Risk

12/18/2017
03:36 PM
Businesses Fail in Risk Modeling and Management: Report

Businesses struggle to quantify and manage risk, leading to wasted resources and oversight of major problems.

Poor risk management leads to a slippery slope of weak prioritization, wasted resources, and unaddressed security issues. Most businesses don't know how to quantify and manage risk, and their failures lead to repeating the same security problems and facing new, major ones.

All this comes from the FAIR Institute, a nonprofit focused on advancing risk measurement and management. The institute polled 114 professionals who identify as CISO, cybersecurity specialist, risk officer, risk analyst, and C-level exec. Its goal was to learn about the current state of risk management maturity.

Most cyber risk management programs are "going through the motions," says FAIR Institute chairman Jack Jones, who is also cofounder and executive vice president of R&D at RiskLens. It's common for organizations to make decisions about people, processes, and technology without ensuring these choices are properly informed and executed.

The top four scores came from businesses in the health, finance, consulting, and insurance industries. While the financial services industry scored highest overall, says Jones, even the top 25th percentile of scores was relatively low, a sign that risk management is immature overall.

"The industry has historically focused on best practices checklists … rather than effective risk measurement and prioritization," he says. Much of this is due to a weak understanding of risk. Decision making and execution are both low across industries, suggesting both are problematic.

While compliance checklists aren't harmful by nature, people assume compliance achieves risk management objectives, Jones says. Many businesses fail to prioritize issues due to inaccurate terminology, broken mental models, and insufficient skills among those who rate risk.

One major weakness is a "huge reliance" on mental models for rating risk instead of formal analytical models, Jones explains. Forty-three percent of survey respondents claimed their Model Quality was "Weak," as they rely on the intuition of risk practitioners to evaluate risk.

"Mental models are notoriously inconsistent and unreliable in problem spaces as dynamic and complex as cyber, which significantly increases the odds of inaccurate risk information for decision-makers," he continues. "This affects prioritization and solution selection at both tactical and strategic levels."

Organizations also fail to motivate business leaders to take risk management as seriously as revenue goals, deadlines, and budget requirements. "As long as this is the case, non-compliance with internal policies and/or external regulations will continue to be a problem," says Jones.

Citing previous root cause analyses he has performed, Jones explains how more than 75% of non-compliant conditions (bad passwords, missing patches) exist because other enterprise imperatives like deadlines and budgets are prioritized.

"Risk imperatives need to be placed on equal footing with other business objectives," he emphasizes, suggesting that business executives have part of their compensation tied to specific risk management goals each year. Objectives would be agreed on by the execs who will be held accountable, he adds.

Jones advises businesses to reset their understanding of risk and normalize their terminologies, mental models, and measurement practices for risk. They should also put more careful thought into who is responsible for rating risk, he adds.

"Just because someone is a great auditor or security engineer doesn't qualify them to understand or measure risk reliably," Jones explains. "Risk measurement is an analytic process that requires specific, and relatively uncommon, capabilities such as critical thinking skills, an understanding of basic probability principles, calibrated estimation skills, and an ability to use formal analytic models."

When businesses can't manage risk, it has a broader effect on the whole organization. Major issues go unaddressed and resources are wasted on smaller problems. Businesses end up treating the same issues over and over again, Jones says.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments

DonT183, 1/4/2018 | 4:15:58 PM
A business form for introducing quantitative risk

A risk of 4 on a scale of 5 tells no business person how much budget should be assigned to the project needed to reduce the risk from a 4 to a 3. Below is an introductory form of monetized risk. What does it cost if cash to run the business is diverted to pay for the onset and clean-up over time of a rolling series of failures? Repeating failures occur on average because no process change alters the time-based odds of failures. No one actually cares to measure the cost of a failure until it occurs, so the first failure starts immediately.

Terms:

F: Fixed costs at the onset of a failure

V: Variable -- time-based costs to clean up the failure

MTTR: Mean Time To Repair the failure (average occurring at the time-based peak in probability)

R: Return On Invested Capital per year; this is the gain or interest rate on cash if it were routed into the business instead of paying costs for a failure.

MTBF: Mean Time Between Failure; this is the average time between failures. Note, since these occur in an odds-based way, there will be a spread in time. Yet, if the odds of the failure do not change, as the process with that failure rate does not change, a roughly reliable failure period will set in.

NPV: Net Present Value, the amount of cash earning interest that will be able to pay for a time-based sequence of costs.

Risk = Money_Lost/time

Functions: Excel spreadsheet functions such as exp() will be used to account for continuously compounding interest, as this matches well with time-based odds of repairs and/or failures. Structuring costs this way also adapts well as odds are changed by positive action.

Single Event Loss:

NPV = F + V/R*(1-exp(-R*MTTR))

Rolling series of single event losses -- as the process that created the failure still exists with an unchanged failure rate:

NPV = (Single Event Loss) / (1 - exp(-R*MTBF))

Total Loss from a semi-periodic repeating sequence of failures:

NPV = (F + V/R*(1-exp(-R*MTTR))) / (1 - exp(-R*MTBF))

Annualized losses for this total loss:

Risk = R * NPV = R * (F + V/R*(1-exp(-R*MTTR))) / (1 - exp(-R*MTBF))

But this seems complicated: what if there is no compounding interest and R tends toward 0%/yr?

Risk = (F + V * MTTR) / MTBF

Impact = F + V * MTTR

Frequency = 1 / MTBF

Risk = Impact * Frequency

Information Security loses nothing but gains respect in the eyes of your business finance team.

Considering the uncertainty in these numbers actually improves the trust earned from your business leads.

Considering the effect of risk root causes that change your Mean Time To Repair, Mean Time Between Failures, fixed losses at the onset of a problem, or variable costs to clean up an onset problem helps considerably. These match up with items such as quality of devices, failure rates, ease of repair, and operational risk mitigation. Costs start to become traceable in real cash diverted from the business and traceable sources of cash losses.
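The commenter's formulas worked through in Python, as an added example that is not part of the comment or the article. The cost figures (F, V, R, MTTR, MTBF) are constructed, time is measured in years, and the closed-form rolling NPV is checked against an event-by-event sum and against the zero-interest Impact * Frequency limit.

```python
import math

# Time unit is years throughout; V is a cost *rate* (currency per year).
# Constructed illustrative figures, not data from the report or the comment.
F, V, R, MTTR, MTBF = 50_000.0, 200_000.0, 0.08, 0.25, 2.0

def single_event_loss(F, V, R, MTTR):
    """NPV of one failure: onset cost F plus clean-up rate V paid over MTTR
    years, continuously discounted at R. expm1 keeps 1-exp(-x) exact for small x."""
    if R == 0.0:
        return F + V * MTTR
    return F + V / R * (-math.expm1(-R * MTTR))

def rolling_loss_npv(F, V, R, MTTR, MTBF):
    """NPV of failures recurring every MTBF years forever (the first one now):
    the geometric series of discounted single-event losses."""
    if R <= 0.0:
        raise ValueError("a perpetual series has no finite NPV at R = 0; use annualized_risk")
    return single_event_loss(F, V, R, MTTR) / (-math.expm1(-R * MTBF))

def rolling_loss_truncated(F, V, R, MTTR, MTBF, n_events):
    """The same series summed event by event; used to check the closed form."""
    loss = single_event_loss(F, V, R, MTTR)
    return sum(loss * math.exp(-R * n * MTBF) for n in range(n_events))

def annualized_risk(F, V, R, MTTR, MTBF):
    """Money lost per year: the perpetuity rate R times the rolling NPV.
    As R -> 0 this collapses to Impact * Frequency."""
    if R == 0.0:
        return (F + V * MTTR) / MTBF
    return R * rolling_loss_npv(F, V, R, MTTR, MTBF)

def impact_times_frequency(F, V, MTTR, MTBF):
    """The zero-interest form: Impact = F + V*MTTR, Frequency = 1/MTBF."""
    return (F + V * MTTR) / MTBF

if __name__ == "__main__":
    print(f"single event NPV  : {single_event_loss(F, V, R, MTTR):,.0f}")
    print(f"rolling NPV       : {rolling_loss_npv(F, V, R, MTTR, MTBF):,.0f}")
    print(f"annualized risk   : {annualized_risk(F, V, R, MTTR, MTBF):,.0f} /yr")
    print(f"impact*frequency  : {impact_times_frequency(F, V, MTTR, MTBF):,.0f} /yr")
    # A process change that halves MTTR (faster clean-up) shows up as cash saved per year.
    saved = annualized_risk(F, V, R, MTTR, MTBF) - annualized_risk(F, V, R, MTTR / 2, MTBF)
    print(f"halving MTTR saves: {saved:,.0f} /yr")
```

With a positive R the annualized figure comes out slightly above the simple Impact * Frequency value, because the model charges the first failure immediately rather than spreading it over the MTBF.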
