Breaking news from the Federal Buffoons of Information:

a senior FBI official recommends considering a simple algebraic equation—risk = threat x vulnerability x consequence

What a unique idea!  I’m amazed that somebody could possibly be that insightful.  I think we should get some big standards body on the job RIGHT AWAY to document this earth-shattering breakthrough.  Like NIST!  

Where have I heard this before?  Let’s do a little digging, shall we?

First, there’s FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems”, published March 2006.  That’s as good a place as any to start.  That one says FISMA (oh dear – that’s another rant altogether) requires categorization of systems “according to a range of risk levels”.  Risk is defined in that document as:

The level of impact on organizational operations … resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.

Threat occurs twice in that sentence.  It’s defined in the same document as:

the potential for a threat-source to successfully exploit a particular information system vulnerability

This brings the definition, fully fleshed out to be:

The level of impact on organizational operations … resulting from the operation of an information system given the potential impact of a threat-source to successfully exploit a particular information system vulnerability and the likelihood of that potential for a threat-source to successfully exploit a particular information system vulnerability occurring.

Ok, that isn’t a very easy sentence to digest - let’s remove some of the fluff.  While we’re at it, the “operation of an information system” is a given, since we’re talking about IT risk, so we’ll drop that, too.   And drop “successfully”, as it’s redundant in context, fold “likelihood” into the sentence, fix a verb tense, and we now have risk being:

The level of impact on organizational operations given the likelihood of a threat-source exploiting a particular vulnerability

… or, algorithmically …

Risk = Threat x Vulnerability

Good enough and easy to understand, and Mr. Chabinsky’s point is made – there seems to be no mention of consequence.  But there is this word Impact, which is being used synonymously with Risk (e.g., “risk is the level of impact…”).  If we look further into FIPS 200, the recommendations for controls are based entirely on the security categorization from FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems”, from March 2004, which defines levels of impact for us.  That (astoundingly brief) document provides the categorization levels based on the adverse effect (impact) a loss of the “Holy Trinity” (confidentiality, integrity, and availability) would have.  They provide a scale of limited, serious, and catastrophic to rank the effects, and define those relative to i) degrading mission capability, ii) damage to assets, iii) financial loss and iv) harm to individuals.  Here’s that definition, neatly summarized in that document:

The security categories are based on the potential impact on an organization should certain events occur

It appears security category is* potential impact on an organization given certain events.  Seems that’s the same definition given for risk, too.  I can kind of understand that at a high level – systems that impart greater risk to the organization _should_ have more stringent controls.  Makes perfect sense.  But then it throws in this nugget:

Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization.

Really?  Risk is to be used in conjunction with vulnerability and threat information in assessing risk?  Go figure.  Seems to explain why the feds have such a tough time with this.   Looking at all we have here so far, it appears that:

Risk is the impact on organizational operations given the potential of a threat-source to exploit a particular vulnerability, the likelihood of that occurring, taking into account… Risk.

Ha!  This is a fun game!  How’d we get to this clusterf*ck?  Let’s see what precipitated this.  NIST SP 800-30 is the “Risk Management Guide for Information Technology Systems”, dated July 2002.  Sounds like the authoritative source, no?  Step 7 of this document states:

The determination of risk for a particular threat/vulnerability pair can be expressed as a function of -

  • The likelihood of a given threat-source’s attempting to exercise a given vulnerability
  • The magnitude of the impact should a threat-source successfully exercise the vulnerability
  • The adequacy of planned or existing security controls for reducing or eliminating risk

… which can be expressed algorithmically as …

Risk = probability x threat source x (vulnerability – adequacy of controls) x impact

According to step six of this document, Impact is the adverse effect an event will have on the organization.  That’s another word for Consequence, I believe.  And we already know that the definition of threat is the probability of a source exploiting a vulnerability.  And a vulnerability is only a vulnerability if there are no (or ineffective) controls, so we can restate that as just vulnerability.  So we can restate the algorithm as:

Risk = Threat x Vulnerability x Consequence
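To make the SP 800-30 step 6/7 factors concrete, here is a small qualitative risk scorer for threat/vulnerability pairs. It is an added example written for this post, not code from NIST or from any of the documents quoted above. It takes the three inputs the post pulls out of step 7 (likelihood of the threat-source, adequacy of controls against the vulnerability, and impact) and also derives impact from the FIPS 199 limited/serious/catastrophic scale for loss of confidentiality, integrity and availability using a high-water mark. The numeric values behind each rating, the Low/Moderate/High cut-offs, and the sample pairs are assumptions constructed for illustration, not figures taken from the NIST documents.

```python
"""Added example (not from the post or from NIST): score threat/vulnerability
pairs as Risk = Threat x Vulnerability x Consequence, with the vulnerability
term reduced by the adequacy of controls, as the post derives from SP 800-30.

All numeric scales and cut-offs below are assumptions for illustration."""

from dataclasses import dataclass

# FIPS 199 impact wording, ordered from least to most severe.
IMPACT_ORDER = ["limited", "serious", "catastrophic"]

# Assumed ordinal scales. Likelihood and control coverage are fractions in
# [0, 1]; impact is scaled to 10/50/100 so the product lands on a 0-100 range.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"limited": 10, "serious": 50, "catastrophic": 100}
CONTROLS = {"none": 0.0, "partial": 0.5, "effective": 0.9}  # share of the vulnerability the control removes


@dataclass(frozen=True)
class Pair:
    """One threat-source/vulnerability pair with its step-7 inputs."""
    threat_source: str
    vulnerability: str
    likelihood: str          # key of LIKELIHOOD
    controls: str            # key of CONTROLS
    confidentiality: str     # FIPS 199 impact of a loss of confidentiality
    integrity: str           # FIPS 199 impact of a loss of integrity
    availability: str        # FIPS 199 impact of a loss of availability


def high_water_mark(confidentiality: str, integrity: str, availability: str) -> str:
    """Impact for the pair is the worst of the three FIPS 199 impact ratings."""
    return max((confidentiality, integrity, availability), key=IMPACT_ORDER.index)


def effective_vulnerability(controls: str) -> float:
    """A vulnerability only counts to the degree the controls fail to cover it."""
    return 1.0 - CONTROLS[controls]


def risk_score(pair: Pair) -> float:
    """Risk = Threat (likelihood) x Vulnerability (net of controls) x Consequence (impact)."""
    consequence = IMPACT[high_water_mark(pair.confidentiality, pair.integrity, pair.availability)]
    return LIKELIHOOD[pair.likelihood] * effective_vulnerability(pair.controls) * consequence


def risk_level(score: float) -> str:
    """Map a 0-100 score onto Low / Moderate / High (assumed cut-offs)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Moderate"
    return "Low"


def rank_pairs(pairs):
    """Return (threat_source, vulnerability, score, level) tuples, highest risk first."""
    scored = [(p.threat_source, p.vulnerability, risk_score(p), risk_level(risk_score(p))) for p in pairs]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed sample pairs (not real findings).
SAMPLE_PAIRS = [
    Pair("external attacker", "unpatched internet-facing web server",
         likelihood="high", controls="none",
         confidentiality="catastrophic", integrity="serious", availability="serious"),
    Pair("careless insider", "weak password policy on file share",
         likelihood="medium", controls="partial",
         confidentiality="serious", integrity="limited", availability="limited"),
    Pair("commodity malware", "isolated legacy workstation",
         likelihood="low", controls="effective",
         confidentiality="limited", integrity="limited", availability="limited"),
]

if __name__ == "__main__":
    for source, vuln, score, level in rank_pairs(SAMPLE_PAIRS):
        print(f"{level:8} {score:6.1f}  {source} -> {vuln}")
```

The point of the example is structural rather than numeric: the three step-7 inputs end up as three multiplicative terms, and the "adequacy of controls" term only ever shrinks the vulnerability factor, which is exactly why the post folds it into vulnerability. Swap in whatever scales an organization actually uses; the shape of the calculation does not change.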

Oh, it just can’t be this easy.  That’s from 2002.  A little more time travel puts us eight years earlier in 1996, with NIST SP 800-14, “Generally Accepted Principles and Practices for Securing Information Technology Systems”, which uses the definition from yet another document, from way back in the day: NIST SP 800-12, “An Introduction to Computer Security: The NIST Handbook”.  Dated October 1995, it identifies the following things that need to be performed through data collection and analysis as a part of risk management: Asset Valuation, Consequence Assessment, Threat Identification, Safeguard Analysis, Vulnerability Analysis, Likelihood Assessment.  It also states:

A risk management methodology does not necessarily need to analyze each of the components of risk separately. For example, assets/consequences or threats/likelihoods may be analyzed together.

In that document, Asset Valuation includes its intrinsic value as well as the near and long term consequences of its compromise.   Sounds like there’s already a fair compromise by joining asset valuation with consequence analysis.  And it seems to me that combining down vulnerability and safeguard analyses into one makes sense as well.  With that, Risk is a function of asset value/consequence, threat/likelihood, and vulnerability/safeguards.  In algorithm form:

Risk = Consequence x Threat x Vulnerability

Ok, this is awkward now, and I’m starting to feel bad for the guy.  It’s now EVERYWHERE I LOOK.  I knew I read it somewhere, clearly delineated in federal-government-speak.  Fifteen years ago!  That’s back when mullets were just going out of style, the New Kids on the Block were still kids (but no longer ‘new’), Netscape made its debut, there was only one Dolly the sheep, the Unabomber was just the Unaweirdo, and O.J. Simpson was still innocent**.  Brilliant new theory, Mr. Chabinsky.

* – Yes, it uses the phrase “based on”, but the basis is a one-to-one relationship where a limited adverse effect equals a Low Impact, serious = moderate, and “severe or catastrophic” is High.  Same-same.

** – now he’s just not guilty.  Of the first crime.