How to Measure Anything in Cybersecurity Risk

Douglas W. Hubbard, Richard Seiersen

About This Book

A ground-shaking exposé on the failure of popular cyber risk management methods

How to Measure Anything in Cybersecurity Risk exposes the shortcomings of current "risk management" practices, and offers a series of improvement techniques that help you fill the holes and ramp up security. In his bestselling book How to Measure Anything, author Douglas W. Hubbard opened the business world's eyes to the critical need for better measurement. This book expands upon that premise and draws from The Failure of Risk Management to sound the alarm in the cybersecurity realm. Some of the field's premier risk management approaches actually create more risk than they mitigate, and questionable methods have been duplicated across industries and embedded in the products accepted as gospel. This book sheds light on these blatant risks, and provides alternate techniques that can help improve your current situation. You'll also learn which approaches are too risky to save, and are actually more damaging than a total lack of any security.

Dangerous risk management methods abound; there is no industry more critically in need of solutions than cybersecurity. This book provides solutions where they exist, and advises when to change tracks entirely.

  • Discover the shortcomings of cybersecurity's "best practices"
  • Learn which risk management approaches actually create risk
  • Improve your current practices with practical alterations
  • Learn which methods are beyond saving, and worse than doing nothing

Insightful and enlightening, this book will inspire a closer examination of your company's own risk management practices in the context of cybersecurity. The end goal is airtight data protection, so finding cracks in the vault is a positive thing—as long as you get there before the bad guys do. How to Measure Anything in Cybersecurity Risk is your guide to more robust protection through better quantitative processes, approaches, and techniques.

Information

Publisher: Wiley
Year: 2016
ISBN: 9781119224617

PART I
Why Cybersecurity Needs Better Measurements for Risk

Chapter 1
The One Patch Most Needed in Cybersecurity

There is nothing more deceptive than an obvious fact.
—Sherlock Holmes
The Boscombe Valley Mystery [1]
In the days after September 11, 2001, increased security meant overhauled screening at the airport, no-fly lists, air marshals, and attacking terrorist training camps. But just 12 years later, the FBI was emphasizing the emergence of a very different concern: the “cyber-based threat.” In 2013, FBI director James B. Comey, testifying before the Senate Committee on Homeland Security and Governmental Affairs, stated the following:
. . .we anticipate that in the future, resources devoted to cyber-based threats will equal or even eclipse the resources devoted to non-cyber based terrorist threats.
—FBI director James B. Comey, November 14, 2013 [2]
This is a shift in priorities we cannot overstate. How many organizations in 2001, preparing for what they perceived as the key threats at the time, would have even imagined that cyber threats would have not only equaled but exceeded more conventional terrorist threats? Yet as we write this book, it is accepted as our new “new normal.”
Admittedly, those outside of the world of cybersecurity may think the FBI is sowing seeds of Fear, Uncertainty, and Doubt (FUD) to some political end. But it would seem that there are plenty of sources of FUD, so why pick cyber threats in particular? Of course, to cybersecurity experts this is a non-epiphany. We are under attack and it will certainly get worse before it gets better.
Yet resources are limited. Therefore, the cybersecurity professional must effectively determine a kind of “return on risk mitigation.” Whether or not such a return is explicitly calculated, we must evaluate whether a given defense strategy is a better use of resources than another. In short, we have to measure and monetize risk and risk reduction. What we need is a “how to” book for professionals in charge of allocating limited resources to addressing ever-increasing cyber threats, and leveraging those resources for optimum risk reduction. This includes methods for:
  • How to measure risk assessment methods themselves.
  • How to measure reduction in risk from a given defense, control, mitigation, or strategy (using some of the better-performing methods as identified in the first bullet).
  • How to continuously and measurably improve on the implemented methods, using more advanced methods that the reader may employ as he or she feels ready.
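The "return on risk mitigation" the paragraph above calls for is easier to grasp in numbers. The following is an added illustration, not code from the book and not the authors' own method: a small Monte Carlo that compares expected annual loss with and without a single control and expresses the reduction against the control's cost. Every input is an assumption chosen for the example (a 10% yearly probability of a customer-database breach, 4% after the control, a 90% interval of $100,000 to $10,000,000 on the loss given a breach, and a control cost of $50,000 per year); the lognormal loss model and the helper names are likewise choices made here.

```python
"""Added illustration of "return on risk mitigation": expected annual loss
with and without a hypothetical control, estimated by simulation and
checked against the closed form. All inputs are assumptions."""
import math
import random
from dataclasses import dataclass

Z90 = 1.6448536  # standard-normal z-score that bounds a 90% interval


@dataclass(frozen=True)
class RiskScenario:
    """One loss-event type. The numbers fed in are hypothetical."""
    name: str
    p_event: float   # assumed probability that the event occurs in a year
    loss_lo: float   # lower bound of an assumed 90% interval on loss, given the event
    loss_hi: float   # upper bound of that interval

    def lognormal_params(self):
        """Turn the 90% interval into the (mu, sigma) of a lognormal loss model."""
        mu = (math.log(self.loss_lo) + math.log(self.loss_hi)) / 2
        sigma = (math.log(self.loss_hi) - math.log(self.loss_lo)) / (2 * Z90)
        return mu, sigma

    def expected_annual_loss(self):
        """Closed form: p * E[loss], with lognormal mean exp(mu + sigma^2 / 2)."""
        mu, sigma = self.lognormal_params()
        return self.p_event * math.exp(mu + sigma ** 2 / 2)


def simulate_years(scenario, trials=20_000, seed=7):
    """One simulated year per trial: 0 if no event, else a lognormal loss.

    Both random draws are made on every trial, so two scenarios run with the
    same seed see the same simulated "world" and differ only in what the
    control changes (common random numbers)."""
    rng = random.Random(seed)
    mu, sigma = scenario.lognormal_params()
    years = []
    for _ in range(trials):
        u = rng.random()
        loss = rng.lognormvariate(mu, sigma)
        years.append(loss if u < scenario.p_event else 0.0)
    return years


def percentile(values, q):
    """Empirical q-quantile (0 < q < 1) of a list of numbers."""
    s = sorted(values)
    return s[min(len(s) - 1, int(q * len(s)))]


def return_on_mitigation(before, after, control_cost, trials=20_000, seed=7):
    """Compare simulated annual loss with and without a control and express the
    reduction in expected loss relative to the control's annual cost."""
    sim_before = simulate_years(before, trials, seed)
    sim_after = simulate_years(after, trials, seed)
    eal_before = sum(sim_before) / trials
    eal_after = sum(sim_after) / trials
    reduction = eal_before - eal_after
    return {
        "eal_before": eal_before,
        "eal_after": eal_after,
        "p99_before": percentile(sim_before, 0.99),  # 1-in-100-year loss
        "p99_after": percentile(sim_after, 0.99),
        "reduction": reduction,
        "net_benefit": reduction - control_cost,
        "reduction_per_dollar": reduction / control_cost,
    }


# Hypothetical inputs: a customer-database breach, with and without a control
# assumed to cut the yearly probability from 10% to 4% for $50,000 a year.
BEFORE = RiskScenario("customer DB breach", 0.10, 1e5, 1e7)
AFTER = RiskScenario("customer DB breach, with control", 0.04, 1e5, 1e7)
CONTROL_COST = 50_000.0

if __name__ == "__main__":
    r = return_on_mitigation(BEFORE, AFTER, CONTROL_COST)
    print(f"analytic EAL  : ${BEFORE.expected_annual_loss():,.0f} -> "
          f"${AFTER.expected_annual_loss():,.0f}")
    print(f"simulated EAL : ${r['eal_before']:,.0f} -> ${r['eal_after']:,.0f}")
    print(f"1-in-100-year : ${r['p99_before']:,.0f} -> ${r['p99_after']:,.0f}")
    print(f"reduction ${r['reduction']:,.0f}, net ${r['net_benefit']:,.0f}, "
          f"${r['reduction_per_dollar']:.1f} of expected loss avoided per $1 spent")
```

Two points the code makes that the prose cannot: the expected-loss figures alone (about $266,000 a year before the control and $107,000 after, under these assumptions) already let two controls be ranked by reduction per dollar, and the simulated 1-in-100-year loss shows that the same control also shrinks the tail, which matters to anyone deciding how much risk to transfer or retain. The same seed is reused so that the two runs differ only by the control, not by sampling noise.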
Let’s be explicit about what this book isn’t. This is not a technical security book—if you’re looking for a book on “ethical hacking,” then you have certainly come to the wrong place. There will be no discussions about how to execute stack overflows, defeat encryption algorithms, or execute SQL injections. If and when we do discuss such things, it’s only in the context of understanding them as parameters in a risk model.
But don’t be disappointed if you’re a technical person. We will certainly be getting into some analytic nitty-gritty as it applies to security. This is from the perspective of an analyst or leader trying to make better bets in relation to possible future losses. For now, let’s review the scale of the challenge we are dealing with and how we deal with it currently, then outline a direction for the improvements laid out in the rest of the book.

The Global Attack Surface

Nation-states, organized crime, hacktivist entities, and insider threats want our secrets, our money, and our intellectual property, and some want our complete demise. Sound dramatic? If we understand the FBI correctly, they expect to spend as much or more on protecting us from cyber threats than from those who would turn airplanes, cars, pressure cookers, and even people into bombs. And if you are reading this book, you probably already accept the gravity of the situation. But we should at least spend some time emphasizing this point if for no other reason than to help those who already agree with this point make the case to others.
The Global Information Security Workforce Study (GISWS)—a survey conducted in 2015 of more than 14,000 security professionals, including 1,800 federal employees—showed we are not just taking a beating, we are backpedaling:
When we consider the amount of effort dedicated over the past two years to furthering the security readiness of federal systems and the nation’s overall security posture, our hope was to see an obvious step forward. The data shows that, in fact, we have taken a step back.
—(ISC)² on the announcement of the GISWS, 2015 [3]
Indeed, other sources of data support this dire conclusion. The UK insurance market, Lloyd’s of London, estimated that cyberattacks cost businesses $400 billion globally per year [4]. In 2014, one billion records were compromised. This caused Forbes magazine to refer to 2014 as “The Year of the Data Breach.” [5,6] Unfortunately, identifying 2014 as the year of the data breach may still prove to be premature. It could easily get worse.
In fact, the founder and head of XL Catlin, the largest insurer in Lloyd’s of London, said cybersecurity is the “biggest, most systemic risk” he has seen in his 42 years in insurance [7]. Potential weaknesses in widely used software; interdependent network access between companies, vendors, and clients; and the possibility of large coordinated attacks can affect much more than even one big company like Anthem, Target, or Sony. XL Catlin believes it is possible that there could be a simultaneous impact on multiple major organizations affecting the entire economy. They feel that if there are multiple major claims in a short period of time, this is a bigger burden than insurers can realistically cover.
What is causing such a dramatic rise in breaches and the anticipation of even more? It is called attack surface. “Attack surface” is usually defined as the sum of all exposures of an information system: the points at which it exposes value to untrusted sources. You don’t need to be a security professional to get this. Your home, your bank account, your family, and your identity all have an attack surface. If you received identity theft protection as a federal employee, or as a customer of Home Depot, Target, Anthem, or Neiman Marcus, then you received it courtesy of an attack surface. These companies put the digital you within reach of criminals. Directly or indirectly, the Internet facilitated this. This evolution happened quickly and without the knowledge or direct permission of all interested parties (organizations, employees, customers, or citizens).
Various definitions of the phrase consider the ways into and out of a system, the defenses of that system, and sometimes the value of data in that system [8,9]. Some definitions of attack surface refer to the attack surface of a system and some refer to the attack surface of a network, but either might be too narrow even for a given firm. We might also define an “Enterprise Attack Surface” that consists not only of all systems and networks in that organization but also of the exposure of third parties. This includes everyone in the enterprise “ecosystem,” including major customers, vendors, and perhaps government agencies. (Recall that in the case of the Target breach, the exploit came from an HVAC vendor.)
Perhaps the total attack surface that concerns all citizens, consumers, and governments is a kind of “global attack surface”: the total set of cybersecurity exposures—across all systems, networks, and organizations—we all face just by shopping with a credit card, browsing online, receiving medical benefits, or even just being employed. This global attack surface is a macro-level phenomenon driven by at least four macro-level causes of growth: increasing users worldwide, variety of users worldwide, growth in discovered and exploited vulnerabilities per person per use, and organizations more networked with each other resulting in “cascade failure” risks.
  • The increasing number of persons on the Internet. Internet users worldwide grew by a factor of 6 from 2001 to 2014 (half a billion to 3 billion). It may not be obvious that the number of users is a dimension in some attack surfaces, but some measures of attack surface also include the value of a target, which would be partly a function of the number of users (e.g., gaining access to more personal records) [10]. Also, on a global scale, it acts as an important multiplier on the following dimensions.
  • The number of uses per person for online resources. The varied uses of the Internet, total time spent on the Internet, use of credit cards, various services that require the storage of personal data, and automated transactions are all growing. Per person. Worldwide. For example, since 2001 the number of websites alone has grown at a rate five times faster than the number of users—a billion total by 2014. Connected devices constitute another potential way for an individual to use the Internet even without their active involvement. One forecast regarding the “Internet of Things” (IoT) was made by Gartner, Inc.: “4.9 billion connected things will be in use in 2015, up 30 percent from 2014, and will reach 25 billion by 2020.” [11] A key concern here is the lack of consistent security in designs. The National Security Telecommunications Advisory Committee determined that “there is a small—and rapidly closi...