Tag Archives: cybersecurity
In part I of Cognitive Risk Framework for Cybersecurity, I introduced the reasoning for developing a bridge from existing IT and risk frameworks to the next generation of risk management based on cognitive. These concepts are no longer theoretical and, in fact, are evolving faster than most IT security and risk professionals appreciate. In part II, I introduce the pillars of a cognitive risk framework for cybersecurity that make this program operational. The pillars represent existing technology and concepts that are increasingly being adopted by technology firms, government agencies, computer scientists and industries as diverse as healthcare, biotechnology, financial services and many others.
The following is an abbreviated version of the cognitive risk framework for cybersecurity that will be published later this year.
A cognitive risk framework is fundamental to the integration of existing internal controls, risk management practice, cognitive security technology and the people who are responsible for executing on the program components that make up enterprise risk management. Cognitive risk fills the gap in today’s cybersecurity programs, which fail to fully address the “softest target”, the human mind.
A functioning cognitive risk framework for cybersecurity provides guidance for the development of a CogSec response that is three-dimensional instead of a one-dimensional defensive posture. Further, cognitive risk requires an expanded taxonomy to level set expectations about risk management through scientific methods and improve communications about risks. A CRFC is an evolutionary step from intuition and hunches to quantitative analysis and measurement of risks. The first step in the transition to a CRFC is to develop an organizational Cognitive Map. Paul Slovic’s Perception of Risk research is a guide for starting the process to understand how decision-makers across an organization perceive key risks in order to prioritize actionable steps for a range of events large and small. A Cognitive Map is one of many tools risk professionals must use to expand discussions on risk and form agreements for enhanced techniques in cybersecurity.
Risk communications sound very simple on the surface, but even risk experts will refer to risks and use the term with different meanings without recognizing the contradictions. In speaking with a senior executive at a major bank, I was told that she thought they understood risks, but the 2008 Great Recession revealed major disagreements in how the firm talked about risk and the decisions made to manage risk. Poor communications about risk are more common than not without a structured way to put risks in context to account for a diversity of risk perceptions. “The fact that the word ‘risk’ has so many different meanings often causes problems in communication,” according to Slovic.
Organizations rarely openly discuss these differences, or even understand they exist, until a major risk event forces these issues onto the table. Even then the focus of the discussion quickly pivots to solving the problem with short-term solutions, leaving the underlying conflicts unresolved. Slovic, Peters, Finucane and MacGregor (2005) posited that “risk is perceived and acted on in two ways: Risk as Feelings refers to individuals’ fast, instinctive, and intuitive reactions to danger. Risk as Analysis brings logic, reason, and scientific deliberation to bear on risk management.”
Some refer to this exercise as forming a “risk appetite”, but again this term is vague and doesn’t capture the full range of ways individuals experience risk. Researchers now recognize diverse views of risk as relevant, from the nonscientist who views risks subjectively to scientists who evaluate adverse events as the probability and consequences of risks. A deeper view into risk perceptions explains why there is little consensus on the role of risk management and dissatisfaction when expectations are not met.
Techniques for reconciling these differences create a forum that leads to better discussions about risk. Discussions about risk management are extremely important to organizational success yet paradoxically produce discomfort whether in personal or business life when planning for the future. Personal experience in conjunction with a body of research demonstrates that the topic of risk tends to elicit a strong emotional response. Kahneman and Tversky called this response “loss aversion”. “Numerous studies have shown that people feel losses more deeply than gains of the same value (Kahneman and Tversky 1979, Tversky and Kahneman 1991).” Losses have a powerful psychological impact that lingers long after the fact coloring one’s perception about risk taking.
Over time these perceptions about risk and loss become embedded in the unconscious and by virtue of the vagaries of memory the facts and circumstances fade. The natural bias to avoid loss leads us to a fallacy that assumes losses are avoidable if people simply make the right choices. This common view of risk awareness fails to account for uncertainty, the leading cause of surprise, when expectations are not met. This fallacy of perceived risks produces an underestimation or overestimation of the probability of success or failure.
A Cognitive Risk Framework for Cybersecurity, or for any other risk, requires a clear understanding of and agreement on the role(s) of data management; risk and decision-support analytics; parameters for dealing with uncertainty (imperfect information); and how technology is integrated to facilitate the expansion of what Herbert A. Simon called “bounded rationality”. Building a CRFC does not eliminate risks; it develops a new kind of intelligence about risk.
A cognitive risk framework is needed to advance risk management in the same way economists deconstructed the “rational man” theory. The myth of “homo economicus” still lingers in risk management, damaging the credibility of the profession. “Homo economicus, economic man, is a concept in many economic theories portraying humans as consistently rational and narrowly self-interested who usually pursue their subjectively defined ends optimally”.[i] These concepts have since been contrasted with Simon’s bounded rationality, not to mention any number of financial market failures and unethical and fraudulent behavior that stand as evidence of the weakness in the argument. A cognitive risk framework will serve to broaden awareness of the science of cognitive hacks as well as the factors that limit our ability to deal effectively with the Cyber Paradox, factors which go beyond selecting a defensive strategy. Let’s take a closer look at what a cognitive risk framework for cybersecurity looks like and consider how to operationalize the program.
The foundational base (“Guiding Principles”) for developing a cognitive risk framework for cybersecurity starts with Slovic’s “Cognitive Map – Perceptions of Risk” and an orientation in Simon’s “Bounded Rationality” and Kahneman and Tversky’s “Prospect Theory – An Analysis of Decision Making Under Risk”. In other words, a cognitive risk framework formally develops a structure for actualizing the two ways people fundamentally perceive adverse events; “risk as feelings” and “risk as analysis”. Each of the following guiding principles is a foundational building block for a more rigorous science-based approach to risk management.
The CRFC guiding principles expand the language of risk with concepts from behavioral science to build a bridge connecting decision science, technology and risk management. The CRFC guiding principles establish a link to and recognize the important work undertaken by the COSO Enterprise Risk Framework for Internal Controls, the ISO 31000 Risk Management Framework, and the NIST and ISO/IEC 27001 information security standards, which make reference to the need for processes to deal with the human element. The opportunity to extend the cognitive risk framework to other risk programs exists; however, the focus of this topic is directed at cybersecurity and the program components needed to operationalize its execution. The CRFC program components include five pillars: 1) Intentional Controls Design; 2) Cognitive Informatics Security (Security Informatics); 3) Cognitive Risk Governance; 4) Cybersecurity Intelligence & Active Defense Strategies; and, 5) Legal “Best Efforts” Considerations in Cyberspace.
Brief overview of the Five Pillars of a CRFC:
Intentional Controls Design
Intentional controls design recognizes the importance of trust in networked information systems by advocating for the automation of internal controls design integration for IT, operational, audit and compliance controls. Intentional controls design is the process of embedding information security controls, active monitoring, audit reporting, risk management assessment and operational policy and procedure controls into network information systems through user-guided GUI application design and data repository to enable machine learning, artificial intelligence and other currently available smart system methods.
Intentional controls design is an explicit choice made by information security analysts to reduce or remove reliance on people through the use of automated controls. Automated controls must be animated through the use of machine learning, artificial intelligence algorithms, and other automation based on regulatory guidance and internal policy. Intentional controls design is implemented on two levels of hierarchy: 1) Enterprise-level intentional controls design anticipates that these controls are mandatory across the organization and can only be changed or modified with the approval of the senior executive responsible for enterprise governance; 2) Operational-level intentional controls design anticipates that each division or business unit may require a unique control design to account for differences between lines of business in regulatory regimes, risk profile, vendor relationships and other factors unique to those operations.
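The two-level hierarchy described above can be made mechanical: enterprise controls are the mandatory baseline, a business unit may add controls of its own, and any attempt by a unit to change an enterprise control is honored only when an executive approval is on record. The following Python is an added illustration, not code from the original post or from any framework it cites; the control names, the two business units, the approval register and the configuration snapshot are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Control:
    """One automated control: a setting, its required value, and how to compare."""
    setting: str
    expected: Any
    how: str = "equals"  # "equals", "at_least" or "at_most"

    def satisfied(self, actual: Any) -> bool:
        if actual is None:  # a setting absent from the system is a control gap
            return False
        if self.how == "equals":
            return actual == self.expected
        if self.how == "at_least":
            return actual >= self.expected
        if self.how == "at_most":
            return actual <= self.expected
        raise ValueError(f"unknown comparison {self.how!r}")


# Constructed enterprise-level baseline (hypothetical settings, not taken from any standard).
ENTERPRISE_CONTROLS: Dict[str, Control] = {
    "mfa_required": Control("mfa_required", True),
    "max_session_minutes": Control("max_session_minutes", 30, "at_most"),
    "log_retention_days": Control("log_retention_days", 365, "at_least"),
}

# Constructed operational-level overrides requested by two hypothetical business units.
UNIT_OVERRIDES: Dict[str, Dict[str, Control]] = {
    "wealth-management": {
        "log_retention_days": Control("log_retention_days", 2555, "at_least"),
        "trade_surveillance": Control("trade_surveillance", True),
    },
    "retail-web": {
        "mfa_required": Control("mfa_required", False),
        "max_session_minutes": Control("max_session_minutes", 15, "at_most"),
    },
}

# Constructed register of executive approvals: (unit, setting) pairs governance signed off on.
EXECUTIVE_APPROVALS: Set[Tuple[str, str]] = {("wealth-management", "log_retention_days")}


def effective_controls(unit: str, enterprise=ENTERPRISE_CONTROLS,
                       overrides=UNIT_OVERRIDES, approvals=EXECUTIVE_APPROVALS):
    """Resolve the control set for one business unit.

    Enterprise controls apply everywhere. A unit may add controls of its own freely,
    but a change to an enterprise control is accepted only if an executive approval
    for that (unit, setting) pair is on record; otherwise the request is rejected and
    the enterprise value stands. Returns (effective controls, rejected settings).
    """
    effective = dict(enterprise)
    rejected: List[str] = []
    for setting, control in overrides.get(unit, {}).items():
        if setting in enterprise and (unit, setting) not in approvals:
            rejected.append(setting)
            continue
        effective[setting] = control
    return effective, rejected


def audit(unit: str, observed: Dict[str, Any], **kwargs):
    """Check an observed system configuration against the unit's effective controls.

    Returns findings as (setting, expected, actual) tuples; an empty list means compliant.
    """
    effective, _ = effective_controls(unit, **kwargs)
    return [(s, c.expected, observed.get(s)) for s, c in effective.items()
            if not c.satisfied(observed.get(s))]


if __name__ == "__main__":
    # Constructed snapshot of a retail-web system, as an automated collector might report it.
    snapshot = {"mfa_required": False, "max_session_minutes": 20, "log_retention_days": 400}
    print(effective_controls("retail-web")[1])  # ['mfa_required', 'max_session_minutes']
    print(audit("retail-web", snapshot))         # [('mfa_required', True, False)]
```

The retail-web unit's request to drop MFA is refused because no approval exists, so the audit still reports the disabled MFA as a finding; the wealth-management unit's longer retention is accepted because it was approved, and its surveillance control simply extends the baseline. An audit report produced this way is the automated control evidence the paragraph envisions, with the approval register as the only path for changing an enterprise control.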
Cognitive Informatics Security (Security Informatics)
Cognitive informatics security is a rapidly evolving discipline within cybersecurity and healthcare with many branches of discipline making it difficult to come up with one definition. Think of cognitive security as an overarching strategy for cybersecurity executed through a variety of advanced computing methodologies.
“Cognitive computing has the ability to tap into and make sense of security data that has previously been dark to an organization’s defenses, enabling security analysts to gain new insights and respond to threats with greater confidence at scale and speed. Cognitive systems are taught, not programmed, using the same types of unstructured information that security analysts rely on.”[i]
The International Journal of Cognitive Informatics and Natural Intelligence defines cognitive informatics as “a transdisciplinary enquiry of computer science, information sciences, cognitive science, and intelligence science that investigates the internal information processing mechanisms and processes of the brain and natural intelligence, as well as their engineering applications in cognitive computing. Cognitive computing is an emerging paradigm of intelligent computing methodologies and systems based on cognitive informatics that implements computational intelligence by autonomous inferences and perceptions mimicking the mechanisms of the brain.”[ii]
Cyber Risk Governance
The Cyber Risk Governance pillar is concerned with the role of the Board of Directors and senior management in strategic planning and executive sponsorship of cybersecurity. Boards of directors historically delegate risk and compliance reporting to the Audit Committee, although a few forward-thinking firms have appointed a senior risk executive who reports directly to the BoD. In order to implement a Cognitive Risk Framework for Cybersecurity, the entire board must participate in an orientation on the guiding principles to set the stage and tone for the transformation required to incorporate cognition into a security program.
The framework represents a transformational change in risk management, cybersecurity defense and an understanding of decision-making under uncertainty. To date, traditional risk management has lacked scientific rigor through quantitative analysis and predictive science. The framework dispels myths about risk management while aligning the practice of security and risk management using the best science and technology available today and the future.
Transformational change from an old to a new framework requires leadership from the board and senior management that goes beyond the sponsorship of a few new initiatives. The framework represents a fundamentally new vision for what is possible in risk and security to address cybersecurity or enterprise risk management. Change is challenging for most organizations; however, the transformation required to move to a new level of cognition may be the hardest, but most effective, any firm will ever undertake. This is exactly why the board and senior management must understand the framing of decision-making and the psychology of choice. Why, you may ask, must senior management understand what one does naturally and intuitively? The answer is that change is a choice, and the process of decision-making among a set of options is not as intuitive or simple as one thinks.
Cybersecurity Intelligence and Defense Strategies
“Information on its own may be of utility to the commander, but when related to other information about the operational environment and considered in the light of past experience, it gives rise to a new understanding of the information, which may be termed ‘intelligence.’”[i]
The Cybersecurity Intelligence and Defense Strategies (CIDS) pillar is based on the principles of the 17-member Defense Intelligence and Intelligence community “Joint Intelligence” report. Cybersecurity intelligence is conducted to develop information on four levels – Strategic, Operational, Tactical & Asymmetrical. Strategic intelligence should be developed for the board of directors, senior management and the Cyber Risk Governance committee. Operational intelligence should be designed to provide security professionals with an understanding of threats and operational environment vulnerabilities. Tactical intelligence must provide directional guidance for offensive and defensive security strategies. Asymmetrical intelligence strategies include monitoring the cyber black market and other market intelligence from law enforcement and other means as possible.
CIDS also acts as the laboratory for cybersecurity intelligence responsible for leading the human and technology security practice through a data dependent format to provide rapid response capabilities. Information gathering is the process of providing organizational leadership with context for improved decision-making for current and forward-looking objectives that are key to operational success or to avoid operational failure. Converting information into intelligence requires an organization to develop formal processes, capabilities, analysis, monitoring, and communication channels that enhance its ability to respond appropriately and in a timely manner. Intelligence gathering assumes that the organization has in place objectives for cybersecurity that are well defined through plans of execution and possesses capabilities to respond accordingly to countermeasures (surprise) as well as expected outcomes.
Legal “Best Efforts” Considerations in Cyberspace
To say that the legal community is struggling with how to address cyberrisks is an understatement: on the one hand, it must address the protection of its own clients’ data, and on the other hand it must determine negligence in a global environment where no organization can guard against a data breach with 100% certainty. “The ABA Cybersecurity Legal Task Force, chaired by Judy Miller and Harvey Rishikof, is hard at work on the Cyber and Data Security Handbook. The Cyber Incident Response Handbook, which originated with the Task Force.”[i] Law firms have the same challenges as all other organizations but also have a higher standard in their ethical rules, which require confidentiality of attorney-client and work product data. I looked to the guidance provided by the ABA to frame the fifth pillar of the CRFC.
The concept of “best efforts” is a contractual term used to obligate the parties to make their best attempt to accomplish a goal, typically used when there is uncertainty about the ability to meet a goal. “Courts have not required that a party under a duty to use best efforts to accomplish a given goal make every available effort to do so, regardless of the harm to it. Some courts have held that the appropriate standard is one of good faith. Black’s Law Dictionary 701 (7th ed. 1999) has defined good faith as “A state of mind consisting in (1) honesty in belief or purpose, (2) faithfulness to one’s duty or obligation, (3) observance of reasonable commercial standards of fair dealing in a given trade or business, or (4) absence of intent to defraud or to seek unconscionable advantage””.[ii]
Boards of directors and senior executives are held to these standards by contractual agreement, whether aware of these standards or not, in the event a breach occurs. The ABA has adopted a security program guide by Carnegie Mellon University’s Software Engineering Institute. The Carnegie Mellon Enterprise Security Program (ESP) has been tailored for law firms as a prescriptive set of security-related activities as well as incident response and ethical considerations. The Carnegie Mellon ESP spells out that “some basic activities must be undertaken to establish a security program, no matter which best practice a firm decides to follow. (Note that they are all harmonized and can be adjusted for small firms.) Technical staff will manage most of these activities, but firm partners and staff need to provide critical input. Firm management must define security roles and responsibilities, develop top-level policies and exercise oversight. This means reviewing findings from critical activities; receiving regular reports on intrusions, system usage and compliance with policies and procedures; and reviewing the security plans and budget.”
This information is not legal guidance on complying with an organization’s best efforts requirements. The information is provided to bring awareness to the importance of the board’s and senior management’s participation in ensuring all bases are covered in cyberrisk. The CRFC’s fifth pillar completes the framework as a link to existing standards of information security with an enhanced approach that includes cognitive science.
A cognitive risk framework for cybersecurity represents an opportunity to accelerate advances in cybersecurity and enterprise risk management simultaneously. The convergence of technology, data science, behavioral research and computing power is no longer wishful thinking about the future. The future is here, but in order to fully harness the power of these technologies and the benefits possible, IT security professionals and risk managers in general need a guidepost for comprehensive change. The cognitive risk framework for cybersecurity is the first of many advances that will change how organizations manage risk, now and in the future, in fundamental and profound ways few have dared to imagine.
Redesigning Risk Management and Internal Controls for Cyberrisks
Cybersecurity has gotten a great deal of attention these days for two reasons – billions of dollars are being spent in response to a growing threat in cybersecurity and, secondly, the lack of meaningful and sustainable success in preventing hackers from stealing data. Every organization is vulnerable to attack and no matter the amount of money spent hardening the enterprise threats continue to escalate. This phenomenon is called the Cyber Paradox. The definition of a paradox: “something (such as a situation) that is made up of two opposite things and that seem impossible but is actually true or possible.” How is it that incremental investments in security have not impacted the marginal cost of cyberrisk?
“The answer may surprise you… security investments have been focused on the wrong vulnerability.”
Researchers who have studied the cyber black market have made an obvious but overlooked finding in trends associated with participants in the cyber black markets. Only a small percentage of hackers have the technical capability to successfully penetrate the hardened security defenses of most corporations (the “hard targets”), prompting hackers to go after the softest target to hack: the human mind.
Cognitive hacks, phishing attacks, botnet-delivered malware and other cognitively directed attacks have found a great deal of success executing their exploits, and conversely corporate and government security professionals have spent the least amount of time, money, resources and mental energy developing security strategies to defend the weakest link in their organization. This is obvious to most security professionals, but to date very few organizations have created a thoughtful approach to securing the organization against its biggest vulnerability: the people who work in the organization. This is not the Insider Threat that most researchers and security professionals believe is the biggest threat. Edward Snowden’s breach has created an illusion of vulnerability that appears larger than it really is. Like shark attacks, we are afraid of the oceans because a small fraction of people are attacked, creating a media frenzy that is greater than the actual threat.
The biggest vulnerability is much simpler. It is the access organizations give through mobile devices, social media and Internet surfing. Cognitive hacks now exceed all other hacks in success rate because the human mind is the softest target to attack and the least defended in most organizations. The cost of cyber attacks is a poor metric for determining security defense success. The success rate at defending against a breach is the only metric that really matters. So how does an organization improve its success rate of defending against an attack? Cognitive hacks require a cognitive security response.
“Cognitive security uses data mining, machine learning, natural language processing and human-computer interaction to mimic the way the human brain functions and learns. It gets stronger over time, learning with each interaction and getting better at proactively stopping threats. Cognitive systems bring the ability to spot anomalies and flawed logic, and provide evidence-based reasoning — enabling analysts to weigh alternative outcomes and improve decision-making”, according to IBM’s Watson division. However, cognitive security, or CogSec, is a much more diverse set of solutions than IBM’s Watson. CogSec is a multidisciplinary approach that is in the early stage of development that will use a variety of security informatics in defensive and offensive strategy in response to cyberrisks. “One-off” solutions are insufficient to deal with an adversary that is expert in asymmetric risk management. That is why a Cognitive Risk Framework for Cybersecurity is needed to operate in this new domain of cyberrisk.
The concepts referenced in the Cognitive Risk Framework for Cybersecurity (CRFC) are drawn from a large body of research in decision science, psychology, philosophy, cognitive computing, systems engineering and other cross-disciplinary topics. A cognitive risk framework is fundamental to the integration of existing internal controls, risk management practice, cognitive security technology and the people who are responsible for executing on the program components that make up enterprise risk management. Cognitive risk fills the gap in today’s cybersecurity programs, which fail to fully incorporate the “softest target”, the human mind.
A functioning cognitive risk framework for cybersecurity provides guidance for the development of a CogSec response that is three-dimensional instead of a one-dimensional defensive posture. Further, cognitive risk requires an expanded taxonomy to level set expectations about risk management through scientific methods and improve communications about risks. A CRFC is an evolutionary step from intuition and hunches to quantitative analysis and measurement of risks.
The CRFC five pillars expand the language of risk with concepts from behavioral science to build a bridge connecting decision science, technology and risk management. The CRFC five pillars establish a link to and recognize the important work undertaken by the COSO Enterprise Risk Framework for Internal Controls, the ISO 31000 Risk Management Framework, and the NIST and ISO/IEC 27001 information security standards, which make reference to the need for processes to deal with the human element. The opportunity to extend the cognitive risk framework to other risk programs exists; however, the focus of this topic is directed at cybersecurity and the program components needed to operationalize its execution.
The CRFC program components include five pillars: 1) Intentional Controls Design; 2) Cognitive Informatics Security (Security Informatics); 3) Cognitive Risk Governance; 4) Cybersecurity Intelligence & Active Defense Strategies; and, 5) Legal “Best Efforts” Considerations in Cyberspace.
The Five Pillars of the Cognitive Risk Framework will be discussed in detail in the next posting but for now consider these the foundational building blocks for an enhanced cybersecurity program now and in the future that is sustainable and responsive to asymmetric cyber attack.
No issue today has created more concern within corporate C-suites and boardrooms than cybersecurity risk. With the ability to shatter a company’s reputation with their customers and draw criticism from shareholders, lawsuits from affected parties, and attention from the media, the threat of cyber risk is ubiquitous and insidious. No company, region, or industry is immune, which makes the responsibility to oversee, manage, and mitigate cyber risk a top-down priority in every organization.
R.I.S.K. is the next-generation chief risk/audit/compliance/IT security officer, capable of processing billions of bits of data, analyzing behavioral patterns, assessing changes in internal controls and tackling cyber risks within seconds of an attack. R.I.S.K. does not command a salary, go on vacation, require a pension or healthcare benefits, nor complain about not having enough budget or resources to get the job done.
What is R.I.S.K.? Risk Intelligent Systems Knowledgeware is a concept that I created to describe a collection of informatics applications that are in development today designed to tackle the challenge of tomorrow’s complex risk problems. If you think this is some far-fetched science fiction story about risk management you simply have not done your homework. Let me explain why risk management, as you know it today, will never be the same and is going through a major transformation never before seen.
Intelligence and security informatics (“ISI”) is defined as the development of advanced information technologies, systems, algorithms, and databases for international, national, and homeland security-related applications, through an integrated technological, organizational, and policy-based approach. Academics, military researchers, systems programmers and information security engineers are exploring a range of advanced technologies to address tomorrow’s threats. Disparate teams from around the world are working, separately and in collaborative partnership, on first-generation smart systems to redefine how risk management and cyber security will be prosecuted in the very near future. While it is true that much of this research is very early stage, it is also true that practical applications are being used today.
What is driving this change? Every organization is impacted by the speed of change and volumes of data generated by regulation and our 24/7 online, on-all-the-time, networked environment. Whether you work in a government agency, small business or global corporate enterprise humans candidly cannot keep up without the assistance of technology. It would be naïve to assume that risk, audit, IT security and compliance professionals have the ability to assess the health of an entire organization by reviewing a fraction of the internal controls and enterprise threats that endlessly flow through every firm.
Risk professionals spend 80% or more of their time focused on high-frequency, low-impact risks because they are easy to capture, yet this only creates a false sense of security. The phenomenon is called cognitive overload, and it distracts from the true risks that threaten organizations. This is the primary reason organizations are “surprised” when a major control failure disrupts business or security professionals fail to keep up with cyber threats. Conventional risk practice is not enough! Unfortunately, risk professionals cling to ineffective risk practice without questioning outcomes or seeking alternatives.
So what are the implications of this transformation in risk management? First of all, it is important to understand that this change has already begun and will speed up rapidly as new technology is brought to bear to address risks. Open source intelligence is increasingly being used in security related applications. Hundreds of cyber security vendor applications have been launched in the last 3-5 years and behavioral defense systems have been deployed to identify patterns of insider threats to proprietary corporate data.
As these systems and their developers learn from their early stage experience more advanced applications will be deployed very rapidly. Artificial intelligence and machine learning are playing a larger role in cybersecurity, which can in theory help companies identify risks and anticipate problems before they occur. The idea is to create software that can adapt and evolve to combat ever-changing attack strategies, or identify patterns of suspicious behavior.
Traditional security mechanisms have leveraged rule, pattern, signature and algorithm-based approaches to detect threats, and that’s a problem, according to Paul Stokes, CIO of the University of Victoria in British Columbia. “These approaches require constant care and feeding to identify and mitigate security threats,” he said. “I think machine learning changes the game.”
The risk professional of the future will be more defined in skill set and come from a diverse set of deep domain expertise beyond audit, legal, operations or generalist oriented backgrounds. Risk engineers will increasingly become a new title bestowed on security professionals able to design or deploy systems with intelligence custom fit to the organization’s risk. The cost of risk, compliance and audit will be streamlined and spread across resources more effectively targeting real threats to the enterprise. These changes were unimaginable a mere 5 years ago but are becoming a reality today.
The question is are you prepared or do you ignore the change until you are replaced by R.I.S.K.?
In the past 20 years, the nature of corporate asset value has changed significantly, shifting away from the physical and toward the virtual. One recent study found that 80 percent of the total value of the Fortune 500 now consists of intellectual property (IP) and other intangibles.1 Along with the rapidly expanding “digitization” of corporate assets, there has been a corresponding digitization of corporate risk. Accordingly, policy makers, regulators, shareholders, and the public are more attuned to corporate cybersecurity risks than ever before. Organizations are at risk from the loss of IP and trading algorithms, destroyed or altered data, declining public confidence, harm to reputation, disruption to critical infrastructure, and new legal and regulatory sanctions. Each of these risks can adversely affect competitive positioning, stock price, and shareholder value.