Why 'Probability' is a huge landmine in Cyber Security Risk Quantification (+ how to overcome it)


Cyber risk quantification is becoming more familiar, and I am seeing more SMEs, large companies and consultants using quantification methods for clients. A lot of them have something in common: they are working on the Probability & Impact methodology, shown brilliantly in the picture below:

[Cartoon: cyber risk probability and impact. Picture credit: The Cyber Security Hub]

This illustration is one of the best ways to show how probability and impact "go together", not least because it is so clear. But it also blinds cyber professionals to the huge landmine that is "quantifying probability".

After years of working on quantifying cyber risk into financial figures (from consulting through to the development of Boardish), I believe that focusing on probability is a mistake in the cyber security realm. Allow me to explain:

  1. Cyber security threats evolve MUCH faster than any "past knowledge" you could base a probability factor on. With ransomware, for example, the attack vector used to get into your organization changes on a daily (and sometimes hourly) basis. On day X your probability is low because all of your machines are patched; on day Y a new security flaw in a core system means the probability soars.
  2. Cyber attackers are constantly on the offensive; this is not a "statistical game" like car accident insurance. There is a clear business model for attackers to gain access to your systems and cause damage, and they are ACTIVELY trying all the time. The question is not "if I will be attacked" but "when", and whether a zero-day exploit will be used.
  3. You will always be wrong when speaking to management. When your management asks "what is the probability" of cyber attack X happening, you will most likely get the answer wrong. It is a catch-22 question: you cannot really get it right because you have no control over the variables, which are constantly changing.

How should I address probability in cyber risk quantification?

  1. Always assume the worst-case scenario when it comes to probability; that is the only "not wrong" answer. Your responsibility as a cyber professional is to be able to Identify, Protect, Detect, Respond and Recover (the five functions of the NIST Cybersecurity Framework) ANYTIME, ANYWHERE.
  2. Focus on the financial size of the threat impact, treating the probability of the threat as ALWAYS HIGH.
  3. Focus on the efficiency of the solution against the threat, again with the probability of the threat ALWAYS HIGH.
This way the responsibility is on your solutions to protect against the overall threat, instead of asking a thousand "what ifs" to find a solution that may not protect you in the worst case. What would be the point?

So what is the alternative? In Boardish we approach it from a solution perspective and use the TPF (Threat Protection Factor). You can see that we have threats, solutions AND the efficiency of each solution against each threat.

You can have multiple solution combinations against a threat and, most importantly, you control the efficiency, based on your specific organizational understanding, your experience with the solutions, and your specific environment.

We do not "play" the "probability" game; it is always "HIGH", because that is the one "not wrong" answer (there is no right one). You can wake up to a ransomware attack anytime, anywhere. Do not make the mistake of telling your management that you can predict the probability: you cannot.

The one thing you can assess is how well your solutions protect against the worst case. Use this as your benchmark and you are a lot closer to being right.

How does the Boardish Framework solve this?

  1. Boardish focuses on full quantification of the THREAT: market loss, workdays loss, sales loss and regulation loss, combined with how quickly the company will recover its market position.
  2. We measure the efficiency of the solution in mitigating the threat, i.e. how effective the solution is against the threat. We do not automate this step: we believe it is different for each organization, and the organization's IT and cyber professionals are the ones who can make that decision based on their specific environment.
  3. The Boardish methodology helps you quantify the real and complete cost of a solution (including IT and cyber labour cost).

[Screenshot: sales approval process in Boardish]

The Boardish methodology gives you a very clear decision-making metric without the catch-22 of "probability".

Plus, you can try our solution for free yourself, without needing any integration, at www.boardish.io

If you need help, let me know

Eli Migdal – Co-Founder – Boardish.


Quantifying The Financial Impact of Mass Absence From Your Business

This article was written by our founder Eli Migdal and was originally posted on LinkedIn.


In the Boardish community we have noticed a big spike in companies adding the threat of "immobility" (not being able to work remotely).

I want to show you a basic guide on how to use the Boardish platform* to understand the costs of immobility, for example in situations like the coronavirus outbreak, where many people have to self-isolate but are still able to work, so that you can get quick approvals from decision-makers for solutions that address it.

*You can also do this with the free version of Boardish.

Step 1 – Company information:

Fill in your company information; every threat impact and solution mitigation is calculated based on the size, type and financial posture of the organization.

[Screenshot: company information inputs in Boardish]

Step 2 – Threats:

Add a custom threat (go to Add Threat Type). You can call it "Immobility"; we have also seen variations such as "Not being able to work remotely" and "No remote working option".

Then we look at the critical operational information, such as how much the threat impacts day-to-day operations. It is different for each company, so we recommend involving your Operations, Sales and Marketing teams.

In our example company below we have:

  1. Set the chance of losing market position to Medium
  2. Entered 25 turnover days lost (days you are not selling because of a mass absence of staff while the company has no remote working capability)
  3. Set 50% sales loss on those days (because not all functions are impacted, some are automated, etc.)
  4. Predicted 14 workdays lost for High, Medium and Low impact users (for example, a self-quarantine period of two weeks)

[Screenshot: threat inputs in Boardish]

Step 3 – Solutions:

We will add three possible solutions that help with the threat of "not being able to work remotely":

  1. Video conferencing tools. Note that many companies are now offering a free option (due to the coronavirus outbreak), so for this example I made the cost of video conferencing free.
  2. Advanced identity management tools. Tools that help you protect remote identity by adding device identity, MFA, geographical restrictions and other capabilities that let you work remotely and securely. This is also very important for BYOD, which is a big part of remote working. For this example I made the cost $7 per user.
  3. Cloud security solutions. When working remotely, tools like Dropbox, OneDrive, Box, Google Drive etc. will be used more, so we need tools to secure them for the business, particularly to make sure we can differentiate between sensitive and non-sensitive files being worked on and shared remotely. For this example I made the cost $6 per user.

For the purpose of this example, I’m staying vendor-neutral but I will be using the solution type field.

[Screenshot: solution inputs in Boardish]

Step 4 – Threat Protection Factor (the efficiency of solutions against threats)

In this section we set the effectiveness of the three solutions against the same threat. The TPF section is where you apply your own experience and knowledge of solution efficiency; it is under your manual control.

Based on my experience, I have used the following info:

  1. Immobility and Video Conferencing: 80% on-prem, 0% cloud
  2. Immobility and Advanced Identity Management: 0% on-prem, 75% cloud
  3. Immobility and Cloud Security: 0% on-prem, 70% cloud

[Screenshot: TPF inputs in Boardish]

Step 5 – Expert costs

This section is very important when showing solutions to your decision-makers. Video conferencing solutions may be free to use, but they will require IT resources to train and support users; these resource requirements and costs need to be quantified.

I have used the following info:

  1. Video conferencing will require 100 hours yearly of 1st level IT, mainly for support of setups and connection issues.
  2. Advanced identity management will require 50 hours of your cyber staff to configure and 100 hours of your 2nd level IT to support.
  3. Cloud security will require the same as advanced identity management (for this example).

*Again, you can use your own figures for ongoing support if you know them from a solution you have used previously or are benchmarking.

[Screenshot: expert cost inputs in Boardish]

Step 6 – Regulation

In this step we set the GDPR impact for this threat. Immobility has no direct GDPR impact unless there is a security issue that has not been taken into account, and that is likely to be caused by something other than the lack of mobility.

So in this case I have configured the GDPR regulation impact as none.

Dashboard:

Once the inputs are complete, the dashboard gives you clear figures on the following:

  1. Cost of the threat: $39.92M
  2. Cost of solutions: $64K in total

This is "decision-making" knowledge for your stakeholders. If your company's information is as clear as in this example, you are in a strong position to get your budget request approved for solutions that combat an immobility threat, particularly in cases of mass absence.

To quantify immobility in your organisation, run the same simulation with your own information in Boardish. The totals depend on the company information entered in Step 1 (the example company's figures are not shown here), so your numbers will differ from the ones above.
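Worked example, added here and not Boardish's own code or formula: a small Python model that makes the six steps above concrete and, at the same time, shows the point of the first article (treat the threat as certain and let the solutions' TPF do the work, instead of multiplying by a guessed probability). The loss buckets, the expert-cost hours, the per-user prices and the TPF values are the ones given in Steps 2 to 5. Everything else is an assumption of the example, not Boardish's: the constructed company (500 employees, $50M annual revenue, $400 per lost employee-day), the hourly rates, the Low/Medium/High mapping for market position, the reading of per-user prices as monthly, the 250-working-day year and the rule for combining several TPFs. Because of that, the totals it prints are not the $39.92M and $64K shown on the dashboard above. It generalizes the page's three solutions to any number of them.

```python
"""Simplified model of the Boardish-style inputs (threat loss buckets,
solution licence + labour cost, Threat Protection Factor).

Added example, not Boardish's code or formula.  All company figures,
hourly rates and the Low/Medium/High mapping are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List

WORKING_DAYS_PER_YEAR = 250  # assumption

# Assumed mapping of "Chance of losing market position" to a fraction of
# annual revenue written off.  Boardish's own mapping is not on the page.
MARKET_POSITION_LOSS = {"None": 0.0, "Low": 0.01, "Medium": 0.02, "High": 0.05}

# Assumed fully loaded hourly rates for the expert-cost step (Step 5).
HOURLY_RATE = {"1st level IT": 40.0, "2nd level IT": 60.0, "Cyber": 90.0}


@dataclass
class Company:
    employees: int
    annual_revenue: float       # currency units per year
    loaded_daily_cost: float    # cost of one lost employee-day


@dataclass
class Threat:
    name: str
    market_position_chance: str  # "None" / "Low" / "Medium" / "High"
    turnover_days_lost: int      # days the company is not selling
    sales_loss_fraction: float   # share of sales lost on those days
    workdays_lost: int           # days each employee cannot work
    regulation_loss: float       # e.g. GDPR exposure; 0 if none


@dataclass
class Solution:
    name: str
    cost_per_user_month: float
    tpf: float                      # Threat Protection Factor 0..1, set by you
    labour_hours: Dict[str, float]  # role -> hours per year


def threat_cost(c: Company, t: Threat) -> Dict[str, float]:
    """Break the threat into the four loss buckets the article names."""
    daily_revenue = c.annual_revenue / WORKING_DAYS_PER_YEAR
    parts = {
        "market_loss": c.annual_revenue * MARKET_POSITION_LOSS[t.market_position_chance],
        "sales_loss": daily_revenue * t.turnover_days_lost * t.sales_loss_fraction,
        "workdays_loss": c.employees * t.workdays_lost * c.loaded_daily_cost,
        "regulation_loss": t.regulation_loss,
    }
    parts["total"] = sum(parts.values())
    return parts


def solution_cost(c: Company, s: Solution) -> Dict[str, float]:
    """Licence cost for every user plus the IT/cyber labour the solution needs."""
    licence = s.cost_per_user_month * 12 * c.employees
    labour = sum(hours * HOURLY_RATE[role] for role, hours in s.labour_hours.items())
    return {"licence": licence, "labour": labour, "total": licence + labour}


def residual_threat_cost(total: float, solutions: List[Solution]) -> float:
    """Assumed combination rule: each solution is an independent layer that
    removes its TPF share of whatever the previous layers let through.
    No probability term: the threat is taken as certain (always HIGH)."""
    remaining = 1.0
    for s in solutions:
        if not 0.0 <= s.tpf <= 1.0:
            raise ValueError(f"TPF for {s.name} must be between 0 and 1")
        remaining *= 1.0 - s.tpf
    return total * remaining


def quantify(c: Company, t: Threat, solutions: List[Solution]) -> Dict[str, object]:
    """The three dashboard figures: threat cost, solution cost, residual threat."""
    threat = threat_cost(c, t)
    costs = {s.name: solution_cost(c, s) for s in solutions}
    return {
        "threat": threat,
        "solutions": costs,
        "solutions_total": sum(v["total"] for v in costs.values()),
        "residual_threat": residual_threat_cost(threat["total"], solutions),
    }


# Constructed company; the article does not publish its example company.
EXAMPLE_COMPANY = Company(employees=500, annual_revenue=50_000_000, loaded_daily_cost=400)

# Threat inputs as entered in Step 2 of the article.
IMMOBILITY = Threat("Immobility", "Medium", 25, 0.5, 14, 0.0)

# Solution inputs from Steps 3 to 5 (per-user prices read as monthly; the TPF
# used is the on-prem figure for video conferencing and the cloud figure for
# the other two, i.e. the non-zero value the article gives for each).
EXAMPLE_SOLUTIONS = [
    Solution("Video conferencing", 0.0, 0.80, {"1st level IT": 100}),
    Solution("Advanced identity management", 7.0, 0.75, {"Cyber": 50, "2nd level IT": 100}),
    Solution("Cloud security", 6.0, 0.70, {"Cyber": 50, "2nd level IT": 100}),
]

if __name__ == "__main__":
    result = quantify(EXAMPLE_COMPANY, IMMOBILITY, EXAMPLE_SOLUTIONS)
    print(f"Cost of the threat:    {result['threat']['total']:>14,.0f}")
    print(f"Cost of the solutions: {result['solutions_total']:>14,.0f}")
    print(f"Residual threat cost:  {result['residual_threat']:>14,.0f}")
```

With the constructed company the block reports a threat cost of 6,300,000, a solution cost of 103,000 (licences 78,000 plus 25,000 of labour) and a residual threat cost of 94,500. The multiplicative rule in residual_threat_cost assumes the solutions are independent layers; where two solutions guard the same failure mode (identity management and cloud security both protect cloud access) the real residual is higher than the product suggests, so lower the TPF of the second one rather than counting the same protection twice.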

Learn more here: https://boardish.io/

Sign up here: https://app.boardish.io/

 


CyberTech 2020: Insights From Eli Migdal (Part 2)

Eli Migdal, our founder, attended the CyberTech 2020 and got lots of insights from the event. 

In this video, he is discussing the complexity of the cybertech field and how to easily communicate it to decision-makers and board members. 

“How can we really expect our boss, our decision-makers, to fully comprehend the complexity of cybersecurity, especially now in 2020?” 

He explains that even the cybersecurity community finds the field extremely complex. To keep on top of things, cybersecurity professionals must learn about new developments and keep a close eye on new threats, as well as being aware of all the regulatory changes. 

Cybersecurity professionals spend lots of resources on understanding the latest developments – both threats and solutions – by constantly reading, learning, and using proof of concept. 

And while so many resources go into understanding threats and developing adequate solutions quickly, there is also the issue of a big skill gap in the field, where there just aren’t enough cybersecurity professionals. 

"How can we explain this super complex problem, which is also complicated for cybersecurity professionals?" asks Eli. How can cybersecurity professionals present the threats and solutions to the board of directors and decision-makers?

He gives an insightful answer: "We must simplify it; it's our responsibility. This is what we are getting paid for."

As cybersecurity professionals, the only way to truly communicate the impact to board members and decision-makers is to quantify the complexities of the cybersecurity field into financial figures. 

It's simple really: the board and decision-makers do not have the time to keep track of all the changes in the field, and they do not care about the complexities faced by cybersecurity professionals. What they do care about are the figures.

It is not the rate scores or complexity that helps them make a decision – it’s the financial impact. 

Simplify. Don’t complicate.


CyberTech 2020: Insights From Eli Migdal (Part 1)

Our founder Eli Migdal attended the CyberTech 2020 event. In this video, he is discussing the biggest issue cybersecurity is facing right now – response times to new threats. 

He explains that the issue isn't a lack of solutions, and that numerous vendors are working on different solutions for the same problem. He counted at least 15 cybertech companies working on fraud and breach detection, which gives him the perfect opportunity to address a rather pressing issue: choosing the right solution.

“How can we quickly choose between them if there are so many solutions?”

Eli argues this is the tricky part of the cybersecurity business. There are different solutions that all work well for a particular issue, but which one is best? 

“As professionals, we still need to investigate those solutions.”

While a solution might sound good on paper, it will be clearer if it’s the right choice after having a proof of concept and evaluation. 

This process of determining the best solution cannot be sped up, but the process that follows can be. The solution cybersecurity experts choose needs to be presented in front of the board of directors. 

"We must make it quicker," he says of the approval process; it cannot wait, especially when there are so many threats to address and so many solutions to choose from.

He explains that the risk of security and breach issues can be mitigated greatly if organisations move quickly enough. This means that the decision-making process of the board "must be quicker than the bad guy's".

“We don’t have a technical solution problem […] the cybersecurity community can solve the majority of the problems; we just need to move quick enough.”

This means that we need the means to speed up decision-making. When our decision-making is quicker than the bad guy's, we will be able to address cybersecurity before it becomes an issue.
