See Bill Frank’s biography and contact information at the end of this article.
This article is Part Two of my series on managing cyber-related business risks. In Part One, I discussed the relationship between Defensive Controls and Performance Controls. Defensive Controls directly block threats. Performance Controls measure the effectiveness of Defensive Controls and suggest improvements.
In Part Two here, I discuss the relationship between Performance Controls and Cyber Risk Quantification (CRQ). The purpose of CRQ is to help CISOs collaborate with business leaders who set cybersecurity budgets and decide on the organization’s cyber risk tolerance. CRQ can provide a useful and credible method for connecting security metrics to cyber-related business risks expressed in dollars.
These three cybersecurity functions – Defensive Controls, Performance Controls, and Cyber Risk Quantification – taken together make up the Cybersecurity 3-Layer Wedding Cake. I see these three functions as layers because Performance Controls analyze information drawn from the Defensive Controls and CRQ analyzes information drawn from Performance Controls.
Performance Controls, whether manual or automated, generate recommendations and security metrics that help security teams work more effectively and efficiently by (1) highlighting gaps in threat coverage and misconfigured or under configured Defensive Controls, and (2) prioritizing vulnerability and control deficiency remediation recommendations.
CRQ software can also use this information to improve its accuracy and credibility to business leaders if the CRQ software model includes factors for individual and aggregate Defensive Control effectiveness, threats, vulnerabilities, attack surfaces, and especially attack paths through an organization’s IT/OT estate.
In addition, the CRQ’s data model must be open enough to support whichever Performance Controls security teams to select.
In this article I discuss (1) how the Cybersecurity 3-Layer Wedding Cake supplements traditional GRC frameworks, (2) the potential value of CRQ, (3) the requirements of CRQ if it is going to achieve its potential, and (4) CRQ vendor business models – SaaS software and Advisory Services.
Finally, I will provide an example of a CRQ offering that meets these requirements.
Part One Article – Performance Controls Summary
In Part One I defined the two types of cybersecurity controls which reduce the Likelihood and Impact of cyber-related Loss Events:
- Defensive – Controls that directly block threats or at least detect suspicious activities which are then resolved by an in-house or third-party security operations team.
- Performance – Indirect controls that measure and report on the effectiveness of Defensive Controls, evaluate the quality of their configurations, and make specific recommendations for improvements. I categorize Offensive security tools as Performance Controls.
Given the number and complexity of deployed Defensive Controls, only automated Performance controls can provide continuous visibility and management. Having said that, highly skilled human pen testers surely add value for detecting the types of vulnerabilities that automated tools might miss.
I defined and discussed five types of automated Performance controls: Attack Simulation, Risk-based Vulnerability Management, Metrics, Security Control Posture Management, and Process Mining.
Why The Cybersecurity 3-Layer Wedding Cake
The limitations of current GRC frameworks
Despite spending billions of dollars on cybersecurity controls and implementing a variety of Governance, Risk, and Compliance (GRC) frameworks, the frequency and impact of cyber incidents are still increasing. How can this be?
I suggest the root cause is lack of meaningful executive involvement in strategic cybersecurity decision-making. None of the GRC frameworks that security teams labor under provides a mechanism to enable business leaders to actively collaborate with CISOs to assess and set their organizations’ cybersecurity risk appetites or provide meaningful criteria for setting their cybersecurity budgets.
Business leaders want this involvement because they recognize that revenue generating business processes rely on information technology. They understand that strategic cybersecurity decisions can no longer be left to security teams.
CISOs are also frustrated because they too understand that cyber risk is business risk. They are looking for an approach that will enable them to collaborate with business leaders who are ultimately responsible for deciding on the amount of cyber risk, expressed in dollars, they are comfortable with.
Government and industry regulatory bodies understand this as well and are moving to require executive responsibility for cybersecurity.
The 3-Layer Wedding Cake Model Supplements GRC Frameworks
I am surely NOT saying that the GRC frameworks don’t have value. They do. But an overarching approach is needed to enable business leadership to take its rightful role in an organization’s cybersecurity program - setting cyber risk tolerance and budget.
Figure 1: The 3-Layer Wedding Cake model enables business leaders to collaborate with the CISO to set cyber risk tolerance and budget
The “3-Layer Wedding Cake” model solves this problem. The technical language of cybersecurity teams must be translated to the financial language used by business leaders to manage the organization’s other strategic risks.
Defensive Controls are the direct controls that block threats or at least alert on suspicious behavior.
Performance Controls are indirect controls that measure the performance of Defensive Controls and make recommendations for improvements.
Cyber Risk Quantification (CRQ) interprets the output of Performance Controls and translates technical metrics to business risks expressed in dollars. CRQ bridges the technical metrics – business risk gap.
Cyber Risk Quantification (CRQ)
Whichever combination of Defensive and Performance Controls you select, these questions remain:
- How best to communicate the effectiveness of your security program to business leaders, particularly to those who set your budget?
