“All models are wrong, but some are useful…and some are measurably more useful than others.” – George Box with addendum by Doug Hubbard
Figure, briefly explained: a cloud breach risk model. It uses the NIST Cybersecurity Framework (NIST CSF)[1] functions and tiers as key inputs, forecasts control maturation over time and the value of that maturation in mitigating breach, and alerts on insurance limit overruns (exceedance).
Who This Series Is For
This is the first in a series of short articles on managing cybersecurity risk, with a quantitative bent. If you are a risk leader[2] tasked with building or overseeing a cybersecurity risk management program, this article is for you. Individual contributors will also find this introduction and the articles that follow of high interest.
This series is informed by research I performed for my books[3] and by work over the past couple of decades as a practitioner and leader. I’ve been lucky enough to work alongside many generous and brilliant people. Because of this, I feel obligated to share what is always work in progress.
I look forward to getting your feedback and collaborating to mature the practice of cybersecurity risk management. It takes a village.
A Rapid Intro To The Key Parts of Cybersecurity Risk Management
The first part of cybersecurity risk management is measurement.
Measurement dominates cybersecurity risk management. It’s like gas for a car or blood for the body.
Measurements fall into two high-level categories. The first category is impact, which we model as money. In risk management, we prefer a range of impacts to a single point estimate. Ranges can be quite large (spanning millions of dollars) given the size of the value at risk and our uncertainty about it.
The second measurement category is likelihood. In this context, likelihood means the probability of some event occurring. Probabilities in cybersecurity risk management can be derived empirically (from data) or subjectively (from expert judgment).
I’m going to assume that eliciting probabilities from subject matter experts (SMEs) is a new topic for some readers. It is a commonplace practice in cybersecurity risk management and was a primary subject of my first book.[4] My co-author Doug Hubbard has been writing, researching and consulting on this topic for over a quarter-century. A more recent book that covers expert elicitation is “Noise: A Flaw in Human Judgment”[5] by Daniel Kahneman, Olivier Sibony and Cass Sunstein. Kahneman won the Nobel Memorial Prize in Economic Sciences in 2002 for his work on judgment and decision-making under uncertainty.
It is here that I will provide my favorite quote on probability, from Bruno de Finetti: “Probability does not exist.”[6] All probabilities (in our use case) are measures of our uncertainty. They are used here as forecasts about uncertain future events, a future that in the strictest sense does not exist other than in our minds.
Measurement’s job is informing decisions
This holds whether the decision is made by a person or by an automated system. But what is a decision? According to Professor Ron Howard, the grandfather of decision science, a decision is “an irrevocable allocation of resources.” That’s a fancy way of saying a decision results in some form of expenditure.
Practitioners may quip, “Then what is risk acceptance? There is no resource allocation when you accept risk!” Howard would likely call risk acceptance “worry”:
“Concern without the ability to make decisions is simply ‘worry.’ It is not unusual in practice to encounter decision problems that are really worries. Exposing a decision problem as a worry may be very helpful if it allows the resources of the decision-maker to be devoted more profitably to other concerns.”[8]
The second part of cybersecurity risk management is mitigation.
Which risks to mitigate, and to what extent, is a function of measurement. The goal is maximizing the return on dollars spent reducing probable future loss. In layman’s terms, we want the biggest bang for our security buck. You would use forecasted return on controls to rank order the acquisition and deployment of mitigations.
The third part of cybersecurity risk management is transfer.
Transfer in this context is the domain of cyber insurance. The goal of risk transfer is to work in conjunction with mitigations to keep risk within tolerance. That is a fancy way of saying you want to be sure you keep the business thriving in the face of cybersecurity disruptions.
Transfer is fast to deploy – mitigations aren’t.
Mitigations are composed of slow to acquire and often slow to deploy people, process and technologies. Conversely, you can turn insurance on in days, sometimes less.
Mitigations prevent and lessen impact – transfers don’t.
Transfer covers impact once it’s occurred. Without mitigations, you will continue to disrupt business and eventually tap out your insurance limits. You need both mitigation and transfer.
Effective cybersecurity risk management optimizes the spend on mitigation and transfer with the goal of avoiding or reducing business disruption (i.e. keeping risk within tolerance).
As stated, this piece is only the first in a series of short articles on cybersecurity risk management. Below is an outline of a few of the topics I will be tackling in no particular order.
Picking Your Perils
This article will focus on a modular – peril-based – approach to building out your cybersecurity risk management practice. Perils are things you are worried about like ransomware, business email compromise and the like. I will focus on concepts of reuse and integration between risk modules.
Measuring Controls Coverage, Configuration And Efficiency
Measuring security operations is core to cybersecurity risk management. This article will provide a framework for operational security metrics.
The Likelihood Of Loss
This article will provide an overview of how likelihoods are developed in cybersecurity risk management. I will lean heavily on my first book’s material.
Measuring Value At Risk
This article will discuss how to model various impacts like data breach, business interruption, and the like. Impacts will be measured in dollars.
Maximizing Return On Controls
This article will demonstrate how to rank order the acquisition and deployment of controls based on forecasted returns. Return on control is a function of the likelihood of loss, efficiency of controls, and value at risk.
Alerting On Tolerance Exceedance
The first step in cybersecurity risk operationalization is alerting. Alerts are a function of risk tolerance and its actual (or potential) exceedance. Getting in front of risk tolerance exceedance is key to mitigating its occurrence and avoiding disruption to the business.
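As an added example (not code from the article), here is a small Python model that ties together the measurement, return-on-control and exceedance-alerting ideas above: impact as a 90% confidence interval mapped onto a lognormal distribution, likelihood as an annual probability, return on control as (reduction in expected loss minus cost) over cost, and a Monte Carlo annual-loss distribution checked against a risk tolerance and an insurance limit. The perils, probabilities, dollar ranges, control effects and costs are all constructed for illustration; the lognormal choice and the return-on-control formula are this example's assumptions, not the article's specification.

```python
# Added example (not the article's own code): a toy quantitative cyber-risk model.
# Impact is a dollar range (90% CI on a lognormal), likelihood an annual probability,
# and the two combine into annualized expected loss (AEL). Return on control and a
# tolerance / insurance-limit exceedance alert are built on top. All numbers are constructed.
import math
import random
from dataclasses import dataclass

Z90 = 1.6448536269514722  # standard-normal z for a two-sided 90% interval (5th/95th pct)

@dataclass(frozen=True)
class Peril:
    name: str
    annual_probability: float  # likelihood: chance of a loss event in a given year
    impact_low: float          # 5th percentile of loss in dollars (90% CI lower bound)
    impact_high: float         # 95th percentile of loss in dollars (90% CI upper bound)

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    probability_reduction: float  # fraction of annual probability removed, 0..1
    impact_reduction: float       # fraction of each loss removed, 0..1

def lognormal_params(low, high):
    """Turn a 90% CI (5th and 95th percentiles) into lognormal mu and sigma."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma

def expected_impact(peril):
    """Mean of the lognormal impact distribution, in dollars."""
    mu, sigma = lognormal_params(peril.impact_low, peril.impact_high)
    return math.exp(mu + sigma ** 2 / 2)

def annualized_expected_loss(peril):
    """Likelihood times impact: the single-number summary of a peril's risk."""
    return peril.annual_probability * expected_impact(peril)

def apply_control(peril, control):
    """The peril once the control is in place (scaling a lognormal keeps it lognormal)."""
    keep = 1 - control.impact_reduction
    return Peril(peril.name, peril.annual_probability * (1 - control.probability_reduction),
                 peril.impact_low * keep, peril.impact_high * keep)

def return_on_control(peril, control):
    """(reduction in expected loss - cost) / cost; negative means the control loses money."""
    reduction = annualized_expected_loss(peril) - annualized_expected_loss(apply_control(peril, control))
    return (reduction - control.annual_cost) / control.annual_cost

def rank_controls(peril, controls):
    """Rank order acquisition by forecasted return, highest first."""
    return sorted(controls, key=lambda c: return_on_control(peril, c), reverse=True)

def simulate_annual_loss(perils, trials=20000, seed=7):
    """Monte Carlo: one Bernoulli draw per peril per year, lognormal impact when it fires."""
    rng = random.Random(seed)
    params = [(p, *lognormal_params(p.impact_low, p.impact_high)) for p in perils]
    losses = []
    for _ in range(trials):
        total = 0.0
        for p, mu, sigma in params:
            if rng.random() < p.annual_probability:
                total += rng.lognormvariate(mu, sigma)
        losses.append(total)
    return losses

def exceedance_probability(losses, threshold):
    """Fraction of simulated years whose total loss exceeds the threshold."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)

def analytic_exceedance(peril, threshold):
    """Closed form for a single peril, used to sanity-check the simulation."""
    mu, sigma = lognormal_params(peril.impact_low, peril.impact_high)
    z = (math.log(threshold) - mu) / sigma
    return peril.annual_probability * 0.5 * math.erfc(z / math.sqrt(2))

def tolerance_alerts(losses, tolerance, insurance_limit, max_probability):
    """Alert when the chance of exceeding tolerance or the insurance limit is above what the business accepts."""
    p_tol = exceedance_probability(losses, tolerance)
    p_lim = exceedance_probability(losses, insurance_limit)
    return {"p_exceed_tolerance": p_tol, "alert_tolerance": p_tol > max_probability,
            "p_exceed_insurance_limit": p_lim, "alert_insurance_limit": p_lim > max_probability}

# Constructed inputs: SME-elicited likelihoods and 90% CIs, invented for this example.
RANSOMWARE = Peril("ransomware", 0.10, 500_000, 10_000_000)
BEC = Peril("business email compromise", 0.30, 50_000, 1_000_000)
CONTROLS = [
    Control("EDR plus offline backups", 150_000, 0.30, 0.50),
    Control("phishing-resistant MFA and training", 40_000, 0.20, 0.00),
    Control("awareness posters", 20_000, 0.02, 0.00),
]

if __name__ == "__main__":
    print(f"ransomware AEL: ${annualized_expected_loss(RANSOMWARE):,.0f}")
    for c in rank_controls(RANSOMWARE, CONTROLS):
        print(f"  {c.name:36s} return on control {return_on_control(RANSOMWARE, c):+.2f}")
    losses = simulate_annual_loss([RANSOMWARE, BEC])
    print(tolerance_alerts(losses, tolerance=1_500_000, insurance_limit=5_000_000, max_probability=0.05))
```

Run as written, the controls come out ranked by forecasted return, with the posters showing a negative return (a decision not to buy), and the alert fires on the $1.5M tolerance but not on the $5M insurance limit. The analytic_exceedance() function lets you check the simulation against the closed form for a single peril before trusting it on the combined portfolio, which is the kind of model check a risk leader should ask for before acting on an exceedance alert.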
Turning Worries into Decisions
What masquerades as “risk acceptance” may be “risk buildup.” This article will explore how to untangle worry from what is actionable in terms of transfer or mitigation.
Closing Thoughts: Community Matters
As time allows I will cover additional topics. Ideally, ideas that may come directly from you – the cybersecurity risk management community.
To that end, I want to hear what people are working on in this space. What is vexing for you? What is working well?
Along the way I plan on releasing a few tools to the community. Nothing beats taking something for a spin operationally – putting your hands on a thing and seeing it work.
If participating in making community tools or participating in research interests you, feel free to email me: email@example.com
About the Author
Chief Risk Officer
Richard Seiersen is the Chief Risk Officer at Resilience. Prior to joining Resilience in 2021, Seiersen was the co-founder and president of Soluble – a cloud security company sold to Lacework in October 2021. He was previously the Chief Information Security Officer of Twilio, GE Healthcare, and Lending Club. He’s also the co-author of “How To Measure Anything In Cybersecurity Risk” (July 2016) and author of “The Metrics Manifesto: Confronting Security with Data” (March 2022).
[2] CISO, CFO, CRO, GC, CIO, etc.
[3] How To Measure Anything In Cybersecurity Risk (Wiley, 2016) and The Metrics Manifesto: Confronting Security With Data (Wiley, 2022)
[4] How To Measure Anything In Cybersecurity Risk (Wiley, 2016)
[5] Noise: A Flaw in Human Judgment (Little, Brown Spark, 2021)
[8] Readings on the Principles and Applications of Decision Analysis (Strategic Decisions Group, 1983)