Cyber-Security Risk Management Framework (RG CSRM 2015)

RISK GROUP CYBER-SECURITY RISK MANAGEMENT FRAMEWORK (CSRM)

ABSTRACT

The Security-Centric, Cyber-Security Risk Management (CSRM) framework expands on both the Internal Control Framework as well as the Enterprise Risk Management Framework and proposes an effective Integrated NGIOA (nations: its governments, industries, organizations and academia) Risk Management framework to manage the changing nature of Security* risks in Cyberspace-Geospace and Space (CGS).

Jayshree Pandya

EXECUTIVE SUMMARY

RG CSRM 2015 Copyright Risk Group LLC All Rights Reserved

Cyber-Security Risk Management Framework (CSRM)

INTRODUCTION

The connected computers and the digital global age have brought complex, chaotic, and turbulent times for every nation: its government, industries, organizations and academia (NGIOA), where failures at all levels have become self-evident, repetitive and destructive in both their nature and their uncertainty. NGIOAs are caught off guard.

When NGIOAs seem to be in visible crisis, what is the adequate amount of independent and interdependent Cyber-Security risk that should be accepted by any entity within an NGIOA? This is probably one of the most important questions decision-makers across NGIOA face today.

In 2012, Risk Group proposed Integrated NGIOA Risk guidelines to help nations identify, evaluate, understand and manage the interconnected and interdependent risks facing their NGIOA. The proposed guidelines have come far from being ignored. They are now being acknowledged, discussed, debated and articulated to be incorporated to better manage the current and emerging risks facing NGIOA in Cyberspace, while simultaneously providing a foundation that brings integrity, transparency, predictability, integration, security and scalability to the discipline of Risk Management itself.

Over the years, there has been heightened concern and focus on the lack of effectiveness in the current approach to risk management, due to critical threats brought on by rapidly changing global fundamentals and the inability of risk management programs to predict critical risks at all levels. It became increasingly clear that the approach to risk management needed re-evaluation. Moreover, when the computer code, the connected computers and the ecosystem that make up Cyberspace began to bring complex challenges to everyone and everything, from Geospace to Space, the need for a new way of identifying, evaluating and managing risks became even more clear and urgent. This tectonic shift in the nature of risks brought on by Cyberspace is creating complex challenges for every NGIOA. As computer code and connected computers blur the line between Geospace, Cyberspace and Space, it needs to be understood that the current approach to risk management cannot give any entity within any NGIOA the ability to manage risks effectively while bringing security and sustainability to its initiatives: managing Cyberspace and Cyber-Security risks requires not only the integration of Cyberspace with Geospace and Space (CGS) but also a fine balance of cooperation and collaboration between, within and across NGIOA, and from their people, processes, proficiency, and prudence.

These challenges prompted Risk Group to define and propose a robust Cyber-Security Risk Management (CSRM) framework that would effectively identify, evaluate, and manage not only Cyberspace and Cyber-Security risks but integrated CGS risks. This framework could be readily used by each and every entity within any NGIOA, at all levels, to evaluate and improve their independent and interdependent Cyber-Security risk management capabilities.

The period from the guideline proposal to the Cyber-Security Risk Management framework has been marked by a series of high-profile Cyber-Security breaches and other global, national, local and industrial crises, scandals and failures in which nations, their governments, investors, businesses, individuals and other stakeholders, individually and collectively, suffered tremendous losses in many forms. In the aftermath of each crisis, there were calls for enhanced and effective governance, management and risk management capabilities, with effective institutions, structures, systems, frameworks, governance models, laws, regulations, and standards. The need for a Cyber-Security risk management framework that would provide a new definition of security, a new approach to security, key security risk principles and concepts, a common security risk language, and clear security direction and guidance with the ability to integrate security risks in cyberspace, geospace and space became even more compelling at all levels across nations.

Risk Group believes that the proposed Cyber-Security Risk Management Framework (CSRM) fills this need, and Risk Group hopes that it will bring effectiveness to the discipline of Risk Management and provide NGIOA an effective way to manage its complex security risks in CGS.

THE RISK MANAGEMENT FRAMEWORK

Internal Control Framework

An Internal Control Framework is defined by many as a process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and strict compliance with laws, regulations and policies. While this still continues to serve as the broadly accepted standard for satisfying regulatory reporting requirements, requiring an entity's management to certify and the independent auditor to attest to the effectiveness of those systems, it clearly lacks the ability to identify and manage the critical security risks facing NGIOA today in CGS.

Enterprise Risk Management Framework

ERM, according to the Casualty Actuarial Society, is a widely popular approach to managing enterprise risks in which an entity in any industry assesses, controls, exploits, finances and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders. While the ERM framework supposedly expands on the internal control framework, it does provide a more comprehensive focus on the broader issue of Risk Management. While the ERM framework has gained popularity:

- It lacks the ability to anticipate global, national or industry crises
- It lacks a framework to assure comprehensive Integrated Risk Management
- Its approach is largely reactive
- It widely promotes transfer of risk and insurance of risk over prevention or management of risk, thereby creating bigger, more complex and more catastrophic risks
- It focuses on a narrow definition of an "enterprise"
- It focuses on a narrow "risk" perspective
- It focuses on a narrow and old definition of security and lacks the ability to address the changing nature and fundamentals of "security"

Cyber-Security Risk Management Framework

The Cyber-Security Risk Management (CSRM) framework expands on both the Internal Control Framework and the Enterprise Risk Management Framework and provides an effective Security-Centric Risk Management framework that gives each and every NGIOA:

- A forward-looking way to identify and manage independent and interdependent risks
- Integrity, neutrality and a collective approach to managing risks
- A non-partisan, neutral and objective focus on managing global, national and local risks

In addition, it also:

- Reverses the focus from transferring risks to preventing risks
- Embeds strategic risks as a vital part of the risk management framework
- Changes the approach to an enterprise and makes it more inclusive of today's global reality
- Connects cyberspace risks to geospace and space risks (CGS)
- Integrates governments' risks with industries', organizations' and academia's risks to give a comprehensive overview of nations' risks (NGIOA)
- Integrates nations' risks to give a comprehensive view of global risks
- Provides and promotes a proactive approach to managing risks
- Promotes prevention and management of risks over transfer of risks
- Addresses the changing nature and definition of security and provides a security-centric risk management framework ability and capability

While the goal of the security-centric CSRM is to bring effectiveness to the field of Risk Management itself in a digital global age, Risk Group recognizes the slow pace of change historically observed across nations in acknowledging the need for change, accepting the change and implementing the change itself.


When the most critical challenge for decision-makers at all levels across NGIOA is determining how much risk they are prepared to take for their initiatives as they strive to survive, sustain and create value in cyberspace, this proposed security-centric CSRM Framework will better enable them to meet these complex challenges. The implementation of a security-centric CSRM framework will support and improve independent and interdependent risk awareness at every level of NGIOA, from strategic to operative, from cyberspace to geospace and from management to employees.

The proposed security-centric CSRM framework provides an integrated risk management approach that addresses the global shifts of the digital global age, to lay out the much-needed foundation of an integrated NGIOA risk governance framework. This security-centric integrated risk management framework will make a convincing case for the far-reaching need and understanding of integrated security risk concepts, integrated security risk fundamentals, and integrated NGIOA risk governance models. The integrated security-centric CSRM approach proposed and discussed here is rational, practical, scalable and feasible. It will help create a dynamic, vibrant, and sustainable approach to managing cyber-security risks in a digital global age. This initiative is a first step towards that.

Jayshree Pandya
Founder: Cyber-Security Risk Research Center at Risk Group

*Risk Group defines Security as the state of industries and businesses, systems and infrastructure, innovation and technology, governance model and governments, products and services, intellectual property and trade secrets, people and processes, survival and sustainability, education and academia, philanthropy and poverty, research and development, regulations and compliance, robotics and artificial intelligence, information and communication—being free from danger or threat of Cyberspace.


EXECUTIVE SUMMARY

The underlying premise of the security-centric Cyber-Security Risk Management Framework (CSRM) is that, in the interconnected and interdependent digital global age, no entity within any NGIOA can effectively manage its security* risks independently. Even if an entity manages its private security risks independently, the interconnected and interdependent risks facing it will undermine the isolated and independent risk management effort and program, and make the entity vulnerable to catastrophic events.

RELATIONSHIP BETWEEN SECURITY AND NGIOA COMPONENTS

There's no such thing as 'secure' anymore. Security is rapidly becoming a complex challenge for every NGIOA. Cyberspace is fundamentally changing the definition and meaning of security across NGIOA. Incorporate it into Geospace and Space and the complex security challenges hit the roof.


Cyberspace has put nations under strong pressure to change how they define, understand, operate, govern and manage their security risks, so the question is how that can be achieved when:

- Individual security is tied to collective NGIOA security
- External security threats have ties to internal security threats

Security needs to be at the center of each and every discussion within any NGIOA, not only about threat, conflict, defense and war, but also about progress and development! While the formation of individual (an entity within an NGIOA) and collective (NGIOA) security frameworks are becoming inseparably linked in cyberspace, the question arises as to the reasons behind the reluctance to accept the need for structured collaboration. Since any single individual entity is connected to other individual entities within its sector and industry, along with its connections to organizations, academia, other industries and governments at all levels, there is presumably a collective requirement for a cyber-security risk management framework and a cyber-security risk governance authority.

Security is thus a condition of all individuals, organizations, academia, industries and governments (NGIOA-I).

There is also a growing concern that many nations seem to be too weak or too failed to be able to provide their own NGIOA-I with the necessary security in cyberspace. Moreover, most nations with their current governance model are far from being ideal providers of cyber-security.

Technology and Threats are forever intricately linked now—just like People and Processes.

The security concept is currently being subjected to big changes in respect of its aims, capabilities, sources, connectivity and the dimension of threats. In the new era of cyberspace, the security threat has no visible front, borders or armies.

Governments exist to provide value to their citizens, businesses across industries exist to provide value for their stakeholders, organizations exist to provide value to their initiatives and academia exists to provide value to its students. All of them, independently and collectively, face complex security challenges and uncertainties from cyberspace in the digital global age. Amidst that, the challenge for decision-makers across NGIOA is to determine what security risks they face in cyberspace and the rapidly changing digital global economy, independently and collectively, and how much uncertainty they are exposed to and forced to accept as they strive to survive, sustain, grow, develop and advance.

The current uncertainty brought on by cyberspace and the digital global economy presents both security risk and strategic opportunity to each component of NGIOA, with the potential to erode or enhance a nation's value, independently and collectively.

The Cyber-Security Risk Management Framework (CSRM) enables decision makers to deal effectively with cyberspace and digital global economic uncertainty, enhancing the capacity and capability to collectively build value as a nation.

The strategic value of a nation is maximized when NGIOA decision makers collectively set national strategy and objectives, so as to strike an optimal balance between growth and goals, its related risks and rewards, and its security and sustainability, while efficiently and effectively deploying resources in pursuit of independent entity goals tied to collective national objectives.

Cyber-Security Risk Management (CSRM) encompasses first and foremost:

- Integrating cyberspace with geospace and space (CGS)
- Integrating nations: its government, industries, organizations and academia (NGIOA)
- Re-defining security* in cyberspace and understanding its NGIOA integration points.

In addition, the security-centric Cyber-Security Risk Management (CSRM) framework should individually and collectively involve:

- Identifying and Aligning Security-Centric Risk Appetite, Security Risk Planning and Strategy in Cyberspace: The CSRM framework allows any individual entity and its decision makers within and across NGIOA to take into consideration its independent and interdependent security risk appetite in evaluating independent and interdependent strategic alternatives, setting security-risk-informed objectives and goals, and simultaneously developing mechanisms to manage independent and interdependent strategic security risks. (Depending on the nature of the security risk, its industry and relevance, appropriate security risk measures need to be incorporated in the planning process.)

- Identifying and Improving the Security Risk Response Decision Process in Cyberspace: CSRM provides an integrated NGIOA structure for an informed, independent as well as integrated security risk decision process to identify, evaluate and manage the various security risk response choices: from prevention of security risk to risk avoidance, reduction, transfer, sharing, and acceptance. (Depending on the nature of the security risk, a relevant risk response strategy needs to be formulated.)

- Identifying and Reducing Security Surprises and Losses in Cyberspace: CSRM provides NGIOA with an enhanced capability, both individually and collectively, to identify potential catastrophic security events and establish timely responses to reduce their impact and associated costs or losses. (Depending on the nature of the security risk, a structured plan needs to be in place to have relevant risk intelligence to manage security surprises.)

- Identifying and Managing Overall Global, National, Local and Individual NGIOA Security Risks in Cyberspace: Each nation faces a myriad of independent and interdependent security risks affecting different parts of the NGIOA, and CSRM facilitates effective responses to their interrelated, interconnected and interdependent impacts. (Depending on the nature of the security risk, an overall plan needs to be in place to manage it.)

- Identifying and Seizing Strategic Opportunities: By considering a full range of potential security events at all levels (global, national, local, industry and organizational) and individual components of NGIOA, decision makers are better positioned to identify and proactively realize current and strategic opportunities in cyberspace, both individually and collectively. (Understanding cyberspace and its revolutionary transformation potential, understanding the current initiatives within an entity and formulating potential strategic alternatives will guide entities within an NGIOA to seize strategic opportunities in CGS.)

- Identifying and Improving Resource Deployment: CSRM allows nations to obtain collective and independent, current and strategic security risk information that allows NGIOA decision makers to effectively evaluate overall resource needs and enhance capital allocation appropriately. These capabilities inherent in the CSRM framework will help NGIOA decision makers achieve their performance and profitability targets while preventing loss of vital current and strategic resources. (By understanding the nature of strategic opportunities and threats, entities within an NGIOA will need to identify resource needs and make relevant plans.)

CSRM will help ensure effective security risk reporting and compliance with current and potential laws and regulations, to help avoid damage not only to the NGIOA reputation, both independently and collectively, but also its associated consequences.

In summation, the Cyber-Security Risk Management framework (CSRM) will help an NGIOA achieve its independent and collective security goals and objectives in Cyberspace in a Digital Global Economy while avoiding downsides and disbeliefs along the way. It is important that CSRM not be viewed as a static one-time process; rather it must be embedded across NGIOA and dynamically adapted to the changing internal and external CGS environment.

CYBERSPACE EVENTS IN A DIGITAL GLOBAL ECONOMY: ASSOCIATED SECURITY RISKS AND OPPORTUNITIES

Any event in Cyberspace or the Digital Global Economy can have negative security impacts, positive strategic impacts, or both. Cyberspace events in a digital global economy with a negative security impact represent risks, which can prevent value creation in Cyberspace or erode existing value in Geospace, Cyberspace or Space. Cyberspace events in a digital global economy with a positive impact may offset negative security impacts or represent strategic Cyberspace opportunities. Cyberspace opportunities are the possibility that an event will occur in Cyberspace or Geospace that would positively affect the achievement of Cyberspace objectives, supporting value creation or preservation.

NGIOA decision makers can channel opportunities in Cyberspace back to their National Security Strategy, while formulating plans to seize the Digital Global Age opportunities in CGS.

The CSRM framework aims to identify all independent and interdependent potential security events that could affect the achievement of the entity's objectives in CGS. These events can be divided into two categories: Cyberspace events with a positive impact on independent and collective NGIOA objectives, and events with a negative security impact on independent and collective NGIOA objectives. The former represent opportunities, and the latter are security risks. These must be managed with a clear integrated risk management process composed of the following phases:

- Cyber-Security Risk Identification and Analysis
- Cyber-Security Risk Understanding and Profiling
- Cyber-Security Risk Response and Management
- Cyber-Security Risk Control and Integration

The CSRM process must be supported by a sound security foundation in terms of a broad understanding of security, its changing nature, the overall CGS environment, an integrated NGIOA risk philosophy, integrity and ethical values, an integrated risk governance approach, and Cyber-Security competence and responsibilities, together with a collective Cyberspace security objective-setting process that considers the Cyber-Security risk dimension, a dynamic and complete security information flow, and ongoing monitoring of all the CSRM framework components.

Each and every entity should implement the CSRM framework because it will allow them to optimize strategic opportunities in Cyberspace by providing a systematic, integrated, accountable and holistic evaluation and control of Cyber-Security risks.

The CSRM framework deals with security risks and strategic opportunities affecting value creation in Cyberspace and/or preservation of Cyberspace-Geospace-Space value and infrastructure.

CSRM can be defined as an integrated security risk management process realized by the decision makers of an entity within an NGIOA, who independently and collectively identify potential security risk events that may affect any component of an NGIOA or the overall NGIOA, and manage risk both individually and collectively to stay within its security risk appetite boundaries, so as to provide reasonable assurance and confidence regarding the achievement of its current and strategic security objectives in Cyberspace-Geospace and Space (CGS).

The comprehensive CSRM definition reflects certain fundamental security concepts and is in essence:

- An independent but integrated NGIOA security process that is ongoing and flows through any entity and component of NGIOA within, between and across a nation's geographical boundaries.
- Effected by decision makers at every level of an entity within and between a nation: its government, industries, organizations and academia (NGIOA).
- Applied in independent and collective security strategy settings at all levels of an entity within and between an NGIOA.
- Applied within, between and across NGIOA, at every level and unit of an entity, and includes taking an independent and collective view of security risk as a nation, industry, business and organization.
- Designed to identify potential Cybersecurity events that, if they occur, will affect an independent component of an NGIOA or all the components of an NGIOA, and to manage security risk within its independent and collective risk appetite boundaries.
- Able to provide reasonable security assurance to any entity within and between an NGIOA, and its decision makers and stakeholders.
- Geared towards achievement of global, regional, national, local and independent security objectives of any and all components of an NGIOA in one or more separate but overlapping categories.
- Provides an integrated NGIOA structure and format to facilitate incorporation of the changing definition of security by re-defining the approach to security and integrating security of CGS.

This CSRM definition is purposefully broad for the purpose of its scalability and sustainability needs. It captures key changing global security concepts as to how nations: its governments, industries, organizations and academia (NGIOA) should manage their security risks in Cyberspace, while providing a basis for a Cyber-Security Risk Management Framework in a Digital Global Economy. It also focuses directly on achievement of any entity's security objectives in Cyberspace, established independently and collectively by an individual or a group of NGIOA.

CYBER-SECURITY RISK MANAGEMENT OBJECTIVES

Within the context of any entity or component of an NGIOA, the CSRM framework will be geared to achieving the overall security objectives, set forth in the following categories:

- Strategic Security: High-level strategic security goals, aligned with and supporting its Cyberspace mission in a Digital Global Age
- Security Operations: Effective and efficient use of NGIOA resources in Cyberspace
- Security Reporting: Reliability of Cyberspace reporting
- Security Communications: Effective and timely Cyber-Security communication
- Security Compliance: Compliance with applicable Global, National and Local laws and regulations
- Security Approach: Integrated Geospace, Cyberspace and Space approach to Security
- Security Integration: Integration at all NGIOA levels across nations and also in Cyberspace-Geospace and Space (CGS)
- NGIOA Sustainability: NGIOA Sustainability as a key criterion
- Security Scalability: A Cyber-Security Risk Management framework that is scalable at all levels of NGIOA across nations in CGS

The above categorization of CSRM objectives allows a focus on collective as well as individual aspects of any entity within and between NGIOA, and on aspects of overall NGIOA security in Cyberspace, Geospace and Space. Amidst these distinct but overlapping components of an NGIOA across the barriers of virtual territories, a particular Cyberspace objective and its associated risks can fall into more than one component, necessitating a need to address its individual and collective integration points while directing the responsibility of different decision makers at all levels of an entity or an NGIOA. This clear categorization also allows clear distinctions of what can be expected from each component of an entity or an NGIOA in Cyberspace.

SAFEGUARDING OF SECURITY OBJECTIVES AND RESOURCES

Safeguarding of NGIOA Security resources is essential in CGS. Because security objectives in Cyberspace related to the reliability of the current nature of security reporting and the compliance framework with current laws and regulations are within an entity's control, CSRM is expected to provide reasonable assurance of achieving those security objectives. However, it needs to be understood that no effective controls are in place for the changing nature and definition of security across nations. There is a clear need for developing effective security controls for compliance. Achievement of strategic security and operational objectives in Cyberspace is however subject to external NGIOA events in CGS, and not always within the control of an entity. Accordingly, for these security objectives, CSRM can provide reasonable assurance that decision makers in their oversight role are made aware, in a timely manner, of the extent to which an entity is moving toward achievement of its Cyberspace and Cybersecurity objectives.

COMPONENTS OF CYBER-SECURITY RISK MANAGEMENT FRAMEWORK

Just as any structure needs a strong foundation in Geospace, so do the structures in Cyberspace and Space. The internal as well as external NGIOA environment serves as the basis for the security foundation and the key components of the proposed CSRM framework in Cyberspace, Geospace and Space. The internal NGIOA environment reflects the overall cyber-security risk attitude, awareness and actions that have an impact on the individual entity's activities within any component of an NGIOA or the whole NGIOA. It is also important for decision-makers to apply the same rules to the external NGIOA environment across a nation's geographical boundaries, in order to have an understanding of the interconnected and interdependent NGIOA security risks in the CGS environment.

An ongoing Integrated NGIOA Security Risk Management process can be considered the heart of the CSRM framework. Cyber-Security risk identification and assessment are useless if no appropriate security risk responses are implemented and no regular security controls are in place. Cyber-security, strategic security, and the business and operational processes do not work properly without integrated NGIOA security information that flows in, out and across the entity and the NGIOA. The security monitoring component has the same importance as the other components of the CSRM framework, because it will allow the determination of whether everything continues to work effectively in the CGS environment within, between and across NGIOA.

Each of the NGIOA components contributes equally to CSRM in CGS. A weak component can affect the entire CSRM process in the CGS. The interconnectedness, interdependencies and interrelationships of the security-embedded CSRM framework strengthen the role of each single NGIOA component.

The security-centered integrated NGIOA risk management philosophy and the risk appetite contribute to the security objective setting, which in turn allows the identification of security events that could affect them all. Events with positive impact are channeled back to the security objective-setting process, while events that could adversely affect the achievement of strategic objectives are assessed, responses are carried out, and security control activities are performed. The CSRM process will only function effectively if the integrated NGIOA security information flows through all the NGIOA components and ongoing security monitoring is performed.

Internal Security Environment

Cyber-Security Risk Management Philosophy: A clear, security-embedded integrated NGIOA risk management philosophy is the first step in implementing successful CSRM. It defines how an entity should consider security risk in everything it does. The security-centric philosophy should be reflected in oral and written communication from decision makers to employees, in shared beliefs, and in attitudes across an entity and/or the overall NGIOA. The philosophy of security-centric integrated risk management should be reinforced not only with words but, more importantly, with effective collaborative NGIOA actions. The cyber-security risk appetite, the amount of risk the entity is willing to accept in Cyberspace, must be defined in this first step.

Security-Centric Governance and Management: Healthy security-centric governance and management is crucial for an effective CSRM framework in any entity within an NGIOA. Through their actions, the board of directors, executive management, and senior and middle management at all levels heavily influence the security success of an entity within any NGIOA.

CSRM Roles and Responsibility: Clear authorities and security responsibilities should be defined and communicated within an entity of an NGIOA. Clearly defined security competences help to avoid overlapping tasks and to optimize security processes within an entity. Everyone within an entity, in and across NGIOA and within nations' geographical and virtual boundaries, is accountable and responsible within the global, comprehensive structure and framework for CSRM.

CSRM Competence: Employees within any entity should have the security knowledge and skills needed to perform their assigned cyber-security tasks. Human resource management plays an important role in recruiting the right cyber-security people and in identifying the security training needs of all employees.

Integrity and Ethical Values: All employees should adhere to a standard of security behavior that reflects integrity and ethical values, in order to enable a strong security-focused culture.

Security Objective Setting

The following security objective-setting topics have been identified and embedded into basic CSRM elements:

• Cyber-Security Strategy Formulation: Before decision makers formulate the cyber-security strategy, they should conduct a situation analysis to identify not only the entity's security strengths and weaknesses in Geospace and Cyberspace but also the external strategic opportunities and threats in Cyberspace. Decision makers should define a range of possible CGS strategies for which security risks and strategic opportunities are identified. Cyber-security strategy setting must be an ongoing process, requiring continuous reassessment and reformulation.

• Cyber-Security Strategy Implementation: The strategic security objectives should be accompanied by operations, reporting and compliance related security objectives. Those objectives should be measurable and understood by all employees within an entity. The security objectives should be adjusted dynamically and should always support and be aligned with the entity's CGS strategy.

• Cyber-Security Strategy Effectiveness: Decision makers should regularly monitor the achievement of the cyber-security objectives as well as employee commitment to security in CGS. The entity should also compare its results with peers within and across NGIOA in order to identify opportunities for security improvement in CGS.

• A Cyber-Security Strengths, Weaknesses, Opportunities and Threats (CS-SWOT) analysis should be performed in order to identify the Cyberspace security strategy choices. These should focus on maximizing Cyberspace strengths and opportunities and on minimizing cyber-security weaknesses and threats. This process should be performed on an ongoing basis.

Cyber-Security SWOT Analysis

The Cyber-Security SWOT analysis is a matrix in which the internal security strengths and weaknesses are combined with the external Cyberspace opportunities and threats. The CS-SWOT combinations result in the following four types of security strategy:

• Security Strengths - Cyberspace Opportunities Strategy: exploits internal security strengths to take advantage of external opportunities in Cyberspace.

• Security Strengths - Cyber-Security Threats Strategy: uses internal security strengths to reduce the external threats coming from Cyberspace.

• Security Weaknesses - Cyberspace Opportunities Strategy: improves cyber-security weaknesses in order to take advantage of external opportunities in Cyberspace.

• Security Weaknesses - Cyber-Security Threats Strategy: reduces cyber-security weaknesses in order to avoid external Cyberspace threats.

Cyber-Security Event Identification

The following security event identification topics have been identified and translated into basic CSRM elements:

• External Security Factors Driving Cyberspace Events: Each and every entity within an NGIOA should consider and analyze the external security factors driving Cyberspace events that could affect the achievement of current and strategic Cyberspace objectives. The analysis should consider Cyberspace, cyber technologies, cyber-security processes, the cyber-security framework, Cyberspace regulations, Cyberspace competency, geopolitical status, and social and economic factors. The security factor identification process should be performed on an ongoing basis, and at every level of the entity within and across NGIOA.

• Internal Security Factors Driving Cyberspace Events: Any entity within any NGIOA should consider and analyze the internal security factors driving events in Cyberspace that could affect the achievement not only of strategic Cyberspace objectives but also of current Geospace and Cyberspace objectives. The security analysis should consider cyber infrastructure, cyber personnel, cyber processes, cyber technology factors, cyber integration, cyber controls, understanding of security, and more. The cyber-security identification process should be performed on an ongoing basis, and at every level of the entity within an NGIOA.

• Cyber-Security Events Affecting Governance, Business and Strategies: Decision makers should focus on significant and possible cyber-security events that could adversely affect the achievement of Cyberspace objectives. Cyberspace opportunities (positive events) should be channeled back into the Cyberspace objective and strategy setting process, while security risks (negative events) should be assessed and actions taken immediately, independently and/or collectively.

Cyber-Security Risk Assessment

The following cyber-security risk assessment topics have been identified and translated into basic CSRM elements:

• Cyber-Security Event Characteristics: In assessing cyber-security risk, decision makers should consider both immediate impact and strategic impact, as well as expected and unexpected losses.

• Cyber-Security Assessment Metrics: Each and every entity within an NGIOA should assess both the likelihood of a cyber-security breach occurring and the impact of potential cyber-security events that could adversely affect the achievement of Cyberspace objectives in the near term and the long term. The cyber-security risks should be ranked in order to focus first on the most significant risks.

• Cyber-Security Assessment Mode: Decision makers should promote cyber-security practice assessment techniques and a continuous, iterative cyber-security risk management process aligned with the Cyberspace strategy setting process. A composite assessment of cyber-security risks across any entity within an NGIOA should be performed. The quality of the supporting cyber-security data and assumptions should be reviewed continuously.

Cyber-Security Risk Response

The following cyber-security risk response topics have been identified and translated into basic CSRM elements:

• Cyber-Security Risk Mitigation Strategies: Decision makers should identify the appropriate response to each identified cyber-security risk, considering its significance across CGS in terms of likelihood and impact. Risk responses can be chosen according to the nature of the risk, by accepting, reducing, sharing and/or avoiding the cyber-security risk, in order to align it with the Cyberspace risk appetite. Decision makers should develop alternative Cyberspace risk mitigation strategies for each of their Cyberspace and cyber-security risks. A cost versus benefit analysis, for both the short term and the long term, should be the basis for selecting the cyber-security risk response strategy. The selected cyber-security strategy should be accompanied by a risk response implementation plan.

• Cyber-Security Residual Risk: Decision makers should assess the residual cyber-security risk remaining after the responses are fully implemented. The cyber-security residual risk should be aligned with the Cyberspace risk appetite. Decision makers should have a broad portfolio view of cyber-security residual risks by entity level, from an independent entity to business divisions across entities within and across NGIOA.
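The assessment and response steps above (likelihood and impact scoring, ranking by significance, choosing to accept, reduce, share or avoid, cost versus benefit selection, residual risk checked against appetite, and a portfolio view by entity) can be made concrete with a small risk register. The following Python is an added example written for this summary; it is not code from Risk Group or part of the framework itself. The 1-to-5 scoring scales, the product formula for inherent risk, the effectiveness fractions and costs of each response, the appetite threshold and the four sample risks are all constructed assumptions for illustration.

```python
"""Added example: a minimal cyber-security risk register covering assessment,
response selection, residual risk and a portfolio view. All scales, costs and
sample risks below are assumptions, not values from the CSRM framework."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Assumed scoring scales: likelihood and impact are each scored 1 (lowest) to
# 5 (highest); inherent risk is their product and therefore ranges 1..25.
SCALE_MIN, SCALE_MAX = 1, 5


class Response(Enum):
    ACCEPT = "accept"
    REDUCE = "reduce"
    SHARE = "share"
    AVOID = "avoid"


@dataclass(frozen=True)
class ResponseOption:
    """A candidate response: its assumed cost and the fraction of inherent
    risk it removes once fully implemented (0.0 = none, 1.0 = all)."""
    response: Response
    cost: float
    effectiveness: float

    def __post_init__(self) -> None:
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError("effectiveness must be within [0, 1]")
        if self.response is Response.ACCEPT and self.effectiveness != 0.0:
            raise ValueError("accepting a risk does not reduce it")
        if self.response is Response.AVOID and self.effectiveness != 1.0:
            raise ValueError("avoiding a risk removes all of it")


@dataclass
class Risk:
    entity: str           # NGIOA entity that owns the risk (assumed label)
    name: str
    likelihood: int
    impact: int
    selected: Optional[ResponseOption] = None

    def __post_init__(self) -> None:
        for score in (self.likelihood, self.impact):
            if not SCALE_MIN <= score <= SCALE_MAX:
                raise ValueError(f"score {score} outside {SCALE_MIN}..{SCALE_MAX}")

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> float:
        """Risk remaining after the selected response is fully implemented."""
        if self.selected is None:
            return float(self.inherent)
        return self.inherent * (1.0 - self.selected.effectiveness)


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Most significant first: highest inherent risk, ties broken by impact."""
    return sorted(risks, key=lambda r: (r.inherent, r.impact), reverse=True)


def select_response(risk: Risk, appetite: float,
                    options: List[ResponseOption]) -> ResponseOption:
    """Cost-versus-benefit choice: the cheapest option whose residual risk is
    within appetite. If no option achieves that, take the one with the lowest
    residual risk; the caller should treat such a risk as needing escalation."""
    def residual_with(opt: ResponseOption) -> float:
        return risk.inherent * (1.0 - opt.effectiveness)
    affordable = [o for o in options if residual_with(o) <= appetite]
    if affordable:
        chosen = min(affordable, key=lambda o: o.cost)
    else:
        chosen = min(options, key=lambda o: (residual_with(o), o.cost))
    risk.selected = chosen
    return chosen


def portfolio_view(risks: List[Risk]) -> Dict[str, Tuple[float, float]]:
    """Residual risk rolled up per entity and for the whole portfolio ("ALL"):
    entity -> (sum of residual risk, largest single residual risk)."""
    view: Dict[str, Tuple[float, float]] = {}
    for r in risks:
        total, worst = view.get(r.entity, (0.0, 0.0))
        view[r.entity] = (total + r.residual, max(worst, r.residual))
    view["ALL"] = (sum(v[0] for v in view.values()),
                   max((v[1] for v in view.values()), default=0.0))
    return view


def outside_appetite(risks: List[Risk], appetite: float) -> List[Risk]:
    return [r for r in risks if r.residual > appetite]


# Constructed sample register (illustrative values, not from the document).
SAMPLE_RISKS = [
    Risk("agency-A", "unpatched internet-facing VPN appliance", 4, 5),
    Risk("agency-A", "phishing leading to credential theft", 5, 3),
    Risk("university-B", "research data exfiltration", 2, 5),
    Risk("vendor-C", "compromised software update channel", 2, 4),
]
SAMPLE_OPTIONS = {  # constructed response menus, keyed by risk name
    "unpatched internet-facing VPN appliance": [
        ResponseOption(Response.ACCEPT, 0, 0.0),
        ResponseOption(Response.REDUCE, 20_000, 0.8),    # patch + restrict exposure
        ResponseOption(Response.AVOID, 150_000, 1.0)],   # decommission the service
    "phishing leading to credential theft": [
        ResponseOption(Response.ACCEPT, 0, 0.0),
        ResponseOption(Response.REDUCE, 30_000, 0.7),    # MFA + awareness training
        ResponseOption(Response.SHARE, 45_000, 0.5)],    # cyber insurance
    "research data exfiltration": [
        ResponseOption(Response.ACCEPT, 0, 0.0),
        ResponseOption(Response.REDUCE, 10_000, 0.3)],   # only a partial control exists
    "compromised software update channel": [
        ResponseOption(Response.ACCEPT, 0, 0.0),
        ResponseOption(Response.REDUCE, 25_000, 0.7)],   # signed updates + verification
}
APPETITE = 6.0   # assumed: no single residual risk above 6 on the 1..25 scale


def run_register(risks=SAMPLE_RISKS, options=SAMPLE_OPTIONS, appetite=APPETITE):
    for r in rank_risks(risks):
        select_response(r, appetite, options[r.name])
    return rank_risks(risks), portfolio_view(risks), outside_appetite(risks, appetite)


if __name__ == "__main__":
    ranked, view, flagged = run_register()
    for r in ranked:
        print(f"{r.inherent:>3} -> {r.residual:5.1f}  {r.selected.response.value:7}  {r.name}")
    print("portfolio:", view)
    print("outside appetite:", [r.name for r in flagged])
```

Running `run_register()` walks the register in rank order and, for each risk, selects the cheapest response whose residual risk stays within appetite. A risk for which no offered response achieves that (the research-data case in the sample) still receives the best available response, but is returned in the flagged list so that the decision is escalated to the decision makers rather than silently accepted.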

Cyber-Security Control Activities

The following cyber-security control activity topics have been identified and translated into basic CSRM elements:

• Cyber-Security Controls Basis: Each and every entity within an NGIOA should have cyber-security policies and procedures in place and ensure that these are well understood and implemented. The CSRM processes should be documented and should ensure a clear segregation of duties.

• Cyber-Security Controls over Objectives: Each and every entity should establish and execute cyber-security control activities over its basic strategic, operations, reporting and compliance objectives.

• Cyber-Security Controls over Processes: Each and every entity should establish and execute cyber-security control activities over its processes. It has to ensure that risk responses are carried out appropriately and in a timely manner, that risk limits are observed, that prices and models are appropriate, that risk management resources are adequate, and that new products can be managed. The control activities should be reviewed regularly.

• Cyber-Security Controls over Information Processing: Each and every entity should establish and execute cyber-security control activities over its information systems regarding data validity, exceptions management, IT security and availability. The entity should monitor performance indicators on operational or financial data, such as staff turnover rates, transaction volumes and cost trends.

• Cyber-Security Controls over Industries and Businesses: Each and every entity should establish and execute cyber-security control activities regarding emerging industries and businesses that may bring security challenges to existing businesses and industries.

• Cyber-Security Controls over Systems and Infrastructure: Each and every vital system and infrastructure at all levels of NGIOA should have cyber-security control activities in place to ensure its safety and security against activities initiated within Cyberspace.

• Cyber-Security Controls over Innovations and Technology: Each and every entity should establish and execute cyber-security control activities over emerging innovations and technology from within and across NGIOA that could bring security challenges.

• Cyber-Security Controls over Governments and Governance Models: Each and every entity within and across NGIOA should establish cyber-security control activities over governance models from within and across nations' borders that could bring security challenges.

• Cyber-Security Controls over Products and Services: Each and every entity within an NGIOA should establish cyber-security control activities over products and services that could bring security challenges.

• Cyber-Security Controls over Intellectual Property and Trade Secrets: Each and every entity within an NGIOA should establish cyber-security control activities over intellectual property and trade secrets that could bring security challenges.

• Cyber-Security Controls over People and Processes: Each and every entity within an NGIOA should establish cyber-security control activities over key people and processes that could bring security challenges.

• Cyber-Security Controls over Survival and Sustainability: Each and every entity within an NGIOA should establish cyber-security control activities over its survival and sustainability security.

• Cyber-Security Controls over Education and Academia: Each and every entity within an NGIOA should establish cyber-security control activities over education and academia that could bring security challenges.

• Cyber-Security Controls over Philanthropy and Poverty: Each and every entity within an NGIOA should establish cyber-security control activities over philanthropy and poverty that could bring security challenges.

• Cyber-Security Controls over Regulation and Compliance: Each and every entity within an NGIOA should establish cyber-security control activities over regulation and compliance that could bring security challenges.

• Cyber-Security Controls over Robotics and Artificial Intelligence: Each and every entity within an NGIOA should establish cyber-security control activities over robotics and artificial intelligence that could bring security challenges.

• Cyber-Security Controls over Information and Communication: Each and every entity within an NGIOA should establish cyber-security control activities over information and communication that could bring security challenges.

Information and Communication

The following security information and communication topics have been identified and translated into basic CSRM elements:

• Security Information over Current and Strategic Objectives: Each and every entity should verify and ensure on an ongoing basis that relevant cyber-security information on strategic security, operations security, reporting and compliance security objectives is delivered in a timely manner and in a form that enables the entity to carry out its CSRM activities effectively.

• Security Information Quality: Each and every entity should ensure the quality of the security information it provides, in terms of depth, timeliness, availability, accuracy and accessibility.

• Security Information Management: Each and every entity should establish integrated security data management programs that enable its security information systems to provide both internal and external security information. Decision makers should promote integrated security systems in order to facilitate access to security information.

• Security Communication: Each relevant decision maker and stakeholder must be apprised of sensitive information on the cyber-security risks the entity faces in achieving its Cyberspace objectives. Ongoing dialogue, collaboration, communication and coordination between decision makers and stakeholders should be ensured. Each and every entity should communicate with relevant stakeholders, providing levels of security information appropriate to their needs and to regulatory requirements. The entity should establish a security policy that defines the relevant information and coordinates the disclosure process, and, to increase transparency, a disclosure policy that defines and coordinates the security information that is disclosed.

Security Monitoring

The following security monitoring topics have been identified and translated into basic CSRM elements:

• Security Monitoring Activities: Each and every entity should perform ongoing security monitoring activities and regular separate evaluations in order to identify security weaknesses in CSRM.

• Security Monitoring Corrective Actions: The entity should report security deficiencies to those positioned to take the necessary actions, and these should be monitored until remediation is complete. Each identified security element can be assessed along the security maturity-level scale, with an evaluation criterion defined for each level of the scale.

• Ongoing security monitoring activities differ from control activities, because the latter are performed as required steps within processes. The entity should perform periodic separate security evaluations of businesses and processes, establishing an internal security control system. Changes in security processes, strategies, structure and systems should be monitored. The security evaluation process should be based on clear methodologies and be documented.

Security Assessment Tool

By means of the cyber-security risk management maturity-level assessment tool, it is possible to evaluate the elements of the CSRM framework's components: internal security environment, security objective setting in CGS, security event identification, security risk assessment, security risk response, security control activities, security information and communication, and security monitoring.

Cyber-security risks exist because no security risk management framework can be fully effective: since Cyberspace cannot be predicted with certainty, future Cyberspace security events and situations always imply security risk. Even when all security information and resources are available, errors of human judgment can be made in security decision making, and there is always a possibility that even the most improbable security risk event will occur.

CSRM cannot be seen as a static, one-time process; rather it must be embedded in each and every entity within an NGIOA and across NGIOAs, and dynamically adapted to the changing internal and external CGS security environment.

CSRM consists of the following interconnected, interrelated and interdependent key components:

• Overall Global NGIOA Commitment: Global NGIOA commitment is fundamental to managing security risks in Geospace, Cyberspace and Space.

• United National Strategy and Environment: The overall national environment and tone set the foundation for NGIOA cooperation and collaboration in establishing a collective view on national security strategy in CGS.

• Internal NGIOA Environment: The internal NGIOA environment encompasses the tone of an entity and sets the basis for how independent and interdependent security risks are viewed and addressed, and the environment in which they operate.

• Cyberspace Security Goal Setting: Cyberspace security objectives must be defined and agreed upon before decision makers can identify potential security risk events affecting their desired goals. CSRM ensures that the relevant decision makers have a process in place to set Cyberspace security objectives, and that the selected objectives support and align with the entity's independent and collective mission and are consistent with its security risk appetite.

• Cyberspace Security Risk Identification: Internal and external, independent and interdependent security risk events affecting the achievement of an entity's Cyberspace objectives must be identified and evaluated for the security risks and opportunities they present in CGS.

• Cyberspace Security Risk Assessment: Cyberspace security risks are analyzed, considering their likelihood and impact, as a basis for determining how they should be managed, independently and collectively, by NGIOA in CGS.

• Cyberspace Security Risk Response: Decision makers select security risk responses (avoiding, accepting, reducing or sharing risk) in order to develop a set of actions that align security risks with the entity's security risk tolerances and risk appetite.

• Cyberspace Security Control Activities: Security policies and procedures are established and implemented to help ensure that Cyberspace security risk responses are effectively carried out within any entity, within and across NGIOA.

• Cyberspace Security Risk Information and Communication: Relevant Cyberspace security information is identified, captured and communicated in a form and timeframe that enables decision makers to carry out their security responsibilities. Effective security communication also occurs in a broader sense, flowing between, within and across NGIOA.

• Cyberspace Security Risk Monitoring: The entirety of CSRM is monitored, and modifications are made as necessary, through ongoing CSRM activities, separate evaluations, or both. CSRM is a multidirectional and multidimensional security process in which almost any component can and does influence an entity within and across NGIOA.

CSRM EFFECTIVENESS

The implementation of a CSRM framework supports and improves security risk awareness and security risk identification and management at every level of an NGIOA, from the strategic to the operational, and from NGIOA decision makers to employees in Cyberspace, Geospace and Space.

Determining whether CSRM is effective amounts to determining whether the CSRM components are present and functioning effectively within an entity in the CGS environment. The security components are thus also the criteria for effective CSRM. For the CSRM components to be present and functioning properly there can be no structural or functional NGIOA weaknesses, and independent and interdependent security risks need to have been identified, understood and managed within either the entity's or the nation's security risk appetite boundaries. Most importantly, the changing nature and definition of security needs to be clearly understood and acknowledged. When CSRM is designed to be effective in the CGS environment and for individual and broader NGIOA security objectives, decision makers have reasonable assurance that they understand the extent to which the entity's strategic security, operational security, digital security, innovation security, product and process security and other security objectives are being achieved, that the entity's security reporting is beneficial, reliable and timely, and that applicable security laws and regulations are being complied with at all levels: global, national and local.

It needs to be understood that the security components will not function identically across every entity within and across every NGIOA, as each nation is at a different maturity level in its governance, management, industries, innovations, products and processes. However, irrespective of the size of an entity, CSRM will be largely effective as long as each of its security components is defined accurately, understood, structured and functioning properly.

CSRM LIMITATIONS

While CSRM provides a fundamental change in how security is defined (its nature, structure, approach and integration with NGIOA in the CGS environment) in order to effectively identify, evaluate and manage cyber-security risks in the digital global age, limitations do exist. In addition to the factors discussed above, limitations result from the reality that each nation, with its government, industries, organizations and academia, is at a different level of security understanding and maturity. Each NGIOA has different security understanding, capability and compatibility, which can hamper the ability of decision makers to decide individually and collectively. These limitations preclude NGIOA decision makers and stakeholders from having absolute assurance that their cyber-security and Cyberspace objectives will be achieved.

CSRM ASSUMPTIONS

The Internal Control Framework is the basis for existing rules, regulations and laws; it is incorporated by reference in its entirety and remains in place within the boundaries of the CSRM framework. Both the Internal Control Framework and the Enterprise Risk Management Framework are, in their philosophical essence, incorporated within the boundaries of CSRM.

This CSRM summary is a high-level security risk overview directed to NGIOA decision makers. Details about specific techniques and processes, with clear security roles and responsibilities, will be discussed individually and in person with interested entities and organizations.

While this framework, RG CSRM 2015, provides and promotes an independent and collective, integrated view of security risks in CGS, including its strengths, weaknesses and limitations, it is still a work in progress. It is open to constructive dialogue and analysis to see where future enhancements can be made. Should this CSRM proposal become accepted as common ground for managing cyber-security risks in the digital global age, its key security risk concepts and terms should find their way into academic curricula and into industry and government vocabulary across nations. With this security risk foundation in CGS proposed for mutual Cyberspace understanding and advancement, each NGIOA will be able to speak a common security risk language and communicate its independent and interdependent security risks more effectively and in a timely manner.

I look forward to your constructive comments.

Jayshree Pandya

Founder: Cyber-Security Risk Research Center at Risk Group

http://www.riskgroupllc.com

[email protected]

+ (832) 9718322