Foreword: The State of Cybersecurity

Ron Hale, ISACA, USA

If cybercrime were compared to other global criminal enterprises, it would rank fourth out of five high-impact crimes in terms of the cost as a percentage of the global gross domestic product (GDP). Only transnational crime (1.2 percent), narcotics (0.9 percent), and counterfeiting/piracy (0.89 percent) rank higher in terms of financial impact. Cybercrime, however, is pushing toward the top, representing 0.8 percent of the global GDP, according to a 2014 study conducted by the Center for Strategic and International Studies. While many may not be aware of the worldwide cost of cybercrime, enterprises everywhere are certainly feeling the consequences of intrusions and compromise. It is hitting the bottom line in corporate financial statements.

Cybercrime is also gaining the attention of legislators, regulators, and boards as reports of intrusions and their consequences are released on a daily basis. Everyone is becoming alarmingly aware of cybercrime, as it is constantly in the news. Cybercrime is also very personal because each of us has probably had the experience of receiving notifications that our financial and other personal information may have been compromised in an attack. The incidence of cybercrime is eroding public trust as well.

The Global Cyber Crisis

We are in what can best be described as a global cyber crisis, and the future does not look promising. The June 2014 Center for Strategic and International Studies report estimated that the global impact of cybercrime was between $375 and $575 billion. As cyber incidents are frequently undetected and infrequently reported, it is difficult to arrive at a more accurate understanding of the extent of cybercrime. The Center’s best estimate is $445 billion, given that the four largest economies, the United States, China, Japan, and Germany, collectively account for at least $200 billion of this amount.

Despite the lack of details on the extent of cybercrime, we know that it is having a significant negative impact on business and that, instead of slowing, cyber attacks are escalating at what could be considered an alarming rate. Even without verified and complete numbers, we calculate that the Internet economy generates between $3 trillion and $5 trillion globally and that cybercrime extracts between 15 percent and 20 percent of this value. The Center for Strategic and International Studies commented that cybercrime is a rapidly growing industry because of the high potential rate of return on investment and the low risk of detection and prosecution. Many legitimate enterprises would love to have the same economic opportunity that cybercriminals currently enjoy.

The April 2016 Internet Security Threat Report produced by Symantec highlights the extent of the cyber crisis. According to their analysis, 430 million new and unique pieces of malware were discovered in 2015. This represents an increase of 36 percent from the prior year. While this is a huge number, we know that malware does not go out of style in the underground cybercrime community. Attack tools and malicious code that were produced over the past several years are still commonly used and remain very effective. It is impossible to know the full extent of the library of malicious code that is either currently in use or available to hackers. The result, however, is that one-half billion personal records were either lost or stolen in 2015. This comes as the result of the known 1 million attacks that were launched against individuals each and every day in 2015. The state of cybersecurity can best be described as “hackers gone wild.” There seems to be no system that cannot be compromised and no information that is safe.

While the daily impact of cybercrime is alarming, the most significant impact cybercriminals can have is on emerging technologies and business activities. The history of cybercrime demonstrates that as technology advances, so, too, do attacks against systems and the resulting damage that attacks bring. We are in an early stage of global transformation where the combined impact of cloud computing, mobile technologies, big data, analytics, robotics, and the interconnected world of smart devices has the potential to change everything. We have seen demonstrations where self-driving cars can be compromised and hackers can access avionics systems in flight. We know that devices such as insulin pumps and pacemakers are vulnerable.

How can we expect that advanced technology applications are safe when technologies that we have relied on and that are business critical are not secure? The Symantec 2016 Internet Security Threat Report found that 78 percent of scanned web sites were vulnerable and that 15 percent had critical security flaws. The report also identified that zero-day vulnerabilities increased by 125 percent between 2014 and 2015. If a technology with which we have long-term experience, such as web site deployments, is so ill protected from even traditional attack mechanisms, how prepared can we expect to be against zero-day attacks and the even more insidious advanced persistent threats?

