Information Security Risk Quantification
Download as PPTX, PDF3 likes700 views
The document outlines a presentation on risk quantification, emphasizing the need for meaningful measurement, effective comparisons, and informed decision-making in risk management. It discusses various threats and biases in risk perception, as well as methodologies for quantifying risks and their financial implications. The results, derived from a comprehensive analysis involving multiple scenarios and data points, illustrate significant potential losses and key metrics related to risk.
Information Security Risk Quantification
- 1. RISK QUANTIFICATION FROM RAINBOWS TO DOLLARS 1
- 2. Disclaimer These slides and accompanying presentation represent the author’s opinions and experience and are not necessarily those of any organization, including his past, current or future employers. All results are illustrated using randomly generated data and therefore DO NOT reflect actual results nor disclose any organization’s sensitive or proprietary information. Please direct all concerns related to this material to the author via email at [email protected]. 2
- 3. Introduction • Joel Baese • Email: [email protected] • LinkedIn: https://www.linkedin.com/in/jbaese • ISACA member since June 2010, CRISC since July 2010 • 18 years in IT • Currently a Senior Manager II at Walmart building and leading the Information Security Tactical Risk Analysis team • GRC experience includes: • Quantitative risk analysis at Walmart, qualitative risk analysis at Raytheon; • Policy author and manager at Raytheon; • Information systems security officer for DoD programs up to and including Top Secret Special Access MBA BSIT 3
- 4. Overview The Challenge The Path The Result 4
- 5. The Challenge Meaningful measurement Effective comparisons Well-informed decisions Cost effective accurate risk management 5
- 6. Best Practice Risk Measurement 1. Cloud computing 2. Insider threat 3. External/third parties 4. Application vulnerabilities 5. Hardware vulnerabilities 6. Mobile malware 7. Social engineering 8. Organized crime 9. State sponsored attacks 10. Hacktivists 6 List adapted from: Jones, J. (2016). FAIR & RiskLens Executive Overview. Retrieved July 14, 2016, from FAIR Institute: http://www.fairinstitute.org/member-resources
- 7. How much risk is there? 7 Source: Jones, J. (2016). FAIR & RiskLens Executive Overview. Retrieved July 14, 2016, from FAIR Institute: http://www.fairinstitute.org/member-resources
- 8. How much risk is there? 8 Source: Jones, J. (2016). FAIR & RiskLens Executive Overview. Retrieved July 14, 2016, from FAIR Institute: http://www.fairinstitute.org/member-resources
- 9. How much risk is there? 9 Source: Jones, J. (2016). FAIR & RiskLens Executive Overview. Retrieved July 14, 2016, from FAIR Institute: http://www.fairinstitute.org/member-resources
- 10. How much risk is there? 10 Source: Jones, J. (2016). FAIR & RiskLens Executive Overview. Retrieved July 14, 2016, from FAIR Institute: http://www.fairinstitute.org/member-resources
- 11. Did we all mean the same thing? • What’s the asset? • What’s the threat? • What’s the threat vector? • What’s the control? • What’s the loss type? • What’s the vulnerability? • What’s the risk? 11 • The tire • The Earth • Gravity • The rope • Availability • The probability gravity > rope • The probability gravity overcomes rope resulting in loss combined with the probable resulting financial loss
- 12. Credit: Jack Jones for the example 12
- 13. Best Practice Risk Measurement 1. Cloud computing 2. Insider threat 3. External/third parties 4. Application vulnerabilities 5. Hardware vulnerabilities 6. Mobile malware 7. Social engineering 8. Organized crime 9. State sponsored attacks 10. Hacktivists 13 List adapted from: Jones, J. (2016). FAIR & RiskLens Executive Overview. Retrieved July 14, 2016, from FAIR Institute: http://www.fairinstitute.org/member-resources
- 14. Human Biases • We tend to exaggerate spectacular and rare risks and downplay common risks. • The unknown is perceived to be riskier than the familiar. • Personified risks are perceived to be riskier than anonymous risks. • We underestimate risks in situations we do control, and overestimate risks in situations we don't control. • We estimate the probability of something by how easy it is to bring examples to mind. 14The 5 Biggest Biases We Fall Victim To – Bruce Schneier • Cloud computing • Insider threat • External/third parties • Application vulnerabilities • Hardware vulnerabilities • Mobile malware • Social engineering • Organized crime • State sponsored attacks • Hacktivists
- 15. Risk is a reality and a perception 15
- 16. The Missing Ingredient Accurate Models Meaningful measurement Effective comparisons Well-informed decisions Cost effective accurate risk management 16
- 17. The Path 17
- 18. Probable Loss Event Frequency FAIR Ontology 18 Probable Loss Magnitude The probable magnitude and probable frequency of future loss Factor Analysis of Information Risk Productivity (P) Replacement (P) Response (PS) Fines and Judgments (S) Competitive Advantage (S) Reputation (S)
- 19. FAIR Process Stages of the Analysis Process 1. Identify Scenario Components (Scope the Analysis) Asset Threat Loss Event 2. Evaluate Loss Event Frequency (LEF) Threat Events Vulnerability 3. Evaluate Loss Magnitude (LM) Primary Loss Magnitude Secondary Loss Frequency Magnitude 4. Derive and Articulate Risk Source: Risk Analysis (O-RA) from The Open Group 19
- 20. The Project • 3 Months • 2 FTEs + ≈1 Contractor • Over 50 Scenarios • Over 100 SMEs • Over 500 Questions • Over 1,400 data points • To get to one number What is our risk? 20
- 22. Aggregate Average ALE By Environment Total: $3 Billion 22 All results are illustrated using randomly generated data and therefore DO NOT reflect actual results nor disclose any organization’s sensitive or proprietary information.
