The answer to the question of how organizations can evaluate information security risk depends on how we first think about risk in cyberspace. Good security risk management is a combination of data, processes, technology, and education. With new opportunities to observe and act on data in real-time, it has become possible to contextualize many different signals into information that supports decision-making for risk mitigation.
Risk 101: is a new series of blog posts that explores risk vectors in cyberspace. The series emphasizes cybersecurity risks that can be objectively observed with data. Through the series we will provide in-depth exploration of signals that can be identified, and address methods for remediation.
These risks will be organized into three categories:
- Misconfiguration & Mismanagement: Signals related to the implementation of specific technologies
- Observation of Cyber Attack: Signals that reveal targeting of, motivation to, or successes in conducting a cyber attack
- User Behavior: Signals that reveal high risk activity
While companies continue to primarily search for threats within their networks, and share information post-attack (such as MD5 hashes of malware, IP addresses involved in attacks, malware signatures etc.), many organizations are ignoring or unaware of the risks present in the “virtual supply chain”. With this series, we hope to empower organizations to reduce risk holistically, which includes security risk from vendors, suppliers and other third parties with whom information is shared.
Our first post in The Risk 101 series will focus on the Sender Policy Framework (SPF), an e-mail validation technique to prevent malicious e-mail. To receive automatic alerts when new content is published, subscribe to our email updates or follow BitSight on Twitter.
