In these difficult days budgets are under pressure – but the cyber threat is far from diminished. The Chief Information Security Officer (CISO) is being driven to justify the value of every pound spent by the chief finance officer, while the chief risk officer wants to understand the change in cyber risk exposure.
As a cybersecurity community, we have quested for ways of linking investment to risk reduction: a clear line of sight from the threat groups, to the attack techniques they use, to the controls which prevent or detect those attacks, and then to the likelihood that those controls are effective.
Of course, that is just one element of assessing risk. We also need to know the impact that the attack might have on the organisation, but getting a better grip on likelihood is a good first step.
We had an opportunity to work with one of the largest insurers in the world to try and tackle this challenge. We don’t have all the answers, but we hope this work will be a contribution to advancing the discussion on cyber risk quantification.
Our aim was to build a practical model for estimating likelihood of an attack. Succeeding in that would help the CISO optimise their investments in controls. It had to be usable, linked to the insurer’s existing risk framework, threat led, informed by empirical data and capable of generating useful and actionable insights. No mean feat.
The answer was to bring together a number of existing concepts to build an integrated model. We needed a taxonomy of controls; a consistent set of threat scenarios linked to attack trees that help us understand which controls would make a difference; and a risk engine which had predictive power.
One of our biggest challenges was estimating the frequency with which attackers might try to breach the defences of the insurer. This is known as the attacker contact rate. This meant analysing industry statistics and data from the insurer’s own security operations centre in a structured and disciplined way. We also had to allow for learning that goes on when an attacker is rebuffed and comes back multiple times to try again. Together these helped us quantify the threat.
The attack trees then provided a framework for bringing control effectiveness estimates together. They model the likelihood that an attacker would succeed in establishing an attack path, from initial compromise of the system through to finally achieving their objectives. This works well for technical controls, but not for the foundational controls of cybersecurity – comprehensive asset management and a strong governance model, for example. So, we had to adjust for these factors. There is more that we have to understand about these relationships, but this is a beginning.
Now we can start to model which controls make the biggest contribution to likelihood reduction, and more importantly which improvements in controls might reduce those likelihood figures to a tolerable level. That is the start of modelling how big a difference an investment portfolio might make, and that is a big step forward.
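A small illustration, added here and not the insurer's model or the authors' code, of the pieces described above: an attack tree of steps each covered by controls, a yearly attacker contact rate with the attacker learning from rebuffed attempts, and a ranking of which control uplift cuts the annual likelihood most. The tree, control names and effectiveness figures are constructed assumptions, and attempts are counted as a fixed number per year rather than drawn from a distribution.

```python
from dataclasses import dataclass
from math import prod

@dataclass
class Step:
    name: str
    controls: list  # names of controls that each get a chance to stop this step

@dataclass
class Node:
    """AND: the attacker must pass every child; OR: any one child path suffices."""
    kind: str
    children: list

def path_success(node, eff, decay=1.0):
    """P(attacker completes the subtree). eff maps control -> P(control stops the step);
    decay < 1 models the attacker learning from earlier rebuffed attempts."""
    if isinstance(node, Step):
        return prod(1.0 - eff[c] * decay for c in node.controls)  # every control must fail
    probs = [path_success(ch, eff, decay) for ch in node.children]
    if node.kind == "AND":
        return prod(probs)
    return 1.0 - prod(1.0 - p for p in probs)

def annual_likelihood(tree, eff, contact_rate, learning=0.0):
    """P(at least one successful attack in a year) over contact_rate attempts; each
    rebuffed attempt lowers every control's effectiveness by the learning factor."""
    p_all_blocked = 1.0
    for k in range(contact_rate):
        p_all_blocked *= 1.0 - path_success(tree, eff, (1.0 - learning) ** k)
    return 1.0 - p_all_blocked

def rank_improvements(tree, eff, contact_rate, learning=0.0, uplift=0.1):
    """Rank controls by the likelihood reduction from raising each one's effectiveness by uplift."""
    base = annual_likelihood(tree, eff, contact_rate, learning)
    gains = [(c, base - annual_likelihood(tree, {**eff, c: min(1.0, eff[c] + uplift)},
                                           contact_rate, learning)) for c in eff]
    return sorted(gains, key=lambda g: g[1], reverse=True)

# Constructed illustrative tree and effectiveness figures (assumptions, not insurer data).
TREE = Node("AND", [
    Node("OR", [Step("phishing", ["email_filtering", "awareness_training"]),
                Step("exploit_public_app", ["patching", "waf"])]),
    Step("lateral_movement", ["segmentation", "edr"]),
    Step("exfiltrate_data", ["dlp", "monitoring"]),
])
EFF = {"email_filtering": 0.8, "awareness_training": 0.5, "patching": 0.7, "waf": 0.6,
       "segmentation": 0.5, "edr": 0.7, "dlp": 0.4, "monitoring": 0.6}
```

Calling `rank_improvements(TREE, EFF, 12, 0.05)` returns the controls ordered by how much a 0.1 uplift in each would lower the year's likelihood, which is the comparison a CISO can set against the cost of each improvement.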
Oddly, creating the model had a big and unanticipated benefit. It encouraged our client to structure and organise data on threats, security incidents and control effectiveness into a consistent framework – which could then be fed into the model. That framework helps structure our thinking, and lets us build better models as we calibrate our initial attempts against reality.
We chose to share this thinking with the cybersecurity community as a contribution to the state of the art on risk quantification. Together we can build better models, but far more importantly we can help CISOs and senior leaders make the right choices when investing to protect their organisations.
For further information on cyber risk modelling, read our latest paper on the current approaches to modelling and quantifying cyber risk, and how we can rethink it.