This section of our website chronicles our working group's efforts to develop a fine grained model of controls to mitigate specific risks. We are currently focused on a model to defend against data loss. Our plan is to address data loss, malware and business email compromise. Feel free to sign up for periodic emails about our efforts.
In contrast to our peers (while not trying to be negative), our approach is:
- Driven by specific threats: rather than a broad based approach to technology risk, we are focused on specific technology related threats that may impact a business. Our current focus is on 3 threats: data loss, malware / ransomware and Business Email Compromise (BEC).
- Quantitative for inherent risk and impact, in dollars and cents. The magnitude of an event - its inherent risk - is estimated in dollars.
- Quantitative for control effectiveness: the models we develop for each threat will identify an exhaustive set of controls along with effectiveness levels vetted by a group of subject matter experts. The models and effectiveness ratings, while not perfect, are based on the inputs of subject matter experts and vetted by their peers. To our knowledge, this is the first example of controls married to specific effectiveness ratings in the industry.
- Exhaustive in terms of controls: all controls that might mitigate a risk are included in an assessment and given effectiveness ratings. We are not limited to a curated list of controls.
- Consensus driven to determine control effectiveness: the working group will assign effectiveness ratings for controls as a proposed baseline based on their real world experience.
- Relatively linear: when determining control effectiveness, our approach assumes a control is working as intended. We are not yet considering control atrophy, where controls weaken over time due to neglect, etc. Over time we will include more variables as the field matures. One of our colleagues is an expert in this field, including stochastic modeling.
This entire field is extremely complex with many variables. While not trying to be negative about our peers, they do have a few limitations:
- The CIS methodology is based on the CIS Critical Controls list. While that list is an excellent set of important controls, it has weaknesses:
- CIS is not used by many industries, including financial services. Most financial services firms base their controls strategy on regulatory requirements and not CIS.
- The list is not precise: there are general statements but not specific requirements. For example, USB storage devices are a major risk for data loss. Oversight of USB's is a control in the list but does not include specific details to block those devices, even though controls to block those devices are widely available.
- Some critical controls are not widely implemented: many firms do NOT segment their network, record network traffic or decrypt web traffic for inspection. However, compensating controls to mitigate some of the associated risks that are widely implemented are not included.
- Controls utilized by many firms have been deprecated: many large firms use Network Access Control (NAC) to protect their network against rogue devices. In fact, NAC is 'recommended' by banking regulators. NAC is also extremely effective and was included in CIS v7.1 but deprecated in v8.
- Both CIS and FAIR provide a general methodology to manage risk, but not specific threats. Our approach is to identify a specific threat and model controls to mitigate that threat. Our threat based approach allows us to fine tune the model to accommodate specific controls and estimate their effectiveness.
This working group was created in 2015. Interest and activity in this field has grown tremendously over the past few years. Here is a list of organizations and their recent progress in the area of quantifying technology risk:
Center for Internet Security
In January 2022, CIS and Halock Security Labs jointly announced CIS Risk Assessment Method (CIS RAM). CIS RAM was authored by HALOCK Security Labs in partnership with the CIS to establish reasonable implementation of the CIS Controls. By leveraging CIS RAM, enterprises can methodically build what is reasonable and appropriate security safeguards (“reasonable” controls) for their specific environment. Not only does CIS RAM provide standardized methods to achieve compliance, but it also ensures enterprises devote the right amount of resources to maintain security
FAIR & Controls Analytics Model
FAIR-CAM™ model is a formal description of how risk management controls operate, both individually and within a system of other controls, to affect the frequency or magnitude of loss. FAIR is a model for measuring risk, whereas the FAIR-CAM™ model is a model that describes how controls affect risk. It doesn’t change how you measure risk. You should think of this as an extension of the FAIR model, which provides the means to reliably map and account for risk management controls when performing a FAIR analysis. When combined with FAIR, this enables FAIR analysts to more easily and reliably measure the risk reduction value of control.
The DoCRA Council maintains and educates risk practitioners on the use of the Duty of Care Risk Analysis (DoCRA) Standard that CIS RAM is based on. While DoCRA is applicable to evaluation of information security risk, it is designed to be generally applicable to other areas of business that must manage risk and regulatory compliance.
To summarize, an accident in a storm caused a barge to sink. The barge owner sued the tugboat owner for negligence. The tugboat owner lost because the judge ruled it was a trivial cost to buy and use a radio to monitor for bad weather. The judge stated that there was no general custom for tugboats to carry weather radios. However, the tug boat owner was nonetheless negligent for failing to carry a radio. The judge reasoned that the small cost of a radio, compared with its importance, made the tug boat owner negligent in failing to carry one.
This is VERY significant for cyber security: a firm could be considered negligent for a negative technology event if it could have been prevented with a relatively low cost and widely available control.