What's Wrong with the CIA Triad?

Protecting the Confidentiality, Integrity, and Availability of information is a core requirement of any cybersecurity program. Paradoxically, we run into trouble when we try to use the CIA Triad to drive cybersecurity programs.

Limitations of the CIA Triad

As Rick Howard notes in his book, “Cybersecurity First Principles,” the CIA Triad cannot be used to drive cybersecurity programs. Rick gives three reasons, which I will refer to as scope, adversarial TTPs, and loss event types. While all three are important, the third is crucial. Let me explain.

  1. Scope. The CIA Triad does not consider the criticality of the information to be protected. It doesn’t address the need to prioritize information based on its relationship to the processes critical to meeting business goals.
  2. Adversarial TTPs. The CIA Triad does not lead you to think about intrusion kill chains. To protect information, you must understand the tactics, techniques, and procedures (TTPs) adversaries use to achieve their goals. Then you can deploy controls (people, processes, and technologies) to detect and block those TTPs.
  3. Loss Event Types. Three loss event types correlate with the CIA Triad – information disclosure, alteration, and destruction/denial. However, there are loss event types that do not involve information. Business Email Compromise is one example. Another is what we call “Export of Compromise.” This is Monaco Risk’s term for a supply chain attack from the perspective of the supplier to its customers. SolarWinds is an example.

At this point, you may be asking, why is it important to work from an exhaustive list of all possible loss event types? Dear reader, the answer is in the next section below.

The Alternative to the CIA Triad

Let’s take a step back for a moment. What is the purpose of cybersecurity? What outcomes are we looking for? Again, I turn to Rick Howard’s "Ultimate First Principle," which I amended slightly: Reduce the probability of material financial impact due to cyber-related loss events.

If this goal resonates with you, a good starting point is to review all possible cyber-related loss event types that could financially impact your organization. Monaco Risk can help with our “Loss Event Taxonomy.” It provides just such a list along with related financial loss components. If you would like a copy, comment below or DM me.

So how do you implement this Ultimate First Principle? Cybersecurity risk management (CSRM)!!

Ugh, you say. We only do CSRM to meet compliance requirements or to support the Enterprise Risk Management team. CSRM hasn’t helped us decide on the critical issues we face. It hasn’t helped us get our budget requests approved.

What’s wrong with traditional CSRM? Two major problems. (1) Lack of useful control effectiveness analysis and visualization. (2) Inability to credibly connect security control efficacy metrics to business risk expressed in dollars.

Requirements for useful CSRM

For CSRM to be useful to CISOs and security teams, it must be able to assess individual and collective control effectiveness against adversarial TTPs scoped by the loss event scenarios of concern to business leaders. This means leveraging MITRE ATT&CK® TTPs and Mitigations and MITRE D3FEND®. MITRE provides the most comprehensive and unbiased catalog of TTPs and countermeasures.

Attack path analysis is critically important. New controls are typically evaluated in isolation. So it’s difficult to project how they will affect risk reduction when added to the set of already deployed controls. A control that performed well in isolation may not reduce risk as anticipated if it’s deployed (1) on a path that does not see many TTPs or (2) on a path with other strong controls.

Attack path visualization is also critical. Cybersecurity is extremely complex due to the combination of dozens of deployable controls, hundreds of TTP types, thousands of attack paths into and through an organization, and the financial impact of loss events. Visualizations of critical path weaknesses and control prioritization help in three ways:

  • They isolate the controls that most affect risk
  • They identify the controls that need to be improved
  • They make the analysis more memorable for the security team and business leaders

Justify budget requests. In addition, the CSRM process must help us justify the value of alternative control investments based on how they reduce the probability of material financial impact due to cyber-related loss events. This means bridging the security metrics – business risk gap credibly and transparently.

The problems with risk matrices (heatmaps)

Risk matrices (heatmaps) cannot visualize this type of cyber risk analysis even if dollar ranges are added. First, they don’t show the inverse relationship between the likelihood and the financial impact of a cyber loss event. The dark red box is in the wrong place!!

Second, they hide the long-tail nature of cyber loss events. Any reasonable statistical analysis of the financial losses associated with cyber-related loss events shows the extreme nature of “rare” events. Unfortunately, what is rare for a single organization happens regularly because of the number of organizations subject to cyber risks.

Third, risk matrices don’t visualize the comparative financial value of alternative control investments on reducing the probability of material financial impact due to loss events.
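To make the three heatmap problems concrete, here is an added example (not from the article or from Monaco Risk's tooling) that builds a minimal Loss Exceedance Curve by Monte Carlo: heavy-tailed severity produces the long tail a heatmap hides, the curve shows probability falling as impact rises, and a Direct Control modelled as blocking a share of TTP events can be valued by how much it lowers the probability of exceeding a material threshold. The frequency, severity and block-rate parameters are constructed placeholders.

```python
"""Added example: a minimal Loss Exceedance Curve (LEC) via Monte Carlo.
All parameters below are constructed placeholders, not real loss data."""
import math
import random


def simulate_annual_losses(trials, events_per_year, median_loss, sigma,
                           control_block_rate=0.0, seed=1):
    """Return one simulated annual loss total per trial.

    Frequency: Poisson(events_per_year). Severity: lognormal with the given
    median and log-sigma, i.e. heavy-tailed. A Direct Control that blocks a
    TTP is modelled as thinning: each event survives with probability
    1 - control_block_rate. Every random draw is made whether or not the
    event is blocked, so runs with the same seed see the same event stream.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        # Poisson draw by Knuth's multiplication method (fine for small rates)
        n, p, limit = 0, 1.0, math.exp(-events_per_year)
        while True:
            p *= rng.random()
            if p < limit:
                break
            n += 1
        total = 0.0
        for _ in range(n):
            u = rng.random()
            loss = rng.lognormvariate(math.log(median_loss), sigma)
            if u >= control_block_rate:  # event not blocked by the control
                total += loss
        totals.append(total)
    return totals


def exceedance_probability(losses, threshold):
    """Fraction of simulated years whose loss total exceeds threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def loss_exceedance_curve(losses, thresholds):
    """(threshold, P[loss > threshold]) pairs: the curve a heatmap cannot show."""
    return [(t, exceedance_probability(losses, t)) for t in thresholds]


def control_value(losses_before, losses_after, material_threshold):
    """Reduction in probability of material impact attributable to a control."""
    return (exceedance_probability(losses_before, material_threshold)
            - exceedance_probability(losses_after, material_threshold))
```

Running `loss_exceedance_curve` on `simulate_annual_losses(20000, 2.0, 50_000, 1.5)` against thresholds from 10,000 to 10,000,000, and `control_value` against the same simulation with `control_block_rate=0.6`, gives the two numbers business leaders actually need: the probability of a material year and how much a given control lowers it.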

Automated control performance tools

The type of CSRM process I am discussing highlights the importance of automated control performance tools such as attack simulation, risk-based vulnerability management, security control posture management, and process mining.

These tools are controls in their own right, but indirect, as they cannot detect or block a TTP. They provide the insights needed to improve the efficacy of the Direct Controls which detect and/or block TTPs.

Given the complexity of cybersecurity and the limited resources of most security teams, automated control effectiveness analysis is required for a robust CSRM process.

So you can think of the three types of controls as layers. The lowest layer is Direct Controls which block or at least detect and alert on threats.

The second layer is Indirect Performance Controls, which monitor the performance of the Direct Controls and recommend improvements.

The third layer is the CSRM software that interprets the output of the Indirect Performance Controls and generates the kill graphs, control prioritization tornado charts, and Loss Exceedance Curves which help prioritize alternative control investments and justify cybersecurity budgets to business leaders.

In a past article, I referred to these three layers as the 3-Layer CAKE – Control Analytics Knowledge and Evaluation.

So what do you think? Might you consider a cybersecurity risk management process designed for security teams? Might you want more information about Monaco Risk's methodology and tools?

Hisashi Yamaguchi

Changing the way of technical solutions engineering, True problem finder/solver, Eager learner, Author. DevSecOps.

1 month

Interesting post. I've been feeling that A: Availability is not directly related to cyber security as it's a somewhat generic ITSM principle. I believe R: Resilience should be added to the triad, as an assume-breach mentality is a key concept for reducing material impact.

John Murgo

Entrepreneur | CEO | COO | CFO | Board Member | Advisor

2 months

Well said!

Dawid Balut

Sr. Director Security

2 months

Useful post, where do I learn more?

Charles Wilson, CSSLP

Product Cybersecurity Expert | Engineering | Speaking | Leadership | Mentoring | Safety-critical Cyber-physical Systems

2 months

I cover the practical limitations of the triad and its replacements in my document “Understanding the Extended CIA Model” https://github.com/nutonomy/AVCDL/blob/main/distribution/reference_documents/elaboration_documents/Understanding%20the%20Extended%20CIA%20Model.pdf And also my video “Cybersecurity Requirements Taxonomy” https://youtu.be/5xYIe0z-brI