Assessing and Insuring Cybersecurity Risk


Remote workforces using VPNs, cloud-based infrastructure and critical systems, and a proliferation of phishing attacks and fraudulent websites are all raising the level of risk for every company. It comes down to one question: how to gauge a company's level of cyber risk and its tolerance for that risk. Loosely put, this translates to how much uncertainty an organization can tolerate before the uncertainty starts to negatively affect mission-critical flows and business processes. Gauging this can be a huge and nebulous task for any IT security team. What makes it so difficult are the many frameworks and models that can be used; it is far from obvious which one to adopt in order to achieve a high level of security. Complicating the situation further, both quantitative and qualitative variables must be taken into consideration and fed into a cyber risk model.

Assessing and Insuring Cybersecurity Risk provides insight into how to gauge an organization's particular level of cyber risk, and what would be deemed appropriate for the organization's risk tolerance. In addition to computing the level of cyber risk, an IT security team has to determine the appropriate controls needed to mitigate it. Also to be considered are the standards and best practices that the IT security team has to implement to comply with regulations and mandates such as CCPA, GDPR, and HIPAA.

To help a security team comprehensively assess an organization's cyber risk level and how to insure against it, the book covers:

- The mechanics of cyber risk
- Risk controls that need to be put into place
- The issues and benefits of cybersecurity risk insurance policies
- GDPR, CCPA, and the CMMC

Gauging how much cyber risk and uncertainty an organization can tolerate is a complex and complicated task, and this book helps to make it more understandable and manageable.

Author(s): Ravi Das
Publisher: CRC Press
Year: 2021

Language: English
Pages: 167
City: Boca Raton

Cover
Half Title
Title Page
Copyright Page
Dedication
Table of Contents
Acknowledgments
Authors
Chapter 1: Cybersecurity Risk
Introduction
What Cyber Measurement Is All About
The Concept of Bayesian Measurement
The Classification Chain
Uncertainty
Measurement of Uncertainty
Risk
Measurement of Risk
The Statistical Methods of Measurement
The Rule of Five
The Various Quantitative Methods for Gauging Cyber Risk
The Risk Matrix
The Monte Carlo Method
The Creation of Random Cyber-Related Events
The Lognormal Distribution
The Summation of the Cyber Risks
How to Visualize Cyber Losses
The Return on Mitigation
The Decomposition of the One for One Substitution Cyber Risk Model
A Decomposition Strategy
A Newer Decomposition Strategy
How to Avoid Over-Decomposing the Variables
A Critical Variable Related to Cyber Risk: Reputational Damage
How to Reduce the Level of Cyber Risk with Bayesian Techniques
The Important Statistical Concepts of the Bayesian Theory
Making Use of Prior Cyber Events in the Bayesian Methodology
Statistically Proving the Bayesian Theorem
The Applications of the Bayesian Methodology
How to Reduce the Level of Cyber Risk with More Sophisticated Bayesian Techniques
The Beta Distribution
Making Use of the Log Odds Ratio
How to Use the Log Odds Ratio (LOR) Methodology
The Lens Methodology
A Cross Comparison of the LOR and Lens Methodologies
How to Ascertain the Value of Information and Data
How a Known Factor Can Have an Impact on a Predicted Event
A Brief Overview of Cybersecurity Metrics
Notes
Chapter 2: Cybersecurity Audits, Frameworks, and Controls
An Overview of the Cybersecurity Controls
A Technical Review of the Cybersecurity Audit
Why the Cyber Audit Is Conducted
The Principles of Control in the Cyber Audit
The Validation of the Audit Frameworks
A Macro View of How the Cyber Audit Process Works
The Importance of Cyber Audit Management
A Holistic View of How the Cyber Audit Process Works
A Review of the Cyber Audit Frameworks
Breaking Down the Importance of Information Technology (IT) Security Governance
A Deep Dive into the Cybersecurity Frameworks
The ISO 27001
The COBIT 5
The National Institute of Standards and Technology
The Framework for Improving Critical Infrastructure Cybersecurity
The Information Security Forum Standard of Good Practice for Information Security
The Payment Card Industry Data Security Standards
The Cyber Risk Controls
The Goal-Based Security Controls
The Preventive Controls
The Detective Controls
The Operational Controls
Notes
Chapter 3: Cybersecurity Insurance Policies
Cybersecurity Risk Insurance Policies
The State of the Cybersecurity Insurance Market
An Analysis of the Major Insurance Carriers That Offer Cyber Insurance
The Major Components of a Cyber Insurance Policy
How Should an SMB Decide on What Kind of Cyber Policy to Get
Notes
Chapter 4: The Compliance Laws of the GDPR, CCPA, and CMMC
GDPR
Implications for Business and Cybersecurity
More about GDPR
DPO, DCs, and DPs
Conclusions on GDPR
California Consumer Privacy Act (CCPA)
Cybersecurity Maturity Model Certification (CMMC)
Who Cares?
Levels
Summary
Notes
Chapter 5: Conclusions
Chapter 1
Chapter 3
An Example of Cyber Resiliency
How the Definition of Cyber Resiliency Was Met
What Is the Difference between Cyber Resiliency and Cybersecurity?
The NIST Special Publication 800-160 Volume 2
What Cybersecurity Insurance Is and Its History
The Advantages and Disadvantages of Cybersecurity Insurance
The Advantages
The Disadvantages
The Factors That Insurance Companies Consider When Providing Coverage
Chapter 4
PII Versus Personal Data
The Rights That Are Afforded to Individuals
The CCPA
The GDPR
The Usage of Data
The CCPA
The GDPR
The Components of the Maturity Level 1
The Access Control (AC)
The Identification and Authentication (IA)
The Media Protection (MP)
The Physical Protection (PE)
The System and Communications Protection (SC)
The System and Information Integrity (SI)
The Background of the PCI-DSS
The Compliance Levels of the PCI-DSS
The Requirements of the PCI-DSS
Notes
Index