Entries Tagged as 'Risk'

A Taxonomy for Managing Operational Cybersecurity Risk

OCTAVE , Risk No Comments »

By James Cebula
Senior Member of the Technical Staff
SEI CERT Division

This blog post was also co-authored by Lisa Young.

James CebulaOrganizations are continually fending off cyberattacks in one form or another. The  2014 Verizon Data Breach Investigations Report, which included contributions from SEI researchers, tagged 2013 as "the year of the retailer breach." According to the report, 2013 also witnessed “a transition from geopolitical attacks to large-scale attacks on payment card systems.” To illustrate the trend, the report outlines a 12-month chronology of attacks, including a January “watering hole” attack on the Council on Foreign Relations website followed in February by targeted cyber-espionage attacks against The New York Times and The Wall Street Journal. The well-documented Target breach brought 2013 to a close with the theft of more than 40 million debit and credit card numbers. This blog post highlights a recent research effort to create a taxonomy that provides organizations a common language and set of terminology they can use to discuss, document, and mitigate operational cybersecurity risks.

Read more...

Understanding How Network Security Professionals Perceive Risk

CERT , Risk 1 Comment »

By James Cebula
Senior Member of the Technical Staff
CERT Division
James Cebula

Risk inherent in any military, government, or industry network system cannot be completely eliminated, but it can be reduced by implementing certain network controls. These controls include administrative, management, technical, or legal methods.  Decisions about what controls to implement often rely on computed-risk models that mathematically calculate the amount of risk inherent in a given network configuration. These computed-risk models, however, may not calculate risk levels that human decision makers actually perceive. These decision makers include the network team (e.g., those people who work to implement the controls to ensure the network is secure), the information assurance (IA) officer, and authorizing officials. For example, these models may be missing immeasurable risk factors (e.g., adversarial sophistication or the value to an adversary of data stored on the network) that decision makers perceive as high risk. This blog post describes the problem of how network security professionals perceive risk in more depth, as well as the SEI’s research efforts to study what risk factors influence perceptions of network risk and how risk perceptions are formulated. 

Read more...