Technology Risk Assessment


  • Flavio Queiroz, MSc, CISSP, CISM, CRISC, CCISO

    Threat Intelligence · Risk & Crisis Management · GRC · IT/OT · Threat Researcher | GSOC, GCIH, GDSA, GISP, GPEN, GRTP, GCPN, GDAT, GCISP, GCTIA, CTIA, eCMAP, eCTHP, CTMP

    29,209 followers

    INCIDENT RESPONSE: NEW LIFE CYCLE MODEL BASED ON CSF 2.0 WITH THREAT INTELLIGENCE INTEGRATION

    ℹ️ NIST SP 800-61r3 provides updated guidance on how organizations should integrate incident response into their broader cybersecurity risk management strategy, aligning with the NIST Cybersecurity Framework (CSF) 2.0.

    ℹ️ This version significantly restructures the incident response approach by replacing the older cyclical model with a CSF 2.0-aligned life cycle. It emphasizes continuous improvement, cross-functional collaboration, and a shared taxonomy for incident response across sectors.

    📍 KEY TAKEAWAYS
    ■ Incident Response as Risk Management: Incident response is no longer a standalone reactive process; it is now a core component of enterprise risk management, closely tied to all CSF 2.0 functions.
    ■ Cyber Threat Intelligence Integration: Emphasizes the importance of cyber threat intelligence (CTI) in detection, analysis, and response phases, particularly in improving early detection and proactive decision-making.

    📍 CTI ELEMENTS
    ■ DE-AE-07: CTI and other contextual information are integrated into the analysis. Integrate up-to-date CTI and other contextual information into adverse event analysis to improve detection accuracy and characterize threat actors, their methods, and IoCs.
    ■ ID-RA-02: CTI is received from information-sharing forums and sources, obtaining information on new threats, improving the accuracy of cybersecurity technologies with incident detection or response capabilities, and understanding TTPs used by attackers.
    ■ ID-RA-03: Internal and external threats to the organization are identified and recorded.

    #csf2 #csirt #incidentresponse #riskmanagement #threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection #cyberdefense

  • Adnan Amjad

    US Cyber Leader at Deloitte

    3,991 followers

    From data privacy challenges and model hallucinations to adversarial threats, the landscape around Gen AI security is growing more complex every day.

    The latest in Deloitte’s “Engineering in the Age of Generative AI” series (https://deloi.tt/41AMMif) outlines four key risk areas affecting cyber leaders: enterprise risks, gen AI capability risks, adversarial AI threats, and marketplace challenges like shifting regulations and infrastructure strain.

    Managing these risks isn’t just about protecting today’s operations but preparing for what’s next. Leaders should focus on recalibrating cybersecurity strategies, enhancing data provenance, and adopting AI-specific defenses.

    While there’s no one-size-fits-all solution, aligning cyber investments with emerging risks will help organizations safeguard their Gen AI strategies — today and well into the future.

  • Peter Slattery, PhD

    MIT AI Risk Initiative | MIT FutureTech

    64,310 followers

    📢 What are the risks from Artificial Intelligence? We present the AI Risk Repository: a comprehensive living database of 700+ risks extracted, with quotes and page numbers, from 43(!) taxonomies.

    To categorize the identified risks, we adapt two existing frameworks into taxonomies. Our Causal Taxonomy categorizes risks based on three factors: the Entity involved, the Intent behind the risk, and the Timing of its occurrence. Our Domain Taxonomy categorizes AI risks into 7 broad domains and 23 more specific subdomains. For example, 'Misinformation' is one of the domains, while 'False or misleading information' is one of its subdomains.

    💡 Four insights from our analysis:
    1️⃣ 51% of the risks extracted were attributed to AI systems, while 34% were attributed to humans. Slightly more risks were presented as being unintentional (37%) than intentional (35%). Six times more risks were presented as occurring after (65%) than before deployment (10%).
    2️⃣ Existing risk frameworks vary widely in scope. On average, each framework addresses only 34% of the risk subdomains we identified. The most comprehensive framework covers 70% of these subdomains. However, nearly a quarter of the frameworks cover less than 20% of the subdomains.
    3️⃣ Several subdomains, such as *Unfair discrimination and misrepresentation* (mentioned in 63% of documents); *Compromise of privacy* (61%); and *Cyberattacks, weapon development or use, and mass harm* (54%) are frequently discussed.
    4️⃣ Others such as *AI welfare and rights* (2%), *Competitive dynamics* (12%), and *Pollution of information ecosystem and loss of consensus reality* (12%) were rarely discussed.

