One Article Review

The article:
Source: ProofPoint
Identifier: 8539548
Publication date: 2024-07-18 07:28:50 (viewed: 2024-07-18 13:06:59)
Title: How to Quantify Cyber Risk
Text:

It is truly difficult to communicate cyber risk in business terms. Chief information security officers and security and risk management leaders have come a long way in their efforts to create relevant narratives around cyber risk to earn a seat in boardrooms. However, the ability to articulate cyber risk is a dark art that most security professionals aspire to practice daily, and may spend their lifetimes working to get right.

That is why the growing field of cyber risk quantification (CRQ) has caught the attention of many security and risk management leaders. Gartner® defines CRQ as “A method for expressing risk exposure from interconnected digital environments to the organization in business terms. Risk exposure can be expressed in currency, market share, customer and beneficiary engagement and disruption in products or services over a chosen period.”

Currency is the defining metric of business. But it can be difficult to map a hard-dollar value to black swan cyber events (low probability, high impact) or even soft opportunity costs.

Gartner defines the top five use cases for CRQ, by the percentage of security and risk management (SRM) leaders citing each, as:

78% prioritize cyber-risk mitigation
61% communicate to risk owners
61% communicate to C-level executives
53% communicate to the board
53% align cyber risks to other risk practices

To create compelling narratives that break through the noise, it's helpful to center your storytelling around people. Here, we'll discuss the ways that people create cyber risk, and show you how to quantify it so that you can tell better stories.

Cyber risk in human-centric terms

When you frame cyber risk in the context of people, it can help make the concept real and relevant to business stakeholders. Telling stories about incidents that affect people in the business is often a starting point. This form of scenario analysis is one of the most compelling ways to demonstrate tangible impact.
However, in the language of the FAIR (Factor Analysis of Information Risk) methodology, this approach tells only a fraction of the story. That is because the loss magnitude and loss frequency are limited to the scope of the incident or person.

To tell a more universal human-centric cyber story, the risk model needs to recognize that human risks and vulnerabilities encompass a spectrum of behaviors, events and actions that can expose people, companies or institutions to cyberthreats. Crucial facets to consider in the broader view of human risk include the following.

1. Security awareness and education

Many users lack adequate knowledge about cybersecurity best practices. Ignorance about phishing scams, the significance of secure passwords or the dangers of downloading suspicious attachments can inadvertently open the door to cyberthreats.

2. User negligence and oversight

Even with sufficient knowledge, human error remains a significant risk factor. Careless actions like leaving devices unlocked or unattended, using unsecured public Wi-Fi, or failing to update software regularly can create vulnerabilities that cybercriminals exploit.

3. Social engineering

Most modern cyberattacks exploit human psychology through social engineering tactics. Techniques like phishing, where attackers masquerade as trustworthy entities to obtain sensitive information, rely on human trust to succeed.

4. Insider threats

Employees or other users with access to sensitive data can pose an insider threat. Whether through malicious intent or inadvertent actions, insiders can compromise data security. That makes them a significant concern for businesses.

5. Threat landscape or threat intelligence

Human behaviors are not malicious or risky unless there is context and consideration for the ever-evolving panorama of potential risks, vulnerabilities, and dangers that may threaten a company's information security.

6. Security posture and controls
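The FAIR-style view above, where loss event frequency and loss magnitude are estimated as ranges and combined into a currency figure, can be made concrete with a small Monte Carlo simulation. This is an added example, not code from Proofpoint or the article; the two scenarios and their minimum/most likely/maximum estimates are constructed for illustration, and the comparison shows why a median or mean alone understates a low-probability, high-impact (black swan) event.

```python
import math
import random
import statistics

# Constructed, hypothetical FAIR-style inputs (not from the article):
# "lef" = loss event frequency per year, "lm" = loss magnitude per event in USD,
# each as (minimum, most likely, maximum) for a triangular distribution.
SCENARIOS = {
    "phishing_credential_theft": {"lef": (2.0, 6.0, 15.0), "lm": (5_000, 25_000, 120_000)},
    "insider_data_theft": {"lef": (0.02, 0.10, 0.30), "lm": (500_000, 2_000_000, 15_000_000)},
}


def poisson(rng, lam):
    """Sample an event count for a yearly rate (Knuth's method; fine for small rates)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_loss(lef, lm, trials=10_000, seed=7):
    """One simulated annual loss per trial: sample a rate, then the number of
    loss events that year, then a magnitude for each event, and sum them."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        rate = rng.triangular(lef[0], lef[2], lef[1])  # triangular(low, high, mode)
        events = poisson(rng, rate)
        losses.append(sum(rng.triangular(lm[0], lm[2], lm[1]) for _ in range(events)))
    return losses


def summarize(losses):
    """Annualized loss expectancy (mean) plus tail percentiles, in USD."""
    ordered = sorted(losses)

    def pct(p):
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {"ale": statistics.fmean(ordered), "p50": pct(0.50),
            "p90": pct(0.90), "p99": pct(0.99), "worst": ordered[-1]}


def risk_report(scenarios=SCENARIOS, trials=10_000):
    return {name: summarize(simulate_annual_loss(s["lef"], s["lm"], trials))
            for name, s in scenarios.items()}


if __name__ == "__main__":
    for name, stats in risk_report().items():
        print(name, {k: f"${v:,.0f}" for k, v in stats.items()})
```

The insider scenario has a median annual loss of zero in most years yet a far heavier tail than phishing, which is the reporting problem the article raises for black swan events.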
Rating: ★★
Sent: Yes
Tags: Vulnerability, Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.