Measuring security risk is not that hard if you get your terms straight and leverage well-established methods and principles from other disciplines.
How enthusiastic would you be to ride on a spacecraft if you knew that the scientists and engineers who designed it and planned the mission couldn’t agree on the definition of mass, weight, and velocity?
A quick look at the word “risk” in Wikipedia provides a clue regarding the variety of definitions that exist for a foundational term in our profession. But inconsistent formal definitions are really just the tip of the iceberg. For example, I like to ask audiences, “Which of these are risks?”:
- Disgruntled employees
- Untested recovery plans
- Sensitive consumer information
- Weak passwords
Almost without exception, the answer I hear is “All of them!” The truth, however, is that none of them are risks. Vulnerabilities are not risks and we need to stop acting like they are. Disgruntled employees and cybercriminals are threat communities; reputation and sensitive consumer information are assets; and weak passwords and an untested recovery plan are (deficient) controls. In other words, although these are all parts of the risk landscape, they are importantly different from one another.
Furthermore, when I asked an audience of seasoned infosec professionals to list the top three risks their organizations faced, the following word cloud resulted:
I find “unknown” to be particularly ironic.
Why does it matter? Can’t we usually glean the meaning of a term through the context in which it’s being used? Although that’s often true in conversation with colleagues in our profession, clarity is crucial when we’re speaking with people outside of our profession — such as executives — and when we’re trying to measure something. I’ll touch on measurement in a minute. For now, let’s focus on communication.
As a profession, we’ve been saying for a long time that we need to speak the language of business in order to get and maintain the support we need to be effective. That being the case, it’s only logical that our use of the word “risk” be driven by how executives think about it.
What senior executives and boards want from us is to help their organizations manage the frequency and magnitude of infosec-related loss events. These loss events are the “risks” we’re supposed to manage. This is aligned with the rest of their risk world, and it also enables far more effective measurement and communication. A couple of example infosec risks are:
- Cybercriminal compromise of consumer personal data
- Disgruntled employee crashing a system that supports a critical business process
The same executive stakeholders whose eyes glaze over when we talk about vulnerabilities and threat vectors suddenly take interest when the risks we talk about are loss events. These risks also provide the context in which we can measure and express the significance of problems in the risk landscape like changes in threat vectors or the vulnerabilities we’re trying to resolve.
Imagine, for example, being able to explain to an executive how a change in threat activity increases the likelihood of the compromise of personally identifiable information by somewhere between 20% and 30%, with a resulting increase in loss exposure of between $500,000 and $1 million. No executive in the world is going to have difficulty wrapping their mind around that.
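The arithmetic behind a statement like that, as an added illustration that is not part of the original article: risk is expressed as a loss event frequency and a loss magnitude, each stated as a calibrated range, and a change in threat activity is applied as a relative change in frequency. The scenario figures are constructed, not taken from any real assessment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Interval:
    """A calibrated low/high estimate, the way a risk analyst states an input."""
    low: float
    high: float

    def __post_init__(self):
        if self.low > self.high:
            raise ValueError("low must not exceed high")

    def times(self, other: "Interval") -> "Interval":
        # Inputs here are non-negative, so the endpoints multiply directly.
        return Interval(self.low * other.low, self.high * other.high)


@dataclass(frozen=True)
class LossScenario:
    """One loss event, phrased the way an executive would name a risk."""
    name: str
    loss_event_frequency: Interval  # events per year
    loss_magnitude: Interval        # currency lost per event

    def annual_loss_exposure(self) -> Interval:
        # Loss exposure is frequency x magnitude, carried through as a range.
        return self.loss_event_frequency.times(self.loss_magnitude)


def exposure_increase(before: LossScenario, frequency_change: Interval) -> Interval:
    """Rise in annual loss exposure when loss event frequency grows by a relative
    factor, e.g. Interval(1.2, 1.3) for "20% to 30% more likely". The low and high
    ends of an estimate move together, so each end is compared with the same end."""
    if frequency_change.low < 1:
        raise ValueError("this helper models an increase in frequency only")
    after = LossScenario(before.name,
                         before.loss_event_frequency.times(frequency_change),
                         before.loss_magnitude)
    old, new = before.annual_loss_exposure(), after.annual_loss_exposure()
    return Interval(new.low - old.low, new.high - old.high)


# Constructed figures for the first example risk in the article (not real data).
PII_COMPROMISE = LossScenario(
    "Cybercriminal compromise of consumer personal data",
    loss_event_frequency=Interval(0.1, 0.2),          # once every 5 to 10 years
    loss_magnitude=Interval(5_000_000, 10_000_000),   # dollars per event
)
```

With these inputs the baseline exposure is $500,000 to $2,000,000 per year, and a 20% to 30% rise in frequency adds $100,000 to $600,000 per year, which is the form of statement an executive can act on.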
Of course, that raises the question, “Can we measure infosec risk?” The short answer, despite what you may have heard or believe, is yes. In fact, we do it all the time.
Measurement is a prerequisite to prioritization, and you and I both know that we prioritize all the time. Unfortunately, given the inconsistency and ambiguity with which we approach infosec risk, we’re horrible at it. Here’s some bad news: 70% to 90% of the “high risks” I’ve examined in organizations over the past several years do not, in fact, represent high risk. This means that those organizations have a significant signal-to-noise problem and aren’t able to focus on the things that matter most. And if you think about it, the inability to prioritize effectively is a gift to the bad actors (as if they didn’t already have enough advantages) and a failure on our part as stewards of the resources we’re given.
The good news is that measuring infosec risk is not that hard once you’ve gotten your terms straight and when you leverage well-established methods and principles from other risk disciplines. Good sources of information on this include:
- How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard and Richard Seiersen
- Measuring and Managing Information Risk: A FAIR Approach by Jack Jones and Jack Freund
Every discipline we think of as mature today — math, medicine, physics, etc. — went through an early phase in which nobody could agree on fundamental terms or principles. In that sense, we’re in good company. But given today’s imperatives surrounding cyber and technology risk management, we do not have the luxury of decades to get our act together.