http://www.riskgroupllc.com
[email protected]
+ (832) 971 8322
CYBERSECURITY RISK RESEARCH CENTER
COPYRIGHT RISK GROUP LLC 1
Cyber-Security Risk Research Centre
In this era of an interconnected and interdependent digitalized global economy, the nature and definition of security is going through a fundamental transformation. The revolution in information technologies, processes and connected computers is altering everything, from how we communicate to how we work, how we bank, how we shop and how we go to war. The emergence of this whole new world of cyberspace has been, and still is, more or less like an alien territory, where there are very few knowns and mostly unknowns.
The connected computers, information technology and the capability to digitalize information that are revolutionizing every aspect of society have brought nations: its governments, industries, organizations, academia and individuals (NGIOA-I) a fundamental ability to connect and access information without any obstacle or interference. This has leveled the NGIOA-I playing field and has brought a possibility of progress, prosperity and pride. What needs to be seen is whether the connected computers can bring communication and collaboration or chaos and calamities!
While information technology on connected computers is fundamentally shaking the status quo and the power structure of NGIOA-I, it has also been instrumental in shaking the fundamentals of security and pointing out the inadequacy and ineffectiveness of its current form of definition, structure, nature and response.
For much of human history, the concept of security has largely revolved around the use of force and territorial integrity. As the definition and meaning of security are fundamentally challenged and changed in the world of cyberspace, the blurring territorial boundaries and integrity are also becoming hard to define and maintain. The notion that traditional security is about violence towards respective nations, from within or across their geographical boundaries, is now outdated, and needs to be evaluated and updated. Just as in any traditional physical security ecosystem, in cyberspace and its ecosystem one is only as strong as the weakest link in the chain. It is time nations collectively incorporate a different, more accurate meaning of boundaries, if any, and of security, irrespective of whether in space, cyberspace or geo-space.
The challenges and complexities of evolving threats and security have crossed the barriers of space, ideology and politics, demanding a constructive collaborative effort from all stakeholders. When the changing nature of threats is bringing new sets of challenges and complexities, collective brainstorming is a necessity and not an option, in order to have an objective evaluation of what is under threat and how it can be secured!
While the debate on the structure and role of government, industries, organizations, academia will continue in the coming years, any attempt to redefine security needs to begin with identifying, understanding, incorporating and broadening the definition and nature of threat.
While information technology provides tools and technology to communicate information on connected computers, it also provides tools and technology to misuse information.
Connected computers and their ecosystem, which make up cyberspace, bring complex challenges. A cyber-security system, like any system, is made of a collection of parts that have a complex level of inter-connectivity and dependencies, designed to achieve a desired goal. In spite of this inter-connectivity and inter-dependency of the sub-parts of any and all systems, there is currently no culture of collective brainstorming, identifying, evaluating or managing risks across nations, and cyber-security is no exception. Irrespective of whether it is a geo-security system or a cyber-security system, any and all systems need to be evaluated holistically and collectively: not merely as a sum of their parts (because the whole is always more than the sum of its parts) but as a complete functioning unit. When a complex system is made up of a collection of parts, not only do the individual parts need to be evaluated, but also the environment in which the parts operate, its internal and external processes, and its entire ecosystem. The cyber-security system, like the human body, comprises different components that interact in complex ways within and across cyberspace. Nations need to understand the cyber-security atmosphere, technology, processes, people, management and governance, and their inter-connectedness and inter-dependencies within and across cyberspace, as one complete system. Understanding cyberspace completely will help nations improve their cyber-security risk understanding and capabilities.
At the moment, cyber threats and cyber-security are not clearly understood by any nation: its governments, industries, organizations, academia and individuals.
In cyberspace, information is critical not only for survival but also for sustainability, and hence it becomes a critical necessity to protect it at all costs. When cyberspace is riddled with challenges and complexities, it is vital to have a cyber-security model that is dynamic, holistic and collective, and that considers all variables and integration points of NGIOA-I.
Cyber-security vulnerabilities do not arise only from technology, but also from inadequacies in governance, processes, management, culture, inter-dependencies and integration. When each nation: its government, industries, organizations, academia and individuals are now vulnerable to cyber-attacks, it is important to understand that short-term fixes, which are preferred over identifying and fixing the root cause of the problems, generally do not work. The approach to security is currently reactive: not only governments, but most industries and organizations do not give importance to securing their information data, are reactive in their response and do not invest proactively in cyber-security. This reactive approach limits an entire nation’s ability to have proactive cyber-security risk management capabilities.
