Can you do a SUMMARY for each CHAPTER from this book: 5 main ideas of the assigned chapter, along with a brief narrative explaining the idea, its importance, and reasons for its importance.


Financial
Cybersecurity Risk
Management
Leadership Perspectives and
Guidance for Systems and
Institutions
Paul Rohmeyer
Jennifer L. Bayuk
Foreword by Dr. Larry Ponemon
Financial Cybersecurity Risk Management: Leadership Perspectives and
Guidance for Systems and Institutions
Paul Rohmeyer
Stevens Institute of Technology,
Hoboken, NJ, USA
Jennifer L. Bayuk
Stevens Institute of Technology,
Hoboken, NJ, USA
ISBN-13 (pbk): 978-1-4842-4193-6
https://doi.org/10.1007/978-1-4842-4194-3
ISBN-13 (electronic): 978-1-4842-4194-3
Library of Congress Control Number: 2018966187
Copyright © 2019 by Paul Rohmeyer, Jennifer L. Bayuk
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or
part of the material is concerned, specifically the rights of translation, reprinting, reuse of
illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way,
and transmission or information storage and retrieval, electronic adaptation, computer software,
or by similar or dissimilar methodology now known or hereafter developed.
Trademarked names, logos, and images may appear in this book. Rather than use a trademark
symbol with every occurrence of a trademarked name, logo, or image we use the names, logos,
and images only in an editorial fashion and to the benefit of the trademark owner, with no
intention of infringement of the trademark.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if
they are not identified as such, is not to be taken as an expression of opinion as to whether or not
they are subject to proprietary rights.
While the advice and information in this book are believed to be true and accurate at the date of
publication, neither the authors nor the editors nor the publisher can accept any legal
responsibility for any errors or omissions that may be made. The publisher makes no warranty,
express or implied, with respect to the material contained herein.
Managing Director, Apress Media LLC: Welmoed Spahr
Acquisitions Editor: Susan McDermott
Development Editor: Laura Berendson
Coordinating Editor: Rita Fernando
Distributed to the book trade worldwide by Springer Science+Business Media New York,
233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505,
e-mail orders-ny@springer-sbm.com, or visit www.springeronline.com. Apress Media, LLC is a
California LLC and the sole member (owner) is Springer Science + Business Media Finance Inc
(SSBM Finance Inc). SSBM Finance Inc is a Delaware corporation.
For information on translations, please e-mail rights@apress.com, or visit http://www.apress.com/rights-permissions.
Apress titles may be purchased in bulk for academic, corporate, or promotional use. eBook
versions and licenses are also available for most titles. For more information, reference our Print
and eBook Bulk Sales web page at http://www.apress.com/bulk-sales.
Any source code or other supplementary material referenced by the author in this book is available
to readers on GitHub via the book’s product page, located at www.apress.com/9781484241936.
For more detailed information, please visit http://www.apress.com/source-code.
Printed on acid-free paper
This book is dedicated to all the technology risk
managers in the financial industry, with whom the
authors have utmost empathy.
Table of Contents
About the Authors ... xi
Series Editor’s Foreword ... xiii
Foreword ... xix
Acknowledgments ... xxi
Chapter 1: What Are We Afraid Of? ... 1
  Understanding the Threat Environment ... 1
  Overview of the Risk Landscape ... 2
  Understanding the Adversary ... 3
  Threat Categories for Financial Organizations ... 6
    That’s Where the Money Is – Theft of Funds ... 6
    Information Is Power – Theft of Data ... 7
    Clogging Up the Works – Threats of Disruption ... 9
  Facing the Threats ... 11
  Threat Intelligence ... 12
  Threat Modeling ... 13
  Implementation ... 15
  Moving Ahead ... 17
  Notes ... 18
Chapter 2: Where Are We Vulnerable? ... 21
  Cybersecurity Weaknesses ... 21
  Technology Vulnerabilities ... 22
  New Technologies ... 27
  Human Vulnerability Dimensions ... 29
  An Illustration: Business E-mail Compromise ... 32
  Understanding the Consequences ... 34
  Moving Ahead ... 46
  Notes ... 46
Chapter 3: What Would a Breach Cost Us? ... 49
  Risk Quantification ... 49
