Articles by the cybersecurity community

Showing posts with label Risk.

Guest post - James Meikle - BBQing #Risks Steakments (Statements)

 Thank you to James Meikle for contributing his expertise to support the Demystify Cyber project. 

........................

BBQing Risks Steakments (Statements)

 

Risk statements have the power to deliver a strong message, to people from all backgrounds, about something bad that might happen. To be clearly understood, they should use common language. There are a few different ways to formulate a risk statement; this is just one of the common ones.

PS: We all need an acronym swear jar!

 

As I would like to see more powerful messages, and I like Aussie BBQs, it is time for a combo!

 

Diving in at BBQs, you usually need a story. To keep the interest going, use the common tongue and use Aussie slang rarely. You tell a story, and you hope people understand it. Your feedback is still having an audience, and as you practise you get better at it. There is a formula for successful storytelling; it is watchable even if you do not do it yourself.

 

A formula is also needed for successful risk talking. Let us try a minimal one (in BBQ speak). Yes, I had to change it for the example, but it is still based on a true story from our very own Gold Coast in Australia!

 

“Our family fun day on a whale sighting trip may be ruined by naughty jet skiers that get too close scaring off whales resulting in no fun and children in tears.”

 

This is going to get a bit quirky, but let us try to take this apart. My rough translation of talking risk is people trying to explain the effect of uncertainty on what they want to occur, so they can do something about the situation. (That echoes the ISO 31000 definition of risk as the effect of uncertainty on objectives.)

 

Event

An event is something that happens, due to something else, that disrupts an objective. In this example the objective is family fun, and the event is the whale sighting tour being ruined. Keep it to one event per statement.

 

“Our family fun day while on a whale sighting trip may be ruined”

 

Cause

The jet skis cannot be linked directly to the kids crying their little hearts out; the effect of the jet skis being there is that the whales are scared off. Cause and event can be mixed up if you are not careful: events have objectives, causes do not. There can be more than one cause.

 

“… by naughty jet skiers that get too close scaring off whales”

 

Consequence

The worst outcome examined for the day was whales not being seen on a (first-time) sightseeing tour, with crying kids and a ruined day. I always seem to focus on this part, since it is the meaty part of why we should care about the risk. There can be more than one consequence.

 

“… resulting in no fun and children in tears”

 

Okay, since my BBQ stories have happy endings when children are involved, I must add this bit…

“The day was saved by instant karma when the pair were intercepted by the cops, waved at by a few really happy children and camera people. Kids got to see a whale. Day saved!”

 

It has been said before that we cyber people must speak many languages, but the common one is the most important.

 

My quick tips

 

1.       Use common language.

2.       Use specific industry language sparingly, only if you must (Aussie slang at BBQs!).

3.       Use an obvious formula like:
There is a risk that “Event” occurs that can be “caused by” resulting in “the bad thing”.

4.       Use your voice and read them out loud (mind the people around you).

5.       Use the basic statement you come up with as the base to build on and add to the narrative.
Break up the statement using a spreadsheet or other tools to make it easier to consume, if appropriate.

6.       Use ISACA’s good quality risk statement questions to sound out your content:

What could happen, why could it happen, why do we care.

 

Helpful links

https://www.isaca.org/

 


Guest Post - Louisa Vogelenzang - 5 behaviours that demonstrate you already have the foundations to manage risk in the online world

Thank you to Louisa Vogelenzang, the cofounder of The Cybersecurity Café podcast, for permitting me to reproduce an edited version of her original article on managing online risk.


Whether you are an individual or a small business, I want to show you that you already have solid foundations you can build on to help you confidently manage your risks in the online world. Why? Because you already practise those skills on a daily basis as part of the way you secure your physical world.

Let's start with a small exercise and I will show you how.

In your head, make a quick list of all the valuable items you have at your property or business.



I am guessing that your list was fairly easy to come up with and that it includes mostly physical items: your loved ones, family photos, perhaps some jewellery, the family car, a shed full of tools, art you have collected, your personal laptop, smartphones, gaming consoles, perhaps your vintage record collection, passports or maybe an inherited family heirloom. If you are a small business, maybe your list included your staff, your precious stock and your current cash takings, as well as some of the items that are less easy to quantify, like the trust your customers place in you or the 'experience' of being in your store.

The important thing is, you are able to identify the items of value to yourself and/or your business.

I bet you also know the value of many of these items, in total and individually; you can visualise where they are kept, and you know what steps you have taken to protect them. You have probably, before now, also thought about the impact it would have on you if these items were stolen: some items are replaceable, some are not. You may have also insured your items for a total figure and named specific high value items on your policy, to ensure you have the ability to replace them in the event that they are stolen or destroyed.


Here are some of the items from my list I thought I would share, including their value to me and what steps I've taken to protect them:

·       My family. Invaluable and (overly) protected at all times. I wish they never had to leave my side, but when they do, I am verifying their safety as often as they can tolerate (mostly via SMS or, in the case of my dog, via my pet cam!).

·       My wedding and engagement rings. High sentimental value, and to protect these I never take them off. This is probably because my Mum lost her original engagement ring down the kitchen sink when she took it off one day, and I am also quite clumsy, so would probably end up doing something similar!

·       An inherited item of family jewellery. High value, both sentimental and monetary. This is kept in a safety deposit box offsite (I can't trust myself not to lose it).

