information security risk quantification

Upload: joel-baese

Post on 10-Apr-2017

Page 1: Information Security Risk Quantification

RISK QUANTIFICATION

FROM RAINBOWS TO DOLLARS

Page 2: Information Security Risk Quantification

Disclaimer

These slides and accompanying presentation represent the author’s opinions and experience and are not necessarily those of any organization, including his past, current or future employers. All results are illustrated using randomly generated data and therefore DO NOT reflect actual results nor disclose any organization’s sensitive or proprietary information. Please direct all concerns related to this material to the author via email at [email protected].

Page 3: Information Security Risk Quantification

Introduction

• Joel Baese
• Email: [email protected]
• LinkedIn: https://www.linkedin.com/in/jbaese
• ISACA member since June 2010, CRISC since July 2010
• 18 years in IT
• Currently a Senior Manager II at Walmart building and leading the Information Security Tactical Risk Analysis team
• GRC experience includes:
  • Quantitative risk analysis at Walmart, qualitative risk analysis at Raytheon;
  • Policy author and manager at Raytheon;
  • Information systems security officer for DoD programs up to and including Top Secret Special Access
• MBA, BSIT

Page 4: Information Security Risk Quantification

Overview

The Challenge

The Path

The Result

Page 5: Information Security Risk Quantification

The Challenge

Meaningful measurement

Effective comparisons

Well-informed decisions

Cost effective accurate risk management

Page 6: Information Security Risk Quantification

Best Practice Risk Measurement

1. Cloud computing
2. Insider threat
3. External/third parties
4. Application vulnerabilities
5. Hardware vulnerabilities
6. Mobile malware
7. Social engineering
8. Organized crime
9. State sponsored attacks
10. Hacktivists

List adapted from: Jones, J. (2016). FAIR & RiskLens Executive Overview. Retrieved July 14, 2016, from FAIR Institute: http://www.fairinstitute.org/member-resources

Page 7: Information Security Risk Quantification

How much risk is there?

Source: Jones, J. (2016). FAIR & RiskLens Executive Overview. Retrieved July 14, 2016, from FAIR Institute: http://www.fairinstitute.org/member-resources

Page 11: Information Security Risk Quantification

Did we all mean the same thing?

• What’s the asset? The tire
• What’s the threat? The Earth
• What’s the threat vector? Gravity
• What’s the control? The rope
• What’s the loss type? Availability
• What’s the vulnerability? The probability gravity > rope
• What’s the risk? The probability gravity overcomes rope resulting in loss, combined with the probable resulting financial loss

Page 12: Information Security Risk Quantification

Credit: Jack Jones for the example

(Diagram labels: Mass, Weight, Velocity)

Page 13: Information Security Risk Quantification

Best Practice Risk Measurement

1. Cloud computing
2. Insider threat
3. External/third parties
4. Application vulnerabilities
5. Hardware vulnerabilities
6. Mobile malware
7. Social engineering
8. Organized crime
9. State sponsored attacks
10. Hacktivists

List adapted from: Jones, J. (2016). FAIR & RiskLens Executive Overview. Retrieved July 14, 2016, from FAIR Institute: http://www.fairinstitute.org/member-resources

Page 14: Information Security Risk Quantification

Human Biases

• We tend to exaggerate spectacular and rare risks and downplay common risks.
• The unknown is perceived to be riskier than the familiar.
• Personified risks are perceived to be riskier than anonymous risks.
• We underestimate risks in situations we do control, and overestimate risks in situations we don't control.
• We estimate the probability of something by how easy it is to bring examples to mind.

The 5 Biggest Biases We Fall Victim To – Bruce Schneier

• Cloud computing
• Insider threat
• External/third parties
• Application vulnerabilities
• Hardware vulnerabilities
• Mobile malware
• Social engineering
• Organized crime
• State sponsored attacks
• Hacktivists

Page 15: Information Security Risk Quantification

Risk is a reality and a perception

Page 16: Information Security Risk Quantification

The Missing Ingredient

Accurate Models

Meaningful measurement

Effective comparisons

Well-informed decisions

Cost effective accurate risk management

Page 17: Information Security Risk Quantification

The Path

Page 18: Information Security Risk Quantification

FAIR Ontology

Factor Analysis of Information Risk

Risk: the probable magnitude and probable frequency of future loss, decomposed into Probable Loss Event Frequency and Probable Loss Magnitude

Forms of loss (P = primary loss, S = secondary loss): Productivity (P), Replacement (P), Response (P, S), Fines and Judgments (S), Competitive Advantage (S), Reputation (S)

Page 19: Information Security Risk Quantification

FAIR Process: Stages of the Analysis Process

1. Identify Scenario Components (Scope the Analysis): Asset, Threat, Loss Event
2. Evaluate Loss Event Frequency (LEF): Threat Events, Vulnerability
3. Evaluate Loss Magnitude (LM): Primary Loss Magnitude; Secondary Loss Frequency; Secondary Loss Magnitude
4. Derive and Articulate Risk

Source: Risk Analysis (O-RA) from The Open Group
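As an added, constructed example (not code from the deck or from any FAIR tool), the four stages above as a Monte Carlo simulation in Python: the scenario factors in SCENARIO are assumed (min, most likely, max) ranges, Loss Event Frequency is derived as threat event frequency times vulnerability, each simulated loss event carries the primary loss forms plus, with some probability, the secondary loss forms from the ontology, and annualized_loss returns a distribution of annual loss rather than a single number, with expected_ale as a closed-form sanity check.

```python
import math
import random
from statistics import mean, quantiles

# Constructed, illustrative inputs for ONE scenario (not data from the deck). Each
# factor is a (min, most likely, max) triple drawn triangularly, a stand-in for PERT.
SCENARIO = {
    "tef": (2.0, 6.0, 12.0),       # threat event frequency, events per year
    "vuln": (0.05, 0.15, 0.40),    # P(a threat event becomes a loss event)
    "primary": {"productivity": (10_000, 50_000, 200_000),   # $ per loss event
                "replacement": (5_000, 20_000, 80_000),
                "response": (20_000, 60_000, 250_000)},
    "slef": (0.0, 0.2, 0.6),       # P(a loss event also triggers secondary loss)
    "secondary": {"fines_and_judgments": (0, 100_000, 2_000_000),  # $ if it occurs
                  "competitive_advantage": (0, 50_000, 1_000_000),
                  "reputation": (0, 200_000, 5_000_000)},
}

def tri(rng, lo, ml, hi): return rng.triangular(lo, hi, ml)   # stdlib order: low, high, mode

def poisson(rng, lam):  # Knuth's method: number of loss events in a year with mean rate lam
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k

def simulate_year(rng, s):  # stages 2 and 3 for one simulated year -> (primary, secondary)
    lef = tri(rng, *s["tef"]) * tri(rng, *s["vuln"])      # LEF = TEF x Vulnerability
    primary = secondary = 0.0
    for _ in range(poisson(rng, lef)):
        primary += sum(tri(rng, *f) for f in s["primary"].values())
        if rng.random() < tri(rng, *s["slef"]):           # secondary loss materializes?
            secondary += sum(tri(rng, *f) for f in s["secondary"].values())
    return primary, secondary

def annualized_loss(s=SCENARIO, trials=10_000, seed=7):
    """Stage 4: derive the ALE distribution and split it into primary/secondary."""
    rng = random.Random(seed)
    years = [simulate_year(rng, s) for _ in range(trials)]
    totals = sorted(p + q for p, q in years)
    d = quantiles(totals, n=10)
    return {"mean_ale": mean(totals), "p10": d[0], "p50": d[4], "p90": d[8],
            "mean_primary": mean(p for p, _ in years),
            "mean_secondary": mean(q for _, q in years)}

def expected_ale(s=SCENARIO):  # closed-form mean of independent triangular factors
    e = lambda t: sum(t) / 3
    primary = sum(e(f) for f in s["primary"].values())
    secondary = e(s["slef"]) * sum(e(f) for f in s["secondary"].values())
    return e(s["tef"]) * e(s["vuln"]) * (primary + secondary)
```

Reporting p10/p50/p90 alongside the mean is what lets a reader see that a $3 billion aggregate is an average over a wide, skewed distribution, not a fixed cost.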

Page 20: Information Security Risk Quantification

The Project

• 3 Months
• 2 FTEs + ≈1 Contractor
• Over 50 Scenarios
• Over 100 SMEs
• Over 500 Questions
• Over 1,400 data points
• To get to one number

What is our risk?

Page 21: Information Security Risk Quantification

The Results (ish)

Page 22: Information Security Risk Quantification

Aggregate Average ALE By Environment

Total: $3 Billion

All results are illustrated using randomly generated data and therefore DO NOT reflect actual results nor disclose any organization’s sensitive or proprietary information.

Page 23: Information Security Risk Quantification

Potential Comprehensive Key Risk Metrics

(Chart labels: 30%, 60%)

Page 24: Information Security Risk Quantification

Potential Comprehensive Key Risk Metrics (continued)

Level of Impact | % of customers lost | Households Impacted | Revenue Impact (Lost Customer Value)
Significant     | 50.00%              | 500,000             | $5 billion
Major           | 25.00%              | 250,000             | $2.5 billion
Moderate        | 12.50%              | 125,000             | $1.25 billion
Minor           | 6.25%               | 62,500              | $625 million
Slight          | 3.13%               | 31,500              | $315 million

Avg value of a household: $10,000    Households: 1 million

Highlighted level: Major

Page 25: Information Security Risk Quantification

Top 10


Page 26: Information Security Risk Quantification

Aggregate ALE By Threats


Page 27: Information Security Risk Quantification

Aggregate ALE By Assets


Page 28: Information Security Risk Quantification

Materialized Areas of Loss (Aggregate)

(Chart legend: Primary Losses, Secondary Losses)

Page 29: Information Security Risk Quantification

Focus Adjustment for Future Analyses


Page 30: Information Security Risk Quantification

Lessons Learned

• Challenges
  • Finding the right PoCs/SMEs
  • Significant difference between the data request and what they were used to
  • Risk quantification skeptics
  • Significant data validation required due to basic definition differences
    • Ex. contact event vs. threat event vs. loss event
  • No established workflow process made tracking all the people and data inputs more difficult than it probably needed to be
• Notes, notes, notes
  • Sources
  • Rationale
• Know the model and definitions well

Page 31: Information Security Risk Quantification

Additional Resources

• The FAIR Institute
  • http://www.fairinstitute.org
• The Open Group
  • Open FAIR Standards
  • http://www.opengroup.org/standards/security
• The Society of Information Risk Analysts
  • https://societyinforisk.org
• Measuring and Managing Information Risk: A FAIR Approach
  • Authors: Jack Freund & Jack Jones
  • http://store.elsevier.com/product.jsp?isbn=9780124202313

My contact information:
• Email: [email protected]
• LinkedIn: https://www.linkedin.com/in/jbaese

Special thanks to Jack Jones for allowing use of several of his slides and examples.