3

Given this simple formula, Risk = Threat x Vulnerability x Information Value, it is quite difficult to estimate risks quantitatively, because threat estimation seems to me the most difficult part.

I am aware of CVSS and other vulnerability scoring systems. However, it seems that such systems provide a single score for the vulnerability only, without estimating threats and asset values. Besides that, scores cannot be used in such a formula. Let's say we have two vulnerabilities with a CVSS score equal to 7.0. They can be in different components with relative asset values of $10k and $1M. Of course I can't multiply the score by the asset value to compare the risks.

Coming back to the first formula, do I understand correctly that threat and vulnerability in that formula have some probabilistic meaning, and that they are not scores? If so, are there any frameworks for their estimation, and thus for risk estimation?

progmastery
  • A good document to read on various approaches to risk assessment - analytic/assessment approach (i.e., quantitative, qualitative, semi-quantitative) and the analysis approach (i.e., threat-oriented, asset/impact-oriented, vulnerability-oriented) is NIST SP 800-30 (Guide for Conducting Risk Assessments) – fpmurphy Feb 01 '21 at 05:57

2 Answers

2

Quantifying based on the formula

There is a massive misunderstanding in risk in general, and you are running into this misunderstanding.

That's not a formula!

Risk = Threat x Vulnerability x Information Value describes a relationship between those factors. You are not supposed to drop numbers in there and come out with a quantitative result.

Note that there are other risk assessment "formulas", and your example is just one. Every assessment model has a place and is used in different contexts. They can also assess different kinds of risk. There are Inherent Risk and Residual Risk assessment models.

Scoring vulnerabilities

As for your example of two vulns with a CVSS score of 7.0, but in different risk contexts: the answer is that the scoring of the risks is different because they are in different contexts. The different contexts also likely mean that the threats are different, too. The vulnerability is not a risk in and of itself. The vulnerability can be assessed and scored independently of the risks. That's why there is a separate risk assessment process.

Many infosec professionals equate and confuse "vulnerability" with "risk", and will often swap one term with the other. But they are different ideas and the assessment model highlights that.

Where's Probability in the formula?

Risk = Threat x Vulnerability x Information Value does not include any notion of probabilities/likelihoods. Probabilities are replaced by "threats" as it can be difficult to quantify probabilities of loss in information security. Quantifying threats is much easier and repeatable. So, likelihood gets rolled into the "threat" factor.

Estimating Threat

Threats are independent of vulnerabilities and impacts. Flooding is a threat, but if I live on a mountaintop, my vulnerability to flooding is really low and so is the impact. If I lived in a submarine, my vulnerability to flooding is high and so is the potential impact. So, you need to assess threats in context.

One way to do that is to assess the threat in relation to different impacts and segment the threats:

  • What is the threat of rain causing interior water damage on the walls?
  • What is the threat of rain causing an inch of water on the floor?
  • What is the threat of rain filling a room with water?
  • What is the threat of rain washing the house away?

By segmenting the threats, you can assess your risks with more sophistication and treat the different scenarios differently and more efficiently.

schroeder
  • What's the unit of measurement of risk? I know it can definitely be a probability, but if you also add the asset value to the equation anywhere, then the unit of measurement should become dollars (or euro, etc.). Formally, in INFOSEC, what units of measurement are allowed? – reed Nov 24 '20 at 11:49
  • 2
    Unit of measurement depends on whether you are doing qualitative or quantitative risk. If quant, then it is usually based on the impact measure (monetary is common). If qual, then no unit. It's just a score. – schroeder Nov 24 '20 at 11:57
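The threat segmentation described in this answer, carried into code as an added example (it is not from the original question or answers). It assumes one common quantitative reading of the relationship Risk = Threat x Vulnerability x Information Value: threat as an expected number of threat events per year, vulnerability as the probability that an event succeeds, and information value as the loss in dollars when it does. The `Scenario` class, the rating bands and every figure below are constructed for illustration and are not from the page or from any standard.

```python
"""Scenario-based risk assessment: quantitative (expected annual loss) and
qualitative (rating) views of the same segmented threat scenarios.

Added example, not from the original question or answers. Assumption: threat
is expected threat events per year, vulnerability is P(event succeeds), and
information value is the dollar loss per successful event. All figures and
bands are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat_event: str
    threat_frequency: float  # expected threat events per year (likelihood lives here)
    vulnerability: float     # probability that one event succeeds, 0..1
    asset_value: float       # loss in dollars if it succeeds
    cvss_base: float         # context-free score, kept only to show it is not the risk


def expected_annual_loss(s: Scenario) -> float:
    """Quantitative view: events/year * P(success) * loss per success (dollars)."""
    return s.threat_frequency * s.vulnerability * s.asset_value


def likelihood_band(s: Scenario) -> str:
    """Qualitative view: band the expected number of successful events per year.
    Thresholds are assumptions for this example."""
    successes_per_year = s.threat_frequency * s.vulnerability
    if successes_per_year >= 1.0:
        return "high"
    if successes_per_year >= 0.1:
        return "medium"
    return "low"


def impact_band(s: Scenario) -> str:
    """Band the loss per successful event. Thresholds are assumptions."""
    if s.asset_value >= 500_000:
        return "high"
    if s.asset_value >= 50_000:
        return "medium"
    return "low"


# Assumed 3x3 likelihood x impact matrix; no unit, just a rating.
RATING = {
    ("low", "low"): "low", ("low", "medium"): "low", ("low", "high"): "medium",
    ("medium", "low"): "low", ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium", ("high", "medium"): "high", ("high", "high"): "high",
}


def qualitative_rating(s: Scenario) -> str:
    return RATING[(likelihood_band(s), impact_band(s))]


def apply_control(s: Scenario, vulnerability_reduction: float) -> Scenario:
    """Residual risk: a control lowers P(success); threat and value are unchanged."""
    return replace(s, vulnerability=s.vulnerability * (1.0 - vulnerability_reduction))


def rank(scenarios):
    """Order scenarios by expected annual loss, highest first."""
    return sorted(scenarios, key=expected_annual_loss, reverse=True)


# Constructed scenarios: the question's two CVSS 7.0 vulnerabilities, one in a
# $10k component and one in a $1M component, each segmented by threat event.
SCENARIOS = [
    Scenario("marketing microsite", "opportunistic scanner exploits vuln A", 4.0, 0.5, 10_000, 7.0),
    Scenario("payment service", "opportunistic scanner exploits vuln B", 1.0, 0.5, 1_000_000, 7.0),
    Scenario("payment service", "targeted attacker exploits vuln B", 0.2, 0.8, 1_000_000, 7.0),
]


if __name__ == "__main__":
    for s in rank(SCENARIOS):
        print(f"{s.asset:20} {s.threat_event:40} CVSS {s.cvss_base} "
              f"EAL ${expected_annual_loss(s):>10,.0f}  rating {qualitative_rating(s)}")
    inherent = SCENARIOS[1]
    residual = apply_control(inherent, 0.9)  # e.g. a compensating control cuts P(success) by 90%
    print(f"inherent {qualitative_rating(inherent)} -> residual {qualitative_rating(residual)}")
```

Run as a script, the two 7.0 vulnerabilities land at opposite ends of the ranking purely because of their contexts, and the same payment-service vulnerability yields two different risks depending on which threat event is being assessed. The `apply_control` call is the inherent-versus-residual distinction from the answer: the score never changes, only the vulnerability factor does, and the qualitative rating drops with it.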
0

There isn't really any reason to subject vulnerabilities or issues facing your cybersecurity department to formulas or numbers.

I agree that CVSS is bad and to rarely ever use it (and definitely never trust it!). It's definitely not something you want to (or can or should) automate on/with.

Instead, just use your brains and the brains of the people around you. If you think something is worth fixing based on what Krebs or someone on the Internet wrote -- then do that.

It's also nice to know what the threat actors are doing with these vulns and issues. I find that I only get this sort of information about the actors using vulns/issues against my vertical, competitors, or from incidents currently being reported by the FBI from a handful of vendors: Recorded Future, FlashPoint-Intel, CrowdStrike Falcon Intelligence, Microsoft MSTIC Team, Intel 471, and Anomali ThreatStream. There are others that report on vulns/issues, such as FireEye -- but I haven't used them as much.

If you and your colleagues can confer on a vuln/issue remediation path / decision tree from actor-level intelligence, then you have a better way forward than CVSS or risk formulas. A platform such as MISP-Project can allow analysts to create weights and relationships based on unstructured data such as CVE or CVE details, as well as issues, vulnerabilities, or exploits that have no CVE — but that require similar tracking or exact/loose linking. This way, the system remembers your relationships for you — and the weights you applied to certain scenarios or incidents. Then you follow your tags, or your overall ontologies based on MISP Galaxies, which you can define, create, modify, and watch build an empire of empirical data.

atdre
  • Your edit is relevant to my interests at the moment. Can you provide resources that expand on that? – schroeder Feb 01 '21 at 08:36
  • 1
    Really as easy as this -- https://www.misp-project.org/2020/07/31/MISP-galaxy-101.html -- and if you want a list of known taxonomies for your clusters to link to your galaxies -- already in said formats, check out -- https://github.com/open-source-rs/OSRS-Galaxies/tree/master/OSRS-CMCF/OSRS-CMCF-B-H-CLUSTERS – atdre Feb 01 '21 at 21:13