Read the book You CAN Stop Stupid - Ira Winkler - Page 66

Risk Optimization


When people think of risk, there is frequently an unstated assumption that risk should be minimized. This assumption is wrong. Risk is about balancing loss with the cost to mitigate the loss. This balance should be optimized, not minimized.

Minimizing loss implies that you do absolutely everything possible to stop a loss. That is far from practical. Consider what you might do to minimize your chance of being robbed or accidentally injured on the street. You can buy an armored car that is heavily weighted and has a reinforced metal frame. You can hire a driver so that you can stay in the back in a padded area. You can travel surrounded by armed bodyguards and escort vehicles.

Taking these measures would minimize a great deal of risk, but they would not guarantee your safety and would likely cost more than you stand to lose from an injury or robbery. In fact, for the average person they would be prohibitively expensive. On the other hand, if you were carrying a great deal of money in a high-risk area, some of these precautions might be more practical. The important point is that the cost of your countermeasures is balanced with your potential loss.

NOTE Risk optimization is clearly a complicated concept that we cannot do justice to within a reasonable length. For those people who want to look further into this topic and want to be more effective in a risk mitigation position, we recommend the work of Lawrence Gordon and Martin Loeb. Their book, Managing Cybersecurity Resources: A Cost-Benefit Analysis (McGraw-Hill Education, 2005), is a helpful work on the subject.

Figure 4.2 depicts the relationship of the cost of countermeasures compared to potential loss. The vertical axis represents cost. The curve that begins on the top left represents the potential loss associated with your vulnerabilities. The curve that begins at the bottom left represents the cost of your countermeasures. Figure 4.2 assumes that you are implementing the countermeasures that are appropriate to your organization's needs.

As you can see, when countermeasures are 0, your potential loss is at its maximum. As you begin to implement countermeasures, your vulnerabilities begin to be mitigated and your potential loss decreases. Your potential loss should decrease rapidly, as there is usually a strong payback with the initial and practical countermeasures.


Figure 4.2 Cost of countermeasures compared to vulnerabilities

At some point, however, the cost of your countermeasures exceeds your potential loss. This is when you know that you are spending too much on countermeasures. The users running your security program can actually drain finances disproportionately to benefits, which effectively creates another form of loss.

Keep in mind that there can also be intangible forms of loss other than monetary, such as loss of life, reputational costs, and so on, and these might justify spending more than would otherwise be justified. Even then, you want to try to place a potential monetary value on such intangible loss and not put excessive investment into countermeasures.

Generally, you want the cost of your countermeasures to be significantly less than the potential loss. If you invest in countermeasures to the point where they exceed the potential loss, you are also likely wasting a great deal of money. In Figure 4.2, the area under the vulnerabilities line represents potential loss, not actual loss. It is rare that all potential loss becomes fully realized into actual loss.

For these reasons, you want to determine a good point where you have mitigated most of the potential loss and a minimal amount of potential loss might be acceptable. You will never be completely free from risk or loss, but you can consciously prepare for optimizing the loss. Figure 4.3 represents this concept by introducing the risk optimization point to the vulnerabilities/countermeasures balance.

As you can see in Figure 4.3, the risk optimization point is located where vulnerabilities have greatly decreased while the relative costs of their countermeasures have only modestly increased. The implication is that a reasonable investment in your security program's countermeasures dramatically mitigates potential loss. Clearly, the location of the risk-optimization point relative to the vulnerabilities/countermeasures balance will vary depending on your organization's specific needs. You want to determine the level of potential loss that you are willing to accept and then determine the costs of the countermeasures that will reduce your potential loss to that level.


Figure 4.3 The risk optimization point
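The balance described above can be worked through numerically. The following Python model is an added example, not code from the book or from Ira Winkler; the countermeasure portfolio, its costs and loss-reduction fractions, the starting potential loss and the acceptable-loss targets are all constructed for illustration. Each candidate removes a fixed fraction of whatever potential loss remains, so measures are picked in order of payback (loss removed per dollar), which reproduces the rapid early drop of the loss curve in Figure 4.2. The walk stops once the residual potential loss is at or below the level you decided to accept, as the text prescribes, and a second check flags the first point at which cumulative countermeasure cost exceeds the residual potential loss.

```python
"""Toy model of the vulnerabilities/countermeasures balance (added example).

Assumptions (constructed, not from the book): each countermeasure removes a
fixed fraction of the potential loss that is still on the table, costs are
annual, and the portfolio below is invented for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float       # annual cost to implement and operate (constructed)
    reduction: float  # fraction of the *remaining* potential loss it removes, 0..1


# Constructed sample portfolio; names and numbers are illustrative only.
CANDIDATES = [
    Countermeasure("patch management", 40_000, 0.50),
    Countermeasure("phishing-resistant MFA", 60_000, 0.40),
    Countermeasure("offline backups", 50_000, 0.30),
    Countermeasure("security awareness program", 80_000, 0.20),
    Countermeasure("24x7 managed detection", 250_000, 0.25),
    Countermeasure("armored-car tier: full network rebuild", 900_000, 0.30),
]


def payback(cm, remaining_loss):
    """Potential loss removed per dollar spent, given the loss still exposed."""
    return cm.reduction * remaining_loss / cm.cost


def plan(max_loss, acceptable_loss, candidates=CANDIDATES):
    """Walk along the countermeasure curve until the residual potential loss
    is at or below the level the organization has decided to accept.

    Returns a list of (measure name, cumulative cost, residual potential loss)
    points; the first point is the zero-countermeasure starting state.
    """
    remaining = list(candidates)
    residual = float(max_loss)
    spent = 0.0
    points = [("none", spent, residual)]
    while residual > acceptable_loss and remaining:
        # Best payback first: the practical, high-return measures come early,
        # which is why the loss curve drops fastest at the start.
        best = max(remaining, key=lambda cm: payback(cm, residual))
        remaining.remove(best)
        spent += best.cost
        residual *= (1.0 - best.reduction)
        points.append((best.name, spent, residual))
    return points


def overspend_point(points):
    """Name of the first step where cumulative countermeasure cost exceeds the
    residual potential loss (the crossover in Figure 4.2), or None."""
    for name, spent, residual in points:
        if spent > residual:
            return name
    return None


if __name__ == "__main__":
    for target in (400_000, 300_000):
        pts = plan(2_000_000, target)
        print(f"acceptable residual loss: {target:,}")
        for name, spent, residual in pts:
            print(f"  {name:<40} spent {spent:>12,.0f}  residual {residual:>12,.0f}")
        print(f"  overspend crossover: {overspend_point(pts)}\n")
```

With a starting potential loss of 2,000,000 and an acceptable residual of 400,000, four measures costing 230,000 leave 336,000 exposed, and cumulative cost stays below the residual loss. Tightening the target to 300,000 pulls in the 250,000 detection service, pushing cumulative cost to 480,000 against a residual of 252,000: the point the text describes as spending more on countermeasures than the loss they avoid.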

That might sound obvious, but that is not the way security programs are typically budgeted. Security programs generally get some percentage of the IT budget and then have to determine how to spend that money. Obviously, this number is frequently inadequate, which results in major losses.

Understanding that last sentence is essential. There is typically no relationship between the potential loss a security program is trying to prevent and the budget the organization is willing to allocate. That is a critical issue that will lead to the failure of the security program.

Consider the example of how the city of Baltimore was the victim of a ransomware attack in 2019, due to malware based on EternalBlue. EternalBlue had been identified as one of the tools exploited by the Shadow Brokers breach of the NSA. EternalBlue was patched in 2017, and should not have been an issue for anyone in 2019. After the successful attack on Baltimore, it and other cities around the United States improved their security budgets to address such attacks. However, the patch was widely known and had already been around for two years. Their budgets should have already accounted for patching, but they apparently had not previously invested sufficient funds to provide for a basic countermeasure.

When you understand your organization's vulnerabilities/countermeasures balance and its risk-optimization point, you develop greater insight into how you might better mitigate UIL.
