Risk Math for Security Investments
Recently, Anup Ghosh wrote an excellent post around optimizing security investments against the kill chain. However, there was one line that stood out for me that I think requires a deeper look
Anup writes “the incident response dollar… is equivalent to one million times an equivalent prevention dollar.”
I would argue that this statement is a stretch based on risk math. The equation for risk (from a Bayesian perspective) is often times referred to as:
Risk (measured as expected value) = Probability that an attack will be attempted x probability attack will be successful if attempted x consequences of attack if successful (measured in dollars)
Shorthand, this can be referred to at Risk = Threat x Vulnerability x Consequence.
A primary role of a Chief Information Security Officer (CISO) is how to optimize investments to maximize risk reduction and Return on Security Investment (ROSI). Lets take a look at how the CISO can affect each variable in the risk equation.
Threat: There actually isn’t too much that the CISO can do directly here. One could argue that by building a strong cyber protection system the CISO could actually deter some attacks from ever being attempted. However, in reality many attackers are persistent, and they will not be deterred by cyber defenses if you have something that is of value to them.
Vulnerability: This is where many traditional security tools fit today. The idea here is that these tools help prevent an attack from occurring given that the attack is attempted. IPS, AV, firewalls, sandboxing, vulnerability scanning and patching, etc. all fit in here.
Consequence: I would argue that this has traditionally been an area of under investment by CISOs and an area ripe for further risk buy-down. To reduce the impact that this variable has on Risk, CISOs need to put in place measures that reduce the consequences of an attack given that it is successful. The types of tools that help consequence management include SIEM, IDS, encryption, incident response, forensics, and remediations tools.
So, looking across these three risk variables, what is a CISO to do? What are the best approaches to build a portfolio of risk reduction measures that optimize ROSI?
I’ve led some very sophisticated, quantitative risk analyses in the past while in government, but the details of doing one of those is beyond the scope of this post. Instead, I would offer these high level suggestions:
- Balance investments in both vulnerability reduction and consequence management. Each CISO will need to decide what the right balance is for him or her, but ultimately you will never be able to build a 100% effective protection system, so you will need to have investments that help reduce the effects of those attacks that do slip through the system.
- Think about marginal risk reduction. Building a portfolio of “layered defenses” is well known concept. As part of this effort, the CISO should be continuously evaluating to what degree a new investment buys down marginal units of risk in a cost effective (and non-redundant) way. For example, perhaps you have already invested significantly in cyber protection / vulnerability reduction systems. Additional investments in this area may be redundant with existing investments and not actually reduce overall risk very much. On the other hand, if you have not heavily invested in consequence reduction systems, there may be low hanging risk fruit there that is easily bought down with new investments.
- Organize your risk analysis through threat scenarios. What are the primary threat scenarios that you are trying to protect against? As you are evaluating new investments, look at them through the lens of these scenarios. By aggregating risk reduction across these scenarios, you can help ensure that you are buying down risk in a way that robust across a wide variety of attack vectors.
So, circling back to the original impetus for this post, lets now revisit the statement that one dollar spent on a vulnerability reduction tool is equivalent to a million dollars spent on a consequence reduction tool. R = T x V x C is a pretty simple equation, and for that statement to be true we would need to believe that vulnerability reduction tools are a million times more effective than consequence reduction tools. A risk unit bought down is a risk unit bought down, regardless of whether it is bought down via vulnerability reduction or consequence reduction.
I think anyone that has been follows the news cycles of cyber attacks would be hard pressed to believe that. The fact of the matter is that no system is 100% secure. There is always a way in. Black swans happen. And you will never stop every attack. Even the most sophisticated banks and government agencies are penetrated on a regular basis. A smart CISO will recognize that an optimized security tool portfolio will look comprehensively at risk reduction across the the full risk equation and balance prevention/detection with response/resilience.