Discussion 1

Archived NIST Technical Series Publication

The attached publication has been archived (withdrawn), and is provided solely for historical purposes.
It may have been superseded by another publication (indicated below).

Archived Publication

Series/Number:

Title:

Publication Date(s):

Withdrawal Date:

Withdrawal Note:

Superseding Publication(s)

The attached publication has been superseded by the following publication(s):

Series/Number:

Title:

Author(s):

Publication Date(s):

URL/DOI:

Additional Information (if applicable)

Contact:

Latest revision of the

attached publication:

Related information:

Withdrawal
announcement (link):

Date updated: June 9, 2015

NIST Special Publication 800-30

Risk Management Guide for Information Technology Systems

July 2002
September 2012

SP 800-30 is superseded in its entirety by the publication of
SP 800-30 Revision 1 (September 2012).

NIST Special Publication 800-30 Revision 1

Guide for Conducting Risk Assessments

Joint Task Force Transformation Initiative

September 2012
http://dx.doi.org/10.6028/NIST.SP.800-30r1

Computer Security Division (Information Technology Lab)

SP 800-30 Revision 1 (as of June 19, 2015)

http://csrc.nist.gov/

N/A

NATL INST. OF STAND & TECH

I
NISI

PUBUCATSOt^S

National Institute of
Standards and Technology

Technology Administration

U.S. Department of Commerce

NIST Special Publication
800-30

Risk Management Guide
for Information Technology
Systems
Recommendations ofthe National Institute

of Standards and Technology

Gary Stoneburner, Alice Goguen, and

Alexis Feringa

COMPUTER SECURITY

rhe National Institute of Standards and Teciinology was established in 1988 by Congress to “assist
industry in the development of technology . . . needed to improve product quality, to modernize manufacturing

processes, to ensure product reliability . . . and to facilitate rapid commercialization …of products based on new scientific

discoveries.”

NIST, originally founded as the National Bureau of Standards in 1901, works to strengthen U.S. industry’s

competitiveness; advance science and engineering; and improve public health, safety, and the environment. One of the

agency’s basic functions is to develop, maintain, and retain custody of the national standards of measurement, and provide

the means and methods for comparing standards used in science, engineering, manufacturing, commerce, industry, and

education with the standards adopted or recognized by the Federal Government.

As an agency of the U.S. Commerce Department’s Technology Administration, NIST conducts basic and

applied research in the physical sciences and engineering, and develops measurement techniques, test

methods, standards, and related services. The Institute does generic and precompetitive work on new and

advanced technologies. NIST’s research facilities are located at Gaithersburg, MD 20899, and at Boulder, CO 80303.
Major technical operating units and their principal activities are listed below. For more information contact the Publications

and Program Inquiries Desk, 301-975-3058.

Office of the Director

• National Quality Program
• International and Academic Affairs

Technology Services
• Standards Services

• Technology Partnerships
• Measurement Services
• Information Services

Advanced Technology Program
• Economic Assessment
• Information Technology and Applications

• Chemistry and Life Sciences

• Materials and Manufacturing Technology

• Electronics and Photonics Technology

Manufacturing Extension Partnership

Program
• Regional Programs

• National Programs
• Program Development

Electronics and Electrical Engineering

Laboratory
• Microelectronics

• Law Enforcement Standards
• Electricity

• Semiconductor Electronics

• Radio-Frequency Technology

‘

• Electromagnetic Technology’

• Optoelectronics’

Materials Science and Engineering

Laboratory
• Theoretical and Computational Materials Science
• Materials Reliability’

• Ceramics

• Polymers
• Metallurgy

• NIST Center for Neutron Research

Chemical Science and Technology

Laboratory
• Biotechnology

• Physical and Chemical Properties’
• Analytical Chemistry

• Process Measurements
• Surface and Microanalysis Science

Physics Laboratory
• Electron and Optical Physics

• Atomic Physics
• Optical Technology
• Ionizing Radiation

• Time and Frequency’
• Quantum Physics’

Manufacturing Engineering

Laboratory
• Precision Engineering

• Automated Production Technology
• Intelligent Systems

• Fabrication Technology
• Manufacturing Systems Integration

Building and Fire Research Laboratory
• Applied Economics
• Structures

• Building Materials

• Building Environment
• Fire Safety Engineering

• Fire Science

Information Technology Laboratory
• Mathematical and Computational Sciences^

• Advanced Network Technologies
• Computer Security
• Information Access and User Interfaces
• High Performance Systems and Services
• Distributed Computing and Information Services
• Software Diagnostics and Conformance Testing
• Statistical Engineering

‘At Boulder, CO 80303.
2
Some elements at Boulder, CO.

NisT Special Publication 800-30 Risk Management Guide
for Information Technology
Systems
Recommendations ofthe National Institute

of Standards and Technology

Gary Stoneburner, Alice Goguen, and

Alexis Feringa

COMPUTER SECURITY

Computer Security Division

Information Technology Laboratory

National Institute of Standards and Technology

Gaithersburg, MD 20899-8930

July 2002

U.S. Department of Commerce

Donald L. Evans, Secretary

Technology Administration

Phillip J. Bond, Under Secretary of Commercefor Technology

National Institute of Standards and Technology

Arden L. Bement, Jr., Director

Reports on Information Security Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST)

promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement

and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept

implementations, and technical analyses to advance the development and productive use of information

technology. ITL’s responsibilities include the development of technical, physical, administrative, and

management standards and guidelines for the cost-effective security and privacy of sensitive unclassified

information in Federal computer systems. This Special Publication 800-series reports on ITL’s research,

guidance, and outreach efforts in computer security, and its collaborative activities with industry, government,

and academic organizations.

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an

experimental procedure or concept adequately. Such identification is not intended to imply recommendation or

endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities,

materials, or equipment are necessarily the best available for the purpose.

National Institute of Standards and Technology Special Publication 800-30
Natl. Inst. Stand. Technol. Spec. Publ. 800-30, 54 pages (July 2002)

CODEN: NSPUE2

U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON: 2002

For sale by the Superintendent of Documents, U.S. Government Printing Office

Internet: bookstore.gpo.gov — Phone: (202) 5 1 2- 1 800 — Fax: (202) 5 1 2-2250
Mail: Stop SSOP Washington, DC 20402-0001

Acknowledgements

The authors, Gary Stonebumer from NIST and Ahce Goguen and Alexis Feringa from Booz
Allen Hamilton, wish to express their thanks to their colleagues at both organizations who
reviewed drafts of this document. In particular, Timothy Grance, Marianne Swanson, and Joan

Hash from NIST and Debra L. Banning, Jeffrey Confer, Randall K. Ewell, and Waseem
Mamlouk from Booz Allen Hamilton, provided valuable insights that contributed substantially to
the technical content of this document. Moreover, we gratefully acknowledge and appreciate the
many comments from the public and private sectors whose thoughtful and constructive
comments improved the quality and utility of this publication.

SP 800-30 Page iii

TABLE OF CONTENTS

1. INTRODUCTION

1.1 Authority
1.2 Purpose

1.3 Objective

1.4 Target Audience
1.5 Related References
1.6 Guide Structure

2. RISK MANAGEMENT OVERVIEW

2.1 Importance of Risk Management
2.2 Integration of Risk Management into SDLC ..
2.3 Key Roles

3. RISK ASSESSMENT

3.1 Step 1 : System Characterization

3.1.1 System-Related Information

3.1.2 Information-Gathering Techniques

3.2 Step 2: Threat Identification
3.2.1 Threat-Source Identification

3.2.2 Motivation and Threat Actions

3.3 Step 3: Vulnerability Identification

3.3.1 Vulnerability Sources

3.3.2 System Security Testing ,

3.3.3 Development ofSecurity Requirements Checklist .

3.4 Step 4: Control Analysis
3.4.1 Control Methods

3.4.2 Control Categories

3.4.3 Control Analysis Technique

3.5 Step 5 : Likelihood Determination

3.6 Step 6: Impact Analysis

3.7 Step?: Risk Determination

3.7.1 Risk-Level Matrix

3.7.2 Description ofRisk Level

3.8 Step 8: Control Recommendations
3.9 Step 9: Results Documentation

4. RISK MITIGATION

4.1 Risk Mitigation Options

4.2 Risk Mitigation Strategy
4.3 Approach for Control Implementation ,
4.4 Control Categories

4.4.1 Technical Security Controls

4.4.2 Management Security Controls

4.4.3 Operational Security Controls

4.5 Cost-Benefit Analysis

4.6 Residual Risk

5. EVALUATION AND ASSESSMENT

5.1 Ciood Security Practice

5.2 Keys for Success

Appendix A—Sample Interview Questions A-
Appendix B—Sample Risk Assessment Report Outline B-

SP 800-30 Page

Appendix C—Sample Implementation Safeguard Plan Summary Table C-1
Appendix D—Acronyms D-1
Appendix E—Glossary E-1
Appendix F—References F-

1

LIST OF FIGURES

Figure 3-1 Risk Assessment Methodology Flowchart 9

Figure 4-1 Risk Mitigation Action Points 28

Figure 4-2 Risk Mitigation Methodology Flowchart 3

1

Figure 4-3 Technical Security Controls 33

Figure 4-4 Control Implementation and Residual Risk 40

LIST OF TABLES

Table 2-1 Integration of Risk Management to the SDLC 5

Table 3-1 Human Threats: Threat-Source, Motivation, and Threat Actions 14

Table 3-2 Vulnerability/Threat Pairs 15

Table 3-3 Security Criteria 18

Table 3-4 Likelihood Definitions 21

Table 3-5 Magnitude of Impact Definitions 23

Table 3-6 Risk-Level Matrix 25

Table 3-7 Risk Scale and Necessary Actions 25

SP 800-30 Page v

I

!

‘ 1. INTRODUCTION

Every organization has a mission. In this digital era, as organizations use automated information

technology (IT) systems^ to process their information for better support of their missions, risk

management plays a critical role in protecting an organization’s information assets, and therefore

its mission, from IT-related risk.

An effective risk management process is an important component of a successful IT security
program. The principal goal of an organization’s risk management process should be to protect

the organization and its ability to perform their mission, not just its IT assets. Therefore, the risk

management process should not be treated primarily as a technical function carried out by the IT

experts who operate and manage the IT system, but as an essential management function of the
organization.

1.1 AUTHORITY

This document has been developed by NIST in furtherance of its statutory responsibilities under
the Computer Security Act of 1987 and the Information Technology Management Reform Act of
1996 (specifically 15 United States Code (U.S.C.) 278 g-3 (a)(5)). This is not a guideline within

the meaning of 15 U.S.C 278 g-3 (a)(3).

These guidelines are for use by Federal organizations which process sensitive information.

They are consistent with the requirements of 0MB Circular A-130, Appendix HI.

The guidelines herein are not mandatory and binding standards. This document may be used by
non-governmental organizations on a voluntary basis. It is not subject to copyright.

Nothing in this document should be taken to contradict standards and guidelines made
mandatory and binding upon Federal agencies by the Secretary of Commerce under his statutory
authority. Nor should these guidelines be interpreted as altering or superseding the existing

authorities of the Secretary of Commerce, the Director of the Office of Management and Budget,

or any other Federal official.

1.2 PURPOSE

Risk is the net negative impact of the exercise of a vulnerability, considering both the probability

and the impact of occurrence. Risk management is the process of identifying risk, assessing risk,

and taking steps to reduce risk to an acceptable level. This guide provides a foundation for the

development of an effective risk management program, containing both the definitions and the

practical guidance necessary for assessing and mitigating risks identified within IT systems. The

ultimate goal is to help organizations to better manage IT-related mission risks.

1 The term “IT system” refers to a general support system (e.g., mainframe computer, mid-range computer, local

area network, agencywide backbone) or a major application that can run on a general support system and whose

use of information resources satisfies a specific set of user requirements.

SP 800-30 Page 1

In addition, this guide provides information on the selection of cost-effective security controls.^

These controls can be used to mitigate risk for the better protection of mission-critical

information and the IT systems that process, store, and carry this information.

Organizations may choose to expand or abbreviate the comprehensive processes and steps
suggested in this guide and tailor them to their environment in managing IT-related mission

risks.

1.3 OBJECTIVE

The objective of performing risk management is to enable the organization to accomplish its
mission(s) (1) by better securing the IT systems that store, process, or transmit organizational

information; (2) by enabling management to make well-informed risk management decisions to
justify the expenditures that are part of an IT budget; and (3) by assisting management in

authorizing (or accrediting) the IT systems-^ on the basis of the supporting documentation

resulting from the performance of risk management.

1.4 TARGET AUDIENCE

This guide provides a common foundation for experienced and inexperienced, technical, and
non-technical personnel who support or use the risk management process for their IT systems.

These personnel include

—

• Senior management, the mission owners, who make decisions about the IT security
budget.

• Federal Chief Information Officers, who ensure the implementation of risk
management for agency IT systems and the security provided for these IT systems

• The Designated Approving Authority (DAA), who is responsible for the final
decision on whether to allow operation of an IT system

• The IT security program manager, who implements the security program

• Information system security officers (ISSO), who are responsible for IT security

• IT system owners of system software and/or hardware used to support IT functions.

• Information owners of data stored, processed, and transmitted by the IT systems

• Business or functional managers, who are responsible for the IT procurement process

• Technical support personnel (e.g., network, system, application, and database

administrators; computer specialists; data security analysts), who manage and
administer security for the IT systems

• IT system and application programmers, who develop and maintain code that could
affect system and data integrity

The terms “safeguards” and “controls” refer to risk-reducing measures; these terms are used interchangeably in

this guidance document.

Office of Management and Budget’s November 2000 Circular A-130, the Computer Security Act of 1987, and the
Government Information Security Reform Act of October 2000 require that an IT system be authorized prior to

operation and reauthorized at least every 3 years thereafter.

SP 800-30 Page 2

• IT quality assurance personnel, who test and ensure the integrity of the IT systems
and data

• Information system auditors, who audit IT systems

• IT consultants, who support clients in risk management.

1.5 RELATED REFERENCES

This guide is based on the general concepts presented in National Institute of Standards and

Technology (NIST) Special Publication (SP) 800-27, Engineering Principlesfor IT Security,

along with the principles and practices in NIST SP 800-14, Generally Accepted Principles and
Practicesfor Securing Information Technology Systems. In addition, it is consistent with the

policies presented in Office of Management and Budget (0MB) Circular A-130, Appendix III,
“Security of Federal Automated Information Resources”; the Computer Security Act (CSA) of

1987; and the Government Information Security Reform Act of October 2000.

1.6 GUIDE STRUCTURE

The remaining sections of this guide discuss the following:

• Section 2 provides an overview of risk management, how it fits into the system
development life cycle (SDLC), and the roles of individuals who support and use this
process.

• Section 3 describes the risk assessment methodology and the nine primary steps in

conducting a risk assessment of an IT system.

• Section 4 describes the risk mitigation process, including risk mitigation options and

strategy, approach for control implementation, control categories, cost-benefit

analysis, and residual risk.

• Section 5 discusses the good practice and need for an ongoing risk evaluation and

assessment and the factors that will lead to a successful risk management program.

This guide also contains six appendixes. Appendix A provides sample interview questions.
Appendix B provides a sample outline for use in documenting risk assessment results. Appendix
C contains a sample table for the safeguard implementation plan. Appendix D provides a list of
the acronyms used in this document. Appendix E contains a glossary of terms used frequently in
this guide. Appendix F lists references.

SP 800-30 Page 3

2. RISK MANAGEMENT OVERVIEW

This guide describes the risk management methodology, how it fits into each phase of the SDLC,
and how the risk management process is tied to the process of system authorization (or
accreditation).

2.1 IMPORTANCE OF RISK MANAGEMENT

Risk management encompasses three processes: risk assessment, risk mitigation, and evaluation

and assessment. Section 3 of this guide describes the risk assessment process, which includes

identification and evaluation of risks and risk impacts, and recommendation of risk-reducing

measures. Section 4 describes risk mitigation, which refers to prioritizing, implementing, and

maintaining the appropriate risk-reducing measures recommended from the risk assessment

process. Section 5 discusses the continual evaluation process and keys for implementing a

successful risk management program. The DAA or system authorizing official is responsible for
determining whether the remaining risk is at an acceptable level or whether additional security

controls should be implemented to further reduce or eliminate the residual risk before

authorizing (or accrediting) the IT system for operation.

Risk management is the process that allows IT managers to balance the operational and

economic costs of protective measures and achieve gains in mission capability by protecting the

IT systems and data that support their organizations’ missions. This process is not unique to the

IT environment; indeed it pervades decision-making in all areas of our daily lives. Take the case

of home security, for example. Many people decide to have home security systems installed and
pay a monthly fee to a service provider to have these systems monitored for the better protection

of their property. Presumably, the homeowners have weighed the cost of system installation and

monitoring against the value of their household goods and their family’s safety, a fundamental

“mission” need.

The head of an organizational unit must ensure that the organization has the capabilities needed

to accomplish its mission. These mission owners must determine the security capabilities that

their IT systems must have to provide the desired level of mission support in the face of real-

world threats. Most organizations have tight budgets for IT security; therefore, IT security

spending must be reviewed as thoroughly as other management decisions. A well-structured risk
management methodology, when used effectively, can help management identify appropriate

controls for providing the mission-essential security capabilities.

2.2 INTEGRATION OF RISK MANAGEMENT INTO SDLC

Minimizing negative impact on an organization and need for sound basis in decision making are

the fundamental reasons organizations implement a risk management process for their IT

systems. Effective risk management must be totally integrated into the SDLC. An IT system’s
SDLC has five phases: initiation, development or acquisition, implementation, operation or
maintenance, and disposal. In some cases, an IT system may occupy several of these phases at
the same time. However, the risk management methodology is the same regardless of the SDLC
phase for which the assessment is being conducted. Risk management is an iterative process that

can be performed during each major phase of the SDLC. Table 2-1 describes the characteristics

SP 800-30 Page 4

of each SDLC phase and indicates how risk management can be performed in support of each
phase.

Table 2-1 Integration of Risk Management into the SDLC

SDLC Phases Phase Characteristics Support from Risl(
l/lanagement Activities

Phase 1—Initiation The need for an IT system is
expressed and the purpose and
scope of the IT system is
documented

• Identified risks are used to

support the development of the
system requirements, including

security requirements, and a
security concept of operations

(strategy)

Phase 2—Development or
Acquisition

The IT system is designed,
purchased, programmed,
developed, or otherwise

constructed

• The risks identified during this
phase can be used to support

the security analyses of the IT

system that may lead to
architecture and design trade-
offs during system

development

Phase 3—Implementation The system security features
should be configured, enabled,

tested, and verified

• The risk management process
supports the assessment of the

system implementation against

its requirements and within its

modeled operational
environment. Decisions

regarding risks identified must

be made prior to system
operation

Phase 4—Operation or
Maintenance

The system performs its
functions. Typically the system is

being modified on an ongoing

basis through the addition of

hardware and software and by

changes to organizational

processes, policies, and
procedures

• Risk management activities are
performed for periodic system

reauthorization (or

reaccreditation) or whenever
major changes are made to an
IT system in its operational,

production environment (e.g.,

new system interfaces)

Phase 5—Disposal This phase may involve the
disposition of information,

hardware, and software.
Activities may include moving,
archiving, discarding, or

destroying information and

sanitizing the hardware and

software

• Risk management activities
are performed for system

components that will be
disposed of or replaced to

ensure that the hardware and

software are properly disposed

of, that residual data is

appropriately handled, and that

system migration is conducted

in a secure and systematic
manner

SP 800-30 Page 5

2.3 KEY ROLES

Risk management is a management responsibility. This section describes the key roles of the
personnel who should support and participate in the risk management process.

• Senior Management. Senior management, under the standard of due care and
ultimate responsibility for mission accomplishment, must ensure that the necessary

resources are effectively applied to develop the capabilities needed to accomplish the

mission. They must also assess and incorporate results of the risk assessment activity
into the decision making process. An effective risk management program that
assesses and mitigates IT-related mission risks requires the support and involvement

of senior management.

• Chief Information Officer (CIO). The CIO is responsible for the agency’s IT
planning, budgeting, and performance including its information security components.

Decisions made in these areas should be based on an effective risk management
program.

• System and Information Owners. The system and information owners are
responsible for ensuring that proper controls are in place to address integrity,

confidentiality, and availability of the IT systems and data they own. Typically the

system and information owners are responsible for changes to their IT systems. Thus,

they usually have to approve and sign off on changes to their IT systems (e.g., system

enhancement, major changes to the software and hardware). The system and

information owners must therefore understand their role in the risk management

process and fully support this process.

• Business and Functional Managers. The managers responsible for business
operations and IT procurement process must take an active role in the risk

management process. These managers are the individuals with the authority and

responsibility for making the trade-off decisions essential to mission accomplishment.

Their involvement in the risk management process enables the achievement of proper

security for the IT systems, which, if managed properly, will provide mission

effectiveness with a minimal expenditure of resources.

• ISSO. IT security program managers and computer security officers are responsible

for their organizations’ security programs, including risk management. Therefore,

they play a leading role in introducing an appropriate, structured methodology to help

identify, evaluate, and minimize risks to the IT systems that support their

organizations’ missions. ISSOs also act as major consultants in support of senior

management to ensure that this activity takes place on an ongoing basis.

• IT Security Practitioners. IT security practitioners (e.g., network, system,

application, and database administrators; computer specialists; security analysts;

security consultants) are responsible for proper implementation of security

requirements in their IT systems. As changes occur in the existing IT system

environment (e.g., expansion in network connectivity, changes to the existing

infrastructure and organizational policies, introduction of new technologies), the IT

security practitioners must support or use the risk management process to identify and

assess new potential risks and implement new security controls as needed to

safeguard their IT systems.

SP 800-30 Page 6

• Security Awareness Trainers (Security/Subject Matter Professionals). The

organization’s personnel are the users of the IT systems. Use of the IT systems and

data according to an organization’s policies, guidelines, and rules of behavior is

critical to mitigating risk and protecting the organization’s IT resources. To minimize
risk to the IT systems, it is essential that system and application users be provided

with security awareness training. Therefore, the IT security trainers or

security/subject matter professionals must understand the risk management process so

that they can develop appropriate training materials and incorporate risk assessment

into training programs to educate the end users.

SP 800-30 Page 7

3. RISK ASSESSMENT

Risk assessment is the first process in the risk management methodology. Organizations use risk

assessment to determine the extent of the potential threat and the risk associated with an IT

system throughout its SDLC. The output of this process helps to identify appropriate controls for

reducing or eliminating risk during the risk mitigation process, as discussed in Section 4.

Risk is a function of the likelihood of a given threat-source’s exercising a particular potential

vulnerability, and the resulting impact of that adverse event on the organization.

To determine the likelihood of a future adverse event, threats to an IT system must be analyzed

in conjunction with the potential vulnerabilities and the controls in place for the IT system.

Impact refers to the magnitude of harm that could be caused by a threat’s exercise of a

vulnerability. The level of impact is governed by the potential mission impacts and in turn

produces a relative value for the IT assets and resources affected (e.g., the criticality and

sensitivity of the IT system components and data). The risk assessment methodology

encompasses nine primary steps, which are described in Sections 3.1 through 3.9

—

• Step 1—System Characterization (Section 3.1)
• Step 2—^Threat Identification (Section 3.2)
• Step 3—^Vulnerability Identification (Section 3.3)
• Step A—Control Analysis (Section 3.4)
• Step 5—Likelihood Determination (Section 3.5)
• Step 6—Impact Analysis (Section 3.6)
• Step 7—Risk Determination (Section 3.7)
• Step 8—Control Recommendations (Section 3.8)
• Step 9—Results Documentation (Section 3.9).

Steps 2, 3, 4, and 6 can be conducted in parallel after Step 1 has been completed. Figure 3-1

depicts these steps and the inputs to and outputs from each step.

SP 800-30 Pages

Input Risk Assessment Activities Output

• Hardware

• Software

• System interfaces

• Data and information

• People

^» System mission
,

‘ History of system attack

‘ Data from intelligence

agencies, NIPC, OIG.

FedCIRC, mass media.

• Reports from prior risk

assessments

• Any audit comments
• Security requirements

• Security test results

> Current controls

‘ Planned controls

• Threat-source motivation

• Threat capacity

• Nahire of vulnerability

• Current controls

• Mission impact analysis

• Asset criticality assessment

• Data criticality

• Data sensitivity

‘ Likelihood of threat

exploitation

‘ Magnitude of impact

‘ Adequacy of plaimed or
current controls

Step 1.

System Characterization

I
Step 2.

Threat Identification

I
Step 3.

->| Vulnerability Identification

I
Step 4. Control Analysis

I

I
Step 6. Impact Analysis

• Loss of Integrity

• Loss of Availability

• Loss of Confidentiality

I
Step 7. Risk Determination

Step 9.

Results Documentation

• System Boundary

• System Functions

• System and Data

Criticality

• System and Data

Sensitivity

Threat Statement

List of Potential

Vulnerabilities

List of Current and

Planned Controls

Step 5.
1—

Likelihood Determination

Likelihood Rating

Impact Rating

Risks and

Associated Risk

Levels

r

Step 8. — Recommended
Control Recommendations Controls

Risk Assessment

Report

Figure 3-1. Risk Assessment Methodology Flowchart

SP 800-30 Page 9

3.1 STEPl: SYSTEM CHARACTERIZATION

In assessing risks for an IT system, the first step is to define the scope of the effort. In this step,

the boundaries of the IT system are identified, along with the resources and the information that

constitute the system. Characterizing an IT system establishes the scope of the risk assessment

effort, delineates the operational authorization (or accreditation) boundaries, and provides

information (e.g., hardware, software, system connectivity, and responsible division or support

personnel) essential to defining the risk.

Section 3.1.1 describes the system-related information used to characterize an IT system and its

operational environment. Section 3.1.2 suggests the information-gathering techniques that can

be used to solicit information relevant to the IT system processing environment.

The methodology described in this document can be applied to assessments of single or multiple,
interrelated systems. In the latter case, it is important that the domain of interest and all interfaces

and dependencies be well defined prior to applying the methodology.

3.1.1 System-Related Information

Identifying risk for an IT system requires a keen understanding of the system’s processing

environment. The person or persons who conduct the risk assessment must therefore first collect
system-related information, which is usually classified as follows:

• Hardware

• Software

• System interfaces (e.g., internal and external connectivity)

• Data and information

• Persons who support and use the IT system

• System mission (e.g., the processes performed by the IT system)

• System and data criticality (e.g., the system’s value or importance to an organization)

• System and data sensitivity.^

Additional information related to the operational environmental of the IT system and its data

includes, but is not limited to, the following:

• The functional requirements of the IT system

• Users of the system (e.g., system users who provide technical support to the IT
system; application users who use the IT system to perform business functions)

• System security policies governing the IT system (organizational policies, federal

requirements, laws, industry practices)

• System security architecture

^ The level of protection required to maintain system and data integrity, confidentiality, and availability.

SP 800-30 Page 10

• Current network topology (e.g., network diagram)

• Information storage protection that safeguards system and data availability, integrity,

and confidentiality

• Flow of information pertaining to the IT system (e.g., system interfaces, system input

and output flowchart)

• Technical controls used for the IT system (e.g., built-in or add-on security product

that supports identification and authentication, discretionary or mandatory access

control, audit, residual information protection, encryption methods)

• Management controls used for the IT system (e.g., rules of behavior, security
planning)

• Operational controls used for the IT system (e.g., personnel security, backup,

contingency, and resumption and recovery operations; system maintenance; off-site

storage; user account establishment and deletion procedures; controls for segregation

of user functions, such as privileged user access versus standard user access)

• Physical security environment of the IT system (e.g., facility security, data center

policies)

• Environmental security implemented for the IT system processing environment (e.g.,

controls for humidity, water, power, pollution, temperature, and chemicals).

For a system that is in the initiation or design phase, system information can be derived from the

design or requirements document. For an IT system under development, it is necessary to define

key security rules and attributes planned for the future IT system. System design documents and

the system security plan can provide useful information about the security of an IT system that is

in development.

For an operational IT system, data is collected about the IT system in its production

environment, including data on system configuration, connectivity, and documented and

undocumented procedures and practices. Therefore, the system description can be based on the

security provided by the underlying infrastructure or on future security plans for the IT system.

3.1.2 Information-Gathering Techniques

Any, or a combination, of the following techniques can be used in gathering information relevant

to the IT system within its operational boundary:

• Questionnaire. To collect relevant information, risk assessment personnel can

develop a questionnaire concerning the management and operational controls planned

or used for the IT system. This questionnaire should be distributed to the applicable

technical and nontechnical management personnel who are designing or supporting
the IT system. The questionnaire could also be used during on-site visits and

interviews.

• On-site Interviews. Interviews with IT system support and management personnel

can enable risk assessment personnel to collect useful information about the IT

system (e.g., how the system is operated and managed). On-site visits also allow risk

SP 800-30 Page 1

1

assessment personnel to observe and gather information about the physical,

environmental, and operational security of the IT system. Appendix A contains
sample interview questions asked during interviews with site personnel to achieve a

better understanding of the operational characteristics of an organization. For

systems still in the design phase, on-site visit would be face-to-face data gathering

exercises and could provide the opportunity to evaluate the physical environment in

which the IT system will operate.

• Document Review. Policy documents (e.g., legislative documentation, directives),
system documentation (e.g., system user guide, system administrative manual,

system design and requirement document, acquisition document), and security-related

documentation (e.g., previous audit report, risk assessment report, system test results,

system security plan^, security policies) can provide good information about the

security controls used by and planned for the IT system. An organization’s mission
impact analysis or asset criticality assessment provides information regarding system

and data criticality and sensitivity.

• Use of Automated Scanning Tool. Proactive technical methods can be used to
collect system information efficiently. For example, a network mapping tool can

identify the services that run on a large group of hosts and provide a quick way of
building individual profiles of the target IT system(s).

Information gathering can be conducted throughout the risk assessment process, from Step 1

(System Characterization) through Step 9 (Results Documentation).

Outputfrom Step 1—Characterization ofthe IT system assessed, a goodpicture ofthe IT
system environment, and delineation ofsystem boundary

3.2 STEP 2: THREAT IDENTIFICATION

A threat is the potential for a particular threat-source to successfully exercise a particular
vulnerability. A vulnerability is a weakness that can
be accidentally triggered or intentionally exploited. A
threat-source does not present a risk when there is no

vulnerability that can be exercised. In determining the

likelihood of a threat (Section 3.5), one must consider

threat-sources, potential vulnerabilities (Section 3.3),

and existing controls (Section 3.4).

Threat: The potential for a threat-

source to exercise (accidentally trigger

or intentionally exploit) a specific

vulnerability.

3.2.1 Threat-Source Identification

The goal of this step is to identify the potential

threat-sources and compile a threat statement

listing potential threat-sources that are applicable

to the IT system being evaluated.

Threat-Source: Either (1) intent and method

targeted at the intentional exploitation of a

vulnerability or (2) a situation and method

that may accidentally trigger a vulnerability.

^ During the initial phase, a risk assessment could be used to develop the initial system security plan.

SP 800-30 Page 12

A threat-source is defined as any
circumstance or event with the

potential to cause harm to an IT

system. The common threat-
sources can be natural, human, or

environmental.

In assessing threat-sources, it is

important to consider all potential

threat-sources that could cause

harm to an IT system and its

processing environment. For

example, although the threat

statement for an IT system

located in a desert may not
include “natural flood” because

of the low likelihood of such an event’s occurring, environmental threats such as a bursting pipe

can quickly flood a computer room and cause damage to an organization’s IT assets and
resources. Humans can be threat-sources through intentional acts, such as deliberate attacks by
malicious persons or disgruntled employees, or unintentional acts, such as negligence and errors.

A deliberate attack can be either (1) a malicious attempt to gain unauthorized access to an IT
system (e.g., via password guessing) in order to compromise system and data integrity,

availability, or confidentiality or (2) a benign, but nonetheless purposeful, attempt to circumvent

system security. One example of the latter type of deliberate attack is a programmer’s writing a
Trojan horse program to bypass system security in order to “get the job done.”

3.2.2 Motivation and Tlireat Actions

Motivation and the resources for carrying out an attack make humans potentially dangerous

threat-sources. Table 3-1 presents an overview of many of today’s common human threats, their
possible motivations, and the methods or threat actions by which they might carry out an attack.

This information will be useful to organizations studying their human threat environments and
customizing their human threat statements. In addition, reviews of the history of system break-
ins; security violation reports; incident reports; and interviews with the system administrators,

help desk personnel, and user community during information gathering will help identify human
threat-sources that have the potential to harm an IT system and its data and that may be a concern
where a vulnerability exists.

