Strategic Information Risk Analysis
Evaluator Report Sample
Evaluator toolkit (https://evaluator.tidyrisk.org)
Summary
This report is based on 56,000 iterations performed over 56 risk scenarios and 63 capabilities on 2020-04-15 20:25:03+0000.
Total yearly losses are estimated to exceed the organization’s major risk threshold of $50,000,000 0% of the time.
The following table shows the maximum, 95th percentile Value at Risk (VaR), mean, and minimum annual losses.
| Value at Risk | Maximum Loss | Mean Loss | Minimum Loss |
|---|---|---|---|
| $22,282,758 | $42,171,518 | $13,820,108 | $5,166,501 |
Loss Exceedance Curve
The following loss exceedance curve is a common way to review the expected losses in a year. This figure shows how often total losses exceed any particular level during a given year. The 80% line shows that a loss of at least $4,223,248 occurs every four out of five years when outlier scenarios are excluded, or at least $10,142,053 when the outliers are included.
Loss Exceedance Curve
Risk Exposure By Domain
The top three information security program domains with the largest likely losses are Information Security Incident Management, Physical and Environmental Security, and Compliance. The losses associated with each domain of the program are described in the following table.
| Domain | Value at Risk | Maximum | Mean (Average) | Minimum | Standard Deviation |
|---|---|---|---|---|---|
| Information Security Incident Management | $6,691,612 | $9,367,780 | $4,465,097 | $1,513,809 | $1,302,761 |
| Physical and Environmental Security | $4,644,610 | $11,578,463 | $430,896 | $0 | $1,759,657 |
| Compliance | $4,077,983 | $6,145,570 | $2,598,394 | $743,762 | $869,087 |
| Information Security Management Program | $3,963,943 | $5,468,451 | $2,474,047 | $663,743 | $807,195 |
| Organization of Information Security | $3,237,394 | $5,326,646 | $1,907,368 | $280,905 | $758,155 |
| Human Resources Security | $1,120,515 | $1,855,731 | $622,980 | $44,730 | $275,654 |
| Access Control | $1,083,095 | $1,450,198 | $599,813 | $15,054 | $266,695 |
| Communications and Operations Management | $533,819 | $1,151,143 | $251,152 | $43,936 | $148,927 |
| Privacy Practices | $436,371 | $786,643 | $159,156 | $0 | $147,745 |
| Asset Management | $58,655 | $321,407 | $27,463 | $1,138 | $32,002 |
| Risk Management | $15,102 | $321,986 | $5,762 | $0 | $30,204 |
| Information Systems Acquisition, Development, and Maintenance | $0 | $304,163 | $4,741 | $0 | $27,386 |
| Business Continuity Management | $0 | $12,660,540 | $273,071 | $0 | $1,414,699 |
| Security Policy | $0 | $8,246 | $169 | $0 | $937 |
Simulation Outcomes by Domain
Each scenario generates a number of threat contact events where the threat community has the opportunity to act against the organization’s assets and result in a loss. Whenever the threat community acts and the organization’s capabilities prevent the attack, no loss occurs and a contained event is recorded in the simulation. Each threat community action that is not prevented by the organization’s capabilities is recorded as a loss event. The distribution of loss vs. contained events, and the average amount of control strength gap/surplus is displayed below.
Top Risk Scenarios
All of the scenarios are ranked against one another based upon their value at risk. The top five scenarios are:
| Scenario ID | Scenario | Median Annual Loss | Value at Risk |
|---|---|---|---|
| PHY - RS-42 | Damage to or loss of physical facility through natural disaster. | $0 | $4,500,548 |
| IM - RS-50 | Inadequate response results in inappropriate internal use of data. | $2,500,580 | $4,073,422 |
| ISMP - RS-54 | Key areas of the security program are not managed. | $2,410,077 | $3,963,943 |
| COMP - RS-11 | External attackers locate previously unknown weaknesses in the information security program not revealed through internal controls. | $2,314,387 | $3,874,253 |
| IM - RS-22 | Undetected and unremediated security incidents result in unmitigated access. | $1,173,944 | $2,157,974 |
A list of all evaluated risk scenarios is in Appendix A.
