
Cyber Risk Quantification Protecting Critical Infrastructure from Cyber Sabotage

Presenter:

Shane Williams

Transcript:

Next up on stage is going to be Shane Williams. He works for Black & Veatch, where he is a principal consultant. And he's going to talk about cyber risk quantification: protecting critical infrastructure from cyber sabotage. Pretty exciting. So welcome, Shane.

Thank you for that. Before I get going, I had a Teams meeting this morning, and it just popped into my head at the end of the Teams call. Microsoft prompted for the survey to say, how was the quality of the call? And I was thinking of it as an opportunity for Microsoft to add a few more questions, like, did you get value out of this call?

Did we resolve any issues? Do we have some next steps? And then I start to think a little more about what if they just continue to record the audio after you've hit the leave button and send that audio back to the presenter for some real time feedback, and I can guarantee you they're not doing that because I wouldn't have a job.

So, thanks for that welcome.

This is hooked up with it. There we go. So, Shane Williams, Black & Veatch, a large, privately held engineering firm based in Kansas City. I'm part of the management consulting group. I've been with them for 20 plus years now, and I started my career as an application developer doing system implementation, and then moved over into operational technologies and into cybersecurity in the more recent years.

My first taste of cybersecurity was implementing, next version one. So back in 2007. So if folks were around for that, they might have heard of it. And our previous speaker mentioned an operational technology incident response plan, amongst other controls, that would be great to put in place.

And, you know, in an ideal world, we would implement all of those controls. But what I'm here today to talk to you about is cyber risk quantification, because in the real world we're limited by budget and we're limited by resources. So we need to determine which of those controls are the best ones to get the most risk reduction.

And it wouldn't be appropriate to be in Houston and not use "Houston, we have a problem." It's actually 55 years this week since that call came from Jack Swigert on the Apollo 13 mission. The problem I'm talking about is a communication problem. So as an OT technical group, we tend to get hung up in our jargon.

We like to speak about different things. But the folks we're speaking to about budgets and getting funding for the programs don't understand that language. And I guess the communication problem is we're communicating, but they're not taking the actions that we want to align with those communications.

And so, I think a lot of us have heard this before or seen this before: buzzword bingo or boardroom bingo. I've just put a little spin on it called cyber lingo bingo. So just, who's used these terms as they've spoken to the leadership, and did the leadership really understand what they're hearing from you? So attack vectors, APTs, advanced persistent threats, asymmetric encryption, and the list goes on.

MFA, DDoS. It could be bands that we used to rap to. Data breaches, backdoors, smishing, something we did in high school maybe. The maturity levels. We talk about control maturity level. We had a client call us last year. They had hired a major firm to come in and do a cybersecurity assessment. And at the end of that assessment, they presented their findings to the board and said, you're a 2.8 and you really need to be at 3.5.

The board was like, fantastic, let's do it. So they kicked off 26 different initiatives, hired the CSO at that time to say, hey, we've just kicked off this work. We want you to keep track of it and make sure that we get to a 3.5. And that's when the CSO contacted us saying, what's a 3.5? And so we worked with them to try and establish some priority and get some structure around that program.

And thirdly, through these communications, using risk quantification. This is what we're trying to avoid. So, just less than a year ago, this is Mr. Witty. He's the UnitedHealthCare CEO. He's testifying before Congress on a cyber security incident that happened to a subsidiary of UnitedHealthCare called Change Healthcare. And the reason he was there is Change Healthcare processes a sixth of the medical transactions that happen in the US, and they couldn't do pre-approvals, they couldn't approve claims, and it brought the health care system to a grinding halt, if you remember that.

So the problem there was, Change Healthcare was acquired a year beforehand, and UnitedHealthCare had very strict, very robust cybersecurity controls.

But Change Healthcare didn't. And so they didn't do that as part of their analysis when they did the acquisition. And that wasn't addressed a year into their business. And that's when the attack hit and caused the problems. So there's Mr. Witty, the CEO of UnitedHealthCare, trying to explain to Congress the fact that he failed to implement multifactor authentication.

And the next one is patient zero for the TSA guidelines, if anyone knows this. So this is Mr. Blount. He's the CEO of Colonial Pipeline, or the ex-CEO now, testifying before Congress on what happened there. And again, just a simple control. They didn't turn off the credentials of a contractor that had left. And those credentials were found in a different attack.

And then through brute force, they were able to get themselves into Colonial Pipeline. And the rest is history. So that's what we do not want. So we want to get to know our audience. Who are we speaking to? CCR has put out a list of questions that executive management should be asking of their cybersecurity team. And I just picked a handful that I thought were really relevant.

So as cyber practitioners, can we clearly describe what our current level of cybersecurity is for our company? What are the impacts to our business from that current level of cybersecurity risk? What's the plan to address them? Are we capturing metrics that are measurable and meaningful to the management team, the leadership team?

And then a related question to the cybersecurity risk level that we have: how does that impact stakeholders outside of our business? And so the links down the bottom there, you'll get a copy of the presentation afterwards. So I'm going to talk about four models for assessing cybersecurity risk that I've used, and then kind of the pros and cons of each model.

And then we'll jump in. So typically when we do a risk assessment we're comparing our level of controls against a known framework, whether that's 800-82 or CSF or ISA/IEC 62443. And then we say whether we're compliant with that control. And sometimes it's a binary yes/no, I'm meeting all of the aspects of that control, or we can give a subjective score, a maturity, so we can say we're a 1 or 2 or 3 or 4, fully implemented, partially implemented, whatever the case may be.

And so we do our assessment. We've said yes, we've got some controls that we're compliant with, some that we're not. We have our subject matter expert review it. And then at the end they come out with a table saying, well, I think we've got a high-risk control that needs to be addressed. We've got a few mediums and a few lows.

And again, thinking back to those questions that I just presented, the leadership's asking, well, how much risk do I have? If I implement these controls that you're recommending, how much risk do I have left? And then the cyber security team are answering, it's a lot, you know, like, how can I tell with that approach?

So the next model is kind of just building upon that and providing the next level of intelligence, to say, well, what's the likelihood of that event to occur? And what's the impact of that event? And again, we've color coded it. We put it under this heat matrix that I'm sure everyone in this room has used at some point.

And then we go from there and we start to do some funky math, assigning numbers to colors and multiplying colors by colors and numbers by numbers, and start saying, through these arbitrary scores that we've added, I now have a total risk. I have average risk. I have a medium risk. And again, using that maturity model, this is taken from a presentation that I did a few years back.

But using the control groups or the categories in the program, to say here's the assessment of where you are, and the orange ring is depicting where I think it should be at the end, when we implement that program. This was another approach that we used with clients a few years back, and it was using a risk scoring methodology.

And so we were using the CSET tool that's freely available from the Department of Homeland Security. And so what they've done there is had some subject matter experts weigh in to say, if I didn't implement any of the controls in this methodology or in this framework, which one would I implement first? And so they were able to stack rank every control in that methodology.

And so we took that ranking (oops, wrong way) and we just inverted it. And so we said if a control is number one priority, it's worth ten risk points, and so on. And so from that we were then able to say, well, what's the total risk universe, all the points in that framework, how many are we compliant with and then how many are we not compliant with.

And then we're able to say, okay, let's group some of those controls into initiatives and determine how many points that initiative would reduce. Put a cost estimate with that initiative. And then I can start to do some comparison on the risk points for the different initiatives. So in this example, the numbers are completely made up. But I said that control number ten came out as the top control that CSET was recommending.

But when I put that into initiatives and grouped them, I'm actually getting a better return on investment implementing controls three, four and six. And when we did that assessment, I was also trying to tie that risk score to information coming from IBM. They do the average cost of a data breach report, and it's segmented out by utility and also by industry.

And so we were trying to say, okay, how many risk points for the industry in the US? And then we could put a dollar value to the benefit of doing that as well. And so as we're working through that and coming up with it, that's where we stumbled across this term called cyber risk quantification.

And that's been around for a while, which was kind of shocking to me. But again, it takes the assessments that we're doing, and they call it resistance strength in the methodology; we're importing a bunch of information about the threat analysis. Also, the big component of it is the impact of that cyber event, and then running some mathematical models and probabilistic models in there.

And then we come out with a table that kind of indicates what the average loss expectancy would be, based on the current state. And then if I was to implement any of these controls, I can run the model again, because I now have a higher resistance strength: what's the average loss expectancy after I applied that new control? And then I can see what the deltas are on the numbers.

And then I can start to do some return on investment in terms of which controls to implement first, because it'll give me the most risk reduction.

So cyber risk quantification, there's several levels, say three levels, of sophistication that I want to talk about today. One is at the corporate level. And this is from the vendor pool that we've looked at. It's really at the corporate level, and what they're doing there is just really taking the industry code.

And then probably ten other attributes about the company, looking at the revenues, the employees, number of customers, and then bouncing that against an insurance database. That's actually a subsidiary of an insurance firm that has this product, and they're using the insurance data to say, in your industry, this is typically what we see as a loss.

This is what we typically see companies insuring themselves for against loss. And then that kind of works out the impact side of the equation. And then on the resistance strength, again, just leveraging a control framework to determine the resistance strength and then modifying that loss based on that resistance strength. The next level of sophistication dives deeper down into the impact side of the equation.

So looking at the primary losses. So the primary losses are really what happens inside the four walls of your building in terms of productivity, any assets that need to be repaired or replaced. And then the secondary losses are what happens outside of the four walls of your building. So in terms of fines and judgments, customer churn or reputation loss.

And this model is gaining popularity because it's looking again at the resistance strength to modify that loss. But determining that threat is pretty difficult at this point. And threats come up out of the blue. So it's hard to use historical data to say what could happen tomorrow. So they've just sort of said, this is the impact, this is your strength that you have in terms of controls.

Let's focus on what controls we need to remediate. The fact that there's threat actors out there and the probability of action and their threat capability, we can't predict that, that's too academic. Let's just ignore that side of the equation and put a one there in the formulas. And then the deeper one, it's really focused at the asset level.

And this is the FAIR methodology, which we'll talk about in a second. So this is really just looking at the individual asset: what threat actor is attacking that asset, what vulnerability they're leveraging against that asset, and what's the impact after they've got to that asset. And so if we compare the methodologies, FAIR is quite complex.

It's a heavy load. But you start with the highest value assets and start to build up that library. So, similar to that, the incident response plan and the playbooks, you can't do them all at once. It's a process that you build up upon. Once you get some baseline data, it is easier to continue to build that library and build up that corporate wide view of the risk.

There's another methodology called ROSI, or return on security investment. And that's a simplified one. And it's really just focused on the ROI of each control. And then there's OCTAVE, and that was developed by Carnegie Mellon. And it's really focused on the processes. So it doesn't really get into the quantitative. It does a little quantitative, but it's more on process and on stakeholder engagement.

For my talk, I'd like to focus on FAIR. I was recently certified as an Open FAIR practitioner, so that's where I rest my... Okay. So when we talk about FAIR, as I said, it's really calculating that annual loss expectancy. So trying to quantify that cyber risk in terms of dollars, and it's not just a dollar value, it's a range.

So we have a minimum, the most likely and the maximum. And based on the inputs going in there and the statistical modeling, you can say that with 90% confidence. There's always 5% on either end to account for what could go beyond that range. And then focus on the loss events. We do break it down into what we're calling contact frequency.

So for that asset, how many times in a year would we expect the threat actor to contact that asset? Again, we're using historical data, looking at what's happening on the firewalls, what's happening in industry reports. And so for the probability of action, that's one area that we're using industry reports for, to look at if there was an incident versus a breach.

So an incident means that the threat actor was able to get in, and then the breach is that they actually did something when they were there. So we look at that percentage of what's the incident versus the breach. And then we put that probability around their threat capability. This is kind of looking at who the threat actor is.

So is it a high school kid just playing around, or is it a nation state actor, or is it a ransomware criminal that's motivated by money, or is it a terrorist organization that's trying to get a message out there and prove that they can overflow water in a water facility, for example? And again, the resistance strength, we talked a little bit about that.

So that's looking at our controls and making sure that it's not just the controls that focus on preventing. It's also controls such as an incident response plan or business continuity plan that can reduce the loss magnitude as well, so reducing that time where we're unproductive. Primary losses, again, productivity, everything that's happening in the four walls during that cyber event; the secondary losses, again, outside of the four walls of the building.

So what our customers think, fines and judgments, or reputation loss. And then for every time that we have a loss event that triggers that primary loss, we want to put a percentage: does it trigger a secondary loss every time, or is it only a certain number of times that that happens?

For the FAIR methodology, again, we break it down into the scenarios: who the threat actor is, what control deficiency they're leveraging, which asset are they going after, and then what's the impact on that asset. FAIR also breaks it down: not all controls are created equal. So, when we talk about a loss event control, that's a control that is set up.

So let's say authentication for an example. When we implement that control it has an intended efficacy. And then there is what they call the operational efficacy of the control. And then the variance control. In that example, maybe the authentication software has a vulnerability, and that operational efficacy has gone down because of that vulnerability.

The variance control is now I need to apply a patch to that authentication software to bring that operational efficacy back up to its intended. And then decision controls are really the human. So, do I write my password down and put it on my desk? So it's following the policies. But again, when we're modeling this and putting it into the risk scenarios, we focus on which controls are immediately impacting the loss events and which ones are human and variance controls as well.

So they have different weightings as we apply it. And so some of the outputs of the analysis, this is a tool FAIR just released probably a month ago. It's free to download. You can see they have some examples and then you can plug in. Obviously you can't read that, but you can kind of get a feel for how the mathematics works behind it.

This is an example I pulled from a workbook we just presented to a client a few weeks ago. Again, this is us in an Excel workbook doing this, but there are commercial products out there that we're working with to try and find one that is best suited for OT. A lot of the CRQ is done in the banking and health care industry especially.

So we're trying to work with a vendor to say, let's make it more specific and get some use cases out of the box there. But the output there is really showing, you know, like, here's what your annual loss expectancy is in terms of percentages and dollars. And then if I was to apply that investment, what that would look like, again, once I've run the models with some of the inputs.

So why now for CRQ? I guess we're starting to see that cyber is not just a component of the IT group in the company. It's really a strategic risk. So the executive level and the board level are now being held accountable to cyber risk. And as we saw by the pictures, Mr. Witty and Mr. Blount from Colonial having to testify in front of Congress, they're being held accountable for cyber security.

A lot of companies are now relying on data driven metrics to make decisions; it's just not expert opinion anymore. Business continuity. So as we look at these controls, it's a priority to say we've got to be more resilient. We've got to be able to get through this cyber incident and get back on our feet, or continue to keep our critical operations going while this incident is happening.

And enterprise risk management. So our companies have been doing enterprise risk management for a long time. They have the models, methodologies, they have the insurances to go along with it. Cyber security is just now one of those risks that roll up under enterprise risk management and need to be handled accordingly.

So CRQ is a great way to translate technical risks into business and financial terms. Using that deeper analysis at the asset level and the bottom up analysis, we tend to put a lot more rigor in. We meet with a lot more stakeholders. We can have defensible numbers that we can take to not only the leadership for investment decisions, but, in a lot of the regulated industries, we've got to stand up in front of a regulator and the interveners and defend those numbers as well.

One of the things that is shocking is, after you address this, residual risk. And what do I do with that residual risk? Do I ask for more investment to reduce that? Do I go out and try and transfer that through more insurance? Do I avoid it? Just turn off remote access? Like, we've got to make sure that we deal with that residual risk.

And the primary reason that I like to talk about CRQ: it's a great way to focus investment and resources on the initiatives that are going to reduce the most risk. Some other benefits of it. If you're a publicly traded company, you have some SEC requirements that you have to document your cybersecurity risks as part of your annual filing.

And then if you have a material incident, you have to file an 8-K within 72 hours. But if you're not using CRQ, how do you know if it's material and how do you put a dollar value on that? And then the other aspect is, and we're starting to find a little more business in this area, is right sizing the cyber insurance.

And this is an article that was posted on Industrial Cyber last week. And it was an interview with a gentleman from Munich Re. They're a major cybersecurity underwriter based in Europe. But when you look at 2024, the cyber insurance business was $15.3 billion globally. The US made up over two thirds of that, over $10 billion. But what we're seeing from the insurance folks is that a majority of the cyber risk is still uninsured.

Whether someone's overlooked them or it's just some overconfident folks that are just ignoring them. I had a conversation with a gentleman this week. He was doing a cybersecurity insurance audit for a law firm. And they're very specific in the language in your insurance guide.

But that had to do with, you have to list every property that you're insuring and what value and what assets are there. So this law firm was a national law firm for the US. They had law offices in different cities, and each one of those law offices was indicated in the insurance document.

But the one property they failed to put in there was the data center. So if that law firm had had a cyber breach and bricked all of their databases, they had no insurance to cover it because it wasn't listed in the document. So that's a great way to do the audits and do the analysis.

And one of the other points that was raised, again, we're seeing a trend of ransomware as a service or cyber attack as a service. And again, AI-enabled tools are just lowering the bar in terms of barriers to entry to get into this criminal business, so we can see the uptick of attacks happening as a result of that.

And so when we're using CRQ, we now can get our hands around what value is at risk in terms of cyber security. And then if I'm looking at my insurance, what's my deductible? When I have my insurance, I need to have that cash sitting inside somewhere safe. And what's actually covered by the insurance coverage? So what does my premium cover in terms of the loss?

And there's my residual risk. So what do I do to reduce that? How do I manage that? So do I implement some more controls, get some more funding and reduce that total value at risk, or do I buy extra insurance to reduce that? And that's where it aligns with the ERM and the risk tolerance of the organization in dealing with that residual risk.

That's not perfect by any means. That's predicated on several assumptions. The first being we use a lot of historical data, and the assumption is that's predicting what the future outcome may be. And we all know that's not true, if you watch the stock market recently. And we're still leveraging subjective data from our subject matter experts, that they can expertly account for what the loss would be

in the event of an attack, or what the resistance strength of a control would be. And then, especially in OT, we have very complex systems with a lot of redundancy. So it's quite difficult to decompose those complex systems to get a defensible number. And then the other thing is, like, I've been through the training, I understand how it is, but as I produce these reports, do the people consuming these reports actually understand it?

So there is some education that goes along with it, to make sure that folks understand what probabilities are and the risk numbers they're looking at and what it really means. So CRQ is magic. So it's turning risks into financial numbers that help non-experts make funding decisions. And then with all funding, there's an inherent uncertainty there.

And this looks objective because we've put a lot of these numbers there. But it does have subjective inputs. So I just want to make sure of that. And then CRQ is a model, and all models can be gamed. So I have a pet initiative that didn't make the cut line in terms of investment. I can go back there and start tweaking numbers to make sure my pet initiative bumps up above something else.

As long as I can defend that and the assumptions are believable for the people reviewing the material.
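The FAIR roll-up the speaker walks through (contact frequency times probability of action, threat capability against resistance strength, primary and secondary losses, and a 90% range on the annual loss expectancy before and after a control) as an added Python illustration. It is not part of the talk, the Open FAIR tool or the speaker's workbook; the scenario numbers, both resistance-strength estimates and the control's cost are constructed assumptions.

```python
# Toy FAIR-style Monte Carlo for one loss scenario (added illustration, not
# the Open FAIR tool or any vendor product). Every number below is constructed.
import random
import statistics

# (min, most likely, max) estimates for one constructed scenario: a threat
# actor reaching a remote-access entry point into an OT network.
SCENARIO = {
    "contact_frequency": (5, 12, 40),               # contacts per year (firewall data)
    "probability_of_action": (0.02, 0.05, 0.15),    # share of contacts that become attempts
    "threat_capability": (40, 65, 90),              # percentile of the threat population
    "primary_loss": (50_000, 250_000, 1_200_000),   # dollars lost inside the four walls
    "secondary_loss_fraction": (0.1, 0.3, 0.6),     # share of events with a secondary loss
    "secondary_loss": (100_000, 500_000, 3_000_000),  # fines, churn, reputation
}
# Resistance strength before and after a control (constructed percentiles);
# the "after" estimate assumes the control raises the bar against this threat.
RS_CURRENT = (20, 35, 50)
RS_WITH_CONTROL = (60, 80, 95)
CONTROL_ANNUAL_COST = 150_000  # constructed annualised cost of the initiative


def sample(rng, est):
    """One draw from a (min, most-likely, max) estimate, triangular shape."""
    lo, mode, hi = est
    return rng.triangular(lo, hi, mode)


def vulnerability(rng, threat_capability, resistance_strength, draws=50):
    """FAIR vulnerability: probability that the threat's capability beats the
    control's resistance strength, estimated from repeated paired draws."""
    beats = sum(
        sample(rng, threat_capability) > sample(rng, resistance_strength)
        for _ in range(draws)
    )
    return beats / draws


def simulate_ale(rng, scenario, resistance_strength, iterations=4000):
    """Return one annualised-loss sample (dollars) per iteration."""
    samples = []
    for _ in range(iterations):
        # Threat event frequency = contact frequency x probability of action
        tef = (sample(rng, scenario["contact_frequency"])
               * sample(rng, scenario["probability_of_action"]))
        # Loss event frequency = threat event frequency x vulnerability
        lef = tef * vulnerability(rng, scenario["threat_capability"],
                                  resistance_strength)
        primary = sample(rng, scenario["primary_loss"])
        secondary = (sample(rng, scenario["secondary_loss_fraction"])
                     * sample(rng, scenario["secondary_loss"]))
        samples.append(lef * (primary + secondary))
    return samples


def summarise(samples):
    """5th / 50th / 95th percentiles (the 90% confidence range) plus the mean."""
    cuts = statistics.quantiles(samples, n=20)
    return {"p5": cuts[0], "p50": cuts[9], "p95": cuts[18],
            "mean": statistics.fmean(samples)}


def compare_control(seed=7):
    """ALE before and after the control, the expected reduction, and that
    reduction net of the control's annualised cost (a simple ROI view)."""
    before = summarise(simulate_ale(random.Random(seed), SCENARIO, RS_CURRENT))
    after = summarise(simulate_ale(random.Random(seed), SCENARIO, RS_WITH_CONTROL))
    reduction = before["mean"] - after["mean"]
    return {"before": before, "after": after, "reduction": reduction,
            "net_benefit": reduction - CONTROL_ANNUAL_COST}


if __name__ == "__main__":
    result = compare_control()
    for label in ("before", "after"):
        s = result[label]
        print(f"{label:7s} ALE 90% range ${s['p5']:,.0f} .. ${s['p95']:,.0f}"
              f" (median ${s['p50']:,.0f}, mean ${s['mean']:,.0f})")
    print(f"expected reduction ${result['reduction']:,.0f},"
          f" net of control cost ${result['net_benefit']:,.0f}")
```

Re-running with a different control's resistance strength and cost gives the side-by-side the talk describes for deciding which initiative to fund first.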
