Week1- Intro to CRM

Week-1: Introduction to Cyber Risk Management

Ali Jaddoa

Ali.Jaddoa@roehampton.ac.uk

Date: 2/10/2025


25/26

WHAT IS CYBERSECURITY?

  • Exploring the possible meanings of the term

  • Before defence is possible, one must understand:

    • exactly what security is
    • how security relates to information security


Security

  • To be free from danger is the goal

  • The process that achieves that freedom

  • The more secure something is, the less convenient it may become to use



Types of security:

  • Physical Security - Protecting physical assets and infrastructure.
  • Information Security - Safeguarding information from unauthorised access or alteration.
  • Cybersecurity - A subset of information security focused specifically on digital environments.


Definition of Cybersecurity

  • Refers to the practice of protecting systems, networks, and data from digital attacks.

  • Attackers' aims: accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.

  • Implementing effective cybersecurity measures is particularly challenging today, because attack methods keep evolving.



Threat sources for security breaches

There are different threat sources, and each can breach different security goals.

[Figure: threat sources and the security goals they breach]



CIA Triad

  • Confidentiality: Access is only by authorised individuals.
  • Integrity: Protecting information from being altered or tampered with.
  • Availability: Resources are available to those who need them when they need them.


Task-1 (5 mins): Let's find a scenario for each pillar of the CIA triad


Cybersecurity: Terminologies-1

| Concept | Description | Example |
|---|---|---|
| Asset | An item that has value (e.g., data, device, software). | Customer data in a database. |
| Threat | An action that has the potential to cause harm. | A phishing email attempt. |
| Threat Actor | A person or element with the power to carry out a threat. | A cybercriminal hacking a system. |
| Vulnerability | A flaw or weakness that allows a threat agent to bypass security. | An unpatched software vulnerability in a web application. |
| Threat Vector | The means by which an attack can occur. | An unsecured Wi-Fi network exploited by a hacker. |
| Risk | A situation that involves exposure to some type of danger. | The risk of a ransomware attack if security patches aren't applied. |


Illustration

[Figure: illustration of the terminology above]



Cybersecurity: Terminologies-2

  • Vulnerability: A weakness in a system that can be exploited by a threat (e.g., unpatched software).
  • Threat: Any potential danger that could exploit a vulnerability (e.g., hackers, malware).
  • Risk: The potential for loss or damage when a threat exploits a vulnerability.




Cybersecurity: Terminologies-2 (cont.)

| Term | Definition |
|---|---|
| Threat Actor | Entity (person, group, or force) that initiates a threat. |
| Threat Scenario | A realistic sequence of actions that could harm assets. |
| Vulnerability | A flaw or weakness that can be exploited. |
| Vulnerability Surface | All possible attack paths a threat actor might use. |
| Incident | A breach of confidentiality, integrity, or availability. |
| Impact | Negative outcome of an incident (e.g. loss, damage). |
| Risk | Likelihood and impact of a threat exploiting a vulnerability. |


The dynamics of them

[Figure: how threat actor, threat scenario, vulnerability, incident, impact and risk relate]



Cyber Risk

Cyber risk is the potential that cyber threats exploit vulnerabilities in information assets, leading to harmful incidents.

  • Risk magnitude increases with:
    • Higher asset value
    • Stronger threats
    • More severe vulnerabilities

In most cases, the most practical way to reduce risk is by reducing vulnerabilities through security controls.



Cyber Risk: Basic Equation

A relevant threat exploits a vulnerability, with the consequence that an asset gets harmed.

[Figure: the basic risk equation]



Cyber Risk: Level

  • Risk level is the significance of a risk, expressed in terms of the combination of consequences and their likelihood.

  • Calculated based on the likelihood of a security incident and the incident's impacts.

[Figure: risk level as a combination of likelihood and impact]

The term risk exposure is often used as a synonym for risk level.



Cyber Risk: Level (More)

[Figure: risk level matrix]



How do attacks happen?

Can you eliminate threats?
Can you protect against vulnerabilities?



It's not that easy

  • Complex Process: Identifying and responding to threats can be complicated.

  • Cost vs. Value: Evaluate if the cost of protection exceeds asset value.

  • Optimal Strategy/Strategic Approach: Aim to reduce threats but avoid over-investing in protection beyond asset worth.

  • Solution: Implement layered security controls to mitigate risk.

[Figure: layered security controls]
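The two ideas on the last few slides, risk level as the combination of likelihood and impact, and the cost-vs-value rule (do not spend more on protection than the asset is worth), are shown here as working code. This is an added example, not code from the slides: the five-step likelihood and impact scales, the level thresholds, the scenario and the controls are constructed assumptions, and "impact" stands in for the harm done to the asset.

```python
from dataclasses import dataclass, replace

# Constructed qualitative scales (assumption: the slides do not fix a scale).
LIKELIHOOD_SCALE = ["rare", "unlikely", "possible", "likely", "almost certain"]
IMPACT_SCALE = ["negligible", "minor", "moderate", "major", "severe"]


def score(likelihood: str, impact: str) -> int:
    """Numeric risk score: likelihood rank x impact rank (1..25)."""
    return (LIKELIHOOD_SCALE.index(likelihood) + 1) * (IMPACT_SCALE.index(impact) + 1)


def risk_level(likelihood: str, impact: str) -> str:
    """Map the score onto the usual four-band risk level (thresholds are an assumption)."""
    s = score(likelihood, impact)
    if s >= 15:
        return "critical"
    if s >= 8:
        return "high"
    if s >= 4:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Scenario:
    """Threat scenario: a threat exploiting a vulnerability in an asset."""
    asset: str
    asset_value: int          # constructed monetary value of the asset
    threat: str
    vulnerability: str
    likelihood: str
    impact: str


@dataclass(frozen=True)
class Control:
    """A security control that reduces the vulnerability, and so the likelihood."""
    name: str
    cost: int
    likelihood_steps: int     # how many steps down the likelihood scale it buys


def is_justified(scenario: Scenario, control: Control) -> bool:
    """Cost-vs-value rule from the slides: protection must not cost more than the asset is worth."""
    return control.cost <= scenario.asset_value


def apply_control(scenario: Scenario, control: Control) -> Scenario:
    """Return the treated scenario; an unjustified control is skipped and the same object comes back."""
    if not is_justified(scenario, control):
        return scenario
    idx = max(0, LIKELIHOOD_SCALE.index(scenario.likelihood) - control.likelihood_steps)
    return replace(scenario, likelihood=LIKELIHOOD_SCALE[idx])


def assess(scenario: Scenario, controls: list) -> tuple:
    """Return (risk level before, risk level after, names of the controls actually applied)."""
    before = risk_level(scenario.likelihood, scenario.impact)
    current, applied = scenario, []
    for control in controls:
        treated = apply_control(current, control)
        if treated is not current:
            applied.append(control.name)
            current = treated
    return before, risk_level(current.likelihood, current.impact), applied


# Constructed scenario and candidate controls (not from the slides).
CUSTOMER_DB = Scenario("customer database", 500_000, "ransomware",
                       "unpatched web application", "likely", "major")
CONTROLS = [
    Control("patch management", 20_000, 2),          # cheap, strongly reduces the vulnerability
    Control("rebuild platform from scratch", 800_000, 3),  # costs more than the asset is worth
]

if __name__ == "__main__":
    print(assess(CUSTOMER_DB, CONTROLS))  # ('critical', 'high', ['patch management'])
```

The untreated scenario scores 4 x 4 = 16 (critical); patch management moves likelihood from "likely" to "unlikely", giving 2 x 4 = 8 (high), while the rebuild is skipped because its cost exceeds the asset value. Note that the control only lowers likelihood; the residual risk is still "high", which is why the slides speak of layered controls rather than a single fix.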



Security Controls

Measures used to prevent, detect, or respond to threat scenarios, reducing vulnerabilities and limiting the impact of incidents.

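To make the "prevent, detect, or respond" distinction concrete, here is a small login-monitoring pipeline that implements one control of each kind over a constructed stream of authentication events. This is an added example, not code from the slides; the event format, the thresholds and the sample events are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events (not from the slides): (timestamp in seconds, user, source IP, auth backend result)
EVENTS = [
    (0, "alice", "10.0.0.5", False),
    (5, "alice", "10.0.0.5", False),
    (9, "alice", "10.0.0.5", False),
    (14, "alice", "10.0.0.5", False),
    (20, "alice", "10.0.0.5", False),
    (25, "alice", "10.0.0.5", True),   # password would be accepted, but the lockout should block it
    (30, "bob", "10.0.0.9", True),
]

DETECT_THRESHOLD = 3     # detective control: failures in the window that raise an alert
LOCKOUT_THRESHOLD = 5    # responsive control: failures in the window that lock the account
WINDOW_SECONDS = 60


@dataclass
class ControlState:
    failures: dict = field(default_factory=lambda: defaultdict(list))  # user -> recent failure times
    locked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)
    incidents: list = field(default_factory=list)


def prevent(state: ControlState, user: str) -> bool:
    """Preventive control: refuse any attempt against a locked account before authentication runs."""
    return user not in state.locked


def respond(state: ControlState, ts: int, user: str) -> None:
    """Responsive control: lock the account and record an incident for follow-up."""
    state.locked.add(user)
    state.incidents.append(f"t={ts}: locked {user}")


def detect(state: ControlState, ts: int, user: str, success: bool) -> None:
    """Detective control: count failures inside the sliding window and alert past the threshold."""
    if success:
        return
    recent = [t for t in state.failures[user] if ts - t <= WINDOW_SECONDS]
    recent.append(ts)
    state.failures[user] = recent
    if len(recent) == DETECT_THRESHOLD:
        state.alerts.append(f"t={ts}: {user} has {DETECT_THRESHOLD} failed logins in {WINDOW_SECONDS}s")
    if len(recent) >= LOCKOUT_THRESHOLD:
        respond(state, ts, user)


def run(events: list) -> tuple:
    """Feed events through the three controls; return the final state and per-event outcomes."""
    state = ControlState()
    outcomes = []
    for ts, user, _ip, success in events:
        if not prevent(state, user):
            outcomes.append((ts, user, "blocked"))
            continue
        detect(state, ts, user, success)
        outcomes.append((ts, user, "ok" if success else "failed"))
    return state, outcomes


if __name__ == "__main__":
    final_state, results = run(EVENTS)
    print(results)
    print(final_state.alerts, final_state.incidents)
```

On the sample stream the detective control alerts at the third failure, the responsive control locks the account at the fifth, and the preventive control then blocks the later attempt even though the credentials were correct. That last point is the trade-off from the "Security" slide: a lockout protects confidentiality but costs availability, since anyone who can send five bad passwords can deny a legitimate user access, so a real deployment pairs it with rate limiting by source and a recovery path.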



Types of Security Controls

  1. NIST CSF
     [Figure: NIST Cybersecurity Framework functions]

  2. ISO/IEC 27002
     [Figure: ISO/IEC 27002 control categories]



The Four P’s of Cybersecurity in ITIL

People, Product, Partner, Process form a holistic framework for managing cybersecurity.

  • People: The most vulnerable link; requires skills, roles, and a strong security culture.
  • Product: Security technologies (e.g. firewalls) must prevent, detect, and recover from threats.
  • Partner: Third-party vendors must provide reliable support and service continuity.
  • Process: Security tools are only effective when supported by well-defined procedures.

A secure system needs all four P’s working together.
ITIL (Information Technology Infrastructure Library)



Who Is the Opponent: Threat Actors

"False face must hide what the false heart doth know." (Macbeth)

[Figure: threat actors]



Script Kiddies

  • Individuals who lack the knowledge of computers and networks needed to hack on their own
  • Download automated hacking software (scripts) from websites
  • The tools they use are written by other (more skilled) people



Hacktivists

Attackers who attack for ideological reasons that are generally not as well-defined as a cyberterrorist’s motivation

  • Breaking into a website and changing the contents on the site to make a political statement
  • Disabling a website belonging to a bank because the bank stopped accepting payments




Nation State Actors

An attacker commissioned by a government to attack enemies’ systems

  • May target foreign governments or even citizens of the government who are considered hostile or threatening.

  • Known for being well-resourced and highly trained

  • Commonly use Advanced Persistent Threat (APT) to target victims

  • Examples: Petya and NotPetya



Insiders

A person or group within an organisation who has authorised access to sensitive information

  • Employees, contractors, and business partners

  • Over 58 percent of breaches are attributed to insiders [1]



Task-3: Discuss: who is the most dangerous?

  • Go to menti.com and use the code 7100 1974


Other Threat Actors

| Threat Actor | Description | Explanation |
|---|---|---|
| Competitors | Launch attacks against an opponent's system to steal classified information. | Competitors may steal new product research or a list of current customers to gain a competitive advantage. |
| Organised crime | Moving from traditional criminal activities to more rewarding and less risky online attacks. | Criminal networks are usually run by a small number of experienced online criminals who do not commit the crimes themselves but act as entrepreneurs. |
| Brokers | Sell their knowledge of a vulnerability to other attackers or governments. | Individuals who uncover vulnerabilities do not report them to the software vendor but instead sell them to the highest bidder. |
| Cyberterrorists | Attack a nation's network and computer infrastructure to cause disruption and panic among citizens. | Targets may include a small group of computers or networks that can affect the largest number of users, such as the computers that control the electrical power grid of a state or region. |


Lab

  • Review activities from here.

  • Cyber lab student account:

    username: student
    password: Student2


[Figure: ../../figures/risk.png]

From Goals to Controls

  • Security goals define what needs to be protected (e.g., ensure data confidentiality).
  • Controls define how to achieve these goals (e.g., encryption, access control).

Selecting appropriate controls depends on context, risk level, and asset criticality.