
Augmented Intelligence for Monitoring Enterprise Cyber Risk

2022-08-16

In this post I explore the concept of “Augmented Intelligence” (which I have dubbed “AugI”) and how it can support board members in meeting their fiduciary duty of care regarding cybersecurity.

What is “Augmented Intelligence”? In OKTA’s article “Augmented Intelligence vs. Artificial Intelligence (IA vs AI)” they describe the difference:

“Augmented intelligence uses artificial intelligence technologies. However, while AI is often designed to replace the need for human interactions, AugI is meant as a helpful tool to support human decision making. The main difference is that AI uses technology to drive and make decisions, while augmented intelligence uses humans as the decision-makers and technology as more of a source of data. Augmented intelligence does not seek to replace human interaction. It merely aims to help people do their jobs better and faster.”

AugI is embedded in a variety of areas. Agents such as Google, Siri, and Alexa help with directions or suggest products that may be of interest. The user is given several alternatives, and the decision is left to the user, reflecting their own preferences. In other words, AI provides the data and AugI helps assess the value of the information.

Traditional AI is part of operational cybersecurity. Simulation, deep learning, and natural language processing use tools (such as Monte Carlo methods) to generate scenarios that help decide the next steps. However, these processes require large data sources which must be continually updated. The processes summarized in OKTA’s article include:

  • Machine learning: Systems learn from data to identify patterns and make independent decisions to learn and improve.
  • Logical reasoning: This uses logical techniques based on available data to rationalize and reach conclusions and deductions to solve problems and make predictions.
  • Spatial navigation: Artificial neural networks are designed to work similarly to the human brain.
  • Natural language processing: This works to teach machines how to understand and interpret the human language.
  • Machine vision: This enables a computer to see for automatic analysis and inspection.
  • Pattern recognition: This is automated recognition of patterns within data by spotting regularities.

As broad as these capabilities are, monitoring cyber risk at the board level is more complex, requiring human oversight and interpretation of standards. The National Institute of Standards and Technology (NIST) addresses this in its paper “Integrating Cybersecurity and Enterprise Risk Management (ERM)”:

“Cybersecurity risk is an important type of risk for any enterprise. Other risks include but are not limited to financial, legal, legislative, operational, privacy, reputation, safety, strategic, and supply chain risks. As part of an ERM program, senior leaders (e.g., corporate officers, government senior executive staff) often have fiduciary and reporting responsibilities that other organizational stakeholders do not, so they have a unique responsibility to holistically manage the combined set of risks, including cybersecurity risk.” (NISTIR 8286).

Augmented Intelligence meets the requirement in NISTIR 8286 by providing a bridge between the CISO’s focus on operations and the board’s need to assess cybersecurity as part of overall enterprise risk management. For example, it can help the board answer questions such as:

  • “Do the members understand their role as fiduciaries?”
  • “Do we have board members with the knowledge and experience to help interpret reports from operations?”
  • “How do we demonstrate that the board is monitoring cyber issues on an ongoing basis and not just in preparation for quarterly meetings?”
  • “What processes do we have in place to quickly respond to our constituents in case of a cyber breach?”

For the board, the answers to these questions and others are focused on the process of making decisions. But how do we assess whether we are meeting best practices? What benchmarks should we use? There are many global protocols and benchmarks, such as the ISO/IEC 27000 family, the NIST CSF and ISACA COBIT®, that focus on operations, while fiduciary standards for cyber risk are in their infancy.

What is needed is a set of global standards for board members to better understand the CISOs’ role in operational risk management, integrate cyber risk with enterprise risk, and support the board’s requirement to meet their fiduciary duty of care.

Using AugI together with standard AI can greatly enhance the value added by the CISO and help board members sleep at night knowing that they have met their fiduciary duty of care.