Quantifying CyberRisks- Solving the Riddle (per AT&T CyberSecurity Blog) March 11, 2021
Posted by Chris Mark in Uncategorized. Tags: AT&T, Bayes, Chris Mark, cybersecurity, data breach, hacker, risk

I recently published a new article on the AT&T CyberSecurity blog titled Quantifying CyberRisks- Solving the Riddle. Below is an excerpt. Click ‘read more’ to read the entire piece.
In the late 1990s and early 2000s, a concept was bandied about under the name “Return on Security Investment” (ROSI). Borrowing from the common business term Return on Investment (ROI), where the return on a particular investment (capital, personnel, training, etc.) can be quantified, the cybersecurity industry attempted to quantify a return on security spending.
Fundamentally, the primary failing of this concept is that it is mathematically impossible (or very nearly so) to quantify an event “not occurring”. In short, if a company has “zero” security events that harm it in a given year, was the $5 million security expenditure appropriate? Should it have been less, since no security event caused a loss? If the company did experience an event, was the return on the investment then the difference between the expenditure and the overall losses from the incident? It simply did not work, because it was mathematically flawed.
Fast forward to 2021, and companies are once again fixated on quantifying cyber risk and, more importantly, cybersecurity exposure. The question being asked is much the same: “Can companies accurately quantify cybersecurity risks today?”
This is a complex question but to attempt an answer it is first important to have a working definition of several terms.
Risk is an artificial construct that can be expressed as a function of the likelihood of an adverse event occurring (often given as a statistical probability) and the impact should the event be realized (in business, and for the purposes of this article, expressed in monetary terms). In short, R = f(P, I).
Security, Risk, and Bayes…oh my! January 6, 2017
Posted by Chris Mark in Uncategorized. Tags: adaptive, Bayes, conditional, DHS, hacking, Manunta, probability, risk, security, statistics, threat
(this is an excerpt of some research I conducted for a paper)
According to Dr. Giovanni Manunta, the term security does not yet have a commonly accepted definition and evokes numerous connotations among practitioners. Although security is often not well defined, the relationship between security and risk is well accepted among business, government, and security professionals (Department of Homeland Security, 2008). While providing fodder for debate among those tasked with protecting information assets, the ambiguous definition of security and the differences in risk analysis techniques create significant challenges to protecting assets effectively.
The practical relationship between security, risk, and decision making is articulated well by the US Department of Homeland Security, which describes risk analysis as an approach for making security decisions (DHS, 2008). This is further established in the NIST 800-37 Risk Management Framework:
“…For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations…” (NIST, 2010. p. 3). (emphasis added)
Chris Mark to speak at 2016 TASSCC Annual Conference June 3, 2016
Posted by Chris Mark in Uncategorized. Tags: Bayes, cybersecurity, dark web, data breach, Inference, KeyNote, proximate reality, Speaking, TASSCC
I was excited to receive a call yesterday evening in which I was informed that my presentation abstract was accepted for the 2016 TASSCC Annual Conference, being held in August in Galveston, TX! If you are not familiar with it, TASSCC is the Texas Association of State Systems for Computing and Communications. They host a great event every year and are pretty selective about choosing speakers.
My topic will be a variation of my dissertation study related to adversarial analysis. As opining on Bayesian inference, proximate reality, and apophasis as they relate to security events would likely put the crowd to sleep, I am going to cover some important topics at a high level and then provide a live demonstration of the dark web. People are always shocked to see in real time where they can hire a hitman, or have a kilo of cocaine delivered to their door using only Bitcoin.