In Hard Times, Remember the 3 F’s of Quantified Cyber Risk Analysis
This is a crazy time for those of us who run cyber risk analytics or cybersecurity management – “unprecedented,” everyone says. Deciding where and how to make tough calls about responding to new threats, or changing how you spend to meet a smaller budget, is the new norm.
But if you’re FAIR-trained, you’ve got the critical thinking skills, the proven analytical model, and the risk quantification chops to handle whatever comes.
I recommend taking a deep breath and following the Three F’s to get the most impact out of your risk analysis program.
1. Focus on the Scope
In defining a scenario for a risk analysis, the first step is articulating the asset, threat, and the effect. When defining these components, you want to focus on what is probable, rather than all possible (and highly unlikely) scenarios. Focus on the concerns that matter most to your organization.
As you scope out areas of concern with your organization, articulate which threats are most likely to impact the specific asset in the way defined by your scenario scope (i.e., affecting its Confidentiality, Integrity, or Availability). The most important part, however, is defining what your asset is.
There is a balance to strike between a high-level asset like “internet-facing application” or “PII data” and a very specific one like “Servers 1, 2, 3, etc.” The higher-level the asset, the harder it is to define a method or vector, which in turn makes it harder to obtain reasonable ranges for each factor of the FAIR model. I have seen this happen time and time again: organizations try to perform an analysis quickly without clearly defining the asset, and then find themselves struggling. Avoid this.
Speaking of threats: when it comes to loss exposure, it does not matter which vector a given threat actor uses to impact the asset. For the loss event to impact your organization, only one threat attempt needs to succeed.
Therefore, when modeling your risk scenarios, you don’t have to specify a threat actor or vector. For example, if you are unable to identify which external malicious threat community is targeting your organization (hacktivists, cyber criminals, nation states, etc.), you can use a more general community such as “external malicious actors” when defining your risk statement. Similarly, if you are unsure if the threat is more likely to use a phishing campaign or vulnerability exploit to target your database, you can elect not to define a vector and run a more general analysis. Just like with the asset, there is a balance.
This brings me to my next point.
2. Find the Information
If you don’t spend some time on scope, you will struggle to find the right information. After all, during these unprecedented times (yes, I know what I did there), you need to be able to articulate the problem clearly so you know which of the available information best answers the question.
As I mentioned in a previous post I wrote, Managing a Cyber Risk Program in an Ever-Evolving Threat Landscape:
When you are gathering data, you want to focus on accuracy with a useful amount of precision. While it would not be a useful estimate to state that a threat event could happen between zero and infinity times per year, an estimate between once in five years and once per year still reduces uncertainty.
This is also where you can build future uncertainty into the estimate. If you believe the landscape will evolve in the near future and the number of threat attempts targeting this asset will increase, you can model that change in the maximum end of your range.
It is important when modeling your environment to consider a variety of factors including the controls you may have in place to prevent an attack from occurring and whether or not those controls are changing in the near future. By doing so, the analysis will cover not only your current loss exposure, but also a reasonable estimate of your future risk.
Knowing which questions you are trying to answer, such as “Should I reduce my spending on control X or Y?” or “Can we really spend money on this control right now – is it worth it?”, will help you determine what level of detail you need in your analysis.
Then finally, this brings me to my third point.
3. Figure Out the Funding
By leveraging the FAIR model and its components, you can inform the decision on where to invest your limited resources. In order to do so in a way that is useful and reduces uncertainty, you must scope your analysis to the most probable threats to your organization. Leveraging wider ranges and focusing on accuracy over precision will help you anticipate your risk posture.
Determining how much loss exposure you have related to a particular scenario will help you determine what areas you may want to focus your limited resources on to help reduce that risk and ultimately answer that question, “Can I reduce my spending without sacrificing security?” This hits home more when the control is not a technical control but a human one.
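To make the two ideas above concrete (estimating with ranges and modelling a worsening landscape in the top of the range, then comparing loss exposure with and without a control to decide on funding), here is a small FAIR-style Monte Carlo I added for this post. It is not code from the FAIR Institute or from the original article. All inputs are constructed for illustration: the scenario, the ranges, the control cost and the names CURRENT, FUTURE and NO_CONTROL are assumptions, and it samples each range from a triangular distribution rather than the PERT distribution usually used in FAIR tooling, purely to stay dependency-free.

```python
"""FAIR-style Monte Carlo for one scoped risk scenario (added example).

Scenario (constructed): "external malicious actors" (no specific vector)
compromise the confidentiality of a customer database. Every input is a
calibrated range (min, most likely, max), never a point estimate.
"""
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Range:
    """A calibrated estimate: minimum, most likely value, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular keeps this example dependency-free; FAIR tools use PERT.
        return rng.triangular(self.low, self.high, self.mode)

    @property
    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3.0


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Range   # Threat Event Frequency: attempts per year
    vuln: Range  # Vulnerability: P(an attempt becomes a loss event), 0..1
    loss: Range  # Loss Magnitude per loss event, in currency units


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: Scenario, iterations: int = 20000, seed: int = 7) -> dict:
    """Simulate one year many times; return annualized loss exposure stats."""
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        # Loss Event Frequency = TEF x Vulnerability (loss events per year)
        lef = scenario.tef.sample(rng) * scenario.vuln.sample(rng)
        n_events = _poisson(rng, lef)
        annual.append(sum(scenario.loss.sample(rng) for _ in range(n_events)))
    annual.sort()
    pct = lambda q: annual[min(len(annual) - 1, int(q * len(annual)))]
    return {"name": scenario.name, "mean": statistics.fmean(annual),
            "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
            "max": annual[-1]}


def expected_ale(scenario: Scenario) -> float:
    """Closed-form mean ALE for independent inputs: E[TEF]*E[Vuln]*E[LM]."""
    return scenario.tef.mean * scenario.vuln.mean * scenario.loss.mean


def control_decision(with_control: Scenario, without_control: Scenario,
                     annual_control_cost: float, iterations: int = 20000) -> dict:
    """Answer 'can I cut this control?': compare its risk reduction to its cost."""
    kept = simulate(with_control, iterations)["mean"]
    cut = simulate(without_control, iterations)["mean"]
    reduction = cut - kept
    return {"risk_reduction": reduction, "control_cost": annual_control_cost,
            "recommendation": "keep" if reduction > annual_control_cost else "cut"}


# Constructed inputs (assumptions for illustration, not real data).
CURRENT = Scenario("Customer DB confidentiality, external malicious actors, today",
                   tef=Range(2, 5, 10), vuln=Range(0.05, 0.10, 0.20),
                   loss=Range(50_000, 200_000, 1_000_000))
# Landscape expected to worsen: widen only the top of the TEF range.
FUTURE = replace(CURRENT, name="Same scenario, next 12 months", tef=Range(2, 5, 20))
# Same scenario if an assumed anti-phishing control were removed: Vuln rises.
NO_CONTROL = replace(CURRENT, name="Same scenario, control removed",
                     vuln=Range(0.15, 0.30, 0.50))

if __name__ == "__main__":
    for s in (CURRENT, FUTURE, NO_CONTROL):
        r = simulate(s)
        print(f"{r['name']}: mean={r['mean']:,.0f} p10={r['p10']:,.0f} "
              f"p50={r['p50']:,.0f} p90={r['p90']:,.0f} (analytic {expected_ale(s):,.0f})")
    print(control_decision(CURRENT, NO_CONTROL, annual_control_cost=120_000))
```

The p10/p50/p90 spread is the point of using ranges: a wide but honest range still tells you whether a control whose annual cost is, say, 120,000 is buying more risk reduction than it costs. Raising only the maximum of the TEF range (FUTURE) moves the mean and the tail without pretending you know the most likely value has changed.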
One more F to remember: the FAIR Community, the thousands of members of the FAIR Institute who are struggling to answer the same questions as you. We are all in this together.
If you’re not already, become a member of the FAIR Institute now.