    🔗 How can you engage? Visit our website, explore the repository, read our preprint, offer feedback, or suggest missing resources or risks (see links in comments).

    🙏 Please help us spread the word by sharing this with anyone relevant.
    Thanks to everyone involved: Alexander Saeri, Jess Graham 🔸, Emily Grundy, Michael Noetel 🔸, Risto Uuk, Soroush J. Pour, James Dao, Stephen Casper, and Neil Thompson. #AI #technology

  • Onur özutku

    +54K+ |Terminal Manager at Milangaz | Oil and Gas Industry Expert

    58,925 followers

    🙈 “Risks in the Shadow of Change” 🙉

    The basic goal of Management of Change (MOC) is to determine in advance the risks brought by changes to be made in a hazardous process, to eliminate or minimize these risks, and to ensure that the change is implemented safely and sustainably. This approach is of vital importance, especially in technical areas, because even a small change can have major consequences: it can cause a rupture, leak, fire or even a major industrial accident.

    Unfortunately, many change approvers make decisions by evaluating this process only on paper. It is a common mistake to approve without seeing the reflection of the change in the field and without making the necessary analyses and observations. This can ironically turn change management into a process that creates risks rather than reducing them.

    MOC is not only a procedural approval process, but also a critical discipline that requires technical expertise, field experience and a multi-faceted evaluation. Therefore, it is essential to adopt a multidisciplinary approach, especially in technical changes. Different areas of expertise such as mechanics, electricity, chemistry, operations, automation, occupational health and environment should come together to make an evaluation.

    Many industrial accidents in the past have resulted from the implementation of changes without sufficient analysis. For example, a small design change made in a pipeline may not be able to withstand the system pressure and may eventually cause explosions. Similarly, a small error made in software updates may hide alarms of processes that will create risks in PLC or DCS systems. In order to prevent such results, the MOC process must be supported by field observation, engineering calculations, and function tests. Although analyses on paper provide some basic insights, they cannot always reflect the complexity of real conditions.

    Therefore, conducting onsite inspections, interviewing employees, and observing the physical condition of equipment are critical steps. It should not be forgotten that change inherently involves uncertainty. This uncertainty can only be managed through a planned, systematic, and participatory MOC. It is necessary not only to analyze risks, but also to be prepared for these risks, to provide transparency in processes, and to create systems that can reverse change when necessary. Creating an effective MOC not only prevents accidents, but also paves the way for continuous improvement and innovation. Therefore, it is a critical requirement for change management practitioners to have field awareness as well as technical knowledge.

    #oil #gas #LPG #refinery #process #safety #learning #engineering #MOC #managementofchange #risks #riskassessment #terminal #safeoperation #safechange #LNG #oilandgas #evaluation

  • Bob Carver

    CEO Cybersecurity Boardroom ™ | CISSP, CISM, M.S. Top Cybersecurity Voice

    51,094 followers

    Cybersecurity Breaches Are Increasing Business Insolvency Risks

    Increase of cyberattacks raising costs on impacted businesses
    Large companies citing data breaches in bankruptcy filings

    Data breaches and ransomware attacks in the US are increasing companies’ risk of financial losses, in many cases dragging them into bankruptcy or putting them out of business altogether.

    Data breaches cost companies across the world on average about $4.9 million, and nearly double that amount in the US, according to a 2024 study by IBM. Costs can differ based on a number of factors, including regulatory compliance requirements, sensitivity or complexity of the data involved, and subsequent litigation.

    The International Monetary Fund warned last year that cyberattacks have more than doubled since the onset of the pandemic, increasing the risk of “extreme losses” for companies that could cause funding problems “and even jeopardize their solvency.”

    Companies in bankruptcy are increasingly citing data breaches as contributing factors to their financial woes. In late November, the US-based units of alcohol distributor Stoli Group—maker of Stolichnaya vodka—filed for Chapter 11 relief, saying an August 2024 data breach and ransomware attack crippled some of the firm’s internal systems and caused “severe operational disruption.”

    Background check provider National Public Data suffered a hack in late 2023 that compromised millions of personal records and later forced the company into bankruptcy as it faced a loss of business, multiple class actions, regulatory investigations, and duties to notify and pay for credit monitoring of affected individuals.

