Attacks/Breaches

7/11/2018
10:30 AM
Jack Jones
Jack Jones
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
100%
0%

What We Talk About When We Talk About Risk

Measuring security risk is not that hard if you get your terms straight and leverage well-established methods and principles from other disciplines.

How enthusiastic would you be to ride on a spacecraft if you knew that the scientists and engineers who designed it and planned the mission couldn't agree on the definition of mass, weight, and velocity?

A quick look at the word "risk" in Wikipedia provides a clue regarding the variety of definitions that exist for a foundational term in our profession. But inconsistent formal definitions are really just the tip of the iceberg. For example, I like to ask audiences, "Which of these are risks?":

  • Vulnerabilities
  • Disgruntled employees
  • Reputation
  • Untested recovery plans
  • Sensitive consumer information
  • Weak passwords
  • Cybercriminals

Almost without exception, the answer I hear is "All of them!" The truth, however, is that none of them are risks. Vulnerabilities are not risks and we need to stop acting like they are. Disgruntled employees and cybercriminals are threat communities; reputation and sensitive consumer information are assets; and weak passwords and an untested recovery plan are (deficient) controls. In other words, although these are all parts of the risk landscape, they are importantly different from one another.

Furthermore, when I asked an audience of seasoned infosec professionals to list the top three risks their organizations faced, the following word cloud resulted:

Source: Jack Jones
Source: Jack Jones

I find "unknown" to be particularly ironic.

Why does it matter? Can't we usually glean the meaning of a term through the context in which it's being used? Although that's often true in conversation with colleagues in our profession, clarity is crucial when we're speaking with people outside of our profession — such as executives — and when we're trying to measure something. I'll touch on measurement in a minute. For now, let's focus on communication.

As a profession, we've been saying for a long time that we need to speak the language of business in order to get and maintain the support we need to be effective. That being the case, it's only logical that our use of the word "risk" be driven by how executives think about it.

What senior executives and boards want from us is to help their organizations manage the frequency and magnitude of infosec-related loss events. These loss events are the "risks" we're supposed to manage. This is aligned with the rest of their risk world, and it also enables far more effective measurement and communication. A couple of example infosec risks are:

  • Cybercriminal compromise of consumer personal data
  • Disgruntled employee crashing a system that supports a critical business process

The same executive stakeholders whose eyes glaze over when we talk about vulnerabilities and threat vectors suddenly take interest when the risks we talk about are loss events. These risks also provide the context in which we can measure and express the significance of problems in the risk landscape like changes in threat vectors or the vulnerabilities we're trying to resolve.

Imagine, for example, being able to explain to an executive how a change in threat activity increases the likelihood of the compromise of personally identifiable information by somewhere between 20% and 30%, with a resulting increase in loss exposure of between $500,000 and $1 million. No executive in the world is going to have difficulty wrapping their mind around that.

Of course, that raises the question, "Can we measure infosec risk?" The short answer, despite what you may have heard or believe, is yes. In fact, we do it all the time.

Measurement is a prerequisite to prioritization, and you and I both know that we prioritize all the time. Unfortunately, given the inconsistency and ambiguity with which we approach infosec risk, we're horrible at it. Here's some bad news: 70% to 90% of the "high risks" I've examined in organizations over the past several years do not, in fact, represent high risk. This means that those organizations have a significant signal-to-noise problem and aren't able to focus on the things that matter most. And if you think about it, the inability to prioritize effectively is a gift to the bad actors (as if they didn't already have enough advantages) and a failure on our part as stewards of the resources we're given.

The good news is that measuring infosec risk is not that hard once you've gotten your terms straight and when you leverage well-established methods and principles from other risk disciplines. Good sources of information on this include:

  • How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard and Richard Seiersen
  • Measuring and Managing Information Risk: A FAIR Approach by Jack Jones and Jack Freund

Every discipline we think of as mature today — math, medicine, physics, etc. — all went through an early phase in which nobody could agree on fundamental terms or principles. In that sense, we're in good company. But given today's imperatives surrounding cyber and technology risk management, we do not have the luxury of decades to get our act together.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Jack Jones is one of the foremost authorities in the field of information risk management. As the Chairman of the FAIR Institute and Executive VP of Research and Development for RiskLens, he continues to lead the way in developing effective and pragmatic ways to manage and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
7/11/2018 | 2:59:02 PM
Re: Cybersecurity Risk Taxonomy
Small Business - general rule is that a small business (I guess 50 emps or less) can live for only 2 weeks following a major crash of systems.  I supported such shops and always had a backup-restore plan in working place and used it on several critical cases inclusive of server drive failure and ransomware attack.   Measure THAT!!!   (Lesson - always ask for a large check for services in such cases).
jonesj26
50%
50%
jonesj26,
User Rank: Author
7/11/2018 | 1:44:13 PM
Re: Cybersecurity Risk Taxonomy
Thanks, Christian.  You're absolutely right about this problem being discussed for some time now.  Unfortunately, I don't believe it's broadly recognized yet as a foundational Achilles Heel for our profession.  Hopefully we can elevate it within the minds of our colleagues and accelerate the evolution of our profession.

Cheers

Jack
No SOPA
50%
50%
No SOPA,
User Rank: Ninja
7/11/2018 | 11:43:29 AM
Cybersecurity Risk Taxonomy
These are excellent points - in fact, the very list of risks you noted that are typically raised when asked are the ones I tend to see in initial project documents that relate to security.

Cybersecurity Risk Taxonomy (A. M. Rea-Guaman, T. San Feliu, J. A. Calvo-Manzano, I. D. Sanchez-Garcia) is a paper published under the International Conference on Software Process Improvement, 2017. It covers an interesting deep dive into studies published from 1990 to 2017. They found "132 papers and some of them mention some risk taxonomies within the scope of IT (information technologies) cybersecurity, although only five primary elements were selected, identifying the main risk taxonomies."

The perspectives covered include Asset, Attacks, Service, Business and External, with papers covering a wide range of combinations of taxonomy descriptions. Some of the items in the taxonomies include Business objects and dynamics models, Social engineering, Systems and technology failures, Failed internal processes, Resource or target information and Actions of people.

Your example InfoSec risks make sense upon more reading of studies like the one above, which is a great piece indicating this conversation of risk in InfoSec has been going on for some time.
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-2765
PUBLISHED: 2018-08-20
pyro before 3.15 unsafely handles pid files in temporary directory locations and opening the pid file as root. An attacker can use this flaw to overwrite arbitrary files via symlinks.
CVE-2018-15594
PUBLISHED: 2018-08-20
arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles certain indirect calls, which makes it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests.
CVE-2018-15572
PUBLISHED: 2018-08-20
The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linux kernel before 4.18.1 does not always fill RSB upon a context switch, which makes it easier for attackers to conduct userspace-userspace spectreRSB attacks.
CVE-2018-15573
PUBLISHED: 2018-08-20
** DISPUTED ** An issue was discovered in Reprise License Manager (RLM) through 12.2BL2. Attackers can use the web interface to read and write data to any file on disk (as long as rlm.exe has access to it) via /goform/edit_lf_process with file content in the lfdata parameter and a pathname in the lf...
CVE-2018-15574
PUBLISHED: 2018-08-20
** DISPUTED ** An issue was discovered in the license editor in Reprise License Manager (RLM) through 12.2BL2. It is a cross-site scripting vulnerability in the /goform/edit_lf_get_data lf parameter via GET or POST. NOTE: the vendor has stated "We do not consider this a vulnerability."