Common Threat-Sources

Natural Threats—^Floods, earthquakes, tornadoes,
landslides, avalanches, electrical storms, and other such

events.

« Human Threats—^Events that are either enabled by or
caused by human beings, such as unintentional acts
(inadvertent data entry) or deliberate actions (network

based attacks, malicious software upload, unauthorized

access to confidential information),

Environmental Threats—Long-term power failure,
pollution, chemicals, liquid leakage.

SP800-30 Page 13

Table 3-1. Human Threats: Threat-Source, Motivation, and Threat Actions

Threat-Source Motivation Threat Actions

Hacker, cracker

Challenge

Ego

Rebellion

• Hacking

• Social engineering

• System intrusion, break-ins

• Unauthorized system access

Computer criminal

Destruction of information

lllonf)! information Hicolociiro

Monetary gain

Unauthorized data alteration

• Computer crime (e.g., cyber
stalking)

• Fraudulent act (e.g., replay,

impersonation, interception)

• Information bribery

• Spoofing

• System intrusion

Terrorist

Blackmail

Destruction

Exploitation

Revenge

• Bomb/Terrorism

• Information warfare

• System attack (e.g., distributed
denial of service)

• System penetration

• System tampering

Industrial espionage

(companies, foreign
novprnmpnt^ nthprUWUI 1 II 1 1^1 IIO, V/il Iwl
government interests)

Competitive advantage

Economic espionage

• Economic exploitation

• Information theft

• Intrusion on personal privacy

• Social engineering

• System penetration

• Unauthorized system access

(access to classified, proprietary,

and/or technology-related

information)

Insiders (poorly trained,

disgruntled, malicious,

negligent, dishonest, or

terminated employees)

Curiosity

Ego

Intelligence

Monetary gain

Revenge

Unintentional errors and
omissions (e.g., data entry

error, programming error)

• Assault on an employee

• Blackmail

• Browsing of proprietary

information

• Computer abuse

• Fraud and theft

• Information bribery

• Input of falsified, corrupted data

• Interception

• Malicious code (e.g., virus, logic
bomb, Trojan horse)

• Sale of personal information

• System bugs

• System intrusion

• System sabotage

• Unauthorized system access

An estimate of the motivation, resources, and capabilities that may be required to carry out a
successful attack should be developed after the potential threat-sources have been identified, in

order to determine the likelihood of a threat’s exercising a system vulnerability, as described in

Section 3.5.

SP 800-30 Page 14
j

i

I

The threat statement, or the list of potential threat-sources, should be tailored to the individual

organization and its processing environment (e.g., end-user computing habits). In general,

information on natural threats (e.g., floods, earthquakes, storms) should be readily available.

Known threats have been identified by many government and private sector organizations.
Intrusion detection tools also are becoming more prevalent, and government and industry

organizations continually collect data on security events, thereby improving the ability to

realistically assess threats. Sources of information include, but are not limited to, the following:

• Intelligence agencies (for example, the Federal Bureau of Investigation’s National

Infrastructure Protection Center)

• Federal Computer Incident Response Center (FedCIRC)

• Mass media, particularly Web-based resources such as SecurityFocus.com,
SecurityWatch.com, SecurityPortal.com, and SANS.org.

Outputfrom Step 2—A threat statement containing a list ofthreat-sources that could exploit
system vulnerabilities

3.3 STEP 3: VULNERABILITY IDENTIFICATION

The analysis of the threat to an IT system

must include an analysis of the

vulnerabilities associated with the system

environment. The goal of this step is to

develop a list of system vulnerabilities

(flaws or weaknesses) that could be

exploited by the potential threat-sources.

Table 3-2 presents examples of vulnerability/threat pairs.

Table 3-2. Vulnerability/Threat Pairs

Vulnerability Threat-Source Threat Action

Terminated employees’ system

identifiers (ED) are not removed

from the system

Terminated employees Dialing into the company’s

network and accessing

company proprietary data

Company firewall allows inbound
telnet, and guest YD is enabled on

XYZ server

Unauthorized users (e.g.,

hackers, terminated

employees, computer

criminals, terrorists)

Using telnet to XYZ server
and browsing system files

with the guest ID

The vendor has identified flaws in

the security design of the system;

however, new patches have not
been applied to the system

Unauthorized users (e.g.,

hackers, disgruntled

employees, computer

criminals, terrorists)

Obtaining unauthorized

access to sensitive system

files based on known
system vulnerabilities

Vulnerability: A flaw or weakness in system
security procedures, design, implementation, or

internal controls that could be exercised

(accidentally triggered or intentionally exploited)

and result in a security breach or a violation of the

system’s security poUcy.

SP 800-30 Page 15

Vulnerability Threat-Source Threat Action

Data center uses water sprinklers

to suppress fire; tarpaulins to

protect hardware and equipment

from water damage are not in

place

Fire, negligent persons Water sprinklers being

turned on in the data center

Recommended methods for identifying system vulnerabilities are the use of vulnerability
sources, the performance of system security testing, and the development of a security

requirements checklist.

It should be noted that the types of vulnerabilities that will exist, and the methodology needed to

determine whether the vulnerabilities are present, will usually vary depending on the nature of

the IT system and the phase it is in, in the SDLC:

• If the IT system has not yet been designed, the search for vulnerabilities should focus

on the organization’s security policies, planned security procedures, and system

requirement definitions, and the vendors’ or developers’ security product analyses

(e.g., white papers).

• If the IT system is being implemented, the identification of vulnerabilities should be

expanded to include more specific information, such as the planned security features

described in the security design documentation and the results of system certification

test and evaluation.

• If the IT system is operational, the process of identifying vulnerabilities should

include an analysis of the IT system security features and the security controls,

technical and procedural, used to protect the system.

3.3.1 Vulnerability Sources

The technical and nontechnical vulnerabilities associated with an IT system’s processing

environment can be identified via the information-gathering techniques described in Section

3.1.2. A review of other industry sources (e.g., vendor Web pages that identify system bugs and
flaws) will be useful in preparing for the interviews and in developing effective questionnaires to

identify vulnerabilities that may be applicable to specific IT systems (e.g., a specific version of a
specific operating system). The Internet is another source of information on known system
vulnerabilities posted by vendors, along with hot fixes, service packs, patches, and other

remedial measures that may be applied to eliminate or mitigate vulnerabilities. Documented
vulnerability sources that should be considered in a thorough vulnerability analysis include, but

are not limited to, the following:

• Previous risk assessment documentation of the IT system assessed

• The IT system’s audit reports, system anomaly reports, security review reports, and

system test and evaluation reports

• Vulnerability lists, such as the NIST I-CAT vulnerability database
(http://icat.nist.gov)

SP 800-30 Page 16

• Security advisories, such as FedCIRC and the Department of Energy’s Computer
Incident Advisory Capability bulletins

• Vendor advisories

• Commercial computer incident/emergency response teams and post lists (e.g.,
SecurityFocus.com forum mailings)

• Information Assurance Vulnerability Alerts and bulletins for military systems

• System software security analyses.

3.3.2 System Security Testing

Proactive methods, employing system testing, can be used to identify system vulnerabilities

efficiently, depending on the criticality of the IT system and available resources (e.g., allocated

funds, available technology, persons with the expertise to conduct the test). Test methods

include

—

• Automated vulnerability scanning tool

• Security test and evaluation (ST&E)

• Penetration testing.*^

The automated vulnerability scanning tool is used to scan a group of hosts or a network for

known vulnerable services (e.g., system allows anonymous File Transfer Protocol [FTP],
sendmail relaying). However, it should be noted that some of the potential vulnerabilities

identified by the automated scanning tool may not represent real vulnerabilities in the context of
the system environment. For example, some of these scanning tools rate potential vulnerabilities

without considering the site’s environment and requirements. Some of the “vulnerabilities”
flagged by the automated scanning software may actually not be vulnerable for a particular site
but may be configured that way because their environment requires it. Thus, this test method
may produce false positives.

ST&E is another technique that can be used in identifying IT system vulnerabilities during the
risk assessment process. It includes the development and execution of a test plan (e.g., test

script, test procedures, and expected test results). The purpose of system security testing is to

test the effectiveness of the security controls of an IT system as they have been applied in an

operational environment. The objective is to ensure that the applied controls meet the approved

security specification for the software and hardware and implement the organization’s security

policy or meet industry standards.

Penetration testing can be used to complement the review of security controls and ensure that

different facets of the IT system are secured. Penetration testing, when employed in the risk

assessment process, can be used to assess an IT system’s ability to withstand intentional attempts

to circumvent system security. Its objective is to test the IT system from the viewpoint of a

threat-source and to identify potential failures in the IT system protection schemes.

The NIST SP draft 800-42, Network Security Testing Overview, describes the methodology for network system

testing and the use of automated tools.

SP 800-30 Page 17

The results of these types of optional security testing will help identify a system’s vulnerabilities.

3.3.3 Development of Security Requirements Cliecklist

During this step, the risk assessment personnel determine whether the security requirements

stipulated for the IT system and collected during system characterization are being met by

existing or planned security controls. Typically, the system security requirements can be

presented in table form, with each requirement accompanied by an explanation of how the
system’s design or implementation does or does not satisfy that security control requirement.

A security requirements checklist contains the basic security standards that can be used to
systematically evaluate and identify the vulnerabilities of the assets (personnel, hardware,

software, information), nonautomated procedures, processes, and information transfers

associated with a given IT system in the following security areas:

• Management

• Operational

• Technical.

Table 3-3 lists security criteria suggested for use in identifying an IT system’s vulnerabilities in

each security area.

Table 3-3. Security Criteria

Security Area Security Criteria

Management Security
• Assignment of responsibilities

• Continuity of support

• Incident response capability

• Periodic review of security controls

• Personnel clearance and background investigations

• Risk assessment

• Security and technical training

• Separation of duties

• System authorization and reauthorization

• System or application security plan

Operational Security
• Control of air-borne contaminants (smoke, dust, chemicals)

• Controls to ensure the quality of the electrical power supply

• Data media access and disposal

• External data distribution and labeling

• Facility protection (e.g., computer room, data center, office)

• Humidity control

• Temperature control

• Workstations, laptops, and stand-alone personal computers

SP 800-30 Page 18

Security Area Security Criteria

Technical Security
• Communications (e.g., dial-in, system interconnection, routers)

• Cryptography

• Discretionary access control

• Identification and authentication

• Intrusion detection

• Object reuse

• System audit

The outcome of this process is the security requirements checklist. Sources that can be used in

compiUng such a checklist include, but are not limited to, the following government regulatory

and security directives and sources applicable to the IT system processing environment:

• CSA of 1987

• Federal Information Processing Standards Publications

• OMB November 2000 Circular A-130

• Privacy Act of 1974

• System security plan of the IT system assessed

• The organization’s security policies, guidelines, and standards

• Industry practices.

The NIST SP 800-26, Security Self-Assessment Guidefor Information Technology Systems,
provides an extensive questionnaire containing specific control objectives against which a

system or group of interconnected systems can be tested and measured. The control objectives

are abstracted directly from long-standing requirements found in statute, policy, and guidance on

security and privacy.

The results of the checklist (or questionnaire) can be used as input for an evaluation of

compliance and noncompliance. This process identifies system, process, and procedural

weaknesses that represent potential vulnerabilities.

Outputfrom Step 3—A list ofthe system vulnerabilities (observations)”^ that could be exercised
by the potential threat-sources

3.4 STEP 4: CONTROL ANALYSIS

The goal of this step is to analyze the controls that have been implemented, or are planned for

implementation, by the organization to minimize or eliminate the likelihood (or probability) of a

threat’s exercising a system vulnerability.

Because the risk assessment report is not an audit report, some sites may prefer to address the identified
vulnerabiUties as observations instead of findings in the risk assessment report.

SP 800-30 Page 19

To derive an overall likelihood rating that indicates the probability that a potential vulnerability
may be exercised within the construct of the associated threat environment (Step 5 below), the
implementation of current or planned controls must be considered. For example, a vulnerability

(e.g., system or procedural weakness) is not likely to be exercised or the likelihood is low if there

is a low level of threat-source interest or capability or if there are effective security controls that

can eliminate, or reduce the magnitude of, harm.

Sections 3.4.1 through 3.4.3, respectively, discuss control methods, control categories, and the

control analysis technique.

3.4.1 Control Methods

Security controls encompass the use of technical and nontechnical methods. Technical controls

are safeguards that are incorporated into computer hardware, software, or firmware (e.g., access

control mechanisms, identification and authentication mechanisms, encryption methods,

intrusion detection software). Nontechnical controls are management and operational controls,

such as security policies; operational procedures; and personnel, physical, and environmental

security.

3.4.2 Control Categories

The control categories for both technical and nontechnical control methods can be further

classified as either preventive or detective. These two subcategories are explained as follows:

• Preventive controls inhibit attempts to violate security policy and include such

controls as access control enforcement, encryption, and authentication.

• Detective controls warn of violations or attempted violations of security policy and

include such controls as audit trails, intrusion detection methods, and checksums.

Section 4.4 further explains these controls from the implementation standpoint. The

implementation of such controls during the risk mitigation process is the direct result of the

identification of deficiencies in current or planned controls during the risk assessment process

(e.g., controls are not in place or controls are not properly implemented).

3.4.3 Control Analysis Technique

As discussed in Section 3.3.3, development of a security requirements checklist or use of an

available checklist will be helpful in analyzing controls in an efficient and systematic manner.

The security requirements checklist can be used to validate security noncompliance as well as

compliance. Therefore, it is essential to update such checklists to reflect changes in an

organization’s control environment (e.g., changes in security policies, methods, and

requirements) to ensure the checklist’s validity.

Outputfrom Step 4—List ofcurrent orplanned controls usedfor the IT system to mitigate the
likelihood ofa vulnerability’s being exercised and reduce the impact ofsuch an adverse event

SP 800-30 Page 20

3.5 STEPS: LIKELIHOOD DETERMINATION

To derive an overall likelihood rating that indicates the probability that a potential vulnerability
may be exercised within the construct of the associated threat environment, the following
governing factors must be considered:

• Threat-source motivation and capability

• Nature of the vulnerability

• Existence and effectiveness of current controls.

The likelihood that a potential vulnerability could be exercised by a given threat-source can be

described as high, medium, or low. Table 3-4 below describes these three likelihood levels.

Table 3-4. Likelihood Definitions

Likelihood Level Likelihood Definition

High The threat-source is highly motivated and sufficiently capable, and controls to
prevent the vulnerability from being exercised are ineffective.

Medium The threat-source is motivated and capable, but controls are in place that may
impede successful exercise of the vulnerability.

Low The threat-source lacks motivation or capability, or controls are in place to
prevent, or at least significantly impede, the vulnerability from being exercised.

Outputfrom Step 5—Likelihood rating (High, Medium, Low)

3.6 STEP 6: IMPACT ANALYSIS

The next major step in measuring level of risk is to determine the adverse impact resulting from

a successful threat exercise of a vulnerability. Before beginning the impact analysis, it is

necessary to obtain the following necessary information as discussed in Section 3.1.1:

• System mission (e.g., the processes performed by the IT system)

• System and data criticality (e.g., the system’s value or importance to an organization)

• System and data sensitivity.

This information can be obtained from existing organizational documentation, such as the

mission impact analysis report or asset criticality assessment report. A mission impact analysis
(also known as business impact analysis [BIA] for some organizations) prioritizes the impact
levels associated with the compromise of an organization’s information assets based on a

qualitative or quantitative assessment of the sensitivity and criticality of those assets. An asset
criticality assessment identifies and prioritizes the sensitive and critical organization information

assets (e.g., hardware, software, systems, services, and related technology assets) that support the

organization’s critical missions.

SP 800-30 Page 21

If this documentation does not exist or such assessments for the organization’s IT assets have not

been performed, the system and data sensitivity can be determined based on the level of

protection required to maintain the system and data’s availability, integrity, and confidentiality.

Regardless of the method used to determine how sensitive an IT system and its data are, the
system and information owners are the ones responsible for determining the impact level for

their own system and information. Consequently, in analyzing impact, the appropriate approach
is to interview the system and information owner(s).

Therefore, the adverse impact of a security event can be described in terms of loss or degradation

of any, or a combination of any, of the following three security goals: integrity, availability, and

confidentiality. The following list provides a brief description of each security goal and the

consequence (or impact) of its not being met:

• Loss of Integrity. System and data integrity refers to the requirement that

information be protected from improper modification. Integrity is lost if unauthorized

changes are made to the data or IT system by either intentional or accidental acts. If
the loss of system or data integrity is not corrected, continued use of the contaminated

system or corrupted data could result in inaccuracy, fraud, or erroneous decisions.

Also, violation of integrity may be the first step in a successful attack against system
availability or confidentiality. For all these reasons, loss of integrity reduces the

assurance of an IT system.

• Loss of Availability. If a mission-critical IT system is unavailable to its end users,

the organization’s mission may be affected. Loss of system functionality and
operational effectiveness, for example, may result in loss of productive time, thus
impeding the end users’ performance of their functions in supporting the

organization’s mission.

• Loss of Confidentiality. System and data confidentiality refers to the protection of

information from unauthorized disclosure. The impact of unauthorized disclosure of

confidential information can range from the jeopardizing of national security to the

disclosure of Privacy Act data. Unauthorized, unanticipated, or unintentional

disclosure could result in loss of public confidence, embarrassment, or legal action

against the organization.

Some tangible impacts can be measured quantitatively in lost revenue, the cost of repairing the
system, or the level of effort required to correct problems caused by a successful threat action.

Other impacts (e.g., loss of public confidence, loss of credibility, damage to an organization’s

interest) cannot be measured in specific units but can be qualified or described in terms of high,

medium, and low impacts. Because of the generic nature of this discussion, this guide designates

and describes only the qualitative categories—high, medium, and low impact (see Table 3.5).

SP 800-30 Page 22

Table 3-5. Magnitude of Impact DeHnitions

Magnitude of
Impact

impact Definition

High
Exercise of tlie vulnerability (1) may result in the highly costly loss of
major tangible assets or resources; (2) may significantly violate, harm, or
impede an organization’s mission, reputation, or interest; or (3) may result
in human death or serious injury.

Medium
Exercise of the vulnerability (1) may result in the costly loss of tangible
assets or resources; (2) may violate, harm, or impede an organization’s
mission, reputation, or interest; or (3) may result in human injury.

Low
Exercise of the vulnerability (1) may result in the loss of some tangible
assets or resources or (2) may noticeably affect an organization’s
mission, reputation, or interest.

Quantitative versus Qualitative Assessment

In conducting the impact analysis, consideration should be given to the advantages and

disadvantages of quantitative versus qualitative assessments. The main advantage of the

qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate

improvement in addressing the vulnerabilities. The disadvantage of the qualitative analysis is

that it does not provide specific quantifiable measurements of the magnitude of the impacts,

therefore making a cost-benefit analysis of any recommended controls difficult.

The major advantage of a quantitative impact analysis is that it provides a measurement of the

impacts’ magnitude, which can be used in the cost-benefit analysis of recommended controls.

The disadvantage is that, depending on the numerical ranges used to express the measurement,

the meaning of the quantitative impact analysis may be unclear, requiring the result to be
interpreted in a qualitative manner. Additional factors often must be considered to determine the

magnitude of impact. These may include, but are not limited to

—

• An estimation of the frequency of the threat-source’s exercise of the vulnerability
over a specified time period (e.g., 1 year)

• An approximate cost for each occurrence of the threat-source’s exercise of the
vulnerability

• A weighted factor based on a subjective analysis of the relative impact of a specific
threat’s exercising a specific vulnerability.

Outputfrom Step 6—Magnitude ofimpact (High, Medium, or Low)

SP 800-30 Page 23

3.7 STEP 7: RISK DETERMINATION

The purpose of this step is to assess the level of risk to the IT system. The determination of risk

for a particular threat/vulnerability pair can be expressed as a function of

—

• The likelihood of a given threat-source’s attempting to exercise a given vulnerability

• The magnitude of the impact should a threat-source successfully exercise the
vulnerability

• The adequacy of planned or existing security controls for reducing or eliminating

risk.

To measure risk, a risk scale and a risk-level matrix must be developed. Section 3.7.1 presents a
standard risk-level matrix; Section 3.7.2 describes the resulting risk levels.

3.7.1 Risk-Level Matrix

The final determination of mission risk is derived by multiplying the ratings assigned for threat

likelihood (e.g., probability) and threat impact. Table 3.6 below shows how the overall risk
ratings might be determined based on inputs from the threat likelihood and threat impact

categories. The matrix below is a 3 x 3 matrix of threat likelihood (High, Medium, and Low)
and threat impact (High, Medium, and Low). Depending on the site’s requirements and the

granularity of risk assessment desired, some sites may use a4x4ora5x5 matrix. The latter
can include a Very Low /Very High threat likelihood and a Very Low/Very High threat impact to
generate a Very LowA^ery High risk level. A “Very High” risk level may require possible
system shutdown or stopping of all IT system integration and testing efforts.

The sample matrix in Table 3-6 shows how the overall risk levels of High, Medium, and Low are
derived. The determination of these risk levels or ratings may be subjective. The rationale for
this justification can be explained in terms of the probability assigned for each threat likelihood

level and a value assigned for each impact level. For example,

• The probability assigned for each threat likelihood level is 1.0 for High, 0.5 for

Medium, 0.1 for Low

• The value assigned for each impact level is 100 for High, 50 for Medium, and 10 for

Low.

SP 800-30 Page 24

Table 3-6. Risk-Level Matrix

Impact

Threat
Likelihood

Low

(10)

Medium

(50)

Higli

(100)

High{^.0) Low Medium High

10X1.0 = 10 50 X 1 .0 = 50 100 X 1.0 = 100

Medium (0.5) Low Medium Medium

10X0.5 = 5 50 X 0.5 = 25 100X0.5 = 50

Low (0.1) Low Low Low

10X0.1 = 1 50X0.1 = 5 100X0.1 = 10

Risk Scale: High (>50 to 100); Medium (>10to 50); Low (1 to 10)^

3.7.2 Description of Risk Level

Table 3-7 describes the risk levels shown in the above matrix. This risk scale, with its ratings of

High, Medium, and Low, represents the degree or level of risk to which an IT system, facility, or

procedure might be exposed if a given vulnerability were exercised. The risk scale also presents

actions that senior management, the mission owners, must take for each risk level.

Table 3-7. Risk Scale and Necessary Actions

Risk Level Risk Description and Necessary Actions

High

If an observation or finding is evaluated as a higli risk, there is a

strong need for corrective measures. An existing systenn may
continue to operate, but a corrective action plan must be put in place

as soon as possible.

Medium
If an observation is rated as medium risk, corrective actions are
needed and a plan must be developed to incorporate these actions
within a reasonable period of time.

Low
If an observation is described as low risk, the system’s DAA must
determine whether corrective actions are still required or decide to

accept the risk.

Outputfrom Step 7—Risk level (High, Medium, Low)

If the level indicated on certain items is so low as to be deemed to be “negligible” or non significant (value is <1

on risk scale of 1 to 100), one may wish to hold these aside in a separate bucket in lieu of forwarding for
management action. This will make sure that they are not overlooked when conducting the next periodic risk
assessment. It also establishes a complete record of all risks identified in the analysis. These risks may move to a
new risk level on a reassessment due to a change in threat likelihood and/or impact and that is why it is critical
that their identification not be lost in the exercise.

SP 800-30 Page 25

3.8 STEPS: CONTROL RECOMMENDATIONS

During this step of the process, controls that could mitigate or eliminate the identified risks, as

appropriate to the organization’s operations, are provided. The goal of the recommended
controls is to reduce the level of risk to the IT system and its data to an acceptable level. The
following factors should be considered in recommending controls and alternative solutions to
minimize or eliminate identified risks:

• Effectiveness of recommended options (e.g., system compatibility)

• Legislation and regulation

• Organizational policy

• Operational impact

• Safety and reliability.

The control recommendations are the results of the risk assessment process and provide input to
the risk mitigation process, during which the recommended procedural and technical security
controls are evaluated, prioritized, and implemented.

It should be noted that not all possible recommended controls can be implemented to reduce loss.

To determine which ones are required and appropriate for a specific organization, a cost-benefit
analysis, as discussed in Section 4.6, should be conducted for the proposed recommended

controls, to demonstrate that the costs of implementing the controls can be justified by the

reduction in the level of risk. In addition, the operational impact (e.g., effect on system

performance) and feasibility (e.g., technical requirements, user acceptance) of introducing the

recommended option should be evaluated carefully during the risk mitigation process.

Outputfrom Step 8—Recommendation ofcontrol(s) and alternative solutions to mitigate risk

3.9 STEP 9: RESULTS DOCUMENTATION

Once the risk assessment has been completed (threat-sources and vulnerabilities identified, risks

assessed, and recommended controls provided), the results should be documented in an official

report or briefing.

A risk assessment report is a management report that helps senior management, the mission
owners, make decisions on policy, procedural, budget, and system operational and management

changes. Unlike an audit or investigation report, which looks for wrongdoing, a risk assessment

report should not be presented in an accusatory manner but as a systematic and analytical

approach to assessing risk so that senior management will understand the risks and allocate

resources to reduce and correct potential losses. For this reason, some people prefer to address

the threat/vulnerability pairs as observations instead of findings in the risk assessment report.

Appendix B provides a suggested outline for the risk assessment report.

Outputfrom Step 9—Risk assessment report that describes the threats and vulnerabilities,
measures the risk, andprovides recommendationsfor control implementation

SP 800-30 Page 26 I

4. RISK MITIGATION

Risk mitigation, the second process of risk management, involves prioritizing, evaluating, and

implementing the appropriate risk-reducing controls recommended from the risk assessment

process.

Because the elimination of all risk is usually impractical or close to impossible, it is the

responsibility of senior management and functional and business managers to use the least-cost

approach and implement the most appropriate controls to decrease mission risk to an acceptable

level, with minimal adverse impact on the organization’s resources and mission.

This section describes risk mitigation options (Section 4.1), the risk mitigation strategy (Section

4.2), an approach for control implementation (Section 4.3), control categories (Section 4.4), the

cost-benefit analysis used to justify the implementation of the recommended controls (Section

4.5), and residual risk (Section 4.6).

4.1 RISK MITIGATION OPTIONS

Risk mitigation is a systematic methodology used by senior management to reduce mission risk.

Risk mitigation can be achieved through any of the following risk mitigation options:

• Risk Assumption. To accept the potential risk and continue operating the IT system
or to implement controls to lower the risk to an acceptable level

• Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence
(e.g., forgo certain functions of the system or shut down the system when risks are
identified)

• Risk Limitation. To limit the risk by implementing controls that minimize the
adverse impact of a threat’s exercising a vulnerability (e.g., use of supporting,

preventive, detective controls)

• Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes,
implements, and maintains controls

• Research and Acknowledgment. To lower the risk of loss by acknowledging the
vulnerability or flaw and researching controls to correct the vulnerability

• Risk Transference. To transfer the risk by using other options to compensate for the
loss, such as purchasing insurance.

The goals and mission of an organization should be considered in selecting any of these risk

mitigation options. It may not be practical to address all identified risks, so priority should be
given to the threat and vulnerability pairs that have the potential to cause significant mission

impact or harm. Also, in safeguarding an organization’s mission and its IT systems, because of

each organization’s unique environment and objectives, the option used to mitigate the risk and

the methods used to implement controls may vary. The “best of breed” approach is to use
appropriate technologies from among the various vendor security products, along with the
appropriate risk mitigation option and nontechnical, administrative measures.

SP 800-30 Page 27

4.2 RISK MITIGATION STRATEGY

Senior management, the mission owners, knowing the potential risks and recommended controls,
may ask, “When and under what circumstances should I take action? When shall I implement
these controls to mitigate the risk and protect our organization?”

The risk mitigation chart in Figure 4-1 addresses these questions. Appropriate points for
implementation of control actions are indicated in this figure by the word YES.

1
&

Unacceptable
Risk 3

Figure 4-1. Risk Mitigation Action Points

This strategy is further articulated in the following rules of thumb, which provide guidance on

actions to mitigate risks from intentional human threats:

• When vulnerability (or flaw, weakness) exists — implement assurance techniques
to reduce the likelihood of a vulnerability’s being exercised.

• When a vulnerability can be exercised — apply layered protections, architectural
designs, and administrative controls to minimize the risk of or prevent this

occurrence.

• When the attacker’s cost is less than the potential gain -> apply protections to
decrease an attacker’s motivation by increasing the attacker’s cost (e.g., use of system

controls such as limiting what a system user can access and do can significantly

reduce an attacker’s gain).

• When loss is too great — apply design principles, architectural designs, and
technical and nontechnical protections to limit the extent of the attack, thereby

reducing the potential for loss.

The strategy outlined above, with the exception of the third list item (“When the attacker’s cost

is less than the potential gain”), also applies to the mitigation of risks arising from environmental

SP 800-30 Page 28

or unintentional human threats (e.g., system or user errors). (Because there is no “attacker,” no

motivation or gain is involved.)

4.3 APPROACH FOR CONTROL IMPLEMENTATION

When control actions must be taken, the following rule applies:

Address the greatest risks and strivefor sufficient risk mitigation at the lowest cost, with

minimal impact on other mission capabilities.

The following risk mitigation methodology describes the approach to control implementation:

• Step 1—Prioritize Actions
Based on the risk levels presented in the risk assessment report, the implementation

actions are prioritized. In allocating resources, top priority should be given to risk

items with unacceptably high risk rankings (e.g., risk assigned a Very High or High

risk level). These vulnerability/threat pairs will require immediate corrective action

to protect an organization’s interest and mission.

Outputfrom Step 1—Actions rankingfrom High to Low

• Step 2—Evaluate Recommended Control Options
The controls recommended in the risk assessment process may not be the most
appropriate and feasible options for a specific organization and IT system. During

this step, the feasibility (e.g., compatibility, user acceptance) and effectiveness (e.g.,

degree of protection and level of risk mitigation) of the recommended control options

are analyzed. The objective is to select the most appropriate control option for

minimizing risk.

Outputfrom Step 2—List offeasible controls

• Step 3—Conduct Cost-Benefit Analysis
To aid management in decision making and to identify cost-effective controls, a cost-
benefit analysis is conducted. Section 4.5 details the objectives and method of

conducting the cost-benefit analysis.

Outputfrom Step 3—Cost-benefit analysis describing the cost and benefits of
implementing or not implementing the controls

• Step 4—Select Control
On the basis of the results of the cost-benefit analysis, management determines the
most cost-effective control(s) for reducing risk to the organization’s mission. The

controls selected should combine technical, operational, and management control

elements to ensure adequate security for the IT system and the organization.

Outputfrom Step 4—Selected control(s)

SP 800-30 Page 29

• Step 5—Assign Responsibility
Appropriate persons (in-house personnel or external contracting staff) who have the
appropriate expertise and skill-sets to implement the selected control are identified,

and responsibility is assigned.

Outputfrom Step 5—List ofresponsible persons

• Step 6—Develop a Safeguard Implementation Plan
During this step, a safeguard implementation plan^ (or action plan) is developed. The
plan should, at a minimum, contain the following information:

– Risks (vulnerability/threat pairs) and associated risk levels (output from risk
assessment report)

– Recommended controls (output from risk assessment report)

– Prioritized actions (with priority given to items with Very High and High risk

levels)

– Selected planned controls (determined on the basis of feasibility, effectiveness,

benefits to the organization, and cost)

– Required resources for implementing the selected planned controls

– Lists of responsible teams and staff

– Start date for implementation

– Target completion date for implementation

– Maintenance requirements.

The safeguard implementation plan prioritizes the implementation actions and

projects the start and target completion dates. This plan will aid and expedite the risk

mitigation process. Appendix C provides a sample summary table for the safeguard
implementation plan.

Outputfrom Step 6—Safeguard implementation plan

• Step 7—^Implement Selected Control(s)
Depending on individual situations, the implemented controls may lower the risk
level but not eliminate the risk. Residual risk is discussed in Section 4.6.

Outputfrom Step 7—Residual risk

Figure 4-2 depicts the recommended methodology for risk mitigation.

^ NIST Interagency Report 4749, Sample Statements of Workfor Federal Computer Security Services: For Use In-

House or Contracting Out. December 1991.

SP 800-30 Page 30

Input Risk Mitisation Activities Output

r
• Risk levels from the

risk assessment

report
/

r N

• Risk assessment

report

/

Step 1.

