This document discusses a value-based approach to cybersecurity risk management that focuses on prioritizing strategic decisions. It defines value at risk (VaR) as the largest potential loss at a given probability or confidence level and outlines why VaR is useful for understanding problems, analyzing risks, prioritizing tasks, and communicating risks effectively. The document provides a use case applying VaR to assess the risk of potential losses from an endpoint privileged management system. It shows how VaR can quantify risk exposure and help determine how much should be invested in controls to mitigate threats and reduce losses.
Cybersecurity Risk Quantification
1. A Value-Based Approach to Cybersecurity Risk Management: Prioritizing and Driving Strategic Cybersecurity Decisions
@matthewkarnas | matthew.karnas@gmail.com
2. Matt Karnas
▪ Cybersecurity & Risk Leader
▪ +19 years of Experience Providing Professional Services
▪ Supporting Fortune 500 Companies and Federal Government Across Multiple Verticals
6. VaR is defined as the largest potential loss for a risk given a probability or confidence level.
7. Challenges
▪ Too Many Vendors Promising Silver Bullets
▪ Difficulty in Prioritizing Initiatives
▪ Misidentified Threats and Inappropriate Controls
▪ Compliance Driven, Security by Checklist
▪ Cybersecurity Events Affecting Organizational Objectives
▪ Ineffective Communication with 3 Tiers of Defense
15. Risk decomposition (the slide shows a tree; RISK is the root, LOSS FREQUENCY and LOSS MAGNITUDE its two branches)
RISK
  LOSS FREQUENCY
    THREAT EVENT FREQUENCY
      CONTACT FREQUENCY
      PROBABILITY OF ACTION
    VULNERABILITY
      THREAT CAPABILITY
      RESISTANCE STRENGTH
  LOSS MAGNITUDE
    PRIMARY LOSS
    SECONDARY LOSS
      SECONDARY LOSS EVENT FREQUENCY
      SECONDARY LOSS MAGNITUDE
16. Threat scenarios
| ASSET AT RISK    | THREAT COMMUNITY | VECTOR     | THREAT TYPE | THREAT EFFECT | CONTACT TYPE |
|------------------|------------------|------------|-------------|---------------|--------------|
| Employee Desktop | Criminal         | Email      | Malicious   | Integrity     | Intentional  |
| Employee Desktop | Criminal         | Payload    | Malicious   | Integrity     | Intentional  |
| Employee Desktop | Employee         | Phishing   | Error       | Integrity     | Regular      |
| Customer Data    | Criminal         | Ransomware | Malicious   | Integrity     | Intentional  |
| Customer Data    | Criminal         | Ransomware | Malicious   | Availability  | Intentional  |
Scenario diagram labels (image not recovered): CRIMINAL, PHISHING, EMPLOYEE, FILESHARE, RANSOM
17. LOSS FREQUENCY and LOSS MAGNITUDE estimates (three-point ranges with a confidence rating)
THREAT EVENT FREQUENCY
| Minimum | Likely | Maximum | Confidence |
|---------|--------|---------|------------|
| .05     | .10    | .75     | High       |
VULNERABILITY
| Minimum | Likely | Maximum | Confidence |
|---------|--------|---------|------------|
| .05     | .10    | .75     | High       |
PRIMARY LOSS MAGNITUDE
| Loss Factor  | Minimum | Likely | Maximum | Confidence |
|--------------|---------|--------|---------|------------|
| Response     | $250K   | $500K  | $750    | Medium     |
| Productivity | $1M     | $2.5M  | $5M     | Medium     |
SECONDARY LOSS EVENT FREQUENCY
| Minimum | Likely | Maximum | Confidence |
|---------|--------|---------|------------|
| .05     | .10    | .75     | High       |
SECONDARY LOSS MAGNITUDE
| Loss Factor | Minimum | Likely | Maximum | Confidence |
|-------------|---------|--------|---------|------------|
| Reputation  | $10K    | $100K  | $500K   | Medium     |
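The following is an added worked example, not code from the slide deck or its author. It takes the VaR definition from slide 6 and the decomposition on slide 15 (loss frequency = threat event frequency x vulnerability; loss magnitude = primary loss + secondary loss, with secondary loss occurring at the secondary loss event frequency) and simulates one year of the slide 17 scenario many times, so that "largest potential loss at a given confidence level" becomes a percentile of the simulated annual loss. Assumptions made here that the slides do not state: each three-point range is sampled from a modified PERT (Beta) distribution with shape parameter 4; the per-year number of loss events is drawn from a Poisson distribution with mean TEF x vulnerability; the secondary loss event frequency is treated as the probability that a loss event also causes reputation loss; and the "$750" Response maximum on slide 17 is read as $750K so that the range is well formed. Uses only the Python standard library.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Three-point estimate (minimum, most likely, maximum) as shown on slide 17."""
    minimum: float
    likely: float
    maximum: float

    def params(self, shape: float = 4.0):
        """Modified-PERT shape parameters (alpha, beta) of the underlying Beta distribution."""
        span = self.maximum - self.minimum
        if span <= 0:
            raise ValueError("maximum must exceed minimum")
        alpha = 1.0 + shape * (self.likely - self.minimum) / span
        beta = 1.0 + shape * (self.maximum - self.likely) / span
        return alpha, beta

    def sample(self, rng: random.Random) -> float:
        """Draw one value: minimum + span * Beta(alpha, beta); never below minimum or above maximum."""
        alpha, beta = self.params()
        return self.minimum + (self.maximum - self.minimum) * rng.betavariate(alpha, beta)


# Scenario values copied from slide 17 (frequencies per year, losses in dollars).
# Assumption: Response maximum is $750K, not the "$750" printed on the slide.
SCENARIO = {
    "threat_event_frequency": Pert(0.05, 0.10, 0.75),
    "vulnerability": Pert(0.05, 0.10, 0.75),
    "primary_loss": {
        "Response": Pert(250_000, 500_000, 750_000),
        "Productivity": Pert(1_000_000, 2_500_000, 5_000_000),
    },
    "secondary_loss_event_frequency": Pert(0.05, 0.10, 0.75),
    "secondary_loss": {"Reputation": Pert(10_000, 100_000, 500_000)},
}


def poisson(mean: float, rng: random.Random) -> int:
    """Number of loss events in one year (Knuth's inversion; fine for small means)."""
    limit = math.exp(-mean)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(scenario, years: int = 10_000, seed: int = 1):
    """Simulate `years` independent years and return the total loss of each."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        tef = scenario["threat_event_frequency"].sample(rng)
        vuln = scenario["vulnerability"].sample(rng)
        events = poisson(tef * vuln, rng)  # loss event frequency = TEF x vulnerability
        total = 0.0
        for _ in range(events):
            total += sum(p.sample(rng) for p in scenario["primary_loss"].values())
            # Secondary loss happens only for a fraction of loss events.
            if rng.random() < scenario["secondary_loss_event_frequency"].sample(rng):
                total += sum(s.sample(rng) for s in scenario["secondary_loss"].values())
        annual.append(total)
    return annual


def value_at_risk(losses, confidence: float) -> float:
    """Slide 6 definition: the loss not exceeded with probability `confidence`."""
    ordered = sorted(losses)
    index = min(len(ordered) - 1, max(0, math.ceil(confidence * len(ordered)) - 1))
    return ordered[index]


def summarize(losses):
    """Figures a risk owner would put next to a control's cost."""
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "var_95": value_at_risk(losses, 0.95),
        "var_99": value_at_risk(losses, 0.99),
        "max_simulated": max(losses),
    }


if __name__ == "__main__":
    for name, value in summarize(simulate_annual_losses(SCENARIO)).items():
        print(f"{name:>22}: ${value:,.0f}")
```

The expected annual loss is what to compare against a control's yearly cost; VaR at 95% or 99% is the figure for the "how much could we lose in a bad year" conversation. Because the slide 17 frequencies are low, most simulated years have zero loss, which is why VaR at a low confidence level (say 50%) is often zero while the tail is in the millions.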
21. Benefits
▪ Be Selective on Vendors Based on Actual Value Providing
▪ Make Prioritization Decisions Credible and Defensible
▪ Invest in Controls that Provide Real Value to Potential Threats
▪ Drive Security Program Based on Risk
▪ Gain Better Insight into the Threats that Affect Objectives
▪ Communicate Across the Three Lines of Defense
22. Getting started
▪ Don’t Boil the Ocean
▪ Try a Proof-of-Concept
▪ Start Decomposing
▪ Describe Risk in Relative Terms