Key Capability Weaknesses
Threats most frequently overcome the control capabilities, resulting in losses, in the domains of Access Control, Information Systems Acquisition, Development, and Maintenance, and Asset Management.
| Domain | Succesful Threat Events | Control Gap | Surplus Control Strength |
|---|---|---|---|
| Access Control | 98.97% | 34.472% | 25.15% |
| Information Systems Acquisition, Development, and Maintenance | 67.19% | 11.386% | 6.02% |
| Asset Management | 99.66% | 36.666% | 4.15% |
| Business Continuity Management | 0.68% | 11.904% | 50.78% |
| Compliance | 45.14% | 16.681% | 16.21% |
| Human Resources Security | 50.18% | 30.727% | 15.16% |
| Information Security Incident Management | 57.80% | 15.263% | 13.17% |
| Information Security Management Program | 95.84% | 11.790% | 2.15% |
| Communications and Operations Management | 47.66% | 46.837% | 22.29% |
| Organization of Information Security | 33.34% | 3.757% | 6.37% |
| Physical and Environmental Security | 2.49% | 20.461% | 32.62% |
| Security Policy | 0.13% | 6.471% | 29.18% |
| Privacy Practices | 4.85% | 3.803% | 32.89% |
| Risk Management | 0.42% | 13.514% | 46.71% |
Focus Risk Scenarios
The focus section allows in depth coverage of any scenarios that are of particular leadership interest. By highlighting those scenarios of particular interest to your decission makers (e.g. ransomware), you can address hot topics of interest without losing sight of the overall risk environment. You can delete this section if there are no particular areas of focus.
Key Scenario A
Scenario: Unauthorized access to or use of information and systems.
| Value at Risk | $1,083,095 |
| Vulnerability (% of events resulting in loss) | 100% |
| Mean Control Gap | 34% |
| Maximum Annual Loss | $1,450,198 |
| Median Annual Loss | $579,625 |
| Maximum Single Loss | $440,835 |
| Median Single Loss | $80,786 |
Key Scenario B
Scenario: External auditors find compliance issues with regulations and standards not identified via internal processes.
| Value at Risk | $0 |
| Vulnerability (% of events resulting in loss) | 8% |
| Mean Control Gap | 2% |
| Maximum Annual Loss | $152,703 |
| Median Annual Loss | $0 |
| Maximum Single Loss | $152,703 |
| Median Single Loss | $0 |
Outliers
Some scenarios have values at risk that are significantly higher than the population mean of $497,503. These scenarios are outliers. When viewed next to non-outlier scenarios, the rest of the risk scenarios may be lost. Portions of this report exclude outliers to avoid distorting the results. Graphs and tables are clearly noted when they display filtered data. The outlier scenarios are:
| Scenario ID | Description | Value at Risk | Median | Maximum |
|---|---|---|---|---|
| PHY - RS-42 | Damage to or loss of physical facility through natural disaster. | $4,500,548 | $0 | $11,437,634 |
| IM - RS-50 | Inadequate response results in inappropriate internal use of data. | $4,073,422 | $2,500,580 | $5,572,632 |
| ISMP - RS-54 | Key areas of the security program are not managed. | $3,963,943 | $2,410,077 | $5,468,451 |
| COMP - RS-11 | External attackers locate previously unknown weaknesses in the information security program not revealed through internal controls. | $3,874,253 | $2,314,387 | $5,432,649 |
Methodology
The security strategic risk assessment process implemented by the Evaluator toolkit is based upon the industry standard OpenFAIR methodology. Expert opinion is polled on the threats, capabilities, and probable loss magnitudes associated with key risk scenarios. The Evaluator toolkit implements a Monte Carlo model on this information to generating a dollar-quantified exposure for each scenario.
Risks are ranked by the economic Value at Risk (VaR). VaR is a summary statistic (the 95 percentile) and should only be used to rank items at a similar level of granularity. The VaR totals for domains should not be looked at directly with the VaR total for the individual simulations that make up those domains.
