Fundamentals of Information Security
In the age of digitalization, organizations of all sizes are grappling with the complex challenges of information security. The widespread integration of third-party SaaS applications, the deployment of IoT devices, and the emergence of AI technologies such as Bard, ChatGPT and DALL-E have transformed the landscape of business operations. While these technologies have streamlined many business processes, they have also increased the risk to the digital assets used by and exposed to these applications.
This article will explore the current information security environment with a particular focus on risk-based methods, which ensure that organizations can anticipate, prepare for, and mitigate cyber and technology risk in the digital era. In the first part of the article, we define information security, trace its evolution, explain the core principles of information security, and outline the most common cybersecurity frameworks. In the second half of the article, we look at risk as the foundation for a solid cybersecurity strategy where we discuss the value that a risk-based cyber risk management approach can bring to an information security strategy, and we consider how Cyber Risk Quantification allows companies to prioritize and justify their information security budget and strategy across business units and with all decision-makers.
What is information security?
In the early days of computer networks, information security focused on physically safeguarding mission-critical IT systems, sensitive documents, and communications systems. Today, information security is the practice of safeguarding information in all forms to ensure its appropriate use. The discipline extends beyond IT and cybersecurity to protecting information in every form and across every area of an organization. Its measures aim to provide confidentiality, integrity, and availability of information by reducing the frequency and impact of security incidents.
The National Institute of Standards and Technology (NIST) defines information security as “the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.”
A very short history of information security and cybersecurity
In the mid-1960s, computer systems began the transition from government and corporate spheres to everyday life. Airlines were using computer reservation systems, and financial transactions could now be made as electronic funds transfers (EFTs). Universities also began offering computer science courses. Security in those early days was rudimentary, focusing on physical safeguards and password access. In 1969, the US Department of Defense's Advanced Research Projects Agency (ARPA) developed ARPANET, a computer network that let computers communicate over phone lines without a central machine and that was the precursor to today's Internet. In 1971, BBN programmer Bob Thomas wrote Creeper, often described as the first computer worm, which displayed a message on an 'infected' computer, started to print a file and, before completing the task, jumped to a new machine and continued its journey through the network. A year later, Reaper, an early 'anti-virus' program, was written to chase down Creeper and delete it.
These developments led government agencies, business leaders, computer scientists and academics to identify the basic principles of information security. In 1977, the first conference on Audit and Security of Computer Systems, held by the Institute for Computer Sciences and Technology of the National Bureau of Standards (later NIST), outlined how the US government should detect threats to its computer networks and implement effective safeguards to counter them. In the introduction to the conference's companion paper, Ruth Davis, director of the Institute for Computer Sciences and Technology, called on government agencies and organizations, working with auditors, to conduct threat assessments that address the potential loss, the probability of loss, and the cost of implementing adequate controls.
Since then, the legal framework for data privacy reporting and the safeguarding of personal information has been updated and expanded. Notably, the General Data Protection Regulation (GDPR) in the European Union, which came into effect in 2018, represents a significant milestone in data protection and privacy. In the United States, various states have enacted their own data privacy laws, such as the California Consumer Privacy Act (CCPA). These regulations mandate that organizations implement measures to protect consumer data, report any breaches in a timely manner, and allow individuals more control over their personal information. The conversation around data privacy and security continues to evolve as technology becomes increasingly integrated into our daily lives presenting new challenges and requiring continuous updates to security protocols and legislation to protect users and data from growing threats.
Core Concepts of Information Security
The CIA Triad is the basis for information security and cybersecurity frameworks, which use it as a guide for implementing security practices, controls, and standards. The triad is not specific to an industry or sector; it applies to all information. Whenever data is created, transmitted, used, and reused, the triad plays a role:
- Confidentiality – This aspect of information security ensures that sensitive information is not disclosed to unauthorized individuals or systems.
- Integrity – This component ensures that data is authentic, accurate, and reliable, and it has not been tampered with or altered.
- Availability – This ensures that information is consistently and readily accessible and available for authorized parties.
A breach of the confidentiality of personally identifiable information (PII) can harm the person the data describes, for example if they are denied benefits or suffer financial, physical, or social harm as a result. Ransomware attacks compromise availability by encrypting data and systems, and compromise integrity and confidentiality when attackers alter or exfiltrate data before encrypting it; businesses without robust detection and response mechanisms are increasingly exposed to such incidents. A distributed denial-of-service (DDoS) attack can make a server or network entirely unavailable. An information security and cybersecurity strategy is not a nice-to-have but a need-to-have to keep information secure and systems running.
Types of Information security measures
For a business or organization to implement the high-level concept of the CIA Triad, there are some basic types of information security measures that can be taken.
- Organizational measures establish governance: a function (for example a security or GRC team) with the mandate to set policy, define roles and responsibilities, and develop the security strategy.
- Human measures focus on awareness training: creating strong passwords and using a password manager, recognizing phishing, reporting suspicious activity, and the other behaviors on which confidentiality, integrity, and availability depend.
- Physical measures control access to office locations, data centers, and the physical machines that are part of the network.
- Technological measures concern the selection and configuration of hardware and software, such as encryption, firewalls, intrusion detection, and authentication systems, that enforce security controls.
Each of these measures can be further expanded into specific controls that form the basis of the InfoSec and Cybersecurity frameworks used today.
Information security risk management frameworks
Information security and cybersecurity frameworks provide organizations with a structured approach to managing information security risks. These frameworks typically codify the CIA triad (confidentiality, integrity, and availability) into various control families and controls. Some of the most widely implemented frameworks include:
The NIST Cybersecurity Framework (CSF) is a widely adopted framework that provides a comprehensive set of guidelines and best practices to help organizations manage and reduce cybersecurity risks. Developed by the National Institute of Standards and Technology (NIST) and first published in 2014, the CSF was initially designed for critical infrastructure organizations but has since proven to be valuable across various sectors, regardless of size or maturity.
The CSF is structured around five core functions:
- Identify
- Protect
- Detect
- Respond
- Recover
NIST CSF 2.0, published in February 2024, adds a sixth function, Govern, to emphasize continuous oversight and improvement of the organization's cybersecurity posture and its integration with enterprise risk management. These core functions provide a high-level view of an organization's approach to managing cybersecurity risk.
The framework's flexibility and adaptability make it suitable for organizations of all sizes and industries. In addition, the CSF maps to other frameworks, such as the ISO/IEC 27000 series and COBIT, which eases its integration into existing risk management processes.
The NIST Special Publication 800 series provides detailed guidance on a wide range of topics, including risk management (SP 800-30 and SP 800-37), incident response (SP 800-61), and physical security. It is widely regarded as a reference standard for cybersecurity and has shaped cybersecurity policies and practices globally. While primarily developed for US federal agencies and their contractors, the NIST 800 series has become widely adopted by private companies worldwide.
The series includes guidelines, recommendations, and technical specifications for organizations that handle sensitive data. SP 800-53 (Security and Privacy Controls for Information Systems and Organizations) defines 20 control families, such as Access Control, Incident Response, Awareness and Training, and Risk Assessment, and includes over 1,000 controls and control enhancements; SP 800-171 derives from it the requirements for protecting controlled unclassified information (CUI) in non-federal systems.
Because of its comprehensiveness and alignment with industry best practices, the NIST 800 series is often used by private organizations to support compliance with regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), and the General Data Protection Regulation (GDPR).
COBIT 5 is a framework for the governance and management of enterprise IT. Created by ISACA, an international professional association focused on IT governance, COBIT helps organizations create value from IT by balancing benefit realization against risk and resource optimization. COBIT 5 has since been succeeded by COBIT 2019, which retains its core ideas. COBIT 5 is based on five principles:
- Meeting stakeholder needs
- Covering the enterprise end to end
- Applying a single integrated framework
- Enabling a holistic approach
- Separating governance from management
COBIT 5 can be implemented in an organization of any size and is intended to ensure the quality, control, and reliability of information systems.
ISO/IEC 27000 series – This family of standards addresses three pillars of information security: people, processes, and technology. ISO/IEC 27001 specifies the requirements for an Information Security Management System (ISMS) and is the standard against which organizations are certified; ISO/IEC 27002 provides the accompanying catalogue of controls, and the other standards in the series give best-practice guidance for managing information risk within the ISMS. They can be used by organizations of any size to secure their information assets and mitigate risk.
Risk as a Foundation for Information Security
What is risk?
ISO 27000 defines risk at a high level as the “effect of uncertainty on objectives.” It then provides six notes to further define risk.
- An effect is a deviation from the expected — positive and/or negative.
- Objectives can have different aspects (such as financial, health and safety, information security, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
- Risk is often characterized by reference to potential events and consequences, or a combination of these.
- Information security risk is often expressed in terms of a combination of the consequences of an information security event and the associated likelihood of occurrence.
- Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
- Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization.
The Open FAIR™ standard and taxonomy defines risk simply as "the probable frequency and probable magnitude of future loss." This concept, also known as "loss exposure," encapsulates not only the likelihood of a security breach or other information security event but also the potential financial and reputational consequences an organization might incur. The FAIR standard provides a quantitative framework for cyber risk analysis, enabling organizations to measure, manage, and communicate their information risks effectively.
Maturity model
The maturity of an organization's approach to information security is often reflected in how proactively it identifies and mitigates potential threats. A mature, risk-based strategy is characterized by measures that aim to recognize security vulnerabilities and control gaps before they can be exploited. This allows the organization to detect and address threats before they become loss events, reducing the overall cost of security.
In contrast, a reactive stance, where the focus is on responding to incidents such as hacks and data breaches after they have occurred, is often less effective and more costly. Ad hoc risk management, where risk assessments are performed only when required or controls are implemented after a breach has occurred, represents the least mature approach. A more mature approach is compliance-driven, where organizations focus on implementing controls that adhere to relevant laws, regulations, and guidelines such as HIPAA, GDPR, and others. The most proactive and mature approach is risk-based, considering the organization's risk appetite and ways to mitigate risk while maximizing return on investments.
Benefits of a Risk-based Approach
Embracing a risk-based approach in information security allows an organization to identify and evaluate the digital assets that are most critical to their value chain. By understanding where the most significant risks lie, risk managers and CISOs can assess and implement controls that are not only effective but also cost-efficient, thereby ensuring that the security investments are proportional to the potential impact of risks. An effective risk-based method for risk management is called Cyber Risk Quantification.
Cyber Risk Quantification
What is Cyber Risk Quantification?
Cyber risk quantification (CRQ) is a methodology for measuring information and technology risk in financial terms. The Open FAIR™ (Factor Analysis of Information Risk) standard provides a structured and systematic way to analyze and quantify information risk. By defining a clear taxonomy and ontology, Open FAIR breaks down risk into a logical hierarchy that can be examined and quantified. This granular approach allows organizations to identify their critical assets and the associated risks within their value chain. With this information, organizations can then assess the effectiveness of their current controls and make informed decisions about where to implement additional measures.
Methods and Tools
Monte Carlo simulation is a core technique in Cyber Risk Quantification (CRQ). Instead of plugging single-point estimates into a formula, it draws each uncertain input (how often threat events occur, how likely they are to succeed, how much a loss event costs) from a calibrated range many thousands of times and records the outcome of each run. The result is a distribution of annual losses rather than a single number, from which the expected loss and tail values such as the 90th or 95th percentile can be read off in financial terms. Combined with the FAIR model's decomposition of risk into these factors, Monte Carlo methods support decision-making under uncertainty and add statistical rigor to the risk management process.
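The following is an added example, not code from the article or from C-Risk: a standard-library Python simulation of the FAIR factors introduced in the two passages above (threat event frequency, vulnerability, primary and secondary loss magnitude) run through a Monte Carlo loop, and a comparison of expected annual loss before and after a control. The ransomware scenario, its three-point estimates, and the control option are constructed for illustration; triangular distributions stand in for the BetaPERT distributions usually used in FAIR tooling.

```python
# Added example (not from the article): FAIR-style Monte Carlo loss simulation.
# Scenario numbers are constructed for illustration; standard library only.
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate (minimum, most likely, maximum).
    Sampled with a triangular distribution (stdlib); FAIR tooling usually
    uses a BetaPERT with the same three inputs."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One loss scenario expressed with the FAIR factors."""
    name: str
    tef: Estimate             # Threat Event Frequency: attempts per year
    vulnerability: Estimate   # probability (0..1) that an attempt becomes a loss event
    primary_loss: Estimate    # direct cost per loss event (response, recovery, downtime)
    secondary_loss: Estimate  # downstream cost per loss event (fines, legal, churn)


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year for yearly rate `lam` (Knuth's method)."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: Scenario, years: int = 10_000, seed: int = 0) -> list:
    """Simulate independent years; return the sorted annual losses.
    Each year draws its own TEF and vulnerability (they are uncertain),
    combines them into a Loss Event Frequency, draws how many loss events
    occur, and sums a fresh loss magnitude for each event."""
    rng = random.Random(seed)  # fixed seed: reproducible results
    annual = []
    for _ in range(years):
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        total = 0.0
        for _ in range(poisson(rng, lef)):
            total += scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        annual.append(total)
    return sorted(annual)


def percentile(sorted_values: list, p: float) -> float:
    """Nearest-rank percentile of an already sorted list."""
    return sorted_values[round(p / 100 * (len(sorted_values) - 1))]


def summarize(sorted_losses: list) -> dict:
    """Loss exposure as a CRQ report states it: expected loss plus tail values."""
    n = len(sorted_losses)
    return {"expected_annual_loss": sum(sorted_losses) / n,
            "p50": percentile(sorted_losses, 50),
            "p90": percentile(sorted_losses, 90),
            "p95": percentile(sorted_losses, 95),
            "max": sorted_losses[-1],
            "prob_any_loss": sum(1 for x in sorted_losses if x > 0) / n}


def control_value(baseline: Scenario, treated: Scenario, annual_cost: float) -> dict:
    """Expected annual loss before and after a control, net of the control's cost."""
    before = summarize(simulate(baseline))["expected_annual_loss"]
    after = summarize(simulate(treated))["expected_annual_loss"]
    return {"before": before, "after": after, "risk_reduction": before - after,
            "net_benefit": before - after - annual_cost}


# Constructed scenario: ransomware against a departmental file server.
RANSOMWARE = Scenario(
    name="Ransomware on file server",
    tef=Estimate(0.5, 2, 6),
    vulnerability=Estimate(0.10, 0.30, 0.60),
    primary_loss=Estimate(50_000, 200_000, 1_000_000),
    secondary_loss=Estimate(0, 100_000, 2_000_000))

# Same scenario after EDR and tested offline backups: fewer attempts succeed.
RANSOMWARE_WITH_CONTROLS = Scenario(
    name="Ransomware on file server (EDR + offline backups)",
    tef=RANSOMWARE.tef,
    vulnerability=Estimate(0.02, 0.10, 0.25),
    primary_loss=RANSOMWARE.primary_loss,
    secondary_loss=RANSOMWARE.secondary_loss)

if __name__ == "__main__":
    for key, value in summarize(simulate(RANSOMWARE)).items():
        print(f"{key:>20}: {value:,.2f}")
    print(control_value(RANSOMWARE, RANSOMWARE_WITH_CONTROLS, annual_cost=150_000))
```

Run as a script, it prints the expected annual loss, the 50th, 90th and 95th percentiles, the worst simulated year and the probability of at least one loss event in a year for the baseline scenario, then the reduction in expected loss and the net benefit of the control option at an assumed annual cost of 150,000. The percentiles are what distinguish this from a single-point "likelihood times impact" estimate: two scenarios with the same expected loss can have very different tails, and it is the tail that a risk appetite statement usually constrains.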
MITRE ATT&CK is often used alongside CRQ. ATT&CK is a knowledge base of adversary tactics and techniques drawn from real-world observations. A loss scenario can be mapped to the ATT&CK techniques an attacker would need to carry it out, which makes it easier to identify the controls that would reduce the scenario's frequency or impact to an acceptable level.
It is also possible to map a scenario along a path like the cyber kill chain, but starting after the loss event has occurred. This is called a Loss Chain. At this level, the probable frequency and probable magnitude of loss can be quantified, and controls that might reduce the financial impact can be identified.
Benefits and Challenges
Cyber Risk Quantification (CRQ) is a risk-based approach to cybersecurity that offers several significant benefits to organizations. By translating complex technical risks into understandable business terms, CRQ facilitates clearer communication between cybersecurity professionals and senior management, enabling informed decision-making. This alignment of cybersecurity efforts with business objectives ensures that resources are allocated to maximize their impact on the organization's overall risk posture.
CRQ empowers organizations to make data-driven decisions about cybersecurity investments, ensuring that resources are directed to the areas of greatest need. This risk-based approach helps organizations prioritize their cybersecurity efforts effectively, preventing potential losses and safeguarding valuable assets.
While CRQ offers many benefits, it also presents certain challenges. One of the primary challenges is identifying critical digital assets and mapping them within the organization's value chain. This process requires a comprehensive understanding of the organization's business operations, IT infrastructure, and data assets.
By embracing CRQ, organizations can enhance their cybersecurity posture, improve communication with stakeholders, and make informed decisions that align with their business goals.
Conclusion
Risk-based cybersecurity is not just an approach—it is the foundation of a mature information security strategy. It is imperative for organizations to embrace a dynamic approach that includes qualitative and quantitative methods of risk analysis and risk management. By prioritizing critical digital assets and their value chain, businesses can ensure that their security posture remains robust and responsive to the ever-changing digital landscape.
If you would like to learn more about how C-Risk's solutions can help you develop a more mature information security program, you can contact us here.