‘Cyber Risk Intelligence’ for Total Security

Thursday, May 2, 2013 @ 03:05 PM gHale

Organizations need to deploy risk-intelligence governance to secure digital communications and resources from eavesdropping, theft or attack, according to a newly published paper.

Against the backdrop of technology experts’ and policymakers’ elusive battle to find a remedy for the ongoing onslaught of cyber threats and vulnerabilities, there needs to be “cyber risk intelligence,” a general framework for understanding the varied phenomena that impact an organization’s capacity to secure its cyber infrastructure, said Christopher Bronk, a fellow in information technology policy at Rice University’s Baker Institute for Public Policy, in his paper entitled “Risk-Intelligent Governance in the Age of Cyberthreats.”

“In the geopolitical context of cyber incidents and conflict, perhaps the most important questions revolve around ‘Why?’” Bronk said. “In cyber defense activities, the typical mindset has been one in which risks are identified and mitigated based on known vulnerabilities and threats. Where organizations often fall short is in pulling together all the different inputs in understanding their vulnerabilities.”

Bronk proposes a holistic identification and mitigation model that considers cyber security in the broader scope of an organization.

“Considering what bad outcomes might occur in the cyber arena needs inputs not just from the IT space but the broader space of operation,” he said. “We suggest three general flows of information in determining an organizational frame for cyber risk intelligence: One that encompasses the awareness of the IT enterprise and its apparent health; a second that brings internal business activities into view; and a third that encompasses broader geopolitical and economic forces. These three areas can be combined into a common operating picture for cyber risk awareness.”

For organizations to become cyber risk intelligent, they must move beyond seeing cyber security as the province of organizational IT, Bronk said. They must also understand and evaluate how they end up exposed to competition or harm, and join industrywide efforts that identify key security concerns and meet them with a collaborative response.

Bronk draws comparisons to more visible security threats in making the case for the importance of cyber risk intelligence.

“Since the Sept. 11, 2001, attacks, two air travelers have tried to blow up airplanes and been thwarted by fellow passengers and flight crew because there is a clear understanding of what is at stake,” he said.

“People aboard airliners now understand that successful hijacking may mean death. Threats in cyberspace are not so clear and so great, in terms of life and limb. The case is clear that the world’s organizations depend on IT to function. The question for preserving cyberspace is how those organizations pool their attentions and resources to preserve a vibrant and functioning cyberspace that may be used to enhance human endeavor,” Bronk said. “Without adequately studying new and even unorthodox approaches to security, we may eventually lament the loss of the cyber connected world we once enjoyed.”
