The concept of risk assessment is embedded in our DNA. Our ability to survive as a species is due in part to understanding the potential danger of our environment relative to what is needed to accomplish goals. Whether that goal was to gather food or build the pyramids, we are constantly measuring danger relative to potential rewards. To evaluate risk well, one must have the proper information. An example from history is Custer's battle at the Little Bighorn. The information Custer received did not accurately account for the number of Native American combatants on the field. Had Custer had accurate information, he might have judged the risk of his actions too great to continue on his course.
While risk assessment is part of who we are, the implementation of risk management is fraught with issues. The principal among them is bias, which is the bane of obtaining properly objective information.
Bias is prevalent throughout the risk management process. From the selection of the risk management team to tool use and risk impact evaluation, bias tends to shift the perspective on the true impact of a risk. The personal experience of the risk managers is used to identify and estimate the likelihood of a risk event. That experience is valuable, but it is not objective, and it tends not to take into account the changing landscape of threat evolution.
Bias serves to distort the fundamental risk equation that information security professionals often use in their risk models:
Risk = Probability * Impact
Traditionally, information security professionals use ordinal values for the probability variable. Ordinal values are scales (1-5, unlikely-likely) that are widely used because of their perceived simplicity. Unfortunately, it has been demonstrated that people in general are poor at assigning and interpreting ordinal values. Depending on an individual's bias, "very likely" can be interpreted to mean anywhere between a 43% and a 99% chance. In "Psychology of Intelligence Analysis", a veteran CIA officer describes a study of officers which determined that the phrase "Highly Likely" was understood to mean anywhere between 50% and 100%.
How can a group come to a consensus on a decision with such a wide variance in the understanding of the same data?
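As an added illustration that is not part of the original post, the following Python computes Risk = Probability * Impact for a small constructed risk register under three analysts' differing readings of the ordinal labels (the 43-99% and 50-100% spreads cited above), shows that their risk rankings disagree, and shows that substituting a single calibrated probability for each label makes every analyst rank the risks the same way. The risk names, impact figures, and the calibrated probabilities are assumptions made up for the example.

```python
# Added example (not the original post's code): how the spread in how
# individuals read an ordinal probability label changes the ranking of
# risks computed with Risk = Probability * Impact.

# Constructed sample: each analyst's reading of the ordinal labels as a
# probability, spanning the 43%-99% ("very likely") and 50%-100%
# ("highly likely") ranges the post cites.
ANALYST_SCALES = {
    "analyst_a": {"very likely": 0.43, "highly likely": 0.50},
    "analyst_b": {"very likely": 0.70, "highly likely": 0.80},
    "analyst_c": {"very likely": 0.99, "highly likely": 1.00},
}

# Constructed risk register (names and dollar impacts are assumptions).
# A probability is either an ordinal label, which each analyst reads
# differently, or a numeric estimate such as the 60% the post mentions.
RISKS = {
    "phishing_credential_theft": {"probability": "highly likely", "impact": 200_000},
    "ransomware_on_file_server": {"probability": 0.60, "impact": 250_000},
    "insider_data_export": {"probability": "very likely", "impact": 300_000},
}

def risk_value(probability, impact, scale):
    """Risk = Probability * Impact, resolving a label via one analyst's scale."""
    p = scale[probability] if isinstance(probability, str) else probability
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    return p * impact

def ranking(scale, risks=RISKS):
    """Risk names ordered from highest to lowest computed risk for one analyst."""
    scored = {name: risk_value(r["probability"], r["impact"], scale)
              for name, r in risks.items()}
    return sorted(scored, key=scored.get, reverse=True)

def ranking_spread(scales=ANALYST_SCALES, risks=RISKS):
    """Map each distinct ranking to the analysts who produce it. More than one
    key means the team cannot agree on which risk to treat first."""
    spread = {}
    for analyst, scale in scales.items():
        spread.setdefault(tuple(ranking(scale, risks)), []).append(analyst)
    return spread

def quantify(risks, label_to_probability):
    """Replace ordinal labels with calibrated probabilities (the kind threat
    intelligence supplies) so every analyst computes the same risk value."""
    return {name: {**r, "probability": label_to_probability.get(r["probability"], r["probability"])}
            for name, r in risks.items()}
```

With the scales above, `ranking_spread()` yields two different rankings, and after `quantify(RISKS, {"highly likely": 0.60, "very likely": 0.30})` (constructed values) it yields one.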
There needs to be a shift away from using gut feelings, intuition, and anecdotal evidence to make risk handling decisions. New techniques and tools have emerged to facilitate using actual data to support how likely it is that an event that can impact your organization will occur. One tool that will truly give you a sense of how likely a risk event is to occur is threat intelligence.
Gartner defines threat intelligence as "evidence-based knowledge, including context, mechanisms, indicators, implications, and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard."
Threat intelligence is key because it provides real data that drives your ability to determine how probable an event actually is, based on your environment and the mitigating controls you have in place. It is capable of providing near-real-time insight into how adversaries could potentially infiltrate your environment, based on data collected from various sources. You are enabled to discover these attacks in their infancy, before an attack campaign is launched against your organization. Threat intelligence provides a quantifiable shift from stating that an event is "likely" to stating that it has a 60% chance of occurrence.
A properly implemented threat intelligence solution will dynamically identify the threats that are relevant to your environment. The risk manager can then map the security controls that are in place to the tools, techniques, and procedures utilized by the adversary, and make informed decisions on how the threat landscape affects your current risk posture. Operationally, threat intelligence can provide indicators that arm the security team with the data needed to detect an attack that has already occurred within your environment.
Information asymmetry is an advantage that the adversary utilizes throughout their campaigns. Effective use of threat intelligence does much to reduce the knowledge gap. Had Custer been better informed about his adversary, there may have been a different outcome. Data collected from threat intelligence provides you a real perspective on the effectiveness of your controls and your real risk posture. Decision making is buoyed by risk analysis based on threat intelligence that has observed real attacker patterns. Threat intelligence is a key component in improving the maturity of cyber risk programs by providing the quantifiable data they so desperately need.
References:
Hubbard, D. W., & Seiersen, R. (2016). How to measure anything in cybersecurity risk. Hoboken, NJ: Wiley.
Heuer, R. J., Jr. (1999). Psychology of intelligence analysis. Langley, VA: Center for the Study of Intelligence, Central Intelligence Agency.