Cyber Prep is a preparedness methodology that aligns with the multi-tier approach to risk management defined in NIST SP 800-39. Cyber Prep supports the first step of this multi-tier approach, which is risk framing. Risk framing pertains to the organizational level, and from there it cascades down to the mission/business and systems levels. This methodology helps an organization understand and articulate its assumptions about the threat it faces, the business consequences, and its approach to risk management. Ultimately, it defines the organization’s strategy for how it intends to assess, respond to and monitor risk.
The main benefit of using this methodology is that it allows the business to understand, in clear language, which threats are operating in cyberspace and the business impacts they may cause. Additionally, the methodology provides an index into other frameworks once the risk framing phase is completed. It helps to identify mismatches between the organization’s current risk management strategy and the characteristics of the cyber threat it faces, and it sets out, in clear language, a target level of preparedness for the three main areas of Governance, Operations, and Architecture & Engineering.
The methodology is primarily based on the threat model defined in my previous post. The threat is categorized in two ways: the conventional threat and the advanced threat. Conventional threats call for a practice- or compliance-driven risk management approach, whereas advanced threats require a threat-oriented risk management approach. A compliance approach puts emphasis on controls, vulnerabilities and incident response, while a threat-driven approach implies a proactive posture guided by threat intelligence management, because of the specific characteristics of advanced threats such as the APT.
Once the background and threat model are clear, let’s look at the steps to understand how Cyber Prep works. At first this seems a long process, but I felt I had to publish most of the steps to show the breadth of the methodology, and how it can support high-level contextual conversations at the top of the organization, which are not technical but have critical input in setting the general tone for an organizational cyber preparedness strategy.
The first stage involves understanding the overall organization’s orientation. Which of these threats is the organization concerned with? In scenarios in which the organization may encounter multiple adversaries the recommended approach is to assume the worst case.
If the organization does not recognize these types of threats, this is a good opportunity to train the organization. Some of the key questions for understanding its business context and operating environment are the following.
- In what sector does your organization operate? Critical infrastructure?
- How critical is the organization to its sector? Is the organization critical to the country?
- What is the organization’s position in the supply chain? Is it critical to other organizations? Who are their partners, customers and providers?
- How valuable are the resources that the organization holds, manages or provides (information, products and services)? Do they hold intellectual property? Do they carry out research?
These questions will engage them in a conversation, and they provide much of the context needed to choose the threat orientation from the beginning. This stage is particularly important as it engages, trains and helps the organization’s key players to understand who they are, what the threats are, and the business impacts associated with each of these threats. At the end of this stage the organization’s leadership should have a clear vision of what sort of cyber threats may affect their business, based on their current situational awareness.
The second stage involves the identification of mismatches between the organization’s risk management strategy and the threats they face. The tables below support this stage.
At this point, the organization has identified at a high level the type of cyber threat it faces, its current cyber preparedness strategy, and the existence of potential mismatches. An example is an organization facing a Cyber Incursion threat whose current preparedness strategy is just cyber hygiene. In this situation the misalignment between the cyber strategy and the threat the organization faces is clear. The next step should be to re-align its strategy, and therefore its risk management practices, to the level of threat it is expecting.
By now the organization has done only a very high-level cyber preparedness assessment; however, the methodology allows a more granular cyber assessment, and it also indexes into well-known sector-specific frameworks such as NIST CSF. Let’s look into this.
During the presentation of the threat model, it was established that the characterization of the threat at the strategic level is composed of three characteristics: Capability, Intent and Targeting. Each of these characteristics is aligned with a different element of preparedness.
- Capability = Architecture & Engineering
- Intent = Governance
- Targeting = Operations
Each area is broken down into different aspects, each of which has a different ‘rating’ in each of the preparedness strategies. The methodology includes questionnaires that can be used to get a more detailed view of the organization’s approach to cyber risk management. For each area, the organization chooses the strategy it identifies with most and believes its practices align with.
Architecture & Engineering
To ease the process, I created an Excel file with all the areas and questionnaires to streamline the methodology.
At the end of the process, the organization has a good understanding of its performance in each area and can decide which parts of its strategy need to evolve according to the threat it framed in the first stage of the methodology.
Correlation between Cyber Prep and other frameworks is a major benefit. Many frameworks are complex to use, especially at the beginning; however, Cyber Prep can be used as an index into them. The main framework I use for assessments is NIST CSF, and the correlation is direct between tiers, threat types and preparedness strategies. Being able to create an organizational profile and link it to an adversary class is extremely helpful for getting an overall understanding of the threat orientation of that organization’s cyber risk management practices.
In NIST CSF the implementation tiers are meant to support organizational decision making about how to manage risk, and the correlation is the following.
- TIER 1, Partial (Cyber Hygiene – Crime)
- TIER 2, Risk Informed (Critical Information Protection – Cyber Incursion)
- TIER 3, Repeatable (Responsive Awareness – APT)
- TIER 4, Adaptive (Architectural Resilience – APT)
Within each TIER NIST CSF defines three key aspects:
- Risk Management Process
- Integrated Risk Management Program
- External Participation
These aspects help determine the extent to which cyber security risk management is informed by business needs and is integrated into an organization’s overall risk management practices. In Cyber Prep we can find these three key aspects within the Governance category.
The following table shows the mapping of each Cyber Prep aspect with NIST CSF categories and subcategories.
The result is an organizational strategy and road-map that aligns with the threats the organization is going to encounter. Each threat can also be mapped to a Cyber Preparedness Level and a NIST CSF tier (only the first four levels). See the table below for the correlation.
Throughout the methodology the assumption is that the three main characteristics of the threat (Capability, Intent and Targeting) are uniform and that the organization has only one business function or mission. However, there are scenarios in which the adversary has non-uniform characteristics, and scenarios in which the organization has more than one business function or mission. In the first case the organization can combine different levels of Capability, Intent and Targeting into an overall threat level; the organization’s choice is determined by its attitude towards risk, including its tolerance for uncertainty. In the second case, the recommendation is to assume the worst-case scenario, that is, the maximum adversarial level, for the overall organization’s cyber preparedness level.
In summary, this methodology is very useful in various scenarios such as risk framing, creating a NIST CSF profile and target profile, and interpreting the results of a cyber assessment. However, its main strength is that it enables you to contextually frame the cyber threat, thus facilitating a cyber threat-oriented risk management conversation at the organizational level.
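As an added illustration (not the author's spreadsheet or MITRE's Cyber Prep material) of the mismatch check from the second stage and of the non-uniform, multi-mission case just described, the following Python model assumes numeric levels 1–4 for the page's threat types, preparedness strategies and NIST CSF tiers, takes the worst case across missions, and treats a "median" combination of Capability, Intent and Targeting as one assumed risk-tolerant alternative to the worst-case policy:

```python
"""Cyber Prep risk-framing helper (added example; levels 1-4 are assumed)."""
from statistics import median

# Mapping taken from the page's tier correlation; the numeric key is assumed.
THREAT_TYPE = {1: "Crime", 2: "Cyber Incursion", 3: "APT", 4: "APT"}
PREPAREDNESS = {1: "Cyber Hygiene", 2: "Critical Information Protection",
                3: "Responsive Awareness", 4: "Architectural Resilience"}
CSF_TIER = {1: "Tier 1 Partial", 2: "Tier 2 Risk Informed",
            3: "Tier 3 Repeatable", 4: "Tier 4 Adaptive"}
# Threat characteristic -> preparedness area it drives (from the page).
AREA_FOR = {"capability": "Architecture & Engineering",
            "intent": "Governance",
            "targeting": "Operations"}


def required_levels_per_area(missions):
    """Worst case across missions for each characteristic, keyed by area.

    missions: {mission: {"capability": int, "intent": int, "targeting": int}}
    """
    return {area: max(m[char] for m in missions.values())
            for char, area in AREA_FOR.items()}


def overall_threat_level(missions, policy="worst_case"):
    """Combine non-uniform characteristics into one level per the chosen policy."""
    levels = list(required_levels_per_area(missions).values())
    if policy == "worst_case":
        return max(levels)
    if policy == "median":  # assumed risk-tolerant alternative
        return int(median(levels))
    raise ValueError(f"unknown policy: {policy}")


def mismatches(missions, current_strategy):
    """Areas where the practised preparedness level is below what the threat needs.

    current_strategy: {area: level 1-4 the organisation says it practises}
    Returns (area, current strategy name, required strategy name) tuples.
    """
    return [(area, PREPAREDNESS[current_strategy[area]], PREPAREDNESS[need])
            for area, need in required_levels_per_area(missions).items()
            if current_strategy[area] < need]


def frame(missions, current_strategy, policy="worst_case"):
    """Stage 1 + stage 2 output: threat orientation, target strategy, tier, gaps."""
    level = overall_threat_level(missions, policy)
    return {"threat": THREAT_TYPE[level], "target": PREPAREDNESS[level],
            "csf_tier": CSF_TIER[level],
            "gaps": mismatches(missions, current_strategy)}


# Constructed sample: two business functions facing different adversaries.
SAMPLE_MISSIONS = {"retail payments": {"capability": 2, "intent": 2, "targeting": 1},
                   "R&D": {"capability": 3, "intent": 2, "targeting": 2}}
SAMPLE_STRATEGY = {"Governance": 1, "Operations": 2, "Architecture & Engineering": 3}
```

Calling `frame(SAMPLE_MISSIONS, SAMPLE_STRATEGY)` frames the organization at the APT / Responsive Awareness / Tier 3 level under the worst-case policy and flags Governance as the one area still practising only Cyber Hygiene.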