How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard & Richard Seiersen

Author:Douglas W. Hubbard & Richard Seiersen
Format: epub
ISBN: 9781119224617
Publisher: John Wiley & Sons, Inc.
Published: 2016-07-01T00:00:00+00:00


Avoiding “Over-Decomposition”

The threat skill level example just mentioned may or may not be a good decomposition depending on your situation. If it meets Howard’s criteria and it actually reduces your uncertainty, then we call it an “informative” decomposition. If not, then the decomposition is “uninformative” and you were better off sticking with a simpler model.

Imagine someone standing in front of you holding a crate. The crate is about 2 feet wide and a foot high and deep. They ask you to provide a 90% CI on the weight of the crate simply by looking at it. You can tell they’re not a professional weightlifter, so you can see this crate can’t weigh, say, 350 pounds. You also see that they lean a bit backward to balance their weight as they hold it. And you see that they’re shifting uncomfortably. In the end, you say your 90% CI is 20 to 100 pounds. This strikes you as a wide range, so you attempt to decompose this problem by estimating the number of items in the crate and the weight per item. Or perhaps there are different categories of items in the crate, so you estimate the number of categories of items, the number in each category, and the weight per item in that category. Would your estimate be better? Actually, it could easily be worse. What you have done is decomposed the problem into multiple purely speculative estimates that you then use to try to do some math. This would be an example of an “uninformative decomposition.”

The difference between this and an informative decomposition is whether you are describing the problem in terms of quantities you are more familiar with than the original problem. An informative decomposition is one that utilizes specific knowledge that the cybersecurity expert has about their environment. For example, the cybersecurity expert can get detailed knowledge about the types of systems in their organization and the types of records stored on them. They would have, or could acquire, details about internal business processes so they could estimate the impacts of denial of service attacks. They understand what types of controls they currently have in place. Decompositions of cybersecurity risks that leverage this specific knowledge are more likely to be helpful.

However, suppose a cybersecurity expert attempts to build a model where they find themselves estimating the number and skill level of state-sponsored attackers or even the hacker group “Anonymous” (about which, as the name implies, it would be very hard to estimate any details). Would this actually constitute a reduction in uncertainty relative to where they started?

Decompositions should be less abstract to the expert than the aggregated amount. If you find yourself decomposing a dollar impact into factors like threat skill level then you should have less uncertainty about the new factors than you did about the original, direct estimate of monetary loss.
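The rule above can be checked numerically. The following script is an added example, not code from the book or its authors: it models each 90% CI as a lognormal distribution whose 5th and 95th percentiles are the interval bounds, combines independent factors by adding their log-means and log-variances, and then compares the width of the decomposed range with the width of the direct estimate. The crate decomposition uses constructed, purely speculative sub-ranges (items in the crate, pounds per item) and ends up wider than the direct 20 to 100 pound guess; the breach-cost decomposition uses constructed ranges for quantities an expert would know well (record count, cost per record) and ends up narrower. The independence and lognormal assumptions, the factor ranges, and the function names are all assumptions of this example.

```python
"""Compare a direct 90% confidence interval (CI) with one derived by
decomposing the quantity into a product of sub-estimates.

Assumptions (added example, not from the book): each estimate is a lognormal
whose 5th/95th percentiles are the CI bounds, the factors are independent,
and "less uncertainty" means a narrower CI on a log scale, i.e. a smaller
ratio of upper bound to lower bound."""

import math

Z90 = 1.6448536269514722  # standard-normal 95th percentile: a 90% CI is mu +/- Z90*sigma


def lognormal_params(lo, hi):
    """Return (mu, sigma) of the lognormal whose 90% CI is [lo, hi]."""
    if not (0 < lo < hi):
        raise ValueError("90% CI bounds must satisfy 0 < lo < hi")
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * Z90)
    return mu, sigma


def product_ci90(factor_cis):
    """90% CI of the product of independent lognormal factors.

    Logs of independent lognormals add, so the product's log-mean is the sum
    of the factor log-means and its log-variance is the sum of their variances.
    """
    mus, sigmas = zip(*(lognormal_params(lo, hi) for lo, hi in factor_cis))
    mu = sum(mus)
    sigma = math.sqrt(sum(s * s for s in sigmas))
    return math.exp(mu - Z90 * sigma), math.exp(mu + Z90 * sigma)


def log_width(ci):
    """Uncertainty measure: how many times larger the upper bound is than the lower."""
    lo, hi = ci
    return hi / lo


def classify_decomposition(direct_ci, factor_cis):
    """'informative' if the decomposed range is narrower than the direct one,
    otherwise 'uninformative' (the simpler model was the better choice)."""
    decomposed = product_ci90(factor_cis)
    if log_width(decomposed) < log_width(direct_ci):
        return "informative", decomposed
    return "uninformative", decomposed


if __name__ == "__main__":
    # The crate from the text, decomposed into "number of items" x "weight per
    # item" with constructed, purely speculative sub-ranges.
    crate_direct = (20.0, 100.0)          # pounds, the direct estimate from the text
    crate_factors = [(5.0, 50.0),         # items in the crate (constructed)
                     (0.5, 10.0)]         # pounds per item (constructed)
    verdict, ci = classify_decomposition(crate_direct, crate_factors)
    print(f"crate: direct {crate_direct}, decomposed ({ci[0]:.1f}, {ci[1]:.1f}) -> {verdict}")

    # A breach-cost decomposition built from quantities the expert knows well.
    breach_direct = (1e6, 1e7)            # dollars, direct guess at loss (constructed)
    breach_factors = [(10_000, 20_000),   # records on the affected system (constructed)
                      (100, 200)]         # dollars of cost per record (constructed)
    verdict, ci = classify_decomposition(breach_direct, breach_factors)
    print(f"breach: direct {breach_direct}, decomposed ({ci[0]:,.0f}, {ci[1]:,.0f}) -> {verdict}")
```

Running the script shows the crate decomposition stretching to roughly 5 to 234 pounds, far wider than the direct 20 to 100, while the breach-cost decomposition narrows a $1M to $10M guess to roughly $1.2M to $3.3M. The test of an informative decomposition is exactly this comparison: the sub-estimates must be tight enough that their combined range beats the range you could have given directly.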

However, if decomposition causes you to widen a range, that might be informative if it makes you question the assumptions of your previous range. For