The Inner Circle


NISTIR 8286A, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management

  • 1.  NISTIR 8286A, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management

    Posted Nov 13, 2021 03:43:00 AM
    Hi All,

    NIST just published Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management: NISTIR 8286A

    NISTIR 8286A, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management, provides an in-depth discussion of the concepts introduced in NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM).

    NISTIR 8286A is intended to help organizations better implement cybersecurity risk management (CSRM) as an integral part of ERM – both taking its direction from ERM and informing it. The increasing frequency, creativity, and severity of cybersecurity attacks mean that all enterprises should ensure that cybersecurity risk is receiving appropriate attention within their ERM programs and that the CSRM program is anchored within the context of ERM.
    This final version of the report clarifies several areas of CSRM in light of enterprise objectives and also incorporates editorial and subject matter improvements that were provided as feedback during the second public comment period. In addition, graphics and process descriptions were adjusted to ensure that they support subsequent activities as described in NISTIRs 8286B and 8286C.

    A companion document, NISTIR 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight, will be available for review and comment in the coming weeks.

    Related publications:
    • NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM)
    • NISTIR 8286B, Prioritizing Cybersecurity Risk for Enterprise Risk Management (Draft)
    • NISTIR 8170, Approaches for Federal Agencies to Use the Cybersecurity Framework

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------


  • 2.  RE: NISTIR 8286A, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management

    Posted Nov 15, 2021 07:25:00 AM
    The problem is that, both mathematically and, more importantly, pragmatically, all these approaches assume smooth, continuous functions and random uniform distributions. In reality threats are discontinuous and highly bimodal: heads, nothing of interest ever happens; tails, an entire energy system stops working, etc.

    Even at a smaller, less dramatic scale, 99.99% of the time my IT systems and data are completely safe until one holiday weekend … they are completely not.

    The traffic lighting and normal curve fitting give both the IT folks and the exec folks the false impression that these are perfectly manageable white swans.

    In the cloud era I would model it as 99% no risk, 1% total loss of systems and data.

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------
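The "99% no risk, 1% total loss" model in the reply above, worked through as an added example (not the poster's code): it puts the two-point loss model next to a normal curve fitted to the same mean and variance, which is one reading of the "normal curve fitting" the reply criticises. The asset value of 1,000,000 is a constructed placeholder; the 99/1 split comes from the post.

```python
import math
from statistics import NormalDist

# Constructed inputs: the post's 99% / 1% split applied to a hypothetical
# asset value of 1,000,000 (units are arbitrary).
P_TOTAL_LOSS = 0.01
TOTAL_VALUE = 1_000_000.0


def bimodal_moments(p, value):
    """Mean and standard deviation of the two-point loss model:
    loss = value with probability p, otherwise 0."""
    mean = p * value
    sd = math.sqrt(p * (1.0 - p)) * value
    return mean, sd


def bimodal_tail(p, value, threshold):
    """P(loss >= threshold) under the two-point model."""
    if threshold <= 0.0:
        return 1.0
    return p if threshold <= value else 0.0


def bimodal_percentile(p, value, q):
    """q-th quantile of the two-point model: 0 until the last p of probability mass."""
    return 0.0 if q <= 1.0 - p else value


def normal_tail(mean, sd, threshold):
    """P(loss >= threshold) for the normal fit; erfc keeps precision in the far tail."""
    z = (threshold - mean) / sd
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def compare(p=P_TOTAL_LOSS, value=TOTAL_VALUE):
    """Two-point model vs. a normal fit sharing its mean and variance."""
    mean, sd = bimodal_moments(p, value)
    return {
        "expected_loss": mean,  # identical under both models, so it hides the difference
        "bimodal_p_total_loss": bimodal_tail(p, value, value),
        "normal_p_total_loss": normal_tail(mean, sd, value),
        "sigma_distance_of_total_loss": (value - mean) / sd,
        "bimodal_p999": bimodal_percentile(p, value, 0.999),
        "normal_p999": NormalDist(mean, sd).inv_cdf(0.999),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:>30}: {result:,.6g}")
```

Both models report the same expected loss (10,000), but the normal fit treats a total loss as a roughly ten-sigma event with probability around 1e-23, while the two-point model puts it at 1 in 100; at the 99.9th percentile the normal fit predicts losing about a third of the value where the two-point model predicts losing all of it.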