As infosec professionals, we are constantly hearing the phrase “risk-based approach” when looking at our options for ways to mitigate vulnerabilities and reduce our exposure to business disruption, whether that is by cyberattacks or natural disasters. It occurred to me recently to wonder what is not a risk-based approach? The first example that comes to mind is a hype-based approach, where you go after exposures based on how much vendor hype is allocated to a risk or vulnerability. There are certainly examples of this in our industry and it’s not my intent to talk about them right now. I do, however, want to pull on the idea that we need to have an unshakeable focus on real risk when thinking about cybersecurity.
The Dimensions of Cyberspace
In my work teaching cybersecurity and creating courses on threat intelligence and cybersecurity analytics at NYU over the last few years, I have developed an analysis that casts the discussion of cyber risk management as having three dimensions:
- Physical – the core infrastructure of hardware and software
- Informational – the content or data, both at rest and in transit
- Cognitive – the values, beliefs, intentions and perceptions of individuals and groups
I collapse virtual and physical into just the physical dimension because at the end of the day, all virtual systems run as software on some physical system somewhere, so there is no need to maintain that as a separate dimension. It is useful to point out that the informational dimension is where cyber personas reside: digital representations of individuals or other entities that use cyberspace and have one or more identities that can be identified, attributed and acted upon. But it is my firm belief that it is the cognitive dimension which does not receive enough attention and discussion. Furthermore, I have come to believe that executive cognitive risk is one of the areas where we need to work most urgently. Good governance of cybersecurity risk requires the top of the org chart to better understand the nature of cybersecurity risks and their effective mitigations. NIST has added “Govern” as a sixth Function to the Cybersecurity Framework v2.0 with good reason, as it informs and directs the efforts in the other five Functions (Identify, Protect, Detect, Respond and Recover).
Increasingly, board members are being asked to think like chief risk officers, whether they have the skills and experience or not. Incidents such as the SolarWinds and Kaseya supply chain attacks, the mass exploitation of Microsoft Exchange via ProxyLogon, the Storm-0558 token-forgery intrusion into Microsoft cloud email and the Okta breaches illustrate that all senior executives can expect to be increasingly held accountable. The SEC enforcement action against SolarWinds and its CISO is just the beginning of what promises to be a long line of regulatory actions and litigation.
What Is Cognitive Risk?
This cognitive dimension of cyberspace provides the societal, cultural, religious, and historical contexts that influence the perceptions of those producing content and those consuming it. Governments, criminals, activists, and hackers all think, perceive, visualize, understand, and decide within this dimension. Cognitive risk has many components such as the infamous “too big to fail” in the financial services industry, or a bias towards prevention in compliance frameworks and controls that leaves precious little budget for detection and response capabilities once a breach occurs.
Among the many characteristics of cognitive risk is confirmation bias, which is especially important in board governance environments where most directors are not subject matter experts on cybersecurity. Confirmation bias is a phenomenon whereby we actively seek out and assign more weight to evidence that confirms our hypothesis and ignore evidence that could refute our hypothesis. One such belief is thinking that our company won’t be breached or compromised. By now we should all have heard the mantra that compromise is not a matter of if, but rather just a matter of when. We should not speak about breach likelihood but rather breach cadence. Some companies seem to be compromised every six months, whereas others are only being successfully attacked and breached every five years or so.
Understanding cyber risk is a relatively new ask of executive management and boards of directors. A seat has been made at the proverbial table for the CISO and infosec professionals, but few board members are able to understand the crazy “moon language” of CVEs (Common Vulnerabilities and Exposures), CVSS (Common Vulnerability Scoring System) scores, IOCs (Indicators of Compromise) and TTPs (Tactics, Techniques and Procedures). In many cases, board members are simply not even asking the right questions about failure and risk. How can boards provide effective challenge to their security programs if they don’t yet comprehend the fundamentals of cybersecurity? How can we empower board members to question a hype-based approach to risk management (and not fall victim to it themselves)?
Any discussion of cognitive risk also must entail discussing systemic risk. Systemic risk is an emergent property of complex systems. It is not rooted in any one component of these systems that comprise our digital economy, but rather in the density of connections and dependencies between all of the “nodes” in the network. One of the major elements of cybersecurity risk management is to be aware of and to design trustworthy and resilient systems with an eye towards addressing systemic risk. A deep dive into the nature and properties of systemic risk is beyond the scope of this article. I will leave that for a subsequent post.
Together, cognitive risk and systemic risk in the boardroom can exacerbate the consequences of an unforeseen event. In February of 2021, Texas nearly dropped off the grid due to a severe winter storm. Texans came within minutes of a cascading failure and collapse of the entire electrical grid, which would have required a “black start” (rebuilding the grid from a total blackout, a process that can take weeks) and, for all practical purposes, a return to the Stone Age. Shortly after the storm, several board members of ERCOT (the Electric Reliability Council of Texas), including the chair, resigned. This is an example of both cognitive risk (the board had discussed the approaching storm for only 40 seconds at its meeting before the storm) and systemic risk (rolling blackouts were invoked to shed load on the system, which in turn took even more generation offline, because some of that generation and its fuel supply depended on the very power being shed).
Complex systems behave in ways that surprise us and the operators of the systems. This is the very definition of systemic risk, an emergent property of our increasingly interdependent critical infrastructure. Without continuous monitoring of these systems, our awareness of systems failure and breaches is significantly hampered. How we help make our ecosystem of vendors and service providers more resilient is the real challenge that must be met. Modern governance of cybersecurity risk sits squarely at the heart of that path forward.
Let’s Do Something About It!
In the world of incident response, there is a term called “tactical restraint” which speaks to the instinct of defenders to want to take action immediately and “do something.” But more than once, it has proven to be a detriment to the successful investigation of a cybersecurity incident to act hastily and without a plan.
Traditional warfare is constrained by the natural features of the physical environment, which can be used to one’s advantage or disadvantage. There are no such natural features in cyberspace; in fact, it is constantly changing, adapting and transforming. In kinetic warfare, a combatant delivers ordnance to a location at a particular time. Boom! In cyber warfare, entities create the capability to deliver “an effect” at a particular point in time against a particular set of digital assets (denial of service attacks or malware infections are good examples). This is a much more “silent boom.” The combination of the two is what analysts and experts are terming “hybrid warfare” or “cyber-kinetic warfare.”
Cyber-kinetic risk management brings some new questions to boards of directors:
- Do you have the capability or an established method to calculate the potential financial impacts of a breach or cybersecurity incident? Do you use this information to prioritize and plan your risk mitigation accordingly?
- How resilient is your organization to the loss or severe disruption of critical service providers?
- What is your current “too big to fail” scenario? If you haven’t already, can you plan a tabletop exercise with your team to explore your response and options?
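As an added example, not code from the original article, here is one simple way to put numbers behind both the “breach cadence” framing above and the first board question about calculating financial impact. It uses a FAIR-style model (breach frequency as a Poisson process, loss per event as a lognormal distribution) driven by a Monte Carlo simulation; the scenario numbers and all function names are constructed for illustration.

```python
import math
import random


def probability_of_breach(cadence_years, horizon_years):
    """Probability of at least one breach within the horizon, treating a
    cadence of one breach every N years as a Poisson rate of 1/N per year."""
    rate = 1.0 / cadence_years
    return 1.0 - math.exp(-rate * horizon_years)


def analytic_ale(events_per_year, median_loss, sigma):
    """Annualized loss expectancy = event frequency x mean loss per event.
    For a lognormal loss with the given median and log-std sigma, the mean
    is median * exp(sigma^2 / 2), which is well above the median."""
    mean_loss = median_loss * math.exp(sigma ** 2 / 2.0)
    return events_per_year * mean_loss


def poisson_sample(rng, lam):
    """Knuth's method for Poisson sampling; adequate for small rates."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(events_per_year, median_loss, sigma,
                           trials=20000, seed=7):
    """One trial = one simulated year: draw the number of incidents, then a
    lognormal loss for each, and sum them. Seeded for reproducibility."""
    rng = random.Random(seed)
    mu = math.log(median_loss)
    losses = []
    for _ in range(trials):
        n_events = poisson_sample(rng, events_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def percentile(values, pct):
    """Nearest-rank percentile of a list of values."""
    ordered = sorted(values)
    index = max(0, math.ceil(pct / 100.0 * len(ordered)) - 1)
    return ordered[index]


def loss_summary(events_per_year, median_loss, sigma, trials=20000, seed=7):
    """Figures a board can actually discuss: expected annual loss, the
    median year, the tail (p95/p99), and how often a year shows no loss."""
    losses = simulate_annual_losses(events_per_year, median_loss, sigma,
                                    trials, seed)
    return {
        "mean": sum(losses) / len(losses),
        "p50": percentile(losses, 50),
        "p95": percentile(losses, 95),
        "p99": percentile(losses, 99),
        "zero_loss_years": sum(1 for x in losses if x == 0) / len(losses),
    }


if __name__ == "__main__":
    # Constructed scenario (not from the article): one material incident every
    # two years on average, median loss $2M, log-std 1.0 (heavy right tail).
    print(f"P(breach in 1 yr, cadence 5 yrs):  {probability_of_breach(5, 1):.1%}")
    print(f"P(breach in 3 yrs, cadence 5 yrs): {probability_of_breach(5, 3):.1%}")
    print(f"Analytic ALE: ${analytic_ale(0.5, 2_000_000, 1.0):,.0f}")
    for name, value in loss_summary(0.5, 2_000_000, 1.0).items():
        print(f"{name:>16}: {value:,.2f}" if name != "zero_loss_years"
              else f"{name:>16}: {value:.1%}")
```

Run it as a script to see the full table. The instructive part is the gap between the median year and the tail: at a cadence of one incident every two years, roughly 60% of simulated years show zero loss, so the median annual loss is zero, while the mean is about $1.6M and the 95th percentile is several times that. A board anchored on “it hasn’t happened to us” is looking at the median year; the budget conversation needs to be about the mean and the tail.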
Companies that effectively manage their entire portfolio of risks, including cyber, do better in the marketplace. Regulators around the world are demanding scenario planning incorporating “severe but plausible” events with significant impact across a wide range of risk domains, including cyber risk. We must find ways to empower the effective stewardship of cybersecurity risk and that most definitely includes addressing cognitive risk in the boardroom. The resilience of our increasingly digital economy depends on a more holistic approach to risk management across enterprises both large and small.