Cyber Risk and the Security Action Cycle
Written by: David Holcomb, PhD
When you are trying to secure your environment, you need to take it in layers.
This statement probably conjured up ideas of a network diagram with firewalls every and routers with different levels of access protocols. Although firewalls, routers, and access protocols are important, I am talking about steps to securing your environment along the levels of security action.
Origins of the Security Action Cycle
In the late 1990’s, Detmer Straub and Richard Welke published a great article called “Coping with Systems Risk: Security Planning Models for Management Decision Making.” In this article they outlined a model called the “Security Action Cycle.” The model has four stages in the cycle. These stages are “Deterrence,” “Prevention,” “Detection,” and “Remedy.”
Maxxsure has taken this model and expanded it to Deterrence, Protection, Detection, Containment (and Eradication), and Recovery. Each of these stages learns from all the stages that come after. For example, deterrence would learn from protection, detection, containment, and recovery. The learning from the later four stages would be integrated into the deterrence programs.
The Cycle in Action: An Example
To help put the security action cycle into context, let us consider how you might secure the contents of your home. The key to understanding the security action cycle is to understand loss. There is no reason to deter or protect if there is nothing of value. Likewise, if things have different levels of value, you will apply differing levels of resources based on their value.
Let’s take a look at these each stage.
Deterrence. First, you might put a sign outside saying, “Beware of the Dog” or “Protected by Brinks.” You may also teach your children to not share vacation plans with friends. Finally, you might leave lights on even when you are not home. These measures are in the deterrence stage. You are attempting to deter the bad actor from attacking your home.
Protection. The second stage is the protection stage, which comes into play if a bad actor bypasses your deterrence measures and proceeds with trespassing on your property. In some cases, deterrence measures from the previous stage may have additional facets that effectively allow them to play “double duty” in also delivering protection. In our home defense analogy, your guard dog visible beyond the fence is both a deterrence measure and a protective measure: seeing the dog may deter bad actors from even attempting a breach, but should they decide to move forward, the dog will take action to protect the property from the breach attempt in motion.
Some of your protective measures may also include door locks or safes with combination locks that introduce additional challenges to accessing your valuables. Protection can include alternative storage to prevent loss. For example, you may have your most valuable items in a safe deposit box at a bank. Each of these protective measures are attempts to stop a bad actor from accessing your valuables after having gotten past the outermost perimeter where you had originally tried to deter entry.
Detection. When a bad actor has been able to get past the protective measures, the next stage of the cycle is detection. You may put a passive infrared censor that triggers an alarm, camera, and dialer to the police. These types of measures must be calibrated to understand false positives and false negatives. If you leave your cat at home during your vacation, the passive infrared may register false positives. Of course, you could make trade-offs by placing the cat in kennel or using an alternative detection measure such as neighbors watching the property, security service making the rounds, or smart cameras that recognize your cat.
Containment (and eradication). A key to detecting a problem is response to contain and eradicate it. In our example, if a bad actor is detected by the passive infrared, the police, neighbor, or relative must attempt to respond otherwise the detection is not useful.
- The longer it takes to contain the bad actor, the more damage they can do.
- The more damage they do, the more loss you experience.
An important concept is the lower the time to contain and eradicate, the lower the loss will be for the event. Of course, effective deterrence and protection minimize the potential damage inflicted, thereby reducing any potential loss.
Recovery. The final state is recovery. The bad actor has done damage to your home beyond stealing valuable. The intruder may have broken a window or forced open a door. You may need to get the window or door fixed. The loss caused by the bad actor will go beyond the cost of the values taken. You may experience a psychological toll by knowing someone managed to circumvent your security measures and successfully broke into it. The reputation of your home being a safe place will need to be recovered as well.
Of course, if the bad actor is caught you may get remedies from them but more than just the valuables taken were affected. Recovery includes these remedies and the associated time.
Learning from the Cycle
As previously mentioned, the security action cycle learns.
- If you learn of a break-in attempt, you would respond by putting more deterrents in place.
- If you discover the criminal entry into your home, you would increase protection and deterrence measures based on what you learned.
- If they were not contained quickly, you would perhaps relocate your detection mechanisms closer to the protective fence line.
- When you work your way through the remedies and recovery, the understanding of the cost may lead you to move some valuable to the bank and increase all the other phases.
The security action cycle has significant importance in cyber security and risk management.
Improve Your Cyber Risk Posture with Better Risk Awareness
You don’t need to wait for a bad actor to expose your weaknesses in different stages in the security action cycle. At Maxxsure, we have developed a method of interrogating your entire environment to analyze the efficacy of your security measures throughout the entire cycle. This analysis helps you understand your greatest areas of vulnerability and estimated financial loss so that you can confidently make the best cyber risk management decisions to safeguard your organization’s assets.
Contact us if you would like to learn more about applying security action cycle principles to improve cyber risk management in your organization.
Additional contributions from: Andrea Beck Stout