FBI outlines three components of cyber-risk

Algebra-like formula incorporates all three

To make better cybersecurity-related decisions, a senior FBI official recommends considering a simple algebraic equation—risk = threat x vulnerability x consequence—rather than focusing solely on threat vectors and actors.

Each factor is important, Steven Chabinsky, deputy assistant director at the FBI’s Cyber Division, said today. Chabinsky spoke on a panel at the Armed Forces Communications and Electronics Association Homeland Security Conference in Washington.

Nation-states that commit espionage, terrorist organizations, individuals interested in using the Internet as an attack tool and criminal syndicates are the types of attackers most likely to target computer systems in both the public and private sectors, he said. Threat vectors on which the FBI is focused include remote access and intrusion, supply chain vulnerabilities, proximate or close access threats, and insider access threats, he said.

Chabinsky said the risk model is compelling because risk drops to zero if any of the three elements or variables is zero. He said the risk model is the first place he goes when he needs to step back strategically.

“Unfortunately, we haven’t gotten to the point where I feel we can maintain at zero any one of those elements, so we have to constantly figure out as an organization how we are driving down each of those,” he said.

He added, “If you look through the risk model you’ll find that you have opportunities on the threat, vulnerability and consequence management side, and you have to find your partners so that you could work together.”

About the Author

Ben Bain is a reporter for Federal Computer Week.


Reader comments

Tue, Mar 2, 2010 Stephen R. Melvin, PE CSP CPP www.oursafetowns.com

TO: Mr. Steven Chabinsky
FROM: Mr. Stephen R. Melvin, PE CSP CPP

Mr. Chabinsky:
The equation that you recommend for determining risk is too simplistic to successfully accomplish your desired outcome. While I agree that risk assessment needs to be addressed more effectively than we have to date, allow me to suggest that this equation will actually obscure the results rather than provide the data for which you are hoping.
First, one has to quantify the threat. Which is a higher threat – a state sponsored hacker that wants to get your password at work (since you’re in the FBI) or a private individual that wants to add your machine to their network of botnets for sale to the highest bidder for carrying out cyber attacks on governments? First, the term “threat” doesn’t include anything about probability or likelihood, but since the other two variables in your equation also don’t include them, I can only assume that the probability of an attack is included under your “threat” variable.
A second reason that this equation will get bogged down is the definition of “consequence.” Which is a worse consequence – a Wall Street attack that costs $1B in damage to the economy, or an attack on a utility that only costs a few hundred million, and thirteen lives? Trying to use a quantitative approach here will cost you time and money and will probably not solve your problem.
Allow me to suggest instead that you begin with a qualitative, or even semi-quantitative, approach. Chemical facilities required to perform safety assessments have used this approach for a decade and a half [http://www.wiley.com/WileyCDA/WileyTitle/productCd-0816907463.html] to get an idea of risk at their facilities. This approach uses a semi-quantitative approach where risk is a function of likelihood and severity (not multiplied) to place scenarios into risk bins. In implementations I have seen, this function may be severity X likelihood, may be weighted in favor of one or the other, or may be derived from a risk-matrix. Higher risks can then be further analyzed using quantitative data and processes such as fault tree or event tree failure analyses.
In closing, the simplistic equation that you’ve presented may initially solve some problems, but will inevitably become the standard if propounded by officials such as yourself, which would stifle further discussion and modeling to determine the correct method for determining risk to a system.
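As an added illustration (not part of the article or of any commenter's post), the block below puts the article's multiplicative formula beside the semi-quantitative risk-matrix approach described in the comment above, run over constructed scenarios; the likelihood and severity bands and the 3x3 matrix are assumptions chosen for the demonstration, not values from the page.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    threat: float         # likelihood a capable adversary attempts it, 0..1
    vulnerability: float  # probability the attempt succeeds, 0..1
    loss_usd: float       # direct financial consequence
    fatalities: int = 0   # consequence the dollar figure does not capture

def multiplicative_risk(s: Scenario) -> float:
    """The formula from the article: risk = threat x vulnerability x consequence.
    Any single zero factor drives the whole product to zero."""
    return s.threat * s.vulnerability * s.loss_usd

# Semi-quantitative alternative: ordinal levels looked up in a risk matrix
# (hypothetical 3x3 bands, assumed for this example).
def likelihood_level(s: Scenario) -> int:
    p = s.threat * s.vulnerability
    return 3 if p >= 0.1 else 2 if p >= 0.01 else 1

def severity_level(s: Scenario) -> int:
    # Worst of the dollar band and the fatality band: lives are a separate
    # axis, not converted into dollars.
    dollars = 3 if s.loss_usd >= 1e9 else 2 if s.loss_usd >= 1e7 else 1
    lives = 3 if s.fatalities > 0 else 1
    return max(dollars, lives)

RISK_MATRIX = {
    (1, 1): "Low",    (1, 2): "Low",    (1, 3): "Medium",
    (2, 1): "Low",    (2, 2): "Medium", (2, 3): "High",
    (3, 1): "Medium", (3, 2): "High",   (3, 3): "High",
}

def matrix_risk(s: Scenario) -> str:
    return RISK_MATRIX[(likelihood_level(s), severity_level(s))]

# Constructed scenarios loosely following the comment's $1B-vs-lives example.
SCENARIOS = [
    Scenario("wall_street", threat=0.5, vulnerability=0.2, loss_usd=1e9),
    Scenario("utility", threat=0.2, vulnerability=0.1, loss_usd=3e8, fatalities=13),
    Scenario("airgapped_lab", threat=0.9, vulnerability=0.0, loss_usd=5e7),
]

def assess(scenarios=SCENARIOS) -> dict:
    """Map each scenario to (product risk, matrix bin) so the models can be compared."""
    return {s.name: (multiplicative_risk(s), matrix_risk(s)) for s in scenarios}

def rank_by_product(scenarios=SCENARIOS) -> list:
    return [s.name for s in sorted(scenarios, key=multiplicative_risk, reverse=True)]
```

The product ranks the dollar-heavy scenario far above the utility scenario, while the matrix bins both as High because the fatality axis dominates severity; the zero-vulnerability scenario collapses to zero under the product but still lands in a Low bin rather than vanishing.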

Fri, Feb 26, 2010 Don O'Neill

We need to refresh the vitality of the business case as an important dimension in advancing software assurance and Cyber Security. The FBI approach suggested provides a strategic framework that points us in that direction. But more is needed. On a more tactical level, accomplishing this effectively requires taking a crosscutting look at the organization goals for security and resilience, the state of software engineering in actual practice, the common security weaknesses currently being exploited by bad actors, the resulting range of attack outcomes, the financial and reputation consequences and mission assurance impacts, and the need to reset the level of commitment to trustworthiness, security, and resilience and the investment in their achievement. I am conducting a Cyber Anticipation Tactics study that systematically undertakes this crosscutting look at these complex dimensions along the following lines:
1. The goal to assure resiliency is to manage the risks associated with anticipating, avoiding, withstanding, mitigating, and recovering from the effects of adversity whether natural or man-made under all circumstances.
2. Since risk is uncertainty in achieving a goal and the prospect for loss, the elements of goal uncertainty here lie in anticipating, avoiding, withstanding, mitigating, and recovering. In financial terms, the elements of cost at risk and uncertainty are associated with cleanup, lost opportunity, and recovery.
3. In terms of reputation and mission assurance, the elements at risk and uncertainty are loss of trust, loss of availability, and loss of privacy.
4. These elements of goal uncertainty can be combined with the elements at risk. For example, anticipating and avoiding a Cyber Attack finesses the cleanup, lost opportunity, recovery, loss of trust, and loss of availability impacts; but anticipating and avoiding is hard to accomplish. Consequently, falling back to withstanding and mitigating may be more realistic... depending on what is at stake. National defense systems with their dependence on the defense industrial base and the nation’s critical infrastructure demand all we can deliver... and more.
5. Specific weaknesses and vulnerabilities need to be cataloged according to the likely prospect for attack outcomes to incur including unauthorized access, loss of data, tampering with data, erosion of performance, and denial of service that bring with them the imposition of cleanup, lost opportunity, and recovery impacts as well as loss of trust and loss of availability.
6. These crosscutting results are intended for use as expert testimony with government leaders and business executives to assist in Cyber Security strategic planning, the calculation of return on investment in association with investment planning, and the ongoing management and assessment of Cyber Security risks.

Thu, Feb 25, 2010 Geoff C

Isn't the threat x vulnerability x impact a really standard risk assessment formula or am I missing something here?

Thu, Feb 25, 2010 Roy Boivin

How can you have a 0 consequence and have vulnerability and threat? If you come to this conclusion and you think you have no risk, then maybe you're not thinking hard enough? The flaw in this equation is knowing your vulnerabilities, threats, and consequences. There is an "I think I don't have any of X, Y or Z" but you may be wrong... how many zero days did you know about before they hit your network?

Thu, Feb 25, 2010

Article provides little practical value. Need to add some more content, references, and some values other than zeros, resulting in a target cyber threshold that would improve with time!
