Protecting information is an arms race between attackers and their targets. Each side is attempting to develop more clever attacks or stronger defenses.
As an attorney representing an organization, how do you protect your organization’s information assets from attackers? How do you evaluate what kind of cyber insurance your organization may need? How do you help your organization design and implement policies on cyber security? And if you represent an insurer or an insurance-regulated entity or individual, how do you best advise them in light of the proposed draft NAIC Insurance Data Security model law?[1] Or in light of the New York Department of Financial Security’s recently released, final Cybersecurity Requirements for Financial Services Companies?[2]
Calculating Risk – Vulnerability, Threat, and Impact
To begin our inquiry, we must discuss risk and its underlying components. Cyber security is fundamentally a risk management process. For all their technical know-how and tools, security professionals are attempting to minimize risk (whether deliberately or intuitively). Risk reduction is where the discussions between the information security and executive teams share a common goal, if not a common language. The way security practitioners think about risk is simple and comes down to three components: vulnerabilities, threats, and impacts.
Vulnerabilities are any weaknesses in an information system. Vulnerabilities can be technical, administrative, procedural, managerial, or anything else that weakens the protections in a computing system. Since most security professionals come from a technology background, they tend to focus heavily on technical controls. Many security professionals have not had significant exposure to administrative, managerial, or procedural controls. They assume that—and forgive me for saying this—end users will not understand the reasons why controls are in place. Some of this is born of experience, but in most cases it is because end users are increasingly capable of setting up shadow information technology (IT), which we will discuss in more depth later in this article.

Threats can be manmade (malicious or unintentional) or even natural (squirrels cause more outages than “hackers” by jumping onto transformers or eating cables, and the term “bug” was created when a moth got into an original computer). Without a threat, a vulnerability will not be exploited. Conversely, without a vulnerability, the threat has nothing to exploit. Since security professionals cannot, with few exceptions, reduce the threat, they focus on reducing vulnerability.