Before I get into this, I should re-acknowledge that I believe there are better methods to measure/evaluate risk, and I fully subscribe to their development. However, I am looking for evolution not revolution – Geoffrey Moore pointed out the challenges of disruptive innovation in “Crossing the Chasm” many years ago and I agree wholeheartedly. Evolution to me means slightly modifying existing approaches in beneficial ways. That is why a few of us are developing the Tech Risk Mgt Maturity Model.

So my goal is, essentially, to be “better than existing practices in techrisk mgt” – I am looking for marginal utility.

I also believe that resources are scarce and that every time infosec/techrisk folks make decisions about allocating them they are revealing preferences that are measurable in very coarse ways. Even though the existing models are seen as “qualitative” we can create control horizons and conduct breakeven analysis in ways to tease out some thresholds at the very least.

Now, to answer the questions:

• Pr(t): Yes, “the probability that a (sufficiently capable) threat actor will attack the system of interest” characterizes my belief well. And since I go out of my way to remind liability-minded folks that the intelligent adversary makes our situation much different from the “acts of god” kinds of hazard, I should acknowledge the non-randomness of the threat… but I am not ready to do that, exactly… for the same reasons as the “random walk down Wall Street” problem – easy to assert non-randomness yet hard to show otherwise.

Here is my thought process:
a) If it isn’t random, it should be predictable; and
b) if it isn’t predictable, then it approximates randomness (especially in the aggregate).
c) Since we can’t predict threat (afaik) then we should be evaluating any model compared to random, so
d) random is a good place to start.

There are many ways to approach how to determine Pr(t) – could be degrees of belief, could be public data (real-time blacklists, etc.), could be based on historical data, could be something else. My favorite application is a simple comparison of two scenarios. I don’t even quantify – just look at the accessibility of the two “systems of interest” and determine which one is higher (compare, say, a bluesnarf attack that requires local proximity to a sql injection that can happen from anywhere; or assess the diff in wi-fi attacks btwn being in the city and in the country). I come up with higher Pr(t) for the latter and the former in my two examples. (It may also be useful to factor in attacker’s costs in the first example).

• Pr(v): This is difficult to characterize, but I think of it more as “the probability that a system of interest will be attacked, and that the attack will succeed [within some time period].” While I agree that any non-trivial system is vulnerable in a theoretical sense, it does not appear that every system is compromised (and I think that “two kinds of orgs – those that are compromised and those that don’t know it yet” *is* closer to nonsense than r=t*v*i). Whether there is an over-abundance of targets, the attacker costs are too high, the control environment is sufficiently strong, or some other reason, not all systems are in a compromised state and so it is worthwhile to measure. It is especially important since the bulk of our defensive efforts revolve around reducing this probability.

Again, estimating Pr(v) can be done in similar ways as Pr(t). In my comparative analysis – I look at things like number of users (as vulns), size of code base, number of open ports, RASQ, etc…

• It is worth discussing why breaking down Pr(event) into Pr(t)*Pr(v) is beneficial. For the most part, I would actually prefer to simply use Pr(event) if we have enough information (historical data). For example, I think we have pretty good data on email-borne attacks and so I wouldn’t be working too hard on assessing ‘t’ and ‘v’ there, though the McColo takedown can show how much of an impact a change in ‘t’ can have.

Maybe the biggest reason is that the respective populations are different and can change drastically. Here are some use cases:

a) One of the better uses is to compare two scenarios/architectures. Banking from smartphone vs. laptop; moving to cloud from internal; determining risk btwn WEP vuln and remote Windows vuln; etc…

b) Acknowledge that if ‘t’ or ‘v’ is 0, then Pr(event) is 0. Though it is hard to conceive of a case where ‘v’ is 0, we can see ‘t’ approaching it in lots of PoCs.

c) Showing the significance of ‘t’ or ‘v’ as its partner approaches 1. I agree that ‘v’ is essentially 1.0 so why do we spend all our time on it? Maybe we should be doing other things… this is also why I think the move towards threat intel is so important.

d) To help folks see how changes in populations of either ‘t’ or ‘v’ might affect each other, and ultimately risk. Like the McColo takedown, bounties (on malware writers and bugs), etc. My favorite use may be pointing out that vuln disclosure does nothing to ‘v’ since it was already there; the impact is on ‘t.’