Prioritize Actions

I
Step 2.

Evaluate Recommended
Control Options

• Feasibility

• Effectiveness

Step 3.

Conduct Cost-Benefit Analysis

• Impact of implanaiting

• Impact of not implementing

• Associated costs

Step 5.

Assign Responsibility

I
Step 6. Develop Safeguard

Implementation Plan

• Risks and Associated Risk Levels

• Prioritized Actions

• Recommended Controls

• Selected Planned Controls

• Responsible Persons

• Start Date

• Target Completion Date

• Maintenance Requirements

I
Step 7.

Implement Selected
Controls

Actions ranking from

High to Low

List of possible

controls

Cost-benefit

analysis

Selected Controls

List of

responsible persons

Safeguard

implementation plan

Residual Risks

Figure 4-2. Risk Mitigation Methodology Flowchart

SP 800-30 Page 31

4.4 CONTROL CATEGORIES

In implementing recommended controls to mitigate risk, an organization should consider

technical, management, and operational security controls, or a combination of such controls, to

maximize the effectiveness of controls for their IT systems and organization. Security controls,

when used appropriately, can prevent, limit, or deter threat-source damage to an organization’s
mission.

The control recommendation process will involve choosing among a combination of technical,
management, and operational controls for improving the organization’s security posture. The

trade-offs that an organization will have to consider are illustrated by viewing the decisions

involved in enforcing use of complex user passwords to minimize password guessing and

cracking. In this case, a technical control requiring add-on security software may be more
complex and expensive than a procedural control, but the technical control is likely to be more

effective because the enforcement is automated by the system. On the other hand, a procedural
control might be implemented simply by means of a memorandum to all concerned individuals
and an amendment to the security guidelines for the organization, but ensuring that users

consistently follow the memorandum and guideline will be difficult and will require security
awareness training and user acceptance.

This section provides a high-level overview of some of the control categories. More detailed
guidance about implementing and planning for IT controls can be found in NIST SP 800-18,
Guidefor Developing Security Plansfor Information Technology Systems, and NIST SP 800-12,
An Introduction to Computer Security: The NIST Handbook.

Sections 4.4.1 through 4.4.3 provide an overview of technical, management, and operational

controls, respectively.

4.4.1 Technical Security Controls

Technical security controls for risk mitigation can be configured to protect against given types of

threats. These controls may range from simple to complex measures and usually involve system
architectures; engineering disciplines; and security packages with a mix of hardware, software,

and firmware. All of these measures should work together to secure critical and sensitive data,

information, and IT system functions. Technical controls can be grouped into the following

major categories, according to primary purpose:

• Support (Section 4.4.1.1). Supporting controls are generic and underlie most IT

security capabilities. These controls must be in place in order to implement other

controls.

• Prevent (Section 4.4.1.2). Preventive controls focus on preventing security breaches

from occurring in the first place.

• Detect and Recover (Section 4.4.1.3). These controls focus on detecting and

recovering from a security breach.

Figure 4-3 depicts the primary technical controls and the relationships between them.

SP 800-30 Page 32

Identillcation

Cryptographic Key Managonicnl

Seciiritv Administration i

System Protections

(least privilege, ohject reuse, process separalion, etc.)

Figure 4-3. Technical Security Controls

4.4.1.1 Supporting Technical Controls

Supporting controls are, by their very nature, pervasive and interrelated with many other
controls. The supporting controls are as follows:

• Identification. This control provides the ability to uniquely identify users, processes,

and information resources. To implement other security controls (e.g., discretionary
access control [DAC], mandatory access control [MAC], accountability), it is

essential that both subjects and objects be identifiable.

• Cryptographic Key Management. Cryptographic keys must be securely managed
when cryptographic functions are implemented in various other controls.
Cryptographic key management includes key generation, distribution, storage, and

maintenance.

• Security Administration. The security features of an IT system must be configured

(e.g., enabled or disabled) to meet the needs of a specific installation and to account

for changes in the operational environment. System security can be built into

operating system security or the application. Commercial off-the-shelf add-on

security products are available.

SP 800-30 Page 33

• System Protections. Underlying a system’s various security functional capabilities
is a base of confidence in the technical implementation. This represents the quality of

the implementation from the perspective both of the design processes used and of the

manner in which the implementation was accomplished. Some examples of system
protections are residual information protection (also known as object reuse), least
privilege (or “need to know”), process separation, modularity, layering, and

minimization of what needs to be trusted.

4.4.1.2 Preventive Technical Controls

These controls, which can inhibit attempts to violate security policy, include the following:

• Authentication. The authentication control provides the means of verifying the
identity of a subject to ensure that a claimed identity is valid. Authentication

mechanisms include passwords, personal identification numbers, or PESfs, and

emerging authentication technology that provides strong authentication (e.g., token,

smart card, digital certificate, Kerberos).

• Authorization. The authorization control enables specification and subsequent
management of the allowed actions for a given system (e.g., the information owner or
the database administrator determines who can update a shared file accessed by a
group of online users).

• Access Control Enforcement. Data integrity and confidentiality are enforced by

access controls. When the subject requesting access has been authorized to access
particular processes, it is necessary to enforce the defined security policy (e.g., MAC
or DAC). These policy-based controls are enforced via access control mechanisms

distributed throughout the system (e.g., MAC sensitivity labels; DAC file permission
sets, access control lists, roles, user profiles). The effectiveness and the strength of

access control depend on the correctness of the access control decisions (e.g., how the
security rules are configured) and the strength of access control enforcement (e.g., the

design of software or hardware security).

• Nonrepudiation. System accountability depends on the ability to ensure that senders

cannot deny sending information and that receivers cannot deny receiving it.

Nonrepudiation spans both prevention and detection. It has been placed in the

prevention category in this guide because the mechanisms implemented prevent the

successful repudiation of an action (e.g., the digital certificate that contains the

owner’s private key is known only to the owner). As a result, this control is typically

applied at the point of transmission or reception.

• Protected Communications. In a distributed system, the ability to accomplish

security objectives is highly dependent on trustworthy communications. The

protected communications control ensures the integrity, availability, and

confidentiality of sensitive and critical information while it is in transit. Protected

communications use data encryption methods (e.g., virtual private network, Internet

Protocol Security [IPSEC] Protocol), and deployment of cryptographic technologies

(e.g.. Data Encryption Standard [DES], Triple DES, RAS, MD4, MD5, secure hash
standard, and escrowed encryption algorithms such as Clipper) to minimize network

threats such as replay, interception, packet sniffing, wiretapping, or eavesdropping.
]

I

i

SP 800-30 Page 34
j

i

• Transaction Privacy. Both government and private sector systems are increasingly

required to maintain the privacy of individuals. Transaction privacy controls (e.g.,

Secure Sockets Layer, secure shell) protect against loss of privacy with respect to

transactions performed by an individual.

4.4.1.3 Detection and Recovery Technical Controls

Detection controls warn of violations or attempted violations of security policy and include such

controls as audit trails, intrusion detection methods, and checksums. Recovery controls can be

used to restore lost computing resources. They are needed as a complement to the supporting

and preventive technical measures, because none of the measures in these other areas is perfect.

Detection and recovery controls include

—

• Audit. The auditing of security-relevant events and the monitoring and tracking of

system abnormalities are key elements in the after-the-fact detection of, and recovery

from, security breaches.

• Intrusion Detection and Containment. It is essential to detect security breaches

(e.g., network break-ins, suspicious activities) so that a response can occur in a timely

manner. It is also of little use to detect a security breach if no effective response can

be initiated. The intrusion detection and containment control provides these two

capabilities.

• Proof of Wholeness. The proof-of-wholeness control (e.g., system integrity tool)

analyzes system integrity and irregularities and identifies exposures and potential

threats. This control does not prevent violations of security policy but detects

violations and helps determine the type of corrective action needed.

• Restore Secure State. This service enables a system to return to a state that is

known to be secure, after a security breach occurs.

• Virus Detection and Eradication. Virus detection and eradication software installed

on servers and user workstations detects, identifies, and removes software viruses to

ensure system and data integrity.

4.4.2 Management Security Controls

Management security controls, in conjunction with technical and operational controls, are

implemented to manage and reduce the risk of loss and to protect an organization’s mission.

Management controls focus on the stipulation of information protection policy, guidelines, and

standards, which are carried out through operational procedures to fulfill the organization’s goals

and missions.

Management security controls—preventive, detection, and recovery—that are implemented to
reduce risk are described in Sections 4.4.2.1 through 4.4.2.3.

SP 800-30 Page 35

4.4.2.1 Preventive Management Security Controls

These controls include the following:

• Assign security responsibility to ensure that adequate security is provided for the

mission-critical IT systems

• Develop and maintain system security plans to document current controls and address
planned controls for IT systems in support of the organization’s mission

• Implement personnel security controls, including separation of duties, least privilege,

and user computer access registration and termination

• Conduct security awareness and technical training to ensure that end users and system

users are aware of the rules of behavior and their responsibilities in protecting the

organization’s mission.

4.4.2.2 Detection Management Security Controls

Detection management controls are as follows:

• Implement personnel security controls, including personnel clearance, background

investigations, rotation of duties

• Conduct periodic review of security controls to ensure that the controls are effective

• Perform periodic system audits

• Conduct ongoing risk management to assess and mitigate risk

• Authorize IT systems to address and accept residual risk.

4.4.2.3 Recovery Management Security Controls

These controls include the following:

• Provide continuity of support and develop, test, and maintain the continuity of

operations plan to provide for business resumption and ensure continuity of

operations during emergencies or disasters

• Establish an incident response capability to prepare for, recognize, report, and

respond to the incident and return the IT system to operational status.

4.4.3 Operational Security Controls

An organization’s security standards should establish a set of controls and guidelines to ensure
that security procedures governing the use of the organization’s IT assets and resources are

properly enforced and implemented in accordance with the organization’s goals and mission.

Management plays a vital role in overseeing policy implementation and in ensuring the

establishment of appropriate operational controls.

SP 800-30 Page 36

Operational controls, implemented in accordance with a base set of requirements (e.g., technical

controls) and good industry practices, are used to correct operational deficiencies that could be

exercised by potential threat-sources. To ensure consistency and uniformity in security

operations, step-by-step procedures and methods for implementing operational controls must be

clearly defined, documented, and maintained. These operational controls include those presented

in Sections 4.4.3.1 and 4.4.3.2 below.

4.4.3.1 Preventive Operational Controls

Preventive operational controls are as follows:

• Control data media access and disposal (e.g., physical access control, degaussing

method)

• Limit external data distribution (e.g., use of labeling)

• Control software viruses

• Safeguard computing facility (e.g., security guards, site procedures for visitors,

electronic badge system, biometrics access control, management and distribution of

locks and keys, barriers and fences)

• Secure wiring closets that house hubs and cables

• Provide backup capability (e.g., procedures for regular data and system backups,

archive logs that save all database changes to be used in various recovery scenarios)

• Establish off-site storage procedures and security

• Protect laptops, personal computers (PC), workstations

• Protect IT assets from fire damage (e.g., requirements and procedures for the use of

fire extinguishers, tarpaulins, dry sprinkler systems, halon fire suppression system)

• Provide emergency power source (e.g., requirements for uninterruptible power

supplies, on-site power generators)

• Control the humidity and temperature of the computing facility (e.g., operation of air

conditioners, heat dispersal).

4.4.3.2 Detection Operational Controls

Detection operational controls include the following:

• Provide physical security (e.g., use of motion detectors, closed-circuit television

monitoring, sensors and alarms)

• Ensure environmental security (e.g., use of smoke and fire detectors, sensors and

alarms).

4.5 COST-BENEFIT ANALYSIS

To allocate resources and implement cost-effective controls, organizations, after identifying all
possible controls and evaluating their feasibility and effectiveness, should conduct a cost-benefit

SP 800-30 Page 37

analysis for each proposed control to determine which controls are required and appropriate for

their circumstances.

The cost-benefit analysis can be qualitative or quantitative. Its purpose is to demonstrate that the
costs of implementing the controls can be justified by the reduction in the level of risk. For

example, the organization may not want to spend $1,000 on a control to reduce a $200 risk.

A cost-benefit analysis for proposed new controls or enhanced controls encompasses the
following:

• Determining the impact of implementing the new or enhanced controls

• Determining the impact of not implementing the new or enhanced controls

• Estimating the costs of the implementation. These may include, but are not limited
to, the following:

– Hardware and software purchases

– Reduced operational effectiveness if system performance or functionality is
reduced for increased security

– Cost of implementing additional policies and procedures

– Cost of hiring additional personnel to implement proposed policies, procedures, or

services

– Training costs

– Maintenance costs

• Assessing the implementation costs and benefits against system and data criticality to

determine the importance to the organization of implementing the new controls, given
their costs and relative impact.

The organization will need to assess the benefits of the controls in terms of maintaining an

acceptable mission posture for the organization. Just as there is a cost for implementing a

needed control, there is a cost for not implementing it. By relating the result of not
implementing the control to the mission, organizations can determine whether it is feasible to

forgo its implementation.

Cost-Benefit Analysis Example: System X stores and processes mission-critical and sensitive
employee privacy information; however, auditing has not been enabled for the system. A cost-
benefit analysis is conducted to determine whether the audit feature should be enabled for

System X.

Items (1) and (2) address the intangible impact (e.g., deterrence factors) for implementing or not

implementing the new control. Item (3) lists the tangibles (e.g., actual cost).

(1) Impact of enabling system audit feature: The system audit feature allows the system security

administrator to monitor users’ system activities but will slow down system performance and i

therefore affect user productivity. Also the implementation will require additional resources, as

described in Item 3.
j

I

SP 800-30 Page 38
I

(2) Impact of not enabling system audit feature: User system activities and violations cannot be

monitored and tracked if the system audit function is disabled, and security cannot be maximized

to protect the organization’s confidential data and mission.

(3) Cost estimation for enabling the system audit feature:

Cost for enabling system audit feature—No cost, built-in feature $ 0
Additional staff to perform audit review and archive, per year $ xx,xxx
Training (e.g., system audit configuration, report generation) $ x,xxx
Add-on audit reporting software $ x,xxx
Audit data maintenance (e.g., storage, archiving), per year $ x,xxx

Total Estimated Costs $ xx,xxx

The organization’s managers must determine what constitutes an acceptable level of mission

risk. The impact of a control may then be assessed, and the control either included or excluded,
after the organization determines a range of feasible risk levels. This range will vary among
organizations; however, the following rules apply in determining the use of new controls:

• If control would reduce risk more than needed, then see whether a less expensive

alternative exists

• If control would cost more than the risk reduction provided, then find something else

• If control does not reduce risk sufficiently, then look for more controls or a different

control

• If control provides enough risk reduction and is cost-effective, then use it.

Frequently the cost of implementing a control is more tangible than the cost of not implementing

it. As a result, senior management plays a critical role in decisions concerning the

implementation of control measures to protect the organizational mission.

4.6 RESIDUAL RISK

Organizations can analyze the extent of the risk reduction generated by the new or enhanced
controls in terms of the reduced threat likelihood or impact, the two parameters that define the

mitigated level of risk to the organizational mission.

Implementation of new or enhanced controls can mitigate risk by

—

• Eliminating some of the system’s vulnerabilities (flaws and weakness), thereby

reducing the number of possible threat-source/vulnerability pairs

• Adding a targeted control to reduce the capacity and motivation of a threat-source

For example, a department determines that the cost for installing and maintaining

add-on security software for the stand-alone PC that stores its sensitive files is not
justifiable, but that administrative and physical controls should be implemented to

SP 800-30 Page 39

make physical access to that PC more difficult (e.g., store the PC in a locked room,
with the key kept by the manager).

• Reducing the magnitude of the adverse impact (for example, limiting the extent of a

vulnerability or modifying the nature of the relationship between the IT system and

the organization’s mission).

The relationship between control implementation and residual risk is graphically presented in
Figure 4-4.

Figure 4-4. Implemented Controls and Residual Risk

The risk remaining after the implementation of new or enhanced controls is the residual risk.
Practically no IT system is risk free, and not all implemented controls can eliminate the risk they

are intended to address or reduce the risk level to zero.

As mandated by 0MB Circular A-130, an organization’s senior management or the DAA, who
are responsible for protecting the organization’s IT asset and mission, must authorize (or

accredit) the IT system to begin or continue to operate. This authorization or accreditation must

occur at least every 3 years or whenever major changes are made to the IT system. The intent of

this process is to identify risks that are not fully addressed and to determine whether additional

controls are needed to mitigate the risks identified in the IT system. For federal agencies, after

the appropriate controls have been put in place for the identified risks, the DAA will sign a
statement accepting any residual risk and authorizing the operation of the new IT system or the

continued processing of the existing IT system. If the residual risk has not been reduced to an

acceptable level, the risk management cycle must be repeated to identify a way of lowering the

residual risk to an acceptable level.

SP 800-30 Page 40

5. EVALUATION AND ASSESSMENT

In most organizations, the network itself will continually be expanded and updated, its

components changed, and its software applications replaced or updated with newer versions. In

addition, personnel changes will occur and security policies are likely to change over time.

These changes mean that new risks will surface and risks previously mitigated may again
become a concern. Thus, the risk management process is ongoing and evolving.

This section emphasizes the good practice and need for an ongoing risk evaluation and

assessment and the factors that will lead to a successful risk management program.

5.1 GOOD SECURITY PRACTICE

The risk assessment process is usually repeated at least every 3 years for federal agencies, as

mandated by OMB Circular A- 130. However, risk management should be conducted and
integrated in the SDLC for IT systems, not because it is required by law or regulation, but
because it is a good practice and supports the organization’s business objectives or mission.

There should be a specific schedule for assessing and mitigating mission risks, but the

periodically performed process should also be flexible enough to allow changes where

warranted, such as major changes to the IT system and processing environment due to changes

resulting from policies and new technologies.

5.2 KEYS FOR SUCCESS

A successful risk management program will rely on (1) senior management’s commitment; (2)
the full support and participation of the IT team (see Section 2.3); (3) the competence of the risk

assessment team, which must have the expertise to apply the risk assessment methodology to a

specific site and system, identify mission risks, and provide cost-effective safeguards that meet

the needs of the organization; (4) the awareness and cooperation of members of the user

community, who must follow procedures and comply with the implemented controls to
safeguard the mission of their organization; and (5) an ongoing evaluation and assessment of the

IT-related mission risks.

SP 800-30 Page 41

f

APPENDIX A: Sample Interview Questions

Interview questions should be tailored based upon where the IT system assessed is in the SDLC.
Sample questions to be asked during interviews with site personnel to gain an understanding of

the operational characteristics of an organization may include the following:

• Who are valid users?

• What is the mission of the user organization?

• What is the purpose of the system in relation to the mission?

• How important is the system to the user organization’s mission?

• What is the system-availability requirement?

• What information (both incoming and outgoing) is required by the organization?

• What information is generated by, consumed by, processed on, stored in, and
retrieved by the system?

• How important is the information to the user organization’s mission?

• What are the paths of information flow?

• What types of information are processed by and stored on the system (e.g., financial,
personnel, research and development, medical, command and control)?

• What is the sensitivity (or classification) level of the information?

• What information handled by or about the system should not be disclosed and to
whom?

• Where specifically is the information processed and stored?

• What are the types of information storage?

• What is the potential impact on the organization if the information is disclosed to
unauthorized personnel?

• What are the requirements for information availability and integrity?

• What is the effect on the organization’s mission if the system or information is not
reliable?

• How much system downtime can the organization tolerate? How does this downtime
compare with the mean repair/recovery time? What other processing or
communications options can the user access?

• Could a system or security malfunction or unavailability result in injury or death?

SP 800-30 Page A-1

I

APPENDIX B: SAMPLE RISK ASSESSMENT REPORT OUTLINE

EXECUTIVE SUMMARY

I. Introduction

• Purpose

• Scope of this risk assessment

Describe the system components, elements, users, field site locations (if any), and any other

details about the system to be considered in the assessment.

II. Risk Assessment Approach

Briefly describe the approach used to conduct the risk assessment, such as

—

• The participants (e.g., risk assessment team members)

• The technique used to gather information (e.g., the use of tools, questionnaires)

• The development and description of risk scale (e.g., a3x3, 4×4, or 5×5 risk-level
matrix).

in. System Characterization

Characterize the system, including hardware (server, router, switch), software (e.g., application,

operating system, protocol), system interfaces (e.g., communication link), data, and users.

Provide connectivity diagram or system input and output flowchart to delineate the scope of this

risk assessment effort.

IV. Threat Statement

Compile and list the potential threat-sources and associated threat actions applicable to the

system assessed.

V. Risk Assessment Results

List the observations (vulnerability/threat pairs). Each observation must include

—

• Observation number and brief description of observation (e.g.. Observation 1: User

system passwords can be guessed or cracked)

• A discussion of the threat-source and vulnerability pair
• Identification of existing mitigating security controls

• Likelihood discussion and evaluation (e.g.. High, Medium, or Low likelihood)
• Impact analysis discussion and evaluation (e.g.. High, Medium, or Low impact)
• Risk rating based on the risk-level matrix (e.g., High, Medium, or Low risk level)
• Recommended controls or alternative options for reducing the risk.

VI. Summary

Total the number of observations. Summarize the observations, the associated risk levels, the

SP 800-30 PageB-1

recommendations, and any comments in a table format to facilitate the
implementation of

recommended controls during the risk mitigation process.

SP 800-30
Page B-2

§
. . a
ON.

â
j3

•3
1

9i

00

IS

1 V O

C« PL, U

^ .2 ‘E

a o

0) .S£i

CO
S 3

^ – 3 cr
^, – W O “O « CD

Q. (/} (/} CO 0) n]

o

(0 Q. is (n

o oo o
CM CM

I I

1- CM
I I

N
> E isX o o

en ca

CO

io— —

•

CO
is
OT C ^ W= C CD “F

CD CO Q-.t
^ E p E E
CO (C -D O CO

O CD 0?

3 .ii’ c«
CDo c ^

CD

E

T- 2: CO CO

CD

o c
CC O
CO ^
b c

CO
CO
0
o
o
CO

CO
0 0

0 = x:
5

CO o
Q ^ O

CO
c
0
CO

CO
0)

O Q C3)

SI

X

0
>

^ CO~ c
O 0

*- ^ CO
CO 0) (0 0
«0 £ CO O

D
c
o
_c

5
o

Q B

I 18
o

>- 5 Jo 2 ^ ^
S 0 w ^ o 9

•— O O O ~ CO J

O)

c
CC
o
CO
^0 ^

CO
Q)^ CO

0 !c:

M ° o

0
0 £
> *-

„.|
0
CO “300 =
CO

5 >^

-Q Q.

c Q
“J z:

CO

E 05
O O)

CO

C 6 c
(U cj gj

§ §

52 S >-|C D (1)

•c a

c P

4^

2 ? .sM c3
J 55 S

SP 800-30 Page C-1

I

I

APPENDIX D: ACRONYMS

AES Advanced Encryption Standard

CSA Computer Security Act

DAA Designated Approving Authority

DAC Discretionary Access Control

DBS Data Encryption Standard

FedCIRC Federal Computer Incident Response Center

FTP File Transfer Protocol

ID Identifier

IPSEC Internet Security Protocol

ISSO Information system security officer

IT Information Technology

ITL Information Technology Laboratory

MAC Mandatory Access Control

NIPC National Infrastructure Protection Center

NIST National Institute of Standards and Technology

OIG Office of Inspector General

0MB Office of Management and Budget

PC Personal Computer

SDLC System Development Life Cycle

SP Special Publication

ST&E Security Test and Evaluation

SP 800-30

I

APPENDIX E: GLOSSARY

TERM

Accountability

Assurance

Availability

Confidentiality

Denial of Service

Due Care

Integrity

DEFINITION

The security goal that generates the requirement for actions of an entity to

be traced uniquely to that entity. This supports nonrepudiation, deterrence,

fault isolation, intrusion detection and prevention, and after-action recovery

and legal action.

Grounds for confidence that the other four security goals (integrity,

availability, confidentiality, and accountability) have been adequately met

by a specific implementation. “Adequately met” includes (1) functionality

that performs correctly, (2) sufficient protection against unintentional errors

(by users or software), and (3) sufficient resistance to intentional penetration

or bypass.

The security goal that generates the requirement for protection against

—

• Intentional or accidental attempts to (1) perform unauthorized deletion

of data or (2) otherwise cause a denial of service or data

• Unauthorized use of system resources.

The security goal that generates the requirement for protection from

intentional or accidental attempts to perform unauthorized data reads.

Confidentiality covers data in storage, during processing, and in transit.

The prevention of authorized access to resources or the delaying of time-

critical operations.

Managers and their organizations have a duty to provide for information

security to ensure that the type of control, the cost of control, and the

deployment of control are appropriate for the system being managed.

The security goal that generates the requirement for protection against either

intentional or accidental attempts to violate data integrity (the property that

data has when it has not been altered in an unauthorized manner) or system
integrity (the quality that a system has when it performs its intended
function in an unimpaired manner, free from unauthorized manipulation).

SP 800-30 Page E-1

IT-Related Risk

IT Security Goal

Risk

Risk Assessment

Risk Management

Security

Security Goals

Threat

Threat-source

Threat Analysis

Vulnerability

SP 800-30

The net mission impact considering (1) the probability that a particular
threat-source will exercise (accidentally trigger or intentionally exploit) a

particular information system vulnerability and (2) the resulting impact if

this should occur. IT-related risks arise from legal liability or mission loss

due to

—

1 . Unauthorized (malicious or accidental) disclosure, modification, or

destruction of information

2. Unintentional errors and omissions

3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and

operation of the IT system.

See Security Goals

Within this document, synonymous with IT-Related Risk.

The process of identifying the risks to system security and determining the
probability of occurrence, the resulting impact, and additional safeguards

that would mitigate this impact. Part of Risk Management and synonymous
with Risk Analysis.

The total process of identifying, controlling, and mitigating information

system-related risks. It includes risk assessment; cost-benefit analysis; and

the selection, implementation, test, and security evaluation of safeguards.

This overall system security review considers both effectiveness and

efficiency, including impact on the mission and constraints due to policy,

regulations, and laws.

Information system security is a system characteristic and a set of

mechanisms that span the system both logically and physically.

The five security goals are integrity, availability, confidentiality,

accountability, and assurance.

The potential for a threat-source to exercise (accidentally trigger or

intentionally exploit) a specific vulnerability.

Either (1) intent and method targeted at the intentional exploitation of a

vulnerability or (2) a situation and method that may accidentally trigger a
vulnerability.

The examination of threat-sources against system vulnerabilities to

determine the threats for a particular system in a particular operational

environment.

A flaw or weakness in system security procedures, design, implementation,
or internal controls that could be exercised (accidentally triggered or

intentionally exploited) and result in a security breach or a violation of the

system’s security policy.

Page E-2

APPENDIX F: REFERENCES

Computer Systems Laboratory Bulletin. Threats to Computer Systems: An Overview.
March 1994.

NIST Interagency Reports 4749. Sample Statements of Workfor Federal Computer Security

Services: For Use In-House or Contracting Out. December 1991.

NIST Special Publication 800-12. An Introduction to Computer Security: The NIST Handbook.
October 1995.

NIST Special Publication 800-14. Generally Accepted Principles and Practicesfor Securing

Information Technology Systems. September 1996. Co-authored with Barbara Guttman.

NIST Special Publication 800-18. Guide For Developing Security Plans for Information
Technology Systems. December 1998. Co-authored with Federal Computer Security Managers’

Forum Working Group.

NIST Special Publication 800-26, Security Self-Assessment Guidefor Information Technology
Systems. August 2001.

NIST Special Publication 800-27. Engineering Principles for IT Security . June 2001.

0MB Circular A- 130. Management ofFederal Information Resources. Appendix HI.
November 2000.

SP 800-30 Page F-1

1

Technical Publications

Periodical

Journal of Research of the National Institute of Standards and Technology—Reports NIST research
and development in those disciplines of the physical and engineering sciences in which the Institute is

active. These include physics, chemistry, engineering, mathematics, and computer sciences. Papers cover a

broad range of subjects, with major emphasis on measurement methodology and the basic technology

underlying standardization. Also included from time to time are survey articles on topics closely related to

the Institute’s technical and scientific programs. Issued six times a year.

Nonperiodicals

Monographs—Major contributions to the technical literature on various subjects related to the Institute’s
scientific and technical activities.

Handbooks—Recommended codes of engineering and industrial practice (including safety codes)
developed in cooperation with interested industries, professional organizations, and regulatory bodies.

Special Publications—Include proceedings of conferences sponsored by NIST, NIST annual reports, and
other special publications appropriate to this grouping such as wall charts, pocket cards, and bibliographies.

National Standard Reference Data Series—Provides quantitative data on the physical and chemical
properties of materials, compiled from the world’s literature and critically evaluated. Developed under a

worldwide program coordinated by NIST under the authority of the National Standard Data Act (Public
Law 90-396). NOTE: The Journal of Physical and Chemical Reference Data (JPCRD) is published
bimonthly for NIST by the American Institute of Physics (AIP). Subscription orders and renewals are
available from AIP, P.O. Box 503284, St. Louis, MO 63150-3284.
Building Science Series—Disseminates technical information developed at the Institute on building
materials, components, systems, and whole structures. The series presents research results, test methods,
and performance criteria related to the structural and environmental functions and the durability and safety

characteristics of building elements and systems.

Technical Notes—Studies or reports which are complete in themselves but restrictive in their treatment of
a subject. Analogous to monographs but not so comprehensive in scope or definitive in treatment of the

subject area. Often serve as a vehicle for final reports of work performed at NIST under the sponsorship of
other government agencies.

Voluntary Product Standards—Developed under procedures published by the Department of Commerce
in Part 10, Title 15, of the Code of Federal Regulations. The standards establish nationally recognized
requirements for products, and provide all concerned interests with a basis for common understanding of
the characteristics of the products. NIST administers this program in support of the efforts of private-sector
standardizing organizations.

Order the following NISTpublications—FIPS and NISTIRs—from the National Technical Information
Service, Springfield, VA 22161.

Federal Information Processing Standards Publications (FIPS PUB)—Publications in this series
collectively constitute the Federal Information Processing Standards Register. The Register serves as the
official source of information in the Federal Government regarding standards issued by NIST pursuant to
the Federal Property and Administrative Services Act of 1949 as amended. Public Law 89-306 (79 Stat.
1127), and as implemented by Executive Order 11717 (38 FR 12315, dated May 11, 1973) andPart6of
Title 15 CFR (Code of Federal Regulations).
NIST Interagency or Internal Reports (NISTIR)—The series includes interim or final reports on work
performed by NIST for outside sponsors (both goverrunent and nongovernment). In general, initial
distribution is handled by the sponsor; public distribution is handled by sales through the National

Technical Information Service, Springfield, VA 22161, in hard copy, electronic media, or microfiche form.
NISTIR’ s may also report results of NIST projects of transitory or limited interest, including those that will
be published subsequently in more comprehensive form.

o on
8

C >

O (t

THE DIGITAL AGE
T H E D E F I N I T I V E C Y B E R S E C U R I T Y G U I D E

F O R D I R E C T O R S A N D O F F I C E R S

NAVIGATING THE DIGITAL AGE:
The Defi nitive Cybersecurity Guide

for Directors and Offi cers

Published by

SecurityRoundtable.org

Navigating the Digital Age: The Defi nitive
Cybersecurity Guide for Directors and
Offi cers

Publisher: Tim Dempsey

Editor: Matt Rosenquist

Design and Composition: Graphic World, Inc.

Printing and Binding: Transcontinental Printing

Navigating the Digital Age: The Defi nitive Cybersecurity Guide for Directors and Offi cers
is published by:
Caxton Business & Legal, Inc.
27 North Wacker Drive, Suite 601
Chicago, IL 60606
Phone: +1 312 361 0821
Email: [email protected]

First published: 2015
ISBN: 978-0-9964982-0-3

Navigating the Digital Age: The Defi nitive Cybersecurity Guide for Directors and Offi cers
© October 2015

Cover illustration by Tim Heraldo

Copyright in individual chapters rests with the authors. No photocopying: copyright licenses do not apply.

DISCLAIMER

Navigating the Digital Age: The Defi nitive Cybersecurity Guide for Directors and Offi cers (the Guide) contains
summary information about legal and regulatory aspects of cybersecurity governance and is current as of

the date of its initial publication (October 2015). Although the Guide may be revised and updated at some

time in the future, the publishers and authors do not have a duty to update the information contained in

the Guide, and will not be liable for any failure to update such information. The publishers and authors

make no representation as to the completeness or accuracy of any information contained in the Guide.

