FBI outlines three components of cyber-risk

Algebra-like formula incorporates all three

To make better cybersecurity-related decisions a senior FBI official recommends considering a simple algebraic equation—risk = threat x vulnerability x consequence—rather than solely focusing on threat vectors and actors.

Each factor is important, Steven Chabinsky, deputy assistant director at the FBI’s Cyber Division, said today. Chabinsky spoke on a panel at the Armed Forces Communications and Electronics Association Homeland Security Conference in Washington.

Nation-states that commit espionage, terrorist organizations, individuals interested in using the Internet as an attack tool and criminal syndicates are the types of attackers mostly likely to target computer systems in both the public and private sectors, he said. Threat vectors on which the FBI is focused include remote access and intrusion, supply chain vulnerabilities, proximate or close access threats, and insider access threats, he said.

Chabinsky said the risk model is compelling is because risk drops down to zero if any of those three elements or variables is zero. He said the risk model is the first place he goes when he needs to step back strategically.

“Unfortunately, we haven’t gotten to the point where I feel we can maintain at zero any one of those element so we have to constantly figure out as an organization how we are we driving down each of those,” he said.

He added, “If you look through the risk model you’ll find that you have opportunities on the threat vulnerability and consequence management side, and you have to find your partners so that you could work together.”

About the Author

Ben Bain is a reporter for Federal Computer Week.

Featured

  • Government Innovation Awards
    Government Innovation Awards - https://governmentinnovationawards.com

    Congratulations to the 2020 Rising Stars

    These early-career leaders already are having an outsized impact on government IT.

  • Cybersecurity
    cybersecurity (Rawpixel/Shutterstock.com)

    CMMC clears key regulatory hurdle

    The White House approved an interim rule to mandate defense contractors prove they adhere to existing cybersecurity standards from the National Institute of Standards and Technology.

Stay Connected