2023 Early Hearing Detection & Intervention Conference
March 5-7, 2023 • Cincinnati, OH
9/27/2017 | 11:15 AM - 12:00 PM | Measuring a System’s Cyber Security Risk | Track 3 - Metrics
Measuring a System’s Cyber Security Risk
Risk management starts with understanding the treats and vulnerabilities then identifying the appropriate mitigation action. But risk management decisions need to be based in facts, quantitative and qualitative information. The purpose of quantifying a system’s risk is to provide additional information for the decision process, especially with respect to resources. When resource decisions (personnel or financial) are made, they are made with respect to the system under discussion, what is the impact if the resources are not provided. But in difficult financial times, if one system receives resources, then there is another system that may not receive the requested level of resources. However, there has not been an ability to quantify the cyber security risks for the systems requesting resources.
The federal government is standardizing risk through the NIST Risk Management Framework, but cyber security risk management presents unique challenges to evaluate and determine the risks. Most federal agencies and companies have many systems in their inventory that present different levels of risk. For federal agencies, some systems may be classified by the Department of Homeland Security (DHS) as “High Value Assets (HVA)”, some are Federal Information Security Management Act (FISMA) reportable, some are classified as mission critical by federal guidelines. These are isolated pieces of information about the systems; there is no clear methodology for determining a system’s risk.
A quantifiable methodology is needed to measure system cyber security risk. The concern is that without a quantifiable methodology to evaluate cyber security risks:
• Systems identified as highest risk may be based on knowledge of the system and/or experience with it and unknown systems may not be considered high risk;
• System cyber security risk may not be considered during resource evaluations;
• Systems that have higher cyber security risks may not be properly protected or resourced.
This presentation discusses a methodology developed at Federal Student Aid (Department of Education) to quantify cyber security risks for systems that can be adapted for any organization.
Presentation:
This presentation has not yet been uploaded.
Handouts:
Handout is not Available
Transcripts:
CART transcripts are NOT YET available, but will be posted shortly after the conference
Presenters/Authors
Linda Wilbanks
(), Federal Student Aid Department of Education, linda.wilbanks@ed.gov;
Dr. Wilbanks currently serves as the Chief Risk Office for Cyber Security at Federal Student Aid (FSA) within the Department of Education. Dr. Wilbanks responsible for developing a risk management program to identify and manage all cyber security risks for the data and networks. For the past 4 years Dr. Wilbanks served as the Chief Information Security Officer at FSA. Prior to coming to FSA, Dr. Wilbanks served as the Command Information Officer at the Naval Criminal Investigative Service; CIO at the National Nuclear Security Administration ; and the CIO for GSFC NASA. Prior to joining federal service, Dr. Wilbanks taught mathematics and computer science. Dr. Wilbanks is an Adjunct Professor at Towson University teaching cyber security risk management.
Dr. Wilbanks hold a Bachelors degree in Mathematics and Secondary Education from Towson University MD, a Masters degree in Engineering Science from Loyola University MD and a Doctorate in Computer Science from University of Maryland Baltimore. She is an associate editor for the IEEE journal IT Professional and is a member of the advisory boards for the international IEEE organization and for Towson University.
ASHA DISCLOSURE:
Financial -
Nonfinancial -