The New Risk Equation: Motives, Means, Opportunity - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
IT Leadership // Security & Risk Strategy
7/26/2021
06:00 AM
Ramsés Gallego, International CTO, CyberRes, a Micro Focus Line of Business
Ramsés Gallego, International CTO, CyberRes, a Micro Focus Line of Business
Sponsored Article
50%
50%

The New Risk Equation: Motives, Means, Opportunity

There is a new risk equation with new variables to consider. Explore how it impacts your organization.

One of the simplest definitions of risk that I have found in my career is expressed in the form of an equation. A risk equation with its mathematical element, variables, its factors, and its quantification.

For risk to exist there must be a threat that exploits a vulnerability, with a probability of that happening and there has to be an impact (Threat - Vulnerability - Probability - Impact).

A threat requires an actor (or agent) who has a motivation (or something to gain) from the campaign; systems require an exploitable surface (weakness or exposure); there must be a probability of this occurring (the greater exposure and/or holes, the greater the probability); and, of course, there has to be an impact, a damage, a loss (otherwise, we could talk about residual risk or even existing risk without real consequences).

Taking into account the previous equation and with the aim of mitigating that risk, we can only work on three of the four variables that build it. We can only reduce the exposure factor by reducing existing vulnerabilities, by closing those holes. In doing so, we will naturally reduce the likelihood of an attack occurring and that is also working on the dimension of dwarfing the risk. And protecting the assets with the appropriate countermeasures -- always knowing the value of what we want to protect -- we will be reducing the impact. Fantastic. However, what we cannot avoid is that there are agents who want to cause evil, who want to steal corporate information, and/or who simply want to cause disruptive situations for the entity. We cannot avoid that there are malefactors (beyond social and educational policies for society that are not subject to these lines) and, consequently, we must comprehend that the threat factor, with that external element -- usually -- that wants to damage the reputation or economic-financial situation of an organization will always exist and we can do nothing about it.

Reflecting on that factor over which we have no control of the risk equation, another "equation" came to my mind that could well be an explanation of why these threats exist and why the society in which we live experiences an amazing increase in some types of threats -- 1500% -- (no, not a typo) as with formjacking and other innovative attacks. It's about motives, means, and opportunity.

A digital attacker -- as in the physical world -- needs a reason to harm, an ultimate goal that 'authorizes' her/him to perform the action. Currently, two fundamental reasons are cited: money, and social or political disruption. These are the two main reasons that move cybercriminals to perform their acts. However, if the adequate means are not available, the will to carry out an attack would only remain in the design phase ... unfortunately, though, there are very advanced means ... with costs that have dramatically reduced the ARPA (average revenue per attack) and they are even "borrowed" by groups of larger attackers to smaller groups sharing benefits (!). We have reached the democratization of the attacks. We have arrived to the extent of a concept taught in first year of Business and Economic Sciences: a cartel (an organization that reaches agreements with other companies in the sector -- the bad ones -- and eliminates the competition -- the good ones).

Finally, in this new risk approach, attackers need a window of opportunity that does root with the "old" risk equation in its facet of exposure factor, company visibility, vulnerability management. The internet allows the invisibility of the attacker -- or if there is visibility, the international judicial system does not always facilitate the prosecution of the crime. Thus, the opportunity aspect is as relevant as the other two factors.

If we add sophisticated tactics, techniques, and procedures to this mix (TTP is the acronym), sometimes even using mechanisms that are used for protection (let's not forget that the main pillar of ransomware attacks is the encryption of the data), we are facing a situation of weakness in front of these attacks.

I would not like to end these lines without addressing a positive aspect of all this: These motives, means, and opportunity are also available for those who want to protect and defend. Today, companies know the reasons to safeguard information -- not only the law but common sense should play an instrumental role here. They have the means to do so (obfuscation in the use of the cloud, isolation chambers, safe navigation, encryption of communications, etc.) and, above all, the opportunity. There has never been so much information or technology to perform that protection and defense effectively. You have never had so much threat intelligence -- captured with millions of points of information at the endpoint, in the network, in storage cabins, in the gateway, in mobile devices ...). Therefore, there is a "new" risk definition with new variables to consider: Motives, means, opportunity. For the bad guys ... but also at the reach of us, the ones who have to defend. We, the good ones.

Ramsés Gallego (CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT, Six Sigma Black Belt) is International Chief Technology Officer with CyberRes, a Micro Focus Line of Business.

 

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

News
Remote Work Tops SF, NYC for Most High-Paying Job Openings
Jessica Davis, Senior Editor, Enterprise Apps,  7/20/2021
Slideshows
Blockchain Gets Real Across Industries
Lisa Morgan, Freelance Writer,  7/22/2021
Commentary
Seeking a Competitive Edge vs. Chasing Savings in the Cloud
Joao-Pierre S. Ruth, Senior Writer,  7/19/2021
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Monitoring Critical Cloud Workloads Report
In this report, our experts will discuss how to advance your ability to monitor critical workloads as they move about the various cloud platforms in your company.
Slideshows
Flash Poll