Measuring security risk is not that hard if you get your terms straight and leverage well-established methods and principles from other disciplines.

How enthusiastic would you be to ride on a spacecraft if you knew that the scientists and engineers who designed it and planned the mission couldn’t agree on the definition of mass, weight, and velocity?

A quick look at the word “risk” in Wikipedia provides a clue regarding the variety of definitions that exist for a foundational term in our profession. But inconsistent formal definitions are really just the tip of the iceberg. For example, I like to ask audiences, “Which of these are risks?”:

  • Vulnerabilities
  • Disgruntled employees
  • Reputation
  • Untested recovery plans
  • Sensitive consumer information
  • Weak passwords
  • Cybercriminals

Almost without exception, the answer I hear is “All of them!” The truth, however, is that none of them are risks. Vulnerabilities are not risks, and we need to stop acting like they are. Disgruntled employees and cybercriminals are threat communities; reputation and sensitive consumer information are assets; and weak passwords and an untested recovery plan are (deficient) controls. In other words, although these are all parts of the risk landscape, they are importantly different from one another.

Furthermore, when I asked an audience of seasoned infosec professionals to list the top three risks their organizations faced, the following word cloud resulted:

[Word cloud: audience answers to “What are the top three risks your organization faces?” Source: Jack Jones]

I find “unknown” to be particularly ironic.

Why does it matter? Can’t we usually glean the meaning of a term through the context in which it’s being used? Although that’s often true in conversation with colleagues in our profession, clarity is crucial when we’re speaking with people outside of our profession — such as executives — and when we’re trying to measure something. I’ll touch on measurement in a minute. For now, let’s focus on communication.

As a profession, we’ve been saying for a long time that we need to speak the language of business in order to get and maintain the support we need to be effective. That being the case, it’s only logical that our use of the word “risk” be driven by how executives think about it.

What senior executives and boards want from us is to help their organizations manage the frequency and magnitude of infosec-related loss events. These loss events are the “risks” we’re supposed to manage. This is aligned with the rest of their risk world, and it also enables far more effective measurement and communication. A couple of example infosec risks are:

  • Cybercriminal compromise of consumer personal data
  • Disgruntled employee crashing a system that supports a critical business process

The same executive stakeholders whose eyes glaze over when we talk about vulnerabilities and threat vectors suddenly take interest when the risks we talk about are loss events. These risks also provide the context in which we can measure and express the significance of problems in the risk landscape like changes in threat vectors or the vulnerabilities we’re trying to resolve.

Imagine, for example, being able to explain to an executive how a change in threat activity increases the likelihood of the compromise of personally identifiable information by somewhere between 20% and 30%, with a resulting increase in loss exposure of between $500,000 and $1 million. No executive in the world is going to have difficulty wrapping their mind around that.
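The arithmetic behind a statement like that is worth seeing. The following is an added example, not code from the article, the FAIR Institute, or RiskLens. It uses a deliberately simplified version of the FAIR decomposition (Loss Event Frequency = Threat Event Frequency × Vulnerability; annual loss exposure = Loss Event Frequency × Loss Magnitude), expresses each factor as a min / most-likely / max estimate, and runs a small Monte Carlo to turn a “25% increase in threat activity” into a dollar range. Every number in it is constructed for illustration; the scenario name, class names, and the triangular distribution are my choices, not something the article specifies.

```python
"""Added example (not from the article): a simplified FAIR-style loss
exposure calculation, so that "threat activity increased the likelihood
of a PII compromise by 20-30%" can be turned into a dollar range.

Assumed model (FAIR taxonomy, simplified): Loss Event Frequency (LEF) =
Threat Event Frequency (TEF) x Vulnerability, and annual loss exposure =
LEF x Loss Magnitude. All numbers below are constructed, not real data.
"""
from dataclasses import dataclass
import random
import statistics


@dataclass(frozen=True)
class Estimate:
    """A calibrated estimate expressed as a min / most-likely / max range."""
    low: float
    likely: float
    high: float

    def __post_init__(self):
        if not self.low <= self.likely <= self.high:
            raise ValueError(f"bad range: {self.low}, {self.likely}, {self.high}")

    def scaled(self, factor: float) -> "Estimate":
        return Estimate(self.low * factor, self.likely * factor, self.high * factor)


@dataclass(frozen=True)
class Scenario:
    """A loss event scenario, e.g. 'cybercriminal compromise of consumer PII'."""
    name: str
    tef: Estimate             # threat events per year
    vulnerability: Estimate   # probability a threat event becomes a loss event
    loss_magnitude: Estimate  # dollars lost per loss event


def exposure_bounds(s: Scenario):
    """Absolute bounds of annual loss exposure: multiply the extremes."""
    low = s.tef.low * s.vulnerability.low * s.loss_magnitude.low
    high = s.tef.high * s.vulnerability.high * s.loss_magnitude.high
    return low, high


def simulate(s: Scenario, trials: int = 20_000, seed: int = 7):
    """Monte Carlo: draw each factor from a triangular distribution over its
    estimate and multiply, giving a distribution of annualized loss exposure.
    A fixed seed makes the run reproducible."""
    rng = random.Random(seed)
    draws = []
    for _ in range(trials):
        tef = rng.triangular(s.tef.low, s.tef.high, s.tef.likely)
        vuln = rng.triangular(s.vulnerability.low, s.vulnerability.high,
                              s.vulnerability.likely)
        lm = rng.triangular(s.loss_magnitude.low, s.loss_magnitude.high,
                            s.loss_magnitude.likely)
        draws.append(tef * vuln * lm)
    draws.sort()
    return {
        "mean": statistics.fmean(draws),
        "p10": draws[int(0.10 * trials)],
        "p50": draws[int(0.50 * trials)],
        "p90": draws[int(0.90 * trials)],
    }


def threat_change_delta(baseline: Scenario, factor: float, seed: int = 7):
    """Re-run the same scenario with TEF scaled by `factor` (1.25 = 25% more
    threat activity) and report how each summary statistic moved. The same
    seed is used for both runs so the delta reflects only the TEF change."""
    changed = Scenario(f"{baseline.name} (TEF x{factor})",
                       baseline.tef.scaled(factor),
                       baseline.vulnerability, baseline.loss_magnitude)
    before, after = simulate(baseline, seed=seed), simulate(changed, seed=seed)
    return {k: after[k] - before[k] for k in before}


# Constructed inputs for illustration only; these are not real figures.
PII_COMPROMISE = Scenario(
    name="Cybercriminal compromise of consumer personal data",
    tef=Estimate(2, 5, 10),
    vulnerability=Estimate(0.1, 0.3, 0.5),
    loss_magnitude=Estimate(50_000, 200_000, 500_000),
)

if __name__ == "__main__":
    lo, hi = exposure_bounds(PII_COMPROMISE)
    print(f"absolute bounds: ${lo:,.0f} .. ${hi:,.0f}")
    print("baseline:", simulate(PII_COMPROMISE))
    print("+25% threat activity, delta:", threat_change_delta(PII_COMPROMISE, 1.25))
```

The point of the percentiles (p10 / p50 / p90) rather than the absolute bounds is that the bounds multiply three extremes together and are almost never useful to an executive; the range between the 10th and 90th percentile is the kind of “between $500,000 and $1 million” statement the paragraph above describes, and the delta function shows how a change in one factor of the landscape propagates to that statement.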

Of course, that raises the question, “Can we measure infosec risk?” The short answer, despite what you may have heard or believe, is yes. In fact, we do it all the time.

Measurement is a prerequisite to prioritization, and you and I both know that we prioritize all the time. Unfortunately, given the inconsistency and ambiguity with which we approach infosec risk, we’re horrible at it. Here’s some bad news: at least 70% of the “high risks” I’ve examined in organizations over the past several years do not, in fact, represent high risk. This means that those organizations have a significant signal-to-noise problem and aren’t able to focus on the things that matter most. And if you think about it, the inability to prioritize effectively is a gift to the bad actors (as if they didn’t already have enough advantages) and a failure on our part as stewards of the resources we’re given.

The good news is that measuring infosec risk is not that hard once you’ve gotten your terms straight and when you leverage well-established methods and principles from other risk disciplines. Good sources of information on this include:

  • How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard and Richard Seiersen
  • Measuring and Managing Information Risk: A FAIR Approach by Jack Jones and Jack Freund

Every discipline we think of as mature today (math, medicine, physics, etc.) went through an early phase in which nobody could agree on fundamental terms or principles. In that sense, we’re in good company. But given today’s imperatives surrounding cyber and technology risk management, we do not have the luxury of decades to get our act together.


Jack Jones is one of the foremost authorities in the field of information risk management. As the Chairman of the FAIR Institute and Executive VP of Research and Development for RiskLens, he continues to lead the way in developing effective and pragmatic ways to manage and …
