Bill Frank

Cyber Risk Quantification Models: FAIR™ vs GRAACE™


INTRODUCTION

This article picks up where I left off in Modeling Cybersecurity. In that article I defined modeling, the reason for building models, the difficulties of using Excel for modeling cybersecurity, why modeling cybersecurity is important, and alternative cybersecurity models.

I then discussed the two high-level types of cybersecurity risk analysis models: qualitative and quantitative. This included a comparison of the risk matrix to the Loss Exceedance Curve, which is especially relevant to publicly traded companies that must adhere to the SEC cybersecurity rule.

In this article I discuss the similarities and differences of two cyber risk quantification models – FAIR® and GRAACE™.

While FAIR is the best-known approach to cyber risk quantification, it has not fulfilled its promise due to the lack of a useful model of cybersecurity reality. 

GRAACE directly addresses this issue using Monaco Risk’s Cyber Defense Graph™ which factors attack surfaces, threats, the path distribution of threats, and controls.

At the same time, GRAACE retains traditional risk management concepts such as (1) risk being a function of probability and impact, (2) decomposition, (3) Monte Carlo simulation to support uncertainty, and (4) Loss Exceedance Curves to show the full range of probable losses resulting from cyber incidents.

Given the recent regulatory changes and aggressive prosecution by the SEC and other Federal agencies, CISOs need a more credible model and a simpler process to defend their decisions and collaborate with business leaders who must treat cyber risk as business risk.

FAIR vs GRAACE

FAIR stands for Factor Analysis of Information Risk. FAIR brought traditional risk concepts and techniques to the cybersecurity domain. These include (a) defining risk as the probability and impact of a loss event, (b) decomposition, (c) applying ranges to capture the uncertainty of estimating risk factors, and (d) using Monte Carlo simulation to calculate outputs.

The figure below shows the first level of the risk ontology shared between FAIR and GRAACE.


First level of risk ontology used by FAIR and GRAACE

GRAACE stands for Graphical Risk Analysis of Aggregate Control Effectiveness. It’s pronounced grace. Here is a description of the key terms:


  • Risk: Risk is a function of the probability (frequency or likelihood) and financial impact (magnitude) of loss events that result from a series of tactics and techniques exploiting vulnerabilities, weaknesses, and/or control deficiencies.

  • Control: We use Control to include any people, process, or technology that is, or could be, deployed to reduce the risk of a loss event. Controls are integral to the GRAACE model. In other words, controls are factors modeled in simulation software. This enables GRAACE to compare alternative control investments (including budget reductions and the impact of exceptions) and other CRQ use cases against the status quo, credibly and in dollars.

  • Graphical: Attack surfaces, threats, and the attack paths the threats take into and through an organization are visually represented using Monaco Risk’s patented Cyber Defense Graph™ software. Rather than consider controls simply as a list of safeguards or requirements, they are mapped to the graph. Each control’s efficacy is analyzed in the context of the strength and volume of threats to reveal Critical Path Weaknesses.

  • Aggregate Control Effectiveness: The Cyber Defense Graph software calculates each control’s contribution to risk reduction and how an organization’s portfolio of controls works together, i.e., the Aggregate Control Effectiveness, to reduce the risk of loss events.

GRAACE addresses FAIR’s major limitation, which is on the Loss Event Frequency (LEF) side. FAIR does NOT analyze control efficacy. In fact, attack surfaces, threats, attack paths, and controls are not actually factors in FAIR. It uses the notions of Threat Capability and Resistance Strength which are not actual measures of any real-world factors. In other words, FAIR provides no defensible way of correlating threats with controls.

On the Loss Magnitude side, GRAACE uses Loss Exceedance Curves to show the full range of probabilistic financial losses of loss event scenarios. But getting there is simpler with GRAACE because it avoids the confusion surrounding FAIR’s Primary Losses and Secondary Risk with a more straightforward set of Financial Loss Components.

FAIR vs. GRAACE Functionality Summary Comparison

Here is a chart summarizing the functional similarities and differences between FAIR and GRAACE:


Functional comparison of FAIR vs GRAACE

CYBER RISK MODELING USE CASES

After showing the functional similarities and differences between FAIR and GRAACE, we can now evaluate the two models for “fitness of purpose.” Here is a list of the problems we look to solve with Cyber Risk Quantification:

Use Case 1: Collaborating with business leaders to justify control investments. This includes justifying increases in budget or limiting decreases in budget during an uncertain economic environment. A credible discussion with business leaders requires modeling the controls for which budget requests are made.  GRAACE – Yes. FAIR – No.

Use Case 2: Fostering cooperation between the cybersecurity team and IT, networking, and software development teams by enabling them to take credit, in dollars, for reducing cyber-related business risk. Since the IT, networking and software development teams are implementing controls or remediating control deficiencies, it would be helpful to model controls to show risk reduction in dollars. GRAACE – Yes. FAIR – No.

Use Case 3: Prioritizing control investments when designing/updating the organization’s defense-in-depth architecture. This is primarily a decision-making process within the security team. Therefore, to be useful, control efficacy should be modeled against the organization’s attack surfaces, threats, and attack paths. GRAACE – Yes. FAIR – No.

Use Case 4: Moving from Compliance-based Risk to Risk-based Compliance. Rather than treating risk analysis as just another compliance requirement, use risk analysis to drive the overall security program including meeting compliance requirements. This requires modeling the complexity of cybersecurity in a meaningful way which requires attack surfaces, threats, and attack paths to be specific factors in the model. GRAACE – Yes. FAIR – No.

Use Case 5: Analyzing exception requests. Business process owners regularly request exceptions to security policies. These include delaying patch implementations, exceptions to firewall rules, and onboarding vendors who do not meet third party vendor policies. While business leaders understand the business values of their requests, they also need to understand the increased risks associated with their exception requests. Since these requests revolve around controls, security teams need a model that includes controls. GRAACE – Yes. FAIR – No.

The table below summarizes the fitness of purpose of GRAACE vs FAIR for the five use cases:


Fitness of purpose comparison of FAIR vs. GRAACE

GRAACE ONTOLOGY EXPLAINED

The figure below shows the GRAACE ontology:


The GRAACE Ontology

Risk: Loss Event Taxonomy

A problem that often arises when performing cybersecurity risk assessments is determining whether you have addressed all of the possible loss event types. For the last four years, Monaco Risk has been maintaining and updating a Loss Event Taxonomy that exhaustively covers all cyber loss event types.

During this period, the number of loss event types has grown from the initial 11 to 16. They are categorized as follows: (1) Exposure of Sensitive Information, (2) Business Disruption, (3) Direct Monetary, Business, or Resource attack, and (4) Non-compliance, audit, or liability.

We’ve made the Loss Event Taxonomy available at no charge under a Creative Commons license. Please contact me and I will send you the document.

Loss Event Frequency: Cyber Defense Graph™

The Cyber Defense Graph™ simulation software is Monaco Risk’s approach to decomposing Loss Event Frequency in a way that is useful to cybersecurity teams and credible to business leaders. It treats attack surfaces, threats, attack paths, threat path distribution, and controls as formal factors in the model.

The figure below is a partial, and highly simplified, example of a Cyber Defense Graph. Each graph models a specific loss event scenario such as business disruption due to ransomware. It visualizes the relationships among the controls, threats, attack paths and the distribution of threats along the attack paths.


Shown here is a partial, simplified example of Monaco Risk’s Cyber Defense Graph™. It’s based on MITRE ATT&CK®. It statistically simulates controls' abilities to detect and block threats entering and following attack paths through the organization. This view of the graph displays the criticality of attack paths by showing the controls in various shades of red. The darker the shade of red, the more critical the path.

The threats enter at the left edge and move along the arrows. Each control along a path, based on its specific capabilities, can block, or at least detect, some percentage of threats that traverse that path. Threats that controls do not block arrive at the far right of the graph and represent successful attacks, i.e., loss events.

Critical path weaknesses are shown by each control’s shade of red. The darker the shade, the weaker the path. This provides the security team with indicators of where improvements could be made.

Sensitivity (Tornado) Chart. In addition to the Critical Path Weakness graph shown above, the Cyber Defense Graph software generates a Sensitivity Chart which shows the relative importance of individual controls. It’s commonly referred to as a tornado chart due to the overall pattern of the bars.


Sensitivity (Tornado) chart shows the relative importance of each control in the Cyber Defense Graph.

Loss Magnitude – Financial Loss Components

Monaco Risk’s Loss Event Taxonomy provides four categories of Financial Loss Components which relate directly to the loss event types: (1) Direct Monetary Loss, (2) Lost Revenue, (3) Increased Costs, and (4) Liability & Regulatory. The full list of ten Financial Loss Components is available with the Loss Event Taxonomy under a Creative Commons license. I am glad to send it upon request.


HOW TO USE GRAACE 

GRAACE is more than a quantitative cybersecurity risk model. It also is a process which consists of three phases: (1) Identify the loss events of concern to business leaders, (2) Baseline current cyber posture using the Cyber Defense Graph, and (3) Run what-if scenarios on control changes to show financial impact in support of the use cases itemized above.

The GRAACE 3-Phase Process Explained

Phase 1: Identify Loss Event Scenarios of concern to business leadership. There are several possible approaches to risk assessments. Some start with Assets, Threats, or Vulnerabilities.

Monaco Risk starts with Risks, i.e., loss events such as the disruption of major revenue-generating business processes due to ransomware or the exfiltration of sensitive data. Monaco Risk has developed a Loss Event Taxonomy to assure that all potential loss event types are reviewed. It’s available to anyone under a Creative Commons license.

We start with risks (loss events) of concern to business leaders for five reasons:

  1. Business leaders concentrate on discovering opportunities for revenue and profit growth, while taking into account the potential risks that could hinder or delay their attainment. Given that cyber risk is inherently tied to business risk, CISOs can establish meaningful collaboration with business executives by framing cyber risks in the context of their organizations' business initiatives.

  2. The business leaders of publicly traded companies are now compelled to discuss cyber risks in 10-K filings due to the SEC security rule (S7-09-22) released in July 2023. Furthermore, the lawsuit filed against SolarWinds and their CISO Tim Brown puts more pressure on CISOs to collaborate with business leaders to think about cybersecurity in terms of risks.

  3. CISOs can enhance their credibility by connecting their security teams' achievements, such as improvements in controls and the remediation of control deficiencies, to reductions in the specific risks of concern to business leaders, expressed in financial terms.

  4. The risks of concern to business leaders provide context to CISOs who must decide how best to allocate their budgets across people, processes, and technologies.

  5. CISOs are more likely to secure budget approvals when they tie their requests to reductions in risk, quantified in dollars, associated with the loss events of concern to business leaders.

Phase 2: Generate Baseline Cyber Posture. As mentioned above, our internally developed and patented Cyber Defense Graph software runs a statistical simulation that captures the complex interaction of (1) attack surfaces, (2) threats of different strengths and capabilities using MITRE ATT&CK® as a guide, (3) overlapping attack paths to assets, (4) the distribution of threats along attack paths, and (5) controls deployed at different levels of efficacy, coverage, and governance.

Issues (weaknesses, vulnerabilities, control deficiencies) are surfaced for remediation prioritization and cost justification in Phase 3.

To simplify and reduce the effort needed to generate the baseline cyber posture, Monaco Risk provides templates and default values for controls, attack paths, threat strength, and threat path distribution.

Phase 3: Run What-If Scenarios to support use cases. The simulation software runs what-if scenarios representing alternative options to support decision-making for the five use cases discussed above. We anticipate clients having additional use cases we have not thought of.

The software generates visualizations that display alternatives compared to the baseline (status quo) in dollars using Loss Exceedance Curves. LEC charts show business leaders the long-tail aspect of cybersecurity loss events.

For more information on Loss Exceedance Curves, please refer to my previous LinkedIn article entitled Cybersecurity Models.
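
The threat flow described for the Cyber Defense Graph (threats spread across attack paths, each control blocking a share of them) and the Phase 3 comparison of a what-if scenario against the baseline can be illustrated with a toy Monte Carlo simulation. This is an added example, not Monaco Risk's software or the author's code; the path names, threat shares, control block rates, threat volume, and lognormal loss parameters are all constructed assumptions.

```python
import random

# Constructed inputs (assumptions, not values from the article or Monaco Risk).
# Each attack path: share of incoming threats and the controls it crosses, in order.
PATHS = {
    "phishing":    (0.6, ["email_filter", "edr", "backup"]),
    "exposed_rdp": (0.3, ["mfa", "edr", "backup"]),
    "supplier":    (0.1, ["edr", "backup"]),
}
# Probability that each control blocks a threat that reaches it.
BASELINE = {"email_filter": 0.90, "mfa": 0.50, "edr": 0.70, "backup": 0.60}
WHAT_IF = dict(BASELINE, mfa=0.90)  # hypothetical control improvement

def analytic_loss_event_rate(controls):
    """Share of threats expected to pass every control on their path."""
    rate = 0.0
    for share, names in PATHS.values():
        passed = 1.0
        for name in names:
            passed *= 1.0 - controls[name]
        rate += share * passed
    return rate

def simulate(controls, threats_per_year=50, years=2000, seed=7):
    """Monte Carlo over years; returns (loss events per year, dollars lost per year)."""
    rng = random.Random(seed)
    names, shares = list(PATHS), [s for s, _ in PATHS.values()]
    events, losses = [], []
    for _ in range(years):
        n = 0
        for _ in range(threats_per_year):
            path = rng.choices(names, weights=shares)[0]
            # A threat becomes a loss event only if no control on its path blocks it.
            if all(rng.random() >= controls[c] for c in PATHS[path][1]):
                n += 1
        events.append(n)
        # Assumed loss magnitude: lognormal, median about $163k per event.
        losses.append(sum(rng.lognormvariate(12.0, 1.0) for _ in range(n)))
    return events, losses

def exceedance_curve(losses, thresholds):
    """Fraction of simulated years whose total loss exceeds each threshold."""
    return [sum(x > t for x in losses) / len(losses) for t in thresholds]

if __name__ == "__main__":
    for label, controls in (("baseline", BASELINE), ("what-if", WHAT_IF)):
        _, losses = simulate(controls)
        curve = exceedance_curve(losses, [0, 250_000, 1_000_000, 5_000_000])
        print(label, round(analytic_loss_event_rate(controls), 4), curve)
```

Plotting each exceedance curve against its thresholds gives the baseline and what-if Loss Exceedance Curves side by side.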

CONCLUSION

GRAACE represents the next generation of cybersecurity risk quantification modeling by addressing the key limitations of FAIR.

GRAACE provides a more realistic model of cybersecurity by factoring attack surfaces, threats, attack paths, the path distribution of threats, and controls, while retaining traditional risk analysis factors including probability, impact, Monte Carlo simulation, and Loss Exceedance Curves.

GRAACE provides an exhaustive list of loss event types and a straightforward set of financial loss components.

GRAACE provides a simplified 3-phase process for conducting quantified cyber risk analysis.

This is the second of two articles covering Cybersecurity Modeling. This article was originally published on LinkedIn.
