Businesses seeking to establish themselves in privileged positions in a digitally modified society must anticipate the competition and explore new opportunities in unstable environments. In this state, companies are aware that they are exposed to known and unknown risk and to issues that must be resolved in real time, and they must overcome their fears and knowledge limitations to drive the changes required in this context.1
Considering this requirement, it is necessary to have a detailed understanding of the structural uncertainty of the environment. This will help to establish concrete alternatives to prevent key risk from materializing. Alternatives may include the organization taking action based on calculated risk and learning lessons with the speed required in a hectic and uncertain digitally modified market.2
Most of the practices and standards of risk management were conceived and updated by charting a course through a moderately stable, relatively unchanging context. In the face of this reality, the AREM (AREM is an acronym for the Spanish words “amenazas y riesgos emergentes” or “threats and emerging risk”) window,3 a strategic and tactical instrument developed by this author in 2014, can enable enterprises to update seasoned business management frameworks, pushing risk practice out of its current method and to the dynamic exercise needed for the present changing and unexpected reality.
Clearly, it is not possible to anticipate every risk that may arise in an environment, but it is viable to establish a systemwide view of potential risk. The AREM window can aid in the review and update of the environment’s uncertainty. This instrument takes both probability and possibility into consideration and does not invalidate current risk practice, but rather enhances it using the dynamics of understanding risk as a key factor in decision making.
In this sense, the application of the AREM window makes it possible to carry out an exercise involving the joint construction of meanings based on limited information. Participants from different areas of a company can establish a complementary reading of risk that is naturally defined, following established standards, e.g., the International Organization for Standardization’s (ISO) ISO 31000 or Standards Australia’s AS/NZS 4360.
This article applies the AREM window to the enterprise cyber security context. It is presented as an instrument that addresses the challenges of anticipating threats and emerging risk and of defending the organization, using natural, simple language to construct an enriched distinction of risk. This distinction speaks not only to known factors, but also to latent, focused and emerging factors, as the basis of a holistic reading of the challenge of being part of the current digital ecosystem.
The AREM Window
The AREM window is a strategic and tactical instrument that helps enterprises rethink organizational risk management. It establishes a systemwide reading of the environment that warns of known risk and reveals latent, focused and emerging risk.
This tool (figure 1) recognizes the virtues of existing risk practice and establishes a new paradigm of risk management. It goes beyond static risk/control matrices and well-known probability assessments and introduces a dynamic risk exercise that follows the environment’s conditions. The AREM window introduces possibilities as key elements in the forecasting analysis and articulates risk inherent in the analyzed sector (focused risk) as a fine-tuned reading of the expectations of executives and the concrete management of the organization.
Known risk factors are those that form part of the traditional risk management standards and are assessed and analyzed according to the logic of inherent risk, exposure risk and residual risk. For each of these risk factors, there must be defined controls whose application and effectiveness must be assessed. After assessment, these controls can be implemented to decrease the uncertainty that risk causes within an organization.
Latent risk is risk that is known to exist in the environment but is unknown to the organization. Trained risk analysts know what form this takes and how it arises, but to date they have no specific controls to deal with it. This leaves little margin to establish alternative actions to mitigate the effects of the risk’s occurrence. This is the risk that should be studied more closely to make more rapid advances in effective treatment.
Focused risk is risk known to the organization and unknown in the environment. This risk affects only a particular industry, meaning that it is vital to have statistics or reliable information on its dynamics within the industry in question. Focused risk is analyzed together with latent risk, since they may share some of the same features. This creates a correlation that facilitates the assessment of both risk types’ importance in relation to the instability or the effects identified.
Finally, emerging risk is risk that outlines a scenario of possibilities and opportunities that could be exploited. This risk, which is unknown in the environment and to the organization, consists of tendencies picked up in the environment that are identified as new advances, previously unseen faults, or discontinuous technological changes that alter a market or industry.
Following this method, this article provides a detailed description of a company’s cyber security anticipation and defense exercise; considers the inherent limitations of risk exercise development, which involves the correlation of available information detailing the relevant aspects of the analysis and the different approaches of the participants in the exercise; and reveals some interesting alerts for cyber security professionals and information technology auditors in organizations.
Applying the AREM Window to Enterprise Cyber Security
If enterprise cyber security is understood as “a defined capacity of a company to defend against and anticipate digital threats inherent in the digital ecosystem where the organization operates in order to protect and ensure the resilience and the operations of the company,”4 there is an interesting and impactful challenge for organization executives in the digitally modified world.
In this scenario, enterprise cyber security establishes new governing regulations for organizations in the 21st century. Understanding and anticipating digital threats not only involves incorporating new, relevant information technologies, but also the ability to explore and recognize new attack vectors in advance to prepare the company to face previously unknown phenomena.5
To address this need, the AREM window facilitates analysis in context, where possibilities and probabilities connect to make up a spectrum for review. This process commences with an analysis of possibilities that are gradually filtered according to the emerging business dynamics to diagnose and assess risk and threats. It also enables executives and all those responsible for the company’s digital security to stay vigilant.
To apply this instrument, a risk analyst collects and analyzes material on visible and emerging trends relating to new or potential threats or attack vectors over the course of six months to a year. The materials are assessed and prioritized according to their level of impact on the organization, the novelty of the attack and the company’s current response capacity. Based on the results, participants in a workshop use the AREM window to draw up and assess a list of possible threats.
Each participant receives a sheet with the result of the analyst’s review and the four quadrants of the AREM window (known, latent, focused and emerging risk). Then the participants proceed to place the threats in each of the quadrants, as follows:
- Known—The threat has been spoken of or communicated within the organization and its existence is known.
- Latent—It has become known that this threat exists, but it is not known whether the organization has any mitigation strategy.
- Focused—The threat has already been seen or has materialized in the particular industry to which the company belongs.
- Emerging—The threat has not previously been known.
The responses of each participant are then compiled, identifying the greatest overlap in the various quadrants. This allows for the analyst who set up the initial exercise to fine-tune the risk analysis based on the concrete realities of the company and its current security levels.
The final deliverable is a systemwide view of key risk (four quadrants). It should be enriched with the vision of the company participants and the risk and threat analysts. This means that the view of cyberrisk ceases to be a predominantly technological approximation and becomes a collective construction of the business’s areas instead.
Figure 2 shows the results of an AREM window application exercise carried out by a Latin American energy company from 2015 to 2017.
The results shown in figure 2 are incorporated into the vision of risk in the IT area and inform top-level executives of the key challenges entailed in the materialization of these trends within the organization. Using this holistic view, the actions that must be implemented become clear according to the quadrant where each risk is situated.
Additionally, the window notifies the technological monitoring and control mechanisms (e.g., the security operation center [SOC]) of new attack patterns identified within the company to initiate an in-depth review of them and anticipate mitigation or control strategies that may be implemented.
The results reveal a variety of key challenges that the organization must face and overcome. Organizations deal not only with known risk, which is possibly already part of traditional risk management practice, but must also undertake a whole new management strategy that addresses a variety of newly identified possible instabilities. This newly identified risk must be shared with the various areas responsible and all who may be involved.
Reviewing the Results of the AREM Window
The results of the exercise provide interested parties with a systemwide view of the risk identified to date. These results are relevant for optimal management and governance of the organization in the company’s cyber security context. This enhanced reading of risk and threats keeps the organization focused in light of events occurring in the environment and illuminates the appropriate action according to the type of risk or threat that may materialize.
It is important to note that when repeating the exercise, the previous results must be evaluated in the current company state to see whether it is possible to move risk from one category to another. In general, some emerging risk will move to the latent quadrant, given that it has been possible to define it better and mitigation strategies are designed to control the potential effects of the risk’s materialization.
As such, the management of known risk ceases to be a static exercise performed once a year and instead becomes a dynamic visualization of the system. This makes it possible to expand the organization’s understanding of environmental challenges. It also improves the organization’s capacity for anticipation and containment of the instabilities and uncertainties inherent to its own sphere of operation.
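As an added illustration (not part of the article or of any tooling of the author’s), the following Python encodes the four quadrant definitions from the previous section, compiles constructed participant sheets from the workshop to find the quadrant with the greatest overlap for each threat while flagging contested placements for the analyst’s fine-tuning, and applies the repeat-exercise rule above under which emerging risk moves to the latent quadrant. The threat labels, participant names and 60 percent agreement threshold are assumptions.

```python
from collections import Counter

QUADRANTS = ("known", "latent", "focused", "emerging")

def quadrant(known_in_environment, known_to_organization):
    """Map the two axes of the AREM window onto its four quadrants."""
    if known_in_environment and known_to_organization:
        return "known"      # in the traditional risk register, controls defined
    if known_in_environment:
        return "latent"     # seen in the environment, no controls in the organization
    if known_to_organization:
        return "focused"    # specific to the company's own industry
    return "emerging"       # unknown both in the environment and to the organization

# Constructed workshop sheets: one dict per participant, threat -> quadrant chosen.
# Threat labels are placeholders, not the energy company's actual results.
RESPONSES = {
    "it":    {"threat_a": "known",  "threat_b": "latent",  "threat_c": "emerging"},
    "ops":   {"threat_a": "known",  "threat_b": "focused", "threat_c": "emerging"},
    "risk":  {"threat_a": "latent", "threat_b": "latent",  "threat_c": "focused"},
    "legal": {"threat_a": "known",  "threat_b": "focused", "threat_c": "emerging"},
}

def compile_window(responses, min_agreement=0.6):
    """Per threat: the quadrant with the greatest overlap, its share of participants,
    and whether the placement is contested (a tie, or share below min_agreement)."""
    tallies = {}
    for sheet in responses.values():
        for threat, q in sheet.items():
            if q not in QUADRANTS:
                raise ValueError(f"{threat}: {q!r} is not an AREM quadrant")
            tallies.setdefault(threat, Counter())[q] += 1
    window = {}
    for threat, counts in tallies.items():
        # Most votes first; ties broken deterministically in quadrant order
        ranked = sorted(counts.items(), key=lambda kv: (-kv[1], QUADRANTS.index(kv[0])))
        top_q, votes = ranked[0]
        tied = len(ranked) > 1 and ranked[1][1] == votes
        share = votes / sum(counts.values())
        window[threat] = (top_q, share, tied or share < min_agreement)
    return window

def reassess(previous, now_defined):
    """Repeat-exercise rule: emerging risk that has since been defined, with mitigation
    designed, moves to the latent quadrant; every other placement is kept."""
    return {t: "latent" if q == "emerging" and t in now_defined else q
            for t, q in previous.items()}

if __name__ == "__main__":
    for threat, (q, share, contested) in compile_window(RESPONSES).items():
        print(f"{threat}: {q} ({share:.0%} agreement){' CONTESTED' if contested else ''}")
```

A contested placement is exactly the case L25 describes: the analyst resolves it against the company’s concrete realities rather than by majority count alone.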
The consolidated results shown in figure 2 suggest that securing industrial cyber security practices (relating to International Society of Automation [ISA]/International Electrotechnical Commission [IEC] 62443 standards), strengthening tactical information security management (based on regulations and ISO standards or similar) and developing the capacity for active environment monitoring (assisted by traditional SOC or cognitive services) will enable an organization to create windows of known vulnerabilities and close any gaps identified in each of the components comprising the company’s cyber security.
Conclusion
The AREM window facilitates the natural evolution of risk management in organizations. Its use in recognizing and confronting the challenges posed by cyber security in an enterprise makes it possible to explore relevant conditions in the company environment and participate in the digital ecosystem.
Consequently, understanding the current dynamic of threats, emerging artificial intelligence computing resources, SOC exercises and the active intelligence strategies available is integral to advancing a different type of management and governance of company cyber security risk—one based more on possibilities than probabilities.
Considering the current organizational state, the AREM window is a support tool for risk and threat management, particularly for enterprise cyber security. Its application makes it possible to link various points of view to develop enriched views of current analysis regarding the impacts of opposing agents identified in their operational environment. Additionally, it introduces the requirement to constantly watch for possibilities, maintaining focus through emerging risk.
Although this tool has been applied in only a few organizations, its results have prompted and facilitated reflections that were previously nonexistent and have afforded an integrated view of the challenges that identified threats pose. It has also highlighted the actions required to mobilize the organization in the face of the uncertainty created by latent, focused or emerging risk.
Endnotes
1 Mocker, M.; P. Weil; S. Woerner; “Revisiting Complexity in the Digital Age,” MIT Sloan Management Review, 17 June 2014, http://sloanreview.mit.edu/article/revisiting-complexity-in-the-digital-age/
2 Charan, R.; The Attacker’s Advantage: Turning Uncertainty Into Breakthrough Opportunities, Perseus Books Group, USA, 2015
3 Cano, J.; “La ventana de AREM. Una herramienta estratégica y táctica para visualizar la incertidumbre,” Proceedings of the XIII Spanish Conference on Cryptology and Information Security (RECSI 2014), 5 September 2014, http://web.ua.es/es/recsi2014/documentos/papers/la-ventana-de-arem-una-herramienta-estrategica-y-tactica-para-visualizar-la-incertidumbre.pdf
4 Cano, J.; “Ciberseguridad empresarial,” IT-Insecurity blog, 7 September 2015, http://insecurityit.blogspot.com.co/2015/09/ciberseguridad-empresarial-primeras.html
5 EY, Cyber Program Management: Identifying Ways to Get Ahead of Cybercrime, October 2014, www.ey.com/Publication/vwLUAssets/EY-cyber-program-management/$FILE/EY-cyber-program-management.pdf
Jeimy J. Cano, Ph.D., CFC, CFE, CMAS
Is an associate professor at the school of business at the Universidad del Rosario in Colombia. Cano has more than 20 years of experience in information security, privacy, digital forensics, information systems and cybercrime.