Heuristic Risk Management
About this ebook
In the relentless cyber war, understanding that every individual and organization is a target is crucial. In this book, I offer a groundbreaking perspective on cybersecurity risk management, addressing a core issue: despite increased legislation and frameworks, massive breaches continue. Why? The problem often lies in ineffective or non-existent risk assessment and management, resulting in an ineffective cybersecurity program.
Enter Heuristic Risk Management (HRM), a method I developed that is simple, intuitive, and highly effective. HRM cuts through the complexity of quantitative approaches and overbearing government regulations, providing a clear, easily implementable strategy that genuinely reduces risk.
This book is a must-read for security leaders in organizations of all sizes, from SMBs with minimal security programs to large, heavily regulated companies. It's especially valuable for small businesses, often the most vulnerable and least prepared for cyber threats.
Structured into three parts - Strategic, Tactical, and Operational Risk Management - the book builds a comprehensive understanding of cybersecurity threats and how to combat them. You'll learn how to identify your enemies, prepare defenses, and adjust your strategies in an ever-evolving threat landscape.
I've kept the book concise and to the point, focusing on practical, actionable advice rather than overloading it with unnecessary details. For those who want more, numerous footnotes link to additional resources and information.
Don't let compliance traps and the complexity of traditional frameworks hold you back. Embrace HRM and turn your cybersecurity efforts into a robust defense mechanism that outsmarts and outpaces your adversaries. Your enemies aren't waiting – why should you?
Michael Lines
Michael is an information security/risk executive and consultant, with a 20-year track record as a Chief Information Security Officer (CISO), advisory Information Security practice leader, and information security/risk consultant. He writes, blogs, presents, speaks, and provides interviews on a wide variety of information security topics, primarily concerning what it takes to develop and run effective information security programs, and why so many companies continue to suffer security breaches due to ineffective programs.
Book preview
Heuristic Risk Management - Michael Lines
HEURISTIC RISK MANAGEMENT
BE AWARE, GET PREPARED, DEFEND YOURSELF
MICHAEL LINES
Copyright © 2024 by Michael Lines. All rights reserved.
Published by Michael Lines
No part of this publication may be reproduced, stored, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, without written permission from the author. It is illegal to copy this book, post it to a website, or distribute it by any other means without permission.
While the author has used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. The author shall not be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
The author is not responsible for the persistence or accuracy of URLs for external or third-party Internet Websites referred to in this publication and does not guarantee that any content on such Websites is, or will remain, accurate or appropriate.
Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book and on its cover are trade names, service marks, trademarks, and registered trademarks of their respective owners. The author and the book are not associated with any product or vendor mentioned in this book, and none of the companies referenced within the book have endorsed the book.
First edition 2024
ISBN: 978-1-964431-00-0 (ebook)
ISBN: 978-1-964431-01-7 (paperback)
ISBN: 978-1-964431-02-4 (hardcover)
ISBN: 978-1-964431-03-1 (audiobook)
Library of Congress Control Number: 2024909526
Cover design and photo from Canva.com
You can subscribe to receive notices of errata and supplemental information on the author’s book website at https://heuristicrisk.substack.com
CONTENTS
Acknowledgments
Introduction
I. Strategic Risk Management
Be Aware
1. Know Your Enemy
1.1 Nation-States
1.2 Criminals
1.3 Hacktivists
1.4 Cyberterrorists
2. Know Yourself
2.1 Purpose
2.2 Crown Jewels
2.3 Revenues
2.4 Sensitive Information
2.5 Key Partners
2.6 Cybersecurity History
3. Understand Their Threats
3.1 Extortion
3.2 Fraud
3.3 Theft
3.4 Espionage
3.5 Sabotage
II. Tactical Risk Management
Get Prepared
4. Know Their Methods
4.1 Compromise the Person
4.2 Compromise the System
5. Assess Your Defenses
5.1 Build A Strong Foundation
5.2 Measure Your Maturity
6. Assemble Your Team
6.1 Define
6.2 Implement
6.3 Operate
6.4 Respond
7. Present Your Plan
7.1 Board Reporting
7.2 Funding Request
7.3 Policies Approval
7.4 Kobayashi Maru
III. Operational Risk Management
Defend Yourself
8. Execute Your Plan
8.1 People
8.2 Processes
8.3 Technologies
9. Manage Your Risks
9.1 Impact
9.2 Likelihood
9.3 Risk
9.4 Risk Appetite
9.5 Risk Exceptions
9.6 Risk Register
10. Find Your Gaps
10.1 By Observation
10.2 By Detection
10.3 By Response
11. Test Your Defenses
11.1 External Attestations
11.2 External Audits
11.3 Internal Audits
12. Report Your Progress
12.1 Steering Committee
12.2 Monthly Reporting
12.3 Quarterly Reporting
12.4 Annual Reporting
12.5 The Forever War
Afterword
Notes
About the Author
ACKNOWLEDGMENTS
I am immensely grateful to my reviewers, Ken Crombie, JR Cunningham, Dave Farrow, Andrew Karpie, Barry Kortekaas, Greg Schaffer, and Glen Sorensen, for the feedback they provided regarding the book. Their insights, expertise and attention to detail enhanced its quality and clarity. Finally, I would like to extend my heartfelt thanks to all those who contributed in any capacity, no matter how small, to the completion of this project. Your contributions are deeply appreciated.