This guide is written as a general guide only. It should not be relied upon as a substitute for specifi c

professional advice. Professional advice should always be sought before taking any action based on the

information provided. Every effort has been made to ensure that the information in this guide is correct at

the time of publication. The views expressed in this guide are those of the authors. The publishers and

authors do not accept responsibility for any errors or omissions contained herein. It is your responsibility

to verify any information contained in the Guide before relying upon it.

iii ■

Introduction
New York Stock Exchange – Tom Farley, President

No issue today has created more concern within corporate
C-suites and boardrooms than cybersecurity risk. With
the ability to shatter a company’s reputation with their
customers and draw criticism from shareholders, lawsuits
from affected parties, and attention from the media, the
threat of cyber risk is ubiquitous and insidious. No com-
pany, region, or industry is immune, which makes the
responsibility to oversee, manage, and mitigate cyber risk
a top-down priority in every organization.

The New York Stock Exchange has long advocated that
exemplary governance and risk oversight is fundamental
to the health of individual companies, as well as to the
sound operation of our capital markets. In other words,
we too take the threat very seriously. Today, managing
cybersecurity risk has expanded far beyond the realm of
IT; it has become a business continuity necessity to ensure
shareholder value remains intact and that privacy and
corporate intellectual property is protected. Accordingly,
those responsibilities are weighing heavily on corporate
executives and directors, making it vital for them to better
understand and prepare for the evolving cybersecurity
landscape.

Cyber risk ultimately poses a threat to confi dence, a
foundational aspect of U.S. corporate issuers and markets.
We are taking a leadership role on many fronts, such as
reducing market fragmentation and complexity, as well
as increasing effi ciency through the highest levels of
intelligence, analytics, and technology. Confi dence in the
integrity and security of our assets is concurrent with our
success—as it is for every other company operating in the
public markets today.

Moreover, because the public markets have become
increasingly reliant on interdependent technology sys-
tems, the threat looms even larger. As we witnessed dur-
ing the 2008 fi nancial crisis, rarely does any failure happen
in a vacuum; therefore, the threat of systemic disruption
has taken on an even higher level of prominence and
concern among regulators and policymakers worldwide.

It is important that companies remain vigilant, taking
steps to proactively and intelligently address cybersecurity

■ iv

INTRODUCTION

risk within their organizations. Beyond the
technological solutions developed to defend
and combat breaches, we can accomplish
even more through better training, aware-
ness, and insight on human behavior.
Confi dence, after all, is not a measure of
technological systems, but of the people who
are entrusted to manage them.

With insights from the preeminent
authorities on cybersecurity today, this
groundbreaking, practical guide to cyberse-
curity has been developed to refl ect a body
of knowledge that is unsurpassed on this
topic. At the heart of effective risk manage-
ment must be a thorough understanding of
the risks as well as pragmatic solutions.
Thank you for your continued partnership
with the New York Stock Exchange, and we
look forward to continuing to support your
requirements in this dynamic landscape.

v ■

Foreword
Visa Inc. – Charles W. Scharf, CEO

For years, cybersecurity was an issue that consumers,
executive management, and boards of directors took for
granted. They were able to do so because the technolo-
gists did not. The technologists worked every day to
protect their systems from attack, and they were quite
effective for many years. We sit here today in a very dif-
ferent position. The threats are bigger than ever before
and growing in frequency and severity every day.
Cybersecurity is now something everyone needs to think
about, whether it’s in your personal or professional life.
What worked in the past is not enough to protect us in the
present and future.

So what has changed?
First of all, the technology platforms of today are big-

ger targets than ever given the breadth and criticality of
items they control. Second, the amount and value of the
data that we all produce and store has grown exponen-
tially. The data is a gold mine for criminals. Third, the
interconnectedness of the world just makes it easier for
more people—regardless of geography—to be able to
steal or disrupt. And fourth, the perpetrators are more
sophisticated, better organized, better funded, and harder
to bring to justice than ever before.

So the problem is different, and what we all do about it
is different.

This is not simply an IT issue. It is a business prob-
lem of the highest level. Protecting our data and our
systems is core to business today. And that means that
having an outstanding cybersecurity program also
can’t detract from our objectives around innovation,
speed, and performance.

Security has been a top priority at Visa for decades. It
is foundational to delivering our brand promise. To be
the best way to pay and be paid, we must be the most
secure way to pay and be paid. We cannot ask people to
use our products unless they believe that we are just that.
Thus we must guard carefully both the security of our
own network and company and the security of the broader
payments ecosystem.

■ vi

accounts had been compromised—a pivotal
moment for our industry.

The losses experienced by our clients,
combined with the impact on consumer con-
fi dence, galvanized our industry to take
actions that, we believe, will have a mean-
ingful and lasting effect on how the world
manages sensitive consumer data—not just
payments.

We are taking action as an ecosystem, to
collaborate and share information across
industries and with law enforcement and
governments and to develop new technolo-
gies that will allow us to prevent attacks and
respond to threats in the future.

� Protect payments at physical retailers.
Fraudsters have targeted the point-of-
sale environment at leading U.S. retailers,
capturing consumer account information
and forcing the reissuance of millions
of payment cards. As an industry we
are rapidly introducing EMV (Europay,
MasterCard, and Visa) chip payment
technology in the United States. Chip-
enabled payment cards and terminals
work in concert to generate dynamic
data with each transaction, rendering the
transaction data useless to fraudsters.

� Protect online payments. Consumer
purchases online and with mobile devices
are growing at a signifi cant rate. In order
to prevent cyberattacks and fraudulent
use of consumer accounts online, Visa and
the global payments industry adopted
a new payment standard for online
payments. The new standard replaces the
16-digit account number with a digital
token that is used to process online
payments without exposing consumer
account information.

� Collaborate and share information.
Sharing threat intelligence is a necessity
rather than a “nice to have,” allowing
merchants, fi nancial institutions, and
payment networks like Visa to rapidly
detect and respond to cyberattacks.
Public and private partnerships are
also critical to creating the most robust

There are several elements that we have
found to be critical to ensuring an effective
security program at Visa.

� Be open and honest about the effectiveness
of your security program and regularly
share an honest assessment of your security
posture with the executive team and board.

We use a data-driven approach that scores
our program across fi ve categories: risk
intelligence, malware prevention, vulner-
ability management, identity and access
management, and detection and response.
Scores move up and down not only as our
defenses improve or new vulnerabilities
are discovered but also as threats change.
The capabilities of the adversaries are
growing, and you need a dynamic
approach to measurement.

� Invest in security before investing
elsewhere. A well-controlled environment
gives you the license to do other things.
Great and innovative products and
services will only help you win if you
have a well-protected business.

� Don’t leave the details to others. Active,
hands-on engagement by the executive
team and the board is required. The risk
is existential. Nothing is more important.
Your involvement will produce better
results as well as make sure the whole
organization understands just how
important the issue is.

� Never think you’ve done enough. The
bad guys are smart and getting smarter.
They aren’t resting, and they have more
resources than ever. Assume they will
attack.

Defending against cyberthreats is not some-
thing that we can solve for our company in a
vacuum. At Visa, we must protect not only
our own network but the whole payments
ecosystem. This came to life for us in late
2013 when some of the largest U.S. retailers
and fi nancial institutions in the U.S. reported
data breaches. Tens of millions of consumer

FOREWORD

vii ■

FOREWORD

community of threat intelligence, so we
also work closely with law enforcement
and governments. At the heart of Visa’s
security strategy is the concept of “cyber
fusion,” which is centered on the principle
of shared intelligence—a framework to
collect, analyze, and leverage cyberthreat
intelligence, internally and externally,
to build a better defense for the whole
ecosystem.

Championing security is one of Visa’s six
strategic goals. This is an area where there
are no grades—it is pass or fail, and pass is
the only option. Cybersecurity needs to be
part of the fabric of every company and
every industry, integrated into every busi-
ness process and every employee action.
And it begins and ends at the top. It is job
number one.

■ viii

TABLE OF CONTENTS
iii INTRODUCTION

New York Stock Exchange — Tom Farley, President

v FOREWORD
Visa Inc. — Charles W. Scharf, CEO

Introductions — The cyberthreat in the digital age
3 1. PREVENTION: CAN IT BE DONE?

Palo Alto Networks Inc. — Mark McLaughlin, CEO

9 2. THE THREE Ts OF THE CYBER ECONOMY
The Chertoff Group — Michael Chertoff, Executive Chairman
and Former United States Secretary of Homeland Security and Jim
Pfl aging, Principal

17 3. CYBER GOVERNANCE BEST PRACTICES
Georgia Institute of Technology, Institute for Information
Security & Privacy — Jody R. Westby, Esq., Adjunct Professor

27 4. INVESTORS’ PERSPECTIVES ON CYBER RISKS: IMPLICATIONS FOR BOARDS
Institutional Shareholder Services Inc. — Patrick McGurn,
ISS Special Counsel and Martha Carter, ISS Global Head
of Research

33 5. TOWARD CYBER RISKS MEASUREMENT
World Economic Forum — Elena Kvochko, co-author of
Towards the Quantifi cation of Cyber Threats report and Danil
Kerimi, Director, Center for Global Industries

37 6. THE EVOLVING CYBERTHREAT AND AN ARCHITECTURE
FOR ADDRESSING IT
Internet Security Alliance — Larry Clinton, CEO

43 7. EFFECTIVE CYBER RISK MANAGEMENT: AN INTEGRATED APPROACH
Former CIO of The United States Department
of Energy — Robert F. Brese

I. Cyber risk and the board of directors
51 8. THE RISKS TO BOARDS OF DIRECTORS AND BOARD MEMBER

OBLIGATIONS
Orrick, Herrington & Sutcliffe LLP — Antony Kim, Partner;
Aravind Swaminathan, Partner; and Daniel Dunne, Partner

TABLE OF CONTENTS

ix ■

TABLE OF CONTENTS

57 9. WHERE CYBERSECURITY MEETS CORPORATE SECURITIES: THE SEC’S
PUSH TO REGULATE PUBLIC COMPANIES’ CYBER DEFENSES
AND DISCLOSURES
Fish & Richardson P.C. — Gus P. Coldebella, Principal
and Caroline K. Simons, Associate

65 10. A CYBERSECURITY ACTION PLAN FOR CORPORATE BOARDS
Internet Security Alliance and National Association
of Corporate Directors — Larry Clinton, CEO of ISA
and Ken Daly, President and CEO of NACD

71 11. ESTABLISHING A BOARD-LEVEL CYBERSECURITY REVIEW BLUEPRINT
Stroz Friedberg LLC — Erin Nealy Cox, Executive Managing
Director

79 12. DEMYSTIFYING CYBERSECURITY STRATEGY AND REPORTING:
HOW BOARDS CAN TEST ASSUMPTIONS
Dell SecureWorks — Mike Cote, CEO

II. Cyber risk corporate structure
87 13. THE CEO’S GUIDE TO DRIVING BETTER SECURITY BY ASKING THE RIGHT

QUESTIONS
Palo Alto Networks Inc. — Davis Hake, Director
of Cybersecurity Strategy

91 14. ESTABLISHING THE STRUCTURE, AUTHORITY, AND PROCESSES TO CREATE
AN EFFECTIVE PROGRAM
Coalfi re — Larry Jones, CEO and Rick Dakin, CEO
(2001-2015)

III. Cybersecurity legal and regulatory
considerations

101 15. SECURING PRIVACY AND PROFIT IN THE ERA OF HYPERCONNECTIVITY
AND BIG DATA
Booz Allen Hamilton — Bill Stewart, Executive
Vice President; Dean Forbes, Senior Associate, Agatha O’Malley,
Senior Associate, Jaqueline Cooney, Lead Associate and
Waiching Wong, Associate

107 16. OVERSIGHT OF COMPLIANCE AND CONTROL RESPONSIBILITIES
Data Risk Solutions: BuckleySandler LLP & Treliant Risk
Advisors LLC — Elizabeth McGinn, Partner; Rena Mears,
Managing Director; Stephen Ruckman, Senior Associate;
Tihomir Yankov, Associate; and Daniel Goldstein, Senior
Director

■ x

TABLE OF CONTENTS

115 17. RISKS OF DISPUTES AND REGULATORY INVESTIGATIONS RELATED
TO CYBERSECURITY MATTERS
Baker & McKenzie — David Lashway, Partner; John Woods,
Partner; Nadia Banno, Counsel, Dispute Resolution; and
Brandon H. Graves, Associate

121 18. LEGAL CONSIDERATIONS FOR CYBERSECURITY INSURANCE
K&L Gates LLP — Roberta D. Anderson, Partner

129 19. CONSUMER PROTECTION: WHAT IS IT?
Wilson Elser Moskowitz Edelman & Dicker LLP — Melissa
Ventrone, Partner and Lindsay Nickle, Partner

137 20. PROTECTING TRADE SECRETS IN THE AGE OF CYBERESPIONAGE
Fish & Richardson P.C. — Gus P. Coldebella, Principal

143 21. CYBERSECURITY DUE DILIGENCE IN M&A TRANSACTIONS: TIPS
FOR CONDUCTING A ROBUST AND MEANINGFUL PROCESS
Latham & Watkins LLP — Jennifer Archie, Partner

151 22. INTERNATIONAL INFLECTION POINT—COMPANIES, GOVERNMENTS,
AND RULES OF THE ROAD
Kaye Scholer LLP — Adam Golodner, Partner

157 23. MANAGING THIRD-PARTY LIABILITY USING THE SAFETY ACT
Pillsbury Winthrop Shaw Pittman LLP — Brian Finch,
Partner

163 24. COMBATING THE INSIDER THREAT: REDUCING SECURITY RISKS
FROM MALICIOUS AND NEGLIGENT EMPLOYEES
Littler Mendelson P.C. — Philip L. Gordon, Esq., Co-Chair,
Privacy and Background Checks Practice Group

IV: Comprehensive approach to
cybersecurity

171 25. DEVELOPING A CYBERSECURITY STRATEGY: THRIVE IN AN EVOLVING
THREAT ENVIRONMENT
Booz Allen Hamilton — Bill Stewart, Executive
Vice President; Sedar LaBarre, Vice President; Matt Doan,
Senior Associate; and Denis Cosgrove, Senior Associate

177 26. DESIGNING A CYBER FUSION CENTER: A UNIFIED APPROACH
WITH DIVERSE CAPABILITIES
Booz Allen Hamilton — Bill Stewart, Executive Vice President;
Jason Escaravage, Vice President; and Christian Paredes,
Associate

xi ■

V. Design best practices
187 27. WHAT ARE THEY AFTER? A THREAT-BASED APPROACH TO CYBERSECURITY

RISK MANAGEMENT
Intercontinental Exchange & New York Stock
Exchange — Jerry Perullo, CISO

193 28. BREAKING THE STATUS QUO: DESIGNING FOR BREACH PREVENTION
Palo Alto Networks Inc.

VI. Cybersecurity beyond your network
207 29. SUPPLY CHAIN AS AN ATTACK CHAIN

Booz Allen Hamilton — Bill Stewart, Executive
Vice President; Tony Gaidhane, Senior Associate;
and Laura Eise, Lead Associate

213 30. MANAGING RISK ASSOCIATED WITH THIRD-PARTY OUTSOURCING
Covington & Burling LLP — David N. Fagan, Partner;
Nigel L. Howard, Partner; Kurt Wimmer, Partner; Elizabeth H.
Canter, Associate; and Patrick Redmon, Summer Associate

219 31. A NEW LOOK AT AN OLD THREAT IN CYBERSPACE: THE INSIDER
Delta Risk LLC — Thomas Fuhrman, President

229 32. THE INTERNET OF THINGS
The Chertoff Group — Mark Weatherford, Principal

VII. Incident response
237 33. WORKING WITH LAW ENFORCEMENT IN CYBER INVESTIGATIONS

U.S. Department of Justice — CCIPS Cybersecurity Unit

243 34. PLANNING, PREPARATION, AND TESTING FOR AN ENTERPRISE-WIDE
INCIDENT RESPONSE
Booz Allen Hamilton — Jason Escaravage, Vice President;
Anthony Harris, Senior Associate; James Perry, Senior Associate;
and Katie Stefanich, Lead Associate

249 35. DETECTION, ANALYSIS, AND UNDERSTANDING OF THREAT VECTORS
Fidelis Cybersecurity — Jim Jaeger, Chief Cyber Strategist

255 36. FORENSIC REMEDIATION
Fidelis Cybersecurity — Jim Jaeger, Chief Cyber Strategist
and Ryan Vela, Regional Director, Northeastern North America
Cybersecurity Services

TABLE OF CONTENTS

■ xii

TABLE OF CONTENTS

261 37. LESSONS LEARNED—CONTAINMENT AND ERADICATION
Rackspace Inc. — Brian Kelly, Chief Security Offi cer

267 38. CYBER INCIDENT RESPONSE
BakerHostetler — Theodore J. Kobus, Partner and Co-Leader,
Privacy and Data Protection; Craig A. Hoffman, Partner;
and F. Paul Pittman, Associate

275 39. COMMUNICATING AFTER A CYBER INCIDENT
Sard Verbinnen & Co — Scott Lindlaw, Principal

VIII. Cyber risk management
investment decisions

283 40. OPTIMIZING INVESTMENT TO MINIMIZE CYBER EXPOSURE
Axio Global, LLC — Scott Kannry, CEO and David White,
Chief Knowledge Offi cer

289 41. INVESTMENT IN CYBER INSURANCE
Lockton Companies Inc. — Ben Beeson, Senior Vice President,
Cybersecurity Practice

IX. Cyber risk and workforce development
297 42. CYBER EDUCATION: A JOB NEVER FINISHED

NYSE Governance Services — Adam Sodowick, President

301 43. COLLABORATION AND COMMUNICATION BETWEEN TECHNICAL
AND NONTECHNICAL STAFF, BUSINESS LINES AND EXECUTIVES
Wells Fargo & Company — Rich Baich, CISO

307 44. CYBERSECURITY READINESS THROUGH WORKFORCE DEVELOPMENT
Booz Allen Hamilton — Lori Zukin, Principal; Jamie Lopez,
Senior Associate; Erin Weiss Kaya, Lead Associate; and Andrew
Smallwood, Lead Associate

313 45. BUILDING A CYBER-SAVVY BOARD
Korn Ferry — Jamey Cummings, Senior Client Partner;
Joe Griesedieck, Vice Chairman and Co-Leader, Board and
CEO Services; and Aileen Alexander, Senior Client Partner

319 46. EVALUATING AND ATTRACTING YOUR NEXT CISO: MORE SOPHISTICATED
APPROACHES FOR A MORE SOPHISTICATED ROLE
Egon Zehnder — Kal Bittianda, Selena Loh LaCroix,
and Chris Patrick

325 CONTRIBUTOR PROFILES

Electronic version of this guide and additional content available at: SecurityRoundtable.org

Introductions — The
cyberthreat in the digital age

3 ■

Palo Alto Networks Inc. – Mark McLaughlin, CEO

Prevention: Can it be done?

Frequent headlines announcing the latest cyber breach of
a major company, government agency, or organization are
the norm today, begging the questions of why and will it
ever end?

The reason cybersecurity is ingrained in news cycles,
and receives extraordinary investments and focus from
businesses and governments around the world, is the
growing realization that these breaches are putting our
very digital lifestyle at risk. This is not hyperbole. More
and more, we live in the digital age, in which things that
used to be real and tangible are now machine-generated or
only exist as bits and bytes. Consider your bank account
and total absence of tangible money or legal tender that
underlies it; you trust that the assets exist because you can
“see” them when you log in to your account on the fi nan-
cial institution’s website. Or the expectation you have that
light, water, electricity, and other utility services will work
on command, despite your having little to no idea of how
the command actually results in the outcome. Or the com-
fort in assuming that of the 100,000 planes traversing the
globe on an average day, all will fl y past each other at safe
distances and take off and land at proper intervals. Now,
imagine that this trust, reliance, and comfort could not be
taken for granted any longer and the total chaos that
would ensue. This is the digital age; and with all the effi –
ciencies and productivity that has come with it, more and
more we trust that it will just “work.”

This reliance on digital systems is why the tempo of
concern due to cyberattacks is rising so rapidly. Business
leaders, government leaders, education leaders, and mili-
tary leaders know that there is a very fi ne line separating
the smoothly functioning digital society built on trust and
the chaotic breakdown in society resulting from the ero-
sion of that trust. And it is eroding quickly. Why is that,
and do we have any analogies? And, more importantly,
can it be fi xed?

■ 4

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

attack, responses are highly manual in
nature. Unfortunately, humans facing off
against machines have little to no leverage,
and cyber expertise is increasingly hard to
come by in the battle for talent. Flipping the
cost curve on its head with automation and
a next-generation, natively integrated secu-
rity platform is required if there is any hope
of reducing the “breach du jour” headlines.
(See Figure 2.)

It is unlikely that the number of attacks
will abate over time. On the contrary, there is
every reason to expect that their number will
continue to grow. In fact, we can also expect
that the “attack surface” and potential tar-
gets will also continue to grow as we con-
stantly increase the connections of various
things to the Internet.

An understandable but untenable
response to this daunting threat environ-
ment is to assume that prevention is impos-
sible, so we must simply detect and respond
to all intrusions. The fundamental problem
with this approach is that without signifi cant
prevention no combination of people, pro-
cess, and technology can prioritize and
respond to every intrusion that could signifi –
cantly impact a network and those who rely
on it. The math problem is simply insur-
mountable. Quite simply, detection and
response should be supplements to, instead
of substitutes for, prevention.

■ Machine vs. human
At the heart of the cybersecurity battle is a
math problem. It is relatively simple to
understand, but hard to correct. One of the
negative offshoots of the ever-decreasing
cost of computing power is the ability for
cyber criminals and adversaries to launch
increasingly numerous and sophisticated
attacks at lower and lower costs. Today,
bad actors without the capability to develop
their own tools can use existing malware
and exploits that are often free or inex-
pensive to obtain online. Similarly,
advanced hackers, criminal organizations,
and nation-states are able to use these
widely available tools to launch successful
intrusions and obscure their identity. These
sophisticated adversaries are also develop-
ing and selectively using unique tools that
could cause even greater harm. This all
adds up to tremendous leverage for the
attackers. (See Figure 1.)

In the face of this increasing onslaught in
the sheer number of attacks and levels of
sophistication, the defender is generally
relying on decades-old core security tech-
nology, often cobbled together in multiple
layers of point products; there is no true
visibility of the situation, nor are the point
products designed to communicate with
each other. As a result, to the extent attacks
are detected or lessons are learned from an

The attack math

Number of
successful attacks

Cost of launching a
successsful attack

FIGURE As computing power becomes less
expensive,the cost for launching automated
attacks decreases. This allows the number

of attacks to increase at a given cost.

5 ■

PREVENTION: CAN IT BE DONE?

U.S. Suddenly, the very way of life in the
Western world was deemed, appropriately
so, at risk. The comfort and confi dence of
living in a well-protected and prosperous
environment was shattered as citizens lost
trust in their ability to follow their daily rou-
tines and way of life. It appeared as though
there was an insurmountable technological
lead, and everywhere people turned there
was anxiety and cascading bad news.

In the years immediately following
Sputnik, the main focus was on how to sur-
vive a post–nuclear-war world. Items like
backyard bomb shelters and nonperishable
food items were in great demand, and
schools were teaching duck-and-cover drills.
In other words, people were assuming
attacks could not be prevented and were
preparing for remediation of their society
post-attack.

However, this fatalistic view was tempo-
rary. America relied on diplomacy and tradi-
tional forms of deterrence while devoting
technological innovation and ingenuity to
breakthroughs such as NASA’s Mercury
program. While it took a decade of resourc-
es, collaboration, trial, and effort, eventually
the Mercury program and succeeding efforts
changed the leverage in the equation. The
space-based attack risk was not eliminated,
but it was compartmentalized to the point of
fading into the background as a possible but

So, the strategy must be to signifi cantly
decrease the likelihood, and increase the
cost, required for an attacker to perform a
successful attack. To be more specifi c, we
should not assume that attacks are going
away or that all attacks can be stopped.
However, we should assume, and be very
diligent in ensuring, that the cost of a suc-
cessful attack can be dramatically increased
to the point where the incidence of a success-
ful attack will sharply decline.

When this point is reached, and it will not
come overnight, then we will be able to
quantify and compartmentalize the risk to
something acceptable and understood. It’s at
that point that cyber risks will be real and
persistent but that they will leave the head-
lines and fade into the background of every-
day life, commerce, communications, and
interaction. This should be our goal. Not to
eliminate all risk, but to reduce it to some-
thing that can be compartmentalized. There
is a historical analogy to this problem and an
approach to solve it.

■ Sputnik analogy
The analogy, which is imperfect but helpful,
is the space race. In 1957 the Soviet Union
launched Sputnik. The result was panic at
the prospect that this technology provided
the Soviets with an overwhelming advan-
tage to deliver a nuclear attack across the

FIGURE Harnessing automation and integrated
intelligence can continually raise the cost

of making an attack successful, eventually
decreasing the number of successful attacks.

The attack math
Cost of launching a
successsful attack

Number of
successsful attacks

■ 6

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

not probable event. It was at this stage that
the panic and confusion receded from the
headlines and daily reporting. We will know
we are in good shape in the cyber battle
when we have reached this point. So, how
do we get there?

As with all things in life, ideas and phi-
losophy matter. This is true because if you
do not know what you are trying to get
done, it’s unlikely that you will get it done.
In the space race analogy, the philosophy
shifted over time from one that primarily
assumed an attack was imminent and
unstoppable with the majority of planning
and resources geared toward life in the post-
attack world, to one of prevention where the
majority of resources and planning were
geared to reduce the probability and effec-
tiveness of an attack.

Importantly, the risk of an attack was not
eliminated, but the probability of occurrence
and success was reduced by vastly increas-
ing the cost of a successful attack. It was
previously noted that no analogy is perfect,
so the analogy of “cost” here for space-based
attacks and cyberattacks is, of course, meas-
ured in different ways. Most notably,
cyberthreats are not the sole purview of
superpower nations, and the technological
innovation most likely to reverse the cost of
successful attacks is most likely to come
from industry, not governments. However,
the principle is the same in that a prevention
philosophy is much more likely to result in
prevention capabilities being developed, uti-
lized, and continually refi ned over time.

■ Is prevention possible?
The obvious question then is whether pre-
vention is possible. I think that most security
professionals and practitioners would agree
that total prevention is not possible. This is
disheartening but also no different from any
other major risk factor that we have ever
dealt with over time. So, the real question is
whether prevention is possible to the point
where the incidence of successful attacks is
reduced to something manageable from a
risk perspective. I believe that this is possible
over time. In order to achieve this outcome,

it is an imperative that cost leverage is
gained in the cyber battle. This leverage can
be attained by managing the cyber risk to an
organization through the continual improve-
ment and coordination of several key ele-
ments: technology, process and people, and
intelligence sharing.

Technology
It is very apparent that traditional or legacy
security technology is failing at an alarming
rate. There are three primary reasons for this:

� The fi rst is that networks have been
built up over a long period of time and
often are very complicated in nature,
consisting of security technology that
has been developed and deployed in a
point product, siloed approach. In other
words, a security “solution” in traditional
network architecture of any size consists
of multiple point products from many
different vendors all designed to do one
specifi c task, having no ability to inform
or collaborate with other products. This
means that the security posture of the
network is only as “smart” overall as the
least smart device or offering. Also, to the
extent that any of the thousands of daily
threats is successfully detected, protection
is highly manual in nature because there is
no capability to automatically coordinate
or communicate with other capabilities in
the network, let alone with other networks
not in your organization. That’s a real
problem because defenders are relying
more and more on the least leverageable
resource they have—people—to fi ght
machine-generated attacks.

� Second, these multiple point solutions are
often based on decades-old technology,
like stateful inspection, which was useful
in the late 1990s but is totally incapable of
providing security capabilities for today’s
attack landscape.

� And third, the concept of a “network”
has morphed continues to do so at a
rapid pace into something amorphous
in nature: the advent of software as a
service (SaaS) providers, cloud computing,

7 ■

PREVENTION: CAN IT BE DONE?

successful leaders understand the need to
assess organizational risk and to allocate
resources and effort based on prioritized
competing needs. Given the current threat
environment and the math behind success-
ful attacks, leaders need to understand both
the value and vulnerabilities residing on
their networks and prioritize prevention
and response efforts accordingly.

Under executive leadership, it is also
very important that there is continued
improvement in processes used to manage
the security of organizations. People must
be continually trained on how to identify
cyberattacks and on the appropriate steps to
take in the event of an attack. Many of the
attacks that are being reported today start or
end with poor processes or human error. For
example, with so much personal informa-
tion being readily shared on social network-
ing, it is simple for hackers to assemble very
accurate profi les of individuals and their
positions in companies and launch socially
engineered attacks or campaigns. These
attacks can be hard to spot in the absence of
proper training for individuals, and diffi cult
to control in the absence of good processes
and procedures regardless of how good the
technology is that is deployed to protect an
organization.

A common attack on organizations to
defraud large amounts of money via wire
transfers counts on busy people being poor-
ly trained and implementing spotty pro-
cesses. In such an attack, the attacker uses
publicly available personal information
gleaned off social networking sites to iden-
tify an individual who has the authority to
issue a wire transfer in a company. Then the
attacker uses a phishing attack, a carefully
constructed improper email address that
looks accurate on a cursory glance, seem-
ingly from this person’s manager at the
company telling the person to send a wire
transfer right away to the following coordi-
nates. If the employee is not trained to look
for proper email address confi guration, or
the company does not have a good process
in place to validate wire transfer requests,
like requiring two approvals, then this attack

mobility, the Internet of Things, and other
macrotechnology trends that have the
impact of security professionals having
less and less control over data.

In the face of these challenges, it is critical
that a few things are true in the security
architecture of the future:

� First is that advanced security systems
designed on defi nitive knowledge of
what and who is using the network be
deployed. In other words, no guessing.

� Second is that these capabilities be as
natively integrated as possible into
a platform such that any action by
any capability results in an automatic
reprogramming of the other capabilities.

� Third is that this platform must also
be part of a larger, global ecosystem
that enables a constant and near-real-time
sharing of attack information that can be
used to immediately apply protections
preventing other organizations in the
ecosystem from falling victim to the same
or similar attacks.

� Last is that the security posture is
consistent regardless of where data
resides or the deployment model of the
“network.” For example, the advanced
integrated security and automated
outcomes must be the same whether the
network is on premise, in the cloud, or has
data stored off the network in third-party
applications. Any inconsistency in the
security is a vulnerability point as a general
matter. And, as a matter of productivity,
security should not be holding back high-
productivity deployment scenarios based
on the cloud, virtualization, SDN, NFV,
and other models of the future.

Process and people
Technology alone is not going to solve the
problem. It is incumbent upon an executive
team to ensure their technical experts are
managing cybersecurity risk to the organi-
zation. Most of today’s top executives did
not attain their position due to technological
and cybersecurity profi ciency. However, all

■ 8 SecurityRoundtable.org

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

often succeeds. It is important that technol-
ogy, process, and people are coordinated,
and that training is done on a regular basis.

Intelligence sharing
Given the increasing number and sophistica-
tion of cyberattacks, it is diffi cult to imagine
that any one company or organization will
have enough threat intelligence at any one
time to be able to defeat the vast majority of
attacks. However, it is not hard to imagine
that if multiple organizations were sharing
what they are seeing from an attack perspec-
tive with each other in close to real time, that
the combined intelligence would limit suc-
cessful attacks to a small number of the
attempted attacks. This is the outcome we
should strive for, as getting to this point
would mean that the attackers would need
to design and develop unique attacks every
single time they want to attack an organiza-
tion, as opposed to today where they can use
variants of an attack again and again against
multiple targets. Having to design unique
attacks every time would signifi cantly drive
up the cost of a successful attack and force
attackers to aggregate resources in terms of
people and money, which would make them
more prone to be visible to defenders, law
enforcement, and governments.

The network effect of defense is why
there is such a focus and attention on threat
intelligence information sharing. It is early
days on this front, but all progress is good
progress, and, importantly, organizations are
now using automated systems to share
threat intelligence. At the same time, analyti-
cal capabilities are being rapidly developed
to make use and sense of all the intelligence
in ways that will result in advanced plat-
forms being able to reprogram prevention
capabilities in rapid fashion such that con-
nected networks will be constantly updating
threat capabilities in an ever-increasing eco-
system. This provides immense leverage in
the cybersecurity battle.

