This report is based on 56,000 iterations performed over 56 risk scenarios and 63 capabilities on 2020-04-15 20:25:03+0000.
Total yearly losses are estimated to exceed the organization’s major risk threshold of $50,000,000 in 0% of simulated years.
The following table shows the maximum, 95th percentile Value at Risk (VaR), mean, and minimum annual losses.
| Value at Risk | Maximum Loss | Mean Loss | Minimum Loss |
|---|---|---|---|
The following loss exceedance curve is a common way to review the expected losses in a year: it shows how often total losses exceed any particular level in a given year. The 80% line shows that a loss of at least $4,223,248 occurs in four out of five simulated years when outlier scenarios are excluded, or at least $10,142,053 when the outliers are included.
The top three information security program domains with the largest likely losses are Information Security Incident Management, Physical and Environmental Security, and Compliance. The losses associated with each domain of the program are described in the following table, ranked by Value at Risk.
| Domain | Value at Risk | Maximum | Mean (Average) | Minimum | Standard Deviation |
|---|---|---|---|---|---|
| Information Security Incident Management | $6,691,612 | $9,367,780 | $4,465,097 | $1,513,809 | $1,302,761 |
| Physical and Environmental Security | $4,644,610 | $11,578,463 | $430,896 | $0 | $1,759,657 |
| Information Security Management Program | $3,963,943 | $5,468,451 | $2,474,047 | $663,743 | $807,195 |
| Organization of Information Security | $3,237,394 | $5,326,646 | $1,907,368 | $280,905 | $758,155 |
| Human Resources Security | $1,120,515 | $1,855,731 | $622,980 | $44,730 | $275,654 |
| Communications and Operations Management | $533,819 | $1,151,143 | $251,152 | $43,936 | $148,927 |
| Information Systems Acquisition, Development, and Maintenance | $0 | $304,163 | $4,741 | $0 | $27,386 |
| Business Continuity Management | $0 | $12,660,540 | $273,071 | $0 | $1,414,699 |
Each scenario generates a number of threat contact events in which the threat community has the opportunity to act against the organization’s assets and cause a loss. Whenever the threat community acts and the organization’s capabilities prevent the attack, no loss occurs and a contained event is recorded in the simulation. Each threat community action that is not prevented by the organization’s capabilities is recorded as a loss event. The distribution of loss vs. contained events, and the average control strength gap or surplus, is displayed below.
All of the scenarios are ranked against one another based upon their value at risk. The top five scenarios are:
| Scenario ID | Scenario | Median Annual Loss | Value at Risk |
|---|---|---|---|
| PHY - RS-42 | Damage to or loss of physical facility through natural disaster. | $0 | $4,500,548 |
| IM - RS-50 | Inadequate response results in inappropriate internal use of data. | $2,500,580 | $4,073,422 |
| ISMP - RS-54 | Key areas of the security program are not managed. | $2,410,077 | $3,963,943 |
| COMP - RS-11 | External attackers locate previously unknown weaknesses in the information security program not revealed through internal controls. | $2,314,387 | $3,874,253 |
| IM - RS-22 | Undetected and unremediated security incidents result in unmitigated access. | $1,173,944 | $2,157,974 |
A list of all evaluated risk scenarios is in Appendix A.
Threats most frequently overcome the control capabilities (resulting in losses) in the domains of Access Control; Information Systems Acquisition, Development, and Maintenance; and Asset Management. The percentage of threat events that succeeded, the mean control gap on those events, and the mean surplus control strength on contained events are shown per domain below.
| Domain | Successful Threat Events | Control Gap | Surplus Control Strength |
|---|---|---|---|
| Information Systems Acquisition, Development, and Maintenance | 67.19% | 11.386% | 6.02% |
| Business Continuity Management | 0.68% | 11.904% | 50.78% |
| Human Resources Security | 50.18% | 30.727% | 15.16% |
| Information Security Incident Management | 57.80% | 15.263% | 13.17% |
| Information Security Management Program | 95.84% | 11.790% | 2.15% |
| Communications and Operations Management | 47.66% | 46.837% | 22.29% |
| Organization of Information Security | 33.34% | 3.757% | 6.37% |
| Physical and Environmental Security | 2.49% | 20.461% | 32.62% |
The focus section allows in-depth coverage of any scenarios that are of particular leadership interest. By highlighting the scenarios of particular interest to your decision makers (e.g. ransomware), you can address hot topics without losing sight of the overall risk environment. You can delete this section if there are no particular areas of focus.
Scenario: Unauthorized access to or use of information and systems.
| Measure | Value |
|---|---|
| Value at Risk | $1,083,095 |
| Vulnerability (% of events resulting in loss) | 100% |
| Mean Control Gap | 34% |
| Maximum Annual Loss | $1,450,198 |
| Median Annual Loss | $579,625 |
| Maximum Single Loss | $440,835 |
| Median Single Loss | $80,786 |
Scenario: External auditors find compliance issues with regulations and standards not identified via internal processes.
| Measure | Value |
|---|---|
| Value at Risk | $0 |
| Vulnerability (% of events resulting in loss) | 8% |
| Mean Control Gap | 2% |
| Maximum Annual Loss | $152,703 |
| Median Annual Loss | $0 |
| Maximum Single Loss | $152,703 |
| Median Single Loss | $0 |
Some scenarios have values at risk that are significantly higher than the population mean of $497,503. These scenarios are outliers. When charted alongside them, the remaining risk scenarios become hard to distinguish. Portions of this report therefore exclude outliers to avoid distorting the results; graphs and tables are clearly noted when they display filtered data. The outlier scenarios are:
| Scenario ID | Description | Value at Risk | Median | Maximum |
|---|---|---|---|---|
| PHY - RS-42 | Damage to or loss of physical facility through natural disaster. | $4,500,548 | $0 | $11,437,634 |
| IM - RS-50 | Inadequate response results in inappropriate internal use of data. | $4,073,422 | $2,500,580 | $5,572,632 |
| ISMP - RS-54 | Key areas of the security program are not managed. | $3,963,943 | $2,410,077 | $5,468,451 |
| COMP - RS-11 | External attackers locate previously unknown weaknesses in the information security program not revealed through internal controls. | $3,874,253 | $2,314,387 | $5,432,649 |
The security strategic risk assessment process implemented by the Evaluator toolkit is based upon the industry-standard OpenFAIR methodology. Expert opinion is polled on the threats, capabilities, and probable loss magnitudes associated with key risk scenarios. The Evaluator toolkit runs a Monte Carlo model over this information to generate a dollar-quantified exposure for each scenario.
Risks are ranked by the economic Value at Risk (VaR). VaR is a summary statistic (the 95th percentile of simulated annual loss) and should only be used to rank items at a similar level of granularity. Because percentiles are not additive, the VaR of a domain should not be compared directly with the VaRs of the individual scenarios that make up that domain, nor is the domain VaR the sum of its scenarios' VaRs.
The organization categorizes its security program into 14 domains in order to systematically review risk. These domains are:
| Code | Domain |
|---|---|
| BC | Business Continuity Management |
| OPS | Communications and Operations Management |
| HR | Human Resources Security |
| IM | Information Security Incident Management |
| ISMP | Information Security Management Program |
| ADM | Information Systems Acquisition, Development, and Maintenance |
| ORG | Organization of Information Security |
| PHY | Physical and Environmental Security |
The security team and key subject matter experts formed a consensus opinion on the maturity level of the 63 capabilities which make up the 14 security program domains. The group assessed each capability against a five-level capability maturity model (patterned after the CMMI model), ranging from initial (level 1) through optimizing (level 5). These capability ratings are used to create a distribution of simulated capability effectiveness over the course of a year, ranging from 100% (completely effective) to 0% (completely ineffective).
The full capabilities catalog is included as Appendix B.
Each domain of the security program has one or more risk scenarios addressed by that portion of the program. These scenarios are made up of:
Working through the scenario list, the security team assigned qualitative ratings to each of these frequency, strength, and loss elements.
Each of the qualitative labels is mapped to a set of parameters (minimum, most likely, and maximum) describing a beta-PERT distribution. These distributions are used to run simulations over each risk scenario. Within a given iteration, a scenario is evaluated for potential losses using:
This process generates several outputs:
Total risk is the sum of annual expected losses across all 56 scenarios within an iteration.
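The mechanics described above (threat events compared against control strength to yield loss or contained events, beta-PERT sampling of each element, per-year loss totals, the 95th-percentile VaR, points on the loss exceedance curve, and total risk as the per-iteration sum across scenarios) can be seen end to end in the following Python sketch. It is an added illustration for this report, not the Evaluator toolkit's own code (which is an R package) and not a faithful reproduction of its model: the maturity-to-control-strength table, the scenario IDs and parameters, and rounding the frequency draw to a whole event count are assumptions made for the example.

```python
import math
import random
from dataclasses import dataclass, field


def pert(lo, mode, hi, rng, shape=4.0):
    """Draw one value from a beta-PERT distribution on [lo, hi] with the given mode."""
    if hi <= lo:
        return float(lo)
    a = 1.0 + shape * (mode - lo) / (hi - lo)
    b = 1.0 + shape * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)


def percentile(values, p):
    """Nearest-rank percentile (p in 0..1); the report's VaR is percentile(annual, 0.95)."""
    s = sorted(values)
    return s[max(0, math.ceil(p * len(s)) - 1)]


def exceedance(values, level):
    """One point on the loss exceedance curve: share of simulated years with loss >= level."""
    return sum(1 for v in values if v >= level) / len(values)


# ASSUMED mapping from a CMMI-style maturity level (1..5) to a control-strength
# distribution (min, mode, max) on 0..1; the toolkit's real parameters are not on the page.
MATURITY_TO_CS = {1: (0.0, 0.15, 0.40), 2: (0.10, 0.35, 0.60), 3: (0.30, 0.55, 0.80),
                  4: (0.50, 0.75, 0.95), 5: (0.70, 0.92, 1.00)}


@dataclass
class Scenario:
    id: str
    tef: tuple  # threat event frequency per year: (min, mode, max)
    tc: tuple   # threat capability on 0..1: (min, mode, max)
    cs: tuple   # control strength on 0..1: (min, mode, max)
    lm: tuple   # loss magnitude per loss event in dollars: (min, mode, max)


@dataclass
class Result:
    annual_losses: list = field(default_factory=list)  # one total per simulated year
    loss_events: int = 0
    contained_events: int = 0
    gaps: list = field(default_factory=list)       # tc - cs on loss events (control gap)
    surpluses: list = field(default_factory=list)  # cs - tc on contained events (surplus)

    @property
    def vulnerability(self):
        total = self.loss_events + self.contained_events
        return self.loss_events / total if total else 0.0

    @property
    def var95(self):
        return percentile(self.annual_losses, 0.95)

    @property
    def mean_gap(self):
        return sum(self.gaps) / len(self.gaps) if self.gaps else 0.0


def simulate(sc, iterations, seed=0):
    """Monte Carlo over one scenario: each iteration is one simulated year."""
    rng = random.Random(seed)
    res = Result()
    for _ in range(iterations):
        n_events = round(pert(*sc.tef, rng))  # simplification: round the TEF draw to a count
        year_loss = 0.0
        for _ in range(n_events):
            tc, cs = pert(*sc.tc, rng), pert(*sc.cs, rng)
            if tc > cs:                        # capability overcomes control: loss event
                res.loss_events += 1
                res.gaps.append(tc - cs)
                year_loss += pert(*sc.lm, rng)
            else:                              # control holds: contained event
                res.contained_events += 1
                res.surpluses.append(cs - tc)
        res.annual_losses.append(year_loss)
    return res


def total_risk(results):
    """Total risk per iteration: sum of every scenario's loss in that same simulated year."""
    n = len(results[0].annual_losses)
    return [sum(r.annual_losses[i] for r in results) for i in range(n)]


if __name__ == "__main__":
    # Constructed sample scenarios (hypothetical IDs and parameters, not from the report).
    scenarios = [
        Scenario("HYP-RS-1", tef=(2, 6, 12), tc=(0.4, 0.7, 0.95), cs=MATURITY_TO_CS[2],
                 lm=(20_000, 80_000, 450_000)),
        Scenario("HYP-RS-2", tef=(0, 1, 4), tc=(0.3, 0.5, 0.8), cs=MATURITY_TO_CS[4],
                 lm=(100_000, 900_000, 5_000_000)),
    ]
    results = [simulate(s, 5000, seed=i) for i, s in enumerate(scenarios)]
    for s, r in zip(scenarios, results):
        print(f"{s.id}: VaR ${r.var95:,.0f}  vulnerability {r.vulnerability:.0%}  mean gap {r.mean_gap:.0%}")
    total = total_risk(results)
    print(f"total VaR ${percentile(total, 0.95):,.0f} vs sum of scenario VaRs ${sum(r.var95 for r in results):,.0f}")
    print(f"P(total loss >= $1M) = {exceedance(total, 1_000_000):.0%}")
```

The last two print lines are the point of the exercise: total risk is built by summing losses within each iteration and only then taking the 95th percentile, which is why the report warns against comparing a domain's VaR with the VaRs of its constituent scenarios. Vulnerability (share of threat events that became loss events) and the mean control gap come out of the same loop that produces the annual losses, so the three statistics on the scenario focus pages are consistent with one another by construction.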
Recommendations are left for the analyst to complete. Include both security improvement projects (increasing the strength of controls) and analysis improvement projects (increasing the quality of the input data).
Document the approved or proposed key risk management projects for the coming planning period (typically yearly). These projects should address the findings from the simulated scenarios by improving controls, reducing loss impact, or transferring risk. Describe each project in terms of its cost versus the expected amount of reduced loss exposure.
The objective of a risk analysis is to provide better information and to reduce uncertainty in making strategic resource allocation decisions. As part of this decision process, consider if additional information is needed to perform a better risk analysis. Additional data or higher confidence data may reduce the variability in your projections.
Typical areas for additional data include:
Scenarios should be treated in order of the size of their value at risk (VaR). Ranking scenarios by VaR produces a prioritized list of scenarios to address.