The security controls problem space

Over the last few years my career has pivoted from designing security solutions to consulting on security operations, Threat informed defence and security testing strategies. I went down a self indulgent rabbit hole last year completing Red Team courses and Capture The Flag exercises to which I thoroughly enjoyed but it was only to understand how threat actors do their tradecraft, I am no Red Teamer! I realised at some point (can't remember when) that I was missing something. I could never join the dots between all these security solutions I was advocating and their measurable effect on risk reduction. I would say things like "an effective MDR solution that is regularly tested and maintained will deliver tangible risk reduction" with no deeper knowledge of the risk side of the equation to back that statement up. Was I lying to myself? no, I just didn't have any method or academic acumen to point to or reference, that helped with articulating how security risk can be measured and therefore demonstrably reduced.

The big debate about security risk....

There is a big debate in the security community going on about the utility of current methods to measure security risk. Qualitative risk assessments, risk registers, low-medium-high scores and Likelihood x Impact calculations are proving to be as good as finger in the air educated guesses and religious arguments over likelihood, impact and ordinal values Low High Medium are killing the spirit. This is a big problem, because if we can't articulate security risk in a measurable and consistently accurate way to board directors (that is not biased or lacking evidence) who are challenged with where to invest against competing strategic priorities, then we have no chance of been taken seriously, nor should we. But we should not be hard on ourselves because measuring security risk is only in the dark ages because 'Cyber' is still in it's infancy compared to Insurance, healthcare and military risk quantification disciplines that have evolved over decades/centuries. Our industry has been technology focused for over a decade but not very much else.

Enter the pioneers

There are some who think that security risk is so useless in it's current methods of measurement that it should be left to Enterprise Risk Management analysts to own, however that does not seem to be going too well either judging by industry research. The apathy toward security risk measurement is increasing and some say it's too hard to measure because a data breach or external threat actor attack on an organisation is too random, we don't have enough sample data and we are not data scientists nor risk modelers, we, as security professionals, are only focused on protecting the business's capability to create and retain it's value. I find myself agreeing with that sentiment more because there was lacking counter evidence to challenge this opinion. That is, until I started researching the FAIR Institute approach to Security Risk Quantification. Admittedly, I knew of the FAIR (Factor Analysis of Information Risk) model but I never had the time to look into it more deeply. I'm now a member of the FAIR Group, currently around 15k members globally.

The most interesting aspect of FAIR, to me, is the FAIR CAM (Controls Analytics Model) because this is the domain that is most complex to measure risk, plus, it's where my skill set lives, designing defence in depth security controls is my wheelhouse. Here is the FAIR institute's summarised overview of FAIR CAM

The FAIR Controls Analytics Model (FAIR-CAM?) provides a rigorous description of how the risk management controls landscape works. It achieves this by describing the controls landscape as a complex set of interdependent functions that act as a system in the management of risk. This is analogous to how human physiology describes the way in which the different parts of the body operate as a system. This “controls physiology” view fills a void in how risk management has historically been practiced, which has focused almost exclusively on the parts of the system (the controls) versus how those parts operate as a system.

This controls physiology model complements, rather than displaces, frameworks such as ISO27001, NIST CSF, NIST 800-53, HITRUST CSF, etc. In fact, when combined with control frameworks such as those, as well as the FAIR model for risk measurement, FAIR-CAM enables much more reliable measurement, analysis, forecasting, and empirical validation of control efficacy and value.

That summary was music to my ears! we know from incident reports and breach investigations that it is so often the case that a Data breach or harmful violation to a business, orchestrated by a threat actor, is more often than not a failure of a process or a human decision to take action, because not enough data (or poor data) was available to take the right decision, or, they may not have been motivated to consider security as a priority, or, technology alone was expected to deliver risk reduction with unqualified and unmotivated staff. there are so many variables that can act as a combined domino effect leading to a system failure that results in a 'Loss event' and it's all in the security controls space.

Using FAIR CAM as a diagnostic tool

The FAIR Institute's work on the FAIR CAM model is still work in progress but at the very least I have found that it provides a structured ontology to diagnose problems or gaps or identify root cause analysis of security controls, process, people problem spaces that directly or indirectly drive security risk up or down. You also can use it as an audit tool against enterprise security architecture or go deeper into defining KRI & KPI metrics which is dependant on data and knowing the business's risk appetite (risk appetite is contentious, often hard to articulate, so best to think of it as how much loss or harm a business is willing to accept)

Some may balk at this scientific approach but I welcome it because in reality it's not that scientific, it is a logical problem solving model that stretches all the way across security and risk functions and joins them up like a jigsaw puzzle and you can visualise it as a giant control panel that contains dials that when turned up or down or switched off, effect the big flashing Meter called 'current risk state'. At scale this will require software to maintain and track security controls risk and effectiveness in Realtime, which as far as I'm aware is in the market albeit at early maturity (I won't list vendors). in addition, AI can construct the model but that is years away because the all important security data we have access to that feeds the model is vast but not much of it is useful or actionable on it's own, hence humans needed to interpret it with the aid of tools and expertise.

Whilst FAIR CAM uses it's own terminology which can be a challenging to remember there is nothing stopping practitioners substituting with their own terminology where it makes sense and also I'm not sure security professionals should scope in risks such as Floods and Acts of god anymore as these are not within our control or influence and belong in Business continuity world, but this is trivial. The full description of FAIR CAM is available to members and to date there is another paper on example use cases albeit quite high level. As it is only 2 years in the making, we will have to be patient but the work that has gone into it so far is of exceptional value and is starting to fill that void where there is no consistent and accurate method to measure security controls' effect on risk.