  Scenario Creation ... 54
  Scenario Selection ... 58
  Cost Estimation ... 62
  Moving Ahead ... 70
  Notes ... 70
Chapter 4: What Are the Odds? ... 73
  Plausible Deniability ... 73
  Cybersecurity Risk As Operational Risk ... 75
  Shortage of Sufficient Historical Data ... 78
  Probabilities Driven by Vulnerabilities ... 82
  The Next Evolution ... 91
  Moving Ahead ... 100
  Notes ... 101
Chapter 5: What Can We Do? ... 105
  Risk Treatment Across the Organization ... 106
    Avoidance ... 106
    Reduction ... 107
    Transfer ... 111
    Acceptance ... 114
  Risk Treatment Across the Enterprise Architecture ... 115
  Executing on Risk Treatment Decisions ... 118
  Validating Effectiveness in Execution ... 121
  Moving Ahead ... 123
  Notes ... 124
Chapter 6: How Do I Manage This? ... 125
  Governance Operating Model ... 126
  Cybersecurity Risk Appetite ... 133
  Cybersecurity Performance Objectives ... 140
  Moving Ahead ... 154
  Notes ... 154
Chapter 7: Should This Involve the Whole Organization? ... 157
  Architectural View ... 158
  Enterprise Capabilities ... 168
  Monitoring and Reporting ... 176
  Metrics ... 184
  Moving Ahead ... 189
  Notes ... 190
Chapter 8: How Can We Improve Our Capabilities? ... 193
  Build a Learning Organization ... 194
  Improve the Quality of Risk Assessments ... 197
  Use Organizational Knowledge ... 203
  Take Action Based on the Risk Assessment ... 205
  Build Situational Awareness ... 207
  Conduct Realistic Drills, Tests, and Games ... 211
  Design of Technical Tests ... 215
  Move from Controls-Thinking to Capabilities-Thinking ... 217
  Moving Ahead ... 219
  Notes ... 220
Chapter 9: What Can We Learn From Losses? ... 223
  Breaches Provide the Context That Standards Lack ... 224
  Technology-Focused Resilience Is Just the Beginning ... 225
  The Learning Organization Revisited ... 226
  Easier Said Than Done ... 227
  AntiFragile ... 228
  Learn, Study Mistakes, and Learn Again ... 231
  Moving Ahead ... 232
  Notes ... 233
Chapter 10: So What’s Next? ... 235
  Complexity and Interconnectedness ... 235
  Potential Cybersecurity Implications ... 240
  Emerging Standards ... 243
  Notes ... 248
Index ... 251
About the Authors
Paul Rohmeyer, PhD has extensive industry
and academic experience in Information
Systems Management, IT Audit, Information
Security, Business Continuity Planning, and
Vendor Management, among other areas. Paul
is a faculty member in the School of Business
at Stevens Institute of Technology and has
presented and published on information
security, decision-making, and business
continuation. He has provided senior-level
guidance to numerous financial institutions
in the areas of risk management, information
assurance, and network security over the past two decades.
Prior to his consulting career, Paul served as Director of IT for AXA
Financial and Director of IT Architecture Planning for SAIC/Bellcore. Paul
holds M.S. and Ph.D. degrees in Information Management from Stevens
Institute of Technology, the MBA in Finance from St. Joseph’s University,
and the B.A. in Economics from Rutgers University. Paul has achieved
the CGEIT (Certified in the Governance of Enterprise IT), PMP (Project
Management Professional), and NSA-IAM (US National Security Agency
Information Assurance Methodology) credentials.
Jennifer L. Bayuk, PhD is a Cybersecurity
Due Diligence expert and CEO of Decision
Framework Systems, Inc. She has been
a Global Financial Services Technology
Risk Management Officer, a Wall Street
Chief Information Security Officer, a Big 4
Information Risk Management Consultant, a
Manager of Information Technology Internal
Audit, a Security Architect, a Bell Labs Security
Software Engineer, a Professor of Systems
Security Engineering, a Private Cybersecurity
Investigator, and an Expert Witness. Jennifer is
a cybersecurity risk management consultant and an adjunct professor at
Stevens Institute of Technology.
Jennifer has numerous publications on information security
management, information technology risk management, information
security tools and techniques, cybersecurity forensics, technology-related
privacy issues, audit of physical and information systems, security
awareness education, and systems security metrics. She has Masters
Degrees in Computer Science and Philosophy, and a PhD in Systems
Engineering. Her certifications include CISSP, CISA, CISM, CGEIT, and a
NJ State Private Investigator’s License.
