Risk: Focus On Your Main Thing(s)

April 27, 2015
CyberPhysicalHuman: Post by Rob Simmons, Peter Sheingold, and Chris Folk

The scope of convergence in a CyberPhysicalHuman world, where billions of smart, connected devices will increasingly be integrated into people's day-to-day lives, means that assessing risk and prioritizing security investments will be more complicated. What is connected to what, and who is connected to whom? What are the physical implications? What are the human implications?

This starts to sound pretty overwhelming.

That's why it's important for individual companies and organizations to understand their key mission(s) and the potential impact of their products and services on the people who use them. Knowing their key mission(s) helps organizations prioritize and focus their security investments. For a medical device manufacturer, protecting patients from being harmed by a hacked device is very important. For a financial services company, protecting the integrity of customer financial records is very important. For almost all organizations, protecting the privacy of their customer and employee information is very important.

To illustrate these points, consider a hypothetical question from the Internet of Things. What risk does a networked refrigerator pose to the people who use it? For most of us, being able to query our refrigerator from work to see whether we need to buy anything on the way home poses little risk. Now consider the same networked refrigerator, but this time installed in a subway control center to keep beverages cold for the staff who monitor and manage trains carrying thousands of passengers. The device is the same; what has changed is what it is connected to and who depends on the systems it can reach. If an attacker could compromise the refrigerator and use it as a foothold from which to attack the train control system, the refrigerator now poses a risk to everyone who depends on that control center's ability to execute its mission. It would be prudent for the control center to include networked refrigerators, and any other device that shares a network with the train control system, in its risk assessment.

The late-2014 attack on Sony Pictures shows that organizations seldom have just one "main thing" to protect. It should be apparent that an entertainment company needs to protect against the loss of its original content, such as unreleased movies. But the attack also showed the damage done by the theft and public release of embarrassing emails and personal information about Sony employees.

The first step toward improving security remains what it has always been: identify and understand what is most important to protect. The next step is to identify the threats against those "main things." We will discuss threats in our next article.

This post is part of the CyberPhysicalHuman series:

  1. The CyberPhysicalHuman World of Homeland Security
  2. Convergence: A Recent History
  3. Risk: Focus On Your Main Thing(s)
  4. Applying Ancient Wisdom to Help Manage Modern Risks
  5. Resilience Is a Team Sport
  6. Resilience, Moving Beyond Sectors
  7. Enabling Effective Collaboration with Shared Threat Information
  8. Wrapping It Up and Moving Forward
  9. Coming Closer and Closer to You
  10. More Ancient Wisdom for Today's CyberPhysicalHuman World
  11. There is No One-Size Fits All Approach to the CyberPhysicalHuman World