Contemporary cyber security risk management practices are largely driven by compliance requirements, which force organizations to focus on security controls and vulnerabilities. Risk management considers multiple facets – assets, threats, vulnerabilities and controls – which are evaluated together in terms of probability and impact. Threats cause damage to information systems: threat actors exploit vulnerabilities to inflict that damage, and security controls are implemented in an attempt to prevent or mitigate the attacks they execute. The unbalanced focus on controls and vulnerabilities prevents organizations from addressing the most critical element in risk management: the threats themselves. This imbalance shows up as incident response processes rather than threat intelligence management in the analyst realm, as adherence to predefined standards and policies in security architecture and engineering practices, and as compliance verification in the operational domain. A functionally integrated cyber security organization is structured to place threats at the forefront of strategic, tactical and operational practices. Architects, engineers and analysts adhere to a common methodology that incorporates threat analysis and threat intelligence across systems development and operational processes. This ensures that security controls are implemented, evaluated and adjusted over time according to the most impactful threats and attack vectors. The resulting risk management practices are enhanced because of the higher fidelity of information about the current security posture. This drives improved resource allocation and spending, and produces an agile and resilient cyber security practice. When this threat-driven approach is implemented together with tailored compliance processes, organizations can produce information systems that are both compliant and more secure.