5. The Approach to Cybersecurity: Cyber Risk Management 101

above, organizations like NIST provide detailed guidance on the risk management process. This section highlights a few of the major functions in the process.

5.3.1 Cyber Assets

The first consideration in cyber risk management is identifying and valuing cyber assets. Cyber assets are computer systems and data of value. Cyber assets must be identified and valued before they can be appropriately protected. Otherwise, organizations could end up spending more money protecting an asset than it would cost to replace it.

Computer systems are relatively straightforward to value because they are physical assets with a known market value. As part of the cyber risk management process, organizations should inventory all of their computer systems (see Table 5.3 above). Computer system inventories should include a record of every computer system owned by the organization, where it is located, and who is responsible for it. If this information is not compiled, computer systems could be lost or stolen without anyone noticing, and such losses pose a risk to the organization. Computer systems include employee workstations (e.g., laptops), servers, copiers, printers, and company-owned smartphones. These inventories must be kept up to date, so this is an ongoing process. When computers are replaced, the old ones need to be taken out of inventory and securely discarded.

Organizations also need to understand the value of their data. Data has value based on how the organization uses it as well as how others value it, including customers and potential adversaries. One example of data that has value is personally identifiable information (PII). PII is data that can be used to identify a person and commit identity theft. PII includes names, birthdays, addresses, phone numbers, and social security numbers. Most organizations store PII for their constituents so they can track and contact them.
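The inventory checks described above (every system recorded, located and owned; systems not lost or stolen unnoticed; protection spend not exceeding replacement cost; PII counted per record) can be automated. The following is an added illustration, not code from the textbook; the asset records and the set of observed asset ids are constructed sample data, and the field names are assumptions.

```python
from dataclasses import dataclass


@dataclass
class CyberAsset:
    asset_id: str
    kind: str                      # laptop, server, printer, smartphone, ...
    location: str
    owner: str                     # person responsible; empty if nobody is assigned
    replacement_cost: float        # market value of the physical system
    protection_cost: float = 0.0   # annual spend on controls for this asset
    pii_records: int = 0           # number of PII records stored on it


# Constructed sample inventory (assumed field values, not real data).
INVENTORY = [
    CyberAsset("LT-001", "laptop", "HQ-2F", "alice", 1500.0, 200.0),
    CyberAsset("LT-002", "laptop", "HQ-2F", "", 1500.0, 200.0),
    CyberAsset("SRV-01", "server", "DC-A", "ops", 8000.0, 3000.0, pii_records=250000),
    CyberAsset("PRN-07", "printer", "HQ-1F", "facilities", 600.0, 900.0),
]
# Asset ids seen by a constructed discovery run: LT-002 is missing, WS-099 is new.
OBSERVED = {"LT-001", "SRV-01", "PRN-07", "WS-099"}


def reconcile(inventory, observed_ids):
    """Compare the recorded inventory against the systems actually observed."""
    recorded = {a.asset_id for a in inventory}
    return {
        # Recorded but not observed: may have been lost or stolen without notice.
        "unaccounted_for": sorted(recorded - observed_ids),
        # Observed but never inventoried: nobody is responsible for it.
        "unrecorded": sorted(observed_ids - recorded),
        # Inventoried but with no responsible person on record.
        "no_owner": sorted(a.asset_id for a in inventory if not a.owner),
    }


def overprotected(inventory):
    """Systems holding no PII whose protection spend exceeds their replacement cost."""
    return sorted(a.asset_id for a in inventory
                  if a.pii_records == 0 and a.protection_cost > a.replacement_cost)


def pii_exposure(inventory):
    """Total PII records held; PII is valued per record, so this sizes the target."""
    return sum(a.pii_records for a in inventory)
```

Re-running `reconcile` after each discovery scan keeps the inventory current, which the text notes is an ongoing task rather than a one-off exercise.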
PII is not only valued by organizations but also by criminals because it can be used to commit identity theft. Identity theft is fraudulent action taken in someone else's name to obtain a financial benefit. When PII is divulged, a data breach occurs. Cyber criminals may use the stolen PII directly, or they may sell it on a black market such as those found on the dark web. A black market is a marketplace for stolen and illegal goods, including data. The dark web is a collection of websites accessible via specialized web browsers designed to protect the anonymity of the website hosts and clients. PII is valued on a per-record basis. The more records an organization has, the bigger a target it is for hackers.

Data breaches have a negative impact on the people whose PII was stolen. Their privacy has been violated, and they are at heightened risk of identity theft. However, data breaches may not have as big an impact on the breached organization itself. It may still have access to its constituents' data because attackers typically exfiltrate PII without deleting it. This dynamic is an example of an externality. An externality is a cost borne by external parties that exceeds the cost borne by the party responsible for causing or preventing it. This creates an asymmetry that makes incidents more likely, and ultimately,