An alternative approach to quantifying cyber risk using comprehensive attack surface evaluation assessments and Value-at-Risk modeling.
Organizations have an imperative to protect the data that has been entrusted to them, as well as securing their digital borders against business-interrupting intrusions. The legal landscape regarding accountability for data breaches continues to develop, but it has become clear that regulators, lawmakers, and the public will hold the breached entity responsible for a cyber event and the loss of data. This trend means that a cyber event of any type has the potential to negatively affect an organization's revenue and reputation.
The conventional wisdom is that surviving and prospering in cyberspace depends on sound risk management, which in turn depends on a credible method of estimating and quantifying risk.
Experts agree that no single solution will resolve an organization's cyber risk, but combining technology and insurance can significantly improve the chances that an organization responds to and recovers from a cyber event quickly.
The approach proposed for this blog series explores the use of Comprehensive Attack Surface Evaluation (CASE) assessments with scenario modeling and statistical estimation risk quantification techniques to assist organizations in justifying strategic investments, establishing tactical priorities, and quantifying cyber risk in financial terms to make risk transfer decisions. This approach leverages existing technology to improve defensive readiness assessments and perform them continuously against different attack scenarios.
CASE assessments are multi-tiered assessments conducted remotely against a device; they mimic a real-world attacker assessing the system for vectors of attack. CASE validation checks are based on a collection of public and proprietary strategies used by malware, pen-testers, exploit toolkits, and real-world attacks, and are verified using simple validation checks against existing scan results or custom scans. CASE is intended to help administrators and security teams identify the strategies and attacker trends that could be used to compromise their systems or users. Combined with cyber risk quantification techniques, it gives decision makers a means to respond proactively to cyber-related issues and events.
The quantification method proposed was suggested by the World Economic Forum, in which Value-at-Risk (VaR) modeling is used to understand the economic risk an organization faces from potential cyber incidents [1]. The mapping from financial VaR may be done as follows:
- In place of financial assets, put a computer network infrastructure, modeled at an appropriate level of abstraction through CASE assessments.
- In place of instrument values, put loss potentials associated with intellectual property, service disruption, compliance failure, and so forth, coupled to the network locations whose compromise would directly result in the losses.
- In place of price processes, put cyber-attack processes derived through CASE assessments. In place of market fluctuations, put increases and decreases in each attack's incidence rate and effectiveness.
From these data you can simulate the emergence and progress of CASE assessment-derived attacks over time and observe the losses an organization would expect to incur. By repeating the process over many trials, you build a loss distribution from which the cyber VaR can be computed. With the addition of CASE, you are afforded mitigation recommendations that go beyond technical audits measuring an organization's security posture against standard control frameworks.
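The mapping and simulation loop described above, written out as an added Monte Carlo example (this is illustrative code for this post, not the series' own tooling and not CASE output). Assets stand in for the financial instruments, each carrying the loss its compromise would cause; `AttackProcess` entries stand in for price processes, each with an annual incidence rate and an effectiveness; a per-trial lognormal factor on both stands in for market fluctuation. Every asset value, rate and effectiveness below is a constructed sample input, and the `apply_mitigation` helper is a hypothetical way to model a CASE recommendation being implemented so the before/after VaR can be compared.

```python
"""Monte Carlo cyber Value-at-Risk (VaR) from CASE-style attack scenarios.

Added example for this post, not code from the original series. All asset
values, attack rates and effectiveness figures are constructed sample inputs.
"""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    """A network location and the loss incurred if it is compromised."""
    name: str
    loss_if_compromised: float  # currency units (constructed values below)


@dataclass(frozen=True)
class AttackProcess:
    """One attack vector as a CASE assessment might surface it (constructed)."""
    name: str
    target: str           # Asset.name this vector leads to
    annual_rate: float    # expected attempts per year (Poisson intensity)
    effectiveness: float  # probability that one attempt succeeds, 0..1


# Constructed sample inputs, not real assessment data.
ASSETS = [
    Asset("customer-db", 2_500_000.0),
    Asset("web-frontend", 400_000.0),
    Asset("hr-fileshare", 900_000.0),
]
ATTACKS = [
    AttackProcess("web-app-vuln", "web-frontend", annual_rate=3.0, effectiveness=0.20),
    AttackProcess("phishing", "hr-fileshare", annual_rate=4.0, effectiveness=0.10),
    AttackProcess("exposed-service", "customer-db", annual_rate=0.5, effectiveness=0.30),
]


def poisson(rng: random.Random, lam: float) -> int:
    """Draw from Poisson(lam) with Knuth's multiplication method (fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_losses(assets, attacks, trials, seed=7, rate_vol=0.25, eff_vol=0.25):
    """Simulate one year per trial and return the total loss of each trial.

    Each trial perturbs every attack's rate and effectiveness with a lognormal
    factor (the analogue of market fluctuation), draws the number of attempts,
    and tests each attempt against the perturbed effectiveness. Every success
    incurs the full loss of its target asset.
    """
    rng = random.Random(seed)
    loss_of = {a.name: a.loss_if_compromised for a in assets}
    losses = []
    for _ in range(trials):
        total = 0.0
        for atk in attacks:
            rate = atk.annual_rate * rng.lognormvariate(0.0, rate_vol)
            eff = min(1.0, atk.effectiveness * rng.lognormvariate(0.0, eff_vol))
            attempts = poisson(rng, rate)
            successes = sum(1 for _ in range(attempts) if rng.random() < eff)
            total += successes * loss_of[atk.target]
        losses.append(total)
    return losses


def value_at_risk(losses, confidence=0.95):
    """Empirical VaR: the annual loss not exceeded in `confidence` of trials."""
    ordered = sorted(losses)
    idx = max(0, math.ceil(confidence * len(ordered)) - 1)
    return ordered[idx]


def apply_mitigation(attacks, name, new_effectiveness):
    """Hypothetical helper: model a CASE recommendation by lowering one vector's effectiveness."""
    return [replace(a, effectiveness=new_effectiveness) if a.name == name else a
            for a in attacks]


def cyber_var_report(assets, attacks, trials=20_000, confidence=0.95):
    """Run the simulation and summarise expected loss and VaR."""
    losses = simulate_losses(assets, attacks, trials)
    return {
        "trials": trials,
        "expected_loss": sum(losses) / len(losses),
        "var": value_at_risk(losses, confidence),
    }


if __name__ == "__main__":
    baseline = cyber_var_report(ASSETS, ATTACKS)
    hardened = cyber_var_report(ASSETS, apply_mitigation(ATTACKS, "exposed-service", 0.05))
    print("baseline :", baseline)
    print("mitigated:", hardened)
```

The same seed is used for both runs, so lowering one vector's effectiveness can only remove successes from the baseline trials; the difference between the two VaR figures is then attributable to the mitigation rather than to sampling noise. A production model would replace the constructed inputs with rates and effectiveness derived from the CASE findings and would refine the loss model (for example, charging an asset's loss once per year rather than per successful attempt).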
This approach to determining VaR, familiar to those who calculate it for financial purposes, is readily adaptable to inform risk management of an enterprise's presence in cyberspace. But of course, the testing and modeling of network infrastructure, the valuation of intellectual property, the consequences of service disruption and compliance failure, and so on, are topics in themselves. We'll treat these in subsequent blog posts.