FBI outlines three components of cyber-risk

Algebra-like formula incorporates all three

To make better cybersecurity-related decisions a senior FBI official recommends considering a simple algebraic equation—risk = threat x vulnerability x consequence—rather than solely focusing on threat vectors and actors.

Each factor is important, Steven Chabinsky, deputy assistant director at the FBI’s Cyber Division, said today. Chabinsky spoke on a panel at the Armed Forces Communications and Electronics Association Homeland Security Conference in Washington.

Nation-states that commit espionage, terrorist organizations, individuals interested in using the Internet as an attack tool and criminal syndicates are the types of attackers mostly likely to target computer systems in both the public and private sectors, he said. Threat vectors on which the FBI is focused include remote access and intrusion, supply chain vulnerabilities, proximate or close access threats, and insider access threats, he said.

Chabinsky said the risk model is compelling is because risk drops down to zero if any of those three elements or variables is zero. He said the risk model is the first place he goes when he needs to step back strategically.

“Unfortunately, we haven’t gotten to the point where I feel we can maintain at zero any one of those element so we have to constantly figure out as an organization how we are we driving down each of those,” he said.

He added, “If you look through the risk model you’ll find that you have opportunities on the threat vulnerability and consequence management side, and you have to find your partners so that you could work together.”

About the Author

Ben Bain is a reporter for Federal Computer Week.

The Fed 100

Read the profiles of all this year's winners.

Featured

Reader comments

Tue, Mar 2, 2010 Stephen R. Melvin, PE CSP CPP www.oursafetowns.com

TO: Mr. Steven Chabinsky
FROM: Mr. Stephen R. Melvin, PE CSP CPP

Mr. Chabinsky:
The equation that you recommend for determining risk is too simplistic to successfully accomplish your desired outcome. While I agree that risk assessment needs to be addressed more effectively than we have to date, allow me to suggest that this equation will actually obscure the results rather than provide the data for which you are hoping.
First, one has to quantify the threat. Which is a higher threat – a state sponsored hacker that wants to get your password at work (since you’re in the FBI) or a private individual that wants to add your machine to their network of botnets for sale to the highest bidder for carrying out cyber attacks on governments? First, the term “threat” doesn’t include anything about probability or likelihood, but since the other two variables in your equation also don’t include them, I can only assume that the probability of an attack is included under your “threat” variable.
A second reason that this equation will get bogged down is the definition of “consequence.” Which is a worse consequence – a Wall Street attack that costs $1B in damage to the economy, or an attack on a utility that only costs a few hundred million, and thirteen lives? Trying to use a quantitative approach here will cost you time and money and will probably not solve your problem.
Allow me to suggest instead that you begin with a qualitative, or even semi-quantitative, approach. Chemical facilities required to perform safety assessments have used this approach for a decade and a half [http://www.wiley.com/WileyCDA/WileyTitle/productCd-0816907463.html] to get an idea of risk at their facilities. This approach uses a semi-quantitative approach where risk is a function of likelihood and severity (not multiplied) to place scenarios into risk bins. In implementations I have seen, this function may be severity X likelihood, may be weighted in favor of one or the other, or may be derived from a risk-matrix. Higher risks can then be further analyzed using quantitative data and processes such as fault tree or event tree failure analyses.
In closing, the simplistic equation that you’ve presented may initially solve some problems, but will inevitably become the standard if propounded by officials such as yourself, which would stifle further discussion and modeling to determine the correct method for determining risk to a system.

Fri, Feb 26, 2010 Don O'Neill

We need to refresh the vitality of the business case as an important dimension in advancing software assurance and Cyber Security. The FBI approach suggested provides a strategic framework that points us in that direction. But more is needed. On a more tactical level, accomplishing this effectively requires taking a crosscutting look at the organization goals for security and resilience, the state of software engineering in actual practice, the common security weaknesses currently being exploited by bad actors, the resulting range of attack outcomes, the financial and reputation consequences and mission assurance impacts, and the need to reset the level of commitment to trustworthiness, security, and resilience and the investment in their achievement. I am conducting a Cyber Anticipation Tactics study that systematically undertakes this crosscutting look at these complex dimensions along the following lines: 1. The goal to assure resiliency is to manage the risks associated with anticipating, avoiding, withstanding, mitigating, and recovering from the effects of adversity whether natural or man-made under all circumstances. 2. Since risk is uncertainty in achieving a goal and the prospect for loss, the elements of goal uncertainty here lie in anticipating, avoiding, withstanding, mitigating, and recovering. In financial terms, the elements of cost at risk and uncertainty are associated with cleanup, lost opportunity, and recovery. 3. In terms of reputation and mission assurance, the elements at risk and uncertainty are loss of trust, loss of availability, and loss of privacy. 4. These elements of goal uncertainty can be combined with the elements at risk. For example, anticipating and avoiding a Cyber Attack finesses the cleanup, lost opportunity, recovery, loss of trust, and loss of availability impacts; but anticipating and avoiding is hard to accomplish. Consequently, falling back to withstanding and mitigating may be more realistic... depending on what is at stake. National defense systems with their dependence on the defense industrial base and the nation’s critical infrastructure demand all we can deliver... and more. 5. Specific weaknesses and vulnerabilities need to be cataloged according to the likely prospect for attack outcomes to incur including unauthorized access, loss of data, tampering with data, erosion of performance, and denial of service that bring with them the imposition of cleanup, lost opportunity, and recovery impacts as well as loss of trust and loss of availability. 6. These crosscutting results are intended for use as expert testimony with government leaders and business executives to assist in Cyber Security strategic planning, the calculation of return on investment in association with investment planning , and the ongoing management and assessment of Cyber Security risks.

Thu, Feb 25, 2010 Geoff C

Isn't the threat x vulnerability x impact a really standard risk assessment formula or am I missing something here?

Thu, Feb 25, 2010 Roy Boivin

How can you have a 0 consequence and have vulnerability and threat? if you come to this conclusion and you think you have no risk then maybe your not thinking hard enough? The flaw in this equation is knowing your venerabilities, threats, and consequences. there is a i think i dont have any of X Y or Z but you may be wrong... how many zero days did you know about before they hit your network?

Thu, Feb 25, 2010

Article provides little practical value. Need to add some more content, references, and some values other then zeros resulting with a target cyber threshold that would improve with time!

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group