Series Editor’s Foreword
The cliché about military planners—that they are always preparing to
fight the last war—may apply to many of us in the financial industry as
well. The financial crisis of 2008 was driven by excessive leverage and
dodgy asset valuations and so we focused on shoring up the banking
industry through stronger regulation, expanded capital requirements,
rigorous stress testing, and better valuation and risk modeling. But the
risks being modeled are the traditional ones: credit, liquidity, market risk.
And the stress testing concentrates on standard macroeconomic scenarios:
recessions, oil price shocks, inflation, and the like.
But what if the risks that drive the next crisis come from a different
direction? In particular, what if the next crisis is precipitated by a
successful cyberattack on some key component of the financial system
such as an attack that might take down a stock exchange or compromise
a major bank or steal identities and financial assets on a large scale or an
attack that might propagate at lightning speed across the globe, racing
through markets that are now highly integrated and automated? Is this the
next war that we are unprepared for?
There are plenty of red flags to suggest that this may be the case:
• It has been estimated that there are six new malware programs released every second (121 million per year).1
• According to some sources, 40% of smart home appliances (cameras, DVRs, kitchen appliances) globally are currently compromised and being used for botnet attacks.2
• Even ultra-secure systems—such as a Boeing 757 aircraft—have been hacked, and could be “cyber-hijack-able.”3
• There were over 300,000 unfilled cybersecurity jobs in the US in 2018, perhaps a symptom of unpreparedness.4
1 Adam Janofsky, “How AI Can Help Stop Cyberattacks,” The Wall Street Journal, September 19, 2018
In this threat-dense environment, even our vocabulary is disrupted.
“User-friendly” becomes a synonym for “hacker-friendly” and a “network”
becomes a channel for “contagion” and “secure” may now translate as
“complacent.”
Paul Rohmeyer and Jennifer Bayuk have written a book that should
become a cornerstone for planners and decision makers in both the
public and private sectors who are concerned with understanding and
countering the vulnerabilities of the modern financial system. It is a timely
initiative. Cybersecurity originally emerged as a discipline in the defense
and national security field, but there is a growing concern that the financial
system is perhaps at even greater risk from cyber crime, in part because
it has evolved to be so much more open and interconnected in the very
nature of its business models, and in part (as Willie Sutton, the bank
robber, would say) because that is where the money is.
2 Sarah Murray, “When Fridges Attack: Why Hackers Could Target the Grid,” The Financial Times, October 17, 2018
3 Peggy Hollinger, “Aircraft Face Remote Hijacking Risk,” The Financial Times, October 17, 2018
4 Janaki Chadha, “Wanted: Cybersecurity Skills,” The Wall Street Journal, September 19, 2018
Financial Cybersecurity Risk Management is truly the first book
to address this issue comprehensively. It is intended for a broad
audience, to both introduce and characterize the evolving cyber
threat matrix confronting our financial institutions, and to outline the
principles of sound management for developing and deploying effective
countermeasures. It will appeal, we hope, both to those involved in setting
policy and to those responsible for implementation.
This is the second title in the Stevens Series in Quantitative Finance.
Finance today is an industry in the throes of a technological and regulatory
revolution which is transforming the capital markets, upending traditional
business models, and rewriting the academic curriculum. It is an industry
characterized by an expanding spectrum of risk, driven by technological
changes that are engendering more dangerous “unknown unknowns”
than ever before. It is an industry confronting the emergence of systemic
phenomena—especially intensified network effects or “contagions”—that
are the result of vastly increased levels of interconnectedness among
automated agents in fully globalized electronic markets. It is an industry
where everything is suddenly speeding up. The old manual markets and
the old relationship-based networks have been displaced by high-tech,
high-speed systems that threaten to outstrip our governance structures
and management capabilities. Finance is an industry where up-to-date
technical knowledge is more critical than ever. It is an industry in need of a
new syllabus. The aim of this series is to supply the industry that syllabus.
For more than a decade, we at the Stevens Institute of Technology
have been developing new academic programs to address the needs of the
rapidly evolving field of quantitative finance. We have benefited from our
location in the New York/New Jersey financial center, which has given us
access to practitioners who are grappling directly with these changes and
can help orient our curriculum to the real needs of the industry. We are
convinced that this is one of those periods in history in which practice is
leading theory. That is why the perspective of Paul Rohmeyer and Jennifer
Bayuk, who have spent many years working in this field before joining our
faculty, is so valuable.
