A Quantified Approach to Cybersecurity Risk Assessment

Cybersecurity risk assessment should be a hot topic these days. How else can you not only convince your board and management team that you need to do something to protect against cyberattacks, but also communicate with them, for once, in a language they understand?

Cybersecurity risk assessment is used to answer three questions:

  1. What can go wrong?
  2. What is the probability?
  3. How much money is at risk?

There are lots of risk frameworks around that can help answer the first two questions, but very few give a dollar answer to the third.

ISO defines information security risk assessment (ISRA) as "the overall process of risk identification, risk analysis, and risk evaluation". In general, an ISRA method produces risk estimates, where risk is the product of the probability of occurrence of an event and the associated consequences for the given organization.

ISRA practices vary among industries and disciplines, resulting in various approaches and methods for risk assessments.

Still, ISRA provides a complete and standardized framework for assessing the risk levels of information security assets, and it is widely used by risk advisors when implementing security controls to satisfy information security standards and regulations.

The ISRA risk analysis component is divided into three categories: quantitative, qualitative, and synthetic.

The quantitative approach constructs complicated mathematical models to produce metered results, but it depends on difficult-to-collect historical data, and because the threat landscape now changes daily, historical data is of limited use in estimating current risk. It has no way to reflect the threat activity that was operating in your environment five minutes ago.

A view that might have been useful to, say, Equifax.

The qualitative method collects data from experts' opinions or questionnaires, which is easy to gather but entirely subjective. Measuring Equifax's risk this way might not even have produced a "high" rating, let alone "critical". Which may in fact be exactly what happened there.

Synthetic risk analysis methods can arguably overcome some of the limitations of the traditional quantitative and qualitative approaches by applying fuzzy logic and the Analytic Hierarchy Process (AHP), which at least provides a decision-making model. Unfortunately, synthetic risk models are designed around attributes of general information security risk and cannot process specific threats such as an in-progress cyber-attack. Moreover, the risk scores the model renders have no association with a dollar value; they are usually presented as an asset risk level of 1 to 5, with an overall aggregated risk score of 1 to 100.

A score like that is a speed-limit sign. It might have been useful if Equifax had been doing 65; running through the zone at 90 did not produce a speeding ticket but an $800 million (and counting) breach.

Additionally, these subjective synthetic scores are useless for cross-company or cross-industry comparisons.

A much better approach would be to use Value-at-Risk (VaR) as a foundation. Classical financial risk models like VaR estimate the loss that a portfolio will not exceed, at a chosen confidence level, over a specific time horizon. VaR works from the actual dollar value of the assets at risk, and when those values are factored by the threat activity currently observed, it yields a measurable dollar impact of cybersecurity risk at the very moment of calculation.

The dollar value of an information asset can be estimated, though part of the estimate is necessarily subjective. For example, the customer PII held by Equifax has a dollar value determined by the cost of replacing the lost data plus the churn, that is, the number of customers lost because of the breach. Ponemon (love them or hate them) provides studies showing that companies whose data breaches involved fewer than 10,000 records spent an average of $4.5 million to resolve the breach, while companies that lost more than 50,000 records spent $10.3 million, and so on.

These values are a useful starting point.

They also have to be combined with forensic and investigative activities; assessment and audit services; crisis team management; and the post-breach costs, which include notifying victims, help desk activities, inbound communications, special investigative activities, remediation, legal expenses, product discounts, identity protection services, regulatory interventions, compliance failures, cybersecurity consultants and the cost of resolving lawsuits. In the case of Equifax this last category may be the heaviest straw of all: there are now over 400 individual class action suits on file, the earliest of which have just been settled for $381 million, with another $125 million for "out-of-pocket" losses.

Factoring in the threat activity may increase or decrease the risk value.

As an example of a very real risk scenario, suppose a well-secured credit card database server shows little vulnerability under examination by network monitoring systems, while a minimally secured clerical support server registers a high level of vulnerability probes. Conventional SIEM platforms, which use rules-based engines to evaluate syslog data, would alert on the exposed clerical server. The information assets processed through the credit card server are risk-valued at $20 million (using the costs defined above), while the information assets on the clerical server are valued at zero (they are largely Word documents and spreadsheets).

It is obvious to the SIEM that the clerical server is under attack, but because the SIEM makes no contextual correlation with the value of the assets processed on or residing on each server, it treats the credit card server as just another network asset of equal value and ignores it.

Additionally, the SIEM fails to recognize that the clerical server provides a path to the credit card server, which substantially increases the risk to the high-value server even though that device is registering no attack-related activity of its own.

A SIEM alert here does not address the actual threat to the asset at risk, so the company's management and those directly responsible for the asset remain unaware that their overall cyber risk has increased dramatically. Memo to Equifax: next time, perhaps you could spend a few hundred thousand dollars to prevent a breach instead of $500 million to litigate it.

The risk engine I suggest as an alternative could be constructed from the VaR of each and every information asset (the portfolio), factored by the aggregated and correlated threat data active in the IT environment at each moment throughout the day. All of that data already exists in most enterprise environments. It can be collected and processed in real time, so the VaR is continually updated to reflect actual conditions on the ground, and the engine can automatically assess the worst-case loss of the portfolio from a breach.

These calculations should be done in real time, and the tools to do this actually exist today.
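The VaR foundation and the two-server scenario above, as an added worked example in Python; this is not code from the original article or from any product. The $20 million and $0 asset values come from the text; the base breach probabilities, the threat multiplier, the lateral-move probability and the 0.8 threat score are constructed assumptions. The block builds the exact loss distribution of the portfolio by enumerating every combination of direct compromises and lateral moves, then reads off the 95% VaR. With the clerical server quiet the portfolio's 95% VaR is $0; once the probes a SIEM would flag on that worthless host are fed in as threat activity, and the path to the database is modelled, the VaR becomes $20 million even though the database itself shows no attack activity.

```python
from dataclasses import dataclass
from itertools import product

# Hypothetical scaling: how much observed threat activity (0..1) inflates an
# asset's base probability of direct compromise over the horizon.
THREAT_MULTIPLIER = 5.0


@dataclass
class Asset:
    name: str
    value_usd: float           # loss if breached: replacement, churn, response, legal costs
    base_breach_prob: float    # probability of direct compromise with no observed threat activity
    threat_score: float = 0.0  # probe/attack intensity from monitoring, 0 (quiet) to 1 (under attack)


@dataclass
class Path:
    src: str             # compromised host an attacker would pivot from
    dst: str             # host reachable from src
    lateral_prob: float  # probability the pivot succeeds over the horizon


def direct_prob(asset: Asset) -> float:
    """Base compromise probability, inflated by the threat activity seen against the asset."""
    return min(1.0, asset.base_breach_prob * (1.0 + THREAT_MULTIPLIER * asset.threat_score))


def loss_distribution(assets: list[Asset], paths: list[Path]) -> dict[float, float]:
    """Exact loss distribution {loss_usd: probability}, found by enumerating every
    combination of direct compromises and successful lateral moves (2**(assets+paths) outcomes)."""
    events = [("asset", a.name, direct_prob(a)) for a in assets] + \
             [("path", (p.src, p.dst), p.lateral_prob) for p in paths]
    values = {a.name: a.value_usd for a in assets}
    dist: dict[float, float] = {}
    for outcome in product((False, True), repeat=len(events)):
        prob = 1.0
        compromised = set()
        open_paths = []
        for (kind, key, p), happened in zip(events, outcome):
            prob *= p if happened else 1.0 - p
            if not happened:
                continue
            if kind == "asset":
                compromised.add(key)
            else:
                open_paths.append(key)
        # An attacker on a compromised host reaches every host behind an open path; iterate to a fixpoint.
        changed = True
        while changed:
            changed = False
            for src, dst in open_paths:
                if src in compromised and dst not in compromised:
                    compromised.add(dst)
                    changed = True
        loss = sum(values[n] for n in compromised)
        dist[loss] = dist.get(loss, 0.0) + prob
    return dist


def value_at_risk(dist: dict[float, float], confidence: float = 0.95) -> float:
    """Smallest loss L with P(loss <= L) >= confidence: the loss the portfolio
    stays under with that confidence over the horizon."""
    cumulative = 0.0
    for loss in sorted(dist):
        cumulative += dist[loss]
        if cumulative >= confidence - 1e-12:
            return loss
    return max(dist)


def expected_loss(dist: dict[float, float]) -> float:
    return sum(loss * p for loss, p in dist.items())


def scenario(clerical_threat_score: float) -> tuple[float, float]:
    """The two-server scenario from the text with constructed probabilities.
    Returns (95% VaR, expected loss) in dollars."""
    assets = [
        Asset("cc-db", value_usd=20_000_000, base_breach_prob=0.01),   # well secured, $20M at stake
        Asset("clerical", value_usd=0, base_breach_prob=0.05,          # minimally secured, worthless data
              threat_score=clerical_threat_score),
    ]
    paths = [Path("clerical", "cc-db", lateral_prob=0.5)]  # the clerical box is a pivot to the database
    dist = loss_distribution(assets, paths)
    return value_at_risk(dist), expected_loss(dist)


if __name__ == "__main__":
    for score in (0.0, 0.8):
        var, el = scenario(score)
        print(f"clerical threat_score={score}: 95% VaR=${var:,.0f}, expected loss=${el:,.0f}")
```

Exhaustive enumeration is exact but exponential in the number of assets and paths; a real engine over hundreds of hosts would Monte Carlo sample the same model instead, and would refresh each asset's threat_score from SIEM or monitoring data as it arrives so the VaR tracks current conditions rather than last quarter's.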

By assessing risk in actual dollar value combined with real threat data, responsible custodians of an organization’s risk would have a no-nonsense basis for making decisions about their Cybersecurity investments and improving their defense systems while transferring appropriate portions of that risk through increased Cyber-insurance.

Either way, the IT executive who has been used to asking for $1 million to reduce her risk from "high" to "medium" could substitute real money for those risk-level labels, ask instead for $1 million to reduce risk "by $10 million", and be able to show it.
