This document discusses a value-based approach to cybersecurity risk management that focuses on prioritizing strategic decisions. It defines value at risk (VaR) as the largest potential loss given a probability and outlines why VaR is useful for understanding problems, analyzing risks, prioritizing tasks, and communicating risks effectively. The document provides a use case applying VaR to assess the risk of potential losses from an endpoint privileged management system. It shows how VaR can quantify risk exposure and help determine how much should be invested in controls to mitigate threats and reduce losses.

1. A Value-Based Approach to
Cybersecurity Risk Management:
Prioritizing and Driving Strategic Cybersecurity
Decisions
@matthewkarnasmatthew.karnas@gmail.com @matthewkarnas

2. Matt Karnas
▪ Cybersecurity & Risk Leader
▪ +19 years of Experience Providing
Professional Services
▪ Supporting Fortune 500 Companies and
Federal Government Across Multiple Verticals

4. Why It’s UsefulWhat is VaR
Use Case
1. 2.
3.
Try it Out
4.

5. What is VaR
out of1. 4.

6. VaR is defined as the largest potential
loss for a risk given a probability or
confidence level.

7. Too Many Vendors
Promising Silver Bullets
Difficulty in Prioritizing
Initiatives
Misidentified Threats and
Inappropriate Controls
Compliance Driven,
Security by Checklist
Cybersecurity Events Affecting
Organizational Objectives
Ineffective Communication
with 3 Tiers of Defense

8. Why is it Useful
out of2. 4.

9. Measurement is a set of observations
that reduce uncertainty.

10. Understand the problem or threat at
hand first before analyzing risk.

11. Perform comparisons, prioritize tasks
and make decisions.

12. Communicate in a language that
your audience can understand.

13. Use Case
out of3. 4.

14. Use Case:
Endpoint Privileged
Management,
External/Criminal,
Customer Data

15. LOSS FREQUENCY LOSS MAGNITUDE
RISK
THREAT FREQUENCY VULNERABILITY PRIMARY LOSS SECONDARY LOSS
CONTACT
FREQUENCY
PROBABILITY
OF ACTION
THREAT
CAPABILITY
RESISTANCE
STRENGTH
EVENT
FREQUENCY
LOSS
MAGNITUDE

16. ASSET AT
RISK
THREAT
COMMUNITY
VECTOR
THREAT
TYPE
THREAT
EFFECT
CONTACT
TYPE
Employee Desktop Criminal Email Malicious Integrity Intentional
Employee Desktop Criminal Payload Malicious Integrity Intentional
Employee Desktop Employee Phishing Error Integrity Regular
Customer Data Criminal Ransomware Malicious Integrity Intentional
Customer Data Criminal Ransomware Malicious Availability Intentional
CRIMINAL
PHISHING
EMPLOYEE
FILESHARE
RANSOM

17. LOSS FREQUENCY LOSS MAGNITUDE
THREAT EVENT FREQUENCY
Minimum Likely Maximum Confidence
.05 .10 .75 High
VULNERABILITY
Minimum Likely Maximum Confidence
.05 .10 .75 High
PRIMARY LOSS MAGNITUDE
Loss Factor Minimum Likely Maximum Confidence
Response $250K $500K $750 Medium
Productivity $1M $2.5M $5M Medium
SECONDARY LOSS EVENT FREQUENCY
Minimum Likely Maximum Confidence
.05 .10 .75 High
SECONDARY LOSS MAGNITUDE
Loss Factor Minimum Likely Maximum Confidence
Reputation $10K $100K $500K Medium

18. MAXIMUM $5.00M
90% $2.00M
AVERAGE $1.50M
10% $1.25M
MINIMUM $1.00M
CURRENT STATE
FOR SCENARIO

19. $5.0M
$2.5M
$1.25M
$0.0M
LossExposure
Annualized Loss Exposure
100%
ProbabilityofLossorGreater
Loss Exceedance Chart
50%
75%
25%
0%
$1.25M $1.5M $2.0M $5.0M$0.0M
I’m 90% confident in the estimate, that if these series of events occurs,
we can incur a loss of up to $5 million. We can spend $225,000 in
controls and staffing to reduce the loss by $2.5 million.

20. Try it Out
out of4. 4.

21. Be Selective on Vendors Based
on Actual Value Providing
Make Prioritization Decisions
Credible and Defensible
Invest in Controls that Provide
Real Value to Potential Threats
Drive Security Program
Based on Risk
Gain Better Insight into the
Threats that Affect Objectives
Communicate Across the
Three Lines of Defense

22. Don’t Boil the Ocean Try a Proof-of-Concept
Start Decomposing Describe Risk in Relative Terms

23. Questions?

24. Thank You
@matthewkarnasmatthew.karnas@gmail.com @matthewkarnas