:''You can't effectively and consistently manage what you can't measure, and you can't measure what you haven't defined.''

Measuring IT risk (or cyber risk) can occur at many levels. At a business level, the risks are managed categorically. Front-line IT departments and NOCs tend to measure more discrete, individual risks. Managing the nexus between them is a key role for modern CISOs.

When measuring risk of any kind, selecting the correct equation for a given threat, asset, and available data is an important step. Doing so is a subject unto itself, but there are common components of risk equations that are helpful to understand.

There are four fundamental forces involved in risk management, which also apply to cybersecurity. They are assets, impact, threats, and likelihood. You have internal knowledge of and a fair amount of control over assets, which are tangible and intangible things that have value. You also have some control over impact, which refers to loss of, or damage to, an asset. However, threats, which represent adversaries and their methods of attack, are external to your control. Likelihood is the wild card in the bunch. Likelihoods determine if and when a threat will materialize, succeed, and do damage. While never fully under your control, likelihoods can be shaped and influenced to manage the risk.

Mathematically, the forces can be represented in a formula such as:

:<math>\text{Risk} = p(\text{Asset}, \text{Threat}) \times d(\text{Asset}, \text{Threat})</math>

where ''p()'' is the likelihood that a Threat will materialize/succeed against an Asset, and ''d()'' is the likelihood of various levels of damage that may occur.

The field of IT risk management has spawned a number of terms and techniques which are unique to the industry. Some industry terms have yet to be reconciled. For example, the term
vulnerability is often used interchangeably with likelihood of occurrence, which can be problematic.

Often encountered IT risk management terms and techniques include:

;Information security event
:An identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.
:*The event can be certain or uncertain.
:*The event can be a single occurrence or a series of occurrences.
:(ISO/IEC Guide 73)
;Information security incident
:is indicated by a single or a series of unwanted information security events that have a significant probability of compromising business operations and threatening information security
;Impact
:The result of an unwanted incident [G.17]. (ISO/IEC PDTR 13335-1)
;Consequence
:Outcome of an event [G.11]
:*There can be more than one consequence from one event.
:*Consequences can range from positive to negative.
:*Consequences can be expressed qualitatively or quantitatively
:(ISO/IEC Guide 73)

The risk ''R'' is the product of the likelihood ''L'' of a security incident occurring times the impact ''I'' that will be incurred to the organization due to the incident, that is:

:<math>R = L \times I</math>

based on:
* Estimation of likelihood as a mean between different factors on a 0 to 9 scale:
** Threat agent factors
*** Skill level: How technically skilled is this group of threat agents? No technical skills (1), some technical skills (3), advanced computer user (4), network and programming skills (6), security penetration skills (9)
*** Motive: How motivated is this group of threat agents to find and exploit this vulnerability? Low or no reward (1), possible reward (4), high reward (9)
*** Opportunity: What resources and opportunity are required for this group of threat agents to find and exploit this vulnerability? Full access or expensive resources required (0), special access or resources required (4), some access or resources required (7), no access or resources required (9)
*** Size: How large is this group of threat agents? Developers (2), system administrators (2), intranet users (4), partners (5), authenticated users (6), anonymous Internet users (9)
** Vulnerability factors: the next set of factors are related to the vulnerability involved. The goal here is to estimate the likelihood of the particular vulnerability involved being discovered and exploited. Assume the threat agent selected above.
*** Ease of discovery: How easy is it for this group of threat agents to discover this vulnerability? Practically impossible (1), difficult (3), easy (7), automated tools available (9)
*** Ease of exploit: How easy is it for this group of threat agents to actually exploit this vulnerability? Theoretical (1), difficult (3), easy (5), automated tools available (9)
*** Awareness: How well known is this vulnerability to this group of threat agents? Unknown (1), hidden (4), obvious (6), public knowledge (9)
*** Intrusion detection: How likely is an exploit to be detected? Active detection in application (1), logged and reviewed (3), logged without review (8), not logged (9)
* Estimation of impact as a mean between different factors on a 0 to 9 scale:
** Technical impact factors: technical impact can be broken down into factors aligned with the traditional security areas of concern: confidentiality, integrity, availability, and accountability. The goal is to estimate the magnitude of the impact on the system if the vulnerability were to be exploited.
*** Loss of confidentiality: How much data could be disclosed and how sensitive is it? Minimal non-sensitive data disclosed (2), minimal critical data disclosed (6), extensive non-sensitive data disclosed (6), extensive critical data disclosed (7), all data disclosed (9)
*** Loss of integrity: How much data could be corrupted and how damaged is it? Minimal slightly corrupt data (1), minimal seriously corrupt data (3), extensive slightly corrupt data (5), extensive seriously corrupt data (7), all data totally corrupt (9)
*** Loss of availability: How much service could be lost and how vital is it? Minimal secondary services interrupted (1), minimal primary services interrupted (5), extensive secondary services interrupted (5), extensive primary services interrupted (7), all services completely lost (9)
*** Loss of accountability: Are the threat agents' actions traceable to an individual? Fully traceable (1), possibly traceable (7), completely anonymous (9)
** Business impact factors: The business impact stems from the technical impact, but requires a deep understanding of what is important to the company running the application. In general, one should be aiming to support one's risk assessment with an evaluation of the impact on the business if the business fails to guard against risk, particularly if one's audience is at the executive level. The business risk is what justifies investment in fixing security problems.
*** Financial damage: How much financial damage will result from an exploit? Less than the cost to fix the vulnerability (1), minor effect on annual profit (3), significant effect on annual profit (7), bankruptcy (9)
*** Reputation damage: Would an exploit result in reputation damage that would harm the business? Minimal damage (1), loss of major accounts (4), loss of goodwill (5), brand damage (9)
*** Non-compliance: How much exposure does non-compliance introduce? Minor violation (2), clear violation (5), high-profile violation (7)
*** Privacy violation: How much personally identifiable information could be disclosed? One individual (3), hundreds of people (5), thousands of people (7), millions of people (9)
* If the business impact is calculated accurately, use it in the following; otherwise use the technical impact.
* Rate likelihood and impact on a LOW, MEDIUM, HIGH scale, assuming that less than 3 is LOW, 3 to less than 6 is MEDIUM, and 6 to 9 is HIGH.
* Calculate the risk using the following table

== IT risk management ==
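The likelihood and impact estimation described above, carried through as an added worked example (this is not code from the article or from OWASP): the factor names and sample scores are constructed, each group of factors is averaged on the 0 to 9 scale, and the result is rated LOW, MEDIUM or HIGH with the thresholds given in the text. The final severity lookup uses the table the text refers to, which is not reproduced here.

```python
# Added worked example (not from the article or from OWASP): score one
# finding with the factors listed above, average them on the 0-9 scale,
# and rate likelihood and impact as LOW / MEDIUM / HIGH.

def mean_score(factors):
    """Average a dict of factor scores, rejecting anything outside 0..9."""
    for name, value in factors.items():
        if not 0 <= value <= 9:
            raise ValueError(f"{name}={value} is outside the 0-9 scale")
    return sum(factors.values()) / len(factors)

def rate(score):
    """Map a 0-9 score onto the three-level scale used in the text."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"

def likelihood(threat_agent, vulnerability):
    # Likelihood is the mean of all threat-agent and vulnerability factors.
    return mean_score({**threat_agent, **vulnerability})

def impact(technical, business=None):
    # Use the business impact when it has been estimated, else the technical one.
    return mean_score(business if business else technical)

def assess(threat_agent, vulnerability, technical, business=None):
    lik = likelihood(threat_agent, vulnerability)
    imp = impact(technical, business)
    return {"likelihood": lik, "likelihood_rating": rate(lik),
            "impact": imp, "impact_rating": rate(imp)}

# Constructed sample: a hypothetical flaw reachable by anonymous Internet users
# (network and programming skills, possible reward, no access required).
SAMPLE_THREAT_AGENT = {"skill_level": 6, "motive": 4, "opportunity": 9, "size": 9}
SAMPLE_VULNERABILITY = {"ease_of_discovery": 7, "ease_of_exploit": 5,
                        "awareness": 9, "intrusion_detection": 8}
SAMPLE_TECHNICAL = {"confidentiality": 7, "integrity": 1,
                    "availability": 1, "accountability": 7}
SAMPLE_BUSINESS = {"financial": 3, "reputation": 1, "non_compliance": 2, "privacy": 5}

if __name__ == "__main__":
    print(assess(SAMPLE_THREAT_AGENT, SAMPLE_VULNERABILITY, SAMPLE_TECHNICAL, SAMPLE_BUSINESS))
    # Without a business estimate, the technical impact is rated instead.
    print(assess(SAMPLE_THREAT_AGENT, SAMPLE_VULNERABILITY, SAMPLE_TECHNICAL))
```

The sample rates MEDIUM on technical impact but LOW on business impact, which is why the text tells you to prefer an accurate business estimate when one exists.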