Probability of a data breach

Your probability of a significant Cyber Security Breach may be 21%.  Every major information security methodology is risk based. That is, they require that organizations identify assets to be protected, risks to those assets, probability and impact of threats to the assets, actions (treatments) that would mitigate, transfer, accept or help the organization avoid the manifested threat, analysis of what happened and a repetition of the process. The methodologies offer a way to be complete and to take the appropriate level of action.

Right-sizing the coverage and cost of security controls

Organizational leaders need to choose where to apply the organization’s limited resources. I think of this decision as the balancing of the three-legged stool of investment choices:

  • fund growth/efficiency improvements
  • fund keeping the lights on
  • fund reduction in risk

The results of the choices for the three alternatives will always be uncertain. In my experience, given the natural uncertainty of the resource requirements for the three legs of the stool, leaders will want to bias the resourcing toward growth/efficiency improvements, e.g., funding digital transformation over implementing a new information security preventative control such as Identity/Access Management or Micro-segmentation. There is good reason to want to do this. Clear benefit is expected from funding growth/efficiency. Funding keeping the lights on does not provide any expected improvement, and resourcing risk treatment comes with an expectation of some amount of loss of resources for limited gain.

The Achilles heel of the risk management process for most organizations is the amount of uncertainty in the probability of threats and the estimated impacts for each risk, i.e., a measurable value for the funding. No sane leader would bet against protection from a loss that exceeded the risk tolerance of the organization if the cost of protection was lower than the loss and a high priority. So, the challenge of information security programs is quantification of risk tolerance, probability of threats, impact of actual threat events and how to prioritize information security investments. Most information security experts, following the guidance from the standard methodologies (ISO 27001, NIST, etc.), produce a risk matrix or heat-map to identify the likelihood and impact of risks. This is used to recommend priorities for resourcing risk mitigations.

Measuring cybersecurity risk

In 2016, Douglas Hubbard and Richard Seiersen wrote a book titled How to Measure Anything in Cybersecurity Risk. They are highly critical of the approach used by cybersecurity experts and offer approaches for probabilistically quantifying the likelihood and impact of threats and for reducing the uncertainty of estimates. If empirical evidence cannot be found to support estimation of threat probabilities, they recommend applying probabilistic methods, including Monte Carlo simulation of threat models, decomposing the threats and estimating probability for the components, etc. They provide examples of how this approach has been used for similar risk management issues with limited empirical measurements, including rocket launches.

A recent UK DCMS report entitled “Cybersecurity Breaches Survey 2019” says that in the past year, 18% of businesses with 50-249 employees and 21% of businesses in the UK with greater than 249 employees reported a cyber security breach where there was loss of assets or data. Assuming that your organization faces the same probability of an attack, the question to be answered is: what is the likely range of impacts from such an attack? This can be decomposed into the likelihood of components such as ransomware fees, penalties, loss of revenue, cost of activities to control and recover from the attack, etc. With the combined probability of the attack and the probability for the range of impact, the business can more easily use these financial metrics to determine which alternative options for preventing, detecting, avoiding and transferring risk make sense. The metrics can also be compared from year to year to reduce uncertainty and adjust to trends in information security threats.
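The decomposition described above can be run as a small Monte Carlo simulation. The following is an added example, not code from the book or from T3 Dynamics: it uses the 21% breach probability quoted above, while the dollar ranges per component, the lognormal shape fitted to each 90% confidence interval, and the $1,000,000 risk tolerance are constructed assumptions.

```python
import math
import random

BREACH_PROBABILITY = 0.21  # survey figure quoted above (more than 249 employees)
Z_90 = 1.645               # z-score bounding a two-sided 90% interval

# Constructed 90% confidence intervals (lower, upper) in dollars for each
# impact component, given that a breach occurs. Illustrative values only.
IMPACT_COMPONENTS = {
    "ransom_fees": (10_000, 500_000),
    "penalties": (5_000, 1_000_000),
    "lost_revenue": (20_000, 2_000_000),
    "response_and_recovery": (50_000, 750_000),
}

def lognormal_params(lower, upper):
    """Convert a 90% CI into mu/sigma of the underlying normal (assumed shape)."""
    mu = (math.log(lower) + math.log(upper)) / 2
    sigma = (math.log(upper) - math.log(lower)) / (2 * Z_90)
    return mu, sigma

def simulate_annual_losses(trials=100_000, p_breach=BREACH_PROBABILITY, seed=1):
    """Return one simulated loss per year: 0 if no breach, else summed components."""
    rng = random.Random(seed)
    params = [lognormal_params(lo, hi) for lo, hi in IMPACT_COMPONENTS.values()]
    losses = []
    for _ in range(trials):
        if rng.random() < p_breach:
            losses.append(sum(rng.lognormvariate(mu, s) for mu, s in params))
        else:
            losses.append(0.0)
    return losses

def exceedance_probability(losses, threshold):
    """Fraction of simulated years whose loss is above the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)

def summarize(losses, tolerance):
    ordered = sorted(losses)
    return {
        "p_any_loss": exceedance_probability(losses, 0),
        "expected_loss": sum(losses) / len(losses),
        "p95_loss": ordered[int(0.95 * len(ordered))],
        "p_exceeds_tolerance": exceedance_probability(losses, tolerance),
    }

if __name__ == "__main__":
    for name, value in summarize(simulate_annual_losses(), 1_000_000).items():
        print(f"{name}: {value:,.2f}")
```

Re-running `simulate_annual_losses` with a lower `p_breach` or narrower component ranges gives the expected change in loss that a proposed control would have to justify against its cost.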

At T3 Dynamics, we believe that one of the greatest values of providing measurements for information security risk is that they allow the business to better compare the decisions on investment in increasing revenue/efficiency, keeping the lights on, and managing risk.