
Comments
Businesses Fail in Risk Modeling and Management: Report
DonT183
1/4/2018 | 4:15:58 PM
A business form for introducing quantitative risk

A risk of 4 on a scale of 5 tells no business person how much budget should be assigned to the project needed to reduce the risk from a 4 to a 3. Below is an introductory form of monetized risk. What does it cost if cash to run the business is diverted to pay for the onset and clean-up over time of a rolling series of failures? Repeating failures occur on average because no process change alters the time-based odds of failures. No one actually cares to measure the cost of a failure until it occurs, so the first failure starts immediately.

Terms:

F: Fixed costs at the onset of a failure

V: Variable (time-based) costs to clean up the failure

MTTR: Mean Time To Repair the failure (average occurring at the time-based peak in probability)

R: Return On Invested Capital per year; this is the gain or interest rate on cash if it were routed into the business instead of paying costs for a failure.

MTBF: Mean Time Between Failures; this is the average time between failures. Note, since these occur in an odds-based way, there will be a spread in time. Yet, if the odds of the failure do not change, as the process with that failure rate does not change, a roughly reliable failure period will set in.

NPV: Net Present Value, the amount of cash earning interest that will be able to pay for a time-based sequence of costs.

Risk = Money_Lost/time

Functions: Excel spreadsheet functions such as exp() will be used to account for continuously compounding interest, as this matches well with time-based odds of repairs and/or failures. Structuring costs this way also adapts well as odds are changed by positive action.

Single Event Loss:

NPV = F + V/R*(1-exp(-R*MTTR))

Rolling series of single event losses, as the process that created the failure still exists with an unchanged failure rate:

NPV = (Single Event Loss) / (1 - exp(-R*MTBF))

Total Loss from a semi-periodic repeating sequence of failures:

NPV = (F + V/R*(1-exp(-R*MTTR))) / (1 - exp(-R*MTBF))

Annualized losses for this total loss:

Risk = R * NPV = R * (F + V/R*(1-exp(-R*MTTR))) / (1 - exp(-R*MTBF))

But this seems complicated: what if there is no compounding interest and R tends toward 0%/yr?

Risk = (F + V * MTTR) / MTBF

Impact = F + V * MTTR

Frequency = 1 / MTBF

Risk = Impact * Frequency

Information Security loses nothing but gains respect in the eyes of your business finance team.

Considering the uncertainty in these numbers actually improves the trust earned from your business leads.

Considering the effect of risk root causes that change your Mean Time To Repair, Mean Time Between Failures, fixed losses at the onset of a problem, or variable costs to clean up an onset problem helps considerably. These match up with items such as quality of devices, failure rates, ease of repair, and operational risk mitigation. Costs start to become traceable in real cash diverted from the business and traceable sources of cash losses.
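The formulas in the comment above, worked through in Python as an added example (not the commenter's own spreadsheet). All time quantities are in years and V is a cost per year; the input values (F, V, MTTR, MTBF, R) are constructed, and the last function, which turns a change in MTBF or MTTR into an annual risk reduction, is an extension of the comment's closing point rather than a formula it states.

```python
import math


def single_event_loss(F, V, MTTR, R):
    """NPV of one failure: fixed cost F at onset plus variable cost V per
    year accrued continuously over MTTR, discounted at rate R (per year).
    With R == 0 the discount term reduces to V * MTTR."""
    if R == 0:
        return F + V * MTTR
    return F + V / R * (1 - math.exp(-R * MTTR))


def rolling_loss_npv(F, V, MTTR, MTBF, R):
    """NPV of a repeating sequence of failures every MTBF years, the first
    one starting immediately; a geometric series in exp(-R*MTBF).
    Undefined at R == 0, where the series no longer converges."""
    if R <= 0:
        raise ValueError("R must be positive; use simple_risk for the R -> 0 limit")
    return single_event_loss(F, V, MTTR, R) / (1 - math.exp(-R * MTBF))


def annualized_risk(F, V, MTTR, MTBF, R):
    """Risk = R * NPV: money lost per year, with compounding."""
    return R * rolling_loss_npv(F, V, MTTR, MTBF, R)


def simple_risk(F, V, MTTR, MTBF):
    """The R -> 0 limit: Risk = Impact * Frequency."""
    impact = F + V * MTTR
    frequency = 1 / MTBF
    return impact * frequency


def annual_risk_reduction(before, after, R=0.0):
    """Annual cash freed by a mitigation (assumed extension of the comment):
    `before` and `after` are (F, V, MTTR, MTBF) tuples, e.g. a fix that
    doubles MTBF. The result bounds what is worth spending per year on it."""
    if R == 0:
        return simple_risk(*before) - simple_risk(*after)
    return annualized_risk(*before, R) - annualized_risk(*after, R)


if __name__ == "__main__":
    # Constructed inputs: $50k onset, $100k/yr clean-up, 0.1 yr MTTR, 2 yr MTBF, R = 10%/yr
    base = (50_000, 100_000, 0.1, 2.0)
    print("annualized risk (R=10%):", round(annualized_risk(*base, 0.1), 2))
    print("simple risk (R->0):     ", simple_risk(*base))
    print("value of doubling MTBF: ", annual_risk_reduction(base, (50_000, 100_000, 0.1, 4.0)))
```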
