It is believed that Alexander the Great once said: “Conquer your fear and you will conquer death”. By this he meant that if you are not afraid of a particular negative event or consequence, you will be more effective in avoiding it or in making sure that it does not happen to you. You may wonder how could this be done?
In this regard, the Japanese culture offers us many useful references. Specifically, the code of samurai implies that the samurai is always prepared to die because he conquers his fear of death through training and, importantly, considers the consequences of his death prior to undertaking a risky activity. Notice, it does not mean that the samurai wants to die—on the contrary, life is very valuable to a samurai warrior. Yet, he understands that his life, as a life of any human being, is short and uncertain. It can end at any point in time. So, the important thing is to be prepared for death by considering it consequences.
Many pragmatic VIPs and celebrities have put in place contingency plans for various types of unexpected risks by considering the consequences of adverse effects. They consider the consequences of the publication of compromising materials or photos, and, equally, think of what will happen to their family, business, or community if there is an unsuccessful or successful attempt on their life.
Using the Samurai Approach for Cyber Security Risk Assessment
Similarly, in order to tackle cybersecurity risks, it is useful to apply the Samurai approach to risk assessment and risk management by thinking through all the possible negative (even catastrophic) consequences which may result from adversarial actions. If your business holds large amounts of customer personal data, what is the worst-case scenario of these valuable data being stolen or compromised?
It is also important not to jump into the fatalist mode when conducting this exercise and stay pragmatic while considering such scenarios. For these purposes, business canvas methodology provides a good template. In practice, understanding how business canvas is related to cyber security issues is very important as it allows you to map how cyber security fits your business model, where it saves you money and where it generates revenue. One approach was proposed by Boris Taratine, who argued in 2015 that cybersecurity should not be considered as an organisational fixed cost, but needs to be understood within the context of the entire organisational operations.
Fitting Cyber Security into Business Canvas
Extending this earlier approach, together with Mark Skilton, we have overlaid cybersecurity risk considerations with the business canvas to create a tool (which we call Cyber Security Business Canvas Risk Assessment Tool) which provides businesses with a starting point for thinking about the various risks in the cyberspace.
Cybersecurity business canvas risk assessment tool
Source: Pogrebna, Ganna, and Mark Skilton "Navigating New Cyber Risks." Springer International Publishing, 2019.
The Cybersecurity Business Canvas Risk Assessment Tool outlines a set of questions which should be asked to understand how various cybersecurity issues affect your business model. Following the business canvas methodology, the questions are split into 11 major business model categories: Key Partners, Key Activities, Key Resources, Value Proposition, Customer Relationships (Distribution and Impact) Channels, Customer Segmentation, Cost Structure, Revenue Streams, as well as Reputational, Social, and Environmental Costs and Benefits.
Take Aways
When considering cyber security risks, applying the Samurai approach (imagining and planning for the worst-case scenario) is a beneficial approach. To do this effectively and systematically, potential consequences of cyber security breaches as well as other threats should be considered as a part of an organisational business model. This approach helps to identify areas of concern as well as prioritise investment in tools and training.
#cybersamurai #cybersecurity #cyberrisks #cyberthreats #datasecurity #cyberattack #businesscanvas #risk #infosec #security #riskmanagement #businessmodel #dataprotection #informationsecurity
This post was originally written by Ganna Pogrebna for the CyberBits blog in 2020
Comments