■ Conclusion
There is understandable concern and atten-
tion on the ever-increasing incidence of
cyberattacks. However, if we take a longer
view of the threat and adopt a prevention-
fi rst mindset, the combination of next-
generation technology, improvements in
processes and training, and real-time shar-
ing of threat information with platforms
that can automatically reconfi gure the secu-
rity posture, can vastly reduce the number
of successful attacks and restore the digital
trust we all require for our global economy.

9 ■

The Chertoff Group — Michael Chertoff, Executive
Chairman and Former United States Secretary
of Homeland Security, and Jim Pfl aging, Principal

The three Ts of the cyber economy

Thanks to rapid advances in technology and thinking, over
the last decade we have seen entire industries and countries
reinvented in large part because of the power of the Internet
and related innovations. Naturally, these developments cre-
ated new opportunities and risks, and none is greater than
cybersecurity. Today, business leaders, academics, small
business owners, and school kids know about hackers,
phishing, identify theft, and even “bad actors.”

In late 2014, the Sony Pictures Entertainment breach
led to debates over data security, free speech, and corpo-
rate management as well as the details of celebrity feuds
and paychecks. The idea of cybersecurity is rising to the
fore of our collective consciousness. Notable cybersecuri-
ty breaches, including those at Target, Anthem BlueCross,
and the U.S. Offi ce of Personnel Management, have dem-
onstrated that no organization or individual is immune to
cyberthreat. In short, the cybersecurity environment has
changed dramatically over the past several years, and
many of us have struggled to keep up. Many fi rms now
fi nd themselves in an environment where one of their
greatest business risks is cyber risk, a risk that has rapidly
risen from an afterthought to primary focus.

How do we create more opportunity and a safer world
while protecting privacy in an interconnected world? This
question is not just for policy makers in government and
leaders of global Fortune 500 businesses. It affects the
neighborhood small business, the academic community,
investors and, of course, our children.

Answering that question requires an understanding of
the three Ts—technology, threat, and trust. Why? Because
these are big interrelated ideas that have a signifi cant
effect on business strategy, policy, and public opinion. For
starters, you need to know about the three Ts, think about

■ 10

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

technology and are thriving. Still, the advan-
tage lies with the fi rms who not only
embraced the Internet but also built their
entire business around it: Amazon, Google,
and Uber. Finally, there is Apple, which
came of age with the Internet and morphed
into a wildly successful global leader with
the introduction of the iPhone.

There have been applications for these
technologies, with signifi cant impact, in a
variety of industries. In transportation, Uber
is a great example of transforming a perva-
sive but sedentary sector into a newly reimag-
ined market. Uber used emerging technolo-
gies to disrupt seemingly distinct segments
such as auto rental and even automotive
manufacturing. In the electrical sector, smart
meters, transformers, and switches have
given utilities greater control over their distri-
bution networks while their customers have
gained greater control of their consumption.

However, the golden age of innovation
has a dark side. A new class of “bad guys”
has emerged and is taking advantage of
“holes” in these new technologies and our
online behavior to create new risks. This
leads us to the second T—Threat.

■ Threat
Lifecycle
It is almost cliché to talk about the pervasive-
ness and escalating impact of cybersecurity
attacks. However, it is useful to provide a
map that can help us better understand
where we may be heading to help us prepare
and to develop more lasting defenses.

Using a simple x-y graph, we can create an
instructive map, in which x represents the
severity of the impact and y the “actor” or
perpetrator. Impact can be divided into the
following stages: embarrassment, theft,
destruction to a target fi rm or asset, and wide-
spread destruction. The actors also can be
grouped into four escalating stages: individu-
als, hacktivists, cyber organized crime, and
nation-states. See Figure 1. Given the impor-
tance of understanding threat, business lead-
ers should understand how the map applies
to their business. To aid in this understand-
ing, it is useful to cover a few examples that
illustrate various stages of these threats.

them, and decide how you are going to
embrace the fi rst, deal with the second, and
shape the last.

■ Technology
Today we live in a golden age of innovation
driven by technologies that dominate
headlines—cloud computing, mobility, big
data, social media, open source software, vir-
tualization, and, most recently, the Internet of
Things. These tectonic shifts allow individu-
als, government, and companies to innovate
and reinvent how they interact with each
other. These forces mandate that we redefi ne
what, how, and where we manage any busi-
ness. We need to challenge core assumptions
about markets, company culture, and the art
of the possible. The winners will be those
who leverage these innovations to reduce
costs and deliver better, lower-priced prod-
ucts. Take Table 1 below, for example:

It is easy to see the relationship between
innovation and valuation. Some companies,
such as Kodak, did not react fast enough
and lost their market as a result. Others,
such as AT&T, have invested heavily in new

TABLE

A good reputation

TABLE Market capitalization
(or private estimates, USD

in millions)

3/31/2005 3/31/2015

Amazon $13,362 $207,275

Apple $30,580 $752,160

Google $64,180 $378,892

Uber N/A $41,000

AT&T $78,027 $175,108

Citigroup $244,346 $165,488

General
Electric

$388,007 $274,771

Kodak $6,067 $794

Sources: Capital IQ, Fortune

11 ■

THE THREE TS OF THE CYBER ECONOMY

work of criminals operating in Eastern
Europe, netted 40 million credit and debit
card numbers and 70 million customer
records and was largely responsible for the
company’s 46 percent drop in profi t in Q4 of
2013 when compared to 2012.2 The attack
also resulted in a serious decline in the com-
pany’s stock price and led the company’s
board to fi re their CEO. The attack is esti-
mated to have netted its perpetrators
approximately $54 million in profi t from the
sale of stolen card details on black market
sites—quite the motivation for a criminal
enterprise.

Another high-profi le attack, directed
against Sony Pictures Entertainment, is
alleged to have been the work of hackers sup-
ported by the government of North Korea.
The attackers managed to secure not only a
copy of The Interview, which had offended
and motivated the North Korean state, but
also a vast trove of data from the corporate
network, including the personal and salary

In 2011, a high-profi le attack was under-
taken by Anonymous, the prominent
“hacktivist” collective, in which it attacked
the security services fi rm HBGary Federal.
The attack was precipitated by HBGary’s
CEO, Aaron Barr, claiming in a Financial
Times article that his fi rm had uncovered
the identities of Anonymous leaders and
planned on releasing these fi ndings at a
security conference in San Francisco the fol-
lowing week.1 Anonymous responded by
hacking into HBGary’s networks, eventually
posting archives of company executives’
emails on fi le-sharing websites, releasing a
list of the company’s customers, and taking
over the fi rm’s website. Although the attack
did affect HBGary fi nancially, Anonymous’
primary motivation was to embarrass
Aaron Barr and HBGary.

More recent attacks have been perpetrat-
ed by better-organized criminal gangs and
have had a greater impact. For instance, the
Target breach, believed to have been the

Nation-
states

Cyber
organized

crime

Hacktivist

Individual

Embarrass Steal
customer

info

Disrupt
operations and
destroy property

Destroy
business and

future earnings

Widespread
disruption

and destruction

INTENT & IMPACT

A
C

T
O

R JPMorganChase

Sony

??

Saudi Aramco

HBGary

Target

FIGURE

■ 12

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

■ Trust
One of the greatest casualties in the ever-
increasing torrent of cyberthreats is trust—
specifi cally, the trust consumers have in
business, the trust citizens and business
have in government, and the trust govern-
ment has in business. This should be trou-
bling for all corporate executives and gov-
ernment leaders because trust is precious to
all relationships and is critical to effective
workings of commerce and government. As
we know, it takes years to build, but it is easy
to lose. For instance, a single data breach can
undo years of effort and cause immediate
and lasting reputation loss.

Measuring trust
Recent consumer surveys suggest that con-
sumers are tired of dealing with fraudulent
charges and are raising their expectations for
how their favorite brands and websites pro-
tect consumer data and personally identifi a-
ble information. In May 2015, Pew Research
released a study in which 74 percent of
Americans said it was “very important” to
be “in control of who can get info about
you.” Edelman, one of the world’s largest
public relations fi rms, does an annual study
called The Trust Barometer. The 2015 edition
of this survey showed a huge jump in the
importance consumers place in privacy of
their personal data. The study revealed that
80 percent of consumers, across dozens of
countries and industries, listed this as a top
issue in evaluating brands they trust. Finally,
HyTrust, an emerging technology company,
published a study on the impact of a cyber
breach on customer loyalty and trust. Of the
2,000 consumers surveyed, 52 percent said a
breach would cause them to take their busi-
ness elsewhere.3 What business can afford to
lose 50 percent of its customers?

What these numbers make clear is that con-
sumers are paying attention to cybersecurity
issues and that failure to address these con-
cerns comes at a company’s own risk. Recent
attacks have served as learning moments for
many companies and consumers, allowing
them to gain a fi rmer understanding of just

details of tens of thousands of employees,
internal email traffi c, and other highly sensi-
tive information. The attack led the company
to delay the release of its big-budget fi lm, and
it generated weeks of headlines. The attack
also forced the company to take a variety of
computer systems offl ine. Although the long-
term impact of the attack is unclear, it has had
a dramatic impact on the studio’s reputation,
stock price, and earnings.

What is next? In the future, we can expect
a continued rise in the severity of cyberthreats.
Well-fi nanced criminal gangs and well-
resourced nation-states appear to be increas-
ingly capable and willing to engage in attacks
that cause signifi cant damage.

Boards and risk
After the initial shock of “how is this possi-
ble,” every business leader has to consider
what it means for his or her business. Just a
few years ago, many viewed cybersecurity
threats as a technical problem best left to the
company CIO or CISO. Increasingly, CEOs
and boards are coming to the realization
cybersecurity threats are a business risk that
demands C-level and board scrutiny.

Corporate boards have begun to look at
cybersecurity risk in much the same way
they would look at other risks to their busi-
ness, applying risk management frame-
works while evaluating the likelihood and
impact of cyber risk. Boards also have begun
to look at ways to transfer their risk, leading
insurance companies to offer cybersecurity
insurance products. In their evaluation of
cyber risk, companies are also taking a hard
look at the second order effects of a cyberat-
tack, notably the ability for a successful
attack to undermine customers’ trust in the
company. A successful attack often leads to
the revelation of sensitive, personally identi-
fi able information on customers, eroding
consumer confi dence in the fi rm. Many of
the commonly understood risk management
frameworks and related insurance products
now being used recognize this and make it
clear that corporate boards must have a thor-
ough understanding of the third T, Trust.

13 ■

THE THREE TS OF THE CYBER ECONOMY

develop cyber risk mitigation products. Many
of the insurance industry’s largest players,
including Allstate, Travelers, Marsh, and
Tennant, have moved to offer companies
cyber insurance products, although the imma-
turity of the market has created complications
for insurers and potential customers. Insurers
have had a hard time calculating their risk and
thus appropriate premiums for potential cus-
tomers, while customers have sometimes
found their insurance quotes too expensive.
Fortunately, time and the accompanying set-
tling of industry standards and actuarial data
will help to mature and grow this market.

Role of government
Effective risk management—for govern-
ments or private enterprises—starts with an
honest understanding of the situation and
recognition that information sharing with
partners is essential. Information sharing, of
course, starts with agreeing on common val-
ues, and then trusting vetted, capable, and
reliable partners. Information sharing can be,
and must be, something that takes place at
and across all levels. The Constitution charg-
es the federal government with the responsi-
bility of providing for the defense of the
nation while protecting the privacy and civil
liberties of our citizens, a diffi cult balance
that requires trust in the government and
processes by which we reach that balance.

As we discuss the role of government in
information sharing and building trust, we
have to acknowledge the impact the
Snowden revelations have had on public
trust in government. Fundamentally, we
have to determine what we want the role of
government to be and engage in legal
reforms that refl ect that role. Laws such as
the Computer Fraud and Abuse Act, enacted
in 1986 and amended fi ve times since then,
and the Electronic Controls Privacy Act
(ECPA), which dates to 1986, have to be
updated to refl ect the signifi cant changes in
technology and practice that have occurred
since they were envisioned.

Beyond these efforts, we need to establish
or reinforce agreed-upon rules and programs

how damaging such an attack can be. However,
with this knowledge comes increased expecta-
tions for how companies safeguard their data
and that of their consumers.

Role of industry
Fortunately, industry is moving in this direc-
tion, and many companies have begun to
consider cyber risk in their corporate plan-
ning. In 2014, the National Association of
Corporate Directors issued a call to action,
which included fi ve steps that its members
should take to ensure their enterprises prop-
erly address cyber risk. These include the
following:

� Treating cyber risk as an enterprise risk
� Understanding the legal implications of

cyber risks
� Discussion of cyber risk at board

meetings, giving cyber risk equal footing
with other risks

� Requiring management to have a
measureable cybersecurity plan

� The development of a plan at the board
level on how to address cyber risks,
including which risks should be avoided,
accepted, mitigated, or transferred via
insurance.

Although this guidance is an excellent start,
we at The Chertoff Group believe that indus-
try has to go further and move toward a
common cyber risk management framework
that allows everyone to understand the
cyber risks to a business and how the com-
pany intends to address them. This model
would be a corollary to the General Accepted
Accounting Principles (GAAP), the standard
accounting guidelines and framework that
underlies the fi nancials and planning of
almost any business. The emergence of
GAAP in the 1950s made it signifi cantly
easier for investors, regulators, and other
stakeholders to gain a clear understanding
of a business and its fi nancials, allowing for
comparisons across industries and sectors.

In parallel, banks, insurers, and other pro-
viders of risk mitigation are scrambling to

■ 14

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

for government data collection on citizens
and the legal frameworks that manage the
transfer of that data between governments
for judicial and law enforcement purposes.
Importantly, this initiative must provide for
mutual accountability for all participants.
These initiatives have to lay out clearly the
roles of all participants and, in our opinion,
reinforce and strengthen the role for NSA in
helping this nation deal with the adversaries
that are using information technology to
harm us.

On the international front, in response to
mounting concerns over data privacy, data
security and the rise of online surveillance,
governments around the world have been
seeking to pass new data protection rules.
Several governments, including Germany,
Indonesia, and Brazil, have considered
enacting “data localization” laws that would
require the storage, analysis, and processing
of citizen and corporate data to occur only
within their borders.

However, many of these proposals are
likely to impose economic harm and sow
seeds of distrust. For example, several of the
proposals under consideration would force
companies to build servers in locations
where the high price of local energy and the
lack of trained engineers could translate into
higher costs and reduced effi ciencies.
Furthermore, requiring that data reside in a
server based in Germany instead of one in
Ireland will do little to prevent spies from
accessing that data if they are determined
and capable.

So, what should we do? It is critical that
policymakers and technology providers
work together to develop solutions that keep
online services available to all who rely on
them. We must develop principles that can
serve as a framework for coordinated multi-
lateral action between states and across the
public and private sectors. We must be pre-
pared to lead abroad and at home with effec-
tive ideas.

Public private partnerships (PPPs) are
important pieces of the solution and are
good models of trust that we should lever-
age going forward. First, the formation of

Information Sharing and Analysis Centers
(ISACs) was a Clinton Administration initia-
tive to build PPPs across critical infrastruc-
ture sectors. These sector-by-sector ISACs
have proven to be models of trust. The
Financial Services ISAC has truly epito-
mized these ideas and is considered by
many to be the leading ISAC in sharing
threat information. This model has been rep-
licated in other industries and led President
Obama to call for an expansion of the infor-
mation sharing model to smaller groups of
companies through Information Sharing and
Analysis Organizations (ISAOs). Another
example is a U.S. government-industry ini-
tiative to combat botnets, in which the gov-
ernment is working with the Industry Botnet
Group to identify botnets and minimize
their impacts on personal computers.

■ Technology, threat, and trust in the
boardroom

What do the three Ts of the cyber economy
mean for you? Here are just a few of the
questions every leader has to consider:

� Are we using technology for competitive
advantage?

� Are we secure? How do you know? Do we
have a framework, a GAAP-equivalent
for cyber risk, that gives me the tools to
understand and measure risk?

� Are we a good steward of the data we
collect about our customers?

Each of us needs answers to these questions.
Your response will have a big impact on the
future of your organization.

A few years ago, there was a common
story in security circles about two types of
companies: those who knew they had been
hacked and those who had been hacked but
did not know it. Going forward, we will talk
about companies in terms of who cares
about cybersecurity: in some companies, it
will be the entire executive suite; in others,
it will just be the CISO or CIO. Your com-
pany doesn’t want to fall into the latter cat-
egory. Use the three Ts to help your organi-
zation manage cyber risk and leverage the

THE THREE TS OF THE CYBER ECONOMY

SecurityRoundtable.org 15 ■

target-profit-falls-46-on-credit-card-
breach-and-says-the-hits-could-keep-
on-coming/.

3. See “Consumers Increasingly Hold
Companies Responsible for Loss of
Confi dential Information, HyTrust Poll
Shows,” HyTrust, October 1, 2014, Available
at http://www.hytrust.com/company/
n e w s / p r e s s – r e l e a s e s / c o n s u m e r s –
increasingly-hold-companies-responsible-
loss-confi dential-info, Additional survey
data available at http://www.hytrust.
c o m / s i t e s / d e f a u l t / f i l e s / H y Tr u s t _
consumer_poll_results_with_charts2.pdf.

fantastic opportunities in this golden age of
innovation.

Works Cited
1. See Joseph Menn, “Cyberactivists warned

of arrest,” The Financial Times, February
5, 2011, Available at http://www.ft.com/
c m s / s / 0 / 8 7 d c 1 4 0 e – 3 0 9 9 – 11 e 0 – 9 d e 3 –
00144feabdc0.html#axzz3cg7emYx4.

2. See Maggie McGrath, “Target Profi t Falls
46% On Credit Card Breach And The Hits
Could Keep On Coming,” Forbes, February
26, 2014, Available at http://www.forbes.
com/sites/maggiemcgrath/2014/02/26/

17 ■

Georgia Institute of Technology, Institute for Information
Security & Privacy – Jody R. Westby, Esq., Adjunct Professor

Cyber governance best practices

■ The evolution of cybersecurity governance
Corporate governance has evolved as a means of protect-
ing investors through regulation, disclosure, and best
practices. The United Nations Guidance on Good Practices
in Corporate Governance Disclosure noted:

Where there is a local code on corporate governance,
enterprises should follow a “comply or explain” rule
whereby they disclose the extent to which they fol-
lowed the local code’s recommendations and explain
any deviations. Where there is no local code on corpo-
rate governance, companies should follow recognized
international good practices.1

The Business Roundtable (BRT), one of America’s most
prominent business associations, has promoted the use of
best practices as a governance tool since it published its
fi rst Principles of Corporate Governance in 2002. In its 2012
update, BRT noted:

Business Roundtable continues to believe, as we noted
in Principles of Corporate Governance (2005), that the
United States has the best corporate governance,
fi nancial reporting and securities markets systems in
the world. These systems work because of the adop-
tion of best practices by public companies within a
framework of laws and regulations that establish
minimum requirements while affording companies
the ability to develop individualized practices that are
appropriate for them. Even in the challenging times
posed by the ongoing diffi cult economic environment,
corporations have continued to work proactively to
refi ne their governance practices, and develop new
practices, as conditions change and “best practices”
continue to evolve.2

■ 18

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

17799 and then ISO/IEC 27001.8 ISO/IEC
27001 is the most accepted cybersecurity
standard globally.

Today, the ISO/IEC 27000 series of infor-
mation security standards is comprised of
nearly 30 standards. ISO, of which the
American National Standards Institute
(ANSI) is the member body representing U.S.
interests for the development of international
standards, has additional information secu-
rity standards outside of the 27000 series.9

ISO information security standards cover a
range of topics, such as security controls, risk
management, the protection of personally
identifi able information (PII) in clouds, and
control systems. Additional security stand-
ards also have been developed for fi nancial
services, business continuity, network secu-
rity, supplier relationships, digital evidence,
and incident response.10

The U.S. National Institute of Standards
and Technology (NIST) has developed a
comprehensive set of cybersecurity guid-
ance and Federal Information Processing
Standards (FIPS),11 including a Framework
for Improving Critical Infrastructure
Cybersecurity (Framework).12 The NIST
guidance and standards are world-class
materials that are publicly available at no
charge. NIST recognized existing standards
and best practices by mapping the
Framework to ISO/IEC 27001 and COBIT.

Other respected cybersecurity standards
have been developed for particular purpos-
es, such as the protection of credit card data
and electrical grids. The good news is that
cybersecurity best practices and standards
are harmonized and requirements can be
mapped. This is particularly important
because as companies buy and sell operating
units or subsidiaries or merge, they may
have IT systems and documentation based
upon several standards or best practices.
Thus, the harmonization of standards ena-
bles companies to blend IT departments and
security programs and continue to measure
maturity.

Some companies may need to align with
multiple standards. For example, electric
transmission and distribution companies

Increases in cybercrime and attacks on corpo-
rate systems and data have propelled discus-
sions regarding governance of cyber risks
and what exactly boards and senior execu-
tives should be doing to properly manage
this new risk environment and protect corpo-
rate assets. The topic reached a crescendo in
May 2014 when the Institutional Shareholder
Service (ISS) called for seven of the ten Target
board members not to be re-elected on the
grounds that the failure of the board’s audit
and corporate responsibility committees “to
ensure appropriate management of these
risks set the stage for the data breach, which
has resulted in signifi cant losses to the com-
pany and its shareholders.”3

Over the past decade, the concept of cyber-
security governance has evolved from infor-
mation technology (IT) governance and
cybersecurity best practices. The Information
Systems Audit and Control Association
(ISACA) has been a frontrunner in IT govern-
ance best practices with the COBIT (Control
Objectives for Information and Related
Technology)4 framework. ISACA founded the
IT Governance Institute (ITGI) in 1998 to
advance the governance and management of
enterprise IT. The ITGI defi nes IT governance:

IT governance is the responsibility of the
board of directors and executive manage-
ment. It is an integral part of enterprise
governance and consists of the leadership
and organisational structures and pro-
cesses that ensure that the organisation’s
IT sustains and extends the organisation’s
strategies and objectives.5

Gartner has a similar defi nition.6

■ Cybersecurity program standards and best
practices7

As IT systems became vulnerable through
networking and Internet connectivity, secur-
ing these systems became an essential ele-
ment of IT governance. The fi rst cybersecu-
rity standard was developed by the British
Standards Institute in 1995 as BS 7799. Over
time, this comprehensive standard proved
its worth and ultimately evolved into ISO

19 ■

CYBER GOVERNANCE BEST PRACTICES

important to understand the breadth and
reach of the standard and to choose one that
meets the organization’s security and compli-
ance needs.

ISO/IEC 27001, which can be obtained
from ANSI at http://webstore.ansi.org, is a
comprehensive standard and a good choice
for any size of organization because it is
respected globally and is the one most
commonly mapped against other stand-
ards. One should not make the mistake of
believing that all standards contain a full
set of requirements for an enterprise secu-
rity program; they do not. Some standards,
such as NERC-CIP or PCI, set forth security
requirements for a particular purpose but
are not adequate for a full corporate secu-
rity program.

will need to meet the North American
Electric Reliability Corporation Critical
Infrastructure Protection (NERC-CIP) stand-
ards, as well as the Payment Card Industry
Data Security Standard (PCI DSS) if they
take credit cards, and some other broad
security program standard, such as ISO/IEC
27001 or NIST for their corporate operations.

Even with harmonization, it is important
that companies choose at least one standard to
align their cybersecurity program with so pro-
gress and security maturity can be measured.
In determining which standard to use as a
corporate guidepost, organizations should
consider the comprehensiveness of the stand-
ard. Although standards requirements may be
mapped, each standard does not contain the
same or equivalent requirements. Thus, it is

Leading cybersecurity standards and best practices include:
� The International Organization for Standardization (ISO), the information security series,
http://www.iso.org/iso/home/search.htm?qt=information+security&published=on&
active_tab=standards&sort_by=rel (also available from ANSI at http://www.ansi.org)

� The American National Standards Institute (ANSI)—the U.S. member body to ISO.
Copies of all ISO standards can be purchased from ANSI at http://webstore.ansi.org/

� National Institute of Standards and Technology (NIST) Special Publication 800 (SP-800)
series and Federal Information Processing Standards (FIPS), http://csrc.nist.gov/
publications/index.html

� Information Technology Infrastructure Library (ITIL), http://www.itlibrary.org/.
� International Society of Automation (ISA), https://www.isa.org/templates/two-
column.aspx?pageid=131422

� Information Systems Audit and Control Association (ISACA), the Control Objectives
for Information and Related Technology (COBIT), http://www.isaca.org/cobit/pages/
default.aspx

� Payment Card Industry Security Standards Council (PCI SSC), https://www.
pcisecuritystandards.org/

� Information Security Forum (ISF) Standard of Good Practice for Information Security,
https://www.securityforum.org/shop/p-71-173

� Carnegie Mellon University’s Software Engineering Institute, Operationally Critical
Threat, Asset, and Vulnerability Evaluation (OCTAVE), http://www.cert.org/resilience/
products-services/octave/

� Health Insurance Portability and Accountability Act (HIPAA) regulations for security
programs, http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/
index.html

� North American Electric Reliability Corporation Critical Infrastructure Protection
(NERC-CIP), http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx

� U.S. Nuclear Regulatory Commission, Regulatory Guide 5.71, Cyber Security Programs
for Nuclear Facilities, https://scp.nrc.gov/slo/regguide571.pdf

■ 20

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

necessarily extends this duty to include the
protection of the organization’s digital assets
(data, networks, and software). As a conse-
quence, the governance of cyber risks has
become increasingly important for boards of
directors and senior management. This
includes exercising good risk management,
validating the effectiveness of controls, and
ensuring compliance requirements are met.

An increase in shareholder derivative
suits against D&Os for failure to protect
against breaches also has heightened atten-
tion on cybersecurity at the board and senior
management level. Target was hit with share-
holder derivative suits for failure to protect
the company and its data from a breach,13 as
was Wyndham Hotels on similar grounds.14

In addition, cybersecurity has become an
important compliance issue that carries the
risk of headlines concerning enforcement
actions, investigations, and breaches of per-
sonally identifi able information. Several state
and federal laws impose privacy and securi-
ty requirements on targeted industry sec-
tors and types of data. For example, the
Gramm-Leach-Bliley Act (GLBA), the Health
Insurance Portability and Accountability Act
(HIPAA), the Health Information Technology
for Economic and Clinical Health Act
(HITECH Act), and state breach laws impose
specifi c requirements pertaining to the secu-
rity and privacy of data and networks.

So, what does cyber governance mean?
What actions should board members be tak-
ing? Who should be involved—the entire
board or just certain committees? Cyber gov-
ernance means more than D&Os periodically
asking interesting questions or receiving
reports regarding the company’s cybersecu-
rity program. There is now an international
standard, ISO/IEC 27014, on the governance
of information security, which sets out roles
and responsibilities for executive manage-
ment and boards of directors and is applica-
ble to all types and sizes of organizations.

The standard notes:

[G]overnance of information security
provides a powerful link between an
organization’s governing body, executive

Some information security standards,
such as NERC-CIP, U.S. Nuclear Regulatory
cybersecurity requirements, PCI standards
for credit card data, and HIPAA security
requirements are mandatory. Portions of
NIST guidance are mandatory for federal
government contractors and U.S. govern-
ment agencies and departments. The remain-
der of the standards listed are voluntary.

In addition to the leading cybersecurity
standards listed in the shaded box, additional
standards have been developed for certain
industry sectors because they require height-
ened security protections. For example, ISO/
IEC 27015 was developed as additional secu-
rity requirements for fi nancial organizations;
ISO/IEC 27799 was developed for informa-
tion security in health systems using ISO/IEC
27002 (the controls portion of ISO/IEC 27001);
27011 was developed for telecommunications
systems using ISO/IEC 27002; and ISO/IEC
27019 was developed for industrial control
system security for the energy utility industry.

The value of using a standard as a guide-
post for the development, maintenance, and
maturity of a security program is that it sets
forth best practices for cybersecurity and is
updated as required to meet changing
threats, technological innovation, and com-
pliance requirements. Standards also enable
boards and senior executives to understand
how comprehensive their organization’s
security program is and provide an objective
basis for audits and cybersecurity assess-
ments. Evaluating a cybersecurity program
against a leading standard enables an organ-
ization to measure progress, assess the effec-
tiveness of controls, identify gaps and defi –
ciencies, and measure program maturity.

■ Cyber governance standards and best practices
Cyber governance standards and best prac-
tices have evolved over the past 20 years as
companies have increased connectivity to the
Internet and networks and as cyberattacks
have continued to rise. Directors and offi cers
(D&Os) have a fi duciary duty to protect the
organization’s assets and the value of the cor-
poration. The increased dependence on IT
systems and data in corporate operations

21 ■

CYBER GOVERNANCE BEST PRACTICES

and compliance obligations, reputational

risks, business interruption, and fi nancial

losses; allocate the resources needed for the

risk-based approach.
3. “Set the direction of investment decisions”:

establish an information security
investment strategy that meets business
and security requirements; integrate
security considerations into existing
business and investment processes.

4. “Ensure conformance with internal and
external requirements”: ensure policies
and procedures incorporate legal,
regulatory, and contractual obligations;
routinely audit such compliance.

5. “Foster a security-positive environment”:
accommodate human behavior and
the needs of users; promote a positive
information security environment through
training and tone from the top.

6. “Review performance in relation to
business outcomes”: ensure the security
program supports business requirements,
review impact of security on business as
well as controls.18

ISO/IEC 27014 sets forth separate roles and
responsibilities for the board and executive
management within fi ve processes: Evaluate,
Direct, Monitor, Communicate, and Assure.
These are set forth in abbreviated form in the
following table.19

management and those responsible for
implementing and operating an informa-
tion security management system. It pro-
vides the mandate essential for driving
information security initiatives through-
out the organization.15

The objectives of the standard are to align
security program and business objectives
and strategies, deliver value to stakeholders
and the board, and ensure information risks
are adequately managed.16

The difference between IT governance
and information security governance is that
the latter is focused on the confi dentiality,
integrity, and availability of information,
whereas governance of IT is focused on the
resources required to acquire, process, store,
and disseminate information.17 ISO/IEC
27014 sets forth six principles as foundation
for information security governance:

1. “Establish organization-wide information
security”: information security activities
should encompass the entire organization
and consider the business, information
security, physical and logical security, and
other relevant issues.

2. “Adopt a risk-based approach”:
governance decisions should be based on

the risk thresholds of a company, taking

into account competitiveness issues, legal

Board of directors Executive management

Evaluate

Ensure business initiatives take information
security into consideration

Ensure information security supports
business objectives

Review reports on information security
performance, initiate prioritized actions

Submit new security projects with
signifi cant impact for board review

Direct

Establish risk thresholds of organization Ensure security and business objectives are
aligned

Approve security strategy and overarching
policy

Develop security strategy and overarching
policy

Allocate adequate resources for security
program

Establish a positive culture of cybersecurity

Continued

■ 22

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

is IT-focused, however, and does not men-
tion the roles and responsibilities of chief
information security offi cers (CISOs). The
separation of the role of the chief informa-
tion security offi cer from the chief informa-
tion offi cer (CIO) (in other words, not having
the CISO report to the CIO), is a best practice
that the Board Briefi ng ignores. It assigns all
responsibilities to the CIO, IT Strategy
Committee, IT Steering Committee, IT
Architecture Review Board, and Technology
Council. Nevertheless, it is a valuable
resource for boards and executive teams
seeking to implement good cyber govern-
ance practices.

Finally, Carnegie Mellon University’s
Software Engineering Institute developed the
Governing for Enterprise Security Implementation
Guide in 2007 as a guide for boards and execu-
tives on governing enterprise security pro-
grams.21 It is still quite instructive and includes
a model organizational structure for cyber

■ Beyond ISO/IEC 27014: Other best practices
and guidance

At present, the only guidance NIST has
developed that addresses information secu-
rity governance is its 2006 Special Publication
800-100, Information Security Handbook: A
Guide for Managers. This publication, how-
ever, is written for a federal audience and is
more technical than other materials directed
toward boards and senior executives.

