Cyber Strategy Management – 1D. Review threat landscape (1/5)

Cybersecurity Strategy Management Framework

This article is part of the Cybersecurity Strategy Management Framework. The work on it is currently in progress. You can read more about the framework in this article.

Purpose

The constantly evolving threat landscape makes it impractical for organizations to invest equally in all cybersecurity areas. The purpose of reviewing the threat landscape is to pinpoint the most significant risks to the organization and prioritize protection measures accordingly.

Objectives

Identify key risk themes
Develop a strategic overview of the biggest threats with the potential to impact your mission-critical assets.
Prioritize cybersecurity domains
Prioritize cybersecurity domains according to your threat landscape to ensure efficient resource allocation. Focus on areas that yield the most value.

Inputs

Business landscape
Summary of the business environment in which the company operates and its business model, including customer segments, products and services, sales, distribution and communication channels. Developed as part of the “1b. Review internal factors” activity.
Technology landscape
Summary of the IT operating model and IT architecture, with an overview of the key technologies used by the company and its critical infrastructure components. Developed as part of the “1b. Review internal factors” activity.
Security landscape
An outline of the security landscape featuring the organizational structure, operating model, and the key frameworks in use.
Business and technology objectives
List of business and technology objectives, their prioritization, supporting initiatives and a definition of common interests. Developed as part of the “1b. Review internal factors” activity.
External factors
List of the market, technology, cyber and regulatory trends affecting your organization and cyber strategy, their impact and cyber implications. Developed as part of the “1c. Review external factors” activity.

Choose your approach

Several methodologies for identifying and managing information security risks exist, the most popular of which include ISO/IEC 27005:2022 Information security, cybersecurity and privacy protection – Guidance on managing information security risks (ISO 27005), NIST SP 800-30 Rev 1 Guide for Conducting Risk Assessments (NIST SP 800-30), Information Security Forum Information Risk Assessment Methodology 2 (IRAM2), and Factor Analysis of Information Risk (FAIR).

These frameworks can assist in conducting structured risk assessments. However, an efficient evaluation of the organizational threat landscape requires some adjustments. A threat landscape review on an organizational level significantly differs from a risk assessment of a single business process or a selected system:

Purpose. The threat landscape review provides input into the strategy development process — the results of the assessment aid in prioritizing security domains, which contain groups of organization-wide controls.

Organizational applicability. Generally, a threat landscape assessment encompasses the entire organization across multiple business lines. However, for larger or more complex organizations, the focus may sometimes be on a single division or service provider.

Timeframe. Cyber strategy development involves considering risks that will remain relevant for an extended timeframe, including emerging risks. For more on the timeframes applicable to cyber strategies, refer to the “Effective Timeframes for Cybersecurity Strategy” article. 

Architecture and technology. The threat landscape assessment considers the broad array of technologies deployed throughout your organization. Therefore, the evaluation should focus on general threats to most systems and shared infrastructure. Conducting an exhaustive risk analysis for every business process, information asset, and supporting asset might not be practical.

Simplicity. Developing a cybersecurity strategy requires efficient and swift identification of key threats to your organization. You should be able to summarize these threats in a single slide for your main presentation, followed by a few more detailed slides in your attachments section.

These various factors necessitate adopting a more general and flexible approach rather than rigid adherence to the selected framework. Therefore, the methodology proposed in this article rests on the following assumptions and constraints:

Framework alignment. This approach integrates key phases and concepts from the ISO 27005, IRAM2, and NIST SP 800-30 frameworks. However, it applies them selectively in cybersecurity strategy development, not strictly following these frameworks.

Organizational scope. The proposed process covers the assessment of the entire organization. It relies on simplification and aggregation so that the organizational threat landscape can be defined quickly.

Control strength assessment. The steps outlined here focus on inherent risk evaluation, which does not consider implemented controls. The Orientation phase, which appears later in the Cybersecurity Strategy Management Framework, will assess the maturity of your security domains. Only after that is it possible to conduct a residual risk assessment.

Analytical approach. The framework advocates an asset-oriented analysis: identifying crucial assets helps in determining the threat events relevant to your organization. For speed and simplicity, we recommend a qualitative assessment.

Approximation. Limitations related to available data on threat source attributes, threat probability or historical data about threat events may necessitate approximation at different stages.

Given these constraints, the process proves beneficial for prioritizing cybersecurity areas during cybersecurity strategy development. However, it may not suit other use cases, especially risk assessments at the business process or information system level.

Prepare for assessment

The initial preparation for the threat landscape assessment will help you to conduct it efficiently. It includes the activities specified below.

Define the scope

Identify what your threat landscape assessment will cover regarding the organizational structure, time frame supported and technology considerations. The scope of the evaluation should be the same as the scope of your cybersecurity strategy.

Identify information sources

Identify the information sources you can use to enumerate threat sources and threat events, rate their likelihood and impact, and calculate the final risk.

Internal information sources may include standardized lists of threat sources, threat events, risk taxonomy and historical data about past incidents or attempted cyber attacks.

External information sources may consist of market reports providing insights about threat sources and threat events relevant to selected industries, past incidents or emerging threats. You may find the following resources helpful:

Verizon Business Data Breach Investigations Report. This annual report includes the analysis of known data breaches – incidents that resulted in confirmed disclosure of confidential data. It presents insights on threat actors, threat events, techniques used, types of information assets and supporting assets impacted. Additionally, the authors present the statistics related to data breaches in selected industries. 

ISF Threat Horizon. The report focuses on emerging threats. The report’s authors analyze political, environmental, legal, technological, social and economic trends and their risk implications for the foreseeable future. The report helps you understand future threats to your information assets, assess their impact and build a cybersecurity strategy that addresses them. If your organization is a member of the Information Security Forum (ISF), you can register on the ISF website using your corporate email address to access this report and other ISF resources.

Gartner Emerging Risk Report. It is a quarterly report that provides a prioritized view of emerging risks. It does not focus on cybersecurity but includes the technological risk category, which covers the risks that might be relevant to cyber. If your organization has access to Gartner, you can use your corporate email to register and access this report on the Gartner website. 

Trend Micro Future Threat Report. The report results from a study that surveys IT security decision-makers about their thoughts on cyber risks. It provides insights into adversarial threat sources, techniques they use and notable vulnerabilities. 

IBM X-Force Threat Intelligence Index. This annual report focuses on trends and attack patterns analyzed from the data from detection devices, incident response engagements, domain tracking and others. It identifies the top threat sources, attack types, infection vectors, and industry trends and provides supporting statistics. 

Trellix Threat Report. Trellix analyzes the data on threat sources, targeted industries, attack vectors and techniques. The company produces reports based on data from its threat detection products and open-source intelligence around threats.

Akamai State of the Internet. The company provides multiple reports covering threats targeting specific industries and supporting statistics. 

Additional resources. Consulting companies, solution vendors and other companies or organizations provide many other sources of information you can use for your threat landscape development.

A review of these data sources will help you understand threat sources and events and obtain statistics to support your conclusions on their likelihood in your industry where your internal data is limited.

Identify risk model

The risk model outlines how to assess your assets’ value, significance, the impact and likelihood of threats, and the criticality of the risk. Often, this model depends on a chosen risk management framework and needs customization to fit your organization. For the cyber threat landscape, employ the established model to maintain consistent risk communication with your stakeholders. While this article provides examples, ensure you adapt them to your specific framework.

Identify crown jewels

The process of conducting a threat landscape review begins with the identification of your organizational crown jewels. These are assets whose compromise could have a significant impact on your business. The detailed procedure for identifying them is documented in part 2 of this article – “1D. Review threat landscape (2/5)”.

Assess threat sources

Threat sources are anything that can cause harm to your information assets. Understanding the potential threat sources to your organization is vital. A comprehensive list of these sources, together with an assessment of their probability and strength, allows you to prioritize risks. The approach for this is detailed in Part 3 of this article – “1D. Review threat landscape (3/5)”.

Assess threat events

A threat event is an event or situation initiated by a threat source, which may lead to undesirable consequences for your information assets. Understanding cybersecurity risks requires a detailed assessment of potential threat events, their sources, origin and affected assets. The steps for identifying these threat events are detailed in Part 4 of this article – “1D. Review threat landscape (4/5)”.

Estimate the inherent likelihood

The process of assessing inherent likelihood revolves around gauging how frequently a specific threat source could initiate a threat event against your organization, irrespective of risk mitigation measures. The frequency estimate is based on threat source characteristics, historical data and market reports. The approach is explained in Part 5 of this article – “1D. Review threat landscape (5/5)”.

Estimate the inherent impact

From the likelihood, we shift to “Inherent Impact” – the potential consequences of a successful threat event, without considering mitigation controls. The assessment involves analyzing potential effects on assets and identifying key ones at risk. The procedure is outlined in Part 5 of this article – “1D. Review threat landscape (5/5)”.

Calculate inherent risks

Upon understanding inherent impacts, we proceed to calculate inherent risks. These guide us toward the most significant cybersecurity areas, enabling a prioritized listing of threat events by combining likelihood and impact. The method for this calculation will be described in Part 5 of this article – “1D. Review threat landscape (5/5)”.

Summarize the threat landscape

Effectively summarizing the threat landscape involves outlining the top ten risks in comprehensible language for stakeholders. The approach for creating this summary will be detailed in Part 5 of this article – “1D. Review threat landscape (5/5)”.
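As an added illustration of the steps above (not part of the framework's own material), the following Python script models a small inherent-risk register: each threat event links a threat source to a crown jewel and to the security domains whose controls address it, inherent risk is the product of qualitative likelihood and impact ratings, and the results feed both the top-N risk summary and the domain prioritization described under Objectives. The 1–5 scales, the criticality bands, the domain names and all ratings are constructed assumptions, not values from the article or from any published risk model.

```python
from dataclasses import dataclass

# Assumed qualitative model: 1-5 likelihood and impact scales, product mapped
# to four criticality bands. Replace with your own risk model (see "Identify
# risk model"); these values are illustrative, not the framework's.
CRITICALITY_BANDS = [(1, 4, "Low"), (5, 9, "Medium"), (10, 16, "High"), (17, 25, "Critical")]

@dataclass
class ThreatEvent:
    name: str
    threat_source: str   # who or what initiates the event
    crown_jewel: str     # affected asset identified in the crown-jewels step
    domains: list        # security domains whose controls would address it
    likelihood: int      # inherent likelihood, 1 (rare) .. 5 (almost certain)
    impact: int          # inherent impact, 1 (negligible) .. 5 (severe)

def inherent_risk(event):
    """Inherent risk score: likelihood x impact, no credit for existing controls."""
    if not (1 <= event.likelihood <= 5 and 1 <= event.impact <= 5):
        raise ValueError("likelihood and impact must be rated on the 1-5 scale")
    return event.likelihood * event.impact

def criticality(score):
    for low, high, label in CRITICALITY_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside the 1-25 range")

def rank_events(events, top_n=10):
    """Threat events ordered by inherent risk (ties broken by name), top N only."""
    return sorted(events, key=lambda e: (-inherent_risk(e), e.name))[:top_n]

def prioritize_domains(events):
    """Sum inherent risk per security domain to see where controls yield most value."""
    totals = {}
    for e in events:
        for d in e.domains:
            totals[d] = totals.get(d, 0) + inherent_risk(e)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed sample register; names and ratings are made up for the example.
SAMPLE_EVENTS = [
    ThreatEvent("Ransomware on shared file services", "Organized crime", "Customer records",
                ["Endpoint security", "Backup and recovery"], 4, 5),
    ThreatEvent("Phishing leading to account takeover", "Organized crime", "Identity platform",
                ["Identity and access", "Security awareness"], 5, 3),
    ThreatEvent("Misconfigured cloud storage exposure", "Accidental (staff)", "Customer records",
                ["Cloud security", "Data protection"], 3, 4),
    ThreatEvent("Insider data theft", "Malicious insider", "Product designs",
                ["Identity and access", "Data protection"], 2, 4),
    ThreatEvent("DDoS on public web services", "Hacktivist", "Online sales channel",
                ["Network security"], 3, 2),
]

def summarize(events=SAMPLE_EVENTS, top_n=10):
    """One line per risk, ordered by criticality, for the single summary slide."""
    return [f"{criticality(inherent_risk(e)):8} {inherent_risk(e):>2}  {e.name} "
            f"({e.threat_source} -> {e.crown_jewel})" for e in rank_events(events, top_n)]
```

Running `summarize()` and `prioritize_domains(SAMPLE_EVENTS)` gives the top-risk list and the domain ranking; the domain totals show why the same event can raise the priority of several domains at once.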

Outputs

Threat landscape summary
Summary of prioritized organizational threat landscape presenting key risks, their description, criticality rating and most important attributes.