A Taxonomy for Managing Operational Cybersecurity Risk
Organizations are continually fending off cyberattacks in one form or another. The 2014 Verizon Data Breach Investigations Report, which included contributions from SEI researchers, tagged 2013 as "the year of the retailer breach." According to the report, 2013 also witnessed "a transition from geopolitical attacks to large-scale attacks on payment card systems." To illustrate the trend, the report outlines a 12-month chronology of attacks, including a January "watering hole" attack on the Council on Foreign Relations website followed in February by targeted cyber-espionage attacks against The New York Times and The Wall Street Journal. The well-documented Target breach brought 2013 to a close with the theft of more than 40 million debit and credit card numbers. This blog post highlights a recent research effort to create a taxonomy that provides organizations a common language and set of terminology they can use to discuss, document, and mitigate operational cybersecurity risks.
Foundations of Our Work
Organizations of all sizes in the public and private sectors increasingly rely on information and technology assets that are supported by people and facilities. An attack that disrupts these assets can be devastating. In March, The Economist reported that the Target breach "cost the company US $61m in response costs in the fourth quarter alone and helped fuel a 5.5 percent drop in transactions during the crucial holiday shopping season."
For the purpose of drafting our taxonomy, we defined operational risks as
those arising due to the actions of people, systems and technology failures, failed internal processes, and external events
We defined operational cybersecurity risk as follows:
operational risks to information and technology assets that have consequences affecting the confidentiality, availability, or integrity of information or information systems
While there are a tremendous number of risks that organizations have no control over, organizations can control their understanding of risk in the context of business objectives. Specifically, organizations need to ask the following questions:
- What are our most important mission aspects?
- What threats and risks are we most concerned about?
It is not enough for organizations to understand what controls they are mandated to implement. For instance, federal agencies need to conduct a thoughtful consideration of risk specific to their business so that they can make financially responsible decisions when allocating resources. Our initial taxonomy, along with this latest effort, attempts to help organizations and federal agencies secure information systems and manage risk effectively.
As we outlined in the recently published SEI technical note, A Taxonomy of Operational Cybersecurity Risks, the taxonomy can be used as a tool to help identify all applicable cybersecurity risks within an organization. The impetus for revisiting and updating this taxonomy is the release in April 2013 of the National Institute of Standards (NIST) Special Publication 800-53 rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, which offers updated security controls for agencies. These controls are intended to protect federal agencies and should be applied tactically at the information-system level. To address expanding cyber threats, the NIST report addresses mobile and cloud computing; applications security; trustworthiness, assurance, and resiliency of information systems; insider threat; supply chain security; and the advanced persistent threat.
Our taxonomy is structured around a hierarchy that comprises the four main classes from the definition of operational risk
- actions of people (or inaction) taken either deliberately or accidentally that impact cybersecurity
- systems and technology failures including failure of hardware, software, and information systems
- failed internal processes including problems in the internal business processes, that adversely affect the ability to implement, manage, and sustain cybersecurity, such as process design, execution, and control
- external events including issues often outside the control of the organization, such as disasters, legal issues, business issues, and service provider dependencies
The taxonomy further decomposes each of the above listed classes into subclasses, and each subclass is described by its elements.
In attempting to address risk, organizations need to understand that risks can cascade: risks in one class can trigger risks in another. For example, a software failure due to improper security setting could be the result of any of the elements of inadvertent or deliberate actions of people. Organizations therefore need to analyze a particular risk by involving several elements from different classes.
Consider the following example regarding external events pulled from our technical note:
Class 4 External Events
External events describes a class of operational risk associated with events generally outside the organization's control. Often the timing or occurrence of such events cannot be planned or predicted. The supporting subclasses of this class include disasters, legal issues, business issues, and service dependencies.
Subclass 4.1 Hazards
The hazards subclass deals with risks owing to events, both natural and of human origin, over which the organization has no control and that can occur without notice. The elements supporting this subclass include weather event, fire, flood, earthquake, unrest, and pandemic.
4.1.1 weather event--adverse weather situations such as rain, snow, tornado, or hurricane
4.1.2 fire--fire within a facility or disruption caused by a fire external to a facility
4.1.3 flood--flooding within a facility or disruption caused by a flood external to a facility
4.1.4 earthquake--disruption of organizational operations due to an earthquake
4.1.5 unrest--disruption of operations due to civil disorder, riot, or terrorist acts
4.1.6 pandemic--widespread medical conditions that disrupt organizational operations
Subclass 4.2 Legal Issues
The legal issues subclass deals with risks potentially impacting the organization due to the elements regulatory compliance, legislation, and litigation.
4.2.1 regulatory compliance--new governmental regulation or failure to comply with existing regulation
4.2.2 legislation--new legislation that impacts the organization
4.2.3 litigation--legal action taken against the organization by any stakeholder, including employees and customers
Subclass 4.3 Business Issues
The business issues subclass, described by the elements of supplier failure, market conditions, and economic conditions, deals with operational risks arising from changes in the business environment of the organization.
4.3.1 supplier failure--the temporary or permanent inability of a supplier to deliver needed products or services to the organization
4.3.2 market conditions--the diminished ability of the organization to sell its products and services in the market
4.3.3 economic conditions--the inability of the organization to obtain needed funding for its operations
Subclass 4.4 Service Dependencies
The service dependencies subclass deals with risks arising from the organization's dependence on external parties to continue operations. The subclass is associated with the elements of utilities, emergency services, fuel, and transportation.
4.4.1 utilities--failure of the organization's electric power supply, water supply, or telecommunications services
4.4.2 emergency services--dependencies on public response services such as fire, police, and emergency medical services
4.4.3 fuel--failure of external fuel supplies, for example to power a backup generator
Mapping to Existing Federal Initiatives
As with our initial taxonomy, which we also detailed in a technical note, this latest version also spans a broad swath of industries and explores how to reconcile risk mitigation efforts with recent federal government initiatives:
- the Federal Information Security Management Act of 2002 (FISMA 2002), which applies to U.S. federal agencies and provides a standardized definition of information security that links identified operational cybersecurity risks to specific examples of consequences that impact confidentiality, integrity, and availability
- security guidance provided in NIST special publications, which provide a control catalog that can be applied to federal information systems based on an analysis of the system's relative importance and consequence of loss
- the threat profile contained within the CERT Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method. The OCTAVE method uses the concept of asset-based threat profiles. Octave uses four standard threat categories:
-human actors using network access
-human actors using physical access
-other problems including failed internal processes and external events
For example, NIST SP 800-53 rev 4 includes, for the first time, a number of controls associated with mitigating insider threats. These and other new controls are now mapped into the taxonomy.
In Conclusion and Looking Ahead
Although estimates vary, a recent survey by Ponemon Institute estimated the cost of cybercrime in 2012 to be $8.9 million per company. As shown by the Verizon DBIR report that was mentioned in the introduction, the nature of cybersecurity will continue to evolve on new fronts, prompting new revisions to our taxonomy. In the meantime, we are field testing our taxonomy with various organizations subject to regulatory compliance and risk tolerance. The results of these field tests will also inform future revisions to this taxonomy.
We welcome your feedback on our research in the comments section below.
To read the SEI technical report, A Taxonomy of Operational Cyber Security Risks, Version 2, please visit http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=91013.