Anyone not hiding in a hole in the ground for the last five years must have noticed how much the media writes about cyber threats. The media picture aligns well with the impression I get when talking to clients: business risks for production-centred firms are no longer dominated by random accidents alone, but also by potential cyber threats. This means that such threats need to be managed.
Most companies already have a risk management system in place, typically along the lines of ISO 31000. A risk management process must consist of a cycle of activities:
- Identify risks
- Evaluate risks against acceptance criteria for severity and probability
- Plan mitigating actions
- Involve internal and external stakeholders along the way
Exactly the same process can be used to deal with information security risks. A good methodology for managing such risks should take into account who the threat actors are in the context of the business. Why would they want to attack? Do they have a lot of resources and know-how? What is the cost-benefit ratio for the attacker? Understanding these human factors in the equation gives you a reasonable way to rank the credibility of the various attack scenarios. This lets cyber risks be treated like any other risk in the risk management process: resources should be spent where they bring the largest risk reduction. Typically, highly credible attack scenarios with terrible consequences should be dealt with first, less likely or less severe scenarios second, and scenarios that seem extremely unlikely or have little or no impact on the business can perhaps be accepted. This sort of risk ranking is well-known to risk management professionals. There are, however, a few differences in assessing the credibility of attack scenarios compared with random events:
- An attacker may be motivated precisely by the severity of the consequences; the likelihood of an attack is thus not independent of its impact, and a scenario with a large payoff for the attacker cannot be ranked as unlikely simply because it has never happened before
- It is hard to use "probabilities" or "frequencies" in any meaningful sense, since there is no stable failure rate for a deliberate adversary; a qualitative approach may be just as useful (sometimes true also for random risks!)
Mitigations should thus be planned according to the risk reduction that is needed and the effect each mitigation actually has. This is exactly what we do in other risk management settings. Communication with stakeholders is equally necessary in this context, if not more so. Risk owners, equipment suppliers, users, other supply chain partners: they can all be affected. And in our connected world, increasingly so as we move to smarter production systems, an incident in one domain can propagate across interfaces into others. The communication tools well-known to risk managers are therefore equally important when managing risks to production-critical information systems.
The bottom line is: don't outsource responsibility for risk management to your IT services provider. Integrate cyber risk management into your existing risk management process. That is the only way to stay in control of your own environment.