Over the past 25 years, IT and information security have become more commoditized and based on a common security model, in which the focus is on infrastructure rather than asset protection. As internet technology has become cheaper and accepted as the industry standard, the emphasis has been on commercial off-the-shelf, easily deployable security mitigations to address generic threats on an enterprise-wide basis. Such an approach was largely sufficient for non-military organizations 10 years ago, but during the last five years, the number of Targeted Attacks reported in industry has generally increased. And while the implementation of uniform, commoditized security solutions is an important component in addressing opportunistic threats, enhanced risk management practices are more important than ever to ensure the adoption of appropriate mitigation measures to counter the more sophisticated attacks, which will focus on specific assets.
However, while risk management is a well understood discipline, the most commonly taken approach has challenges when applied to addressing cyber risks, including Targeted Attacks. Since the threat environment is constantly changing, past successes in managing cyber risks are neither reliable indicators of actual security nor a sound sole basis for future planning. Additionally, many organizations have determined which risks should be managed by elevating various concerns to senior management. Managers then considered these concerns and evaluated them relative to each other, before ultimately allocating resources across the risks. According to Aon’s 2011 Global Risk Management Survey, many organizations still use this method: “Senior management’s intuition and experience remains the primary method used by survey respondents to identify and assess major risks facing their organizations.”
This intuitive approach is bound to fail, because senior management cannot possibly understand and assess the full breadth and depth of today’s cyber risks. It is also the case that, unlike many corporate risk assessments relating to security, the question of probability is a moot point: for most organizations, some degree of internal compromise of computer systems is inevitable.
Considerations of the appropriate in-depth approaches to risk management are beyond the scope of this paper. It is, though, worth noting that regardless of the analysis and assessment models employed, addressing Targeted Attacks specifically requires that digital assets are identified, that the potential business impacts of their compromise are understood, and that the potential motivations and capabilities of Determined Adversaries are reflected in the deployment of countermeasures.