Cybersecurity Risk Management: An ERM Approach

The motivation for writing this book is to share our knowledge, analyses, and conclusions about cybersecurity in particular and risk management in general, in order to raise awareness among businesses, academics, and the general public about the changes and challenges in the cyber landscape and the emerging threats that will affect individual and corporate information security. We believe that all stakeholders should adopt a unified, coordinated, and organized approach to addressing corporate cybersecurity challenges based on a shared paradigm. The book can be read at two levels. First, it can be read by ordinary individuals with little or no risk management experience; the book's non-technical style makes it appropriate for this readership. The material may appear daunting at times, but we hope the reader will not be disheartened. One of the book's most notable features is that it is organized in a logical order that guides the reader through the enterprise risk management process, beginning with an introduction to risk management fundamentals and concluding with the strategic considerations that must be made to implement a cyber risk management framework successfully. The second group of readers targeted by this book is practitioners, students, academics, and regulators. We do not anticipate that everyone in this group will agree with the book's content and views, but we hope that the knowledge and material provided will serve as a basis on which they can build in their own work.

The book comprises ten chapters. Chapter 1 is a general introduction to the theoretical concepts of risk and the constructs of enterprise risk management. Chapter 2 presents the corporate risk landscape and cyber risk in terms of the characteristics and challenges of cyber threats vis-à-vis the emerging risks, from the perspective of a business organization. Chapter 3 presents the idea of enterprise risk management and explains the structure and functions of enterprise risk management as they relate to cybersecurity. Chapter 4 covers the cybersecurity risk management standards that may be used to build a cybersecurity risk management framework based on best practices. The cyber operational risk management process begins in Chapter 5 with the introduction of the risk identification function. Chapter 6 continues with the next step of this process by presenting the risk assessment procedures for evaluating and prioritizing cyber risks. Chapter 7 explains the activities in the third step of the ORM process, risk mitigation, and gives examples of the tools and techniques for addressing risk exposures. Chapter 8 presents monitoring, detection, and reporting, a function that is critical from an operational perspective for its role in detecting risk and in the continual improvement of the organization's cybersecurity processes. Chapter 9 discusses the crisis management steps that businesses must take to respond to and recover from a cyber incident. Chapter 10 emphasizes the essential ERM components that senior management should be aware of and cultivate to create an effective cyber risk control framework, focusing on the strategic aspects of cybersecurity risk management from a business viewpoint. This chapter proposes a cybersecurity ERM framework based on the content of the book.

Author(s): Kok-Boon Oh
Series: Cybercrime and Cybersecurity Research
Publisher: Nova Science Publishers
Year: 2022