ISACA research recognizes that enterprises are more aware of the risk of advanced persistent threats (APTs) and are taking action to better manage this risk. Sixty-seven percent of respondents to the 2015 Advanced Persistent Threat Awareness survey were familiar or very familiar with APTs. Unfortunately, many organizations are relying on traditional defense and detection mechanisms, which may only be minimally effective against persistent threats. While Web intrusions resulting from configuration or other security lapses are possible and APTs are likely, there is a growing trend to attack mobile devices. The Symantec Threat Report indicated a 214 percent increase in mobile vulnerabilities in 2015.

While we see greater recognition of the cyber problem and its impact on business, this does not necessarily translate into better cyber defense. What is needed is a rethinking of how information and cybersecurity are governed, managed, and implemented: a more holistic, business-focused approach to cybersecurity, and recognition that cybersecurity is a business issue and not just a technical problem.

The Time for Change

The need to innovate, the accelerated integration of business and technology, the drive for better performance, and the exploitation of new technologies for business benefit can realistically happen only if cybersecurity is how business is done, instead of being addressed as an afterthought. While many organizations continue to see cybersecurity as a technical problem, we are beginning to see changes that will only enhance the effectiveness of cyber risk management.

The State of Cybersecurity: Implications for 2016

A joint research activity by the RSA Conference and ISACA shows that cybersecurity is increasingly being seen as a business enabler. As organizations strive to become fully digital, and as they exploit benefits derived from emerging technology solutions, security must become a core organization capability involving all departments and not just information technology (IT). We see from the ISACA research that most boards of directors (82 percent) are concerned or very concerned about cybersecurity. Board concern should translate into action. A possible consequence of board attention is that most organizations have developed and are enforcing their cyber policies (66 percent) and are providing what security leaders believe is appropriate funding (63 percent). More importantly, perhaps, 75 percent of those responding to the survey indicated that their cyber strategy is now aligned with enterprise objectives.

Connecting cyber activities to business goals and aspirations is perhaps the most important element in becoming a cyber risk–managed organization. While many security leaders felt that they were adequately funded, board and executive leader attention is resulting in budget increases for 61 percent of the organizations participating in the study. Investments are necessary to do more than keep up with cyber threats. As cyber becomes integral to how new products, services, and capabilities are developed, additional funding is required. Participants in the ISACA/RSA survey reported that this additional funding will provide increased compensation for skilled cyber specialists, enhanced training, broader awareness activities, and more effective response and recovery planning.

Increasing Cyber Risk Management Maturity

Best-performing organizations, with more mature cyber risk management capabilities, share several common characteristics. They commonly:

  • Recognize the importance of cybersecurity and address it as a board issue and value enhancer.
  • Ensure that executive management is engaged in leading cyber efforts and support cybersecurity as a business issue.
  • Manage cyber risks within an enterprise risk management approach providing the necessary human and capital support for programs and initiatives.
  • Follow established cybersecurity standards or frameworks in building, managing, and monitoring the enterprise cyber program.
  • Continuously evaluate cybersecurity performance against business goals and objectives.
  • Track and report cybersecurity performance against the international standards and frameworks used to design and implement their program.
  • Fine-tune cybersecurity priorities and activities as enterprise needs and threats change.

What sets best-performing organizations apart from the crowd is that they address cybersecurity as an essential part of how products and services are designed and delivered. These organizations look at cybersecurity as an integral part of business that involves everyone from the board to computer users throughout the organization.

For those who recognize that cybersecurity is a business issue and that cyber risks need to be considered within the context of an enterprise risk management program, the consequences are significant. Best-performing organizations typically experience fewer incidents, the impact of incidents is less severe, and recovery times are quicker. More mature organizations, in summary, better manage cyber risk and are more resilient. Reaching this level of cyber preparedness and defense has been a challenge, however, since business leaders, who need to understand their role, did not have business-oriented guidance available to them. Information and cybersecurity have appeared as a technical issue and not a core part of how things are done and how the business operates. Value has been seen as coming from new products or the adoption of new technologies, without connecting the need for protection with value-enhancing business strategies.

