Attacks/Breaches

7/11/2018
10:30 AM
Jack Jones
Commentary

What We Talk About When We Talk About Risk

Measuring security risk is not that hard if you get your terms straight and leverage well-established methods and principles from other disciplines.

How enthusiastic would you be to ride on a spacecraft if you knew that the scientists and engineers who designed it and planned the mission couldn't agree on the definition of mass, weight, and velocity?

A quick look at the word "risk" in Wikipedia provides a clue regarding the variety of definitions that exist for a foundational term in our profession. But inconsistent formal definitions are really just the tip of the iceberg. For example, I like to ask audiences, "Which of these are risks?":

  • Vulnerabilities
  • Disgruntled employees
  • Reputation
  • Untested recovery plans
  • Sensitive consumer information
  • Weak passwords
  • Cybercriminals

Almost without exception, the answer I hear is "All of them!" The truth, however, is that none of them are risks. Vulnerabilities are not risks and we need to stop acting like they are. Disgruntled employees and cybercriminals are threat communities; reputation and sensitive consumer information are assets; and weak passwords and an untested recovery plan are (deficient) controls. In other words, although these are all parts of the risk landscape, they are importantly different from one another.

Furthermore, when I asked an audience of seasoned infosec professionals to list the top three risks their organizations faced, the following word cloud resulted:

(Word cloud image. Source: Jack Jones)

I find "unknown" to be particularly ironic.

Why does it matter? Can't we usually glean the meaning of a term through the context in which it's being used? Although that's often true in conversation with colleagues in our profession, clarity is crucial when we're speaking with people outside of our profession — such as executives — and when we're trying to measure something. I'll touch on measurement in a minute. For now, let's focus on communication.

As a profession, we've been saying for a long time that we need to speak the language of business in order to get and maintain the support we need to be effective. That being the case, it's only logical that our use of the word "risk" be driven by how executives think about it.

What senior executives and boards want from us is to help their organizations manage the frequency and magnitude of infosec-related loss events. These loss events are the "risks" we're supposed to manage. This is aligned with the rest of their risk world, and it also enables far more effective measurement and communication. A couple of example infosec risks are:

  • Cybercriminal compromise of consumer personal data
  • Disgruntled employee crashing a system that supports a critical business process

The same executive stakeholders whose eyes glaze over when we talk about vulnerabilities and threat vectors suddenly take interest when the risks we talk about are loss events. These risks also provide the context in which we can measure and express the significance of problems in the risk landscape like changes in threat vectors or the vulnerabilities we're trying to resolve.

Imagine, for example, being able to explain to an executive how a change in threat activity increases the likelihood of the compromise of personally identifiable information by somewhere between 20% and 30%, with a resulting increase in loss exposure of between $500,000 and $1 million. No executive in the world is going to have difficulty wrapping their mind around that.
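The frequency-and-magnitude view of a loss event described above can be made concrete with a small Monte Carlo that reports loss exposure, and the effect of a change in threat activity, as a range rather than a point estimate. This is an added example, not code from the article, the FAIR Institute or RiskLens; the scenario values, the triangular stand-in for calibrated estimates and the 1.25x frequency multiplier are constructed assumptions.

```python
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Range:
    low: float     # calibrated min / most-likely / max estimate
    likely: float
    high: float

    def sample(self, rng):
        # A triangular distribution stands in for a calibrated expert estimate
        return rng.triangular(self.low, self.high, self.likely)

@dataclass(frozen=True)
class LossEvent:
    frequency: Range  # loss events per year
    magnitude: Range  # dollars lost per event

def poisson(rng, rate):
    # Knuth's method; fine for the small yearly rates used here
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        k, p = k + 1, p * rng.random()
        if p <= limit:
            return k - 1

def simulate(event, trials=10000, seed=1):
    # One trial is one year: sample a rate, draw an event count, sum per-event losses
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        count = poisson(rng, event.frequency.sample(rng))
        annual.append(sum(event.magnitude.sample(rng) for _ in range(count)))
    return annual

def summarize(annual):
    s = sorted(annual)
    pct = lambda q: s[int(q * (len(s) - 1))]
    return {"mean": sum(s) / len(s), "p10": pct(0.10), "p90": pct(0.90)}

def compare(event, factor, trials=10000, seed=1):
    # Model a change in threat activity as a proportional change in event frequency
    f = event.frequency
    changed = LossEvent(Range(f.low * factor, f.likely * factor, f.high * factor), event.magnitude)
    b, a = summarize(simulate(event, trials, seed)), summarize(simulate(changed, trials, seed))
    return {"before": b, "after": a, "mean_delta": a["mean"] - b["mean"]}

# Constructed scenario: cybercriminal compromise of consumer personal data
PII_BREACH = LossEvent(Range(0.2, 0.5, 1.0), Range(200_000, 500_000, 2_000_000))
```

Calling `compare(PII_BREACH, 1.25)` yields the before/after 10th and 90th percentiles of annual loss plus the change in expected loss, which is the form an executive can act on.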

Of course, that raises the question, "Can we measure infosec risk?" The short answer, despite what you may have heard or believe, is yes. In fact, we do it all the time.

Measurement is a prerequisite to prioritization, and you and I both know that we prioritize all the time. Unfortunately, given the inconsistency and ambiguity with which we approach infosec risk, we're horrible at it. Here's some bad news: 70% to 90% of the "high risks" I've examined in organizations over the past several years do not, in fact, represent high risk. This means that those organizations have a significant signal-to-noise problem and aren't able to focus on the things that matter most. And if you think about it, the inability to prioritize effectively is a gift to the bad actors (as if they didn't already have enough advantages) and a failure on our part as stewards of the resources we're given.

The good news is that measuring infosec risk is not that hard once you've gotten your terms straight and leverage well-established methods and principles from other risk disciplines. Good sources of information on this include:

  • How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard and Richard Seiersen
  • Measuring and Managing Information Risk: A FAIR Approach by Jack Jones and Jack Freund

Every discipline we think of as mature today — math, medicine, physics, etc. — went through an early phase in which nobody could agree on fundamental terms or principles. In that sense, we're in good company. But given today's imperatives surrounding cyber and technology risk management, we do not have the luxury of decades to get our act together.


Jack Jones is one of the foremost authorities in the field of information risk management. As the Chairman of the FAIR Institute and Executive VP of Research and Development for RiskLens, he continues to lead the way in developing effective and pragmatic ways to manage and ...
Comments
No SOPA, User Rank: Ninja, 7/11/2018 | 11:43:29 AM
Cybersecurity Risk Taxonomy
These are excellent points - in fact, the very list of risks you noted that are typically raised when asked are the ones I tend to see in initial project documents that relate to security.

Cybersecurity Risk Taxonomy (A. M. Rea-Guaman, T. San Feliu, J. A. Calvo-Manzano, I. D. Sanchez-Garcia) is a paper published under the International Conference on Software Process Improvement, 2017. It covers an interesting deep dive into studies published from 1990 to 2017. They found "132 papers and some of them mention some risk taxonomies within the scope of IT (information technologies) cybersecurity, although only five primary elements were selected, identifying the main risk taxonomies."

The perspectives covered include Asset, Attacks, Service, Business and External, with papers covering a wide range of combinations of taxonomy descriptions. Some of the items in the taxonomies include Business objects and dynamics models, Social engineering, Systems and technology failures, Failed internal processes, Resource or target information and Actions of people.

Your example InfoSec risks make sense upon more reading of studies like the one above, which is a great piece indicating this conversation of risk in InfoSec has been going on for some time.
jonesj26, User Rank: Author, 7/11/2018 | 1:44:13 PM
Re: Cybersecurity Risk Taxonomy
Thanks, Christian. You're absolutely right about this problem being discussed for some time now. Unfortunately, I don't believe it's broadly recognized yet as a foundational Achilles' heel for our profession. Hopefully we can elevate it within the minds of our colleagues and accelerate the evolution of our profession.

Cheers

Jack
REISEN1955, User Rank: Ninja, 7/11/2018 | 2:59:02 PM
Re: Cybersecurity Risk Taxonomy
Small Business - general rule is that a small business (I guess 50 emps or less) can live for only 2 weeks following a major crash of systems.  I supported such shops and always had a backup-restore plan in working place and used it on several critical cases inclusive of server drive failure and ransomware attack.   Measure THAT!!!   (Lesson - always ask for a large check for services in such cases).