How do you quantify the loss of all an organization’s data? Or the loss of all availability? Or a loss of data integrity that might endanger lives? As Geoji Paul, director of information security, and Ben Havalka, risk analyst, from Express Scripts told an audience at the recent FAIR Conference 2018 at Carnegie Mellon University, those mind-boggling questions are not only answerable with FAIR but worth asking.
As Geoji said, “catastrophes force you to think about what your crown jewels are,” what it would cost to lose those key assets, whether your security readiness could handle a disaster, and how much insurance you should buy.
Catastrophic risk modeling has been a proven standard in the insurance industry since Hurricane Andrew of 1992, Ben explained.
Hurricane hazard modeling combines four modules, and each closely resembles an element in the FAIR model:
- Exposure data module (property values at risk for a portfolio of houses on the East Coast, for instance), analogous to Loss Magnitude
- Hazard module (based on frequency of occurrence and severity of storms), analogous to Threat Event Frequency
- Vulnerability module (factoring in construction type, building codes, building height, etc.), analogous to Vulnerability
- Finance module, based on input from the previous modules and factoring in policy terms, analogous to Risk, the top level of the FAIR model.
To start with catastrophic cyber risk analysis, FAIR-style, Geoji suggested asking business leaders what they would consider “outrageous” cyber events, then applying the same FAIR scoping principles you use on more limited scenarios, leveraging historical data, and turning to calibrated experts in the company with a proven record for assessing odds subjectively (Geoji suggested pulling in the cybersecurity blue team as well).
As a result of this research, you should have a good grasp of:
- What your crown jewels are
- What threats could be after those crown jewels
- What your resistance strength is
“You will almost certainly have model losses that make you uncomfortable when you are considering catastrophic events,” Geoji warned. “...The best way to use numbers is to use exceedance probabilities,” in particular as a guide to how much cyber insurance to buy. He also recommended limiting the analysis to three or four catastrophic scenarios when aggregating exceedance probabilities.
Hair-raising though the exercise may seem, “once you establish something like this, it will be an incredible asset to see how this curve is shifting [over time] that will actually serve as your baseline and you can see how it moves up and down based on the investments that you are making or how the threat landscape is changing.”
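The module-to-FAIR mapping above and the exceedance-probability guidance can both be seen in a small Monte Carlo model. The following is an added example, not code from the talk or from the FAIR Institute: it takes three constructed catastrophic scenarios (the scenario names, frequencies, vulnerabilities and loss figures are all invented for illustration), simulates many years of loss, builds an aggregate loss exceedance curve, and then applies a hypothetical insurance policy (deductible plus limit, standing in for the "finance module") to show how the retained-loss curve shifts. Only the standard library is used; the Poisson sampler is hand-written because `random` does not provide one.

```python
import math
import random
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass
class Scenario:
    """One catastrophic scenario, parameterised with the FAIR factors that the talk
    maps onto the hurricane modules: hazard -> TEF, vulnerability -> Vuln,
    exposure data -> Loss Magnitude. All values below are constructed, not real."""
    name: str
    tef_per_year: float   # Threat Event Frequency: expected attempts per year
    vulnerability: float  # probability that one attempt becomes a loss event
    lm_median: float      # Loss Magnitude: median loss per event, in dollars
    lm_sigma: float       # log-space spread of the loss magnitude (lognormal)


# Constructed sample portfolio of "outrageous" events (hypothetical numbers).
SCENARIOS = [
    Scenario("Destructive malware wipes primary data and backups", 0.5, 0.10, 50e6, 0.8),
    Scenario("Core processing platform unavailable for 30 days", 1.0, 0.05, 20e6, 0.6),
    Scenario("Silent corruption of safety-relevant records", 0.2, 0.10, 100e6, 1.0),
]


def _poisson(rng: random.Random, lam: float) -> int:
    """Poisson draw using Knuth's multiplication method (fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenarios: Sequence[Scenario], years: int, seed: int = 1) -> List[float]:
    """Monte Carlo: for each simulated year, draw attempts (TEF), filter them through
    vulnerability to get loss events, draw a lognormal magnitude per event, and sum
    across all scenarios. Returns one aggregate loss per simulated year."""
    rng = random.Random(seed)
    log_medians = {s.name: math.log(s.lm_median) for s in scenarios}
    annual = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            attempts = _poisson(rng, s.tef_per_year)
            events = sum(1 for _ in range(attempts) if rng.random() < s.vulnerability)
            total += sum(rng.lognormvariate(log_medians[s.name], s.lm_sigma) for _ in range(events))
        annual.append(total)
    return annual


def exceedance_probability(losses: Sequence[float], threshold: float) -> float:
    """P(annual loss > threshold), estimated as the fraction of simulated years above it."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def loss_exceedance_curve(losses: Sequence[float], thresholds: Sequence[float]) -> List[Tuple[float, float]]:
    """Points of the loss exceedance curve: (threshold, probability of exceeding it)."""
    return [(t, exceedance_probability(losses, t)) for t in thresholds]


def apply_policy(losses: Sequence[float], deductible: float, limit: float) -> List[float]:
    """Finance-module step: retained loss after a hypothetical policy that pays the
    part of each year's loss above the deductible, capped at the policy limit."""
    retained = []
    for x in losses:
        recovered = min(max(x - deductible, 0.0), limit)
        retained.append(x - recovered)
    return retained


if __name__ == "__main__":
    gross = simulate_annual_losses(SCENARIOS, years=20000, seed=2018)
    net = apply_policy(gross, deductible=5e6, limit=100e6)
    thresholds = [10e6, 25e6, 50e6, 100e6, 250e6]
    print(f"{'threshold':>12} {'P(gross>t)':>11} {'P(retained>t)':>14}")
    for (t, p_gross), (_, p_net) in zip(loss_exceedance_curve(gross, thresholds),
                                         loss_exceedance_curve(net, thresholds)):
        print(f"{t/1e6:>10.0f}M {p_gross:>11.3f} {p_net:>14.3f}")
```

Reading the table row by row is the use the talk describes: pick the loss level the business cannot tolerate, read off how often the model exceeds it, and compare the gross and retained columns to judge whether the chosen deductible and limit move that probability enough. Re-running the same seed after a control investment or a threat-landscape change gives the before/after curves the speaker refers to as a baseline.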
Watch the video presentation on catastrophic cyber risk modeling now.
See more coverage of the 2018 FAIR Conference.