A Look at How to Measure Anything in Cybersecurity Risk (Chapter 1)

by Phil Conrad

PART 1 - Why Cybersecurity Needs Better Measurements for Risk

Chapter 1 - The One Patch Most Needed in Cybersecurity

Measuring cybersecurity risk is both challenging to accomplish and communicate. This is evidenced by the lack of senior management, in many organizations, to appropriately invest in cybersecurity efforts. They state, "We need to convince management, in their language, that these issues require their attention and a significant budget." I agree, we do, and if we can do it in their language, we can get the point across. Later in the chapter, they also note, "what risks are acceptable is often not documented." Perhaps it's a vicious cycle.

I believe the part of this is due to the challenge of communicating the risk involved with not investing in cybersecurity defense measures. It's difficult to justify putting a lot of dollars toward cybersecurity infrastructure where you don't know how much bang for your buck you are getting. You don't know how much it could potentially cost you to not invest so how do you know how much to put towards it? How can we have a discussion on the acceptable risks if we can not communicate to management the criticality of this issue?

So, I think the authors correctly state it when they say, "There is a reason to be worried--both about the threats to cybersecurity and the adequacy of methods to assess them."

With a growing attack surface, decisions need to be made about where to put your defense efforts. The authors find four causes of this growth.

The global attack surface is a macro-level phenomenon driven by at least four macro-level causes of growth:

• Increasing users worldwide
• Variety of users worldwide
• Growth in discovered and exploited vulnerabilities
• Organizations more networked with each other resulting in "cascade failure" risks (e.g. the NotPetya attack showed how destructive an attack could be and SolarWinds showed how widespread an attack could be.)

Their key "beef," when it comes to measuring risk is the tools used, namely, the risk matrix. I know I came across these matrices while studying for various cybersecurity certifications. They note "various versions of scores and risk maps are endorsed and promoted by several major organizations" (i.e. NIST, ISO, MITRE.org, OWASP).

Their position on current methods of risk measurement is they do not work. They list these reasons:

• No evidence they improve judgment
• Evidence these methods add noise and error to judgment process
• Overwhelming evidence in published research that quantitative, probabilistic methods are an improvement over unaided expert intuition

Cyber risk quantification (CRQ) is catching on, however, perhaps an indication of where they are taking us in the following chapters of their book.

Thus, they propose adopting a new quantitative approach to cybersecurity built on the following principles:

• It is possible to greatly improve on the existing methods
• Cybersecurity can use the same quantitative language of risk analysis used in other problems.
• These improved methods are entirely feasible.
• Even these improved methods can be improved further--continuously.

Home