How to align cyber risk management with business needs

We live in an advanced digital society, in which technological developments are evolving rapidly – with powerful networks, increasing interconnectedness, and highly automated concepts such as e-health, smart cities, and the Fourth Industrial Revolution playing increasingly prominent roles.

This rise of such technologies means that cybersecurity is an extremely important and growing precondition for a successfully functioning society.

Our new digital reality requires business leaders to adequately assess and govern cyber risk and executive decision-makers are needed, to have a strong understanding of cyber risk concepts and issues in order to take effective action.

However, both the dynamic nature of cyber risk and exponential growth in cyber attacks can introduce challenges in decision-making.

To that end, the World Economic Forum and its partners, in collaboration with the National Association of Corporate Directors (NACD), Internet Security Alliance (ISA) and PwC, have published six Principles for Board Governance of Cyber Risk to enable organizations to better manage and understand how to navigate cyber risk-related strategic and operational choices.

A key principle in this guidance is that boards of directors must “align cyber risk management with business needs” across every facet of decision-making, including innovation, mergers and acquisitions, product development and more.

Leaders routinely face difficult decisions in managing cyber risk, as exposure to cyber risk may threaten reputation, customer trust and competitive positioning, and possibly result in fines and lawsuits.

In this context, leaders must cope simultaneously with shifting organizational priorities, changing budgets, technologies and employee headcounts as well as evolving adversary tactics and emerging security events, among other things.

This complexity as a whole is referred to as the dynamic nature of cyber risk.

However, executive decision-makers are often overwhelmed by the complexity and pressure to act when dealing with cyber risk issues and in such situations, the risk of security blind spots exist.

Scientific research indicates that 56% of experienced security specialists and managers take suboptimal decisions and these sub-optimal decisions may yield up to a 200% higher cost base.

Many approaches are available to support business leaders and executives in their role to define and implement a sustainable cybersecurity and cyber resilience strategy.

Examples include periodic risk assessments using industry recognized frameworks – such as NIST Cybersecurity framework, C2M2 and ISO 27001 – or execution of cyber event simulations and exercises.

Risk assessment is the process of identifying cyber risk and evaluating the consequences of these risks when they happen.

Cyber event simulations and exercises are techniques that mimics cyber attacks in a controlled manner. Often, they appear as tabletop exercises or approved predefined attacks against the defender’s infrastructure.

Although these activities are helpful in establishing a baseline for cyber risk management, the dynamic nature of cyber risk is not captured. They can be best described as a one-dimensional approach, resulting in decision-makers frequently underestimating risk.

In their most advanced form, these activities can capture the near real-time situation, while business leaders and executives also have a need to see what the future outcome of their intended decisions.

Therefore, forecasting decision support systems for cyber risk management are needed. These systems require dealing with multi-dimensional dynamic problems, such as dynamic nature of cyber risk, and nonlinear variables, like the exponential increase in cyber attacks, so that they can represent the organizations that are managed.

MIT CAMS has developed a cyber risk dashboard that provides the means to establish forward-looking projections on multiple critical performance indicators relevant to an organization’s cybersecurity strategy because there was a lack of solutions that captures the dynamic nature of cyber risk.

The MIT CAMS dashboard accounts for the dynamic nature of cyber risk as it is supported by scientifically-grounded computational modelling. The simulation is based on control theory and uses stocks and flows determined by differentially equations to represent the actions of people, process and technology in an organization.

It considers the dynamic effects as well as the interdependency of various security efforts, enabling strategic and effective cyber risk management decision-making.

The dashboard focuses on a highly innovative approach that enables leaders to simulate the impact of their decisions before making large investments. It exists to determine what areas organizations want to optimize when it comes to prioritization.

An anonymized exploratory case study leveraging the CAMS dashboard was conducted at a Fortune-500 company called Smart Wealth Management Inc.

As part of the case study, common managerial challenges such as resource allocation and budget prioritization were selected as levers to analyze their impact on cyber risk management decisions and the broader cybersecurity strategy.

This was done as the CAMS dashboard mimics a real-life decision-making environment in a safe and isolated testing, or sandbox, environment. This provides leaders the means to explore and experiment with a wide range of strategic decisions without true cyber impact on the organization.

An important lesson from the case study was that poor cyber risk management decisions can impact and cripple the entire organization. Effective interventions need to consider the interconnectedness of decisions and the interactions between different mechanisms and departments prevalent in the organization.

Another important lesson from the case study was that traditional approaches can be augmented by the CAMS dashboard.

In our case study, we used Smart Wealth Management’s existing cyber risk reports and assessments to populate the model parameters for simulation and analysis.

This approach has sustainable advantages for executives as they can:

Ongoing exponential growth in cyber attacks presses executive decision-makers more to stay ahead of the curve.

Reacting after the fact can be very costly and increase needs for regulatory ex-post evaluation and sanctioning. We see and understand that cyber risk is dynamic in nature, and now we must act on it.

Through exploratory and interactive technology solutions, leaders can develop better foresight to manage economic aspects of cyber risk and alignment to business needs.

The CAMS dashboard is leading example of this direction.

This work was co-funded by ”Fondo Europeo di Sviluppo Regionale Puglia POR Puglia 2014 – 2020 – Asse I – Obiettivo specifico 1a – Azione 1.1 (RS) - Titolo Progetto: Suite prodotti Cybersecurity e SOC” and BV TECH S.p.A.
This work is co-funded by Cybersecurity at MIT Sloan (CAMS)