The Value-at-Risk Challenge

The value-at-risk mathematical function is a risk model that has been widely adopted by the financial services industry, referring to the trade-offs between value gained and the potential risks assumed when evaluating a deal.

A good example in the IT space might be the migration of assets into a public cloud environment. Such a migration could result in significant loss of visibility and control of the information assets, but will definitely result in substantially lower cost. The question is what additional cost is associated with increased security over those assets and how will that investment affect the ultimate risk alignment.

Generally, there are three components involved with the value-at-risk model: risk appetite, vulnerability, and asset value. The challenge is to objectively evaluate the value of the assets at risk, the present danger of the risk materializing combined with the exposure of the assets to that risk (vulnerability) and the overall appetite for risk among the stakeholders.

Assuming you want to do this (and you should), when evaluating your company’s assets, you will need to include both tangible assets like infrastructure (network and hardware), systems or production capabilities, and intangible assets like Intellectual Property, personal and sensitive customer data, reputational impact and damage to the brand.

The value of these assets is determined by estimating the costs associated with the actual hardware, network components and software if damaged, the quantified time and effort required to recover, restore and reconstruct, the actual third party costs associated with reconstructing lost data, providing credit reporting services for at least a year for all affected customers, liability insurance loss cap costs and the requisite public relations and corporate communications campaigns which may be necessary to limit and recover reputational damage and impact to your stock price, supplier, partner and customer relationships overall.

A public breach can instantly become the equivalent of a slip of phrase from a professional athlete that causes the loss of all endorsement contracts, speaking engagements, representational contracts and associated income. Everyone is susceptible regardless of how big or small, rich or poor in assets, and seemingly inconsequential on the surface.

Estimating these costs is tricky and most people wildly under-calculate. Realistic scenarios are to be found at Target and Sony where perhaps in the former case it didn’t dawn on anyone that Target would be footing the bill for what may end up being a lifetime of complimentary credit background services for every customer, past present and future. And, in the latter case, it probably didn’t occur to anyone that executive emails would be made public which turned out to be career devastating for several key people including the CEO, who had a phenomenal track record of performance prior to her emails being displayed on the web for all to see.

Vulnerability goes to the systems that you have put in place to protect and defend your assets from invasion. Part of the assessment process is subjective in that you not only have to consider whether your defenses are sufficient relative to your assets and risk-appetite, but you also have to consider the ease or difficulty with which your adversaries must contend when considering an attack. If you have established a formidable defense-in-depth protection scheme, your adversaries may decide that it is just not worth the effort.

If alternatively, you have been unable or unwilling to spend sufficiently to create that level of protection, your adversaries may decide that your target assets are exposed in a way that makes it tantalizing enough to jump all over. Hackers are prone to finding the most exposed vulnerability and spending their resources exploiting that opportunity.

If your assets rest behind that vulnerability, then you have a much higher degree of risk than you would have otherwise. Windows is a classic example of a target rich environment.

Vulnerabilities also extend to SCADA devices and depending on the intrinsic value of the overall target you may have a much greater exposure than you think. If for example your production devices form part of a larger supply chain to an ultimate high-value target, your operation may represent the most cost efficient component target in the overall target puzzle. So, an attack on your devices may have nothing to do with any single asset value of your own, but rather it simply may be a means to a higher value target further on down the chain. As a participant in discovery, you may be in the embarrassing public position of playing a central though unintentional role in the taking of something huge.

Target Stores is the poster child for a third party component attack.

Risk appetite usually translates to budget, resources and perceived asset value or threat assessment. Because threat assessment is dependent on your ability to think through all of the variables involved in your operation and objectively analyze the complete body of possible scenarios under which you may become involved in attack, the outcome impacts both your vulnerability assessment and the way in which you value your assets.

For example if you start with budget, you will automatically downgrade your asset value and your threat assessment, as the outcome you require depends on an inconsequential asset leading to a low possibility of threat.

Instead of starting with your budget constraints, try identifying all of the impacts you can think of that may result from a breach and estimate the costs of those impacts. You may find that what used to be thought of as discretionary expense moves quickly up to mandatory expense.

I can pretty much guarantee you that if your CEO thought that his or her email would be floating freely on the Web, the money you require would magically appear. Risk appetite is a moving target.

The value-at-risk model depends on an objective analysis of the interconnectedness among these three components, and as you go through the exercise you may find that your assets are actually higher in value or have more significant consequences than you thought or that your adversaries are probably more willing to spend the resources necessary to achieve their objectives.

You may also discover that you are using dated, dead, forgotten and thus highly vulnerable systems for both infrastructure like non-supported or unpatched versions of older operating systems and databases, and applications like ERP, accounting, HR and production control. These factors present a more attractive target and influence your value-at-risk determination by increasing the volume and likelihood of attacks. If you depend on SCADA controlled devices for your operation, you may realize suddenly that they are part of a larger puzzle you hadn’t considered and/or have greater vulnerability impact to your business and will also influence your overall value-at-risk determination.

Value-at-risk is a highly useful method for establishing actual risk in much the same way as it is essential for investors determining how much of their resource they are willing to extend in a bet on a given company, sector, currency, commodity or future state. Like anything else, if abused, value-at-risk can influence over-response in one direction or the other and should be used only as a guidepost for determining the most reasonable assessment of risk given the enormous population of unknowns and the remarkable rapidity of change in the information and cyber-security threat landscape.

The question at the end of the day is what are you doing to quantify and value the impact of a breach? If you have begun to analyze these factors and extended your thinking out to the edges of the problem space, have you begun to take cyber threats seriously yet and is the information you have discovered about your organization compelling enough to raise your own stakes in the game?

Most people in my business argue that small and medium sized businesses have fallen far behind where we should be in terms of preparedness and as a consequence, these attacks will continue to increase in volume and intensity. It is well beyond time that we do something to stem this tide and value-at-risk is a great place to start.

You may be surprised at what you find.