Security Risk Assessments Require Context

To accurately understand security posture, context is needed. An organization must consider not only their controls, but also the most likely, most damaging threats. Using cyber intelligence and industry research, security teams should be scientists and play the industry data against existing security. Following these guidelines will help lead to a truly meaningful understanding of cyber security risk.

Don’t Just Consider Compliance

We should apply context to get less theoretical and more real. This is a sensible approach. Why focus on unimportant controls that won’t stop an attack that results in a loss? Often, managers get bogged down with compliance to their industry standards and don’t prioritize their improvements appropriately. Don’t be one of them.

Use Risk Scenarios

Using the attack scenarios from industry reports, analyze the risks, the attack methods, and identify probabilities and potential costs of breaches. We can easily identify gaps and weaknesses in your protections by modeling the scenarios to estimate the frequency and cost of a breach. High cost and likelihood events take priority in our strategic plan.

Identify Frequencies (Likelihood)

We need to be able to estimate the likelihood that a breach event will occur. Admittedly this is an educated guess, but identifying the likelihood provides a baseline that we can look at after improvements are made to the security program. Improved controls mean less likelihood and usually less impact when a breach does occur.

Determine Loss Magnitudes (Cost of a Breach)

We can use actual breach cost data to model the loss event magnitude in dollars. Our model factors in the threat communities and their capabilities as well as the quality of your security program to determine estimated costs of a breach at your organization.

Know the Bad Guys

As you might expect, not all hackers are world class and they have different skill sets and likelihood of success with their bag of tricks.

A threat community is defined as a subset of the overall threat agent population that shares key characteristics. A threat agent is any agent (e.g., object, substance, human, etc.) that is capable of acting against something in a manner that can result in harm. Finally, a threat is defined as anything that is capable of acting in a manner resulting in harm to an asset and/or organization.

Each threat community has a unique threat capability. Threat capability is the probable level of force that a threat agent is capable of applying against an asset. More force means a higher likelihood of succeeding with the attack. The state-sponsored threat community and insiders pose a bigger risk than the “Script Kiddie” threat community because they have better tools, skills, and knowledge that increases their capabilities. Cyber criminals and professional hackers fall somewhere in the middle.

Model the Risk

Next, we use computer modeling techniques already successfully employed in other industries for accurate prediction despite many variables — weather prediction, for example.

We’ve identified today’s prevalent attacks, mapped the threat communities and their capabilities, determined initial breach likelihood and cost data, and rated the implementation quality of your controls in your environment. We’re ready to run the simulation now.

Stimulation from Simulation

Models are able to run thousands of tests in a matter of moments. We not only get detailed feedback that more accurately identifies our risk posture, but also have the ability to “test” how our likelihood and impact (cost) profile changes if we invest in particular controls simply by changing our inputs.

Meaningful Outputs – Visibility, Context, Accuracy

The output of the simulations will tell us which attack scenario poses the greatest risk, leading to greater visibility of our actual posture. Grounded in our current situation — both with security maturity and prevalent threats, we can see where gaps in our program exist and begin to address them. We have more confidence in our situation from better data produced from better inputs to the model.

To learn more about how our smarter approach to security assessments can benefit your organization, please contact us.

Continued in Part IV: The Benefits of Cyber Intelligence: It’s Good to Be Smart