Quantifying Cyber Risk: The Unsolvable Math Problem
Organizations are continually striving to assess and mitigate their cybersecurity risk, working to minimize the likelihood that their brand name will be splashed across newspapers nationwide because they’ve fallen prey to a high-profile hack.
In cybersecurity, at least the way it is currently practiced, risk is not quantifiable. Look to other fields, however, and there is a basic formulation of risk:
Risk = Probability x Consequences
In other words: what is the likelihood of a bad thing happening? And if it does, what would be the fallout?
Try applying this equation to cybersecurity, and you arrive at a rather disturbing result:
- Probability cannot be quantified. Cybersecurity is almost always delivered as individual point solutions designed to defend against particular known kinds of attacks made against particular known kinds of vulnerabilities. But it’s not possible to defend every vulnerability against any number of unknown types of attacks. Since you can only defend against some but not all vulnerabilities, there is no way to quantify the probability of a successful attack against your undefended vulnerabilities, no matter how many point solutions you implement.
- Consequences are rising but they are still unquantifiable. The average cost of a reported data breach has skyrocketed, with negative impacts spanning the financial, reputational, legal, regulatory, and other realms. At the same time, you may be breached and not know it. You might report it and get only a slap on the wrist. Or you could report it and be pilloried by regulators and the courts alike. Who knows?
Assume Compromise and Compensate for It
Perfect defense using point solutions is impossible. The only way to ensure that data remains accessible and controllable solely by permitted users is to assume compromise—assume that network, software, and/or data access are already compromised and could be compromised in the future as well. Then compensate for breach in the design of software and the data software makes and manages.
To change the threat equation, we need applications that a) automatically encrypt data by default and b) automatically apply usage controls to that data. With such applications deployed, the probability of breach can continue to rise and yet the IT industry can slash risk by making it exceedingly difficult to compromise data even when the systems where it lives are compromised.
This is engineering for assumed compromise. The point isn’t to prevent breaches, it’s to make them irrelevant.
No method can guarantee perfect protection, but assuming compromise and engineering to compensate for it reduces consequences, and therefore risk. This can finally help to tip the balance in favor of the good guys.