Author(s): Elena González (ATOS), Antonio Álvarez (ATOS), Aljosa Pasic (ATOS)
Focus Area
The Horizon 2020 WISER project will deliver, in late 2017, a cyber risk management framework that dynamically assesses the cyber risk to which the client ICT infrastructure is exposed. This is done by continuously monitoring the risk associated to the cyber-climate of its ICT operational environment. It encompasses not only the technical side of cyber risk but also incorporates the business side, including socio-economic impact assessment. WISER builds on current state of the art methodologies and tools, leveraging best practices from multiple industries.
Given the traditional approach where cyber risk management is performed periodically, and the current state of art with risk management frameworks lacking of an integrated, agile methodology to analyse cyber risks, a growing demand for the continuous monitoring of cyber security relevant events and dynamic assessment of risk is more than evident.
The best answer when a cyber-attack threatens valuable assets calls for a reliable support for decision-making. WISER provides support to adopt the correct measures while maximising the return on Investment (RoI).
Who benefits and how?
One of the top priority goals of WISER is making cyber security affordable for SMEs. WISER therefore mostly focuses on SMEs needs that often do not have means to handle cyber risk with advanced methodologies & tools, and cannot usually afford to hire a consultancy services. WISER aims at being a sophisticated solution while easy to adopt by the end user.
Although, as mentioned before, SMEs are the main target of WISER solution, any organisation has to manage cyber security risks appropriately and to show that they are capable of doing it successfully, as pointed out by the European Commission in their communication on ‘ICT Standardisation Priorities for the Digital Single Market’ (19/04/2016). WISER conception is based in this growing security market need.
On top of this, WISER is facilitating the uptake of a cyber security culture that enhances business opportunities and competitiveness in the private sector, making cyber security a key selling point.
This means that, despite the strong focus on SMEs, WISER intends to provide affordable, effective and efficient cyber security to clients, irrespective of their size or market sector.
Digital Single Market Strategy
As the European Commission continues to progress the development of a Digital Single Market (DSM), organisations across the region are beginning to think carefully about how the initiative would impact them. Coupled with the impending adoption of the General Data Protection Regulation (GDPR), privacy and security issues are quickly moving to the top of companies’ and politicians’ agendas.
The first step is to complete a cyber security and privacy assessment for the company´s cross-border business and digital services. An organisation cannot defend itself perfectly against every threat. Hence technology decisions need to be risk-based decisions. Thinking carefully about the size of the organisation and its appetite for risk, businesses should consider which areas are more vulnerable to threats, establish priorities for mitigation goals, and establish cost-efficient mitigation measures. It’s important to understand that there is no one-size-fits-all standard for risk assessment: any successful evaluation has to be based on a thorough expert analysis leading to a comprehensive and holistic picture of the business risks.
WISER is aligned with the DSM, specifically with initiatives 12 and 13, contributing to increase the cyber risk awareness by educating risk managers and boards of directors across the market.
To reach this new level in cyber security, WISER is developing a methodology, based on the definition of the risk assessment cycle, where the evaluation of risk is based on the correlation, thanks to risk models and associated model rules, of information coming from both the infrastructure to monitor and the client himself. The former provides technical information regarding the cyber climate and the presence (or not) of incidents within the client ICT infrastructure, and the latter gives valuable input about the infrastructure elements and their business value according to the client criteria. Thanks to this, a dynamic risk evaluation is performed, expressed in qualitative and quantitative terms. Hence, WISER goes a step beyond and does not settle for detecting and reporting cyber incidents, but also evaluates their business importance, giving an information which is crucial for top management positions, the ones with decision-making capabilities. On top of it, besides the business impact, the tool inform about the societal component of the risk, which is one of the main novelties brought by WISER.
The cycle is completed with the decision-making process which provides to the client decision support tools that make easier the selection of mitigation options integrating tech, business and societal visions of risk. The effect of the mitigation actions is measured in the following risk cycle, where the risk level, evaluated by WISER, must have diminished.
In conclusion, WISER advances the state of the art by leveraging current best practices and recent research results. It is not simply about monitoring cyber incidents; it is about assessing the risk they represent for a company. WISER not only considers damage to the ICT infrastructure, but also impact on the business, providing a multi-level assessment. This risk evaluation evolves as cyber climate changes. The definition of mitigation measures is assisted by the framework with solid criteria to apply to the decision-making. And all of this with a strong focus on SMEs with an aim to make cyber risk assessment and management affordable. In a nutshell, WISER aspires to drive a "cyber security for all" approach. Our first service, CyberWISER Light is available for use on our website.