March 28, 2016 | 00:59:56

Need for an Effective Cyber-Security Risk Management Framework

Risk Group Founder Jayshree Pandya, Ph.D., discusses “Need For An Effective Cyber-Security Risk Management Framework” with Mark Bernard, Author of the NIST Cyber-Security Foundation, Canada.

Introduction

The rapid advances in cyberspace are bringing complex, chaotic, and challenging times for each nation: its government, industries, organizations and academia (NGIOA) in cyberspace, geospace and space (CGS). As cyberspace becomes deeply embedded across each component of a nation, that is, its government, industries, organizations and academia, its crowded interconnections within and across NGIOA in CGS are catching nations off guard. These interconnections and interdependencies raise an important question: whether our current risk management framework, tools, technologies and processes are effective in managing the security risks within and across nations' geographical boundaries in cyberspace, geospace and space.

How can we visualize and understand the complexity of cyberspace and its interconnections? In simple terms, cyberspace can be visualized as a neural network of a human brain that runs through all the components of a nation, enabling them to connect, communicate, collaborate and function. Each connection, with its interconnectedness and interdependencies within and across the CGS network, brings its own security challenges. Managing the security risks of this complex digital neural network is vital for each NGIOA. The independent and interdependent cyberspace, geospace and space bring each NGIOA-I risks, and risks are inevitable. So what are these risks, and how do we identify, understand, evaluate and manage them?

Defining Cyber-Security Risk

How should we define risk in the context of cyberspace and cyber-security? In the context of cyberspace, cyber-security risks are those risks that arise from the potential of losing the value of the current as well as strategic entities, events and relationships.
* It could range from current and strategic industries, businesses, technology, information and communication and so on.
* It is a measure of the extent to which an entity within any NGIOA is threatened by the potential changes of and due to cyberspace, and is typically a function of:
  * the adverse impact that would arise from the loss of confidentiality, security, stability, safety, necessity, value or availability of the current entities, events and relationships of any component of an NGIOA in CGS,
  * and the likelihood of the potential adverse impact to the current and strategic operations of the respective NGIOA in CGS.

Defining “Security”

Risk Group defines security as “the state of entities across NGIOA in Cyberspace, Geospace or Space—being free from danger or threat of Cyberspace”.

For much of human history, the concept of security has largely revolved around the use of force and territorial integrity. That definition is no longer accurate in cyberspace and the digital global age. It’s no longer accurate because … to a large extent, nations no longer face, as they have so often in their past, a conventional threat of attack on their geographical territory by a hostile power. But they are more vulnerable to many other kinds of attacks in cyberspace and this rapidly emerging digital global age, as nations are moving towards one of the most open societies, in a world that is more connected than ever before, without the necessary security framework and infrastructure.

“Security” is the state of being protected or safe from harm, and the things that are done to make people, places, industries or a nation feel safe. While there is a fine line between Security, Stability and Safety, the emergence of the digital global age has resulted in evolution of the definition and model of Securi...

No transcript available.