SlideShare ist ein Scribd-Unternehmen logo

Modern Security Risk

Als PPTX, PDF herunterladen
Phil Huggins FBCS CITP
Phil Huggins FBCS CITP

A presentation on updating security risk techniques to keep pace with the wider risk community.

Leadership & Management
1 von 11
Modern Security Risk Phil Huggins, Director, CISO Mentor Ltd CISO Mentor
Common Security Practices: Analysis Lists of Risks Overlaps Gaps Assumes independence Category Labels Imprecise Unreliable Range compression Single Likelihood Estimates Implies precision Hides uncertainty Worst Case Estimates Aggregation of risks unbelievable Likely to be in the tail of the risk Probability X Impact Doesn’t reflect reality CISO Mentor Ltd
Common Security Practice: Presentation Risk Matrix Throws away data Does not allow aggregation Often uses log scales Saw-tooth tolerance How bad is a yellow risk? How many yellows are a red worth? Is a thousand green risks acceptable? CISO Mentor Ltd
Levels of Uncertainty in Risk Level 0 o Identification of Hazard o Failure Mode Identification Level 3 Level 1 o Best Estimate o Central Value o Mean / Median o No Long Tails o Worst Case o Cybergeddon Level 4 o Probabilistic Analysis o Single Risk Curve Level 2 o Plausible Upper Bound o What is a reasonable worst case? Level 5 o Probabilistic Analysis o Multiple Risk Curves From: M Elisabeth Pate-Cornell, 1996, Uncertainties in Risk Management: Six Levels of Treatment CISO Mentor Ltd
Modern Risk Practices: Calibrated Estimation Accuracy (Calibration) beats precision (Discrimination). Both are good to have. Expert estimates are by nature subjective, uncertain and biased, there are ways to counter this: o Measuring internal & external base-rate data to indicate risk factors Lots of data available but discrimination and analysis required. o Internal & external expert estimation o Panel-based estimation o Delphi technique o Risk calibration training for experts 90% confidence interval, avoid anchoring General knowledge tests o Brier Scores for annual feedback CISO Mentor Ltd
Modern Risk Practices: Risk Universe There is a risk that <source> causes <event> that causes <consequence>. CISO Mentor LtdFrom: Open Information Security Risk Universe https://github.com/oracuk/oisru
Modern Risk Practices: Tolerance Curve CISO Mentor Ltd Avoid forcing stakeholders to do maths in their head. Avoid qualitative descriptors, they are interpreted differently by different people. Median value handles overly risk hungry executives, weighting executive scores by ownership also appropriate. Expected Rate of Occurrence / Frequency Monthly Likelihood Annual Likelihood Once a month 100.00% 12 x 100% Once a quarter 33.33% 4 x 100% Once every six months 16.67% 2 x 100% Once a year 8.33% 100% Once every two years 4.17% 50% Once every three years 2.78% 33.33% Once every five years 1.67% 20.00% Once every ten years 0.83% 10.00% Once every fifteen years 0.55% 6.66%%
Modern Risk Practices: Quantitative Analysis Likelihood, minimal harm and maximal harm estimates. Standard Monte Carlo simulation run tens of thousands of times and combined. Lognormal distribution for harm. Simulate both risks individually and as a portfolio of risk. Aggregate the risk exposure for board consideration. CISO Mentor Ltd This example represents a risk reduction of £18,820,822 across the risk portfolio in return for approximately £250,000 extra invested in security.
Modern Risk Practices: Bow-Tie Diagram
Further Reading Books: How to Measure Anything in Cybersecurity Risk, Hubbard & Seiersen Measuring and Managing Information Risk: A FAIR Approach, Freund & Jones Uncertain Judgements: Eliciting Experts' Probabilities, O’Hagan Risk Assessment and Decision Analysis with Bayesian Networks, Fenton & Neil Groups: Society of Information Risk Analysts (SIRA) FAIR Institute Cyentia Institute Standards: ISO 31010 - Risk Management - Risk Assessment Techniques Sites: https://magoo.github.io/simple-risk/ http://blog.blackswansecurity.com/category/risk/ Papers: A New Approach for Managing Operational Risk, Society of Actuaries Information Risk Insights Study (IRIS 20/20), Cyentia Institute Three influential risk foundation papers from the 80s and 90s: Are they still state-of-the-art? Terje Aven Uncertainties in Risk Management: Six Levels of Treatment, M Elisabeth Pate- Cornell The risk concept—historical and recent development trends, Terje Aven What's Wrong with Risk Matrices?, Louis Anthony (Tony)Cox Jr Estimation of losses due to cyber risk for financial institutions, Antoine Bouveret Hype and heavy tails: A closer look at data breaches, Edwards, Hofmeyr & Forrest Delphi, Norman C. Dalkey Judgemental Decomposition: When does it work? MacGregor & Armstrong Lessons learned from the real world application of the Bow-tie method, Risktec Supporting on-going capture and sharing of digital event data, CRO Forum Reference Incident Classification Taxonomy: Task Force Status and Way Forward, ENISA Quantitative Techniques in Information Risk Analysis, ISF
Thank you Phil Huggins, Director, CISO Mentor Ltd phil@cisomentor.com www.cisomentor.com CISO Mentor

Empfohlen

Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber ResiliencePhil Huggins FBCS CITP
 
Countering Cyber Threats
Countering Cyber ThreatsCountering Cyber Threats
Countering Cyber ThreatsPhil Huggins FBCS CITP
 
Quantifying Cyber Risk
Quantifying Cyber Risk Quantifying Cyber Risk
Quantifying Cyber Risk Phil Huggins FBCS CITP
 
Pitfalls of Cyber Data
Pitfalls of Cyber DataPitfalls of Cyber Data
Pitfalls of Cyber DataPhil Huggins FBCS CITP
 
Resilience is the new cyber security
Resilience is the new cyber securityResilience is the new cyber security
Resilience is the new cyber securityPhil Huggins FBCS CITP
 
Cyber Resilience: Managing Cyber Shocks
Cyber Resilience: Managing Cyber ShocksCyber Resilience: Managing Cyber Shocks
Cyber Resilience: Managing Cyber ShocksPhil Huggins FBCS CITP
 
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...EC-Council
 
Vendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskVendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskSarah Clarke
 

Empfohlen

Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber ResiliencePhil Huggins FBCS CITP
 
Countering Cyber Threats
Countering Cyber ThreatsCountering Cyber Threats
Countering Cyber ThreatsPhil Huggins FBCS CITP
 
Quantifying Cyber Risk
Quantifying Cyber Risk Quantifying Cyber Risk
Quantifying Cyber Risk Phil Huggins FBCS CITP
 
Pitfalls of Cyber Data
Pitfalls of Cyber DataPitfalls of Cyber Data
Pitfalls of Cyber DataPhil Huggins FBCS CITP
 
Resilience is the new cyber security
Resilience is the new cyber securityResilience is the new cyber security
Resilience is the new cyber securityPhil Huggins FBCS CITP
 
Cyber Resilience: Managing Cyber Shocks
Cyber Resilience: Managing Cyber ShocksCyber Resilience: Managing Cyber Shocks
Cyber Resilience: Managing Cyber ShocksPhil Huggins FBCS CITP
 
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...EC-Council
 
Vendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskVendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskSarah Clarke
 
Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk
Global CISO Forum 2017: How To Measure Anything In Cybersecurity RiskGlobal CISO Forum 2017: How To Measure Anything In Cybersecurity Risk
Global CISO Forum 2017: How To Measure Anything In Cybersecurity RiskEC-Council
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018Open Security Summit
 
011918 executive breach_simulation_customer_fac_rs
011918 executive breach_simulation_customer_fac_rs011918 executive breach_simulation_customer_fac_rs
011918 executive breach_simulation_customer_fac_rsRichard Smiraldi
 
EVOLVE to demand. demand to evolve by Igor Volovich
EVOLVE to demand. demand to evolve by Igor VolovichEVOLVE to demand. demand to evolve by Igor Volovich
EVOLVE to demand. demand to evolve by Igor VolovichEC-Council
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezThe Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezEC-Council
 
Risk Based Approach In cyber Security In Nepal
Risk Based Approach In cyber Security In NepalRisk Based Approach In cyber Security In Nepal
Risk Based Approach In cyber Security In NepalICT Frame Magazine Pvt. Ltd.
 
Using ISO 31000 as a strategic tool for National Planning and Governance
Using ISO 31000 as a strategic tool for National Planning and GovernanceUsing ISO 31000 as a strategic tool for National Planning and Governance
Using ISO 31000 as a strategic tool for National Planning and GovernancePECB
 
Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...
Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...
Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...EC-Council
 
Managing Insider Risk
Managing Insider RiskManaging Insider Risk
Managing Insider RiskPhil Huggins FBCS CITP
 
Demonstrating Information Security Program Effectiveness
Demonstrating Information Security Program EffectivenessDemonstrating Information Security Program Effectiveness
Demonstrating Information Security Program EffectivenessDoug Copley
 
Measuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information RiskMeasuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information RiskTony Martin-Vegue
 
Hexis Cybersecurity Mission Possible: Taming Rogue Ghost Alerts
Hexis Cybersecurity Mission Possible: Taming Rogue Ghost AlertsHexis Cybersecurity Mission Possible: Taming Rogue Ghost Alerts
Hexis Cybersecurity Mission Possible: Taming Rogue Ghost AlertsHexis Cyber Solutions
 
MP_OneSheet_VulnThreat
MP_OneSheet_VulnThreatMP_OneSheet_VulnThreat
MP_OneSheet_VulnThreatKatherine Johnston, CFE
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boardsPaul McGillicuddy
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementPriyanka Aash
 
Building Human Intelligence – Pun Intended
Building Human Intelligence – Pun IntendedBuilding Human Intelligence – Pun Intended
Building Human Intelligence – Pun IntendedEnergySec
 
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadRethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadOpenDNS
 
Introduction to PolySwarm
Introduction to PolySwarmIntroduction to PolySwarm
Introduction to PolySwarmBlakeReyes
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gatesEoin Keary
 
Security vulnerability assessment & liability(li)
Security vulnerability assessment & liability(li)Security vulnerability assessment & liability(li)
Security vulnerability assessment & liability(li)Wivenhoe Management Group
 
Risk Management Insights in a World Gone Mad
Risk Management Insights in a World Gone MadRisk Management Insights in a World Gone Mad
Risk Management Insights in a World Gone MadIvanti
 
PSD Operational Risk Event - June 2016
PSD Operational Risk Event - June 2016 PSD Operational Risk Event - June 2016
PSD Operational Risk Event - June 2016 PSD Group Ltd
 

Weitere ähnliche Inhalte

Was ist angesagt?

Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk
Global CISO Forum 2017: How To Measure Anything In Cybersecurity RiskGlobal CISO Forum 2017: How To Measure Anything In Cybersecurity Risk
Global CISO Forum 2017: How To Measure Anything In Cybersecurity RiskEC-Council
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018Open Security Summit
 
011918 executive breach_simulation_customer_fac_rs
011918 executive breach_simulation_customer_fac_rs011918 executive breach_simulation_customer_fac_rs
011918 executive breach_simulation_customer_fac_rsRichard Smiraldi
 
EVOLVE to demand. demand to evolve by Igor Volovich
EVOLVE to demand. demand to evolve by Igor VolovichEVOLVE to demand. demand to evolve by Igor Volovich
EVOLVE to demand. demand to evolve by Igor VolovichEC-Council
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezThe Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezEC-Council
 
Using ISO 31000 as a strategic tool for National Planning and Governance
Using ISO 31000 as a strategic tool for National Planning and GovernanceUsing ISO 31000 as a strategic tool for National Planning and Governance
Using ISO 31000 as a strategic tool for National Planning and GovernancePECB
 
Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...
Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...
Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...EC-Council
 
Demonstrating Information Security Program Effectiveness
Demonstrating Information Security Program EffectivenessDemonstrating Information Security Program Effectiveness
Demonstrating Information Security Program EffectivenessDoug Copley
 
Measuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information RiskMeasuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information RiskTony Martin-Vegue
 
Hexis Cybersecurity Mission Possible: Taming Rogue Ghost Alerts
Hexis Cybersecurity Mission Possible: Taming Rogue Ghost AlertsHexis Cybersecurity Mission Possible: Taming Rogue Ghost Alerts
Hexis Cybersecurity Mission Possible: Taming Rogue Ghost AlertsHexis Cyber Solutions
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boardsPaul McGillicuddy
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementPriyanka Aash
 
Building Human Intelligence – Pun Intended
Building Human Intelligence – Pun IntendedBuilding Human Intelligence – Pun Intended
Building Human Intelligence – Pun IntendedEnergySec
 
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadRethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadOpenDNS
 
Introduction to PolySwarm
Introduction to PolySwarmIntroduction to PolySwarm
Introduction to PolySwarmBlakeReyes
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gatesEoin Keary
 
Security vulnerability assessment & liability(li)
Security vulnerability assessment & liability(li)Security vulnerability assessment & liability(li)
Security vulnerability assessment & liability(li)Wivenhoe Management Group
 

Was ist angesagt? (20)

Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk
Global CISO Forum 2017: How To Measure Anything In Cybersecurity RiskGlobal CISO Forum 2017: How To Measure Anything In Cybersecurity Risk
Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018
 
011918 executive breach_simulation_customer_fac_rs
011918 executive breach_simulation_customer_fac_rs011918 executive breach_simulation_customer_fac_rs
011918 executive breach_simulation_customer_fac_rs
 
EVOLVE to demand. demand to evolve by Igor Volovich
EVOLVE to demand. demand to evolve by Igor VolovichEVOLVE to demand. demand to evolve by Igor Volovich
EVOLVE to demand. demand to evolve by Igor Volovich
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezThe Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
 
Risk Based Approach In cyber Security In Nepal
Risk Based Approach In cyber Security In NepalRisk Based Approach In cyber Security In Nepal
Risk Based Approach In cyber Security In Nepal
 
Using ISO 31000 as a strategic tool for National Planning and Governance
Using ISO 31000 as a strategic tool for National Planning and GovernanceUsing ISO 31000 as a strategic tool for National Planning and Governance
Using ISO 31000 as a strategic tool for National Planning and Governance
 
Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...
Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...
Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...
 
Managing Insider Risk
Managing Insider RiskManaging Insider Risk
Managing Insider Risk
 
Demonstrating Information Security Program Effectiveness
Demonstrating Information Security Program EffectivenessDemonstrating Information Security Program Effectiveness
Demonstrating Information Security Program Effectiveness
 
Measuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information RiskMeasuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information Risk
 
Hexis Cybersecurity Mission Possible: Taming Rogue Ghost Alerts
Hexis Cybersecurity Mission Possible: Taming Rogue Ghost AlertsHexis Cybersecurity Mission Possible: Taming Rogue Ghost Alerts
Hexis Cybersecurity Mission Possible: Taming Rogue Ghost Alerts
 
MP_OneSheet_VulnThreat
MP_OneSheet_VulnThreatMP_OneSheet_VulnThreat
MP_OneSheet_VulnThreat
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boards
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk Management
 
Building Human Intelligence – Pun Intended
Building Human Intelligence – Pun IntendedBuilding Human Intelligence – Pun Intended
Building Human Intelligence – Pun Intended
 
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadRethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
 
Introduction to PolySwarm
Introduction to PolySwarmIntroduction to PolySwarm
Introduction to PolySwarm
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gates
 
Security vulnerability assessment & liability(li)
Security vulnerability assessment & liability(li)Security vulnerability assessment & liability(li)
Security vulnerability assessment & liability(li)
 

Ähnlich wie Modern Security Risk

Risk Management Insights in a World Gone Mad
Risk Management Insights in a World Gone MadRisk Management Insights in a World Gone Mad
Risk Management Insights in a World Gone MadIvanti
 
PSD Operational Risk Event - June 2016
PSD Operational Risk Event - June 2016 PSD Operational Risk Event - June 2016
PSD Operational Risk Event - June 2016 PSD Group Ltd
 
American Bankers Association Risk Management Forum April 29, 2010 Tyler D. ...
American Bankers Association Risk Management Forum April 29, 2010 Tyler D. ...American Bankers Association Risk Management Forum April 29, 2010 Tyler D. ...
American Bankers Association Risk Management Forum April 29, 2010 Tyler D. ...tnunnally
 
Web applications: How Penetration Tests can improve your Risk Assessment
Web applications: How Penetration Tests can improve your Risk AssessmentWeb applications: How Penetration Tests can improve your Risk Assessment
Web applications: How Penetration Tests can improve your Risk AssessmentPECB
 
Home Risk Assessment Essay
Home Risk Assessment EssayHome Risk Assessment Essay
Home Risk Assessment EssayAngela Hays
 
Relating Risk to Vulnerability
Relating Risk to Vulnerability Relating Risk to Vulnerability
Relating Risk to Vulnerability Resolver Inc.
 
Crash Course: Managing Cyber Risk Using Quantitative Analysis
Crash Course: Managing Cyber Risk Using Quantitative AnalysisCrash Course: Managing Cyber Risk Using Quantitative Analysis
Crash Course: Managing Cyber Risk Using Quantitative Analysis"Apolonio \"Apps\"" Garcia
 
Emergence of the Chief Risk Officer function
Emergence of the Chief Risk Officer functionEmergence of the Chief Risk Officer function
Emergence of the Chief Risk Officer functionMichel Rochette
 
Risk Management Insight FAIR(FACTOR AN.docx
Risk Management Insight FAIR(FACTOR AN.docxRisk Management Insight FAIR(FACTOR AN.docx
Risk Management Insight FAIR(FACTOR AN.docxpoulterbarbara
 
Everything you need to know about Risk Management
Everything you need to know about Risk ManagementEverything you need to know about Risk Management
Everything you need to know about Risk ManagementITM Platform
 
07 - Risk Assessment Creating a Risk Matrix.pdf
07 - Risk Assessment Creating a Risk Matrix.pdf07 - Risk Assessment Creating a Risk Matrix.pdf
07 - Risk Assessment Creating a Risk Matrix.pdfssusere173f1
 
11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of securityMatthew Pascucci
 
How to embed emerging risk identification and management IRMindia Affiliate
How to embed emerging risk identification and management IRMindia AffiliateHow to embed emerging risk identification and management IRMindia Affiliate
How to embed emerging risk identification and management IRMindia AffiliateIRM India Affiliate
 
Caveon Webinar Series: Lessons Learned from EATP and CSDPTF November 2013
Caveon Webinar Series: Lessons Learned from EATP and CSDPTF November 2013Caveon Webinar Series: Lessons Learned from EATP and CSDPTF November 2013
Caveon Webinar Series: Lessons Learned from EATP and CSDPTF November 2013Caveon Test Security
 
Risk Reimagined! Series- The Importance of People and Culture to Effective Ri...
Risk Reimagined! Series- The Importance of People and Culture to Effective Ri...Risk Reimagined! Series- The Importance of People and Culture to Effective Ri...
Risk Reimagined! Series- The Importance of People and Culture to Effective Ri...Resolver Inc.
 

Ähnlich wie Modern Security Risk (20)

Risk Management Insights in a World Gone Mad
Risk Management Insights in a World Gone MadRisk Management Insights in a World Gone Mad
Risk Management Insights in a World Gone Mad
 
PSD Operational Risk Event - June 2016
PSD Operational Risk Event - June 2016 PSD Operational Risk Event - June 2016
PSD Operational Risk Event - June 2016
 
American Bankers Association Risk Management Forum April 29, 2010 Tyler D. ...
American Bankers Association Risk Management Forum April 29, 2010 Tyler D. ...American Bankers Association Risk Management Forum April 29, 2010 Tyler D. ...
American Bankers Association Risk Management Forum April 29, 2010 Tyler D. ...
 
Web applications: How Penetration Tests can improve your Risk Assessment
Web applications: How Penetration Tests can improve your Risk AssessmentWeb applications: How Penetration Tests can improve your Risk Assessment
Web applications: How Penetration Tests can improve your Risk Assessment
 
Home Risk Assessment Essay
Home Risk Assessment EssayHome Risk Assessment Essay
Home Risk Assessment Essay
 
ADCB Presentation - MENA Bank Tech June 2014 v2
ADCB Presentation - MENA Bank Tech June 2014 v2ADCB Presentation - MENA Bank Tech June 2014 v2
ADCB Presentation - MENA Bank Tech June 2014 v2
 
Relating Risk to Vulnerability
Relating Risk to Vulnerability Relating Risk to Vulnerability
Relating Risk to Vulnerability
 
Crash Course: Managing Cyber Risk Using Quantitative Analysis
Crash Course: Managing Cyber Risk Using Quantitative AnalysisCrash Course: Managing Cyber Risk Using Quantitative Analysis
Crash Course: Managing Cyber Risk Using Quantitative Analysis
 
Emergence of the Chief Risk Officer function
Emergence of the Chief Risk Officer functionEmergence of the Chief Risk Officer function
Emergence of the Chief Risk Officer function
 
Risk Management Insight FAIR(FACTOR AN.docx
Risk Management Insight FAIR(FACTOR AN.docxRisk Management Insight FAIR(FACTOR AN.docx
Risk Management Insight FAIR(FACTOR AN.docx
 
Key Slides
Key SlidesKey Slides
Key Slides
 
Everything you need to know about Risk Management
Everything you need to know about Risk ManagementEverything you need to know about Risk Management
Everything you need to know about Risk Management
 
07 - Risk Assessment Creating a Risk Matrix.pdf
07 - Risk Assessment Creating a Risk Matrix.pdf07 - Risk Assessment Creating a Risk Matrix.pdf
07 - Risk Assessment Creating a Risk Matrix.pdf
 
R af d
R af dR af d
R af d
 
Risk Analysis for Dummies
Risk Analysis for DummiesRisk Analysis for Dummies
Risk Analysis for Dummies
 
11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security
 
How to embed emerging risk identification and management IRMindia Affiliate
How to embed emerging risk identification and management IRMindia AffiliateHow to embed emerging risk identification and management IRMindia Affiliate
How to embed emerging risk identification and management IRMindia Affiliate
 
Caveon Webinar Series: Lessons Learned from EATP and CSDPTF November 2013
Caveon Webinar Series: Lessons Learned from EATP and CSDPTF November 2013Caveon Webinar Series: Lessons Learned from EATP and CSDPTF November 2013
Caveon Webinar Series: Lessons Learned from EATP and CSDPTF November 2013
 
Risk Reimagined! Series- The Importance of People and Culture to Effective Ri...
Risk Reimagined! Series- The Importance of People and Culture to Effective Ri...Risk Reimagined! Series- The Importance of People and Culture to Effective Ri...
Risk Reimagined! Series- The Importance of People and Culture to Effective Ri...
 
Enterprise Risk Management
Enterprise Risk ManagementEnterprise Risk Management
Enterprise Risk Management
 

Kürzlich hochgeladen

Dealing with Poor Performance - get the full picture from 3C Performance Mana...
Dealing with Poor Performance - get the full picture from 3C Performance Mana...Dealing with Poor Performance - get the full picture from 3C Performance Mana...
Dealing with Poor Performance - get the full picture from 3C Performance Mana...Hedda Bird
 
International Ocean Transportation p.pdf
International Ocean Transportation p.pdfInternational Ocean Transportation p.pdf
International Ocean Transportation p.pdfAlejandromexEspino
 
Beyond the Codes_Repositioning towards sustainable development
Beyond the Codes_Repositioning towards sustainable developmentBeyond the Codes_Repositioning towards sustainable development
Beyond the Codes_Repositioning towards sustainable developmentNimot Muili
 
Strategic Management, Vision Mission, Internal Analsysis
Strategic Management, Vision Mission, Internal AnalsysisStrategic Management, Vision Mission, Internal Analsysis
Strategic Management, Vision Mission, Internal Analsysistanmayarora45
 
How Software Developers Destroy Business Value.pptx
How Software Developers Destroy Business Value.pptxHow Software Developers Destroy Business Value.pptx
How Software Developers Destroy Business Value.pptxAaron Stannard
 
internal analysis on strategic management
internal analysis on strategic managementinternal analysis on strategic management
internal analysis on strategic managementharfimakarim
 
Independent Escorts Vikaspuri / 9899900591 High Profile Escort Service in Delhi
Independent Escorts Vikaspuri / 9899900591 High Profile Escort Service in DelhiIndependent Escorts Vikaspuri / 9899900591 High Profile Escort Service in Delhi
Independent Escorts Vikaspuri / 9899900591 High Profile Escort Service in Delhiguptaswati8536
 
Agile Coaching Change Management Framework.pptx
Agile Coaching Change Management Framework.pptxAgile Coaching Change Management Framework.pptx
Agile Coaching Change Management Framework.pptxalinstan901
 
Marketing Management 16th edition by Philip Kotler test bank.docx
Marketing Management 16th edition by Philip Kotler test bank.docxMarketing Management 16th edition by Philip Kotler test bank.docx
Marketing Management 16th edition by Philip Kotler test bank.docxssuserf63bd7
 
Safety T fire missions army field Artillery
Safety T fire missions army field ArtillerySafety T fire missions army field Artillery
Safety T fire missions army field ArtilleryKennethSwanberg
 
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Reviewing and summarization of university ranking system to.pptx
Reviewing and summarization of university ranking system to.pptxReviewing and summarization of university ranking system to.pptx
Reviewing and summarization of university ranking system to.pptxAss.Prof. Dr. Mogeeb Mosleh
 
Leaders enhance communication by actively listening, providing constructive f...
Leaders enhance communication by actively listening, providing constructive f...Leaders enhance communication by actively listening, providing constructive f...
Leaders enhance communication by actively listening, providing constructive f...Ram V Chary
 

Kürzlich hochgeladen (15)

Dealing with Poor Performance - get the full picture from 3C Performance Mana...
Dealing with Poor Performance - get the full picture from 3C Performance Mana...Dealing with Poor Performance - get the full picture from 3C Performance Mana...
Dealing with Poor Performance - get the full picture from 3C Performance Mana...
 
International Ocean Transportation p.pdf
International Ocean Transportation p.pdfInternational Ocean Transportation p.pdf
International Ocean Transportation p.pdf
 
Beyond the Codes_Repositioning towards sustainable development
Beyond the Codes_Repositioning towards sustainable developmentBeyond the Codes_Repositioning towards sustainable development
Beyond the Codes_Repositioning towards sustainable development
 
Intro_University_Ranking_Introduction.pptx
Intro_University_Ranking_Introduction.pptxIntro_University_Ranking_Introduction.pptx
Intro_University_Ranking_Introduction.pptx
 
Strategic Management, Vision Mission, Internal Analsysis
Strategic Management, Vision Mission, Internal AnalsysisStrategic Management, Vision Mission, Internal Analsysis
Strategic Management, Vision Mission, Internal Analsysis
 
How Software Developers Destroy Business Value.pptx
How Software Developers Destroy Business Value.pptxHow Software Developers Destroy Business Value.pptx
How Software Developers Destroy Business Value.pptx
 
internal analysis on strategic management
internal analysis on strategic managementinternal analysis on strategic management
internal analysis on strategic management
 
Independent Escorts Vikaspuri / 9899900591 High Profile Escort Service in Delhi
Independent Escorts Vikaspuri / 9899900591 High Profile Escort Service in DelhiIndependent Escorts Vikaspuri / 9899900591 High Profile Escort Service in Delhi
Independent Escorts Vikaspuri / 9899900591 High Profile Escort Service in Delhi
 
Agile Coaching Change Management Framework.pptx
Agile Coaching Change Management Framework.pptxAgile Coaching Change Management Framework.pptx
Agile Coaching Change Management Framework.pptx
 
Marketing Management 16th edition by Philip Kotler test bank.docx
Marketing Management 16th edition by Philip Kotler test bank.docxMarketing Management 16th edition by Philip Kotler test bank.docx
Marketing Management 16th edition by Philip Kotler test bank.docx
 
Safety T fire missions army field Artillery
Safety T fire missions army field ArtillerySafety T fire missions army field Artillery
Safety T fire missions army field Artillery
 
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort Service
 
Abortion pills in Jeddah |• +966572737505 ] GET CYTOTEC
Abortion pills in Jeddah |• +966572737505 ] GET CYTOTECAbortion pills in Jeddah |• +966572737505 ] GET CYTOTEC
Abortion pills in Jeddah |• +966572737505 ] GET CYTOTEC
 
Reviewing and summarization of university ranking system to.pptx
Reviewing and summarization of university ranking system to.pptxReviewing and summarization of university ranking system to.pptx
Reviewing and summarization of university ranking system to.pptx
 
Leaders enhance communication by actively listening, providing constructive f...
Leaders enhance communication by actively listening, providing constructive f...Leaders enhance communication by actively listening, providing constructive f...
Leaders enhance communication by actively listening, providing constructive f...
 

Modern Security Risk

  • 1. Modern Security Risk Phil Huggins, Director, CISO Mentor Ltd CISO Mentor
  • 2. Common Security Practices: Analysis Lists of Risks Overlaps Gaps Assumes independence Category Labels Imprecise Unreliable Range compression Single Likelihood Estimates Implies precision Hides uncertainty Worst Case Estimates Aggregation of risks unbelievable Likely to be in the tail of the risk Probability X Impact Doesn’t reflect reality CISO Mentor Ltd
  • 3. Common Security Practice: Presentation Risk Matrix Throws away data Does not allow aggregation Often uses log scales Saw-tooth tolerance How bad is a yellow risk? How many yellows are a red worth? Is a thousand green risks acceptable? CISO Mentor Ltd
  • 4. Levels of Uncertainty in Risk Level 0 o Identification of Hazard o Failure Mode Identification Level 3 Level 1 o Best Estimate o Central Value o Mean / Median o No Long Tails o Worst Case o Cybergeddon Level 4 o Probabilistic Analysis o Single Risk Curve Level 2 o Plausible Upper Bound o What is a reasonable worst case? Level 5 o Probabilistic Analysis o Multiple Risk Curves From: M Elisabeth Pate-Cornell, 1996, Uncertainties in Risk Management: Six Levels of Treatment CISO Mentor Ltd
  • 5. Modern Risk Practices: Calibrated Estimation Accuracy (Calibration) beats precision (Discrimination). Both are good to have. Expert estimates are by nature subjective, uncertain and biased, there are ways to counter this: o Measuring internal & external base-rate data to indicate risk factors Lots of data available but discrimination and analysis required. o Internal & external expert estimation o Panel-based estimation o Delphi technique o Risk calibration training for experts 90% confidence interval, avoid anchoring General knowledge tests o Brier Scores for annual feedback CISO Mentor Ltd
  • 6. Modern Risk Practices: Risk Universe There is a risk that <source> causes <event> that causes <consequence>. CISO Mentor LtdFrom: Open Information Security Risk Universe https://github.com/oracuk/oisru
  • 7. Modern Risk Practices: Tolerance Curve CISO Mentor Ltd Avoid forcing stakeholders to do maths in their head. Avoid qualitative descriptors, they are interpreted differently by different people. Median value handles overly risk hungry executives, weighting executive scores by ownership also appropriate. Expected Rate of Occurrence / Frequency Monthly Likelihood Annual Likelihood Once a month 100.00% 12 x 100% Once a quarter 33.33% 4 x 100% Once every six months 16.67% 2 x 100% Once a year 8.33% 100% Once every two years 4.17% 50% Once every three years 2.78% 33.33% Once every five years 1.67% 20.00% Once every ten years 0.83% 10.00% Once every fifteen years 0.55% 6.66%%
  • 8. Modern Risk Practices: Quantitative Analysis Likelihood, minimal harm and maximal harm estimates. Standard Monte Carlo simulation run tens of thousands of times and combined. Lognormal distribution for harm. Simulate both risks individually and as a portfolio of risk. Aggregate the risk exposure for board consideration. CISO Mentor Ltd This example represents a risk reduction of £18,820,822 across the risk portfolio in return for approximately £250,000 extra invested in security.
  • 9. Modern Risk Practices: Bow-Tie Diagram
  • 10. Further Reading Books: How to Measure Anything in Cybersecurity Risk, Hubbard & Seiersen Measuring and Managing Information Risk: A FAIR Approach, Freund & Jones Uncertain Judgements: Eliciting Experts' Probabilities, O’Hagan Risk Assessment and Decision Analysis with Bayesian Networks, Fenton & Neil Groups: Society of Information Risk Analysts (SIRA) FAIR Institute Cyentia Institute Standards: ISO 31010 - Risk Management - Risk Assessment Techniques Sites: https://magoo.github.io/simple-risk/ http://blog.blackswansecurity.com/category/risk/ Papers: A New Approach for Managing Operational Risk, Society of Actuaries Information Risk Insights Study (IRIS 20/20), Cyentia Institute Three influential risk foundation papers from the 80s and 90s: Are they still state-of-the-art? Terje Aven Uncertainties in Risk Management: Six Levels of Treatment, M Elisabeth Pate- Cornell The risk concept—historical and recent development trends, Terje Aven What's Wrong with Risk Matrices?, Louis Anthony (Tony)Cox Jr Estimation of losses due to cyber risk for financial institutions, Antoine Bouveret Hype and heavy tails: A closer look at data breaches, Edwards, Hofmeyr & Forrest Delphi, Norman C. Dalkey Judgemental Decomposition: When does it work? MacGregor & Armstrong Lessons learned from the real world application of the Bow-tie method, Risktec Supporting on-going capture and sharing of digital event data, CRO Forum Reference Incident Classification Taxonomy: Task Force Status and Way Forward, ENISA Quantitative Techniques in Information Risk Analysis, ISF
  • 11. Thank you Phil Huggins, Director, CISO Mentor Ltd phil@cisomentor.com www.cisomentor.com CISO Mentor