For my wife, Deborah, for her boundless patience and support of all my endeavors.
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
SUN TZU, THE ART OF WAR
INTRODUCTION
A heuristic technique is an approach to problem-solving that employs a practical method to achieve an answer that is not guaranteed to be optimal but sufficient for the intended purpose.
We are in a war, a cyber war. If you come away with anything from reading this book, I hope it will be the realization that every individual, business, organization, and nation is under constant attack from those who want to steal or harm their information, money, operations, or reputation. This book will teach you to determine who your most likely adversaries are, prepare to defend against their attacks, and evolve your plan and defenses based on real-world events.
Properly assessing and managing risk is the foundation of all effective information security programs. There will always be more threats, vulnerabilities, and issues than any organization has the time or resources to address. Prioritizing where to focus your limited attention and funding is critical to ensuring that these resources are directed toward delivering the most significant risk mitigation returns.
Yet despite the increasing focus on cyber risk assessment and management in legislation and control frameworks over the past decade, massive information breaches continue to be reported daily, often traceable to the failure to implement or adequately administer fundamental security controls.¹ Clearly, something is not working. Either risk assessment and management are not being done properly, or they are not being done at all.
Risk assessment and management techniques do not need to be difficult to understand or implement; however, quantitative approaches such as Factor Analysis of Information Risk (FAIR)² and Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE),³ combined with government guidance such as in the U.S. National Institute of Standards and Technology (NIST) Risk Management Framework,⁴ have overly complicated what should be a simple and intuitive process.
The U.S. government’s default response to any significant cyber breach — imposing more regulations on organizations — is making the security leader’s job increasingly challenging by burdening them with an ever-growing list of cybersecurity requirements.⁵ The result is a compliance hamster wheel, with security teams constantly running to keep up with the latest regulations and, as a result, frequently failing to either implement or adequately maintain the fundamental security controls that matter the most in mitigating risk.
The Heuristic Risk Management (HRM) approach I propose in this book is a direct response to these challenges. It is a straightforward and effective method that non-technical business leaders can easily understand, is simple to implement, and ensures that your efforts deliver tangible risk reduction returns.
The information security program and plan you develop following the HRM approach may be all your company needs if you are a small business and largely unregulated. However, even if your company is larger or heavily regulated, the foundation you develop following the HRM approach will help ensure that the controls you add over time enhance rather than dilute the effectiveness of those you already have in place.
Who Can Benefit From This Book?
This book was written for new security leaders in organizations with immature or nonexistent security functions. However, it can be just as helpful for security leaders with established programs to help perform a sanity check on their programs and ensure that they are driven by risk considerations and not compliance bureaucracy.
This book is also helpful for board members and senior leaders in educating them on what risk-driven information security programs and plans should address. If these leaders receive plans and updates that do not address the fundamental issues of threats and risk mitigation I cover, then it is time to ask your security and IT leaders more probing questions!
Small and Medium Businesses (SMBs) are particularly vulnerable targets for cybercriminals, a fact that should not be taken lightly. According to a survey conducted by CNBC and Momentive of small business owners,⁶ almost half (42%) of the respondents admitted they have no formal plans for managing a security breach or incident. Given the challenging economic environment in which small businesses operate, it is understandable that they may struggle to allocate sufficient resources to cybersecurity. However, this vulnerability underscores the urgent need for effective security measures, regardless of the organization’s size.
Even SMBs who know the risks and have the necessary funding still struggle due to a lack of cyber expertise or knowledge. In such cases, these organizations will often attempt to adopt a larger organization’s compliance-focused approach. They will attempt to implement complex security control frameworks such as the U.S. National Institute of Standards and Technology (NIST) 800 series,⁷ Federal Risk and Authorization Management Program (FedRAMP),⁸ Payment Card Industry Data Security Standard (PCI DSS),⁹ or the ISO/IEC 27000 standards¹⁰ for information security management. Their (mistaken) belief is that implementing all the controls provided by a chosen framework will ensure the organization’s security. However, it is essential to note that compliance does not equal security, as any