Language: English
Pages: 264
City: New York

Contents
List of Figures
List of Tables
Preface
Acknowledgments
List of Acronyms and Glossary
Chapter 1
Cyber Threats and Enterprise Risk
1. Introduction
2. Why Is Risk Management Important?
3. Cyber Risk and Cybersecurity
4. Cybercrime and Cyber-Terrorism
5. What Is Enterprise Risk Management?
6. Uncertainty, Threat & Risk
7. Risk Types and Dimensions
8. Risk and Return
9. Systematic and Unsystematic Risks
10. Standalone Risk and Portfolio Risk
11. Risk Tolerance
Conclusion
Chapter 2
Corporate Risk Environment and Cyber Risk
1. Introduction
2. Corporate Risk Environment
3. Corporate Cybersecurity
4. Impact of Technology
5. Critical Systems, Networks, and Data
5.1. Critical Systems
5.2. Networks
5.3. Data
6. Human Factors
7. Cyber Risk Landscape
7.1. Cyber Threat, Vulnerability, and Risk
7.2. Cyber Threat Actors
8. Industries at Risk
Conclusion
Chapter 3
Cybersecurity Enterprise Risk Management
1. Introduction
2. Value Creation
3. Strategic Cyber Risk Management
4. Convergence between ERM & Cybersecurity
5. The ERM Framework and Process
5.1. Structure and Elements
5.2. Role of Management
5.3. Enterprise Information Security Policy
5.4. Budgets
5.5. Cybersecurity Risk Culture
5.6. Performance Measurement
6. Scope of Strategic Cyber Risk Control in an ERM Program
7. ERM Organizational Structure & Management Process
7.1. Strategic Risk Management (SRM)
7.2. Operational Risk Management
Conclusion
Chapter 4
Standards and Regulations
1. Introduction
2. Regulatory Risk Management
3. Cybersecurity Standards and Frameworks
4. Cybersecurity Strategic ERM Standards
4.1. ISO 31000
4.2. COSO Enterprise Risk Management
5. Cybersecurity Operational Standards
5.1. NIST Cybersecurity Framework
5.1.1. Framework Core
5.1.2. Framework Profile
5.1.3. Framework Implementation Tiers
5.2. ISO 27000 Series
5.2.1. ISO 27000 – Overview and Vocabulary
5.2.2. ISO 27001:2005 – Requirements
5.2.3. ISO 27002 – Code of Practice
5.2.4. ISO 27003 – Implementation Guide
5.2.5. ISO 27005 – Risk Management
5.3. Control Objectives for Information and Related Technology (COBIT 5)
5.4. General Data Protection Regulation (GDPR)
5.5. Basel III
Conclusion
Chapter 5
Cyber Risk Identification
1. Introduction
2. Risk Identification
3. Identifying Cyber Threats
4. NIST/CSF – Identify Function
5. Risk Identification, Threats, and CIA Triad
5.1. Confidentiality
5.2. Integrity
5.3. Availability
6. Risk Identification Tools and Techniques
6.1. SWOT Analysis (Strengths, Weaknesses, Opportunities, and Threats)
6.2. Information Gathering Techniques
6.3. Bow-Tie Analysis
6.4. Business Impact Analysis
6.5. Network Diagram and Flowchart
6.6. Document Reviews (Historical Data) & Expert Judgment
6.7. Vulnerability Assessment (“Pen Test”) & Footprinting
7. Risk Register
Conclusion
Chapter 6
Cyber Risk Assessment
1. Introduction
2. Cyber Risk Assessment
3. NIST/CSF – Risk Assessment (Identify Function)
4. Qualitative Risk Assessment
4.1. Heat Map
4.2. Risk Data Quality Assessment (RDQA)
5. Quantitative Risk Assessment
5.1. Expected Monetary Value Analysis (EMV)
5.1.1. Steps to Calculate Expected Monetary Value (EMV)
5.2. Monte Carlo Analysis (Simulation Technique)
5.3. Decision Tree
5.4. VaR
5.5. Business Impact Analysis (BIA)
6. Risk Mapping
Conclusion
Chapter 7
Cyber Risk Mitigation
1. Introduction
2. Mitigating Risk
3. Four Ts’ Mitigation Techniques
3.1. Transferring Risk
3.2. Treating Risk
3.3. Tolerating Risk
3.4. Terminating Risk
4. NIST/CSF – Protect Function
5. Cybersecurity Insurance
6. Hedging Cyber Risk
7. Cybersecurity Mitigation Tools & Techniques
8. Network Protection Techniques
8.1. Perimeter Network
8.2. Firewalls
8.3. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
8.4. Access Control
9. Emerging Cybersecurity Technologies
9.1. Cloud Computing
9.2. Artificial Intelligence
9.3. Blockchain
9.4. Big Data
Conclusion
Chapter 8
Cyber Risk Monitoring, Detection and Reporting
1. Introduction
2. Monitoring, Detection, and Reporting Risk
2.1. Monitor Risk
2.2. Detect Risk
2.3. Report Risk
2.3.1. Internal Reporting
2.3.2. External Reporting
3. NIST/CSF – Detect Function
Conclusion
Chapter 9
Cyber Attack Response and Recovery
1. Introduction
2. Cybersecurity Crisis Management Plan
3. NIST/CSF – Respond & Recover Functions
3.1. Respond Function
3.2. Recover Function
4. Pre-Crisis
5. Crisis Response
5.1. Incident Response Plan
5.2. Incident Response Team
5.3. Security Operations Center & Incident Response Platform
5.4. Testing the IRP
5.5. Managing the Crisis
5.5.1. Managing the Crisis
5.5.2. Managing the Business
5.5.3. Managing the Fallout
6. Post-Crisis
6.1. Impact Analysis
6.2. Incident Report
Conclusion
Chapter 10
Strategic Cybersecurity Risk Management
1. Introduction
2. A Holistic & Strategic ERM
3. Vision, Goals, and Objectives
4. Leadership and Governance
5. Risk Culture & Tolerance
6. Risk-Based Approach
7. A Strategic CRM Using NIST/CSF
7.1. Framework Core
7.1.1. Asset Management
7.1.2. Business Environment
7.1.3. Governance
7.1.4. Risk Management Strategy
7.1.5. Supply Chain Cyber Risk Management
7.2. Framework Profile
7.3. Framework Tiers
Conclusion
References
About the Authors
Index