Comments
Businesses Fail in Risk Modeling and Management: Report
DonT183,
User Rank: Black Belt
1/4/2018 | 4:15:58 PM
A business form for introducing quantitative risk
A risk of 4 on a scale of 5 tells no business person how much budget should be assigned to the project needed to reduce the risk from a 4 to a 3. Below is an introductory form of monetized risk. What does it cost if cash to run the business is diverted to pay for the onset and the clean-up over time of a rolling series of failures? Repeating failures occur on average because no process change alters the time-based odds of failure. No one actually cares to measure the cost of a failure until it occurs, so the first failure starts immediately.

Terms:

F: Fixed costs at the onset of a failure

V: Variable (time-based) costs to clean up the failure

MTTR: Mean Time To Repair the failure (average occurring at the time-based peak in probability)

R: Return On Invested Capital per year; this is the gain or interest rate on cash if it were routed into the business instead of paying the costs of a failure.

MTBF: Mean Time Between Failures; this is the average time between failures. Note, since these occur in an odds-based way, there will be a spread in time. Yet, if the odds of the failure do not change because the process with that failure rate does not change, a roughly reliable failure period will set in.

NPV: Net Present Value, the amount of cash earning interest that will be able to pay for a time-based sequence of costs.

Risk = Money_Lost/time

Functions: Excel spreadsheet functions such as exp() will be used to account for continuously compounding interest, as this matches well with time-based odds of repairs and/or failures. Structuring costs this way also adapts well as odds are changed by positive action.

Single Event Loss:

NPV = F + V/R*(1-exp(-R*MTTR))

Rolling series of single event losses, as the process that created the failure still exists with an unchanged failure rate:

NPV = (Single Event Loss) / (1 - exp(-R*MTBF))

Total Loss from a semi-periodic repeating sequence of failures:

NPV = (F + V/R*(1-exp(-R*MTTR))) / (1 - exp(-R*MTBF))

Annualized losses for this total loss:

Risk = R * NPV = R * (F + V/R*(1-exp(-R*MTTR))) / (1 - exp(-R*MTBF))

But this seems complicated. What if there is no compounding interest, i.e. R tends toward 0%/yr?

Risk = (F + V * MTTR) / MTBF

Impact = F + V * MTTR

Frequency = 1 / MTBF

Risk = Impact * Frequency

Information Security loses nothing but gains respect in the eyes of your business finance team.

Considering the uncertainty in these numbers actually improves the trust earned from your business leads.

Considering the effect of risk root causes that change your Mean Time To Repair, Mean Time Between Failures, fixed losses at the onset of a problem, or variable costs to clean up an onset problem helps considerably. These match up with items such as quality of devices, failure rates, ease of repair, and operational risk mitigation. Costs start to become traceable in real cash diverted from the business and to traceable sources of cash losses.

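The derivation in the comment above, carried through in Python as an added example. This is not the commenter's spreadsheet and is not part of the original page; it keeps the comment's symbols (F, V, R, MTTR, MTBF) and its formulas for the single-event NPV, the rolling-series NPV and the annualized risk, and checks numerically that the discounted form collapses to Impact * Frequency as R goes to 0. The sample figures are constructed for illustration. The function max_budget_for_change goes one step beyond the comment: it uses the same NPV difference to answer the opening question of how much a process change that improves MTTR or MTBF is worth in cash today.

```python
"""Monetized risk: NPV of a recurring failure under continuous discounting."""
import math

# Constructed sample figures (assumptions, not taken from the comment).
# Costs in USD, time in years.
F = 50_000.0        # fixed cost at the onset of one failure
V = 200_000.0       # variable clean-up cost per year while a failure is being repaired
R = 0.08            # return on invested capital, 8 %/yr, continuously compounded
MTTR = 14 / 365     # mean time to repair: two weeks
MTBF = 2.0          # mean time between failures: one failure every two years


def single_event_npv(F, V, R, MTTR):
    """Present value of one failure: F up front plus V per year, discounted at
    rate R and integrated over the repair window [0, MTTR].
    expm1 keeps 1 - exp(-x) accurate when R*MTTR is very small."""
    if R == 0:
        return F + V * MTTR
    return F + V / R * (-math.expm1(-R * MTTR))


def rolling_npv(F, V, R, MTTR, MTBF):
    """Present value of an endless series of such failures, one every MTBF
    years, with an unchanged failure rate: a geometric series with ratio
    exp(-R*MTBF), summed to 1 / (1 - exp(-R*MTBF))."""
    if R <= 0:
        raise ValueError("rolling NPV is unbounded when R == 0; use annualized_risk")
    return single_event_npv(F, V, R, MTTR) / (-math.expm1(-R * MTBF))


def annualized_risk(F, V, R, MTTR, MTBF):
    """Annualized loss R * NPV. At R == 0 return the limit (F + V*MTTR) / MTBF."""
    if R == 0:
        return (F + V * MTTR) / MTBF
    return R * rolling_npv(F, V, R, MTTR, MTBF)


def simple_risk(F, V, MTTR, MTBF):
    """The no-interest form from the comment: Risk = Impact * Frequency."""
    impact = F + V * MTTR
    frequency = 1.0 / MTBF
    return impact * frequency


def max_budget_for_change(F, V, R, MTTR, MTBF, new_MTTR=None, new_MTBF=None):
    """Cash the business could spend today on a process change that moves
    MTTR and/or MTBF to the new values and still break even: the drop in the
    rolling NPV. Negative if the change makes the loss stream worse."""
    before = rolling_npv(F, V, R, MTTR, MTBF)
    after = rolling_npv(F, V, R,
                        MTTR if new_MTTR is None else new_MTTR,
                        MTBF if new_MTBF is None else new_MTBF)
    return before - after


if __name__ == "__main__":
    print(f"single event NPV       : {single_event_npv(F, V, R, MTTR):12,.0f}")
    print(f"rolling series NPV     : {rolling_npv(F, V, R, MTTR, MTBF):12,.0f}")
    print(f"annualized risk (R>0)  : {annualized_risk(F, V, R, MTTR, MTBF):12,.0f} /yr")
    print(f"Impact * Frequency     : {simple_risk(F, V, MTTR, MTBF):12,.0f} /yr")
    print(f"budget to double MTBF  : "
          f"{max_budget_for_change(F, V, R, MTTR, MTBF, new_MTBF=2 * MTBF):12,.0f}")
```

With the sample figures the discounted annualized risk comes out a few percent above Impact * Frequency, because R / (1 - exp(-R*MTBF)) is always at least 1 / MTBF; the two agree once R is small. The budget figure is the number to put in front of finance: a control that halves the failure rate is worth up to that much in cash today, and a control that lengthens repairs shows up as a negative value.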
