In this blog we are going to examine the relationship between Cyber Threats and Cybersecurity Protection Measures (Controls). However, before we do that let’s take a step back and look at the relationship between risks, threats, and controls in general.
An analogy that we can all hopefully relate to is the idea of building a house close to a riverbank. We envisage sunny days lazing on the lawn and idyllic views. However, there is inevitably a potential risk that our property could be periodically flooded, our house damaged and our possessions ruined or destroyed. We could take a number of approaches to managing this risk: a shrug of the shoulders and acceptance that every so often we are going to have to pay out for new carpets, furniture and re-decoration; or we could build some defences to reduce the effect of a potential flood, such as installing a set of sandbags around the property, building a raised ground floor or building the house on stilts. It may also be possible to buy varying levels of insurance to pay out in the event that the flood happens, if we could afford the premiums and if anyone will insure us!
This simple example highlights the relationships between the Risk of flooding, the Threat of the river breaching its bank and some of the Controls that we can adopt to mitigate the risk. For every risk we can map the underlying threats, such as a huge storm, that can result in the risk (the river breaching its banks) being realised. We can then determine the controls that can be put into place to reduce the likelihood of the threat happening and to reduce the potential impact should it occur.
These relationships also hold true for Cyber, which means that if we fully understand the Cyber Risk to our business and the Cyber Threats that we are exposed to, then by applying the correct Cybersecurity Controls we can significantly reduce the risk of suffering a Cyber Incident. By using this approach we should be able to assess and rate all the controls we could take to mitigate the threats and repercussions of a breach and then prioritise those which will have the greatest effect on that mitigation (rather than waste money on every conceivable control in the hope that one of them will work, or find we have not deployed the one that actually would have!).
Our trivial example above focussed on a simple use case with a single risk and a single static threat that could be easily assessed. In today’s digital enterprises, with thousands of potential exposures that are continually changing, this exercise is obviously much more challenging.
If we now consider a common Cyber Threat such as Ransomware, then we can see that Patching, Anti-Virus/Anti-Malware and Backup & Restore, as example controls, would be highly effective in mitigating this specific threat and therefore highly relevant. But the same controls would be less effective or relevant to mitigating Impersonation threats, such as Phishing or Vishing. If we did an exhaustive exercise and identified all the controls that would be effective in mitigating the threat of Ransomware, then we would see that some controls had a greater impact than others – i.e., some controls are more effective or relevant to mitigating specific threats.
Using this approach, we can build up a matrix of all Cyber Threats, the Controls that are effective in mitigating those threats and a Relevance Factor – i.e., how effective each control is in that mitigation. We can now use this Threat-Control Matrix in conjunction with how our Cybersecurity Controls are performing to show us a quantifiable rating of our Cyber Threat exposures.
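The matrix described above, worked through as an added example in Python (this is not Caveris's code and not how the Threat Exposure Dashboard is implemented). The threats, controls, relevance factors and control performance scores are all constructed for illustration, and the scoring formula (exposure = 1 minus the relevance-weighted average of control performance) is an assumption chosen to make the idea concrete; it also shows how the same matrix ranks which control would reduce exposure the most, the prioritisation point made earlier in the post.

```python
"""Toy Threat-Control Matrix: relevance factors combined with control
performance to give a per-threat exposure rating and a control priority list.

Added example, not the original post's or Caveris's code. All figures below
are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Relevance factor of each control to each threat (0.0 = irrelevant,
# 1.0 = highly relevant). Constructed values.
THREAT_CONTROL_MATRIX: Dict[str, Dict[str, float]] = {
    "Ransomware": {
        "Patching": 0.9,
        "Anti-Malware": 0.8,
        "Backup & Restore": 1.0,
        "Security Awareness Training": 0.3,
    },
    "Phishing": {
        "Patching": 0.2,
        "Anti-Malware": 0.4,
        "Backup & Restore": 0.1,
        "Security Awareness Training": 0.9,
        "Email Filtering": 0.9,
    },
}

# How well each control is currently performing (0.0 = not deployed or
# failing, 1.0 = fully effective). Constructed values; "Email Filtering"
# is deliberately absent to model a relevant control that is not deployed.
CONTROL_PERFORMANCE: Dict[str, float] = {
    "Patching": 0.5,
    "Anti-Malware": 0.9,
    "Backup & Restore": 0.25,
    "Security Awareness Training": 0.6,
}


def threat_exposure(threat: str,
                    matrix: Dict[str, Dict[str, float]] = THREAT_CONTROL_MATRIX,
                    performance: Dict[str, float] = CONTROL_PERFORMANCE) -> float:
    """Exposure rating for one threat, in [0, 1] (assumed formula).

    1.0 means none of the relevant controls are working; 0.0 means every
    relevant control is fully effective. Controls missing from the
    performance data count as 0.0 (not deployed).
    """
    controls = matrix[threat]
    total_relevance = sum(controls.values())
    if total_relevance == 0:
        return 1.0  # no known mitigating control: fully exposed
    covered = sum(rel * performance.get(ctrl, 0.0)
                  for ctrl, rel in controls.items())
    return round(1.0 - covered / total_relevance, 3)


def prioritise_controls(threat: str,
                        matrix: Dict[str, Dict[str, float]] = THREAT_CONTROL_MATRIX,
                        performance: Dict[str, float] = CONTROL_PERFORMANCE
                        ) -> List[Tuple[str, float]]:
    """Rank controls by how much exposure to `threat` would fall if that
    control were brought to full performance (gain = relevance * shortfall,
    normalised by total relevance). Highest gain first."""
    controls = matrix[threat]
    total_relevance = sum(controls.values())
    if total_relevance == 0:
        return []
    gains = [(ctrl, round(rel * (1.0 - performance.get(ctrl, 0.0)) / total_relevance, 3))
             for ctrl, rel in controls.items()]
    return sorted(gains, key=lambda item: item[1], reverse=True)


def exposure_report(matrix: Dict[str, Dict[str, float]] = THREAT_CONTROL_MATRIX,
                    performance: Dict[str, float] = CONTROL_PERFORMANCE) -> Dict[str, float]:
    """The dashboard view: exposure rating for every threat in the matrix."""
    return {threat: threat_exposure(threat, matrix, performance) for threat in matrix}


if __name__ == "__main__":
    for threat, exposure in exposure_report().items():
        top_control, gain = prioritise_controls(threat)[0]
        print(f"{threat:<12} exposure {exposure:.3f}  "
              f"best next investment: {top_control} (-{gain:.3f})")
```

With the constructed figures, Ransomware exposure comes out at about 0.47 and the biggest single improvement is fixing Backup & Restore, whereas Phishing sits at 0.59 and the undeployed Email Filtering control tops its list; the same control set, scored through the matrix, yields different priorities per threat.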
This is exactly what we at Caveris have been working on recently with our new Threat Exposure Dashboard that helps senior management see in near real-time how effective their Cybersecurity Controls are in mitigating common Cyber Threats.
Interested in learning more about how our Threat Exposure Dashboard can protect your business? Contact Us for a personalized demo - https://www.caveris.co.uk/contactus