Why ‘Probability’ is a huge landmine in Cyber Security Risk Quantification (+ how to overcome it)

Cyber Risk Quantification is becoming more familiar and I’m seeing more SME / Large companies and consultants using Quantification methods for clients. But a lot of them have something in common. They’re working on the Probability & Impact methodology, shown brilliantly in the picture below:

cyber risk probability cartoon

* Picture Credits – The Cyber Security Hub

This illustration is one of the best ways to show how probability and impact “go together”, because it’s so clear. But it also blinds Cyber Professionals from seeing the huge landmine, which is “Quantifying Probability”.

I believe after working for years on Cyber Risk quantification into Financial figures (from consulting through to the development of Boardish) that for the Cyber Security Realm focusing on Probability is a mistake. Allow me to explain:

  1. Cyber Security Threats are evolving MUCH quicker than any “past knowledge” experience you could base a probability factor on. For example, the attack vector for Ransomware to ‘get into your organization’ is evolving on a DAILY (and sometimes hourly) basis. On day X your Probability is low because all of your machines are patched, but on day Y a new security flaw on a core system means probability soars.
  2. Cyber attackers are constantly on the offensive; it’s not a “statistical game” like with car accident insurance. Instead, there is a clear ‘business model’ for your attackers to gain access to your systems and cause damage. They are ACTIVELY trying all the time. It’s not a question of “if I will be attacked” but “When” AND “are Zero-Day exploit scenarios going to be used”.
  3. You’ll always be wrong when speaking to management. When your management asks “what is the probability” of Cyber Attack X happening, you will most likely get the answer wrong. It’s a “catch 22” question – you can’t really get it correct because you have no control over the variables, which are constantly changing.

How should I address Probability in Cyber Risk Quantification?

  1. Always assume the Worst Case Scenario when it comes to probability – that’s the only “not wrong” answer. Your responsibility as a cyber professional is to be able to Identify, Protect, Detect, Respond and Recover (the NIST Framework) ANYTIME, ANYWHERE.
  2. Focus on the Financial size of the threat impact – when the probability of the threat is ALWAYS HIGH.
  3. Focus on the Efficiency of the solution against the threat – when the probability of the threat is ALWAYS HIGH.

This way the responsibility is on your solutions to protect against overall threats, rather than on you asking a thousand ‘what ifs’ to find a solution that may not protect you in the worst case. What is the point?

So, what’s the alternative to working this out? In Boardish we approach from a solution perspective and have the TPF (Threat Protection Factor). You can see that we have threats and Solutions AND the efficiency of the solutions against the threats.

You can have multiple solution combinations against the threat and, most importantly, you control the efficiency, based on your specific organizational understanding, experience with solutions, and specific environment.

We don’t “Play” the “Probability” game; it’s always “HIGH” because this is the one “not wrong” (there is no right) answer. You can wake up to a Ransomware attack anytime, anywhere. Don’t make the mistake of communicating to your management that you can predict the probability; you can’t.

The one thing you can predict is how well solutions can protect against worst case. So use this as your benchmark and you’re a lot closer to being right!

How does the Boardish Framework solve this?

  1. Boardish focuses on the full quantification of the THREAT: Market Loss, Work Days Loss, Sales Loss, and Regulation Loss, combined with “how quick the company will recover its market position”.
  2. We measure the efficiency of the solution in mitigating the threat, AKA “how efficient is the solution against the threat”. We do not automate this process; we believe that it’s different for each organization, and that each IT & Cyber Professional knows / can make a decision based on their specific environment.
  3. The Boardish Methodology helps you to quantify the Real and complete solution cost (including IT & Cyber Labour cost).

The Boardish Methodology shows you a very clear decision-making metric without the “catch 22” of ‘Probability’.

Plus, you can try our solution for free yourself without needing integration etc. at www.boardish.io

If you need help, let me know

Eli Migdal – Co-Founder – Boardish.

How To Quantify & Assess The Financial Impact of Business Closures on Your Bottom Line

The unfortunate reality for businesses of all sizes right now is spontaneous business closures (or deciding whether now is the time to reopen your business!).

