Cyber Strategy Management – 1D. Review threat landscape (2/5)

Cybersecurity Strategy Management Framework

This article is part of the Cybersecurity Strategy Management Framework. The work on it is currently in progress. You can read more about the framework in this article.

Purpose

The constantly evolving threat landscape makes it impractical for organizations to invest equally in all cybersecurity areas. The purpose of reviewing the threat landscape is to pinpoint the most significant risks to the organization and prioritize protection measures accordingly.

Objectives

Identify key risk themes
Develop a strategic overview of the biggest threats with the potential to impact your mission-critical assets.
Prioritize cybersecurity domains
Prioritize cybersecurity domains according to your threat landscape to ensure efficient resource allocation. Focus on areas that yield the most value.

Inputs

Business landscape
Summary of the business environment in which the company operates and its business model, including customer segments, products and services, sales, distribution and communication channels. Developed as part of “1b. Review internal factors” activity.
Technology landscape
Summary of IT operating model, IT architecture, an overview of key technologies used by the company and critical infrastructure components. Developed as part of “1b. Review internal factors” activity.
Security landscape
An outline of the security landscape featuring the organizational structure, operating model, and the key frameworks in use.
Business and technology objectives
List of business and technology objectives, their prioritization, supporting initiatives and definition of common interests. Developed as part of “1b. Review internal factors” activity.
External factors
List of the market, technology, cyber and regulatory trends affecting your organization and cyber strategy, their impact and cyber implications. Developed as part of “1c. Review external factors” activity.

Choose your approach

The first step in a threat landscape review is choosing a practical risk management approach. By adjusting traditional risk assessment methods, you can perform a broader, strategic-level evaluation that prioritizes security areas and guides strategic planning, as detailed in part 1 of this article, “1D. Review threat landscape (1/5)”.

Prepare for assessment

When preparing for a threat landscape assessment, it is crucial to align the scope with your cybersecurity strategy and to identify the relevant internal and external threat sources. Adequate preparation is the foundation for a robust threat landscape review, as outlined in part 1 of this article, “1D. Review threat landscape (1/5)”.

Identify crown jewels

Your threat landscape assessment begins by identifying the organization’s assets that require protection from potential threats. However, a strategic-level review of all assets is neither feasible nor efficient, because of the time and effort it would take. Instead, focus on the crown jewels.

Crown jewels refer to your mission-critical information assets, distinguished by their value and potential impact if compromised. Depending on your industry and business model, these could include strategic plans, client data, proprietary source code, research results, product formulas, or trade secrets. Compromising these assets could severely affect your company’s competitive advantage, revenue streams, and reputation or lead to serious regulatory actions.

Focusing on the crown jewels lets you identify your organization’s most significant cybersecurity risks. Risk is a function of the likelihood of a threat event and its impact, and the largest impacts arise when the most vital assets are affected, so the crown jewels anchor the highest risks.

If you already have an inventory of your crown jewels, use it for your threat landscape assessment. If not, follow the steps below to create one.

Identify potential crown jewels

ISO 27005 identifies two types of assets: primary (business processes and information) and supporting (hardware, software, network, personnel, site, and organizational structure). IRAM2 distinguishes between business information assets and technology information assets. Both approaches can yield similar results.

To identify potential crown jewels, follow these steps:

Create the Assets table. Create a table that will hold the essential information about your information assets, one row per asset. Use the column names from the example tables in this article so the later steps can refer to them:

ID and Title of the information asset.
Description: a short description of the information asset.
Classification of the information asset.
Key Processes: the critical business processes that rely on the information asset.
Supporting Assets used to process the information.
Impact – Confidentiality: business impact in case of a confidentiality breach.
Impact – Integrity: business impact in case of an integrity breach.
Impact – Availability: business impact in case of an availability breach.
Asset Impact: the overall business impact.
Asset Value: the value of the asset for the organization.
Asset Criticality: the overall criticality of the asset.

Identify business processes. Identify your mission-critical business processes. Review your business model, Business Impact Assessment results, and available process documentation, or interview relevant stakeholders.

Identify information assets. For each identified process, identify the information assets that support its execution. Look at process inputs and outputs. Use additional sources that may define mission-critical information assets, such as process documentation, Business Impact Assessment results or the information classification policy. List each information asset only once for simplicity. Fill in the ID, Title, Description, Classification, and Key Processes columns.

Identify supporting assets. For each information asset, identify supporting assets on which it relies. Examine the information lifecycle and determine where and how the information is collected, transmitted, processed, stored, and destroyed. Focus on core assets or groups of supporting assets. Consider the following types:

Applications: business applications used at all stages of the information lifecycle, hosted internally or in the cloud.
Infrastructure supporting the applications: application and database servers, including operating systems, storage systems and networks.
Equipment used to access and process information, such as server hardware, workstations, laptops, mobile devices, storage devices and media.
Sites: buildings, data centers and offices where information is processed or stored, or where devices and infrastructure components are hosted.
People: key stakeholders who create, use or process the information, including business owners, users, developers and operations staff.
Organization: business lines, functions, project organizations, suppliers and partners that require access to or process the information.

Aggregate where possible. The goal is to identify potential crown jewels and understand the threats that may impact them rather than create a detailed inventory. Therefore, the level of granularity should be relatively low. When considering supporting assets like physical devices, infrastructure, people, or organization, operating in terms of asset groups or categories is more reasonable than single assets.

| ID | Title | Description | Classification | Key Processes | Supporting Assets |
|---|---|---|---|---|---|
| A001 | Business strategy | Details of the business strategy. | Strictly Confidential | Strategy management | Network shares, Laptops, Storage backups, Data center |
| A002 | Sales pipeline | Sales pipeline including information about prospects, clients, proposed services, their value and status in the sales process. | Confidential | Sales | Salesforce (SaaS), Cloud provider, Laptops, Network shares, Storage backups |
| A003 | New service documentation | Information related to the new service, including value proposition, business model, strategy, platform architecture and solution blueprints. | Strictly Confidential | Product management | Network shares, Laptops, Storage backups, Data center |
| A004 | Client data | Personally identifiable information of our clients. | Confidential | Marketing, Sales, Client onboarding, Customer service | Client portal (web), Mobile applications (Android, iOS), API, 60 web servers in AKS cluster, Database as a Service (DBaaS), Cloud service provider, Sales team, Customer service team |
| A005 | Platform code | Software code of our web and mobile applications, including client profiling and recommendation algorithms. | Confidential | Software development, Platform management | Web servers (production, test, development), GitHub, CI/CD tools (including code scanning platform) |
| A006 | Authentication data | All user and employee passwords, certificates and other authentication data used to obtain access to applications and supporting infrastructure. | Confidential | Access management | Active Directory, Azure Active Directory, Azure Key Vaults, CyberArk |
| A007 | Vendor contracts | Contracts with our vendors. | Confidential | Sourcing, Third party management | Third party management system, Database cluster, Network shares, Backup storage, Email, Laptops, Sourcing team |
| A008 | Employee data | Personally identifiable data of our employees or contractors. | Confidential | HR management | HR platform, Database cluster, Data center, Network shares, Backup storage, Email, Laptops, HR team, Payroll provider |

Assess business value

For each potential crown jewel, assess its value for the business. The ISO 27005 standard outlines various asset valuation approaches, but the Information Security Forum (ISF) offers a more straightforward method in its “Protecting the Crown Jewels – Implementation Guide” report.

ISF suggests analyzing the extent to which each asset supports your business in categories such as Financial, Operational, Legal and Regulatory Compliance, Reputational, and Health and Safety. Depending on your business model, decide which categories fit your organization best. For example, I have often used the Financial, Customer, Regulatory and Reputational categories.

For each of these, you can define a set of questions to assess the asset value in each category, such as:

  • Financial: To what extent does the asset support the business revenue?
  • Customer: To what extent does the asset support the customer journey?
  • Regulatory: To what extent does the asset support our regulatory compliance?
  • Reputational: To what extent does the asset support our brand identity?

After answering these questions, assign an asset value rating for each category using a preferred rating scale. For threat landscape assessment, consider using a simple qualitative scale (e.g., 1 – Very Low, 2 – Low, 3 – Medium, 4 – High, 5 – Very High). Quantitative approaches may be too time-consuming for this task.

| ID | Title | Value - Financial | Value - Customer | Value - Regulatory | Value - Reputational | Asset Value |
|---|---|---|---|---|---|---|
| A001 | Business strategy | 5 - Very High | 4 - High | 2 - Low | 2 - Low | 5 - Very High |

The highest category rating usually dictates the overall asset value, although some frameworks propose a different aggregation. Record this overall rating in the Asset Value column of your Assets table. Granular per-category ratings are not necessary for cybersecurity strategy development, so you do not need to keep them in the table.

Upon completing this activity, each information asset in your Assets table should have an asset value rating.

Assess business impact

Next, evaluate the business impact level for each potential crown jewel if a compromise occurs, focusing on confidentiality, integrity, and availability. You do not have to consider the threats causing the impact at this stage, as you will evaluate them later. Similarly, focus on the inherent risk impact, leaving out the mitigating controls for now.

Use a qualitative rating scale for the impact rating. Apply the same assessment categories as in the value assessment, but shift your perspective: instead of gauging how important the asset is to your organization, examine the consequences if a risk to it materializes.

Many organizations use a risk impact matrix that outlines the impact across predefined categories at various levels. Here is a partial example to illustrate the concept:

| Impact Rating | Impact - Financial | Impact - Customer | Impact - Reputational |
|---|---|---|---|
| 5 - Very High | Impact on financial performance above 10m USD | Adverse impact on more than 35% of the clients | High likelihood of widespread and long-term adverse coverage in national and international media, endangering the brand reputation |
| 4 - High | Impact on financial performance between 1m and 10m USD | Adverse impact on 20% to 35% of the clients | High likelihood of adverse coverage in national and international media |
| 3 - Medium | Impact on financial performance between 50k and 1m USD | Adverse impact on 5% to 20% of the clients | High likelihood of single coverage in national media |
| 2 - Low | Impact on financial performance between 10k and 50k USD | Adverse impact on less than 5% of the clients | High likelihood of single coverage in the local media |
| 1 - Very Low | Impact on financial performance below 10k USD | Below the Low threshold | Below the Low threshold |

Agree on an impact rating for each category on the selected scale, ideally assessed separately for the three information security attributes: confidentiality, integrity and availability. Record these ratings in your Assets table under the Impact – Confidentiality, Impact – Integrity and Impact – Availability columns. Then enter the highest of the three in the Asset Impact column as the overall impact rating.

Your Assets table should now include an impact rating for each information asset, which you can use later in the process.

| ID | Title | Impact - Confidentiality | Impact - Integrity | Impact - Availability | Asset Impact |
|---|---|---|---|---|---|
| A001 | Business strategy | 4 - High | 4 - High | 2 - Low | 4 - High |
| A002 | Sales pipeline | 4 - High | 3 - Medium | 3 - Medium | 4 - High |
| A003 | New service documentation | 4 - High | 4 - High | 3 - Medium | 4 - High |
| A004 | Client data | 5 - Very High | 4 - High | 5 - Very High | 5 - Very High |
| A005 | Platform code | 5 - Very High | 4 - High | 3 - Medium | 5 - Very High |
| A006 | Authentication data | 5 - Very High | 5 - Very High | 5 - Very High | 5 - Very High |
| A007 | Vendor contracts | 4 - High | 4 - High | 3 - Medium | 4 - High |
| A008 | Employee data | 4 - High | 4 - High | 3 - Medium | 4 - High |

Select crown jewels

To select the crown jewels, use a simple matrix that plots each asset’s value rating against its impact rating and assigns a criticality rating to each cell.

Assets in the top-right section of the matrix, with both high value and high impact, typically represent your crown jewels. In the example they receive a “5 – Very High” (VH) criticality rating.

This activity should yield a list of your assets, highlighting the crown jewels and providing supporting information.

| ID | Title | Asset Value | Asset Impact | Asset Criticality |
|---|---|---|---|---|
| A001 | Business strategy | 5 - Very High | 4 - High | 5 - Very High |
| A002 | Sales pipeline | 4 - High | 4 - High | 5 - Very High |
| A003 | New service documentation | 4 - High | 4 - High | 5 - Very High |
| A004 | Client data | 4 - High | 5 - Very High | 5 - Very High |
| A005 | Platform code | 5 - Very High | 5 - Very High | 5 - Very High |
| A006 | Authentication data | 4 - High | 5 - Very High | 5 - Very High |
| A007 | Vendor contracts | 3 - Medium | 4 - High | 4 - High |
| A008 | Employee data | 3 - Medium | 4 - High | 4 - High |
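The three steps above (value rating, impact rating, criticality) are easy to get subtly wrong in a spreadsheet: a missing availability rating silently lowers the overall impact, or a typo outside the 1–5 scale goes unnoticed. The following is an added example, not code from the original article or from ISF, that encodes the procedure as a small Python model over the sample assets A001–A008. The scale, the “highest rating wins” aggregation for Asset Value and Asset Impact, and the selection of “5 – Very High” assets as crown jewels follow the text. Two things are assumptions: the value-by-impact criticality matrix (CRITICALITY_MATRIX) is a hypothetical one chosen to reproduce the article’s example results, since the article’s matrix figure is not reproduced on this page, and the per-category value ratings of A002–A008 are constructed (the article gives the category breakdown only for A001).

```python
"""Added example: crown-jewel selection from an assets register.

Follows the article's procedure; the criticality matrix and the
per-category value ratings of A002-A008 are assumptions (see comments).
"""
from dataclasses import dataclass

SCALE = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}
ATTRIBUTES = ("Confidentiality", "Integrity", "Availability")

# ASSUMED matrix: CRITICALITY_MATRIX[asset_value][asset_impact] -> criticality.
# Top-right cells (value >= 4 and impact >= 4) are 5 - Very High, which matches
# the article's A001-A006; (value 3, impact 4) is 4 - High, matching A007/A008.
CRITICALITY_MATRIX = {
    5: {1: 3, 2: 3, 3: 4, 4: 5, 5: 5},
    4: {1: 2, 2: 3, 3: 4, 4: 5, 5: 5},
    3: {1: 2, 2: 2, 3: 3, 4: 4, 5: 4},
    2: {1: 1, 2: 2, 3: 2, 4: 3, 5: 4},
    1: {1: 1, 2: 1, 3: 2, 4: 2, 5: 3},
}


def label(rating: int) -> str:
    """Render a rating the way the article's tables do, e.g. '5 - Very High'."""
    return f"{rating} - {SCALE[rating]}"


def _checked(name, ratings, required=None):
    """Reject incomplete or off-scale ratings instead of silently defaulting;
    a missing Availability rating would otherwise understate Asset Impact."""
    if required is not None and set(ratings) != set(required):
        raise ValueError(f"{name}: expected ratings for {required}, got {tuple(ratings)}")
    if not ratings:
        raise ValueError(f"{name}: at least one category rating is required")
    for category, rating in ratings.items():
        if rating not in SCALE:
            raise ValueError(f"{name}: {category} rating {rating!r} is not on the 1..5 scale")
    return ratings


@dataclass(frozen=True)
class Asset:
    asset_id: str
    title: str
    value_ratings: dict    # business-value rating per category (1..5)
    impact_ratings: dict   # inherent impact rating per C/I/A attribute (1..5)

    def __post_init__(self):
        _checked(self.asset_id, self.value_ratings)
        _checked(self.asset_id, self.impact_ratings, ATTRIBUTES)

    @property
    def asset_value(self) -> int:
        return max(self.value_ratings.values())   # highest category rating wins

    @property
    def asset_impact(self) -> int:
        return max(self.impact_ratings.values())  # highest of C/I/A wins

    @property
    def asset_criticality(self) -> int:
        return CRITICALITY_MATRIX[self.asset_value][self.asset_impact]


def cia(c: int, i: int, a: int) -> dict:
    return dict(zip(ATTRIBUTES, (c, i, a)))


# Sample register. C/I/A impacts and overall Asset Value are the article's;
# the category breakdown is the article's for A001 and CONSTRUCTED for the rest.
ASSETS = [
    Asset("A001", "Business strategy", {"Financial": 5, "Customer": 4, "Regulatory": 2, "Reputational": 2}, cia(4, 4, 2)),
    Asset("A002", "Sales pipeline", {"Financial": 4, "Customer": 3, "Regulatory": 1, "Reputational": 2}, cia(4, 3, 3)),
    Asset("A003", "New service documentation", {"Financial": 4, "Customer": 3, "Regulatory": 1, "Reputational": 3}, cia(4, 4, 3)),
    Asset("A004", "Client data", {"Financial": 3, "Customer": 4, "Regulatory": 4, "Reputational": 4}, cia(5, 4, 5)),
    Asset("A005", "Platform code", {"Financial": 5, "Customer": 5, "Regulatory": 2, "Reputational": 3}, cia(5, 4, 3)),
    Asset("A006", "Authentication data", {"Financial": 3, "Customer": 3, "Regulatory": 4, "Reputational": 4}, cia(5, 5, 5)),
    Asset("A007", "Vendor contracts", {"Financial": 3, "Customer": 1, "Regulatory": 2, "Reputational": 2}, cia(4, 4, 3)),
    Asset("A008", "Employee data", {"Financial": 2, "Customer": 1, "Regulatory": 3, "Reputational": 3}, cia(4, 4, 3)),
]


def register(assets):
    """Rows of the Assets table as the article's 'Select crown jewels' table shows them."""
    return [{"ID": a.asset_id, "Title": a.title, "Asset Value": label(a.asset_value),
             "Asset Impact": label(a.asset_impact), "Asset Criticality": label(a.asset_criticality)}
            for a in assets]


def ranked(assets):
    """Asset IDs ordered by criticality, then impact, then value; ties keep register order."""
    return [a.asset_id for a in
            sorted(assets, key=lambda a: (-a.asset_criticality, -a.asset_impact, -a.asset_value))]


def crown_jewels(assets, threshold: int = 5):
    """IDs of assets at or above the criticality threshold (5 - Very High by default)."""
    return [a.asset_id for a in assets if a.asset_criticality >= threshold]


if __name__ == "__main__":
    for row in register(ASSETS):
        print(" | ".join(row.values()))
    print("Crown jewels:", ", ".join(crown_jewels(ASSETS)))
```

The validation in `_checked` is the part worth keeping when you move this into a real register: the aggregation is a plain maximum, so an asset whose availability rating was never entered drops out of the crown jewels without anyone noticing, and an entry such as “45” typed for “4” would silently push it in. Swap `CRITICALITY_MATRIX` for your own matrix once you have agreed it with stakeholders; everything else stays the same.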

For a more in-depth exploration of identifying and securing organizational crown jewels, you might want to read the “Protecting the Crown Jewels – How to Secure Mission-Critical Information Assets” and “Protecting the Crown Jewels – Implementation Guide” reports, both published by the Information Security Forum.

Assess threat sources

Threat sources are anything that can cause harm to your information assets. Understanding which threat sources are relevant to your organization is vital: listing them comprehensively and assessing their likelihood and capability is what allows you to prioritize risks. The approach is detailed in part 3 of this article, “1D. Review threat landscape (3/5)”.

Assess threat events

A threat event is an event or situation initiated by a threat source that may lead to undesirable consequences for your information assets. Understanding cybersecurity risks requires a detailed assessment of potential threat events, their sources, their origin and the assets they affect. The steps for identifying threat events are detailed in part 4 of this article, “1D. Review threat landscape (4/5)”.

Estimate the inherent likelihood

Assessing inherent likelihood means gauging how frequently a specific threat source could initiate a threat event against your organization, irrespective of any risk mitigation measures. The estimate is based on the threat source’s characteristics, historical data and market reports. The approach is explained in part 5 of this article, “1D. Review threat landscape (5/5)”.

Estimate the inherent impact

From the likelihood, we shift to the inherent impact: the potential consequences of a successful threat event, without considering mitigating controls. The assessment involves analyzing the potential effects on assets and identifying the key assets at risk. The procedure is outlined in part 5 of this article, “1D. Review threat landscape (5/5)”.

Calculate inherent risks

Upon understanding inherent impacts, we proceed to calculate inherent risks. These guide us toward the most significant cybersecurity areas, enabling a prioritized listing of threat events by combining likelihood and impact. The method for this calculation will be described in Part 5 of this article – “1D. Review threat landscape (5/5)“.

Summarize the threat landscape

Effectively summarizing the threat landscape involves outlining the top ten risks in comprehensible language for stakeholders. The approach for creating this summary will be detailed in Part 5 of this article – “1D. Review threat landscape (5/5)“.

Outputs

Threat landscape summary
Summary of prioritized organizational threat landscape presenting key risks, their description, criticality rating and most important attributes.