Comments
Businesses Fail in Risk Modeling and Management: Report
DonT183,
User Rank: Black Belt
1/4/2018 | 4:15:58 PM
A business form for introducing quantitative risk
A risk of 4 on a scale of 5 tells no business person how much budget should be assigned to the project needed to reduce the risk from a 4 to a 3.  Below is an introductory form of monetized risk.  What does it cost if cash to run the business is diverted to pay for the onset and clean-up over time of a rolling series of failures?  Repeating failures occur on average because no process change alters the time-based odds of failures.  No one actually cares to measure the cost of a failure until it occurs, so the first failure starts immediately.

Terms:

F: Fixed costs at the onset of a failure

V: Variable -- time based costs to clean up the failure

MTTR: Mean Time To Repair the failure (Average occurring at time-based peak in probability.)

R: Return On Invested Capital per year; this is the gain or interest rate on cash if it were routed into the business instead of paying costs for a failure.

MTBF: Mean Time Between Failures; this is the average time between failures.  Note, since these occur in an odds-based way, there will be a spread in time.  Yet, if the odds of the failure do not change, as the process with that failure rate does not change, a roughly reliable failure period will set in.

NPV: Net Present Value, the amount of cash earning interest that will be able to pay for a time based sequence of costs.

Risk = Money_Lost/time

Functions: Excel spreadsheet functions such as exp() will be used to account for continuously compounding interest, as this matches well with time-based odds of repairs and/or failures.  Structuring costs this way also adapts well as odds are changed by positive action.

Single Event Loss:

NPV = F + V/R*(1-exp(-R*MTTR))

Rolling series of single event losses -- as the process that created the failure still exists with an unchanged failure rate.

NPV = (Single Event Loss) / (1 - exp(-R*MTBF)) 

Total Loss from a semi-periodic repeating sequence of failures:

NPV = (F + V/R*(1-exp(-R*MTTR))) / (1 - exp(-R*MTBF)) 

Annualized losses for this total loss:

Risk = R * NPV = R * (F + V/R*(1-exp(-R*MTTR))) / (1 - exp(-R*MTBF)) 

But this seems complicated: what if there is no compounding interest and R tends toward 0%/yr?

Risk = (F + V * MTTR) / MTBF  

Impact = F + V * MTTR

Frequency = 1 / MTBF

Risk = Impact * Frequency

Information Security loses nothing but gains respect in the eyes of your business finance team.

Considering the uncertainty in these numbers actually improves the trust earned from your business leads.

Considering the effect of risk root causes that change your Mean Time To Repair, Mean Time Between Failures, fixed losses at the onset of a problem, or variable costs to clean up an onset problem helps considerably.   These match up with items such as quality of devices, failure rates, ease of repair, and operational risk mitigation.   Costs start to become traceable in real cash diverted from the business and traceable sources of cash losses.
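As an added illustration (not part of the comment above), the four formulas worked through in Python, including a check that the compounded Risk = R * NPV form collapses to Impact * Frequency as R -> 0, and the budget question the comment opens with answered as the NPV of losses avoided. The sample figures and the budget_ceiling helper are constructed for this example, and 1 - exp(-x) is computed with expm1 so the small-R limit stays numerically accurate:

```python
import math

def one_minus_exp_neg(x):
    """1 - exp(-x) via expm1, so very small rates (R -> 0) stay accurate."""
    return -math.expm1(-x)

def single_event_loss(F, V, R, MTTR):
    """NPV of one failure: fixed onset cost F plus clean-up cost rate V
    paid over MTTR, discounted at continuously compounded rate R.
    Units: F money, V money/year, R per year, MTTR years."""
    if R == 0:
        return F + V * MTTR  # undiscounted: V simply accrues over MTTR
    return F + V / R * one_minus_exp_neg(R * MTTR)

def total_loss_npv(F, V, R, MTTR, MTBF):
    """NPV of the rolling series: first failure now, the next after MTBF,
    and so on, a geometric series with ratio exp(-R*MTBF)."""
    if R <= 0:
        raise ValueError("series does not converge at R <= 0; use annualized_risk")
    return single_event_loss(F, V, R, MTTR) / one_minus_exp_neg(R * MTBF)

def simple_risk(F, V, MTTR, MTBF):
    """Limit R -> 0: Impact = F + V*MTTR, Frequency = 1/MTBF, Risk = product."""
    impact = F + V * MTTR
    frequency = 1.0 / MTBF
    return impact * frequency

def annualized_risk(F, V, R, MTTR, MTBF):
    """Risk = R * NPV, money lost per year; at R == 0 it is Impact * Frequency."""
    if R == 0:
        return simple_risk(F, V, MTTR, MTBF)
    return R * total_loss_npv(F, V, R, MTTR, MTBF)

def budget_ceiling(before, after, R):
    """NPV of losses avoided by a change: the most it is worth spending today.
    'before' and 'after' are dicts of F, V, MTTR, MTBF (constructed helper)."""
    return total_loss_npv(R=R, **before) - total_loss_npv(R=R, **after)

# Constructed sample: $50k onset cost, $10k/year clean-up effort, 30-day MTTR,
# a failure every 2 years, 10%/yr return on capital.
BEFORE = dict(F=50_000.0, V=10_000.0, MTTR=30 / 365, MTBF=2.0)
AFTER = dict(BEFORE, MTTR=7 / 365, MTBF=4.0)  # faster repair, half the failures

if __name__ == "__main__":
    print(f"annualized risk at R=10%: {annualized_risk(R=0.10, **BEFORE):,.0f}/yr")
    print(f"Impact * Frequency limit: {simple_risk(**BEFORE):,.0f}/yr")
    print(f"budget ceiling for the fix: {budget_ceiling(BEFORE, AFTER, 0.10):,.0f}")
```

Because the first failure is assumed to start immediately (undiscounted), the compounded annualized figure comes out somewhat above the plain Impact * Frequency value at any R above zero.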