Quantification of Cyber Risk

Organizations are increasingly realizing that the management of cybersecurity risk in complex environments needs to be addressed using suitable decision-making techniques. They are slowly embarking on the journey of quantifying their exposure to cybersecurity threats (operational risk) in much the same way they quantify credit and market risk exposure. While there is a wealth of data and well-established statistical methods for calculating credit and market risk, no such data or methods have been explored for quantifying cybersecurity risk.

Traditional Cyber Risk assessment methodologies generally use a likelihood/impact-based risk model to arrive at risk ratings. While useful as a starting point, such models suffer from serious deficiencies including:

  1. The probability and impact estimates are often oversimplified, with little thought given to what lies under the hood.
  2. Risk is not always independent. For example, speed of delivery and quality of delivery are always linked. Yet poor quality and missed delivery usually appear as separate risk factors in risk registers, giving the illusion that one can be controlled or mitigated independently of the other.
  3. Visualization tools like heat maps draw attention to the top right quadrant (high consequence and high likelihood), while items in other quadrants, especially low likelihood and high consequence risks, are generally ignored.
  4. Risk scoring in the traditional approach represents only one possible outcome. In fact, operational risks can have a wide range of outcomes, i.e., a distribution of outcomes where each potential outcome has a corresponding probability.
  5. Failure to address key concerns such as:
    1. What critical causal factors apply to specific risk factors.
    2. How to quantify risk reduction by implementing specific controls.

This article seeks to address these issues using a simple data analysis based on Bayesian Inference. Bayesian Data Analysis (BDA) brings together data, expert opinion, risk and uncertainty into a formal statistical framework, allowing decision-makers to see their choices clearly. Further, BDA can provide rigorous risk quantification and genuine decision support for risk management.

Imagine this hypothetical, and simplified, scenario. As Security Head for company XXX, you have been called into the Executive Leadership discussion on the recent hack of one of your competitor's websites due to a specific vulnerability: huge data loss, reputation damage, and a lot of liability!

Executive Leadership: What is the chance that someone can hack one of our websites and steal our clients' data?

Security Head: You pull out your Bayesian Hat and you say, "2.28% over the next year, but I will update that number after the penetration test."

Executive Leadership: We are used to hearing rank-order terms like High, Medium, etc. You seem to be coming out with a precise number. How did you arrive at it? As a follow-up question: how much will you change your probability if your test finds something? Or, what if your test finds nothing?

Calculation using Bayes Theorem

Based on an industry data breach report, your base rate (prior) for a data breach is roughly 2%.

What is the probability of a data breach given that the penetration test is positive (vulnerable)?

What is the probability of a data breach given that the penetration test is negative (not vulnerable)?
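
A worked version of the two questions above, as an added example that is not from the original article. It takes the article's 2% base rate as the prior; the two penetration-test likelihoods (0.95 and 0.10) are constructed values, and the repeated-test update assumes the test results are conditionally independent.

```python
# Added example: Bayes update of breach probability from penetration-test results.
PRIOR = 0.02               # base rate from the article
P_POS_IF_BREACH = 0.95     # assumed: P(test positive | breach within the year)
P_POS_IF_NO_BREACH = 0.10  # assumed: P(test positive | no breach within the year)


def update(prior, p_pos_if_breach, p_pos_if_no_breach, positive):
    """Return P(breach | test result) by Bayes' theorem."""
    for p in (prior, p_pos_if_breach, p_pos_if_no_breach):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    # Likelihood of the observed result under each hypothesis.
    like_breach = p_pos_if_breach if positive else 1 - p_pos_if_breach
    like_no_breach = p_pos_if_no_breach if positive else 1 - p_pos_if_no_breach
    # Total probability of seeing this result at all.
    evidence = prior * like_breach + (1 - prior) * like_no_breach
    if evidence == 0:
        raise ValueError("observed result has zero probability under the model")
    return prior * like_breach / evidence


def update_sequence(prior, p_pos_if_breach, p_pos_if_no_breach, results):
    """Feed each posterior back in as the next prior, one test result at a time."""
    belief = prior
    for positive in results:
        belief = update(belief, p_pos_if_breach, p_pos_if_no_breach, positive)
    return belief


if __name__ == "__main__":
    args = (PRIOR, P_POS_IF_BREACH, P_POS_IF_NO_BREACH)
    print(f"P(breach | test positive)  = {update(*args, True):.4f}")
    print(f"P(breach | test negative)  = {update(*args, False):.4f}")
    print(f"P(breach | two positives)  = {update_sequence(*args, [True, True]):.4f}")
```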

Now let us take that journey further into an interesting area, return on security investment (ROSI) using simulation.

As Security Head for company XXX, you are proposing a new security investment to the CFO for mitigation of a specific risk event, say malware, at a cost of 25k USD/year (a contrived example).

CFO: Fine. What is the likelihood of the risk event?

Security Head: You pull out your Bayesian Hat and you say, "20%" over the next year.

CFO: Ok, great. Do we know the potential impact?

Security Head: Yes, I've discussed this with various Business and Functional Leaders to arrive at a 90% confidence bound of:

25k USD (Lower Bound)

500k USD (Upper Bound)

i.e., there is a 5% chance that the impact is less than 25k USD and a 5% chance that it is greater than 500k USD. In other words, it is 90% likely that there will be a loss somewhere between 25k and 500k USD. Key factors that we considered are legal fees, investigation fees, PR effort to convince clients, etc.

CFO: Ok, what is the average exposure?

Security Head: You pull out your Monte Carlo simulation tool and you say, "~35k USD" over the next year.

CFO: Excellent. What is the Return on Investment (ROI)?

Security Head: It depends on how effectively we implement the mitigation strategy

CFO: Could you please explain?

Security Head: You pull out your Monte Carlo simulation tool and you say, "negative 9%" over the next year if mitigation is only 40% effective and "positive 31%" over the next year if mitigation is 95% effective.

Note: As a good practice, the Security Head has to review the expected Impact and Likelihood as the context changes. Bayesian Philosophy is all about updating the belief based on new data.


Risk Exposure (RE) = Likelihood * Impact

ROSI(%) = (RE * Mitigation Effectiveness – Cost of Risk Treatment Per Year) / Cost of Risk Treatment Per Year
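
One way to run the simulation behind this exchange, as an added example rather than the author's own tool. The lognormal impact distribution fitted to the 90% bound is an assumption (the article does not name a distribution), so the figures it produces depend on that choice and on the seed.

```python
# Added example: Monte Carlo risk exposure and ROSI from the article's inputs.
import math
import random
from statistics import NormalDist, fmean


def lognormal_params(lower, upper, confidence=0.90):
    """Fit lognormal (mu, sigma) so [lower, upper] is the central confidence interval."""
    z = NormalDist().inv_cdf(0.5 + confidence / 2)  # about 1.645 for 90%
    mu = (math.log(lower) + math.log(upper)) / 2
    sigma = (math.log(upper) - math.log(lower)) / (2 * z)
    return mu, sigma


def simulate_annual_loss(likelihood, lower, upper, trials=200_000, seed=1):
    """One simulated year per trial: the event occurs with `likelihood`, then draws an impact."""
    rng = random.Random(seed)  # fixed seed so runs are repeatable
    mu, sigma = lognormal_params(lower, upper)
    return [rng.lognormvariate(mu, sigma) if rng.random() < likelihood else 0.0
            for _ in range(trials)]


def rosi(risk_exposure, effectiveness, cost):
    """ROSI per the article's formula, returned as a fraction rather than a percent."""
    return (risk_exposure * effectiveness - cost) / cost


def summarize(losses, cost, effectiveness_levels=(0.40, 0.95), threshold=500_000):
    """Mean exposure plus the tail figures a single risk score hides."""
    exposure = fmean(losses)
    return {
        "risk_exposure": exposure,
        "p_any_loss": sum(x > 0 for x in losses) / len(losses),
        "p_loss_over_threshold": sum(x > threshold for x in losses) / len(losses),
        "rosi": {e: rosi(exposure, e, cost) for e in effectiveness_levels},
        "break_even_effectiveness": cost / exposure,  # effectiveness where ROSI = 0
    }


if __name__ == "__main__":
    # Inputs from the article: 20% likelihood, 25k-500k USD bound, 25k USD/year cost.
    losses = simulate_annual_loss(0.20, 25_000, 500_000)
    for key, value in summarize(losses, cost=25_000).items():
        print(key, value)
```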

The author is Head – Cybersecurity, L&T Smart World & Communication
