Risk Management Metrics that Matter

About Me
Ed Bellis
• Co-founder and CTO at Kenna Security, an automated risk & vulnerability intelligence platform
• Orbitz CISO for 6 years
• 20+ years Info Security experience including Bank of America, CSC, E&Y
• Contributing Author, Beautiful Security
• Frequent speaker at events such as…

Warning
This presentation contains large amounts of data used for the purpose of proving an information security theory. No marketers were harmed during the making of this presentation.

You Are What You Measure

"Jet Fuel x Peanut Butter = Shiny" - Alex Hutton

Inherent Risk vs. Residual Risk
Know & Measure the Difference
Hint: This is NOT a math formula

Please Don't Do This!
Inherent Risk: 80 x Control Effectiveness: 50% = Residual Risk: 40

"Jet Fuel x Peanut Butter = Shiny" - Alex Hutton

Do This Instead
1. Calculate Risk
2. Identify Potential Key Controls
3. Recalculate Risk

The Language Barrier
*source: Cyber Balance Sheet - The Cyentia Institute
What the CISO perceives as important and what the BoD believes is important often don't match, and often neither is actually given.

But First…
Threats, Vulnerabilities & Risks… oh my!

But First… Some Definitions
Threat: a negative scenario you want to avoid.
Threat Actor: the agent that makes the threat happen.
Vulnerability: a weakness that can be exploited.
Risk: a negative scenario you want to avoid, combined with its probability & impact.

FAIR Example: Risk Taxonomy

Integrate or Die

Operationalizing Security Risk Management
Measurement + Integration

Risk Management Decision Making

Selecting the Right Metrics for Risk Management
Risks > Counts
Results > Work
Quantitative Where Possible

Know Your Assets
Some Useful Metrics
1. External Asset Coverage
2. Internal Asset Coverage
3. Time to Discover

Know Your Business
Some useful metrics here include:
1. System Susceptibility
   a. Value to Attackers
   b. Vulnerabilities
2. Time to Compromise: How long would it take to compromise any of the key controls for these assets and applications?
3. Threat Accessibility
   a. Access Points and Attack Surface
4. Threat Actor Capability
   a. Tools
   b. Resources
   c. Techniques
Does Your Threat Model Include Alexa Ratings?

Know Your Risk
Some Useful Metrics
1. Risk by Asset
2. Risk by Business Unit
3. Trending Risk over Time
4. Mean Time to Risk Reduction
*use targets/goals and mature to SLAs

Know Your Resources
Some Useful Metrics
1. Budget Spent on Security Remediation
2. Risk Carried Above Tolerance Level
3. Hours Spent per Security Solution

Know Your Direction
Some Useful Metrics
1. Risk Reduction by Group Over Time
2. Risk Goal/SLA by Group
3. Cumulative Risk Accepted Over Time

Some Not So Useful Metrics
1. Measuring Work, AKA "atta boy metrics"
Number of Vulnerabilities Closed
Number of Patches Deployed
Number of Incidents Responded to

Some Not So Useful Metrics
2. Measuring Counts, AKA "vanity metrics"
Number of Packets Dropped
Number of Malware Detections
Number of IDS Alerts

Some Not So Useful Metrics
3. Averages Can Be a Fool's Errand
Average Age of Vulnerability
Average Time to Discover
Average Time to Respond
Hint: Averages are skewed by outliers. Medians are your friend.
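The hint about averages, illustrated with an added example that is not part of the presentation: the script below computes mean, median and a nearest-rank 90th percentile over a constructed set of ten open vulnerability findings (the ids, hostnames and first-seen dates are made up), nine of them opened in the last ten weeks and one three-year-old straggler on a forgotten host. A single old record drags the mean age to roughly four and a half months, while the median stays near a month and barely moves when the outlier is removed.

```python
from datetime import date
from math import ceil
from statistics import mean, median

# Constructed sample of open vulnerability findings (made up for this example,
# not data from the presentation): nine findings opened over the last ten weeks
# plus one three-year-old straggler on a legacy host.
AS_OF = date(2018, 6, 1)
FINDINGS = [
    {"id": "F-01", "asset": "web-01", "first_seen": date(2018, 5, 25)},
    {"id": "F-02", "asset": "web-02", "first_seen": date(2018, 5, 22)},
    {"id": "F-03", "asset": "api-01", "first_seen": date(2018, 5, 18)},
    {"id": "F-04", "asset": "api-02", "first_seen": date(2018, 5, 11)},
    {"id": "F-05", "asset": "db-01", "first_seen": date(2018, 5, 4)},
    {"id": "F-06", "asset": "db-02", "first_seen": date(2018, 4, 27)},
    {"id": "F-07", "asset": "ci-01", "first_seen": date(2018, 4, 20)},
    {"id": "F-08", "asset": "vpn-01", "first_seen": date(2018, 4, 6)},
    {"id": "F-09", "asset": "mail-01", "first_seen": date(2018, 3, 23)},
    {"id": "F-10", "asset": "legacy-01", "first_seen": date(2015, 6, 1)},  # the outlier
]


def age_days(finding, as_of=AS_OF):
    """Days a finding has been open as of the reporting date."""
    return (as_of - finding["first_seen"]).days


def percentile(sorted_values, p):
    """Nearest-rank percentile: the smallest value at or below which p% of the data falls."""
    rank = max(1, ceil(p / 100 * len(sorted_values)))
    return sorted_values[rank - 1]


def age_summary(findings, as_of=AS_OF):
    """Count, mean, median, 90th percentile and maximum age of open findings, in days."""
    ages = sorted(age_days(f, as_of) for f in findings)
    return {
        "count": len(ages),
        "mean": mean(ages),
        "median": median(ages),
        "p90": percentile(ages, 90),
        "max": ages[-1],
    }


def outlier_effect(findings, as_of=AS_OF):
    """Return the summary for all findings and for the same set minus its single oldest finding."""
    oldest = max(findings, key=lambda f: age_days(f, as_of))
    rest = [f for f in findings if f is not oldest]
    return age_summary(findings, as_of), age_summary(rest, as_of)


if __name__ == "__main__":
    with_outlier, without_outlier = outlier_effect(FINDINGS)
    for label, s in (("all findings", with_outlier), ("without oldest", without_outlier)):
        print(f"{label:15} n={s['count']:2d} mean={s['mean']:7.1f} "
              f"median={s['median']:5.1f} p90={s['p90']:4d} max={s['max']:4d}")
```

Reporting the median alongside a high percentile and the maximum tells the board two things the mean hides: how old the typical open finding is, and that there is a tail worth a separate conversation.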

Aging Can Incent Wrong Behavior

Remember This?

Your Coworkers Have Day Jobs Too
Leverage Existing Tools
• Bug Trackers
• Trouble Ticketing
• Configuration Management
• Continuous Integration & Deployment
Bonus Points: Leverage Existing Tools for Security Purposes

Your Coworkers Have Day Jobs Too
Leverage Existing Processes
• Change Management
• Bug Fixing
• Design Reviews
• QA Testing
• Continuous Integration

The Payoff
Operationalizing Security Risk Management
Security Teams
Operations Teams
Development Teams
Executive Management
Common Language
Distinct Objectives
Efficiency
Effectiveness

References
FAIR Risk Taxonomy: http://www.opengroup.org/subjectareas/security/risk
Cyber Balance Sheet: https://go.focal-point.com/cyber-balance-sheet-report
Risk Management Metrics That Matter: https://blog.kennasecurity.com/2017/03/creating-risk-management-metrics-that-matter/

Q&A