Cyberthreat Risk Modeling and Scoring
Cyberthreat Risk Modeling and Scoring
Indentifying and quantifying cyber-risk are essential for effective risk prioritization. Risk scoring not only helps identify and mitigate serious vulnerabilities faster but it also plays an important role in secure application development. As IT environments and network attack surfaces grow in complexity (across network, databases, applications, IoT devices, containers, etc.), risk scoring has become an essential way to prioritize limited security resources for maximum security benefit.
What are you actually measuring when you develop a cyberthreat risk score? Nir Yizhak, CISO and DPO of Gigya, explains it this way: “We measure the likelihood and potential impact of a specific risk along with its related risk category, such as governance risk, technical risk, financial risk, and targeted system classification. For instance, the same threat will be calculated differently depending on whether it’s aimed at a production system holding sensitive information, or a development system holding bogus data. We use risk scoring when prioritizing operational tasks, which can occur daily in some cases, and when presenting risk status to senior management.”
One challenge of risk scoring is quantifying cyber-risk in the context of specific business cases. A lot can go into determining “potential impact,” for instance. Antonio D’Argenio, Cyber Security Architect for Tech Data Corporation, says, “You have to look at many factors that can affect the business from a security perspective.” In addition to technical issues, such factors include legal issues that may arise from a data breach. D’Argenio explains, “Any loss of sensitive information can involve a legal issue because of the nature of the compromised data. In many cases, the company will face fees and fines for the lack of adequate data protection. ”Data loss can damage business operations as well as cause brand damage, which not only affects customer confidence but the business’ ability to raise capital. “Investors may decide to withhold support for the company because of inadequate risk management.” Effective risk scoring involves considering all these factors.
Several frameworks have been designed to help businesses model and score their cyber-risk (in addition to some commercial off-the-shelf tools). The following are some of the more widely used options:
- ISO 31000:2018. The International Organization for Standardization (ISO) created and released this body of risk management standards in 2009 and updated it in 2018. The standard consists of principles for the creation and protection of value. ISO 31000:2018 is a comprehensive approach to risk management, of which risk scoring is one part; like most methodologies and frameworks, it must be adapted to specific business cases.
- Common Vulnerability Scoring System (CVSS). The CVSS is a framework for defining and rating software It looks at such factors as metrics designed to indicate how difficult it would be to exploit a vulnerability and the severity of an exploit on the system should it occur. CVSS calculations can be complex. CVSS does not consider cyber-risks that are not associated with specific software vulnerabilities, and it does not account for overall business impact.
- DREAD. This threat modeling framework is designed to use a simpler, more qualitative scoring model that focuses on Damage, Reproducibility, Exploitability, Affected users, and Discoverability. Like CVSS, it focuses on physical threats to systems rather than business impact.
- STRIDE. The Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege (STRIDE) approach to threat modeling looks more at the types of threats than the qualities of vulnerabilities. STRIDE attempts to take a broader view of all the things that can go wrong in a system.
- Factor Analysis of Information Risk (FAIR). This risk assessment framework focuses on asset loss and the types of threats that can result in such loss. Many consider FAIR a way of augmenting system risk analysis with a complementary business risk assessment.
Many other risk modeling and scoring frameworks exist, some of which are tailored to specific industries and business models. As D’Argenio points out, “There is no one-size-fit-all framework a company can use to evaluate the risk against the business. In general, a CISO or CIO has to evaluate the right balance among several factors.” These factors include:
- Assets. “You need to have a clear and complete vision of the assets you’re protecting,” says D’Argenio. “These include material assets like IT systems, physical locations, people, transports, etc., and nonmaterial assets like information, processes, procedures, and policies.” It can be valuable if you have some ranking that aligns with business criticality associated with each asset.
- Resiliency. This is how long, should an attack occur, your lines of defense can protect your assets before they are compromised. D’Argenio says, “This is a balance between vulnerabilities and the reaction time to mitigate the attack.” It is critical that you have visibility to respond quickly when attacks occur.
- Effectiveness. How effective will your decisions and actions be in protecting your assets? When an attack occurs, many skills are required to respond properly. Having tools that support collaboration between security and IT teams allow for fast communication when time is of the essence.
- Anomalies. This factor is really a continuous evaluation of the threat landscape and seeing what’s happening in your environment. D’Argenio notes that malicious activities are constantly changing, and businesses must consider their processes and skills in responding to these changing threats. Ensuring that you are scanning all your IT assets with a consistent cadence will help you identify these anomalies fast and remediate them if needed.
By keeping sight of these essential pieces of the operating environment, you will be able to adapt and tailor a framework to model and score cyber-risks in the context of your business and its security requirements.
- Data loss can subject a business to remediation costs, legal issues, fees and fines, damaged business operations, and brand damage. This not only impacts customer confidence, but it can affect the business’s ability to raise capital.
- There is no one-size- fit-all framework a company can follow to evaluate the risk against the business.