or component of an NGIOA, the CSRM framework is geared to achieving the overall security objectives, set forth in the following categories:

• Strategic Security: High-level strategic security goals, aligned with and supporting its Cyberspace mission in a Digital Global Age
• Security Operations: Effective and efficient use of NGIOA resources in Cyberspace
• Security Reporting: Reliability of Cyberspace reporting
• Security Communications: Effective and timely Cyber-Security communication
• Security Compliance: Compliance with applicable global, national and local laws and regulations
• Security Approach: Integrated Geospace, Cyberspace and Space approach to Security
• Security Integration: Integration at all NGIOA levels across nations and also in Cyberspace, Geospace and Space (CGS)
• NGIOA Sustainability: NGIOA sustainability as a key criterion
• Security Scalability: A Cyber-Security Risk Management framework that is scalable at all levels of NGIOA across nations in CGS

The above categorization of CSRM objectives allows a focus on collective as well as individual aspects of any entity within and between NGIOA, and on aspects of overall NGIOA security in Cyberspace, Geospace and Space. Amidst these distinct but overlapping components of an NGIOA, across the barriers of virtual territories, a particular Cyberspace objective and its associated risks can fall into more than one component, necessitating a need to address its individual and collective integration points while directing the responsibility of different decision makers at all levels of an entity or an NGIOA. This clear categorization also allows clear distinctions of what can be expected from each component of an entity or an NGIOA in Cyberspace.
SAFEGUARDING OF SECURITY OBJECTIVES AND RESOURCES

Safeguarding NGIOA security resources is essential in CGS. Because security objectives in Cyberspace related to the reliability of the current nature of security reporting, and to compliance with current laws and regulations, are within an entity's control, CSRM is expected to provide reasonable assurance of achieving those security objectives. However, it needs to be understood that no effective controls are in place for the changing nature and definition of security across nations; there is a clear need to develop effective security controls for compliance. Achievement of strategic security and operational objectives in Cyberspace is, however, subject to external NGIOA events in CGS and not always within the control of an entity. Accordingly, for these security objectives, CSRM can provide reasonable assurance that decision makers in their oversight role are made aware, in a timely manner, of the extent to which an entity is moving toward achievement of its Cyberspace and Cyber-Security objectives.
COMPONENTS OF CYBER-SECURITY RISK MANAGEMENT FRAMEWORK

Just as any structure needs a strong foundation in Geospace, so do the structures in Cyberspace and Space. The internal as well as external NGIOA environment serves as the basis for all security foundations and key components of the proposed CSRM framework in Cyberspace, Geospace and Space. The internal NGIOA environment reflects the overall cyber-security risk attitude, awareness and actions that have an impact on an individual entity's activities within any component of an NGIOA or the whole NGIOA. It is also important for decision-makers to apply the same rules to the external NGIOA environment across nations' geographical boundaries, in order to understand the interconnected and interdependent NGIOA security risks in the CGS environment.
An ongoing Integrated NGIOA Security Risk Management process can be considered the heart of the CSRM framework. Cyber-Security risk identification and assessment are useless if no appropriate security risk responses are implemented and no regular security controls are in place. Cyber-security, strategic security, business and operational processes do not work properly without integrated NGIOA security information that flows in, out and across the entity and the NGIOA. The security monitoring component has the same importance as the other components of the CSRM framework, because it allows the determination of whether everything continues to work effectively in the CGS environment within, between and across NGIOA.

Each of the NGIOA components contributes equally to CSRM in CGS. A weak component can affect the entire CSRM process in CGS. The interconnectedness, interdependencies and interrelationships of the security-embedded CSRM framework strengthen the role of each single NGIOA component.
The security-centered integrated NGIOA risk management philosophy and the risk appetite contribute to security objective setting, which in turn allows the identification of security events that could affect them all. Events with positive impact are channeled back to the security objective-setting process, while events that could adversely affect strategic objective achievement are assessed, responses are carried out, and security control activities are performed. The CSRM process will only function effectively if integrated NGIOA security information flows through all the NGIOA components and ongoing security monitoring is performed.
Internal Security Environment
Cyber-Security Risk Management Philosophy: A clear security embedded integrated NGIOA risk
management philosophy is important as the first step in implementing successful CSRM. It
defines how an entity should consider security risk in everything it does. The security centric
philosophy should be reflected in oral and written communication from the decision makers to
the employees, in shared beliefs, but also in attitudes across an entity and/or overall NGIOA.
The philosophy on security-centric integrated risk management should be reinforced not only
with words but, more importantly, with effective collaborative NGIOA actions. The Cyber-
Security Risk appetite, the amount of risk the entity would be willing to accept in the
Cyberspace, must be defined in the first step.
• Security-Centric Governance and Management: Healthy security-centric governance and management is crucial for an effective CSRM framework in any entity within an NGIOA. Through their actions, the board of directors, the executive management, and senior and middle management at all levels can heavily influence the security success of an entity within any NGIOA.
• CSRM Roles and Responsibility: Clear authorities and security responsibilities should be defined and communicated within an entity of an NGIOA. Clear security competences help to avoid overlapping tasks and to optimize security processes within an entity. Everyone within an entity, in and across NGIOA and within nations’ geographical and virtual boundaries, is accountable and responsible in the global comprehensive structure and framework for CSRM.
• CSRM Competence: Employees within any entity should have the security knowledge and skills needed to perform their assigned Cyber-Security tasks. Human resource management plays an important role in recruiting the right cyber-security people and in identifying the security training needs of all employees.
• Integrity and Ethical Values: All employees should adhere to a standard of security behavior grounded in integrity and ethical values, in order to enable a strong security-focused culture.
Security Objective Settings
The following Security Objective Settings have been identified and embedded into basic CSRM elements:
• Cyber-Security Strategy Formulation: Before decision makers formulate the Cyber-Security strategy, they should conduct a situation analysis to identify not only the entity’s security strengths and weaknesses in the Geospace and Cyberspace but also the external strategic opportunities and threats in the Cyberspace. The decision makers should define a range of possible CGS strategies for which security risks and strategic opportunities are identified. The cyber-security strategy setting process must be carried out on an ongoing basis, requiring continuous reassessment and reformulation.
• Cyber-Security Strategy Implementation: The strategic security objectives should be
accompanied by security operations, reporting, and compliance related security objectives.
Those objectives should be measurable and understood by all employees within an entity. The
security objectives should be dynamically adjusted and should always support and be aligned
with the entity’s CGS strategy.
• Cyber-Security Strategy Effectiveness: The decision makers should regularly monitor the achievement of the Cyber-Security objectives as well as employee commitment to security in CGS. The entity should also compare results among peers within and across NGIOA in order to identify security improvement opportunities in CGS.
• A Cyber-Security Strengths, Weaknesses, Opportunities and Threats (CS-SWOT) analysis should
be performed in order to identify the Cyberspace security strategy choices. These should focus
on the maximization of the Cyberspace strengths and opportunities and on the minimization of
Cyber-Security weaknesses and threats. This process should be performed on an ongoing basis.
Cyber Security-SWOT Analysis
The Cyber-Security SWOT analysis is a matrix in which the internal security strengths and weaknesses are combined with the external Cyberspace opportunities and threats. The CS-SWOT combinations result in the following four types of security strategies:
• Security Strengths - Cyberspace Opportunities Strategy: This exploits the internal security strengths to take advantage of the external opportunities in the Cyberspace.
• Security Strengths - Cyber-Security Threats Strategy: This exploits the internal strengths to reduce the external threats of Cyberspace.
• Security Weaknesses - Cyberspace Opportunities Strategy: This improves weaknesses in the Cyber-Security to take advantage of external opportunities in the Cyberspace.
• Security Weaknesses - Cyber-Security Threats Strategy: This reduces Cyber-Security weaknesses in order to avoid external Cyberspace threats.
Cyber-Security Event Identification
The following Security Event Identification main topics have been identified and translated into basic CSRM elements:
• External Security Factors Driving Cyberspace Events: Each and every entity within an NGIOA should consider and analyze external security factors driving Cyberspace events that could affect the achievement of current and strategic Cyberspace objectives. The analysis should consider Cyberspace, Cyber technologies, Cyber-security processes, the Cyber-security framework, Cyberspace regulations, Cyberspace competency, geo-political status, and social and economic factors. The security factors identification process should be performed on an ongoing basis, and at every level of the entity within and across NGIOA.
• Internal Security Factors Driving Cyberspace Events: Any entity within any NGIOA should
consider and analyze internal security factors driving events in Cyberspace that could affect the
achievement of not only strategic cyberspace objectives but also current geospace and
cyberspace objectives. The security analysis should consider cyber infrastructure, cyber
personnel, cyber processes, cyber technology factors, cyber integration, cyber controls,
understanding of security and more. The cyber-security identification process should be
performed on an ongoing basis, and at every level of the entity within an NGIOA.
• Cyber-Security Events Affecting Governance, Business and Strategies: The decision-makers should focus on significant and possible Cyber-Security events that could adversely affect the achievement of Cyberspace objectives. Cyberspace opportunities (positive events) should be channeled back to the Cyberspace objective and strategy setting process, while security risks (negative events) should be assessed and actions taken immediately, independently and/or collectively.
Cyber-Security Risk Assessment
The following Cyber-Security Risk Assessment main topics have been identified and translated into basic CSRM elements:
• Cyber-Security Event Characteristics: In assessing Cyber-Security risk, decision makers should
consider both immediate impact and strategic impact, as well as expected and unexpected
losses.
• Cyber-Security Assessment Metrics: Each and every entity within an NGIOA should assess both
the possibility of a Cyber-Security breach occurrence and the impact of potential Cyber-security
events that could adversely affect the achievement of Cyberspace objectives in the near term
and the long term. The Cyber-Security risks should be ranked in order to focus first on highly
significant risks.
• Cyber-Security Assessment Mode: Decision makers should promote cyber-security practice assessment techniques and a continuous and iterative Cyber-Security risk management process aligned with the Cyberspace strategy setting process. A composite assessment of Cyber-Security risks across any entity within an NGIOA should be performed. The quality of the supporting cyber-security data and assumptions should be continuously reviewed.
Cyber-Security Risk Response
The following Cyber-Security Risk Response main topics have been identified and translated into basic CSRM elements:
• Cyber-Security Risk Mitigation Strategies: Decision makers should identify the appropriate response to the identified Cyber-Security risks considering their significance to Geospace and Space in terms of likelihood and impact. Risk responses can be handled according to the nature of the risk by accepting, reducing, sharing and/or avoiding Cyber-Security risk in order to align it with the Cyberspace risk appetite. Decision makers should develop alternative Cyberspace risk mitigation strategies for each of the entity’s Cyberspace and Cyber-Security risks. A cost versus benefit analysis, for both the short term and the long term, should be the basis for the Cyber-Security risk response strategy selection. The selected Cyber-Security strategy should be accompanied by a risk response implementation plan.
• Cyber-Security Residual Risk: Decision makers should assess the residual cyber-security risk
remaining after the responses are fully implemented. The Cyber-Security residual risk should be
aligned with Cyberspace risk appetite. The decision makers should have a broad portfolio view
of cyber-security residual risks by entity level, from an independent entity to business divisions
across entities within and across NGIOA.
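The assessment, response and residual-risk steps above (likelihood and impact scoring, ranking, cost-versus-benefit selection among accept/reduce/share/avoid, and a portfolio view of residual risk against appetite) can be made concrete in a small risk register. The following is an added illustration written for this page; it is not code from the RG CSRM 2015 document or from Risk Group. The 1-5 likelihood and impact scales, the effectiveness factor and annual cost attached to each response option, the appetite value and the sample risks are all constructed assumptions.

```python
"""Worked example of CSRM risk assessment, risk response and residual risk.

Added illustration, not code from the RG CSRM 2015 document or Risk Group.
The scales, response effectiveness factors, costs, appetite and sample
risks below are assumptions constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum


class Response(Enum):
    """The four response types named in the framework."""
    ACCEPT = "accept"
    REDUCE = "reduce"
    SHARE = "share"
    AVOID = "avoid"


@dataclass
class Risk:
    name: str
    likelihood: int            # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                # assumed scale: 1 (negligible) .. 5 (severe)
    response: Response = Response.ACCEPT
    effectiveness: float = 0.0  # assumed fraction of inherent risk removed
    annual_cost: float = 0.0    # assumed yearly cost of the response

    @property
    def inherent(self) -> int:
        """Assessment metric: likelihood x impact, used for ranking."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> float:
        """Risk remaining once the selected response is fully implemented."""
        return round(self.inherent * (1.0 - self.effectiveness), 2)


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Rank so the most significant inherent risks are addressed first."""
    return sorted(risks, key=lambda r: (-r.inherent, r.name))


def select_response(risk: Risk, options: list[tuple[Response, float, float]],
                    appetite: float) -> Risk:
    """Cost-versus-benefit selection among alternative responses.

    Accepting the risk (no cost, no reduction) is always a candidate. The
    cheapest option that brings residual risk within appetite wins; if none
    does, the most effective option is chosen and the risk stays above
    appetite for the portfolio view to flag.
    """
    candidates = [(Response.ACCEPT, 0.0, 0.0)] + list(options)
    within = [c for c in candidates if risk.inherent * (1.0 - c[1]) <= appetite]
    if within:
        chosen = min(within, key=lambda c: (c[2], -c[1]))
    else:
        chosen = max(candidates, key=lambda c: c[1])
    risk.response, risk.effectiveness, risk.annual_cost = chosen
    return risk


def portfolio_view(risks: list[Risk], appetite: float) -> dict:
    """Portfolio view of residual risk against appetite across the register."""
    ranked = rank_risks(risks)
    return {
        "ranked": [r.name for r in ranked],
        "total_inherent": sum(r.inherent for r in risks),
        "total_residual": round(sum(r.residual for r in risks), 2),
        "above_appetite": [r.name for r in ranked if r.residual > appetite],
        "annual_cost": sum(r.annual_cost for r in risks),
    }


APPETITE = 8.0  # assumed: the residual score an entity will carry per risk


def build_example_register() -> list[Risk]:
    """Constructed sample register, each risk with its alternative responses."""
    register = [
        (Risk("unpatched internet-facing server", 5, 4),
         [(Response.REDUCE, 0.7, 5000.0), (Response.AVOID, 1.0, 30000.0)]),
        (Risk("targeted intrusion into OT network", 3, 5),
         [(Response.REDUCE, 0.3, 10000.0)]),   # no option reaches appetite
        (Risk("phishing of finance staff", 4, 3),
         [(Response.REDUCE, 0.5, 3000.0), (Response.SHARE, 0.4, 8000.0)]),
        (Risk("loss of backup media", 2, 5),
         [(Response.SHARE, 0.5, 2000.0)]),
        (Risk("vendor outage", 3, 2), []),     # already within appetite
    ]
    return [select_response(r, opts, APPETITE) for r, opts in register]


if __name__ == "__main__":
    risks = build_example_register()
    for r in rank_risks(risks):
        print(f"{r.name:38} inherent={r.inherent:2}  {r.response.value:7} residual={r.residual}")
    print(portfolio_view(risks, APPETITE))
```

The register keeps the alternative responses per risk, as the text requires, and the portfolio view is what a decision maker would review: ranking by inherent score, total residual risk, the response budget, and the list of risks that remain above appetite even after the most effective available response, which is exactly the set that needs escalation or a new mitigation alternative.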
Cyber-Security Control Activities
The following Cyber-Security Control Activities main topics have been identified and translated into
basic CSRM elements:
• Cyber-Security Controls Basis: Each and every entity within an NGIOA should have in place Cyber-Security policies and procedures and ensure that these are well understood and implemented. The CSRM processes should be documented and assure a clear segregation of duties.
• Cyber-Security Controls over Objectives: Each and every entity should establish and execute
Cyber-Security control activities over basic strategic, operations, reporting and compliance
objectives.
• Cyber-Security Controls over Processes: Each and every entity should establish and execute
Cyber-Security control activities over processes. It has to ensure that risk responses are
appropriately carried out in a timely manner, risk limits are observed, prices and models are
appropriate, risk management resources are adequate, and new products can be managed. The
control activities should be regularly reviewed.
• Cyber-Security Controls over Information Processing: Each and every entity should establish and
execute Cyber-Security control activities over information systems regarding data validity,
exceptions management, IT security and availability. The entity should control performance
indicators on operational or financial data, such as staff turnover rates, transaction volume and
cost trend.
• Cyber-Security Controls over Industries and Businesses: Each and every entity should establish
and execute Cyber-Security control activities over Industries and Businesses regarding emerging
industries and businesses that may bring security challenges to businesses and industries.
• Cyber-Security Controls over Systems and Infrastructure: Each and every vital system and
infrastructure at all levels of NGIOA should establish Cyber-Security Control activities to ensure
its safety and security from the activities initiated within Cyberspace.
• Cyber-Security Controls over Innovations and Technology: Each and every entity should
establish and execute Cyber-security control activities over emerging innovations and
technology from within and across NGIOA that could bring security challenges.
• Cyber-Security Controls over Governments and Governance Model: Each and every entity within
and across NGIOA should establish Cyber-Security control activities over governance models
from within and across nations’ borders that could bring security challenges.
• Cyber-Security Controls over Products and Services: Each and every entity within a NGIOA
should establish Cyber-Security Control activities over product and services that could bring
security challenges.
• Cyber-Security Controls over Intellectual Property and Trade Secrets: Each and every entity within a NGIOA should establish Cyber-Security Control activities over Intellectual Property and Trade Secrets that could bring security challenges.
• Cyber-Security Controls over People and Processes: Each and every entity within a NGIOA
should establish Cyber-Security Control activities over key people and processes that could bring
security challenges.
• Cyber-Security Controls over Survival and Sustainability: Each and every entity within a NGIOA
should establish Cyber-Security Control activities over its survival and sustainability security
• Cyber-Security Controls over Education and Academia: Each and every entity within a NGIOA
should establish Cyber-Security Control activities over education and academia that could bring
security challenges.
• Cyber-Security Controls over Philanthropy and Poverty: Each and every entity within a NGIOA
should establish Cyber-Security Control activities over philanthropy and poverty that could bring
security challenges.
• Cyber-Security Control over Regulation and Compliance: Each and every entity within a NGIOA
should establish Cyber-Security Control activities over regulation and compliance that could
bring security challenges.
• Cyber-Security Control over Robotics and Artificial Intelligence: Each and every entity within a
NGIOA should establish Cyber-Security Control activities over robotics and artificial intelligence
that could bring security challenges.
• Cyber-Security Control over Information and Communication: Each and every entity within a
NGIOA should establish Cyber-Security Control activities over Information and Communication
that could bring security challenges.
Information and Communication
The following Security Information and Communication main topics have been identified and translated into basic CSRM elements:
• Security Information over Current and Strategic Objectives: Each and every entity should verify and assure on an ongoing basis that relevant cyber-security information over strategic security, operations security, reporting and compliance security objectives is delivered in a timely manner and in a form that enables the entity to carry out the CSRM activities effectively.
• Security Information Quality: Each and every entity should assure the quality of the provided
security information, in terms of depth, timeliness, availability, accuracy and accessibility.
• Security Information Management: Each and every entity should establish integrated security
data management programs enabling security information systems to provide both internal as
well as external security information. Decision makers should promote integrated security
systems in order to facilitate access to security information.
• Security Communication: Each relevant decision maker and stakeholder must be apprised of
sensitive information on cyber-security risks the entity is facing in the achievement of its
cyberspace objectives. An on-going dialogue and collaboration, communication and
coordination between decision makers and stakeholders should be assured. Each and every
entity should communicate with relevant stakeholders providing appropriate levels of security
information to conform to their needs and to regulatory requirements. The entity should
establish a security policy that defines the relevant information and coordinates the disclosure
process. To increase transparency, the entity should establish a disclosure policy defining and
coordinating the disclosed security information.
Security Monitoring
The following Security Monitoring main topics have been identified and translated into basic CSRM elements:
• Security Monitoring Activities: Each and every entity should perform ongoing security
monitoring activities and regular separate evaluations in order to identify security weaknesses in
CSRM.
• Security Monitoring Corrective Actions: The entity should report security deficiencies to those positioned to take the necessary actions. These should be monitored until the corrective actions are complete and effective. Each identified security element can be assessed along the security maturity-level scale, with an evaluation criterion set for each of the security maturity scale levels.
• Ongoing security monitoring activities differ from control activities because the latter are
performed as required steps in processes. The entity should perform periodical separate
security evaluations over businesses and processes, establishing an internal security control
system. Changes in security processes, strategies, structure and systems should be monitored.
The security evaluation process should be based on clear methodologies and be documented.
Security Assessment Tool
By means of the Cyber-Security Risk Management maturity-level assessment tool, it is possible to evaluate the elements of the CSRM framework’s components: internal security environment, security objective setting in CGS, security event identification, security risk assessment, security risk response, security control activities, security information and communication, and monitoring.
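The monitoring section above says each security element is assessed along a maturity-level scale with an evaluation criterion per level, and that deficiencies are reported and tracked until closed. The following added example sketches such an assessment over the eight CSRM components just listed. It is not the Risk Group tool and not code from the document: the five-level cumulative scale, the criterion attached to each level, the target level and the evidence recorded per component are assumptions constructed for the illustration.

```python
"""Worked example of a maturity-level assessment over the CSRM components.

Added illustration, not the Risk Group assessment tool or any code from the
RG CSRM 2015 document. The scale, criteria, target and sample evidence
below are assumptions constructed for the example.
"""

# Assumed cumulative scale: a component reaches level n only when the
# criteria of every level up to and including n are met.
MATURITY_CRITERIA = [
    (1, "defined"),       # responsibility for the element is assigned
    (2, "documented"),    # policy and procedure exist in writing
    (3, "communicated"),  # known to the people who must apply it
    (4, "measured"),      # performance indicators are collected
    (5, "improved"),      # results feed back into periodic revision
]

# The eight components named in the Security Assessment Tool section.
CSRM_COMPONENTS = [
    "internal security environment",
    "security objective setting",
    "security event identification",
    "security risk assessment",
    "security risk response",
    "security control activities",
    "security information and communication",
    "security monitoring",
]


def maturity_level(evidence: set[str]) -> int:
    """Highest level whose criterion, and every lower criterion, is met."""
    level = 0
    for n, criterion in MATURITY_CRITERIA:
        if criterion not in evidence:
            break
        level = n
    return level


def assess(evidence_by_component: dict[str, set[str]]) -> dict[str, int]:
    """Score every CSRM component; a component with no evidence scores 0."""
    return {c: maturity_level(evidence_by_component.get(c, set()))
            for c in CSRM_COMPONENTS}


def deficiency_report(levels: dict[str, int], target: int) -> list[tuple[str, int, int]]:
    """Components below target, largest gap first, for corrective-action
    owners to track until the gap is closed."""
    gaps = [(c, lvl, target - lvl) for c, lvl in levels.items() if lvl < target]
    return sorted(gaps, key=lambda g: (-g[2], g[0]))


def average_level(levels: dict[str, int]) -> float:
    """Composite view of the entity across all components."""
    return round(sum(levels.values()) / len(levels), 2)


# Constructed evidence for one hypothetical entity.
EXAMPLE_EVIDENCE = {
    "internal security environment": {"defined", "documented", "communicated", "measured"},
    "security objective setting": {"defined", "documented"},
    "security event identification": {"defined", "documented", "communicated",
                                      "measured", "improved"},
    "security risk assessment": {"defined", "documented", "communicated"},
    # measured but never documented: the cumulative scale caps this at level 1
    "security risk response": {"defined", "communicated", "measured"},
    "security control activities": {"defined", "documented", "communicated", "measured"},
    "security information and communication": {"defined"},
    # "security monitoring" has no evidence at all and therefore scores 0
}

TARGET_LEVEL = 3  # assumed target for this assessment cycle


if __name__ == "__main__":
    levels = assess(EXAMPLE_EVIDENCE)
    for component, lvl in levels.items():
        print(f"level {lvl}  {component}")
    print("average level:", average_level(levels))
    for component, lvl, gap in deficiency_report(levels, TARGET_LEVEL):
        print(f"deficiency: {component} at level {lvl}, gap {gap}")
```

The cumulative rule is the point worth noticing: a component that collects metrics but has no written procedure is scored at the level of its missing foundation, not at the level of its most advanced practice, so the deficiency report sends corrective action to the weakest link, which is what the framework's "a weak component can affect the entire CSRM process" argument calls for.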
Cyber-security risks exist because no effective security risk management framework exists, and since
Cyberspace cannot be predicted with certainty, future Cyberspace security events and situations imply
security risks. Even when all security information and resources are available, errors in human
judgment can be made in security decision making, because there is always a possibility that even the
most improbable security risk event can occur.
CSRM cannot be seen as a static one-time process; rather it must be embedded in each and every entity
within a NGIOA and across NGIOAs and dynamically adapted to the changing internal and external CGS
security environment.
CSRM consists of the following interconnected, interrelated and interdependent key components:
• Overall Global NGIOA Commitment: Global NGIOA commitment is fundamental to manage security risks in Geospace, Cyberspace or Space.
• United National Strategy and Environment: The overall national environment and tone sets the foundation of NGIOA cooperation and collaboration to establish a collective view on national security strategy in CGS.
• Internal NGIOA Environment: The internal NGIOA environment encompasses the tone of an entity and sets the basis for how independent and interdependent security risks are viewed and addressed, and the environment in which they operate.
• Cyberspace Security Goal Setting: Cyberspace security objectives must be defined and agreed upon before decision makers can identify potential security risk events affecting their desired goals. CSRM ensures that relevant decision makers have in place a process to set Cyberspace security objectives and that the selected objectives support and align with their independent and collective mission and are consistent with their security risk appetite.
• Cyberspace Security Risk Identification: Internal and external, independent and interdependent security risk events affecting achievement of an entity’s Cyberspace objectives must be identified and evaluated for their security risks and opportunities in CGS.
• Cyberspace Security Risk Assessment: Cyberspace security risks are analyzed, considering their likelihood and impact, as a basis for determining how they should be managed independently and collectively by NGIOA in CGS.
• Cyberspace Security Risk Response: Decision makers select security risk responses – avoiding, accepting, reducing, or sharing risk – in order to develop a set of actions to align security risks with the entity’s security risk tolerances and risk appetite.
• Cyberspace Security Control Activities: Security policies and procedures are established and implemented to help ensure the Cyberspace security risk responses are effectively carried out within any entity within and across NGIOA.
• Cyberspace Security Risk Information and Communication: Relevant Cyberspace security information is identified, captured, and communicated in a form and timeframe that enables decision-makers to carry out their security responsibilities. Effective security communication also occurs in a broader sense, flowing between, within and across NGIOA.
• Cyberspace Security Risk Monitoring: The entirety of CSRM is monitored and modifications made as necessary through ongoing CSRM activities, evaluations, or both. CSRM is a multidirectional and multidimensional security process in which almost any unit component can and does influence an entity within and across NGIOA.
CSRM EFFECTIVENESS
The implementation of a CSRM framework supports and improves security risk awareness and security risk identification and management at every level of an NGIOA, from strategic to operational, and from NGIOA decision makers to employees in Cyberspace, Geospace and Space.
Determining whether CSRM is effective comes down to whether the CSRM components are present and functioning effectively within an entity in the CGS environment. Thus, the security components are also the criteria for effective CSRM. For the CSRM components to be present and functioning properly there can be no structural and functional NGIOA weaknesses, and independent and interdependent security risks need to have been identified, understood and managed either within the entity’s security risk appetite boundaries or the nation’s. Most importantly, the changing nature and definition of security needs to be clearly understood and acknowledged. When CSRM is designed to be effective in the CGS environment and for individual and broader NGIOA security objectives, the decision makers have reasonable assurance that they understand the extent to which the entity’s strategic security, operational security, digital security, innovation security, products and processes security and other security objectives are being achieved; that the entity’s security reporting is beneficial, reliable and timely; and that applicable security laws and regulations are being complied with at all levels: global, national and local.
It needs to be understood that the security components will not function identically across every entity within and across every NGIOA, as each nation is at a different maturity level when it comes to its governance, management, industries, innovations, products and processes. However, irrespective of the size of an entity, CSRM will be largely effective as long as each of its security components is defined accurately, understood, structured and functioning properly.
CSRM LIMITATIONS
While CSRM provides a fundamental change in how to define security, its nature, structure, approach and integration with NGIOA in the CGS environment, in order to effectively identify, evaluate and manage Cyber-Security risks in a digital global age, limitations do exist. In addition to the factors discussed above, limitations result from the reality that each nation, its government, industries, organizations and academia, is at a different level of security understanding and maturity. Each NGIOA has different security understanding, capability and compatibility that can hamper the decision-makers’ ability in individual and collective decision making. These limitations preclude NGIOA decision makers and stakeholders from having absolute assurance as to the achievement of their Cyber-Security and Cyberspace objectives.
CSRM ASSUMPTIONS
The Internal Control Framework is the basis for existing rules, regulations and laws, and it is in its entirety incorporated by reference and remains in place within the boundaries of the CSRM framework. Both the Internal Control Framework and the Enterprise Risk Management Framework are, in their philosophical essence, incorporated within the boundaries of CSRM.
This CSRM Summary is a high-level security risk overview directed to NGIOA decision makers. Details
about specific techniques and processes with clear security roles and responsibilities will be discussed
individually with interested entities and organizations in person.
While this framework, RG CSRM 2015, provides and promotes an independent and collective, integrated view of security risks in CGS, including its strengths, weaknesses and limitations, it is still a work in progress. It is open to constructive dialogue and analysis, to see where future enhancements can be made. With the presumption that this CSRM proposal becomes accepted as a common ground for managing Cyber-Security risks in a digital global age, its key security risk concepts and terms should find their way into academic curricula and industry and government vocabulary across nations. With this security risk foundation in CGS proposed for mutual Cyberspace understanding and advancement, each NGIOA will be able to speak a common security risk language and communicate its independent and interdependent security risks more effectively and in a timely manner.
I look forward to your constructive comments.
Jayshree Pandya
Founder: Cyber-Security Risk Research Center at Risk Group
http://www.riskgroupllc.com
+ (832) 9718322