The debate we face: 'When do you know you've got your cyber security wrong?' is a relatively easy question to answer. 'When do you know you have got your cyber security controls right?' is by far the more difficult one. This post explores a new approach and method for quantifying risk.
Risk management and mitigation is one of the hardest and, at the same time, one of the most expensive ongoing activities an enterprise undertakes as it tries to prevent cyber security risks from being realised.
It becomes further complicated when combined with the development of new digital channel offerings and innovation within your business. Enterprises typically spend vast sums of money to get an understanding of their threat landscape and despite their best efforts are usually behind the 8 ball when it comes to both quantifying and subsequently prioritising risks to be mitigated via control mechanisms.
Maturity-based approaches
Maturity assessment approaches have been the main driving force for managing cyber risk and still appear to be the norm today. Businesses try to achieve a level of maturity by building out defined capabilities to meet framework requirements, such as rolling out multi-factor authentication across the whole organisation to reduce identity theft, or deploying monitoring and control capabilities such as Cloud Access Security Broker (CASB) or Data Loss Prevention (DLP) tools to protect company data from exfiltration.
As businesses grow organically, new technologies are piled on, new solutions are built and the complexity of the environment grows exponentially. This has the unfortunate side effect of putting more strain on the controls and monitoring tools deployed across the organisation, resulting in increased cost and a subsequent drop in effectiveness. The result is a need for more risk spend to add further controls whilst trying to maintain flexibility, to the point of fault. Organisations then start monitoring everything without much thought about which high-risk assets they should be paying more attention to. This leads to perpetual inefficient spending by the Board and most likely increased risk, as security teams are stretched and the end dates of cyber initiatives and transformation projects are missed.
A change in approach could be considered
What if we were to change the strategic approach and focus on reducing enterprise cyber risk by taking a proactive, risk-based approach to identifying those risks that pose the greatest threat to the ongoing health of the business?
By specifically identifying those risks that are classified as high risk, senior management can aggressively target them to obtain the best return on investment and achieve a reduction in risk within the allocated spend from the Board rather than just focusing on meeting a specifically defined framework.
The Riskquant tool
Here's quite an innovative approach to this challenge. I'm going to spend a bit of time exploring the tooling developed by Netflix to see if we can identify and prioritise key risks in a business scenario through it.
Riskquant is Netflix's risk-quantifying toolkit, created in-house and released as open source in March 2020. When Netflix released it I thought it would be worth exploring how it works. This article aims to distil how the tool works and to see whether we can move from a maturity-based approach to one that focuses better on risk, impact and return on investment.
On this occasion Netflix has used FAIR, the Factor Analysis of Information Risk framework, to understand how to quantify risk for their platform.
Using their words, it involves forecasting two quantities:
- Frequency of loss over a year. Many examples can be applied. Here's one potentially lower-risk example: how many times a year do you think an employee from the IT department will become an insider threat and steal, sell or, more likely, lose or accidentally make public the personally identifiable data held within your identity platform or CRM platform?
- And secondly, the magnitude of the loss as a dollar figure, ideally gathered from within the business across multiple executive levels. In the tool this is defined via two variables, the low-loss and high-loss scenarios, each given as a dollar figure. These are tied to a 90% confidence interval, which is essentially saying that we are 90% confident the dollar loss will fall between these two values if the risk is realised. The tool also ensures there is a long tail for high losses, which allows for the ongoing costs of remediating the realised risk beyond the high-loss scenario.
So let's now plug these two items into the tool...
Using Riskquant to quantify risk
Let's consider what this might look like for a commercial business. Here's a fictitious example where a limited budget is allocated by the Board (all figures are arbitrary and for illustration purposes only):
"After a few discussions with the broader cyber team and the Board, I've identified a small list of threats that are possible for this business. The board have agreed to spend $10k for the first half of the year to mitigate as much risk as possible and is expecting a report to quantify the risk reduction return on investment".
1) The user portal is knocked offline due to a denial of service attack from an outside threat actor resulting in no one being able to access their accounts or perform activities relating to it.
- Impact: $5,000 up to $15,000 per denial of service attempt on the portal depending on how long it goes on for
- Likelihood: We anticipate this would likely happen around 0.8 times a year.
2) Internal customer data is leaked due to an internal threat actor or an external attack:
- Impact: Ranging from $10,000 to $50,000 for an internal leak and from $150,000 to $500,000 if the data is exfiltrated by an attacker to the dark web for sale.
- Likelihood: The estimated frequency of an internal leak is 0.6 events per year and of an external leak 0.3 events per year, or roughly once every three and a bit years.
Fantastic. Now that we've defined the two cyber security risks, their associated impacts and the likelihood of them happening, we need to input these into the Riskquant tool to understand which one to spend the $10k on.
This tool takes a leaf from financial modelling, where a log-normal distribution is used to model the potential returns of a stock over time. We're doing essentially the same by modelling the impact value with a log-normal distribution and using the distribution mean as the expected loss for each threat.
An interesting side note: a log-normal distribution would also likely be used to model the rate of spread of the COVID-19 pandemic currently happening, with reference to trying to "flatten the curve", and in aviation to understand the fatigue-stress failure lifetimes of components so they can be replaced before causing any unsafe flight events.
For our example, here's the CSV file I'm going to run through the tool (formatted for readability):
When we run the tool it produces a prioritised .csv file of the risks and their expected annual losses based on its calculation.
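To make the calculation above concrete, here is an added example (my own code, not Riskquant's) that fits a log-normal to each low-loss/high-loss pair as the 5th and 95th percentiles, takes its mean as the expected loss per event, multiplies by the yearly frequency and ranks the three scenarios from the fictitious business; the CSV column names are my own, not the tool's.

```python
"""Added example, not Riskquant's own code: FAIR-style expected annual loss
from a 90% confidence interval on loss magnitude, using the log-normal fit
described in the post. Standard library only."""
import csv
import io
import math

# 95th percentile of the standard normal; the 90% interval spans -Z95..+Z95.
Z95 = 1.6448536269514722


def fit_lognormal(low_loss: float, high_loss: float):
    """Return (mu, sigma) of a log-normal whose 5th/95th percentiles are low/high."""
    if not 0 < low_loss < high_loss:
        raise ValueError("need 0 < low_loss < high_loss")
    mu = (math.log(low_loss) + math.log(high_loss)) / 2
    sigma = (math.log(high_loss) - math.log(low_loss)) / (2 * Z95)
    return mu, sigma


def expected_loss(low_loss: float, high_loss: float) -> float:
    """Mean of the fitted log-normal, exp(mu + sigma^2 / 2). It sits above the
    geometric midpoint of the interval because of the long right tail."""
    mu, sigma = fit_lognormal(low_loss, high_loss)
    return math.exp(mu + sigma ** 2 / 2)


def prioritise(csv_text: str):
    """Parse a CSV of threats and rank them by annualised expected loss, highest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        per_event = expected_loss(float(row["low_loss"]), float(row["high_loss"]))
        freq = float(row["frequency"])
        rows.append({"threat": row["threat"], "frequency": freq,
                     "expected_loss": per_event,
                     "annual_expected_loss": freq * per_event})
    return sorted(rows, key=lambda r: r["annual_expected_loss"], reverse=True)


# Constructed input: the post's three scenarios (column names are my own).
THREATS_CSV = """threat,frequency,low_loss,high_loss
portal_dos,0.8,5000,15000
internal_data_leak,0.6,10000,50000
external_data_exfiltration,0.3,150000,500000
"""

if __name__ == "__main__":
    for r in prioritise(THREATS_CSV):
        print(f"{r['threat']:<28} {r['annual_expected_loss']:>12,.0f}")
```

Running it ranks external exfiltration first (roughly $88k a year), then the internal leak (roughly $15k) and the portal denial of service (roughly $7k), which is why the $10k is best aimed at the exfiltration scenario.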
I'll stop the example here, as there is a multitude of other variables you can plug into the tool to test other theories, and I encourage you to try it. We've already reached a point where our decision-making capability is massively improved. The tool gives us great visibility and a strategic overview of each risk, prioritised by expected annual loss, which means we can start to work out where to distribute our cyber security budget. If we're allocated $10k to spend on uplifting capability to reduce risk, we can look at our spreadsheet and identify ways to reduce the risk of losing customer data to external threat actors through exfiltration.
This tool lets us demonstrate a quick return on our $10k investment, with results that make it likely we can justify further spend in future. The report also gives the Board visibility of the cyber risks associated with their business in a quick, quantifiable and prioritised manner.