Many businesses are struggling with cyber security defence, because it is hard to quantify the potential harm from cyber attacks. Specifically, if an adversarial agent from the outside aims to cause maximum disruption to a company, we need to ask how we can defend the most vulnerable parts of this company (the attack surface) as well as the sources of attack entry (the attack vectors). Vulnerable parts and sources may include employee, subcontractor, or customer personal activity; key company products and services; their channels to the market; supply chains; key enterprise assets and buildings; and so on.
Simulating Scenarios and Measuring Damage
While it is often hard to predict where the adversaries might hit the company, many attack scenarios can be mapped out when planning cyber defence. By examining vulnerabilities, consequences, threats, and defence options, and by evaluating their costs, you can prioritise where you want to put your resources. This quantification, in turn, will help you make decisions about which assets you need to defend.
Essentially, the point is that once you have quantified the potential damage, you defend the points of weakness and exploits that have the highest index of vulnerability combined with the highest potential harm. Of course, this requires measuring the impact and consequences of the harm if a given point of vulnerability is attacked. The important thing to remember is that high vulnerability to an attack may not be a priority if we know the consequences and estimate that the potential impact of that particular attack will be insignificant.
Under these circumstances, a successful defence strategy implies that you need to model all of these factors when planning cyber responses. You can work out the optimal allocation of the defensive resources you have available by using a conceptual framework that calculates the cost of each security measure and its predicted adequacy. This is a formal mathematical problem: it does not necessarily capture every issue, but at least it provides a conceptual mapping of potential damages to your business, which allows you to think about cybersecurity in a more constructive way.
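The prioritisation described in the last two paragraphs (vulnerability combined with potential harm, then allocating a fixed defensive budget) can be written down as a small model. The following is an added example, not code from the original article: it scores each attack scenario by expected loss (estimated annual probability multiplied by estimated impact) and then buys, greedily, the control that removes the most expected loss per unit of cost until the budget is exhausted. The scenarios, probabilities, impacts, control names, costs and reduction factors are all constructed for illustration, and the assumption that independent controls on the same scenario multiply their reductions is a modelling choice of this example, not a claim from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float  # estimated chance of a successful attack per year (0..1)
    impact: float       # estimated loss if the attack succeeds, in currency units


@dataclass(frozen=True)
class Control:
    name: str
    scenario: str       # the scenario this control mitigates
    cost: float         # one-off cost of putting the control in place
    reduction: float    # fraction by which it lowers that scenario's probability (0..1)


def expected_loss(scenario, applied=()):
    """Annualised expected loss: probability x impact.

    Each applied control that targets this scenario scales its probability by
    (1 - reduction). Assumption of this example: reductions are independent,
    so two controls on one scenario multiply.
    """
    p = scenario.probability
    for c in applied:
        if c.scenario == scenario.name:
            p *= 1.0 - c.reduction
    return p * scenario.impact


def total_expected_loss(scenarios, applied=()):
    return sum(expected_loss(s, applied) for s in scenarios)


def rank_scenarios(scenarios):
    """Highest expected loss first: the 'index of vulnerability' combined with harm."""
    return sorted(scenarios, key=expected_loss, reverse=True)


def allocate_budget(scenarios, controls, budget):
    """Greedy allocation under a fixed budget.

    Repeatedly pick the affordable control with the largest marginal reduction
    in expected loss per unit of cost, recomputing marginal gains after each
    purchase. Returns the chosen controls (in purchase order) and the residual
    total expected loss.
    """
    by_name = {s.name: s for s in scenarios}
    chosen, remaining = [], list(controls)
    while True:
        best, best_ratio = None, 0.0
        for c in remaining:
            if c.cost > budget:
                continue  # cannot afford this control with what is left
            s = by_name[c.scenario]
            gain = expected_loss(s, chosen) - expected_loss(s, chosen + [c])
            ratio = gain / c.cost
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:
            break  # nothing affordable is left that reduces expected loss
        chosen.append(best)
        remaining.remove(best)
        budget -= best.cost
    return chosen, total_expected_loss(scenarios, chosen)


# Constructed sample data for the example; none of these figures are from the page.
SCENARIOS = [
    Scenario("ransomware on file servers", probability=0.30, impact=2_000_000),
    Scenario("supplier portal credential theft", probability=0.50, impact=300_000),
    Scenario("website defacement", probability=0.80, impact=20_000),
]
CONTROLS = [
    Control("offline backups", "ransomware on file servers", cost=80_000, reduction=0.6),
    Control("EDR rollout", "ransomware on file servers", cost=150_000, reduction=0.5),
    Control("MFA on supplier portal", "supplier portal credential theft", cost=20_000, reduction=0.8),
    Control("WAF in front of website", "website defacement", cost=30_000, reduction=0.9),
]

if __name__ == "__main__":
    for s in rank_scenarios(SCENARIOS):
        print(f"{s.name:35s} expected loss {expected_loss(s):>12,.0f}")
    chosen, residual = allocate_budget(SCENARIOS, CONTROLS, budget=120_000)
    print("buy:", [c.name for c in chosen])
    print(f"expected loss before {total_expected_loss(SCENARIOS):,.0f}, after {residual:,.0f}")
```

Note what the numbers show: the website defacement scenario has the highest probability of all three, yet its expected loss is the smallest and it receives no spend, which is exactly the point above that high vulnerability alone does not make something a priority. The greedy rule is a simple approximation; a practitioner would treat the probabilities and impacts as rough estimates and re-run the allocation as they are refined.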
Cyber Attacks are Cyber "Earthquakes"
Some events may not initially look like cyber risk issues. For example, in regions that are prone to earthquakes, such as the West Coast of the USA and Silicon Valley, many people and much infrastructure are potentially vulnerable. A major cybersecurity attack on infrastructure is in many ways similar to an earthquake: you may have to evacuate an area and restore infrastructure, recover homes, businesses, and people's lives. Can you get people out fast enough? Can you get key infrastructure secured? You may not be able to, as transport routes are not designed for mass evacuation, and key infrastructure might be impossible to safeguard in the face of a natural disaster.
Yet, if you are armed with numbers and can quickly assess the damage, you will be able to approach all problems (no matter how devastating they are) more effectively and constructively, even if your numbers are just rough estimates.
Trying to assess cyber security damage during or after an attack is like trying to train your earthquake rescue team while the natural disaster unfolds, or even after the fact. Obviously, this is a recipe for disaster.
Essentially, you cannot know for certain whether a system is secure, even though there are mathematical methods that can prove a set of rules to be secure. A cryptographic set of rules, for example, can be used to determine whether an encryption scheme is secure. Yet even if you have the best cryptographic developments at your service, from a cybersecurity practitioner's perspective your encryption is, theoretically speaking, still vulnerable. Whether it is actually secure can only be tested empirically. If a system is broken by the adversaries, it is clearly not secure; but if it is not broken and is functioning, then it may or may not be secure. One thing is certain: it is never 100% secure; it is always secure only to a degree. For example, with security information and event management (SIEM) tools, you can demonstrate that nothing anomalous has been detected in the system, but you cannot know this with absolute certainty. Adverse factors preventing you from detecting existing threats and vulnerabilities may include:
Insufficient time to check all system areas
Lack of investment in tools to protect the system
Lack of cyber security technical skills
Lack of risk management skills
Lack of leadership skills to validate and respond to risks
Human error in design of the system
Human error in configuration, support, monitoring, and response to attack
Zero-day events (new vulnerabilities or exploits)
Fake information manipulation
Proximity to other networks and vendors who are attacked
What quantification of potential damages gives you is an understanding of whether you can be comfortable or should be concerned about the degree of security you have. If you have very valuable assets (e.g., important consumer data you cannot afford to lose), you know you need a system with the highest degree of security possible, and you can better prepare to face potential threats.
Quantifying potential damages from cyber attacks is a very important task that defines many aspects of a company's cyber defence strategy. Without understanding the potential adversarial harm, restoring services to their equilibrium state is problematic.