SACON - Cyber Risk Assessment Using Bayesian Network (R Venkat)

SACON
SACON International 2017
India | Bangalore | November 10 – 11 | Hotel Lalit Ashok
Cyber Risk Assessment – Bayesian
Network
R Venkatasubramanian
Head of Information Risk Management)
Cognizant Technology Solutions

SACON 2017
The Problem with Heat
Maps
(C) Ramakrishnan Venkatasubramanian 2017 2

SACON 2017
The Problem with Heat Maps
• Tony Cox Jr., (Ph.D. in Risk Analysis from MIT), has probably studied risk
matrices more than anyone else
• His findings:
• “…there is not a single study indicating that the use of such methods actually helps reduce risks”
• "…the proliferation of such methods may well be due entirely to their perceived benefits and yet
have no objective value”
• Risk matrices could even be worse than randomly prioritized risks
• His conclusion:
• Risk matrices are often "worse than useless"
3 (C) Ramakrishnan Venkatasubramanian 2017

SACON 2017
The Range Compression Problem
Risk A: Likelihood is 50%, impact is $9 million à 50% * $9 million = $4.5 million
Risk B: likelihood is 60%, impact $2 million à 60% * $2 million = $1.2 million
Risk A > Risk B but Risk A is Medium and B is High

SACON 2017
Other Problems with Heat Maps
• The scales (buckets) are chosen arbitrary but their choice impacts the response.
For example: on a scale of 1 to 5, "1" will be chosen more often than on a scale
of 1-10 even if "1" is defined exactly the same”
• Interpretations vary significantly. For example "Very likely" was found to be
ranging from 43% to 99%.
• Sometimes ordinal scales for likelihood don't even define the reference time
period (Like yearly etc.).
• Direction of scale ( 5 is high or 5 is low affects response).
• Anchoring: Just thinking of a number prior to analysis impacts the choices. You
think of a high number you end up choosing higher ratings.
• Other cognitive biases: Availability Heuristics, Gambler's Fallacy, Optimism
Bias, Confirmation Bias, Framing, Overconfidence…

SACON 2017
Uncertainty, Probability &
Bayes Theorem
(C) Ramakrishnan Venkatasubramanian 2017
Embrace Uncertainty
6

SACON 2017
• Would Stock A move up by 20% in the next 1 year?
• Which movie should we watch next?
• Can I come home safely?
• From search engine or online retailers perspective:
• Which web page is D trying to find?
• Which link will E click on?
• What kind of product does F wish to buy?
• What gesture is G making?
• Many others …
Uncertainty everywhere

SACON 2017
Aleatory uncertainty - Uncertainty that comes from a random process.
• Flipping a coin and predicting either HEADS or TAILS is aleatory uncertainty.
• In other words, the uncertainty we are observing is random, it is part of the natural processes of what we
are observing.
Epistemic uncertainty - Uncertainty that comes from the lack of knowledge.
• This lack of knowledge comes from many sources. Inadequate understanding of the underlying processes,
incomplete knowledge of the phenomena, or imprecise evaluation of the related characteristics are
common sources of epistemic uncertainty.
• In other words, we don't know how this thing works so there is uncertainty about its operation
Types of Uncertainty

SACON 2017
How can we quantify uncertainty in a principled way?
PROBABILITY
Two views of probability
• Frequency: limit of infinite number of trials
• Bayesian: quantification of uncertainty
Handling Uncertainty

SACON 2017
Probability vs. Possibility
• Possibility is “binary": something is possible or it is not.
• Probability is a continuum addressing the area between certainty and impossibility.
Risk management deals with probability as it deals with future events that
always have some amount of uncertainty.
Probability Possibility
There is a 50% chance of rain
between 10am and 2pm today
It’s possible it could rain today
The chance of being killed by a
shark is one in 300 million
It’s possible we could be killed by
a shark when swimming

SACON 2017
Which of these is the most likely sequence from tossing a fair coin 16 times?
T T T T T T T T T T T T T T T T
T H H H H H H H HT T T T T T T
Let’s Play

SACON 2017
• What is the probability of at least 2 people out of 23 having the same birthday?
• 8%
• 51%
• 2%
• 14%
• What is the chance of people choosing same number from 1 to 100 out of 20 people?
• 87%
• 51%
• 5%
• 10%
• 1 in 1,000 system have vulnerability say D . A test for vulnerability D is 100% accurate for
systems that have the vulnerability and 95% accurate for those not...
Your system received a positive test result. What is the probability you have vulnerability D ?
• 95%
• 5%
• 90%
• 2%
Let’s Play

SACON 2017
The Rules of Probability
Sum Rule
Product Rule
Bayes Theorem
Normalization Constant

SACON 2017
= 𝑃 𝑥 𝑦 𝑃(𝑦)
𝑃 𝑦 𝑥 =
𝑃 𝑥 𝑦 𝑃(𝑦)
𝑃(𝑥)
prior
𝑃 𝑥, 𝑦 = 𝑃 𝑦 𝑥 𝑃 𝑥
likelihood
posterior
Prior – belief before making a particular obs.
Posterior – belief after making the obs. Posterior is the
prior for the next observation
– Intrinsically incremental
Bayes Theorem

SACON 2017
Now for a Whodunit…

SACON 2017
A murder mystery
A fiendish murder has been committed
Whodunit?
There are two suspects:
• the Butler
• the Cook
There are three possible murder weapons:
• a butcher’s knife
• a pistol
• a fireplace poker

SACON 2017
Prior distribution
Culprit = {Butler, Cook}
P(Culprit)
Butler has served family well for many years.
Cook hired recently, rumours of dodgy history
P(Culprit = Butler) = 20% P(Culprit = Cook) = 80%
Probabilities add to 100%

