Strategic Cyber Cost- Effectiveness Analysis Robin Smith
Brief Introduction • Arke Cost analysis, cost effectiveness and cost benefit • Aim to present our thinking… • Cost-Effectiveness/Cost-Benefit analysis of Cyber security … • Different to the norm? • Interesting challenges? • How to address challenges? To keep track: Defining Benefits Approach Process Future? Problem of Process
Usual Spending Decisions Budget (Spend on…) Mitigations (Reduce the chance of…) Risks (Something bad happening to…) Assets Key aspects for usual cases… • Cost-Effectiveness directly related value for money for taxpayer o Through defence perspective • Assets Entirely defence • Assets Not necessarily interconnections/interdependencies Defining Benefits Approach Process Future? Problem of Process
Assets and Infrastructure: Strategic Level FRONTLINE • Representation: • Network of nodes Operational Base Destroyer • Nodes layered from the fighting end to the infrastructure that it depends Command upon in the long term Command & Control HQ • Usually, risk of ‘attacks’ considered at the operational end. Major Defence MOD Industry Infrastructure Company Critical National National Electricity Infrastructure Grid Defining Benefits Approach Process Future? Problem of Process
Assets and Infrastructure at Risk • Representation: • Network of nodes Operational • Nodes layered from the Base Destroyer fighting end to the infrastructure that it depends upon Command Command • & Control Communication with each HQ FRONTLINE other and some might depend on others to function Major Defence MOD Industry • Usually, risk of attacks Infrastructure Company considered at the operational end. • All exposed to cyber Critical security risks National National Electricity Infrastructure Grid Defining Benefits Approach Process Future? Problem of Process
Cyber Security Budget FRONTLINE (Spend on…) Mitigations (Reduce the chance of…) Risks (Something bad happening…) Assets Key aspects for cyber security… • Cost-Effectiveness directly related value for money for taxpayer o Through defence, trade, energy.. Etc. • Assets Not all entirely Defence • Assets Have interconnections/interdependencies Defining Benefits Approach Process Future? Problem of Process
Cyber Security FRONTLINE New problems with cyber security 1. Wider Impacts (than just defence) 2. Risks propagate (between nodes) Defining Benefits Approach Process Future? Problem of Process
Approach – Framework/Process High-level understanding Best way to spend money? o On reducing chance of successful cyber attacks Budget (Spend on…) Mitigations (Reduce the chance of…) Risks (Something bad happening to…) Assets Defining Benefits Approach Process Future? Problem of Process
Approach Challenges Influencing our approach • Wider Impacts (than just military) • Reflect principles of assessing risks to information systems in the UK • “HMG Information Assurance Standard 1 – Technical Risk Assessment” (Government Standard) for information system risk assessment • Assess core goals of Information Assurance separately o Confidentiality -> Loss of privacy o Integrity -> Loss of trust o Availability -> Loss of presence • Assess relevant impact categories separately (‘Business Impact Levels’) e.g . o Military Operations o Trade o Energy… etc. Defining Benefits Approach Process Future? Problem of Process
Assessing Cost-Effectiveness • Quantifying Risks 1 o a CHANCE of a successful attack o IMPACT of a successful attack b 2 • Effectiveness of mitigations o Highest reduction in probability of successful attack o (want to reduce risks where they have a high impact ) • 3 Cost o Estimated costs of implementing mitigations a o Estimated costs of risks affecting nodes b 1 2 3 Defining Benefits Approach Process Future? Problem of Process
Quantifying Risks 1 a CHANCE of a successful attack • Probability of successful attack – based on… o different parameters for different risks • Example Risks could be quite different Indicative Parameters 1. Compromised Hardware -> quantities procured, percentage compromised 2. IP Theft -> # of people security cleared, percentage threats 3. DOS attack – national scale -> SME judged /work-shopped quantities? • Parameters may have different values for each node in the network 1 2 3 Defining Benefits Approach Process Future? Problem of Process
