Financial Cybersecurity Risk Management (eBook)
XXI, 259 pages
Apress (publisher)
978-1-4842-4194-3 (ISBN)
Financial Cybersecurity Risk Management explores a range of cybersecurity topics impacting financial enterprises. This includes the threat and vulnerability landscape confronting the financial sector, risk assessment practices and methodologies, and cybersecurity data analytics. Governance perspectives, including executive and board considerations, are analyzed as are the appropriate control measures and executive risk reporting.
What You'll Learn
- Analyze the threat and vulnerability landscape confronting the financial sector
- Implement effective technology risk assessment practices and methodologies
- Craft strategies to treat observed risks in financial systems
- Improve the effectiveness of enterprise cybersecurity capabilities
- Evaluate critical aspects of cybersecurity governance, including executive and board oversight
- Identify significant cybersecurity operational challenges
- Consider the impact of the cybersecurity mission across the enterprise
- Leverage cybersecurity regulatory and industry standards to help manage financial services risks
- Use cybersecurity scenarios to measure systemic risks in financial systems environments
- Apply key experiences from actual cybersecurity events to develop more robust cybersecurity architectures
Who This Book Is For
Decision makers, cyber leaders, and front-line professionals, including: chief risk officers, operational risk officers, chief information security officers, chief security officers, chief information officers, enterprise risk managers, cybersecurity operations directors, technology and cybersecurity risk analysts, cybersecurity architects and engineers, and compliance officers
Paul Rohmeyer has extensive industry and academic experience in many areas, including: information systems management, IT audit, information security, business continuity planning, and vendor management. He is a faculty member at the School of Business at Stevens Institute of Technology and has presented and published on information security, decision making, and business continuation. He has provided senior-level guidance to numerous financial institutions in the areas of risk management, information assurance, and network security over the past two decades.
Prior to his consulting career, Paul served as Director of IT for AXA Financial and Director of IT Architecture Planning for SAIC/Bellcore. He has MS and PhD degrees in information management from Stevens Institute of Technology, an MBA in finance from St. Joseph's University, and a BA in economics from Rutgers University. He has achieved the CGEIT (Certified in the Governance of Enterprise IT), PMP (Project Management Professional), and NSA-IAM (US National Security Agency Information Assurance Methodology) credentials.
Jennifer L. Bayuk is a cybersecurity due diligence expert, cybersecurity risk management consultant, and an adjunct professor at Stevens Institute of Technology. She has served in many roles, including: global financial services technology risk management officer, Wall Street chief information security officer, Big 4 information risk management consultant, manager of information technology internal audit, security architect, Bell Labs security software engineer, professor of systems security engineering, private cybersecurity investigator, and expert witness.
Jennifer has written numerous publications on information security management, information technology risk management, information security tools and techniques, cybersecurity forensics, technology-related privacy issues, audit of physical and information systems, security awareness education, and systems security metrics. She has master's degrees in computer science and philosophy, and a PhD in systems engineering. Her certifications include CISSP, CISA, CISM, CGEIT, and a New Jersey state private investigator license.
Understand critical cybersecurity and risk perspectives, insights, and tools for the leaders of complex financial systems and markets. This book offers guidance for decision makers and helps establish a framework for communication between cyber leaders and front-line professionals. Information is provided to help in the analysis of cyber challenges and choosing between risk treatment options.
Financial cybersecurity is a complex, systemic risk challenge that includes technological and operational elements. The interconnectedness of financial systems and markets creates dynamic, high-risk environments where organizational security is greatly impacted by the level of security effectiveness of partners, counterparties, and other external organizations. The result is a high-risk environment with a growing need for cooperation between enterprises that are otherwise direct competitors. There is a new normal of continuous attack pressures that produce unprecedented enterprise threats that must be met with an array of countermeasures.
Table of Contents
About the Authors
Series Editor’s Foreword
Foreword
Acknowledgments
Chapter 1: What Are We Afraid Of?
Understanding the Threat Environment
Overview of the Risk Landscape
Understanding the Adversary
Threat Categories for Financial Organizations
That’s Where the Money Is–Theft of Funds
Information Is Power–Theft of Data
Clogging Up the Works–Threats of Disruption
Facing the Threats
Threat Intelligence
Threat Modeling
Implementation
Moving Ahead
Notes
Chapter 2: Where Are We Vulnerable?
Cybersecurity Weaknesses
Technology Vulnerabilities
New Technologies
Human Vulnerability Dimensions
An Illustration: Business E-mail Compromise
Understanding the Consequences
Moving Ahead
Notes
Chapter 3: What Would a Breach Cost Us?
Risk Quantification
Scenario Creation
Scenario Selection
Cost Estimation
Moving Ahead
Notes
Chapter 4: What Are the Odds?
Plausible Deniability
Cybersecurity Risk As Operational Risk
Shortage of Sufficient Historical Data
Probabilities Driven by Vulnerabilities
The Next Evolution
Moving Ahead
Notes
Chapter 5: What Can We Do?
Risk Treatment Across the Organization
Avoidance
Reduction
Transfer
Acceptance
Risk Treatment Across the Enterprise Architecture
Executing on Risk Treatment Decisions
Validating Effectiveness in Execution
Moving Ahead
Notes
Chapter 6: How Do I Manage This?
Governance Operating Model
Cybersecurity Risk Appetite
Cybersecurity Performance Objectives
Moving Ahead
Notes
Chapter 7: Should This Involve the Whole Organization?
Architectural View
Enterprise Capabilities
Monitoring and Reporting
Metrics
Moving Ahead
Notes
Chapter 8: How Can We Improve Our Capabilities?
Build a Learning Organization
Improve the Quality of Risk Assessments
Use Organizational Knowledge
Take Action Based on the Risk Assessment
Build Situational Awareness
Conduct Realistic Drills, Tests, and Games
Design of Technical Tests
Move from Controls-Thinking to Capabilities-Thinking
Moving Ahead
Notes
Chapter 9: What Can We Learn From Losses?
Breaches Provide the Context That Standards Lack
Technology-Focused Resilience Is Just the Beginning
The Learning Organization Revisited
Easier Said Than Done
AntiFragile
Learn, Study Mistakes, and Learn Again
Moving Ahead
Notes
Chapter 10: So What’s Next?
Complexity and Interconnectedness
Potential Cybersecurity Implications
Emerging Standards
Notes
Index
| Publication date (per publisher) | 13.12.2018 |
|---|---|
| Additional information | XXI, 259 p. 48 illus. |
| Place of publication | Berkeley |
| Language | English |
| Subject area | Computer Science ► Networks ► Security / Firewall |
| | Business ► Business Administration / Management ► Corporate Management / Management |
| Keywords | Compliance • Cyber Data Sharing • cybersecurity • Cybersecurity Data Analytics • Cybersecurity Metrics • cyber threats • Cyber war gaming • Financial Systems • Governance • Leadership • Operational Risk • risk assessment • security testing • systemic vulnerabilities |
| ISBN-10 | 1-4842-4194-0 / 1484241940 |
| ISBN-13 | 978-1-4842-4194-3 / 9781484241943 |
DRM: digital watermark
This eBook carries a digital watermark and is therefore personalized to you. If the eBook is improperly passed on to third parties, it can be traced back to its source.
File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to technical books with columns, tables, and figures. A PDF can be displayed on almost all devices, but is only of limited use on small displays (smartphone, eReader).