The US government’s recent efforts to ban the introduction of specific foreign IT vendors’ equipment in government networks is emblematic of the growing concern among organizational leaders posed by global supply chains, highlighting the broad interdependencies between technical and human systems. Organizational leaders who are seeking greater efficiencies are finding that the confluence of technical, human, and supply chain-induced cybersecurity risk requires a deeper understanding of how each of these siloed processes work together in a highly choreographed and complex system. Specifically, how do we understand and measure the risk surface of human systems for our organization?
Despite the recent tensions between the US and China on the potential threat ZTE or Huawei present to US government systems and critical infrastructure, there has been a steady evolution in guidance on how to manage broad cyber security risk. National standards, including the latest version of the NIST Cyber Security Framework (CSF), detail both the concerns and the need to account for the risks as part of a robust and comprehensive action plan for addressing those factors of enterprise risk. Yet while frameworks, guidance, controls, and other standards highlight the importance of conducting risk assessments, we often lack the methodologies for assessing not only the individual elements of risk but also how they come together in a complex system. There is a handful of methodologies, such as FAIR, that have recently emerged to begin to quantify cyber risk for specific assets, but have yet to map and integrate technical, human, and supply chain elements of cyber risk to mission functions. Research, including at the University of Maryland, is demonstrating how both human and technical systems can be defined and measured.
A central concept in modeling the cyber risk for interdependent systems is to link the mission business functions of an organization to the underlying information technology infrastructure. Each device in that mapped function has users connected to it, as well as some number of supply chains (e.g. hardware, software, data). This cascading set of interdependent technical and human networks is precisely why cybersecurity continues to be a persistent and evolving problem as new attack vectors, methods and techniques are leveraged. Laptops work with routers, servers, and other devices, but people touch each of those devices as well, and the combination of the two support mission/business functions. For example, a specific user might have access to some number of your organization’s devices that support your manufacturing line. They then maintain a certain level of access permission to each device (e.g. root privilege), they might be more inclined to click on malicious links, and finally they have exposure to the outside world (both physically and digitally) that make them targets for compromise.
As you begin to account for every mission/business function of concern to senior leadership, a seemingly dizzying array of combinations emerge to overwhelm even the most intrepid risk manager. Risks might stem from a remote attack via a vulnerability in an exposed system, a user who clicks on a spearphish, or through a vendor that does not maintain adequate controls. This technical and human complexity in the organizational attack surface is what is leveraged by threat actors to achieve their goals. While the task of mapping missions to technical and human networks seems daunting, defenders do have an advantage … you know your organization. While threat actors must discover what systems and people hold the keys to their objectives, a well-defended network can focus its resources to assess, architect, train, and defend the devices, people, and supply chains that support the most critical business functions. Reducing user-induced cyber risk to the organization in practice might therefore require us to rank users who represent greater risk to specific missions based on their device access, permission levels, propensity to be compromised, and account attack surface (number of social media accounts, e-mail, etc.). A similar activity can be performed for supply chain vendors. Can we map and rank risk of vendors based on the hardware, software, and data they provide our organization, with the ranking coming from the length of the supply chain, their vendor cyber risk posture, and the number and importance of connections they maintain to our IT network? Creating indices and ranks ordering the broad set of human-induced risk into the organization enables prioritization of training resources, technical and organizational controls, and focus by leadership on the most important relationships, personnel, and technical systems underpinning their organization.
The persistent increase in cyber events of significance stemming from the use of a complicated set of technical and human attack vectors necessitates a new approach for assessing systemic risk. Mapping missions to IT infrastructure, users, and supply chains enables a clear way to discuss and thoughtfully address any number of attack scenarios against an organization. Without this map-connecting mission with human and technical networks, we will continue to remain lost in the sea of cyber incidents.