Developing an integrated approach to the analysis of MOD cyber-related risks

Transcription

1 Developing an integrated approach to the analysis of MOD cyber-related risks James Tate, Colette Jeffery Joint Enablers Analysis Group 28 th July 2016 COVERING

2 Overview 1. risk research 2. Customer requirement 3. Overview of risk process 4. methodology review 5. Development of risk tool Conclusions

3 is part of the Ministry of Defence (MoD) Provide sensitive and specialist services, advice, analysis and assurance to customers across government Cyber Enterprise project requested by Cyber Joint User (within Joint Forces Command)

4 Customer 1. To develop an evidence-based approach that: informs Capability Planning on the likely risk from cyber threats advises on the level of investment required to reduce this risk to an acceptable level I have an unclear, incomplete picture of cyber risks Where should we invest to most effectively reduce risk? 2. To provide articulation of Cyber at Defence Board level in a meaningful and consistent form with other s reported Sometimes it can be difficult to demonstrate to decision makers the extent of cyber risks

5 Input A process which captures and assesses strategic-level cyber-related risks; informing Defence Board risk Generated a standardised approach to assess the impact and likelihood of these risks using mandated policy from JSP 892 ( Management) Authored a Statement of to inform the development of a pan-mod cyber risk tool

6 Management Process identification: Through technical s 4. monitoring 3. response 1. identification 2. : Follows MOD policy (JSP 892); involves expert elicitation workshops and analysis response: Conducted by the Owners monitoring: Conducted by the Owners / Management Boards

7 Assessment Workshops Workshops attended by ~3 to 7 Subject Matter Experts (SMEs) and a CER facilitator 1 Review risk statement Review Typically aim to assess 3 to 5 risks per workshop 2 Review risk reduction activities SMEs use a mixture of their tacit knowledge and available evidence to score the risks Final scoring reached by group consensus 3 4 scoring evidence Assess

8 Modified JSP Measure of CER method

9 Impact Elicitation Techniques Multiple techniques identified & evaluated The following techniques were down-selected for more in-depth : Analytical Hierarchy Process A or B? Electronic Voting R Shiny Interface By how much?

10 Impact: R Shiny Interface Used to support risk workshops Record min, max & modal scores for each impact area Capture input from multiple stakeholders Export data for analysis in Excel

11 Evidence Elicitation Techniques Multiple techniques investigated as part of methodology review The following techniques were down-selected for more in-depth : Confidence Table Low Italian Flag Medium Star Assessment High * * * *

12 Evidence: Italian Flag Framework Used to help decision makers to understand the confidence they should place in the risk score(s) Experts select a number from 1 to 6 for each they have made (impact / vulnerability) Easy to visually interpret Strong supporting evidence Weak supporting evidence Little / no evidence either way External events could easily change Weak conflicting evidence Strong conflicting evidence

13 JSP 892 Template: CER Output Two-page risk summary

14 JSP 892 Extended Page Aim for consistent reporting of risk detail Extended to present more risk data: Example Data Reasons behind risk scorings Probability distribution from CER process Likelihood vulnerability and threat elements articulated explicitly

15 Collation Tool Research tools to support cyber risk process Aim to improve collation of risk data Prototyping to inform user requirements CERVA prototype tool

16 CERVA Prototype Example Data Collate MODs Cyber-related risks in a single tool Aim for compliance with JSP 892: s, Controls, Mitigations, Evidence Portable for evaluation on MOD IT system (DII)

17 Summary Pages Listings of each entity type Provide examples of simple summary Example Data Example Data

18 Input Forms

19 JSP 892 Excel Tool Functional example for generating reporting output from structured data (in Excel) Portable Simple to use Output into JSP template: Example Data Example Data

20

21 Linkages Research Aim To investigate the relationships between risk data (s, Activities, Evidence) to develop MODs understanding of its risk picture Key Research Questions to Investigate What are the key cyber risk response activities? Which activities currently underpin our residual risks? What level of evidence (confidence, provenance etc.) do we have to support each risk and activity? How, and to what extent, do the planned activities enable the residual risk positions to move toward the target risk positions, and over what time periods? What would a data schema for cyber risk look like?

22 Provenance Links based upon: How reliable the evidence s source is; How valuable and relevant the information from the source is; The extent to which the information agrees/disagrees with a hypothesis. Margaret Varga, Robert Young, Kevin Adams, Rose Hines, QinetiQ, Hypothesis Network Visualisation, Workshop: Visualising Network Dynamics, 4-6 November v4.pdf

23 External Research Proposal Aim Collect & collate data articulating the financial impact of cyber incidents, where those incidents have direct relevance to UK MOD. Key activities The collection of financial (in UK monetary terms) impact data for cyber incidents The collation and categorisation of evidence based on these collated data (and input from cyber SQEPs) The production of an evidence dataset (to agreed formats & standards), with any associated categorisation schemes. The production of a methodology for generating, and maintaining, a cyber financial impact dataset for MOD use.

24 Conclusions Developed a standardised approach for cyber-related risks Aligns to extant MOD risk guidance Developed requirements for MOD risk decision support tools Ongoing research to mature processes, tools, techniques, and integration with wider risk activities The risk s are based on evidence which I can draw upon when advising decision makers. We have a standardised approach to assessing cyber risks. The risk tool provides a go-to place for MOD s cyber risk picture I can use the risk tool to monitor how my risks change over time.

25 Questions? More details: