Risk Management within businesses and organizations

Current technology and information systems are important tools for driving businesses and organizations forward and accelerating their operations, including the digital transformation of the business itself. That same transformation exposes businesses and organizations to greater risk from cyber threats. Protecting against cyber threats with a disciplined level of risk management, so that the organization is prepared to deal with them, is therefore a very important role within businesses and organizations. Cyber risk management covers people, processes and information technology tools, and it helps increase confidence and stability for both government and public service users.

Taking the cyber risk assessment and cyber risk management approach of the Bank of Thailand (BOT) as an example, the BOT has established information technology risk supervision criteria to ensure that business operators have good governance in information technology, information technology security and appropriate risk management. The rules governing information technology risks consist of two important parts:

  1. Maintaining the security of the basic information technology system (Cyber Hygiene), which is a preliminary measure to raise the security level in order to prevent and respond to important cyber threats, both internal and external.
  2. Information technology risk management (IT risk management), which focuses on meeting appropriate information technology risk management criteria: having an organizational structure and an assignment of roles and responsibilities to those accountable, so that a comprehensive information technology risk management policy can be formulated and information technology risks supervised in a way that fits the nature of the service or business. Supervision of operations and management of cyber risk follows the 3 Lines of Defense principle, an internationally recognized oversight and assurance tool.

The figure represents a 3-Lines of Defense model (The Institute of Internal Auditors, 2013).

The main purpose of the “Lines of Defense Model” is hierarchical supervision in accordance with procedural regulations. The three lines are the 1st Line of Defense, the 2nd Line of Defense and the 3rd Line of Defense. Each line has its own processes, built as a well-governed and efficient part of management under the enterprise-wide risk management framework. This includes having personnel with sufficient knowledge and expertise in operations, personnel at all levels who are aware of cyber security, and mechanisms for oversight and monitoring of cybersecurity.

What is a cyber risk?

Cyber risk is the potential for disruption to sensitive information, finances or online business operations, including services related to business operations and public services. Cyber risks are generally associated with events that could result in a data breach, data theft, or destruction of data such that the service can no longer be provided. Cyber risks are security threats to the operations of businesses and organizations. Examples of cyber risks include:

  • Ransomware, one of the main types of malware, attacks data, files and documents within the target’s information system by encrypting them, using methods such as the Advanced Encryption Standard (AES). AES is one of the most trusted encryption standards in industry and is used by organizations to secure data so that confidential data cannot be compromised. Adversaries have turned this strength around: the malware encrypts the target’s data, making it inaccessible until a ransom is paid to the ransomware developers.
  • Data leaks occur when sensitive or confidential information is inadvertently disclosed on the Internet or in any other form. Data copied to a flash drive, an external hard disk or a portable computer may be lost, creating the risk that ill-wishers can access sensitive data.
  • Phishing is a form of attack that tricks the target into handing over personal information, confidential information, financial information or ID card information, using various methods to get the target to send that information to the attacker. A typical method is an email to the target such as “A withdrawal of a certain amount has been made from your account. If this was not you, please click the link below to cancel the transaction” or “You are lucky to receive a free iPhone just by filling in this information”. Once the target sends the information, the attacker uses it to access other parts of the target’s life, such as financial information and system credentials, which are also personal information.
  • Malware (Malicious Software) is software developed by malicious people to steal information and damage computer systems. Malware is divided into several categories, such as:
    • Virus: software that is highly harmful to information systems, with the aim of attacking and blocking the system so that it cannot be used.
    • Trojan: software whose purpose is to intercept, alter or modify data, which may affect the integrity of data within an information system or cause damage within the information system.
    • Spyware: malicious software that operates in secret on the computer and reports back to a remote user. Spyware focuses on stealing financial or personal information.
    • Adware: software that collects computer usage information and serves targeted advertisements. Adware may not be dangerous in itself, but in some cases it can cause problems for information systems by redirecting website access to unsafe websites.
    • Ransomware: software whose purpose is to attack data, files and documents within a target’s information system by encrypting them so that the target cannot use them.
  • Insider threats are threats arising from someone within an organization who is authorized to access confidential information and whose access could compromise critical organizational data or systems. The insider may be an employee, vendor, contractor, partner or close associate. Cyber risks and vulnerabilities work differently: vulnerabilities are weaknesses that allow an adversary unauthorized access to a network, and they are what creates cyber risk within the information systems of businesses and organizations.

Cyber Security Risk Assessment

Cybersecurity risk assessments help businesses and organizations understand, control and mitigate all types of cyber risk, and they are an important element of risk management and risk mitigation. Without a cybersecurity risk assessment, the important information and resources that keep the business or organization running may be affected. Cybersecurity measures are implemented using a calculation method based on the OWASP Risk Assessment:

Risk = Likelihood × Impact

The risk assessment procedures are as follows:

  1. Identify the risks: identify the risks that can occur to the information system.
  2. Factors for estimating likelihood: the factors that help determine the probability of an attack, relating to the threat itself.
  3. Factors for estimating impact: the factors that determine how the operation of the information system would be affected.
  4. Determine the severity of the risk: the level of severity that may affect the information system.
  5. Decide what to fix: decide whether this vulnerability is to be fixed in the future or not.
  6. Risk assessment model: it is important to have a customizable risk prioritization framework that the business can implement.

When entering the cyber threat risk assessment step, a vulnerability with a low level of risk is a vulnerability of low severity. High-risk vulnerabilities are those that may cause high damage to information systems, have a high degree of severity, and are easy to attack. The principles of vulnerability severity analysis and risk assessment are as follows:

Severity

High: the vulnerability can hinder or stop the service or damage data.

Medium: the vulnerability cannot by itself stop the system from providing service, or it needs to be combined with other vulnerabilities to cause the system to stop providing service.
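The formula, the six-step procedure and the severity ranking above follow the OWASP Risk Rating Methodology, in which each likelihood and impact factor is scored 0 to 9, the two groups are averaged, and the two bands are combined into an overall severity. The following Python is an added example of that calculation; it is not code from the BOT, OWASP or this article, and the factor names are OWASP's while the sample ratings are constructed.

```python
from statistics import mean

# OWASP Risk Rating Methodology: each factor is scored 0..9; likelihood and
# impact are the averages of their factor groups; bands use OWASP thresholds.
LIKELIHOOD_FACTORS = ("skill_level", "motive", "opportunity", "size",
                      "ease_of_discovery", "ease_of_exploit", "awareness",
                      "intrusion_detection")
IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                  "loss_of_availability", "loss_of_accountability")

# OWASP overall severity table, indexed SEVERITY[impact_level][likelihood_level].
SEVERITY = {
    "HIGH":   {"LOW": "MEDIUM", "MEDIUM": "HIGH",   "HIGH": "CRITICAL"},
    "MEDIUM": {"LOW": "LOW",    "MEDIUM": "MEDIUM", "HIGH": "HIGH"},
    "LOW":    {"LOW": "NOTE",   "MEDIUM": "LOW",    "HIGH": "MEDIUM"},
}

def level(score):
    """Map a 0..9 score to its OWASP band: <3 LOW, <6 MEDIUM, otherwise HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    if score < 3:
        return "LOW"
    return "MEDIUM" if score < 6 else "HIGH"

def group_score(ratings, factors):
    """Average one factor group; every factor must be present and in 0..9."""
    missing = [f for f in factors if f not in ratings]
    if missing:
        raise KeyError(f"missing factor ratings: {missing}")
    if any(not 0 <= ratings[f] <= 9 for f in factors):
        raise ValueError("factor ratings must be in 0..9")
    return mean(ratings[f] for f in factors)

def rate_risk(ratings):
    """Steps 2-4 of the procedure: estimate likelihood, assess impact, rank severity."""
    likelihood = group_score(ratings, LIKELIHOOD_FACTORS)
    impact = group_score(ratings, IMPACT_FACTORS)
    return {"likelihood": likelihood, "impact": impact,
            "severity": SEVERITY[level(impact)][level(likelihood)]}

# Constructed sample ratings (hypothetical): an unpatched, internet-facing service.
SAMPLE = {"skill_level": 3, "motive": 4, "opportunity": 7, "size": 9,
          "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6,
          "intrusion_detection": 8, "loss_of_confidentiality": 7,
          "loss_of_integrity": 5, "loss_of_availability": 7,
          "loss_of_accountability": 9}

if __name__ == "__main__":
    print(rate_risk(SAMPLE))  # likelihood 6.125, impact 7 -> severity CRITICAL
```

Step 6 of the procedure (tailoring the model) corresponds to adjusting the factor lists, thresholds or severity table to the organization's own priorities.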

A cyber risk assessment is defined by the National Institute of Standards and Technology (NIST) as a risk assessment used to identify, estimate and prioritize risks to the operations of businesses and organizations, to their assets, to individuals, to other businesses and organizations, and to the nation, arising from the operation and use of information systems. The main objectives of a cyber risk assessment are to inform stakeholders, to encourage appropriate responses to emerging risks, and to summarize important information for executives so that executives and directors can make decisions about security.

Cyber Risk Management Framework by the National Institute of Standards and Technology (NIST)

The NIST Cyber Security Framework functions enable the creation of a strategy for preventing and reducing cyber risk, together with cyber risk management. The framework has the following components:

  1. Identify: the Identify function helps develop a business and organizational understanding of how to manage risks to systems, people, assets, information and capabilities. Its main purpose is to identify all people, processes or systems that may be vulnerable to this type of threat.
  2. Protect: the Protect function supports the ability to limit or control the impact of a threat. Its primary purpose is to limit the threat of attack by removing or blocking vulnerabilities.
  3. Detect: the Detect function defines the events to watch for so that occurrences are identified in time. Its main purpose is to answer: if a threat cannot be stopped by preventive steps, how will the business or organization know what is happening and that it is facing a cyber threat?
  4. Respond: the Respond function includes appropriate activities against cyber threats to mitigate their impact. Its main objective is to recognize the threat and prevent further damage, reputational damage or privacy violations.
  5. Recover: the Recover function consists of identifying appropriate activities to maintain a resilience plan and to restore impaired services during cybersecurity incidents. Its main objective is to bring the affected system back to a state equal to or better than before.

Example of a Cyber Risk Management Matrix (https://owasp.org/www-project-threat-and-safeguard-matrix/)

Summary

Risk assessment enables management to make decisions in response to risks, to effectively appoint a person responsible for managing the risks that have been assessed, and to analyze additional security within the business or organization’s information system after the assessment. The NIST Cybersecurity Framework has also become one of the most widely used cybersecurity risk management frameworks in the industry; NIST provides an end-to-end map of activities and their associated outcomes. Its five cybersecurity risk management functions, identify, protect, detect, respond and recover, are critical to the operations of businesses and organizations in the digital 4.0 era.

Mr. Supachokchai Saetan

Upper Southern Branch

Digital Economy Promotion Agency

Reference from:

  1. E. Bragger, “Cyber Controls Matrix,” OWASP, 2020. [Online]. Available: https://owasp.org/www-project-cyber-controls-matrix/.
  2. S. Yu, “Cyber Defense Matrix,” OWASP, 2020. [Online]. Available: https://owasp.org/www-project-cyber-defense-matrix/.
  3. J. B. U. F. Stefan Varga, “Cyber-threat perception and risk management in the Swedish financial sector,” ScienceDirect, p. 13, 201.
  4. A. S. I. K. Y. B.-M. Isabel Arend, “Smart cities and cyber security: Are we there yet? A comparative study on the role of standards, third party risk management and security ownership,” ScienceDirect, p. 3, 2020.
  5. NIST, “Cybersecurity Framework,” NIST, April 2018. [Online]. Available: https://www.nist.gov/cyberframework/framework.
  6. Trend Micro, “Ransomware,” Trend Micro. [Online]. Available: https://www.trendmicro.com/vinfo/us/security/definition/Ransomware. [Accessed 18 11 2021].
  7. A. T. Tunggal, “What is a Data Leak? Stop Giving Cybercriminals Free Access,” UpGuard, 18 10 2021. [Online]. Available: https://www.upguard.com/blog/data-leak. [Accessed 18 11 2021].
  8. NIST, “Computer Security Resource Center,” NIST. [Online]. Available: https://csrc.nist.gov/glossary/term/phishing. [Accessed 18 11 2021].
  9. Cisco, “What Is Malware?,” Cisco. [Online]. Available: https://www.cisco.com/c/en/us/products/security/advanced-malware-protection/what-is-malware.html. [Accessed 18 11 2021].
  10. Cybersecurity & Infrastructure Security Agency, “Defining Insider Threats,” CISA. [Online]. Available: https://www.cisa.gov/defining-insider-threats. [Accessed 18 11 2021].
  11. Bank of Thailand, “Cyber Resilience Readiness Assessment Framework,” Cyber Resilience Readiness Assessment Framework under Information Technology Risk Management Regulations, 2019.
  12. M. J. P. S. Radoica Luburić, “Quality Management in terms of strengthening the “Three Lines of Defence” in Risk Management – Process Approach,” ResearchGate, p. 4, 2015.
  13. IIA Position Paper, “The Three Lines of Defense in Effective Risk Management and Control,” p. 4, 2013.