SACON 2017
Conditional distribution
Butler is ex-army, keeps a gun in a locked drawer
Cook has access to lots of knives
Butler is older and getting frail
P(Weapon | Culprit)
Prior distribution
P(Culprit)
P(Weapon | Culprit)
Weapon = {Pistol, Knife,
Poker}
Conditional
distribution

SACON 2017
Joint distribution
What is the probability that the Cook committed the murder
using the Pistol?
P(Culprit = Cook) = 80%
P(Weapon = Pistol | Culprit = Cook) = 5%
P(Weapon = Pistol , Culprit = Cook) = 80% x 5% = 4%
Likewise for the other five combinations of Culprit and Weapon

SACON 2017
Joint distribution
Product rule𝑃 𝑥, 𝑦 = 𝑃 𝑦 𝑥 𝑃(𝑥)
= 100%
P(Weapon, Culprit) = P(Weapon | Culprit) P(Culprit)
Likewise for the other five combinations of Culprit and Weapon

SACON 2017
Marginal distribution of Culprit and weapon
Sum rule

SACON 2017
P(Culprit)
P(Weapon | Culprit)
Weapon = {Pistol, Knife, Poker}
P(Weapon, Culprit) = P(Weapon | Culprit) P(Culprit)
Generative model
Generative model
Murderer Weapon
Cook Knife
Butler Knife
Cook Pistol
Cook Poker
Cook Knife
Butler Pistol
Cook Poker
Cook Knife
Butler Pistol
Cook Knife
… …

SACON 2017
Posterior distribution
We discover a Pistol at the scene of the crime
= 20%
= 80%
This looks bad for the Butler!

SACON 2017
Bayes Theorem to
Probabilistic Graphical Model
(Bayesian Network)

SACON 2017
What is Bayesian Network (BN)?
1. BNs, also known as belief networks (or Bayes nets, for short), belong to the family of probabilistic
graphical models (PGMs).
2. These graphical structures are used to represent knowledge about an uncertain domain.
3. PGMs with directed edges are generally called a directed acyclic graph (DAG), which is popular in
statistics, machine learning and artificial intelligence.
4. “A BN is a visual description of the relationships between cause and effect. It is made up of
nodes and arcs, and each node in the network represents a variable, and the arcs represent the
causal relationships between the variables.”
5. BNs use Bayes’ theorem to compute the probabilities in the model.

SACON 201726
Why Bayesian Network?
Graphs are an intuitive way of representing and visualising the relationships between
many variables. (Examples: family trees, electric circuit diagrams, neural networks)
A graph allows us to abstract out the conditional independence relationships between
the variables from the details of their parametric forms. Thus we can ask questions like:
“Is A dependent on B given that we know the value of C ?” just by looking at the
graph.
Graphical models allow us to define general message-passing algorithms that
implement Bayesian inference efficiently. Thus we can answer queries like “What
is P(A|C = c)?” without enumerating all settings of all variables in the model.
Graphical models = statistics × graph theory × computer science.

SACON 2017
Conditional Independence
(Key to Exploit Graph
Structure)

SACON 2017
Conditional Independence

SACON 2017
Two coins
Both heads
{true, false}
Coin 2
{H,T}
Coin 1
{H,T}
p(H) = 1/2 p(H) = 1/2

SACON 2017
What is the probability of two heads?
Coin 2
{H,T}
Coin 1
{H,T}
p(H) = 1/2 p(H) = 1/2
Generative model
Coin 1 T T H H
Coin 2 T H T H
Both heads false false false true
Both heads
{true, false}
p(true) = 1/4

SACON 2017
Reasoning backwards
Both heads
{true, false}
Coin 2
{H,T}
Coin 1
{H,T}
p(H) = 1/3
p(H) = 1/3
false
Inference
Coin 1 T T H
Coin 2 T H T
Both heads false false false tr e
Coin 2
{H,T}
Coin 1
{H,T}
Both heads
{true, false}
Coin 1 T T
Coin 2 T H
Both heads false false f
a
T
l
H
se tr e
H
H
u
false
tails p(H) = 1/2
31

SACON 2017
Reasoning backwards
Coin 2
{H,T}
Coin 1
{H,T}
p(H) = 0
Coin 1
Coin 2
Both heads f
a
T
T
lse fal
T
H
se
H
T
false tr e
H
H
u
heads
“Explaining away”
false
Both heads
{true, false}

SACON 2017
Key Inference Algorithms
• The Sum-Product (Message Passing)
• Junction Tree
• Loopy Belief Propagation
• Variational Message Passing
• MCMC
• Etc…

SACON 2017
Demo
• Bayesian Update
• Simple Risk and Control
• ROI/ROSI
• Security Breach
• Hacking
• Security Audit

SACON 201735
Key Takeaways
• Embrace Uncertainty using theory of Probability
• Probabilistic risk analysis methods inform actionable decisions.
• Only few samples are required when our uncertainty is high
• Domain Expertise matters
For further details refer my blogs in LinkedIn and ISACA Paper
• https://www.linkedin.com/in/venkatasubramanian-ramakrishnan-5544b9/recent-activity/posts/
• https://www.isaca.org/Journal/Blog/Lists/Posts/Post.aspx?ID=338
Key takeaways

SACON 2017
Thank you

SACON - Cyber Risk Assessment Using Bayesian Network (R Venkat)

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (20)

More from Priyanka Aash

More from Priyanka Aash (20)

Recently uploaded

Recently uploaded (20)

SACON - Cyber Risk Assessment Using Bayesian Network (R Venkat)