
The Cyber Risk Manager's Toolbox - A Masterclass

Created:  10 Apr 2017
Updated:  10 Apr 2017
Author:  John Y

In Cyber Security, risk management is sometimes seen as an exercise in applying a single standardised method to an information system. The idea goes a bit like this: You're worried about the security of your data so you apply 'the method.' When you're finished applying 'the method' you get a to-do list that will secure your system. Once the to-do list is done, you are secure. Phew!

The trouble is, risk management is nowhere near this simple. Any single cyber risk management method will be insightful in some situations, but useless in others, and downright dangerous when applied universally. What's needed is a whole array of risk management tools.

This raises some questions. Firstly, what are all these different risk management tools? Secondly, how do we know which one to use, and when? And finally, which ones are essentially the same method in different wrappers?

Ahead of more extensive guidance, I'll be providing some brief answers to these questions, as covered in a recent masterclass at CyberUK.

The CyberUK risk management masterclass

The NCSC's Sociotechnical Security Group (StSG) has been researching a range of risk management methods for quite a while. And, as a warm-up to the NCSC's flagship conference CyberUK 2017, we presented some of this research to a group of twenty professionals from some of the NCSC-certified cyber security consultancies. Held in the magnificent city of Liverpool, this 2-day Risk Masterclass welcomed practitioners from organisations including QinetiQ, HPE, NCC Group, Actica and InfoSecuri.

So, what did this masterclass cover? We began by discussing the limitations of current cyber risk management approaches. If you'd like to do some background reading, this earlier paper is a great primer. But, in a nutshell, we talked about techniques which focus primarily on system components, their vulnerabilities and the threats they face. The UK Government's own legacy method, IS1/2, is a good example of the kind of technique we're talking about here.

Whilst these approaches add some value, they often give a poor picture of the risks faced by complex systems. And what's worse, they can sometimes make you over-confident in the effectiveness of a risk management exercise. They also tend to make you focus on just one kind of risk information.

Information, complexity and analysis

Having established that one size does not fit all when it comes to cyber risk management, we moved on to consider what counts as 'risk information'. The key point here is that a mature approach must be able to bring in a wide range of information types, quantitative and qualitative to name just two.

We also introduced the implications of increasing complexity in our technology, and how the field of complexity science can help us make sense of this. We rounded up the masterclass with a high-level look at how cyber security can be analysed using systems theory-based frameworks adapted from the field of safety engineering, such as the tools that live under Professor Nancy Leveson's STAMP framework.

Upcoming guidance

In keeping with the tone of the CyberUK conference, the masterclass covered a mix of theory and practice. This was particularly valuable to us in the StSG, as it gave us an opportunity to road-test some of the concepts and tools from the risk management guidance we'll be publishing on the NCSC's website in early 2018. We will also be running more masterclasses like this one. Do keep an eye on this blog for details about these.

This guidance will include an introduction to the core concepts of cyber risk, some points to consider in the governance of cyber risk, and a discussion of the different flavours of cyber risk management frameworks, along with a look at how they complement each other. We'll be publishing more details in the coming months. 

We are particularly grateful to the participants for bringing so much energy and professional insight to the masterclass, and for making it such a success. Their feedback showed us there's a strong appetite for a broader set of tools and techniques for cyber security risk managers.

In the participants' own words, "The masterclass challenged my way of approaching risk", "I learned some useful new risk theory and practice". My personal favourite was short but sweet: "YES!" Hopefully, our guidance will be met with similar enthusiasm. As always, any comments or questions are welcomed below.

John Y

Risk Research Lead


7 comments

David - 11 Apr 2017
Very insightful!!! Thank you :)
Martin P - 19 Apr 2017
If your new guidance can cover practical use of quantitative methods such as those described by Hubbard, for example in his book "How to measure anything in cyber security risk", that would be most helpful.
John Y - 24 Apr 2017
We are definitely aware of Doug Hubbard’s book, and we’re using some of the techniques in it as a part of our research into risk management in cyber security. As far as the guidance is concerned, I can’t promise that we’ll go into the level of detail that you might want, but we will definitely give some guidance relating to the application of quantitative methods in cyber risk management. Some of this will overlap with the approaches in that book.
Roger - 30 Jun 2017
Dear John,

Would you consider coming to the Netherlands, or if you are in the Netherlands visiting the Dutch NCSC, to give a Masterclass at a University of Applied Science and maybe a presentation for the Army reserve cyber platoon?
John Y - 03 Jul 2017
Thanks Roger, that sounds really interesting. We should talk about that directly. Could you make contact through the 'Contact Us' page (you can find it in the quick links towards the bottom of this web page)? I’ll pick it up and we can have some discussions from there. Thanks for getting in touch!
Kemi - 07 Aug 2017
Astute!! An intelligent master class indeed.
How can new researchers in the field get to participate in courses of this kind?
NCSC Communications Team - 28 Aug 2018
This blog is now closed to comments.