    “You end up with a cascade of chaos,” said attorney Angelo Gasparri of Kelley Kronenberg, who represented National Public Data in its short-lived Chapter 11 case last year. “The victim becomes overwhelmingly responsible for the bad actions of an outsider.”

    https://lnkd.in/g95JDUg3 #cybersecurity #breaches #bankruptcy #BloombergLaw

  • A Faulty Update, Millions Impacted: Are Our Critical Systems Secure Enough?

    This week's global IT outage caused by a faulty security update is a stark reminder of the interconnectedness of our world, and the potential domino effect when a single system experiences a hiccup. The disruption, impacting millions and causing delays in critical sectors like healthcare and finance, underscores a crucial question: are the automation systems that power our critical infrastructure truly secure?

    These Industrial Automation and Control Systems (IACS) are the invisible maestros behind the scenes, keeping our lights on, our water flowing, and our transportation networks operational. Yet, when compromised, the consequences can be catastrophic.

    Here's where robust cybersecurity measures become paramount. The IEC (International Electrotechnical Commission) 62443 standard provides a well-established framework for securing IACS and other critical IT infrastructure. This globally recognized standard emphasizes thorough risk assessments – a process best entrusted to competent and certified automation cybersecurity specialists. These specialists, verified by independent bodies like exida, possess the expertise to meticulously evaluate your IACS and critical IT infrastructure for vulnerabilities, ensuring your critical infrastructure remains resilient against cyber threats.

    My recent paper published in the Jurnal Ikatan Ahli Fasilitas Produksi Minyak dan Gas Bumi Indonesia - IAFMI (IAFMI) dives deeper into specific cybersecurity best practices for the oil and gas industry, a prime example of a sector reliant on secure automation and IT systems. You can read more about it here: https://lnkd.in/d67C3EMK

    Pak Irfan H. and I provide automation cybersecurity risk assessment services to help your organization achieve IEC 62443 compliance. Don't wait for a cyber incident to become a headline. Proactive measures are essential to safeguard our critical infrastructure – and the well-being of millions – for a more secure tomorrow.

    #Rishare #MenggapaiMimpiBersamaRiandhy #oilandgasindustry #ThinkDigitalThinkDhimas

  • Shiv Mangal

    Assistant Vice President - CISA CISM CRISC

    2,034 followers

    IT General Controls (ITGC) Checklist

    Access Controls
    - User access provisioning and de-provisioning processes are established.
    - Access rights are assigned based on job responsibilities.
    - Segregation of duties (SoD) controls are in place.
    - Regular access reviews are conducted.
    - Strong password policies are enforced.

    Change Management
    - Formal change management processes exist for all system changes.
    - Changes are documented, approved, and tested before implementation.
    - Segregation of duties between development, testing, and production environments.
    - Regular reviews of change management are conducted.

    Backup & Recovery
    - Regular backups of critical systems and data are performed.
    - Backup integrity checks are regularly conducted.
    - Backup and recovery procedures are documented and tested.
    - Off-site storage of backups is maintained for disaster mitigation.

    Incident Management
    - Formal incident response plans are in place.
    - Procedures for reporting and documenting incidents are established.
    - Incident response teams are trained and ready.
    - Post-incident reviews are conducted for improvement.

    Network Security
    - Intrusion detection/prevention and antivirus are deployed.
    - Network segmentation minimizes breaches.
    - Regular vulnerability assessments and penetration testing are conducted.
    - Wireless network security controls prevent unauthorized access.

    Data Privacy
    - Policies protect sensitive data.
    - Data encryption is used in transit and at rest.
    - Data classification policies categorize data by sensitivity.
    - Regular data privacy training for employees.

    Monitoring & Logging
    - Logging mechanisms record security-related events.
    - Regular review and analysis of logs for security incidents.
    - Monitoring of system performance and availability.
    - Intrusion detection systems monitor suspicious activity.

    Vendor Management
    - Vendor risk assessments before engaging third parties.
    - Vendor contracts include security and compliance provisions.
    - Ongoing monitoring and oversight of vendor activities.
    - Procedures for terminating vendor access.

    Compliance & Audit
    - Regular compliance assessments and audits.
    - Documentation of IT policies, procedures, and controls is maintained.
    - Remediation of control deficiencies or non-compliance issues.

