One Article Review

The article:
Source: AlienVault Blog
Identifier: 2392066
Publication date: 2021-02-24 11:00:00 (seen: 2021-02-24 12:05:33)
Title: Quantifying CyberRisk - Solving the riddle
Text: In the late 1990s and early 2000s a concept was bandied about that was coined “Return on Security Investment”, or ROSI. Borrowing from the common business term Return on Investment (ROI), where a return on a particular investment (capital investment, personnel, training, etc.) could be quantified, the cybersecurity industry attempted to quantify a return on security investment. Fundamentally, the primary failing of this concept is that it is mathematically impossible (or at least approaches mathematical impossibility) to quantify an event “not occurring”. In short, if a company has “zero” security events that impact it deleteriously in a given year, was the $5 million security expenditure appropriate? Should it have been less, since there was no security event that caused a loss? If the company experienced an event, was the return on the investment then the difference between the expenditure and the overall losses from the incident? It simply did not work, as it was mathematically flawed.

Fast forward to 2021 and companies once again are fixated on quantifying cyber risk and, more importantly, cybersecurity exposure. The question is similar: “Can companies accurately quantify cybersecurity risks today?” This is a complex question, but to attempt an answer it is first important to have a working definition of several terms.

Risk is an artificial construct that can be expressed simply as a function of the likelihood of an adverse event occurring (often given as a statistical probability) and the impact should the event be realized (in business, and for the purposes of this article, expressed in monetary terms). In short, R = f(P, I).

Probability refers to the extent to which something is probable; the likelihood of something happening. It can be either quantified (in which case it is deterministic) or qualified, in which case it refers to the belief that something will happen (non-deterministic).

Frequentist probability models quantify risk, and conditional probability models qualify risk using subjective interpretations. There is an ongoing debate amongst statisticians and probability folks as to which model is more accurate in predicting actions in real life.

Security is a very important concept that can be defined simply as the implementation of controls commensurate with the identified risks.

Understanding the above, we can use a real-world example to understand the failings of attempting to quantify cybersecurity risks using traditional models that employ frequentist probability theory. Suppose for a moment that you find natural gas on your property and decide to build a natural gas well. Being concerned for the environment and the safety of your workers, you want to ensure that the natural gas well is engineered correctly against a failure that could release gases and have deleterious impacts on people and the environment. One primary piece of the well is the “Mark Ie Main Actuation Recumbent Key valve” (Mark-Ie MARK). The manufacturer states that the Mark Ie MARK has a mean failure rate (MFR) of 1 in 2 million actuations causing a catastrophic failure and total destruction of the well. This means that the valve could fail on the first actuation or never fail as long as it is used; however, given a large enough population of valves tested there will be a
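As an added illustration (not code from the AlienVault post), the following Python applies the post's R = f(P, I) construct to its valve figures: the frequentist probability of at least one catastrophic failure over a given number of actuations, the resulting risk in monetary terms, and, going one step beyond the post, a conditional (Bayesian) estimate that updates a prior belief about the failure rate with observed actuations. The MFR of 1 in 2 million comes from the post; the impact figure, actuation counts and the prior are constructed assumptions.

```python
# Added example: the post's R = f(P, I) risk construct worked through with the
# Mark-Ie MARK valve's stated mean failure rate. Impact, actuation counts and
# the Bayesian prior below are constructed assumptions, not figures from the post.
from math import exp

# Manufacturer's figure from the post: 1 catastrophic failure per 2,000,000 actuations.
MFR = 2_000_000


def failure_probability(actuations: int, mfr: int = MFR) -> float:
    """Frequentist P(at least one catastrophic failure) over independent actuations."""
    p_single = 1.0 / mfr
    return 1.0 - (1.0 - p_single) ** actuations


def poisson_approximation(actuations: int, mfr: int = MFR) -> float:
    """Rare-event approximation 1 - exp(-n / mfr); close to the exact figure above."""
    return 1.0 - exp(-actuations / mfr)


def risk_in_dollars(actuations: int, impact: float, mfr: int = MFR) -> float:
    """R = f(P, I), taking f as the product P * I (expected loss in monetary terms)."""
    return failure_probability(actuations, mfr) * impact


def bayesian_failure_rate(prior_failures: float, prior_successes: float,
                          observed_failures: int, observed_actuations: int) -> float:
    """Conditional (Bayesian) estimate of the per-actuation failure rate.

    The belief is a Beta(prior_failures, prior_successes) distribution; each
    observed actuation updates it, and the posterior mean is returned.
    """
    a = prior_failures + observed_failures
    b = prior_successes + (observed_actuations - observed_failures)
    return a / (a + b)


if __name__ == "__main__":
    # Constructed scenario: one well, 1,000 actuations per year, $10M total loss if it fails.
    yearly = 1_000
    impact = 10_000_000.0
    print(f"P(failure in {yearly} actuations) = {failure_probability(yearly):.6f}")
    print(f"Annual risk R = P * I = ${risk_in_dollars(yearly, impact):,.2f}")
    # Over a full MFR's worth of actuations the chance of at least one failure is ~63%.
    print(f"P(failure in {MFR} actuations) = {failure_probability(MFR):.4f}")
    # Bayesian view: start from the manufacturer's figure as a Beta(1, 1,999,999) prior
    # (mean 1/2,000,000), then observe 1,000,000 failure-free actuations.
    print(f"Posterior rate after 1M clean actuations = {bayesian_failure_rate(1, 1_999_999, 0, 1_000_000):.3e}")
```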
Tags: Threat, Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.