
Give me $1M. Give me $1M. -$3M. -$10M. Quantifying Risk, QCon SF 2019 - PowerPoint PPT Presentation



  1. Give me $1M

  2. Give me $1M

  3. -$3M, -$10M

  4. Quantifying Risk QCon SF 2019 Markus De Shon (mdeshon@netflix.com)

  5. How to Measure Anything in Cybersecurity Risk, Douglas W. Hubbard & Richard Seiersen

  6. Measuring and Managing Information Risk Jack Freund & Jack Jones fairinstitute.org

  7. Risk = Frequency (of loss events) ⨉ Magnitude ($) of loss

  8. What is a loss?

  9. First steps of a risk analysis
     ● Assets
     ● Architecture
     ● Control architecture
     ● Loss scenarios

  10. Meet Sam the Sponge

  11. His best friend Peter

  12. His boss Mr. Prawn

  13. The Prawn Patty

  14. The secret recipe

  15. Controls architecture (for the secret recipe)
      ● Only one copy
      ● Not memorized
      ● Kept in a safe
      ● Trusted handlers

  16. Recipe loss scenarios
      ● Confidentiality
        ○ Competitor obtains the recipe
        ○ Recipe becomes public
      ● Integrity
        ○ Update / Delete (the U and D of CRUD; Create and Read are not integrity losses)
      ● Availability
        ○ Recipe unavailable

  17. Threat

  18. Hazard

  19. Tardigrade

  20. Estimate frequency (ask the Security Engineers). Range: 0 ——— ∞

  21. Calibration scale: 0.1, 0.01, 0.001

  22. Tardigrade steals recipe: 0.01

  23. steals recipe: 0.1

  24. Estimate magnitude
      ● Ask the asset owner
      ● Decompose the loss into components
      ● Estimate Low → High (90% CI) for each
      ● In US$

  25. Model magnitude with a lognormal distribution [plot: lognormal loss curve, with "Low loss" and "High loss" marking the 90% CI]

  26. Why money?
      ● Composable (A+B)
      ● Comparable (A>B)
      ● Interpretable by the business
      What about:
      ● Priceless? → Implicit valuation
      ● Intangible? → Inverse of ROI on existing investments

  27. Magnitude: Tardigrade
      ● Recipe unavailable → sales stop (primary)
        ○ 1 day @ $10K → $10K
        ○ 100 days → $1M
      ● Knockoffs at Tardigrade's, lose customers (primary)
        ○ 10 @ $100 → $1K
        ○ 1,000 → $100K
      ● Total
        ○ Low: $11,000
        ○ High: $1,100,000
      ● Expected loss: $2,930

  28. Magnitude: Patty Pirate
      ● Recipe unavailable → lost sales (primary loss)
        ○ 10 days @ $10K → $100K
        ○ 100 days → $1M
      ● No Prawn Patties anywhere → immediate collapse, fires, dystopia (secondary, external loss)
        ○ 10 days @ $1M → $10M
        ○ 100 days → $100M
      ● Totals
        ○ Low: $10,100,000
        ○ High: $101,000,000
      ● Expected loss: $4,080,000

  29. Engineering a Safer World Nancy G. Leveson

  30. Controller and process

  31. (Incomplete) control architecture [diagram, reconstructed from its labels; each arrow is a control action from a controller to the process it controls]
      ● Government → (Laws & Regulations) → Corporation
      ● Customers → (Purchase Decisions) → Corporation
      ● Corporation → (Directives & Culture) → System Admin, App Admin, System User
      ● System Admin / App Admin / System User → Internal Application → Critical Data

  32. Summary
      ● Identify assets
      ● Study the architecture
      ● Define the control architecture
      ● Identify loss scenarios
      ● Estimate frequency
      ● Estimate low/high magnitude
      ● Calculate expected loss
      Markus De Shon, mdeshon@netflix.com

  33. Code: fitting the lognormal magnitude model (the slide's own Python, reflowed and commented)

```python
import math
import numpy as np
from scipy.stats import lognorm, norm


def get_magnitude(lo, hi):
    # Calculate the mean mu in log space: the geometric midpoint of low and high
    mu = (math.log(lo) + math.log(hi)) / 2.
    # A 90% CI spans +/- 1.645 sigma, so the low-to-high gap in log space is
    # 2 * 1.645 * sigma. norm.ppf(0.05) is -1.645, hence the -0.5 factor.
    factor = -0.5 / norm.ppf(0.05)
    sigma = factor * (math.log(hi) - math.log(lo))
    # scipy parameterises lognorm by shape (sigma) and scale (exp(mu))
    distribution = lognorm(sigma, scale=math.exp(mu))
    return distribution


# Expected loss = frequency * mean magnitude; for the Tardigrade scenario
# (frequency 0.01, low $11,000, high $1,100,000) this gives the $2,930 on slide 27
0.01 * get_magnitude(11000, 1100000).mean()
```
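The whole procedure of slides 32 and 33 carried through for both loss scenarios (slides 27 and 28), as an added example that is not part of the original deck and not the speaker's code. It uses only the Python standard library (`statistics.NormalDist` in place of `scipy.stats.norm`), fits each lognormal from the low/high 90% CI exactly as the slide's `get_magnitude` does, checks that the 5th and 95th percentiles land back on the estimator's low and high, and sums the per-scenario expected losses (the "composable" point of slide 26). It goes beyond the slides in one respect, stated as an assumption: frequencies are treated as loss events per year and a Monte Carlo with Poisson event counts produces a loss-exceedance probability, which is the usual next step in the FAIR literature the deck cites but is not shown on the slides. The scenario names, frequencies and component low/high values are the slides' own; every function and class name is this example's.

```python
"""Added example: quantifying the two recipe-theft scenarios end to end.
Standard library only; frequencies assumed to be loss events per year."""
import math
import random
from dataclasses import dataclass, field
from statistics import NormalDist

# A 90% CI on a normal spans mean +/- 1.645 sigma, so in log space
# log(hi) - log(lo) == 2 * Z90 * sigma. Same factor as the slide's -0.5 / norm.ppf(0.05).
Z90 = NormalDist().inv_cdf(0.95)


@dataclass(frozen=True)
class Lognormal:
    mu: float     # mean of log(loss)
    sigma: float  # standard deviation of log(loss)

    @classmethod
    def from_ci90(cls, lo: float, hi: float) -> "Lognormal":
        """Fit a lognormal whose 5th/95th percentiles are the estimator's low/high."""
        if not (0 < lo < hi):
            raise ValueError("need 0 < low < high")
        mu = (math.log(lo) + math.log(hi)) / 2
        sigma = (math.log(hi) - math.log(lo)) / (2 * Z90)
        return cls(mu, sigma)

    def mean(self) -> float:
        # Closed form; the mean sits well above the geometric midpoint exp(mu)
        return math.exp(self.mu + self.sigma ** 2 / 2)

    def quantile(self, p: float) -> float:
        return math.exp(self.mu + self.sigma * NormalDist().inv_cdf(p))

    def sample(self, rng: random.Random) -> float:
        return rng.lognormvariate(self.mu, self.sigma)


@dataclass
class Scenario:
    name: str
    frequency: float  # calibrated estimate, assumed to be loss events per year
    # Decomposed magnitude: component -> (low, high) in US$ at 90% CI
    components: dict = field(default_factory=dict)

    def magnitude(self) -> Lognormal:
        # Decompose, then add the lows and the highs (money is composable)
        lo = sum(low for low, _ in self.components.values())
        hi = sum(high for _, high in self.components.values())
        return Lognormal.from_ci90(lo, hi)

    def expected_loss(self) -> float:
        return self.frequency * self.magnitude().mean()


# Figures from slides 22-23, 27 and 28
TARDIGRADE = Scenario("Tardigrade steals recipe", 0.01, {
    "recipe unavailable, sales stop (1-100 days @ $10K/day)": (10_000, 1_000_000),
    "knockoffs at Tardigrade's, lose 10-1,000 customers @ $100": (1_000, 100_000),
})
PATTY_PIRATE = Scenario("Patty Pirate steals recipe", 0.1, {
    "recipe unavailable, lost sales (10-100 days @ $10K/day)": (100_000, 1_000_000),
    "no Prawn Patties anywhere (secondary, external)": (10_000_000, 100_000_000),
})


def portfolio_expected_loss(scenarios) -> float:
    """Expected losses add, so the portfolio figure is the sum of the scenarios'."""
    return sum(s.expected_loss() for s in scenarios)


def _poisson(rng: random.Random, lam: float) -> int:
    # Knuth's method; fine for the small per-year frequencies used here
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenarios, years: int = 20_000, seed: int = 1) -> list:
    """Monte Carlo (assumption beyond the slides): per year, each scenario fires
    Poisson(frequency) times and every event costs one lognormal draw."""
    rng = random.Random(seed)
    dists = [(s.frequency, s.magnitude()) for s in scenarios]
    losses = []
    for _ in range(years):
        total = 0.0
        for freq, dist in dists:
            total += sum(dist.sample(rng) for _ in range(_poisson(rng, freq)))
        losses.append(total)
    return losses


def exceedance_probability(losses, threshold: float) -> float:
    """P(annual loss > threshold): one point on the loss-exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


if __name__ == "__main__":
    for s in (TARDIGRADE, PATTY_PIRATE):
        m = s.magnitude()
        print(f"{s.name}: 90% CI ${m.quantile(0.05):,.0f}-${m.quantile(0.95):,.0f}, "
              f"mean ${m.mean():,.0f}, expected loss ${s.expected_loss():,.0f}/yr")
    sims = simulate_annual_losses([TARDIGRADE, PATTY_PIRATE])
    print(f"simulated mean ${sum(sims) / len(sims):,.0f}/yr; "
          f"P(loss > $10M) = {exceedance_probability(sims, 10_000_000):.3f}")
```

Two things worth noticing when running it. The mean of a lognormal fitted this way is far above the midpoint of the range (about $293K for a $11K to $1.1M interval), which is why the expected loss is not simply frequency times the average of low and high; and the exceedance probability exposes what a single expected-loss number hides, namely that most years cost nothing and a few cost tens of millions.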
