Introduction to Axio content
Axio provides a unified platform to reduce cyber risk. Axio is the only platform to give you comprehensive visibility into the state of your cybersecurity program. This is your entrance into the concepts behind the Axio platform, how to use the platform, and how to gain valuable insights into your cyber risks, mitigate, and protect.
Taking an Operational Focus
Effective cybersecurity risk analysis begins with the development of cyber risk scenarios—narratives that describe potential situations or actions that could result in undesired organizational consequences. These cyber risk scenarios are critical to the cyber risk quantification process, as they describe specific threats or hazards to which the organization may be susceptible, and which may result in substantial losses or damages. The effectiveness of the cyber risk quantification process depends on the degree to which these cyber risk scenarios effectively represent known or perceived organizational concerns—the things that keep cybersecurity professionals “up at night.”
Constructing effective cyber risk scenarios is challenging. Many cyber risk quantification methodologies encourage the development of scenarios that focus on a specific and targeted asset. For example, in a ransomware attack scenario, the narrative may emphasize the exfiltration or encryption of specific datasets, such as personal health information or intellectual property. And while a targeted asset is certainly an important detail in a scenario, focusing on an asset can limit organizational impact analysis by potentially overlooking the asset in the context of its operational significance. The exfiltration of personal health information is indeed a violation of data confidentiality, but the use of this asset in organizational processes—such as for delivering medical services to patients—defines a wider range of potential operational disruptions that can result in devastating first-party and third-party losses.
A more effective way to construct cyber risk scenarios that are useful in cyber risk quantification is to use an operational focus. When building scenarios, an operational focus considers all the assets that together contribute to the success of an operational mission. For example, consider a manufacturing process for building automobiles. This process includes essential personnel who operate machinery and perform quality control, technologies that automate and oversee the welding and painting processes, information and data that direct operational technologies and inform quality control, and a facility in which the manufacturing process takes place. If any of these assets—people, technology, information, or facilities—are disrupted, the potential exists that the operational process will not operate as expected.
The Axio360 Cyber Risk Quantification Method encourages users to adopt an operational view to ensure that all threats to assets that are vital to operational processes are considered. With an operational mindset, a robust cyber risk scenario can be constructed that not only considers a range of disruptions to assets that typically have cyber exposure (such as data and technologies), but also to other assets important to the mission. For example, in the manufacturing scenario, an attack on the physical security system that prevents entry to the facility could disrupt the manufacturing process by impeding the use of the facility and preventing people from performing their responsibilities.