Working with Springer Nature and Apress, we are designing this series
to project to the widest possible audience the curriculum and knowledge
assets underlying the “new finance.” The series audience includes
practitioners working in the finance industry today and students and
faculty involved in undergraduate and graduate finance programs. The
audience also includes researchers, policymakers, analysts, consultants,
and legal and accounting professionals engaged in developing and
implementing new regulatory frameworks for the industry. It is an
audience that is pragmatic in its motivation and that prizes clarity and
accessibility in the treatment of potentially complex topics.
Our goal in this series is to bring the complexities of the financial
system and its supporting technologies into focus in a way that our
audience will find practical, useful, and appealingly presented. The titles
forthcoming in this series will range from highly specific skill set-oriented
books aimed at mastering particular tools, techniques, or problems, to
more comprehensive surveys of major fields, such as Rohmeyer and
Bayuk provide in the present work for the field of financial cybersecurity.
Some titles will meet the criteria for standard classroom textbooks.
Others will be better suited as supplemental readings, foregoing the
textbook paraphernalia of axioms, exercises, and problem sets in favor of
a more efficient exposition of important practical issues. Some of these
will focus on the messy interstices between different perspectives or
disciplines within finance. Others will address broad trends, such as the
rise of analytics, data science, and “large p, large n” statistics for dealing
with high-dimension data (big data for financial applications). We also
plan policy-oriented primers to translate complex topics into suitable
guidance for regulators (and those being regulated). In short, we plan to
be opportunistically versatile with respect to both topic and format, but
always with the goal of publishing books that are accurate, accessible,
high-quality, up-to-date, and useful for all the various segments of our
industry audience.
A fertile dimension of our partnership with Springer Nature and
Apress is the program for full electronic distribution of all titles through the
industry-leading SpringerLink channel as well as all the major commercial
e-book formats. In addition, some of the series titles will be coming out
under the open-access model known as ApressOpen and will be available
to everyone free of charge for unlimited e-book downloads. Like the
finance industry, the publishing industry is undergoing its own tech-driven
revolution, as traditional hardcopy print forms yield increasingly
to digital media and open-source models. It is our joint intention with
Springer Nature and Apress to respond vigorously and imaginatively
to opportunities for innovative content distribution and for the widest
dissemination enabled by the new technologies.
The Stevens Series in Quantitative Finance aspires to serve as a
uniquely valuable resource for current and future practitioners of modern
finance. To that end, I cordially invite you to send your comments,
suggestions, and proposals to me at gcalhoun@stevens.edu, and I thank
you in advance for your interest and support.
—George Calhoun
Program Director, Quantitative Finance
Stevens Institute of Technology
Foreword
A major deterrent to achieving a strong cybersecurity posture in the
financial services industry is the inability to understand and manage
the risk to critical systems and sensitive information. IT security leaders
in financial services are keenly aware that recent well-publicized mega
breaches and new cybersecurity regulations such as the New York State
Department of Financial Services 23 NYCRR 500 are creating a sense of
urgency among CEOs and boards of directors to address the threats facing
their organizations.
Authored by Dr. Paul Rohmeyer, Program Director of the renowned
Master of Science in Information Systems in the Stevens Institute of
Technology School of Business, and Dr. Jennifer Bayuk, cybersecurity
researcher and former cybersecurity executive, Financial Cybersecurity
Risk Management offers valuable guidance on how to manage
cybersecurity risk at the enterprise level. It is unique in its specific focus
on the challenges financial organizations face, including those involving
governance and culture.
The analysis begins with a thorough examination of the threat
landscape in the financial services industry and the importance of
understanding technology and human vulnerabilities. These vulnerabilities
include the plethora of mobile devices in the workplace and the growing
frequency and severity of Business E-mail Compromises (BEC). According
to a recent Ponemon Institute study,1 79 percent of companies represented
in the research say they certainly or likely experienced a serious data
breach or cyber attack during the past 12 months, such as phishing or
business e-mail compromise. More than 53 percent of respondents in the
study say it is very difficult to stop BECs.
1 Email Impersonation Attacks: A Clear & Present Danger, conducted by Ponemon Institute and sponsored by Valimail, July 2018
Financial Cybersecurity Risk Management also discusses the
consequences of data breaches when high-value assets are targeted.
The findings from a Ponemon Institute study2 are consistent with the
authors’ assessment that not safeguarding these assets will have serious
consequences. According to the research, the cost to recover from an
attack against high-value assets can average $6.8 million.