Information, whether it belongs to individuals, industries, organizations, academia or governments across nations, is at risk. Unless security becomes a collective proactive initiative, there will be recurring incidents of cyber-attacks with varied levels of impact and intensity. The increasing level of cyber-security challenges from integration within, between and across NGIOA-I forces a collective mindset and effort for securing cyberspace.
In order to be able to minimize and manage any and all cyber-security risks, it is important to understand every possible building block of cyberspace: its framework, associated processes, technology, people and ecosystem. When managing cyber-security seems to be near impossible at the moment, it is important to acknowledge that there is a need for a collective understanding and an integrated NGIOA-I cyber-security framework, without which any and all efforts will be meaningless.
Cyber-security requires an integrated approach with a common language. While appropriate hardware and software are a fundamental necessity, establishing an effective cyber-security framework, an integrated NGIOA-I approach and structured processes is even more important.
What do we know about the cyberspace? Who does it belong to? Who is accountable? Governments - Department of Defense? Homeland Security? Industries? Organizations? Academia?
While going digital is a global age necessity, the question is whether going digital through the open internet is wise, especially when a nation’s digital infrastructure is put together in haste and in silos, with no coordinated framework, standards, policies and regulations. Unless there are significant advances in the nature of digital infrastructure, its processes, technology, tools, accountability and oversight, it is not only the privacy of NGIOA-I that is at risk: everything is at risk.
In an interconnected world, NGIOA-I need to be responsible for securing the cyberspace. Relying on government alone to provide and enforce
one of us: each NGIOA-I has a responsibility towards securing the cyber space, just like each one of us has responsibility towards securing our valuables, homes and businesses!!
Cyberspace cannot be secured if nations and their governments work in silos within and across their national boundaries. Integration and collaboration between NGIOA-I, within and across nations’ geographical boundaries, is a fundamental necessity not only for managing cyberspace but for managing any global threat! The time for NGIOA integration and collaboration is now!
Jayshree Pandya Founder: Risk Group
http://www.riskgroupllc.com [email protected]
+ (832)9718322
Risk Group pioneers value in Integrated NGIOA Risks
Need for Integrated Risk Research Services
What risks are managed depends on what risks have been identified!
RISKS ARE INEVITABLE. ALL THE TOOLS, TECHNOLOGY, PROCESSES, GUIDELINES AND FRAMEWORK IN THE WORLD WON’T HELP, IF RISKS CANNOT BE ACCURATELY IDENTIFIED, OBJECTIVELY EVALUATED AND PROACTIVELY MANAGED!
Everything has risks. It is the ability to take risks that gives rise to the possibility of progress and advancement. Progress and advancement are all about risk taking. Every decision, whether it be for investment, innovation, product choice, market penetration or strategy, comes with risks and a possibility of failure. The fundamental reality of risks and uncertainty brings a possibility of failure, and of the very promise of progress and prosperity being crushed and shattered. Amidst this, no decision maker can stand unconcerned. It is in their own interest, and in their initiatives’ interest, that they educate themselves with the knowledge that is necessary and essential to identify real risks and issues.
It is vital for nations: its governments, industries, organizations and academia to be risk aware—to accurately anticipate, prepare and plan!
No decision maker can live and operate in a culture that lacks basic understanding and acknowledgement of risks. Neither can they deny or refuse to take personal and professional responsibility for the decisions that they make; nor can they refuse to take accountability and ownership of their decisions. No decision maker can be in denial, or can develop tone deafness towards risks. It is time to change the cultural habit of not identifying real risks, ignoring risks or transferring risks.
Developing a culture of objective, non-partisan risk awareness is critical and vital to the success of any initiative, progress or development. This risk-aware culture will ultimately help ensure trust and understanding of critical risks and issues, as well as their impact. Amidst exposure to turbulent times and their associated perils, no tools in the world can help meet the objectives of any initiative whose risks are not identified. Risk identification is the key.
When risk transcends initiatives, industries, borders, cultures, nations, societies and human existence, taking timely risk initiatives is a necessary forward-looking move.
