A Parametric Model for Evaluating Cyber Risks
To say that the life of a cybersecurity professional is stressful would be putting it mildly. From being responsible for keeping their agency’s digital assets safe from an ever-evolving landscape of increasingly sophisticated threats to implementing new processes to stay compliant with a myriad of White House Directives, Legislative rules, and OMB requirements, there isn’t time to catch a breath. Cybersecurity professionals need a way to prioritize risks so that their responses can be timely, and agencies allocate limited resources effectively.
Cyber Risks Warrant Their Own Evaluation Model
Cybersecurity risks are more complicated than other risks because of the layered dimensionality inherent in them. As sophisticated adversaries continuously experiment with advanced techniques, they create a constantly evolving threat landscape with emerging vulnerabilities and attack vectors. This makes the risk management process for cybersecurity challenging on a new level because it requires ongoing vigilance in order to anticipate and mitigate potential breaches and adaptation responsive to new threats. To exacerbate these issues, the interconnected nature of digital systems and the potential for cascading effects amplify the impact of a cybersecurity incident, necessitating comprehensive safeguards that extend beyond the primary risks and incident response capabilities that can scale with the impact amplification.
Standard risks are typically evaluated by “Impact x Probability,” an approach too simplistic for evaluating cyber risks given these intricacies. Our proposed parametric model offers an advanced approach to cyber risk evaluation that considers both value and risk factors at the functional and component level and assesses criticality based on factors such as wide-spread use of the IT and data asset across multiple systems, functional importance to the mission, exploitability, specialization, and interconnectivity. This model calculates recommended prioritization scores, which can help agencies more accurately evaluate and address risks within real-world constraints of finite attention and resources.
Parametric Model for Cyber Risks Evaluation
Our parametric model for evaluating cyber risks provides a comprehensive approach by ensuring agencies review and score the risks within the most significant parameters affecting the dimensionality of the risk: Extent of Use, Functional Importance, Exploitability, Specialization, and Interconnectivity. The values produce a composite score for government organizations to use in prioritizing their cybersecurity efforts and, therefore, more effectively allocate their resources and mitigate risks to ensure the resilience of their cyber posture.
Extent of Use
This parameter assesses system criticality based on the extent of use at the subsystem or component level. Traditionally in the federal government, criticality is assessed by considering each system at the macro level, sometimes even at the system boundary. This view often misses critical tasks or functions performed by underlying subsystems and components across multiple systems. For example, a platform component that provides audit and logging support for various systems within the agency, within the same or across multiple boundaries, would have a higher criticality score. If this component failed or was compromised, it could significantly impact the agency’s ability to identify who or what accessed multiple systems’ resources and data and what was viewed, changed, and deleted, potentially compromising sensitive data. Therefore, the criticality score assigned to a risk identified for this component would be significantly higher than that assigned to a component used by a single system for a specific functional task. The higher criticality score reflects the more significant impact on the agency’s overall mission if this component was to fail or be compromised.
Functional Importance
This parameter evaluates the functional importance of a system and its constituent parts to an organization’s mission by considering how it contributes to achieving the mission, goals, or objectives. Assessing significance must go beyond the High-Value Asset (HVA) designation at the system level and evaluate more granular functions in greater detail. Many HVAs are data repositories (e.g., databases, data lakes), whereas the systems that “feed” or provide data to those data repositories may not have the HVA designation. Additionally, encryption functions may be performed by the platform and not within the boundary of the HVA system itself. In both these examples, agencies may overlook critical functions when prioritizing risks. When assessing risk, it is essential to look beyond the FISMA system boundaries to identify the specific functions performed by components and subsystems that make a system valuable to the mission. This involves examining impacts on upstream and downstream systems or data flows based on one small function that the system performs. For instance, consider a system the Department of Health and Human Services (HHS) uses as part of its data pipeline that transports medical data, moving it from one system to another at HHS. If this simple transport system is compromised or the encryption used within it is compromised, it could significantly impact the HHS’s ability to process healthcare data and potentially lead to data breaches of sensitive patient information. Therefore, the mission importance score assigned to this system would be higher than a system that does not support critical data flow functions or manages non-critical data. The higher importance score would reflect the more significant impact on the HHS’s overall mission if this system were compromised.
Exploitability
The exploitability parameter in the proposed parametric model for evaluating cyber risks considers the likelihood and potential impact of successful exploitation of a component’s known vulnerabilities, weaknesses, or potential attack vectors using threat modeling as a structured approach to identify, prioritize, and mitigate potential security threats to an organization’s assets. For instance, suppose a federal agency relies on a legacy system to store and manage sensitive data, and the system has not been updated in several years, posing potential risks. The agency’s cybersecurity team can develop a threat model to identify potential vulnerabilities and weaknesses in the system and create a threat profile of likely attackers or threat agents. By creating this view, the team can identify several potential attack vectors that could be used to exploit the system’s vulnerabilities, such as outdated encryption and poor segmentation. By assigning a high exploitability score to the components within the legacy system based on these findings, the team elevates these components for prioritized risk reduction actions like updating the system encryption algorithms, conducting a thorough vulnerability assessment and penetration testing, and implementing more robust encryption and segmentation measures to reduce the risk of successful exploitation by cyber attackers.
Specialization
This parameter assesses how specialized a component is in terms of its ability to be rapidly replaced in the event of a cyberattack or other failure. Components that perform highly specific functions or tasks or have been highly customized may not be quickly replaced in the event of a cyber-incident, thereby crippling a system or possibly an activity performed by an agency. For example, a highly specialized decision support system with unique predictive algorithms developed through machine learning may be significantly more challenging to replace than other systems. In the event of a cyber incident impacting components within this system, the agency may be unable to rapidly replace and securely re-initiate the system. By assigning a high specialization score to these components supporting this system, risk mitigation activities can be targeted to protect these specialized components.
Interconnectivity
This parameter assesses if a component impacts beyond the agency on external stakeholders, such as the public or other agencies. These external facing components may have known or unknown impacts on other organizations. For example, consider a critical application multiple agencies use that provides real-time updates on weather patterns and potential natural disasters. This application is connected to various components, such as servers, databases, and communication systems, that emergency responders use to coordinate their response efforts. If the application were to fail or be compromised, it could have cascading effects on other interconnected components, potentially significantly impacting the Government’s ability to respond to natural disasters. Therefore, the external impact score assigned to this critical application would be higher than an application used by a single agency or with fewer interconnections.
Composite Prioritization Score
Using the assigned scores for the extent of use, functional importance, exploitability, specialization, and interconnectivity to prioritize risk along with standard parameters for Impact and Likelihood of Occurrence, creates a composite cyber risk score (for example, a weighted average of these factors). By aggregating these scores, an overall cyber risk portfolio can be developed, allowing the organization to target risk mitigation efforts and allocate resources more effectively. Federal government organizations can use this model to prioritize their cybersecurity efforts by focusing on the components with the highest scores. Therefore, a component with a high criticality score, high importance score, high exploitability score, and strong relationships with other components may require immediate attention to reduce the federal government’s overall cyber risk.
The model not only helps cybersecurity professionals to make informed and timely decisions but also provides a holistic view of an agency’s overall cyber risk portfolio. The importance of prioritizing cyber risks has never been greater, and the model offers a practical and efficient way for federal government organizations to keep their digital assets safe and secure in the wild, complex world of cyber risk.