Learning objectives: Describe elements of an effective cyber-resilience framework and explain ways that an organization can become more cyber-resilient. Explain resilient security approaches that can be used to increase a firm’s cyber resilience and describe challenges to their implementation. Explain methods that can be used to assess the financial impact of a potential cyber attack and explain ways to increase a firm’s financial resilience.
Questions:
(Source: Andrew Coburn, Eireann Leverett, and Gordon Woo, Solving Cyber Risk: Protecting Your Company and Society (Hoboken, NJ: Wiley, 2019))
20.13.1. Cyber security is a dynamic, complex, and unavoidably important topic for all firms. The organization that seeks to be cyber-resilient has a challenge developing a coherent strategy when the technology, conditions, and adversaries are shifting and evolving. In regard to an effective cyber-resilience framework and associated tactics (as conveyed by Coburn et al), the following statements are true EXCEPT which is false?
a. The NIST framework functions include Identify, Protect, Detect, Respond, and Recover
b. The flaw in the man-machine interface is the man and the best crisis manager is optimized, self-monitoring A.I. software
c. The key cyber resilience standards are ISO 27001 (information security management) and ISO 22301 (business continuity)
d. The gamification (i.e., define goal, define rules, setup feedback, voluntary participation) of training is compelling because cyber attacks are adversarial
20.13.2. As the strategic context for cyber risk, Coburn et al refer to resilience engineering as a progression from traditional safety engineering where the advantage of a resilience perspective is that it views social-technical systems (e.g., social and cultural factors) rather than only technical systems. This perspective informs various cyber resilience objectives; for example, analytical monitoring, coordinated defense, deception, privilege restriction, and random changes. In regard to resilient security approaches, which of the following is TRUE (according to Coburn et al)?
a. A good strategy is to maximize intrusion dwell time
b. A cyber-resilient organization aspires to anticipate, withstand, recover, and evolve
c. Most firms should avoid penetration tests because they are expensive, complex, and often ineffective
d. Although anomaly detection is a promising theory, much like string theory in physics, it does not yet provide actionable techniques
20.13.3. Cyber attacks can inflict damage in multiple dimensions; intellectual property might be stolen; mission-critical data might be corrupted; network services might be disrupted (see denial-of-service attack https://en.wikipedia.org/wiki/Denial-of-service_attack); the firm's reputation might be harmed, and even legal liability might be incurred. Most of these adverse impacts can be estimated or quantified in terms of their financial cost. In this regard, Coburn et al refer to the concept of financial resilience. As a positive and advisable element of the firm's financial resilience with respect to cyber risk, which of the following is a TRUE statement?
a. The financially resilient firm should replace defense in depth with a consistent check-the-box approach to security
b. The financially resilient firm should screen and hire error-free humans and aspire to train and promote humans who are error-free
c. The financially resilient firm should measure cyber value at risk (CVaR) with a normal distribution (like market risk) because it is stable, which is a priority of measuring cyber risk
d. The financially resilient firm should assess the balance sheet and conduct imaginative tests including a reverse stress test, historical event re-simulation, and counterfactual analysis
Answers here:
Questions:
(Source: Andrew Coburn, Eireann Leverett, and Gordon Woo, Solving Cyber Risk: Protecting Your Company and Society (Hoboken, NJ: Wiley, 2019))
20.13.1. Cyber security is a dynamic, complex, and unavoidably important topic for all firms. The organization that seeks to be cyber-resilient has a challenge developing a coherent strategy when the technology, conditions, and adversaries are shifting and evolving. In regard to an effective cyber-resilience framework and associated tactics (as conveyed by Coburn et al), the following statements are true EXCEPT which is false?
a. The NIST framework functions include Identify, Protect, Detect, Respond, and Recover
b. The flaw in the man-machine interface is the man and the best crisis manager is optimized, self-monitoring A.I. software
c. The key cyber resilience standards are ISO 27001 (information security management) and ISO 22301 (business continuity)
d. The gamification (i.e., define goal, define rules, setup feedback, voluntary participation) of training is compelling because cyber attacks are adversarial
20.13.2. As the strategic context for cyber risk, Coburn et al refer to resilience engineering as a progression from traditional safety engineering where the advantage of a resilience perspective is that it views social-technical systems (e.g., social and cultural factors) rather than only technical systems. This perspective informs various cyber resilience objectives; for example, analytical monitoring, coordinated defense, deception, privilege restriction, and random changes. In regard to resilient security approaches, which of the following is TRUE (according to Coburn et al)?
a. A good strategy is to maximize intrusion dwell time
b. A cyber-resilient organization aspires to anticipate, withstand, recover, and evolve
c. Most firms should avoid penetration tests because they are expensive, complex, and often ineffective
d. Although anomaly detection is a promising theory, much like string theory in physics, it does not yet provide actionable techniques
20.13.3. Cyber attacks can inflict damage in multiple dimensions; intellectual property might be stolen; mission-critical data might be corrupted; network services might be disrupted (see denial-of-service attack https://en.wikipedia.org/wiki/Denial-of-service_attack); the firm's reputation might be harmed, and even legal liability might be incurred. Most of these adverse impacts can be estimated or quantified in terms of their financial cost. In this regard, Coburn et al refer to the concept of financial resilience. As a positive and advisable element of the firm's financial resilience with respect to cyber risk, which of the following is a TRUE statement?
a. The financially resilient firm should replace defense in depth with a consistent check-the-box approach to security
b. The financially resilient firm should screen and hire error-free humans and aspire to train and promote humans who are error-free
c. The financially resilient firm should measure cyber value at risk (CVaR) with a normal distribution (like market risk) because it is stable, which is a priority of measuring cyber risk
d. The financially resilient firm should assess the balance sheet and conduct imaginative tests including a reverse stress test, historical event re-simulation, and counterfactual analysis
Answers here:
Last edited by a moderator:
