In Cyber Security, risk management is sometimes seen as an exercise in applying a single standardised method to an information system. The idea goes a bit like this: You're worried about the security of your data so you apply 'the method.' When you're finished applying 'the method' you get a to-do list that will secure your system. Once the to-do list is done, you are secure. Phew!
The trouble is, risk management is nowhere near this simple. Any single cyber risk management method will be insightful in some situations, but useless in others, and downright dangerous when applied universally. What's needed is a whole array of risk management tools.
This raises some questions. Firstly, what are all these different risk management tools? But also, how do we know which one to use when? And, which ones are essentially the same but in different wrappers?
Ahead of more extensive guidance, I'll be providing some brief answers to these questions, as covered in a recent masterclass at CyberUK.
The CyberUK risk management masterclass
The NCSC's Sociotechnical Security Group (StSG) has been researching a range of risk management methods for quite a while. And, as a warm-up to the NCSC's flagship conference CyberUK 2017, we presented some of this research to a group of twenty professionals from some of the NCSC-certified cyber security consultancies. Held in the magnificent city of Liverpool, this 2-day Risk Masterclass welcomed practitioners from organisations including QinetiQ, HPE, NCC Group, Actica and InfoSecuri.
So, what did this masterclass cover? We began by discussing the limitations of current cyber risk management approaches. If you'd like to do some background reading, this earlier paper is a great primer. But, in a nutshell, we talked about techniques which focus primarily on system components, their vulnerabilities and the threats they face. The UK Government's own legacy method, IS1/2, is a good example of the kind of technique we're talking about here.
Whilst these approaches add some value, they often give a poor picture of the risks faced by complex systems. And what's worse, they can sometimes make you over-confident in the effectiveness of a risk management exercise. They also tend to make you focus on just one kind of risk information.
Information, complexity and analysis
Having established that one size does not fit all when it comes to cyber risk management, we moved on to consider what counts as 'risk information'. The key point here is that a mature approach must be able to bring in a wide range of information types, quantitative and qualitative to name just two.
We also introduced the implications of increasing complexity in our technology, and how the field of complexity science can help us make sense of this. We rounded up the masterclass with a high-level look at how cyber security can be analysed using systems theory-based frameworks adapted from the field of safety engineering, such as the tools that live under Professor Nancy Leveson's STAMP framework.
In keeping with the tone of the CyberUK conference, the masterclass covered a mix of theory and practice. This was particularly valuable to us in the StSG, as it gave us an opportunity to road-test some of the concepts and tools from the risk management guidance we'll be publishing on the NCSC's website in early 2018. We will also be running more masterclasses like this one. Do keep an eye on this blog for details about these.
This guidance will include an introduction to the core concepts of cyber risk, some points to consider in the governance of cyber risk, and a discussion of the different flavours of cyber risk management frameworks, along with a look at how they complement each other. We'll be publishing more details in the coming months.
We are particularly grateful to the participants for bringing so much energy and professional insight to the masterclass, and for making it such a success. Their feedback showed us there's a strong appetite for a broader set of tools and techniques for cyber security risk managers.
In the participants' own words, "The masterclass challenged my way of approaching risk", "I learned some useful new risk theory and practice". My personal favourite was short but sweet: "YES!" Hopefully, our guidance will be met with similar enthusiasm. As always, any comments or questions are welcomed below.
Risk Research Lead