Cybersecurity Risk Management Transformed...
Loss Exceedance Curve Chart: Probability of risk reduction in dollars of 3 alternative control investments compared to the baseline

... from a compliance requirement to a decision-support process for prioritizing and justifying control* investments.

Link the technical analysis of control effectiveness to the reduction of business risk in terms of dollars.

Updated April 10, 2023

Traditional “risk management” exercises have been of limited value to cybersecurity teams who see it mostly as an effort to meet a compliance requirement. Compliance does not assure security – and neither compliance frameworks nor maturity models address the difficult control investment trade-offs that need to be made due to limited budgets and resources.

Simply identifying risks, then prioritizing and choosing among the traditional treatment options – accept, avoid, transfer, or mitigate – does not go far enough. In cyber, unlike other risk domains, critical risks must invariably be mitigated.

I will discuss this in more detail below. I will also discuss the specific difficulties of cyber risk management, the complexities of mitigation, and the need for a formal decision-support process and tools to help optimize cybersecurity budgets in the context of cyber risks.

The difficulties of cyber risk management

The difficulties of cyber risk management fall into two broad categories:

(1) Understanding (through quantification and visualization):

  • Potentially thousands of overlapping and interleaved paths into and through your organization available to adversaries.
  • A control’s contribution to overall cyber posture, which may be very different from the control’s effectiveness when evaluated individually.
  • Ranking currently deployed controls’ contributions to overall cyber posture.
  • Comparing alternative control investments' contributions to risk reduction.

(2) Communicating to leadership (in dollars):

  • The uncertainty of severe (long-tail) loss events that can happen in the future.
  • The probability of lost revenue and/or costs, in dollars, of loss events at the organization’s current (baseline) cyber posture. This requires connecting the effectiveness of currently deployed controls to business risk.
  • Comparison of alternative cyber control additions and/or changes based on business risk reduction in dollars. This also requires connecting the likely technical effectiveness of control changes to risk reduction in dollars.

Identifying cyber risks

Identifying cyber risks is actually rather straightforward when risk is defined in terms of loss events that either result in lost revenue or added expenses. So a hacked web server is not itself a risk, because there is no business loss event. There are surely loss events (risks) that can result from a hacked web server. One possible risk is cryptomining, which diverts processing resources to the attacker. Another would be the attacker pivoting from the compromised web server to a critical database server and encrypting files, which prevents your organization from taking orders from customers.

Here are the top risks we most often encounter:

Ransomware is currently almost always top of mind because it results in lost revenue due to key business processes being disrupted. No need to dwell on soft costs here. Hard dollars are lost until the organization recovers.

Theft of intellectual property (by an insider or outsider) may not have the immediate impact of a ransomware attack but can negatively impact revenue and profits in the long term. However, for insider theft, there is legal recourse available when discovered after the fact.

Liability due to privacy data breach. While no longer the pre-eminent cyber risk, given the ransomware epidemic, disclosure of PII, PHI, or PCI data can still lead to heavy losses from legal settlements and/or regulatory enforcement.

Non-compliance in highly regulated industries can result in the revocation of contracts or services (like processing credit cards), or costly regulatory enforcement actions. In addition, many organizations will only do business with vendors who are SOC 2 accredited or ISO 27001 certified.

Business email compromise (BEC) is a serious issue as well in the context of the total amount of dollar losses reported per year. But for an individual organization, the probability of a material loss due to BEC is generally much lower than for business disruption due to ransomware.

Prioritizing cyber risks

Identifying and prioritizing cyber risks can be a time-consuming process. But there’s an important insight to take into consideration: different loss events have largely overlapping threat sequences and attack paths. For example, the attacker tactics and techniques that result in ransomware (encrypt files for impact) and in sensitive data exfiltration are 95% the same. In fact, both are often done at the same time by the same attacker – double extortion!

Put another way, whether an attacker’s objective is data encryption, exfiltration, or alteration, the tactics and techniques leading up to that objective are largely interchangeable.

As a result, management and mitigation strategies tend to be common among the principal risk categories and a precise prioritization or quantitative triage among them is less important.

Treatment options

Let’s turn to treatment options. For cyber risks, the choices narrow.

Avoidance means foregoing a business function – such as building a new application or expanding into a new geography – to avoid its associated risks. Of course, the resulting foregone revenue opportunity cost must be measured against the corresponding mitigation expense, which means that mitigation options must be examined.

Normally, however, avoidance is out of the question unless you disconnect from the Internet. The reality is that organizations are exposing more functionality to the Internet by way of “digital transformation.” The organization’s attack surface is therefore increasing, not shrinking.

Transference by way of insurance is an important component of risk management. However, cyber insurance companies are now demanding evidence of cyber posture diligence before they are willing to issue policies. Effective risk mitigation is a prerequisite for insurance coverage, not an alternative to it.

Acceptance is just an aspect of mitigation; they are points on the same spectrum. An organization may be able to accept (i.e., self-insure against) a risk up to a threshold loss amount, but beyond that point mitigation is required. Severe (long-tail) loss events like ransomware and others mentioned above require a robust, mature cybersecurity program, especially when your organization’s attack surface is increasing due to digital transformation.

Mitigation therefore is the primary component of cyber risk management.

Furthermore, expressing risk in dollars is critical because business leadership sets cybersecurity budgets. Cyber risk is just another long-tail risk that leadership manages. More on this toward the end of this article.

Cyber risk mitigation

Mitigation decision-making is challenging due to the complexity of cybersecurity.

First, there are thousands of attack paths into and through an organization from which adversaries can choose. You need to determine which paths are weak. To get an idea of how we model this, here is a partial example just showing a few Initial Access methods, some of the paths through the organization (left to right), and two loss event types – encrypt for impact and sensitive data exfiltration.

Monaco Risk Attack Graph - Threats enter on the left and move through the organization left to right.

Second, a control’s contribution to overall cyber posture may be much less than its effectiveness when tested individually because (a) the control is on a path that does not see many threats, and/or (b) it sits on an attack path with other strong controls that already stop most of the threats before they reach it.

Third, organizations vary widely in strategic goals, culture, and existing investments in cybersecurity. Therefore, rigid checklists and cookie-cutter cybersecurity recommendations can result in suboptimal risk reduction decisions.

Therefore, a process and supporting software are needed that can be quickly customized to (a) determine an organization’s critical path weaknesses, (b) rank the contributions of its deployed controls to overall cyber posture, and (c) run what-if scenarios to estimate the effectiveness of alternative control changes, subtractions, and/or additions.
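As an added illustration of point (b) above, here is a small leave-one-out ranking over a constructed attack-path model. It is example code written for this article page, not Monaco Risk's software or graph; the paths, threat volumes and block rates are made-up inputs. Each path carries an annual volume of threats and a chain of controls; a threat must get past every control on its chain, so a control's contribution to overall posture is the number of extra successful attacks per year the organization would see if that control were removed. The output shows why a control's individual block rate and its contribution to posture can diverge: MFA has the highest individual block rate in the model but ranks only third because its path sees few threats.

```python
from math import prod

# Constructed inputs (added example; not the article's or Monaco Risk's data).
# Individually measured block rate of each control: the fraction of threats it
# stops when tested on its own.
CONTROLS = {
    "secure_email_gateway": 0.70,
    "security_awareness":   0.40,
    "mfa":                  0.90,
    "endpoint_agent":       0.80,
    "waf":                  0.60,
    "db_segmentation":      0.85,
}

# Each path: (label, threats entering per year, controls traversed in order).
PATHS = [
    ("phishing -> workstation -> encrypt for impact", 120.0,
     ["secure_email_gateway", "security_awareness", "endpoint_agent"]),
    ("credential stuffing -> VPN -> encrypt for impact", 40.0,
     ["mfa", "endpoint_agent"]),
    ("web app exploit -> server -> data exfiltration", 15.0,
     ["waf", "db_segmentation"]),
    ("removable media -> workstation -> encrypt for impact", 2.0,
     ["security_awareness", "endpoint_agent"]),
]


def expected_successes(controls, paths, disabled=frozenset()):
    """Expected successful attacks per year summed over all paths.

    A disabled (removed) control blocks nothing. Otherwise a threat survives a
    control with probability (1 - block rate), independently per control, so the
    survival rate of a path is the product over its remaining controls.
    """
    total = 0.0
    for _label, threats, chain in paths:
        survive = prod(1.0 - controls[c] for c in chain if c not in disabled)
        total += threats * survive
    return total


def rank_controls(controls, paths):
    """Leave-one-out contribution of each deployed control to overall posture:
    extra successful attacks per year if that single control were removed.
    Returns (baseline successes/year, [(control, contribution), ...] descending)."""
    baseline = expected_successes(controls, paths)
    contrib = {c: expected_successes(controls, paths, {c}) - baseline for c in controls}
    ranking = sorted(contrib.items(), key=lambda kv: kv[1], reverse=True)
    return baseline, ranking


if __name__ == "__main__":
    base, ranking = rank_controls(CONTROLS, PATHS)
    print(f"baseline posture: {base:.2f} successful attacks/year")
    for name, delta in ranking:
        print(f"{name:22s} individual block rate {CONTROLS[name]:.0%}"
              f"  +{delta:.2f} attacks/year if removed")
```

Reading the ranking alongside the block rates is the point: the endpoint agent ranks first because it sits on three paths that together carry most of the threat volume, while database segmentation (block rate 85%) and the WAF rank low because the server path sees comparatively few threats. The same leave-one-out computation, applied to a candidate control that is not yet deployed, becomes the what-if analysis of point (c).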

Final thought on mitigation. It’s about reducing the likelihood (left of boom) as well as the magnitude (right of boom), i.e., costs of an incident when it does occur. Graphing attack paths and controls that can block threats is left of boom. These include controls such as anti-phishing email security, security awareness training, multifactor authentication, and endpoint anti-malware agents.

In the context of ransomware risk, controls that affect magnitude include incident response planning and recovery controls such as secure data backups and the ability to completely rebuild the affected application/service and supporting infrastructure automatically via code.

Calculating risk in dollars using Loss Exceedance Curves

But this does not go far enough. The risk reduction analysis of alternative control investments must be calculated in dollars in order to communicate with leadership teams who set cybersecurity budgets.

Leadership teams are not interested in hearing about an increased cadence of patching, or an increased percentage of employees and contractors using multifactor authentication, unless those efforts can be translated to risk reduction in dollars. More on this in a future article.

Presenting a risk as a single number or a color does not give leadership a true picture of the risk of a loss event like ransomware. Severe events are inherently less likely and less frequent than moderate or minor events.

Hence risk must be presented in terms of expected loss (or business impact) at various levels of probability. Reducing a risk to a single number fails to convey the uncertainty, and tends to downplay a material risk.

AccuWeather's approach to weather predictions is an example of how probability and impact can be shown together to communicate risk.

AccuWeather forecast showing probability of different ranges of snowfall.


Loss Exceedance Curves (LECs) give leadership teams the opportunity to decide how much cyber risk the organization is willing to accept and to show the impact of alternative control investments on risk reduction. At any point along an LEC, you see the probability (vertical axis) that a loss event will exceed a dollar amount (horizontal axis).

Here is an example comparing Baseline values, i.e., currently deployed controls, to three alternative investments – High-end Workstation agent, Secure Email Gateway, and combining the high-end agent with the secure email gateway:

Loss Exceedance Curve chart comparing baseline to 3 new control investments.

What's interesting about this LEC chart is that Scenario 3, the combination of high-end workstation agent and secure email gateway, does not reduce risk by very much compared to the high-end workstation agent by itself. This is because these two controls are on the same attack path for most of the threats to this organization. This is confirmed by Monaco Risk's Cyber Defense Graph, which visually shows the paths threats take into and through an organization.
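To make the LEC reading concrete, here is an added Monte Carlo example that reproduces the shape of the comparison above (baseline, agent, gateway, both) on constructed inputs. It is example code for this page, not the chart's data or Monaco Risk's model. Two made-up paths both end in encrypt-for-impact at the workstation: the email control sits only on the phishing path, while the workstation agent sits on both. The annual frequency of loss events under each scenario is derived from the path block rates, each year's loss is the sum of a Poisson number of events drawn from a lognormal severity (median and spread are assumptions), and each point on the LEC is simply the fraction of simulated years whose loss exceeds a dollar amount.

```python
import math
import random

# ---- Constructed inputs (added example; not the article's chart data) ----
# Threats per year that would succeed on each path with NO controls in place.
#   path A: phishing e-mail -> workstation -> encrypt for impact
#   path B: web drive-by    -> workstation -> encrypt for impact
THREATS = {"A": 3.0, "B": 2.0}

# Block rates of the controls on each path under each scenario. The e-mail
# control is only on path A; the workstation agent is on both paths.
SCENARIOS = {
    "baseline (basic filtering + basic AV)": {"A": [0.50, 0.60], "B": [0.60]},
    "1: high-end workstation agent":         {"A": [0.50, 0.95], "B": [0.95]},
    "2: secure email gateway":               {"A": [0.90, 0.60], "B": [0.60]},
    "3: agent + secure email gateway":       {"A": [0.90, 0.95], "B": [0.95]},
}

# Assumed severity of one ransomware event: lognormal, median $800k, sigma 1.0
# (a heavy right tail, which is what makes single-number risk misleading).
SEVERITY_MEDIAN = 800_000.0
SEVERITY_SIGMA = 1.0


def annual_frequency(scenario):
    """Expected successful loss events per year: sum over paths of
    threats * product of (1 - block rate) for the controls on that path."""
    lam = 0.0
    for path, threats in THREATS.items():
        survive = 1.0
        for block in SCENARIOS[scenario][path]:
            survive *= 1.0 - block
        lam += threats * survive
    return lam


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lam, trials=20_000, seed=7):
    """Monte Carlo: loss for one simulated year = sum of its event severities."""
    rng = random.Random(seed)
    mu = math.log(SEVERITY_MEDIAN)
    losses = []
    for _ in range(trials):
        n = poisson(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, SEVERITY_SIGMA) for _ in range(n)))
    return losses


def exceedance_probability(losses, x):
    """One point on the LEC: probability that the annual loss exceeds x dollars."""
    return sum(1 for v in losses if v > x) / len(losses)


def loss_at_exceedance(losses, p):
    """Inverse reading of the LEC: the loss level exceeded with probability p."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int((1.0 - p) * len(ordered)))
    return ordered[idx]


def compare_scenarios(x_dollars=1_000_000.0):
    """Per scenario: (events/year, frequency reduction vs baseline, P(loss > x))."""
    base = annual_frequency("baseline (basic filtering + basic AV)")
    result = {}
    for name in SCENARIOS:
        lam = annual_frequency(name)
        losses = simulate_annual_losses(lam)
        result[name] = (lam, 1.0 - lam / base, exceedance_probability(losses, x_dollars))
    return result


if __name__ == "__main__":
    for name, (lam, red, p_1m) in compare_scenarios().items():
        print(f"{name:40s} events/yr {lam:.3f}  reduction {red:6.1%}  P(loss > $1M) {p_1m:.1%}")
```

With these inputs the agent alone cuts the event frequency by 87.5% and adding the gateway on top of it only reaches 91.8%, because once the agent stops 95% of threats on the phishing path there is little left on that path for the gateway to block; the gateway alone, by contrast, leaves the drive-by path untouched. Plotting `exceedance_probability` over a grid of dollar amounts for each scenario gives the four curves of an LEC chart, and `loss_at_exceedance(losses, 0.10)` answers the leadership question "what loss do we face with 10% probability in a year?"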

To summarize:

For a risk management process to be useful to cybersecurity teams as well as leadership teams it must be designed specifically for cybersecurity with the following capabilities:

  • Provides a formal process that analyzes deployed controls’ contributions to overall cyber posture.
  • Can use as input the results of penetration testing and/or Breach and Attack Simulation tools.
  • Supports decision-making for choosing among alternative control investments by showing risk reduction in dollars using Loss Exceedance Curves.

How do you use risk management? Does it meet your cybersecurity needs?

*Control, as we use it, refers to any technical or administrative effort to improve cyber posture. Therefore controls include, but are not limited to, configuration hardening, patching, security awareness training, separation of duties, incident response planning, as well as technical controls like firewalls, anti-malware, multifactor authentication, SIEMs, secure backups, and automatically rebuilding applications and infrastructure from code. Put another way, anything you have control over that improves cyber posture.

This article was written with Jim Lipkis, CEO and co-founder of Monaco Risk Analytics.

Eli Migdal

Making Cyber Clear to the C-suite || zero bullsh*t approach || Self-Proclaimed Cyber Security Guru || vCISO || Investor (in real people without the VC crap)

2 years ago

Great post !!!

Maximillion Disla

Program Integrator

2 years ago

This post is outstanding. My only input would be the use of the word "traditional." The traditional risk management using math and science that's been around for 300+ years is the REAL traditional risk management. The compliance-based qualitative stuff has only been around since the 1970s.