ISACA’s IT Governance Institute updated
its Board Briefi ng on IT Governance in 2014,20
which sets forth an approach similar to ISO/
IEC 27014, but is based on ISACA’s COBIT
best practices. The Board Briefi ng includes
questions board members should ask and
also checklists, tool kits, roles and responsi-
bilities, and other helpful materials. The
Board Briefi ng focuses on fi ve activity areas:
Strategic Alignment, Value Delivery, Risk
Management, Resource Management, and
Performance Measurement. The publication

Board of directors Executive management

Monitor

Assess effectiveness of security program Determine appropriate metrics for security
program

Ensure compliance and legal obligations
are met

Provide input to board on security
performance results, impacts on
organization

Evaluate changes to operations, legal
frameworks, and impact on information
security

Keep board apprised of new developments
affecting information security

Communicate

Report to investors/shareholders on
whether information security is adequate
for business

Inform board of security issues that require
their attention

Provide results of external audits or reviews
and identifi ed actions to executive team

Ensure board’s actions and decisions
regarding security are acted upon

Recognize compliance obligations, business
needs, and expectations for information
security

Assure

Order independent reviews/audits of
security program

Support reviews/audits commissioned by
board

23 ■

CYBER GOVERNANCE BEST PRACTICES

members to become inundated in technical
data and issues and lose sight of the major
risks that must be managed. In part, CIOs
and CISOs need to develop better executive
and board communication skills when
reporting on cybersecurity program activi-
ties and incidents. Outside experts can also
help separate which cybersecurity govern-
ance issues should be directed to the execu-
tive management team and which are for
board consideration.

Once the critical vulnerabilities that
require board and executive attention have
been identifi ed, the next step is to deter-
mine the information fl ows that are needed
to keep the board and senior management
informed and enable informed decision-
making. These two steps—identifi cation of
cyber-related vulnerabilities and associ-
ated information flows—should be fol-
lowed by an analysis of the board’s and
senior management’s roles in incident
response and business continuity/disaster
recovery.

The Target breach revealed how disas-
trous it can be when a company’s executive
team and board are not prepared to manage
a major cybersecurity incident. The breach
was clever but not terribly diffi cult to recov-
er from; as ISS pointed out so clearly, it was
Target’s executive team and board who
failed to protect the company’s data and
ensure a robust incident response plan was
in place that involved their participation.

Cybersecurity governance is an area
where an independent adviser can provide
valuable guidance to a board and executive
team by reviewing available reports and
assessing the current state of the security
program, identifying key vulnerabilities
and associated information fl ows that
should be directed to the board, advising on
the threat environment, and establishing
the proper organizational structures for
effective cybersecurity governance. These
activities should be undertaken in a collab-
orative fashion with IT and security leaders
and in the spirit of helping them gain visi-
bility and support for security program
initiatives.

governance; composition of a cross-
organizational privacy/security committee;
sample mission, goals, and objectives for a
board Risk Committee; and an explanation of
the critical activities in an enterprise security
program, including who should lead and be
involved in them, and the outputs (artifacts)
to be developed. It indicates where the board
has a role for governance oversight and sets
forth roles and responsibilities for the critical
players, as well as shared responsibilities, for
the following:

� chief security offi cer/chief information
security offi cer

� chief privacy offi cer
� chief information offi cer
� chief fi nancial offi cer
� general counsel
� business line executives
� human resources
� public relations
� business managers
� procurement
� operational personnel
� asset owners
� certifi cation authority.

■ Additional considerations in cybersecurity
governance

Board structure plays a signifi cant role in
cybersecurity governance. A Risk Committee
is the best choice for governance of cybersecu-
rity because IT risks must be managed as
enterprise risks and integrated into enterprise
risk management and planning. Many compa-
nies place all oversight for cybersecurity in the
board Audit Committee, which can substan-
tially increase the workload of that committee.
Placing cyber governance with the Audit
Committee also creates segregation of duties
issues at the board level because the Audit
Committee is auditing the security program,
determining remediation measures, and then
auditing this work the following year.

One of the most important aspects of
cybersecurity governance is the identifi ca-
tion of vulnerabilities that could have a
material impact on corporate operations
and/or bottom line. It is easy for board

■ 24

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

12. Evaluate the adequacy of cyber
insurance against loss valuations and
ensure adequate risk strategies are in
place for cyber risks.

Many organizations also are struggling
with how to integrate cybersecurity into
their enterprise risk management process.
Most business operations today are
dependent upon IT systems and the confi –
dentiality, availability, and integrity of their
data. Following are another dozen guiding
points on integrating cyber risks into enter-
prise risk management.:

A dozen best practices for integrating cybersecurity into
enterprise risk management
1. Understand the business’s strategies,

objectives, and needs for IT and data.
2. Inventory assets (data, applications,

hardware), assign ownership,
classifi cation, and risk categorization.

3. Map legal requirements to data for all
jurisdictions.

4. Evaluate the security of vendors, business
partners, and supply chain linkages.

5. Align the cybersecurity program with
best practices and standards.

6. Ensure controls are determined and
metrics identifi ed.

7. Conduct a risk assessment to establish a
baseline for cyber risk management.

8. Develop cyber risk strategies (block the
risk, cyber insurance, other compensating
controls, all of these).

9. Design system architecture to
accommodate business goals and
objectives, meet security and legal
requirements, and detect or prevent
unauthorized usage.

10. Use technical tools and services to
provide integrated data on threats and
attacks.

11. Make cyber training and security
compliance part of annual performance
reviews for all personnel.

12. Stay abreast of innovation and changes
in the threat environment as well as
changing operational requirements.

■ Dutiful dozen
There are some actions that boards can take
to ensure they are managing cyber risks
and meeting their fi duciary duty. Following
is a list of a dozen actions that are within
best practices, which can be used as a start-
ing point and checklist for governance
activities:

A dozen best practices for cyber governance
1. Establish a governance structure with

a board Risk Committee and a cross-
organizational internal team.

2. Identify the key cyber vulnerabilities
associated with the organization’s
operations.

3. Identify the security program activities
over which boards and executives
should exercise oversight, and identify
the key information fl ows and reports
that will inform board and executives on
the management of cyber vulnerabilities
and security program activities.

4. Identify legal compliance and fi nancial
exposures from IT systems and data.

5. Set the tone from top that privacy and
security are high priorities for the
organization, and approve top-level
policies on acceptable use of technology
and compliance with privacy and
security policies and procedures.

6. Review the roles and the responsibilities
of lead privacy and security personnel,
and ensure there is segregation of duties
between IT and security functions.

7. Ensure that privacy and security
responsibilities are shared, enterprise
issues that apply to all personnel.

9. Review and approve annual budgets for
security programs.

10. Review annual risk assessments, the
maturity of the security program, and
support continual improvement.

11. Retain a trusted adviser to independently
inform the board on changes in the
threat environment, provide assistance
on governance issues, and advise on
response issues in the event of a major
cyber incident.

25 ■

CYBER GOVERNANCE BEST PRACTICES

management of enterprise IT is available
at http://www.isaca.org/cobit/pages/
default.aspx.

5. Board Briefi ng on IT Governance, IT
Governance Institute, 2nd ed., 2014 at
10, http://www.isaca.org/restricted/
Documents/26904_Board_Briefing_
fi nal.pdf.

6. Gartner, IT Glossary, “IT Governance,”
http://www.gartner.com/it-glossary/
it-governance.

7. The term “cybersecurity best practice”
may be used interchangeably with
“standard” in the cybersecurity context,
as the standards embody best practices.
The term “standard” is commonly used
to refer to mandatory requirements.
With respect to cybersecurity programs,
however, there is no bright line between
best practices and standards. Some
standards, such as NERC-CIP and
HIPAA, are mandatory for certain
organizations, while other standards,
such as ISO/IEC, are voluntary.
Other standards, such as the Federal
Information Processing Standards (FIPS)
and NIST guidance (the 800 Special
Publication series) are voluntary for
some entities and mandatory for others.

8. Wikipedia, “BS 7799,” https://en.
wikipedia.org/wiki/BS_7799.

9. International Organization for
Standardization, Information Security,
http://www.iso.org/iso/home/search.
htm?qt=information+security&publis
hed=on&active_tab=standards&sort_
by=rel.

10. Id.
11. National Institute of Standards and

Technology, Computer Security Division,
Computer Security Resource Center,
h t t p : / / c s rc . n i s t . g o v / p u b l i c a t i o n s /
PubsSPs.html.

12. Framework for Improving Critical
Infrastructure Cybersecurity, National
Institute of Standards and Technology,
Version 1.0, Feb. 12, 2014, http://www.
nist.gov/cyberframework/upload/
cybersecurity-framework-021214.pdf.

■ Conclusion
Best practices and standards now require
boards and senior management to exercise
governance over cybersecurity programs and
associated risks. Laws such as Gramm-Leach-
Bliley, the Health Insurance Portability and
Accountability Act, and the Federal
Information Security Management Act all
require executive oversight of security pro-
grams. Each organization’s operations, system
architecture, policies and procedures, and
culture vary, thus, cyber risk management has
to be tailored to the organization. Boards
should know what standards/best practices
their organization is using to implement their
security program and determine an approach
for their own governance activities. Checklists
and the use of ISO/IEC 27014, the ISACA
Board Briefi ng on IT Governance, and the
Carnegie Mellon University’s Governing for
Enterprise Security Implementation Guide are all
useful resources that will help ensure boards
are meeting their fi duciary duty and protect-
ing the assets of the organization.

References
1. Guidance on Good Practices in Corporate

Governance Disclosure, United Nations
Conference on Trade and Development
(UNCTAD), New York & Geneva, 2006,
http://unctad.org/en/docs/iteteb20063_
en.pdf.

2. Principles of Corporate Governance 2012,
Harvard Law School Forum on Corporate
Governance and Financial Regulation,
Aug. 17, 2012, http://corpgov.law.
harvard.edu/2012/08/17/principles-of-
corporate-governance-2012/.

4. Elizabeth A. Harris, “Advisory Group
Opposes Re-election of Most of Target’s
Board,” The New York Times, May 28,
2014, http://www.nytimes.com/
2014/05/29/business/advisory-group-
opposes-re-election-of-most-of-targets-
board.html?_r=0 (quoting ISS report).

4. COBIT is an acronym for Control
Objectives for Information and Related
Technology. Information on the COBIT
5 framework for the governance and

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

■ 26 SecurityRoundtable.org

16. Id. at 4.2. “Objectives.”
17. Id. at 4.4. “Relationship.”
18. Id. at 5.2. “Principles.”
19. Id. at 5.3. “Processes.” The full

requirements of the standard should be
reviewed prior to use by an organization;
ISO 27014 is available at http://www.iso.
org/iso/home/search.htm?qt=27014&
sort=rel&type=simple&published=on.

20. Board Briefi ng on IT Governance, IT
Governance Institute, 2nd ed., 2014,
h t t p : / / w w w. i s a c a . o rg / re s t r i c t e d /
Documents/26904_Board_Briefing_
fi nal.pdf.

21. Jody R. Westby & Julia H. Allen, Governing
for Enterprise Implementation Guide,
Carnegie Mellon University, Software
Engineering Institute, 2007, http://
g l o b a l c y b e r r i s k . c o m / w p – c o n t e n t /
u p l o a d s / 2 0 1 2 / 0 8 / G o v e r n i n g – f o r –
Enterprise-Sec-Impl-Guide.pdf.

13. See, e.g., Kevin LaCroix, “Target Directors
and Offi cers Hit with Derivative Suits
Based on Data Breach,” Feb. 3, 2014,
http://www.dandodiary.com/2014/02/
articles/cyber-liability/target-directors-
and-officers-hit-with-derivative-suits-
based-on-data-breach/.

14. See, e.g., Jon Talotta, Michelle Kisloff, &
Christopher Pickens, “Data Breaches Hit
the Board Room: How to Address Claims
Against Directors & Offi cers,” Hogan &
Lovells, Chronicle of Data Protection, Jan.
23, 2015, http://www.hldataprotection.
com/2015/01/articles/cybersecurity-
data-breaches/data-breaches-hit-the-
board-room/.

15. ISO/IEC 27014 (2013), Governance
of Information Security, “Summary,”
http://www.iso.org/iso/home/search.
htm?qt=27014&sort=rel&type=simple&
published=on.

27 ■

Institutional Shareholder Services Inc. – Patrick McGurn,
ISS Special Counsel and Martha Carter,
ISS Global Head of Research

Investors’ perspectives on cyber
risks: Implications for boards

Although pundits proclaimed 2014 as the “Year of the
Data Breach” and a signifi cant “no” vote at Target’s
annual meeting put directors on notice that sharehold-
ers want to know about potential risks, few 2015 corpo-
rate disclosure documents provide evidence that boards
increased transparency with respect to cyber oversight.
Despite prodding from top regulators and investors’
calls for greater transparency, companies continue to fall
short on disclosure in their key governance disclosure
documents of cybersecurity risks and their board’s over-
sight of them. Equally concerning is the limited infor-
mation regarding cyber risk oversight provided by
boards at a handful of fi rms that were the targets of
2014’s most widely publicized breaches. Boards would
benefi t from an understanding of investors’ perspec-
tives and adoption of best practices in disclosure on
cyber risks.

■ Target’s breach led to boardroom backlash
Target’s high-profi le data breach made headlines world-
wide. Despite this, neither Target’s 2014 proxy state-
ment nor the company’s initial annual meeting-related
engagement materials discussed in a meaningful way
the massive data theft or the board’s responses to it. As
part of its research process leading up to the annual
meeting, Institutional Shareholder Services (ISS)
engaged with members of the Target board to learn
more about the directors’ oversight of cyber risks before
and after the breach. In the end, ISS opined in its 2014
annual meeting report on Target that the members of the
board’s Audit and Corporate Responsibility committees
had “failed to provide suffi cient oversight of the risks
facing the company that potentially led to the data

■ 28

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

lack of sharp, downward stock movements
in the wake of disclosures of hacks or other
data breaches (or quick rebounds from such
price drops when they occur) with share-
holders’ apathy over cybersecurity prob-
lems. In a recent Harvard Business Review
article (Why Data Breaches Don’t Hurt Stock
Prices, March 31, 2015), cybersecurity strate-
gist Elena Kvochko and New York Times
Chief Technology Offi cer Rajiv Pant dismiss
this easy explanation. They argue that muted
stock price reactions to data breaches refl ect
the absence of timely information and qual-
ity tools to price cyber risk: “Shareholders
still don’t have good metrics, tools, and
approaches to measure the impact of cyber
attacks on businesses and translate that into
a dollar value . . . The long and mid-term
effects of lost intellectual property, disclo-
sure of sensitive data, and loss of customer
confi dence may result in loss of market
share, but these effects are diffi cult to quan-
tify.” Faced with this information vacuum,
Kvochko and Pant note that “shareholders
only react to breach news when it has direct
impact on business operations, such as
litigation charges (for example, in the case of
Target) or results in immediate changes to a
company’s expected profi tability.”

Indeed, stock prices may not tell the
whole story. Contrary to the conventional
wisdom, recent survey data show investors
understand the long-term risks stemming
from hacks and they may actually shy
away from investing in companies with
multiple breaches. A recent survey—
conducted by FTI Consulting on behalf of
consulting giant KPMG LLP—of more than
130 global institutional investors with an
estimated $3 trillion under management
found that cyber events may affect inves-
tors’ confi dence in the board and demand
for the affected companies’ shares.

Investors opined that less than half of
boards of the companies that they currently
invest in have adequate skills to manage
rising cyberthreats. They also believe that
43 percent of board members have “unac-
ceptable skills and knowledge to manage
innovation and risk in the digital world.”

breach.” Accordingly, ISS recommended
votes against the members of those two
board oversight panels. ISS acknowledged
the board’s actions in the wake of the
breach but found that the committees
“failed to appropriately implement a risk
assessment structure that could have better
prepared the company for a data breach.”

After investors’ concerns emerged before
the meeting, the company engaged in a solic-
itation effort to defend the board’s response
to the breach. When the votes were tallied,
none of the members of Target’s audit and
governance panels received support from
more than 81 percent of the votes cast. Target
lead director James A. Johnson received the
lowest support—62.9 percent of the votes
cast. According to ISS’ Voting Analytics data-
base of institutional investors’ voting records,
governance professionals at funds connected
to nearly half of Target’s top 10 largest inves-
tors cast votes against one or more of the
company’s directors.

In the direct wake of the 2014 data
breach issues and the dearth of proxy-
related disclosure on those matters, SEC
Commissioner Luis A. Aguilar fi red a shot
across the bow of boards that lack disclo-
sure. In a June 10, 2014, speech (“Boards of
Directors, Corporate Governance and Cyber
Risks: Sharpening the Focus”) delivered at
a New York Stock Exchange (NYSE)–hosted
cybersecurity conference, Aguilar said,
“[B]oard oversight of cyber-risk manage-
ment is critical to ensuring that companies
are taking adequate steps to prevent, and
prepare for, the harms that can result from
such attacks. There is no substitution for
proper preparation, deliberation, and
engagement on cybersecurity issues.”
Noting the wide damage crater caused by
cyber events, Aguilar noted that the board-
room plan should include “whether, and
how, the cyber-attack will need to be dis-
closed internally and externally (both to
customers and to investors).”

■ Shareholders care about breaches
Are shareholders apathetic about data
breaches? Some media reports equate the

29 ■

INVESTORS’ PERSPECTIVES ON CYBER RISKS: IMPLICATIONS FOR BOARDS

■ ISS policy respondents indicate a disclosure
framework

What level of detail do investors expect to
see about these issues in disclosures regard-
ing cyberthreats? In 2014, as part of ISS’
2015 policy-formulation process, we asked
institutional investors to weigh the factors
they assess in reviewing boardroom over-
sight of risk, including cyberthreats. A
majority of the shareholder respondents
indicated that the following are all either
“very” or “somewhat” important to their
voting decisions on individual directors
elections:

� role of the company’s relevant risk
oversight committee(s)

� the board’s risk oversight policies and
procedures

� directors’ oversight actions prior to and
subsequent to the incident(s)

� changes in senior management.

Notably, shareholders do not appear to be
looking for scapegoats. Disclosures about
boardroom oversight action subsequent to
an incident drew more demand than fi r-
ings. An eye-popping 85 percent of the
respondents cited such crisis management
and “lessons learned” disclosures as “very
important.” In contrast, only 46 percent of
the shareholders indicated that changes in
senior management are “very important” to
them when it came time to vote on director
oversight.

■ 2015 disclosures provide few insights
Despite prodding by the SEC and numerous
indications from investors, many boards
continue to lack disclosure of cyberthreats
in their fl agship documents—the proxy
statement and the 10-K. Only a handful of
the companies that drew widespread cover-
age of their data breaches during 2014 men-
tion the events in their proxy statements,
and many cite materiality concerns to avoid
discussing the data breaches in detail in
their 10-Ks.

In sharp contrast to the absence of infor-
mation in Target’s 2014 proxy statement,

More ominously for boards, four of fi ve
investor respondents (79 percent) suggest-
ed that they may blacklist stocks of hacked
fi rms. As for a remedy, 86 percent of the
surveyed investors told KPMG and FTI
that they want to see increases in the time
boards spend on addressing cyber risk.

■ Investors raise the bar for disclosure
Insights on the gap between investors’
expectations and boardroom practices were
gleaned from PwC’s juxtaposition of two
surveys that it conducted in the summer of
2014, one of 863 directors in PwC’s 2014
Annual Corporate Directors Survey, and the
other of institutional investors with more
than $11 trillion in aggregate assets under
management in PwC’s 2014 Investor Survey.

� Nearly three quarters (74 percent) of
investors told PwC that they believe
it is important for directors to discuss
their company’s crisis response plan in
the event of a major security breach.
Only about half of directors (52 percent)
reported having such discussions.

� Roughly three out of four (74 percent)
investors urged boards to boost cyber
risk disclosures in response to the SEC’s
guidance, but only 38 percent of directors
reported discussing the topic.

� Similarly, 68 percent of investors believe it is
important for directors to discuss engaging
an outside cybersecurity expert, but only
42 percent of directors had done so.

� Fifty-fi ve percent of investors said it
was important for boards to consider
designating a chief information security
offi cer, if their companies did not
have one in place. Only half as many
directors (26 percent) reported that such
a personnel move had been discussed in
the boardroom.

� Finally, 45 percent of investors believe
it is important for directors to discuss
the National Institute of Standards
and Technology (NIST)/ Department
of Homeland Security cybersecurity
framework, but only 21 percent of directors
reported their boards had done so.

■ 30

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

and management process to the full
Board.”

Next, the Home Depot disclosure provides
some color on the board’s risk oversight
policies and procedures:

For a number of years, IT and data secu-
rity risks have been included in the risks
reviewed on a quarterly basis by the ERC
and the Audit Committee and in the
annual report to the Board on risk assess-
ment and management. In the last few
years, the Audit Committee and/or the
full Board have also regularly received
detailed reports on IT and data security
matters from senior members of our IT
and internal audit departments. These
reports were given at every quarterly
Audit Committee meeting in fi scal 2014,
including an additional half-day Audit
Committee session devoted exclusively to
these matters that was held prior to the
discovery of the Data Breach. The topics
covered by these reports included risk
management strategies, consumer data
security, the Company’s ongoing risk mit-
igation activities, and cyber security strat-
egy and governance structure. . . .

To further support our IT and data
security efforts, in 2013 the Company
enhanced and expanded the Incident
Response Team (“IRT”) formed several
years earlier. The IRT is charged with
developing action plans for and respond-
ing rapidly to data security situations. . . .
The IRT provided daily updates to the
Company’s senior leadership team, who
in turn periodically apprised the Lead
Director, the Audit Committee and the
full Board, as necessary.

The Home Depot board also highlights its
cyber-risk oversight actions prior to the
incident:

Under the Board’s and the Audit
Committee’s leadership and oversight,
the Company had taken signifi cant steps

however, another big box retailer provided
investors with a window into the board’s
role in cyber risk oversight in its 2015
proxy materials. Home Depot addressed its
2014 data breach, which affected up to
56 million customers who shopped at the
company’s stores between April 2014 and
September 2014, with a concise (roughly
1000-word) explanation of the steps taken
by the board before and after the company’s
breach.

The proxy statement disclosures include a
brief summary of the depth and duration of
the breach, an explanation of the board’s
delegation of oversight responsibility to the
audit committee, and an outline of remedial
steps that the board took in response to the
event.

Notably, Home Depot’s disclosures gen-
erally align with all the pillars identifi ed by
investors in their responses to the ISS policy
survey:

First, Home Depot’s board details the
delegation of risk oversight to the audit com-
mittee and describes the directors’ relation-
ship with the company’s internal audit and
compliance team:

The Audit Committee . . . has primary
responsibility for overseeing risks related
to information technology and data pri-
vacy and security. . . . The Audit
Committee stays apprised of signifi cant
actual and potential risks faced by the
Company in part through review of quar-
terly reports from our Enterprise Risk
Council (the “ERC”). The quarterly ERC
reports not only identify the risks faced
by the Company, but also identify wheth-
er primary oversight of each risk resides
with a particular Board committee or the
full Board . . . The chair of the ERC, who
is also our Vice President of Internal
Audit and Corporate Compliance, reports
the ERC’s risk analyses to senior manage-
ment regularly and attends each Audit
Committee meeting. The chair of the ERC
also provides a detailed annual report
regarding the Company’s risk assessment

31 ■

INVESTORS’ PERSPECTIVES ON CYBER RISKS: IMPLICATIONS FOR BOARDS

Privacy Governance Committee,
to provide further enterprise-wide
oversight and governance over data
security. This committee reports
quarterly to the Audit Committee.

� We are in the process of further
augmenting our IT security team,
including by adding an offi cer level
Chief Information Security Offi cer and
hiring additional associates focused on
IT and data security.

� We are reviewing and enhancing all
of our training relating to privacy and
data security, and we intend to provide
additional annual data security
training for all of our associates before
the end of Fiscal 2015.

� Our Board, the Audit Committee, and
a special committee of the Board have
received regular updates regarding the
Data Breach. In addition to the IT
and data security initiatives described
above, the Board, supported by
the work of its Audit and Finance
Committees, has reviewed and
authorized the expenditures associated
with a series of capital intensive
projects designed to further harden
our IT security environment against
evolving data security threats.

■ Boards would benefi t from engagement
and disclosure

Although the good news is that cybersecu-
rity has seemingly come to the forefront for
many directors, the bad news is that share-
holders are not yet getting the transparency
they need to assess the quality of boardroom
oversight. The signifi cant “no” vote against
the Target board at its 2014 annual meeting,
coupled with survey data, show that share-
holders are far from apathetic when it comes
to assessing cyber risk oversight.

■ Target’s lessons learned
In the wake of its challenging 2014 annual
meeting, Target hosted calls or held meet-
ings with shareholders representing approx-
imately 41% of shares voted. The majority of

to address evolving privacy and cyber
security risks before we became aware of
the Data Breach:

� Prior to the Data Breach and in part
in reaction to breaches experienced
by other companies, we augmented
our existing security activities by
launching a multi-work stream effort
to review and further harden our
IT and data security processes and
systems. This effort included working
extensively with third-party experts
and security fi rms and has been
subsequently modifi ed and enhanced
based on our learnings from the Data
Breach experience.

� In January 2014, as part of the efforts
described above, we began a major
payment security project to provide
enhanced encryption of payment card
data at the point of sale in all of our U.S.
stores. . . . Upon discovery of the Data
Breach, we accelerated completion
of the project to September 2014,
offering signifi cant new protection for
customers. The new security protection
takes raw payment card information
and scrambles it to make it unreadable
to unauthorized users. . . .

� We are rolling out EMV “chip-and-PIN”
technology in our U.S. stores, which
adds extra layers of payment card
protection for customers who use EMV
chip-and-PIN enabled cards. . . .

Finally, the Home Depot board discusses the
boardroom oversight actions taken subse-
quent to the incident including changes in
senior management:

Following discovery of the Data Breach,
in addition to continuing the efforts
described above, the Company and the
Board took a number of additional
actions:

� We formed an internal executive
committee, the Data Security and

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

■ 32 SecurityRoundtable.org

these conversations were led by Director
Anne Mulcahy. In light of this feedback and
with the assistance of a third-party strategy
and risk management and regulatory com-
pliance consultant, the board “embarked on
a comprehensive review” of risk oversight
at the management, board, and committee
levels. As a result of this comprehensive
review, in January 2015, the Target board
“clarifi ed and enhanced” its practices to pro-
vide more transparency about how risk
oversight is exercised at the board and com-
mittee levels. As part of this revamp, the
board reallocated and clarifi ed risk oversight

responsibilities among the committees, most
notably by elevating the risk oversight role
of the corporate risk & responsibility com-
mittee (formerly known as the corporate
responsibility committee).

Examples such as Home Depot and the
Target board’s 2015 disclosures provide
more transparency on risk oversight and are
a good framework for other boards to follow.
Boards would be wise to raise their games
by disclosing more details of their board
oversight efforts and engaging with inves-
tors when cyber incidents occur, or they may
run the risk of a loss of investor confi dence.

33 ■

Elena Kvochko, Author, Towards the Quantifi cation
of Cyber Threats report; and Danil Kerimi, Director,
Center for Global Industries, World Economic Forum

Toward cyber risks measurement

As most companies in the U.S. already use some form of
cloud-based solutions, the digital footprint of enterprises
is growing, and so are the risks. Technological solutions
have always focused on convenience, transparency, and
an ever-increasing ability to share information and col-
laborate, while built-in security hasn’t been a priority
until recently. Now enterprises are shifting away from
this model. Growing privacy and security concerns affect
customer perception. According to Deloitte, 80% of cus-
tomers are aware of recent cyber breaches, and 50% of
them are ready to switch brands if they feel their informa-
tion may be compromised. Experian reported that now
cyber breaches are as devastating for the reputation of
organizations as environmental disasters and poor cus-
tomer service.

Most executives recognize that cyber risks are no longer
on the horizon but are an imminent cost of doing business.
Companies are actively looking for effective mitigation
actions. Recent surveys show that cybersecurity is already
part of the agenda of 80% of corporate boards (up from
around 30% 4 years ago). Companies are adjusting their
enterprise risk management frameworks and including
cyber risks and accompanying controls as part of the nec-
essary risk management actions. Traditional controls intro-
duced for in-house infrastructure no longer work, as more
and more operations are performed in the cloud. Just as in
any healthy ecosystem, these environments present great
opportunities for stakeholders to interact with each other
and with the content, but they also carry inherent risks.

Risk mitigation approaches and technologies lag
behind the sophistication of the threat. In fact, our ear-
lier research with the World Economic Forum and
McKinsey showed that 90% of executives feel they only

■ 34

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

fi nancial services industry and describes the
risk appetite and potential losses for a port-
folio that an institution will incur over a
defi ned period of time and is expressed in a
probability to insure the loss.

In the cyber value-at-risk, we introduced
three major pillars, according to which com-
panies can model their risk exposure: exist-
ing vulnerabilities, value of the assets, and
profi le of an attacker. A complete cyber value-
at-risk allows us to answer the question:
“Given a successful cyberattack, a company
will lose not more than X amount of money
over period of time with 95% accuracy.” The
application of these models will depend on
particular industries, companies, and avail-
able data and should be built for an organi-
zation. We discussed specifi c indicators that
can potentially be used to populate the
model. Mathematically, these components
can be brought together and used to build a
stochastic model. For example, vulnerabili-
ties can be measured in the number of exist-
ing unpatched vulnerabilities, not up-to-
date software, number of successful compro-
mises, or results of internal and external
audits. They can be benchmarked against
the maturity of existing controls and security
of networks, applications, data, etc. The
maturity of defending systems has to be
benchmarked against the threat environ-
ment, hence the profi le of an attacker com-
ponent becomes important. In this model, it
would be important to look into their moti-
vations (e.g., fi nancial gain, destruction of
assets, espionage), the tools they are using,
and the innovative approaches. Because
cyber breaches are criminal activity, nontech-
nical factors, such as behavioral motivations,
are to be considered. The component of the
value of assets of many organizations is dif-
fi cult to establish. This includes tangible
assets, such as fi nancial fl ows, infrastructure,
and products, and intangible assets, primarily
data assets (customer and employee data,
business strategies, intellectual property),
brand, reputation, and trust of stakeholders.
Although cost of business interruption can
be qualifi ed easier, the impact on intangible
assets is still subject to approximation. The

have “nascent” and “developing” capabili-
ties to combat cyberthreats. In this situa-
tion when cyber breaches have become an
inevitable reality of doing business, execu-
tives ask themselves, “What does it mean
for my business, how probable is it that a
devastating breach will happen to us, and
how much could it cost us?” Still, very few
organizations have developed ways to
assess their cyber risk exposure and to
quantify them.

In this chapter, we discuss the cyber
value-at-risk framework introduced by the
Partnering for Cyber Resilience initiative of
the World Economic Forum and released at
the Annual Summit in Davos in 2015. More
than 50 organizations, including Wipro,
Deloitte (project advisor), and Aon, have
contributed to this effort. The framework
laid the foundations for modeling cyber
risks and encouraged organizations to take
a quantitative approach toward assessing
their cyber risks exposure, which could
also help make appropriate investment
decisions.

We were delighted to see many spin-off
projects and initiatives that were initiated as
part of this work and hope they will contrib-
ute to better risk management tools. Our
research showed that the aggregate impact
of cybercrime on the global economy can
amount to $3 trillion in terms of slow down
in digitization and growth and result in the
slower adoption of innovation. Multiple
other studies showed signifi cant negative
impact of cyber breaches. CSIS established
that the annual cost of economic espionage
reaches $445 billion. Target’s breach cost the
company more than $140 million, a large
portion of which went to cover litigation
costs. Interestingly, however, Aon research
shows that more than 80% of breaches cost
the companies less than $1 million.

■ Value-at-risk
How can companies defi ne their risk expo-
sure and the level of investments, as well as
priority areas for these investments? To
answer this question, we turned to the value-
at-risk concept. The concept goes back to the

35 ■

TOWARD CYBER RISKS MEASUREMENT

breach probability distribution”); hacker
model (mapping out motivations of adver-
saries in relation to the organization); attack
model (attack types and characteristics);
asset and loss model (potential loss given a
successful attack); security model (describ-
ing organizations’ security posture), and
company model (modeling organizations’
attractiveness as a target). Cyberpoint’s
Cy-var models looks at “time-dependent
valuation of assets” while taking into
account an organization’s security posture
and includes variables such as the values of
intellectual property assets, IT security con-
trols in place to protect those assets and
other related risks, infrastructure risks, a
time horizon, and a probability of an attack.

At the same time, all stakeholders came to
agreement that quantifying risks is a chal-
lenging task. In a workshop organized togeth-
er with Deloitte, the World Economic Forum
Partnering for Cyber Resilience members
defi ned the attributes of an ideal model of
cyber risks quantifi cation: applicability across
various industries; ease of interpretation by
experts and executives alike; association with
real data and measurable security events;
scalability across organizations or even
across the industry; at the same, not relying
on data that are currently absent within most
organizations.

