Security Intelligence Handbook Chapter 8: Demystifying Risk Analysis
February 2, 2021 • The Recorded Future Team
Editor’s Note: We’re sharing excerpts from the third edition of our popular book, “The Security Intelligence Handbook: How to Disrupt Adversaries and Reduce Risk with Security Intelligence.” Here, we’re looking at chapter eight, “Threat Intelligence Part 2: Risk Analysis.” To read the entire section, download your free copy of the handbook.
Every day, we put ourselves in situations that present risk. We drink hot coffee, drive cars, and walk downstairs. Some of us play extreme sports while others eat junk food — regardless, there’s risk involved. So how do we weigh the benefits versus the consequences of our potential actions — and why do similar choices drive wildly different outcomes from person to person?
It’s because analyzing risk is hard, and there isn’t a one-size-fits-all approach to risk reduction in life or in business.
While many can agree with the National Institute of Standards and Technology’s (NIST) definition of risk, “the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: the adverse impacts that would arise if the circumstance or event occurs; and the likelihood of occurrence,” threat analysts have yet to land on one standardized way to actually measure it. And even if there were one, cyber risk models can only ever be as good as the data that “feeds” them.
Yet some models, like the FAIR framework, are rising to the top by offering transparent, quantitative methodologies that organizations can adapt to their unique risk measurement requirements.
High-fidelity inputs in the form of real-time security intelligence make such risk frameworks even more powerful and effective by providing the actionable context security leaders need to forecast attack probabilities and the financial costs of attacks.
Explore the value of risk models like the FAIR framework and the right (and wrong) ways to gather intelligence about risk in “The Security Intelligence Handbook, Third Edition: How to Disrupt Adversaries and Reduce Risk With Security Intelligence.” In this excerpt, which has been edited and condensed, we’ll demonstrate how specific loss probabilities empower organizations to strike the right balance between protecting and running the business.
A key function of threat analysts is to model risks and empower managers to make informed decisions about reducing risk. Risk modeling offers a way to objectively assess current risks, and to estimate clear and quantifiable financial returns from investments in cybersecurity.
However, many cyber risk models suffer from either:
- Vague, non-quantified output, often in the form of “stoplight charts” that show green, yellow, and red threat levels
- Estimates about threat probabilities and costs that are hastily compiled, based on partial information, and riddled with unfounded assumptions
Non-quantified output is not very actionable, while models based on faulty input result in “garbage in, garbage out” scenarios with outputs that appear to be precise, but are actually misleading. To avoid these problems, organizations need a well-designed risk model and plenty of valid, current information — including security intelligence.
Cybersecurity risk assessments should not be based only on criteria defined to prove compliance with regulations. With those criteria, assessing risk usually becomes an exercise in checking boxes against cybersecurity controls like firewalls and encryption. Counting the number of boxes checked results in a very misleading picture of actual risk.
The FAIR Risk Model
The equation at the core of any risk model is simple:
“Likelihood of occurrence times impact equals expected cost”
But, clearly, the devil is in the details. Fortunately, some very smart people have developed effective risk models and methodologies that you can use and adapt to your own needs. One that we like is the Factor Analysis of Information Risk (FAIR) model from the FAIR Institute. Figure 8-1 shows the framework of this model.
The FAIR framework is useful for creating a quantitative risk assessment model that contains specific probabilities for loss from specific kinds of threats.
Measurements and transparency are key
The FAIR framework (and others like it) enables you to create risk models that:
- Make defined measurements of risk
- Are transparent about assumptions, variables, and outcomes
- Show specific loss probabilities in financial terms
Measurements, formulas, assumptions, variables, and outcomes need to be made transparent in order to be discussed, defended, and changed. Because much of the FAIR model is defined in business and financial terms, executives, line of business managers, and other stakeholders can learn to speak the same language to classify assets, threats, and vulnerabilities in the same way.
Whenever possible, incorporate specific probabilities about future losses in your risk model. Specific probabilities enable risk managers and senior executives to discuss the model and potential ways to improve it, after which their confidence in the model and the recommendations that come out of it will increase.
Security Intelligence and Threat Probabilities
As shown on the left side of Figure 8-1, a major part of creating a threat model involves estimating the probability of successful attacks (or “loss event frequency” in the language of the FAIR framework).
The first step is to create a list of threat categories that might affect the business. This list typically includes malware, phishing attacks, exploit kits, zero-day attacks, web application exploits, DDoS attacks, ransomware, and many other threats.
The next step is much more difficult: to estimate the probabilities that the attacks will happen, and that they will succeed (i.e., the odds that the organization contains vulnerabilities related to the attacks and that existing controls are not sufficient to stop them).
Avoid the following scenario: A GRC (governance, risk, and compliance) team member asks a security analyst, “What is the likelihood of our facing this particular attack?” The security analyst (who really can’t win) thinks for 30 seconds about past experience and current security controls and makes a wild guess: “I dunno, maybe 20 percent.”
To avoid appearing clueless, your security team needs answers that are better informed than that. Security intelligence, and specifically threat intelligence, makes it possible to answer questions such as:
- Which threat actors are using this attack, and do they target our industry?
- How often has this specific attack been observed recently by organizations like ours?
- Is the trend up or down?
- Which vulnerabilities does this attack exploit, and are those vulnerabilities present in our organization?
- What kind of damage, technical and financial, has this attack caused in organizations like ours?
Threat analysts still need to know a great deal about the organization and its security defenses, but threat intelligence enriches their knowledge of attacks, the actors behind them, and their targets. It also provides hard data on the prevalence of the attacks.
Security Intelligence and the Financial Cost of Attacks
The other major component of the formulas in our model is the probable cost of successful attacks. Most of the data for estimating cost is likely to come from inside the organization. However, security intelligence provides useful reference points on topics like:
- The cost of similar attacks on organizations of the same size and in the same industry
- The systems that need to be remediated after an attack, and the type of remediation they require
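Added example, not code from the handbook or from the FAIR Institute: a minimal FAIR-style calculation that ties together the chapter’s core equation, the loss event frequency estimate from the threat-probabilities section, and the cost component above, with every assumption exposed as a named input so it can be discussed and defended. The class and function names and all sample figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatScenario:
    """One threat category with the three FAIR-style inputs the chapter names.
    Field names are assumptions for this example, not FAIR's formal terms."""
    name: str
    threat_event_frequency: float  # expected attack attempts per year (threat intelligence)
    vulnerability: float           # probability an attempt succeeds against current controls, 0..1
    loss_magnitude: float          # probable cost of one successful attack, in dollars (internal data)

    def loss_event_frequency(self) -> float:
        # Successful attacks per year: attempts per year x probability each attempt succeeds
        return self.threat_event_frequency * self.vulnerability

    def annualized_loss(self) -> float:
        # "Likelihood of occurrence times impact equals expected cost"
        return self.loss_event_frequency() * self.loss_magnitude


def annualized_loss_table(scenarios):
    """Expected yearly loss per threat category, highest first, so the inputs
    behind the ranking stay visible to GRC and business stakeholders."""
    return sorted(((s.name, s.annualized_loss()) for s in scenarios), key=lambda t: -t[1])


def control_return(scenario, new_vulnerability, annual_control_cost):
    """Return on a control that lowers the probability of success:
    (loss avoided per year - control cost) / control cost.
    Negative means the control costs more than the expected loss it removes."""
    reduced = ThreatScenario(scenario.name, scenario.threat_event_frequency,
                             new_vulnerability, scenario.loss_magnitude)
    avoided = scenario.annualized_loss() - reduced.annualized_loss()
    return (avoided - annual_control_cost) / annual_control_cost


# Constructed sample inputs: a phishing category and a ransomware category.
SAMPLE = [
    ThreatScenario("phishing", threat_event_frequency=120.0, vulnerability=0.02, loss_magnitude=25_000.0),
    ThreatScenario("ransomware", threat_event_frequency=4.0, vulnerability=0.10, loss_magnitude=800_000.0),
]

if __name__ == "__main__":
    for name, loss in annualized_loss_table(SAMPLE):
        print(f"{name:12s} expected loss/year: ${loss:,.0f}")
    # A hypothetical $15,000/year awareness program cutting phishing success from 2% to 0.5%
    print(f"phishing control return: {control_return(SAMPLE[0], 0.005, 15_000.0):.2f}x")
```

The point estimates here are exactly the values that threat intelligence should replace with evidence-based ranges; a model fed with guesses like “maybe 20 percent” produces precise-looking output that is still garbage out.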
We will discuss risk management more in Chapter 12, including the Threat Category Risk (TCR) framework, which was developed by Levi Gundert of Recorded Future and is explained in detail in his book, “The Risk Business, What CISOs Need to Know About Risk-Based Cybersecurity.”
Get ‘The Security Intelligence Handbook’
This chapter is one of many in our new book that demonstrates how to disrupt adversaries and measurably reduce risk with security intelligence at the center of your security program. Subsequent chapters explore different use cases, including the benefits of security intelligence for brand protection, geopolitical risk, security leadership, and more.