The Cyber Risk Handbook changes this. It is written from the perspective of, and in a language that will resonate with, both technology and business unit leaders. It captures the elements of organization theory and design that have been shown to be essential in creating mature organizations that experience exceptional performance.

A major advancement in thinking that business executives will appreciate is found in the concept of the business model for information security, as presented in Figure 1.1 in our Introduction. This drawing demonstrates the essential elements found in every organization and the interconnectedness of these elements. Every organization can be described in terms of the organization structure, the people, the technology they leverage, and the processes that bind organization, people, and technology together to achieve business goals. What is less often considered is the importance of the culture connecting people within the organization, the human factors that need to be considered in making technology useful for both customers and staff, and the effectiveness of the technology design or architecture in supporting the business. Often missed in reference guides for cybersecurity practitioners and business leaders is the enabling power of governance connecting organization design to processes, how technology needs to foster more effective processes, and how processes support business enablement through technology. The mature organization understands how these elements come together and how intrinsic they are to creating superior risk management capabilities.

Understanding cybersecurity as part of a system will lead boards and management to a better understanding of cyber defense within the organization and the components of the business that need to be energized to create the culture, structures, and programs required for an effective risk management system. While this understanding is essential, concepts need to be connected with concrete guidance. This is achieved in The Cyber Risk Handbook by leveraging COBIT 5: A Business Framework for the Governance and Management of Enterprise IT and COBIT 5 for Information Security. Of particular importance is the presentation of the seven COBIT 5 enablers, shown in Figure 1.2, and the use of these enablers as the guiding structure for The Cyber Risk Handbook. While cybersecurity leverages security technology, what separates mature organizations from others is the ability to effectively exploit the interconnectedness of security principles, processes, and frameworks with enterprise-wide processes, structures, culture and behavior, and services and infrastructures and to effectively integrate information as part of the enterprise risk management program.

In planning and executing attacks against organizations, hackers and adversaries often take a holistic approach. Hackers and adversaries are attackers that consider how best to overcome the significant defenses that organizations have constructed to protect their sensitive business and personal information as well as their critical resources. Attackers consider where there are avenues of weakness, understanding that the organization’s culture and behavior as well as services and applications can become easy access paths for compromise instead of competent defenses. Creating convincing e-mail messages to entice users to open an attachment or visit an infected web site, or to disclose security credentials in response to a contrived message from the support desk, is a frequent attack mechanism that proves very successful. A mature risk-managed organization creates awareness that seemingly legitimate messages should not be trusted when they run counter to established processes, and its organization culture supports the idea that it is acceptable to question the legitimacy of a request.

The Cyber Risk Handbook provides a perspective of cybersecurity that breaks the barriers between those whose job is technology provisioning and administration and those who are responsible for business innovation, program development, and front-line customer support. It provides cybersecurity guidance that is understandable, since it builds on common experience, demonstrating how cybersecurity can build on this experience to create a different outcome. The Cyber Risk Handbook will be an invaluable tool in helping organizations reach the level of cyber protection required to support your organization’s goals and objectives.

About ISACA

As an independent, nonprofit, global association, ISACA engages in the development, adoption, and use of globally accepted, industry-leading knowledge and practices for information systems. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves. Incorporated in 1969, ISACA today serves 140,000 professionals in 180 countries. ISACA provides practical guidance, benchmarks, and other effective tools for all enterprises that use information systems. Through its comprehensive guidance and services, ISACA defines the roles of information systems governance, security, audit, and assurance professionals worldwide. The COBIT framework and the CISA, CISM, CGEIT, and CRISC certifications are ISACA brands respected and used by these professionals for the benefit of their enterprises.

About Ron Hale

Ron Hale, PhD, CISM, is the chief knowledge officer at ISACA. He brings wide professional experience gained from serving as a forensic investigator, information security manager, security consultant, and researcher. In his current position he represents the professional and career needs of ISACA’s constituents across the professional areas of specialization ISACA represents. Ron was admitted to the Directorship 100 by the National Association of Corporate Directors (NACD) for his contributions to corporate governance. He has a master’s degree in criminal justice from the University of Illinois (United States) and a doctorate in Public Policy from Walden University (United States).
