Summary

Summary Quiz 2 - International Technology Law

Pages
43
Uploaded on
16-10-2023
Written in
2023/2024

Complete summary of mandatory literature and lecture notes (week 5-7) for quiz 2.

Preview of the content

Summary Quiz 2

Lecture week 5 (Guest lecture EY)
Security is a lack of risk? Not a great definition though.

CIA triad
- C: confidentiality (data leakage)
- I: integrity (cyber security)
- A: availability (insider threat)
Cyber risk = likelihood x impact.

DDoS cyber attack = distributed denial of service. In this attack the attacker floods a
server with internet traffic to prevent users from accessing the required network (structure).

Ransomware attacks = steal data so that the organisation can no longer access it and require
said organisation to pay a ransom (bitcoin is often used as the payment method as it provides the
attackers with anonymity).

Cyber Risk Management
"A threat without a corresponding vulnerability does not pose a risk, nor does a vulnerability
without a corresponding threat".

Threat: insider threat, phishing, malware, Zero Day.
Vulnerability: patching delay, unaware employees, unprotected endpoints, 3rd party IT security.
Threat + vulnerability = incident.

90% of incidents are due to human error. For example, through phishing, employees
could leak information to hackers.

Types of information security risks
- Un-reported information security incidents
- Lack of security in mobile device
- Physical security breach
- Social engineering
- Suspicious email
- Vulnerable password
- Malware
- Unsafe internet surfing
Risk treatment
4 options to address risks:
1. Mitigate (e.g. require employees to use strong passwords)
2. Transfer (hire an insurance company)
3. Accept (because there are so many risks, you may need to accept some of them)
4. Avoidance (e.g. if an organisation uses an outdated server)

2 new legal frameworks
DORA (regulation)
- Focus on organizations in the financial industry
- Focused on ICT governance, risk, resilience and ICT outsourcing
- Prescriptive on procedures, controls
- Enhanced testing and focus on stress testing continuity and security
- Focus on concentration risk and incident reporting/communications
- DORA builds on the NIS directive and addresses possible overlaps via a lex specialis
exemption

NIS2 (directive, provisional agreement)
- Focus on national level, EU level and international level, and applies to a wider variety of industries
- Baseline for cybersecurity risk management and reporting obligations and focus on network
security and information security of essential & important services.
- Focuses on many authoritative entities such as the CSIRTs, ENISA and the Commission
- Focuses on aligning policies and the authoritative process of cyber security on a national level
Main differences:
- DORA (Organizations) vs NIS2 (National, EU, international level)
- DORA (Financial organization) vs NIS2 (Diverse industries)
- DORA (wide range of topics operational resilience) vs NIS2 (more on network and information
security)
- DORA (More specific controls and activities) vs NIS2 (more general, quickly covers testing etc.)
- DORA (focus on implementing controls and activities) vs NIS2 (focus on aligning national
policies and national/EU authorities)




Dealing with cyber attacks is just the tip of the iceberg
- Accurately map the organization’s cybersecurity and privacy posture
- Recognize technology, security and privacy challenges when they happen
- Enable organizations to take action on emerging threats, on a technical, process and people
level
- Resilience: bounce back when hit, and continue the business
4 building blocks of personal data according to the GDPR:
1. “Any information”
2. “Relating to”
3. “An identified or identifiable”
4. “Natural person”

GDPR:
- The GDPR regulates the processing of personal data (‘any information relating to an identified
or an identifiable natural person’)
- Processing is defined as ‘any operation performed on personal data’
- Stricter requirements for special categories of personal data
- Different roles:
Controller (companies like FB and Twitter): an organisation or individual who is in charge of
deciding how data on the subjects is processed and why. FB and Twitter collect and determine
how they use the personal information users provide when creating accounts and posting
content.
Processor: an organisation or an individual that processes the personal data on behalf of the
controller

GDPR principles:
- Be lawful and fair + transparent to the data subject
- Purposes should be explicit and legitimate
- Data should be relevant and adequate, limit data collection to what is necessary
- Define a period of time for storing data
- Security and confidentiality
- Accountability: adopt policies and implement appropriate measures to ensure personal data is
secured throughout the entire data lifecycle

The GDPR is vague in regard to what measures organizations should take, because technological
and organizational best practices are constantly changing.

Where does the GDPR apply:

Thus:
- When a legal entity is established in Europe;
- When any other form of an establishment exists in Europe (website/representative/equipment);
- When an organization offers goods/services to citizens in Europe (language/currency/
reference to EU customers);
- When an organization monitors the behavior of citizens in Europe (tracking of EU citizens on the
internet);

Potential risks
Enterprise risks:
- Business risks (financial loss)
- Reputation risks (reputational/brand damage)
- Operational risks (business disruption / unreliable data)
- Legal risks (litigation / breach of contract)
- Compliance risks (supervisory authority investigation)
- Regulatory risks (new laws / changes to existing laws)
Data protection risk: risks to individuals from data processing
- Data protection laws
- Rights and freedoms of individuals
Definition of AI according to the amended AI Act:
“means a machine-based system that is designed to operate with varying levels of autonomy and
that can, for explicit or implicit objectives, generate outputs such as predictions,
recommendations, or decisions that influence physical or virtual environments…”

Issues with AI:
- Black Box problem (unclear how the model operates due to complexity)
- Data problem (even if PII is anonymized or removed, sensitive personal information can be
deduced from big data or extracted from a trained model)
- Bias problem (models can recreate and amplify unfairness that is included in data -> lack of
diversity awareness in the development process can lead to discriminatory outcomes)

Where does the AIA apply
Artificial Intelligence Act wants to ensure and facilitate:
- AI systems are safe and respectful
- Legal certainty to facilitate investment and innovation in AI
- Governance and effective enforcement
- Development of single market for lawful, safe and trustworthy AI systems
- Risk based approach to facilitate the use of certain (lower risk) AI applications
7 pillars of trustworthy AI:
1. Accountability:
- Consider and document any tradeoffs when implementing requirements
- Ensure that mechanisms are in place for redressing any negatives
2. Human agency and oversight:
- Perform a fundamental rights impact assessment where risks exist
- Design systems that support individual, informed choices
3. Transparency:
- The decisions or outputs of the AI must be explainable to the user
- These decisions should be communicated to humans interacting with the system
4. Privacy and data governance:
- Ensure that data is protected and privacy preserved when creating AI
- Data going in and out of the AI should be of good quality
5. Societal and environmental wellbeing:
- Determine how the AI system's entire supply chain is sustainable and friendly
- Assess how the AI impacts the individuals but also society at large
6. Diversity, non-discrimination, fairness:
- Ascertain that data going into and out of the AI is fair and unbiased
- The AI should be accessible and universally designed for humans
7. Technical robustness and safety:
- Consider resilience to attack and implement security measures
- Implement a fallback plan and general safety to increase reliability

Key Takeaways
1. While security professionals are hard to find, cybersecurity is a hot topic and new EU
regulations require organisations to step up their security game.
2. Privacy regulations set requirements for organisations on how to process personal data
3. To have a sustainable application of ethics it is important to make it business as
usual: integrate it across the development lifecycle and the ways of working of organizations.
Investments in training and up-skilling would be needed as this is a new and exciting field!
Seller: NC304 (Vrije Universiteit Amsterdam)