To round things out, all this is “good enough” at the level of precision we are working at, and “better than” existing practices, IMO.

For our latest debate – Android vs. iOS – there are three sets of numbers that have recently come into play for evaluation:

1. Number of vulnerabilities: A recent blog post on TheVerge.com highlights that iOS and its 238 vulns from 2007-2013 has 8.8x more vulnerabilities than Android’s 27 from 2009-2013.
2. Number of malware samples: In April, a Symantec report [PDF] pointed out that Apple’s 387 vulns in 2012 dwarfs Android’s 13 and yet Android had 103 “mobile threats” (malware) compared with Apple’s 1. Importantly, they also point out that “most mobile threats have not used software vulnerabilities.”
3. Percent of traffic: A paper presented at NDSS ’13 [PDF] monitored actual smartphone traffic and found that a) “The mobile malware found by the research community thus far appears in a minuscule number of devices in the network: 3,492 out of over 380 million (less than 0.0009%)” and b) “users of iOS devices are virtually identically as likely to communicate with known low reputation domains as the owners of other mobile platforms, calling into question the conventional wisdom of one platform demonstrably providing greater security than another“

Now, since we all know that security is the number one priority for IT decisions (heh), the CIO is waiting to hear from us on which platform is more secure. How do you answer?

Here’s my analysis, just using the numbers provided*

First, number of vulnerabilities as a measure is often thought of as a leading indicator of risk even though we all recognize that more vulns found equals fewer vulnerabilities remaining. The perception, however, is that there are actually even more vulns left. Absent of any other information, however, it is worth considering the notion that a higher number here is a measure of stronger security going forward (that is, #vulns is a lagging indicator). It doesn’t help matters that at least one of the sets of numbers inexplicably uses different time periods in its analysis. This measure would be much more useful if we had a way to normalize the numbers across platforms – the two most obvious ways would be with 1) a measure of complexity or size of the code base or 2) a measure of the personhours expended in looking for vulns. While I favor this latter option, it is not very practical.

The second measure, number of malware samples, is interesting because it is closer to the actual compromise. In addition, as Symantec points out many of them don’t exploit software vulnerabilities (this is another knock against using vuln counts). The challenge here is that there is essentially unlimited ability to create more malware samples. Moreover, the notion of a “mobile threat” is fairly broad and not always threatening to the extent that legitimate apps have some similar characteristics. Given the (somewhat) restricted methods for distribution and installation of apps on smartphones, a better measure would be to identify the distribution and accessibility to the population of these malware apps. In this case, getting an understanding of the number of downloads would get significantly closer to understanding the relative risk.

The final measure, compromised smartphones, provides a historical measure of actual infected phones. Aside from the really, really low number, we must decide whether these values are a good reflection of (future) risk or not. Since this number identifies compromised systems, it gets us closest to that which we are trying to prevent, which is useful. Ultimately, I believe this measure is the best of the three in helping us understand “risk” in the mobile world. And right now, it’s a tossup.

A better measure for determining which platform is more secure, in my opinion, would involve a measure of attack surface combined with one of devices sold (as a placeholder for activity volume and popularity).

So, for example, using available data they calculated that automatic fire extinguishers in airplane lavatory trash receptacles cost $16,000 per life year saved. (This was in 1993 – maybe smoking was still allowed then?)

Interestingly, these costs ranged from “those that save more resources than they consume to those costing more than 10 billion dollars per year of life saved.” The median cost per life year saved was $42,000. The paper also breaks down amounts by type of intervention, prevention stage, and even provides some data on proposed govt regulations by regulatory agency (FAA median $23,000; EPA median $7,600,000).

As a quick aside, the existence of this data helps one understand that even though circumstances where “success means nothing happened” (in this case, death didn’t happen), there is still plenty of opportunity to assess the benefit of some particular intervention.

These types of “revealed preference” study results can be eye-opening to those that suggest we should spend “whatever it takes” to address some particular concern. In looking at the large variance in costs, perhaps that isn’t the best course of action. It is nice to think we have unlimited resources, but at some point they run out. When they do, not only does that impact overall effectiveness, but opportunity costs come into play.

