... from a compliance requirement to a decision-support process for prioritizing and justifying control investments. Link the technical analysis of control effectiveness to the reduction of business risk in terms of dollars.
Traditional "risk management" exercises have been of limited value to cybersecurity teams who see it mostly as an effort to meet compliance requirements. Compliance does not assure security – and neither compliance frameworks nor maturity models address the difficult control trade-offs that need to be made due to limited budgets and resources.
Simply identifying risks, then prioritizing and choosing among the traditional treatment options – accept, avoid, transfer, or mitigate – does not go far enough. In cyber, unlike other risk domains, critical risks must invariably be mitigated.
I will discuss this in more detail below. I will also discuss the specific difficulties of cyber risk management, the complexities of mitigation, and the need for a formal decision-support process and tools to help optimize cybersecurity budgets in the context of cyber risks.
The difficulties of cyber risk management
The difficulties of cyber risk management fall into two categories:
(1) Understanding (through quantification and visualization):
(a) Potentially thousands of overlapping and interleaved paths into and through your organization available to adversaries.
(b) A control’s contribution to overall cyber posture, which may be very different from the control’s effectiveness when evaluated individually.
(c) Stack ranking currently deployed controls’ contributions to overall cyber posture.
(2) Communicating to leadership (in dollars):
(a) The uncertainty of severe (heavy tail) loss events that may happen in the future.
(b) The likely range of costs, in dollars, of loss events at the organization’s current (baseline) cyber posture. This requires connecting the effectiveness of currently deployed controls to business risk.
(c) Comparison of alternative cyber control additions and/or changes based on business risk reduction in dollars. This also requires connecting the likely technical effectiveness of control changes to risk reduction in dollars.
Identifying cyber risks
Identifying cyber risks is rather straightforward when risk is defined in terms of loss events that either result in lost revenue or added expenses. So a hacked web server, by itself, is not a risk.
There are surely loss events (risks) that can result from a hacked web server. One possible risk is cryptomining, which diverts processing resources to the attacker. Another would be if the attacker is able to pivot from the compromised web server to a critical database server and encrypt files, which prevents your organization from taking orders from customers.
Here are the top risks we most often encounter:
Ransomware is currently almost always top of mind because it results in lost revenue due to key business processes being disrupted. No need to dwell on soft costs here. Hard dollars are lost until the organization recovers.
Theft of intellectual property (by an insider or outsider) may not have the immediate impact of a ransomware attack but can negatively impact revenue and profits in the long term. However, for insider theft, there is legal recourse available when discovered after the fact.
Liability due to privacy data breach. Though no longer the pre-eminent cyber risk because of the ransomware epidemic, disclosure of PII, PHI, or PCI data can still lead to heavy losses from legal settlements and/or regulatory enforcement.
Non-compliance in highly regulated industries can result in the revocation of contracts or services (like processing credit cards), or costly regulatory enforcement actions.
Business email compromise (BEC) is a serious issue as well in the context of the total amount of dollar losses reported per year. But for an individual organization, the risk of BEC pales in comparison to ransomware.
Prioritizing cyber risks
Identifying and prioritizing cyber risks can be a time-consuming process. But there’s an important insight to take into consideration: different loss events have largely overlapping threat sequences. For example, the attacker tactics and techniques that result in ransomware (encrypt files for impact) and sensitive data exfiltration are 95% the same. In fact, both are often done at the same time by the same attacker – double extortion!!
Put another way, whether an attacker’s objective is data encryption, exfiltration, or alteration, the tactics and techniques leading up to that objective are largely interchangeable.
As a result, management and mitigation strategy tends to be common among the principal risk categories, and a precise prioritization or quantitative triage among them is less important.
Treatment options
Let’s turn to treatment options. For cyber risks, the choices narrow.
Avoidance means foregoing a business function – such as building a new application or expanding into a new geography – to avoid its associated risks. Of course, the resulting foregone revenue opportunity cost must be measured against the corresponding mitigation expense, which means that mitigation options must be examined.
Normally, however, avoidance is out of the question unless you disconnect from the Internet. The reality is that organizations are exposing more functionality to the Internet by way of “digital transformation.” In fact, the organization’s attack surface is therefore increasing.
Transference by way of insurance is an important component of risk management. However, cyber insurance companies are now demanding evidence of cyber posture diligence before they are willing to issue policies. Effective risk mitigation is a prerequisite for insurance coverage, not an alternative.
Acceptance is just an aspect of mitigation; they are points on the same spectrum. An organization may be able to accept (i.e., self-insure against) a risk up to a threshold loss amount, but beyond that point mitigation is required. Severe (heavy tail) loss events like ransomware and others mentioned above require a robust, mature cybersecurity program, especially when your organization’s attack surface is increasing due to digital transformation.
Mitigation therefore is the primary component of cyber risk management.
Furthermore, expressing risk in dollars is critical if you need leadership to support decisions about cyber risk mitigation and approve budget increases. Cyber risk is just another heavy-tail risk that leadership manages. More on this toward the end of this article.
Cyber risk mitigation
Mitigation decision-making presents three considerable challenges.
First, there are thousands of attack paths into and through an organization from which adversaries can choose. You need to determine which paths are weak. To get an idea of how we model this, here is a partial example just showing a few Initial Access methods, some of the paths through the organization (left to right), and two loss event types – encrypt for impact and sensitive data exfiltration.
Second, a control’s contribution to overall cyber posture may be much less than its effectiveness when tested individually because a) the control does not see very many threats, since it sits on a path attackers rarely use, and/or b) it resides on an attack path that is already well protected by other controls.
Third, organizations vary widely in strategic goals, culture, and existing investments in cybersecurity. Therefore, rigid checklists and cookie cutter cybersecurity recommendations result in suboptimal risk reduction decisions.
Therefore, tools that can be quickly customized are needed to (a) determine an organization’s critical path weaknesses, (b) stack rank the contributions of their deployed controls to overall cyber posture, and (c) run what-if scenarios to estimate the effectiveness of alternative control changes, subtractions, and/or additions.
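As an added illustration of the path-weakness and stack-ranking ideas above (example code written for this page, not the article's or Monaco Risk Analytics' tooling), the toy model below scores a handful of attack paths and then ranks each deployed control by how much the compromise probability rises if that control alone is removed. All paths, stage names, path weights and control effectiveness values are constructed assumptions; a control that is strong on its own can still rank low because its path is rarely used or already well covered.

```python
# Constructed toy model (hypothetical values, not the article's data): each
# attack path is a sequence of stages from an Initial Access method to the
# loss event, weighted by how often adversaries are assumed to use that entry.
ATTACK_PATHS = [
    (0.6, ["phishing", "endpoint", "lateral"]),  # email -> workstation -> DB
    (0.3, ["vpn", "lateral"]),                   # VPN appliance -> DB
    (0.1, ["rdp", "lateral"]),                   # exposed RDP -> DB (rare)
]

# Deployed controls: name -> (stage protected, probability the control stops
# an attacker at that stage when evaluated on its own). Hypothetical values.
CONTROLS = {
    "email_filter": ("phishing", 0.5),
    "edr":          ("endpoint", 0.6),
    "mfa":          ("vpn", 0.9),
    "vpn_patching": ("vpn", 0.7),
    "segmentation": ("lateral", 0.5),
    "rdp_lockdown": ("rdp", 0.8),
}


def stage_pass_probability(stage, controls):
    """An attacker clears a stage only if every control on it fails."""
    p = 1.0
    for protected_stage, effectiveness in controls.values():
        if protected_stage == stage:
            p *= 1.0 - effectiveness
    return p


def compromise_probability(controls):
    """Frequency-weighted probability that an attack reaches the loss event."""
    total = 0.0
    for weight, stages in ATTACK_PATHS:
        p_path = 1.0
        for stage in stages:
            p_path *= stage_pass_probability(stage, controls)
        total += weight * p_path
    return total


def control_contributions(controls):
    """Stack rank: how much compromise probability rises when each control is
    removed while the others stay deployed."""
    baseline = compromise_probability(controls)
    ranked = [(name, compromise_probability({k: v for k, v in controls.items() if k != name}) - baseline)
              for name in controls]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print(f"baseline compromise probability: {compromise_probability(CONTROLS):.4f}")
    for name, gain in control_contributions(CONTROLS):
        print(f"{name:13s} contribution {gain:.4f}  (stand-alone effectiveness {CONTROLS[name][1]})")
```

With these inputs, `vpn_patching` (0.7 effective alone) ranks last because MFA already covers its path, and `rdp_lockdown` (0.8 effective alone) ranks near the bottom because the RDP path is rarely used.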
Calculating risk in dollars using Loss Exceedance Curves
But this does not go far enough. The risk reduction analysis of alternative control investments must be calculated in dollars in order to communicate with leadership teams.
Leadership teams are not interested in hearing about an increased cadence of patching, or an increased percentage of employees and contractors using multifactor authentication, or the ratio of detected malicious emails to total emails received, unless those efforts can be translated to risk reduction in dollars. More on this in a future article.
Presenting a risk as a single number or a color does not give leadership a true picture of the risk of a loss event like ransomware. “Catastrophic” events are inherently less likely and less frequent than moderate or minor events.
Hence risk must be presented in terms of expected loss (or business impact) at various levels of probability. Reducing a risk to a single number fails to convey the uncertainty, and tends to downplay a serious or even existential risk.
Loss Exceedance Curves (LECs) give leadership teams the opportunity to decide how much cyber risk the organization is willing to accept and to show the impact of alternative control investments on risk reduction. At any point along an LEC, you see the probability (vertical axis) that a loss event will exceed a dollar amount (horizontal axis).
Here is an example comparing Baseline values, i.e., currently deployed controls, to several alternative investments – Segmentation and Authentication for Operational Technology (OT), Authentication for OT alone, and Segmentation alone:
The Loss Exceedance Curve (LEC) bar chart below shows the probability, at different percentages, that the costs of a ransomware attack will exceed specific dollar amounts for the baseline deployed controls, and the risk reduction of deploying either segmentation or deception controls.
We prefer to show the LEC as a bar chart to make the dollar amounts easier to see compared to the traditional LEC line chart. Our bar chart still visually conveys the idea that as the probability goes down, the loss amounts go up.
This bar chart shows various probabilities of losses exceeding dollar amounts comparing Segmentation and Deception controls to the Baseline, in millions of dollars.
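The exceedance probabilities behind such a chart can be produced with a small Monte Carlo simulation. The following is an added example for this page (not the article's or Monaco Risk Analytics' model): attacks arrive as a Poisson process, each turns into a loss event with some probability, event losses are lognormal, and a mitigation is scored on the same simulated years as the baseline so the comparison is fair. All frequencies, success probabilities and dollar figures are constructed assumptions.

```python
import math
import random

# Constructed scenarios (illustrative values, not the article's data): attacks
# arrive at ATTEMPTS_PER_YEAR, each becomes a loss event with p_success, and an
# event's dollar loss is lognormal around median_loss. Segmentation is modelled
# as fewer attacks reaching the crown jewels and a smaller blast radius.
SCENARIOS = {
    "baseline":     {"p_success": 0.15, "median_loss": 4.0e6, "sigma": 1.0},
    "segmentation": {"p_success": 0.08, "median_loss": 2.5e6, "sigma": 1.0},
}
ATTEMPTS_PER_YEAR = 2.0
THRESHOLDS = [1e6, 5e6, 10e6, 25e6]

def poisson(rng, lam):
    """Knuth's method: count uniforms until their product drops below e^-lam."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k

def draw_years(trials, seed=7):
    """Pre-draw the random inputs once so every scenario is scored on the same
    simulated years (common random numbers make the comparison apples-to-apples)."""
    rng = random.Random(seed)
    return [[(rng.random(), rng.gauss(0.0, 1.0))
             for _ in range(poisson(rng, ATTEMPTS_PER_YEAR))] for _ in range(trials)]

def annual_loss(year, scenario):
    """Total loss for one simulated year: sum of the events that succeeded."""
    mu = math.log(scenario["median_loss"])
    return sum(math.exp(mu + scenario["sigma"] * z)
               for u, z in year if u < scenario["p_success"])

def loss_exceedance(years, scenario, thresholds=THRESHOLDS):
    """Probability that a year's total loss exceeds each dollar threshold."""
    losses = [annual_loss(y, scenario) for y in years]
    return {t: sum(loss > t for loss in losses) / len(losses) for t in thresholds}

def expected_annual_loss(years, scenario):
    return sum(annual_loss(y, scenario) for y in years) / len(years)

if __name__ == "__main__":
    years = draw_years(20000)
    for name, scenario in SCENARIOS.items():
        lec = loss_exceedance(years, scenario)
        bars = "  ".join(f">${t / 1e6:.0f}M: {p:5.1%}" for t, p in lec.items())
        print(f"{name:13s} EAL ${expected_annual_loss(years, scenario) / 1e6:.2f}M  {bars}")
```

The difference in expected annual loss between the two rows is the risk reduction in dollars that the article argues leadership needs to see; the per-threshold columns are the bars of the chart.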
To summarize:
For a risk management process to be useful to cybersecurity teams as well as leadership teams, it must be designed specifically for cybersecurity with the following capabilities:
Provides a formal process that analyzes deployed controls’ contributions to overall cyber posture.
Can use as input the results of penetration testing and/or Breach and Attack Simulation tools.
Supports decision-making for choosing among alternative control investments by showing risk reduction in dollars using Loss Exceedance Curves.
How do you use risk management? Does it meet your cybersecurity needs?
This article was written with Jim Lipkis of Monaco Risk Analytics and originally published on LinkedIn on April 26, 2022.