Jordan has jumped to the forefront of the movement toward cyber risk quantification with the release of a National Cybersecurity Framework (now in its public consultation phase) that endorses Cyber Risk Quantification and Management (CRQM) and a risk-based outlook on cybersecurity.
From the top, a draft of the framework document by the National Cybersecurity Center of Jordan states a goal to “promote the concept of Cybersecurity Economics to help every organization develop a sophisticated, economically driven” cyber risk management program. “Cybersecurity is a business problem, not a technology problem,” the framework document states, a credo still not accepted in many parts of the world.
“…It is important to adopt a risk-based approach to security … This allows an organization to prioritize its efforts and allocate its resources most effectively.”
– The National Cybersecurity Framework
The framework encourages Jordanian organizations to graduate from qualitative risk assessments that “do not rely on precise and consistent definitions of risk, instead measuring it in terms of high-medium-low, red-yellow-green, or ordinal scales such as 1-5. Risk management and decision making based on qualitative risk assessments are fundamentally incorrect and erroneous because they are vulnerable to subjectivity.”
The draft document continues about CRQM, “Quantitative risk measurements help organizations prioritize risks and risk mitigation investments by quantifying the impact a risk presents to an organization’s operations, assets, and mission. Data and estimates are used to inform risk factors such as event frequency (likelihood) and event magnitude (impact) to obtain a range of probable loss exposure.”
Jordan’s framework builds on six principles, summed up in the acronym “SELECT”:
“In the field of cybersecurity, having a clear strategy and set of objectives is particularly important because of the constantly evolving nature of the threats faced by organizations. A well-defined strategy can help an organization stay ahead of potential threats and be better prepared to respond to them when they do arise.”
Cybersecurity is a “national concern – everybody is responsible and accountable” because cyber attacks can affect the stability of a nation. With the increasing amount of personal and business information stored online, all citizens are at some risk and any institution can be looked on as a cyber defender.
The document goes into detail on the point that “Cybersecurity is a business problem because it is closely tied to an entity’s risk management strategy… It is the responsibility of the business leaders to measure the potential risks and implement measures to mitigate them.”
The framework makes a strong call for “fundamental architecting change, design and redesign of current organizational architecture – security by design is fundamental.” Also, “it is important to adopt a risk-based approach to security, in which the level of protection is tailored to the specific risks faced by the organization. This allows an organization to prioritize its efforts and allocate its resources most effectively.”
To achieve that level of security, the document recommends a sophisticated approach, “decomposing” an organization’s functions to understand “granular and multi-tier risk management responsibilities.”
The Jordanian framework calls for continuous, dashboard-driven risk monitoring, a level of sophistication that would put Jordan ahead of most of the world: “Continuous Monitoring of Risks is a critical principle, and every organization should develop a business driven cybersecurity dashboard which maps the organizational Key Performance Indicators (KPIs) to the Organizational Key Risk Indicators (KRIs). The Business Driven Cybersecurity Dashboard should be simple and straightforward, helping business leaders to continuously monitor the organizational cybersecurity risks allowing them to enforce and enable responsible as well as accountable stakeholders to respond effectively and efficiently in a timely based manner.”
The framework focuses here on controls, and again takes a cutting-edge approach, emphasizing return on security investment: “It is not possible for an organization to implement all controls, as the number and variety of controls available are vast, and the cost and resources required to implement them all would be prohibitive.”
“When selecting controls, organizations should consider factors such as the cost of implementation, the potential impact on business operations, and the likelihood of the risk occurring. It is also important to evaluate the level of protection provided by each control and consider the overall security posture of the organization.”
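Added example (not code from the framework, the National Cybersecurity Center of Jordan, or the FAIR Institute): a small Monte Carlo simulation in Python that combines an event-frequency range with an event-magnitude range, as the CRQM passage above describes, into a distribution of annual loss exposure, and then uses that distribution to weigh a control's expected loss reduction against its cost, which is the trade-off the controls passage above calls for. Every range, the control's assumed effect on frequency, and its annual cost are illustrative values chosen for the example; the PERT distribution for expert min/most-likely/max estimates and the Poisson draw for event counts are common modelling choices, not something the page specifies.

```python
"""
Added example, not part of the Jordanian framework or the FAIR Institute post:
Monte Carlo annual loss exposure from a loss-event-frequency (LEF) range and a
loss-magnitude range, plus a cost/benefit check for a candidate control.
All numeric inputs are assumed, illustrative values.
"""
import math
import random
from typing import Callable, List, Tuple


def pert_sampler(lo: float, mode: float, hi: float, rng: random.Random,
                 lam: float = 4.0) -> Callable[[], float]:
    """Return a function drawing from PERT(lo, mode, hi), a rescaled Beta that
    turns a min / most-likely / max estimate into a sampleable range."""
    if not lo <= mode <= hi or lo == hi:
        raise ValueError("need lo <= mode <= hi with lo < hi")
    alpha = 1.0 + lam * (mode - lo) / (hi - lo)
    beta = 1.0 + lam * (hi - mode) / (hi - lo)
    return lambda: lo + (hi - lo) * rng.betavariate(alpha, beta)


def pert_mean(lo: float, mode: float, hi: float, lam: float = 4.0) -> float:
    """Analytic mean of PERT(lo, mode, hi); used to sanity-check the simulation."""
    return (lo + lam * mode + hi) / (lam + 2.0)


def poisson(rate: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the small annual event rates here."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(lef: Callable[[], float], magnitude: Callable[[], float],
                         trials: int, rng: random.Random) -> List[float]:
    """One trial = one simulated year: draw this year's event rate, draw how many
    events occur at that rate, draw a loss for each event, and sum them."""
    losses = []
    for _ in range(trials):
        n_events = poisson(lef(), rng)
        losses.append(sum(magnitude() for _ in range(n_events)))
    return losses


def percentile(samples: List[float], q: float) -> float:
    ordered = sorted(samples)
    idx = min(len(ordered) - 1, max(0, int(round(q * (len(ordered) - 1)))))
    return ordered[idx]


def exceedance_probability(samples: List[float], threshold: float) -> float:
    """P(annual loss >= threshold): one point on the loss exceedance curve."""
    return sum(1 for s in samples if s >= threshold) / len(samples)


def run_scenario(lef_params: Tuple[float, float, float],
                 magnitude_params: Tuple[float, float, float],
                 seed: int = 7, trials: int = 10_000) -> dict:
    """lef_params: (min, most likely, max) loss events per year.
    magnitude_params: (min, most likely, max) loss per event, in currency units."""
    rng = random.Random(seed)
    lef = pert_sampler(*lef_params, rng)
    magnitude = pert_sampler(*magnitude_params, rng)
    losses = simulate_annual_loss(lef, magnitude, trials, rng)
    return {
        "mean": sum(losses) / trials,
        "p10": percentile(losses, 0.10),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p_exceed_1m": exceedance_probability(losses, 1_000_000),
        "losses": losses,
    }


def control_net_benefit(baseline: dict, treated: dict, annual_control_cost: float) -> float:
    """Expected annual loss avoided by the control minus what the control costs to run.
    Negative means the control costs more than the risk it removes."""
    return (baseline["mean"] - treated["mean"]) - annual_control_cost


if __name__ == "__main__":
    magnitude = (20_000, 80_000, 500_000)          # assumed loss per event
    base = run_scenario((0.5, 2.0, 6.0), magnitude)  # assumed 0.5-6 events/year
    # Assumed control that cuts event frequency roughly in half, costing 120,000/year.
    treated = run_scenario((0.2, 1.0, 3.0), magnitude, seed=11)
    print(f"baseline mean annual loss: {base['mean']:,.0f}  "
          f"(p10/p50/p90 {base['p10']:,.0f}/{base['p50']:,.0f}/{base['p90']:,.0f})")
    print(f"P(annual loss >= 1,000,000): {base['p_exceed_1m']:.3f}")
    print(f"net benefit of control: {control_net_benefit(base, treated, 120_000):,.0f}")
```

The sample mean can be checked against the analytic expectation `pert_mean(lef) * pert_mean(magnitude)`, which is how a practitioner confirms the simulation is wired correctly before trusting its tail percentiles; the tail (p90 and the exceedance probability) is the part a high/medium/low rating cannot express and the part that drives the control comparison.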
Don’t settle for controls checklists and call the job done, the document argues. Aim for root-cause analysis: “Effective controls help to prevent and mitigate risks, but they are reactive in nature and do not necessarily address the root causes of those risks. In contrast, building organizational capabilities involves proactively addressing the underlying issues that contribute to risk and weakness. This can include improving processes, investing in technology, and training, and developing a culture of continuous improvement. By taking a sustainable approach to building organizational capabilities, an organization can better manage risks and achieve long-term success.”
The framework takes an expansive view of “zero trust,” taking it beyond the IT definition. “It is not just a technical solution. It starts with trust in the business process and its alignment towards the business objectives. It is about building a culture of security, where everyone understands that they have a role to play applying the zero trust concept in their daily jobs, protecting the organization's assets as security is not just the responsibility of the IT department.”
A tool for trust-building should be “a risk-based audit…to provide value to the organization by identifying and reporting on risks that could have a significant impact on its operation’s financial aspects and business objectives. It should not only be to meet regulatory compliance, but also to enhance the organization's overall risk management and governance.”
This risk-based, economics-focused approach is very much in line with the principles of Factor Analysis of Information Risk (FAIR™), the international standard for cyber risk quantification, and the FAIR Institute was honored to be addressed by Bassam Maharmeh, President of the National Cybersecurity Center of Jordan, who introduced the forward-looking concepts of the National Cybersecurity Framework to the FAIR community at the first FAIR Institute Middle East Summit, held in Amman in March 2023. Watch the video of his speech (FAIR Institute Contributing Membership required).