Questions I’ve been asked a lot are: Is it worth quantifying cyber risks and using well-established models to simulate the effects of those risks? Or is quantifying cyber risk a waste of time, detached from reality? How do we bring business value with statistics?
While we may still be in the infancy of cyber risk quantification, at Swisscom, we’ve found that taking proactive steps, thinking through and quantifying cyber risks in a structured way by using the FAIR™ model allows us to better understand the uncertainty we face, and helps us make good risk-informed decisions. As the saying goes, “What gets measured, gets managed,” but you can only measure what you understand.
Laura Voicu is Senior Security Architect for Swisscom.
See the video of Laura’s presentation at the 2019 FAIR Conference (a free membership in the FAIR Institute and in the LINK discussion board is required to view it).
Here are three lessons we learned from our introduction of FAIR at Swisscom.
1. Clean up the risk register (and make it two)
A fundamental problem with many methods for measuring cyber risk is that they use basic terms like “risk” and “threat” imprecisely and inconsistently. When we began our FAIR journey early this year, we realized that we faced the same problems: our risk register was a mix of risks and threats, such as “weak authentication” or “privileged insider threat”, which are more accurately described as factors that contribute to risk.
We began by defining risk more precisely, viewing it in terms of potential loss events, for example a breach of sensitive consumer data or the destruction of critical data. But we didn’t throw away threats such as “weak authentication” just yet. Instead, we started gathering them in a second register, let’s call it a threat register. While we have only just begun this activity, it has already proven extremely beneficial in identifying organization-specific issues that call for robust strategies with cross-disciplinary considerations. Jack Jones’ blog post on how to clean up a risk register was a great source of inspiration.
2. Move the discussion away from challenging the rating (or the numbers) to challenging the assumptions
The process of working through the FAIR model imposes a certain discipline which helps bring implicit assumptions into the open. Even in the past, when placing a dot on a matrix, we were envisioning a certain scenario unfolding. The assumptions behind it, however, remained largely undocumented. What did the dot represent? Best case? Worst case? Something in between?
During this process of working through the FAIR model, the assumptions stop living in somebody’s mind and get documented on paper. Once the assumptions have been clearly documented, we can start debating the assumptions rather than debating personal feelings, whether it’s a personal belief that a rating should be different (typically lower) or that the numbers are too high.
If you start with the assumptions and everybody agrees on them, it becomes very hard to challenge the results (and not trust the math). So, what to do if not everybody agrees with the assumptions? Take it as an opportunity for improvement: Use the FAIR model to identify those assumptions that need to be re-examined.
3. Start a meaningful discussion around risk appetite
We should know what our appetite and tolerance for risk are in order to know whether a cyber risk matters or not (risk management is all about focusing on the uncertainty that matters). But what to do if we haven’t articulated an appetite and tolerance for risk?
Quantifying our risks helps us understand where the probability of outcomes falls. We use these results to start a discussion with the risk owners and help them understand whether this is within, or exceeds, an acceptable level of loss for their particular scenarios.
Jack Jones pointed out in his article series on risk appetite that there are two broad categories of decisions where risk appetite can and should play a role:
- The first is a “tactical” risk appetite where, as a result of a risk assessment, security audit, etc., the risk owner needs to decide how aggressively to treat it, in other words, prioritize.
- The second decision category is more strategic, where the question is whether the aggregate exposure of the organization is acceptable or not.
For now, we are bringing change to the organization slowly and focusing on the tactical definition of risk appetite. Even if there is a high probability that the appetite and tolerance for risk will be exceeded, the risk owner may still choose to continue on the current path; he/she is, however, more likely to be persuaded to put additional actions in place, such as bolstering the security controls needed to prevent attacks (any controls that could reduce the number of loss events) or improving the detection and response plan (anything that could reduce the losses we experience when an event does occur).
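One way to turn documented assumptions into the “where the probability of outcomes falls” view described in sections 2 and 3, as an added example that is not from the original post or from Swisscom: a small FAIR-style Monte Carlo in Python that multiplies threat event frequency by vulnerability to get loss event frequency, draws a loss magnitude per event, and reports how often a year’s total exceeds the risk owner’s tolerance. The scenario values, the PERT shape, and the tolerance figure are constructed assumptions for illustration.

```python
import math
import random

# Constructed example values, not Swisscom's data: one loss-event scenario from
# the risk register, with every assumption written down as min / most likely / max
# so the debate can be about the assumptions rather than about the final number.
SCENARIO = {
    "name": "breach of sensitive consumer data",
    "threat_event_frequency": (2, 5, 12),            # attacker contacts per year
    "vulnerability": (0.05, 0.15, 0.40),             # P(contact becomes a loss event)
    "loss_magnitude": (50_000, 400_000, 3_000_000),  # loss per event (assumed currency units)
}
TOLERANCE = 1_000_000  # risk owner's acceptable annual loss (assumed figure)

def sample_pert(rng, lo, mode, hi, lamb=4.0):
    """Modified PERT draw: a beta distribution shaped by min / most likely / max."""
    if hi == lo:
        return lo
    a = 1 + lamb * (mode - lo) / (hi - lo)
    b = 1 + lamb * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)

def poisson(rng, lam):
    """Number of loss events in one year for an annual rate lam (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_year(rng, scenario):
    """One Monte Carlo year: LEF = TEF x vulnerability, then sum the per-event losses."""
    tef = sample_pert(rng, *scenario["threat_event_frequency"])
    vuln = sample_pert(rng, *scenario["vulnerability"])
    n_events = poisson(rng, tef * vuln)
    return sum(sample_pert(rng, *scenario["loss_magnitude"]) for _ in range(n_events))

def run(scenario=SCENARIO, tolerance=TOLERANCE, trials=10_000, seed=1):
    """Annual loss distribution summary and the probability of exceeding the tolerance."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(rng, scenario) for _ in range(trials))
    pct = lambda q: losses[min(trials - 1, int(q * trials))]
    return {
        "mean": sum(losses) / trials,
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p_exceed_tolerance": sum(loss > tolerance for loss in losses) / trials,
    }
```

Changing one input triple (for example a lower vulnerability range after a control is added) and re-running shows the effect of that control on the probability of exceeding the tolerance, which is the conversation the post describes having with risk owners.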
While the road may be long, FAIR has put us on the right path. I hope you'll find our experiences useful in your FAIR work. I spoke more about the FAIR program at Swisscom at the 2019 FAIR Conference -- please see the video of the session "Use Case Panorama." Let me know your reaction in the comments section below this post or on the LINK discussion board (a free FAIR Institute membership is required).