Speaking in generalities is often a tool to cloak poor and/or biased decision-making.

In the world of cyber risk, unfortunately, a lot of generalities get bandied about. For example, information security professionals often discuss “critical” vulnerabilities without defining what this means (with some notable exceptions, although these are still imperfect, as I will explore in later editions). Even U.S. government agencies recommend doing things like upgrading software “immediately,” without providing explicit timelines.

In a pinch, these qualitative terms can allow for describing the relative priority of security issues, but I would avoid them as much as possible. The main reason for doing so is that they don’t allow for absolute comparisons, which is vital for conducting cost/benefit analyses.

For example, it’s not clear how many vulnerabilities presenting a “medium” risk are equal to a “high” risk one, or how many times worse the latter is than the former: twice? ten times? Furthermore, it’s not clear whether the latter refers to outcomes that are high-impact, high-probability, or both. Most importantly, it’s difficult to know what is an appropriate level of expenditure on additional controls to mitigate a vulnerability if you cannot actually value the risk it presents in financial terms.

Once an incident has happened, though, it is often easy to put a number on the expenses incurred, proving that such valuation is indeed possible. For example, addressing the 2019-2020 breach of its networks and the hijacking of its Orion product cost SolarWinds up to $19 million (for just the company itself and not including second-order damage to its customers). Similarly, Colonial Pipeline decided that restarting its operations following a mid-2021 ransomware attack was worth at least $4.4 million, evidenced by the fact that it paid a ransom of this amount.

I’m going to guess, however, that prior to these incidents the information security personnel at these companies would speak only in terms of “low,” “medium,” “high,” and “critical” vulnerabilities. What they likely did not estimate, though, is the dollar value of the risks they presented. Although a former security executive at SolarWinds claims that he stated in 2017 that “the survival of the company depends on an internal commitment to security,” I can easily imagine such a warning being dismissed as hyperbolic. Although it ended up being true, in retrospect, it is essentially true to some degree for any business. The key is determining how big the “commitment” needs to be.

What would have gotten much more attention would be to state that “over the next four years, we are likely to incur approximately $19 million dollars in direct costs, as well as massive reputational damage, due to our lax security posture in the face of advanced persistent threat interest in the Orion product line.” Hindsight is 20/20, but making this calculation or something resembling it would have been reasonable to do in 2017 based on the then-current understanding of the threat environment, the company’s controls (or lack thereof), and the revenue associated with Orion.

As a business leader presented with this type of analysis - assuming that you are the one accountable for cyber risk, as I recommend should be the case - then spending $4.75 million more a year ($19 million divided by four years) on plugging the gaps in your defenses might be a rational course of action. Internet memes notwithstanding, hard numbers are generally more persuasive to those running companies than ominous but vague warnings regarding the “survival of the company.”

Determining in advance the precise cost of a cyber incident and exactly when it will occur is generally impossible. But it is certainly possible to estimate how expensive certain categories of events will be and how frequently they will occur. In the end, measuring the risk stemming from vulnerabilities boils down to calculating the severity (in terms of cost in dollars) of an event, should it occur, and the likelihood or probability of it occurring (usually over a given year). This is critical, so I will re-state below:

Risk = Severity x Likelihood

This two-dimensional framing of risk is fairly common in other industries such as construction and the military and has gained some traction in the world of information security.

Building on top of previous efforts in the field to make these types of estimates and address the problems posed by qualitative analysis, the Factor Analysis of Information Risk (FAIR) methodology emerged as the gold standard for quantitatively evaluating risk in dollar terms. In the end, businesses are about creating value, and the most tangible and easily understood way of describing value is using dollars (or bitcoin or whatever currency you would like to use). FAIR provides some great recommendations for assigning financial values to all of the tangible and intangible aspects of a business that could be impacted by a cyber event, and I highly recommend learning about it.

The FAIR framework makes the most sense when preparing for big procurement and/or policy decisions. The amount of time and resources required for conducting a full analysis, though, can be substantial, and the process often requires a lot of back-and-forth between various business units and stakeholders.

Thus, over the next few editions, I am going to propose a more lightweight methodology - specifically focused on software vulnerability management - that is generally applicable and can be used as a regular part of your software development lifecycle. This tool won’t be a replacement for conducting periodic FAIR analysis but will be useful for quickly understanding the relative importance of newly identified issues as well as how much money and effort you should spend addressing them. Before diving in though, I’ll review some of the existing methods for evaluating vulnerabilities and identify their pros and cons.

First up (pardon the pun): the Common Vulnerability Scoring System (CVSS).

Refer a friend