By Ryan Stolte, co-founder and CTO, Bay Dynamics
How do you measure risk? This remains the million-dollar question in infosec. We don't have a clear-cut answer, and without one, deciding which actions will actually improve the security of the organization is a real challenge for many teams.
As an industry we are getting better at measuring impact after a breach or attack occurs, both in soft-dollar losses (e.g. reputational damage) and hard-dollar losses (e.g. stock price declines, customers withdrawing funds or closing accounts). What remains elusive to most is estimating, before the event, the likelihood that we will suffer one of these impacts. This brings us back to the classic definition of risk: the likelihood of experiencing a negative impact of a given magnitude within a specified period of time.
With this in mind, how we measure risk matters, and agreeing on a method as an industry is critical. We need a way to look at data that makes it possible to decide immediately what action to take, and that requires a solid, repeatable way to estimate the probability portion of the risk equation. We then need to standardize on that model so it is consistent across organizations and industries.
One of the best examples of a model that is both consistent and repeatable is the sales funnel, and we can, and should, use it as a template for constructing a model for effective cyber risk measurement.
If you think about the sales funnel, it has stages that can be adapted to meet the needs of an organization. These stages provide a common language for forecasting revenue yet they are flexible in nature. The goal of the sales funnel is initially to get as many possible customers – or leads – from the top of the funnel to convert into “opportunities” where we can estimate with more certainty the likelihood that the prospect will make a purchase.
In one example, we may refer to the top of the funnel as the "awareness" stage; here we find the most activity and the largest number of potential customers ("leads"). In this stage, leads have been exposed to marketing for a product and most likely know that the product exists. These leads then fall into three distinct groups:
1) Leads that we can rule out early on as very unlikely to make a purchase (e.g. they don't respond to emails or opt out of correspondence);
2) Leads that demonstrate behavior very early on that identifies them as prospective customers (e.g. they request a demo or sign up for an evaluation); they may even make a purchase at this stage;
3) Leads about which we need to gather more information, and which we need to cultivate to progress them through the funnel.
Very similarly, with cyber risk, we can treat data and the user community as "leads", and it is their behavior that helps us determine how much risk they pose to the organization. As in the sales funnel, we can sort the data and/or users into three groups:
1) Activity that we can determine to be acceptable, normal behavior and leave alone;
2) Activity that matches predefined malicious patterns and can be determined to be malicious immediately, so that we can act on it at once, either through a person or through automated actions;
3) Activity that looks suspicious or anomalous and gives us indicators that might prove risky to the organization, and which requires more investigation. It is this last group that will prove most fruitful in helping us calculate the risk posed to the organization.
If we focus on this last data set, we can begin to calculate the probability that potentially malicious activity, or bad actors, exist in our organization by evaluating their progress along a cyber risk funnel, much as we advance an opportunity through the sales funnel. This lets us prioritize the actions we must take based on the probability that the activity or configuration will result in harm, together with the magnitude of that potential harm. It is very similar to how a sales leader measures the likelihood that potential customers will progress through the rest of the sales funnel and, from that, produces a predictable revenue forecast for the organization.
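The following is an added illustration of the three-way triage and the funnel-based probability estimate described above, not code from the original article or from Bay Dynamics. The stage names, the per-stage conversion rates and the sample entities are all constructed for the example; in practice the conversion rates would be measured from an organization's own history of how often activity at one stage progressed to the next within the period. The probability of harm for an entity at a given stage is the product of the downstream conversion rates, and expected loss is that probability multiplied by the impact if harm is realized.

```python
from dataclasses import dataclass
from math import prod

# Hypothetical cyber risk funnel, ordered from the top (most entities, least
# certainty) to the bottom (harm realized). Stage names are assumptions.
STAGES = ["anomalous", "suspicious", "probable_compromise", "harm"]

# Constructed conversion rates: fraction of entities observed at a stage that
# historically progressed to the next stage within the measurement period.
CONVERSION = {
    "anomalous": 0.10,
    "suspicious": 0.35,
    "probable_compromise": 0.60,
}


@dataclass
class Entity:
    name: str
    stage: str
    impact: float            # hard-dollar loss if harm is realized (constructed)
    known_bad: bool = False  # matches a predefined malicious pattern (group 2)
    benign: bool = False     # baseline-normal, acceptable behavior (group 1)


def harm_probability(stage):
    """P(entity at `stage` reaches 'harm' within the period).

    Product of the conversion rates of every stage from `stage` down to the
    last stage before 'harm'; an entity already at 'harm' has probability 1.
    """
    if stage not in STAGES:
        raise ValueError(f"unknown funnel stage: {stage}")
    idx = STAGES.index(stage)
    return prod(CONVERSION[s] for s in STAGES[idx:-1])


def triage(entities):
    """Split entities into the three groups from the text:
    (ignore, act_now, investigate)."""
    ignore, act_now, investigate = [], [], []
    for e in entities:
        if e.benign:
            ignore.append(e)
        elif e.known_bad:
            act_now.append(e)
        else:
            investigate.append(e)
    return ignore, act_now, investigate


def expected_loss(entity):
    """Risk = probability of harm in the period x magnitude of harm."""
    return harm_probability(entity.stage) * entity.impact


def prioritize(entities):
    """Rank the 'investigate' group by expected loss, highest first."""
    return sorted(entities, key=expected_loss, reverse=True)


def forecast(entities):
    """Total expected loss, the analogue of a revenue forecast."""
    return sum(expected_loss(e) for e in entities)


# Constructed sample population for the example.
SAMPLE = [
    Entity("carol", "anomalous", 100_000, benign=True),
    Entity("build-server", "suspicious", 300_000, known_bad=True),
    Entity("alice", "suspicious", 500_000),
    Entity("svc-backup", "probable_compromise", 50_000),
    Entity("bob", "anomalous", 2_000_000),
]

if __name__ == "__main__":
    ignore, act_now, investigate = triage(SAMPLE)
    print("ignore:", [e.name for e in ignore])
    print("act now:", [e.name for e in act_now])
    for e in prioritize(investigate):
        print(f"{e.name:12} stage={e.stage:20} "
              f"p={harm_probability(e.stage):.3f} "
              f"expected_loss={expected_loss(e):,.0f}")
    print(f"forecast: {forecast(investigate):,.0f}")
```

Note that the ranking is not simply "furthest down the funnel first": with these constructed numbers, "alice" (mid-funnel, large impact) outranks "svc-backup" (near the bottom, small impact), which is exactly the point of weighting probability by magnitude before deciding what to act on.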
The bottom line is that enterprises are looking for a predictable model for risk measurement. They want insight into the configuration of their infrastructure, the activity of their users and the data on their network, and they want the ability to act quickly to eradicate potential threats. If they have a means to determine which activity in their organization poses the most risk, they can make these decisions proactively, much as sales and marketing teams act on the candidates in the sales funnel to encourage them to purchase. The sales model is trusted and proven; there is no reason why those of us in cybersecurity should not take it as a template and apply it to risk measurement.
Ryan has spent more than 20 years of his career solving big data problems with analytics.