TY - GEN
T1 - Capability effectiveness testing for architectural resiliency in financial systems
AU - Rohmeyer, Paul
AU - Ben-Zvi, Tal
AU - Lombardi, Donald
AU - Maltz, Alan
N1 - Publisher Copyright:
© 2017 IEEE.
PY - 2017/11/29
Y1 - 2017/11/29
N2 - Increasing interconnectivity in financial institutions and markets, along with complex, interdependent architectures, presents unique enterprise risks. While technological advances continuously improve the reliability and trustworthiness of individual technological system components, the complex, collaborative architectures relied on by most financial organizations present substantial challenges that span technology, personnel, and process dimensions. As systems and threat environments grow in sophistication, approaches to security testing and evaluation must evolve as well. Traditional approaches to cyber security testing may still be useful to evaluate basic architectural components; however, new techniques are needed to enable the enterprise to construct simulation exercises that model real-world threat conditions and test the resiliency of all architectural components, including personnel and process dimensions. Organizations must not only establish capabilities to recognize breach attempts, but also take decisive response action under conditions of uncertainty and stress. Techniques to evaluate resilient enterprise architectures sometimes underemphasize the threats surrounding human dimensions. This paper examines emerging risk considerations presented by increased connectivity among financial services enterprises. It explores new requirements for testing and evaluation of enterprise resiliency as well as organizational detection and response capabilities. The paper considers industry and other external environmental factors driving the need to develop comprehensive evaluation approaches to evaluate the effectiveness of enterprise capabilities, in order to embed capability effectiveness assessments within enterprise risk management practices. Limitations of current cyber testing approaches in simulating the emerging cyber threat environment are identified, and the value of realistic, time-bound drills and tests that mimic the stress of real-world cyber events is explored.
AB - Increasing interconnectivity in financial institutions and markets, along with complex, interdependent architectures, presents unique enterprise risks. While technological advances continuously improve the reliability and trustworthiness of individual technological system components, the complex, collaborative architectures relied on by most financial organizations present substantial challenges that span technology, personnel, and process dimensions. As systems and threat environments grow in sophistication, approaches to security testing and evaluation must evolve as well. Traditional approaches to cyber security testing may still be useful to evaluate basic architectural components; however, new techniques are needed to enable the enterprise to construct simulation exercises that model real-world threat conditions and test the resiliency of all architectural components, including personnel and process dimensions. Organizations must not only establish capabilities to recognize breach attempts, but also take decisive response action under conditions of uncertainty and stress. Techniques to evaluate resilient enterprise architectures sometimes underemphasize the threats surrounding human dimensions. This paper examines emerging risk considerations presented by increased connectivity among financial services enterprises. It explores new requirements for testing and evaluation of enterprise resiliency as well as organizational detection and response capabilities. The paper considers industry and other external environmental factors driving the need to develop comprehensive evaluation approaches to evaluate the effectiveness of enterprise capabilities, in order to embed capability effectiveness assessments within enterprise risk management practices. Limitations of current cyber testing approaches in simulating the emerging cyber threat environment are identified, and the value of realistic, time-bound drills and tests that mimic the stress of real-world cyber events is explored.
UR - http://www.scopus.com/inward/record.url?scp=85043485889&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85043485889&partnerID=8YFLogxK
U2 - 10.23919/PICMET.2017.8125456
DO - 10.23919/PICMET.2017.8125456
M3 - Conference contribution
AN - SCOPUS:85043485889
T3 - PICMET 2017 - Portland International Conference on Management of Engineering and Technology: Technology Management for the Interconnected World, Proceedings
SP - 1
EP - 7
BT - PICMET 2017 - Portland International Conference on Management of Engineering and Technology
A2 - Anderson, Timothy R.
A2 - Niwa, Kiyoshi
A2 - Kocaoglu, Dundar F.
A2 - Daim, Tugrul U.
A2 - Kozanoglu, Dilek Cetindamar
A2 - Perman, Gary
A2 - Steenhuis, Harm-Jan
T2 - 2017 Portland International Conference on Management of Engineering and Technology, PICMET 2017
Y2 - 9 July 2017 through 13 July 2017
ER -