
Hidden Depths

Articles | James Bone | Aug 08, 2023

Cyber risk is one of the most complex risks facing organizations, and it continues to grow unabated despite regulatory mandates and the millions of dollars spent to combat it. Academic researchers and chief information security officers (CISOs) have attempted to quantify the probability and cost of cyberattacks using various methods; however, a lack of credible data makes it difficult to calculate potential impacts or to develop a consistent tool or methodology to stop the spread.

The inherent asymmetry of cyber risk reduces proactive insight into the threats and vulnerabilities that lead to data breaches and compromised systems. In other words, cyber risk is hard to detect in a virtual environment because the threat can stay hidden from human perception for months or even years. Systems can be manipulated to conceal an intrusion, and these concealment techniques evolve faster than detection systems can keep pace with them.

Risk asymmetry is similar to war games, where one opponent has a unique advantage that requires the other to counter the advantage with innovative approaches to successfully defend itself. The challenge in cybersecurity is there isn’t just one opponent, and the level of sophistication in each attack cannot be judged in advance. This level of risk asymmetry creates blind spots that require internal audit to develop a comprehensive understanding of the weaknesses and vulnerabilities across the enterprise.

A Costly, Complex Risk

A recent report from the RAND Corporation found that, globally, “cybercrime has direct gross domestic product (GDP) costs of $275 billion to $6.6 trillion and total GDP costs (direct plus systemic) of $799 billion to $22.5 trillion (1% to 32% of GDP).” The RAND study used several models with varied assumptions to estimate the cost of a breach and provided an interactive spreadsheet so readers can adjust the estimates themselves. According to the study, Estimating the Global Cost of Cyber Risk, the cost of cyber risk is growing at a 15% compound annual growth rate.

What can auditors do to protect organizations from cyberattacks? Traditional audit procedures may be inadequate to detect, correct, and prevent serious cyber risks without new tools for understanding the nature of asymmetry in cyber risk. This does not mean that a focus on fundamental controls such as authentication and authorization, access controls, and other audit procedures is less important. It means that enhanced procedures are needed to understand the risks that cyber threats pose.

The Root of the Matter

To put the threat in perspective, IBM’s Cost of a Data Breach report puts the average time to detect and contain a ransomware attack at 326 days. The average time to detect and contain a destructive attack is 324 days, and the global average to detect and contain a breach is 277 days. These findings suggest that serious cyber threats go undetected for almost one year and that mitigation takes nearly three months. This can lead to massive disruption, huge mitigation costs, and scrutiny from law enforcement, shareholders, and customers.

These findings raise the question: which asymmetric risks in cybersecurity are the root cause of vulnerabilities and data breaches? According to The Three Most Common Causes of Data Breaches in 2021, by Dark Reading magazine, which draws on data from the Identity Theft Resource Center, the root causes of data breaches fall into four categories: cyberattacks, human and systems errors, physical attacks, and other (unknown). Each category has subcategories that point consistently to human error and poor decision-making about cyber risk. For example, under cyberattacks the leading causes/attack vectors are:

  • Phishing.
  • Smishing (using text messages or messaging apps). 
  • Business email compromise.
  • Ransomware. 
  • Malware. 
  • Non-secured cloud environment.
  • Credential stuffing (stolen credentials).

Human and systems errors include failing to configure cloud security or misconfiguring a firewall. With physical attacks, data loss is attributed in equal measure to accidental disclosure, device theft, and improper disclosure. Each of these security failure categories is well known, yet they continue to give attackers new opportunities to compromise systems. Fortunately, auditors with the right mindset can positively influence each of these areas.

The Human Factor

There appears to be a disconnect between the continued rise in cyber threats and prescriptive approaches in cybersecurity, risk, and audit to mitigate the threat. That disconnect is in how auditors and CISOs identify key cyber risks to influence the right behaviors and reduce data breaches. By enhancing audit procedures and recognizing asymmetry in audit practices, internal audit can better address the human factors in cybersecurity.

Enhance audit procedures. The airline industry is a pioneer in human factors and has applied these concepts to manage the risk of transporting millions of passengers from point A to point B safely, given the probability of equipment failure, weather conditions, bird strikes, pilot fatigue, and varying skill sets. The airline industry didn’t use a risk framework; instead, it studied the pilot’s dashboard, workflow, and navigation systems, and added a co-pilot to support the pilot. These approaches to enhance “situational awareness” may not be included in the audit toolkit but should be.

It should not be surprising that situational awareness is also needed in cybersecurity. Cybersecurity professionals have adopted the concepts of human factors science from aeronautics for the same reason: to manage uncertainty. A pilot, auditor, or CISO must respond and adapt to events in real time to ensure the mission is completed. Auditors should understand the level of situational awareness the IT team has. Is there visibility into a complete inventory of critical assets? Does the disaster recovery plan include contingencies for an outage or ransomware attack? Is the workforce distracted by manual processes and administrative projects? Is the workforce trained on social media and social engineering risks?

Auditors need to develop more insightful questions to better understand the gaps in situational awareness in cybersecurity. To understand the importance of situational awareness in cyber risks, auditors must know how to recognize asymmetry.

Understand asymmetry in audit practice. The goal of asymmetric cyber risk management is to make a data breach as difficult and costly as possible for the attacker. Cyber criminals are like car thieves. They start by checking the car doors to see if they are unlocked or for the keys in the glovebox. Attackers seek easy access and low-cost approaches, which is why phishing attacks and ransomware are common weapons of choice.

There is also a saying among cyber researchers: Amateurs hack systems, but pros hack people. The softest target is the human target, because most organizations have not trained employees sufficiently to recognize attacks. Attackers commonly research a target firm by studying publicly available information. Next, they start with social engineering at the receptionist level, or, if they have acquired employees’ email addresses from social media sites, they may make random calls posing as vendors or customers and ask what seem like benign questions.

This tactic was demonstrated during a live performance at a cybersecurity convention in Las Vegas, where social engineer presenters entered a sound-proof booth and called target firms that were randomly selected before the convention. Each attacker developed a persona before the call with a checklist of information to gather. Some attackers posed as IT staff at the firm conducting tests. Others tricked the receptionist or random employees to click on a false link.

These presenters demonstrated that a calm voice and benign questions can disarm staff into divulging key insights into a firm’s security posture. Factors such as how much training the employee has received or how helpful he or she is during the call can determine the likelihood of a breach. One stolen email credential may be all the attacker needs. The attacker presenters were stopped in their tracks when the targets asked for information only in-house employees would know or were skeptical about providing information without validation.

Digging Deep to Assess Asymmetric Risk

The information security and asymmetric risk assessment process involves a deep dive into the organization's assets, risks, and mitigation efforts.

  • Identify the organization's most important data and IT assets for enhanced security control measures.
  • Define levels of materiality in IT control failure that would cause the greatest impacts to operations, and develop plans to address each level prospectively.
  • Document and monitor known security threats, but plan for residual threat risks that are not yet known.
  • Define human risk factors: human error, insider threats, executive exposure, decision error, social media, workflow design, and manual processes. Map them to perceived vulnerabilities for mitigation.
  • Define human risk factors as key performance and risk indicators.
  • Define the human-machine risk vectors (critical systems, data, assets, third parties, and social media) to estimate potential exposure to breach.
  • Quantify, where possible, the probability of system exploitation. Include confidence levels of assurance (0-100%). Note: Zero risk or zero IT failure is unrealistic and sets the wrong expectation.
  • Consider a “zero-trust” approach and methodology that fits the risk posture of the firm.
  • Consider scheduling two to four disaster recovery tabletop exercises a year under different scenarios.
  • Conduct multipronged attack scenarios that include simultaneous events and single-event attacks.
  • Plan IT security posture based on risk appetite, in alignment with management expectations and operational effectiveness.
  • Clarify the specific type of risk being reduced. Is it the risk of noncompliance or the risk of a data breach? This allows auditors to determine the effectiveness of controls for each type.
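As an added worked example (not code from the article or its author), the Python below turns the assessment steps listed under “Digging Deep to Assess Asymmetric Risk” into a small risk register: each entry ties a critical asset and its human-machine risk vector to the human risk factors mapped to it, carries a three-point estimate of the annual probability of exploitation with a confidence level, keeps breach and noncompliance risk as separate types, rejects zero-risk or 100%-assurance estimates, ranks entries by expected loss against materiality tiers, and totals exposure by human factor so the factors that warrant mitigation stand out. All assets, probabilities, dollar impacts, the PERT weighting, the confidence stretch and the tier thresholds are constructed assumptions, not figures or methods from the article.

```python
"""Added example: a minimal asymmetric cyber-risk register for an audit
deep dive.  All assets, probabilities, impacts and tier thresholds are
constructed placeholders, not figures from the article."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Materiality tiers by annual expected loss (USD); thresholds are assumptions.
MATERIALITY_TIERS = [(1_000_000, "critical"), (250_000, "high"),
                     (50_000, "moderate"), (0, "low")]
RISK_TYPES = ("breach", "noncompliance")   # judged separately, never merged


@dataclass
class RiskEntry:
    asset: str                # critical system, data set, third party, ...
    vector: str               # cyberattack | human_error | physical | unknown
    risk_type: str            # "breach" or "noncompliance"
    human_factors: List[str]  # human risk factors mapped to this exposure
    p_low: float              # three-point estimate of the annual probability
    p_likely: float           #   that the control failure is exploited
    p_high: float
    confidence: int           # assurance in the estimate, 0-100
    impact_usd: float         # loss if the failure materializes

    def problems(self) -> List[str]:
        """Return estimate defects; an empty list means the entry is usable."""
        out = []
        if not (0.0 < self.p_low <= self.p_likely <= self.p_high < 1.0):
            out.append("probabilities must be ordered and strictly between 0 "
                       "and 1: zero risk (or certainty) is not a valid estimate")
        if not (0 <= self.confidence < 100):
            out.append("confidence must be 0-99; 100% assurance is unrealistic")
        if self.risk_type not in RISK_TYPES:
            out.append(f"risk_type must be one of {RISK_TYPES}")
        return out

    def expected_probability(self) -> float:
        # PERT weighting of the three-point estimate favours the likely value
        return (self.p_low + 4 * self.p_likely + self.p_high) / 6

    def expected_loss(self) -> float:
        return self.expected_probability() * self.impact_usd

    def loss_band(self) -> Tuple[float, float]:
        """Low/high annual loss; the high end stretches as confidence drops,
        up to a doubling of p_high at 0% confidence (capped at certainty)."""
        stretch = 1 + (100 - self.confidence) / 100
        p_hi = min(self.p_high * stretch, 1.0)
        return (self.p_low * self.impact_usd, p_hi * self.impact_usd)


def materiality(expected_loss: float) -> str:
    for threshold, tier in MATERIALITY_TIERS:
        if expected_loss >= threshold:
            return tier
    return "low"


def rank_register(entries: List[RiskEntry],
                  risk_type: Optional[str] = None) -> List[RiskEntry]:
    """Validate entries and rank them by expected loss, optionally for one
    risk type so breach and noncompliance controls are assessed separately."""
    chosen = [e for e in entries if risk_type is None or e.risk_type == risk_type]
    bad = {e.asset: e.problems() for e in chosen if e.problems()}
    if bad:
        raise ValueError(f"unusable estimates: {bad}")
    return sorted(chosen, key=lambda e: e.expected_loss(), reverse=True)


def exposure_by_human_factor(entries: List[RiskEntry]) -> Dict[str, float]:
    """Credit each human factor with the full expected loss of every entry
    that names it, so the ranking shows which factors touch the most exposure."""
    totals: Dict[str, float] = {}
    for e in entries:
        for factor in e.human_factors:
            totals[factor] = totals.get(factor, 0.0) + e.expected_loss()
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def report(entries: List[RiskEntry], risk_type: str) -> List[Tuple[str, float, str]]:
    """(asset, expected loss, materiality tier) per entry, highest exposure first."""
    return [(e.asset, round(e.expected_loss(), 2), materiality(e.expected_loss()))
            for e in rank_register(entries, risk_type)]


# Constructed sample register (placeholder assets and figures).
SAMPLE_REGISTER = [
    RiskEntry("customer PII database", "cyberattack", "breach",
              ["phishing", "credential_stuffing"], 0.10, 0.25, 0.40, 60, 4_000_000),
    RiskEntry("cloud storage bucket", "human_error", "breach",
              ["misconfiguration", "manual_process"], 0.05, 0.15, 0.30, 40, 1_500_000),
    RiskEntry("finance mailbox (BEC)", "cyberattack", "breach",
              ["social_engineering", "executive_exposure"], 0.02, 0.05, 0.10, 70, 800_000),
    RiskEntry("access-review log retention", "human_error", "noncompliance",
              ["manual_process"], 0.10, 0.20, 0.30, 80, 200_000),
]

if __name__ == "__main__":
    for asset, loss, tier in report(SAMPLE_REGISTER, "breach"):
        low, high = next(e for e in SAMPLE_REGISTER if e.asset == asset).loss_band()
        print(f"{tier:9} {asset:30} E[loss]={loss:>12,.0f}  band={low:,.0f}-{high:,.0f}")
    print("human factors by exposure:", exposure_by_human_factor(SAMPLE_REGISTER))
```

Run the module directly to print the ranked breach register with its confidence-widened loss bands and the human-factor exposure totals. The point of the confidence field is that a low-confidence estimate does not change the expected value but widens the plausible range, which is what an auditor should carry into the materiality discussion; the `problems()` check enforces the note in the list that a zero-risk estimate is not an acceptable answer.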

Many attacks start with quiet surveillance operations at the human level and move to more advanced attacks once the attackers determine the most effective way to proceed. That is risk asymmetry in real time. Ransomware, chatbots, and phishing get all the attention in the media, but the real attack may have happened months or years before with simple approaches — person to person.

The same approach occurs at the systems level virtually. Attackers are routinely searching for zero-day vulnerabilities, email credentials, and profiles of executives whose information is publicly available. If auditors think these are not the risks they thought they were managing, they are not alone.

The enterprise is no longer a hardened shell, but is virtual, which is why enterprise risk is no longer a valid approach to risk management. Thinking like a hacker gives auditors insight into the unanticipated ways the organization is exposed.

Put in the Effort

Creating simplicity in cybersecurity is the hardest thing to do in any organization, but the effort pays dividends in reducing cyber risk asymmetry. Designing simplicity into cybersecurity means that auditors must understand the pain points inherent in situational awareness and impacts on security teams to manage risks. The goal of reducing complexity of operations requires innovative IT service level agreements (SLAs) between each of the three lines of the organization. SLAs must include explicit agreed-upon tradeoffs between risk-based cybersecurity and organizational objectives.

IIA Resources:

Auditing the Cybersecurity Program Certificate
Fundamentals of Cybersecurity Auditing
Auditing Cyber Incident Response and Recovery

James Bone

James Bone is executive director and founder at GRCIndex in Lincoln, R.I.