Although the cyber value-at-risk frame-
work doesn’t specify how to calculate the
fi nal number, it presents core components
and gives examples of how these compo-
nents can be quantifi ed. This complete
model, however, could be characterized by
general applicability across various indus-
tries. For it to be effective, it has to be vali-
dated by the industry stakeholders. Cyber
value-at-risk aimed to bring together “tech-
nical, behavioral and economic factors from
both internal (enterprise) and external (sys-
temic) perspectives.” As a next step, it would
be important to understand dependencies
between various components in the frame-
work and ways to incorporate these models
into existing enterprise risk frameworks. It is
important to remember that organizations
should be wary of new emerging risks and

impact of losing these assets can be unno-
ticed in the short term but may hurt long-
term profi tability and market leadership of
an organization.

The cyber value-at-risk model has a num-
ber of limitations, including availability of
data, diffi culties in calculating probabilities,
and applicability across various industries,
but it presents a fi rst step and incentives for
organizations to move toward quantitative
risk management. By publishing the model,
we aimed to encourage more industry stake-
holders to develop comprehensive quantita-
tive approaches to cyber risks measurement
and management. For further examples and
information, please refer to Wipro’s use of
cyber value-at-risk for its clients, Deloitte’s
continuous development cyber value-at-
risk, Rod Becktom’s cybervar model, and
CXOWare’s Cyber Risk application model.
The Institute of Risk Management (IRM)
announced that it will release a cyber risk
quantifi cation framework to help companies
assess their cyber risks exposure. The call to
action from the Partnering for Cyber
Resilience effort was that to develop a uni-
fi ed framework that can be used by indus-
tries to reduce uncertainty around cyber risks
implications on businesses in the absence of
dominant models and frameworks. Aon has
defi ned important ways in which quantifi ca-
tion of cyberthreats can lead to better busi-
ness decisions. First, as the conversation has
shifted from technology and information
security departments to boardrooms, the
question of costs and risks becomes ever
more prevalent. It helps show the scale and
the impact that cyberthreats can have on
fi nancial targets and overall competitiveness
of organizations; helps defi ne and narrow
down the investments required to mitigate
those threats; makes it easy to paint compel-
ling pictures, build scenarios, and make busi-
ness cases; and helps make a determination
whether any parts of the risk can be trans-
ferred. Deloitte has put together a compre-
hensive model for modular approach to
cyber risk measurement introducing the
following components: probability model
(“attractiveness and resilience determine

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

■ 36 SecurityRoundtable.org

consider cyber risks in addition to broader
technology or operational risks.

Overall, the goal was to help raise aware-
ness of cyber risks as a standing and regular
cost of doing business and help fi nd a way
to measure and mitigate those risks. This
can be done through standardization of
various risk factors and indicators into a
normal distribution.

The components that we looked at in this
chapter help bring together various risk fac-
tors via “measures of risk likelihood and
impact.” To achieve a more granular level of
sophistication, quantifi cation and standardi-
zation metrics must mature. Some of the
main cited obstacles are availability of data
to build models, lack of standardized met-
rics and tools, lack of visibility within enter-
prise, and inability to collect data and
dubbed models internally. The variables and
components of the model can be brought
together into a stochastic model, which will
show the maximum loss given a certain
probability over a given period of time. It
was discussed that close to real-time sharing
of data between organizations could address
some of the main challenges of datasets’
availability and provide enough data to
build models.

Although a silver bullet to achieve cyber
resilience doesn’t exist, organizations con-
sider comprehensive frameworks for quanti-
fying and mitigating risk factors, including
cyber risks. Following this model, compa-
nies will assess their assets and existing
controls, quantify vulnerabilities, and know

their attackers and threats. The most signifi –
cant challenge so far is the absence of input
variables, quality of existing datasets and,
following these, no standardized measures
to assess cyber risk exposures. Building such
a model would require efforts in data classi-
fi cation, encourage a strong organization
leadership, process improvement and col-
laboration, as well improve decision making
across various business areas. For example,
the car industry, mortgage industry, or most
insurances have agreed on a standardized
metrics and data collection; the same should
happen for cyber risks measurement.
Understanding dependencies between these
variables and what they mean for various
industries should be a subject for cross-
industry collaboration so that input varia-
bles are unifi ed. The main benefi ts of this
approach are seen in the ability to support
decision-making processes, quantify the
damage at a more granular level, and defi ne
appropriate investments. This would help
stimulate the development of risk transfer
markets and emergence of secondary risk
transfer products to mitigate and distribute
the risks. For organizations, the focus will
shift from an attacker to assets and how to
secure them in such a distributed digital
ecosystem, where everything is vulnerable.
As more robust quantitative cyber risks
models emerge and the industries are mov-
ing toward a standardized recognizable
model, the confi dence of digital ecosystems
stakeholders and their ability to make effec-
tive decisions will also rise.

Based on Towards the Quantifi cation of Cyber
Threats report.

37 ■

Internet Security Alliance – Larry Clinton, CEO

The evolving cyberthreat and an
architecture for addressing it

According to the Pentagon’s 2015 Annual Report, “The
military’s computer networks can be compromised by
low to meddling skilled attacks. Military systems do not
have a suffi ciently robust security posture to repel sus-
tained attacks. The development of advanced cyber tech-
niques makes it likely that a determined adversary can
acquire a foothold in most DOD systems and be in a posi-
tion to degrade DOD missions when and if they choose.”

If the cyber systems of the world’s most sophisticated
and best funded armed forces can be compromised by
“low to meddling skilled attacks,” how safe can we expect
discount retailers, movie studios, or any other corporate
or public systems to be?

That is not even the bad news.

■ Things are getting much worse: Three reasons
1. The system is getting weaker.
The bad news is that the cyber systems that have become
the underpinning of virtually all of aspects of life in the
digital age are becoming increasing less secure. There are
multiple reasons for this distressing trend. First, the sys-
tem is getting technologically weaker. Virtually no one
writes code or develops “apps” from scratch. We are still
relying on many of the core protocols designed in the
1970s and 80s. These protocols were designed to be
“open,” not secure. Now the attacking community is
going back through these core elements of the Internet
and discovering still new vulnerabilities. So as new func-
tionalities come online, their own vulnerabilities are sim-
ply added to the existing and expanding vulnerabilities
they are built upon. The reality is that the fabric of the
Internet is riddled with holes, and as we continue to
stretch that fabric, it is becoming increasingly less secure.

Additionally, vulnerabilities in many open source
codes, widely in use for years, are becoming increasingly
apparent and being exploited by modern “zero-day”

■ 38

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

new access points to large amounts of data
resulting from the explosion in the number of
mobile devices vastly increases the challeng-
es to securing cyberspace.

However, the rise in use of mobile devices
pales in comparison to the coming Internet
of Things (IoT). The IoT, embedded comput-
ing devices with Internet connections,
embraces a wide range of devices, including
home security systems, cars, smart TVs, and
security cameras. Like the bring-your-own-
device (BYOD) phenomenon, the coming of
the IoT further undermines the overall secu-
rity of the system by dramatically increasing
the vectors, making every new employee’s
internet-connected device, upon upgrade, a
potential threat vector.

2. The bad guys are getting better.
Just after the turn of the century, the NSA
coined a new term, the “APT,” which stood
for the advanced persistent threat. The APT
referred to ultrasophisticated cyberattack
methods being practiced by advanced
nation-state actors. These attacks were char-
acterized by their targeted nature, often
focused on specifi c people instead of
networks, their continued and evolving
nature, and their clever social engineering
tactics. These were not “hackers” and “script
kiddies.” These were pros for whom cyberat-
tacks were their day job.

They were also characterized by their
ability to compromise virtually any target
they selected. APTs routinely compromised
all anti-virus intrusion detection and best
practices. They made perimeter defense
obsolete.

Now these same attack methods, once
practiced only by sophisticated nation-states,
are widely in use by common criminals.
Whereas a few years ago these attacks were
confi ned to nations and the Defense Industrial
Complex, they now permeate virtually all
economic sectors.

The APT now stands for the average persis-
tent threat.

The increasing professionalism and
sophistication of the attack community is
fueled by the enormous profi ts cyberattacks

attacks, and the patching system we have
relied on to remediate the system can’t keep
pace. Huge vulnerabilities such as
Heartbleed and Shellshock have existed
within open source code for years only to
be revealed recently when scrutinized by
fresh eyes.

Within hours of the Heartbleed vulnerabil-
ity becoming public in 2014, there was a surge
of attackers stepping up to exploit it. The
attackers exploiting the vulnerability were
much faster than the vendors could patch it.
This is a growing trend. In 2014 it took
204 days, 22 days, and 52 days to patch the top
three zero-day vulnerabilities. In 2013 it took
only four days for patches to arrive. Even
more disturbing is that the top fi ve zero-day
attacks in 2014 were actively used for a com-
bined 295 days before patches were available.

Moreover, because almost no one builds
from scratch anymore, the rate of adoption
for open source programming as a core com-
ponent of new software greatly exceeds the
vetting process for many applications. As
the code gets altered into new apps, the risks
continue to multiply. In 2015 Symantec esti-
mates there are now more than a million
malicious apps in existence. In fast-moving,
early stage industry, developers have a
strong incentive to offer new functionality
and features, but data protection and priva-
cy policies tend to be a lesser priority.

The risks created by the core of the system
becoming intrinsically weaker is being fur-
ther magnifi ed by the explosion of access
points to the system, many with little or no
security built into their development. Some
analysts are already asserting that there are
more mobile devices than there are people
on the earth. If that is not yet literally true, it
will shortly be.

It is now common for individuals to have
multiple mobile devices and use them inter-
changeably for work and leisure often with-
out substantial security settings. Although
this certainly poses a risk of data being stolen
directly from smartphones, the greater con-
cern is that mobile devices are increasingly
conduits to the cloud, which holds increasing
amounts of valuable data. The number of

39 ■

THE EVOLVING CYBERTHREAT AND AN ARCHITECTURE FOR ADDRESSING IT

corporate growth, innovation, and profi ta-
bility also undermine cybersecurity.

Technologies such as VOIP or cloud com-
puting bring tremendous cost effi ciencies but
dramatically complicate security. Effi cient,
even necessary, business practices such as the
use of long supply chains and BYOD are also
economically attractive but extremely prob-
lematic from a security perspective.

Corporate boards are faced with the
conundrum of needing to use technology to
grow and maintain their enterprises without
risking the corporate crown jewels or hard-
won public faith in the bargain. In addition,
the fears and potential losses from cyber
events tend to be speculative and future ori-
ented, whereas most corporate leaders (as
well as the citizen investors who have their
401(k)s tied up in the stock market) tend to
make their decisions with an eye toward the
next quarter or two.

The national security equation
Finally, from the national security perspec-
tive, Internet economics are also complicated.
This economic puzzle is important to solve
because multiple independent studies indi-
cate that the number one problem with
securing critical infrastructure from cyberat-
tack is economic. As the 2014 National
Infrastructure Protection Plan makes clear,
the public and private sectors have aligned,
but not identical, perspective on cybersecu-
rity based on their differing, and legally
mandated, roles and obligations.

The private sector is legally required to
invest to maximize shareholder value.
Although shareholder value is enhanced to
some degree by security investment, gener-
ally security is considered a cost center in
the corporate world. As with most corporate
investments, security is a mater of cost ben-
efi t for the private sector. What this trans-
lates to is that the private sector may legiti-
mately judge that there is a level of security
that goes beyond their commercial interest
and hence their legally mandated obligation
to their shareholders. An example is the
common case of pilfering in many retail
stores, wherein the owner may be aware

are generating—routinely estimated in the
hundreds of billions of dollars and growing.
It is now apparent that attackers are not
going to rely on reusing the same old meth-
ods. Instead, like any smart, successful, and
growing enterprise, they are investing in
R&D and personnel acquisition. They are
seeking to grow their business, including
fi nding new vulnerabilities in older infra-
structures and thus widening the surface
available for attack.

3. The economics of cybersecurity favor the attackers.
Cyberattacks are relatively cheap and easy to
access. Virtually anyone can do an Internet
search and fi nd vendors to purchase attack
methods for a comparatively small invest-
ment. The attacker ’s business plans are
expansive with extremely generous profi t
margins. Multiple reports suggest hundreds
of billions of dollars in criminal cyber reve-
nue each year. They can use virtually identi-
cal attack methods against multiple targets.
The vast interconnection of the system
allows attackers to exploit weaker links who
have permitted access to more attractive
targets, and their “market” is accessible to
them worldwide.

Meanwhile, cyber defense tends to be
almost inherently a generation behind the
attackers, as anticipating the method and
point of attack is extremely diffi cult. From a
business investment perspective it is hard
to show return on investment (ROI) to
attacks that are prevented, making ade-
quate funding a challenge. Moreover, law
enforcement is almost nonexistent—we
successfully prosecute less than 2% of cyber
criminals, so there is little to discourage the
attackers from being bold. Furthermore, as
we have already illustrated, notwithstand-
ing consumers tend to prefer utility and
function over security, which provides a
disincentive for investors to enhance devic-
es with added security, which often slows
or limits utility.

This little-understood imbalance of the
economic incentives is exacerbated by the
fact that many of the technologies and busi-
ness practices that have recently driven

■ 40

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

the Department of Homeland Security
(DHS) be given authority to set minimum
standards for cybersecurity over the private
sector. Subsequently two bills were offered
in the Senate, one by the Chairman of the
Senate Commerce Committee, Senator Jay
Rockefeller (D-WV) with Senator Olympia
Snow (R-ME) and separately by Senate
Homeland Security Chairman Joe Lieberman
(D-CN) and Senator Susan Collins (R-ME).
Both bills largely followed the Obama para-
digm of DHS setting regulatory mandates
for the private sector with substantial penal-
ties available for noncompliance.

Despite strong backing from the Senate
Majority Leader Harry Reid and much of the
military establishment, the bills could not
get out of committee. Even though Reid
exercised his parliamentary power to control
the Senate agenda, there was not enough
support to even get the bills to the fl oor for
consideration, let alone vote on it.

There was certainly industry opposition to
these bills, but what killed them was the
bipartisan realization that the traditional reg-
ulatory model was an ill fi t for cybersecurity.
Government agencies’ ability to craft regula-
tions that could keep up with cyberthreats
was highly questionable. Early efforts to
apply traditional regulation to cyberspace,
such as HIPAA in the health-care industry,
had not generated success. Indeed health
care is widely considered one of the least
cyber secure of all critical infrastructures.

However, with cyber systems becoming
increasingly ubiquitous and insecure threat-
ening economic development and national
security, there was obvious need for an
affi rmative and effective approach. The non-
regulatory, collaborative model selected
largely followed the “social contract” para-
digm previously promoted by industry gov-
ernment analysts.

The social contract approach
In 2013 President Obama reversed course
180 degrees. In an executive order on
cybersecurity the president abandoned the
government-centric regulatory approach

that 5% of his inventory is “walking out the
back door” every month. The reason he
doesn’t hire more guards or put up more
cameras or other security measures is that
the cost benefi t presumably suggests it will
cost him 6% to do so, and hence the better
business decision is to tolerate this level of
insecurity.

Government doesn’t have that luxury.
The government is charged with providing
for the common defense. Surely, they have
economic considerations with respect to
security; however, they are also mandated to
a higher level of security largely irrespective
of cost to provide for national security, con-
sumer protection, privacy, and other non-
economic considerations.

In the Internet space, government and
industry are using the same networks. This
means the two users of the systems have dif-
fering security requirements—both legiti-
mate and backed by lawful authority.
Moreover, requiring greater cybersecurity
spending, beyond commercial interest as
suggested by some, could run afoul of other
government interests such as promoting
innovation, competitiveness, and job growth
in a world economy (presumably not follow-
ing U.S.-based requirements).

Finally, the presumption that requiring
increased security spending by commercial
entities up to the government risk tolerance
is in the corporate self-interest is complicat-
ed by the data that have emerged after
highly publicized cyber breaches. One year
after the Target breach, which would pre-
sumably damage the company’s image prof-
itability and reputation, Target’s stock price
was up 22%, suggesting such predictions
were incorrect. Similarly, 6 months after the
high-profi le cyberattacks on Sony (the sec-
ond high-profi le cyberattack for Sony in a
few years), Sony’s stock price was up 26%.

■ Some good news: Enlightened policy working
in partnership

Traditional regulatory efforts fail
In 2012 President Obama offered a legisla-
tive proposal to Congress suggesting that

41 ■

THE EVOLVING CYBERTHREAT AND AN ARCHITECTURE FOR ADDRESSING IT

telephone service at affordable rates, govern-
ment would guarantee the investment pri-
vate industry would make in building and
providing the service. This agreement
ensured enough funds to build, maintain,
and upgrade the system plus make a reason-
able rate of return on the investment. Thus
were born the privately owned public utili-
ties and the rate of return regulation system.

The result was that the U.S. quickly built
out the electric and communications systems
for the expanding nation, which were gener-
ally considered the best in the world. Some
have argued this decision was foundational
to the U.S.’s rapid expansion and develop-
ment, which turned it from a relatively
minor power in the early part of the twenti-
eth century to the world’s dominant super-
power less than a generation later.

Although the Obama social contract
approach to cybersecurity has different
terms than that of previous infrastructure
development, the paradigm is similar.
Similar modifi cations of the incentive model
are also in use in other areas of the economy,
such as environment, agriculture, and trans-
portation, but this is the fi rst application in
the cybersecurity fi eld.

Although it is in its formative stages, at
this point early indications for the social con-
tract approach are positive. The cybersecuri-
ty framework development process conduct-
ed by the National Institute of Standards and
Technology (NIST) has been completed and
received virtually unanimous praise. In an
exceedingly rare development, the Obama
approach to cybersecurity closely tracks with
that outlined by the House Republican Task
Force on Cyber Security. Bipartisan bills
using liability incentives, instead of govern-
ment mandates, are moving through
Congress, and additional incentive programs
are under development.

■ Conclusion
The cybersecurity problem is extremely
serious and becoming more so. An inher-
ently insecure system is becoming weaker.
The attack community is becoming more

embodied in his previous legislative pro-
posals and the Senate bills. Instead, he sug-
gested a public private partnership—a
social contract—that would address the
technical as well as economic issues that are
precluding the development of a cyber sys-
tem that can become sustainably secure. In
this new partnership, industry and govern-
ment would work together to identify a
framework of standards and practices wor-
thy of industry based on cyber risk assess-
ments conducted by the companies. The
president ordered that the framework be
voluntary, prioritized, and cost effective. If
there were an economic gap between what
ought to be done and what would be
accomplished through normal market
mechanisms, a set of market incentives
would be developed to promote voluntary
adoption of the framework. Although
industry that operates under regulatory
systems would remain subject to regulatory
authority, no new regulatory authority for
cybersecurity would be part of the system.
Instead, a partnership system based on vol-
untary use of consensus standards and
practices and reinforced through market
incentives would be built.

The cyber social contract model has sub-
stantial precedent in the history of infra-
structure development in the United States.
In the early twentieth century the innovative
technologies were telephony and electricity
transport. Initially the private companies
that provided these technologies, because of
natural economies, served primarily high-
density and affl uent markets. Policy makers
of the era quickly realized that there was a
broader social good that would be served by
having universal service of these services
but also realized that building out that infra-
structure would be costly and uneconomic
either for industry or government.

Instead of government taking over the
process or mandating that industry make
uneconomic investment, the policy makers
designed a modern social contract with
industry. If industry would build out the
networks and provide universal electric and

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

■ 42 SecurityRoundtable.org

sophisticated and enjoys massive economic
incentives over the defender community.
Traditional government methods to fi ght
criminal activity have not matured to
address the threat and may be inappropri-
ate to meet the dynamic nature of this
uniquely twenty-fi rst century problem.
Fortunately, at least the U.S. government

seems to have developed a consensus strat-
egy to better leverage public and private
resources to combat cyberthreats without
excessively compromising other critical
social needs. Although there are some ini-
tial signs of progress, the road to creating a
sustainably secure cyber system will be
long and diffi cult.

43 ■

Former CIO of the U.S. Department
of Energy – Robert F. Brese

Effective cyber risk management:
An integrated approach

In its 2015 Data Breach Report, Verizon found that in 60%
of the nearly 80,000 security incidents reviewed, including
more than 2,000 confi rmed data breaches, cyber attackers
were able to compromise an organization within minutes.
Alarmingly, only about one third of the compromises
were discovered within days of their occurrence. This is
not good news for C-suites and boardrooms. Data breach-
es, compromises in which data loss is unknown, denial of
service attacks, destructive malware, and other types of
cybersecurity incidents can lead to lost revenue, reputa-
tion damage, and even lawsuits, as well as short- and
long-term liabilities affecting a company’s future.
Although “getting hacked” may seem, or even be, inevita-
ble, the good news is that by taking an integrated
approach to risk management, cybersecurity risk can be
effectively managed.

But who is responsible for this integrated approach,
and what does it include? Although often the case, man-
aging cybersecurity risk should not be left solely to the
chief information offi cer (CIO) and chief information
security offi cer (CISO). Even though these professionals
are capable, only an integrated information (i.e., data),
information technology, and business approach will ena-
ble a company to effectively manage cybersecurity risk as
a component of an organization’s overarching enterprise
risk program. There is also a movement for board-level
involvement and reporting, resulting in a risk to board
members’ tenure if they are not considered to be suffi –
ciently engaged in the oversight of cybersecurity risk
management and incident response. As an example, in
2014, Institutional Shareholders Services (ISS) recom-
mended that shareholders of Target stock vote against all
seven of the directors that were on the board at the time of
the highly publicized 2013 breach. Although somewhat
shocking, it should be inherently obvious that effective

■ 44

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

collaboration. They also predict that the digi-
tal industrial economy, and the Internet of
Things (IoT), will result in even greater diffi –
culty. However, attempting to scale cyberse-
curity risk management in isolation from an
organization’s enterprise risk program only
exposes the organization to greater risk by
creating a gap in risk oversight.

Nearly every company has established
processes to manage enterprise risk. Larger
companies often have a chief risk offi cer
(CRO) or equivalent individual who is inde-
pendent of the business units and is given
the authority and responsibility to manage
the enterprise risk processes. Incorporating
cybersecurity into the mix of corporately
managed risks should be a priority. Some
may argue that cybersecurity is too different
from the other risks a company faces, such as
market risk, credit risk, currency risk, or
physical security risk, to be managed in a
similar manner. However, although cyberse-
curity may seem more “technical,” the
desired outcome of the treatment is the
same, that is to eliminate, mitigate, transfer,
or accept risk affecting the company’s future.
One thing is certain: not all cybersecurity
risk can be eliminated through controls or
transferred through insurance, so residual
risk must accepted. Making good decisions
requires an integrated, formal approach.

■ The cybersecurity risk management process
There are several key steps that should be
taken to effectively integrate cybersecurity
risk management into the company’s enter-
prise risk management process. This chapter
doesn’t attempt to explain the details of any
particular process but instead focuses on com-
mon attributes that should be used, including
risk framing and assessment, controls assess-
ment, risk decision-making, residual risk sign-
off, risk monitoring, and accountability. Figure 1
provides a visual of the process. For addi-
tional details on approaches to cybersecurity
risk management, the National Institute of
Standards and Technology (NIST) Computer
Security Resource Center (CSRC), interna-
tional standards organizations, and other
industry sources may be consulted.

cybersecurity risk management is key to
meeting the fi duciary responsibilities of cor-
porate offi cers and the board.

To ensure success, managing cybersecu-
rity risk must be an ongoing and iterative
process, not a one-time, infrequent, or check-
the-box activity. This area of risk manage-
ment must grow with the company and
change with ever-evolving cyber threats.
Data holdings and information technology
(IT) systems, and the Internet-connected
environment in which they operate, change
at a pace that is more rapid than many of the
other variables affecting enterprise risk. Not
only must the right stakeholders be engaged
at the right levels within an organization,
but also the right automated tools and
processes must be in place to support risk
decision making and monitoring.

■ Perfect security is a myth
As in physical security, there is no such thing
as perfect IT (cyber) security. All the fi re-
walls, encryption, passwords, and patches
available cannot create a zone of absolute
safety that enables a company to operate
unimpeded and free of concern regarding
the cybersecurity threat. However, perfect
security is not required, or even desired. The
effects of too little security are fairly obvious.
However, too much security unnecessarily
constricts the business’ ability to operate by
reducing the effectiveness and effi ciency of a
customer’s access to the company’s products
and services and unnecessarily constraining
internal and business-to-business (B2B)
interactions. Effective risk management
fi nds the balance between the needs of the
business to operate and the needs and cost of
security. In fi nding this balance, the company
will be able to compete successfully in its
market while protecting the critical informa-
tion and assets on which its success relies.

■ Enterprise risk management
Gartner, Inc., the world’s leading IT research
and advisory company, has found that cyber-
security risk management programs have
experienced trouble in scaling with corporate
initiatives in mobility, cloud, big data, and

45 ■

EFFECTIVE CYBER RISK MANAGEMENT: AN INTEGRATED APPROACH

a company has to avoid, mitigate, share,
transfer, or accept risk. This means that cor-
porate structure, training and awareness
programs, physical security, and other
options should be considered in addition to
traditional IT controls. Cyber insurance may
also be considered. Again, the CIO and
CISO cannot do this alone, and there should
be active engagement across all the various
business lines, business support, and IT
organizations that can contribute to identi-
fying potential controls and the impact they
may have on cybersecurity risk.

Risk Decision Making: A crucial element
of risk response is the decision-making pro-
cess. Decisions are made regarding what will
be done and what will not be done in
response to each risk. A balance must be
struck between protecting systems and
information and the need to effectively run
the business that relies on them. Other fac-
tors that should be considered include the
amount of risk reduction related to imple-
mentation and maintenance costs and the
impacts on employee training and certifi ca-
tion requirements.

An acceptable course of action is identi-
fi ed and agreed to by the business, and then
controls are implemented and initially eval-
uated for effectiveness. If the controls per-
form acceptably, then the sign-off and moni-
toring processes can begin. If not, then a
new course of action must be developed,
which may require further controls assess-
ment to respond to the risk or even addi-
tional framing and assessment to adjust the
risk tolerance.

Risk Framing and Assessment: The ini-
tial activities in risk management include
risk framing and assessment and controls
assessment. CIOs and CISOs have been
assessing the risk to IT systems for many
years and are well informed on the range of
cybersecurity threats and vulnerabilities
that affect corporate risk. However, the con-
sequences (i.e., business impact) may or
may not be well understood, depending on
how close the relationship between IT and
the line of business leaders has been in the
past. The engagement between IT and the
line of business owners is crucial and must
result in clarity about the type and amount
of risk the business is willing to accept with
respect to the

confi dentiality (preventing unauthorized
disclosure);

integrity (preventing unauthorized modifi ca-
tion or destruction); and

availability (ensuring data and systems are
operational when needed)

of the information and systems on which
the business relies. Once IT understands the
business owner’s risk threshold, the CIO
and CISO can begin planning, implement-
ing, and assessing the appropriate security
controls.

Controls Assessment: Preparing an
appropriate response to risk requires the
assessment of potential controls. Controls
include all of the tools, tactics, and processes

Risk
Framing &
Assessment

Controls
Assessment

Risk
Decision
Making

Residual
Risk Sign-off

Risk
Monitoring

Accountability

FIGURE

The cybersecurity risk management process

■ 46

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

treatment plan and/or the accepted level of
residual risk may require revision. If so, the
previous process steps should be revisited.
The frequency of review should be in rela-
tion to the likelihood and severity of the risk.
Because most companies have a large num-
ber of systems, each with their own risk
register, an automated system is typically
used to aid monitoring and review.

Accountability: Last and most important,
we have to consider accountability.
Accountability is not about who to blame
when something goes wrong. As stated earli-
er, the likelihood of something going wrong is
high. Accountability ensures a formal risk
management process is followed and that
effective decision-making is occurring. One
person should be accountable for the risk
management process; however, numerous
individuals will be
responsible or
accountable for
the various steps,
and many more
will be consulted
and informed
along the way.
One option to
ensure roles and
responsibilities are
clearly articulated

Residual Risk Sign-Off: The sign-off of
residual risk closes the decision-making pro-
cess. This should be the role of the business
because it is the operational customer of the
risk management process. Additionally, this
should be a formal, documented activity.
The decisions on how each risk will be
treated and/or accepted must be articulated
in a manner such that the signatory and
reviewers (i.e., regulators, etc.) can clearly
understand the risk treatment plan and the
residual risk being accepted. Once the resid-
ual risk is formally accepted, the system is
typically placed into operation. The formal
recognition of the residual risk also helps
build a culture of risk awareness in the busi-
ness units.

Risk Monitoring: Monitoring risk is an
ongoing process. Each monitoring activity is
designed with a purpose, type, and frequen-
cy of monitoring. Typically, a risk register
has been developed during the risk framing
and assessment phase and leveraged
throughout all steps of the risk management
process. The register also serves as a refer-
ence for auditors. The register should con-
tain the risks that matter most and be rou-
tinely updated and reviewed with the busi-
ness over time. If the likelihood or severity
of consequences changes, or if other physical
or IT environmental factors change, the

TABLE

Process Step CIO CISO LOB CRO CEO Board

Risk Framing and
Assessment

A R C C C C

Controls Assessment A R C I I I

Risk Decision-Making C R A C I I

Residual Risk Sign-Off C R A I I I

Risk Monitoring A R C C I I

Accountability R C C A C C

A responsibility assign-

ment matrix (RAM), also

known as RACI matrix/

‘reisi:/ or ARCI matrix

or linear responsibility

chart (LRC), describes

the participation by var-

ious roles in completing

tasks or deliverables for

a project or business

process.

47 ■

EFFECTIVE CYBER RISK MANAGEMENT: AN INTEGRATED APPROACH

conduct user acceptance testing or experi-
ence surveys as well.

■ Evaluating maturity of an organization’s
cybersecurity risk management program

Cybersecurity risk management programs
aren’t born effective and are not immedi-
ately prepared to scale with the business.
Equally important as making effective risk
management decisions and accepting resid-
ual risk is the continuous evaluation of the
process itself. Numerous IT, cybersecurity,
and business consultants, as well as trade
associations have published guidance,
checklists, and suggested questions for
board members. Although there are many
ways for the C-suite and board to stay
engaged, a company’s cybersecurity risk
management program must continuously
mature to ensure future success. To under-
stand a program’s growing maturity, ques-
tions should be focused on evaluating
improvements in how well risk is under-
stood and treated, the effectiveness of busi-
ness leader and general employee participa-
tion, how responsive the risk management
process is to change, and the capability to
effectively respond to an incident.

How consistent is the understanding of
the company’s tolerance for cybersecurity
risk across the C-suite and senior managers?
How deep in the organization does this
understanding go?

How well do line of business owners
understand the cybersecurity risks associat-
ed with their business? Are sound and effec-
tive risk management and acceptance deci-
sions being made in a timely manner to meet
business needs?

How clearly are roles and responsibilities
understood, and how well do role owners
adhere to and fulfi ll their responsibilities?
Do employees report cybersecurity issues
and are they incorporated into the risk mon-
itoring process?

When threats, vulnerabilities, or other con-
ditions change, does the risk management
process respond and, when necessary, make
sustainable changes to the risk treatment plan?

is by using a RACI matrix (see insert) to iden-
tify which person or organization is responsi-
ble, accountable, consulted, or informed. Table
1 provides an example but should be adjusted
to align to the enterprise risk management
and governance processes of the company.

■ Information supporting cybersecurity risk
management

No risk management is a precise science,
including cybersecurity risk management.
Throughout the risk management process,
the information required for success has to be
“good enough” to recognize and understand
risks to the level necessary to support effec-
tive decision-making. Although complex
mathematical models may work to manage
some risks the company faces, forcibly creat-
ing objectivity when little or none exists can
actually result in poor or ineffective decisions
by creating a focus on the numbers rather
than on the meaning of the risk analysis. So,
using big bucket approach categories such as
low, moderate, and high or unlikely, likely,
and very likely may be adequate.

