The Cyber-Resilient Organization

After completing this reading, you should be able to:

  • Describe elements of an effective cyber-resilience framework and explain ways that an organization can become more cyber-resilient.
  • Explain resilient security approaches that can increase a firm’s cyber resilience, and describe challenges to their implementation.
  • Explain methods that can be used to assess a potential cyber-attack’s financial impact and explain ways to increase a firm’s financial resilience.

Resilience is defined in financial terms as an organization’s ability to recuperate to its initial stable condition, enabling it to operate during and after a significant problem or continuous and substantive level of stress. We shall discuss resilience in the context of cyberspace.

Approaches to Cyber Risk Management

As proposed by the National Institute of Standards and Technology (NIST), the cyber risk management framework consists of five functions:

  1. Identify: create an organizational comprehension of the cybersecurity risk to systems, persons, assets, data, and capabilities.
  2. Protect: create and execute the appropriate defense to ensure that the critical services are delivered.
  3. Detect: develop and implement appropriate practices to identify a cybersecurity event.
  4. Respond: develop and execute relevant activities to take action regarding an identified cybersecurity occurrence.
  5. Recover: develop and implement relevant practices to sustain plans for resilience and restore any capabilities or services affected by a cybersecurity incident.

An organization’s cybersecurity concentrates on maintaining a secure perimeter, using technological tools to monitor internal traffic and external communications, with little tolerance for external penetration, malware, or unauthorized software. Cybersecurity tools include antivirus software, firewalls, network traffic deep-packet inspection, data management systems, email security systems, server gateways, web application firewalls, etc.

The structure of a cybersecurity system is complex and requires specialist skills. Its complexity depends on the organization’s specific operations and needs, given the cyber threats it encounters, the tools available to deal with them, and the size of the budget allocated. Overall security depends on the weakest link in the chain of these components.

Threat Analysis

Cybersecurity evaluation usually starts with threat analysis. An organization ought to assess the likelihood of being the main target of each threat group, or of being caught in the collateral damage of that group’s activities. The analysis involves monitoring cyber events (attempted attacks, malware identifications, suspicious activity), which are generally recorded in an incident log. Threat analysis yields a better understanding of the features and frequencies of attempted attacks and of the threat landscape as a whole.

Incident Response and Crisis Management

Real-time Crisis Management

An organization’s resilience depends on its ability to recover from unexpected and risky events. Technology should be designed to adapt to both expected and unanticipated cyber threats, and the man-machine interface should be strengthened by training and preparing corporate staff for foreseen and unforeseen threats. The essence of cyber resilience is to sustain the system’s ability to deliver the required outcome both in normal times and in crisis times when regular delivery has been impaired. Cyber resilience is improved by having backup plans and full disaster recovery, and it ensures the continuity of business under precarious and unexpected events.

Rapid Adaptation to Changing Conditions

The cyber resilience analysts look for system deficiencies in response to distress and come up with ways of correcting these flaws through cybersecurity improvement in prevention, detection, and reaction. Organizations should be flexible in crisis response; they need to prepare, prevent, respond, and recover from any cyber threat.

Cyber resilience calls for a clear strategy involving people, processes, and technology. The human contribution is the most critical aspect: people can make careless security decisions and thus act in a risky manner. On the other hand, people can deal with distress most prudently, making excellent decisions under intense pressure and coping with uncertainty about their problems and about the suitability of their response plan.

Corporate decision making begins with the board of directors, which masterminds the cyber resilience agenda and then involves the whole organization, its supply chain, partners, and clients. To maintain an equilibrium between risk and opportunity, the organization’s risk strategy should manage vulnerabilities, threats, risks, and their effects, and should include preparation for and recovery from a cyber threat. The strategy’s cost should be gauged, and it should be appropriate to user convenience and business requirements.

Cyber Risk Awareness in Staff

As recommended by Microsoft (Johnson, 2017), every person who accesses the corporate network (full-time employees, consultants, and contractors) should be trained frequently to develop a cyber-resilient mindset. Training aspects include adhering to IT policies on identity and access control, and reporting suspicious events promptly to reduce recovery time.

Most corporate training exists to equip staff to deal with social engineering scams that target their psychological, emotional, and cognitive weaknesses. The cognitive science literature shows that misinformation about past events reduces memory accuracy and can even create false memories. Phishing attacks and social engineering apply various con tricks, misdirections, and scams to lure staff into giving out credentials, opening infected attachments, clicking dubious links, and other harmful actions. Staff should therefore be trained to recognize these tricks and to judge whether a message is genuine or fake.

Business Continuity Planning and Staff Engagement

Staff members should understand business continuity issues. Those assigned specialist duties, such as planning tests, threat response, and emergency response, require extra training. Middle and senior managers should also know and practice integrated cyber resilience management best practices and compliance standards. The compliance standards to be adopted include:

  • ISO 27001: the international standard explaining the best practice for an information security management system; and
  • ISO 22301: the international standard for business continuity.

To achieve successful staff training, the staff should be fully engaged: the training should not be dull, tedious, or boring, and it should be psychology based. For instance, employees should be positively rewarded for good cyber hygiene, such as reporting phishing emails, preventing tailgating, keeping desktop software patched and updated, and keeping passwords confidential.

Gaming and Exercises

Incentivized training has been seen to be effective when delivered in the form of competitive games, an approach termed gamification. The application of gamification to fighting cyber risk has proved effective. A good example is Kaspersky Lab, which uses gamification technology to instil security awareness.

There are four principles of gamification:

  1. Defining a goal;
  2. Defining the rules for reaching that goal;
  3. Setting up a feedback mechanism; and
  4. Implementing voluntary participation.

Gamification involves awarding points to employees who do the right thing, together with forms of recognition such as prizes. Cybersecurity is a form of adversarial game in which attackers are rewarded for their efforts, so defenders should be rewarded accordingly. The more points the staff earn, the stronger the defense.

Nudging Behavior

Psychology can also be applied through the nudging principle, which motivates staff to maintain good cyber hygiene without necessarily having to reward them. The nudging principle is often illustrated with a golf metaphor: the target is marked with a flag pin that guides players towards it. An example of nudging in the cybersecurity context is inducing staff to talk about cybersecurity, which develops a cyber risk culture.

Resilience Engineering

Safety Management

Conventional safety management concentrates on identifying and defending against the threats using methods with limited capability to realistically and adequately represent the complexity of human and organizational influences. Moreover, identifying the causal factors is hindered by the social, cultural, and technical features of complex engineered systems.

Resilience engineering addresses the shortcomings of traditional safety management by building on safety engineering and treating faults and failures in socio-technical rather than purely technical terms. It focuses on the organization and the socio-technical system in the presence of accidents, errors, and disasters. Generally, resilience engineering is suited to tightly coupled systems that cannot be fully described or specified.

Attributes of Cyber-Resilient Organization

A cyber-resilient organization should focus on anticipating, withstanding, recovering, and evolving. These features are related and should therefore be addressed simultaneously. For instance, while withstanding or recovering from a cyber threat, a manager should expect further attacks. Moreover, the business should evolve to address changing operational and technical environments. In other words, a cyber-resilient organization should aim to become more resilient in the face of all these stresses.

The top six attributes of resilience include:

  1. Flexibility: an organization should maximize the ability to solve problems without loss of operational ability. Flexibility requires essential security decisions to be made at the lower hierarchy of the organization.
  2. Preparedness: an organization should always be ready for problems, especially in human performance. It should expect and be ready for any threat.
  3. Learning culture: an organization should possess a learning culture, both from good and bad experiences, and should not deal with cyber risk issues with denial.
  4. Awareness: an organization should be aware of the actual state of defenses and the state of degradation. The human performance should be evaluated.
  5. Just culture: developing a just culture in an organization helps report issues up through the organization. Lack of a just culture hinders the employees of an organization from reporting problems. The organization will, therefore, be weak in terms of the ability to learn about defensive weaknesses.
  6. Commitment: an organization should cultivate a top-level commitment to organizing and assessing human performance issues in both words and actions. It should provide continuous and extensive follow-through to deeds linked to human performance.

The six attributes of the organization stated above have a significant impact on the quantitative resilience measures, including:

  • Time and cost to restore operations
  • Time and cost to restore system configurations
  • Time and cost to restore functionality and performance
  • The degree to which the level of normality is restored after the disruption
  • Successful adaptations within time and cost limits.

Cyber Resilience Objectives

The dynamic nature of cyber threats makes many actions to improve resilience only effective over a short duration of time. The following are some of the objectives of cyber resilience:

  1. Adaptive Response

    The adaptive response includes monitoring the effectiveness of the actions taken in dealing with cyber-attacks, maintaining essential functionality, and restoring functional capabilities.

  2. Analytic Monitoring

    Analytic monitoring includes gathering and analyzing data on an ongoing basis in an organized way to identify imminent vulnerabilities, adversary activities, and effects.

  3. Coordinated Defense

    The traditional defenses against cyber attacks should be organized so that they do not conflict with each other. They should mutually work towards the same purpose.

  4. Deception

    Deception is an essential tool of cyber defense, most appropriate against powerful adversaries such as state-sponsored threat actors.

  5. Privilege Restriction

    Privileges should be limited to lower the likelihood of cyber-attacks.

  6. Random Changes

    Defense mechanisms should be changed frequently and at random to offset predictability and increase the likelihood of detecting an attacker.

  7. Redundancy

    Defense mechanisms should be redundant, and their failures independent, so that the failure of one does not imply the failure of another.

  8. Segmentation

    An organization’s attack surface should be segmented according to the criticality of its assets so as to limit a threat’s effects. Segmentation can be done physically, into separate entities, or virtually, into computing sub-networks.

  9. Substantiated Integrity

    The integrity of critical systems and backups should be substantiated and analyzed so that invalid or out-of-range values are detected.

Incident Response Planning

Forensic Investigation

Many cyber-crimes are reported, but only a tiny proportion are successfully prosecuted, and only after a substantial criminal investigation. A criminal investigation should be carried out for legal reasons, to comply with obligations to shareholders and stakeholders, and to enhance resilience. Investigations include computer forensics, where diligence is required when visiting the crime scene to limit interference with the evidence.

The criminal investigation should be done while adhering to the following principles:

  1. The law enforcement agencies and their employees/agents should not change the data used in the court proceedings.
  2. Only competent personnel should access original data and should have the ability to give evidence that explains the relevance and implications of his or her actions.
  3. An audit trail or the record of the digital evidencing process should be developed and preserved. Only an independent third party should have the ability to analyze the process and reach the same result.
  4. The head of the investigation should ensure that the law and the principles herein are adhered to.

Forensic investigators should also be aware of covert attempts to frustrate computer forensic analysis, such as encryption, the overwriting of data, and the modification of file metadata.
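The third investigation principle above asks for an audit trail of the evidence-handling process that an independent party can rerun and reach the same result. The following is an added example, not code from the reading, of one way to build such a trail: each handling step records the SHA-256 hash of the evidence image and the hash of the previous entry, so a later edit to any step, a rewritten entry, or a modified image (for instance, altered file metadata) is detectable. The disk image, actors and step names are constructed for the illustration.

```python
# Added example (not from the reading): a hash-chained audit trail for the
# handling of a piece of digital evidence. Every step records the SHA-256 of
# the evidence and the hash of the previous entry, so an independent party can
# rerun the verification and detect a changed step or a changed evidence image.
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_entry(trail: list, action: str, actor: str, evidence: bytes, note: str = "") -> dict:
    """Append one handling step and return it. The entry hash covers all fields,
    including prev_hash, which links the entry to the one before it."""
    entry = {
        "seq": len(trail),
        "action": action,
        "actor": actor,
        "evidence_sha256": sha256_hex(evidence),
        "note": note,
        "prev_hash": trail[-1]["entry_hash"] if trail else GENESIS,
    }
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    trail.append(entry)
    return entry


def verify_trail(trail: list, evidence: bytes):
    """Recompute every link. Returns (ok, list_of_problems)."""
    problems = []
    expected_prev = GENESIS
    evidence_hash = sha256_hex(evidence)
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            problems.append(f"entry {i}: contents altered after being recorded")
        if entry["seq"] != i or entry["prev_hash"] != expected_prev:
            problems.append(f"entry {i}: chain broken (entry removed, reordered or rewritten)")
        if entry["evidence_sha256"] != evidence_hash:
            problems.append(f"entry {i}: evidence hash does not match the image presented")
        expected_prev = entry["entry_hash"]
    return (not problems, problems)


def demo() -> dict:
    """Constructed scenario: a tiny 'disk image' handled in three steps, then
    three kinds of tampering that the verifier must catch."""
    image = b"constructed disk image bytes: MBR ... partition 1 ... (sample only)"
    trail = []
    append_entry(trail, "acquire", "examiner-A", image, "imaged with write blocker (hypothetical)")
    append_entry(trail, "hash", "examiner-A", image)
    append_entry(trail, "analyse-readonly", "examiner-B", image)
    results = {"clean": verify_trail(trail, image)[0]}

    # 1. A note is edited in place without recomputing the entry hash.
    edited = json.loads(json.dumps(trail))
    edited[1]["note"] = "hash step skipped"
    results["edited_note"] = verify_trail(edited, image)[1]

    # 2. An entry is rewritten *and* its hash recomputed; the next link breaks.
    rewritten = json.loads(json.dumps(trail))
    body = {k: v for k, v in rewritten[1].items() if k != "entry_hash"}
    body["actor"] = "someone-else"
    rewritten[1] = dict(body, entry_hash=sha256_hex(json.dumps(body, sort_keys=True).encode()))
    results["rewritten_entry"] = verify_trail(rewritten, image)[1]

    # 3. The evidence itself is modified (e.g. metadata rewritten) after acquisition.
    results["modified_image"] = verify_trail(trail, image + b"\x00")[1]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

A hash chain only proves that the record and the image are internally consistent; in practice the trail would also be timestamped and signed (or stored with a neutral party) so that the whole chain cannot simply be regenerated from scratch.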

Initial Breach Diagnosis

The first step in incident response is to establish when the security was first breached, followed by discovering which systems have been affected and what data has been taken or corrupted. Generally, the first response is triage, consisting of grouping, prioritizing, and assigning the incidents to the relevant personnel.

Before eliminating the threat and the malware from the system, containment of the damage and prevention of its spread should be prioritized. Organizational resilience is reflected in the complete restoration of systems to their functional state, although this is complicated by the reconnection of networks and by the need to ensure that the systems have been successfully restored.

Another sign of organizational resilience is prospective thinking. That is, before the primary occurrence happens, plans should be set out for investigating incidents, such as predicting when they might happen and conducting post-crisis investigations. The key outcomes of the investigations (such as the workability of the security measures and the costs of cyber incidents) should be communicated to the organization’s stakeholders transparently and in a timely manner, after which the cost-effectiveness of improved security measures can be assessed.

Resilient Security Solutions

Resilient Software

Resilient software is software that can withstand failure in a critical situation, such as a cyber-attack, and still recover in an appropriate and predefined way and time. However, software resilience is affected by complexity, globalization, interdependency, rapid change, the level of system integration, and behavioral impacts.

When an organization’s networked system is involved, providing a service platform with a considerable amount of resilience becomes difficult. Learning from past failures is essential for a resilient organization: when software fails, it is an opportunity to incorporate additional resilience characteristics.

When developing software, security should be fully incorporated through built-in characteristics such as a robust defense mechanism, running with least privilege, and avoiding security by obscurity. A software development life cycle (SDLC) provides the framework for creating software and managing it throughout its life. However, there is no single definitive way of developing software and applications, because the approaches employed by different organizations address distinct challenges and objectives.

Resilient software has a well-hardened defense perimeter and is tested by a sponsored (ethical) attacker who tries to identify entry points through social engineering deception or a zero-day exploit. It must be noted that cyber-attacks will eventually happen; thus a resilient response must be planned, because even 21st-century software is not a medieval fortress.

According to Dr. Eric Cole, the three successful foundations of response are detection, containment, and control. Quick threat detection is achieved only when the cybersecurity of an organization is resilient.

Minimization of the Intrusion Dwell Time

A resilient strategy for combating cyber-attacks should minimize the intrusion dwell time, the time from the first compromise of a system to the time the malware ceases to be effective. Reduction of the intrusion dwell time is achieved by early detection, combined with an effective response, to minimize the number and extent of the affected systems.

Intrusion dwell time is often measured in months rather than days or weeks, because attackers adapt to new systems and change their attack strategies away from those already detected by threat intelligence. A network behavior anomaly detection (NBAD) program tracks important network features in real time and raises an alarm if abnormal activity that might indicate a threat is detected. NBAD can also monitor the behavior of individual network subscribers. Some of the characteristics observed by NBAD are increased traffic volume, bandwidth, and the protocols used.

NBAD works optimally when a solid baseline of healthy network or user behavior has been established over time, so as to avoid “false positives” and “false negatives.” For instance, without a good baseline, a large but legitimate network data volume may be reported by NBAD as abnormal.

Anomaly Detection Algorithm

Anomaly detection algorithms are based on sophisticated intelligent approaches, including Bayesian inference techniques, for detecting anomalies; these probabilistic techniques have been further improved by Big Data analysis methods. Signature-based detection approaches are faster, cheaper, and simpler but less powerful. They depend on a database of signatures, matched against packet contents, that are believed to indicate malicious activity; signature-based tools work by checking for the automated procedures of well-known hacker tools.

Both anomaly-based and signature-based detection methods should be incorporated into the general network intrusion detection system (NIDS). Detecting a cyber attacker’s movement calls for continuous monitoring of the internal network and for visual metrics that give security analysts the appropriate measures to be aware of any potential intrusion, so that it can be contained and controlled immediately.
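To make the two detection styles concrete, here is an added example, not code from the reading or from any NIDS product, of a toy detector that runs a signature check and an NBAD-style baseline check side by side over per-minute flow summaries for one host. The host name, volumes, protocols, payload excerpts and the two signature patterns are all constructed for the illustration.

```python
# Added example (not from the reading): a toy network intrusion detector that
# combines signature matching with NBAD-style baseline anomaly detection over
# constructed per-minute flow summaries. Hosts, volumes, signatures and payload
# excerpts are all invented for this illustration.
import re
import statistics
from dataclasses import dataclass


@dataclass
class FlowRecord:
    minute: int      # minutes since monitoring started
    host: str        # internal host the flows belong to
    bytes_out: int   # outbound volume in that minute
    protocol: str    # dominant application protocol seen
    payload: str     # short excerpt of payload (constructed text)


# Hypothetical signature database: patterns associated with well-known attack tools.
SIGNATURES = {
    "sqli_probe": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "sqlmap_user_agent": re.compile(r"User-Agent:\s*sqlmap", re.IGNORECASE),
}


def signature_alerts(rec: FlowRecord) -> list:
    """Fast, cheap check: which known-bad patterns appear in the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(rec.payload)]


def build_baseline(records: list) -> dict:
    """Per-host baseline (mean/stdev of outbound volume, protocols seen) learned
    from a training window that is assumed to contain only healthy traffic."""
    by_host = {}
    for r in records:
        by_host.setdefault(r.host, []).append(r)
    baseline = {}
    for host, recs in by_host.items():
        vols = [r.bytes_out for r in recs]
        baseline[host] = {
            "mean": statistics.mean(vols),
            "stdev": statistics.pstdev(vols),
            "protocols": {r.protocol for r in recs},
        }
    return baseline


def anomaly_alerts(rec: FlowRecord, baseline: dict, z_threshold: float = 3.0) -> list:
    """Behavioural check: volume far above the host's norm, or a protocol never seen."""
    b = baseline.get(rec.host)
    if b is None:
        return ["no_baseline_for_host"]   # cannot judge without a baseline
    stdev = b["stdev"] or 1.0             # flat baseline: avoid division by zero
    z = (rec.bytes_out - b["mean"]) / stdev
    alerts = []
    if z > z_threshold:
        alerts.append("volume_anomaly")
    if rec.protocol not in b["protocols"]:
        alerts.append("unseen_protocol:" + rec.protocol)
    return alerts


def analyse(training: list, live: list) -> list:
    """Run both detectors over live records; return (minute, host, alerts) tuples."""
    baseline = build_baseline(training)
    findings = []
    for rec in live:
        hits = signature_alerts(rec) + anomaly_alerts(rec, baseline)
        if hits:
            findings.append((rec.minute, rec.host, hits))
    return findings


# Constructed data: eight quiet minutes to learn from, then four live minutes.
TRAINING = [FlowRecord(i, "ws-17", v, p, "GET /index.html HTTP/1.1")
            for i, (v, p) in enumerate([(50_000, "https"), (52_000, "https"),
                                        (48_000, "dns"), (55_000, "https"),
                                        (51_000, "https"), (49_000, "dns"),
                                        (53_000, "https"), (50_000, "https")])]
LIVE = [
    FlowRecord(9, "ws-17", 52_000, "https", "GET /index.html HTTP/1.1"),
    FlowRecord(10, "ws-17", 51_000, "https", "GET /login?user=admin' OR 1=1-- HTTP/1.1"),
    FlowRecord(11, "ws-17", 900_000, "https", "POST /upload HTTP/1.1"),   # bulk outbound volume
    FlowRecord(12, "ws-17", 50_000, "smb", "SMB2 NEGOTIATE"),             # protocol never seen before
]


def run_example() -> list:
    return analyse(TRAINING, LIVE)


if __name__ == "__main__":
    for minute, host, alerts in run_example():
        print(f"minute {minute:>2} {host}: {', '.join(alerts)}")
```

The signature check catches minute 10 regardless of volume, while the baseline check catches minutes 11 and 12, which no signature would. The baseline caveat from the reading shows up directly in the code: if the training window had included a nightly backup, the mean and standard deviation would absorb it and the 900,000-byte minute might pass (a false negative); if the window is too short, an ordinary large transfer is flagged (a false positive). The z-score threshold is the knob that trades one against the other.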

Penetration Testing

It is crucial to understand the relationship between vulnerability assessment and risk analysis in the cyberspace context, although more emphasis is usually put on vulnerability assessment. Note that a practical vulnerability assessment does not automatically translate into risk reduction. For instance, a software update and a reboot might be recommended by a vulnerability scanner; even if this recommendation is followed, one still has to determine whether the update and reboot will actually reduce the risk.

A penetration test (abbreviated as a pen test) is a process of carrying out a simulated attack to determine how successful a real cyber-attack would be. A pen test to determine whether a missing patch raises vulnerability increases the cost of testing and might lead to costly system downtime. However, there are cheap pen tests, such as simple social engineering tricks or guessing easy passwords.

Pen testers should possess a wide range of knowledge, ability, and experience; the expertise of the best testers spans operating systems, networking, and scripting languages. They should be able to combine manual and automated methods to mimic attackers with equal sophistication.

Pen test results are typically delivered ranked by severity and exploitability, together with the corresponding remediation responses. From the pen test results, appropriate actions can be taken, such as plugging security gaps, improving reactions to attacks, and enhancing cyber resilience.

The Risk-Return Trade-Off

An organization’s cybersecurity personnel might want to reduce every vulnerability as soon as it is detected. Still, the senior finance and accounting officials of the organization are concerned about the risk-return trade-off: for instance, the level of risk reduction achieved might not justify the budgetary allocation.

Pen testing is usually relied on to determine cyber risk mitigation, rather than sophisticated scientific techniques. Pen testers usually know what to charge, but they cannot put a price on success or failure. Pen testers give the required recommendations from their assessment, but no two testers perform identical assessments, and usually pen tests are done on specific targets.

Financial Resilience

Financial Impacts of a Cyber Attack

A cyber-attack can affect a corporation in numerous ways, such as theft of intellectual property and other sensitive information, corruption of important computer files, downtime of the whole system, reputational damage to the corporation, and a trail of lawsuits that may follow. Whatever the impact, the corporation’s business is disrupted. Therefore, the ultimate concern of any organization is the financial impact, in that each of these cyber-attack outcomes results in a financial loss to the corporation. For instance, for a publicly listed corporation, stock prices might be adversely affected by a cyber-attack.

Financial Risk Assessment

Corporations need to analyze their risk and build resilience into the balance sheet to withstand all categories of anticipated shock. For instance, in the US, public companies must file 10-K submissions with the Securities and Exchange Commission that identify critical risks to their business and inform their shareholders and counterparties. One of the critical risks reported is cyber risk.

A cyber-attack can negatively affect the balance sheet of even a smaller company. For instance, companies might issue a profit warning, suffer rating downgrades, make emergency loan provisions, and see a reduced stock price. These impacts might be so severe that the company exits the market. The probability of a cyber attack causing events such as the announcement of a profit warning depends on the type of risk analysis, the definition of the likelihood of a severe cyber loss, the financial structure of the organization, its liquidity, its access to capital reserves, and the analysts’ explanation of how the cyber attack might affect the future business model and the organization’s position compared with its competitors.

To achieve balance sheet resilience against the levels of financial shock caused by a cyber-attack, the standard financial engineering measures are to minimize the volatility of earnings, maintain appropriate liquidity margins, lower debt ratios, have access to emergency loan provisions, be able to cut costs to meet earnings targets, and buy cyber insurance.

Reverse Stress Testing

A financial stress test based on a cyber-attack scenario is used to evaluate the implications for the corporation while considering how the stressed scenario can affect its businesses. For instance, a severe scenario might lead to a downgrade of the corporation’s credit rating. Moody’s Investors Service treats material cyberattacks, like natural disasters, as extraordinary event risks. The rating effects depend on the length and the severity of the event.

The resilience of an organization depends on the period of disruption and restoration. Therefore, a cyber-resilient organization should know, through reverse stress testing, the level of cyber-attack impact that would threaten its viability or its credit rating. Consequently, the organization can develop measures that protect it against such adverse outcomes.
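A reverse stress test starts from the adverse outcome and works backwards to the loss size that causes it. The following added example, not from the reading, does this for a simplified balance sheet: for each of three outcomes named above (profit warning, capital ratio falling to a downgrade trigger, liquidity falling to the point of needing emergency funding) it searches for the smallest gross cyber loss that trips the indicator, first uninsured and then with a cyber insurance policy that has a retention and a limit. The firm’s figures, the thresholds and the policy terms are constructed, in whole $ millions, for the illustration.

```python
# Added example (not from the reading): a reverse stress test on a simplified
# balance sheet. Instead of asking "what does a given cyber loss do to us", it
# searches for the smallest uninsured loss that trips each viability indicator.
# All figures, thresholds and the insurance policy are constructed for the
# illustration (amounts in whole $ millions).
from dataclasses import dataclass
from typing import Optional


@dataclass
class BalanceSheet:
    total_assets: float
    equity: float
    liquid_assets: float
    expected_earnings: float   # next year's earnings before any cyber loss


@dataclass
class Thresholds:
    min_capital_ratio: float   # equity / total assets below this -> downgrade risk
    min_liquidity: float       # liquid assets below this -> emergency funding needed
    max_earnings_drop: float   # earnings fall by more than this fraction -> profit warning


@dataclass
class CyberPolicy:
    retention: float   # the firm pays the first `retention` of every loss
    limit: float       # the insurer pays at most `limit` above the retention


def net_loss(gross: float, policy: Optional[CyberPolicy]) -> float:
    """Loss borne by the firm after insurance (all of it if uninsured)."""
    if policy is None:
        return gross
    return min(gross, policy.retention) + max(0.0, gross - policy.retention - policy.limit)


def after_loss(bs: BalanceSheet, loss: float) -> BalanceSheet:
    """A cash loss drains liquid assets and is written off against equity and earnings."""
    return BalanceSheet(bs.total_assets - loss, bs.equity - loss,
                        bs.liquid_assets - loss, bs.expected_earnings - loss)


def indicators_hit(bs: BalanceSheet, th: Thresholds, loss: float) -> set:
    """Which viability indicators a net loss of this size trips."""
    a = after_loss(bs, loss)
    hit = set()
    if a.total_assets <= 0 or a.equity / a.total_assets < th.min_capital_ratio:
        hit.add("capital_ratio")
    if a.liquid_assets < th.min_liquidity:
        hit.add("emergency_liquidity")
    if a.expected_earnings < (1 - th.max_earnings_drop) * bs.expected_earnings:
        hit.add("profit_warning")
    return hit


def reverse_stress_test(bs: BalanceSheet, th: Thresholds,
                        policy: Optional[CyberPolicy] = None) -> dict:
    """For each indicator, bisect for the smallest whole-unit gross loss that trips
    it. Bisection is valid because every indicator is monotone in the loss."""
    results = {}
    for name in ("profit_warning", "capital_ratio", "emergency_liquidity"):
        lo, hi = 0, int(bs.total_assets)   # lo never trips the indicator; hi must
        if name not in indicators_hit(bs, th, net_loss(hi, policy)):
            results[name] = None           # not reachable within the search range
            continue
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if name in indicators_hit(bs, th, net_loss(mid, policy)):
                hi = mid
            else:
                lo = mid
        results[name] = hi
    return results


# Constructed firm: 10% capital ratio, modest liquidity, thin earnings.
FIRM = BalanceSheet(total_assets=10_000, equity=1_000, liquid_assets=800, expected_earnings=150)
LIMITS = Thresholds(min_capital_ratio=0.08, min_liquidity=300, max_earnings_drop=0.5)
POLICY = CyberPolicy(retention=100, limit=400)

if __name__ == "__main__":
    print("uninsured:", reverse_stress_test(FIRM, LIMITS))
    print("insured:  ", reverse_stress_test(FIRM, LIMITS, POLICY))
```

For the constructed firm, a loss of 76 already forces a profit warning, 218 breaches the capital threshold and 501 exhausts the liquidity margin when uninsured; the policy pushes the last two out to 618 and 901 but does nothing for the profit warning, because the retention alone exceeds half a year’s earnings. Reading the table this way tells management which of the resilience measures listed above (earnings buffer, liquidity margin, insurance structure) actually moves the outcome they care about.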

Defense in Depth

Defense in depth is crucial in strengthening a system’s resilience. An overlapping system design means that one system’s failure does not cause another to fail, and thus the chance of overall system failure is reduced. By contrast, standard check-box security monitoring has a minimal level of redundancy and insufficient security. Operational redundancy is expensive, but this is the cost of resilience. The depth of defense in an organization depends partly on regulation and on the corporation’s risk appetite.

Enterprise Risk Management (ERM)

Enterprise risk management is designed to identify occurrences that might affect the organization and to help keep risks within the risk appetite. The desired cyber resilience of an organization should be based on its risk appetite. Conventional ERM measures do not quantify the level of financial loss in the case of a cyber-attack; however, ERM research helps in specifying the appropriate level of cyber resilience investment.

Cyber Value at Risk

Recall that value at risk (VaR) is a measure of risk for a given portfolio and time horizon, generally defined as a threshold loss. That is, financial VaR is the maximum loss at a given confidence level (such as 99%) over a given time horizon, such as one year. Cyber VaR is based on the general definition of VaR. As with other risks, both the expected loss from cyber threats and the losses that have a small but finite probability should be considered. Cyber VaR can thus be understood as the value that is exposed to both common and critical attack risks.

Note that the confidence levels are determined using hypothesis tests while assuming a normal distribution. The normal assumption might not be appropriate for cyber risk analysis because there is little historical data, and what exists may not represent the tail of the loss distribution. This is because cyber risks do not respect geographical limits, and their severity can increase by orders of magnitude.
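The following added example, which is not from the reading, shows the two definitions side by side: an empirical cyber VaR read off a simulated annual loss distribution, and the VaR a normal-distribution assumption would give from the same data’s mean and standard deviation. The loss model (a Poisson number of incidents per year, each with a lognormal severity) and its parameters are constructed, not calibrated to any real firm; the point is to see how the two estimates diverge in the tail.

```python
# Added example (not from the reading): cyber VaR from a simulated annual loss
# distribution, compared with the VaR a normal-distribution assumption would give
# on the same data. The frequency/severity parameters are constructed, not
# calibrated to any real firm.
import math
import random
import statistics


def empirical_var(losses, confidence: float):
    """Loss not exceeded with probability `confidence`: the upper-rank sample quantile."""
    ordered = sorted(losses)
    k = math.ceil(confidence * len(ordered)) - 1
    return ordered[max(k, 0)]


def normal_var(mean: float, stdev: float, confidence: float) -> float:
    """VaR if losses were normally distributed with the given mean and stdev."""
    return mean + statistics.NormalDist().inv_cdf(confidence) * stdev


def poisson(rng: random.Random, lam: float) -> int:
    """Incident count for one year (Knuth's method; the stdlib has no Poisson sampler)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_losses(n_years: int, incidents_per_year: float,
                           sev_mu: float, sev_sigma: float, seed: int = 7) -> list:
    """Compound model: Poisson number of incidents per year, each with a
    lognormal severity (heavy right tail, as cyber losses tend to show)."""
    rng = random.Random(seed)
    years = []
    for _ in range(n_years):
        n = poisson(rng, incidents_per_year)
        years.append(sum(rng.lognormvariate(sev_mu, sev_sigma) for _ in range(n)))
    return years


def compare(losses, confidences=(0.95, 0.99, 0.999)) -> dict:
    """Empirical VaR versus normal-assumption VaR at each confidence level."""
    mean, stdev = statistics.mean(losses), statistics.pstdev(losses)
    return {c: {"empirical": empirical_var(losses, c), "normal": normal_var(mean, stdev, c)}
            for c in confidences}


if __name__ == "__main__":
    # 20,000 simulated years; severities in $ thousands (constructed parameters).
    annual = simulate_annual_losses(20_000, incidents_per_year=2.0, sev_mu=4.0, sev_sigma=1.5)
    for c, v in compare(annual).items():
        print(f"{c:.1%}: empirical VaR {v['empirical']:>12,.0f}   normal VaR {v['normal']:>12,.0f}")
```

Because the normal fit spends its single standard deviation on the bulk of the distribution, it typically understates the far tail of a heavy-tailed loss model and can even return a negative 95% figure when the mean is small relative to the spread; the empirical quantile has the opposite weakness, since with little history the 99.9% point rests on a handful of observations. That is exactly the concern the paragraph above raises about cyber risk data.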

Re-Simulation of the Historical Data

Stochastic simulations of historical cyber-attacks over a given time horizon assist the cyber risk analyst in looking at both near and far horizons and determining the size of the cyber losses at that time. For instance, a corporation’s vulnerability to cloud failure might be determined by analyzing the historical failures of a service provider and examining the downward counterfactuals, in which an unfortunate event could have turned out worse because of the cloud service provider’s poor resilience.

Counterfactual analysis quantifies the benefit of past security improvements, such as regular pen tests. For example, for the WannaCry attack of May 2017, the value of well-maintained backup systems in a malware attack might be determined retrospectively.

Studying past events encourages better future preparedness for, and resilience against, cyber-attacks. Moreover, counterfactual analysis assists in deciding the cost-effectiveness of adding resilience technology.

Building Back Better

After a cyber-attack, computer systems should be configured in a way that is more resistant to future attacks. Metaphorically, engineers construct earthquake-resistant buildings after an earthquake instead of merely restoring the buildings to their pre-earthquake state. In other words, restoring the pre-attack functionality with the same vulnerabilities unchanged is a short-term solution. Restoring the system should include some additional redundancy that can mitigate the same source of cyber-attack in the future.

Moreover, just as hackers learn from one another, so should the affected corporations. In other words, an organization can build back better by using its own experiences and those of other organizations that have suffered similar attacks. For instance, the attack on Target in 2013 prompted other managements to respond accordingly; some corporations also increased their security budgets.

Education for the Cyber Resilience

There is a growing demand for cybersecurity professionals, even greater than for IT professionals generally, and more millennial professionals need to be trained as cybersecurity professionals. Hackers with a considerable level of IT skill and knowledge should be employed to prevent them from enabling cybercrime or being influenced by highly skilled criminal hackers. Cyberspace resilience depends heavily on the skill, training, and experience of cybersecurity professionals.

Apart from education on cyber resilience, the cyber profession itself should be improved. Governments have the upper hand in promoting the cyber profession. For instance, the UK National Cyber Security Centre has offered bursaries, specialized training, and paid work placements to a thousand British students.

Apart from government intervention, a cyber-resilient organization should employ and retain the best cyber professionals. Professionalism in cyberspace security reduces cyber threats and vulnerabilities; cyber-attacks increase when professionals leave without effective succession planning.

Practice Question

Capital Bank, whose shares trade on the New York Stock Exchange, has just suffered a cyber-security incident. Adversaries managed to breach the bank’s money transfer system and channelled millions of dollars into a personal account through an intricate web. As a result of the breach, which of the following is likely to occur?

A. The bank may issue a profit warning

B. The bank may be subjected to a ratings downgrade

C. The bank’s share price may fall significantly

D. All of the above

The correct answer is: D.

A cyber-attack has the potential to damage a company’s balance sheet, especially for fairly sized institutions. A breach of the money transfer system would mean the adversaries gain unfettered access to the bank’s funds. A loss of cash running into millions of shillings may force the bank to issue a profit warning, telling investors that the bank’s profit in the coming quarter will decline significantly compared with the same quarter of the previous year, or that the bank may even make a loss. It is also likely that the bank’s credit rating will be downgraded to reflect its weakened balance sheet. Ultimately, the bank’s share price could fall as investors express their loss of confidence in the bank.
