The COBIT 2019 framework includes a holistic approach to managing cyber risk. Although the framework consists of 40 objectives, in this article we will discuss the one objective most relevant to cyber risk management – ‘managed risk’ (APO12). We emphasize the need to leverage experienced cybersecurity professionals who fully understand risk in technology infrastructure.
The COBIT 2019 objective on ‘managed risk’ includes detailed guidance on specific practices, metrics and information flows with inputs and outputs. This objective, in the ‘Align, Plan & Organize’ (APO) domain of the framework, can be used specifically for managing cyber risk within an organization’s overall enterprise risk management (ERM).
Below we present the key risk management practices with suggestions for practical use in an organization.
‘Collect data’ (APO12.01) on risks to an organization’s information and technology. Data can be collected and organized using a cyber-threat taxonomy that facilitates consistent risk analysis and a sustained cybersecurity roadmap. Two such taxonomies are the US NIST SP 800-30 threat event taxonomy and the European Union’s ENISA Threat Taxonomy. These taxonomies can be scaled up or down in complexity depending on the organization, but we suggest keeping it simple for full adoption and added value.
To illustrate the collection of data, an organization may identify the most relevant NIST ‘adversarial’ threats (e.g. obtain unauthorized access, malware delivered to internal systems, exfiltration of sensitive information). The threat taxonomy can then be used to establish a set of scenarios for the consistent collection of data, period after period, with corresponding metrics (e.g. volume of security incidents and problems, endpoint systems infected with malware, externally facing systems). The data accumulated should be the data that aligns with these threats.
‘Analyze risk’ (APO12.02) with supporting evidence for the risk assessment and associated decisions. Risk scenarios are analyzed by considering internal risk factors (e.g. vulnerability scan results, patch status, externally facing systems) and external factors (e.g. government and industry notifications on malware, trends in exploits and attacks). Analysis of specific scenarios (e.g. unauthorized 'insider' privileged access, ransomware attack, theft of intellectual property) should be customized within the organization's context (e.g. assets affected, repositories with sensitive data, critical business processes). Expand the analysis with estimated impact and probability of each scenario. The technical response to counter each threat should also be analyzed and documented.
In the analysis of risk, consult with cybersecurity professionals to understand the full capabilities of cyber-threat actors (e.g. organized crime, nation-state hacking groups). It is also worthwhile to consider the full range of cyber tactics and techniques as documented in the Lockheed Martin ‘Cyber Kill Chain’ or the MITRE ATT&CK framework.
‘Maintain a risk profile’ (APO12.03) for a set of risk scenarios by category (cyber-threat), business line or functional area. Present worst case and most probable risk scenarios that will enable management to balance risk and mitigation. The risk profiles should be maintained with a quantitative approach that rates impact (1-5) and likelihood (1-5) to get a risk rating (high, normal, low) for each scenario. These profiles can then be prioritized and actioned. Note that the data collected, analyzed and aggregated into risk profiles as described above should yield actionable intelligence for decision making.
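As an added illustration (not code from the article or from COBIT) of the APO12.03 scoring described above, the following register rates constructed scenarios on impact (1-5) and likelihood (1-5), derives a high/normal/low rating, and builds a per-category profile with the worst-case and most probable scenario. The 1-25 score thresholds (high at 15 or more, low below 6) and the sample scenarios are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample register: (threat category, scenario, impact 1-5, likelihood 1-5)
SCENARIOS = [
    ("unauthorized access", "insider misuse of privileged account", 4, 3),
    ("unauthorized access", "credential stuffing on remote access portal", 3, 4),
    ("malware", "ransomware via phishing attachment", 5, 3),
    ("malware", "commodity malware on workstation", 2, 5),
    ("exfiltration", "theft of intellectual property", 5, 2),
    ("exfiltration", "misconfigured cloud storage exposure", 3, 1),
]

HIGH_THRESHOLD = 15  # assumed: score >= 15 is 'high'
LOW_THRESHOLD = 6    # assumed: score < 6 is 'low'; everything between is 'normal'


def validate(score: int) -> int:
    """Reject ratings outside the 1-5 scale so bad input cannot skew the profile."""
    if not 1 <= score <= 5:
        raise ValueError(f"score must be between 1 and 5, got {score}")
    return score


def risk_score(impact: int, likelihood: int) -> int:
    """Quantitative score on the 1-25 scale: impact x likelihood."""
    return validate(impact) * validate(likelihood)


def risk_rating(impact: int, likelihood: int) -> str:
    """Map the score to the three-level rating used for prioritization."""
    score = risk_score(impact, likelihood)
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= LOW_THRESHOLD:
        return "normal"
    return "low"


def build_profile(scenarios):
    """Group scenarios by threat category with worst-case and most-probable entries."""
    by_category = defaultdict(list)
    for category, name, impact, likelihood in scenarios:
        by_category[category].append({
            "scenario": name, "impact": impact, "likelihood": likelihood,
            "score": risk_score(impact, likelihood),
            "rating": risk_rating(impact, likelihood),
        })
    profile = {}
    for category, items in by_category.items():
        profile[category] = {
            # worst case: highest impact, ties broken by overall score
            "worst_case": max(items, key=lambda r: (r["impact"], r["score"]))["scenario"],
            # most probable: highest likelihood, ties broken by overall score
            "most_probable": max(items, key=lambda r: (r["likelihood"], r["score"]))["scenario"],
            "scenarios": sorted(items, key=lambda r: r["score"], reverse=True),
        }
    return profile


def prioritized(scenarios):
    """All scenarios ordered for action: highest score first."""
    rows = [(risk_score(i, l), risk_rating(i, l), cat, name) for cat, name, i, l in scenarios]
    return sorted(rows, reverse=True)
```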
‘Articulate risk’ (APO12.04) through communication with relevant stakeholders. It may be worthwhile to consolidate this internal articulation of risk with third-party assessments, internal audit reports or quality assurance reviews. We suggest using actual examples of cyber-attacks that are conceivable in the organization. An excellent source of such examples is the annual Verizon Data Breach Investigations Report, which covers actual data breaches and security incidents in good detail. High-profile breaches that reflect possible threats to an organization will get attention from senior management (e.g. Petya ransomware, data theft from Marriott, Equifax and others).
‘Define a risk management action portfolio’ (APO12.05) where each scenario has a corresponding control activity for mitigation. Specific mitigating actions should be documented, e.g. compromise of privileged access is mitigated by granting only temporary and restricted access to system administrators; malware is prevented through scanning, patching and robust firewalls.
‘Respond to risk’ (APO12.06) by taking action when actual risk events occur. We suggest preparing, maintaining and testing plans for the most significant risks. Develop scripts or runbooks of actions to take when a specific event occurs. Plan and run periodic exercises with realistic simulations of adverse events.
The practices described above for managing risk represent the formal and methodical COBIT 2019 approach. Each practice can be customized and elaborated to match any organization. Managing risk is a continuous process that is most appreciated when risk becomes real with an actual adverse event.