Risk is one of those concepts that are tough to nail down. Everyone thinks they know what it is, but it really means different things to different people. Sometimes risk is bad, sometimes risk is good; but one thing everyone agrees on is that risk comes in two basic flavors: rewarded and unrewarded.
Rewarded risk is also known as “opportunity.” This type of risk is proactive or offensive and can provide benefits that outweigh the potential cost. Investing in the stock market is a form of rewarded risk.
Unrewarded risk is reactive or defensive and usually brings negative consequences. Whether information security professionals know it or not, unrewarded risk is what they are talking about when they address the risk posed by cybersecurity threats. This article will focus on unrewarded risk as it applies to IT security.
Common methods for modeling cyber risk
Calculating unrewarded risk to protect network assets is a challenge. The most commonly used risk algorithm is:
Risk = Likelihood x Impact
But this equation (also factored as Risk = Threat x Vulnerability x Impact) often produces meaningless values and will not increase organizational understanding of risk exposure. That is because it includes several types of mistakes found in many risk algorithms. The three most crucial mistakes are 1) using the wrong types variables; 2) an incorrect risk calculation; and 3) the actual score itself. Consider the issues with each of these mistakes:
1. Types of variables
The three most common mistakes with variables are they are either too focused on vulnerabilities, too subjective, or do not have business context. Risk is much more than vulnerabilities, but most common risk algorithms use vulnerabilities as a key component. We need to be much more holistic about which variables derive risk. Also, variables must be objective or measured. Humans have wide ranging opinions. If we leave it up to them, we will get wide fluctuations in our calculations due to this subjectivity. And finally, most risk algorithms lack business context. If I have a high risk on a non-critical system, do I really care? Business context is critical for prioritizing risk.
2. Risk calculation
The three most common mistakes with risk calculations are they are too simple, too complex, or not appraised frequently enough. The first two are fairly self-explanatory, but here are a few examples. A simple averaging equation will dilute risk to the point of making everything look good, even though underneath there may be some really bad things. On the other hand, complex calculations can be confusing and thus lack confidence in their results. Frequency is probably one of the most costly mistakes. Threats are constantly evolving, so quarterly or annual calculations are worthless. Risk must be calculated and assessed much more often to be effective.
3. Actual score
The two most common mistakes with the actual risk score are that the score is either not normalized or unbounded. By not normalizing your scores, there is no way to prioritize risk. In general, I believe all inputs and outputs should be normalized on the same scales to improve accuracy of the results. Unbounded scores are even worse. What’s the difference between a risk score of 32,135 and 65,295? Are they both critical or not? Without a scale for comparison, these arbitrary risk scores mean nothing.
Another common method for assessing risk is the Factor Analysis of Information Risk (FAIR). FAIR is not a simple calculation or formula; it is a set of factors that must be considered and weighed in any risk assessment. Although many factors are addressed in FAIR, I believe that it, too, is still too subjective and complex for most businesses. You need to understand the factors that contribute to cyber risk in your own enterprise.
Towards a better risk assessment
So how do you formulate a robust risk analysis? A good cybersecurity risk assessment must include three core components: data, assets and business.
Data is the foundation of cybersecurity risk. Risk is not just about threats and vulnerabilities, but it’s also about misconfigurations, events, and other data elements that can be automated and collected from various sources. Data results in a more real-time calculation as variables change in the environment.
Data is also associated with assets which are not just IT assets. For example: servers, databases, applications, users, physical locations and media are all business assets.
A business consists of entities such as departments, business units, organizations, and foreign offices that interact with each other and the assets to perform their functions.
The interrelationship of these three components is critical to understanding risk across the business. Risk is so much more than just counting vulnerabilities. And risk is not just a universal formula that you can apply to any situation. It is all about gathering the right data across all your assets and applying the right calculation to produce real-time, objective and normalized results to prioritize risk.
Each organization is different, so security pros need to decide what works best for their systems. Risk is not a one size fits all, but there are a few recommended practices that can help ensure you stay on the right track.
First, understand your data, assets and business. What data is available for your calculation? Do you know all your assets and their interrelationships? Do you know which assets the business is using and the criticality of the business?
Second, formulate your equation. What variables are available? What method works for you?
Third, start measuring risk. How often do you measure? Is it automated? Do you implement a system?