Cybersecurity Risk Management
Learning goals:
1. Describe frameworks for cybersecurity and resilience (ISO 27001/2, PAS555),
2. Distinguish various types of security risks (confidentiality, integrity, availability)
3. Analyze a system and perform a systematic risk assessment (likelihood and impact)
4. Explain common security measures, including cryptography, to address the risks
5. Discuss ethical and legal aspects, including privacy a nd data protection (GDPR)
6. Appreciate multi-disciplinary nature of cybersecurity risks and their impact on
society.
,Part 1 Cybersecurity and Resilience
1. Describe frameworks for cybersecurity and resilience
2. Distinguish various types of security risks (confidentiality, integrity, availability)
A Framework:
Policy Specify objectives (Impact assessment, CIA, security levels)
Mechanism Implement security measures (physical, technical, encryption, organizational,
security architecture)
Incentives Motives for people (social engineering, fraud triangle, business model, risk
appetite, proportionality)
Assurance Confidence that measures are meeting objectives (regulatory supervision,
audit, monitoring, forensics, learning)
1.1 Cybersecurity and Information security
Information security is the preservation of confidentiality, integrity, and availability of
information (ISO 27000). Information can come in any form, be it electronic or material, or
even as knowledge of personnel.
Confidentiality: Preserving authorized restrictions on information access and
disclosure, including means for protecting personal privacy and proprietary
information.
Integrity: Guarding against improper information modification or destruction, and
includes ensuring information non-repudiation and authenticity.
Availability: Ensuring timely and reliable access to and use of information.
Auditability: ensuring that evidence of all crucial transactions is stored reliably for
auditing purposes
Cybersecurity is the complex domain of interdependent physical and information security.
1
, Information Security vs. Cybersecurity
Cybersecurity only concerns protection from threats that use a cyberspace [narrower], and
moreover, does not only cover information assets, but also physical assets, infrastructure, or
social effects on society [wider].
Information security focuses on individual organizations; external risks are internalized.
Cybersecurity looks at risks in the network as a whole.
Traditionally, information security focuses mostly on prevention, whereas cybersecurity
focuses on resilience.
Refsdal et al
• Cybersecurity is the protection of cyber systems against cyber threats.
• A cyber threat is a threat that exploits a cyberspace.
• A cyberspace is a collection of interconnected computerized networks,
including services, computer systems, embedded processors, and controllers,
as well as information in storage or transit.
• A cyber system is a system that makes use of a cyberspace.
• A cyber-physical system is a cyber system that controls and responds to
physical entities through actuators and sensors.
A cyber-physical system (CPS) is a mechanism that is controlled or monitored by
computer-based algorithms, tightly integrated with the Internet and its users. Many of these
examples involve Internet of Things (RFID technology) as sensors and actuators.
Examples: smart grid, autonomous vehicles, medical monitoring, public transport, process
control, robotics.
2
Learning goals:
1. Describe frameworks for cybersecurity and resilience (ISO 27001/2, PAS555),
2. Distinguish various types of security risks (confidentiality, integrity, availability)
3. Analyze a system and perform a systematic risk assessment (likelihood and impact)
4. Explain common security measures, including cryptography, to address the risks
5. Discuss ethical and legal aspects, including privacy a nd data protection (GDPR)
6. Appreciate multi-disciplinary nature of cybersecurity risks and their impact on
society.
,Part 1 Cybersecurity and Resilience
1. Describe frameworks for cybersecurity and resilience
2. Distinguish various types of security risks (confidentiality, integrity, availability)
A Framework:
Policy Specify objectives (Impact assessment, CIA, security levels)
Mechanism Implement security measures (physical, technical, encryption, organizational,
security architecture)
Incentives Motives for people (social engineering, fraud triangle, business model, risk
appetite, proportionality)
Assurance Confidence that measures are meeting objectives (regulatory supervision,
audit, monitoring, forensics, learning)
1.1 Cybersecurity and Information security
Information security is the preservation of confidentiality, integrity, and availability of
information (ISO 27000). Information can come in any form, be it electronic or material, or
even as knowledge of personnel.
Confidentiality: Preserving authorized restrictions on information access and
disclosure, including means for protecting personal privacy and proprietary
information.
Integrity: Guarding against improper information modification or destruction, and
includes ensuring information non-repudiation and authenticity.
Availability: Ensuring timely and reliable access to and use of information.
Auditability: ensuring that evidence of all crucial transactions is stored reliably for
auditing purposes
Cybersecurity is the complex domain of interdependent physical and information security.
1
, Information Security vs. Cybersecurity
Cybersecurity only concerns protection from threats that use a cyberspace [narrower], and
moreover, does not only cover information assets, but also physical assets, infrastructure, or
social effects on society [wider].
Information security focuses on individual organizations; external risks are internalized.
Cybersecurity looks at risks in the network as a whole.
Traditionally, information security focuses mostly on prevention, whereas cybersecurity
focuses on resilience.
Refsdal et al
• Cybersecurity is the protection of cyber systems against cyber threats.
• A cyber threat is a threat that exploits a cyberspace.
• A cyberspace is a collection of interconnected computerized networks,
including services, computer systems, embedded processors, and controllers,
as well as information in storage or transit.
• A cyber system is a system that makes use of a cyberspace.
• A cyber-physical system is a cyber system that controls and responds to
physical entities through actuators and sensors.
A cyber-physical system (CPS) is a mechanism that is controlled or monitored by
computer-based algorithms, tightly integrated with the Internet and its users. Many of these
examples involve Internet of Things (RFID technology) as sensors and actuators.
Examples: smart grid, autonomous vehicles, medical monitoring, public transport, process
control, robotics.
2
