What is Cyber Risk Quantification


Cyber Risk Quantification is a risk assessment approach through which Cybersecurity Risk is expressed in economic terms, so that business stakeholders can understand it better.
It acts as a bridge between technology and business objectives and can be used to derive rational and proportionate action plans.
It also provides a method to calculate the return on investment (ROI) of security initiatives.

Differentiation from the Qualitative approach:

While Qualitative Risk Analysis provides consistent input on risk exposure, it is difficult for business decision makers to interpret.
Cyber Risk Quantification does not replace the traditional Qualitative Risk Analysis; it extends it into a risk analysis and decision tool that facilitates the design of appropriate and cost-effective mitigation plans, while providing more meaningful information to decision makers.

How is Cyber Risk Quantification applied?

We focus on identifying the Organization's crown jewels throughout the business value chain, together with the applicable loss events relevant to the associated industry sector.
Next, we map these events to potential cyber threats in order to create a list of possible Cyber Security Threat scenarios.
Each scenario is analyzed in cooperation with the respective Business Owners in order to integrate Cyber Economics appropriately, translating the Cybersecurity Threat Scenario into monetary terms so that it is expressed as economic impact.
Finally, we design the respective mitigation plans and calculate their ROI through a cost-effective approach, proportionate to the quantified risk and to the Organization's P&L.
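As an added worked example (not part of the original page), the four steps above carried through in Python: crown jewels are mapped to threat scenarios, each scenario is expressed in monetary terms, and candidate mitigation plans are ranked by ROI. The scenarios, frequencies, loss figures and mitigation effects are all constructed for illustration, and the loss model used (expected annual loss = annual event frequency × loss magnitude per event) is a simplifying assumption, not a method the page prescribes.

```python
"""
Cyber Risk Quantification walk-through: threat scenarios on crown jewels are
expressed as expected annual loss, then mitigation plans are ranked by ROI.

All names, frequencies, loss magnitudes and reduction factors below are
constructed for illustration. The loss model (expected annual loss =
annual event frequency x loss magnitude) is an assumption of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ThreatScenario:
    name: str
    crown_jewel: str             # asset from the business value chain
    annual_frequency: float      # expected loss events per year
    loss_magnitude: float        # monetary impact per event (EUR), agreed with the Business Owner

    def expected_annual_loss(self) -> float:
        return self.annual_frequency * self.loss_magnitude


@dataclass
class MitigationPlan:
    name: str
    annual_cost: float
    # Fraction by which the plan reduces frequency / magnitude, per scenario name.
    frequency_reduction: Dict[str, float] = field(default_factory=dict)
    magnitude_reduction: Dict[str, float] = field(default_factory=dict)


def total_expected_annual_loss(scenarios: List[ThreatScenario]) -> float:
    return sum(s.expected_annual_loss() for s in scenarios)


def residual_loss(scenario: ThreatScenario, plan: MitigationPlan) -> float:
    """Expected annual loss of one scenario after the plan is applied."""
    freq = scenario.annual_frequency * (1 - plan.frequency_reduction.get(scenario.name, 0.0))
    magn = scenario.loss_magnitude * (1 - plan.magnitude_reduction.get(scenario.name, 0.0))
    return freq * magn


def plan_roi(scenarios: List[ThreatScenario], plan: MitigationPlan) -> Tuple[float, float]:
    """Return (annual risk reduction, ROI) with ROI = (reduction - cost) / cost."""
    before = total_expected_annual_loss(scenarios)
    after = sum(residual_loss(s, plan) for s in scenarios)
    reduction = before - after
    return reduction, (reduction - plan.annual_cost) / plan.annual_cost


def rank_plans(scenarios: List[ThreatScenario], plans: List[MitigationPlan]):
    """Rank plans by ROI, highest first: (plan name, risk reduction, ROI)."""
    rows = []
    for plan in plans:
        reduction, roi = plan_roi(scenarios, plan)
        rows.append((plan.name, round(reduction, 2), round(roi, 3)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed scenarios: crown jewel, loss events per year, impact per event.
SCENARIOS = [
    ThreatScenario("Ransomware on ERP", "ERP platform", 0.2, 1_500_000),
    ThreatScenario("Customer data exfiltration", "CRM database", 0.1, 800_000),
    ThreatScenario("Business email compromise", "Treasury payments", 0.5, 120_000),
]

# Constructed mitigation plans with their assumed effect on the scenarios.
PLANS = [
    MitigationPlan("Immutable backups + tested recovery", 90_000,
                   magnitude_reduction={"Ransomware on ERP": 0.7}),
    MitigationPlan("MFA + conditional access", 40_000,
                   frequency_reduction={"Customer data exfiltration": 0.5,
                                        "Business email compromise": 0.6}),
    MitigationPlan("Full network redesign", 600_000,
                   frequency_reduction={"Ransomware on ERP": 0.3},
                   magnitude_reduction={"Customer data exfiltration": 0.2}),
]

if __name__ == "__main__":
    print(f"Expected annual loss before mitigation: {total_expected_annual_loss(SCENARIOS):,.0f} EUR")
    for name, reduction, roi in rank_plans(SCENARIOS, PLANS):
        print(f"{name:40s} reduces risk by {reduction:>12,.0f} EUR/yr, ROI {roi:+.2f}")
```

With these constructed figures the expected annual loss is 440,000 EUR; the recovery-focused plan ranks first (ROI +1.33), the identity plan second (+0.90), and the expensive redesign last with a negative ROI, which is the kind of proportionality argument the quantified view makes visible to the business.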


What is Cyber Economics: measuring and optimizing the financials related to Cybersecurity Risks and investments.

CYBERFLIP Framework


The CYBERFLIP framework is a Security Governance framework designed to enhance an Organization's Cyber Resilience in an efficient and cost-effective manner. It is based on a reversed ('flipped') application of the NIST Cybersecurity Framework.

What is the NIST Cybersecurity Framework:

Drafted by the US National Institute of Standards and Technology (NIST), the NIST Cybersecurity Framework (CSF) is a comprehensive set of best practices and standards through which an Organization can design its Cybersecurity Program. The CSF organizes cybersecurity activities into 5 Functions (Identify, Protect, Detect, Respond, Recover), which Organizations adopting the framework traditionally follow sequentially.

 

Our 'flipped' approach:

Due to the exponential increase of Cybersecurity incidents during the last decade, we consider that it is a matter of 'when', not 'if', a breach will occur. Thus, we assume breach and follow a reversed ('flipped') approach, prioritizing the design of the Recovery Capability, which includes all processes that an Organization should have in place in order to minimize an incident's impact.

Specifically:

Step 1 – Identify the Organization's Crown Jewels throughout the business value chain.

Step 2 – Build the Recovery capability by focusing on how the Organization would minimize the impact of an incident on its critical assets and resources.

Step 3 – Enhance the Response capability and the level of readiness through established Business Continuity and Incident Management processes, including industry-tailored Incident Response Playbooks.

Step 4 – Utilize the Zero Trust concept to design and build the necessary controls, in order to Detect potential threats in a timely manner and reduce the occurrence of incidents.

Step 5 – Utilize the Zero Trust concept to design and build the Protect capability, through which the Organization further minimizes its overall cybersecurity risk.

What is Zero Trust

Zero Trust is an architectural approach based on the principle of "never trust, always verify". It helps prevent security compromises by removing implicit trust from the Organization's internal network and treating that network as insecure or already breached. The security focus shifts from the 'Perimeter' to the 'Actions' of a specific 'Identity' over specific 'Resources' (i.e. all data sources and computing services).
The need for a Zero Trust approach is greater than ever, considering that we live and work in an interconnected world where adversaries discover new, advanced breach methods on a daily basis. Furthermore, appropriate adoption of Zero Trust facilitates the Organization's digital transformation journey, since apart from security it adds flexibility in integrating with different parties (external systems or contractors, regardless of their location).

Traditional approach versus Zero Trust:

Traditional Network Security Architecture

Zero Trust Architecture

Zero Trust Controls Concepts:

The Zero Trust Security approach ensures that the right people have the appropriate level of access, to the needed resources, in the right context, while that access is assessed continuously — and transparently to the user experience. Specifically, Trust is continuously assessed through controls based on the following concepts:

1. User authentication through advanced methods beyond username/password: to ensure that an attacker cannot make use of stolen or breached user credentials.

2. User authorization based on activity context: to ensure that even a breached account is detected through abnormal activity (e.g. a first-time connection from another country, or a connection outside working hours).

3. Device authorization based on a security baseline: to ensure that an insecure device cannot connect to corporate resources. Applicable to all devices, corporate and personal.

4. All communications are secured, regardless of the network.

5. All data are secured according to their criticality, regardless of the network and the storage location.

6. Network microsegmentation and least-privilege user access are used to ensure that an attacker who has successfully breached the internal corporate network cannot move laterally and can be easily detected.

7. The above are reviewed and enforced on a continuous basis through policies designed to facilitate business and enhance security.

Zero Trust Architecture real-world examples:

Scenario 1: An employee typically logs in to the Company's systems on weekdays from her home and occasionally on weekends from a coffee shop. Last Saturday night, a successful login with her username and password was performed from the USA.
Traditional approach: Most likely the connection would be allowed, since the basic control would be the user's credentials over the Company's VPN.
Zero Trust approach: Since access is validated against additional contextual criteria (e.g. a login from a new country for this specific user), the inconsistency is recognized, the access request is automatically denied and an alert is raised. Automated response capabilities could be triggered to temporarily disable the user's account, given the likelihood that its credentials have been compromised.

Scenario 2: The Finance Department needs to access the ERP application.
Traditional approach: Access from the internal network would be granted upon provision of the user's credentials. Access from an external network would be granted with a combination of the user's credentials and VPN/certificate.
Zero Trust approach: Network devices should ensure that traffic going to the ERP comes from a secure device belonging to someone in the Finance Department. The authentication solution should validate that authenticated users are from the Finance Department. If the user is authenticating from a new device, the user should provide a one-time password sent to a known device, while the new device should meet the minimum compliance criteria set by the Organization (e.g. updated OS, data-at-rest encryption, endpoint protection, etc.). The above are continually re-evaluated for every interaction as the context changes, such as device, location, network and identity data.
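As an added example (not code from the original page), the two scenarios above implemented as a small policy decision function in Python. It covers the controls concepts listed earlier (authentication, context-based authorization, device baseline, least-privilege resource access) and goes slightly beyond the text by handling the new-device and out-of-hours cases as a step-up to a one-time code delivered to a known device. The users, devices, requests, countries, dates and the resource policy are all constructed for illustration; in a real deployment these signals would come from the identity provider, the endpoint management agent and the SIEM.

```python
"""
Zero Trust access decision for the two scenarios above, side by side with
the traditional perimeter decision. All users, devices, requests and the
resource policy are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set


@dataclass
class UserProfile:
    username: str
    department: str
    usual_countries: Set[str]            # countries this user has logged in from before
    known_devices: Set[str]              # device ids already enrolled for this user
    working_hours: range = range(8, 19)  # 08:00-18:59 local time


@dataclass
class DevicePosture:
    device_id: str
    os_patched: bool
    disk_encrypted: bool
    endpoint_protection: bool

    def is_compliant(self) -> bool:
        """Minimum compliance criteria set by the Organization (constructed)."""
        return self.os_patched and self.disk_encrypted and self.endpoint_protection


@dataclass
class AccessRequest:
    user: UserProfile
    credentials_valid: bool
    country: str
    when: datetime
    device: Optional[DevicePosture]      # None when the device cannot be attested
    resource: str
    otp_verified: bool = False           # one-time code confirmed on a known device


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)
    alert: bool = False
    lock_account: bool = False


# Constructed resource policy: which departments may reach which resource.
RESOURCE_POLICY: Dict[str, Set[str]] = {"ERP": {"Finance"}}


def traditional_decision(req: AccessRequest) -> Decision:
    """Perimeter model: valid credentials (over the VPN) are sufficient."""
    ok = req.credentials_valid
    return Decision(allow=ok, reasons=["credentials valid" if ok else "bad credentials"])


def zero_trust_decision(req: AccessRequest) -> Decision:
    d = Decision(allow=False)
    # Concept 1: credentials are necessary but never sufficient on their own.
    if not req.credentials_valid:
        d.reasons.append("bad credentials")
        return d
    # Concept 2: a country this user has never logged in from is treated as
    # probable credential compromise -> deny, raise an alert, temporarily lock.
    if req.country not in req.user.usual_countries:
        d.reasons.append(f"first login from {req.country} for {req.user.username}")
        d.alert = d.lock_account = True
        return d
    # Concept 3: only attested devices that meet the baseline reach resources.
    if req.device is None or not req.device.is_compliant():
        d.reasons.append("device not attested or below the security baseline")
        return d
    # Concept 6: least privilege, the resource policy decides who may reach the ERP.
    if req.user.department not in RESOURCE_POLICY.get(req.resource, set()):
        d.reasons.append(f"{req.user.department} is not authorized for {req.resource}")
        return d
    # Step-up: a new device or an out-of-hours login requires a one-time code
    # delivered to a device that is already known for this user.
    step_up = []
    if req.device.device_id not in req.user.known_devices:
        step_up.append("new device")
    if req.when.weekday() >= 5 or req.when.hour not in req.user.working_hours:
        step_up.append("outside working hours")
    if step_up and not req.otp_verified:
        d.reasons.append("one-time code required: " + ", ".join(step_up))
        return d
    d.allow = True
    d.reasons.append("identity, device, context and authorization verified")
    return d


# Constructed users and devices.
ALICE = UserProfile("alice", "Sales", usual_countries={"GR"}, known_devices={"LT-0101"})
BOB = UserProfile("bob", "Finance", usual_countries={"GR"}, known_devices={"LT-0202"})
CAROL = UserProfile("carol", "Marketing", usual_countries={"GR"}, known_devices={"LT-0303"})


def scenario_1():
    """Saturday night login with valid credentials from a country alice never used."""
    req = AccessRequest(ALICE, True, "US", datetime(2024, 3, 2, 23, 10),
                        DevicePosture("LT-0101", True, True, True), "Intranet")
    return traditional_decision(req), zero_trust_decision(req)


def scenario_2(device_id="LT-0202", compliant=True, otp_verified=False, user=BOB):
    """Tuesday 10:00 access to the ERP; defaults are bob on his known, compliant laptop."""
    dev = DevicePosture(device_id, os_patched=compliant, disk_encrypted=True, endpoint_protection=True)
    req = AccessRequest(user, True, "GR", datetime(2024, 3, 5, 10, 0), dev, "ERP", otp_verified)
    return zero_trust_decision(req)


if __name__ == "__main__":
    trad, zt = scenario_1()
    print("Scenario 1 traditional:", trad)
    print("Scenario 1 zero trust: ", zt)
    print("Scenario 2 known device:", scenario_2())
    print("Scenario 2 new device, no OTP:", scenario_2(device_id="LT-0303"))
    print("Scenario 2 new device, OTP ok:", scenario_2(device_id="LT-0303", otp_verified=True))
    print("Scenario 2 non-compliant device:", scenario_2(compliant=False))
    print("Scenario 2 wrong department:", scenario_2(device_id="LT-0303", user=CAROL))
```

The order of the checks matters for detection: the contextual anomaly is evaluated before device and authorization checks so that a probable credential theft produces an alert and a lock even when the device and department would otherwise pass, which is the outcome Scenario 1 describes.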


What is the added value of the CYBERFLIP Framework:

Through the CYBERFLIP framework and its reversed approach, we focus on minimizing the impact of potential incidents by prioritizing the development of the Business Recovery capability, instead of having to wait for the full implementation of the Security Framework.


Cybersecurity-as-a-Service (CSaaS)


Going beyond our main offerings, Cybersecurity-as-a-Service (CSaaS) is our approach to maintaining the desired Cyber Resilience state and becoming your trusted advisor throughout your Digital Transformation Journey.
Our services are offered either individually, based on your current needs, or as packages from which you can choose what best delivers your Cybersecurity strategy.


Project Services

  • Cybersecurity Framework update and maintenance
  • Risks Register update and maintenance
  • Cybersecurity Maturity assessment
  • Cybersecurity Awareness training
  • BCP / DRP
  • Incident Response Process and playbooks
  • Technical Security assessments
  • Compliance Services
  • Internal / External Audits
  • Certifications preparation


Managed Services

  • Essential: Suggested for Small Companies
  • Optimum: Suggested for Medium Companies
  • CISO as a Service: For Organizations that need a dedicated CISO
  • Cybersecurity Office (CSO): A Cybersecurity Office covering the full range of our services

COMPANY MAIL

[email protected]

COMPANY TELEPHONE

+30 211 103 3600

COMPANY ADDRESS

10-12 Dorileou Street,
11521 Athens, Greece