What does this mean for cybersecurity? Though it is not fair any more to say there is no data available to our profession, it certainly is difficult to leverage the data coming out in ways that are helpful to an organization. However, we can start thinking in terms of estimates and measures that make sense. In particular, we can evaluate and compare costs of various controls to each other and factor in some notion of anticipated risk reduction.

We can learn a lot from studies like these.

The challenge for us when measuring impact of some infosec-related incident is that the systems/assets often keep generating the expected value to an organization. Even DoS events against eCommerce sites – perhaps one of the easiest impacts to measure – should consider loyalty at this stage for people to come back and shop later if a system is out. It is often much more difficult than that – if the formula for Coca-Cola is stolen, it doesn’t impact Coke’s ability to make/distribute the drink; it is more likely to have some impact like lost market share due to black-market knockoffs (not sure if this is a problem in the soft drink world). Even more challenging might be the situations where an illegitimate third party can make even more revenue through stolen IP than the victim – did the victim actually lose that?

Creating estimates with problems like this is really challenging so I think we are much better off starting with the revealed preference thresholds that are out there – trying to assess just how much we spend to pursue/defend IP rights through legal means and using that as a baseline, for example. The logic being, again, that if you spend $5m protecting your IP, that is at least as much as you believe you could lose if you didn’t. I’d take this method over the notions of “brand” and “reputation” that get bandied about (for non-human organizations, it *should* all boil down to lost income and/or increased costs – current or future).

Considering thresholds and revealed preferences, security spending is a great baseline number for estimating risk. That is, if our security spending is $5m then we are betting that $5m is offsetting $5m in potential losses, at minimum (advocates of the GLEIS model might even suggest it is something like 39% of potential losses). This line of reasoning is also useful in helping us develop a “control horizon” – we can draw a line on a risk matrix using this spending (aka minimum estimated risk) as the slope. we can also plot the intersection with IT spending, profit, revenue, or other numbers that might be useful in comparison. As we slice up a risk matrix like this, we can determine whether our judgments about risk are holding up based on where they fit as well.

I consider this approach very ALE-like – certainly aggregated and coarse (though it could be applied to individual scenarios as well) and with the caveat that security spending must be carefully calculated. At the level enterprises are working today, I think this information would be very useful in helping folks understand the risk decisions they are making.

“After multivariate adjustment for major lifestyle and dietary risk factors, the pooled hazard ratio (HR) (95% CI) of total mortality for a 1-serving-per-day increase was 1.13 (1.07-1.20) for unprocessed red meat and 1.20 (1.15-1.24) for processed red meat.”

As with many studies about diet, lifestyle, and death, this one has sparked discussion. The Numbers Guy from the Wall Street Journal, Carl Bialik, wrote two articles on the study itself and the difference between absolute risk and relative risk numbers that often create confusion and annoyance. That article led me to the always excellent Understanding Uncertainty blog post by Dr. David Spiegelhalter’s fuller treatment of exactly what a 13% increased risk of death actually means (dying about a year younger, in case you are wondering). It also provides discussion on correlation/causation caveats and the practical application of the numbers.

All this discussion is interesting and should be useful for any IT risk professional interested in quantitative treatments of risk. But these details are not the reason I am writing this. As I was reviewing the information, it struck me just how difficult this is in the physical world. This quote from Dr. Willett in the L.A. Times article really highlights the problem:

“In principle, the ideal study would take 100,000 people and randomly assign some to eating several servings of red meat a day and randomize the others to not consume red meat and then follow them for several decades. But that study, even with any amount of money, in many instances is simply not possible to do.”

What struck me was not only how hard this is, but also the rigor of the results in the face of the described obstacles. And, even more importantly how much easier this would be for IT risk professionals in the virtual world.

In the virtual world, we actually could design and conduct a study that controlled for almost every variable to quantify risk. We could, for example, deploy 10,000 or 100,000 virtual machine clients around the Internet that were all configured exactly alike with the exception of some specified difference – patched vs. non-patched, different anti-malware solutions and/or signature updates, open vs. closed ports, other configuration changes, etc. About the hardest part would be determining how/where to deploy the VMs and coming up with a “honeymonkey” algorithm to mimic user activity.

Perhaps the biggest challenge would be recognizing and characterizing the intelligent adversary contribution to the variance in the numbers – the popularity of vulnerabilities, exploit techniques, 0days, etc. And that would be the good stuff, as well.

