How to talk about cybersecurity risks, colloquially – TechTarget

Our language for describing and discussing cybersecurity risks is failing. It’s failing to elevate our conversations with boards and company executives. It’s failing to provide a full picture of an organization’s security risks. It’s failing to garner investment in critical processes, technologies and people to defend organizations from cyber threats.

To solve a problem, we need to know where we’ve been and where we’re going. We’ve used the same language to describe risk for many years: risk = likelihood x impact.

But risk is not as simple as a formula with straightforward inputs. Instead of simplifying the situation, we’ve added cybersecurity terms like threat, vulnerability, threat actor, exploit and probability that make it harder. We further complicate the problem by using terms such as threat, threat actor and vulnerability interchangeably.

These terms are defined by NIST and other standards and accrediting bodies, but in practice, we often conflate them, confusing ourselves and the audience we’re seeking to enlighten.

Systems are more complex than ever. Attacks have grown in number and complexity, while new languages, tools and computing capabilities have advanced at a rapid pace. The scale of impact has also increased exponentially, as thousands of attacks, including NotPetya, SolarWinds and the Exchange Server hacks, demonstrate.

How should we talk about risk?

We need ways of talking about risk that do the following:

  • communicate levels of danger to our intended audience;
  • are relevant to decision-makers;
  • lead to decisions, actions, investments and implementation;
  • are repeatable and broadly usable across a variety of industries; and
  • are backed by comprehensive data that indicates risk levels.

Organizations have inadequately addressed this problem in several ways:

  • by writing Securities and Exchange Commission 10-K filings with risk factors that are generic factors and divorced from the underlying business;
  • by estimating the probability of a material impact in the next three years with unhelpful calculations;
  • by calculating and tracking the mean time to identify, investigate and respond to incidents that provide good insight but not actual solutions;
  • by applying the Factor Analysis of Information Risk methodology when there’s limited quantitative information;
  • by filing risk registers with identified issues and tracking items through a risk mitigation process to resolution; and
  • by outsourcing risk scores from various systems in an attempt to capture risk in a single value analogous to individual credit scores for loans.

    Source: https://www.techtarget.com/searchsecurity/post/How-to-talk-about-cybersecurity-risks-colloquially