    #kpmg #periodicreviews #cybersecurity #itgc #technology #learning

  • Raj Grover

    Founder | Transform Partner | Enabling Leadership to Deliver Measurable Outcomes through Digital Transformation, Enterprise Architecture & AI

    61,561 followers

    The Hidden Cost of Ignoring Enterprise Architecture: A $1B+ Wake-Up Call for the Industry (10 Real Time Incidences)

    Based on publicly available earnings calls, SEC filings, and post-mortem analyses, the following real-world incidents forced companies to either adopt or overhaul their Enterprise Architecture. These high-profile events underscore the direct, tangible impact of IT misalignment on revenue, reputation, and operational resilience.

    Why This Matters for Leadership
    These are not theoretical scenarios; they represent costly, avoidable losses—both financially and operationally—stemming from poor architectural foresight. Each incident illustrates that:
    - Revenue Losses and Operational Disruptions: BA’s £80M compensation, 16,700 flight cancellations at Southwest, and Toyota’s 40% production cut directly impact the bottom line.
    - Regulatory and Compliance Risks: The Meta incident underscores the significant penalties organizations may face when data governance and security fall short.
    - Brand and Customer Trust Erosion: Repeated disruptions lead to loss of consumer confidence that, in competitive markets, can be irreparable.

    1. British Airways IT Meltdown (2017)
    Incident: A power surge at a critical data center caused BA’s legacy systems—including reservation, baggage, and crew scheduling—to crash, grounding 726 flights and costing approximately £80M in compensation.
    Trigger for EA: Outdated, tightly coupled systems lacked the necessary redundancy and risk mitigation.
    EA Action: Migrated critical systems to AWS using a microservices architecture—resulting in zero downtime during similar subsequent events.

    2. Target Data Breach (2013)
    Incident: Hackers compromised 40M credit card details by exploiting a vulnerable third-party HVAC vendor portal.
    Trigger for EA: Absence of proper segmentation between corporate IT and external systems led to a massive security breach that eroded customer trust.
    EA Action: Implemented a zero-trust framework, isolating payment systems and enforcing strict API governance, thereby safeguarding sensitive data.

    3. Maersk NotPetya Cyberattack (2017)
    Incident: A ransomware attack wiped 49,000 laptops and over 1,000 apps, halting global operations for several weeks.
    Trigger for EA: A centralized, monolithic IT infrastructure enabled rapid lateral spread of the malware.
    EA Action: Rebuilt systems with a decentralized, containerized architecture hosted on Azure—transforming cybersecurity into a proactive, strategic asset.

    (Complete list is available in our Premium Content Newsletter)

    Call to Action:
    Leaders must consider EA not as an IT upgrade but as a strategic business imperative. Investing in a robust, forward-looking EA today is essential to avoid these high-profile crises tomorrow. Proactive investment in EA translates directly into enhanced operational resilience, compliance, and competitive advantage.

    Image Source: AOTEA Transform Partner – Your Digital Transformation Consultancy

  • Kylie Hargreaves (GAICD)

    Chair; Non-Executive Director; Chief Sustainability Officer, BESydney Global Ambassador, Adviser and Consultant.

    5,685 followers

    🌍 Building Climate Resilient Infrastructure 🌏

    Infrastructure is the backbone of our economies and communities, yet natural disasters and climate-related hazards can affect the efficacy of that infrastructure. That's why tools like the Global Infrastructure Resilience Index (GIRI) and Infrastructure Risk Dashboard are game-changers for risk assessment and strategic planning.

    The GIRI is the world's first publicly available, fully probabilistic risk assessment covering infrastructure assets across most geographic regions. It evaluates the risks associated with major hazards—earthquakes, floods, landslides, tsunamis, tropical cyclones, and droughts—helping policymakers, businesses, and communities make informed decisions.

    Meanwhile, a little closer to home, the Infrastructure Risk Dashboard provides invaluable insights into hazard exposure across Australia, particularly flood-prone zones in New South Wales, Queensland, and Victoria.

    🔍 Want to explore how these tools can help shape smarter infrastructure planning?
    Check out the Infrastructure Australia Infrastructure Risk Dashboard here 👉 https://lnkd.in/gka2D7QK
    Learn more about the Global Infrastructure Resilience Index (GIRI) here 👉 Coalition for Disaster Resilient Infrastructure https://giri.unepgrid.ch/

    #InfrastructureResilience #RiskAssessment #FloodRisk #GIRI #SustainableDevelopment #DisasterResilience #ClimateRisk #InfrastructurePlanning Australian Urban Research Infrastructure Network Georgina Stevenson