Conducting an experiment like this seems so easy to me that I wonder if somebody is already doing it. I am pretty sure some group (ISC?) used to do some sort of “time-to-compromise” metric for unpatched systems. And I suspect there may be others. Does anyone know of experiments/studies being done similar to this? If so, I’d love to hear about them. If not, why not?

For these others, I will do my best to make them:

“Last month’s activity has brought to light some opportunities for improvement. We revisited our policies associated with the 4 million blocked connections and determined that approximately 10,000 (.25 percent) should have been allowed and we made a configuration change to address the issue. In addition, the policy associated with the 1695 initially suspected connections were evaluated and changes to our security posture were made that should reduce these false positives by 50 percent. To address the 5 incidents, we have instituted remedial training for the individuals involved and instrumented the affected systems with new means for intrusion detection.”

Read more in my article at CSOonline.com.

Of course, the attackers didn’t use spear-phishing then, but the idea of the “APT”  as an adversary was alive and well (and I am sure there are others that could reasonably trace the adversarial aspect back before computers). Through the years, we’ve heard about (and seen evidence of) things like “blended threats” and the “low and slow attacks” that occur over time. TJ Maxx, Heartland, and many of the other most public attacks can be considered APT in a general sense (though presumably the threat actor doesn’t quite match up). And certainly Google/Aurora was the most prominently identified APT incident that matches up pretty consistently with the RSA attack.

Even the advocates of the APT idea agree that the individual elements of the APT are not particularly new. That begs the question of why do we need a new label to discuss things that are not so new? And the answer is obvious – because those folks that are advocating APT do not believe enough is being done to prevent these types attacks. That is, they think the risk is greater than the effort to mitigate them.

It is not uncommon in the security space for people to latch onto a term and make it mean everything, and therefore nothing. It isn’t necessarily malicious; sometimes it is a result of a weakly defined term or poor choice of words. Sometimes it is a way to shake out some economic doldrums in a time of flat spending even while the market remains competitive.

But the question remains: are we spending less than we should? There is ample evidence in the broader risk management community for two pieces of this puzzle that go hand-in-hand. First, humans are likely to pay less attention to the low frequency, high consequences events. And second, that fear of the unwanted outcome causes people to overestimate the likelihood of an event. So when people use the term “APT” in a manner that some would call FUD, it may actually offset the lower attention and work out in the end.

Ultimately, I think advocates of APT are going to have a hard time convincing others that the risk is higher than we think. Truthfully, it is not clear to me that they are even performing some sort of risk analysis because they themselves are caught up in the “dread” cycle that causes them to overestimate the risk. It would be great for proponents to put together some numbers that assist in measuring frequency and consequences for all those involved so we can better determine our infosec strategy.

Two other observations from the RSA hack that I thought were noteworthy: 1) RSA highlighted that their recommendations were “Security 101″ which I agree with, but that doesn’t fare well when also trying to promote the notion of the APT. We should at least be in Security 102 (second semester ) for APTs, right? Also, 2) I am concerned that we are going to lose sight of what it means to stop an attack “in progress.” AFAIK, RSA has not publicly stated what the duration of the attack was, from the time of initial attack (the spear-phish) to the time of identification and response. The whole notion of catching something “in progress” AFTER data is lost seems somewhat specious to me without a better explanation.

More importantly, nobody is budging because there is nothing new here. Mike simply took semi-random potshots at risk quantification, used a lot of potty language and then sat back. Perhaps the most ironic part of his post was his claim that he was the one baiting trolls. Clearly, with all the wild assertions he makes, he is the troll… unless he didn’t do his homework. No infosec quant I know thinks “generating a number makes them right” nor would they make a statement like “the risk of firing the admin is 92.”

In a lot of respects, the simple fact that a number of folks who favor the status quo (strange in itself) are attempting to discredit a nascent approach to infosec risk (though it isn’t nascent in many other risk management arenas) shows that the ideas are picking up some steam. One of the great things about a measurement approach is that it is transparent and therefore more easily attackable than a qualitative approach that hides behind its ambiguity. Perhaps the collective body of qualitative approaches can most easily be characterized as simply “not quant,” which doesn’t say much for them.

In some respects, Mike is right that risk metrics (better described as risk measures, IMO) are crap. But the only thing worse than quantifying risk is the status quo – existing techniques for qualitative risk assessments. So we are caught between a rock and a hard place here, and in the absence of advances in qualitative risk assessment (really, how would we know that advances were actually advances?) I opt for risk measurement.

