a typical example or pattern of something; a model.
Why is information security so broken? As the countless breaches in the news illustrate, something is seriously wrong with how security and privacy are managed in governments and businesses around the world. My theory is that this can be traced back to how we think about information (cyber) risk, and how that thinking affects how we manage information security.
Let’s start with the basic definition of risk as being the product of the impact of an undesirable event and the likelihood of that event occurring (R = L * I). While the basic equation is fairly well known (if not understood), where we go off the rails is in the estimations we make of impact, and in particular likelihood.
This comes from the failure to see that cyber risk is not just another natural event, like hurricanes or floods. How often have I seen the idiotic cyber risk example of calculating the cost of losing “x” records multiplied by the number of events per year or decade to come up with a Single Loss Expectancy (SLE) and Annualized Loss Expectancy (ALE)? You are then supposed to take this number and compare it to the cost of implementing protections against this event, with the logic that you should not spend more per year than the calculated ALE.
Where you don’t have a clue for the likelihood of an event, the suggestion is to use Monte Carlo methods to simulate the probable outcomes across a range of likelihoods and impacts, the result being a more “precise” number.
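As an added illustration (not part of the original post), here is the Monte Carlo approach just described, sketched in Python. The likelihood ranges, the log-normal impact model and every figure are constructed assumptions; the point is that the ALE that comes out is set by the guessed input ranges, while the median simulated year shows no loss at all.

```python
import math
import random
import statistics

def simulate_annual_losses(rng, likelihood_range, impact_median, impact_sigma, trials):
    """Simulate one year per trial: draw a likelihood from the assumed range,
    decide whether the event occurs, and if so draw a log-normal impact."""
    lo, hi = likelihood_range
    mu = math.log(impact_median)
    losses = []
    for _ in range(trials):
        likelihood = rng.uniform(lo, hi)      # guessed annual probability
        if rng.random() < likelihood:
            losses.append(rng.lognormvariate(mu, impact_sigma))
        else:
            losses.append(0.0)                # year without the event
    return losses

def summarize(losses):
    ordered = sorted(losses)
    return {
        "ale": statistics.fmean(ordered),                # the single "precise" number
        "median": ordered[len(ordered) // 2],            # the typical simulated year
        "p999": ordered[int(len(ordered) * 0.999)],      # a 1-in-1000 year
    }

def compare(seed=1, trials=100_000):
    """Run the same model under two constructed, equally arguable sets of guesses."""
    rng = random.Random(seed)
    optimistic = summarize(
        simulate_annual_losses(rng, (0.01, 0.05), 1_000_000, 1.0, trials))
    pessimistic = summarize(
        simulate_annual_losses(rng, (0.05, 0.25), 1_000_000, 2.0, trials))
    return optimistic, pessimistic

if __name__ == "__main__":
    for name, s in zip(("optimistic", "pessimistic"), compare()):
        print(f"{name:12s} ALE={s['ale']:>14,.0f} "
              f"median={s['median']:>4,.0f} p99.9={s['p999']:>16,.0f}")
```

Both runs use the same median impact; only the guessed likelihood range and the spread of the impact differ, and that alone moves the ALE by more than an order of magnitude.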
Repeat after me 100 times, “Cyber risk is not insurance risk”.
Using ALE/SLE methods to calculate cyber risk and drive the resultant prioritization of information security initiatives is a prescription for failure. Taking a peek under the covers of the countless information security breaches should demonstrate this if nothing does. All too often I have seen the most basic security measures in companies neglected while time and money are devoted to initiatives with low risk impact.
So what should you do? The answer to how to properly consider cyber risk is staring you in the face. Viruses? Infections? Proliferation? Cyber risk is more closely aligned to medical risk than to any ALE/SLE type of calculation. Do you think that Equifax’s risk team could ever have calculated that failure to patch a single server could end up costing the company $1.4 billion? They would have been laughed out of the room if they had.
Looking at this as a medical event, the analogy would be that time and money were being devoted to expensive and complex diagnostic equipment when basic hygiene was not being consistently practiced in the organization. Just as with real viruses, cyber viruses spread through any possible avenue of entry. Unlike a brick through the window (an insurance event), malware can infiltrate an organization, seek to spread itself, mutate to hide itself and, more importantly, allow an intelligent actor (who is behind the threat) to leverage this access to gain even more privileges, obtain more information and circumvent more controls already in place. I don’t see many “bricks” causing this level of damage.
To apply likelihood to these types of events from a frequency perspective is laughably meaningless. A single piece of malware that comes attached to a malicious email can contain everything from a cryptominer, to ransomware, to an APT to allow spying for the purpose of business fraud, to providing remote access for an attacker to do just about anything they want in your network. How are you going to predict which piece of malware it is that you will receive, what it can do, or what it will be used to do? The answer is you can’t.
So how do you protect yourself? By viewing cyber as a medical risk, not an insurance risk. If you are going to a remote country that you have never visited and you have any sense, you will take a look at the diseases that are prevalent in that country, how they are spread and how you can protect yourself from them. Let your threats dictate and prioritize your defenses and countermeasures.
In the next chapter, I’ll expand on this concept to discuss threats and threat actors in the cyber world, and how to use this information to start to plan and prioritize your security program.