Quantitative risk analysis often isn’t used in security because things may be difficult to quantify. If an attack hasn’t happened before, then what is its likelihood? If no data exists, how do we know how much a breach will cost? Despite these unknowns, there are several strategies for quantifying risk.
Types of unknowns:
- First time hacks: They’ve probably hit someone else in your industry. Use public data to estimate frequency and impact.
- Emerging risks: Even new risks have some predictable trends. We can use historical data for other emerging incident types (DDOS, ransomware, spear phishing, etc.) to look at the speed of spread. We can do scenario analysis for impacts.
- Rare incidents: Using special mathematics, we can quantify the risk of rare events. Further, remembering that no data point is useful data, we can also use extremely sparse data to estimate frequencies of incidents.
Case study:
A medium sized business is evaluating the risk of developers exposing database servers in cloud environments. Calculate the rate and impact of a breach using publicly available data.
Lots of hacks and data breaches occur through unknown assets. But just because the asset is unknown doesn’t mean that the risk can’t be quantified. Data exists that can help calculate the risk of ‘unknown unknowns’, emerging risks, or rare incidents. In this talk, we’ll cover methods and data sources that can be used to demystify unknowns.