- How do you gain approval for the additional budget you are requesting?
- How do you collaborate with business leaders on the likelihood of a material incident?
- How do you determine risk appetite / tolerance?
- How do you obtain cooperation from the IT teams responsible for deploying and maintaining Defensive Controls and remediating IT infrastructure vulnerabilities?
- How do you obtain cooperation from the software development teams that are responsible for remediating application vulnerabilities?
- How do you gain support from the business operations teams who would be impacted by a successful cyber attack?
In theory, Cyber Risk Quantification (CRQ) provides the process and tools to answer these questions by translating technical control metrics to cyber-related business risk expressed in dollars.
More specifically, security teams rely on technical metrics to measure and manage the cyber posture of their organizations. But business leaders rely on financial metrics when assessing business risks. This creates a cyber metrics – business risk gap that in theory CRQ bridges.
But in practice, for the last 10+ years the purveyors of CRQ have fallen short due to their inability to model the efficacy of controls individually and collectively, in the context of threats, vulnerabilities, attack surfaces, and attack paths into and through an organization.
CRQ Software Requirements
For CRQ software to be of value to both security teams, business leaders, IT teams, software development teams, and business operations department leaders, it must:
- Support control investment decision-making by showing how control changes, additions, enhancements, and reductions affect cyber-related business risk in dollars.
- Explicitly factor: (1) the efficacy of Defensive Controls individually and collectively, (2) the range of strength of adversarial tactics, techniques, and procedures based on MITRE ATT&CK®, and (3) attack surfaces and attack paths into and through the organization’s IT/OT estate in the context of the loss events of concern to business leaders.
- Provide a defensible method for calculating Aggregate Control Effectiveness, i.e., the overall effectiveness of all Defensive Controls working together, in concert. The only credible way to do this is by using information from Performance Controls to map Defensive Controls’ effectiveness against the attack paths.
- Provide a set of open, standardized parameters across all Defensive Control types so that the efficacy of controls across all domains can be compared.
- Accept input from any combination of Performance Controls an organization chooses to deploy. This means that the CRQ software places no restrictions or limitations on Performance Control selection.
CRQ Vendor Business Models
There are two prevalent business models for CRQ vendors – SaaS software and Advisory Services.
Most security teams are not ready to make a major commitment to a SaaS annual subscription for two reasons. First, lack of a resource with CRQ experience. Second, simply the expense.
A better approach is to work with an experienced CRQ Advisory Service that can also assist with the selection and implementation of Performance Controls.
A pilot program using an Advisory Service can be inexpensively implemented with very limited client resources.
What follows is a discussion of how Monaco Risk’s CRQ Advisory Service and software platform meets the above requirements.
Monaco Risk’s Cyber Defense Graph™
We architected Monaco Risk’s CRQ software to be the CRQ layer of the Cybersecurity 3-Layer Wedding Cake. More specifically our patented Cyber Defense Graph™ software offers a useful and credible method of calculating individual and Aggregate Control Effectiveness in the context of threats, vulnerabilities, attack surfaces, and attack paths.
Modeling attack paths is critical to understanding how a change to a Defensive Control affects the risk of a Loss Event. Put another way, evaluating a new Defensive Control in isolation cannot predict how that control will perform in concert with the other deployed controls to reduce the likelihood and impact of loss events of concern to business leaders.
Here’s why. A Defensive Control can test very well individually but not reduce risks significantly, even if it’s well configured, for two reasons. First, the control may be on a path that does not see very many threats. Second, the control is on a path with several other strong controls.
Below is a partial example of a Cyber Defense Graph (CDG) generated by Monaco Risk’s software.
Figure 2: Monaco Risk's patented Cyber Defense Graph showing Critical Path Weaknesses.
This CDG highlights the four key stages of a successful attack, based on MITRE ATT&CK®, that results in business disruption due to ransomware: (1) Initial Access, (2) Execution on Workstations, (3) Lateral Movement including execution on workloads, and (4) Adversarial Objectives.
The arrows stand for threats that enter from the left and move along attack paths. The nodes (boxes) represent Defensive Controls that can block the adversary’s tactics, techniques, and procedures. Every Defensive Control can block some percentage of threats. Threats that make it all the to the far right represent loss events.
The shades of red of the control nodes indicate the criticality of the attack path based on the controls’ abilities to block the TTPs. The darker the shade of red, the more critical the attack path.
Sensitivity (Tornado) Charts
In addition to Critical Path Weakness graphs , Monaco Risk’s software generates a Sensitivity Charts which show the relative importance of individual controls. It’s commonly referred to as a tornado chart due to the overall pattern of the bars.
Figure 3: Sensitivity (Tornado) chart shows the relative importance of each control in the Cyber Defense Graph.
