With the skills and resources of attackers constantly improving, is cyber risk management a hopeless endeavor? As a FAIR consultant working with CISOs and risk management teams, this is a question I get asked from time to time. In short, the answer is no, provided you follow these three best practices:
1. Focus the Scope of Your Risk Scenario
In defining a scenario for a risk analysis, the first step is articulating the asset, the threat, and the effect. When defining these components, you want to focus on what is probable, rather than on every possible (and highly unlikely) scenario.
As you scope out areas of concern with your organization, you should be articulating which threats are most likely to affect the specific asset in the way defined in your scenario scope (i.e. impacting its Confidentiality, Integrity, or Availability). This comes into play in two different ways: the first is in the definition of the threat community, the second is in the definition of the threat vector.
In terms of loss exposure, it does not matter which threat actor uses which vector to impact the asset. For the loss event to affect your organization, only one threat attempt needs to succeed.
Therefore, when modeling your risk scenarios, you don't have to specify a threat actor or vector. For example, if you are unable or unwilling to identify which external malicious threat community is targeting your organization (i.e. hacktivists, cyber criminals, nation states, etc.), you can use a more general community such as "external malicious actors" when defining your risk statement. Similarly, if you are unsure whether the threat is more likely to use a phishing campaign or a vulnerability exploit to target your database, you can elect not to define a vector and run a more general analysis.
Remember, the goal of risk management is to reduce uncertainty so that decisions can be made. Being able to provide some clarity around your organization's concerns is better than none at all.
But how can we complete an analysis that is general enough to be encompassing of areas of uncertainty but specific enough to provide value to the organization?
2. Remember the Basics: Accuracy vs. Precision
After you have determined which threats you are going to focus on, you can account for the uncertainty you still have by using a wider range for the frequency of threat events.
When you are gathering data, you want to focus on accuracy with a useful degree of precision. While it would not be a useful estimate to state that a threat event could happen between zero and infinity times per year, an estimate of between once in five years and once per year still reduces uncertainty.
This is also where you can account for expected change. If you believe the landscape will evolve in the near future and the number of threat attempts targeting this asset will increase, you can reflect this change in the maximum end of your range. When modeling your environment, consider a variety of factors, including the controls you have in place to prevent an attack from occurring and whether those controls are changing in the near future. By doing so, the analysis will cover not only your current loss exposure, but also a reasonable estimate of your future risk.
There is a famous saying, attributed to the statistician George Box: "All models are wrong, but some are useful." When using a model to mirror reality, perfection is impossible. However, if the model reduces the amount of uncertainty and adds understanding of a complex scenario, it has done its job.
3. Leverage Cost-Benefit Analysis
By leveraging the FAIR model and its components, you can inform the decision on where to invest your limited resources. To do so in a way that is useful and reduces uncertainty, you must scope your analysis to the most probable threats to your organization. Using wider ranges and focusing on accuracy over precision will help you anticipate your risk posture.
Determining how much loss exposure you have for a particular scenario, before and after a candidate control, tells you which areas deserve your limited resources and whether the cost of a control is justified by the loss it avoids.
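As an added illustration of points 2 and 3 (this is example code written for this page, not code from the article or from the FAIR Institute), the following Python script runs a small Monte Carlo simulation over ranged inputs. It makes simplifying assumptions that are not part of the article: each range (minimum, most likely, maximum) is treated as a triangular distribution, the frequency range is treated directly as the frequency of successful loss events, the number of events in a year is drawn from a Poisson distribution, and all dollar figures and the hypothetical control are constructed for the example.

```python
import math
import random
import statistics

# Constructed ranges for illustration only (hypothetical, not figures from the article).
# Each range is (minimum, most likely, maximum).
BASELINE_LEF = (0.2, 0.5, 1.0)               # loss events per year: once in five years .. once a year
LOSS_PER_EVENT = (10_000, 40_000, 250_000)   # dollars lost per successful event


def sample_poisson(rng, lam):
    """Draw an event count for one year from Poisson(lam) (Knuth's method; fine for small lam)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < threshold:
            return count
        count += 1


def simulate_annual_losses(lef_range, loss_range, iterations=20_000, seed=7):
    """Monte Carlo over simulated years.

    Each year draws a loss event frequency and per-event loss magnitudes from the
    triangular distributions spanned by the ranges, so a wide range (more
    uncertainty) produces a wide loss distribution instead of a false point estimate.
    """
    rng = random.Random(seed)
    lo_f, mode_f, hi_f = lef_range
    lo_l, mode_l, hi_l = loss_range
    years = []
    for _ in range(iterations):
        lef = rng.triangular(lo_f, hi_f, mode_f)      # random.triangular(low, high, mode)
        events = sample_poisson(rng, lef)
        years.append(sum(rng.triangular(lo_l, hi_l, mode_l) for _ in range(events)))
    return years


def summarize(years):
    """Annualized loss exposure (the mean) plus the tail figures a decision maker asks about."""
    ordered = sorted(years)
    p90 = ordered[int(0.9 * (len(ordered) - 1))]
    return {"ale": statistics.fmean(years), "p90": p90, "max": ordered[-1]}


def net_benefit(baseline_lef, controlled_lef, loss_range, annual_control_cost, **kw):
    """Expected annual loss avoided by a control, minus what the control costs per year.

    A positive value means the control pays for itself on expected loss alone;
    a negative value means the money is better spent elsewhere (or the control
    must be justified by tail risk rather than by the average).
    """
    before = summarize(simulate_annual_losses(baseline_lef, loss_range, **kw))["ale"]
    after = summarize(simulate_annual_losses(controlled_lef, loss_range, **kw))["ale"]
    return before - after - annual_control_cost


if __name__ == "__main__":
    base = summarize(simulate_annual_losses(BASELINE_LEF, LOSS_PER_EVENT))
    print(f"baseline ALE ${base['ale']:,.0f}, 90th-percentile year ${base['p90']:,.0f}, worst year ${base['max']:,.0f}")
    # Hypothetical control that cuts loss event frequency to once in 4..20 years, costing $20k per year.
    controlled_lef = (0.05, 0.1, 0.25)
    for cost in (20_000, 60_000):
        print(f"control at ${cost:,}/year: net benefit ${net_benefit(BASELINE_LEF, controlled_lef, LOSS_PER_EVENT, cost):,.0f}")
```

Because the inputs are ranges rather than single numbers, the output is a distribution: the mean gives the annualized loss exposure, while the 90th percentile and worst simulated year show the tail that a point estimate would hide. Widening a range to cover an expected increase in attacks, as point 2 suggests, shifts that whole distribution rather than a single figure.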
So, bringing it back to the original question: is cyber risk management ultimately hopeless? Let me answer this with another question: is it hopeless to save for retirement when the financial environment can change so quickly, even overnight? Of course not. If you fail to plan for the future, you are planning to fail in the future. Making decisions about uncertain things is a necessity in everyday life. It should be in your cyber risk management program as well.
Become a FAIR Institute member - stay informed on the latest tips and techniques for advanced cyber risk management - attend Institute events – network and discuss with other FAIR fans. About 30% of the Fortune 1000 are represented in FAIR Institute membership. Join us!