- 23. Potential Comprehensive Key Risk Metrics 𝐴𝑔𝑔𝑟𝑒𝑔𝑎𝑡𝑒 𝐴𝐿𝐸 𝐴𝑛𝑛𝑢𝑎𝑙 𝑅𝑒𝑣𝑒𝑛𝑢𝑒 $3 𝐵𝑖𝑙𝑙𝑖𝑜𝑛 $10 𝐵𝑖𝑙𝑙𝑖𝑜𝑛 30% 𝐴𝑔𝑔𝑟𝑒𝑔𝑎𝑡𝑒 𝐴𝐿𝐸 𝑀𝑎𝑟𝑘𝑒𝑡 𝐶𝑎𝑝 $3 𝐵𝑖𝑙𝑙𝑖𝑜𝑛 $5 𝐵𝑖𝑙𝑙𝑖𝑜𝑛 60% 23 All results are illustrated using randomly generated data and therefore DO NOT reflect actual results nor disclose any organization’s sensitive or proprietary information.
- 24. Potential Comprehensive Key Risk Metrics (continued) 𝐴𝑔𝑔𝑟𝑒𝑔𝑎𝑡𝑒 𝐴𝐿𝐸 ∝ 𝐿𝑜𝑠𝑡 𝐶𝑢𝑠𝑡𝑜𝑚𝑒𝑟 𝑉𝑎𝑙𝑢𝑒 $3 𝐵𝑖𝑙𝑙𝑖𝑜𝑛 Level of Impact % of customers lost Households Impacted Revenue Impact (Lost Customer Value) Significant 50.00% 500,000 $5 billion Major 25.00% 250,000 $2.5 billion Moderate 12.50% 125,000 $1.25 billion Minor 6.25% 62,500 $625 million Slight 3.13% 31,500 $315 million Avg value of a household: $10,000 Households: 1 million Major 24 All results are illustrated using randomly generated data and therefore DO NOT reflect actual results nor disclose any organization’s sensitive or proprietary information.
- 25. Top 10 25 All results are illustrated using randomly generated data and therefore DO NOT reflect actual results nor disclose any organization’s sensitive or proprietary information.
- 26. Aggregate ALE By Threats 26 All results are illustrated using randomly generated data and therefore DO NOT reflect actual results nor disclose any organization’s sensitive or proprietary information.
- 27. Aggregate ALE By Assets 27 All results are illustrated using randomly generated data and therefore DO NOT reflect actual results nor disclose any organization’s sensitive or proprietary information.
- 28. Materialized Areas of Loss (Aggregate) PrimaryLossesSecondaryLosses 28All results are illustrated using randomly generated data and therefore DO NOT reflect actual results nor disclose any organization’s sensitive or proprietary information.
- 29. Focus Adjustment for Future Analyses 29 All results are illustrated using randomly generated data and therefore DO NOT reflect actual results nor disclose any organization’s sensitive or proprietary information.
- 30. Lessons Learned • Challenges • Finding the right PoCs/SMEs • Significant difference in data request than what they were used to • Risk quantification skeptics • Significant data validation required due to basic definition differences • Ex. contact event vs. threat event vs. loss event • No established workflow process made tracking all the people and data inputs more difficult than it probably needed to be • Notes, notes, notes • Sources • Rationale • Know the model and definitions well 30
- 31. Additional Resources • The FAIR Institute • http://www.fairinstitute.org • The Open Group • Open FAIR Standards • http://www.opengroup.org/standards/security • The Society of Information Risk Analysts • https://societyinforisk.org • Measuring and Managing Information Risk A FAIR Approach • Authors: Jack Freund & Jack Jones • http://store.elsevier.com/product.jsp?isbn=9780124202313 31 My contact information: • Email: [email protected] • LinkedIn: https://www.linkedin.com/in/jbaese Special thanks to Jack Jones for allowing use of several of his slides and examples .
Editor's Notes
- #6: How close are we to employing meaningful measurement in our risk analysis? But let’s talk about how we measure risk today …
- #8: Let’s walk through a scenario together …
- #13: Now what if I told you the engineers who designed and built the ship had varying definitions of mass, weight, and velocity? Still want to go?
- #15: Schneier: "Newspapers repeat rare risks again and again. When something is in the news, it is, by definition, something that almost never happens. Things that are so common they stop becoming newsworthy -- like car accidents -- are what you need to worry about." Risk is a reality and a perception Confirmation bias Flashbulb Event = Significant Emotional Event
- #17: But what do we give them?
- #23: Random numbers generated between $1M and $2B rounded up to nearest $10M.