Organizations who pay a ransom to cyber-criminals following a cyber-attack are highly likely to suffer a subsequent attack. It is against this backdrop that one leading CISO has developed a new method to help business leaders decide whether to pay.
During the Gartner Security & Risk Management Summit, Lorraine Dryland, CISO at First Sentier Investors presented her quantitative decision-aid. The model has been developed by Dryland and her colleagues to enable executives to make informed choices during time-critical ransomware incident scenarios.
She said that CISOs simply telling executives they should not pay a ransom will not work. “To force an executive down that path can only end up in negative results and bad experiences because these are very wilful individuals – they don’t get to where they are because they shy away from things, they will want to make a decision,” Dryland explained.
She emphasized that decision-aids must incorporate the business implications of ransomware attacks as well as technical impacts. The technical considerations include restore time and scale of impact without paying.
The business aspects in Dryland’s model include how paying a ransom will impact clients and how it ties in with the firm’s ethics and potential legal liabilities – both personal and company.
Working with the First Sentier risk scoring team, Dryland developed a scoring mechanism on such areas that allows executives to calculate the risks involved in whichever choice they make.
No tags.
