Dyman Associates Risk Management: what is Risk Management

The Importance of Risk Management to Business Success

Risk management is an important part of planning for businesses. The process of risk management is designed to reduce or eliminate the risk of certain kinds of events happening or having an impact on the business.

Definition of Risk Management

Risk management is a process for identifying, assessing, and prioritizing risks of different kinds. Once the risks are identified, the risk manager will create a plan to minimize or eliminate the impact of negative events. A variety of strategies is available, depending on the type of risk and the type of business. There are a number of risk management standards, including those developed by the Project Management Institute, the International Organization for Standardization (ISO), the National Institute of Standards and Technology, and actuarial societies.

Types of Risk

There are many different types of risk that risk management plans can mitigate. Common risks include things like accidents in the workplace or fires, tornadoes, earthquakes, and other natural disasters. It can also include legal risks like fraud, theft, and sexual harassment lawsuits. Risks can also relate to business practices, uncertainty in financial markets, failures in projects, credit risks, or the security and storage of data and records.

Goals of Risk Management

The idea behind using risk management practices is to protect businesses from being vulnerable. Many business risk management plans may focus on keeping the company viable and reducing financial risks. However, risk management is also designed to protect the employees, customers, and general public from negative events like fires or acts of terrorism that may affect them. Risk management practices are also about preserving the physical facilities, data, records, and physical assets a company owns or uses.

Process for Identifying and Managing Risk

While a variety of different strategies can mitigate or eliminate risk, the process for identifying and managing the risk is fairly standard and consists of five basic steps. First, threats or risks are identified. Second, the vulnerability of key assets like information to the identified threats is assessed. Next, the risk manager must determine the expected consequences of specific threats to assets. The last two steps in the process are to figure out ways to reduce risks and then prioritize the risk management procedures based on their importance.

Strategies for Managing Risk

There are as many different types of strategies for managing risk as there are types of risks. These break down into four main categories. Risk can be managed by accepting the consequences of a risk and budgeting for it. Another strategy is to transfer the risk to another party by insuring against a particular risk, like fire or a slip-and-fall accident. Closing down a particular high-risk area of a business can avoid risk. Finally, the manager can reduce the risk’s negative effects, for instance, by installing sprinklers for fires or instituting a back-up plan for data.

Having a risk management plan is an important part of maintaining a successful and responsible company. Every company should have one. It will help to protect people as well as physical and financial assets.


Dyman Associates Risk Management Approach and Plan

Dyman Associates Risk Management – As a management process, risk management is used to identify and avoid the potential cost, schedule, and performance/technical risks to a system, take a proactive and structured approach to manage negative outcomes, respond to them if they occur, and identify potential opportunities that may be hidden in the situation [4]. The risk management approach and plan operationalize these management goals.

Because no two projects are exactly alike, the risk management approach and plan should be tailored to the scope and complexity of individual projects. Other considerations include the roles, responsibilities, and size of the project team, the risk management processes required or recommended by the government organization, and the risk management tools available to the project.

Risk occurs across the spectrum of government and its various enterprises, systems-of-systems, and individual systems. At the system level, the risk focus typically centers on development. Risk exists in operations, requirements, design, development, integration, testing, training, fielding, etc. (see the SE Life-Cycle Building Blocks section of this Guide). For systems-of-systems, the dependency risks rise to the top. Working consistently across the system-of-systems, synchronizing capability development and fielding, considering whether to interface, interoperate, or integrate, and the risks associated with these paths all come to the forefront in the system-of-systems environment. At the enterprise level, governance and complexity risks become more prominent. Governance risk arises when different guidance is issued across the enterprise for the benefit of the enterprise; it trickles down into the systems-of-systems and individual systems, resulting in potentially unanticipated demands and perhaps solutions that are suboptimal at the low level but beneficial at the enterprise level. The number of unknowns to be dealt with, and the risks associated with them, increase at this level; techniques in the Guide’s section on Enterprise Engineering, such as loose couplings, federated architectures, and portfolio management, can help the MITRE SE alleviate these risks.

Risk Management in System-Level Programs

System-level risk management is predominantly the responsibility of the team working to provide capabilities for a particular development effort. Within a system-level risk area, the primary responsibility falls to the system program manager and SE for working risk management, and to the developers and integrators for helping identify and create approaches to reduce risk. In addition, a key responsibility lies with the user community’s decision maker on when to accept residual risk after it and its consequences have been identified. The articles in the Risk Management topic area provide guidance for identifying risk (Risk Identification), mitigating risks at the system level with options like control, transfer, and watch (Risk Mitigation Planning, Implementation, and Progress Monitoring), and a program risk assessment scale and matrix (Risk Impact Assessment and Prioritization). These guidelines, together with MITRE SEs using tools such as those identified in the Risk Management Tools article, will help the program team deal with risk management and provide realism to the development and implementation of capabilities for the users.

Risk Management in System-of-Systems Programs

Today, the body of literature on engineering risk management is largely aimed at addressing traditional engineering system projects—those systems designed and engineered against a set of well-defined user requirements, specifications, and technical standards. In contrast, little exists on how risk management principles apply to a system whose functionality and performance is governed by the interaction of a set of highly interconnected, yet independent, cooperating systems. Such systems may be referred to as systems-of-systems.

A system-of-systems can be thought of as a set or arrangement of systems that are related or interconnected to provide a given capability that, otherwise, would not be possible. The loss of any part of the supporting systems degrades or, in some cases, eliminates the performance or capabilities of the whole.

What makes risk management in the engineering of systems-of-systems more challenging than managing risk in a traditional system engineering project? The basic risk management process steps are the same. The challenge comes from implementing and managing the process steps across a large-scale, complex, system-of-systems—one whose subordinate systems, managers, and stakeholders may be geographically dispersed, organizationally distributed, and may not have fully intersecting user needs.

How does the delivery of capability over time affect how risks are managed in a system-of-systems? The difficulty is in aligning or mapping identified risks to capabilities planned to be delivered within a specified build by a specified time. Here, it is critically important that risk impact assessments are made as a function of which capabilities are affected, when these effects occur, and their impacts on users and stakeholders.

Lack of clearly defined system boundaries, management lines of responsibility, and accountability further challenge the management of risk in the engineering of systems-of-systems. User and stakeholder acceptance of risk management, and their participation in the process, is essential for success.

Given the above, a program needs to establish an environment where the reporting of risks and their potential consequences is encouraged and rewarded. Without this, there will be an incomplete picture of risk. Risks that threaten the successful engineering of a system-of-systems may become evident only when it is too late to effectively manage or mitigate them.

Frequently a system-of-systems is planned and engineered to deliver capabilities through a series of evolutionary builds. Risks can originate from different sources and threaten the system-of-systems at different times during their evolution. These risks and their sources should be mapped to the capabilities they potentially affect, according to their planned delivery date. Assessments should be made of each risk’s potential impacts to planned capabilities, and whether they have collateral effects on dependent capabilities or technologies.

In most cases, the overall system-of-systems risk is not just a linear “roll-up” of its subordinate system-level risks. Rather, it is a combination of specific lower level individual system risks that, when put together, have the potential to adversely impact the system-of-systems in ways that do not equate to a simple roll-up of the system-level risks. The result is that some risks will be important to the individual systems and be managed at that level, while others will warrant the attention of system-of-systems engineering and management.

Risk Management in Enterprise Engineering Programs

Risk management of enterprise systems poses an even greater challenge than risk management in systems-of-systems programs.

Enterprise environments (e.g., the Internet) offer users ubiquitous, cross-boundary access to wide varieties of services, applications, and information repositories. Enterprise systems engineering is an emerging discipline. It encompasses and extends “traditional” systems engineering to create and evolve “webs” of systems and systems-of-systems that operate in a network-centric way to deliver capabilities via services, data, and applications through an interconnected network of information and communications technologies. This is an environment in which systems engineering is at its “water’s edge.”

In an enterprise, risk management is viewed as the integration of people, processes, and tools that together ensure the early and continuous identification and resolution of enterprise risks. The goal is to provide decision makers an enterprise-wide understanding of risks, their potential consequences, interdependencies, and rippling effects within and beyond enterprise “boundaries.” Ultimately risk management aims to establish and maintain a holistic view of risks across the enterprise, so capabilities and performance objectives are achieved via risk-informed resource and investment decisions.

Today we are in the early stage of understanding how systems engineering, engineering management, and social science methods weave together to create systems that “live” and “evolve” in enterprise environments.

Requirements for Getting Risk Management Started

  • Senior leadership commitment and participation is required.
  • Stakeholder commitment and participation is required.
  • Risk management is made a program-wide priority and “enforced” as such throughout the program’s life-cycle.
  • Technical and program management disciplines are represented and engaged. Both program management and engineering specialties need to communicate risk information and progress toward mitigation. Program management needs to identify contracting and funding concerns; SEs need to engage across the team and identify risks, costs, and potential ramifications if the risk were to occur, as well as mitigation plans (actions to reduce the risk, and the cost/resources needed to execute them successfully).
  • Risk management is integrated into the program’s business processes and systems engineering plans. Examples include risk status included in management meetings and/or program reviews, risk mitigation plan actions tracked in schedules, and cost estimates reflective of risk exposure.

The Risk Management Plan

The Risk Management Plan describes a process, such as the fundamental steps shown in Figure 1, that is intended to enable the engineering of a system that is accomplished within cost, delivered on time, and meets user needs.

Figure 1. Fundamental Steps of Risk Management

Best Practices and Lessons Learned

In supporting both Department of Defense (DoD) and civilian agency projects and programs, MITRE SEs have found the following minimum conditions needed to initiate and continuously execute risk management successfully. With these, the program increases its chance of identifying risks early so the goals and objectives are achieved [5].

Twenty-One “Musts”

  1. Risk management must be a priority for leadership and throughout the program’s management levels. Maintain leadership priority and open communication. Teams will not identify risks if they do not perceive an open environment to share risk information (messenger not shot) or management priority on wanting to know risk information (requested at program reviews and meetings), or if they do not feel the information will be used to support management decisions (lip service, information not informative, team members will not waste their time if the information is not used).
  2. Risk management must never be delegated to staff that lack authority.
  3. A formal and repeatable risk management process must be present—one that is balanced in complexity and data needs, such that meaningful and actionable insights are produced with minimum burden.
  4. The management culture must encourage and reward identifying risk by staff at all levels of program contribution.
  5. Program leadership must have the ability to regularly and quickly engage subject matter experts.
  6. Risk management must be formally integrated into program management.
  7. Participants must be trained in the program’s specific risk management practices and procedures.
  8. A risk management plan must be written with its practices and procedures consistent with process training.
  9. Risk management execution must be shared among all stakeholders.
  10. Risks must be identified, assessed, and reviewed continuously—not just prior to major reviews.
  11. Risk considerations must be a central focus of program reviews.
  12. Risk management working groups and review boards must be rescheduled when conflicts arise with other program needs.
  13. Risk mitigation plans must be developed, success criteria defined, and their implementation monitored relative to achieving success criteria outcomes.
  14. Risks must be assigned only to staff with authority to implement mitigation actions and obligate resources.
  15. Risk management must never be outsourced.
  16. Risks that extend beyond traditional impact dimensions of cost, schedule, and technical performance must be considered (e.g., programmatic, enterprise, cross-program/cross-portfolio, and social, political, economic impacts).
  17. Technology maturity and its future readiness must be understood.
  18. The adaptability of a program’s technology to change in operational environments must be understood.
  19. Risks must be written clearly using the Condition-If-Then protocol.
  20. The nature and needs of the program must drive the design of the risk management process within which a risk management tool/database conforms.
  21. Risk management tool/database must be maintained with current risk status information; preferably, employ a tool/database that rapidly produces “dashboard-like” status reports for management.

It is important for MITRE SEs as well as project and program leaders to keep these minimum conditions in mind with each taking action appropriate for their roles. In particular, the SE should provide effective support as follows:

  • Get top-level buy-in. MITRE SEs can help gain senior leadership support for risk management by highlighting some of the engineering as well as programmatic risks. MITRE SEs should prepare assessments of the impact that risks could manifest and back them by facts and data (e.g., increased schedule due to more development, increased costs, increased user training for unique, technology edge capabilities, and potential of risk that capabilities will not be used because they do not interoperate with legacy systems). MITRE SEs can highlight the various risk areas, present the pros and cons of alternative courses of mitigation actions (and their impacts), and help the decision makers determine the actual discriminators and residual impact to taking one action or another. In addition to data-driven technical assessments, success in getting top-level buy-in requires consideration of political, organizational/operational, and economic factors as seen through the eyes of the senior leadership. Refer to [6] for foundational information on the art of persuasion.
  • Get stakeholder trust. Gain the trust of stakeholders by clearly basing risk reduction or acceptance recommendations on getting mission capabilities to users.
  • Leverage your peers. Someone at MITRE generally knows a lot about every risk management topic imaginable. This includes the technical, operational, and programmatic dimensions of risks and mitigations. Bringing the company to bear is more than a slogan; it is a technique to use as risks are determined, particularly in system-of-systems and enterprise settings. In all likelihood, MITRE is working other parts of these large problems.
  • Think horizontal. Emphasize cross-program or cross-organization participation in risk identification, assessment, and management. Cross-team coordination and communication can be particularly useful in risk management. All ‘ilities’ (e.g., information assurance, security, logistics, software) should be represented in the risk reviews. Communication of risk information helps illuminate risks that have impact across organizations and amplifies the benefits of mitigations that are shared.
  • Stay savvy in risk management processes and tools. Become the knowledgeable advisor in available risk management processes and tools. Many government organizations have program management offices that have defined risk management processes, templates, and tools. These should be used as a starting point to develop the specific approach and plan for an individual project or program. Make sure the government sponsors or customers have the current information about the risk management approach and plan required by their organizations, and assist them in complying with it. Assist the sponsors or customers in determining the minimum set of activities for their particular program that will produce an effective risk management approach and plan.

Dyman Associates Risk Management on How to Develop a Risk Management Plan

Developing an effective Risk Management Plan can help keep small issues from developing into emergencies. Different types of Risk Management Plans can deal with calculating the probability of an event, and how that event might impact you, what the risks are with certain ventures and how to mitigate the problems associated with those risks. Having a plan may help you deal with adverse situations when they arise and, hopefully, head them off before they arise.

Steps

1. Understand how Risk Management works. Risk is the effect (positive or negative) of an event or series of events that take place in one or several locations. It is computed from the probability of the event becoming an issue and the impact it would have (See Risk = Probability X Impact). Various factors should be identified in order to analyze risk, including:

Event: What could happen?

Probability: How likely is it to happen?

Impact: How bad will it be if it happens?

Mitigation: How can you reduce the Probability (and by how much)?

Contingency: How can you reduce the Impact (and by how much)?

Reduction = Mitigation X Contingency

Exposure = Risk – Reduction

2. Define your project. In this article, let’s pretend you are responsible for a computer system that provides important (but not life-critical) information to some large population. The main computer on which this system resides is old and needs to be replaced. Your task is to develop a Risk Management Plan for the migration.

3. Get input from others. Brainstorm on risks. Get several people together that are familiar with the project and ask for input on what could happen, how to help prevent it, and what to do if it does happen. Take a lot of notes! You will use the output of this very important session several times during the following steps. Try to keep an open mind about ideas.

4. Identify the consequences of each risk. From your brainstorming session, you gathered information about what would happen if risks materialized. Associate each risk with the consequences arrived at during that session. Be as specific as possible with each one. “Project Delay” is not as desirable as “Project will be delayed by 13 days.”

5. Eliminate irrelevant issues. If you’re moving, for example, a car dealership’s computer system, then threats such as nuclear war, a plague pandemic or killer asteroids would certainly disrupt the project, but there’s nothing you can do to plan for them or to lessen their impact.

6. List all identified risk elements. You don’t need to put them in any order just yet. Just list them one-by-one.

7. Assign probability. For each risk element on your list, determine if the likelihood of it actually materializing is High, Medium or Low. If you absolutely have to use numbers, then figure Probability on a scale from 0.00 to 1.00. 0.01 to 0.33 = Low, 0.34 to 0.66 = Medium, 0.67 to 1.00 = High.

8. Assign impact. In general, assign Impact as High, Medium or Low based on some pre-established guidelines. If you absolutely have to use numbers, then figure Impact on a scale from 0.00 to 1.00 as follows: 0.01 to 0.33 = Low, 0.34 to 0.66 = Medium, 0.67 to 1.00 = High.

9. Determine risk for the element. Often, a table is used for this. If you have used the Low, Medium and High values for Probability and Impact, the top table is most useful. If you have used numeric values, you will need to consider a somewhat more complex rating system similar to the second table here. It is important to note that there is no universal formula for combining Probability and Impact; that will vary between people and projects.

10. Rank the risks. List all the elements you have identified from the highest risk to the lowest risk.

11. Compute the total risk: Here is where numbers will help you. In Table 6, you have 7 risks assigned as H, H, M, M, M, L, and L. This can translate to 0.8, 0.8, 0.5, 0.5, 0.5, 0.2 and 0.2, from Table 5. The average of the total risk is then 0.5 and this translates to Medium.

12. Develop mitigation strategies. Mitigation is designed to reduce the probability that a risk will materialize. Normally you will only do this for High and Medium elements. You might want to mitigate low risk items, but certainly address the other ones first. For example, if one of your risk elements is that there could be a delay in delivery of critical parts, you might mitigate the risk by ordering early in the project.

13. Develop contingency plans. Contingency is designed to reduce the impact if a risk does materialize. Again, you will usually only develop contingencies for High and Medium elements.

14. Analyze the effectiveness of strategies. How much have you reduced the Probability and Impact?

15. Compute your effective risk. Now your 7 risks are M, M, M, L, L, L and L, which translate to 0.5, 0.5, 0.5, 0.2, 0.2, 0.2 and 0.2. This gives an average risk of 0.329.

16. Monitor your risks. Now that you know what your risks are, you need to determine how you’ll know if they materialize so you’ll know when and if you should put your contingencies in place. This is done by identifying Risk Cues. Do this for each one of your High and Medium risk elements.
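Steps 7 through 15 above describe a small scoring procedure: band Probability and Impact as High/Medium/Low, combine them into a risk rating, rank the register, average the numeric values, then re-score after mitigation and contingency. The following Python is an added example, not code from the article; the H = 0.8, M = 0.5, L = 0.2 values come from step 11 and the band edges from steps 7 and 8, while the `RISK_MATRIX` lookup and the `REGISTER` entries are constructed assumptions (the article’s own tables are not reproduced on this page). It reproduces the article’s worked numbers: 0.5 before mitigation and 0.329 after.

```python
"""Risk register scoring for the Probability x Impact procedure.

Added example, not from the original article. Rating values (H = 0.8,
M = 0.5, L = 0.2) come from step 11; band edges from steps 7 and 8.
RISK_MATRIX and REGISTER are constructed assumptions.
"""
from statistics import mean

# Representative numeric value of each rating (step 11).
RATING_VALUE = {"H": 0.8, "M": 0.5, "L": 0.2}

# Constructed Probability x Impact lookup for step 9. The article stresses
# that there is no universal formula, so this is just one common convention.
RISK_MATRIX = {
    ("H", "H"): "H", ("H", "M"): "H", ("H", "L"): "M",
    ("M", "H"): "H", ("M", "M"): "M", ("M", "L"): "L",
    ("L", "H"): "M", ("L", "M"): "L", ("L", "L"): "L",
}


def rating_from_score(score):
    """Band a 0.00-1.00 score: L = 0.01-0.33, M = 0.34-0.66, H = 0.67-1.00."""
    score = round(score, 2)
    if not 0.0 <= score <= 1.0:
        raise ValueError("probability and impact scores must lie in 0.00-1.00")
    if score <= 0.33:
        return "L"
    if score <= 0.66:
        return "M"
    return "H"


def risk_rating(probability, impact):
    """Step 9: combine Probability and Impact into one H/M/L risk rating.

    Letters are used as given; numeric scores are banded first.
    """
    p = probability if probability in RATING_VALUE else rating_from_score(probability)
    i = impact if impact in RATING_VALUE else rating_from_score(impact)
    return RISK_MATRIX[(p, i)]


def rank_risks(register, phase):
    """Step 10: (rating, description) pairs from highest to lowest risk."""
    scored = [(risk_rating(*entry[phase]), entry["risk"]) for entry in register]
    return sorted(scored, key=lambda item: RATING_VALUE[item[0]], reverse=True)


def total_risk(register, phase):
    """Steps 11 and 15: average of the numeric values of the risk ratings."""
    ratings = [rating for rating, _ in rank_risks(register, phase)]
    return round(mean(RATING_VALUE[r] for r in ratings), 3)


# Constructed register for the server-migration project of step 2. Each entry
# holds (Probability, Impact) before and after mitigation/contingency.
REGISTER = [
    {"risk": "Replacement parts arrive late", "before": ("H", "H"), "after": ("M", "M")},
    {"risk": "Data corrupted during copy", "before": ("H", "M"), "after": ("M", "M")},
    {"risk": "Vendor support unavailable on cut-over day", "before": ("M", "M"), "after": ("M", "M")},
    {"risk": "Network outage during cut-over", "before": ("H", "L"), "after": ("M", "L")},
    {"risk": "Old system fails before the move", "before": ("L", "H"), "after": ("L", "M")},
    {"risk": "Staff unfamiliar with new console", "before": ("L", "L"), "after": ("L", "L")},
    {"risk": "Minor downtime during final sync", "before": ("M", "L"), "after": ("L", "L")},
]


if __name__ == "__main__":
    for phase in ("before", "after"):
        print(f"{phase} mitigation:")
        for rating, risk in rank_risks(REGISTER, phase):
            print(f"  {rating}  {risk}")
        print(f"  total risk = {total_risk(REGISTER, phase)}")
```

Running it lists the ranked register for each phase and prints a total of 0.5 (Medium) before and 0.329 after, matching steps 11 and 15. Because the matrix is a plain dictionary, a project that prefers a different convention for combining Probability and Impact only has to edit `RISK_MATRIX`; the banding and averaging stay the same.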

Dyman Associates Risk Management – Preparing A Risk Management Plan And Business Impact Analysis

The process of identifying risks, assessing risks and developing strategies to manage risks is known as risk management. A risk management plan and a business impact analysis are important parts of your business continuity plan. By understanding potential risks to your business and finding ways to minimise their impacts, you will help your business recover quickly if an incident occurs.

Types of risk vary from business to business, but preparing a risk management plan involves a common process. Your risk management plan should detail your strategy for dealing with risks specific to your business.

It’s important to allocate some time, budget and resources for preparing a risk management plan and a business impact analysis. This will help you meet your legal obligations for providing a safe workplace and can reduce the likelihood of an incident negatively impacting on your business.

This guide outlines the steps involved in preparing a risk management plan and a business impact analysis for your business.

Dyman & Associates Projects: A New Graduate’s Survival Guide Against Identity Hackers

As fresh graduates descend from the ivory tower (bearing their unstained diplomas), many will eventually encounter “real world” interactions for the very first time, and they run the risk of being eaten alive out there. Identity-connected scams, dark schemes and credit status traps litter the way to financial success. And for many of those new graduates who confidently say, “It will never happen to me,” get ready for your bubble to burst.

Data breaches and the identity-theft crimes that arise from them have become realities in life, next only to death and taxes. But there are a few things you can undertake to improve your protection against them, identify the problems and reduce the effects in case the inevitable happens. And if you believe a compromise to your identity or credit will never cost you a good amount of money, you will be surprised by the emotional turmoil and endless moments of annoyance spent regretting things which are non-refundable.

New grads must bear this in mind: Your personal identity and credit are significantly precious assets. And whereas it might be quite early in the game to seriously consider your investment portfolio, you now have two built-in investment-grade portfolios that you ought to manage well: your identity portfolio and your credit portfolio.

Take a look at a few general rules in the game that will aid you to protect your identity that, if you observe them, could make it easier for you to succeed.

1. Credit Cards

If you are a newbie to the world of credit cards, you tend to make some beginner’s errors that may lead to identity risk.

First, be wary as to where you divulge your credit card data. Consider yourself as your worst enemy when it concerns credit card scams if you fail to observe proper security steps when sharing your credit card information over the websites, to companies and even to friends. And while scammers have a way of stealing your account numbers, taking extra care if you live with roommates will protect you in a big way.

Make sure to check your account statements as often as you can, even daily, for unauthorized withdrawals or purchases. If anyone steals your debit or credit card number and goes out to spend like a king, and you fail to discover it early enough to prevent more damage, you could find yourself back to zero.

Keep track of your credit report and note how your credit standing moves. This will allow you to ascertain that all the accounts listed there belong to you. Usually, the first sign that you have fallen victim to new-account fraud arises from these reports. Being aware lets you face and deal with the issue well before a collection firm asks for money you did not spend. You can check your credit reports free of charge once a year from all three credit reporting agencies through this site: AnnualCreditReport.com. Likewise, you can check two of your credit scores for free with a Credit.com account; if you observe an unexpected reduction in your credit scores, check your reports for any issues, including fraudulent accounts.

2. Utilities

What about utilities? You phone a customer service agent who gets your name, address and phone number, and when your bill comes on the last day of the month, you pay accordingly. Sounds so simple, even a child could do it — which is exactly the problem. Identity thieves are so good at stealing electricity in your name, and since it is that easy for anyone to set up an account using your name, you may not be aware of it until you receive a notice from a collection agency for unpaid utilities bills and your credit status falls.

Here is what you need to do: Take extra time assessing your bills and immediately check on any doubtful items; always pay your bills on time (consider enrolling in a direct debit plan); safeguard your personally identifiable data (which means protecting your Social Security number from everyone except the select few who have to know it); and keep in mind that monitoring your scores and your reports often can warn you of any issue soon enough. One can never be too paranoid when it comes to monitoring nowadays.

3. Applying for Jobs

Many fresh graduates are not aware that a significant number of firms and institutions will check credit reports (not credit scores) prior to offering anyone a job. They are required to obtain permission from you (often in writing) before looking at your reports, and most of them will ask for your Social Security number, a primary asset in your identity portfolio, in order to do so.

Obviously, you have to be sure the employer is legitimate, and if you feel uneasy about divulging your Social Security number to a potential employer, conduct a little research before you give it. Many job scammers will ask for your SSN upfront, before they even interview you.

4. Filing Your Taxes

For a few new graduates, taxes have never entered their vocabulary or their limited world. It may be that their parents filed taxes for them, or they have never worked at a job to make it necessary.

If you are new at dealing with taxes, be aware of this: Not every person who offers to assist you will be trustworthy. Thieves abound everywhere, so take a careful look before getting an accountant or a tax-preparation service provider. Tax-related identity theft is one more reason why you must check who has access to your personally identifiable data. If a scammer files a tax return in your name before you do, you will spend six months or more waiting for the IRS to rectify the error and give you a refund.

Last Word on Identity Protection

In the realm of personal finance, many kinds of fraudulent people will try to take advantage of you, snatch your personally identifiable data and possibly decimate your credit. They revel in feasting on fresh-graduate meat. This is not surprising, as most new graduates still have a clean credit record and may not know the possible harm that identity thieves waiting at a dark corner can do. But if you carefully manage and attentively check your identity portfolio, it will be a real asset and not a liability.

The political science of cybersecurity V: Why running hackers through the FBI really isn’t a good idea

(Washingtonpost) – One of the most difficult challenges of cybersecurity is that it enables private actors to play a significant role in international security. Both security officials and international relations scholars tend to assume that states are the most important security actors. With a couple of minor exceptions (mercenary forces and the like) private actors simply don’t have the firepower to play a substantial role. Even terrorist groups with international ambitions usually require some kind of state to provide them with safe haven or to back them. Many (although certainly not all) experts argue that cybersecurity is different. Computers and Internet access are all that you need to carry out many kinds of attack, allowing private actors to become a real force in international cyber politics.

This potentially presents two problems for traditional understandings of international security. First, many argue that the world will be less stable if private actors can affect international security. For example, Joseph Nye, a prominent scholar and former policymaker, argues (PDF) that states have not been displaced by private actors in cybersecurity, but now have to share the stage with them. This creates greater volatility in world politics. The more actors there are, the greater the chance of unpredictable accidents, events, attacks or misunderstandings. Furthermore, private actors may have widely varying motivations and be more difficult to discipline. They are less likely to be concerned with the stability of the international system than states are.

There is also a more subtle problem. The existence of empowered private actors in cybersecurity presents temptations to states. It is easier for states to attack other states while blaming hackers, rogue elements or others for the attacks, thus making retaliation less likely. In cyberspace, it is often hard to figure out who precisely is responsible for an attack. These problems are multiplied when states can e.g. use clandestine relationships with private actors to carry out attacks by proxy.

For example, there is still vigorous debate over whether or not the Russian state mounted cyber attacks on Georgia during a dispute a few years ago. Certainly, the major attacks appear to have been mounted from within Russia. However, Ron Deibert, Rafal Rohozinski and Masashi Crete-Nishihata argue (paywalled) that the likely perpetrators were patriotic Russian cyber criminals (who had already built “botnets” of compromised computers for purely criminal attacks) rather than the Russian state itself. While it is possible that the Russian state (some elements of which maintain clandestine contact with the Russian underworld) was using these criminal networks as a cutout to blur responsibility, it is nearly impossible to prove one way or the other.

This has led some experts to call for new norms about responsibility. Jason Healey of the Atlantic Council proposes a sliding scale under which states would effectively be required to take responsibility for any major attacks organized from their territory or carried out by their citizens. This would change the incentives, so that states would be less inclined to cheat by acting through hidden proxies, and more inclined to tidy up rogue elements on their territory that might mount international attacks and land them in hot water. He suggests that the best way for the U.S. to protect its national security interests is to push for such norms.

In this context, yesterday’s New York Times story about the relationship between the FBI and the loosely-knit hacker culture/collective Anonymous raises some problems. The FBI identified a key Anonymous member, Sabu, and turned him so as to identify other hackers. Sabu then appears to have shared a list of foreign Web sites (including sites run by the governments of Iran, Syria, Poland, Turkey, Brazil and Pakistan) with vulnerabilities, and encouraged his colleagues to try to hack into them, uploading data to a server monitored by the FBI.

The Times says it is unclear whether he was doing so on direct orders from his FBI handlers. It is also unclear what happened to the information after it was uploaded (the Times raises the possibility that it was shared with other intelligence agencies, but it may have been left there to sit as evidence). Either way, this report is sure to be interpreted by other countries (including U.S. allies like Poland and Turkey) as strong circumstantial evidence that the U.S. has used independent hackers to conduct attacks in the past, and very possibly is doing so at present.

This obviously makes it harder for the U.S. to push for the kinds of norms that Healey and others advocate. If the U.S. appears to have dirty hands, it will have a more difficult time getting other states to believe in the purity of its actions and intentions. U.S. allies will be disinclined to believe its protestations. Countries that are more or less hostile to the U.S., and which have dubious relations with their own hacking community (such as Russia), are sure to point to the FBI’s decision to run Sabu as evidence of U.S. hypocrisy if the U.S. tries to get them to take responsibility for attacks mounted from their soil.

This will also have consequences if and when U.S. hackers (who are smart, talented and sometimes politically motivated) mount a successful public attack on a target in a third country. The U.S. administration will likely come under sustained suspicion as the hidden culprit behind such an attack, even if it has had absolutely nothing to do with it. Apparent past history will guide other states’ judgment (especially if these other states themselves have clandestine but systematic relationships with hackers, and assume that countries do the same). It’s doubtful that these issues of international policy were foremost in the thoughts of FBI officials when they decided to run Sabu (the FBI is a domestically focused agency, primarily concerned with criminal enforcement). Even so, their decisions may turn out to have important, and likely unfortunate, international ramifications.

5 Things You Need to Know About Cybersecurity Insurance

Cybersecurity insurance transfers some of the financial risk of a security breach to the insurer. But it doesn’t do a good job of covering the reputation damage and business downturn that can be triggered by a security breach.

CIO — Cybersecurity insurance does mitigate some financial damage should you suffer an attack, but it’s not a complete solution. Here are five things CIOs need to know.

1. It’s a risk-management strategy. Cybersecurity insurance transfers some of the financial risk of a security breach to the insurer. First-party insurance typically covers damage to digital assets, business interruptions and, sometimes, reputational harm.

Third-party insurance covers liability and the costs of forensic investigations, customer notification, credit monitoring, public relations, legal defense, compensation and regulatory fines. Cyberthreats are so broad that the cost of protecting against them all would be prohibitive. The best approach is to identify and secure the company’s digital crown jewels, then quantify and insure the remaining risk, says Daljitt Barn, director of cybersecurity at PricewaterhouseCoopers.

2. American and European markets differ. The cybersecurity insurance market is more mature in the U.S. than in the E.U., primarily because of U.S. states’ mandatory data-breach-notification laws. Third-party insurance is more common in the U.S., and first-party is more popular in Europe, but that may change if the E.U. starts requiring breach notifications, Barn says.

The U.S. market is growing about 30 percent per year, says Richard Betterley, president of Betterley Risk Consultants. Some surveys estimate that 30 percent of large U.S. companies have cybersecurity insurance, but among companies of all sizes, Betterley says, the number is probably under 10 percent.

3. Clear wording is essential. Before you buy, investigate what risks are covered by existing insurance packages, because there may be overlaps with a cyber-insurance policy. “Make sure the cyber policy wording covers your true cyber exposure,” Barn says. “Challenge your corporate insurance broker to find a policy that provides a multifaceted response, including legal, PR, notification, forensics and cyber incident response.”

4. Coverage is inadequate in some areas. Cybersecurity insurance doesn’t do a good job of covering intellectual property theft or the reputational damage and business downturn that can be caused by a security breach, Betterley says. Meanwhile, the industry is debating whether state-sponsored cyberattacks, to the extent they can be identified as such, are covered by cybersecurity insurance policies.

5. There’s room for improvement. Ideally cybersecurity insurance should encourage companies to improve security so they can negotiate lower premiums. However, insurers don’t have enough actuarial data to adjust premiums based on what security controls and products are most effective, says Andrew Braunberg, research director at NSS Labs.

Japan, EU planning cybersecurity summit

(Japantimes) – With China a suspected source of cyberattacks, Prime Minister Shinzo Abe and European Union leaders will agree at a summit in Brussels on May 7 to launch a dialogue to boost cybersecurity, according to a draft of a statement to be issued after the meeting.

“Facing more severe, widespread and globalized risks surrounding cyberspace . . . protection of a safe, open and secure cyberspace is needed,” according to the draft, a copy of which was obtained Sunday.

Abe and the EU leaders, European Council President Herman Van Rompuy and European Commission President Jose Manuel Barroso, will also agree to hold an inaugural meeting of a Japan-EU dialogue on the stable use of outer space in the latter half of this year in Tokyo, the draft says.

Tokyo appears poised to proactively contribute to international rule-making over cyberspace. The launch of a Japan-EU dialogue to promote cooperation on cyberspace would follow similar consultations Japan has held with the United States, Britain and other countries.

In recognition of the threat posed to national security, Japan said in its National Security Strategy adopted in December that it will strengthen information sharing and promote cyberspace defense cooperation with relevant countries.

In the first meeting of the Japan-EU Space Policy Dialogue, the two sides are expected to discuss creation of international norms to reduce space debris caused by anti-satellite tests, satellite collisions and other reasons.

“We affirm the importance of safety, security and sustainability of outer space activities,” the draft statement says.

In 2007, China destroyed one of its aging satellites via a missile-driven anti-satellite test, creating a mess of fragments fluttering through space and sparking concern that such debris could seriously damage other satellites nearby.

In the summit, Abe and the EU leaders will reaffirm their shared view that international disputes and issues “should be resolved peacefully and in accordance with international law, not by force or coercion,” the draft says.

The wording apparently refers to the intrusions by Chinese patrol ships into Japanese waters around the Senkaku Islands in the East China Sea, aimed at undermining Japan’s administration of the islets, which are claimed as Diaoyu by Beijing and Tiaoyutai by Taiwan.

Turning to Ukraine, the Japanese and EU leaders will “strongly condemn” and “will not recognize” Russia’s annexation of Crimea in March, while urging Moscow and other parties concerned to “refrain from any steps to further destabilize Ukraine,” the draft says.

The leaders will call for ensuring freedom of navigation in and flight over the open seas, according to the draft, in an apparent criticism of China’s unilateral declaration in November of an air defense identification zone overlapping Japanese airspace over the Senkaku Islands.

Beijing announced rules requiring aircraft entering the zone — which covers an extensive area above the high seas separating China, Japan, South Korea and Taiwan — to file flight plans in advance and follow instructions of Chinese controllers or face “defensive emergency measures.”

Policymakers and experts outside China, however, say Beijing’s zone is not in line with international norms.

Among other issues, the EU leaders will welcome an expanded role for Japan in promoting and sustaining global peace and security, as set out in Abe’s policy of proactively contributing to peace based on the principle of international cooperation, it says.

Japan will study the possibility of participating in EU peace missions in Africa and elsewhere, it says.

Brussels will be the last leg of Abe’s six-nation European tour starting Tuesday, following visits to Germany, Britain, Portugal, Spain and France.

ISACA launches cyber-security skills programme

(computerweekly) – Global IT association ISACA has launched its Cybersecurity Nexus (CSX) programme to help address the global security skills shortage.

According to the Cisco 2014 Annual Security Report, more than one million positions for security professionals remain unfilled around the world.

CSX is aimed at helping IT professionals with security-related responsibilities to “skill up” and providing support through research, guidance and mentoring.

A recent ISACA survey found that 62% of organisations have not increased security training in 2014, despite 20% of enterprises reporting they have been hit by advanced persistent threats.

“Unless the industry moves now to address the cyber-security skills crisis, threats such as major retail data breaches and the Heartbleed bug will continue to outpace the ability of organisations to defend against them,” said Robert Stroud, ISACA international president-elect.

CSX is designed as a comprehensive programme that provides expert-level cyber-security resources tailored to each stage in a cyber-security professional’s career.

The programme includes career development resources, frameworks, community and research guidance, such as Responding to Targeted Cyberattacks and Transforming Cybersecurity Using COBIT 5.

There is also a Cybersecurity Fundamentals Certificate aimed at entry-level information security professionals with zero to three years of practitioner experience.

The CSX program marks the first time in its 45-year history that ISACA will offer a security-related certificate.

The certificate is for people just coming out of college and for career-changers now getting into IT security. The foundational level is knowledge-based and covers four domains:

  • Cybersecurity architecture principles
  • Security of networks, systems, applications and data
  • Incident response
  • Security implications related to adoption of emerging technologies

The exam will be offered online and at select ISACA conferences and training events beginning this September.

The content aligns with the US NICE framework and was developed by a team of about 20 cyber-security professionals from around the world.

ISACA plans to add more to the CSX programme, including a cybersecurity practitioner-level certification with the first exam in 2015, cybersecurity training courses, SCADA guidance and digital forensics guidance.

A recent global poll of members of ISACA student chapters shows that 88% of the ISACA student members surveyed say they plan to work in a position that requires some level of cybersecurity knowledge.

However, fewer than half say they will have the adequate skills and knowledge they need to do the job when they graduate.

“Security is always one of the top three items on a CIO’s mind, yet IT and computer science courses at university level are not allocating a proportional amount of training to cybersecurity,” said Eddie Schwartz, chair of ISACA’s Cybersecurity Task Force.

“Today, there is a sizeable gap between formal education and real world needs. This, in itself, is an area requiring immediate focus so that the industry can get better at detecting and mitigating cyber threats,” he said.

According to Tony Hayes, ISACA international president, enterprises cannot rely on just a handful of universities to teach cybersecurity.

“With every employee and endpoint at risk of being exploited by cyber criminals, security is everyone’s business. We need to make cybersecurity education as accessible as possible to the next generation of defenders,” he said.

U.S., UK advise avoiding Internet Explorer until bug fixed

The Microsoft logo is seen at their offices in Bucharest March 20, 2013. CREDIT: REUTERS/BOGDAN CRISTEL

(Reuters) – The U.S. and UK governments on Monday advised computer users to consider using alternatives to Microsoft Corp’s Internet Explorer browser until the company fixes a security flaw that hackers used to launch attacks.

The Internet Explorer bug, disclosed over the weekend, is the first high-profile computer threat to emerge since Microsoft stopped providing security updates for Windows XP earlier this month. That means PCs running the 13-year-old operating system will remain unprotected, even after Microsoft releases updates to defend against it.

The Department of Homeland Security’s U.S. Computer Emergency Readiness Team said in an advisory released on Monday that the vulnerability in versions 6 to 11 of Internet Explorer could lead to “the complete compromise” of an affected system.

The recently established UK National Computer Emergency Response Team issued similar advice to British computer users, saying that in addition to considering alternative browsers, they should make sure their antivirus software is current and regularly updated.

Versions 6 to 11 of Internet Explorer dominate desktop browsing, accounting for 55 percent of global market share, according to research firm NetMarketShare.

Boldizsár Bencsáth, assistant professor with Hungary’s Laboratory of Cryptography and Systems Security, said the best solution was to use another browser such as Google Inc’s Chrome or Mozilla’s Firefox.
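The practical follow-up to this advice is to find out which machines on your own network are still exposed. The script below is an added example, not code from the article, from US-CERT or from any of the quoted vendors: it scans web-server access logs in combined log format for User-Agent strings that identify Internet Explorer 6 to 11 (the range named in the US-CERT advisory) or Windows XP (reported as Windows NT 5.1, or NT 5.2 for the x64 edition), which will never receive the fix. The log lines are constructed for the example; the IE 11 handling exists because IE 11 dropped the MSIE token and announces itself only through Trident/7.0 and rv:11.0.

```python
import re
from typing import List, NamedTuple, Optional

# Version range named in the US-CERT advisory (IE 6 through 11 inclusive).
AFFECTED_IE = range(6, 12)

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Apr/2014:09:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
10.0.0.6 - - [28/Apr/2014:09:12:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
10.0.0.7 - - [28/Apr/2014:09:12:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36"
10.0.0.8 - - [28/Apr/2014:09:12:12 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
10.0.0.9 - - [28/Apr/2014:09:12:20 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
10.0.0.10 - - [28/Apr/2014:09:12:31 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0"
"""


class Client(NamedTuple):
    ip: str
    ie_version: Optional[int]  # None when the browser is not Internet Explorer
    windows_xp: bool


_MSIE_RE = re.compile(r"MSIE (\d+)\.")
# IE 11 has no MSIE token; it is identified by a Trident token followed by rv:11.
_TRIDENT_RV_RE = re.compile(r"Trident/\d+\.\d+;.*?rv:(\d+)\.")
_XP_RE = re.compile(r"Windows NT 5\.[12]\b")
_UA_FIELD_RE = re.compile(r'"([^"]*)"\s*$')  # last quoted field is the User-Agent
_IP_RE = re.compile(r"^(\S+)")


def ie_version(ua: str) -> Optional[int]:
    """Return the Internet Explorer major version announced by a User-Agent, or None."""
    m = _TRIDENT_RV_RE.search(ua)
    if m:
        return int(m.group(1))
    m = _MSIE_RE.search(ua)
    return int(m.group(1)) if m else None


def is_windows_xp(ua: str) -> bool:
    """True for Windows XP (NT 5.1) and XP x64 / Server 2003 (NT 5.2)."""
    return _XP_RE.search(ua) is not None


def parse_line(line: str) -> Optional[Client]:
    """Extract client IP and browser facts from one combined-log-format line."""
    ua_m = _UA_FIELD_RE.search(line)
    ip_m = _IP_RE.match(line)
    if not ua_m or not ip_m:
        return None
    ua = ua_m.group(1)
    return Client(ip_m.group(1), ie_version(ua), is_windows_xp(ua))


def exposed_clients(log_text: str) -> List[Client]:
    """Clients running IE 6-11 (vulnerable) or Windows XP (will not be patched)."""
    flagged = []
    for line in log_text.splitlines():
        client = parse_line(line)
        if client is None:
            continue
        if client.ie_version in AFFECTED_IE or client.windows_xp:
            flagged.append(client)
    return flagged


if __name__ == "__main__":
    for c in exposed_clients(SAMPLE_LOG):
        why = []
        if c.ie_version in AFFECTED_IE:
            why.append(f"IE {c.ie_version}")
        if c.windows_xp:
            why.append("Windows XP")
        print(f"{c.ip}: {', '.join(why)}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the Firefox-on-XP line shows why the two checks are kept separate, since a machine on an unsupported OS is worth chasing even when it has already switched browsers.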

DELAYED UPGRADES

Security experts have long been warning Windows XP users to upgrade to Windows 7 or 8 before Microsoft stopped supporting it at the beginning of this month.

The threat that emerged over the weekend could be the wakeup call that prompts the estimated 15 to 25 percent of PC users who still use XP to dump those systems.

“Everybody should be moving off of it now. They should have done it months ago,” said Jeff Williams, director of security strategy with Dell SecureWorks.

Roger Kay, president of Endpoint Technologies, expects several hundred million people running Windows XP to dump those machines for other devices by the end of the year.

They will be looking at Windows machines as well as Apple Inc’s Macs and iPads along with Google’s Chrome laptops and Android tablets, he said.

“Not everybody will necessarily go to Windows, but Microsoft has a good chance at getting their business,” he said. “It’s got to be a good stimulus for the year.”

News of the vulnerability surfaced over the weekend. Cybersecurity software maker FireEye Inc warned that a sophisticated group of hackers have been exploiting the bug in a campaign dubbed “Operation Clandestine Fox.”