This article is Part Two of my series on managing cyber-related business risks. In Part One, I discussed the relationship between Defensive Controls and Performance Controls. Defensive Controls directly block threats. Performance Controls measure the effectiveness of Defensive Controls and suggest improvements.
In Part Two here, I discuss the relationship between Performance Controls and Cyber Risk Quantification (CRQ). The purpose of CRQ is to help CISOs collaborate with business leaders who set cybersecurity budgets and decide on the organization’s cyber risk tolerance. CRQ can provide a useful and credible method for connecting security metrics to cyber-related business risks expressed in dollars.
These three cybersecurity functions – Defensive Controls, Performance Controls, and Cyber Risk Quantification – taken together make up the Cybersecurity 3-Layer Wedding Cake. I see these three functions as layers because Performance Controls analyze information drawn from the Defensive Controls and CRQ analyzes information drawn from Performance Controls.
Performance Controls, whether manual or automated, generate recommendations and security metrics that help security teams work more effectively and efficiently by (1) highlighting gaps in threat coverage and misconfigured or under-configured Defensive Controls, and (2) prioritizing vulnerability and control-deficiency remediation recommendations.
CRQ software can also use this information to improve its accuracy and credibility to business leaders if the CRQ software model includes factors for individual and aggregate Defensive Control effectiveness, threats, vulnerabilities, attack surfaces, and especially attack paths through an organization’s IT/OT estate.
In addition, the CRQ's data model must be open enough to support whichever Performance Controls security teams select.
In this article I discuss (1) how the Cybersecurity 3-Layer Wedding Cake supplements traditional GRC frameworks, (2) the potential value of CRQ, (3) the requirements of CRQ if it is going to achieve its potential, and (4) CRQ vendor business models – SaaS software and Advisory Services.
Finally, I will provide an example of a CRQ offering that meets these requirements.
In Part One I defined the two types of cybersecurity controls that reduce the Likelihood and Impact of cyber-related Loss Events:
Given the number and complexity of deployed Defensive Controls, only automated Performance Controls can provide continuous visibility and management. Having said that, highly skilled human pen testers surely add value for detecting the types of vulnerabilities that automated tools might miss.
I defined and discussed five types of automated Performance Controls: Attack Simulation, Risk-based Vulnerability Management, Metrics, Security Control Posture Management, and Process Mining.
Despite spending billions of dollars on cybersecurity controls and implementing a variety of Governance, Risk, and Compliance (GRC) frameworks, the frequency and impact of cyber incidents are still increasing. How can this be?
I suggest the root cause is lack of meaningful executive involvement in strategic cybersecurity decision-making. None of the GRC frameworks that security teams labor under provides a mechanism to enable business leaders to actively collaborate with CISOs to assess and set their organizations’ cybersecurity risk appetites or provide meaningful criteria for setting their cybersecurity budgets.
Business leaders want this involvement because they recognize that revenue generating business processes rely on information technology. They understand that strategic cybersecurity decisions can no longer be left to security teams.
CISOs are also frustrated because they too understand that cyber risk is business risk. They are looking for an approach that will enable them to collaborate with business leaders who are ultimately responsible for deciding on the amount of cyber risk, expressed in dollars, they are comfortable with.
Government and industry regulatory bodies understand this as well and are moving to require executive responsibility for cybersecurity.
I am surely NOT saying that the GRC frameworks don’t have value. They do. But an overarching approach is needed to enable business leadership to take its rightful role in an organization’s cybersecurity program: setting cyber risk tolerance and budget.
Figure 1: The 3-Layer Wedding Cake model enables business leaders to collaborate with the CISO to set cyber risk tolerance and budget
The “3-Layer Wedding Cake” model solves this problem. The technical language of cybersecurity teams must be translated to the financial language used by business leaders to manage the organization’s other strategic risks.
Defensive Controls are the direct controls that block threats or at least alert on suspicious behavior.
Performance Controls are indirect controls that measure the performance of Defensive Controls and make recommendations for improvements.
Cyber Risk Quantification (CRQ) interprets the output of Performance Controls and translates technical metrics to business risks expressed in dollars. CRQ bridges the gap between technical metrics and business risk.
Whichever combination of Defensive and Performance Controls you select, these questions remain:
In theory, Cyber Risk Quantification (CRQ) provides the process and tools to answer these questions by translating technical control metrics to cyber-related business risk expressed in dollars.
More specifically, security teams rely on technical metrics to measure and manage the cyber posture of their organizations. But business leaders rely on financial metrics when assessing business risks. This creates a gap between cyber metrics and business risk that, in theory, CRQ bridges.
But in practice, for the last 10+ years the purveyors of CRQ have fallen short due to their inability to model the efficacy of controls individually and collectively, in the context of threats, vulnerabilities, attack surfaces, and attack paths into and through an organization.
For CRQ software to be of value to security teams, business leaders, IT teams, software development teams, and business operations department leaders alike, it must:
There are two prevalent business models for CRQ vendors – SaaS software and Advisory Services.
Most security teams are not ready to make a major commitment to a SaaS annual subscription for two reasons. First, lack of a resource with CRQ experience. Second, simply the expense.
A better approach is to work with an experienced CRQ Advisory Service that can also assist with the selection and implementation of Performance Controls.
A pilot program using an Advisory Service can be inexpensively implemented with very limited client resources.
What follows is a discussion of how Monaco Risk’s CRQ Advisory Service and software platform meets the above requirements.
We architected Monaco Risk’s CRQ software to be the CRQ layer of the Cybersecurity 3-Layer Wedding Cake. More specifically our patented Cyber Defense Graph™ software offers a useful and credible method of calculating individual and Aggregate Control Effectiveness in the context of threats, vulnerabilities, attack surfaces, and attack paths.
Modeling attack paths is critical to understanding how a change to a Defensive Control affects the risk of a Loss Event. Put another way, evaluating a new Defensive Control in isolation cannot predict how that control will perform in concert with the other deployed controls to reduce the likelihood and impact of loss events of concern to business leaders.
Here’s why. A Defensive Control can test very well individually but not reduce risks significantly, even if it’s well configured, for two reasons. First, the control may be on a path that does not see very many threats. Second, the control is on a path with several other strong controls.
Below is a partial example of a Cyber Defense Graph (CDG) generated by Monaco Risk’s software.
Figure 2: Monaco Risk's patented Cyber Defense Graph showing Critical Path Weaknesses.
This CDG highlights the four key stages of a successful attack, based on MITRE ATT&CK®, that results in business disruption due to ransomware: (1) Initial Access, (2) Execution on Workstations, (3) Lateral Movement including execution on workloads, and (4) Adversarial Objectives.
The arrows stand for threats that enter from the left and move along attack paths. The nodes (boxes) represent Defensive Controls that can block the adversary’s tactics, techniques, and procedures (TTPs). Every Defensive Control can block some percentage of threats. Threats that make it all the way to the far right represent loss events.
The shades of red of the control nodes indicate the criticality of the attack path based on the controls’ abilities to block the TTPs. The darker the shade of red, the more critical the attack path.
In addition to Critical Path Weakness graphs, Monaco Risk’s software generates Sensitivity Charts, which show the relative importance of individual controls. This type of chart is commonly referred to as a tornado chart due to the overall pattern of the bars.
Figure 3: Sensitivity (Tornado) chart shows the relative importance of each control in the Cyber Defense Graph.
The bars to the left of the center line show the percentage decrease in Aggregate Control Effectiveness if the control were removed. The bars to the right show the percentage increase in Aggregate Control Effectiveness if the control were implemented with complete Coverage and a high level of Governance.
The Cyber Defense Graph software is a component of Monaco Risk’s overall approach to CRQ called GRAACE™ (Graphical Risk Analysis of Aggregate Control Effectiveness, pronounced grace).
GRAACE is both a CRQ ontology fully implemented in software and a process to support strategic and tactical control investment decisions.
Here is a brief description of each of these terms:
Risk is based on the probability (likelihood or frequency) and the financial impact (magnitude) of loss events for a given period of time.
Control can be any people, process, or technology that the organization has control over to reduce risk. Organizations implement Defensive and Performance Controls.
Graphical representation of the attack surfaces and attack paths adversaries can take into and through the organization’s IT/OT estate to achieve their objectives. Defensive Controls are mapped to attack paths and visualized in Monaco Risk’s Cyber Defense Graph.
Aggregate Control Effectiveness is the combined effectiveness of an organization’s portfolio of controls. It’s the inverse of Susceptibility (1 - Susceptibility). It’s calculated using Defensive Control efficacy determined by Performance Controls, in the context of threats, vulnerabilities, attack surfaces, and, critically, attack paths through the organization. Control investment decision-making is improved by showing how one or more additions, changes, or removals of controls affect Aggregate Control Effectiveness.
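To make the attack-path argument concrete (why a control that tests well in isolation can matter little in aggregate, how Susceptibility and Aggregate Control Effectiveness are derived from threats surviving each path, what the left and right tornado bars measure, and how a what-if control change becomes a dollar figure), here is a small Python model written as an added example for this article. It is not Monaco Risk's code or the Cyber Defense Graph algorithm, and it assumes a simplified semantics: each control blocks an independent fraction of the threats crossing it, a path's loss events are its entry volume times the product of the pass-through fractions, and one constructed loss magnitude per event turns loss events into dollars. All control names, block rates, path volumes and the $250,000 magnitude are constructed for illustration.

```python
"""Toy attack-path model for Aggregate Control Effectiveness (ACE) and a tornado-style
sensitivity analysis. Threats enter on the left of each path; every Defensive Control on
the path blocks an assumed fraction; whatever reaches the far right is a loss event.
ACE = 1 - Susceptibility, with Susceptibility = surviving / entering threats.
Everything here is constructed for illustration, not Monaco Risk's model or data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Control:
    block_rate: float      # fraction of threats blocked as currently deployed (assumed)
    potential_rate: float  # block rate with complete Coverage and high Governance (assumed)


@dataclass
class Path:
    name: str
    volume: float          # threat attempts per year entering this path (constructed)
    controls: List[str]    # controls crossed, stage order: access -> execution -> lateral -> objective


# Constructed current state. Note that usb_device_control has the best individual
# block rate but sits on a path that sees almost no threats.
CONTROLS: Dict[str, Control] = {
    "email_filtering":    Control(0.80, 0.95),
    "mfa":                Control(0.90, 0.99),
    "edr":                Control(0.70, 0.90),
    "usb_device_control": Control(0.95, 0.99),
    "segmentation":       Control(0.50, 0.90),
    "immutable_backups":  Control(0.60, 0.95),
}
PATHS: List[Path] = [
    Path("phishing -> workstation -> file servers", 100.0,
         ["email_filtering", "edr", "segmentation", "immutable_backups"]),
    Path("credential stuffing against VPN", 30.0,
         ["mfa", "segmentation", "immutable_backups"]),
    Path("infected removable media", 0.5,
         ["usb_device_control", "edr", "segmentation", "immutable_backups"]),
]


def loss_events(paths: List[Path], controls: Dict[str, Control]) -> float:
    """Expected loss events per year: threats that survive every control on their path."""
    total = 0.0
    for p in paths:
        surviving = p.volume
        for name in p.controls:
            surviving *= 1.0 - controls[name].block_rate
        total += surviving
    return total


def aggregate_control_effectiveness(paths: List[Path], controls: Dict[str, Control]) -> float:
    """ACE = 1 - Susceptibility, where Susceptibility = surviving / entering threats."""
    entering = sum(p.volume for p in paths)
    return 1.0 - loss_events(paths, controls) / entering


def sensitivity(paths: List[Path], controls: Dict[str, Control]) -> Dict[str, Tuple[float, float]]:
    """Tornado-chart data per control: percentage change in ACE if it were removed
    (left bar, negative) and if raised to its potential rate (right bar, positive)."""
    base = aggregate_control_effectiveness(paths, controls)
    bars: Dict[str, Tuple[float, float]] = {}
    for name, c in controls.items():
        removed = {**controls, name: Control(0.0, c.potential_rate)}
        full = {**controls, name: Control(c.potential_rate, c.potential_rate)}
        left = 100.0 * (aggregate_control_effectiveness(paths, removed) - base) / base
        right = 100.0 * (aggregate_control_effectiveness(paths, full) - base) / base
        bars[name] = (left, right)
    return bars


def what_if_add_control(paths: List[Path], controls: Dict[str, Control], name: str,
                        control: Control, on_paths: List[str],
                        loss_magnitude: float) -> Tuple[float, float, float]:
    """What-if scenario: add a new control to the named paths and report loss events
    before and after plus the annual dollars saved at an assumed magnitude per event.
    Position on the path does not change the product, so the control is appended."""
    new_controls = {**controls, name: control}
    new_paths = [Path(p.name, p.volume, p.controls + [name]) if p.name in on_paths else p
                 for p in paths]
    before = loss_events(paths, controls)
    after = loss_events(new_paths, new_controls)
    return before, after, (before - after) * loss_magnitude


if __name__ == "__main__":
    print(f"ACE = {aggregate_control_effectiveness(PATHS, CONTROLS):.4f}, "
          f"expected loss events/yr = {loss_events(PATHS, CONTROLS):.4f}")
    # Sort so the most important control (largest drop when removed) prints first.
    for name, (left, right) in sorted(sensitivity(PATHS, CONTROLS).items(), key=lambda kv: kv[1][0]):
        print(f"{name:20s} removed: {left:+8.3f}%   full coverage: {right:+8.3f}%")
    before, after, saved = what_if_add_control(
        PATHS, CONTROLS, "app_allowlisting", Control(0.85, 0.85),
        ["phishing -> workstation -> file servers", "infected removable media"], 250_000.0)
    print(f"add app_allowlisting: loss events {before:.3f} -> {after:.3f}, saves ${saved:,.0f}/yr")
```

Running it shows the point of the article's two reasons: mfa ranks first in the tornado because it blocks a large share on a high-volume path, while usb_device_control, the best individual tester at 95%, barely registers because its path carries almost no threats; and segmentation's bar is modest because the strong controls around it on every path already absorb most of what it would catch. The what-if line is the phase-3 translation to dollars under the assumed loss magnitude.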
Why call this an ontology? At some point in your investigation of CRQ, you are sure to come across the “FAIR™ Ontology.” Since Monaco Risk is in the same space, and you may want to compare and contrast GRAACE with FAIR, I decided to use the word ontology as well. It’s a diagram to show the factors we use for calculating risk and the relationships among them. For a more detailed comparison see https://www.linkedin.com/pulse/cyber-risk-quantification-models-fair-vs-graace-bill-frank-rxmse/
The figure below shows the GRAACE ontology.
Figure 4: The GRAACE Ontology
Here is a brief description of each component of the GRAACE ontology.
A problem that often arises when performing cybersecurity risk assessments is determining whether you have addressed all the possible loss event types. For the last four years, Monaco Risk has been maintaining and updating a Loss Event Taxonomy that exhaustively covers all cyber loss event types.
During this period, the number of loss event types has grown from the initial 12 to 16. They are categorized as follows: (1) Exposure of Sensitive Information, (2) Business Disruption, (3) Direct Monetary, Business, or Resource attack, and (4) Non-compliance, audit, or liability.
We’ve made the Loss Event Taxonomy available at no charge under a Creative Commons license. Please contact me and I will send you the document. My contact information is available at the end of this document.
Monaco Risk’s Cyber Defense Graph™ simulation software was described in an earlier section. It’s our approach to decomposing and calculating Loss Event Frequency.
Monaco Risk’s Loss Event Taxonomy provides four categories of Financial Loss Components which relate directly to the loss event types: (1) Direct Monetary Loss, (2) Lost Revenue, (3) Increased Costs, and (4) Liability & Regulatory. The full list of ten Financial Loss Components is available with the Loss Event Taxonomy under a Creative Commons license. I am glad to send it upon request.
GRAACE is more than a quantitative cybersecurity risk model. It's also a risk management process which consists of three phases: (1) Identify the loss events of concern to business leaders, (2) Baseline current cyber posture using the Cyber Defense Graph, and (3) Run what-if scenarios on control changes to show changes in risk expressed in dollars.
This fosters collaboration with business leaders who set cybersecurity budgets and cooperation with IT and software development teams, and operational teams who are impacted by cyber incidents.
Mr. Frank is one of two inventors of Monaco Risk’s patented Cyber Defense Graph™. It is the core innovation for Monaco Risk’s cyber risk quantification software which enables a more accurate estimate of the likelihood of loss events.
Prior to Monaco Risk, Mr. Frank spent 12 years assisting clients select and implement cybersecurity controls to strengthen cyber posture. Projects focused on controls to protect, detect, and respond to threats across a wide range of attack surfaces.
Prior to his consulting work, Mr. Frank spent most of the 2000s at a SIEM software company where he designed a novel approach to correlating alerts from multiple log sources using finite state machine-based, risk-scoring algorithms. The first use case was user and entity behavior analysis. The technology was acquired by Nitro Security who in turn was acquired by McAfee.
Bill Frank's contact information: