I don’t know how many times I’ve heard cyber security professionals say something like, “not having multi-factor authentication [MFA] is a huge risk for our organisation.”
The truth is, that type of statement may illustrate a control weakness, but unless the unwanted outcome is a ding in an audit report where MFA is required, that is not the real risk. The real risk is the probability of a ransomware incident, for example, or the leak of personally identifiable information (PII) from a customer database.
For enterprises, risk lay in the potential losses associated with unwanted outcomes incurred through their computing environments. The cyber security piece of this typically focuses on incidents where these outcomes were caused by an intelligent adversary.
A simple way to think about unwanted outcomes is to consider the ways CSOs might fail to meet one or more of their control objectives – confidentiality, integrity, availability, or other objectives – and experience one of the aforementioned incidents, among others.
Once risk is understood, it becomes easier to see that much of what we do in cyber security revolves around addressing control weaknesses that essentially act as risk placeholders. We feel like there is no real way to determine risks and assess their likelihood and so therefore rely on best practices and control frameworks to fill in the gaps.
So, while most CSOs perform their duties in service to risk management activities, there is almost never any proof that fixing control weaknesses would ever lead to a true reduction in unwanted outcomes that lead to loss events.
Cyber security risk lives in real-time
I believe there is one big reason why this is true: we don’t internalise the fact that the risk we aim to manage “lives” within the real-time activities happening throughout our IT environments. That is, the risk exists within the millions, billions, trillions, quadrillions of transactions and messages and sessions and other structured elements.
While we can’t definitively measure risk because at its core risk is a prediction about future outcomes, we can at least make those risk predictions and then test their accuracy after the fact by measuring the pertinent activities. Then we can use that data to inform our future risk predictions and their follow-on decisions.
According to Cisco in its 2017 Annual Cybersecurity Report, spam accounted for nearly two-thirds (65 per cent) of total email volume, and research suggests that global spam volume is growing due to large and thriving spam-sending botnets. As outlined by the vendor's threat researchers, about eight per cent to 10 per cent of the global spam observed in 2016 could be classified as malicious.
In addition, the percentage of spam with malicious email attachments is increasing, and adversaries appear to be experimenting with a wide range of file types to help their campaigns succeed.
Based on this information, CSOs can derive the probability part of risk of getting a malicious email message as about six per cent.
Some of my astute colleagues may point out that risk must also include a magnitude element expressed in financial losses. While that is ultimately my goal as well, I don’t consider it a necessary condition as long as one can intuit the losses associated with receiving a malicious email message.
This allows CSOs to circle back around not to control weakness, but to its strength, depending on how many of those messages a solution can stop before an incident occurs.
With so much cyber security activity revolving around people and process, it is easy to become distracted or deceived into thinking incorrectly. It is crucial to understand that amidst the massive amounts of activities occurring in our IT environments, real-time is where the risk is.