Give me $1M / $3M / $10M: Quantifying Risk

QCon SF 2019, Markus De Shon (mdeshon@netflix.com)


SLIDE 1

SLIDE 2

SLIDE 3

Give me $1M

SLIDE 4

SLIDE 5

Give me $1M

SLIDE 6

  • $10M
  • $3M

SLIDE 7

Quantifying Risk QCon SF 2019

Markus De Shon (mdeshon@netflix.com)

SLIDE 8

How to Measure Anything in Cybersecurity Risk, Douglas W. Hubbard & Richard Seiersen

SLIDE 9

Measuring and Managing Information Risk, Jack Freund & Jack Jones (fairinstitute.org)

SLIDE 10

Frequency (of loss) ⨉ Magnitude (of loss, in $)

SLIDE 11

What is a loss?

SLIDE 12

First steps of a risk analysis

  • Assets
  • Architecture
  • Control architecture
  • Loss scenarios
SLIDE 13

SLIDE 14

Meet Sam the Sponge

SLIDE 15

His best friend Peter

SLIDE 16

His boss Mr. Prawn

SLIDE 17

The Prawn Patty

SLIDE 18

The secret recipe

SLIDE 19

Controls Architecture

  • Only one copy
  • Not memorized
  • Kept in safe
  • Trusted handlers
SLIDE 20

Recipe loss scenarios

  • Confidentiality
    ○ Competitor
    ○ Public
  • Integrity
    ○ crUD
  • Availability
    ○ Unavailable

SLIDE 21

SLIDE 22

Threat

SLIDE 23

Hazard

SLIDE 24

Tardigrade

SLIDE 25

SLIDE 26

Estimate frequency

Security engineers' range: 0 ——— ∞

SLIDE 27

Calibration: 0.1 / 0.01 / 0.001

SLIDE 28

Tardigrade steals recipe: 0.01

SLIDE 29

steals recipe: 0.1

SLIDE 30

Estimate magnitude

  • Asset owner
  • Decompose
  • Low → High (90% CI)
  • US$
SLIDE 31

Model magnitude with lognormal

[Plot: lognormal loss distribution, with the 90% CI spanning from low loss to high loss]

SLIDE 32

SLIDE 33

Why Money?

  • Composable (A+B)
  • Comparable (A>B)
  • Interpretable by business

What about:

  • Priceless? → Implicit valuation
  • Intangible? → Inverse of ROI on existing investments

SLIDE 34

Magnitude: Tardigrade

  • Recipe unavailable → sales stop (primary)
    ○ 1 day @ $10K → $10K
    ○ 100 days → $1M
  • Knockoffs at Tardigrade's. Lose customers (primary)
    ○ 10 @ $100 → $1K
    ○ 1,000 → $100K
  • Total:
    ○ Low: $11,000
    ○ High: $1,100,000

Expected Loss: $2,930

SLIDE 35

Magnitude: Patty Pirate

  • Recipe unavailable → lost sales (primary loss)
    ○ 10 days @ $10K → $100K
    ○ 100 days → $1M
  • No Prawn Patties anywhere → immediate collapse, fires, dystopia (secondary, external)
    ○ 10 days @ $1M → $10M
    ○ 100 days → $100M
  • Totals:
    ○ Low: $10,100,000
    ○ High: $101,000,000

Expected Loss: $4,080,000

SLIDE 36

SLIDE 37

Engineering a Safer World, Nancy G. Leveson

SLIDE 38

Controller and process

SLIDE 39

(Incomplete) Control architecture

[Diagram of controllers and controlled processes; elements recovered from the slide: Internal Application, System Admin, App User, System Admin, Corporation, Government, Customers, Directives & Culture, Purchase Decisions, Laws & Regulations, Critical Data]

SLIDE 40

Markus De Shon mdeshon@netflix.com

  • Identify Assets
  • Study Architecture
  • Define Control architecture
  • Identify loss scenarios
  • Estimate frequency
  • Estimate low/high magnitude
  • Calculate expected loss
SLIDE 41

import math
from scipy.stats import lognorm, norm

def get_magnitude(lo, hi):
    # lo and hi are the asset owner's low/high 90% CI for the loss in US$;
    # treat them as the 5th and 95th percentiles of a lognormal distribution.
    # Calculate the mean mu in log space
    mu = (math.log(lo) + math.log(hi)) / 2.
    # norm.ppf(0.05) is about -1.645, so the 90% CI spans 2 * 1.645 sigma in log space
    factor = -0.5 / norm.ppf(0.05)
    sigma = factor * (math.log(hi) - math.log(lo))
    distribution = lognorm(sigma, scale=math.exp(mu))
    return distribution

# Expected loss = frequency x mean magnitude (Tardigrade scenario: 0.01 x mean of $11K-$1.1M)
print(0.01 * get_magnitude(11000, 1100000).mean())  # about 2930, the slide's Expected Loss
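The same calculation with only the Python standard library, as an added example that is not the deck's own code: it fits the lognormal from the 90% CI the way get_magnitude does, sums the two recipe scenarios (money is composable), and Monte Carlo simulates the annual loss so the $1M / $3M / $10M asks can be read as loss exceedance probabilities. The scenario names, the Poisson event count per year, the seed and the number of simulated years are my assumptions.

```python
import math
import random
from statistics import NormalDist
# Deck's lognormal fit, stdlib only: the low/high 90% CI are the 5th/95th percentiles.
Z95 = NormalDist().inv_cdf(0.95)  # 1.6449, i.e. -norm.ppf(0.05) in the deck

def lognormal_params(lo, hi):
    """(mu, sigma) of ln(loss) such that P(lo < loss < hi) = 0.90."""
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * Z95)
    return mu, sigma

def expected_loss(freq, lo, hi):
    """Expected loss = frequency x lognormal mean (the deck's last line)."""
    mu, sigma = lognormal_params(lo, hi)
    return freq * math.exp(mu + sigma ** 2 / 2)

# The deck's two recipe loss scenarios: (events per year, low US$, high US$); names assumed.
SCENARIOS = {
    "tardigrade_steals_recipe": (0.01, 11_000, 1_100_000),
    "patty_pirate_steals_recipe": (0.1, 10_100_000, 101_000_000),
}

def total_expected_loss(scenarios=SCENARIOS):
    # Money is composable (A+B): total expected loss is the sum over scenarios.
    return sum(expected_loss(*s) for s in scenarios.values())

def poisson_count(rng, lam):  # events in one year when `lam` are expected (assumed model)
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_annual_losses(scenarios=SCENARIOS, years=20_000, seed=2019):
    """Monte Carlo: Poisson event count per scenario per year, lognormal magnitude per event."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        loss = 0.0
        for freq, lo, hi in scenarios.values():
            mu, sigma = lognormal_params(lo, hi)
            for _event in range(poisson_count(rng, freq)):
                loss += rng.lognormvariate(mu, sigma)
        annual.append(loss)
    return annual

def loss_exceedance(annual, thresholds=(1e6, 3e6, 10e6)):
    """P(annual loss > t): the 'give me $1M / $3M / $10M' asks as probabilities."""
    return {t: sum(x > t for x in annual) / len(annual) for t in thresholds}
```

With these inputs almost all of the exceedance probability at every threshold comes from the Patty Pirate scenario, which is what makes a $3M or $10M control budget defensible while a Tardigrade-only control is not.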