This debate between qualitative and quantitative approaches really isn’t an either-or proposition. Mike seems to think that an ordinal scale of measurement (“We need to be able to categorize every decision into a number of risk buckets that can be used to compare the relative risk”) isn’t quantitative but it is, in a rudimentary way. And certainly we can do better than saying “the likelihood is greater than zero and less than 100%” for some particular negative outcome. If we can’t, we really shouldn’t complain about our companies not taking our advice… because it isn’t really advice, right? The true value we provide to our organizations is to whittle those 0-100 intervals down – in objective terms, smaller confidence intervals equate to higher levels of expertise.

Perhaps the most important point about the debate between qualitative and quantitative techniques is that in order to make risk management decisions – that is, to allocate our security resources – we MUST quantify risk, and in fact we ARE quantifying risk. We know that the resources we are allocating for security have both real costs and opportunity costs associated with them. Whether we are making a purchasing decision for $10 million in security products or simply creating a prioritized to-do list, we are expressing relative value. Economists call it “revealed preferences” when we demonstrate value through our resource consumption practices. And we reveal a lot.

At the very least, we can total up the costs of our security consumption behavior and create an “indifference curve” (I call this a control horizon) that plots a line for all pairs of likelihood and consequences at the point where we should be indifferent between applying the controls or bearing the expected losses. A million dollar investment “breaks even” in circumstances where there is a 1% chance of losing $100 million or a 99% chance of losing $1.01 million and at all the points in between the two. Of course, we usually don’t do this explicitly, but when we decide an investment is “worth it” this is the implication nonetheless. A good decision means that the actual risk lay on or above the line (on a risk matrix), and a bad decision is made when the risk is actually below the line – meaning we are paying more in security measures than the expected loss for the risk being addressed.

It is worth repeating that we are measuring risk already because these measures are buried under the covers of “qualitative risk assessment.” That is what I see as the true value of quantitative models – they are transparent. Converse to Mike’s assertion that risk measurers think “generating a number makes them right,” I would assert that we know we aren’t right, but this makes us more precise. That is, it sets the table for a legitimate discussion about risk-related information so that we can come to some conclusions about values and then determine how to address the risks.

I mentioned earlier that our infosec models are nascent, but that is not entirely accurate. The basic models themselves are fairly robust and have been vetted by economists and mathematicians in numerous other arenas; our challenge is in determining the inputs. Make no mistake, the quality of the inputs drives the accuracy of the model and that will always be a judgment call made with the help of experience and historical data (and thus Mike’s snark at the sub-prime mortgage debacle should be directed at the people who decided the inputs, not the models).

There is no need to malign the risk models and measurements; after all, they underly our existing decisions. And trust me, we quants have been agreeing with and responding to challenges like this for years. To whatever extent it makes people nervous to illuminate the set of assumptions behind security recommendations, it just may be for all the wrong reasons.

Want to get involved with the new generation of risk modelers? Check out how Alex Hutton, Jay Jacobs, Chris Hayes, and others are furthering the modeling work of Jack Jones’ FAIR over at the Society of Information Risk Analysts. It just may be your future.

Andrew Gelman’s enlightening blog points to a great example how scientific research helps us get smarter. He excerpts:

Three articles published [by Brett Pelham et al.] have shown that a disproportionate share of people choose spouses, places to live, and occupations with names similar to their own. These findings, interpreted as evidence of implicit egotism, are included in most modern social psychology textbooks and many university courses. The current article successfully replicates the original findings but shows that they are most likely caused by a combination of cohort, geographic, and ethnic confounds as well as reverse causality.

[Unfortunately, the entire original appears to be behind a paywall.]

The studies done by Pelham suggest some relationship between things like the sound of your first name compared to your profession (Dennis the Dentist, for example). This research then spurred some further research that refutes the claims for various reasons. Gelman pulled a chart from the article with a neat summary here.

Now, some might point to this scenario as an illustration of how useless science is – after all, the original studies have generated conclusions that may not be correct. I think that even though the studies are being called into question, that is the beauty of the scientific process. Otherwise, we are simply stuck with a case of he said, she said with no evidence to back up either conclusion.