Domains
The organization categorizes its security program into 14 domains in order to systematically review risk. These domains are:
| Domain ID | Domain |
|---|---|
| AC | Access Control |
| ASSET | Asset Management |
| BC | Business Continuity Management |
| OPS | Communications and Operations Management |
| COMP | Compliance |
| HR | Human Resources Security |
| IM | Information Security Incident Management |
| ISMP | Information Security Management Program |
| ADM | Information Systems Acquisition, Development, and Maintenance |
| ORG | Organization of Information Security |
| PHY | Physical and Environmental Security |
| PRI | Privacy Practices |
| RISK | Risk Management |
| POL | Security Policy |
Capabilities
The security team and key subject matter experts formed a consensus opinion on the maturity level of the 63 capabilities which make up the 14 security program domains. The group assessed each capability against a five-level capability maturity model (patterned after the CMMI model), ranging from initial (level 1) through optimizing (level 5). These capability ratings are used to create a distribution of simulated capability effectiveness over the course of a year, ranging from 100% (completely effective) to 0% (completely ineffective).
The full capabilities catalog is included as Appendix B.
Risk Scenarios
Each domain of the security program has one or more risk scenarios addressed by that portion of the program. These scenarios are made up of:
- The threat community (e.g. internal workforce members, nature, partners) performing the action.
- The action taken by the threat community.
- The program capabilities that resist harm by the threat community’s action.
- The consequences of the action, should it overcome the capabilities.
Working through the scenario list, the security team assigned qualitative ratings to each of these frequency, strength, and loss elements.
Simulation
Each of the qualitative labels is mapped to a set of parameters describing a beta pert distribution. These distributions are used to run simulations over each risk scenario. Within a given iteration, a scenario is evaluated for potential losses using:
- The number of times the threat community acts against the organization.
- The force of the threat community applies against the organization.
- The difficulty the relevant controls present to the threat community. For scenarios which have multiple controls applied, difficulty is the arithmetic mean of all the applicable controls.
This process generates several outputs:
- Threat Events: The number of times per year the threat presents itself
- Loss Events: The number of times the threat results in a loss (the threat community overcomes the controls)
- Single Loss Expected (SLE): The size range of individual losses from each loss event
- Annual Loss Expected (ALE): The annualized sum of all individual losses.
Total risk is the sum of annual expected losses across all 56 scenarios within an iteration.
Recommendations
Recommendations are left for the analyst to complete. Include security improvement (increasing the strength of controls) and analysis improvement projects (increase data input quality) projects.
Project Recommendation
Document the approved or proposed key risk management projects for the coming planning period (typically yearly). These projects should address the findings from the simulated scenarios by improving controls, reducing loss impact, or transferring risk. Describe each project in terms of its cost versus the expected amount of reduced loss exposure.
- FOO
- Description
- Cost
- Expected Loss Reduction
- BAR
- Description
- Cost
- Expected Loss Reduction
- BAZ
- Description
- Cost
- Expected Loss Reduction
- QUX
- Description
- Cost
- Expected Loss Reduction
- UIER
- Description
- Cost
- Expected Loss Reduction
Analysis Improvement Opportunities
The objective of a risk analysis is to provide better information and to reduce uncertainty in making strategic resource allocation decisions. As part of this decision process, consider if additional information is needed to perform a better risk analysis. Additional data or higher confidence data may reduce the variability in your projections.
Typical areas for additional data include:
- Control Effectiveness Refinement - Can we benchmark our controls against other organizations or otherwise better understand the maturity of our capabilities?
- Scenario Refinement - Have we clearly identified the threat communities, their capabilities and their frequency of action?
- Loss Magnitude Refinement - Can we leverage either our own incident data or data publicly (such as the VCDB) or semi-publicly (industry CIRTs) to better understand our potential economic losses?
Supplemental Analysis
Scenarios should be treated based upon size of the value at risk (VaR) calculation. Ranking scenarios by VaR creates a prioritized list of scenarios to address.