Once organizations understand their risk, the question posed is “How
do I Manage This?” According to the authors, decision makers need to
understand and communicate how technology supports strategy and how
the enterprise governance function can help achieve a strong cybersecurity
posture. Financial Cybersecurity Risk Management concludes with the
potential cybersecurity implications created by new technologies that
improve the customer experience and emerging standards that will result
in increasing scrutiny of the financial services industry.
Given the mounting need to make cybersecurity a priority, Financial
Cybersecurity Risk Management can be key to preparing financial
organizations to think long-term and understand the investments they
should be making in people, process, and technologies to prevent a
catastrophic data breach or cyberattack. I strongly recommend Financial
Cybersecurity Risk Management to IT and IT security professionals as well
as to boards of directors and CEOs.
—Dr. Larry Ponemon
Chairman and Founder
Ponemon Institute
2 The Second Annual Study on the Cybersecurity Risk to Knowledge Assets, conducted by Ponemon Institute and sponsored by Kilpatrick Townsend, April 2018
Acknowledgments
The authors would like to acknowledge the numerous colleagues, students,
industry experts, and friends who provided countless hours of support and
guidance in the creation of this book.
Dr. Rohmeyer would like to thank his wife, Jennifer Rohmeyer,
and children, August, Terence, Leenie, and Gabriel, for their support
and for politely enduring the always entertaining ad hoc exploration
of cybersecurity risk management that frequently seems to come up
throughout their many adventures.
Dr. Bayuk would like to acknowledge the constant support and
encouragement of her husband, Michael Bayuk.
The authors would also like to thank Lori Ayres for wrestling through
many complex requirements to create the excellent cartoons you will find
throughout this book, and Jane Natoli for her diligent editing and helpful
suggestions.
CHAPTER 1
What Are We Afraid Of?
The financial industry depends on the interconnection of institutions,
markets, service providers, and customers that rely on a highly
complex technology environment. The evolving characteristics of the
global financial systems architecture drive an ever-expanding array
of management challenges. Cybersecurity risk exists throughout the
enterprise architecture in technology, personnel, and process domains,
resulting in substantial risk management challenges. A variety of threats
are evident and can exploit many aspects of the new complexity to gain
access to critical systems and sensitive information.
Understanding the Threat Environment
This chapter examines the nature and extent of prevailing cybersecurity
threats to financial institutions and markets. We are witnessing a truly
global phenomenon that has manifested itself in several ways. It is
apparent that the relative level of skill and motivation of adversaries has
improved substantially over the past several years, and the degree of
sophistication of attacks continues to grow. There has been a rapid
evolution of attacker tactics, with successive forms of attacks often
improving upon earlier attack vectors. A detailed knowledge of the
prevailing threat is essential to the development of an effective
cybersecurity architecture. This knowledge should include understanding
the various types of threat actors and their respective motivations, as well
as their common tactics. An appreciation of threats is essential not only to
defending against them but also to providing justification for funding
adequate defenses. An in-depth understanding of the cybersecurity threats
that are actually impacting institutions must be shared with business
leaders to support and guide resource allocation decisions. It would not be
unfair to observe that security solution providers have at times inflated
fear, uncertainty, and doubt in efforts to sell products and services into
the cybersecurity marketplace, perhaps leading to inflated skepticism on
the part of business leaders. A mastery of threat concepts, and continuous
monitoring of the threat landscape, may be helpful in convincing
management of the present threat realities and the need for an appropriate
response.
Overview of the Risk Landscape
Cyber threats impact the organization as Operational Risk—risk that
potentially results from, or impacts upon, control failures within any
domain of enterprise architecture. This includes the chance for disruptions
resulting from failed systems and processes, whether intentional or
otherwise. Operational risk exists in all systems, processes, and financial
activities and could ultimately lead to financial and other types of risk
events. Enterprise Governance is expected to provide a platform to treat
various aspects of Operational Risk; however, cybersecurity risk presents
relatively unique characteristics that differentiate it from other types of
operational challenges.
In the financial industry Operational Risk commonly involves
technology, directly and indirectly. Direct risks include the potential
for technical failures resulting from intentional or accidental misuse or
from the manifestation of design flaws. Risk accrues indirectly due to
an enterprise’s reliance on deployed technology. Simply, enterprises
that successfully deploy technical solutions will integrate the new
technology into all facets of architecture; therefore, a sudden disruption
to, or unavailability of, the technology could present adverse impacts.
The nature of recent technical trends has presented unique risks. This
includes the widespread consumerization of information technology via
mobile devices. Mobility has res