Keely Wilkins is an Evangelist with the Office of the CTO as well as a Pre-Sales Security Engineer at Check Point. She has been in the technology and security industry for over 25 years. On behalf of Check Point, Keely participates in the “Partnership against Cybercrime” working group with the World Economic Forum. She earned her MS Cybersecurity from Florida Institute of Technology and is expected to complete her MLS Cybersecurity Law and Policy from Texas A&M University School of Law in late 2024.
In this article, Keely demonstrates how data from common sources can be used to quickly build a risk probability and cost model that can be referenced when assessing security solutions. Explore how choosing a security solution with a higher catch rate not only increases security, but also lowers overall risk and optimizes for cost.
Quantifying cyber risk is difficult. There are textbook calculations that are intended to guide cyber security leaders toward building risk probability models and performing cost-based analyses. The product of such an endeavor is meant to be the basis of an organization’s cyber security strategy. I’ve never seen this level of analysis practiced outside of a classroom.
There are people among us who are experts at building risk probability models and cost-based analysis. Bankers, insurers, and investors rely on the expertise of data scientists and Artificial Intelligence (AI) to build complex probability models based on historical data and predictions of future events. The output of these models assists in setting interest rates for loans, insurance valuations and costs, and share prices.
Those of us in the cyber security realm have a different experience when it comes to probability models and cost-based analysis. Our objective is to protect the organization. We don’t think about interest rates, valuations or share price when we’re building a defense against threat actors and/or nation-state malicious activity. If we’re in IT, we’re thinking about data loss/tampering and unauthorized access. If we’re in OT, we’re thinking about personnel safety, water safety and utility delivery. Specialty areas, such as maritime, aviation, and connected vehicles, pose unique concerns as well.
Cyber risk management sits at the crossroads of finance and security.
What’s one thing cyber security leaders should know about cyber risk management?
It’s a team sport. You are not the only one assessing your risk and you are not the only one impacted by your risk. Similarly, you are impacted by the risks taken by others.
There are influencers and stakeholders, such as employees, supply chain partners, board of directors, banks, insurance companies, investors, compliance agencies, and governments with whom each organization has a symbiotic relationship.
How does a product catch rate factor into how organizations manage cyber risk?
The value of a catch rate has been downplayed recently. I’m not sure if that’s because it’s not understood or because it is – which may not be to the benefit of some vendors.
For clarity, a catch rate refers to how well a security solution detects and prevents different types of cyber attacks. Catch rates are usually determined by independent test labs and the results may be published by the lab and/or the vendors.
The value of a catch rate is directly related to how well the security solutions performed during independent testing. For example, security solution X may have a catch rate of 95%, meaning that it detected and prevented 95% of all the attacks the lab used to test it with. The converse measurement is that the customer is assuming the remaining risk of 5%.
That remaining risk can be quantified into financial terms to aid leadership in choosing the best security solution, lowering the risk of cyber attacks, decreasing the risk transferred to insurance companies, decreasing the number of cyber insurance claims and perhaps, lowering the interest rates on loans.
Can you provide an example of how this can be done?
Yes, of course. I built a very simple model using data from the IBM 2023 Cost of a Data Breach Report, Check Point Research and a KnowBe4 Phishing report. Any data sources can be used so long as the data collection method is clearly stated and understood and the following variables are available:
- Attack vector
- Average cost per breach (for the attack vector)
- Attack frequency (for the attack vector)
- Average number of attacks per week per organization
- Click probability (for phishing only)
The example that I’m sharing is specific to phishing, but can be extended to any threat vector so long as good source data is available. Keep in mind that the resulting values from the calculations are estimates of what the risk might cost. Risk is the probability of loss or harm.
Begin with the variables.
- Attack vector = phishing
- Avg cost/breach = $4.76M
- Attack frequency = 16%
- Attacks/wk/org = 1258 (16% = 201 events)
- Click probability = 18% for trained employees; 35% if untrained
- Remaining risk = 5% (assuming catch rate of 95%)
Below are four calculations that will demonstrate the probable cost of the remaining risk.
1. Cost of customer risk per breach = Avg cost/breach * Remaining risk
2. Number of phishing events per week = (Attacks/wk/org * Attack frequency) * Remaining risk
3. Probability of trained employee clicking on phishing event = Number of phishing events * Click probability
4. Cost of remaining risk per week = Cost of customer risk per breach * Probability of employee clicking on link
Notice the difference between ‘cost of remaining risk per week’ for 5% versus 10%. It’s roughly $1.3M of risk per week that the business leaders need to decide how to manage. They have a few choices: Ignore, accept, reduce, avoid or transfer.
Ignoring risk is never advised. Accepting the risk should be purposeful, surgical, and the reasoning for doing so should be well-documented. Reducing or avoiding the risk is preferred, as both are part of an actionable cyber security strategy. Transferring the risk to the cyber insurance company is costly and not as easy as it seems. The insurance company will require the organization to maximize the reduce and avoid options to lower the financial risk they are assuming. Hence, the objective is to reduce and avoid risk as best as possible.
Choosing security solutions with the best catch rate is a big step toward lowering risk and its associated costs.
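The four calculations above, carried through in code as an added example (this is not from the interview, Check Point, or any of the cited reports): it takes the inputs exactly as quoted, applies the four steps in order for a 95% and a 90% catch rate, and reproduces the roughly $1.3M weekly difference mentioned above. Function, class and parameter names are this example's own.

```python
"""Remaining-risk cost model for phishing (added example, not from the interview).

Inputs are the figures quoted in the interview (IBM 2023 average breach cost,
phishing share and weekly volume, trained/untrained click rates). Function and
field names are this example's own, not anyone's published API.
"""
from dataclasses import dataclass

# Inputs as quoted in the interview
AVG_COST_PER_BREACH = 4_760_000          # $4.76M average cost per breach
ATTACK_FREQUENCY = 0.16                  # 16% of attacks are phishing
ATTACKS_PER_WEEK_PER_ORG = 1258          # attacks per week per organization
CLICK_PROBABILITY = {"trained": 0.18, "untrained": 0.35}


@dataclass(frozen=True)
class RiskEstimate:
    catch_rate: float
    remaining_risk: float
    cost_per_breach: float            # calculation 1
    phishing_events_per_week: float   # calculation 2
    expected_clicks_per_week: float   # calculation 3
    cost_per_week: float              # calculation 4


def remaining_risk(catch_rate: float) -> float:
    """Risk the customer keeps: whatever the solution does not catch."""
    if not 0.0 <= catch_rate <= 1.0:
        raise ValueError("catch_rate must be a fraction between 0 and 1")
    return 1.0 - catch_rate


def estimate_weekly_risk_cost(
    catch_rate: float,
    click_probability: float,
    avg_cost_per_breach: float = AVG_COST_PER_BREACH,
    attack_frequency: float = ATTACK_FREQUENCY,
    attacks_per_week: float = ATTACKS_PER_WEEK_PER_ORG,
) -> RiskEstimate:
    """Apply the interview's four calculations in order."""
    remaining = remaining_risk(catch_rate)
    # 1. Cost of customer risk per breach = Avg cost/breach * Remaining risk
    cost_per_breach = avg_cost_per_breach * remaining
    # 2. Phishing events per week = (Attacks/wk/org * Attack frequency) * Remaining risk
    events = attacks_per_week * attack_frequency * remaining
    # 3. Expected employee clicks = phishing events * Click probability
    clicks = events * click_probability
    # 4. Cost of remaining risk per week = cost per breach * expected clicks
    cost_per_week = cost_per_breach * clicks
    return RiskEstimate(catch_rate, remaining, cost_per_breach, events, clicks, cost_per_week)


def weekly_cost_difference(catch_rate_a: float, catch_rate_b: float, click_probability: float) -> float:
    """How much more weekly risk cost solution B (lower catch rate) carries than solution A."""
    a = estimate_weekly_risk_cost(catch_rate_a, click_probability)
    b = estimate_weekly_risk_cost(catch_rate_b, click_probability)
    return b.cost_per_week - a.cost_per_week


def risk_table(catch_rates, click_probability):
    """Rows of (catch rate, cost per week) for comparing candidate solutions side by side."""
    return [(c, estimate_weekly_risk_cost(c, click_probability).cost_per_week) for c in catch_rates]


if __name__ == "__main__":
    for label, p_click in CLICK_PROBABILITY.items():
        print(f"{label} employees (click probability {p_click:.0%})")
        for catch, cost in risk_table([0.99, 0.95, 0.90], p_click):
            print(f"  catch rate {catch:.0%}: remaining-risk cost ${cost:,.0f}/week")
    diff = weekly_cost_difference(0.95, 0.90, CLICK_PROBABILITY["trained"])
    print(f"95% vs 90% catch rate, trained staff: ${diff:,.0f}/week difference")
```

Because remaining risk enters both calculation 1 and calculation 2, the weekly figure scales with the square of the remaining risk: going from 5% to 10% remaining risk quadruples the weekly cost (about $431K to about $1.72M for trained staff), which is where the roughly $1.3M gap comes from. The same model with the 35% untrained click rate roughly doubles both figures, which is the quantitative case for pairing a high catch rate with awareness training.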
How else can organizations lower cyber risk?
Other mitigation methods are typically used in conjunction to lower the overall cyber risk assumed by the organization. I normally advocate for four overarching objectives: Zero Trust architecture, business processes, MSSPs, and training.
An important note on training: Employee security awareness training is fantastic and saves the organization a lot of heartache. It’s even more important to have the right security professionals in the right security roles. A Network Architect is not a Security Architect. A Cloud Engineer is not a Security Engineer.
Is there anything else you’d like to share about catch rates and risk management?
Two things come to mind. The first is that we are working to have this model built into a planning tool. The second is that this model is just that, a tool. This small example of it is evaluating the cost of risk based on a single attack vector. Use it as a reference.
Keely will be presenting an in-depth version of this at the mWise conference in Washington D.C., Sept 18-20, 2023.