The holy grail for cyber is to measure and communicate risk in financial terms and come up with a mitigation plan that works for security professionals, all while speaking to the CEO, CFO and the board. The good news is that the basic formula for figuring this out is simple:
Yet that formula does not take into account the details needed to understand cyber risk. A more detailed version of the formula might look like this:
The latter formula involves three variables, and a key part of the equation is the value of the assets in your organization (measured in an impact analysis). This is still a simplified view, but even at this level people are not computing financial risk. Why? We think three things are holding them back:
- “Perfect” is the enemy of good enough
- It requires asymmetrical thinking (hackers)
- You cannot figure out your risk if you don’t know your environment
Asset Value – perfect is definitely the enemy of good enough
Asset value defines how much something is worth to the organization. There are a number of ways to elicit this value, from performing a business impact analysis (BIA) to leveraging a framework like FAIR (Factor Analysis of Information Risk) to compute the values.
Asymmetrical thinking required
A second reason quantifying cyber risk is challenging is that understanding the threat is not a linear equation. The insurance industry has been looking for a solution to this problem for years. It has some of the best actuaries in the business, yet it still cannot figure out how to predict what the cost of a cyber breach would be.
The reason is that modeling cyber risk means modeling the hackers themselves. Hackers are non-linear: they are human. They do not follow a standard path, formula or model that can be easily expressed. That is why we have things like sandboxes, NGFWs, UEBA and other advanced cyber tools.
Know what you don’t know
If we know our asset value and how the bad guys operate, then we're good, right? Wrong! Too often risk is calculated without the third (and arguably most important) piece of the puzzle: knowing what is actually in your environment.
Home Depot was hacked a few years ago. Does that mean Lowe's has the same risk that Home Depot has? Because Sony was hacked, does that mean Warner Bros would experience the same thing? The answer is obviously no, and the reason is clear: those companies have different people, procedures and tools in their environments.
What do we do?
Now that we have outlined the challenges, we need to start figuring out what to do. People are using a number of methods to try to solve this problem. Excel seems to be the primary one, followed by simulation (Monte Carlo or other methods). I believe the answer lies in something we can borrow from the auto industry: crash test dummies.
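To make the Monte Carlo approach concrete, here is an added example (not the author's tooling or any product's code) that turns the three inputs discussed above into an annual loss distribution in dollar terms. It assumes a common three-factor decomposition: attack attempts arrive at some rate (the threat), each succeeds with a probability set by your own environment, and a success costs some share of the asset's value (the impact analysis). The RiskInputs class, the constructed numbers and the uniform loss-fraction range are illustrative assumptions, not figures from the post.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass
class RiskInputs:
    """The three inputs the post names: asset value, threat, and environment (constructed model)."""
    asset_value: float        # financial impact if the asset is fully compromised (from a BIA)
    attempts_per_year: float  # expected attack attempts per year (the threat / hacker model)
    p_success: float          # chance an attempt succeeds in *your* environment (people, procedures, tools)
    loss_fraction: tuple = (0.1, 1.0)  # share of asset value lost per successful attempt (uniform range)


def simulate_year(inputs: RiskInputs, rng: random.Random) -> float:
    """One simulated year: attempts arrive as a Poisson process, each succeeds with p_success."""
    if inputs.attempts_per_year <= 0:
        return 0.0  # no threat activity means no loss this year
    lo, hi = inputs.loss_fraction
    loss = 0.0
    t = rng.expovariate(inputs.attempts_per_year)  # time of the first attempt, in years
    while t < 1.0:
        if rng.random() < inputs.p_success:
            loss += inputs.asset_value * rng.uniform(lo, hi)
        t += rng.expovariate(inputs.attempts_per_year)
    return loss


def annual_loss_distribution(inputs: RiskInputs, years: int = 20000, seed: int = 1) -> dict:
    """Run many simulated years and summarize the loss distribution in dollar terms."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    losses = sorted(simulate_year(inputs, rng) for _ in range(years))
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "p95_annual_loss": losses[int(0.95 * (years - 1))],  # the 1-in-20 bad year
        "p_any_loss": sum(1 for x in losses if x > 0) / years,
    }


def analytic_expected_loss(inputs: RiskInputs) -> float:
    """Closed-form mean as a sanity check: attempts x P(success) x mean loss per success."""
    lo, hi = inputs.loss_fraction
    return inputs.attempts_per_year * inputs.p_success * inputs.asset_value * (lo + hi) / 2


if __name__ == "__main__":
    # Constructed numbers: same asset and same threat, two different environments.
    weak = RiskInputs(asset_value=5_000_000, attempts_per_year=4.0, p_success=0.20)
    hardened = RiskInputs(asset_value=5_000_000, attempts_per_year=4.0, p_success=0.05)
    for name, inp in (("weak environment", weak), ("hardened environment", hardened)):
        print(name, annual_loss_distribution(inp), "analytic mean:", analytic_expected_loss(inp))
```

The two runs show the post's point about knowing your environment: identical asset value and threat, yet the expected and tail losses differ by the success probability alone.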
Crash test dummy
Everyone is familiar with the car crash test, and many rely on the safety ratings it drives. To execute these tests, automakers use "crash test dummies". These dummies are fitted with a number of sensors to measure what happens during a crash. The automaker then puts the dummy into a real car and crashes it, measuring and analyzing the data throughout. Note that the myriad sensors are NOT on the bumper or the door; they are on the dummy. That is because in a crash we care far less about the bumper than about the most important thing: US! The same analogy should apply to cyber. We should be testing the security of the most important things before we test our bumper.
The next few posts in this series will discuss the three things we outlined (how to compute asset value, how to model a hacker, and how to know your environment) as well as ways to put them together. Our goal is to help change how Security Risk Management (SRM) is done today and move cyber to a more business-focused discussion.