Evanta - December 2021

note: these are speaking notes that guided me through the speech, not a transcription. They’re also full of typos and grammar errors.

Acceptable Risk - A community exploration over lunch

Intro

How fast should we fix a serious vulnerability? 30 days, 7 days, 2 days… unless one’s answer is instantly, we are accepting an implicit risk that something bad could happen before we get to patching it. We balance the impact of moving too fast and breaking systems without proper testing against the time sensitivity of patching before exploitation starts.

Several years ago Cisco announced a critical vulnerability in their ASA firewall platform. It allowed an attacker to gain remote access to the firewall and the network it protected. The company I worked for at the time had many of these firewalls that connected our offices to each other via the internet over VPN tunnels. There was a moment of panic and then a calm, thoughtful decision to shut down all the firewalls we could not upgrade. That meant those offices would be offline until we could deploy new equipment. That was a difficult conversation to have with the CEO.

A few years later I came across a report that detailed the exploitation and use of that vulnerability. I felt vindicated! I had made the right call. I had done the right thing at the time… but… had I? Or was I lucky?

Incomplete information forces us to make decisions that have uncertain outcomes… we actually make these decisions every day… and we’re comfortable with it in many aspects of our lives. You drive a car; you don’t know exactly what will happen, and while we have a reasonably good intuition about the outcomes, you can’t know with certainty the behaviours of other drivers. There’s a non-zero chance you will be in a car accident. But that doesn’t mean you’ll die. There are many non-fatal car accidents every day and many more minor collisions. So we are willing to take a risk with something pretty important to get some benefit. On the less hazardous side we do it annually when we make RRSP decisions, or perhaps more often if you manage your investment portfolio more actively.

Our businesses are about taking some risk to produce some amount of return; we might design a new market offering at some expense or make an investment and not get much return… these are risks that might not pay off… or it might be wildly successful… a risk that produced a reward. Even the mundane has risk… much lower risk… but running a company has a non-zero chance of being unprofitable. Companies unfortunately do go out of business. Even the mundane act of stocking merchandise on a shelf has a risk consideration to it… the product might not sell.

In our profession we make decisions about how much security to apply to a particular system, and how fast to fix a vulnerability. We do that without knowing the outcomes, sometimes for days and sometimes for years. In some cases we’ve built processes and rules about how to make those decisions. The important question here is whether we update our decision making when we learn something new. If our tolerance for risk adjusts or is set to a different level, would we make a different decision?

Understanding our risk tolerances and defining acceptable risk allows us to better prioritize our limited resources. Not every vulnerability has to be fixed. Not every threat has to be defended against. We deal with the risks that are not acceptable to our business and are prepared to absorb the risks that are acceptable.

Questions

So now we’re going to get to the interactive part of the session. This is something I’m pretty excited about and I’d really appreciate your interaction. Everyone has theories about how the world works and the only way to confirm or disprove them is to investigate, to ask questions, to run experiments. So today, if you’ll indulge me, we’re going to test the theory that everyone has a risk appetite for breaches.

We’re going to do a sequence of 14 questions… there are no right answers, just your answer. I ask that you play along here. Suspend disbelief; answer the questions as if you are really in that moment.

1) Let’s start with something non-cyber… It’s the year 2000 and you’ve recently come into some money due to an error in your tax filings and the government refunds you a large amount of money. You decide to invest it. You learn of a fund that grows 10% consistently and has done so every year since 1991 regardless of what the market has done.

Question: How much do you invest from your tax refund? (25%, 50%, 100%)

2) So you’ve been in the fund two years. When you started in 2000 the S&P was just under 1,500. A year later it was down to 1,000 but great news your investment is up 10% as expected. A year later the S&P is now below 1,000 but great news your investment has continued to grow at another 10%. As the S&P continues to recover, your investment continues to grow at about 10% a year. By 2007 the S&P has recovered to just over 1500; your investments have continued to grow at pace and you’ve almost doubled your original investment.

Question: Do you stay invested now that you’ve almost doubled your investment? Yes or no

3) It’s late 2007 and the S&P starts dropping again. The investment fund is continuing to show its expected growth.

Question: Do you stay invested as the market declines again but the fund stays steady? Yes or no

4) In late December 2008, the S&P is down to about 800 and the financial crisis is underway. Now the fund manager is accused of fraud… his name is Bernie Madoff. In the years that follow Madoff is found to have swindled his investors out of tens of billions of dollars and he is sentenced to 150 years in jail for the largest Ponzi scheme in the history of America. Most of his victims are compensated for the loss of their original investment but all gains were lost.

Assuming you would exit the fund in 2007 and retained all your gains…

Question: If you could go back in time, how much would you have changed your original investment by? (no investment, doubled, tripled, quadrupled, every dollar I had)

So here’s an example of you reacting with perfect information… but in 2007 X% of you stayed in. Some of you guessed what this was… and it’s kind of obvious that this was a trap. Some of you may have recalled stock market performance when answering the questions, some of you may have remembered Bernie Madoff. Even if you didn’t, and X% of you exited the fund just in time, was that a lucky guess? Are you rewarding yourself for a lucky outcome? Maybe you performed the analysis that Harry Markopolos did, who in 2000 and again in 2005 filed complaints with the SEC about fraudulent activity at Madoff Investments. Had you known of these complaints or performed your own analysis, would you have behaved differently?

5) Now we’re going to figure out what our appetite for loss is… let’s say your company is developing a new product; it’s an unregulated industry… if successful, you can enter a massive market, and if your first year of sales goes well you will make revenue - it’s estimated at $11 million. However, there’s a chance the product will fail. If you invest more in the development and marketing of the product, you increase your chance of success.

Question: How much do you invest in the project:

  • Option A - $100,000 with a 50% chance of success
  • Option B - $1 million with a 66% chance of success
  • Option C - $10 million with a 90% chance of success

So now let’s switch to our domain…

6) So let’s pretend you’re the CISO of this company. You meet with the board. They’re discussing their cyber insurance for this project; it’s a strategic initiative.

Question: How much cyber insurance do you recommend to them?

  • $0
  • $100,000
  • $1,000,000
  • $10,000,000

7) There is a vulnerability in the software. It’s remotely exploitable; it’s complex to figure out but doesn’t require any authentication or user interaction. It’s rated 9 out of 10 on the CVSS scale.

Question: Do you require the vulnerability be fixed before launch? Yes / No

8) The average breach cost is $200,000 according to Cyentia’s IRIS 2020 study.

Question: Do you require the vuln be fixed before launch facing a possibility of some cost due to the breach? Yes / No

9) If you insist on the vulnerability being fixed, it will delay the launch by seven days and result in a significant contract penalty, likely multiple millions of dollars.

Question: Do you require the vuln be fixed before launch even though the delay will result in a significant penalty for the company? Yes / No

10) The CEO really wants to launch the product on time. They ask you how likely you think it is that the vulnerability will be exploited in the first month of launch. The vulnerability is complex to figure out but doesn’t require any authentication or user interaction. It’s rated 9 out of 10 on the CVSS scale.

Question: I would launch the product if the likelihood of the vulnerability being exploited was:

  • Less than 1%
  • 2 to 10%
  • 11 to 50%
  • greater than 50%

11) Less than 30% of vulnerabilities with a rating of 9 out of 10 are exploited within 7 days. The engineering team is 80% certain they can fix the vulnerability within the first five days of launch.

Question: Do you require the vuln be fixed before launch with a fix coming soon? Yes / No

12) You’re very worried about the possibility of the vulnerability resulting in an actual breach and you’ve asked that the product launch be delayed… the CEO is concerned about the revenue impact and potential penalties. They convene a meeting of the board to discuss.

The board says they want to launch but asks you what you think is an acceptable threshold for loss if a breach occurs.

Question: What do you set your loss tolerance at for a breach?

  • $0
  • $100,000
  • $1,000,000
  • $10,000,000

13) The board approves the launch knowing there’s a 30% chance of breach and they believe the potential for loss is acceptable to them. The launch proceeds and is successful. The engineering team works to fix the vulnerability and they’re on schedule to fix it. The day before the fix is about to be deployed, a breach occurs. The breach costs the company $300,000 to deal with.

Question: Would you have changed your tolerance?

  • Decrease
  • stay the same
  • Increase

14) A few months after the breach, the board wants to re-evaluate the company’s cyber insurance for the coming year.

Question: Would you change your insurance coverage from your previous recommendation?

  • Decrease
  • stay the same
  • Increase
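The investment options in question 5 and the launch-or-delay decision in questions 7 to 13 can be put into numbers. What follows is an added worked example, not part of the speech, that uses the figures the questions give ($11 million revenue, the three options, a 30% chance that a CVSS 9 vulnerability is exploited within 7 days, 80% engineering confidence in a fix within 5 days, a $200,000 average breach cost and the $300,000 actual loss). The contract penalty amount, the loss tolerance and the spreading of the 7-day exploitation figure into a constant daily hazard are assumptions, not figures from the talk:

```python
# Added example (not part of the talk): an expected-loss model for the
# investment options in question 5 and the launch-vs-delay decision in
# questions 7 to 13. The penalty amount, the loss tolerance and the
# constant-daily-hazard assumption are inputs chosen here, not from the talk.
from dataclasses import dataclass


def expected_value(cost: float, p_success: float, revenue: float) -> float:
    """Expected net return of spending `cost` for a `p_success` chance at `revenue`."""
    return p_success * revenue - cost


def rank_options(options: dict, revenue: float) -> list:
    """Rank options (name -> (cost, p_success)) by expected value, best first."""
    scored = [(name, expected_value(cost, p, revenue)) for name, (cost, p) in options.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def breach_probability(p_exploit_window: float, window_days: int,
                       p_fix_on_time: float, fix_days: int) -> float:
    """Probability of a breach before the fix lands.

    Assumption: the exploitation probability over `window_days` is spread as a
    constant daily hazard, so a fix after `fix_days` shortens the exposure.
    If the fix slips, the full window of exposure applies.
    """
    daily_survival = (1.0 - p_exploit_window) ** (1.0 / window_days)
    p_before_fix = 1.0 - daily_survival ** fix_days
    return p_fix_on_time * p_before_fix + (1.0 - p_fix_on_time) * p_exploit_window


@dataclass
class Decision:
    expected_loss_launch: float
    expected_loss_delay: float
    exceeds_tolerance: bool
    action: str


def launch_decision(p_breach: float, breach_cost: float,
                    delay_penalty: float, loss_tolerance: float) -> Decision:
    """Compare launching with the known vulnerability against delaying to fix it.

    Launching is recommended only if its expected loss is below the (certain)
    delay penalty AND the loss if a breach does happen stays within the
    tolerance the board has stated; the second test is the explicit
    conversation about loss tolerance the talk argues for.
    """
    e_launch = p_breach * breach_cost
    exceeds = breach_cost > loss_tolerance
    action = "launch" if (e_launch < delay_penalty and not exceeds) else "delay"
    return Decision(e_launch, delay_penalty, exceeds, action)


def outcome_review(observed_loss: float, loss_tolerance: float) -> str:
    """Question 13: a loss inside the agreed tolerance is a reason to revisit the
    estimate with new information, not by itself proof the tolerance was wrong."""
    return "within tolerance" if observed_loss <= loss_tolerance else "tolerance exceeded"


if __name__ == "__main__":
    REVENUE = 11_000_000
    options = {"A": (100_000, 0.50), "B": (1_000_000, 0.66), "C": (10_000_000, 0.90)}
    for name, ev in rank_options(options, REVENUE):
        print(f"Option {name}: expected value ${ev:,.0f}")

    p = breach_probability(0.30, 7, 0.80, 5)
    # Assumed inputs: a $2M contract penalty and a $1M board loss tolerance.
    d = launch_decision(p, 200_000, delay_penalty=2_000_000, loss_tolerance=1_000_000)
    print(f"P(breach before fix) = {p:.2f}; expected loss if launching ${d.expected_loss_launch:,.0f}; "
          f"delay costs ${d.expected_loss_delay:,.0f}; recommendation: {d.action}")
    print(outcome_review(300_000, 1_000_000))
```

Two things the arithmetic shows that the questions alone do not: Option C, the one with the highest chance of success, has a negative expected value ($9.9M expected revenue against a $10M spend), and the launch decision turns far more on the loss tolerance the board is willing to state than on the breach probability, since the expected loss of launching is small next to a multi-million penalty while a single breach can still exceed a small tolerance.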

Closing

Hindsight is perfect; with perfect knowledge it’s easy to engage in a bias that says you made the right decisions. However, we live in a world of incomplete information. We know that threat actors exist but we don’t know where they’ll strike next. We know that vulnerabilities exist, but we don’t know when they will be exploited. When we give our technology teams days or weeks to fix a vulnerability, we’re setting out an implicit risk tolerance that nothing will happen before we get the fix deployed.

When we make investments, we are saying that we have some appetite for the loss of that investment. When our companies choose a certain investment level in information security, they are pricing their uncertainty… it’s quite possible their pricing is wrong… we just don’t have the loss tables yet to help with that, but we’re getting closer. But even if it is wrong, it is an expression of tolerance; you just need to understand what the other side of the coin is… we are willing to invest this much… and we are willing to lose this much. Without an explicit conversation, though, you may not understand the loss tolerance.

At this time there is no perfect recipe for discovering risk tolerance. The best way to discover it is through exploration… through narrative, through storytelling and through discussion. The good news is you all know how to do that… you run tabletops; this would just be a different type of tabletop.

Estimating our risk appetite doesn’t have to be perfect… it can be wrong… and that’s okay as long as we agree to go back and visit it from time to time; to use new information to update it much like we did in both scenarios… and to ask ourselves why we got it wrong… or why we got it right.

It is important that you discover what acceptable risk is for both yourself and your management team. I encourage you to have risk appetite conversations with your management team. Work through scenarios with them to understand how much they’d be willing to lose in a breach before it is catastrophic. I’d recommend easing into the conversation and perhaps doing it over multiple conversations where you have time to reflect on what you’ve heard. Each organization thinks about risk in its own context… is it customer centric, regulatory, uptime, revenue… it could be one or more of these. As you reflect back to your management what you’ve heard, you can guide each other to a point where you have a mutually agreeable definition of what risk is acceptable. If you understand what your organization’s acceptable risk is, then not only does it allow you to prioritize your efforts but it also becomes a key touchstone in conversations about future investments.

With that I’ll leave you to your lunch.

I’ll post my speaking notes online for those that are interested.

Thanks for listening and being part of this interactive session.