Quantifying Risks 1 a CHANCE of a successful attack • Uncertainty – MUST capture the ‘error margins’ o Three point estimating E.g. ‘Best Case’, ‘Most Likely’, ‘Worst Case’ Weighted mean value o o Manually set distributions – eliciting uncertainty • Range of inputs Background work through to best judgement o • Identify and engage relevant Subject Matter Experts 1 2 3 Defining Benefits Approach Process Future? Problem of Process
Quantifying Risks 1 a CHANCE of a successful attack Risk Propagation - problem Nodes: Risk 1 • For Risk x 5x10 -4 2x10 -3 o Mean probability of occurrence at each node • Usually 1x10 -5 o (unmitigated) probabilities of occurrence 1x10 -3 3x10 -3 o ‘at risk’ assets not connected • Cyber o consider propagation of risks 1x10 -2 o ‘at risk’ assets are connected 1 2 3 Defining Benefits Approach Process Future? Problem of Process
Quantifying Risks 1 a CHANCE of a successful attack Risk Propagation - treatment Nodes: Risk 1 Low Security High Security • Two connection types? • Conditional probabilities o Per risk per connection? 5x10 -4 2x10 -3 5x10 -4 2x10 -3 0.2 0.1 o Two-way value, or one-way 0.1 0.1 0.2 0.2 values? 1x10 -5 1x10 -5 • Implications o Simulation/modelling of 0.1 0.3 0.4 probability 0.1 1x10 -3 3x10 -3 1x10 -3 3x10 -3 0.1 o Triggers an impact at the node 1x10 -2 1x10 -2 1 2 3 Defining Benefits Approach Process Future? Problem of Process
Quantifying Risks 1 a CHANCE of a successful attack • CHANCE of a successful attack Summary – o Detailed/not detailed info on risks o Capture uncertainty o Probabilities of Propagation o Use Subject Matter Expert judgement (where needed) 1 2 3 Defining Benefits Approach Process Future? Problem of Process
Quantifying Risks 1 b IMPACT of a successful attack Impact • How bad is the loss of an asset? 1. Categories e.g. … • Military Operations • Trade • Energy 2. Time scale 3. Confidentiality, Integrity or Availability (loss of privacy, loss of trust, loss of presence) Impacts Categories # Time scales? C/I/A 1 2 3 Defining Benefits Approach Process Future? Problem of Process
Quantifying Risks 1 b IMPACT of a successful attack • What is the impact of a successful attack? • Score 0 6 (e.g. consistent with ‘Business Impact Levels’) Destroyer Base 5 5 Selection 1 ComHQ Availability 4 Selection 2 Short Term MOD Major Contractor For Category: 3 2 Military Ops NatGrid 0 1 2 3 Defining Benefits Approach Process Future? Problem of Process
Quantifying Risks 1 b IMPACT of a successful attack • What is the impact of a successful attack? • Score 0 6 (e.g. consistent with ‘Business Impact Levels’) Destroyer Base 2 2 Selection 1 ComHQ Availability 6 Selection 2 Long Term MOD Major Contractor For Category: 5 5 Military Ops NatGrid 5 1 2 3 Defining Benefits Approach Process Future? Problem of Process
Quantifying Risks 1 b IMPACT of a successful attack • What is the impact of a successful attack? • Score 0 6 (e.g. consistent with ‘Business Impact Levels’) Destroyer Base 4 5 Selection 1 ComHQ Confidentiality 3 Selection 2 Short Term MOD Major Contractor For Category: 2 2 Military Ops NatGrid 0 1 2 3 Defining Benefits Approach Process Future? Problem of Process
Quantifying Risks 1 b IMPACT of a successful attack • What is the impact of a successful attack? • Score 0 6 (e.g. consistent with ‘Business Impact Levels’) Destroyer Base 2 3 Selection 1 ComHQ Confidentiality 6 Selection 2 Long Term MOD Major Contractor For Category: 5 3 Military Ops NatGrid 0 1 2 3 Defining Benefits Approach Process Future? Problem of Process
Quantifying Risks 1 b IMPACT of a successful attack • IMPACT of a successful attack Summary – o Minimum information to capture wider impacts: o Categories o Time Scales o Confidentiality, Integrity, Availability 1 2 3 Defining Benefits Approach Process Future? Problem of Process
Effectiveness of Mitigations 2 2 • Effectiveness of mitigations o How much does CHANCE of a successful attack decrease? o (how high an impact might there be if attack is successful) • Similar to assessing CHANCE of a successful attack… • Summary – o Detailed/not detailed info on mitigations o Capture uncertainty o Probabilities of Propagation o Use Subject Matter Expert judgement (where needed) 1 2 3 Defining Benefits Approach Process Future? Problem of Process
Recommend
More recommend