■ Stakeholder engagement
A key success factor of ensuring that fi duci-
ary responsibilities are fulfi lled in a compa-
ny’s cybersecurity risk management pro-
gram is the right level of stakeholder engage-
ment. Leaving the program to the CRO or
the CIO alone should not be considered due
diligence. Framing and assessing risk
requires a clear understanding of corporate
risk tolerance. The line of business lead
should have the responsibility to sign off on
the residual risk, but to make good risk deci-
sions, the perspectives of other individuals
and organizations in the company must be
consulted and taken into consideration.
Depending on the system(s) for which risk is
being evaluated, some potential stakehold-
ers include the CIO, CISO, chief fi nancial
offi cer (CFO), legal counsel, and other line of
business owners and external partners with
supporting or dependent relationships. If
there is signifi cant potential to affect the cus-
tomer experience, there may be a need to

INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

■ 48 SecurityRoundtable.org

How effective is the cyber incident
response plan? Is it regularly exercised and
are lessons learned from exercises and prior
incidents leveraged to improve the plan?

■ Effective communications
Long-term effectiveness in cybersecurity risk
management requires all employees to fulfi ll
their responsibilities of the security of the
organization for which they work. Creating
a company culture of cybersecurity risk
awareness is critical and is fostered through
effective communications. Leadership must
understand how risk is being measured
across the enterprise, articulate what level is
acceptable, and balance the cost they are will-
ing incur for this level of security. Employees
must understand the basics of the various
cybersecurity threats and vulnerabilities and
the importance of their daily decisions and
actions as they go about their business.
Regular training and awareness activities are
essential and can be similar to the “see some-
thing, say something” campaigns related to
physical security. Additionally, employees
must be empowered and rewarded for iden-
tifying cybersecurity issues.

Communications are also important to
build strong relationships, not only through
customer assurances but also with external
partners and suppliers. Communicating
cybersecurity requirements and expecta-
tions to business partners can improve risk

decision-making as well as lead to coopera-
tive approaches to mitigating risk.
Cybersecurity risks also exist in the supply
chain, and communicating cybersecurity
requirements and vetting suppliers for cer-
tain critical components or services can effec-
tively reduce risk. Had Target, Home Depot,
and certain other high-profi le cyberattack
victims built stronger cybersecurity relation-
ships with external partners, their risk of
becoming a victim may have been reduced.

■ Conclusion
C-suites and boards should not fear cyberse-
curity. By integrating cybersecurity risk man-
agement into the enterprise risk management
process and by effectively engaging IT and
business executives, cybersecurity risk can be
understood and managed. Building a risk-
aware culture is important to ensuring the
quality of the ongoing risk monitoring pro-
cess. When cyberthreats and vulnerabilities
are regularly evaluated, employees are
empowered to report issues and business
executives are aware of potential impacts to
their operations, the company’s cybersecuri-
ty defenses become more agile and respon-
sive and the overall risk remains under con-
trol. Finally, continuous evaluation of the risk
management process, including its effective-
ness and responsiveness to change and to
incidents, is necessary to ensure effectiveness
is sustained.

Electronic version of this guide and additional content available at: SecurityRoundtable.org

Cyber risk and the
board of directors

51 ■

Orrick, Herrington & Sutcliffe LLP – Antony Kim, Partner;
Aravind Swaminathan, Partner; and Daniel Dunne, Partner

The risks to boards of directors
and board member obligations

As cyberattacks and data breaches continue to accelerate
in number and frequency, boards of directors are focusing
increasingly on the oversight and management of corpo-
rate cybersecurity risks. Directors are not the only ones.
An array of federal and state enforcement agencies and
regulators, most notably the Department of Justice (DOJ),
Department of Homeland Security (DHS), Securities
and Exchange Commission (SEC), Financial Industry
Regulatory Authority (FINRA), and state Attorneys
General, among others, identify board involvement in
enterprise-wide cybersecurity risk management as a cru-
cial factor in companies’ ability to appropriately establish
priorities, facilitate adequate resource allocation, and
effectively respond to cyberthreats and incidents. As SEC
Commissioner Luis A. Aguilar recently noted, “Boards
that choose to ignore, or minimize, the importance of
cybersecurity responsibility do so at their own peril.”1
Indeed, even apart from the regulators, aggressive plain-
tiffs’ lawyers, and activist shareholders are similarly
demanding that boards be held accountable for cyberse-
curity. Shareholder derivative actions and activist investor
campaigns to oust directors are becoming the norm in
high-profi le security breaches.

Directors have clearly gotten the message. A survey by
the NYSE Governance Services (in partnership with a
leading cybersecurity fi rm) found that cybersecurity is
discussed at 80% of all board meetings. However, the same
survey revealed that only 34% of boards are confi dent
about their respective companies’ ability to defend them-
selves against a cyberattack. More troubling, a June 2015
study by the National Association of Corporate Directors
found that only 11% of respondents believed their boards
possessed a high level of understanding of the risks associ-
ated with cybersecurity.2 This is a diffi cult position to be in:
aware of the magnitude of the risks at hand but struggling

■ 52

CYBER RISK AND THE BOARD OF DIRECTORS

action or inaction. To maximize their per-
sonal protection, directors must ensure that,
if the unthinkable happens and their corpo-
ration falls victim to a cybersecurity disaster,
they have already taken the steps necessary
to preserve this critical defense to personal
liability.

In the realm of cybersecurity, the board of
directors has “risk oversight” responsibility:
the board does not itself manage cybersecurity
risks; instead, the board oversees the corpo-
rate systems that ensure that management is
doing so effectively. Generally, directors will
be protected by the business judgment rule
and will not be liable for a failure of oversight
unless there is a “sustained or systemic fail-
ure of the board to exercise oversight—such
as an utter failure to attempt to assure a rea-
sonable information and reporting system
exists.” This is known as the Caremark test,5
and there are two recognized ways to fall
short: fi rst, the directors intentionally and
entirely fail to put any reporting and control
system in place; or second, if there is a report-
ing and control system, the directors refuse to
monitor it or fail to act on warnings they
receive from the system.

The risk that directors will face personal
liability is especially high where the board
has not engaged in any oversight of their
corporations’ cybersecurity risk. This is a
rare case, but other risks are more prevalent.
For example, a director may fail to exercise
due care if he or she makes a decision to
discontinue funding an IT security project
without getting any briefi ng about current
cyberthreats the corporation is facing, or
worse, after being advised that termination
of the project may expose the company to
serious threats. If an entirely uninformed or
reckless decision to de-fund renders the cor-
poration vulnerable to known or anticipated
risks that lead to a breach, the members of
the board of directors could be individually
liable for breaching their Caremark duties.

II. The Personal Liability Risk to Directors

Boards of directors face increasing litigation
risk in connection with their responsibilities

to understand and fi nd solutions to address
and mitigate them.

In this chapter, we explore the legal obli-
gations of boards of directors, the risks that
boards face in the current cybersecurity
landscape, and strategies that boards may
consider in mitigating that risk to strengthen
the corporation and their standing as dutiful
directors.

I. Obligations of Board Members

The term “cybersecurity” generally refers to
the technical, physical, administrative, and
organizational safeguards that a corporation
implements to protect, among other things,
“personal information,”3 trade secrets and
other intellectual property, the network and
associated assets, or as applicable, “critical
infrastructure.”4 This defi nition alone should
leave no doubt that a board of directors’ role
in protecting the corporation’s “crown jew-
els” is essential to maximizing the interests of
the corporation’s shareholders.

Generally, directors owe their corporation
fi duciary duties of good faith, care, and loy-
alty, as well as a duty to avoid corporate
waste.3 The specifi c contours of these duties
are controlled by the laws of the state in
which the company is incorporated, but the
basic principles apply broadly across most
jurisdictions (with Delaware corporations
law often leading the way). More specifi cal-
ly, directors are obligated to discharge their
duties in good faith, with the care an ordi-
narily prudent person would exercise in the
conduct of his or her own business under
similar circumstances, and in a manner that
the director reasonably believes to be in the
best interests of the corporation. To encour-
age individuals to serve as directors and to
free corporate decision making from judicial
second-guessing, courts apply the “business
judgment rule.” In short, courts presume
that directors have acted in good faith and
with reasonable care after obtaining all mate-
rial information, unless proved otherwise; a
powerful presumption that is diffi cult for
plaintiffs to overcome, and has led to dis-
missal of many legal challenges to board

53 ■

THE RISKS TO BOARDS OF DIRECTORS AND BOARD MEMBER OBLIGATIONS

by failing to act in the face of a reasonably
known cybersecurity threat. Recent cases
have included allegations that directors:

� failed to implement and monitor an
effective cybersecurity program;

� failed to protect company assets and
business by recklessly disregarding
cyberattack risks and ignoring red fl ags;

� failed to implement and maintain
internal controls to protect customers’
or employees’ personal or fi nancial
information;

� failed to take reasonable steps to timely
notify individuals that the company’s
information security system had been
breached;

� caused or allowed the company to
disseminate materially false and
misleading statements to shareholders (in
some instances, in company fi lings).

Board members may not be protected from
liability by the exculpation clauses in their
corporate charters. Although virtually all
corporate charters exculpate board mem-
bers from personal liability to the fullest
extent of the law, Delaware law, for exam-
ple, prohibits exculpation for breaches of
the duty of loyalty, or breaches of the duty
of good faith involving “intentional mis-
conduct” or “knowing violations of law.”
As a result, because the Delaware Supreme
Court has characterized a Caremark viola-
tion as a breach of the duty of loyalty,7
exculpation of directors for Caremark
breaches may be prohibited. In addition,
with the myriad of federal and state laws
that touch on privacy and security, directors
may also lose their immunity based on
“knowing violations of law.” Given the
nature of shareholder allegations in deriva-
tive litigation, these are important consid-
erations, and importantly, vary depending
on the state of incorporation.

Directors should also be mindful of stand-
ard securities fraud claims that can be
brought against companies in the wake of a
data breach. Securities laws generally pro-
hibit public companies from making material

for cybersecurity oversight, particularly in
the form of shareholder derivative litigation,
where shareholders sue for breaches of
directors’ fi duciary duties to the corporation.
The rise in shareholder derivative suits coin-
cides with a 2013 Supreme Court decision
limiting the viability of class actions that fail
to allege a nonspeculative theory of con-
sumer injury resulting from identity theft.6
Because of a lack of success in consumer
class actions, plaintiffs’ lawyers have been
pivoting to shareholder derivative litigation
as another opportunity to profi t from mas-
sive data breaches.

In the last fi ve years, plaintiffs’ lawyers
have initiated shareholder derivative litiga-
tion against the directors of four corpora-
tions that suffered prominent data breaches:
Target Corporation, Wyndham Worldwide
Corporation, TJX Companies, Inc., and
Heartland Payment Systems, Inc. Target,
Heartland, and TJX each were the victims of
signifi cant cyberattacks that resulted in the
theft of approximately 110, 130, and 45 million
credit cards, respectively. The Wyndham
matter, on the other hand, involved the theft
of only approximately 600,000 customer
records; however, unlike the other three
companies, it was Wyndham’s third data
breach in approximately 24 months that got
the company and its directors in hot water.
The signs point to Home Depot, Inc., being
next in line. A Home Depot shareholder
recently brought suit in Delaware seeking to
inspect certain corporate books and records.
A “books and records demand” is a common
predicate for a shareholder derivative action,
and this particular shareholder has already
indicated that the purpose of her request is
to determine whether Home Depot’s man-
agement breached fi duciary duties by failing
to adequately secure payment information
on its data systems, allegedly leading to the
exposure of up to 56 million customers’ pay-
ment card information.

Although there is some variation in the
derivative claims brought to date, most have
focused on two allegations: that the directors
breached their fi duciary duties by making a
decision that was ill-advised or negligent, or

■ 54

CYBER RISK AND THE BOARD OF DIRECTORS

III. Protecting Boards of Directors

From a litigation perspective, boards of
directors can best protect themselves from
shareholder derivative claims accusing them
of breaching their fi duciary duties by dili-
gently overseeing the company’s cybersecu-
rity program and thereby laying the founda-
tion for invoking the business judgment
rule. Business judgment rule protection is
strengthened by ensuring that board mem-
bers receive periodic briefi ngs on cybersecu-
rity risk and have access to cyber experts
whose expertise and experience the board
members can rely on in making decisions
about what to do (or not to do) to address
cybersecurity risks. Most importantly, direc-
tors cannot recklessly ignore the information
they receive, but must ensure that manage-
ment is acting reasonably in response to
reported information the board receives
about risks and vulnerabilities.

Operationally, a board can exercise its
oversight in a number of ways, including by
(a) devoting board meeting time to presenta-
tions from management responsible for
cybersecurity and discussions on the subject,
to help the board become better acquainted
with the company’s cybersecurity posture
and risk landscape; (b) directing manage-
ment to implement a cybersecurity plan that
incentivizes management to comply and
holds it accountable for violations or non-
compliance; (c) monitoring the effectiveness
of such plan through internal and/or exter-
nal controls; and (d) allocating adequate
resources to address and remediate identi-
fi ed risks. Boards should invest effort in
these actions, on a repeated and consistent
basis, and make sure that these actions are
clearly documented in board and committee
packets, minutes, and reports.
(a) Awareness. Boards should consider

appointing a chief information security
offi cer (CISO), or similar offi cer, and
meet regularly with that individual
and other experts to understand the
company’s risk landscape, threat
actors, and strategies to address

statements of fact that are false or mislead-
ing. As companies are being asked more and
more questions about data collection and
protection practices, directors (and offi cers)
should be careful about statements that are
made regarding the company’s cybersecurity
posture and should focus on tailoring cyber-
security-related risk disclosures in SEC fi l-
ings to address the specifi c threats that the
company faces.

Cybersecurity disclosures are of keen
interest to the SEC, among others. Very
recently, the SEC warned companies to use
care in making disclosures about data secu-
rity and breaches and has launched inquiries
to examine companies’ practices in these
areas. The SEC also has begun to demand
that directors (and boards) take a more
active role in cybersecurity risk oversight.

Litigation is not the only risk that direc-
tors face. Activist shareholders—who are
also customers/clients of corporations—
and proxy advisors are challenging the re-
election of directors when they perceive that
the board did not do enough to protect the
corporation from a cyberattack. The most
prominent example took place in connection
with Target’s data breach. In May 2014, just
weeks after Target released its CEO,
Institutional Shareholder Services (ISS), a
leading proxy advisory fi rm, urged Target
shareholders to seek ouster of seven of
Target’s ten directors for “not doing enough
to ensure Target’s systems were fortifi ed
against security threats” and for “failure to
provide suffi cient risk oversight” over
cybersecurity.

Thoughtful, well-planned director
involvement in cybersecurity oversight, as
explained below, is a critical part of a com-
prehensive program, including indemnifi ca-
tion and insurance, to protect directors
against personal liability for breaches.
Moreover, it can also assist in creating a com-
pelling narrative that is important in brand
and reputation management (as well as liti-
gation defense) that the corporation acted
responsibly and reasonably (or even more
so) in the face of cybersecurity threats.

55 ■

THE RISKS TO BOARDS OF DIRECTORS AND BOARD MEMBER OBLIGATIONS

details of any cybersecurity risk
management plan should differ from
company to company, the CISO and
management should prepare a plan
that includes proactive cybersecurity
assessments of the company’s network
and systems, builds employee
awareness of cybersecurity risk and
requires periodic training, manages
engagements with third parties that
are granted access to the company’s
network and information, builds an
incident response plan, and conducts
simulations or “tabletop” exercises to
practice and refi ne that plan. The board
should further consider incentivizing
the CISO and management for company
compliance with cybersecurity policies
and procedures (e.g., bonus allocations
for meeting certain benchmarks) and
create mechanisms for holding them
responsible for noncompliance.

(c) Monitor compliance. With an
enterprise-wide cybersecurity risk
management plan fi rmly in place,
boards of directors should direct
that management create internal and
external controls to ensure compliance
and adherence to that plan. Similar
to internal fi nancial controls, boards
should direct management to test and
certify compliance with cybersecurity
policies and procedures. For example,
assuming that management establishes
a policy that software patches be
installed within 30 days of release,
management would conduct a patch
audit, confi rm that all patches have
been implemented, and have the
CISO certify the results. Alternatively,
boards can also retain independent
cybersecurity fi rms that could be
engaged by the board to conduct an
audit, or validate compliance with
cybersecurity policies and procedures,
just as they would validate fi nancial
results in a fi nancial audit.

(d) Adequate resource allocation. With
information in hand about what the

that risk. Appointing a CISO has an
additional benefi t. Reports suggest that
companies that have a dedicated CISO
detected more security incidents and
reported lower average fi nancial losses
per incident.8

Boards should also task a committee
or subcommittee with responsibility
for cybersecurity oversight, and devote
time to getting updates and reports
on cybersecurity from the CISO on
a periodic basis. As with audit
committees and accountants, boards
can improve oversight by recruiting
a board member with aptitude for
the technical issues that cybersecurity
presents, and placing that individual on
the committee/subcommittee tasked
with responsibility for cybersecurity
oversight. Cybersecurity presentations,
however, need not be overly technical.
Management should use established
analytical risk frameworks, such as the
National Institute for Standards and
Technology “Framework for Improving
Critical Infrastructure Cybersecurity,”
(usually referred to as the “NIST
Cybersecurity Framework”) to assess
and measure the corporation’s current
cybersecurity posture. These kinds
of frameworks are critical tools that
have an important role in bridging
the communication and expertise gaps
between directors and information
security professionals and can also
help translate cybersecurity program
maturity into metrics and relative
relationship models that directors are
accustomed to using to make informed
decisions about risk. It is principally
through their use that directors can
become sufficiently informed to
exercise good business judgment.

(b) Plan implementation and
enforcement. Boards should require that
management implement an enterprise-
wide cybersecurity risk management
plan and align management’s incentives
to meet those goals. Although the

CYBER RISK AND THE BOARD OF DIRECTORS

■ 56 SecurityRoundtable.org

other government-issued identifi cation;
(c) fi nancial or credit/debit account
number plus any security code necessary
to access the account; or (d) health or
medical information.

4. Critical infrastructure refers to systems,
assets, or services that are so critical
that a cyberattack could cause serious
harm to our way of life. Presidential
Policy Directive 21 (PPD-21) identifi es
the following 16 critical infrastructure
sectors: chemicals, commercial facilities,
communications, critical manufacturing,
dams, defense industrial base, emergency
services, energy, fi nancial services, food
and agriculture, government facilities,
healthcare and public health, information
technology, nuclear, transportation, waste,
and wastewater. See Critical Infrastructure
Sectors, Department of Homeland
Security, available at http://www.dhs.
gov/critical-infrastructure-sector.

5. For Delaware corporations, directors’
compliance with their oversight function
is analyzed under the test set out in In re
Caremark Int’l, Inc. Derivative Litig., 698 A.2d
959 (Del. Ch. 1996).

6. See Clapper v. Amnesty Int’l USA, 133 S. Ct.
1138 (2013). Consistent with Clapper, most
data breach consumer class actions have
been dismissed for lack of “standing”:
the requirement that a plaintiff has
suffered a cognizable injury as a result
of the defendant’s conduct. That has
proven challenging for plaintiffs because
consumers are generally indemnifi ed
by banks against fraudulent charges on
stolen credit cards, and many courts have
rejected generalized claims of injury in the
form of emotional distress or exposure to
heighted risk of ID theft or fraud.

7. Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006).
8. Ponemon Inst., 2015 Cost of Data Breach

Study: Global Analysis (May 2015), http://
www-03.ibm.com/security/data-breach/.

company’s cybersecurity risks are,
and an analysis of its current posture,
boards should allocate adequate
resources to address those risks so that
management is appropriately armed
and funded to protect the company.

As criminals continue to escalate the cyber-
war, boards of directors will increasingly fi nd
themselves on the frontlines of regulatory,
class plaintiff, and shareholder scrutiny.
Directors are well-advised to proactively ful-
fi ll their risk oversight functions by driving
senior management toward a well-developed
and resilient cybersecurity program. In so
doing, board members will not only better
protect themselves against claims that they
failed to discharge their fi duciary duties, but
will strengthen their respective organizations’
ability to detect, respond, and recover from
cybersecurity crises.

Endnotes
1. SEC Commissioner Luis A. Aguilar,

Remarks at the N.Y. Stock Exchange,
Boards of Directors, Corporate Governance
and Cyber-Risks: Sharpening the Focus
(June 10, 2014).

2. Press Release, Nat’l Assoc. of Corp.
Dir., Only 11% of Corporate Directors
Say Boards Have High Level of Cyber-
Risk Understanding (June 22, 2015)
https://www.nacdonline.org/AboutUs/
PressRelease.cfm?ItemNumber=15879.

3. Personal information is defi ned under a
variety of federal and state laws, as well
as industry guidelines, but is generally
understood to refer to data that may be
used to identify a person. For example,
state breach notifi cation laws in the U.S.
defi ne personal information, in general,
as including fi rst name (or fi rst initial)
and last name, in combination with
any of the following: (a) social security
number; (b) driver ’s license number or

57 ■

Fish & Richardson P.C. – Gus P. Coldebella,
Principal and Caroline K. Simons, Associate

Where cybersecurity meets
corporate securities: The SEC’s
push to regulate public companies’
cyber defenses and disclosures

The risks associated with cyberattacks are a large and
growing concern for American companies, no matter the
size or the industry. If a company is publicly traded, how-
ever, there’s a signifi cant additional impetus for execu-
tives’ cyber focus: the ever-increasing attention the U.S.
Securities and Exchange Commission (SEC) pays to
cybersecurity issues. The SEC, as one of the newest gov-
ernment players in the cybersecurity space, is fl exing its
regulatory muscles—including by mandating and scruti-
nizing cybersecurity risk disclosures, prodding compa-
nies to disclose additional information, and launching
investigations after a breach comes to light.

This chapter explores the SEC’s expanding role as
cyber regulator and the growing nexus between cyberse-
curity and corporate securities. It gives companies a
primer on the background and sources of the SEC’s cyber
authority, discusses tricky disclosure and securities regu-
lation-related issues, and provides a potential framework
for companies to think about whether, how, and when
they should publicly disclose cybersecurity risks, and—
when the inevitable happens—cyberattacks.

■ The SEC’s authority to regulate cybersecurity
Generally, a company’s duty to disclose material infor-
mation under U.S. securities laws arises only when a
statute or SEC rule requires it, and currently, no existing
laws or rules explicitly refer to disclosure of cyber risks
or incidents. Even so, the SEC has made it clear that it
will use authorities already on the books to promote
cybersecurity in public companies. During the SEC’s
March 2014 “Cybersecurity Roundtable,” Chairman
Mary Jo White said that, although the SEC’s “formal
jurisdiction over cybersecurity is directly focused on
the integrity of our market systems, customer data pro-
tection, and disclosure of material information, it is

■ 58

CYBER RISK AND THE BOARD OF DIRECTORS

■ Contours of the SEC’s staff guidance
Taking its cues from Regulation S-K, the
Guidance details the key places where cyber-
security disclosures may appear in a com-
pany’s 10-Ks and 10-Qs. The main focuses
are as follows:

� Risk factors. The company’s risk factors
are the central place for cyber disclosure.
If cybersecurity is among the most
signifi cant factors making investment
in the company risky, the risk factor
disclosure should take into account
“all available relevant information” from
past attacks, the probability of future
attacks occurring, the magnitude of
the risks—including third-party risk,
and the risk of undetected attacks—
and the costs of those risks coming
to pass, including the potential costs
and consequences resulting from
misappropriation of IP assets, corruption
of data, or operational disruption. The
risk factor should also describe relevant
insurance coverage.

� MD&A. If the costs or other consequences
of a cyberattack represent a material
trend, demand, or uncertainty “that is
reasonably likely to have a material effect
on the registrant’s results of operations,
liquidity, or fi nancial condition or would
cause reported fi nancial information
not to be necessarily indicative of future
operating results or fi nancial condition,”
the company should address cybersecurity
risks and cyber incidents in its
Management’s Discussion and Analysis
of Financial Condition and Results of
Operations (MD&A).

� Description of business. If one or more
cyber incidents materially affected the
company’s products, services, customer
or supplier relationships, or competitive
conditions, the Guidance suggests
disclosure in the “Description of Business”
section.

� Legal proceedings. If any litigation arose as
a result of a cyber incident, the Guidance
suggests disclosure if material.

incumbent on every government agency to
be informed on the full range of cybersecu-
rity risks and actively engage to combat
those risks in our respective spheres of
responsibility.” In other words—formal
jurisdiction notwithstanding—the SEC
will use every tool it has to combat cyber
risks.

To divine the SEC’s position on cyberse-
curity, companies and experienced counsel
may look to a patchwork of non-binding staff
guidance, SEC offi cials’ speeches, and espe-
cially staff comment letters on companies’
public fi lings. Given that cyber disclosures
can have an effect on corporate reputations
and stock price, give would-be attackers
information about vulnerabilities, and trig-
ger shareholder and other litigation and
government investigations, companies
anguish over exactly when, what, and how
much to disclose. To answer these questions,
it is crucial to understand the background
and contours of existing requirements and
the SEC’s expectations.

■ History and background of the SEC’s
cybersecurity oversight

In May 2011, Senator Jay Rockefeller sent a
letter to then-SEC Chairman Mary Schapiro
urging the SEC to “develop and publish
interpretive guidance clarifying existing
disclosure requirements pertaining to infor-
mation security risk.” Rockefeller, frustrated
with Congress’s inability to pass cybersecu-
rity legislation, identifi ed the SEC’s control
over corporate public disclosure as a vehicle
to promote security in the absence of legisla-
tion. Five months after the Rockefeller letter,
in October 2011, the Division of Corporation
Finance (the “Division”) issued CF Disclosure
Guidance: Topic No. 2 (the “Guidance”). Even
though it’s not an SEC rule itself, the
Guidance announced the Division’s view
that—”although no existing disclosure
requirement explicitly refers to cybersecurity
risks and cyber incidents”—existing SEC
rules, such as Regulation S-K, “may impose”
obligations to disclose cybersecurity and cyber
events in a company’s periodic reporting.

59 ■

WHERE CYBERSECURITY MEETS CORPORATE SECURITIES

staff comments have consistently urged
companies to disclose past data breaches
that are not material, even in the face of
companies’ well-reasoned positions to the
contrary. For instance, Amazon resisted
disclosing a past cyberattack at its subsidi-
ary Zappos because it said the entire
Zappos operation was not material to
Amazon’s consolidated revenues. SEC
staff pushed Amazon to disclose it any-
way, to place the risk factor “in appropri-
ate context.” A version of this comment
appears in letter after letter. By fi rst man-
dating cybersecurity risk factors via the
Guidance, and then urging even non-
material incidents to be included in those
risk factors for “context,” the staff appears
to be pushing for disclosure of past cyber
events notwithstanding materiality.

Trend 2: Staff will research cyber incidents—
and ask about them. Division staff is inde-
pendently monitoring breaches and com-
paring them with company disclosures.
When a breach has been reported by a
company or in the press, but there is no
concomitant disclosure in the company’s
fi lings—especially where the company has
already acknowledged susceptibility to
attack as a risk factor—the staff will likely
notice. Citigroup discovered this when the
staff referred to press reports about a 2011
breach that supposedly affected 360,000
credit card accounts and asked why no
10-Q disclosure was made. The staff ’s
practice is to ask for analysis supporting
the conclusion that no further disclosure is
necessary, including a discussion of mate-
riality from a fi nancial and reputational
risk standpoint. Moreover, when a compa-
ny discloses that a particular kind of
potential breach may be material, the
staff’s comment letter almost always asks
the company to disclose whether that kind
of breach has already occurred—and if it
has, to disclose it, material or not (see
Trend 1). Taken together, these trends sug-
gest that the SEC may be using its author-
ity to make up for the lack of a federal
breach notifi cation law.

� Financial statements. If signifi cant costs
are associated with cyber preparedness
or remediation, they should appear in the
company’s fi nancial statements.

■ SEC post-guidance practice
Of course, guidance is just guidance unless
the SEC, through its actions, gives it teeth.
And the SEC has. Under Sarbanes-Oxley,
the Division reviews every public compa-
ny’s reports at least once every three years,
and the Division has focused intensely
on cyber disclosures since the Guidance—
especially risk factor disclosures.
Responding to a follow-up letter from
Senator Rockefeller requesting that
the SEC enshrine the Guidance as a formal
SEC rule, Schapiro’s successor Mary Jo
White took pains to stress that active staff
review of cybersecurity—using existing
disclosure rules—was an SEC priority.
In her May 1, 2013 letter, White revealed
that the Division had already issued
approximately 50 cyber-related comment
letters. And many more have been sent
since then. Google, Amazon, AIG, Quest
Diagnostics, and Citigroup are just some of
the scores of public companies that
received letters from staff urging enhanced
disclosures of their cyber risks. The lessons
we can learn from those exchanges are
detailed below.

■ Tips for preparing 10-K and 10-Q cyber
disclosures

According to a recent survey by Willis,
87% of Fortune 500 companies claim to
have complied with the Guidance. The
SEC’s “enforcement” of it through com-
ment letters has given it the muscle and
imprimatur of a rule. Certain noteworthy
trends that emerge from these letters
follow:

Trend 1: Staff pushes for all cyber incidents
to be disclosed—material or not. Materiality
is the touchstone of disclosure. Even so,
and even though the Guidance calls for
disclosure of “cyber incidents… that are
individually, or in the aggregate, material,”

■ 60

CYBER RISK AND THE BOARD OF DIRECTORS

enumerated material corporate events, such
as termination of executive offi cers or chang-
es in auditors, must be reported on a “current
basis” on Form 8-K. However, no currently-
existing securities law or rule expressly
requires cyberattacks—material or other-
wise—to be reported on Form 8-K. Generally,
reporting cyber events is entirely voluntary.
Companies that do so use Form 8-K’s Item
8.01, “Other Events,” which is used to volun-
tarily report events that the company consid-
ers to be of importance to investors. Public
companies must navigate issues such as
materiality, selective disclosure, trading, and
effect on stock price, all in an environment
where disclosure of a cyber event is almost
sure to draw a lawsuit, a government investi-
gation, or other unwanted scrutiny. No one-
size-fi ts-all answer exists—it is almost always
a judgment call. In this section, we detail
some of the questions and analysis that com-
panies should consider regarding whether to
disclose an attack on Form 8-K, and if so,
when. One way to think about these ques-
tions is outlined in the decision tree on the
next page (Figure 1).

Why consider disclosure if you don’t have
to? Even if no rule mandates disclosure,
companies and experienced counsel know
that there are frequently upsides to disclo-
sure—especially in a world where securi-
ties litigation, derivative suits, and enforce-
ment actions are lurking. Instead of pro-
voking shareholder litigation, might an
announcement ward it off? Can an 8-K
eliminate a plaintiff’s or regulator ’s argu-
ment that an insider traded on the basis on
material non-public information? The chart
on the next page (Table 1) lays out some of
the possible advantages—along with the
more well-known disadvantages—that com-
panies should consider.

Is the cyberattack material? The determina-
tion of whether a cyber event is material is
not clear-cut. First, the Supreme Court has
rejected a bright-line, quantitative rule for
materiality—instead reaffi rming Basic v.
Levinson’s formulation that any nonpublic
information that signifi cantly alters the total

Trend 3: Staff is interested not only in the
disclosure, but the pre-disclosure process. As
Chairman White has stated, even with the
absence of a direct law or regulation directly
compelling companies to adopt strict
cybersecurity measure, the SEC is exercis-
ing its power to indirectly prod companies
to analyze and strengthen their cybersecu-
rity programs through issuing disclosure
guidance and bringing investigations,
enforcement actions, and litigation against
companies that fall short. In this way the
SEC has taken on a larger mission than
simply requiring disclosure—it is using its
existing authorities to steer companies to
engage in a deep, searching process to
evaluate cyber risk. Whether or not you
think the SEC is the appropriate regulator
of this area, such a searching analysis is
important to securing a company’s digital
assets. Management should engage in and
document its analysis of the effects of cyber
incidents on the company’s operations,
with special attention to probability of
various types of attacks and their potential
cost, from a quantitative and qualitative
standpoint. It should do so not just to
weather the storm of a possible SEC inquiry,
but because such an analysis brings neces-
sary executive-level oversight to a crucial
area of enterprise risk.

Trend 4: Third-party risk is on the staff’s mind.
Staff is encouraging companies to look
beyond their four walls to the cyber risk
posed by the use of vendors. Staff will ask
whether the company’s vendors have experi-
enced cyberattacks, and request assessment—
and disclosure—if a breach at a third-party
vendor could have a material effect on the
company. The SEC likely believes that if
public companies are required to disclose
risks in their supply chain in addition to their
own, third-party cybersecurity will improve
as a result.

■ In the heat of battle: 8-K disclosure
questions during an attack

Of course, 10-Ks and 10-Qs are not the only
reports public companies produce—certain