Structured analytic techniques support cyber-security risk assessments

23 July 2018 Jane's Editorial Staff

This is an extract from an article published in Jane's Intelligence Review and available as part of Jane's Military and Security Assessments Intelligence Centre.

Organisations have struggled to quantify cyber-security risk because of a shortage of data. Nick Hare, writing for Jane's, examines how structured analytic techniques can support risk assessments before enough data has been collected to enable quantitative analysis.

Key Points

  • Organisations in the private sector have primarily responded to cyber risks by adopting relatively unsophisticated 'checklist' approaches focused on identifying and managing vulnerabilities.
  • This approach has been driven by a lack of quantitative data on the frequency and impact of cyber-security events, which has made quantitative approaches to risk estimation difficult.
  • As organisations collect data on cyber threats, quantitative assessments of risk are likely to become easier, particularly if augmented by analytically sound subjective risk assessments.

The prevailing commercial approach to managing cyber security is one of ensuring compliance with pre-defined criteria, often verified by third parties from the rapidly growing cyber-security industry. One example of such a tool is the Common Vulnerability Scoring System (CVSS). It has analysts rate each vulnerability on a fixed set of analyst-assessed metrics, including attack vector, attack complexity, privileges required, and the potential impact on confidentiality, integrity and availability. The chosen metric values are recorded as a 'CVSS vector' string and are combined to derive 'exploitability' and 'impact' sub-scores, which are in turn combined into a single base score from 0.0 to 10.0.

The Open Web Application Security Project (OWASP) risk-rating methodology performs a similar function: a set of likelihood factors (describing the threat agent and the vulnerability) and impact factors (technical and business) are each scored on a 0-9 scale, and the averaged likelihood and impact are combined into an overall 'risk severity' rating. This rating is designed to help firms prioritise investment.
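
As an added example (not the article's or OWASP's own code), the following applies the OWASP Risk Rating Methodology: each likelihood and impact factor is scored 0 to 9 by the assessor, each group is averaged, the averages are bucketed into LOW, MEDIUM or HIGH, and the two levels are looked up in the likelihood-by-impact severity matrix. The factor names follow the methodology; the function names and the two scenarios' scores are constructed for this example. As the methodology recommends, the business impact average drives the overall rating when it has been scored, otherwise the technical impact average stands in.

```python
"""OWASP Risk Rating Methodology calculator.

Added illustration, not the article's or OWASP's own code. Each
likelihood factor (threat agent and vulnerability) and impact factor
(technical and business) is scored 0-9 by the assessor; each group is
averaged, averages are bucketed into LOW / MEDIUM / HIGH, and the
likelihood and impact levels are looked up in the severity matrix.
"""
from typing import Optional

LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                              # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
)
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage",
                   "non_compliance", "privacy_violation")

# Overall severity indexed by (likelihood level, impact level).
SEVERITY = {
    ("LOW", "LOW"): "Note",    ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",  ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}


def level(score: float) -> str:
    """Bucket a 0-9 average: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside the 0-9 scale")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(scores: dict, factors: tuple) -> float:
    """Average the named factors, refusing to proceed if any is unscored or off-scale."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError(f"unscored factors: {missing}")
    values = [scores[f] for f in factors]
    if any(not 0 <= v <= 9 for v in values):
        raise ValueError("every factor must be scored between 0 and 9")
    return sum(values) / len(values)


def risk_rating(likelihood: dict, technical: dict, business: Optional[dict] = None) -> dict:
    """Return the averaged scores, their levels and the overall severity.
    Business impact is used for the overall rating when it has been scored;
    otherwise technical impact stands in for it."""
    l_score = average(likelihood, LIKELIHOOD_FACTORS)
    t_score = average(technical, TECHNICAL_IMPACT)
    b_score = average(business, BUSINESS_IMPACT) if business is not None else None
    i_score = b_score if b_score is not None else t_score
    l_level, i_level = level(l_score), level(i_score)
    return {
        "likelihood": l_score, "likelihood_level": l_level,
        "technical_impact": t_score, "business_impact": b_score,
        "impact_level": i_level, "severity": SEVERITY[(l_level, i_level)],
    }


# Constructed scenario A: SQL injection in an internet-facing login form,
# easy to find, widely understood and attractive to many attackers.
SQLI_LIKELIHOOD = {"skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
                   "ease_of_discovery": 7, "ease_of_exploit": 9,
                   "awareness": 9, "intrusion_detection": 8}
SQLI_TECHNICAL = {"loss_of_confidentiality": 7, "loss_of_integrity": 7,
                  "loss_of_availability": 5, "loss_of_accountability": 7}
SQLI_BUSINESS = {"financial_damage": 7, "reputation_damage": 5,
                 "non_compliance": 7, "privacy_violation": 7}

# Constructed scenario B: a severe flaw that needs a rare insider with
# physical access. Maximum technical impact, far lower likelihood,
# business impact not yet scored.
INSIDER_LIKELIHOOD = {"skill_level": 3, "motive": 1, "opportunity": 2, "size": 2,
                      "ease_of_discovery": 3, "ease_of_exploit": 3,
                      "awareness": 1, "intrusion_detection": 3}
INSIDER_TECHNICAL = {"loss_of_confidentiality": 9, "loss_of_integrity": 9,
                     "loss_of_availability": 9, "loss_of_accountability": 9}

if __name__ == "__main__":
    print(risk_rating(SQLI_LIKELIHOOD, SQLI_TECHNICAL, SQLI_BUSINESS))
    print(risk_rating(INSIDER_LIKELIHOOD, INSIDER_TECHNICAL))
```

Scenario B has a higher technical impact than scenario A yet rates only Medium against A's Critical, because the likelihood axis pulls it down. The likelihood factors are still assessor judgements rather than measured event frequencies, which is the distinction the article draws between this kind of scoring and genuinely quantitative risk estimation.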

The UK government's Cyber Essentials scheme is another checklist-based standard. The scheme requires firms to implement a set of technical controls (such as firewalls, access control, and malware protection) to receive certification, which is a common prerequisite for supplying services to government clients.

These approaches are focused on identifying and managing vulnerabilities that are potential enablers for successful cyber attacks. A vulnerability-based approach is easy to administer and relies on features of a company that are easier to verify objectively, minimising the need for specialist expertise. It also provides an audit trail for a firm's security investment decisions.

However, a purely vulnerability-based approach ignores the probability that any of the vulnerabilities will be exploited. Without an understanding of the probabilities of different threat outcomes, the return on cyber-defence investment cannot be calculated, and the potential value of cyber-risk insurance cannot be assessed.

Taking a purely vulnerability-driven approach also encourages firms to prioritise the potential threats with the greatest impact rather than the most likely ones. This is likely to steer companies away from lower-cost measures that deliver smaller but more probable benefits.

About the author

Nick Hare is a director with consultancy Aleph Insights Limited.
