Do you want risk-based security analysis or security risk analysis?

By IDI Special Invitation: Dr. Kenneth G. Crowther, MITRE Corporation

There has been confusion as the worlds of risk management and the security analysis are increasingly mixed. The differences are simple: Security is the ability to accomplish specific protection objectives. Risk is the likelihood and severity of adverse effects. Combining them yields the possibility for more cost-effective security investment and for streamlined management of risks.

Let’s talk definitions…

Risk is … Bill Lowrance in his 1976 classic Of Acceptable Risk wrote that risk is the probability and severity of adverse consequences. Doug Hubbard in his 2009 The Failure of Risk Management: Why It’s Broken and How to Fix It wrote that risk is the uncertainty of undesired events. In 1981 the Society for Risk Analysis gathered diverse minds and debated the definition of risk, finally agreed to disagree, and published a dozen definitions. Most of the definitions agreed on some core principles:

     Risk is the study of future bad events.

     Risk is the study of future events that have uncertainty or unknown/ambiguous precursors or consequences.

     Risk is the study of how bad the consequences of the bad events could get.

In volume one, issue one of the journal Risk Analysis published in 1981, Stan Kaplan and John Garrick wrote that risk analysis is the process of answering three questions:

     What can go wrong?

     What is the likelihood?

     What are the consequences?

Some argue over whether the likelihood is about the occurrence of the what-can-go-wrong event or the likelihood of various levels of consequence severity, but most agree that understanding the uncertainty of both is essential. Because risk is about the future, it becomes a modeling exercise to anticipate the future, in which we strive to understand the various components of a system (people, technology, processes) and how they will result in various outcomes. Because risk management is about making decisions and taking actions to reduce both uncertainty and bad consequences, it requires an understanding of multi-objective analysis, tradespace estimation, and decision analysis.

Security is … Giovanni Manunta in his 2000 publication Defining Security describes how definitions of security are all over the place, “so wide-ranging as to be impracticable.” (page 9) Security involves freedom from worry, protection from danger, avoidance of anxiety or distress, or removal of troubles. Despite the high variance, most definitions agree on some core principles:

     Security is concerned with preserving the value of an asset (or operation).

     Security is concerned with threats that might undermine the asset value.

     Security is concerned with the actions and responsibilities of a protector.

The task of a security professional is to identify assets or operations that have value, to identify actors or processes that might degrade that value, to establish a set of protective goals, objectives, and standards that will preserve the value of the asset or operation, and finally to create systems that accomplish the intended protection objectives. As such, security is focused on establishing a system (people, technology, processes) against a set of requirements derived from the asset value to defend, the threats that might undermine that value, and what the protector is able to control in order to accomplish protection objectives.

Security vs. Risk … There is an inherent synergy between security analysis and risk management. There is uncertainty in every aspect of the security process (e.g., what is the value of an asset or operation? what is the probability that a threat might actually degrade an asset? how effective are protective actions?). Security becomes a modeling exercise as the analyst seeks to establish relationships between threats and asset value - and these relationships are frequently the consequences that result from threatening events. Risk analytics provides theory and structure for working through the system and the relationships between threats, hazards, initiating events, people, processes, and technology, and for understanding how those relationships are known, heterogeneous, ambiguous, or otherwise lead to adverse consequences that run counter to protection objectives. Security analysis, in turn, gives the risk manager focus: it frames the problem around assets, calibrates consequences against asset value, narrows the space of risk management options to what the protector can control, and reduces uncertainty by reducing scope to assets, asset value, threats, and protection abilities.

Some false presumptions …

There are some presumptions about risk management and security analysis that are false, but have begun from a misunderstanding of what is possible in the “other field.”

Risk analysis won’t make countermeasure recommendations. Some early mistakes during the integration of risk analytics into security analysis came from believing that understanding the impacts of countermeasures on the probability and severity of adverse consequences would reveal the “optimal sets” of countermeasures for security decisions. This is not the case, because someone must still decide “how safe is ‘safe enough.’” Using risk analysis does not allow a security analyst to skip the inherently preference-focused step of establishing protection objectives. In fact, most traditional security analysts feel that any adverse event needs to be prevented. If anything, the risk analysis perspective might make security more complicated, because the security analyst begins to realize that protection objectives can never be accomplished with complete certainty (without spending oneself into oblivion).

There is not “a single, accepted risk assessment methodology.” While there are similarities between risk assessment methods (for example, bounding the system, identifying what-can-go-wrong events, assessing probabilities and severities, …), there is no single technique that is able to solve all problems. For example, “Risk = Threat x Vulnerability x Consequence” is not an all-encompassing risk formula. In fact, the formula is an average of sorts and could potentially mislead users who are trying to understand how to protect against rare events. To illustrate further, understanding the risks of a hurricane to a region’s availability of potable water requires a different set of models and equations than understanding how an adversary might poison a region’s water supply. They would require a different model, a different measurement system, and a different decision-making process. A variety of risk analysis tools can be used iteratively with a variety of security analysis tools to characterize the systems, discover which assets have value, understand and characterize the uncertainty of threats, establish models for estimating consequences, and so forth. Nevertheless, ultimately various specific tools and methods are necessary to achieve the specific insights needed for good security and risk management decisions.
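The point that “Risk = Threat x Vulnerability x Consequence” is an average that can hide rare, severe events is easy to see in code. The following is an added illustration, not part of the article and not a MITRE tool: two constructed scenarios are tuned to the same expected annual loss under the T x V x C product, yet the annual probability of a loss that exceeds a stated protection objective (a loss tolerance) differs by orders of magnitude. The scenario names, the loss tolerance, and all numbers are constructed for the example; the exceedance calculation assumes the scenarios are independent.

```python
"""Added example (not from the article): the T x V x C product as an average.

Two constructed scenarios have the same expected annual loss, but only one of
them can ever breach a loss tolerance.  A decision driven by the product alone
would treat them as equally risky.  All values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One what-can-go-wrong event with the three factors of the product."""
    name: str
    threat: float         # annual probability that the event is attempted / occurs
    vulnerability: float  # probability the attempt succeeds, given that it occurs
    consequence: float    # loss if it succeeds (constructed units, e.g. dollars)

    def expected_annual_loss(self) -> float:
        """The textbook product: Threat x Vulnerability x Consequence."""
        return self.threat * self.vulnerability * self.consequence

    def annual_probability_of_loss(self) -> float:
        """Probability that the loss is actually realised in a given year."""
        return self.threat * self.vulnerability


def loss_exceedance(scenarios, tolerance: float) -> float:
    """Annual probability that at least one scenario produces a loss above
    `tolerance`.  Scenarios are assumed independent (constructed assumption),
    so P(at least one) = 1 - prod(1 - p_i) over the qualifying scenarios."""
    no_breach = 1.0
    for s in scenarios:
        if s.consequence > tolerance:
            no_breach *= 1.0 - s.annual_probability_of_loss()
    return 1.0 - no_breach


# Constructed scenarios, both with expected annual loss of 5,000.
FREQUENT = Scenario("frequent-minor", threat=1.0, vulnerability=0.5, consequence=10_000.0)
RARE = Scenario("rare-catastrophic", threat=0.001, vulnerability=0.5, consequence=10_000_000.0)
SCENARIOS = [FREQUENT, RARE]

# Constructed protection objective: a single loss above this is unacceptable.
LOSS_TOLERANCE = 1_000_000.0


def compare(scenarios=SCENARIOS, tolerance=LOSS_TOLERANCE) -> dict:
    """Side-by-side view of what the product shows and what it hides."""
    return {
        "expected_annual_loss": {s.name: s.expected_annual_loss() for s in scenarios},
        "exceeds_tolerance": {s.name: s.consequence > tolerance for s in scenarios},
        "annual_probability_of_breach": loss_exceedance(scenarios, tolerance),
    }


if __name__ == "__main__":
    result = compare()
    for name, eal in result["expected_annual_loss"].items():
        print(f"{name:>18}: expected annual loss = {eal:,.0f}")
    print(f"probability of a loss above {LOSS_TOLERANCE:,.0f} in a year: "
          f"{result['annual_probability_of_breach']:.4f}")
```

The two expected annual losses are identical, so ranking by the product gives no reason to prefer one set of countermeasures over the other; the exceedance figure comes entirely from the rare scenario and is what a protector with a hard loss tolerance actually needs to manage.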

Traditional risk analysis cannot help you identify unimagined, emergent threats and hazards. Traditional approaches to risk analysis begin with system scoping, creating a frame of reference based on all the possible what-can-go-wrong events, and then prioritizing, filtering, and parameterizing those events through some tailored methodology. The challenge is that this traditional process (known as “closed-world” risk modeling) cannot anticipate something outside of the frame of reference. So, for example, if you do a risk assessment on a cyber system you will not create protections against so-called “zero-day threats,” which are called zero-day because they were outside the scope of your frame of reference for anticipation. There are emerging methods to use broader reference frames, to shift to “open-world” risk models that use stochastic modeling of adversarial innovation, and to use computational innovation to discover new possible adverse events. These new methods are more costly, and the jury is still out on whether they will be able to out-perform the “what-if rangers” that we typically rely on for penetration testing and war-gaming. Nevertheless, in a security world with an adaptable adversary, it is important to recognize that much of the traditional risk assessment process assumes some sustained state of nature, and adaptations will need to be made to ensure that protection objectives respond to the possible dynamics of adversaries.

Risk analysis does not lend itself to naive data science. Most data science relies on analysis of data from the past (if it has not happened, then you could not yet have data - some of us call this the rearview mirror problem), and relies on the data that is available to us (which does not necessarily provide information about the entire system - some of us call this the lamppost problem). When protection objectives demand controls and mitigations for rare events (e.g., Snowden violating the law to release scores of highly classified documents), then data is scarce and can be potentially misleading. When the system is changing rapidly (e.g., the emergence of tiny devices with wireless communication capabilities), then we cannot always rely on points from the past to help anticipate the future. As such, most risk analyses require experienced data scientists with strong probabilistic reasoning skills, sufficient domain expertise, and very strong abilities to model systems.

In summary…

Risk is about the probability and severity of adverse events in the future. Security is about accomplishing protection objectives. There is a great deal of synergy when the analyst (or team of analysts) has a strong understanding of both. It is important to remember that the most important thing in any analysis is to know what problem you are trying to address (be as specific as possible) and what objective you are trying to accomplish (be as specific as possible). Then you will be able to pick apart and tailor security analysis and risk management to meet your needs within acceptable costs and timeframes.

BIO: Dr. Kenneth G. Crowther is a systems engineer and risk analysis domain expert at the MITRE Corporation, where he supports the U.S. Government in several tasks aimed at improving analytics. He also teaches risk analysis to graduate students at the University of Virginia and serves as a Director on the Board of the Security Analysis and Risk Management Association. He is an advocate for strong families and a supporter of the Boy Scouts of America. Kenneth can be contacted at kcrowther@mitre.org.