In today's fast-paced and ever-evolving digital world, cyber risks have become one of the most significant concerns for organizations of all sizes. Cybersecurity measures that were sufficient yesterday may not be enough today, and the consequences of a cyber-attack can be devastating. Historically, cybersecurity risk management has focused on answering simple yes or no questions, such as whether specific security measures are in place or not. While this approach may provide some insights into an organization's cybersecurity posture, it fails to address the underlying problem of constantly evolving cybersecurity risk management challenges.
Here are the two fundamental challenges with the historical approach to cybersecurity risk management:
As a result, a new approach to susceptibility modeling is necessary, one that offers a unique perspective on quantifying cyber risk and provides a more comprehensive understanding of an organization's ability to withstand cyber-attacks. In this blog, we will explore this innovative approach to cybersecurity risk susceptibility modeling, which borrows lessons from the natural sciences and offers a more holistic view.
In the context of cybersecurity risk quantification, susceptibility modeling is a powerful tool that provides a unique perspective on the effectiveness of an organization's security controls. By simulating attacker and defender activity and applying complex models to these scenarios, susceptibility modeling helps organizations understand what conditions look like during a cyber-attack, including how the various security controls work together to thwart threats of differing sophistication. Ultimately, susceptibility modeling allows organizations to identify potential weaknesses in their security posture and take proactive steps to mitigate cyber risk. It is a groundbreaking approach that is essential for quantifying cyber risk and ensuring the resilience of an organization's digital assets.
At Alfahive, we take a unique approach to susceptibility modeling that sets us apart from other methods in the industry. Our approach orients technical incident details to the risk and compliance point of view, unlike alternatives that concentrate either on kill chains or on control maturity. The difference is that our approach accounts for how controls work together during an incident, providing a more comprehensive and holistic view of an organization's security posture. One of the most significant advantages of our susceptibility modeling approach is how straightforward and accessible it is to use. You don't have to be a statistician or an OpenFAIR expert to understand and relate the state of controls to the change in risk over time. This makes it easier for organizations to make informed decisions and take proactive steps to manage cyber risk effectively.
Alfahive's approach to susceptibility modeling involves several detailed steps that enable us to accurately evaluate a customer's susceptibility to cyber-attacks. Our process starts with scenario setup, where we simplify the assets under analysis and include the context of control frameworks such as the latest version of the CIS Critical Security Controls (CSC). We then define the control landscape as the canvas and layer onto it multiple models of how controls interact with each other. This process is enriched using MITRE ATT&CK and other frameworks that describe cyber-attacks and incidents. Check out this comprehensive guide on cyber threat modeling by MITRE as a reference. Through this iterative process, we build multiple susceptibility models that represent the cyber incidents our customers face, and we can simulate the events to learn where controls have the most significant impact on risk across various types of loss events.
Alfahive's susceptibility modeling approach was used in a loyalty account takeover scenario for a retailer, where lost capital was the end result of fraudulent activity. By analyzing the risk with the customer, Alfahive was able to identify three controls that could be added to the application requirements to bring susceptibility down to a reasonable level. The plan was immediately endorsed by the executive responsible for Loyalty, and the right people were aligned. By measuring the risk using its susceptibility modeling approach, Alfahive was able to identify the three most critical gaps and prioritize them for action. Check out our white paper for more details relevant to the banking and financial services industry.
Improving trust in cyber risk quantification capabilities is crucial for organizations to make informed decisions about their security posture. One key recommendation is to use ranges when presenting CRQ outputs. Ranges capture uncertainty and provide a more comprehensive view of potential risk. While point values such as the mean or median can be useful, they cannot express uncertainty adequately on their own. Additionally, organizations should focus on managing susceptibility, as it is a significant driver of risk. It is also essential to embrace broad-brush analyses initially and avoid detailing individual assets, so that the CRQ outputs deliver immediate value.
Another recommendation is to augment existing reporting with CRQ outputs that reinforce the overall message. Rather than presenting a wall of stats, focus on communicating the impact of control improvements on susceptibility, which drives risk down. This impact can be expressed in terms of dollars and how it affects business functions in executing their plans and achieving their goals. By focusing on the relationship between controls, susceptibility, and risk, organizations can make better decisions about where to allocate resources and prioritize improvements.
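The two recommendations above (report ranges rather than a single point value, and express the effect of control improvements on susceptibility in dollars) can be made concrete with a small Monte Carlo simulation. The following is an added illustration written for this page; it is not Alfahive's model or code, and it is not the page's own. Every number in it is constructed: the `Control` stop probabilities, the 40 attempts per year, and the lognormal loss per successful event are assumptions, and the `susceptibility()` function assumes controls fail independently, which is precisely the simplification a real susceptibility model would replace with a model of how controls interact.

```python
"""Monte Carlo loss-range estimate for a loyalty account-takeover scenario.

Added example, not Alfahive's model. All control effectiveness values,
attempt frequencies and loss magnitudes below are constructed assumptions.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    stop_probability: float  # assumed chance this control blocks one attempt


def susceptibility(controls):
    """Probability that one attack attempt gets past every control.

    Assumes the controls fail independently (a simplification); a fuller
    susceptibility model would capture how controls interact.
    """
    p = 1.0
    for c in controls:
        if not 0.0 <= c.stop_probability <= 1.0:
            raise ValueError(f"stop_probability out of range for {c.name}")
        p *= 1.0 - c.stop_probability
    return p


def poisson(rng, lam):
    """Knuth's Poisson sampler: number of attack attempts in one year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_loss(controls, attempts_per_year, loss_median, loss_sigma,
                         runs=5000, seed=7):
    """Return a list of `runs` simulated annual loss figures (USD)."""
    rng = random.Random(seed)
    s = susceptibility(controls)
    mu = math.log(loss_median)  # lognormal parameterised by its median
    losses = []
    for _ in range(runs):
        total = 0.0
        for _ in range(poisson(rng, attempts_per_year)):
            if rng.random() < s:  # attempt succeeded against all controls
                total += rng.lognormvariate(mu, loss_sigma)
        losses.append(total)
    return losses


def loss_range(losses):
    """Summarise a simulated distribution as a range plus the mean."""
    xs = sorted(losses)
    last = len(xs) - 1

    def pct(q):
        return xs[min(last, int(round(q / 100 * last)))]

    return {"p10": pct(10), "p50": pct(50), "p90": pct(90),
            "mean": statistics.fmean(xs)}


# Constructed scenario: existing controls versus three added requirements.
BASELINE = (
    Control("password policy", 0.20),
    Control("login rate limiting", 0.30),
)
IMPROVED = BASELINE + (
    Control("step-up MFA on redemption", 0.80),
    Control("device fingerprinting", 0.50),
    Control("fraud hold on anomalous redemptions", 0.60),
)
ATTEMPTS_PER_YEAR = 40     # assumed
LOSS_MEDIAN_USD = 2500.0   # assumed loss per fraudulent redemption
LOSS_SIGMA = 0.8           # assumed spread of the lognormal loss


def compare_scenarios():
    """Ranges for both control sets and the change in expected annual loss."""
    base = loss_range(simulate_annual_loss(BASELINE, ATTEMPTS_PER_YEAR,
                                           LOSS_MEDIAN_USD, LOSS_SIGMA))
    better = loss_range(simulate_annual_loss(IMPROVED, ATTEMPTS_PER_YEAR,
                                             LOSS_MEDIAN_USD, LOSS_SIGMA))
    return {"baseline": base, "improved": better,
            "mean_reduction_usd": base["mean"] - better["mean"]}


if __name__ == "__main__":
    print(f"susceptibility baseline={susceptibility(BASELINE):.3f} "
          f"improved={susceptibility(IMPROVED):.4f}")
    for label, r in compare_scenarios().items():
        print(label, r)
```

The output to put in front of an executive is the p10 to p90 band for each control set and the dollar reduction in the mean, not the mean alone: the band shows how much the estimate could move, and the reduction ties a control requirement to a business outcome.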
The future of cyber risk quantification and susceptibility modeling is complex and challenging. It requires a deeper understanding of the evolving nature of cybersecurity and the ability to mimic the constantly changing threat landscape. At Alfahive, we believe that Risk & Compliance should be viewed as Complex Adaptive Systems to ensure a better understanding of the interplay between controls and attackers. As technology continues to advance, the metrics of tomorrow will be nothing like what we see today. To keep up with the evolving threat landscape, organizations must equip themselves with the tools and knowledge to measure risk through time and space. Emerging risks in areas such as AR and VR abuse, and AI & ML poisoning are on the horizon, and it is crucial to prepare for them by developing new models and techniques for cyber risk quantification.