When you hear “quantify risk,” you might think it’s the buzz-term du jour. You might be right. Risk quantification is a hot topic right now. It seems everyone who touches security – from the C-suite to the board – has this at the forefront of their mind.
As a security leader, you’re likely being asked about quantifying risk, perhaps more so now than ever before. You might be pressed to answer with much confidence. When you pass the question along to the rest of your team, they might feel stumped as well. This is because security data is often collected without much consideration for what should be measured. Sometimes, the foundation of a measurement framework is simply what an analyst guesses should be measured.
Regardless of how you arrived at this question, know that you’re not alone in struggling to answer it. Not by a long shot. Here’s how to determine your company’s risk exposure.
Same data, different view
No question, capturing data is critical to effectively measuring your risk. But data collection alone, is NOT a security metrics strategy. Imagine the parents of a child who is allergic to peanuts looking at a candy bar. It would be excessive for them to study the calories, sugar content, physical size, weight, brand, number of followers on Instagram and look for a USDA Organic label. What really matters most is if it has peanuts in it.
Without first establishing what metrics are important to your organization, you’ll end up buried in numbers without any context or understanding to guide meaningful analysis.
Harness the power of assumptions
Imagine you are camping and your winter coat has a huge rip in it. How much at risk is there of you catching hypothermia? The answer very much depends. What month is it? Are you in Antarctica or Arizona? Do you also have a low-temperature-rated sleeping bag? This is context, and it’s imperative. We can’t conclusively identify a single component of risk when context and assumptions are undefined. We wouldn’t know if events are significant, measurable, or repeatable.
Security vulnerabilities within your organization may include weak database encryption, outdated operating systems, unpatched software, or poor password hashing. Without the context of knowing the controls, likelihood and impact of a security event, and prevalence of any threat communities, you can’t effectively gauge risk. It’s very important to clarify the context and assumptions being made when establishing your metrics strategy.
Focus on measurement principles
Simple decisions made in measurement can make or break the effectiveness of execution. This is where we consider what’s most important in how to make measurements for the most accurate assessment. Focus on:
Probability, not possibility – What’s most likely to happen vs. everything that COULD happen? Too often, security leaders build out plans and protocols that tack every possible outcome into account. There’s nothing wrong with being thorough. In fact, most leaders are tasked with this level of precision. However, to give the same weight to every possibility would be misguided. It’s important to look at the most probable events more closely, and build metrics around those.
Accuracy, not precision – It’s better to make estimates and achieve accuracy than aim for precision and be wrong. I’m not saying feel free to take wild stabs in the dark. I’m saying to aim for being accurate vs. being exactly precise down to the decibel.
Objectivity, less subjectivity – subjective measuring leads to inconsistent results. Be as objective as possible. This shouldn’t come as a surprise to anyone in IT. Objectivity is how data is obtained and measured.
Calibrate for the human element – Humans are… humans. Plan for it.
Quantifying risk is less overwhelming when utilizing an industry recognized security measurement framework. In the next article, I’ll explain how to implement this framework and optimize it in a way that helps establish and solidify your risk quantification program.