BLUF – A look at the distinctions between Cyber Threat Intelligence (CTI) and cyber risk: two disciplines with similar and mutually supportive elements that are often confused for one another. Definitions are offered to aid practitioners, auditors, regulators and boards.
Working through regulatory and audit enquiries, there seems to be a blurred line (in the minds of the enquirers) between CTI and first-line cyber risk. The dictionary definitions themselves hold similarities.
- Threat – a person or thing likely to cause damage or danger: “hurricane damage poses a major threat to many coastal communities”; the possibility of trouble, danger, or ruin: “the company faces the threat of bankruptcy”
- Risk – a situation involving exposure to danger: “flouting the law was too much of a risk”
Cyber risk even has an esoteric formula that contains threat as one of its terms, namely (Risk = Threat × Vulnerability × Threat probability × Impact), indicating that the two are not one and the same. So where is the disconnect? How does cyber play into this?
Here are some subtle but important differences.
- CTI looks outside the organisation. Cyber risk has to take those external findings and marry them up to understood internal components and processes, with projected impacts. Whether relaying indicators of compromise (IoCs) to security teams, interpreting bad actor behaviours, cataloguing Dark Web marketplace offerings, or any number of other external areas of focus, CTI is looking beyond the borders, whilst cyber risk focuses further inside the organisation.
- CTI is based on observations and evidence. Cyber risk is based on measured possibilities. Absence of evidence not being evidence of absence notwithstanding, CTI looks to track and alert based on knowns. The challenge here (a topic for another discussion) is that the uncertainty inherent in cyber risk makes proper measurement untenable without a clear understanding of dependencies and operational impacts.
- CTI looks at how harm is projected. Cyber risk looks at how much we need to care about it.
As an example, take the photo above, which shows a large number of crocodiles.
CTI (were they digital) would tell you all about the crocodiles. Numbers, placement in the confines, age, eating habits, consumption preferences, perhaps the number and condition of their teeth would all be relayed.
Risk would give your survival chances, were you to walk across.*
CTI and its supporting elements focus on event/actor reporting, trends, and perhaps some limited projections with confidence levels – all contributing to risk. The description of risk further requires details of the risk acceptance or risk mitigation in place.
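To make the division of labour concrete, here is an added worked example (not from the post) of the formula quoted earlier, Risk = Threat × Vulnerability × Threat probability × Impact. The CTI side supplies only the external, evidence-based terms (the actor, its observed threat level and the confidence that it will act); the first-line risk side supplies the internal terms (each asset's exposure, business impact, the controls in place and any formal acceptance). The same CTI report is run against several assets so that the footnote's point shows up in numbers: identical threat observations produce very different residual risk once mitigation or non-exposure is accounted for. The 1-5 ordinal scales, the integer "controls" offset, the risk-appetite threshold and all sample data are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Dict

# Worked illustration of: Risk = Threat x Vulnerability x Threat probability x Impact
# The 1-5 scales, the integer "controls" offset and the appetite threshold are
# assumptions made for this example, not values taken from the post.

@dataclass
class ThreatReport:
    """What CTI contributes: an external, evidence-based observation."""
    actor: str
    threat: int          # observed capability/intent, scored 1-5 (assumed scale)
    probability: float   # CTI confidence that the actor will act against us, 0.0-1.0

@dataclass
class Asset:
    """What first-line risk contributes: internal context the CTI feed cannot see."""
    name: str
    vulnerability: int      # exposure to this threat class, 0-5 (0 = not exposed)
    impact: int             # business impact if the threat lands, 1-5
    controls: int = 0       # points of vulnerability removed by mitigations in place
    accepted: bool = False  # the risk owner has formally accepted the residual risk

def effective_vulnerability(asset: Asset) -> int:
    """Vulnerability that remains after mitigations are credited; never below zero."""
    return max(asset.vulnerability - asset.controls, 0)

def inherent_risk(report: ThreatReport, asset: Asset) -> float:
    """Risk before any controls are considered."""
    return round(report.threat * asset.vulnerability * report.probability * asset.impact, 2)

def residual_risk(report: ThreatReport, asset: Asset) -> float:
    """Risk after the controls in place are credited against vulnerability."""
    return round(report.threat * effective_vulnerability(asset) * report.probability * asset.impact, 2)

def classify(residual: float, asset: Asset, appetite: float) -> str:
    """The status a risk description needs beyond the CTI facts: mitigated, accepted or open."""
    if residual == 0:
        return "not exposed"
    if asset.accepted:
        return "accepted"
    if residual <= appetite:
        return "within appetite"
    return "open"

def risk_register(report: ThreatReport, assets: List[Asset], appetite: float = 20.0) -> List[Dict]:
    """One CTI report evaluated against every internal asset, ranked by residual risk."""
    rows = []
    for asset in assets:
        inherent = inherent_risk(report, asset)
        residual = residual_risk(report, asset)
        rows.append({
            "asset": asset.name,
            "actor": report.actor,
            "inherent": inherent,
            "residual": residual,
            "status": classify(residual, asset, appetite),
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)

# Constructed sample data (not from the post): one CTI report, four internal assets.
SAMPLE_REPORT = ThreatReport(actor="ExampleActor-1", threat=4, probability=0.75)
SAMPLE_ASSETS = [
    Asset("customer-db", vulnerability=5, impact=5),                 # exposed, no controls
    Asset("web-portal", vulnerability=5, impact=5, controls=4),      # same exposure, mitigated
    Asset("lobby-kiosk", vulnerability=2, impact=1, accepted=True),  # low impact, formally accepted
    Asset("offline-archive", vulnerability=0, impact=5),             # not reachable by this threat
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_REPORT, SAMPLE_ASSETS):
        print(f"{row['asset']:16} inherent={row['inherent']:6.1f} "
              f"residual={row['residual']:6.1f} {row['status']}")
```

Note that nothing in `ThreatReport` changes between rows: the crocodiles are the same crocodiles. What moves the residual figure is entirely first-line information (controls, acceptance, whether the asset is reachable at all), which is why a CTI feed on its own can never be presented to an audit committee as a risk statement.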
Where else is the distinction important? And for whom?
In addition to those acting as, or answering to, regulators and auditors, these distinctions are crucial if your job is to sign off audit findings and regulatory submissions in an audit committee or on the board.
If you are the one reporting these audit findings or compliance statements to the audit committee or to the board for approval, sign-off and submission, your role is critical in ensuring the subtleties are communicated clearly enough to be understood, or at least clearly enough to guide the questioning required to clarify them.
*Now just think of circumstances where you could walk across the crocs with limited to no risk found.