·       The family car. Medium value. It's insured and kept in the garage, protected by key fob entry that only those who live in the block have access to, as well as an electronic key individual to the car, an immobiliser and a car alarm. I am aware there are certain circumstances where my insurer won't cover me and we've made a note of those (for example, I can't allow my Dad to drive the car if he visits from the UK unless I pay extra and add him to the insurance during that time).

·       All the other items of value in my apartment are secured, as you might expect, by a combination of controls: key fob entry to the apartment block, where video entry also controls who can enter the block without a key (they must be authorised to do so by a tenant, who authenticates them by sight over video); a front door key unique to my apartment that only I, my husband and a trusted friend have a copy of; and window locks.

Having a look around my local neighbourhood at the small businesses in the area, here are some examples of the physical security measures they take:

·       My local coffee shop locks their outdoor tables and chairs away at night, inside their building, to reduce the risk of them being stolen.

·       The local supermarket franchise uses CCTV inside and out and a security guard on the door, presumably to help them manage shoplifters during opening hours and the risk of a store break-in overnight, as they have high value items like liquor and cigarettes on the premises.

As well as knowing what your valuables are, their value, where they are kept and how you are protecting them, you probably also know what to do when things go wrong: who to call and what process you will follow in the event of an incident. For example, if you come home and find your tool shed has been broken into, you will probably check what is missing, call your loved one(s) to let them know, try not to touch anything so as to preserve any forensic evidence, call the police and report it, and then, once you have a crime number from the police, call the insurer (if you have insured the items). The police may also physically attend the incident to take photos or try to capture some forensics, and provide advice on how to reduce the risk of this kind of incident in the future. Your insurer may also send an assessor onsite.


You will also likely know how you will recover from a security incident. For example, if your car is stolen, recovery might mean taking public transport until you can arrange a hire car via your insurer (if they offer one); then, once the insurance claim has been processed, you will need to go out and buy a new car. If your mobile phone is stolen you might (if you have been taking backups of the phone) be able to recover fairly quickly and easily: perhaps you have a spare phone and can be up and running in no time, using the backups.

You are also able to adapt to new threats. Perhaps you have a neighbour who had their car stolen from their drive whilst they were unloading it (here in Australia car theft is still fairly common, with the latest statistics confirming there is one car stolen every 10 minutes). You learn from the police that thieves are targeting the area in this way at the moment; previously you were not aware of this threat, and now you are worried about your family being vulnerable, as they often leave the car running in the drive. As a result, you take some steps to reduce your risk and improve your overall resilience with new processes that your household agrees on (not leaving the car engine running with the keys in the car on the drive), and you also decide to install some new tools/technology, settling on some CCTV outside your garage.

It is also important to note that our risk appetite (how much risk a person is willing to accept) varies from person to person and business to business. This can come down to our knowledge/awareness of a threat, whether we believe we are vulnerable, the potential impact to us personally (often in $$) of a particular risk being realised, our available budget to reduce a risk, and even our previous experience.

Here is an example of how our physical security risk appetite can vary between humans.

Jenny, Chris and Jim go to the same swimming pool around the same time each week for the adult lane swimming on a Tuesday evening. They don't know each other and they all have different perceptions of the physical environment around them. As a result:

·       Jenny aims to lock her wallet and smartphone in the lockers available, which costs her $2 each time, except every now and again when she doesn't have the right change and can't be bothered to go back out to the front desk again. On these occasions, Jenny leaves her bag at the side of the pool, as everyone at the pool seems nice enough.

·       Chris doesn't want to pay the extra $2 for the locker (he's trying to save for his first motorbike) and decides to take the risk of leaving his bag at the side of the pool, but looks over at his bag every now and again to check nobody is looking suspicious around it.

·       Jim had his wallet and phone stolen at the same swimming pool last year and spent many hours cancelling and getting replacement cards and getting his phone set up again (he hadn't backed up his phone, and his insurer wouldn't cover him for this item outside his house). He also lost $200 in cash that was in his wallet, in addition to the cost of the new phone. He never forgets the $2 locker money and considers it a worthwhile investment at $104 per year.

As well as these 'self-managed' physical risks that we handle on a daily basis, sometimes governments mandate laws to help enforce the reduction of a particular physical risk, for example the use of seatbelts in cars and strict blood alcohol limits for drivers to help reduce the risk of traffic accidents. Manufacturers can also build security features into their products; in the case of cars, alarms and immobilisers are now fitted as standard, although maturity varies greatly across different manufacturing industries.

The truth is, a lot of this article probably seems like common sense and is very familiar to you, because physical risk is often so much easier for us to understand. Unlike the virtual/online/digital world, humans have been living in the physical world for several hundred thousand years, and we are, for the most part, very familiar with making risk-based decisions within it.

I am hoping this story has helped you to recognise that you should start from a position of confidence when it comes to your ability to manage risk in general, because you do this every single day. To recap, these are some of the existing skills you likely already have that you can apply to your online/digital/virtual world:

1. Identifying what is valuable to you and/or your business, where those valuables are kept, how well they are protected, and the potential impact if something happened to them

2. Being aware/staying up to date on threats around you and whether you might be vulnerable to them

3. Knowing what to do in the event of an incident

4. Knowing how you will recover from an incident

5. Being ready to adapt to reduce your risk

And whilst there are some key differences between the virtual world and the physical world, I will make sure we unpack all of these in the weeks to come, so that you can learn how to adapt your skills accordingly.