And with COVID-19 outbreaks at your physical locations meaning potential mandatory lockdowns, as well as deciding whether to re-open at all, it’s important to know the figures and what it could cost you.

We wanted to share how you can use Boardish to quantify into hard numbers what this means for your business.

  • Is it more cost-effective to keep your physical locations closed rather than adopt new procedures?
  • What is the real ‘solution’ cost of implementations? (including the cost of your expert’s hours and time)
  • What is the sales loss for your business closure?
  • What is the regulation impact for remaining closed? (and does this pose a higher risk to you?)

With Boardish you can compare the cost of a closure to your business and the full solution cost to your turnover so that you can decide which areas of the business are still viable. PLUS make a quick decision with all the numbers once you’ve run your simulations.

Once you’ve input your company information you can run several simulations on different scenarios so you can see the full picture quickly, and then use this information to get a fast decision from the board or decision-makers.

Boardish will give you a snapshot of the information you need on the company right now, and you have complete manual control over the efficiency of your solutions, so you don’t have to consider AI learning time or integration into your systems!

The Boardish Web App is ready to go right now, and you can do all this in the FREE Boardish Basic Tier! 

Take a look at our video above, which runs through the exact process, so you can quantify exactly what you need right now!

Why You Need a Human Involved In Risk Decision-Making

Until there is a whole new level of real AI technology and not pattern-based recognition automation as we know it now, risk decision-making should still always have human involvement.

I got inspired for this article following the David Spark CISO Series Friday evening event on “Hacking Automation”.

During the event, David asked a question, ‘Which element you would never automate’, and both panelists and many others in the chat room said Risk. I wanted to share more of my thoughts on where you can’t automate with AI.

Risk information gathering (like penetration testing tools), and even risk identification, can be automated (or be a combination of automation and human), but when it comes to the decision-making on risk, that should always be a human.

A risk assessment can give you scores to consider, but there is no such thing as ‘generic risk’ in cybersecurity, there’s no one-size-fits-all. Every threat has a different impact level for each organization type, industry, and even specific activities in an organization.

I see it with Boardish as well as in consulting. Risk depends on variables in an organization like structure, revenue engines, and even functions like marketing (when you consider market position losses in the calculation) and it’s all interconnected. Cyber threats are a 3D picture (some say 4D) which need different perspectives that automation and AI just cannot give right now.

Which is why a human should have the say on the priority of IT and Cyber risks and make the final decision on what is a higher risk to the organization.

When my partner and I were building the Boardish Methodology, we made a big decision on the ‘decision-making’ and level of control a human has over threat decision-making. Which is why one of our main elements in the methodology is TPF (Threat Protection Factor). This is the efficiency of the solution against the threat.

We knew we could go via the automation route: integrate with other tools, take the data, and provide an automated response for “how efficient is the solution against the threat”, e.g. Endpoint Protection is 68% efficient against Malware.

But then we understood that it has to be a skilled professional who:

  • Knows the company inside out
  • Knows how the threats impact his / her company
  • Knows, after real-life testing, the real-life efficiency levels of certain solutions

Only with that information can they make an accurate decision on how efficient a solution is for THEM: how much certain solutions will mitigate that company’s threats.

This is also why we separated “On-Prem” and “On-Cloud” and gave them separate TPF input values. We have seen too many scenarios in which a solution can be VERY efficient on-prem but have almost no impact On-Cloud and vice versa.

That’s why, when it comes to risk decision-making, we need to give the Cyber Professional FULL CONTROL of the Decision. Of course, we can suggest based on our professional knowledge, but it must be a suggestion only, so the final word will always be with the person who is in charge, who is responsible for the company.

Here is a screenshot of our TPF section in the Boardish wizard. You can see that YOU can decide the efficiency on-prem and on-cloud for each solution against a threat or multiple threats:

Boardish TPF

To try the TPF for yourself, sign up to Boardish completely FREE here: https://app.boardish.io/

Learn more about Boardish here: https://boardish.io/

Eli Migdal, Co-Founder of Boardish