As today’s risks are tomorrow’s crisis, there is a need to make the transition from a reactive approach to a proactive one for identifying, evaluating and managing risks. Proactive risk identification is fundamental for progress and advancement, and it is an on-going process. Risk Group’s understanding of the changing global fundamentals and years of research on risks facing nations: its governments, industries, organizations and academia (NGIOA) will help:
Board of Directors
C-Suite
Executive Management
Senior Management
Decision Makers
Policy Makers
Investors
While traditional risk management can offer tools, technology, processes, guidelines and framework, it cannot provide global insights and integrated knowledge and understanding of globalized cyberspace risks. This is where Risk Group steps in! Risk Group’s stellar reputation in the global risk industry is derived from its expertise in understanding the global age and its changing fundamentals, defining the broader problems of traditional risk management, creating an advanced risk management practice, developing integrated risk research designs, executing complex integrated studies, analyzing data and identifying the integrated risks that have the biggest impact on any initiative, to help decision makers make the most informed decision possible.
All of Risk Group’s core competencies are supported by an active commitment to on-going advanced risk research and
Risk Group’s passion in studying NGIOA (nations: its governments, industries, organizations and academia) is to guide them towards excellence through sustainable change. As integrated risk experts, Risk Group offers extensive risk research, out of the box solutions, and future thinking in supporting all NGIOA to face and overcome global challenges. Risk Group achieves this by engaging in a dialogue with our clients to identify risks that matter, manage change and co-create the meaning of risks and risk management!
Risk Group’s advanced risk research services will help you identify integrated risks facing your decisions, be prepared and compete
Need for Cyber-Security Risk Research Services
Concerns about cyber-security risks are increasing across nations: its governments, industries, organizations, academia and individuals (NGIOA-I)! For NGIOA-I, identifying, evaluating and understanding the many complex, interconnected and interdependent internal and external sources in order to have objective, risk-centric, relevant, targeted and actionable information is like finding a needle in a haystack: time-consuming, resource-intensive and inefficient. This is where Risk Group can help.
With a global network of highly skilled integrated risk resources, Risk Group is well positioned to provide NGIOA-I the Cyber-security Risk Research Centre that it needs.
Risk Group’s Cyber-Security Risk Services can help NGIOA-I understand:
Cyberspace: Opportunities and Risks
Cyberspace Infrastructure: Current and Crucial
Cyberspace: Digital Assets and Valuation
Cyber-security Tools and Technology: Current and Crucial
Cyber-security Processes: Current and Crucial
Cyber-security Human Resources: Current and Crucial
Cyber-security Insurance: Current and Crucial
Cyber-warfare: From Geo wars to Cyber war
Risk Group’s Cyber-Security Risk Research Centre is being developed to help nations: its governments, industries, organizations and academia make risk informed and intelligent decisions.
How well do you understand cyberspace?
How secure is your organization’s cyber infrastructure?
What is your organization’s cyber-security approach?
What is your organization’s cyber-security risk strategy?
What cyber-security capabilities do you have right now?
What cyber-security resources do you have right now?
Survival and success of nations: its government, industries, organizations and academia are subject to uncertainty, gaps, strength, weaknesses, resources, capabilities, motivation, risks-rewards and much more. The rapidly changing fundamentals of the emerging cyberspace are creating unusual complexities and challenges for every nation: its government, industries, organizations and academia (NGIOA).
Because of the rapid pace of change in the cyberspace ecosystem, cyber-security risk research has become a fundamental need for survival.
Cyber-security risks are most consequential for an ability to achieve objectives, build, and protect value—and cyber-security risk research is about identifying the risks that are most vital to achieving core objectives and goals.
Planning cyber strategy and managing cyber-security risks go hand in hand!
Cyber-Security Risk Research Center’s Objectives
Without understanding independent and integrated cyber-security risks, no nation: its government, industries, organizations and academia can make appropriate investments, take necessary initiatives, compete and succeed!
The objective of Cyber-Security Risk Research Centre is to:
Identify, analyze and respond to those cyber-security risks that could potentially impact any organization’s ability to realize its current and strategic / operational objectives in cyberspace as well as geo-space.
Support the development of collaborative thinking about the integrated cyber-security risk challenges facing nations: its government, industries, organizations and academia.
Promote the ability of NGIOA-I to share a common understanding and awareness of threats facing NGIOA, so as to prepare an organization ready to act independently but collaboratively.
Strengthen the resilience of an organization through systemic preparation for the cyber threats that pose the greatest risks to its survival, security and sustainability in cyberspace and geo-space.
