12/18/2017 03:36 PM

Businesses Fail in Risk Modeling and Management: Report

Businesses struggle to quantify and manage risk, leading to wasted resources and oversight of major problems.

Poor risk management leads to a slippery slope of weak prioritization, wasted resources, and unaddressed security issues. Most businesses don't know how to quantify and manage risk, and their failures lead to repeating the same security problems and facing new, major ones.

All this comes from the FAIR Institute, a nonprofit focused on advancing risk measurement and management. The institute polled 114 professionals who identify as CISO, cybersecurity specialist, risk officer, risk analyst, and C-level exec. Its goal was to learn about the current state of risk management maturity.

The top four scores came from businesses in the health, finance, consulting, and insurance industries. While the financial services industry scored highest overall, says Jones, even the top 25th percentile of scores were relatively low -- a sign risk management is immature overall.

Most cyber risk management programs are "going through the motions" on risk management, says FAIR Institute chairman Jack Jones, who is also cofounder and executive vice president of R&D at RiskLens. It's common for organizations to make decisions about people, processes, and technology without ensuring these choices are properly informed and executed.

"The industry has historically focused on best practices checklists … rather than effective risk measurement and prioritization," he says. Much of this is due to a weak understanding of risk. Decision making and execution are both low across industries, suggesting both are problematic.

While compliance checklists aren't harmful by nature, people assume compliance achieves risk management objectives, Jones says. Many businesses fail to prioritize issues due to inaccurate terminology, broken mental models, and insufficient skills among those who rate risk.

One major weakness is a "huge reliance" on mental models for rating risk instead of formal analytical models, Jones explains. Forty-three percent of survey respondents claimed their Model Quality was "Weak," as they rely on the intuition of risk practitioners to evaluate risk.

"Mental models are notoriously inconsistent and unreliable in problem spaces as dynamic and complex as cyber, which significantly increases the odds of inaccurate risk information for decision-makers," he continues. "This affects prioritization and solution selection at both tactical and strategic levels."

Organizations also fail to motivate business leaders to take risk management as seriously as revenue goals, deadlines, and budget requirements. "As long as this is the case, non-compliance with internal policies and/or external regulations will continue to be a problem," says Jones.

Citing previous root cause analyses he has performed, Jones explains how more than 75% of non-compliant conditions (bad passwords, missing patches) exist because other enterprise imperatives like deadlines and budgets are prioritized.

"Risk imperatives need to be placed on equal footing with other business objectives," he emphasizes, suggesting that business executives have part of their compensation tied to specific risk management goals each year. Objectives would be agreed on by the execs who will be held accountable, he adds.

Jones advises businesses reset their understanding of risk and normalize their terminologies, mental models, and measurement practices for risk. They should also put more careful thought into who is responsible for rating risk, he adds.

"Just because someone is a great auditor or security engineer doesn't qualify them to understand or measure risk reliably," Jones explains. "Risk measurement is an analytic process that requires specific, and relatively uncommon, capabilities such as critical thinking skills, an understanding of basic probability principles, calibrated estimation skills, and an ability to use formal analytic models."

When businesses can't manage risk, it has a broader effect on the whole organization. Major issues go unaddressed and resources are wasted on smaller problems. Businesses end up treating the same issues over and over again, Jones says.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Comments

DonT183 (User Rank: Apprentice), 1/4/2018 | 4:15:58 PM
A business form for introducing quantitative risk
A risk of 4 on a scale of 5 tells no business person how much budget should be assigned to the project needed to reduce the risk from a 4 to a 3. Below is an introductory form of monetized risk. What does it cost if cash to run the business is diverted to pay for the onset and clean-up over time of a rolling series of failures? Repeating failures occur on average because no process change alters the time based odds of failures. No one actually cares to measure the cost of a failure until it occurs, so the first failure starts immediately.

Terms:

F: Fixed costs at the onset of a failure

V: Variable -- time based costs to clean up the failure

MTTR: Mean Time To Repair the failure (average occurring at the time based peak in probability)

R: Return On Invested Capital per year; this is the gain or interest rate on cash if it were routed into the business instead of paying costs for a failure.

MTBF: Mean Time Between Failures; this is the average time between failures. Note, since these occur in an odds based way, there will be a spread in time. Yet, if the odds of the failure do not change, as the process with that failure rate does not change, a roughly reliable failure period will set in.

NPV: Net Present Value, the amount of cash earning interest that will be able to pay for a time based sequence of costs.

Risk = Money_Lost/time

Functions: Excel spreadsheet functions such as exp() will be used to account for continuously compounding interest, as this matches well with time based odds of repairs and/or failures. Structuring costs this way also adapts well as odds are changed by positive action.

Single Event Loss:

NPV = F + V/R*(1-exp(-R*MTTR))

Rolling series of single event losses -- as the process that created the failure still exists with an unchanged failure rate:

NPV = (Single Event Loss) / (1 - exp(-R*MTBF))

Total Loss from a semi-periodic repeating sequence of failures:

NPV = (F + V/R*(1-exp(-R*MTTR))) / (1 - exp(-R*MTBF))

Annualized losses for this total loss:

Risk = R * NPV = R * (F + V/R*(1-exp(-R*MTTR))) / (1 - exp(-R*MTBF))

But this seems complicated: what if there is no compounding interest, i.e. R tends toward 0%/yr?

Risk = (F + V * MTTR) / MTBF

Impact = F + V * MTTR

Frequency = 1 / MTBF

Risk = Impact * Frequency

Information Security loses nothing but gains respect in the eyes of your business finance team.

Considering the uncertainty in these numbers actually improves the trust earned from your business leads.

Considering the effect of risk root causes that change your Mean Time To Repair, Mean Time Between Failures, fixed losses at the onset of a problem or variable costs to clean up an onset problem helps considerably. These match up with items such as quality of devices, failure rates, ease of repair, operational risk mitigation. Costs start to become traceable in real cash diverted from the business and traceable sources of cash losses.
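The monetized model in the comment above, worked through as an added Python example (not part of DonT183's comment or of the article). The dollar figures, the unit conventions (years, dollars, R as a fraction per year), the R = 0 handling and the `control_savings` comparison of the MTTR and MTBF levers are constructed assumptions for illustration.

```python
import math

# Units assumed throughout (constructed conventions, not stated in the
# comment): money in dollars, time in years, R as a fraction per year.

def single_event_loss(F, V, R, MTTR):
    """NPV of one failure: fixed onset cost F plus clean-up run rate V,
    continuously discounted at R over the repair period MTTR."""
    if R == 0.0:
        return F + V * MTTR  # undiscounted limit of the formula below
    return F + V / R * (1.0 - math.exp(-R * MTTR))

def total_loss_npv(F, V, R, MTTR, MTBF):
    """NPV of an open-ended series of such failures recurring every MTBF
    years: a geometric series with ratio exp(-R*MTBF), first term at t=0."""
    if R <= 0.0:
        raise ValueError("undiscounted infinite series has no finite NPV")
    return single_event_loss(F, V, R, MTTR) / (1.0 - math.exp(-R * MTBF))

def annualized_risk(F, V, R, MTTR, MTBF):
    """Risk as money lost per year. At R == 0 the closed form from the
    comment, Impact * Frequency = (F + V*MTTR) / MTBF, applies directly."""
    if R == 0.0:
        return (F + V * MTTR) / MTBF
    return R * total_loss_npv(F, V, R, MTTR, MTBF)

def control_savings(F, V, R, MTTR, MTBF, controls):
    """Annual risk removed by each candidate control. `controls` maps a
    label to the (MTTR, MTBF) that control is expected to achieve, so
    repair-speed and failure-rate levers compare in the same currency."""
    baseline = annualized_risk(F, V, R, MTTR, MTBF)
    return {name: baseline - annualized_risk(F, V, R, mttr, mtbf)
            for name, (mttr, mtbf) in controls.items()}

# Constructed example figures: $50k onset cost, $200k/yr clean-up run rate,
# 30-day repair, one failure every two years, 8%/yr cost of capital.
EXAMPLE = dict(F=50_000.0, V=200_000.0, R=0.08, MTTR=30 / 365, MTBF=2.0)

if __name__ == "__main__":
    print(f"annualized risk, discounted:   ${annualized_risk(**EXAMPLE):,.0f}")
    print(f"annualized risk, R -> 0 limit: ${annualized_risk(**dict(EXAMPLE, R=0.0)):,.0f}")
    savings = control_savings(**EXAMPLE, controls={
        "halve MTTR (faster repair)":   (EXAMPLE["MTTR"] / 2, EXAMPLE["MTBF"]),
        "double MTBF (fewer failures)": (EXAMPLE["MTTR"], EXAMPLE["MTBF"] * 2),
    })
    for name, saved in savings.items():
        print(f"{name}: saves ${saved:,.0f}/yr")
```

Run with the R = 0 limit first to reproduce the comment's Impact * Frequency form, then with a non-zero R to see how much the discounting terms actually move the annual figure for realistic MTTR and MTBF values.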