The bars to the left of the center line show the percentage decrease in Aggregate Control Effectiveness if the control was removed. The bars to the right show the percentage increase in Aggregate Control Effectiveness if the control is implemented with complete Coverage and a high level of Governance.
GRAACE™
The Cyber Defense Graph software is a component of Monaco Risk’s overall approach to CRQ called GRAACE™ (Graphical Risk Analysis of Aggregate Control Effectiveness, pronounced grace).
GRAACE is both a CRQ ontology fully implemented in software and a process to support strategic and tactical control investment decisions.
Here is a brief description of each of these terms:
Risk is based on the probability (likelihood or frequency) and the financial impact (magnitude) of loss events for a given period of time.
Control can be any people, process, or technology that the organization has control over to reduce risk. Organizations implement Defensive and Performance Controls.
Graphical representation of the attack surfaces and attack paths adversaries can take into and through the organization’s IT/OT estate to achieve their objectives. Defensive Controls are mapped to attack paths and visualized in Monaco Risk’s Cyber Defense Graph.
Aggregate Control Effectiveness is the combined effectiveness of an organization’s portfolio of controls. It’s the inverse of Susceptibility (1-Susceptibility). It’s calculated using Defensive Control efficacy determined by Performance Controls, in the context of threats, vulnerabilities, attack surfaces, and critically attack paths through the organization. Control investment decision-making is improved by showing how one or more additions, changes, or removals of controls affect Aggregate Control Effectiveness.
GRAACE Ontology
Why call this an ontology? At some point in your investigation of CRQ, you are sure to come across the “FAIR™ Ontology.” Since Monaco Risk is in the same space, and you may want to compare and contrast GRAACE with FAIR, I decided to use the word ontology as well. It’s a diagram to show the factors we use for calculating risk and the relationships among them. For a more detailed comparison see, https://www.linkedin.com/pulse/cyber-risk-quantification-models-fair-vs-graace-bill-frank-rxmse/
The figure below shows the GRAACE ontology.
Figure 4: The GRAACE Ontology
Here is a brief description of each component of the GRAACE ontology.
Risk: Loss Event Taxonomy
A problem that often arises when performing cybersecurity risk assessments is determining whether you have addressed all the possible loss event types. For the last four years, Monaco Risk has been maintaining and updating a Loss Event Taxonomy that exhaustively covers all cyber loss event types.
During this period, the number of loss event types has grown from the initial 12 to 16. They are categorized as follows: (1) Exposure of Sensitive Information, (2) Business Disruption, (3) Direct Monetary, Business, or Resource attack, and (4) Non-compliance, audit, or liability.
We’ve made the Loss Event Taxonomy available at no charge under a Creative Commons license. Please contact me and I will send you the document. My contact information is available at the end of this document.
Loss Event Frequency: Cyber Defense Graph™
Monaco Risk’s Cyber Defense Graph™ simulation software was described in an earlier section. It’s our approach to decomposing and calculating Loss Event Frequency.
Loss Magnitude – Financial Loss Components
Monaco Risk’s Loss Event Taxonomy provides four categories of Financial Loss Components which relate directly to the loss event types: (1) Direct Monetary Loss, (2) Lost Revenue, (3) Increased Costs, and (4) Liability & Regulatory. The full list of ten Financial Loss Components is available with the Loss Event Taxonomy under a Creative Commons license. Glad to send upon request.
GRAACE Process
GRAACE is more than a quantitative cybersecurity risk model. It's also a risk management process which consists of three phases: (1) Identify the loss events of concern to business leaders, (2) Baseline current cyber posture using the Cyber Defense Graph, and (3) Run what-if scenarios on control changes to show changes in risk expressed in dollars.
This fosters collaboration with business leaders who set cybersecurity budgets and cooperation with IT and software development teams, and operational teams who are impacted by cyber incidents.
About The Author
Bill Frank has over 24 years of cybersecurity experience. At present, as Chief Client Officer at Monaco Risk Analytics Inc, Mr. Frank is responsible for leading Monaco Risk’s cybersecurity risk management engagements. In addition, he collaborates on the design of Monaco Risk’s cyber risk quantification software used in client engagements.
Mr. Frank is one of two inventors of Monaco Risk’s patented Cyber Defense Graph™. It is the core innovation for Monaco Risk’s cyber risk quantification software which enables a more accurate estimate of the likelihood of loss events.
Prior to Monaco Risk, Mr. Frank spent 12 years assisting clients select and implement cybersecurity controls to strengthen cyber posture. Projects focused on controls to protect, detect, and respond to threats across a wide range of attack surfaces.
Prior to his consulting work, Mr. Frank spent most of the 2000s at a SIEM software company where he designed a novel approach to correlating alerts from multiple log sources using finite state machine-based, risk-scoring algorithms. The first use case was user and entity behavior analysis. The technology was acquired by Nitro Security who in turn was acquired by McAfee.
Bill Frank's contact information:
