RISK QUANTIFICATION
FROM RAINBOWS TO DOLLARS
Disclaimer
These slides and accompanying presentation represent the author’s opinions and experience and are not necessarily those of any organization, including his past, current or future employers. All results are illustrated using randomly generated data and therefore DO NOT reflect actual results nor disclose any organization’s sensitive or proprietary information. Please direct all concerns related to this material to the author via email at [email protected].
Introduction
• Joel Baese
• Email: [email protected]
• LinkedIn: https://www.linkedin.com/in/jbaese
• ISACA member since June 2010, CRISC since July 2010
• 18 years in IT
• Currently a Senior Manager II at Walmart building and leading the Information Security Tactical Risk Analysis team
• GRC experience includes:
  • Quantitative risk analysis at Walmart, qualitative risk analysis at Raytheon;
  • Policy author and manager at Raytheon;
  • Information systems security officer for DoD programs up to and including Top Secret Special Access
• MBA, BSIT
Overview
• The Challenge
• The Path
• The Result
The Challenge
Meaningful measurement
Effective comparisons
Well-informed decisions
Cost effective accurate risk management
Best Practice Risk Measurement
1. Cloud computing
2. Insider threat
3. External/third parties
4. Application vulnerabilities
5. Hardware vulnerabilities
6. Mobile malware
7. Social engineering
8. Organized crime
9. State sponsored attacks
10. Hacktivists
List adapted from: Jones, J. (2016). FAIR & RiskLens Executive Overview. Retrieved July 14, 2016, from FAIR Institute: http://www.fairinstitute.org/member-resources
How much risk is there?
Source: Jones, J. (2016). FAIR & RiskLens Executive Overview. Retrieved July 14, 2016, from FAIR Institute: http://www.fairinstitute.org/member-resources
Did we all mean the same thing?
• What’s the asset? The tire
• What’s the threat? The Earth
• What’s the threat vector? Gravity
• What’s the control? The rope
• What’s the loss type? Availability
• What’s the vulnerability? The probability gravity > rope
• What’s the risk? The probability gravity overcomes rope resulting in loss, combined with the probable resulting financial loss
Credit: Jack Jones for the example
Mass, Weight, Velocity
Human Biases
• We tend to exaggerate spectacular and rare risks and downplay common risks.
• The unknown is perceived to be riskier than the familiar.
• Personified risks are perceived to be riskier than anonymous risks.
• We underestimate risks in situations we do control, and overestimate risks in situations we don't control.
• We estimate the probability of something by how easy it is to bring examples to mind.
The 5 Biggest Biases We Fall Victim To – Bruce Schneier
Risk is a reality and a perception
The Missing Ingredient
Accurate Models
Meaningful measurement
Effective comparisons
Well-informed decisions
Cost effective accurate risk management
The Path
FAIR Ontology (Factor Analysis of Information Risk)
Risk: the probable magnitude and probable frequency of future loss
• Probable Loss Event Frequency
• Probable Loss Magnitude, made up of the forms of loss (P = primary, S = secondary):
  • Productivity (P)
  • Replacement (P)
  • Response (P, S)
  • Fines and Judgments (S)
  • Competitive Advantage (S)
  • Reputation (S)
FAIR Process
Stages of the Analysis Process
1. Identify Scenario Components (Scope the Analysis): Asset, Threat, Loss Event
2. Evaluate Loss Event Frequency (LEF): Threat Events, Vulnerability
3. Evaluate Loss Magnitude (LM): Primary Loss Magnitude, Secondary Loss Frequency, Secondary Loss Magnitude
4. Derive and Articulate Risk
Source: Risk Analysis (O-RA) from The Open Group
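The derivation the four stages describe, as an added example that is not from the slides or from the Open Group standard: each scenario carries an asset, a threat, threat event frequency, vulnerability, and primary and secondary loss estimates; risk is articulated as annualized loss expectancy (ALE) and then rolled up by asset and by threat, as the later result slides do. All scenario values are constructed for illustration.

```python
# Added example (not from the slides): FAIR-style derivation of ALE from
# Loss Event Frequency and Loss Magnitude, then aggregated by asset/threat.
from dataclasses import dataclass

# FAIR forms of loss and whether each appears as primary (P), secondary (S) or both.
LOSS_FORMS = {
    "Productivity": "P", "Replacement": "P", "Response": "PS",
    "Fines and Judgments": "S", "Competitive Advantage": "S", "Reputation": "S",
}

@dataclass
class Scenario:
    asset: str
    threat: str
    tef: float            # threat events per year (Threat Event Frequency)
    vulnerability: float  # probability a threat event becomes a loss event
    primary: dict         # form -> dollars lost per loss event (primary stakeholders)
    secondary_lef: float  # probability a loss event triggers secondary stakeholder reaction
    secondary: dict       # form -> dollars lost per secondary loss event

    def lef(self) -> float:
        """Stage 2: Loss Event Frequency = TEF x Vulnerability."""
        if not 0.0 <= self.vulnerability <= 1.0 or not 0.0 <= self.secondary_lef <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
        return self.tef * self.vulnerability

    def loss_magnitude(self) -> float:
        """Stage 3: primary magnitude plus probability-weighted secondary magnitude."""
        for estimates, bucket in ((self.primary, "P"), (self.secondary, "S")):
            for form in estimates:
                if bucket not in LOSS_FORMS[form]:  # e.g. Reputation is never a primary loss
                    raise ValueError(f"{form} is not a {bucket} loss form")
        return sum(self.primary.values()) + self.secondary_lef * sum(self.secondary.values())

    def ale(self) -> float:
        """Stage 4: annualized loss expectancy = LEF x LM."""
        return self.lef() * self.loss_magnitude()

def aggregate(scenarios, key):
    """Roll ALE up by 'asset' or 'threat', as in the aggregate result views."""
    totals = {}
    for s in scenarios:
        totals[getattr(s, key)] = totals.get(getattr(s, key), 0.0) + s.ale()
    return totals

# Constructed, illustrative scenarios (not real data).
SCENARIOS = [
    Scenario("Customer DB", "Organized crime", tef=2.0, vulnerability=0.25,
             primary={"Response": 400_000}, secondary_lef=0.5,
             secondary={"Fines and Judgments": 1_000_000, "Reputation": 2_000_000}),
    Scenario("Customer DB", "Insider threat", tef=1.0, vulnerability=0.10,
             primary={"Response": 200_000, "Productivity": 50_000}, secondary_lef=0.2,
             secondary={"Reputation": 500_000}),
    Scenario("Payment gateway", "Organized crime", tef=4.0, vulnerability=0.05,
             primary={"Productivity": 300_000, "Replacement": 100_000}, secondary_lef=0.0,
             secondary={}),
]
```

Running `aggregate(SCENARIOS, "asset")` and `aggregate(SCENARIOS, "threat")` gives the two roll-ups; the form check rejects a scenario that books a secondary-only form such as Reputation as a primary loss.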
The Project
• 3 Months
• 2 FTEs + ≈1 Contractor
• Over 50 Scenarios
• Over 100 SMEs
• Over 500 Questions
• Over 1,400 data points
• To get to one number: What is our risk?
The Results (ish)
Aggregate Average ALE By Environment (Total: $3 Billion)
Potential Comprehensive Key Risk Metrics
Potential Comprehensive Key Risk Metrics (continued)

Level of Impact   % of customers lost   Households Impacted   Revenue Impact (Lost Customer Value)
Significant       50.00%                500,000               $5 billion
Major             25.00%                250,000               $2.5 billion
Moderate          12.50%                125,000               $1.25 billion
Minor             6.25%                 62,500                $625 million
Slight            3.13%                 31,500                $315 million

Assumptions: Avg value of a household: $10,000; Households: 1 million
Top 10
Aggregate ALE By Threats
Aggregate ALE By Assets
Materialized Areas of Loss (Aggregate): Primary Losses, Secondary Losses
Focus Adjustment for Future Analyses
Lessons Learned
• Challenges
  • Finding the right PoCs/SMEs
  • Significant difference in data request than what they were used to
  • Risk quantification skeptics
  • Significant data validation required due to basic definition differences
    • Ex. contact event vs. threat event vs. loss event
  • No established workflow process made tracking all the people and data inputs more difficult than it probably needed to be
• Notes, notes, notes
  • Sources
  • Rationale
• Know the model and definitions well
Additional Resources
• The FAIR Institute
  • http://www.fairinstitute.org
• The Open Group
  • Open FAIR Standards
  • http://www.opengroup.org/standards/security
• The Society of Information Risk Analysts
  • https://societyinforisk.org
• Measuring and Managing Information Risk: A FAIR Approach
  • Authors: Jack Freund & Jack Jones
  • http://store.elsevier.com/product.jsp?isbn=9780124202313
My contact information:
• Email: [email protected]
• LinkedIn: https://www.linkedin.com/in/jbaese
Special thanks to Jack Jones for allowing use of several of his slides and examples.