*By Charlene Deaver-Vazquez, CISSP, CISA. Charlene is the developer of Probabilistic Risk Modeling for Cyber (P-RMOD4Cyber), a framework of mathematical models for quantifying risk.*

There is a tendency to view the effectiveness of our cybersecurity practice through a single lens – compliance. We apply controls and best practices hardening our systems and continually monitoring our security posture. We implement defense in depth relying on strong perimeter defense and real-time analytics. At this point, we discuss risk in terms of defensive actions, what we’ve done and what we see based on our logs and alerts.

What does a typical conversation around risk sound like at this maturity level? On any given day leadership can be informed on the progress of patching, numbers of attacks blocked, and malware incidents reported. Operational data is charted to trend over time, we use Common Vulnerability Scoring System (CVSS) scores to prioritize remediation, and there are discussions on the latest reports of attacks. When asked, “What’s our risk?” the response is usually focused on specific vulnerabilities and any related remediation efforts. This is all descriptive analytics: accurate and easy. Not bad, but it could be better.

At the next level of maturity, we see qualitative and semi-quantitative analytics being applied. Now we use words like low, moderate, or high and use heat maps to chart our risks. Vulnerability data is analyzed to gain deeper insights and drive operational efforts. We may have adopted a cybersecurity standard and have compliance reports to refer to. We feel in control. Now, when asked, “What’s our risk?” we say low or moderate to communicate our status. But is that good enough?

At this level of maturity, two questions generally arise: are we more secure, and are all moderate risks equal? This is usually where quantitative analytics using probabilistic methods are implemented. These methods have been adopted in seismology, epidemiology, finance and safety analysis because they are particularly well suited to providing standardized, repeatable analysis of the probability of events.

We elevate the risk discussion by elevating the underlying analysis.

Quantitative analysis based on probabilistic methods establishes a common language that is understood by leadership. Risk is expressed as a range with strategic, operational or financial impacts. For example, based on the data available we estimate a 20 to 40% probability of experiencing a negative event impacting operations, with an outage of between four hours and three weeks and a financial impact of between $150,000 and $1,200,000.
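The statement above is the output of a probabilistic analysis; the step that produces it is a simulation over the analyst's ranged inputs. The following is an added example, not code from the article, FAIR or P-RMOD4Cyber, of one common way to do that: fit lognormal distributions to the 90% ranges given for loss and outage duration, draw the per-year event probability from the 20 to 40% range, and run a Monte Carlo simulation to obtain an annual-loss distribution that can be reported as percentiles and as the probability of exceeding a chosen threshold. The input figures are the article's illustrative ones; the choice of lognormal distributions, the uniform draw for event probability, the `500_000` exceedance threshold and the function names are this example's own assumptions.

```python
"""Monte Carlo risk quantification from ranged estimates (added example).

Turns "20-40% probability of an event, outage of 4 hours to 3 weeks,
financial impact of $150,000 to $1,200,000" into a simulated annual-loss
distribution. The distribution choices below are this example's assumptions,
not a prescribed method of any particular framework.
"""
import math
import random
from statistics import NormalDist


def lognormal_from_interval(low, high, ci=0.90):
    """Fit a lognormal so that [low, high] is its central `ci` interval.

    Expert estimates are usually elicited as a 90% range; the lognormal is a
    customary choice for losses and durations because it is positive and
    right-skewed (rare, very large outcomes are possible).
    """
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    z = NormalDist().inv_cdf((1 + ci) / 2)          # 1.645 for a 90% range
    mu = (math.log(low) + math.log(high)) / 2       # log-space midpoint
    sigma = (math.log(high) - math.log(low)) / (2 * z)
    return mu, sigma


def lognormal_quantile(mu, sigma, q):
    """Quantile q of the fitted lognormal; used to sanity-check the fit."""
    return math.exp(mu + sigma * NormalDist().inv_cdf(q))


def simulate_annual_loss(p_low, p_high, loss_low, loss_high,
                         outage_low_h, outage_high_h,
                         trials=20_000, seed=1, exceedance=500_000):
    """Simulate `trials` years and summarise the annual-loss distribution.

    Each simulated year: the event probability is drawn uniformly from
    [p_low, p_high] (the analyst's uncertainty about frequency); if the event
    occurs, loss and outage hours are drawn from the fitted lognormals.
    A fixed seed keeps the run reproducible for review.
    """
    rng = random.Random(seed)
    mu_l, sg_l = lognormal_from_interval(loss_low, loss_high)
    mu_o, sg_o = lognormal_from_interval(outage_low_h, outage_high_h)

    losses, outages = [], []
    for _ in range(trials):
        p = rng.uniform(p_low, p_high)
        if rng.random() < p:
            losses.append(rng.lognormvariate(mu_l, sg_l))
            outages.append(rng.lognormvariate(mu_o, sg_o))
        else:
            losses.append(0.0)      # no event this year

    losses.sort()

    def pct(q):
        return losses[min(len(losses) - 1, int(q * len(losses)))]

    return {
        "expected_annual_loss": sum(losses) / trials,
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "p_loss_exceeds": sum(1 for x in losses if x > exceedance) / trials,
        "p_event": len(outages) / trials,
        "p_outage_over_week_given_event":
            sum(1 for h in outages if h > 168) / max(1, len(outages)),
    }


if __name__ == "__main__":
    # Constructed inputs matching the article's illustrative ranges:
    # 20-40% event probability, $150k-$1.2M loss, 4 hours to 3 weeks outage.
    result = simulate_annual_loss(0.20, 0.40, 150_000, 1_200_000, 4, 21 * 24)
    for name, value in result.items():
        print(f"{name:32s} {value:>14,.3f}")
```

Two things in the output are worth pointing out to leadership. The median annual loss is zero, because in most simulated years no event occurs, yet the 95th percentile is several hundred thousand dollars; reporting only an average (or only a "moderate" label) hides exactly that tail. And because the inputs are ranges rather than point values, the same model re-run after a control change shows how much the loss-exceedance probability actually moved, which is the "are we more secure?" question asked earlier in the article.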

There are a few options specific to cybersecurity. The Factor Analysis of Information Risk (FAIR™) standard prescribes a sequence of calculations for estimating risk and financial impacts. The Probabilistic Risk Modeling for Cyber (P-RMOD4Cyber™) framework includes a model implementing the FAIR sequence as well as other models that support analysis of supply chain, compliance, cyber-attacks and other areas.

Whatever you choose, it’s time to elevate the discussion and begin forecasting rather than reacting to risk.