[Figure: Emerging Cyber-Security threats. Labelled elements: Resources, Technology, Products, Processes, Investment, Skills, Regulations, Cyber-Space Governance, Cyber-Space Knowledge]
Cyber-Security Risk Research Centre will merge the boundaries of Geo-security, Cyber-security and Space-security
Understanding the nature of client objectives and their current challenges, Risk Group will recommend the scope of the Risk Research Services.
Broad cyber-security scope:
Global cyber-security risks
Regional cyber-security risks
National cyber-security risks
Industry cyber-security risks
Organization cyber-security risks
Academia cyber-security risks
Individuals cyber-security risks
Narrow scope:
Cyber-security technology risks
Cyber-security product risks
Cyber-security process risks
Cyber-security resource risks
The scope will determine the need for resources—both on-site as well as off-site
Cyber-Security Risk Research Approach
Risk Group’s proactive, objective, neutral and participatory approach to cyber-security risks will help NGIOA take informed decisions about risks facing their initiatives
Risk Group will draw risk data and information from
In house Risk Group research
Client interviews
Public information
All sources will be documented to promote credibility and transparency of the risk identification and assessment. Given the uncertainty inherent in assessing evolving cyber-security risks, a wide degree of uncertainty will be likely. Key limitations and assumptions will be noted.
In spite of the inherent nature of uncertainties in cyber-space, risk identification and analysis supports better decision-making
Risk Group’s approach to cyber-security risk research is designed to provide maximum value, with integrity and privacy that is desired by the board rooms and c-suites.
Cyber-Security Risk Research Methodology
Risk Group approach will be tailored to the needs of the organization
Risk Group Methodology
Cyber-security risks impact an organization’s ability to achieve its current and strategic objectives. Cyber-security risk research is a process to identify, evaluate and communicate the risks facing current and strategic objectives. This process protects and creates value for shareholders/investors.
Cyber-security risk management is a process to identify, evaluate and manage cyber-security risks. Cyber-security risk research needs to be an on-going process.
Risk Group will
Research and review cyber-security risks impacting the sector/industry/nation to achieve a preliminary understanding of the risks facing organization
Prepare an initial risk review that will help understand the cyber-security risks facing organization
Collaborate and achieve a deeper understanding of the strategic risks facing organization through meetings, interviews and brainstorming sessions with c-suites, executive management, boardroom etc.
Evaluate the understanding of cyber-security risks and risk management processes by organization
Review and record the cyber-security risk profile of the organization (Risk Group views + organization views)
Communicate the cyber-security risk profile to the stakeholders
Perform regular cyber-security risk research reviews
Understanding of cyber-security risks is the foundation to preparedness
Cyber-security risk research will provide nations: its government, industries, organizations and academia a clear view of the risk variables to which they may be exposed, collectively or individually. An on-going, thorough integrated risk analysis will empower decision-makers with better decision-making criteria and process. Structured integrated risk research would allow an organization within any NGIOA to be better prepared to meet its goals and objectives.
Risk Group research would not be based purely on what organizations think their risks are, but would also have Risk Group internal thought leaders add to what the risks are, which would help complete the risk profile
Cyber-Security Risk Research Plan
The cyber-security risk research would be conducted with a view that the primary purpose of any organization is to meet the shareholders / investors’ expectations. Any unforeseen and unidentified cyber-security risk compromises the ability to support its fundamental objectives
Understand the organization
o Understand the organization’s objectives, strategies, business model, culture, technology, operations, resource model, working practices, communication protocol and so on
o Understand the broader challenges facing the organization, industry and nation through Risk Group internal research
o Understand the challenges as experienced by the organization and its executives
Understand the cyber-security challenges facing organization
Evaluate the cyber-security risks
o Cyber-security risks that can be managed by the organization
o Cyber-security risks that have interdependencies and need collaboration of NGIOA to be managed
Develop a cyber-security risk profile
Communicate the cyber-security risk profile
Risk research frequency is established –quarterly recommended
Risk Research plans will be revised as necessary
An objective, independent cyber-security risk analysis plays a significant role in the development and sustainability of any initiative and/or organization within any NGIOA.
Cyber-Security Risk Research Deliverables
A Cyber-Security Risk Map: Cyber-security risks will be individually rated and summarized. A cyber-security risk map will reveal which risks are most significant and should be the focus of management for mitigation and/or management. It will also enable analysis of risk interdependencies that will help them evaluate whether there is need for collaboration within the sector/industry/nation for possible mitigation and/or management of risks.
