I don’t know how many times I’ve heard cyber security professionals say something like “don’t have multi-factor authentication”. [MFA] It is a great risk for our organization.”
The truth is, that kind of statement can illustrate a control weakness, but unless the unintended result is a dent in an audit report where MFA is required, that’s not the real risk. The real risk is the likelihood of a ransomware incident, for example, or a leak of personally identifiable information (PII) from a customer database.
For businesses, the risk lies in the potential losses associated with unintended outcomes incurred through their computing environments. The cybersecurity piece of this generally focuses on incidents where these outcomes were caused by a clever adversary.
A simple way to think about unintended outcomes is to consider the ways in which CSOs may not meet one or more of their control objectives (confidentiality, integrity, availability, or other objectives) and experience one of the above incidents, among others. .
Once risk is understood, it becomes easier to see that much of what we do in cybersecurity revolves around addressing control weaknesses that essentially act as risk placeholders. We feel that there is no real way to determine risks and assess their likelihood, and therefore rely on best practices and control frameworks to fill in the gaps.
Thus, although most CSOs perform their functions in the service of risk management activities, there is almost never any evidence that correcting control weaknesses would lead to a true reduction in unintended outcomes leading to loss events. .
Cyber security risk lives in real time
I think there’s a big reason this is true: we don’t internalize the fact that the risk we seek to manage “lives” within the real-time activities that occur in our IT environments. That is, the risk exists within the millions, billions, trillions, quadrillions of transactions and messages and sessions and other structured elements.
While we can’t definitively measure risk because risk is essentially a prediction about future outcomes, we can at least make those risk predictions and then test their accuracy after the fact by measuring relevant activities. We can then use that data to inform our future risk predictions and your follow-up decisions.
According to Cisco in his Annual Cybersecurity Report 2017, spam accounted for nearly two-thirds (65 percent) of total email volume, and research suggests that global spam volume is growing due to large and thriving spam-sending botnets. As noted by the vendor’s threat researchers, around 8% to 10% of global spam observed in 2016 could be classified as malicious.
Additionally, the percentage of spam with malicious email attachments is increasing, and adversaries appear to be experimenting with a wide range of file types to help their campaigns succeed.
Based on this information, CSOs can derive the probability portion of the risk of receiving a malicious email message at approximately six percent.
Some of my astute colleagues may point out that risk must also include an element of magnitude expressed in financial loss. While that is also my ultimate goal, I don’t see it as a necessary condition as long as one can intuit the losses associated with receiving a malicious email.
This allows CSOs to turn around not to check for weakness, but for strength, depending on how many of those messages a fix can stop before an incident occurs.
With so much cybersecurity activity revolving around people and processes, it’s easy to get distracted or tricked into thinking incorrectly. It’s crucial to understand that amidst the myriad of activities happening in our IT environments, real time is where the risk is.
Join the newsletter!
Error: Please verify your email address.
cyber security labels