Put On Your Cybersecurity Bicycle Helmet

Do You Feel Threatened? 

Isn’t that sort of our default feeling in cybersecurity? Threatened day in and day out? After all, Slippery Weasel is out to get your proprietary data so they can undercut you with cheaper manufacturing of your widget. An otherwise unimportant country on a watchlist is trying to preposition inside your company as part of their Pinky and the Brain-esque plan to take over the world in 2027. 

Then there’s Financial Badger and THX1134 trying to ransom your customer data or interrupt your ability to manufacture paint. Then there’s your insider threat: Steve in Accounting is selling all your logistics info to FredEx so they can undercut your current provider in their next bid. (Names changed for purposes of humor and to protect the innocent – I’m sure FedEx is an above-board company, and I sincerely hope nobody has named any real cyber-criminals by any of the names I mentioned here.)

So which threat do you prioritize? Which one is more important to you? Are you sure? Did you check under the carpet to make sure there aren’t any other threats? There’s nobody lurking behind in the library with the lead pipe? 

Does anybody see something inherently wrong with how we talk about threats in cybersecurity? Well, I do. And It has everything to do with my bicycle helmet.

Body Armor and Bicycle Helmets

There are certainly a lot of threats I could encounter on my bicycle:

• Being hit by a car.
• Falling off my bicycle trying to avoid a dog that gets off-leash.
• Hitting a tree because I lost concentration and didn’t watch where I was going.
• Being recognized by that old high school bully who will mock me for my beer gut.
• Getting tossed from my bicycle because of a pothole.
• Getting tossed from my bicycle because of a log suddenly in my path.
• Getting tossed from my bicycle because my brakes failed.
• Indiana Jones shoving a flagpole through my spokes, tossing me from my bicycle.
• And so on.

Truly, these are all threats I face. I could worry about having countermeasures for each of them:

• Car: ride my bicycle in areas without cars, or wear full body armor and a helmet like motorcyclists might.
• Off-leash dog: immediately dismount the bike and prepare for scratches and belly rubs until their owner can rejoin them.
• Getting tossed: maybe that motorcycling rig again.
• The bully: some form of disguise.
• Indiana Jones: avoid movie sets.
• And so on.

At the end of the day, the greatest thing I risk from riding my bicycle is injury. Certainly, there are scrapes and bruises that I could suffer. A broken bone or a sprain isn’t off the table either. But it’s really head trauma that concerns me here. I’ve got a lot of empirical evidence that when I ride my bike I don’t run into any one of those threats particularly often. And frankly, some of them I can all but eliminate due to either their unlikeliness or their minimal impact; Indiana Jones and my bully aren’t really that important. 

So I compromised on my countermeasures and generally chose a bike helmet because, at the end of the day, brain trauma is the risk I’m most worried about. As it happens, my noggin is pretty unprotected up there as I’m roaming around on my bike. It turns out that a bicycle helmet is both a fairly effective, and relatively cheap countermeasure to that possibility. Even though I’m far more likely to break a bone, the difference in severity of the impact is what tips the scales for me. 

Qualitative Risk Has Long Been Underrated

Sure, that was a pretty basic example, but that’s the point. Instead of focusing on the threats (even though I listed some of them for illustrative purposes), I focused on my risk. And no, I didn’t pull out the actuarial tables and summon an arcane actuarial accountant to figure things out, I made some qualitative observations to arrive at my decision. I didn’t worry about the name of the dog (Oscar), or the name of my bully (I still can’t say his name, it’s all too traumatic), or what country either of them comes from. Those details just aren’t nearly as important to my risk assessment. 

In that is my recommendation to everyone when it comes to their cybersecurity program: move above the constant noise of threats and threat actors – it probably doesn’t matter to your security program if the “baddies” are from one country or another – and focus on what it is you’re trying to protect and how you can effectively protect it.

Risk Perspective Basics

Where threat based thinking starts with “what could happen,” risk based thinking begins with “what needs protecting?” From a cybersecurity perspective, what needs protecting can usually be categorized into just a few concepts, even though there will likely be many different priorities and severities within these concepts:

• Protect sensitive data, be it PII, IP, or anything else.
• Protect the ability to continue doing “business,” whatever business is. 

As a second step, identifying the impact to the business of an interruption in the protection of these assets can lead to an understanding of the priority and focus necessary, in alignment with the business needs. Again, this can be a big change from the normal view, which has often been more about “what value does that data have to the malicious actor?” It turns out that the value of that data – or the interruption of business as usual – was often mistakenly looked at as the external value, what the malicious actor could get on the open market for the data. Ransomware has very cruelly taught us all that the value we place on that data or ability to keep doing business is what ultimately drives revenue for many malicious actors and requires us to think about it that way.

From there a security program can build in the appropriate controls and countermeasures. Whereas a threat based program continues to chase the latest “shiny object” in threat, and never has a meaningful focus on the efficacy or the focus of the security program. 

Cyber Resilience From a Risk Perspective

Given that the first tenant of cyber resilience focuses on anticipating risk, this approach is well aligned with a cyber resilience perspective. By focusing on what harm can be done – not on who or what will do it – a program can wisely be created to protect those assets, whether they’re customer PII assets or ICS assets. Starting with this is the foundation for a program that will be able to continually adapt to the changing tactics, techniques, threats, and threat actors. Your program will be able to withstand and respond to attacks and threats, and those learnings will help you continually improve your program.

You’ll also find you don’t feel quite so threatened every day, and wouldn’t that be reward enough?

↑