CRIF submission to BIS on Cyber Risk

Cyber Risk Call for evidenceIn March 2013, the UK Department for Business, Innovation and Skills issued a “Call for Views and Evidence”  that built on the commitments made in the 2011 Cyber Security Strategy published by government.

The Call for Evidence focused on the intention of government to encourage the adoption of industry led standards that can be used by organisations to  improve the management of cyber risk.

The CRIF - Cyber Risk & Privacy Framework


Protect and Detect Phases

The traditional phases of Protect and Detect are where organisations outsource their security requirements to a managed security provider, build an in-house team, or have a trusted independent IT guy they can call if the worst happens.  Each of these approaches needs to be cognizant of the changes to the threat actors, their motivation and techniques and how social technology has rapidly altered the attack surface for cyber.

Illustration of the CRIF Framework 5 Steps

The challenge business owners, risk managers or security managers have in this phase is identifying how best to spend their traditional security budgets e.g. do I keep buying more security technology to tackle the expanding cyber threats or do I look at culture, awareness and training in parallel.  


Below is an example of how Cyber Risk Matrix may look connecting Threat and Impact with Insurance Exposure (Click on Graphic to download)