History shows that economic activity has always carried substantial risk, and managing that risk is essentially about safeguarding society and human life from its impact. In this era of digitization, businesses rely more and more on digital information. Protecting that information from compromise, accidental exposure and/or intentional damage has become a prime responsibility of businesses.
The attack surface keeps growing, and the severity and business impact of attacks increase with every passing year. As per the CNBC report, there were 918 data breaches which compromised 1.9 billion data records in the first six months of 2017 (Gemalto). That’s an increase of 164 percent compared to 2016.
“The risk management needs to lift up from risk control to risk intelligence which can identify the potential business growth opportunities.” – Pearl Zhu
Risks are growing faster due to digitization and an increased attack vector caused by the inclusion of IoT and mobile devices as part of the business. This makes tackling risks a thorny problem for every CISO.
The need to cope with these risks and reduce their impact on business, to maintain existing client loyalty, and to meet regulatory requirements to declare breaches is driving organizations toward a risk-based approach to cybersecurity. Hence cybersecurity risk management has become one of the focus areas for organizations.
The following diagram depicts the risk drivers and the risk management process.
Risk Management Challenges:
- Risks and business data are continuing to grow in complexity, volume, and magnitude.
- Governance, Risk and Compliance (GRC) policies need to be centralized and integrated to handle the spreading security threat vector, financial risks, and compliance requirements.
- Creating a matrix to monitor and manage risk is challenging, as risks depend on a large number of factors such as unpatched systems, insecure ports, malicious / spearphishing email, insecure passwords, a large number of privileged users, vulnerabilities in BYODs, and disruptive technologies like cloud and hybrid environments.
- Use of social media and Bring Your Own Device (BYOD) makes risk analysis more difficult, as these can create wide exposure at the individual level.
- The existing tools and technologies are stretched to their limits in identifying threats and attacks, as attackers use the latest technologies to plan and launch organization-specific attacks.
- Organizations need well-trained and skilled analysts who have knowledge of cybersecurity and understand the business. Analysts with this combination of knowledge are not only a costly resource but also limited in number. To deal with the humongous volume of data and the dynamic attack vector, we would need an army of these analysts.
“Some risks that are thought to be unknown, are not unknown. With some foresight and critical thought, some risks that at first glance may seem unforeseen, can in fact be foreseen. Armed with the right set of tools, procedures, knowledge and insight, light can be shed on variables that lead to risk, allowing us to manage them.” – Daniel Wagner
How can AI improve Risk Management?
AI-based risk analysis can help risk analysts focus on complex issues. AI-based tools and technologies employ algorithms to automatically extract concepts and relationships from data, understand their meaning, and learn independently from data patterns and prior experience.
The following diagram depicts AI-based risk management with added intelligence: it takes inputs not only from threats and technical security vulnerabilities but also from the analysis of structured and unstructured data, provides context for the identified risk, and applies this context to produce a risk score that risk analysts can use as an input to make actionable decisions.
These AI and machine learning based algorithms are self-learning: the more data they analyze, the more effectively they identify risks.
- Identify and Cognize: AI-based tools can identify and help to recognize threats associated with handwritten documents, text, voice, image and video data using natural language engines, semantic computing, predictive algorithms, and machine learning. This will provide more inputs to identify the risks that cannot be identified by the current risk assessment tools.
- Understand the Context: AI-enabled tools can analyze risk by taking into account contextual information and the meaning of words.
- Apply context: AI-based tools can provide information that is situation-aware and reflects relevant data associations based on computing results from different sources and models.
- Actionable Decision: AI-enabled tools can provide the risk assessor with inputs, along with reasons, to make actionable decisions based on specific environments.
- Learn and Improve: AI and Machine learning algorithms can continuously learn and improve performance based on results and feedback received.
In the near future or in the long term, AI-based risk assessment tools will not replace the human factor in the risk management equation, but these tools will enable risk assessors to make informed, actionable and precise decisions by providing more insights.