Risk Management and Cyber Security

<Name>

University of Maryland, Baltimore County

Fall 2017

Abstract

The way in which an organization prepares for a data protection breach, and manages it if it
occurs, has a measurable effect on the impact of such an incident. By effectively managing an
incident that could otherwise cost millions of dollars and ruin an organization's reputation, the
organization can contain it and dramatically reduce the severity of its consequences. This paper
discusses cyber security attacks and the risk mitigation planning needed to avoid the millions lost
to security breaches. Cyber security is critical because the world is increasingly moving online.
Virtually everything is now kept online, on local computers, networks and e-mail, and even on
cloud servers. People depend more and more on these systems, which means the systems must be up
and running at all times. The dependency has become almost 24 x 365, so the systems must be
available every day. Given this dependency, securing the systems is of utmost importance. There
are many threats, both internal and external, that put the security of these systems at risk.
Controlling and managing cyber security risks is the object of this research paper.

Proliferation of data
Personal information is defined as data that can be used to identify a person, and its collection
creates privacy obligations (which explains the existence of privacy laws). With technological
advances, organizations are collecting, retaining and transferring more personal information
about consumers, professionals, patients and employees than ever before. The accumulation of
large amounts of personal information in huge databases increases the risk of unauthorized
access to that information and the consequences that may follow. A single attack on the protection
of personal data can affect millions of people today. The growing adoption of biometric
identifiers (fingerprints, voice, facial recognition, etc.) by companies creates new risks, namely
the loss or misuse of these immutable identifiers (Johnston and Walker, 2004).

Increasingly large and sophisticated incidents

Incidents are increasing, but the more important problem is their growing sophistication. The
business models of attackers have evolved and, in addition to increasingly complex methods,
their targets have changed. Formerly, the modus operandi was to steal credit card information to
perform unauthorized transactions. Today, cyber-opponents use social engineering methods
(such as phishing by means of fraudulent e-mails that induce employees to hand over confidential
or sensitive information) to obtain information that is valuable to the company. This information
is then monetized directly through insider trading, sold to competitors (in the case of
intellectual property or trade secrets) or used to demand a ransom. Senior executives are
increasingly concerned about data breaches, and it is now widely accepted that companies should
not ask whether such an incident will occur, but rather when it will occur.

Preparing For Risks

Not every data breach makes headlines, but a serious attack can disrupt an organization for
months. The 72 hours following an incident are particularly chaotic, since a multitude of
problems must be managed with incomplete information. A prepared plan executed by a trained and
seasoned team is a great help in avoiding chaos, because it keeps key stakeholders informed and
focuses their efforts on identified priorities. More importantly, this plan helps to organize the
emergency response and can curb scattered reactions or the irrepressible urge to "do something".
In addition, a rigorously orchestrated response reduces costs, prevents external vendors from
taking on too large a role, helps preserve evidence that the organization has complied with
applicable standards of care, and minimizes reputational risk.

Evolving standards of care

A well-designed, documented and executed plan is essential to limit data loss and disruption in
the organization. Most importantly, it helps to minimize liability to third parties and regulators,
provided it is regularly updated to reflect changes in risks and in the measures that counter them.
An organization may, if prosecuted, have its response plan (and its implementation) evaluated by a
court to determine its reasonableness. With new risks and threats arising each week (and the
corresponding response and corrective measures), an incident response plan cannot be a static
document. The tribunal responsible for assessing the reasonableness of an incident response plan
will take into account not only the documents prepared by the organization, but also compliance
with policies, the allocation of technical and financial resources, and the degree of involvement
of senior management in the creation and management of the plan (Yulia, 2015).

From Compliance to Competitive Advantage

While data protection was previously considered a burdensome compliance effort that yielded
nothing in return, smart businesses are slowly realizing that improved data protection and a robust
response can provide a competitive advantage. In a study conducted in 2015, 25 percent of
respondents felt that the senior management of their organization regards security as a competitive
advantage. Even if a breach of data protection seems almost inevitable, it need not be a disaster.
Organizations prepared for such an incident as part of their Cyber Security Risk Management
and Prevention Program are much more likely to have a positive outcome in the event of an
incident (or even to avoid it entirely) than those that adopt a one-off approach. In the context of
data protection breaches, a "favorable outcome" means an incident resolution process that attracts
little media attention, reduces costs (including those associated with potential litigation), limits
damage to reputation, minimizes shareholder involvement and involves only a limited review by
regulators.
A cyber security program consists of a cyber security framework and an action plan. The cyber
security framework is proactive and consists of a set of organizational resources, including
policies, personnel, processes, practices and technologies, for assessing and mitigating
cyber-attacks. The incident response plan is reactive. It is a company-wide initiative that
establishes a protocol for the entire organization, assigns responsibilities, and defines the
follow-up actions for the organization's efforts to resolve incidents. It must include specific
elements and cover a wide range of disciplines. Above all, it must be comprehensive and detailed,
not just simple check-boxes or lists of things to do (Kondakci, 2010).

Governance

Cyber security is not just about addressing information technology risks. It also takes into
account risks at the company level. Therefore, it should be part of the overall risk management
mandate of the board of directors, and the board must address the issue of cyber security
directly. In June 2014, Securities and Exchange Commission (SEC) Commissioner Luis Aguilar
spoke at the NYSE about cyber security risks for the Board, saying that incidents have grown in
frequency and complexity and have become more expensive for companies. He highlighted the
role of boards of directors, stressing their responsibility, as part of their risk oversight role, to
ensure that the company's cyber security measures are appropriate (Yulia, 2015).

Security, Malware and Monitoring

The IT defenses of the organization are a vital aspect of risk management: are they adequate,
up-to-date and adapted to known threats? It is important that the organization subscribe to a
comprehensive and legitimate threat assessment service, such as cyber security bulletins and best
practice documents. There are also industry and sector groups dedicated to information sharing.
An organization must therefore install standard software to protect against viruses and malware,
and ensure that it is regularly updated and documented. It must protect its networks, including
wireless networks, from internal and external attacks using standardized methods, such as
firewalls and systems for the continuous detection of malicious software. It must conduct regular
penetration tests (ideally carried out by an independent third party) and implement technical
solutions for detecting and blocking suspicious activities or accesses (Lv, 2009).
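The paragraph above calls for technical solutions that detect suspicious accesses but does not show what such detection looks like in practice. The following Python script is an added example, not code from the paper or any product it cites: it parses sshd-style authentication log lines, counts failed logins per source address inside a sliding time window, and raises an alert when a source crosses a failure threshold, escalating when a successful login from the same source follows the burst. The log lines, host name, addresses (drawn from the documentation-only ranges 203.0.113.0/24 and 198.51.100.0/24), the threshold and the window length are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log in sshd syslog format (no real hosts or users;
# 203.0.113.x and 198.51.100.x are documentation-only address ranges).
SAMPLE_LOG = """\
Oct 14 09:12:01 web01 sshd[4021]: Failed password for invalid user admin from 203.0.113.45 port 50122 ssh2
Oct 14 09:12:03 web01 sshd[4021]: Failed password for invalid user admin from 203.0.113.45 port 50123 ssh2
Oct 14 09:12:04 web01 sshd[4021]: Failed password for root from 203.0.113.45 port 50124 ssh2
Oct 14 09:12:06 web01 sshd[4021]: Failed password for root from 203.0.113.45 port 50125 ssh2
Oct 14 09:12:08 web01 sshd[4021]: Failed password for root from 203.0.113.45 port 50126 ssh2
Oct 14 09:12:10 web01 sshd[4021]: Accepted password for root from 203.0.113.45 port 50127 ssh2
Oct 14 09:15:30 web01 sshd[4100]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Oct 14 09:15:41 web01 sshd[4100]: Accepted publickey for alice from 198.51.100.7 port 41001 ssh2
Oct 14 09:20:00 web01 sshd[4130]: Failed password for bob from 198.51.100.9 port 42000 ssh2
Oct 14 09:40:00 web01 sshd[4130]: Failed password for bob from 198.51.100.9 port 42001 ssh2
Oct 14 10:00:00 web01 sshd[4130]: Failed password for bob from 198.51.100.9 port 42002 ssh2
Oct 14 10:20:00 web01 sshd[4130]: Failed password for bob from 198.51.100.9 port 42003 ssh2
Oct 14 10:40:00 web01 sshd[4130]: Failed password for bob from 198.51.100.9 port 42004 ssh2
"""

# Matches the two sshd outcomes we care about; other syslog lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2017):
    """Return (timestamp, result, user, ip) for an auth event, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies one so events sort correctly
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_suspicious_access(log_text, threshold=5, window_minutes=10):
    """Flag source IPs with >= threshold failed logins inside a sliding window, and
    escalate when a successful login from the same IP follows such a burst.
    Returns a list of (alert_type, ip, detail) tuples in time order."""
    window = timedelta(minutes=window_minutes)
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])
    failures = defaultdict(list)  # ip -> timestamps of failures still inside the window
    bursting = set()              # ips that have already triggered a brute-force alert
    alerts = []
    for ts, result, user, ip in events:
        if result == "Failed":
            # keep only failures that are still within the window ending at this event
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append(("BRUTE_FORCE", ip, f"{len(recent)} failures within {window_minutes} min"))
        else:  # Accepted: a success after a burst is the signal worth escalating
            if ip in bursting:
                alerts.append(("SUCCESS_AFTER_BURST", ip, f"user {user} logged in after failed attempts"))
            failures[ip] = []
            bursting.discard(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_access(SAMPLE_LOG):
        print(alert)
```

With the default settings the script flags only the 203.0.113.45 burst and the success that follows it; the single failure by alice is normal noise. The failures from 198.51.100.9, spaced twenty minutes apart, never accumulate inside a ten-minute window, which illustrates the trade-off a detection rule has to make: a short window keeps false positives low but lets slow, patient attempts pass, and catching them means widening the window or correlating across hosts.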

Social engineering attacks must also be considered, and organizations should consider training
their employees on how to avoid becoming a victim of phishing; on the dangers of "evil twins"
(Wi-Fi hotspots that appear to be legitimate access points at a location but were in fact created
by attackers to intercept wireless communications; many users connect their laptop or mobile
phone to the attacker's fraudulent access point, which presents itself as a legitimate provider);
and on USB sticks that seem to have been mislaid but were in fact deliberately infected with
malicious software and left on the premises.

Bibliography

Johnston, D. and Walker, J. (2004). Overview of IEEE 802.16 security, IEEE Security and Privacy,
vol. 2, no. 3, pp. 40–48.

Kondakci, S. (2010). A causal model for information security risk assessment, Proceedings of
the 6th International Conference on Information Assurance and Security (IAS), pp. 143–148.

Lv, H. (2009). Research on network risk assessment based on attack probability, Proceedings of
the 2nd International Workshop on Computer Science and Engineering (WCSE '09), vol. 2,
pp. 376–381.

Yulia, C. (2015). A Review of Cyber Security Risk Assessment Methods. Available at the
British Library, reference UIN: ETOCvdc_100030733535.0x000001.