A Cyber-Security Risk Report: A cyber-security risk report will detail the identification, evaluation and communication of the identified cyber-security risks
RISK GROUP HOPES TO PARTNER WITH NATIONS: ITS GOVERNMENT, INDUSTRIES, ORGANIZATIONS AND ACADEMIA (NGIOA) FOR THE SUPPORT OF INDEPENDENT AND INTERDEPENDENT CYBERSECURITY RISK RESEARCH THAT IS IN CONSONANCE WITH ITS MISSION OF GLOBAL PEACE THROUGH RISK MANAGEMENT!
It is our belief that collaboration between and across NGIOA will be mutually beneficial to all cybersecurity stakeholders across nations, not only for the identification and understanding of critical cyber-security risks, cyberspace and its ecosystem (for what risks are managed depends on what risks are identified), but also for raising much-needed awareness of the critical risks of the interconnected and interdependent global age.
Risk Group intends to carry out independent and integrated Cyber-security risk research to advance the frontiers of Cyberspace and its ecosystem.
Risk Group’s Cyber-security Risk Research Centre and its projects will not be only of intellectual interest and debate but will also provide practical and forward-looking understanding and guidance for the survival and sustainability of NGIOAs in the digitalized Global Age. In addition, it will provide operational guidance for the development of useful products, processes and services to make Cyberspace and its ecosystem secure.
Risk Group is available to enter into agreements for both public and private research. Depending on the scope, Risk Group research will be either independent or interdependent and will depend on the collaboration and support of NGIOA.
A valuable benefit of Risk Group approach to Cyber-security Risk Research is Collaboration, Cooperation and Comprehension.
Cyber-Security Risk Research and Advisory Pricing
Risk Group offers Fixed Price framework for funding Sponsored Strategic Risk Research as well as Advisory Services.
FIXED PRICE CYBER-SECURITY RISK RESEARCH FUNDING FRAMEWORK: Under this framework, Risk Group and the client organization agree upon a fixed-price arrangement based on the best estimate of costs needed to complete the Cyber-Security Risk Research, which can be adjusted if the parties agree or if the client organization requests additional work.
FIXED PRICE CYBER-SECURITY RISK ADVISORY SERVICES: Depending on the scope of the advisory services, Risk Group and the client organization will agree upon a fixed price yearly advisory services fees.
Cyber-Security Risk Research Areas: On-going Research
Table columns: Topic #, Cyber-Space Research Areas, Scope of Research, Fixed Price Research Funding (USD), Details, Comments
1 Blurring boundaries: Geospace - Cyberspace - Interplanetary Space
2 Traditional-Security to Cyber-Security
3 Cyberspace: Need for Integrated Cyber-Governance
4 Cyberspace: Evolving Regulations and Compliance
5 Cyber-Security Technologies: Current and Needed
6 Cyber-Systems: Unknowns
7 Cyber-Security Standards: Need for common language
8 Cyberspace: Privacy and Identity Management
9 Cyber-Security: Beyond Hackers and Crackers
10 Cyberspace: Its impact on Geo-space
11 Cyberspace: Laws and Law Enforcement
12 Cyberspace: Leveled Playing Field
13 Cyberspace: Computer Forensics
14 Cyberspace: Information Data Flow
15 Cyberspace: Blurring boundaries with traditional geography
16 Cyberspace: Crime and Criminals
17 Cyberspace: Impact on Commerce
18 Cyberspace: Impact on Healthcare
19 Cyberspace: Impact on Economy
20 Cyberspace: Impact on Military
21 Cyberspace: Impact on Government
22 Cyberspace: Impact on Nations Culture
23 Cyberspace: Impact on Society
24 Cyberspace: Impact on Innovation and Entrepreneurship
25 Cyberspace: Impact on Banking
26 Cyberspace: Impact on Communication and Media
27 Cyberspace: Evolving Authentication protocols
28 Cyberspace: Liability and Cyber-insurance
29 Cyber warfare
30 Cyberspace: Impact on Energy Infrastructure
31 Cyberspace: Impact on Transportation Infrastructure
32 Cyberspace: Impact on Financial Infrastructure
33 Cyberspace: A key to Global Peace
Risk Group is in process of identifying additional areas of interest for Cyber-security Risk Research. In case Sponsoring Organization suggests research topics relevant to their interests, Risk Group, after internal evaluation of cost will quote the Fixed Price of suggested work-
INFORMATION